I have successfully gotten Squid 3.5.20 to filter both HTTP and HTTPS in
transparent intercept mode. With intercept mode, iptables rules redirect
port 80 to squid's http_port 800 and HTTPS port 443 is redirected to
Squid's https_port 801. It all seems to work exactly as it should.
I have recently
I just read through the wiki being discussed. For the first time, I think I
finally understand, for the most part, what peek, splice and stare do. The
last time I read the wiki a few months ago, I gave up understanding those
because it was too confusing to me.
Thanks!
On Wed, Aug 24, 2016 at
I've been thinking that since we are talking about the squid wiki perhaps
we could just refer to it as the squiki?
On Tue, Aug 23, 2016 at 10:11 AM, Alex Rousskov <
rouss...@measurement-factory.com> wrote:
> On 08/23/2016 08:34 AM, Marcus Kool wrote:
> > On 08/23/2016 11:26 AM, Alex Rousskov
work/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
>i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
>
> On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <stan.presc...@g
1.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
*2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist
On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>
> > ssl_bump none localhostgreen
> > ssl_bump peek tls_s1_connect all
> > ssl_bump splice tls_s2_client_hello tls_to_splice
> > ssl_bump stare tls_s2_client_hello all
> > ssl_bump bump tls_s3_server_hello all
>
I have had my squid implementation for sslbump set up and working for some
time now. I have had several people point out that my use of "sslproxyflags
DONT_VERIFY_PEER" is dangerous from a security standpoint. When I was first
trying to get sslbump working it would not work until I saw a
ie...@ngtech.co.il
>
>
>
> *From:* squid-users [mailto:squid-users-boun...@lists.squid-cache.org] *On
> Behalf Of *Stanford Prescott
> *Sent:* Wednesday, June 29, 2016 2:56 AM
> *To:* Amos Jeffries
> *Cc:* squid-users
> *Subject:* Re: [squid-users] Squid 3.5.19 how to find
I forgot to mention, I am using squid 3.5.19
On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.presc...@gmail.com>
wrote:
> When I enter .wellsfargo.com in
>
> *acl tls_s1_connect at_step SslBump1*
> *acl tls_s2_client_hello at_step SslBump2*
> *acl tls_s3_server_h
33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB
# OTHER OPTIONS
#
----
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
> On 5/09/2015 8:37 a.m., Stanford Prescott wrote:
> >> acl s1_tls_connect at_step SslBump1
> >> acl s2_tls_client_hello at_step SslBump2
> >> acl s3_tls_server_hello at_step SslBump3
> >>
> >> acl tls_server_name_is_ip ssl::server_name_regex \
> >
var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir diskd /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB
# OTHER OPTIONS
#
#via off
forwarded_
I have tried to enable safe searching with Squid 3.5.7 using ssl-bump
splice but when I enable it, browsing to https://google.com generates a
Squid error page saying there is no valid certificate. Browsing to all
other https sites loads the pages correctly and all other SSL-bump sites
get bumped
h another (even trusted one).
>
> It is not possible to change this behaviour without recompiling unless
> developers of Dropbox have some "managed" mode...
>
> See http://docs.diladele.com/faq/squid/dropbox.html
>
> Best regards,
> Rafael
>
> On 1 Sep 2015 at
Yes, SSLBump still works with the web apps, but it would be a lot more
convenient if the mobile apps would also work.
Does anyone know how to pin Squid's self-signed certificate's public key to
Googledrive and Dropbox so that it would work with SSLBump enabled?
Stan
On Mon, Aug 31, 2015 at 3:29
We have users of Squid 3.5.x with SSLBump enabled complaining about their
DropBox and GoogleDrive apps not connecting. We are assuming this is
related to the fact that these apps use HTTPS but they are not part of any
of the browsers, therefore these apps do not have the self-signed
certificate
I have SquidClamAV implemented with the Smoothwall Express 3.1 firewall. It
works well and fast with ssl-bump, although the majority of our users only
have relatively small networks with smaller loads.
FYI, E2Guardian has replaced the DansGuardian project and is currently well
maintained.
...@gmail.com wrote:
O, really?
17.08.15 4:03, Stanford Prescott wrote:
ufdbGuard is not a content filter.
On Sun, Aug 16, 2015 at 4:07 PM, Yuri Voinov yvoi...@gmail.com
yvoi...@gmail.com wrote:
ufdbguard does.
16.08.15 20:27, Stanford
ufdbGuard is not a content filter.
On Sun, Aug 16, 2015 at 4:07 PM, Yuri Voinov yvoi...@gmail.com wrote:
ufdbguard does.
16.08.15 20:27, Stanford Prescott wrote:
I have SquidClamAV implemented with the Smoothwall Express 3.1 firewall
Hi Amos. I wanted to try out the ssl-bump splice to send traffic to a
peer found in the recent snapshots for 3.5.6/7 to block Google images. I
compiled, configured and installed the latest 3.5 snapshot and added the
directives you listed above to squid.conf but I am not sure I got them
right.
firewall
distros it was one of the good ones.
Eliezer
On 26/07/2015 18:26, Stanford Prescott wrote:
The OS is Smoothwall Express v3.1. A Linux firewall distro not really
based
on any other of the major distros.
___
squid-users mailing list
squid
The developers of Smoothwall Express v3.1 have been trying to address this
issue for a few days now. We have had users complaining of this same issue
with Squid 3.5.5 and 3.5.6. It didn't seem to happen with prior versions.
We (or at least our lead developer Neal Murphy) thinks it is related to
The OS is Smoothwall Express v3.1. A Linux firewall distro not really based
on any other of the major distros.
On Sun, Jul 26, 2015 at 10:15 AM, Eliezer Croitoru elie...@ngtech.co.il
wrote:
On 26/07/2015 03:33, Stanford Prescott wrote:
I did a new install of Squid 3.5.6 and it seems
I did a new install of Squid 3.5.6 and it seems to be working now.
On Fri, Jul 24, 2015 at 7:24 PM, James Lay j...@slave-tothe-box.net wrote:
On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote:
Thanks for that. Any ideas why I am experiencing that?
Stan
On Fri, Jul 24, 2015
I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 is
started with ssl-bump enabled all the squid and ssl_crtd processes start
and Squid functions as intended when bumping ssl sites. However, when I
bump Squid to 3.5.6 squid seems to start but ssl_crtd does not and Squid
Thanks for that. Any ideas why I am experiencing that?
Stan
On Fri, Jul 24, 2015 at 7:07 PM, James Lay j...@slave-tothe-box.net wrote:
On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5
is started with ssl
After bumping Squid from 3.4.x to 3.5.x in our implementation of Squid in
the Smoothwall Express v3.1 firewall distro we have begun to have
complaints from our users about erratic behavior of Squid shutting down
during reboots or network drops causing reboots.
It appears that squid (v3.5.[5-6])
This probably more rightly belongs in the ufdbGuard mailing list, but SF
has been down for several days and I cannot post there. There is a bit of
overlap with ssl_bump and ufdbGuard with one of the issues I am having.
Maybe someone here who uses ufdbGuard or squidGuard could help me?
I am trying
Hi all.
I've seen some folks asking questions about ufdbGuard and squidGuard here,
so I thought I would give it a try, too.
I am trying to integrate ufdbGuard to replace a working install of
squidGuard on our Smoothwall Express firewall distro with Squid 3.5.5.
Hopefully, if I can get it
Thanks, Amos. I will look into that.
On Fri, Jun 19, 2015 at 7:21 PM, Amos Jeffries squ...@treenet.co.nz wrote:
On 20/06/2015 9:46 a.m., Stanford Prescott wrote:
I have a working SSLBump configuration with Squid 3.5.4. It seems that
sometimes, if switching from HTTPS caching to only HTTP
I have to ask...what version of Squid are you using?
On Wed, May 27, 2015 at 1:41 PM, Mike mmone...@2keys.ca wrote:
Stanford Prescott stan.prescott at gmail.com writes:
Never mind. I figured the acl out. I was using someone else's
instructions who accidentally left out the double :: ssl
I also forgot to mention that for Squid 3.5.x /dev/shm needs to be
root:root and privileges of 0777.
On Fri, May 22, 2015 at 1:26 PM, Stanford Prescott stan.presc...@gmail.com
wrote:
This works for me with Squid 3.5.4. Hope it helps.
acl localhostgreen src 192.168.192.1
acl localnetgreen
This works for me with Squid 3.5.4. Hope it helps.
acl localhostgreen src 192.168.192.1
acl localnetgreen src 192.168.192.0/24
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow
Never mind. I figured the acl out. I was using someone else's instructions
who accidentally left out the double :: *ssl::server_name* using just a
single :.
On Wed, May 20, 2015 at 12:36 PM, Stanford Prescott stan.presc...@gmail.com
wrote:
After a diversion getting SquidClamAV working, I am
,
which is to not bump the nobumpSites and bump all other sites that are not
in nobumpSites?
On Wed, May 20, 2015 at 12:45 PM, Stanford Prescott stan.presc...@gmail.com
wrote:
Never mind. I figured the acl out. I was using someone else's instructions
who accidentally left out the double :: *ssl
along with everything else.
Could it be an issue with using the website domain name and the scripts are
not recognizing the website's SNI info as a match to not be bumped?
On Wed, May 6, 2015 at 9:24 PM, Stanford Prescott stan.presc...@gmail.com
wrote:
Jason helped me a lot although I am still
I have still been trying to get peek and splice to work. Specifically I
want to allow the admins of our firewall distro to enter websites that they
do not want to bump on the squid UI page. I have been fiddling with info
that Amos and Nathan have provided me but with no success so far. Here is a
/mods/proxy/ssl_cert/squidCA.pem*
I haven't ever tried it without intercept. I will try it and see what
happens.
On Wed, May 6, 2015 at 7:59 PM, Jason Haar jason_h...@trimble.com wrote:
On 07/05/15 12:45, Stanford Prescott wrote:
*1430958788.054 5572 192.168.100.104 TCP_TUNNEL/200 2964
Will Squid 4 be able to be compiled with GCC 4.7.3 or will it require GCC
4.9.x or newer?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
I would like to give my users the ability to not bump certain sites. I
tried to use the examples given on the SSLPeekandSplice wiki page but can't
get it to work.
This is a snippet of my squid.conf file.
https_port 192.168.10.1:808 intercept ssl-bump
I'm still pulling my hair out trying to figure out why Squid 3.5.2 with SSL
caching enabled will only start after the /var/spool/squid/cache is
emptied. This is the debug info I am getting when starting Squid when the
cache is not emptied.
*2015/03/29 10:27:56.896| Acl.cc(380) ~ACL: freeing ACL *
I have installed Squid 3.5.2 on the Smoothwall Express 3.1 firewall
distribution and it will not start correctly. I get this error
*2015/03/25 19:28:30.623 kid1| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/25 19:28:30.623 kid1| Acl.cc(380) ~ACL: freeing ACL *
*2015/03/25 19:28:33 kid1| Current
I have been trying to get Squid 3.5.2 to work with the Smoothwall Express
3.1 Linux firewall distribution. Specifically, I have modified the Squid
version included with Smoothwall Express 3.1 to enable HTTPS caching. I
have had this working successfully up to Squid version 3.4.10. Now with
trying
When trying to compile Squid 3.5.2 the compile fails. The only error messages I
can find are these:
tar: ./usr/share/errors/zh-cn: Cannot create symlink to `zh-hans': File exists
tar: ./usr/share/errors/zh-cn: Cannot create symlink to `zh-hant': File exists
A squid binary is produced but won't