Re: [squid-users] Squid Benchmark

2019-10-02 Thread reinerotto
>... considering security and filtering ...< Regarding filtering, you might consider DNS-based filtering. I did special developments in this area, i.e. for "Parental Control" and ad/tracker-blocking. "TLS everywhere" I consider a special trick of Google, to protect their ads/trackers from being

Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-13 Thread reinerotto
Looks like an issue regarding iptables. Because coova-chilli modifies the rules, during start-up. So I doubt, the rules in your post are incomplete, _not_ after start of coova. Definitely, this is not a squid issue. BTW: I have squid intercept running on openwrt devices. For commercial hotspots.

Re: [squid-users] Unable to limit bandwidth (squid 4.7.2 )

2019-07-31 Thread reinerotto
Delay pools are broken in squid 4.x for https. Work for http only. "Known" bug, said to be fixed in squid 5.x only. You might consider using squid 3.x instead. -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

Re: [squid-users] Host Header Forgery issue even after applying patch

2019-05-14 Thread reinerotto
To get rid of the messages, on my 4.x, this squid.conf option works for me: debug_options ALL,0

Re: [squid-users] attempting to disable (or mute) logs

2019-03-22 Thread reinerotto
Are you sure, default level=0? I have squid 4.4; either started simply using "squid" or "squid -d 0". squid.conf does not contain any line debug_options. However, in all cases messages like 2019/03/22 18:06:04 kid1| SECURITY ALERT: on URL: edge-mqtt.facebook.com:443 2019/03/22 18:06:04

Re: [squid-users] attempting to disable (or mute) logs

2019-03-21 Thread reinerotto
In short, there is _no_ safe method to disable cache.log. The reason to disable cache.log is most of all because of this kind of messages: 2019/03/20 22:41:43 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.93.35:443 remote=10.1.0.202:51283 FD 194 flags=33 (local IP does not

Re: [squid-users] attempting to disable (or mute) logs

2019-03-20 Thread reinerotto
>* Please note that setting cache.log to /dev/null is highly dangerous. < Interesting. As this is standard when running squid on openwrt. Is there any _safe_ method to disable output to cache.log?

Re: [squid-users] squid delay_pools can't limit speed on certain connections

2019-02-28 Thread reinerotto
Hi Amos, I assume, you got the password for the logfile via email. Then, how to proceed here? Should I file an official bug?

Re: [squid-users] squid delay_pools can't limit speed on certain connections

2019-02-25 Thread reinerotto
After application of patch _and_ activation of requested debug_options, download via https is slower than in previous tests; but I have an SD-card in the openwrt device for logging, so this might be the reason for the slowdown. But it still does not seem to throttle to the expected speed. Attached the cache.log

Re: [squid-users] squid delay_pools can't limit speed on certain connections

2019-02-24 Thread reinerotto
1) I did some tests with my own webserver, and my local openwrt-system, running squid. And I can see, that http-traffic is throttled, but https is _not_. I used 10MB of data for my tests. Download speed for http is throttled to (my) 512kBit/s, as expected, but https is not throttled. 2) I got

Re: [squid-users] squid delay_pools can't limit speed on certain connections

2019-02-20 Thread reinerotto
I also have a problem with delay_pools on 4.4. Download speed is not throttled. Easily verified when watching video from youtube, using 'statistics for nerds'. I do not remember having this effect on 3.5. This squid runs on an up-to-date openwrt device, having limited resources. I am happy to

Re: [squid-users] squid on openwrt: Possible to get rid of "... SECURITY ALERT: Host header forgery detected ..." msgs ?

2019-01-23 Thread reinerotto
I suspect, these messages, for example, are not caused by any malware, but somehow by skype: 2019/01/23 13:38:18 kid1| SECURITY ALERT: on URL: mobile.pipe.aria.microsoft.com:443 2019/01/23 13:38:18 kid1| SECURITY ALERT: Host header forgery detected on local=52.114.76.35:443

[squid-users] squid on openwrt: Possible to get rid of "... SECURITY ALERT: Host header forgery detected ..." msgs ?

2019-01-23 Thread reinerotto
Running squid 4.4 on very limited device, unfortunately quite a lot of messages: "... SECURITY ALERT: Host header forgery detected ... " show up. Unable to eliminate real cause of this issue (even using iptables to redir all DNS requests to one dnsmasq does not help), these annoying messages

[squid-users] squid on openwrt: aclhelper wrongly considered exited

2018-10-14 Thread reinerotto
Running squid 4.3 on openwrt, I notice following warnings from time to time: 2018/10/14 16:36:39 kid1| WARNING: helper.sh #Hlpr2 exited 2018/10/14 16:36:39 kid1| Too few helper processes are running (need 1/5) 2018/10/14 16:36:39 kid1| Starting new helpers 2018/10/14 16:36:39 kid1|

Re: [squid-users] squid on openwrt: RAM usage and header forgery

2018-10-14 Thread reinerotto
Thanks a lot for the clarification. After upgrading to 4.3 and streamlining squid.conf according to your suggestions, mem requirements seem to be a bit reduced.

[squid-users] squid on openwrt: RAM usage and header forgery

2018-10-10 Thread reinerotto
Using squid 4.0.24 on openwrt, I see it grabbing significant amount of additional RAM after short period of activity, although I tried to downsize squid as much as possible. Any suggestion for further significant reduction of mem requirements after startup, or why is there such a growth (> 10MB)

Re: [squid-users] Running Squid fully as root

2018-10-09 Thread reinerotto
Found a workaround: Within my external helper (busybox shell-script) I start the other process (chilli_query) using sudo. That works fine for me. So we can consider this issue solved. Thanks a lot.

Re: [squid-users] Running Squid fully as root

2018-10-07 Thread reinerotto
The problem is the external ACL-helper, started by squid. It runs as "nobody" actually, but it needs to start a special program, which must run as root. FYI, openwrt is a shrunk-down LINUX, for embedded systems with limited resources, without any user besides the admin. openwrt often is used

Re: [squid-users] Running Squid fully as root

2018-10-07 Thread reinerotto
At least, I have a good reason: Running squid on openwrt, where usually all processes are root. And external acl-helpers will not work, when started as nobody and trying to run other processes. Any answer to the original question?

Re: [squid-users] rock storage and max-swap-rate

2018-01-23 Thread reinerotto
>I believe that journal is only written to, when you make change at filesystem level, like creating or removing files.< This is more or less correct only, in case the _default_ journal strategy "ordered" is used. But even then, according to the docs, "metadata" is journalled. Which also includes

Re: [squid-users] rock storage and max-swap-rate

2018-01-22 Thread reinerotto
Privet ! >Could you please elaborate? What’s wrong with rock on ext4? < Default ext4 uses a "journal" of the modifications. Which adds I/O. Timestamps of filemods are other I/Os. I do not think, that these features are required for rock. Disabling journal completely will cause loss of data

Re: [squid-users] rock storage and max-swap-rate

2018-01-21 Thread reinerotto
>1500 iops baseline performance< Does this include management operations of the filesystem used? And which filesystem is used? ext4 might be a bad choice, in case not significantly "degenerated".

Re: [squid-users] Non intrusive sslbump for whitelisting (asked many times but..)

2017-11-07 Thread reinerotto
>I tried doing filters with firewall or dns level, but those are not effective.< (dnsmasq + ipset) + iptables should do it. You most likely need (dnsmasq+ipset) to allow traffic to multi-IP sites like google, facebook etc. Will work on openwrt/LEDE, too. As I am using it.

Re: [squid-users] Not all html objects are being cached

2017-01-26 Thread reinerotto
>reply_header_access Cache-Control deny all< Will this only affect downstream caches, or will this squid itself also ignore any Cache-Control header info received from upstream?

Re: [squid-users] Is it possible to modify cached object?

2017-01-06 Thread reinerotto
Content adaptation can also be done without squid. Modification of the message body "on-the-fly" can be achieved using commercial product(s).

Re: [squid-users] compression in Squid

2016-11-23 Thread reinerotto
In the past, I used ziproxy together with squid for slow or expensive (mobile) point-to-point links. ziproxy compresses (gzip) data from the web, and sends it via squid over the slow/expensive link, usually also having a squid at the other end, serving the clients. Very convenient, as practically

Re: [squid-users] external_acl_type problem

2016-10-27 Thread reinerotto
>> It very much looks like squid's accounting of helpers is disturbed: I see much more than max helpers active after a few hours. And lots of helpers stay alive, when I kill the parent process squid. >By 'kill' do you mean something like "kill -9" ? >Or do you mean the proper "kill -SIGHUP" or

Re: [squid-users] external_acl_type problem

2016-10-26 Thread reinerotto
Looks like I found a workaround: To use %SRC %SRCPORT. Which avoids (at least up to now) identical key. So it looks like a bug in squid. This _might_ be part of the problem: 2016/10/26 06:11:28.417 kid1| 82,4| external_acl.cc(816) aclMatchExternal: entry = { date=1477480288, result=DENIED tag=

Re: [squid-users] external_acl_type problem

2016-10-26 Thread reinerotto
>You referred to some assumptions that we might have on a linux system but the question from my side is: What for example? Disk Space? Libraries? Etc..< Sorry, I do not really know. I had one similar, very strange effect on my embedded LINUX, regarding bash: It was necessary for redirect function

Re: [squid-users] external_acl_type problem

2016-10-25 Thread reinerotto
Some addition: I activated some squid-debugging, and noticed: 2016/10/25 10:06:36.340 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1 2016/10/25 10:06:36.340 kid1| helperOpenServers: Starting 10/20 'delay_generate_204.sh' processes 2016/10/25 10:06:36.462 kid1|

Re: [squid-users] external_acl_type problem

2016-10-24 Thread reinerotto
>But the startup should be 0 in all Squid-3.2+ like you say. Are you applying any patches to external_acl.cc or helper/ChildConfig.cc ? < No patches. Now I rebuilt squid on a 32-bit debian, with default ./configure opts. Same effect: 2016/10/24 09:54:09 kid1| helperOpenServers: Starting 5/5

[squid-users] external_acl_type problem

2016-10-23 Thread reinerotto
1) According to http://www.squid-cache.org/Doc/config/external_acl_type/ in squid.conf, this external_acl_type check_delay ttl=0 cache=0 %SRC /etc/squid/check_delay.sh should start 0 helpers immediately after squid (3.5.22) start-up. However, I always see 5. 2) I often see this: Sat Oct 22
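The thread above settles on `%SRC %SRCPORT` as the request format so that each client connection gets its own key (Squid builds the result-cache key from the formatted request line, so with `%SRC` alone every request from one client shares a key). As an added example, not the poster's check_delay.sh and not Squid's own code, the Python below implements the helper side of that protocol: Squid writes one request per line to the helper's stdin and waits for one reply line (`OK`, `ERR` or `BH`, optionally followed by `key=value` pairs); with `concurrency=N` every request is prefixed with a channel id that the reply must echo. The allow-list, the tag name and the squid.conf wiring in the docstring are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl helper (added example, not from the original thread).

Assumed squid.conf wiring (hypothetical path and acl name):
    external_acl_type check_delay ttl=0 cache=0 %SRC %SRCPORT /etc/squid/check_delay.py
    acl known_client external check_delay
"""
import sys

# Constructed allow-list of client addresses for the example; a real helper would
# consult a captive-portal session table (chilli_query or similar) instead.
ALLOWED = {"10.1.0.202", "192.168.1.10"}


def handle_line(line, concurrency=0):
    """Return the reply line for one request line from Squid.

    With concurrency > 0 Squid prefixes every request with a numeric channel id
    and the reply must start with the same id. Squid URL-encodes the fields, so a
    space can only be a field separator, never part of a value.
    """
    parts = line.rstrip("\r\n").split(" ")
    channel = None
    if concurrency > 0:
        if len(parts) < 2 or not parts[0].isdigit():
            # BH = helper failure; Squid treats it as "no answer", not as a deny.
            return "BH message=missing_channel_id"
        channel, parts = parts[0], parts[1:]
    if len(parts) < 2 or not parts[0]:
        verdict = "BH message=malformed_request"
    else:
        src, srcport = parts[0], parts[1]   # srcport only makes the key unique
        verdict = "OK tag=known_client" if src in ALLOWED else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main(concurrency=0):
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()  # Squid waits for the reply; unflushed output stalls the helper


if __name__ == "__main__":
    main(concurrency=int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

Run it by hand with `printf '10.1.0.202 51283\n' | python3 check_delay.py` before pointing Squid at it; a helper that exits on a malformed line is what produces the "helper exited / Too few helper processes" warnings quoted elsewhere in these posts, which is why bad input is answered with `BH` rather than raising.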

Re: [squid-users] Squid 2.7 to Squid 3.5

2016-10-16 Thread reinerotto
Sorry, I forgot: Another difference is, that response times are lower today. (BTW: I also did a SM-4 ...)

Re: [squid-users] Squid 2.7 to Squid 3.5

2016-10-16 Thread reinerotto
Off topic, but anyway: >Not a word, man. 10 years in IT - eternity :)< Not true. 40yrs ago we already did interrupt driven programming or 20 yrs ago online apps for mobile touchscreens with radio link. Only real difference: Better graphics today :-)

Re: [squid-users] Your real byte hit

2016-10-09 Thread reinerotto
>But you can continue to assume that the hit - a measure of the efficiency of the cache :)< It depends on, whether you want to optimize towards lowest traffic volume on the connection to the web, _or_ towards user experience, regarding "browser speed", for example. Or, some people are more

Re: [squid-users] Your real byte hit

2016-10-09 Thread reinerotto
>I mean BYTE HIT :) If you have eyes :) < Yes, I have. But you might consider being more specific next time, when offering guesswork about what you are referring to.

Re: [squid-users] Your real byte hit

2016-10-08 Thread reinerotto
You mean the 10%? No problem.

Re: [squid-users] libevent

2016-09-22 Thread reinerotto
Although off topic, >Oh, yes, we've seen. Bugs can not be closed for years. If the bug is not obvious or can not be replayed in one action - it is ignored. < there is no software (besides mine :-) which is free of bugs. So the amount of bugs still present simply should be "manageable". More or

Re: [squid-users] libevent

2016-09-22 Thread reinerotto
>You are too few in number to provide something decent enough, and not from the last century.< The smaller the development team, the more efficient it is. Highly qualified staff assumed. And LINUX is as suitable to event-driven programming as MVS. Therefore, (bad) compromise has to be made. --

Re: [squid-users] regarding to "cache videos" plugin now as open source

2016-09-07 Thread reinerotto
Might be usable. Question is, how effective it will be on overall traffic, as most famous/accessed videos are to be found on youtube. Which uses https, in my area, at least.

Re: [squid-users] regarding to "cache videos" plugin now as open source

2016-09-06 Thread reinerotto
>since the plugin that is called "cache videos" became now free and open source < Link, please.

Re: [squid-users] More host header forgery pain with peek/splice

2016-08-25 Thread reinerotto
Hack the code. Because it is even worse, as firefox for example does not obey the TTL.

[squid-users] squid 3.5.x/4.x on embedded system. Anybody ?

2016-08-04 Thread reinerotto
I have the impression, that these squid versions are much more memory/CPU-hungry compared to good old 2.7 Any users out there, to share some experience ? I am running 3.5.20 on a 580MHz MIPS CPU, with 128MB RAM. So my system is limited in many aspects, and I try some tuning. For example, recent

Re: [squid-users] cachemgr.cgi on embedded system

2016-08-04 Thread reinerotto
Thanks a lot, I got it now. The magic line in squid.conf I had to add: acl safe_ports port 3128 Now http://my.local.ip.onsquidbox:3128/squid-internal-mgr/info succeeds.

Re: [squid-users] cachemgr.cgi on embedded system

2016-07-26 Thread reinerotto
No progress. I rebuilt squid (3.5.20), incl. basic-auth, but still get The following error was encountered while trying to retrieve the URL: http://my_local_domain.lan:3128/squid-internal-mgr/info Access Denied. although I have in squid.conf (just for testing): ... http_access deny connect

Re: [squid-users] cachemgr.cgi on embedded system

2016-07-25 Thread reinerotto
On 25/07/2016 8:55 p.m., reinerotto wrote: >> * Squid has Basic authentication enabled. < > This is _not_ the case in my environment. > I had an _impression_ from the wiki, that basic_auth _might_ be used. > (And there was a note from Yuri, having a similar problem like me :

Re: [squid-users] cachemgr.cgi on embedded system

2016-07-25 Thread reinerotto
>* Squid has Basic authentication enabled. < This is _not_ the case in my environment. I had an _impression_ from the wiki, that basic_auth _might_ be used. (And there was a note from Yuri, having a similar problem like me :-) Pls, consider an explicit statement in the wiki. On an embedded

[squid-users] cachemgr.cgi on embedded system

2016-07-24 Thread reinerotto
I have a problem to use cachemgr.cgi on an embedded system: (Cache Server: 127.0.0.1:3128; manager name: manager: Password: maypasswd) browser: The following error was encountered while trying to retrieve the URL: cache_object://127.0.0.1/ Cache Manager Access Denied. Sorry, you are not currently

[squid-users] Fast SNI: (Also) on 3.5.x ?

2016-07-19 Thread reinerotto
The patch for "Fast SNI" is included in 4.x, as I have seen. Any plans to implement the same patch in 3.5.x?

Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread reinerotto
You overlooked this one in my post: ... (assuming, all traffic from users is routed via squid box) Which is easy to be done in a local squid, serving as/in gateway to the internet. Whether personal or for a large LAN. My "iptables rules to redirect port 53" are not so easy to be

Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread reinerotto
Please, don't be so cryptic in your comments. The long quotations of the original post are also a bit annoying, but anyway: As you obviously do not understand the principle of how it works _without_ cisco, let me explain: (assuming, all traffic from users is routed via squid box) - iptables rules

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread reinerotto
There is no need for cisco stuff. dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open dnscrypt servers form this list: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to connect

Re: [squid-users] SECURITY ALARM, once more

2016-06-21 Thread reinerotto
>stay in sync naturally 90-something percent of the time. < I have a local dnsmasq running. squid and all clients synced to it. But the last 10% seem to cause the SECURITY ALERT. 2016/06/21 12:17:51.672 kid1| SECURITY ALERT: Host header forgery detected on local=nn.nnn.nnn.nnn:443

[squid-users] googles data compression proxy

2016-06-20 Thread reinerotto
Any real experience, how to block this feature? Actually, it allows tunnelling through squid, because of the special protocol. In my logs, I see TCP_DENIED for http://check.googlezip.net/connect, because of my ACL in squid. However, traffic is still tunneled through squid to Google's proxy.

[squid-users] SECURITY ALARM, once more

2016-06-20 Thread reinerotto
I see quite a few messages like this one in my logs: squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443 Running squid 3.5.19-20160524-r14057, https-intercept just for logging, so no bump. It is understood, that most likely this is because of squids DNS and browsers DNS not to be in
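This post, the "SECURITY ALARM, once more" reply and the 2018/2019 openwrt threads above all quote the same two cache.log lines. In intercept mode Squid checks that the destination IP the client actually connected to (`local=`) is among the addresses Squid itself resolves for the Host/SNI name; on a mismatch it logs the alert and, with the default `host_verify_strict off`, still forwards the request to the original destination but refuses to cache the reply, which is the cache-poisoning defence behind the message (with `host_verify_strict on` the client gets a 409 instead). As an added example, not part of any of the original posts and not Squid's own tooling, the Python below parses those lines and groups them, so you can tell a handful of CDN hostnames with many addresses (the client/proxy DNS skew the posters suspect) from one client connecting to many unrelated IPs under one Host name, which is the case worth a closer look. The log excerpt is constructed in the shape of the lines quoted in the posts, not a real capture; the pairing handles the URL line appearing either before or after the forgery line, as both orders occur in the quotes.

```python
import re
from collections import Counter, defaultdict

# Constructed cache.log excerpt shaped like the lines quoted in the posts
# (addresses and hostnames taken from those quotes; not a real capture).
SAMPLE_LOG = """\
2019/03/20 22:41:43 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.93.35:443 remote=10.1.0.202:51283 FD 194 flags=33 (local IP does not match any domain IP)
2019/03/20 22:41:43 kid1| SECURITY ALERT: on URL: edge-mqtt.facebook.com:443
2019/03/20 22:41:44 kid1| SECURITY ALERT: Host header forgery detected on local=52.114.76.35:443 remote=10.1.0.7:50001 FD 201 flags=33 (local IP does not match any domain IP)
2019/03/20 22:41:44 kid1| SECURITY ALERT: on URL: mobile.pipe.aria.microsoft.com:443
2019/03/20 22:41:50 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.93.35:443 remote=10.1.0.202:51290 FD 194 flags=33 (local IP does not match any domain IP)
2019/03/20 22:41:50 kid1| SECURITY ALERT: on URL: edge-mqtt.facebook.com:443
2019/03/20 22:42:01 kid1| Starting new helpers
"""

# local= is the destination the client really connected to, remote= the client.
FORGERY_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<lport>\d+) remote=(?P<remote>\S+):(?P<rport>\d+)(?!\S)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")


def parse_alerts(text):
    """Pair each forgery line with its 'on URL' line (either order) into one event."""
    events, pending_forgery, pending_url = [], None, None
    for line in text.splitlines():
        m = FORGERY_RE.search(line)
        if m:
            f = {"local": m["local"], "remote": m["remote"]}
            if pending_url is not None:
                events.append({**f, "url": pending_url}); pending_url = None
            else:
                pending_forgery = f
            continue
        m = URL_RE.search(line)
        if m:
            if pending_forgery is not None:
                events.append({**pending_forgery, "url": m["url"]}); pending_forgery = None
            else:
                pending_url = m["url"]
            continue
        # Any other line breaks a pair: keep an unpaired forgery (url unknown), drop a stray URL.
        if pending_forgery is not None:
            events.append({**pending_forgery, "url": None})
        pending_forgery = pending_url = None
    if pending_forgery is not None:
        events.append({**pending_forgery, "url": None})
    return events


def summarize(events):
    """Aggregate so DNS skew (few hosts, several IPs each) stands apart from
    one client reaching many unrelated destinations."""
    by_host_ip = Counter((e["url"], e["local"]) for e in events)
    by_client = Counter(e["remote"] for e in events)
    ips_per_host, hosts_per_client = defaultdict(set), defaultdict(set)
    for e in events:
        ips_per_host[e["url"]].add(e["local"])
        hosts_per_client[e["remote"]].add(e["url"])
    return {
        "by_host_ip": by_host_ip,
        "by_client": by_client,
        "ips_per_host": {h: sorted(v) for h, v in ips_per_host.items()},
        "hosts_per_client": {c: sorted(x for x in v if x) for c, v in hosts_per_client.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_LOG))
    for (host, ip), n in summary["by_host_ip"].most_common():
        print(f"{n:4d}  {host:40s} -> {ip}")
    for client, hosts in summary["hosts_per_client"].items():
        print(f"client {client}: {len(hosts)} distinct host(s)")
```

Feed it a real file with `parse_alerts(open("/var/log/squid/cache.log").read())`. If `ips_per_host` shows a few well-known names each resolving to several addresses of the same provider, pointing every client and Squid at the same resolver (the dnsmasq setup described in these posts) is the fix; if `hosts_per_client` shows one client with an unusual spread of names over addresses that do not belong to them, that client deserves a look before the log line is silenced with `debug_options`.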