See below. Nothing else too interesting. Those four lines were the key.
http_port 3128
http_port 3180 intercept
https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s
I always see in access.log for the partial content
TCP_HIT_ABORTED/206
and this content eats my whole bandwidth
my conf is
range_offset_limit none partial
quick_abort_min 1840 KB
quick_abort_max 1844 KB
On 27/01/2015 1:38 a.m., HackXBack wrote:
I always see in access.log for the partial content
TCP_HIT_ABORTED/206
ABORTED means the client disconnected. There is nothing you can do about
that in Squid.
HIT means the object delivered came from cache. No upstream bandwidth
was consumed in the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Daniel,
well,
but AFAIK server-first directive is deprecated in 3.5.x.
Hmm?
26.01.2015 19:37, Daniel Greenwald wrote:
See below. Nothing else too interesting. Those four lines were the key.
http_port 3128
http_port 3180 intercept
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://bugs.squid-cache.org/index.cgi
26.01.2015 5:09, HackXBack wrote:
Dear Yuri,
how I open bug ?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm not about it.
server-first keyword deprecated in 3.5.x.
AFAIK, keyword bump now has yet another meaning.
And also: in your example can only use acl all. Any other ACL's
leading Bungled config line error.
I.e, for example,
acl net_bump
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Raf,
will be better to take a look on Squid source. My config similar
Daniel's, excluding bump options - I have 3.4.11 in production yet.
26.01.2015 19:37, Daniel Greenwald wrote:
See below. Nothing else too interesting. Those four lines were the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In theory.
I don't see any 3.5.x bump working yet.
In 3.4.x bumping not chunked to stages and only IP-based dst acls will
working.
27.01.2015 1:54, Daniel Greenwald wrote:
hmm acc to how I read this page:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
No one ssl_bump combination did not work.
With your config I see only:
1422299531.482 18722 192.168.100.5 TCP_TUNNEL/200 99418 CONNECT 128.121.22.133:443 - ORIGINAL_DST/128.121.22.133 -
and connection doesn't established.
No errors - no bump.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi gents,
who know, what this log messages mean:
2015/01/26 22:02:34 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error::lib(0):func(0):reason(0) (5/-1/131)
2015/01/26 22:02:41 kid1| fwdNegotiateSSL: Error negotiating
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It's mistype. :)
Of course, I mean
acl net_bump src 192.168.101.0/24
Yep, sure - when I change all to another ACL - row bungled.
26.01.2015 23:33, Amos Jeffries wrote:
On 27/01/2015 5:37 a.m., Yuri Voinov wrote:
I'm not about it.
Thank you Amos, I have updated to bump. Working well just the same..
Even chrome doesn't complain for google properties. Very nice.
---
Daniel I Greenwald
On Mon, Jan 26, 2015 at 12:35 PM, Yuri Voinov yvoi...@gmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It's
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
After a bit Google-Fu ;)
I found this:
http://stackoverflow.com/questions/14770100/libssl-read-error-131-causing-an-application-crash
Is that it?
26.01.2015 23:22, Yuri Voinov wrote:
Hi gents,
who know, what this log messages mean:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
You can't use dstdomain ACL for disable bumping.
Only dst with IP's.
You don't know site FQDN before bump. :)
26.01.2015 23:48, Josep Borrell wrote:
Hi all,
Working on squid 3.5.1 with HTTPS interception.
Trying to make a peek/splice
when you know tell me because I asked this question before here and I didn't
get any answer
Well the documentation says
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
So that means SslBump1 only works for direct proxy (ie CONNECT)
sessions, it's SslBump2 that peeks into
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I suggest we are asking in wrong place :)
This is OpenSSL error stack, not squid.
Also, man, which root CA bundle are you using in your installation?
27.01.2015 2:49, HackXBack wrote:
when you know tell me because I asked this question before here
Wasn't somebody saying that you'd need write an External ACL to evaluate
the SNI host because dstdomain isn't hooked into that code (yet? ever?)?
On 27 January 2015 at 08:33, Jason Haar jason_h...@trimble.com wrote:
Well the documentation says
# SslBump1: After getting TCP-level and HTTP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi gents,
who knows - what does it mean below?
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443)
2015/01/27
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 27/01/2015 11:13 a.m., Yuri Voinov wrote:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1
Hi gents,
who knows - what does it mean below?
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery
detected on
Hello Daniel, Yuri
Maybe you could dump your whole squid.conf here (please remove any sensitive
details).
I still cannot understand once Squid has the target server hostname from SNI -
where is the acl/rule in squid.conf that can be used with this info present?
Best regards,
Rafael