On 3/10/2015 1:47 a.m., Александр Демченко wrote:
> Hello!
> It looks like I have a memory leak on squid with peek and splice https
> traffic.
> I use squid 3.5.9 (tried 3.5.8 and 3.5.7 also). OpenSSL and LibreSSL both
> tried.
> CentOS 7. Traffic redirected transparently by WCCP.
> Server: 8 cores,
On 5/10/2015 6:15 p.m., Dan Charlesworth wrote:
> It seems there’s no way to get the equivalent of the `dst` internal ACL into
> an external ACL. %DST returns the hostname from DNS not the origin IP.
>
> Am I missing something? Perhaps there's a more creative way to pass the IP to
> an external
On 6/10/2015 1:17 p.m., SaRaVanAn wrote:
> Hi All,
> With the help of Squid I want to return a custom payload for 404 response
> returned from web server. I have configured below acl to achieve the same
>
> acl denied_status_404 http_status 404
> deny_info http://errorpage.com denied_status_404
>
On 5/10/2015 4:41 p.m., birbird wrote:
> Hi Amos, thanks a lot for your reply.
>
>
> I have tried both -m and -d for htpasswd, they do generate different
> encrypted text, but none of them can be recognized by
> /usr/lib64/squid/ncsa_auth.
> I am still stuck here.
>
>
> By the way, I just
On 10/06/2015 06:50 PM, Marcus Kool wrote:
> The 2b) option a.k.a "simply always allow the CONNECT www.example.com and
> later block GET https://www.example.com/index.html" _only_ works for
> correctly SSL-bumped sites and does not work for sites that do not use
> SSL+HTTP.
If you want the user to se
On 07/10/15 13:56, Marcus Kool wrote:
>
> This sounds like an interesting script. Do you want to make this public?
> And what about sites that use HSTS, can you also do a "GET /" and check
> the headers for HSTS?
Frankly it's a "script as you learn" type affair - it's not in any fit
state to be re
On 10/06/2015 07:18 PM, Jason Haar wrote:
On 06/10/15 23:21, Walter H. wrote:
Hello,
can you please provide an example of how to use this in squid.conf
# create external acl checker that returns "ERR" or "OK" based on cert data sent to it
external_acl_type checkIfHTTPS children-max=20 concur
On 10/06/2015 06:05 PM, Rafael Akchurin wrote:
Hello Paul, Eliezer, Alex,
We (diladele ICAP) have open bug/feature requests for this:
https://github.com/ra-at-diladele-com/qlproxy_external/issues/731
https://github.com/ra-at-diladele-com/qlproxy_external/issues/726
As Alex
On 06/10/15 23:21, Walter H. wrote:
> Hello,
>
> can you please provide an example of how to use this in squid.conf
# create external acl checker that returns "ERR" or "OK" based on cert data sent to it
external_acl_type checkIfHTTPS children-max=20 concurrency=20
negative_ttl=3600 ttl=3600 grace=9
Dear All Please guide me how to cache facebook content with squid
Regards
ISHI
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Hello Paul, Eliezer, Alex,
We (diladele ICAP) have open bug/feature requests for this:
https://github.com/ra-at-diladele-com/qlproxy_external/issues/731
https://github.com/ra-at-diladele-com/qlproxy_external/issues/726
As Alex described most probably we will do the 2b approach
Thanks Alex, Dieter & Eliezer
I've been trying to prevent the CONNECT request being processed by
ICAP and the following configuration in Squid 3.5.9 alongside a
standard SSL peek and splice config appears to work:
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
adaptation_access s
Hey,
I assume you are not using default squid.conf since what you are
describing is not squid default settings from sources.
You can use basic auth and others to protect this page.
What have you tried until now?
Can you share your squid.conf so it will make more sense?
Eliezer
On 06/10/2015 2
Hi Antony.
The URL is www..yasudamaritima.com.br, but according to the user, you have
to navigate and authenticate to the portion of the site which is supposed
to show the window, but the window is blank.
The squid.log captured during the user session is below:
1444152953.106 0 192.168.0.38
So I was playing with squid-internal-mgr (replacement for cachemgr.cgi it
seems), but I have no real authentication access, other than my ACLs
acl manager url_regex -i ^cache_object:// +i
^https?://[^/]+/squid-internal-mgr/
And limited to my networks obviously.
But as of now those pages are w
On 10/06/2015 10:14 AM, Paul Carew wrote:
> when accessing a blocked site over HTTPS the following ICAP
> response is received:
>
> ICAP/1.0 200 OK
> ISTAG: "PRODUCTNAME"
> Attribute: Blocked Sites
> Encapsulated: res-hdr=0, null-body=533
>
> HTTP/1.0 403 Blocked
> Content-Type: text/html
> Prag
Hey Paul,
From what I have seen until now I believe that the ICAP service
response is for a CONNECT request.
For security reasons browsers are not allowing, or rather not
implementing support for, a direct HTTP response to CONNECT (tunnel) requests.
This is why you see this reaction from th
On Tuesday 06 October 2015 at 17:40:11, Cristiano Nunes wrote:
> I have a Squid Version 3.9.Stable13 which is working perfectly.
>
> Today I received a complaint from a user who is not able to browse a
> Brazilian site.
>
> Squid log shows no DENY at all but the site only shows a white screen wi
Hi
Just a quick question regarding SSL bump and ICAP.
I have integrated Squid 3.5.9 with a commercial product that provides
an ICAP service. It works fine for HTTP.
Upon receiving an ICAP query for a blocked HTTP site the following
ICAP response is returned.
ICAP/1.0 200 OK
ISTAG: "PRODUCTNAME"
I have a Squid Version 3.9.Stable13 which is working perfectly.
Today I received a complaint from a user who is not able to browse a
Brazilian site.
Squid log shows no DENY at all but the site only shows a white screen with
no errors.
I thought this was a site bug. So I set up a NAT to the user
On 10/06/2015 01:27 AM, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks
> But this is a bug in squid - this means untrustworthy certs become
> trusted again - not a good look
IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
difficult to configure to do CR
Hi everyone,
I have successfully set up reverse proxy and ICP communication between
siblings. I'd like to encrypt cache sharing between siblings, but cannot
figure out the optimal solution for this. I have not found in the
documentation how to do SSL encryption between cache_peer hosts so that
On 02/10/2015 15:47, Александр Демченко wrote:
https_port squid_ip:3129 intercept ssl-bump \
key=/etc/squid/certs/squid.pem \
cert=/etc/squid/certs/squid.pem \
generate-host-certificates=off \
dynamic_cert_mem_cache_size=0MB \
sslflags=NO_DEFAULT_CA
Why no mem cache exactly? This might be a
Hi everyone,
I have a Squid setup on a Linux box with transparent interception of both
http and https traffic. Everything worked fine with Squid 3.5.6. After
upgrading to version 3.5.10, I get many warnings about host header forgery:
SECURITY ALERT: Host header forgery detected on local=10
Hello,
can you please provide an example of how to use this in squid.conf
by the way how would I use these
sslcrtvalidator_program
and
sslcrtvalidator_children
Thanks,
Walter
On Tue, October 6, 2015 09:27, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks
>
> I'm using
On 06.10.15 03:02, joe wrote:
cache_dir null /tmp
this one is useless since squid-2.7 and 3.1
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: to this address I wish NOT to receive any advertising
cache deny all
coredump_dir /dev/null
cache_dir null /tmp
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cache-dir-NULL-tp4673532p4673561.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Good catch - I don't think squid does CRL/OCSP checks
I'm using the external_acl_type method to achieve that: it does the
extra work and returns "ERR" for revoked certs - which (for me) causes
squid to fallback on splice mode - so that the client browser can see
the actual fault directly (ie I'm m
29 matches