[squid-users] smp purge

2016-08-24 Thread 曹士超
Hi, how are you? I don't know squid use smp, multi cpu process purge cache, each process define cache_dir, when purge cache choose a different worker, lead to clear the cache fails

[squid-users] Some delay pools questions

2016-08-24 Thread erdosain9
Hi. I have thought to have several delay pools but I doubt whether this is the right way. Eg. I want to give to the "administration" 512kb in total, to be distributed among 8 users. Give the "video editing area" a total of 1000KB to divide among 8 users. I want to limit the bandwidth dedicated to

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Alex Rousskov
On 08/24/2016 12:24 PM, Omid Kosari wrote: > Alex Rousskov wrote >> Thus, the existing implementation should cover non-HTTP >> requests on port 80 (or 3128). If it does not, it is a bug. We should >> polish the documentation to make this clear. > The problem is not squid itself . The problem is

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
Alex Rousskov wrote > Thus, the existing implementation should cover non-HTTP > requests on port 80 (or 3128). If it does not, it is a bug. We should > polish the documentation to make this clear. The problem is not squid itself . The problem is in some situations for example DOS(with malformed

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Stanford Prescott
I just read through the wiki being discussed. For the first time, I think I finally understand, for the most part, what peek, splice and stare do. The last time I read the wiki a few months ago, I gave up understanding those because it was too confusing to me. Thanks! On Wed, Aug 24, 2016 at

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Alex Rousskov
On 08/24/2016 06:36 AM, Yuri Voinov wrote: > 24.08.2016 18:32, Antony Stone wrote: >> He wants to configure his browser to connect to the proxy over an SSL >> connection, and then inside this secure connection send standard HTTP and >> HTTPS requests > Yeah, I get it. It seems to me, is

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Alex Rousskov
On 08/24/2016 07:54 AM, Amos Jeffries wrote: > on_unsupported_protocol will need patching to be applied when HTTP > parser detects unsupported protocol on port 80 (or 3128). on_unsupported_protocol determines (among other things) Squid behavior when encountering a strange (i.e., probably

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Oh, and a tiny little detail :) # squid -v Squid Cache: Version 4.0.13 Service Name: squid configure options: '--with-openssl' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy'

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
This configuration here covers the use case described by the OP: https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/ If everything works well, you'll notice you won't support HTTP proxy at all, but users can reach both HTTP

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Alex Rousskov
On 08/24/2016 07:23 AM, Marcus Kool wrote: > I added an image in PNG format with data flow and events. And I added an XXX why that image might do more harm than good. > If you are interested I can send you the ODG file that was > used to generate the image. Please attach those image sources to

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
acl status_400 http_status 400 deny_info TCP_RESET status_400 http_reply_access deny status_400 still send headers . just the 400 changed to 403 HTTP/1.1 403 Forbidden Server: squid Mime-Version: 1.0 Date: Wed, 24 Aug 2016 14:11:35 GMT Content-Type: text/html;charset=utf-8 Content-Length: 5

Re: [squid-users] Objects with values below 60 second for Cache-Control max-age are not cached

2016-08-24 Thread Garri Djavadyan
On Mon, 2016-08-22 at 16:46 +0500, Garri Djavadyan wrote: > Hello Squid users, > > Can anyone explain, why Squid doesn't cache the objects with max-age > values below 60 seconds? For example: > > $ http_proxy="127.0.0.1:3128" curl --head "http://sandbox.comnet.loca > l/ > cgi-bin/hello.cgi" &&

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Amos Jeffries
On 25/08/2016 12:39 a.m., Omid Kosari wrote: > This config works for dstdomain acl type > > acl test dstdomain 123.com > deny_info TCP_RESET test > adapted_http_access deny test > > > but it is not what i want . I want > > acl status_400 http_status 400 > deny_info TCP_RESET status_400 >

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Amos Jeffries
Just to rewind this conversation to the actual problem ... On 24/08/2016 11:42 p.m., Samuraiii wrote: > On 24.8.2016 13:18, Antony Stone wrote: >> Unfortunately it's not Squid that's the challenge - it's the browser. >> >> If you're using Firefox and/or Chrome, you should be okay. >> >> See

Re: [squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl

2016-08-24 Thread Amos Jeffries
On 24/08/2016 4:24 a.m., Diogenes S. Jesus wrote: If you want to do things like this safely please upgrade to Squid-4 where the logformat codes are available. Those codes provide customizable escaping and quoting styles so you can set one that protects LDAP against these

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 19:24, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote: > Then I do not understand what he wants op. >> >> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connecti >> on >> >>>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote: > >> Then I do not understand what he wants op. > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connecti > on > > > Secure connection to squid proxy without need for anything else (on > > client side) than

Re: [squid-users] DENIED and ALLOWED at once?

2016-08-24 Thread Amos Jeffries
On 24/08/2016 3:55 a.m., Sergio Belkin wrote: > 2016-08-19 17:22 GMT-03:00 Antony Stone : > >> On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote: >> >>> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin wrote: /var/log/squid/access.log

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Marcus Kool
On 08/24/2016 02:43 AM, Alex Rousskov wrote: On 08/23/2016 08:34 AM, Marcus Kool wrote: ok, I suggest that you review what is done already. I have made a few corrections and improvements, trying to document every change (and some suggestions for future work) in the commit messages. The

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread L . P . H . van Belle
Hello Dia, Thank you for the reply, So, can this be a “MIT” kerberos of HEIMDAL thing. Im use Samba4 for ADDC and that uses heimdal. Even that the logs says : "Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database". Im using NFSv4 over

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samurai
Ok This is answer (not) I was looking for. Thank you S On 24 August 2016 14:48:40 CEST, Yuri Voinov wrote: > >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA256 > > > >24.08.2016 18:44, Samuraiii wrote: >> >>> >>> > No SSL-bumping or whatever just forwarding. >>>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:44, Samuraiii wrote: > >> >> > No SSL-bumping or whatever just forwarding. >> Firstly, the concept is not safe. Users will have a secure connection to the proxy - as well as the next? HTTP? User misled green padlock, believes

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> > > No SSL-bumping or whatever just forwarding. > Firstly, the concept is not safe. Users will have a secure connection > to the proxy - as well as the next? HTTP? User misled green padlock, > believes all secure connection - as external traffic is not encrypted > after the fact. Second.

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
This config works for dstdomain acl type acl test dstdomain 123.com deny_info TCP_RESET test adapted_http_access deny test but it is not what i want . I want acl status_400 http_status 400 deny_info TCP_RESET status_400 adapted_http_access deny status_400 OR acl HTTP proto HTTP acl PORT_80

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
Against this backdrop, even a bump SSL security seems a masterpiece. 24.08.2016 18:32, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote: > >> 24.08.2016 18:23, Antony Stone wrote: >>> On Wednesday 24 August 2016

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:31, Samuraiii wrote: > >> look to the browser >> >> > like HTTPS ones. >> Then I do not understand what he wants op. >> >> >> > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection > > Secure

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote: > 24.08.2016 18:23, Antony Stone wrote: > > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > >> No one CA do not issue signing CA for subject, which is not CA itself. > >> > >> So, op wants impossible thing. > > > > Why

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> look to the browser > > > like HTTPS ones. > Then I do not understand what he wants op. > > > http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection Secure connection to squid proxy without need for anything else (on client side) than configuring proxy in

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
24.08.2016 18:23, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > >> No one CA do not issue signing CA for subject, which is not CA itself. >> >> So, op wants impossible thing. > > Why would one need a signING

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:24, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote: > >> On 24.8.2016 14:18, Yuri Voinov wrote: >>> No one CA do not issue signing CA for subject, which is not CA itself. >>> >>> So, op wants impossible thing. >> I have tried to drop clientca option,

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote: > On 24.8.2016 14:18, Yuri Voinov wrote: > > No one CA do not issue signing CA for subject, which is not CA itself. > > > > So, op wants impossible thing. > > I have tried to drop clientca option, to add generate-host-certificates=off >

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
Predictable. 24.08.2016 18:22, Samuraiii wrote: > On 24.8.2016 14:18, Yuri Voinov wrote: > > >> No one CA do not issue signing CA for subject, which is not CA itself. >> >> So, op wants impossible thing. >> > I have tried to drop clientca

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote: > No one CA do not issue signing CA for subject, which is not CA itself. > > So, op wants impossible thing. Why would one need a signING certificate just to create an SSL connection between the browser and Squid? Surely one merely

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:18, Yuri Voinov wrote: > > No one CA do not issue signing CA for subject, which is not CA itself. > > So, op wants impossible thing. > I have tried to drop clientca option, to add generate-host-certificates=off but outcome is still same error... even with just this as config:

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov
No one CA do not issue signing CA for subject, which is not CA itself. So, op wants impossible thing. 24.08.2016 18:15, Antony Stone wrote: > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote: > >> Squid fails to start for me with: >>

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Just one thing I noticed: "clientca" is not the CA which issued your "cert" (sklad.duckdns.org) - it's the CA to be used when doing client-side authentication, which I'm not sure if you're doing. Dio On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii wrote: > > > Please

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote: > Squid fails to start for me with: > FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443 > > I have found that this is related to missing self signed certificate, > and since I do not want to use self signed

[squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
Hello, I want to squid send tcp_reset as reply to non http requests on port 80 . I want that squid DONT reply these headers HTTP/1.1 400 Bad Request Server: squid Mime-Version: 1.0 Date: Wed, 24 Aug 2016 12:08:02 GMT Content-Type: text/html;charset=utf-8 Content-Length: 0 X-Cache: MISS from

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
> Please give more details for "fails". > > Is the following your entire squid.conf (except for comments)? > > Have you tried getting SSL access to Squid working before introducing > authentication? > > What are you trying, to test this, and what are the results? > > > Regards, > > > Antony.

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote: > On 24.8.2016 13:18, Antony Stone wrote: > > > > See "Encrypted browser-Squid connection" at the bottom of > > http://wiki.squid-cache.org/Features/HTTPS > > I have seen that, it is the cause of my subscription to this list. > I haven't

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 13:18, Antony Stone wrote: > Unfortunately it's not Squid that's the challenge - it's the browser. > > If you're using Firefox and/or Chrome, you should be okay. > > See "Encrypted browser-Squid connection" at the bottom of > http://wiki.squid-cache.org/Features/HTTPS > > > Antony. >

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread Diogenes S. Jesus
Hi there. Well, the log says "Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database". Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database. kadmin.local and "getprinc

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:09:52, Samuraiii wrote: > Hello, > I am trying to setup squid as SSL protected proxy for few users without > any intention to use ssl-bumping or any other MITM technique. > I just want to have SSL secured connection between browser and proxy. > Proxy will not be