Re: [squid-users] How does squid know the url of https?

2016-09-25 Thread Amos Jeffries
On 26/09/2016 1:28 p.m., Sergio Belkin wrote:
> I've read http://wiki.squid-cache.org/Features/SslBump
> 
> But I don't understand exactly how Squid knows the URL.
> 
> Does squid a decryption is the client request?

Yes.

SSL-Bump is about performing an MITM interception attack on TLS traffic.
Decrypting it to get at the HTTP messages inside.

Since the original SslBump functionality is very much obsolete it is
perhaps best to read
 which explains
how the current releases do it.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] How does squid know the url of https?

2016-09-25 Thread Sergio Belkin
I've read http://wiki.squid-cache.org/Features/SslBump

But I don't understand exactly how Squid knows the URL.

Does squid a decryption is the client request?

Thanks in advance!

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: [squid-users] squid binding outgoing ip with a username auth

2016-09-25 Thread Amos Jeffries
On 26/09/2016 10:28 a.m., Ahmed Alzaeem wrote:
> Hi Amos, thanks for the reply.
> 
> But let me ask you another question for clarification.
> 
> 
> In the section:
> external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f 
> /path/to/config.file
> 
> Now I see it has the form:
> ip_addr[/netmask] username|@group|ALL|NONE
> 
> 
> Say I have 3 users:
> 
> user1
> user2
> and user3
> 
> ==
> user1 ——> 100.160.238.0:17648
> user2—>100.160.238.1:48049
> user3——>100.160.238.2:26394
> =
> Will the file /path/to/config.file be like below?
> 
> 
> 100.160.238.0 user1
> 100.160.238.1 user2
> 100.160.238.2 user3
> 

Yes. Exactly so.

Amos
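
A check for a helper file in the `ip_addr[/netmask] username|@group|ALL|NONE` form quoted above, reporting malformed entries and users bound to more than one address. This is an added example, not code from the thread or from the Squid project; the function names, the `#` comment handling and the sample data are assumptions.

```python
import ipaddress

# Constructed sample in the form quoted in the thread; the last two lines are
# deliberately wrong to show what the check reports.
SAMPLE = """\
100.160.238.0 user1
100.160.238.1 user2
100.160.238.2 user3
100.160.238.1 user1
100.160.238.300 user4
"""

def parse_userip(text):
    """Return (entries, errors); entries are (lineno, network, principal)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' are ignored.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append((lineno, "expected 'ip_addr[/netmask] name'"))
            continue
        try:
            # Assumption: a bare address, /prefix or /dotted-netmask is accepted.
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            errors.append((lineno, "bad address: " + fields[0]))
            continue
        entries.append((lineno, net, fields[1]))
    return entries, errors

def users_with_multiple_addresses(entries):
    """Map each plain username to its networks when it has more than one."""
    seen = {}
    for _, net, who in entries:
        if who in ("ALL", "NONE") or who.startswith("@"):
            continue  # keywords and groups are not per-user bindings
        seen.setdefault(who, set()).add(net)
    return {u: sorted(map(str, nets)) for u, nets in seen.items() if len(nets) > 1}

if __name__ == "__main__":
    entries, errors = parse_userip(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for user, nets in users_with_multiple_addresses(entries).items():
        print(f"{user} is bound to more than one address: {', '.join(nets)}")
```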



Re: [squid-users] squid binding outgoing ip with a username auth

2016-09-25 Thread --Ahmad--
Hi Amos, thanks for the reply.

But let me ask you another question for clarification.


In the section:
external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f 
/path/to/config.file

Now I see it has the form:
ip_addr[/netmask] username|@group|ALL|NONE


Say I have 3 users:

user1
user2
and user3

==
user1 ——> 100.160.238.0:17648
user2—>100.160.238.1:48049
user3——>100.160.238.2:26394
=



Will the file /path/to/config.file be like below?


100.160.238.0 user1
100.160.238.1 user2
100.160.238.2 user3



kind regards 
> On Sep 25, 2016, at 12:58 AM, Amos Jeffries  wrote:
> 
> On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
>> Hi folks.
>> 
>> I have many IPs on the same server.
>> Also I have the basic_ncsa auth type on Squid.
>> 
>> Say I have 3 IPs and I created 3 users.
>> 
>> The issue I have now is any user can use any outgoing address.
>> 
>> Let me explain below:
>> 
>> 
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> auth_param basic children 100
>> http_access allow ncsa_users
>> 
>> ###
>> http_port 100.160.238.0:17648
>> http_port 100.160.238.1:48049
>> http_port 100.160.238.2:26394
>> 
>> #
>> acl  ip1 myip 100.160.238.0
>> acl  ip2 myip 100.160.238.1
>> acl  ip3 myip 100.160.238.2
>> #
>> 
>> tcp_outgoing_address 100.160.238.0 ip1
>> tcp_outgoing_address 100.160.238.1 ip2
>> tcp_outgoing_address 100.160.238.2 ip3
>> 
> 
> 'myip' matches the Squid IP address.
> tcp_outgoing_address is what sets the Squid IP address.
> See any problem with using the Squid IP address current value to set the
> Squid IP address?
> 
> Use the myportname ACL instead. In your above config it will match the
> IP:port string on the http_port line. For example:
> 
>  acl ip0 myportname 100.160.238.0:17648
>  tcp_outgoing_address 100.160.238.0 ip0
> 
> Or you can add a name= parameter to each port to set a custom name for
> it that the myportname ACL looks for.
> 
> 
>> 
>> 
>> i created 3 users :
>> 
>> htpasswd -cdb   /etc/squid/squid_user user1 user1
>> htpasswd -cdb   /etc/squid/squid_user user2 user2
>> htpasswd -cdb   /etc/squid/squid_user user3 user3
>> 
>> #
>> 
>> 
>> 
>> now if user1 connected to 100.160.238.0:17648 it will be able to use it 
>> also if connected to   100.160.238.1:48049 also will be able .
>> 
>> and so for 100.160.238.2:26394.
>> 
>> 
>> the question is
>> how can i let user1 only use  100.160.238.0:17648  and user2 only use  
>> 100.160.238.1:48049  and user3 only use 100.160.238.2:26394 ???
>> 
> 
> Use the ext_file_userip_acl helper. The format for entries in the helper
> config file is listed in the man page:
>  >
> 
> Replace the line "http_access allow ncsa_users" with the following:
> 
> external_acl_type userIp %SRC /usr/bin/ext_file_userip_acl -f
> /etc/squid/userIP.conf
> acl userIp external userIp
> 
> http_access deny !ncsa_users
> http_access allow userIp
> 
> NP: that is all. Do not add userIp check to tcp_outgoing_address lines.
> 
> 
> After all the above changes your squid.conf should look something like this:
> 
> ## ... the default http_access rules at the top ...
> ##
> ## Your local custom rules go here:
> 
> auth_param basic program /lib/squid/basic_ncsa_auth \
>     /etc/squid/squid_user
> auth_param basic children 100
> 
> external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
>     -f /etc/squid/userIP.conf
> 
> acl ncsa_users proxy_auth REQUIRED
> acl userIp external userIp
> 
> http_access deny !ncsa_users
> http_access allow userIp
> http_access deny all
> 
> ##
> http_port 100.160.238.0:17648 name=0
> acl ip0 myportname 0
> tcp_outgoing_address 100.160.238.0 ip0
> 
> http_port 100.160.238.1:48049 name=1
> acl ip1 myportname 1
> tcp_outgoing_address 100.160.238.1 ip1
> 
> http_port 100.160.238.2:26394 name=2
> acl ip2 myportname 2
> tcp_outgoing_address 100.160.238.2 ip2
> 
> 
> Amos
> 


Re: [squid-users] Errors in cache.log

2016-09-25 Thread Amos Jeffries
On 26/09/2016 7:36 a.m., erdosain9 wrote:
> # Bandwidth pools
> delay_pools 3 
> 
> ### SPEED FOR SOCIAL NETWORKS
> delay_class 1 1 
> delay_parameters 1 1/10 
> delay_access 1 allow adminis redes_sociales !stream 
> delay_access 1 deny all 
> 
> 
> # Limit video streaming to 20k
> delay_class 2 1 
> delay_parameters 2 2/10 
> delay_access 2 allow adminis stream !redes_sociales
> delay_access 2 deny all 
> 
> 
> # Administration bandwidth
> delay_class 3 1 
> delay_parameters 3 256000/256000 
> delay_access 3 allow adminis !stream !redes_sociales 
> delay_access 3 deny all 
> 
> 
> So, here I have 3 different bandwidths for the same people (adminis) on different
> websites... like 10kb if they go to "facebook", 20kb, if they go to "youtube",
> and 256kb for all the rest.
> 
> this would be fine?

Yes.

Amos



Re: [squid-users] Errors in cache.log

2016-09-25 Thread erdosain9
# Bandwidth pools
delay_pools 3 

### SPEED FOR SOCIAL NETWORKS
delay_class 1 1 
delay_parameters 1 1/10 
delay_access 1 allow adminis redes_sociales !stream 
delay_access 1 deny all 


# Limit video streaming to 20k
delay_class 2 1 
delay_parameters 2 2/10 
delay_access 2 allow adminis stream !redes_sociales
delay_access 2 deny all 


# Administration bandwidth
delay_class 3 1 
delay_parameters 3 256000/256000 
delay_access 3 allow adminis !stream !redes_sociales 
delay_access 3 deny all 


So, here I have 3 different bandwidths for the same people (adminis) on different
websites... like 10kb if they go to "facebook", 20kb, if they go to "youtube",
and 256kb for all the rest.

this would be fine?

Thanks!







Re: [squid-users] How to log url_rewrite results

2016-09-25 Thread Amos Jeffries
On 25/09/2016 5:29 p.m., Michael Pelletier wrote:
> Hello,
> 
> I can not get %et to log anything. What am I missing?
> 

%et is the tag produced by an external_acl_type helper, nothing to do
with url_rewrite_program.

If you are using Squid-3.4+ AND your helper is updated to use the
key=value pair protocol for those Squid versions, then you could log
%note{status}:%note{url} for redirections, or %note{url-rewrite} for
re-written URLs.

Amos
