[squid-users] Ubuntu 20.04 "apt update" issues behind a VPN and Squid proxy

2021-07-06 Thread David Mills
Hi,

We've got a collection of Ubuntu 18.04 boxes out in the field. They connect
to an AWS OpenVPN VPN and use a Squid 3.5 AWS hosted Proxy. They work fine.

We have tried upgrading one to 20.04. Same setup. From the command line
curl or wget can happily download an Ubuntu package from the Ubuntu Mirror
site we use. But "apt update" gets lots of "IGN:" timeouts and errors.

The package we test curl with is
https://mirror.aarnet.edu.au/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.5_amd64.deb

The Squid log shows a line that doesn't occur for the successful 18.04 "apt
updates":
1625190959.233 81 10.0.11.191 TAG_NONE/200 0 CONNECT
mirror.aarnet.edu.au:443 - HIER_DIRECT/2001:388:30bc:cafe::beef -

The full output of an attempt to update is:

> Ign:1 https://mirror.aarnet.edu.au/ubuntu focal InRelease
>
> Ign:2 https://mirror.aarnet.edu.au/ubuntu focal-updates InRelease
>
> Ign:3 https://mirror.aarnet.edu.au/ubuntu focal-backports InRelease
>
> Ign:4 https://mirror.aarnet.edu.au/ubuntu focal-security InRelease
>
> Err:5 https://mirror.aarnet.edu.au/ubuntu focal Release
>
>   Could not wait for server fd - select (11: Resource temporarily
> unavailable) [IP: 10.0.11.82 3128]
> Err:6 https://mirror.aarnet.edu.au/ubuntu focal-updates Release
>
>   Could not wait for server fd - select (11: Resource temporarily
> unavailable) [IP: 10.0.11.82 3128]
> Err:7 https://mirror.aarnet.edu.au/ubuntu focal-backports Release
>
>   Could not wait for server fd - select (11: Resource temporarily
> unavailable) [IP: 10.0.11.82 3128]
> Err:8 https://mirror.aarnet.edu.au/ubuntu focal-security Release
>
>   Could not wait for server fd - select (11: Resource temporarily
> unavailable) [IP: 10.0.1.26 3128]
> Reading package lists... Done
>
> N: Ignoring file 'microsoft-prod.list-keep' in directory
> '/etc/apt/sources.list.d/' as it has an invalid filename extension
> E: The repository 'https://mirror.aarnet.edu.au/ubuntu focal Release'
> does not have a Release file.
> N: Updating from such a repository can't be done securely, and is
> therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user
> configuration details.
> E: The repository 'https://mirror.aarnet.edu.au/ubuntu focal-updates
> Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is
> therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user
> configuration details.
> E: The repository 'https://mirror.aarnet.edu.au/ubuntu focal-backports
> Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is
> therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user
> configuration details.
> E: The repository 'https://mirror.aarnet.edu.au/ubuntu focal-security
> Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is
> therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user
> configuration details.
>

While running, the line

> 0% [Connecting to HTTP proxy (
> http://vpn-proxy-d68aca8a8f7f81d6.elb.ap-southeast-2.amazonaws.com:3128)]
>
appears often and hangs for a while.

I've tried upping the squid logging and allowing all, but they didn't offer
any additional information about the issue.

Any advice would be greatly appreciated.

Regards,

David Mills

Senior DevOps Engineer

 E: david.mi...@acusensus.com

 M: +61 411 513 404

 W: acusensus.com

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
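
One way to pull entries like the one quoted in the post above out of a larger access.log (an added example, not part of the original message or of Squid itself). It assumes Squid's default native `squid` log format; the first sample line is the post's log line rejoined onto one line, the second is constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    ts: float
    elapsed_ms: int
    client: str
    result: str   # Squid result tag, e.g. TAG_NONE or TCP_TUNNEL
    status: int   # HTTP status sent to the client
    size: int     # bytes delivered to the client
    method: str
    url: str
    hier: str     # hierarchy code, e.g. HIER_DIRECT
    peer: str     # upstream address, or "-"


def parse_line(line: str) -> Optional[Entry]:
    """Split one native-format access.log line; None if it does not fit."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], hier, peer)
    except ValueError:
        return None


def peer_family(peer: str) -> Optional[int]:
    """4 or 6 when the upstream is a literal IP address, else None."""
    try:
        return ipaddress.ip_address(peer).version
    except ValueError:
        return None


def empty_tunnels(lines) -> List[Tuple[str, str, int, Optional[int]]]:
    """CONNECT requests answered 200 for which 0 bytes were logged."""
    hits = []
    for e in filter(None, map(parse_line, lines)):
        if e.method == "CONNECT" and e.status == 200 and e.size == 0:
            hits.append((e.client, e.url, e.elapsed_ms, peer_family(e.peer)))
    return hits


SAMPLE = [
    "1625190959.233 81 10.0.11.191 TAG_NONE/200 0 CONNECT mirror.aarnet.edu.au:443 - HIER_DIRECT/2001:388:30bc:cafe::beef -",
    "1625190961.500 1540 10.0.11.191 TCP_TUNNEL/200 5321 CONNECT example.org:443 - HIER_DIRECT/192.0.2.10 -",  # constructed
]
```

Running `empty_tunnels()` over the logs of a working 18.04 client and the failing 20.04 client gives a quick side-by-side of which tunnels carried no data and which address family Squid used upstream.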


Re: [squid-users] UDP support for squid

2021-07-06 Thread robert k Wild
Thank you Amos, very much appreciated

On Tue, 6 Jul 2021, 09:51 Amos Jeffries,  wrote:

> On 6/07/21 8:43 pm, robert k Wild wrote:
> > Thanks Amos much appreciated
> >
> > Is there a way of enabling socks udp at all or is this just not the case
> > at all with squid
> >
>
> Not until Squid is changed to support HTTP over UDP. That is coming with
> HTTP/3 but nowhere near an ETA on when it will be available.
>
>
> Amos
>


Re: [squid-users] UDP support for squid

2021-07-06 Thread Amos Jeffries

On 6/07/21 8:43 pm, robert k Wild wrote:
> Thanks Amos much appreciated
>
> Is there a way of enabling socks udp at all or is this just not the case
> at all with squid

Not until Squid is changed to support HTTP over UDP. That is coming with
HTTP/3 but nowhere near an ETA on when it will be available.



Amos


Re: [squid-users] UDP support for squid

2021-07-06 Thread robert k Wild
Thanks Amos much appreciated

Is there a way of enabling socks udp at all or is this just not the case at
all with squid

Thanks,
Rob

On Tue, 6 Jul 2021, 08:02 Amos Jeffries,  wrote:

> On 23/06/21 9:06 pm, robert k Wild wrote:
> > hi all,
> >
> > after reading this guide, is this for enabling squid for SOCKSv5 ie UDP -
> >
>
> Well, yes and no.
>
> That is the guide for enabling SOCKS support. But for SOCKS/TCP
> connections, not UDP.
>
>
> > https://wiki.squid-cache.org/Features/Socks
> >
> > export CFLAGS=" -Dbind=SOCKSbind "
> > export CXXFLAGS=" -Dbind=SOCKSbind "
> > export LDADD=" -lsocks "
> >
> >
> > when building squid from source, do i append it at the end of the
> > "configure options"
> >
>
> You can either run the "export ..." commands before running ./configure
> or put them as KEY="value" parameters on its command line.
>
> Either;
>
>export CFLAGS=" -Dbind=SOCKSbind "
>export CXXFLAGS=" -Dbind=SOCKSbind "
>export LDADD=" -lsocks "
>./configure
>
> or,
>
>   ./configure \
> CFLAGS=" -Dbind=SOCKSbind " \
> CXXFLAGS=" -Dbind=SOCKSbind " \
> LDADD=" -lsocks "
>
>
> Amos


Re: [squid-users] How to use request headers in external_acl_type

2021-07-06 Thread Amos Jeffries

On 1/07/21 5:17 am, Yosi Greenfield wrote:
> Amos,
>
> As always, thank you for your dedication answering all our questions.
>
> Ok, turns out, as you noted, the browser is sending the correct request
> headers. However, on https requests the external acl program is not getting
> the custom header we're sending. SSL Bump is set, and works for our
> redirector program, but not for the external acl program.

...>

> Is it possible to get the custom abc_session header on https requests?

It *should* be, but until we know the cause of the problem we don't really
know for certain if it is fixable. Or how long/difficult that will be.


Amos


Re: [squid-users] TPROXY Error

2021-07-06 Thread Amos Jeffries

On 5/07/21 11:31 pm, Ben Goz wrote:
> By the help of God.
>
> Does someone have an idea what's wrong with my configuration?

The config you have shown does not contain any visible issues.

The feature page has information on minimum kernel and library requirements
for TPROXY to work reasonably well. There are also sections on other
things to check for in regards to routing table behaviours in various
kernels, and system security policies (e.g. SELinux, Apport, systemd).

  

Amos


Re: [squid-users] UDP support for squid

2021-07-06 Thread Amos Jeffries

On 23/06/21 9:06 pm, robert k Wild wrote:
> hi all,
>
> after reading this guide, is this for enabling squid for SOCKSv5 ie UDP -

Well, yes and no.

That is the guide for enabling SOCKS support. But for SOCKS/TCP
connections, not UDP.

> https://wiki.squid-cache.org/Features/Socks
>
> export CFLAGS=" -Dbind=SOCKSbind "
> export CXXFLAGS=" -Dbind=SOCKSbind "
> export LDADD=" -lsocks "
>
> when building squid from source, do i append it at the end of the
> "configure options"

You can either run the "export ..." commands before running ./configure
or put them as KEY="value" parameters on its command line.

Either;

   export CFLAGS=" -Dbind=SOCKSbind "
   export CXXFLAGS=" -Dbind=SOCKSbind "
   export LDADD=" -lsocks "
   ./configure

or,

   ./configure \
     CFLAGS=" -Dbind=SOCKSbind " \
     CXXFLAGS=" -Dbind=SOCKSbind " \
     LDADD=" -lsocks "


Amos