Re: [squid-users] compile squid with tumbleweed

2021-05-10 Thread vacheslav

yes, from the browser..

squid cache last showed:

2021/04/02 15:52:47 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/04/02 15:52:47 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/04/02 15:52:47 kid1| Unlinkd pipe opened on FD 40
2021/04/02 15:52:47 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2021/04/02 15:52:47 kid1| Store logging disabled
2021/04/02 15:52:47 kid1| Swap maxSize 3072000 + 1048576 KB, estimated 316967 objects
2021/04/02 15:52:47 kid1| Target number of buckets: 15848
2021/04/02 15:52:47 kid1| Using 16384 Store buckets
2021/04/02 15:52:47 kid1| Max Mem  size: 1048576 KB
2021/04/02 15:52:47 kid1| Max Swap size: 3072000 KB
2021/04/02 15:52:47 kid1| Rebuilding storage in /var/cache/squid (clean log)
2021/04/02 15:52:47 kid1| Using Least Load store dir selection
2021/04/02 15:52:47 kid1| Set Current Directory to /var/cache/squid
2021/04/02 15:52:47 kid1| Finished loading MIME types and icons.
2021/04/02 15:52:47 kid1| HTCP Disabled.
2021/04/02 15:52:47 kid1| Pinger socket opened on FD 45
2021/04/02 15:52:47 kid1| Squid plugin modules loaded: 0
2021/04/02 15:52:47 kid1| Adaptation support is off.
2021/04/02 15:52:47 kid1| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 43 flags=9
2021/04/02 15:52:47| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
2021/04/02 15:52:47| pinger: Initialising ICMP pinger ...
2021/04/02 15:52:47| pinger: ICMP socket opened.
2021/04/02 15:52:47| pinger: ICMPv6 socket opened
2021/04/02 15:52:47 kid1| Store rebuilding is 19.99% complete
2021/04/02 15:52:47 kid1| Done reading /var/cache/squid swaplog (20010 entries)
2021/04/02 15:52:47 kid1| Finished rebuilding storage from disk.
2021/04/02 15:52:47 kid1| 20010 Entries scanned
2021/04/02 15:52:47 kid1| 0 Invalid entries.
2021/04/02 15:52:47 kid1| 0 With invalid flags.
2021/04/02 15:52:47 kid1| 20010 Objects loaded.
2021/04/02 15:52:47 kid1| 0 Objects expired.
2021/04/02 15:52:47 kid1| 0 Objects cancelled.
2021/04/02 15:52:47 kid1| 0 Duplicate URLs purged.
2021/04/02 15:52:47 kid1| 0 Swapfile clashes avoided.
2021/04/02 15:52:47 kid1|   Took 0.26 seconds (76538.52 objects/sec).
2021/04/02 15:52:47 kid1| Beginning Validation Procedure
2021/04/02 15:52:47 kid1|   Completed Validation Procedure
2021/04/02 15:52:47 kid1|   Validated 20010 Entries
2021/04/02 15:52:47 kid1|   store_swap_size = 1355568.00 KB
2021/04/02 15:52:47 kid1| WARNING: /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB #Hlpr1 exited
2021/04/02 15:52:47 kid1| Too few /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB processes are running (need 1/32)
2021/04/02 15:52:47 kid1| Closing HTTP(S) port 0.0.0.0:8080
2021/04/02 15:52:47 kid1| storeDirWriteCleanLogs: Starting...
2021/04/02 15:52:47 kid1|   Finished.  Wrote 20010 entries.
2021/04/02 15:52:47 kid1|   Took 0.01 seconds (3978131.21 entries/sec).
2021/04/02 15:52:47 kid1| FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!


squid log last showed:


1617367631.100    868 10.0.28.26 TCP_REFRESH_MODIFIED_ABORTED/200 13935 GET http://spastv.ru/ - HIER_DIRECT/84.201.153.140 text/html
1617367725.880  0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1617367845.916  0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -


which is an every minute check


sudo systemctl status squid
● squid.service - Squid caching proxy
 Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
 Active: failed (Result: exit-code) since Sun 2021-04-04 21:58:13 +03; 5s ago
   Docs: man:squid(8)
    Process: 28198 ExecStartPre=/usr/libexec/squid/initialize_cache_if_needed.sh (code=exited, status=0/SUCCESS)
    Process: 28202 ExecStart=/usr/sbin/squid -FC (code=exited, status=0/SUCCESS)
   Main PID: 28203 (code=exited, status=1/FAILURE)

Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28355 started
Apr 04 21:58:12 proxy (squid-1)[28355]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: squid-1 process 28355 exited with status 1
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 28405 started
Apr 04 21:58:13 proxy (squid-1)[28405]: FATAL: The /usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 exited with status 1
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 will not be restarted for 3600 seconds due to repea>
Apr 04 21:58:13 proxy squid[28203]: Exiting due to repeated, frequent failures
Apr 04 21:58:13 proxy systemd[1]: squid.service: Main process exited, 

Re: [squid-users] compile squid with tumbleweed

2021-05-10 Thread Vacheslav
hmm, thanks for both of you.. i regenerated new certificates using 
Eliazer's method and now squid restarted but it is refusing connections..
i normally configure port 8080 as the proxy port in the browser, and i 
am thinking there needs to be another port for ssl bumping?


now the configuration is like this:




# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

##sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump  cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB




ssl_bump peek all
ssl_bump splice all



#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
#refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
#refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims




range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1



cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?)   0   0%  0
refresh_pattern .   0   20% 4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


On 4/2/21 2:02 PM, Amos Jeffries wrote:

On 1/04/21 11:41 pm, Majed Zouhairy wrote:


to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der




sudo squid -z

asks for certificate password
then

Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080


That says there is no CA certificate found in the file configured for
that port's tls-cert= option. Squid requires a signing (CA) certificate
and its private key in order to perform SSL-Bump.


With "squid -k parse" Squid should tell you what it is loading from that 
file.





squid conf:


...


http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA






ssl_bump peek all
ssl_bump splice all

sslproxy_cert_error allow all





Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




Re: [squid-users] limit bandwidth

2020-11-06 Thread vacheslav


2.09.20 18:23, Amos Jeffries wrote:

On 1/09/20 7:50 pm, Majed Zouhairy wrote:

On Tue, 2020-09-01 at 05:10 +1200, Amos Jeffries wrote:

On 31/08/20 8:24 pm, Vacheslav wrote:

Peace,

been suffering for many hours so i'd rather ask for aid..

i'm trying to limit the flow mainly for the most maximize people


Okay.

What Squid version are you using?



sudo squid -v
Squid Cache: Version 4.13
Service Name: squid


acl slower src 10.46.0.74 10.46.0.107

One of the reasons this posting got held up for moderation was that the
lines which are supposed to contain ASCII tab characters contained
Unicode characters "\c3\82".

this is now another email client..so let's confirm that

If those Unicode characters are actually present in your squid.conf file
then you need to go through and remove them all.

i went ahead and typed those added lines in nano and deleted the
original ones..still not a trump!

...

acl localnet src 10.46.0.0/24   #  local private network (LAN)

...

acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"


...


error_directory /usr/share/squid/errors/en

The above is a default value. Remove that line from your config.

this? error_directory /usr/share/squid/errors/en

Yes, that one.

so it's not the email client even



delay_pools 1
delay_class 1 3
delay_access 1 allow slower !localnet

All IPs which match "slower" ACL are also matched by "localnet" ACL.

It is impossible for an IP to be both part of slower and not part of
localnet. So this line never matches and all traffic is not-delayed.

To fix, remove the "!localnet" requirement from the above line.

i already tried that, i was thinking that there would be an option like
acl slower src 10.46.0.74 10.46.0.107
acl localnet src !10.46.0.74 10.46.0.0/24
so as not type the whole subnet individual addresses


It is possible to define an ACL like localnet with holes. But that would
not do what you are wanting.

still that would be very nice to know



"delay_access 1 allow slower"  does what you are asking for in terms of
only the IPs listed in "slower" having their traffic slowed down.

If that is not working, then you may be hitting a bug or something is
different from what you have told us about the traffic. eg CONNECT
tunnels do not always have delay pools applied in Squid-4.


Amos


it's only working on http downloads,

might it have any relationship with ufdbguard is being used?

the rest of the config

delay_pools 1
delay_class 1 3
delay_access 1 allow slower
delay_access 1 deny all
delay_parameters 1 51200/51200 -1/-1 51200/25600

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 512 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9
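
The never-matching rule discussed in this message ("delay_access 1 allow slower !localnet", where every address in slower is also in localnet) can be found mechanically. The following is an added example, not code from the thread or from the Squid project: it walks one pool's delay_access lines in order and reports which clients end up in the pool and which rules can never match. The names audit_pool and SAMPLE_CONF are hypothetical, and only IPv4 src ACLs (address, CIDR, a-b range) and the built-in all are modelled.

```python
import ipaddress

# Constructed sample: the ACL and delay_access lines quoted in the thread.
SAMPLE_CONF = """\
acl slower src 10.46.0.74 10.46.0.107
acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.46.0.0/24        #  local private network (LAN)
delay_access 1 allow slower !localnet
delay_access 1 deny all
"""

EVERYONE = [(0, 2**32 - 1)]  # whole IPv4 space as one inclusive integer range


def parse_src(token):
    """Turn one src value (address, CIDR or a-b range) into (start, end)."""
    if "-" in token:
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in token.split("-", 1))
        return lo, hi
    net = ipaddress.IPv4Network(token, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(ranges):
    """Sort ranges and merge the ones that overlap or touch."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def intersect(a, b):
    """Addresses present in both range lists."""
    hits = [(max(al, bl), min(ah, bh)) for al, ah in a for bl, bh in b]
    return merge([(lo, hi) for lo, hi in hits if lo <= hi])


def subtract(a, b):
    """Addresses in a that are not in b (b must be merged and sorted)."""
    out = []
    for lo, hi in a:
        cur = lo
        for bl, bh in b:
            if bh < cur or bl > hi:
                continue          # this b range does not touch [cur, hi]
            if bl > cur:
                out.append((cur, bl - 1))
            cur = bh + 1
        if cur <= hi:
            out.append((cur, hi))
    return merge(out)


def parse_conf(text):
    """Collect src ACLs and delay_access rules; other directives are ignored."""
    acls, rules = {"all": list(EVERYONE)}, []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            acls.setdefault(f[1], []).extend(parse_src(v) for v in f[3:])
        elif len(f) >= 4 and f[0] == "delay_access":
            rules.append((f[1], f[2], f[3:]))
    return {name: merge(r) for name, r in acls.items()}, rules


def rule_clients(names, acls):
    """Client addresses for which every ACL on one delay_access line is true."""
    current = EVERYONE
    for name in names:
        base = name.lstrip("!")
        if base not in acls:
            raise ValueError(f"only src ACLs and 'all' are modelled, got {base!r}")
        op = subtract if name.startswith("!") else intersect
        current = op(current, acls[base])
    return current


def show(r):
    """Render one integer range as an address or an a-b range."""
    lo, hi = ipaddress.IPv4Address(r[0]), ipaddress.IPv4Address(r[1])
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_pool(text, pool="1"):
    """Walk one pool's delay_access lines in order (first match wins).

    Returns (clients placed in the pool, rules that can never match).
    Assumes the list ends in an explicit allow/deny all, as in the thread.
    """
    acls, rules = parse_conf(text)
    undecided, members, dead = EVERYONE, [], []
    for rule_pool, action, names in rules:
        if rule_pool != pool:
            continue
        matched = rule_clients(names, acls)
        if not matched:
            dead.append(f"delay_access {rule_pool} {action} {' '.join(names)}")
        if action == "allow":
            members += intersect(matched, undecided)
        undecided = subtract(undecided, matched)
    return [show(r) for r in merge(members)], dead


if __name__ == "__main__":
    print(audit_pool(SAMPLE_CONF))
    print(audit_pool(SAMPLE_CONF.replace("slower !localnet", "slower")))
```
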




Re: [squid-users] limit bandwidth

2020-11-06 Thread Vacheslav
Well now it works only on http downloads.. thanks mais the problem is 
that most downloads are now through https





[squid-users] limit bandwidth

2020-08-31 Thread Vacheslav

Peace,

been suffering for many hours so i'd rather ask for aid..

i'm trying to limit the flow mainly for the most maximize people


acl slower      src 10.46.0.74 10.46.0.107
acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.46.0.0/24        #  local private network (LAN)


acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 8080    # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.k

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
error_directory /usr/share/squid/errors/en
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed


delay_pools 1
delay_class 1 3
delay_access 1 allow slower !localnet
delay_access 1 deny all
delay_parameters 1 12800/12800 -1/-1 6400/12800


http_access allow localnet
http_access allow localhost

i tried doing the delay class 1 1

but bandwidth is full



Re: [squid-users] I would like to know performance sizing aspects.

2020-08-23 Thread vacheslav

having 3GB memory with a ufdb improves performance

6.08.20 08:28, m k wrote:

Eliezer,

Squid's default setting is 1 core CPU, 16GB mem.
How many URLs(Blacklist) will degrade Squid's performance?

Also, SSL-Bump.

Thank you,
kitamura


6 Aug 2020 (Thu) 13:38 Eliezer Croitor:


Kitamura,

About the tens of thousands of URLs, Have you considered using a
Blacklisting utility, it might lower the memory footprint.

Eliezer



Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com 

*From:* squid-users <squid-users-boun...@lists.squid-cache.org> *On Behalf Of* m k
*Sent:* Thursday, August 6, 2020 7:25 AM
*To:* Amos Jeffries <squ...@treenet.co.nz>
*Cc:* squid-users@lists.squid-cache.org

*Subject:* Re: [squid-users] I would like to know performance sizing aspects.

Amos,

Thank you for your reply.

It was very helpful.

> That number was gained before HTTPS became so popular. So YMMV depending
> on how many CONNECT tunnels you have to deal with. That HTTPS traffic can
> possibly be decrypted and cached but performance trade-offs are quite large.

Squid uses SSL-Bump.

I'm very worried about the internet slowing down due to https
decoding. and I'm also worried about the internet slowing down
due to using Blacklist.

I load tens of thousands of URL(black list file) every time I set up ACL.

How many requests does SSL-Bump in one second?

Thank you,

kitamura

5 Aug 2020 (Wed) 10:32 Amos Jeffries <squ...@treenet.co.nz>:

On 5/08/20 11:28 am, m k wrote:
>> We are considering to use Squid for our proxy, and would like to know
>> performance sizing aspects.
>>
>> Current web access request averages per 1 hour are as followings
>> Clients:30,000、
>> Page Views:141,741/hour
>> *Requests:4,893,106
>>

Okay. Requests and client count are the important numbers there.

The ~1359 req/sec is well within a default Squid capabilities, which can
extend up to around 10k req/sec before needing careful tuning.

That number was gained before HTTPS became so popular. So YMMV depending
on how many CONNECT tunnels you have to deal with. That HTTPS traffic
can possibly be decrypted and cached but performance trade-offs are
quite large.


>> We will install Squid on CentOS 8.1.  Please kindly share your
>> thoughts / advices

Whatever OS you are most comfortable with administering. Be aware that
CentOS official Squid packages are very slow to update - Apparently they
still have only v4.4 (8 months old) despite a 8.2 point release only a
few weeks ago.

So you may need to be building your own from sources and/or using other
semi-official packagers such as the ones from Eliezer at NGTech when he
gets around to CentOS 8 packages.
  


FYI; If you find yourself having to use SSL-Bump, then we highly
recommended to follow the latest Squid releases with fairly frequent
updates (at minimum a few times per year - worst case monthly). If you
like CentOS you may find Fedora more suitable to track the security
environment volatility and update churn.


>> Is there sizing methodology and tools?

There are a couple of methodologies, depending on what aspect you are
tuning towards - and one for identifying the limitation points to begin
a tuning process tuning.

The info you gave above is the beginning. Checking to see if your
traffic rate is reasonably within capability of a single Squid instance.

Yours is reasonable, so next step is to get Squid running and see where
the trouble points (if any) are.

 For more see 



>> How much resources are generally recommended for our environment?
>>  CPU:  Memory:  Disk space : Other factors to be considered if any:
>> Do you have a generally recommended performance testing tools? Any
>> suggested guidelines?
>>


 CPU - squid is still mostly single-process. So prioritize faster GHz
rates over core number. Multi-core can help of course, but not as much
as cycle speeds do. Hyper-threading is useless for Squid.

 Memory - Squid will use as much as you can give it. Let your budget
govern this.

 Disk - Squid will happily run with no disk - or lots of 

Re: [squid-users] Exclude dstdomain in access.log file

2020-01-01 Thread Vacheslav
well ufdbguard is better, it's about time to upgrade..
On Wed, 2020-01-01 at 18:14 -0300, Roberto Carna wrote:
> Hi people, I have Debian 9 + Squid 3.5.23.
> 
> I'm using squidguard to filter domains and URL's, so in
> /etc/squid/squid.conf I have:
> 
> url_rewrite_program /usr/bin/squidGuard -c
> /etc/squidguard/squidGuard.conf
> 
> I must exclude "hangouts.google.com" domain in
> /var/log/squid/access.log file.
> 
> So firstly I edited in my /etc/squid/squid.conf file:
> 
> acl exclude dstdomain hangouts.google.com
> access_log none exclude
> access_log /var/log/squid/access.log squid
> 
> But it didn't work, when I executed "tail -f
> /var/log/squid/access.log" I could see logs from hangouts.google.com.
> 
> After that I edited again my /etc/squid/squid.conf file:
> 
> acl exclude dstdomain hangouts.google.com
> access_log /var/log/squid/access.log squid !exclude
> 
> But it didn't work again.
> 
> Please can you tell me what I can do in order to deny logs from
> hangouts.google.com ???
> 
> Thanks a lot, greetings !!!
> 
> Robert


[squid-users] squid log analyzer

2019-12-20 Thread Vacheslav
i searched for a ufdb guard log analyzer and it was like looking for
aliens..so i settled for squid log analyzers..i tried calamaris which
reminded me that squid is translated to kalmar in Russian but the
version on opensuse does not provide what user went to where..i read
about lots of options..many are stopped from being updated, others
require too much setup and finally i saw sarg! almost everyone was
bashing it as slow and try this instead..but it promised to show which
user visited what url, so i installed it and tried it from command line
and it was fast but it failed to create the index file in the
configured folder so couldn't see the html results.. i suffered all day
reading this and that and experimenting and it was useless, so i tried
reaching for help on their forum and it is like i visited a ghost
town..
so who has tried  something similar to do this that is working?




Re: [squid-users] Problem webpagge filter - acl & http_access

2019-10-15 Thread Vacheslav
I too wanted to block, but it was youtube, and eventually the best way
to do it was squid + ufdbguard

On Tue, 2019-10-15 at 13:03 -0500, ndoigny wrote:
> Hi All,
> 
> I did a Squid basic configuration on the port 3128.
> 
> The server proxy works correctly and I can browse from a client machine
> when I configure the proxy configuration.
> But when I try to do some web filtering on some sites, I always manage to
> access it
> 
> I created a txt file 'blocked_sites' in the path 'C:\squid\etc\squid'.
> I created the following ACL :
> acl blocked_sites dstdomain '/etc/squid/blocked_sites.txt'
> http_access deny blocked_sites
> 
> In the blocked_sites file txt, I indicate :
> 
> .facebook.com
> .msn.com
> .orange.be
> 
> I restarted the Squid service but the filter isn't working.
> 
> Can you help me ?
> 
> Thanks in advance.
> 
> Nicolas
> 
> 
> 
> --
> Sent from: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


Re: [squid-users] TAG_NONE/403 on www.mediavida.com

2019-05-29 Thread Vacheslav Zouhairy
and in order for this not to happen again start suspecting yourself at
first instead of others


On Wed, 2019-05-29 at 05:15 -0500, Kike wrote:
> Okay. Found the issue.
> 
> I was doing ping to google, everything fine. I then pinged www.mediavida.com
> and got returned by 127.0.0.1...
> Then I check the /etc/hosts while I was saying to myself "oh no, oh no, oh
> no..." and there it was, a rule that I put in the file a whole time ago I
> didn't even remember: 127.0.0.1 www.mediavida.com
> 
> I removed it and, of course it worked!
> 
> Soo embarrassed, I spent so much time on this looking to other stuff... my god
> 
> So sorry Amos and thank you s much!
> 
> 
> 


Re: [squid-users] youtube restriction.

2019-04-05 Thread Vacheslav Zouhairy
time to try ufdbguard, it is very flexible and relatively easy to
configure.
On Fri, 2019-04-05 at 15:06 +0200, Wegner Michaël wrote:
> Hi,
>  
> I install squid + squidguard, and I can’t play youtube video.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ; 
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
>  
> Error : video not available 
> access to this video is limited
> 
> I have Ubuntu server 18.04 and squid v 3.5.27
> 
> Can you help me please
> 
> Thanks, Kind Regards


Re: [squid-users] Squid proxies won't pop up authentication or even attempt

2019-02-22 Thread Vacheslav Zouhairy
have you made sure that you clicked use this proxy for all protocols?

On Fri, 2019-02-22 at 00:25 -0600, amlgp wrote:
> Hi all, I've been trying to troubleshoot this for the last 2 days and it's
> starting to drive me nuts.
> 
> I am running on a Centos 6 server trying to start up some proxies with
> Squid.
> 
> When I manually try to enter my proxy using Firefox, no window pops up for
> authentication and I just time out. I have read that this might be due to a
> http access or acl error but I can't see anything wrong.
> 
> Steps I have taken so far:
> 
> -Set up network interfaces with Centos(all my IP's ping correctly from
> inside the server and outside the server)
> -Set up squid.conf with acl and userpass authentication
> 
> Squid version: squid-3.1.23-24.el6.x86_64
> 
> Access logs are empty, error logs are currently empty in
> /var/log/squid/squid.out after I fixed the visible_hostname error. Squid
> starts/restarts/stops without errors.
> 
> 
> I have tried using the actual hostname that shows up when using the
> "hostname" command and there are no changes, so I just replaced it with
> localhost instead.
> 
> Also, abc 123 x are real numbers, and the IP pings but the exact numbers
> have been replaced for this post.
> 
> Does anyone see what the problem might be? Thank you in advance!
> 
> 
> 


Re: [squid-users] Sslbump with multiple users and multiple ACLs for each

2019-01-03 Thread Vacheslav
Yeah,  with ufdbguard maybe there are other means ..

-Original Message-
From: squid-users  On Behalf Of 
stressedtux
Sent: Thursday, January 3, 2019 5:38 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Sslbump with multiple users and multiple ACLs for each

>i need a hand to understand if it is possible to configure the proxy a
>particular way.

>Im needing to configure the proxy to allow at the same time:

>- a whitelist of sites that anyone that uses the proxy could use without login
>- and in addition to that i need to have specific ACLs for different
>authenticated users.

>I need to control both http and https connections to external sites. I can use
>sslbump but im having hard time configuring sslbump with proxy_auth, and on
>top of that, i need different acl whitelists for different users.

>Is this kind of configuration possible? Just trying to understand if im on a
>dead road :D

>Thanks in advance!
>Tux





Re: [squid-users] bank blocked

2018-10-31 Thread Vacheslav
I do not use bump or splice if that is what you mean. I do not import 
certificates.. it works without proxy.

-Original Message-
From: squid-users  On Behalf Of 
Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] bank blocked

On 31.10.18 17:41, Vacheslav wrote:
>2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
>2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

does your system recognize this authority? Do you have an actual list of CAs?

>2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
>2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
>2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config https-option  i.bps-sberbank.by:443 CONNECT
>
>What is wrong?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


[squid-users] bank blocked

2018-10-31 Thread Vacheslav
Peace,

Here is the log ufdbguard:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?




Re: [squid-users] Git tag strategy in Squids GitHub repo

2018-08-22 Thread Vacheslav


-Original Message-
From: squid-users  On Behalf Of Alex 
Rousskov
Sent: Wednesday, August 22, 2018 5:51 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Git tag strategy in Squids GitHub repo

On 08/21/2018 09:05 PM, Amos Jeffries wrote:
> On 21/08/18 11:22 PM, Simon Staeheli wrote:
>> It would be awesome if there is tag pointing to every official Squid 
>> release. 

> our auto-commit bot the QA team came up with does not do tagging.

>Very true. It also does not water plants.


> And tags from third-party repositories (ie my release staging
> one) are not imported by the github PR process.

>True again and still irrelevant. GitHub does not import lightweight tags when 
>merging PRs because those tags are not a part of a PR branch and are not 
>supposed to be imported by git design.

>GitHub certainly supports release tagging. The PR merging bot is not (and 
>probably should not be) responsible for releases, including release tagging.

>FWIW, in March 2018 email to Amos, I have already tried to explain the design 
>approach behind git tagging and offered a specific short-term tagging 
>solution. I did not get a response.

>Alex.

I get this all the time it's never me, it's everybody else who is out to get me 
:)
Like it wasn't the driver, the port on the switch was blocking, i.e I'm the 
innocent good guy!


Re: [squid-users] Git tag strategy in Squids GitHub repo

2018-08-22 Thread Vacheslav


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Wednesday, August 22, 2018 5:03 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Git tag strategy in Squids GitHub repo

On 22/08/18 7:27 PM, Vacheslav wrote:
> 
> -Original Message-
> From: Amos Jeffries
> 
> On 21/08/18 11:22 PM, Simon Staeheli wrote:
>> Hi there
>>
>> We build Squid directly from its sources 
>> (https://github.com/squid-cache/squid.git) and not via the tar.gz from 
>> squid-cache.org . Is there a clear strategy how you guys use git tags? It 
>> looks like as there are some SQUID_4_0_X tags but they were never updated 
>> since Squid 4 became stable. 
>>
>> It would be awesome if there is tag pointing to every official Squid 
>> release. 
>>
> 
>> Formally each release is supposed to have a SQUID_N_N(_X) tag.
> 
>> However, our auto-commit bot the QA team came up with does not do tagging. 
>> And tags from third-party repositories (ie my release staging
> one) are not imported by the github PR process.
> 
> So Why not ask them to fix that?
> 

>What makes you think I didn't do that most obvious of things?

Well the language you used is the one I use when I am talking about a resource 
which belongs to an enemy of mine!

>Amos


Re: [squid-users] Git tag strategy in Squids GitHub repo

2018-08-22 Thread Vacheslav


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Wednesday, August 22, 2018 6:06 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Git tag strategy in Squids GitHub repo

On 21/08/18 11:22 PM, Simon Staeheli wrote:
> Hi there
> 
> We build Squid directly from its sources 
> (https://github.com/squid-cache/squid.git) and not via the tar.gz from 
> squid-cache.org . Is there a clear strategy how you guys use git tags? It 
> looks like as there are some SQUID_4_0_X tags but they were never updated 
> since Squid 4 became stable. 
> 
> It would be awesome if there is tag pointing to every official Squid release. 
> 

>Formally each release is supposed to have a SQUID_N_N(_X) tag.

>However, our auto-commit bot the QA team came up with does not do tagging. And 
>tags from third-party repositories (ie my release staging
>one) are not imported by the github PR process.

So Why not ask them to fix that?

>Amos


Re: [squid-users] simple question Installed squid right now all internet access is blocked

2018-08-17 Thread Vacheslav
What you could say, why do I feel like he is trolling, although I would still 
think this is slander, but of course condemning is much worse than slander!

 

From: squid-users  On Behalf Of Alex 
K
Sent: Thursday, August 16, 2018 6:17 PM
To: Oldman 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] simple question Installed squid right now all 
internet access is blocked

 

Why do I have the feeling that this is a troll?

 

 

 

On Thu, Aug 16, 2018, 14:29 Oldman <ad...@daraksun.com> wrote:

You wanted to know my server ip  and did you expect me to publish this
online?

I chose to believe you are wasting my time :)

I am sorry I do not want to be rude but you are wasting my time.

Why you don't hire a tech then to set this up for you? You don't provide the 
requested info regardless how patiently it has been asked and you demand in the 
same time help... Providing internal ip details and not public ones has zero 
security implications...




--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


Re: [squid-users] Squid + Squidguard Youtube URL video filtering

2018-08-16 Thread Vacheslav
Wouldn't it be better to try it in ufdbguard?

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Thursday, August 16, 2018 4:18 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid + Squidguard Youtube URL video filtering

On 17/08/18 00:43, Roberto Carna wrote:
> Dear, I have Squid + Squidguard working OK.
> 
> Squidguard is filtering the entire www.youtube.com website.
> 
> But now I have to permit just one video from Youtube:
> 
> https://www.youtube.com/embed/ff9sDLGtnK8?rel=0=0
> 
> I have added the below URL as an exception in Squidguard:
> 
> www.youtube.com/embed/ff9sDLGtnK8?rel=0=0
> 
> but after that I can't see it, still blocked.
> 
> How can I enable just this URL from Squidguard preferently blocking 
> the rest of Youtube ???

>Unfortunately only with a great deal of difficulty.

>The "?v=..." and "/embed/..." URLs are just public identifiers to access the 
>YouTube APIs. At the HTTP level they result in a quite long series of 
>sub-requests, redirections and the like bouncing all over the
>youtube.* and googlevideos.* and googleapis.* domains.
>Yes all of them are involved multiple times. So whitelisting is an 
>all-or-nothing prospect, with other G services being implicitly whitelisted as 
>side effects.


>Also, whenever the way to decipher the above maze of traffic gets published so 
>we can do things like what you ask, YT shortly afterwards changes how it 
>operates - usually towards even more complexity. This has happened too many 
>times to be coincidence IMO.


>Amos


Re: [squid-users] Allow one country only be able to use squid proxy?

2018-08-16 Thread Vacheslav
Why not just use an ad & porn blocking dns server?

-Original Message-
From: squid-users  On Behalf Of 
Antony Stone
Sent: Thursday, August 16, 2018 12:50 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Allow one country only be able to use squid proxy?

On Thursday 16 August 2018 at 11:39:29, Oldman wrote:

> I can get block of a country ip from
> 
> https://www.ip2location.com/blockvisitorsbycountry.aspx
> 
> Where to put that in conf file so I from a particular country only can 
> access internet?

>Er, you are suggesting that you will run a Squid proxy which can be used by 
>anyone with an IP address in a certain country?

>Who are you trying to provide proxy services to?


Antony.

--
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] microsoft list

2018-08-16 Thread Vacheslav
It's not nice to practice hypocrisy, he who believes in evolution goes to 
magicians! 

-Original Message-
From: Eliezer Croitoru  
Sent: Wednesday, August 15, 2018 10:35 AM
To: 'Vacheslav' 
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] microsoft list

Well..
It's a Squid-Cache mailing list but you wrote a very long sentence and it's 
hard to understand.
Health is important and trusting the Wizard is only when he proved himself 
worthy of it.
Microsoft have been proving that it's worth honor
If you specifically do not like their updates or caching computability or 
security then you are in the right place.
Microwave is nice and has benefits and losses but.. it gives easier lives to 
many.

Here we try to be direct and to not hold a mystery in the text.
You are welcome to add some more technical details to the subject if we do not 
know about it.

I will try to look at the git repository and learn.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vacheslav
Sent: Tuesday, August 14, 2018 2:08 PM
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

Well since you asked and are actually interested, I am going to reveal the 
secret just like Vanunu and  Rabin. The program is called disable win track!
But what I don't understand is that too many people get to understand stuff 
like split and peak and tls and even tougher technical stuff but when it comes 
to health, they just trust their wizard is giving them the right magic potion!
No one would break a thermometer and drink its contents but that is exactly 
what most do to their dearest beloved ones with disaster loaded needles!

-Original Message-
From: Eliezer Croitoru  
Sent: Tuesday, August 14, 2018 11:01 AM
To: 'Vacheslav' 
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] microsoft list

>Can you share this git with us?
>We are probably not updated enough.
>It will probably help others too so.

Can you please share it with us?

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vacheslav
Sent: Wednesday, August 1, 2018 9:19 AM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, July 31, 2018 7:34 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

On 31/07/18 23:32, Vacheslav wrote:
> Satanic greetings, you really think you are the smartest of us all that we 
> can't think of your stupid suggestion?
> 

>Please be civil. The response you received was a reasonable answer to your 
>question.

You won't find any more civil love than that.

>Both the TechNet article linked and the Squid FAQ config example for Windows 
>Update contains lists of domains that service uses.

>Blocking the rest of Microsoft and all of Akamai *by URL* is a much more 
>difficult proposition. Between them they host a very large percentage of 
>Internet domains.

Your last sentence is totally false. I found an open source handy piece of 
software which lets you choose how much you would like to block, even skype if 
desired, too bad there isn't a donate button on github or am I missing it?
So I just copied the domains inserted in the hosts file and plugged it in 
ufdbguard and the people who use this squid have considerably less traffic than 
others.

>Amos


Re: [squid-users] microsoft list

2018-08-14 Thread Vacheslav
Well, I am not talking to those who use microwaves and consider snickers a 
great food

-Original Message-
From: squid-users  On Behalf Of 
Antony Stone
Sent: Tuesday, August 14, 2018 2:26 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

On Tuesday 14 August 2018 at 13:08:25, Vacheslav wrote:

> Well since you asked and are actually interested, I am going to reveal 
> the secret just like Vanunu and  Rabin. The program is called disable 
> win track!

So, this is https://github.com/10se1ucgo/DisableWinTracking/releases ?

> But what I don't understand is that too many people get to understand 
> stuff like split and peak and tls and even tougher technical stuff but 
> when it comes to health, they just trust their wizard is giving them 
> the right magic potion! No one would break a thermometer and drink its 
> contents but that is exactly what most do to their dearest beloved 
> ones with disaster loaded needles!

Er, what?

This is still the Squid cache users' mailing list, isn't it?

Antony.

> -Original Message-
> From: Eliezer Croitoru 
> Sent: Tuesday, August 14, 2018 11:01 AM
> To: 'Vacheslav' 
> Cc: squid-users@lists.squid-cache.org
> Subject: RE: [squid-users] microsoft list
> 
> >Can you share this git with us?
> >We are probably not updated enough.
> >It will probably help others too so.
> 
> Can you please share it with us?
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
> On Behalf Of Vacheslav Sent: Wednesday, August 1, 2018 9:19 AM
> To: 'Amos Jeffries' ; 
> squid-users@lists.squid-cache.org Subject: Re: [squid-users] microsoft 
> list
> 
> 
> -Original Message-
> From: squid-users  On 
> Behalf Of Amos Jeffries Sent: Tuesday, July 31, 2018 7:34 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] microsoft list
> 
> On 31/07/18 23:32, Vacheslav wrote:
> > Satanic greetings, you really think you are the smartest of us all 
> > that we can't think of your stupid suggestion?
> >
> >Please be civil. The response you received was a reasonable answer to 
> >your question.
> 
> You won't find any more civil love than that.
> 
> >Both the TechNet article linked and the Squid FAQ config example for 
> >Windows Update contains lists of domains that service uses.
> >
> >Blocking the rest of Microsoft and all of Akamai *by URL* is a much 
> >more difficult proposition. Between them they host a very large 
> >percentage of Internet domains.
> 
> Your last sentence is totally false. I found an open source handy 
> piece of software which lets you choose how much you would like to 
> block, even skype if desired, too bad there isn't a donate button on 
> github or am I missing it? So I just copied the domains inserted in 
> the hosts file and plugged it in ufdbguard and the people who use this 
> squid have considerably less traffic than others.


--
This space intentionally has nothing but text explaining why this space has 
nothing but text explaining that this space would otherwise have been left 
blank, and would otherwise have been left blank.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] microsoft list

2018-08-14 Thread Vacheslav
Well since you asked and are actually interested, I am going to reveal the 
secret just like Vanunu and  Rabin. The program is called disable win track!
But what I don't understand is that too many people get to understand stuff 
like split and peak and tls and even tougher technical stuff but when it comes 
to health, they just trust their wizard is giving them the right magic potion! 
No one would break a thermometer and drink its contents but that is exactly 
what most do to their dearest beloved ones with disaster loaded needles!

-Original Message-
From: Eliezer Croitoru  
Sent: Tuesday, August 14, 2018 11:01 AM
To: 'Vacheslav' 
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] microsoft list

>Can you share this git with us?
>We are probably not updated enough.
>It will probably help others too so.

Can you please share it with us?

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vacheslav
Sent: Wednesday, August 1, 2018 9:19 AM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, July 31, 2018 7:34 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

On 31/07/18 23:32, Vacheslav wrote:
> Satanic greetings, you really think you are the smartest of us all that we 
> can't think of your stupid suggestion?
> 

>Please be civil. The response you received was a reasonable answer to your 
>question.

You won't find any more civil love than that.

>Both the TechNet article linked and the Squid FAQ config example for Windows 
>Update contains lists of domains that service uses.

>Blocking the rest of Microsoft and all of Akamai *by URL* is a much more 
>difficult proposition. Between them they host a very large percentage of 
>Internet domains.

Your last sentence is totally false. I found an open source handy piece of 
software which lets you choose how much you would like to block, even skype if 
desired, too bad there isn't a donate button on github or am I missing it?
So I just copied the domains inserted in the hosts file and plugged it in 
ufdbguard and the people who use this squid have considerably less traffic than 
others.

>Amos


Re: [squid-users] microsoft list

2018-08-01 Thread Vacheslav

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, July 31, 2018 7:34 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

On 31/07/18 23:32, Vacheslav wrote:
> Satanic greetings, you really think you are the smartest of us all that we 
> can't think of your stupid suggestion?
> 

>Please be civil. The response you received was a reasonable answer to your 
>question.

You won't find any more civil love than that.

>Both the TechNet article linked and the Squid FAQ config example for Windows 
>Update contains lists of domains that service uses.

>Blocking the rest of Microsoft and all of Akamai *by URL* is a much more 
>difficult proposition. Between them they host a very large percentage of 
>Internet domains.

Your last sentence is totally false. I found an open source handy piece of 
software which lets you choose how much you would like to block, even skype if 
desired, too bad there isn't a donate button on github or am I missing it?
So I just copied the domains inserted in the hosts file and plugged it in 
ufdbguard and the people who use this squid have considerably less traffic than 
others.

>Amos


Re: [squid-users] microsoft list

2018-07-31 Thread Vacheslav
Satanic greetings, you really think you are the smartest of us all that we 
can't think of your stupid suggestion?

-Original Message-
From: Michael Da Cova  
Sent: Tuesday, July 31, 2018 1:01 PM
To: Vacheslav ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

Hi


On 31/07/18 08:55, Vacheslav wrote:
> Peace,
> Anyone got a url list to block windows update, Akamai,
you could start by looking at 
https://technet.microsoft.com/en-gb/library/bb693717.aspx
who you going to deal with updates?
> and spying from microsoft?
good luck with that or you could install a linux distro
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Michael




[squid-users] microsoft list

2018-07-31 Thread Vacheslav
Peace,
Anyone got a url list to block windows update, Akamai, and spying from 
microsoft?




Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Vacheslav
Yeah all that I know, The million dollar question is should I continue blocking 
it?

-Original Message-
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
Marcus Kool
Sent: Thursday, May 17, 2018 3:22 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165).
ufdbguardd blocks this IP address since it is configured to do so which is 
indicated by 'https-option', most likely because the config has
option enforce-https-with-hostname on # default is off.

Marcus


On 17/05/18 08:03, Vacheslav wrote:
> I have this:
> acl {
> allSystems  {
>### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
>pass
>  alwaysallow
>  # !always-block
>   !ms-data-collection
>  !adult !security
>   !proxies !malware !warez
>  !gambling !violence !drugs
> !phishtank !spyware
>  chat dating !games religion  finance jobs shops sports travel news
>  webmail forum socialnet youtube
> !webtv webradio audiovideo
>  !ads
> searchengine
>  # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
>  any
>  # NOTE: ALL categories are part of the ACL for logging purposes.
>  # Only when logall is off, one can remove the allowed categories from the ACL.
> }
> 
> I don't have a similar config acl.
> 
> -Original Message-
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
> Amos Jeffries
> Sent: Thursday, May 17, 2018 1:56 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] kaspersky and ufdbguard
> 
> On 17/05/18 17:45, Vacheslav wrote:
>> Peace,
>>
>> When I configured Kaspersky to use proxy, I started getting as an example:
>>
>> BLOCK -10.96.0.104 config https-option
>> 195.122.177.165:443 CONNECT
>>
>> I have require https hostname. Kaspersky is updating fine.
>>
>> Anyone has an idea what Kaspersky is connecting ?
>>
> 
> That is a custom log format, you have not provided any info about what each 
> field is. So no, we don't have much of a clue what it means.
> 
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Vacheslav
I have this:
acl {
   allSystems  {
      ### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
      pass
         alwaysallow
         # !always-block
         !ms-data-collection
         !adult !security
         !proxies !malware !warez
         !gambling !violence !drugs
         !phishtank !spyware
         chat dating !games religion  finance jobs shops sports travel news
         webmail forum socialnet youtube
         !webtv webradio audiovideo
         !ads
         searchengine
         # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
         any
         # NOTE: ALL categories are part of the ACL for logging purposes.
         # Only when logall is off, one can remove the allowed categories from the ACL.
   }
}

I don't have a similar config acl.

-Original Message-
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Amos 
Jeffries
Sent: Thursday, May 17, 2018 1:56 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

On 17/05/18 17:45, Vacheslav wrote:
> Peace,
> 
> When I configured Kaspersky to use proxy, I started getting as an example:
> 
> BLOCK -10.96.0.104 config https-option
> 195.122.177.165:443 CONNECT
> 
> I have require https hostname. Kaspersky is updating fine.
> 
> Anyone has an idea what Kaspersky is connecting ?
> 

That is a custom log format, you have not provided any info about what each 
field is. So no, we don't have much of a clue what it means.

Amos


[squid-users] kaspersky and ufdbguard

2018-05-16 Thread Vacheslav
Peace,

When I configured Kaspersky to use proxy, I started getting as an example:

BLOCK -10.96.0.104 config https-option  
195.122.177.165:443 CONNECT

I have require https hostname. Kaspersky is updating fine.

Anyone has an idea what Kaspersky is connecting ?



Re: [squid-users] Squid SSL db on ramdisk

2018-02-12 Thread Vacheslav
Works like a charm is a stubborn phrase, never experienced that when being 
charmed one problem is gone and replaced with numerous others, like sick 
relatives?

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri
Sent: Saturday, February 10, 2018 10:57 PM
To: Alex Rousskov ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid SSL db on ramdisk

Yes, confirmed.

When I've replaced int m; and int d; to long m; and long d; - works like charm.


11.02.2018 01:08, Yuri wrote:
> int m; declaration inside static bool parseBytesOptionValue(size_t * 
> bptr, char const * value) ?
>
> If I set it long, as by as int d, seems ok.
>
>
> 11.02.2018 01:04, Alex Rousskov wrote:
>> On 02/10/2018 12:02 PM, Yuri wrote:
>>> 11.02.2018 00:59, Alex Rousskov wrote:
>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>
>>>>> What is correct syntax for -M option?
>>>> The correct syntax is, roughly,
>>>>
>>>>   -M [bytes|KB|MB|GB]
>>> Exactly with space between integer and units?
>> Without anything between integer and units. For example: 2GB
>>
>> Alex.

--
*
* C++20 : Bug to the future *
*
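
The -M size handling discussed in this thread, as an added example that is not Squid's source and not code from any poster: with 32-bit signed intermediates, 2GB (2 x 1024^3) is one more than the largest int, while a 64-bit product with a range check accepts it. The function names, the 1024-based units and treating a bare number as bytes are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <string>

// Unit suffixes from the thread: bytes|KB|MB|GB. 1024-based sizes and
// "no suffix means bytes" are assumptions of this example.
static bool unitMultiplier(const std::string &unit, std::uint64_t &mult) {
    if (unit.empty() || unit == "bytes") { mult = 1; return true; }
    if (unit == "KB") { mult = 1ULL << 10; return true; }
    if (unit == "MB") { mult = 1ULL << 20; return true; }
    if (unit == "GB") { mult = 1ULL << 30; return true; }
    return false;
}

// Split "<digits><unit>" with nothing between the two parts, so "2GB" is
// accepted and "2 GB" is rejected.
static bool splitValue(const std::string &value, std::uint64_t &digits,
                       std::uint64_t &mult) {
    const std::uint64_t max = std::numeric_limits<std::uint64_t>::max();
    std::size_t i = 0;
    digits = 0;
    while (i < value.size() && value[i] >= '0' && value[i] <= '9') {
        const std::uint64_t digit = static_cast<std::uint64_t>(value[i] - '0');
        if (digits > (max - digit) / 10)
            return false; // the digit run alone does not fit in 64 bits
        digits = digits * 10 + digit;
        ++i;
    }
    if (i == 0)
        return false; // no leading number
    return unitMultiplier(value.substr(i), mult);
}

// Narrow variant: models the number and the multiplier being held in 32-bit
// signed ints. The product is computed in unsigned 64-bit arithmetic and then
// reduced to its low 32 bits, which shows the wrapped result without
// executing undefined behaviour.
bool parseBytesNarrow(const std::string &value, std::int32_t &out) {
    std::uint64_t digits = 0, mult = 0;
    if (!splitValue(value, digits, mult))
        return false;
    const std::uint32_t low = static_cast<std::uint32_t>(digits * mult);
    std::memcpy(&out, &low, sizeof out);
    return true;
}

// Checked variant: refuses any value whose byte count does not fit in size_t.
bool parseBytesChecked(const std::string &value, std::size_t &out) {
    std::uint64_t digits = 0, mult = 0;
    if (!splitValue(value, digits, mult))
        return false;
    const std::uint64_t limit = std::numeric_limits<std::size_t>::max();
    if (digits > limit / mult)
        return false; // digits * mult would exceed size_t
    out = static_cast<std::size_t>(digits * mult);
    return true;
}

int main() {
    const char *samples[] = {"4MB", "2GB", "4GB", "2 GB"}; // constructed inputs
    for (const char *s : samples) {
        std::int32_t narrow = 0;
        std::size_t checked = 0;
        const bool okNarrow = parseBytesNarrow(s, narrow);
        const bool okChecked = parseBytesChecked(s, checked);
        std::printf("%-5s narrow: ok=%d value=%d | checked: ok=%d value=%zu\n",
                    s, okNarrow, static_cast<int>(narrow), okChecked, checked);
    }
    return 0;
}
```

A size that wraps to a negative number or to zero is the dangerous outcome here, because the caller receives a value that parsed "successfully" and then uses it as a limit.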






Re: [squid-users] Macros

2018-02-09 Thread Vacheslav
Nothing exists means you don’t exist, there is no reason not throw yourself out 
of the window then.

 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri
Sent: Thursday, February 8, 2018 10:36 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Macros

 

Indeed :)

You can cover this by write good documentation and share it ;) This is 
OpenSource ;) Nothing exists - except you will create by yourself ;)

 

09.02.2018 01:34, Alfredo Daniel Rezinovsky wrote:

I tried searching in the code and still couldn't find it. But Challenge 
accepted.

 

On 08/02/18 16:28, Yuri wrote:

This is OpenSource :) There is no documentation :) (As they say - read
the code to get documentation ;))
 
 
09.02.2018 01:26, Alfredo Daniel Rezinovsky wrote:

I know there is a macro ${service_name}
 
I like to know if there are other or there's a way to parse
environment variables in squid.conf.
 
I didn't find this in the on line documentation
 





-- 
*
* C++20 : Bug to the future *
*


Re: [squid-users] 3.5.20 run out of my memory.

2018-02-07 Thread Vacheslav
I cron those for memory, try it.
0 */1 * * * root /usr/sbin/sysctl -w vm.drop_caches=3

0 */1 * * * root /bin/sync && /bin/echo 3 | /usr/bin/tee /proc/sys/vm/drop_caches

 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of minh hung d? hoang
Sent: Wednesday, February 7, 2018 9:35 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] 3.5.20 run out of my memory.

 

Dear all, i use squid 3.5.20 on ubuntu14 in TPROXY mode.

With basic config in squid.conf, but squid is run out of my server's memory.

Here is my configure option :

'--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info' 
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' 
'--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-gnuregex' '--enable-delay-pools' '--enable-cache-digests' 
'--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' 
'--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' 
'--enable-http-violations' '--enable-ssl-crtd' '--enable-linux-netfilter' 
'--enable-ltdl-install' '--enable-ltdl-convenience' 
'--enable-x-accelerator-vary' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 
'--disable-translation' '--disable-ipv6' '--disable-ident-lookups' 
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24' 
'--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536' 
'--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'
--



And i apply this patch before compile for disabling host forgery checks :

+diff -ur squid-3.5.20-orig/src/client_side_request.cc 
squid-3.5.20/src/client_side_request.cc
+--- squid-3.5.20-orig/src/client_side_request.cc2016-07-01 
13:37:50.0 +0200
 squid-3.5.20/src/client_side_request.cc2017-03-10 16:48:08.920084072 
+0100
+@@ -530,6 +530,10 @@
+ }
+ debugs(85, 3, HERE << "validate IP " << clientConn->local << " 
non-match from Host: IP " << ia->in_addrs[i]);
+ }
++// disable fogery check. See 
https://code.nethesis.it/Nethesis/dev/issues/5088
++http->request->flags.hostVerified = true;
++http->doCallouts();
++return;
+ }
+ debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " 
possible from Host:");
+ hostHeaderVerifyFailed("local IP", "any domain IP");
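
Review bot: the added lines sit directly after the block that logs "non-match from Host: IP", so `http->request->flags.hostVerified = true` is set on exactly the requests whose destination IP did not match the Host header, and the early `return` makes the `hostHeaderVerifyFailed("local IP", "any domain IP")` call below unreachable for them. If the check has to be relaxed for this deployment, continue with `http->doCallouts()` without setting `hostVerified`, so that any code consulting the flag later still sees the request as unverified, and put the bypass behind a build or configuration switch instead of making it unconditional. The comment misspells "forgery" as "fogery" and gives the reason only as an issue link; a one-line rationale in the comment itself would let the next reader judge whether the bypass is still needed.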

 

And here is my squid.conf ( i don't post my http_access for clearly view :()

###
# Squid normally listens to port 3128
###

https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn
http_port 3129 tproxy
http_port 3128

###
# squid ssl_bump option
###
acl step1 at_step SslBump1
acl block ssl::server_name "/etc/squid/block_domain.txt"
ssl_bump peek step1
ssl_bump terminate block
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

###
## LOGFILE OPTIONS
###

mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid

include /etc/squid/logging.conf
###
## OPTIONS FOR TROUBLESHOOTING
###

coredump_dir /var/spool/squid
debug_options ALL,1
cache_effective_user squid
cache_effective_group squid
###
## PERSISTENT CONNECTION HANDLING
###
 
detect_broken_pconn off
client_persistent_connections off
server_persistent_connections on

###
## ERROR PAGE OPTIONS

Re: [squid-users] Website bypass with always-direct

2017-12-14 Thread Vacheslav
What if we think from the heart?

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Jorge Bastos
Sent: Thursday, December 14, 2017 1:22 PM
To: 'Alex Rousskov' ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Website bypass with always-direct

Alex,

> Ok, so what would be the directive to allow what i want to achieve?


What do you want to achieve?

Earlier, you implied that you do not want to see a request in Squid logs. As 
Amos has said, Squid cannot "unsee" the transaction: Once the transaction 
reaches Squid, Squid will handle it (forward, block, delay, mangle, log, etc.). 
If you want Squid to not see a transaction, then all the solutions will be 
outside of Squid and its directives. Please explain what you want with this 
fact in mind.

It's what I want,
I thought squid would be able to do that bypass!
I have to do it with iptables then,

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] can't block streaming

2017-11-03 Thread Vacheslav


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Wednesday, November 1, 2017 3:52 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] can't block streaming

On 01/11/17 21:54, Vacheslav wrote:
> Thanks for your time,
>
> -Original Message-
> From: Amos Jeffries
> Sent: Tuesday, October 31, 2017 5:45 PM
>
> On 31/10/17 22:05, Vacheslav wrote:
>> Peace,
>>
>> I tried searching and debugging but I couldn’t find a solution, 
>> whatever I do youtube keeps working.
>>
>> Here is my configuration:
> ...
>> # Media Streams
>>
>> ## MediaPlayer MMS Protocol
>>
>> acl media rep_mime_type mms
>>
>> acl mediapr url_regex dvrplayer mediastream ^mms://
>>
>> ## (Squid does not yet handle the URI as a known proto type.)
>
>> Unsupported URI schemes should result in the client receiving an HTTP 
>> error page instead of Squid handling the traffic.
>
>> Which also explains your problems: the Browser is either not using 
>> the proxy at all for this traffic, or sending the traffic through a 
>> CONNECT tunnel that is allowed to be created for other reasons.
>
> Well I tried unchecking automatically detect proxy settings. There are 
> 2 network cards on the squid, one with a gateway, the same  is used as 
> the proxy ip port 3128 and youtube is not in the bypass proxylist. I 
> tried using opera, the same result.

>Things like YT do not have to be on any bypass list to avoid the proxy.
>It just has to have a URL scheme for some protocol the browser detects as not 
>able to go through the HTTP-only proxy. eg "mms:"

>Since mms:// means a non-HTTP protocol and it is not commonly supported by 
>HTTP proxies, the browsers usually send it directly to the mms protocol 
>port(s) AFAIK.

Well I tried switching the ip of the pc to one that can't do http and https at 
all without proxy. I tested it without proxy enabled and internet sites don't 
open, I switched the proxy back on and youtube works when it is forbidden.


> What do you mean by a connect tunnel?

>Things like this:

"
  >CONNECT r1---sn-ntqe6n76.googlevideo.com:443 HTTP/1.1

  >... non-HTTP data stream.
"

>Which tells Squid to open a TCP connection to the named server and port.
That is how a YouTube video I'm watching right now is currently going through a 
test Squid. The browser of course shows it as a GET request for some https: 
URI, but the proxy only sees that CONNECT.

To see what is inside that particular port 443 tunnel one has to use SSL_Bump 
feature to decrypt the HTTPS protocol that is supposed to be on that port.


> ...
>
>> # We strongly recommend the following be uncommented to protect 
>> innocent
>>
>> # web applications running on the proxy server who think the only
>>
>> # one who can access services on "localhost" is a local user
>>
>> #http_access deny to_localhost
>>
>> # Deny all blocked extension
>>
>> error_directory /usr/share/squid/errors/en
>>
>> deny_info ERR_BLOCKED_FILES blockfiles
>>
>> http_access deny blockfiles
>>
>> #
>>
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>
>
>> Please read the above line, and consider all the custom rules you 
>> placed above it.
> I moved the below text to under
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> http_access deny mediapr
> http_access deny mediapr1
> http_access deny mediapr2
> http_access deny mediapr3
> http_reply_access deny media
> ...
>>
>> #url_rewrite_program /usr/sbin/squidGuard
>>
>> #url_rewrite_children 5
>>
>> #debug_options ALL,1 33,2 28,9
>>
>> And where must I place the before last 2 lines in order for squid 
>> guard to work?
>>
>
>> Right there where they are in your config will do.
>
>> What do you expect SquidGuard to do?
>
> At first, I thought squid guard is needed to block file extension, 
> then I discovered that it blocks urls so it is not a bad idea to block 
> porn sites and porn search terms.

>Ah, I see. Well, if you are new to it I advise to try using squid.conf ACLs 
>first. Sending things to helpers is quite I/O and memory intensive and most of 
>what SG does can be done better by modern Squid.

Also, SquidGuard specifically is very outdated software and no longer 
maintained. If you have to do access control in a helper at all it is better to 
use the external_acl_type interface and other helpers that meet the more 
specific need.

Well then, I'll go with your advice and not use prehistoric software.

>
>
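
Why the regex ACLs in this thread never fire for YouTube, as an added example that is not part of the original posts: a simplified Python model of first-match http_access evaluation (not Squid's code) run over the ACLs from the posted squid.conf. The sample GET URL, the video_hosts dstdomain ACL and its domain list are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Regex ACLs copied from the squid.conf posted in this thread.
URL_REGEX = {"mediapr": ["dvrplayer", "mediastream", "^mms://"]}
URLPATH_REGEX = {"mediapr1": [r"\.(afx|asf)(\?.*)?$"],
                 "mediapr2": [r"\.flv(\?.*)?$"],
                 "mediapr3": [r"\.swf(\?.*)?$"]}
# Assumption: domains for an added dstdomain ACL (not in the posted config).
VIDEO_HOSTS = (".googlevideo.com", ".youtube.com")

# http_access lines in posted order (Safe_ports, manager, blockfiles omitted).
POSTED_RULES = [("deny", ["mediapr"]), ("deny", ["mediapr1"]),
                ("deny", ["mediapr2"]), ("deny", ["mediapr3"]),
                ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localnet"])]
# Hypothetical variant: a destination-domain deny ahead of the posted rules.
WITH_DSTDOMAIN = [("deny", ["video_hosts"])] + POSTED_RULES

def parse(method, target):
    """Split the request line into what the proxy can see: host, port, path."""
    if method == "CONNECT":                 # target is only "host:port"
        host, port = target.rsplit(":", 1)
        return host, int(port), ""
    u = urlsplit(target)
    return u.hostname, u.port or 80, u.path + ("?" + u.query if u.query else "")

def acl_matches(name, method, target):
    host, port, path = parse(method, target)
    if name in URL_REGEX:
        return any(re.search(p, target) for p in URL_REGEX[name])
    if name in URLPATH_REGEX:
        return any(re.search(p, path) for p in URLPATH_REGEX[name])
    if name == "video_hosts":               # dstdomain: domain and subdomains
        return any(host == d[1:] or host.endswith(d) for d in VIDEO_HOSTS)
    return {"CONNECT": method == "CONNECT",
            "SSL_ports": port == 443,
            "localnet": True}[name]         # assumes a client inside 10.0.0.0/8

def http_access(rules, method, target):
    """First matching line wins; every ACL on a line must match (AND)."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), method, target) != a.startswith("!")
               for a in acls):
            return action, " ".join(acls)
    return "deny", "all"

if __name__ == "__main__":
    for rules in (POSTED_RULES, WITH_DSTDOMAIN):
        for req in (("GET", "http://media.example.test/clip.flv"),  # constructed
                    ("CONNECT", "r1---sn-ntqe6n76.googlevideo.com:443")):
            print(req, "->", http_access(rules, *req))
```

With the posted rules the CONNECT request falls through to "allow localnet" because it carries no URL path for the urlpath_regex ACLs to test; only a rule keyed on the destination host or port can stop it without decrypting the tunnel.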

[squid-users] can't block streaming

2017-10-31 Thread Vacheslav
Peace,

I tried searching and debugging but I couldn't find a solution, whatever I
do youtube keeps working.

Here is my configuration:

 

 

# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8  # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
#acl localnet src fc00::/7  # RFC 4193 local private network range
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

# Media Streams

## MediaPlayer MMS Protocol
acl media rep_mime_type mms
acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)

## Active Stream Format (Windows Media Player)
acl media rep_mime_type x-ms-asf
acl mediapr1 urlpath_regex \.(afx|asf)(\?.*)?$

## Flash Video Format
acl media rep_mime_type video/flv video/x-flv
acl mediapr2 urlpath_regex \.flv(\?.*)?$

## Flash General Media Scripts (Animation)
acl media rep_mime_type application/x-shockwave-flash
acl mediapr3 urlpath_regex \.swf(\?.*)?$

## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs

http_access deny mediapr
http_access deny mediapr1
http_access deny mediapr2
http_access deny mediapr3
http_reply_access deny media

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# Deny all blocked extension
error_directory /usr/share/squid/errors/en
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

# Allow localhost always proxy functionality
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir aufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#url_rewrite_program /usr/sbin/squidGuard
#url_rewrite_children 5
#debug_options ALL,1 33,2 28,9

 

And where must I place the before last 2 lines in order for squid guard to
work?
