Re: [squid-users] Squid instalaltion for NTLM error

2019-09-27 Thread Amos Jeffries
On 26/09/19 10:34 pm, Tevfik Ceydeliler wrote: > Hi > In  > https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#Kerberos >  page, That is for Kerberos, not NTLM. > there is directive to add crontab: > > 05  4  *   *   *     net rpc changetrustpw -d 1 | logger -t

Re: [squid-users] Protecting squid against ddos attacks

2019-09-26 Thread Amos Jeffries
On 23/09/19 1:59 am, Chirayu Patel wrote: > Hi Amos, > > Thanks a lot for giving some amazing insights.. > > So currently I am using Squid to achieve 2 things : > a) Content Filtering - by checking the url against an external db and > allow and block it accordingly. (using url_rewriter).  > b)

Re: [squid-users] Working proxy_protocol_access settings on Squid 3.5 or 4?

2019-09-25 Thread Amos Jeffries
On 25/09/19 6:41 am, Alex Rousskov wrote: > On 9/24/19 12:02 PM, Tom Karches wrote: > >> 2019/09/24 11:31:46 kid1| PROXY protocol error: invalid header ... > >> So, you are saying that v4 does not contain changes to fix the "PROXY >> protocol error" and my only option at this point is v5 code? >

Re: [squid-users] Delay pools not working with squid 4.x , and more Question !!

2019-09-22 Thread Amos Jeffries
On 22/09/19 10:25 pm, --Ahmad-- wrote: > Hello Folks , > > i tested squid 4.8 and delay pools not working with it at all . > i reverted back to squid 3.5.x and i had delay pools working . > > Q1- do squid 4 support delay pools ? > Yes. > > Q2- with squid 3.5.x we have SMP about 4 childs ,

Re: [squid-users] Protecting squid against ddos attacks

2019-09-20 Thread Amos Jeffries
On 21/09/19 1:03 am, Chirayu Patel wrote: > --> I have installed squid in a wifi access point which will in many > cases behave as an edge gateway as well.. So basically it itself is the > firewall. There is nothing in front to protect it. > --> There are 4 ports that are opened.. If someone

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-18 Thread Amos Jeffries
On 18/09/19 10:22 am, Alex Rousskov wrote: > On 9/17/19 5:02 PM, Sam Holden wrote: > >> When I have protocol=http is reports: >> 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections > >> When I don't set the protocol is reports: >> 2019/09/17 20:17:38| Accepting reverse-proxy

Re: [squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-09-17 Thread Amos Jeffries
On 15/09/19 10:41 pm, John Sweet-Escott wrote: > Hi All > > We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on > Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering > of HTTPS traffic using SNI (see config in [2]). It works correctly > when contacting

Re: [squid-users] squid 4.8 web reports

2019-09-14 Thread Amos Jeffries
On 15/09/19 9:07 am, Erick Perez - Quadrian Enterprises wrote: > Good day, > using Squid 4.8 for about 200 users here. > I would like to generate reports, but on the squid website page most > of the tools listed are several years outdated. (example: calamaris) > Are there some recent web-based

Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-14 Thread Amos Jeffries
On 14/09/19 7:43 pm, sknz wrote: > Hello Amos, > Okay, ports are fixed from here and forwarded 80 to 3127 in iptables. > > http_port 3128 # for proxy client > http_port 3127 intercept # for http intercept > This does not match the config suggested. Can you please re-post the config used with

Re: [squid-users] Squid Transparent Proxy with Coovachilli is not working

2019-09-13 Thread Amos Jeffries
On 14/09/19 4:48 am, sknz wrote: > Hello reinerotto, > I've been stuck here for 3 days! This is complete iptable rules after > coova-chilli starts : https://paste.grasehotspot.org/view/raw/529efd6c > Each time you have posted details about your situation the ports used have been different from

Re: [squid-users] Multiple LDAP authentication server for Squid

2019-09-13 Thread Amos Jeffries
On 12/09/19 10:41 pm, Antonino Sanacori wrote: > Hi. > > I use one ldap server for authentication of my users but now i have new > users on another branch of same ldap server. > > How can I configure squid.conf for support ldap authentication of my > users on different branches? > Squid does

Re: [squid-users] intercept vs. accel vhost allow-direct

2019-09-12 Thread Amos Jeffries
On 12/09/19 9:53 pm, sknz wrote: > Hello, > > > > etho0 is for WAN and eth1 is for LAN side. > > and more detailed firewall settings: > > # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019 > *nat >

Re: [squid-users] intercept vs. accel vhost allow-direct

2019-09-12 Thread Amos Jeffries
On 12/09/19 8:43 pm, sknz wrote: > I'm running a hotspot(CoovaChilli, Freeradius, etc.) server where > Squid-3.4.8(SSL enabled) for caching and logging. My machine is running on > Debian 8.1.1 with 2 NIC card. One for WAN and another for LAN to manage > hotspot AP(s). > > ERROR > The requested

Re: [squid-users] caching and changing content

2019-09-12 Thread Amos Jeffries
On 12/09/19 8:25 pm, fansari wrote: > In my scenario (squid 3.5.23) I have several clients which download content. > > Now I want to achieve two things: if one client has already downloaded the > content the second client requesting the same content should take it from > the squid cache. > > But:

Re: [squid-users] Disable 302 redirect in squid, but only to http://eais.rkn.gov.ru

2019-09-11 Thread Amos Jeffries
On 12/09/19 7:45 am, Igor Rylov wrote: > After I've written my question, I thought, if it's possible to do it with: > > acl sites_blocking_redirect url_regex eais\.rkn\.gov\.ru > > reply_header_access Location deny sites_blocking_redirect > > Is it a workable or the

Re: [squid-users] squid.config

2019-09-10 Thread Amos Jeffries
On 10/09/19 10:16 pm, Sérgio Vieira wrote: > Hello, > > Can you help me with the query below? Only as far as the line ordering issue I mentioned two days ago on-list. If that does not work, then all I can do is suggest a Squid upgrade. The latest version works for me when the log line

Re: [squid-users] request_header_replace User-Agent 'UA string' for certain URLs/domains/ACLs

2019-09-10 Thread Amos Jeffries
On 10/09/19 10:28 am, Igor Rylov wrote: > How to change User-Agent string only for certain ACLs, for example, > If I set up an: acl acl_name dst some.url > or: acl acl_name url_regex some\.url\/path > or sources IPs: acl acl_name src 192.168.0.123 > > Then use the User-Agent replacement for the

Re: [squid-users] squid.config

2019-09-08 Thread Amos Jeffries
On 7/09/19 10:41 pm, Sérgio Vieira wrote: > Hello, > > I’m trying to ignore some domains (like facebook.com, youtube.com, etc), > meaning that I don’t want logs from this domains. > > I already inserted in the config file the following: > acl nolog dstdomain “/etc/squid/acl-nolog.txt” >

Re: [squid-users] Squid CAS integration

2019-09-06 Thread Amos Jeffries
On 6/09/19 9:36 pm, Dario Basset wrote: > Thanks. > > ->  With CAS I mean the Central Authentication Service, which is supported > here: https://github.com/apereo/cas  or here: > https://www.apereo.org/projects/cas     It is a system for Single Sign On > authentication with Service Ticket, and it

Re: [squid-users] Squid CAS integration

2019-09-06 Thread Amos Jeffries
On 6/09/19 7:50 pm, Dario Basset wrote: > My institution has been asked to integrate Squid and CAS. We want to > integrate Squid and CAS in its simplest way, that is: Details about this CAS ? Does it have a specific name? "CAS" is like saying "proxy" - it is a type. What type(s) of

Re: [squid-users] simultanous requests: collapsed_forwarding

2019-09-05 Thread Amos Jeffries
On 5/09/19 9:52 pm, fansari wrote: > In our scenario it might/will happen that clients will request the same > resources simultaneously. > > I ran a test where I start one download with curl and with short delay > (about 1s) I request the same content by another client. > > 1567673769.781 12123

Re: [squid-users] cannot access squid with https_port: 403

2019-09-04 Thread Amos Jeffries
On 4/09/19 2:59 am, fansari wrote: > OK - I cannot figure out the whole requirement right now. > > In case it will not not work like this: with a) you mean "intercept" and > with b) "tproxy"? > No for (b) I mean "TLS explicit". New connections from clients start with TLS handshake immediately,

Re: [squid-users] HEAD requests: pass through?

2019-09-04 Thread Amos Jeffries
On 4/09/19 9:54 pm, fansari wrote: > If my understanding is correct when the client already has the content it > sends a HEAD request to the squid and it will be checked whether the content > on the squid is newer than the local cache of the client. Maybe. HTTP/1.0-only clients are likely to do

Re: [squid-users] help with helper

2019-09-03 Thread Amos Jeffries
On 4/09/19 1:13 am, jmperrote wrote: > Hello Amos, yes but how can I identified that is on the first request ?? > It will be first? but what does first actually mean? first this year? first today? first this second? HTTP is stateless. There is no concept of "second request" etc. outside of

Re: [squid-users] cannot access squid with https_port: 403

2019-09-03 Thread Amos Jeffries
On 4/09/19 1:21 am, fansari wrote: > I have tested this and it is working. > > This is what I said: when I use this http_port directive then it works. > > So what is still unclear to me is: what is this https_port directive for? I > understood from one of you answers I found to someone else that

Re: [squid-users] Cant open some HTTPS with Squid 4.8

2019-09-03 Thread Amos Jeffries
On 3/09/19 11:47 pm, KOTOXJle6 wrote: > Im trying to setup Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to > squid error page for sites in ACL's. Yesterday i faced major problem HTTPS > sites doesnt open normally in IE11/EDGE and show blank page only + squid > replace certificate. If i tap

Re: [squid-users] cannot access squid with https_port: 403

2019-09-03 Thread Amos Jeffries
On 4/09/19 12:29 am, fansari wrote: > Thank you for your reply. > > If I drop the keyword "intercept" I get this error message when starting > squid: > > FATAL: ssl-bump on https_port requires tproxy/intercept which is missing. > > Using "tproxy" does not help me either - I also end up with

Re: [squid-users] help with helper

2019-09-03 Thread Amos Jeffries
On 3/09/19 10:35 pm, jmperrote wrote: > Hello we have a helper to validate users on squid reverse proxy, and > have a problem on the first validation time !! > > On a normal day the first validation, when a user open the client > browser squid invoke the pop/up and users insert user/password

Re: [squid-users] cache peer , force peer to use dns ipv4 not ipv6

2019-09-03 Thread Amos Jeffries
On 3/09/19 10:33 pm, --Ahmad-- wrote: > Hello Team , thank you for replies . > > > http_port 10.61.8.189:1 name=1 > acl 1 myportname 1 > never_direct allow 1 > cache_peer 192.247.37.193 parent 12847 0 no-query  round-robin no-digest >

Re: [squid-users] cannot access squid with https_port: 403

2019-09-03 Thread Amos Jeffries
On 3/09/19 8:46 pm, fansari wrote: > I have to setup a TLS proxy connection between client and squid. My config is > working with http_port (without TLS) but as soon as I try https_port it does > not work (squid 3.5.23 compiled with --enable-ssl' '--enable-ssl-crtd' > '--with-openssl'). > > What

Re: [squid-users] cache peer , force peer to use dns ipv4 not ipv6

2019-09-03 Thread Amos Jeffries
On 3/09/19 4:45 pm, --Ahmad-- wrote: > Hello Team , > > just wondering . > > using cache peer to FWD request to upstream squid . > > the problem is sometimes the Upstream go to destination over ipv6 . > > is there an option can be used to force the peer to use ipv4 dns ? > Put the IPv4

Re: [squid-users] Working peek/splice no longer functioning on some sites

2019-09-02 Thread Amos Jeffries
On 2/09/19 8:44 am, torson wrote: > For me it works with "ssl_bump peek step1", not with "ssl_bump peek all". > That tells me that your clients are lying to your proxy. "peek step1" means only the client-provided detail is available. eg the client says it is going to example.net (a domain which

Re: [squid-users] TCP_MISS_ABORTED/503 - -Squid-Error: ERR_DNS_FAIL 0

2019-08-21 Thread Amos Jeffries
On 21/08/19 3:51 pm, L A Walsh wrote: > Pulled this out of my log. Downloading lots of files through squid has > the download aborting after about 3k files. This is the first I've seen > that there's also an associated ERR_DNS_FAIL -- is that a message from > squid's internal resolver?

Re: [squid-users] caching apt package lists/Raspbian

2019-08-19 Thread Amos Jeffries
On 19/08/19 2:06 am, TarotApprentice wrote: > It turns out it still doesn't cache them the Packages.xz. From > discussions over on the RaspberryPi forums it seems its hitting the > following (this is just the Packages.xz) in order to match their > main, contrib, non-free and rpi repos. > > $

Re: [squid-users] squid for live streaming

2019-08-19 Thread Amos Jeffries
On 19/08/19 2:41 pm, Eliza wrote: > Hello, > > Is there any guide for squid as a live streaming proxy? such as RTMP > protocol etc. > Squid only supports HTTP or ICY (SHOUTcast) streaming. There is nothing special to configure for those to work. Some RTMP/RTSP clients support tunneling through

Re: [squid-users] Getting lot of client lifetime timeout and subsequently running out of file descriptors

2019-08-18 Thread Amos Jeffries
On 2019-08-19 07:14, Chirayu Patel wrote: Hi, I am running squid version 4.6 and have set the file descriptors limit to 5000 I get an average of 1 lakh hits daily and in a day or 2 , I start getting these messages : Sun Aug 18 15:00:29 2019 daemon.notice squid[4906]: WARNING: Closing client

Re: [squid-users] help to disconnect users after determinated time. TTL

2019-08-16 Thread Amos Jeffries
On 16/08/19 3:30 am, jmperrote wrote: > Hello Emmanuel, we finish implementing a solution on PHP script, getting > the TTL time < 0 on the cachemgr, and it work. > > The problem is that the param --> auth_param basic credentialsttl 3 > minutes, give this time (180 seconds), but if the user still

Re: [squid-users] HAProxy + Squid

2019-08-16 Thread Amos Jeffries
On 16/08/19 8:46 am, Service MV wrote: > Thank you, Amos. Taking into account your and Rafael's recommendations, > I configured HAProxy and Squid to use the PROXY protocol instead of > reformatting the messages. > At the moment I disabled authentication, due to internal requirements. > I had a

Re: [squid-users] Cache html pages with advertised length of -1?

2019-08-15 Thread Amos Jeffries
On 15/08/19 8:14 pm, Joshua Kronemeyer wrote: > Hello all! > > I'm trying to cache some HTML pages with squid, but the pages I'm trying > to cache always advertise size of -1. (Advertised Size/Actual Size i.e. > -1/104732) > The http headers don't include a content-length. So the objects are of

Re: [squid-users] squid.config

2019-08-13 Thread Amos Jeffries
On 14/08/19 9:11 am, Sérgio Vieira wrote: > Hello, > > I followed the instructions on this > site: https://howchoo.com/g/mwi3ntu1mjq/how-to-set-up-a-proxy-server-on-mac > > Regarding your questions: > - macOS Mojave 10.14.6 > - Squid v4.0 > - Instructions in the site mentioned above > - I use

Re: [squid-users] While using icap_service squid working when ip is used and failing when domain name is provided

2019-08-13 Thread Amos Jeffries
On 13/08/19 3:55 am, Prudhvisagar Bellamkonda wrote: > Hi,  > Thanks for checking my message.  >  Please check the below configuration, we are running squid 3.5 version.  > > This service is running on aws its a ui application trying to connect to > virus scanner to scan the uploaded file and

Re: [squid-users] squid Illegal instruction

2019-08-13 Thread Amos Jeffries
On 13/08/19 6:45 am, leomessi983 wrote: > > hi > yes I use it in different machines,but all of them are debian with the > same version! Okay. That means we can rely on the OS being the same, and _usually_ the compiler - though it does occasionally have problems. > At first I compiled squid in

Re: [squid-users] squid Illegal instruction

2019-08-11 Thread Amos Jeffries
On 2019-08-12 05:13, leomessi...@yahoo.com wrote: . . Hi After install my own compiled squid in a linux system i got Illegal instruction error when I run squid! These usually occur due to: * building on one OS and running on another * building on/for one CPU architecture and running on

Re: [squid-users] sending certificate chain from squid reverse proxy

2019-08-10 Thread Amos Jeffries
On 3/08/19 6:08 am, Martin Hoffmann wrote: > Any ETA on this? > Working on it, but no definite ETA sorry. Amos

Re: [squid-users] Problems with squid 3.1 to 3.3 upgrade

2019-08-10 Thread Amos Jeffries
On 10/08/19 8:32 am, Tom Karches wrote: > > > On Fri, Aug 9, 2019 at 2:37 PM Alex Rousskov wrote: > > On 8/9/19 1:37 PM, Tom Karches wrote: > > On Fri, Aug 9, 2019 at 11:38 AM Alex Rousskov wrote: > > > Ok, here is the info from the real trace. First time with > #dns_v4_first >

Re: [squid-users] HAProxy + Squid

2019-08-09 Thread Amos Jeffries
On 9/08/19 1:44 am, neok wrote: > Hi, I finally did the configuration differently. It's working very well for > me. > What you are doing is polluting every HTTP message with two new headers. The way Rafael suggested is more efficient since the PROXY protocol details are only delivered at the

Re: [squid-users] acl src question

2019-08-09 Thread Amos Jeffries
On 9/08/19 1:57 am, Service MV wrote: > Hello everyone! > > I have a network 192.168.10.0/22 > I want to let the IP ranges 192.168.12.1 to 192.168.13.254 through my > proxy, but not the ranges 192.168.10.1 to 192.168.11.254. > If I don't misunderstand the documentation >

Re: [squid-users] Squid url rewriters creating issues in case of multi-threaded mode

2019-08-07 Thread Amos Jeffries
On 7/08/19 6:40 pm, Chirayu Patel wrote: > > url_rewrite_program /tmp/squid/urlcat_server > url_rewrite_children 15 startup=1 idle=1 concurrency=30 queue-size=1 > url_rewrite_extras "%>a %lp %ssl::>sni" > > - > --> I have a single process which receives the requests in >

Re: [squid-users] cache-peer and tls

2019-08-03 Thread Amos Jeffries
On 4/08/19 2:11 am, Eugene M. Zheganin wrote: > Hello, > > > I'm using squid 4.6 and I need to TLS-encrypt the session to the parent > proxy. I have in config: > > > cache_peer proxy.foo.bar parent 3129 3130 tls > tls-cafile=/usr/local/etc/squid/certs/le.pem >

Re: [squid-users] Squid 3.5.27 not caching at all

2019-08-03 Thread Amos Jeffries
On 4/08/19 1:18 am, Mohamed Ali Ahmed wrote: > You have not provided enough information for us to know whether this is > a problem or testing mistake. > > What is this unstated "minimal change" you made that made caching > suddenly stop working?  > >  The only change i have made

Re: [squid-users] Squid 3.5.27 not caching at all

2019-08-03 Thread Amos Jeffries
On 3/08/19 9:45 pm, Mohamed Ali Ahmed wrote: > Hello everyone, > I have set up Squid 3.5.27 on ubuntu 18.04 from the packages. I have > made the minimal change but when i check the access.log i get tcp_miss > 200 most of the websites even visiting the same website over and over again. > You have

Re: [squid-users] Reverse Proxy Detected

2019-08-01 Thread Amos Jeffries
On 1/08/19 9:41 am, creditu wrote: > We have been using several squid servers in accelerator mode for a > number of years mainly for load balancing to send public requests to > backend servers. The requests to the squids typically come via a > well known commercial caching service. The

Re: [squid-users] Why `Storage Mem capacity` has a value larger than 100%.

2019-07-31 Thread Amos Jeffries
9 on-disk objects ie. Total count of objects stored in all configured cache_dir. > `9 on-disk objects` means only 9 entries of 1185 are stored on disk, and > others are stored in memory? > Essentially, yes. > > > Amos Jeffries wrote >> Also, your proxy is appar

Re: [squid-users] Why `Storage Mem capacity` has a value larger than 100%.

2019-07-30 Thread Amos Jeffries
On 29/07/19 2:46 pm, kmiku7 wrote: > Hello > My squid consume too much memory at startup time grow. > From manager cgi /squid-internal-mgr/info, I saw the `Storage Mem capacity` > in Cache information for squid is 2429.7%, larger than 100%. In my opinion, > this value should be less or equal to

Re: [squid-users] dns_v4_first off for squid Squid Cache: Version 5.0.0-20190715-rd3527ec67

2019-07-29 Thread Amos Jeffries
On 2019-07-30 09:37, --Ahmad-- wrote: Hello Folks . i have a problem with IPV6 when i moved to squid Squid Cache: Version 5.0.0-20190715-rd3527ec67. in squid 3.5 when i put : dns_v4_first off i have all resolution of domains for ipv6 as 1st priority then ipv4 . but … when i have squid 5.x.x

Re: [squid-users] squid 4 fails to authenticate using NTLM

2019-07-23 Thread Amos Jeffries
On 23/07/19 7:53 am, zby wrote: > My problem:  my browser keeps on prompting for authentication. > Facts: > > Debian 10 x86_64 > squid-4.6 + samba-4.9 > joined AD using "net ads join -U ...". OK. > wbinfo -t : OK > wbinfo -P or -p : OK > wbinfo -i userXYZ : returns data (OK) > wbinfo -g (well,

Re: [squid-users] caching apt package lists/Raspbian

2019-07-20 Thread Amos Jeffries
On 21/07/19 4:20 pm, Mark James wrote: > Doing an “apt update” on the squid machine got another TCP_MISS_ABORTED for > ::1 and then subsequent IPv4 requests from other Pis get the > TCP_REQUEST_UNMODIFIED. > That hints that there is something broken in your local network IPv6 connectivity.

Re: [squid-users] squid time out

2019-07-20 Thread Amos Jeffries
On 19/07/19 5:30 pm, ANDRINANTENAINA Avo wrote: > Hi Amos,  > > Thank you for your prompt reply. > > As you said, the first request is hitting the proxy with the "user" > field empty, but there is no second request. And I was wrong about the > "timer".  > Please find below the config I'm not

Re: [squid-users] Squid + ShadowSocks

2019-07-20 Thread Amos Jeffries
On 19/07/19 1:35 pm, M. Anwer Ali wrote: > Hi, > > I have attached current setup of squid in the attachment. All the HTTP > traffic is passing through squid. We are mostly using is for Web > Filtering and its working fine. > Now we have a new addition to this setup, where we have installed Shadow

Re: [squid-users] caching apt package lists/Raspbian

2019-07-20 Thread Amos Jeffries
On 20/07/19 5:19 pm, TarotApprentice wrote: > Recently upgraded to Raspbian Buster and squid 4.6. Since then I am unable to cache the Packages.xz that apt uses. The various other Pis using this proxy all end up downloading the 30MB Packages.xz every time. Does anyone have any suggestions on how to

Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-19 Thread Amos Jeffries
On 19/07/19 6:49 pm, --Ahmad-- wrote: > > But may be im wrong with config and im open now to any suggestions to > change the config to get it working as i mentioned above with headers . > As I said at the end of my earlier mail: " You appear to have missed the fact that each check/test of the

Re: [squid-users] network problems with squid ssl-bump

2019-07-18 Thread Amos Jeffries
On 18/07/19 7:52 pm, Ashley wrote: > Hi all, > > I have a couple of questions about squid 3.5. My company has set up a squid > proxy with sslbump functionality. There are more than 300 people in my > company and we are all intensive users of internet. > The TLS environment is a very volatile

Re: [squid-users] squid time out

2019-07-18 Thread Amos Jeffries
On 19/07/19 1:57 am, ANDRINANTENAINA Avo wrote: > > I have a huge range in terms of network, but awkwardly, the > authentication/ACL and everything works well in one given subnet but not > on the others. The users in the other subnets are not able to surf the > internet, and this without any

Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-17 Thread Amos Jeffries
On 17/07/19 9:41 pm, --Ahmad-- wrote: > Hi Alex, > acl half1 random 1/10 > acl half10001 random 1/9 > acl half10002 random 1/8 > acl half10003 random 1/7 > acl half10004 random 1/6 > acl half10005 random 1/5 > acl half10006 random 1/4 > acl half10007 random 1/3 > acl half10008 random 1/2 >

Re: [squid-users] sending certificate chain from squid reverse proxy

2019-07-17 Thread Amos Jeffries
On 17/07/19 12:34 am, Kate Dawson wrote: > Hi, > > Is it possible to send a certificate chain from squid when it's used in > reverse proxy (accel) mode and compiled with gnutls ? > That has not been implemented yet. Sorry. > > is it possible to send an intermediate certificate when build

Re: [squid-users] Does request_header_replace support calling into another file

2019-07-16 Thread Amos Jeffries
On 16/07/19 11:46 am, Lei Wen wrote: > I am using request_header_replace to modify out going HTTP headers, > mainly the basic/bearer token. Does request_header_replace support > calling another file, the content in that file would be "Basic ...". > What are you trying to achieve here? Your

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Amos Jeffries
On 14/07/19 5:33 pm, mikio.kishi wrote: > Hi all, > >  https://www.spinics.net/lists/squid/msg90523.html > > As mentioned in the above URL, I would like to use "SSL Bump with HTTP > Cache Peer Parent" as well. > However, still seems not be supported like the following. > ... > > Do you have

Re: [squid-users] Squid security advisories

2019-07-13 Thread Amos Jeffries
Luigis' test and upload :-P Amos > >> On 14 Jul 2019, at 12:24 pm, Amos Jeffries wrote: >> >>> On 14/07/19 11:04 am, TarotApprentice wrote: >>> On the Squid-Announce list there were advisories 2019:1, 2, 3, 5 and 6. Was >>> there a 2019:4 that

Re: [squid-users] Squid security advisories

2019-07-13 Thread Amos Jeffries
On 14/07/19 11:04 am, TarotApprentice wrote: > On the Squid-Announce list there were advisories 2019:1, 2, 3, 5 and 6. Was > there a 2019:4 that was missed? > Yes and no. There is a :4 issue. But the fix turned out to be incomplete so did not make it into this release. Amos

[squid-users] [squid-announce] Squid 4.8 is available

2019-07-13 Thread Amos Jeffries
mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:5 Heap Overflow issue in HTTP Basic Authentication processing

2019-07-13 Thread Amos Jeffries
uid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __ Credits: This vulnerability was discovered by Jeriko O

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:6 Multiple Cross-Site Scripting issues in cachemgr.cgi

2019-07-13 Thread Amos Jeffries
list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __ Credits: This vulnerability was discovered by Anil Pazvant. Fixed by Amos Jeff

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:3 Denial of Service in HTTP Digest Authentication processing

2019-07-13 Thread Amos Jeffries
s vulnerability was discovered by Jeriko One . Fixed by Amos Jeffries of Treehouse Networks Ltd. __ Revision history: 2019-05-14 14:56:49 UTC Initial Report 2019-06-05 15:52:17 UTC CVE Assignment 2019-06-08

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:2 Denial of Service in HTTP Basic Authentication processing

2019-07-13 Thread Amos Jeffries
ecurity related bug reports are treated in confidence until the impact has been established. __ Credits: This vulnerability was discovered by Jeriko One . Fixed by Amos Jeffrie

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:1 Denial of Service issue in cachemgr.cgi

2019-07-13 Thread Amos Jeffries
pact has been established. __ Credits: This vulnerability was discovered by Alex Rousskov of The Measurement Factory. Fixed by Amos Jeffries from Treehouse Networks Ltd. __ Revision history:

Re: [squid-users] allowing headers per ip and block headers on others

2019-07-13 Thread Amos Jeffries
On 13/07/19 9:55 pm, --Ahmad-- wrote: > > > i want it when squid access / contact with 1.2.3.4 > > Use "dst" ACL for destination IP's. However, requests are generated before sending. Squid does not know which IP will *in future* be used to deliver the request. So this is unlikely to work

Re: [squid-users] squid 3.5.27 issue 407 Proxy Authentication Required

2019-07-07 Thread Amos Jeffries
[ For free help please keep messages on-list. ] On 7/07/19 9:25 pm, Hery Razakarimanana wrote: > > Amos any news? > I have look into old reports on *TAG_NONE_ABORTED/XXX *according to > splice connection but i don't really understand > Thanks > Heri > > On Sun, Jul 7, 2019 at 3:17 AM Hery

Re: [squid-users] ipsec and squid https intercept

2019-07-06 Thread Amos Jeffries
On 6/07/19 11:51 pm, leomessi983 wrote: > Hi > I use 2 server that connected to each other with IPsec tunnel. > > client Server1 ==ipsec tunnel==Server2Internat > > I configured Nat in Server2 toward internet and I use squid with tproxy > and ssl bump configuration to intercept

Re: [squid-users] squid 3.5.27 issue 407 Proxy Authentication Required

2019-07-06 Thread Amos Jeffries
On 6/07/19 10:38 pm, Hery Razakarimanana wrote: > > Please what is the issue? > Your proxy only accepts Negotiate/Kerberos, Negotiate/NTLM or NTLM authentication. But you have curl using environment variables containing Basic auth credentials. To solve you will need to either; * add Basic

Re: [squid-users] delay_pools does not work in squid 4.x

2019-07-01 Thread Amos Jeffries
On 1/07/19 4:18 am, sargen wrote: >>> acl deny_blocked proxy_auth -i "/usr/local/etc/squid/blocked_users.acl" >>> delay_pools 1 >>> delay_class 1 4 >>> delay_access 1 allow deny_blocked >>> delay_access 1 deny all >>> delay_parameters 1 -1 / -1 -1 / -1 -1 / -1 8000/16000 >>> >> If the above is an

Re: [squid-users] squid-users Digest, Vol 58, Issue 31

2019-07-01 Thread Amos Jeffries
>> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of squid-users digest..." >> >> >> Today's Topics: >> >> 1. Re: Bypassing SSL Man In the Middle Filtering For Certain LAN >> IP's

Re: [squid-users] delay_pools does not work in squid 4.x

2019-06-30 Thread Amos Jeffries
On 1/07/19 2:17 am, sargen wrote: > Hello. > My system is FreeBSD 11.2. I am using squid 3.5.28 compiled with support for > delay_pools in the following configuration > > acl deny_blocked proxy_auth -i "/usr/local/etc/squid/blocked_users.acl" > delay_pools 1 > delay_class 1 4 > delay_access 1

Re: [squid-users] Bypassing SSL Man In the Middle Filtering For Certain LAN IP's

2019-06-30 Thread Amos Jeffries
On 30/06/19 2:32 pm, Mike Golf wrote: > Hi All, > > I've setup a squid proxy server on my PFSense router, is there any way > of bypassing HTTPS/SSL filtering for certain LAN IP's. HTTPS is not normally filtered at all. So for that to be happening something must be forcing it - all you have to do

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Amos Jeffries
On 29/06/19 10:34 pm, Walter H. wrote: > On 29.06.2019 10:17, Amos Jeffries wrote: >> On 29/06/19 3:03 am, Walter H. wrote: >>> sslproxy_cipher >>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Amos Jeffries
On 29/06/19 3:03 am, Walter H. wrote: > > sslproxy_cipher > EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP > sslproxy_options NO_SSLv2 NO_SSLv3

Re: [squid-users] Running squid in intercept mode breaks whatsapp

2019-06-27 Thread Amos Jeffries
On 27/06/19 3:12 am, Chirayu Patel wrote: > > I am redirecting port 80 and port 443 traffic to squid.. > > I went through some blogs and forums which suggest that Whatsapp seems > to send non SSL traffic on port 443 > (https://developers.facebook.com/docs/whatsapp/guides/network-requirements/) >

Re: [squid-users] Help with HTTPS SQUID 3.1.23

2019-06-27 Thread Amos Jeffries
On 27/06/19 1:29 am, Anderson Rosario wrote: > I can not access to HTTPS sites, 3 weeks ago was working fine, without > doing any change in the topology update or config stopped and it is not > working with HTTPS sites. It keeps loading and I receive a message from > navegators The connection to

Re: [squid-users] Help with transparent whitelisting proxy on Squid 4.4

2019-06-27 Thread Amos Jeffries
On 27/06/19 11:39 am, Jared Fox wrote: > Hi Amos > > So i have tried the following based on your suggestions, but it is > still failing and have errors below: > > 1. Switched to a wildcard whitelist instead of single domain > 2. Updated the logformat to provide more information, see below: > 3.

Re: [squid-users] Help with transparent whitelisting proxy on Squid 4.4

2019-06-26 Thread Amos Jeffries
On 26/06/19 2:45 pm, Jared Fox wrote:> > == Bad news / Major Blocker == > https connections to cloud tracing is still being blocked, these are > TLS 1.2 and uses SNI as seen via tcpdump. > Okay, now that you have the v4 capabilities: * Please add %ssl::bump_mode to your log so we can see easily

Re: [squid-users] Compile error from port on FreeBSD 11.2-RELEASE r342572

2019-06-25 Thread Amos Jeffries
On 25/06/19 4:22 am, oleg palukhin wrote: > Hi list. > Trying update to squid3-3.5.28_2 from squid3-3.5.28_1 (port on FreeBSD > 11.2-RELEASE): > "--- support.lo --- > support.cc:2203:9: error: no matching function for call to > 'SSL_CTX_sess_set_get_cb' SSL_CTX_sess_set_get_cb(ctx,

Re: [squid-users] Help with transparent whitelisting proxy on Squid 4.4

2019-06-25 Thread Amos Jeffries
On 25/06/19 1:24 pm, Jared Fox wrote: > Hi Squid-Users > > I need your help! > > So i have had been using Squid 3.5.20 (installed on Amazon Linux 2) > and its acting as a transparent ssl proxy with whitelist of allowed > addresses. I want to avoid running a mitm proxy and having to add CA >

Re: [squid-users] splash page: redirection loop

2019-06-24 Thread Amos Jeffries
On 24/06/19 5:04 am, julien...@yahoo.fr wrote: > Hello, > > I'm trying to use Squid with Splash page and followed > https://wiki.squid-cache.org/ConfigExamples/Portal/Splash but I've got > an issue with a redirection loop. > Connecting to any web site redirects to splash page but splash page is >

Re: [squid-users] How to enable proxy protocol v2 on squid version 4.6.1, and NLB

2019-06-21 Thread Amos Jeffries
On 21/06/19 10:45 pm, summaiya wrote: > Hi All, > > I have deployed EC2 Egress URL Filtering Squid Proxy solution, I have used > AWS PrivateLink to centralize web filtering in explicit mode. Squid proxy > farm is implemented by a Network Load Balancer which distributes TCP > requests across

Re: [squid-users] Squid4 forward proxy to upgrade from ws to wss

2019-06-19 Thread Amos Jeffries
On 19/06/19 4:13 pm, Satyanarayana, Shekhar wrote: > Hi Squid Community, > > I am relatively new to Squid and I am facing the following issue, would > truly appreciate if you could help. > > Squid4.6 is used as a forward proxy to convert all traffic to secure > traffic. > > The configuration of

Re: [squid-users] Log resolved IP somehow?

2019-06-18 Thread Amos Jeffries
On 19/06/19 1:37 am, Ralf Hildebrandt wrote: > From my log: > > > Mon Jun 17 07:28:47 2019 36 10.39.68.232 TCP_DENIED/302 390 CONNECT > trx.adscale.de:443 - HIER_NONE/- text/html accessRule=ensiloip - > > Now I tried find out why trx.adscale.de is being denied. I'm using

Re: [squid-users] Squid Process

2019-06-18 Thread Amos Jeffries
On 19/06/19 1:18 am, Garbacik, Joe wrote: > Is there a chart or diagram somewhere to depict what key elements are > processed before others in squid? The architecture document (what we have) can be found at Any particular reason you

Re: [squid-users] Prepending a string to cache_peer username

2019-06-18 Thread Amos Jeffries
On 18/06/19 5:01 pm, ngtech1ltd wrote: > I believe that eCAP or ICAP can do the trick for you. > > However I am not sure if it’s a good thing to pass usernames and > password in WWW Http requests. > Only if there are no other peers, and no traffic going direct either. Otherwise you end up

Re: [squid-users] Squid Listening on many ports

2019-06-17 Thread Amos Jeffries
On 18/06/19 8:33 am, johnr wrote: > Hi, > > I am wanting to run squid listening on many ports (~100-200). From prior > mailing list questions > (http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-multiple-ips-is-listenting-to-some-ips-with-port-and-not-all-of-ips-td4668784.html), > I

Re: [squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread Amos Jeffries
On 15/06/19 8:57 pm, --Ahmad-- wrote: > Hello Folks , > > I'm trying to disable user agent info to be leaked out of squid using : > > request_header_access User-Agent deny all > reply _header_access User-Agent deny all > > squid very 3.5.x > > > but when i test sending the user agent info via

Re: [squid-users] Empty ACL technical risks

2019-06-11 Thread Amos Jeffries
risks. > > Like here for example: > https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567 > Amos Jeffries wrote: "The check is a generic validity check used for all > ACLs. Whether it is 'harmless' depends on future events at the time of > checking. So
