On 06/08/18 21:39, Antony Stone wrote:
On Monday 06 August 2018 at 13:32:32, --Ahmad-- wrote:
what could be the reason ?
Cookies on your computer, javascript in web pages, browser language
preferences, locally cached content...
I'm sure I haven't thought of everything.
Some sites check for
Ignoring the Squid part, is it TLS 1.2 that's the root problem, or the
ciphers?
Are you aware XP schannel.dll has some ciphers and protocols disabled by
default, even though they're supported?
See here:
I'd seen this licensing issue mentioned briefly before, but now I
actually understand what's going on. Thanks for explaining it in detail.
Good to know there's 2 paths moving along to solve the distro problem. I
feel more confident in moving forward with my little project now that I
know it's
On 14/05/2016 9:41 PM, Rafael Akchurin wrote:
The recompilation is quite easy btw
Oh, yeah... I know it's easy. I've already done it once on Debian. My
concern is that I won't be able to find time to keep it up to date.
Asking a package manager to download available updates takes about 10
Are there any Linux distros with pre-compiled versions of Squid with SSL
Bump support compiled in?
Alternatively, does anyone reputable do a 3rd party repo for
Debian/Ubuntu that includes SSL Bump?
TB
Is it possible to do this:
* Intercept HTTPS and send it via Squid?
* Apply ACLs to the intercepted HTTPS traffic based on host/domain name?
* Not change any configuration on clients?
Should I keep researching how this peeking and bumping and splicing and
such works, or is it impossible?
TB
compilation 3-or some problems in squid
Thanks
-Original Message-
From: Tim Bates [mailto:t...@new-life.org.au]
Sent: Saturday, September 07, 2013 8:46 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] 100% CPU when bigger files are downloading
For anyone who's interested, I
For anyone who's interested, I upgraded to Debian Testing a few days
ago, and to their build of 3.3.8 - problem has been solved.
TB
On 3/08/2013 5:52 PM, Tim Bates wrote:
On 24/07/2013 2:01 PM, Tim Bates wrote:
OK, so I've got Squid 3.1.6 (from Debian Wheezy) running on an OpenVZ
container
On 24/07/2013 2:01 PM, Tim Bates wrote:
OK, so I've got Squid 3.1.6 (from Debian Wheezy) running on an OpenVZ
container.
OK, so I discovered I was actually running Squeeze still (which has
3.1.6). I upgraded to Wheezy (has Squid 3.1.20) hoping it would fix it,
but no... Still runs at 100% CPU
OK, so I've got Squid 3.1.6 (from Debian Wheezy) running on an OpenVZ
container. There are very few users, often just one at a time - we use
this for caching and filtering customer computers being repaired in a
small computer repair shop.
Any time we download anything over a couple of
On 10/03/2013 10:45 PM, Andreas Westvik wrote:
So what kind of format do I have now then?
Do you have any examples?
You've got dstdom_regex in the line that includes the list file, so
it's processing it through regex for every entry, and none of them need to.
Change the entries in the file
Basic old intercept was the plan.
On 2/01/2013 5:23 AM, Eliezer Croitoru wrote:
Tproxy or intercept\transparent?
Eliezer
On 1/1/2013 11:28 AM, Tim Bates wrote:
On 1/01/2013 4:18 PM, Amos Jeffries wrote:
On 30/12/2012 10:55 p.m., Tim Bates wrote:
Has anyone had experiences with running
On 1/01/2013 4:18 PM, Amos Jeffries wrote:
On 30/12/2012 10:55 p.m., Tim Bates wrote:
Has anyone had experiences with running Squid *transparently* on an
OpenVZ container in combination with a Cisco router?
Can it be done?
Is there anything to watch out for, or any tricks?
TB
Which
Has anyone had experiences with running Squid *transparently* on an
OpenVZ container in combination with a Cisco router?
Can it be done?
Is there anything to watch out for, or any tricks?
TB
On 5/10/2010 9:44 PM, John Dakos wrote:
Kromonos thank you for your message.
But I know this way with dstdom. but the problem is... on web has a
hundreds bypass proxy sites... this is no way for administrators. I spend a
lot of time to search on google for bypass domains.
Another idea ?
On 24/08/2010 4:20 PM, Mohamed Ashraf wrote:
Thank you for your reply
How do I block all https except some.
Please go and read some guides about Squid ACLs. What you want is
relatively simple once you have a basic understanding of the ACLs.
Below is the basic idea, which I have NOT
On 20/02/2010 7:36 AM, Ariel wrote:
Hello list, I have squid version 2.7.STABLE3, debian lenny
and wanted to know if I have way to cache the videos from youtube?
Yes, though I've not tried it. See http://cachevideos.com/
TB
On 20/11/2009, Henrik Nordstrom hen...@henriknordstrom.net wrote:
The list server does set internet standard list headers, so if you have a
mail client which knows about mailing lists then you get a Reply to
list alternative.
Which still requires people to mash the right button. People used to
Here's a question: Would Reply-To being set prevent people who post
getting a flood of user not found bounces back?
When I posted my thoughts earlier, I got about 6 messages telling me
users were not found or user rejected the message. Why should I care if
someone is still subscribed to the
Is the issue that they complain you aren't allowed to view content due
to location?
If so, what you want to do is prevent the X-Forwarded-For header from
being sent by using the header_access ACL.
To disable sending it for any site use: header_access X-Forwarded-For
deny all
To do it for just
Roland Roland wrote:
but while using wireshark, i see that for each browsing session i
retrieve all Static objects from the net! at the same time caching
logs shows hit after another...
is that normal ?!
I assume you are using Wireshark to watch traffic between your squid box
and the
Squid is probably not a good tool for this.
Icecast as a relay might be a suitable option if there's only a small
number of streams.
TB
Josef Karliak wrote:
hi,
does anyone know how to proxy stream (internet radio) to multiple clients.
1 stream from internet to many clients inside of
poncenby wrote:
I simply want squid to forward all requests without having to
configure client proxy settings.
You want it transparent or autodetected (WPAD) then, not reverse.
Static dns entries in /etc/hosts pointing to squid will be on the
client machine already
If you have the ability to
da...@davidwbrown.name wrote:
I am running: a Linux router/gateway, heavily firewalled (iptables) but with
the attack I installed Squid. I created two system files with ACLs to match:
bad_src_ip and bad_url_regex. From the Linux box ps shows that squid is running
but the logs show no activity
da...@davidwbrown.name wrote:
Hello Tim, yet-another-toppost! I spoke too soon. The proxy is blocking
everything! Even if I put in an ACL and specifically allow (http_access) I get
a big HTML page: The requested URL could not be retrieved: While trying to
retrieve the URL:
Edjé DOSSEH wrote:
That is my question: can i block ping from outside by squid?
No. That's a job for the firewall.
Another thing: I'm trying to use squid on windows(i'm doing a test with
windows xp). But when i deny an url(or domain) and after i remove this
domain or url from the list, it
░▒▓ ɹɐzǝupɐɥʞ ɐzɹıɯ ▓▒░ wrote:
how to except 1 ip on my network to not using transparent proxy?
exception IP ?
In your routing/firewall rules. You need to change your redirect rule to
not include that address.
TB
Mark Barlow wrote:
Log all requests to port 80 and look for the PC/s that are
trying to access google constantly.
Especially at times when it's normally a lower load. At the school I
work for, lunchtime is pretty slow as pretty much everyone is off the
computers... And nights are obvious too
Amos Jeffries wrote:
This is one of the known bugs in Windows filesystem compatibility with
the rest of the world.
And Windows *user* compatibility with the rest of the world ;-)
Trying to convince a Windows user that case does mean something is like
extracting blood from the teeth of stone
Philipp Rusch - New Vision IT wrote:
I'd use Microsoft WSUS, its free and easy to setup.
It's only free after you've paid for a Windows Server license... Given
the price involved for that, I wouldn't call it free.
TB
Henrik Nordstrom wrote:
On ons, 2008-11-12 at 17:34 +, Jose Celestino wrote:
Not completely right, Thunderbird may also need to do some http to
render html e-mails with external references.
Yuck.. will definitely stay away from Thunderbird then.
Regards
Henrik
Don't worry...
[EMAIL PROTECTED] wrote:
Can I use Squid as a proxy of Streaming protocol such as WMV,RealMedia and
QuickTime?
Can I use Squid as a proxy of Instant Message such as AOL,Yahoo and MSN?
Squid is an HTTP proxy, so anything that can use HTTP proxies can go
through it.
MSN Messenger and ICQ can
Henrik Nordstrom wrote:
Now we at least know for sure they are hostile.
For all we know that Squid download may well be a trojan.
Did anyone else notice that the site helpfully provides an MD5 hash to
check, and even provide a tool to check it with? Leaves me wondering if
both are trojans.
Ricardo Augusto de Souza wrote:
Why the hell do u want to cache windowsupdate?
Just install a WSUS (
http://technet.microsoft.com/en-us/wsus/default.aspx ) in one windows
machine in your LAN and it will download windowsupdate and send it to
your local machines.
Perhaps because clients can't
Andreas Moroder wrote:
Tim Bates schrieb:
Andreas Moroder wrote:
our squid passes all the http traffic to a parent proxy. Now we have
two
sites that work only if we access them through another parent proxy.
Is there a way to tell squid to redirect certain domains to this
secondary proxy
Andreas Moroder wrote:
our squid passes all the http traffic to a parent proxy. Now we have two
sites that work only if we access them through another parent proxy.
Is there a way to tell squid to redirect certain domains to this
secondary proxy ?
Yes. It is possible. I'm a bit rusty on how,
Ramiro Sabastta wrote:
I configured a cache of 100Gb on disk with aufs.
My max size of cache file configured is 50Mb. I note than the most
visited site is the update sites (windows update, symantec update,
etc) and this sites go direct always because download files bigger
than 50Mb.
Can I
Steven Jones wrote:
I have squid refusing to run on the above... it appears Debian has set
squid up such that it only runs on a 2.6 kernel
http://wiki.kartbuilding.net/index.php/Squid_Issue,_Etch_and_a_2.4_Kernel
Sarge squid packages are no longer there...
Does anyone know of a ready made
howard chen wrote:
I notice some of our clients are typing an additional dot at the end of
the domain, which makes the squid ACL fail, e.g.
acl dstdomain_index dstdomain .example.com
You could just solve that by listing any domain twice, but with a dot
the second time,
Curt Coleman wrote:
My company is in the early stages of running a SQUID proxy for internet
filtering of public machines. Is there a method of remotely disabling the
filtering on specific machines?
If Squid acls are what you are filtering with, then you'd simply adjust
the acls, and reload the
On 10/5/2008, Brent Clark [EMAIL PROTECTED] wrote:
I'm trying to get WPAD working, but Mozilla Firefox is not playing game.
IE is working.
My DNS entry:
wpad IN A 192.168.111.9
IN TXT service:
wpad:http://wpad.example.local:80/wpad.dat;
Anil Saini wrote:
sir
i am unable to block some sites like
www.catpass.info
www.newjumbo.info
i blocked them using ACL list but they opened when i type
www.catpass.info/index.php
www.newjumbo.info/index.php
plz tell me how to completely block there sites
We can't tell you why it's not
I've never had that happen at my place, and I've been running a
transparent proxy for quite some time.
Could it maybe be the client is not sending all the headers required?
What happens if you try to connect to the same streams with a browser
(Shout/Ice cast streams should load a web page
Paul Bryson wrote:
I've added a page with some ideas about creating a Squid install CD.
http://wiki.squid-cache.org/Features/SquidAppliance
How much of this seems realistic for someone to be able to put together?
None of it sounds impossible. I hereby take a step back from the line of
K K wrote:
For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO. For non-microsoft, this needs to be configured manually on each
client.
For non-MS browsers you can often still use WPAD (Firefox on Linux for
example can do that still).
You can also get a modified
You want to restrict one of your local IPs from getting on the internet?
Something like this:
acl LAN_Range src 192.168.1.0/24
acl No_Internet_For_You src 192.168.1.X (replace the X with the
IP you want to block).
http_access deny No_Internet_For_You
http_access
Bert Rapp wrote:
Here's an example of how I expect to use it:
acl mozacl browser MOZILLA
http_access allow mozacl
http_access deny all
But I think this would block access completely to IE.
You can use multiple acls to make it happen. My head's not functioning
fully right now (so you should
I think you're missing the cache_dir type from that.
My cache_dir line looks like this:
cache_dir ufs /var/spool/squid 2048 16 256
TB
Dave Coventry wrote:
Hi,
I'm having a problem with my squid.conf.
I have specified
cache_dir /usr/local/squid/var/cache 100 16 256
as per the directions under
I'll agree with that.
Background isn't too bad IMO, but I can see the issue. Fading it more
would fix it.
TB
Mark Nottingham wrote:
Great job!
Looks very nice -- except that the background image is distracting,
and makes it hard to read text.
Cheers,
On 05/02/2008, at 4:13 PM, Kinkie
Yogesh Patil wrote:
so the problem is that i am able to browse websites very well,
but Gmail, Yahoo Messenger, MSN Messenger etc.. and all the websites
using https not works, what would be the issue ?
I would say you are not forwarding (and/or NATing) the HTTPS port (443).
TB
Remembering of course to lower the maximum cache size in the config too
so it doesn't get too much again...
TB
Cassiano Martin wrote:
Shutdown squid and recreate the cache
squid -k shutdown
rm -rf /var/squid/cache/* (check if this is the real path)
squid -z
squid
Tek Bahadur Limbu wrote:
Robert Eaton wrote:
What I need to be able to do is have http://mysite and
http://mysite.mycompany.lan
bypass the proxy server without adding an exception. What am I doing wrong?
Try setting the append_domain setting in squid.conf
append_domain .mycompany.lan
TB
Henrik Nordstrom wrote:
On tis, 2007-10-30 at 10:49 +1100, Tim Bates wrote:
It seems our squid box is caching 302 Moved Temporarily responses...
Only if the 302 have an Expires / max-age making the response fresh.
Yeah... I think they do. It's from a custom coded upstream proxy
Go with DansGuardian. Squid can't do it.
TB
Hung Ng wrote:
Hello. There's this site http://celebritygalleries.org
that some students which is not adult because we
checked, but we also checked the words and some of the
words in the image tags are suggestive. We'd like to
allow them to surf, but
It seems our squid box is caching 302 Moved Temporarily responses...
Which is annoying as the upstream proxy is (IMO brokenly) using this
method to direct clients to a password reset page every 60 days. The
redirect is cached which means the password reset page comes up for any
sites that
[EMAIL PROTECTED] wrote:
I'm sort of curious how you route your traffic? I'm using iptables and
reroute all port 80 traffic to my proxy on port 8080. Port 443
traffic goes straight to website, because you can't cache encrypted
traffic. Or am I totally wrong about this?
You can't cache it, but
Shekhar Gupta wrote:
Can anyone let me know how to block anonymous proxy sites. Is there
a way to block such things with keyword in squid.
You mean websites that assist people in bypassing your rules?
I use 4 methods...
One: deny anything that has certain strings in the URL.
Two: deny known
to correct or comment anything I've stated above.
.vp
From: Amos Jeffries [EMAIL PROTECTED]
To: Squid squid-users@squid-cache.org
Tim Bates wrote:
Can someone tell me if it's possible to block CONNECT attempts that
only
specify an IP address (rather than a hostname)?
I can see no legitimate reason
to the IP blocks just in case
there is a legit need.
Please feel free to correct or comment anything I've stated above.
.vp
From: Amos Jeffries [EMAIL PROTECTED]
To: Squid squid-users@squid-cache.org
Tim Bates wrote:
Can someone tell me if it's possible to block CONNECT attempts
that only
Can someone tell me if it's possible to block CONNECT attempts that
only specify an IP address (rather than a hostname)?
I can see no legitimate reason to CONNECT to an IP, and I've just caught
students using this method to bypass the filters.
TB
We use passthrough authentication, but have no access to the upstream
logs. I vaguely remember seeing some docs on how to trick squid into
logging the username, but still passing it on. But I can't find anything
at all anymore...
Is it possible to make Squid *always* log usernames (when present)
Henrik Nordstrom wrote:
tis 2007-06-26 klockan 23:32 +1000 skrev Tim Bates:
Is it possible to make Squid *always* log usernames (when present) in
the logs, but still pass the account details on to the upstream proxy?
Sure, at least if it's basic authentication being used. Just use
Hi.
Quick question... Is it possible to log certain ACL matches to a
different ACL? Or even to the main log plus a different one?
I read something that suggested it was possible but there was no example
of how to do it.
TB
Vootla, Bhagwan wrote:
How do I specify in the proxy server that if a user hits XYZ.com,
BYPASS proxy completely and use DIRECT connection from the desktop.
Look into using a PAC file to configure the clients rather than just
setting the proxy. Then you can specify sites to bypass the proxy.
md5 wrote:
Hello,
Is it possible to show private IP to the Internet with squid?
Only using the X-Forwarded-For header (I think I spelled it right).
How can I show the client's internal IP to Internet instead of the WAN IP on
squid server?
You can't have it instead... How will the
David Gameau wrote:
Here's what we use to support WPAD+DHCP:
[From dhcpd.conf, in the global section of the file]
option option-252 code 252 = text;
option option-252 "http://wpad.example.com/wpad.dat\n";
Note that IE6 truncates the answer it gets (by dropping the
last character), which is
Download
indicator went from 0% to 100% in less than a second and confirmed a
download size of 554 bytes in 1 sec.
Did you happen to look at the file contents when it finished? Maybe it
contains a clue to what goes on...
I just tried that link with IE6, and it started downloading. The
always_direct is to tell Squid to not use a parent proxy. It does not
make the client bypass squid.
TB
Man-wai CHANG wrote:
http://www.jobs.gov.hk/eng/default.aspx
Only a blank page is shown. How could I use Squid to access it?
Should I use always_direct? But how? I tried, but failed.
acl
Browser here is Firefox.
Firefox automatically tries www. on the front of the domain if the DNS
lookup fails for the domain by itself. When you use squid, the browser
isn't doing its own DNS lookups anymore, so it doesn't do these fancy
things.
Tell them to stop complaining about their
I can confirm it's still there. They're right at the bottom in tiny
writing Sponsored by then 3 links.
It's in a banner added only by that mirror.
Tim
Kashif Ali Bukhari wrote:
where i am unable to find any link
maybe you are infected with spyware
On 12/10/06, howard chen [EMAIL
You can't do authentication in transparent mode reliably.
otrcomm wrote:
hello,
is it possible to get Squid 2.6 to authenticate in transparent mode?
I set it up to run in transparent mode and defined an auth_param basic program,
but Squid seemed to ignore the auth_param entry. is
this
See the http_port option. Assuming you left your config in the default
full of comments state, then this is clearly explained there.
Otherwise, check the docs for its usage.
As an example, you need something like below.
#==start
http_port 192.168.1.3:3128
http_port
Depends how the authentication is done. How are the usernames/passwords
stored?
Widi Apriyadi wrote:
Hello All, Squid Lovers.
I already make an authentication for user, it's working great.
But, how can user change the password on they own self ? Please...
Sorry if my English is poor.
Thanks
Hi.
I have a situation where I have to get squid to use a particular parent
proxy that requires authentication... Now, I've done this part, but some
users don't actually have their accounts yet on the new parent, so they
can't use it.
What I'd like to do is have some specific users (based
going to appear to be from the squid box?
Tim
Dwayne Hottinger wrote:
You could do a redirect at your firewall if you use iptables (netfilter) it
should be quite easy.
ddh
Quoting Tim Bates [EMAIL PROTECTED]:
Hi.
I have a situation where I have to get squid to use a particular parent
proxy
Tim Bates:
What I'd like to do is have some specific users (based on IP address)
get directed to the old parent proxy, while the rest go to the new one.
Is it possible to create rules as to which parent is used?
Yes. See cache_peer_access.
Regards
Henrik
What's the go with this spam (or otherwise dodgy email) on the list? It
is hitting the list, not just me right?
This is the 2nd one in a row today... Up side, these are the first spam
messages I've gotten from the list.
Tim
Madge wrote:
http://sjqfiw.whistleseason.info/?18693625
Thanks... I thought it was something simple like that. Works perfectly.
Henrik Nordstrom wrote:
ons 2006-06-21 klockan 15:53 +1000 skrev Tim Bates:
We are about to be moved to using a parent proxy that authenticates
users. Is it possible to pass the required user names/passwords through
my friend
today.
Tim Bates
**
This message is intended for the addressee named and may contain
privileged information or confidential information or both. If you
are not the intended recipient please delete it and notify
Just a fairly quick question to the ACL gurus
Is there a quick easy way to block all of a domain, except for a
specific subdomain? For example, I need to block live.com, but allow
mail.live.com.
Currently in squid.conf I have:
acl BlockedSites dstdomain /etc/squid/blockedsites.txt
I might be reading all this wrong, but couldn't you just set the max
cache size lower?
Alexander Grüner wrote:
Hi :-)
was wondering if there were a way to tell squid to clean cache
periodically?! So I would not have to do it myself.
I am doing this with a cron job in the middle of the
Some versions of IE are broken and look for wpad.da, missing the t
at the end. Symlink so they stay the same.
You need to be able to access the wpad file without the proxy for
obvious reasons (but this is sometimes overlooked). Check by turning off
all proxy options and trying to access where
Can you allow direct access for that particular host? As in for that
host, bypass squid. How did you set the clients to use the proxy?
Transparent, manually set on client, Active Directory, etc...
William K. Hardeman wrote:
I'm hoping someone can help me figure out a resolution to a problem
I wouldn't say it's unsafe. If it was a problem then squid wouldn't allow
it by default.
Look here: http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17
Peter Marshall wrote:
I found this site the other day. It said that if I could see my
internal IP then my proxy was *un-safe*. If this is
That url works through my squid proxy or without it.
So I wonder why the OP's Squid will not allow it?
I can also say it works fine through squid. I'll bet it's the DNS server
or the OS, not squid itself.
My proxy at the school I work for authenticated fine. Dansguardian
passes the authentication stuff back and forth to/from squid. Try to
configure squid to authenticate correctly first to be sure auth is
working OK. I couldn't get the LDAP auth program to work... That could be
your problem too.
It's the subnet mask. 32 means 255.255.255.255, which is a specific IP.
24 is a full network. Read up on subnetting if you want to understand
it better.
Barry Rumsey wrote:
Thanks. That did the trick. What's the diff between the /24 and /32 ?
On Sun, 2005-12-11 at 06:35 +0200, Pieter De
What distro (fedora, mandrake, etc) are you using? Hopefully someone can
then point you to a binary package of the correct flavour.
Palula Brasil wrote:
I got Squid to work on my machine. Anyhow I am a very inexperienced Linux
user and would like to know what would be the easiest way to
I'd guess it's a worm attempting to either hit your squid, or go through
it to another web server (depending on how your squid is set up).
But then, I'm not an expert either, so I might be wayyy off.
Tim
Lucia Di Occhi wrote:
I am getting a lot of the following in my cache.log, as anyone
Carlos Zottmann wrote:
acl RealPlayer browser R1
http_access allow RealPlayer
Won't that mean that clever users can bypass authentication by using a
browser that can fake being other browsers?
That's the wrong options if you are doing the authentication locally.
always_direct is for bypassing parent proxies.
I think what you want to do is to use http_access allow WIN1 (and so
on) as separate ACLs to your main one that allows your clients to
access. Of course, as always, I could be
You can't do virus scanning from Squid directly, but if you use
dansguardian as well, there's a plugin for it that does virus scanning
using ClamAV.
Oleksii Krykun wrote:
How to check incoming http traffic for viruses?
I would like to know about such implementation without http server. I
To the best of my knowledge no intrusion has occurred on
www.squid-cache.org. I haven't performed a system audit though - I'm in
the middle of a coding sprint (in Brazil as it happens) - but perhaps
Duane or Henrik have the time to have a check.
I get the feeling it was done using a worm or
direct though, not the list.
Tim Bates
D E Radel wrote:
Greetings.
Sorry if this is a recurring question. I checked through the Squid FAQ
and didn't see anything on caching email. I have set our Outlook
clients to use IE's LAN settings, however the proxy is not working for
Outlook.
I am
including the suffix search to
determine if it's local first? If I can how. If I can't, any hints on
how to make it work?
Tim Bates