[squid-users] [squid-announce] Squid 5.0.3 beta is available

2020-06-19 Thread Amos Jeffries
port. http://bugs.squid-cache.org/ Amos Jeffries ___ squid-announce mailing list squid-annou...@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-announce ___ squid-users mailing list

[squid-users] [squid-announce] Squid 4.12 is available

2020-06-19 Thread Amos Jeffries
If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries

[squid-users] [squid-announce] [ADVISORY] SQUID-2020:5 Denial of Service when using SMP cache

2020-06-19 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2020:5 __ Advisory ID: | SQUID-2020:5 Date: | June 19, 2020 Summary: | Denial

[squid-users] [squid-announce] [ADVISORY] SQUID-2020:6 Denial of Service issue in TLS Handshake

2020-06-19 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2020:6 __ Advisory ID: | SQUID-2020:6 Date: | June 19, 2020 Summary: | Denial of

Re: [squid-users] Squid and c-icap's srv_url_check module

2020-06-19 Thread Amos Jeffries
On 19/06/20 10:07 pm, Amiq Nahas wrote: >> Looks like traffic is fine and Squid operational, but no sign of any >> ICAP activity. I think try adding this to your config: >> >> adaptation_access svcBlocker allow all >> >> Its supposed to be the default action, but just to be sure add it >>

Re: [squid-users] Squid and c-icap's srv_url_check module

2020-06-19 Thread Amos Jeffries
On 19/06/20 8:46 pm, Amiq Nahas wrote: > On Wed, Jun 17, 2020 at 8:28 PM Amos Jeffries wrote: >> >>> Browser does prompt for user credentials just like the squid.conf is >>> configured to do, but it is not blocking websites. >>> >>> However, when I exec

Re: [squid-users] Squid and c-icap's srv_url_check module

2020-06-17 Thread Amos Jeffries
On 18/06/20 1:32 am, Amiq Nahas wrote: > On Wed, Jun 17, 2020 at 10:23 AM Amos Jeffries wrote: >> >> On 16/06/20 1:55 am, Amiq Nahas wrote: >>> Hi Guys, >>> >>> I am trying to use the srv_url_check module to block websites. >>> I have conf

Re: [squid-users] Squid and c-icap's srv_url_check module

2020-06-16 Thread Amos Jeffries
On 16/06/20 1:55 am, Amiq Nahas wrote: > Hi Guys, > > I am trying to use the srv_url_check module to block websites. > I have configured squid with proxy authentication and followed this > wiki: https://sourceforge.net/p/c-icap/wiki/UrlCheckProfiles/ > to configure c-icap and srv_url_check. Now,

Re: [squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server helllo

2020-06-16 Thread Amos Jeffries
Sent from my alcatel U5 On 17/06/2020 09:36, Lukáš Loučanský wrote: > But - according to > https://github.com/squid-cache/squid/commit/eec67f04490a477d69891c8b05a94bea05e5efbf GREASE > > - as unknown extensions is meant to be ignored (?). The same said here >

Re: [squid-users] Squid with different HTTP protocol versions

2020-06-14 Thread Amos Jeffries
On 15/06/20 2:03 pm, Peng Luo wrote: > Hi, > > I’ve never used Squid until last week. Squid 4.11 has been set as a > proxy server for my mtk demo board connecting to the internet. > > > Recently, when I tried to run CTS on a demo board, few network test > cases failed. After tcpdumping and

Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-11 Thread Amos Jeffries
On 12/06/20 12:29 am, Amiq Nahas wrote: > On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries wrote: >> >> On 10/06/20 9:26 pm, Amiq Nahas wrote: >>> Hi Guys, >>> >>> I am trying to configure squid so as to have user proxy >>> authent

Re: [squid-users] Issue with SSL_BUMP and Office365 (for one...)

2020-06-10 Thread Amos Jeffries
On 8/06/20 5:53 am, J. Dierkse wrote:> > I think I found the culprit; I’m exclusively using peer routing, and the > knowledgebase mentions that this is disabled when host forgery is detected. > I understand the reasoning behind disabling this, but it renders my setup > pointless for SSL

Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-10 Thread Amos Jeffries
On 10/06/20 9:26 pm, Amiq Nahas wrote: > Hi Guys, > > I am trying to configure squid so as to have user proxy > authentication, below is how my squid.conf file looks like: > > - > acl SSL_ports port 443 > acl Safe_ports port 80# http > acl Safe_ports port 21# ftp > acl

Re: [squid-users] squid-4.9 TCP_MISS_ABORTED and memory leak

2020-06-04 Thread Amos Jeffries
On 2/06/20 11:44 pm, biao.wei wrote: > hi squid developer: >     we use squid-4.9 meet two questions: >       (1)some request have timeout, not response to user data neither to > request upstream from log information. Your logs are showing just over 14min to deliver 360 bytes to the client. That

Re: [squid-users] FATAL: mimeLoadIcon: cannot parse internal URL

2020-06-02 Thread Amos Jeffries
On 2/06/20 3:29 am, Alberto Senni wrote: > Il 01/06/20 16:15, Amos Jeffries ha scritto: >> On 2/06/20 1:45 am, Alberto Senni wrote: >>> Hi to  all, >>> >>> on my linux Devuan configured as transparent router, squid 4 exit with >>> FATAL error (from sy

Re: [squid-users] FATAL: mimeLoadIcon: cannot parse internal URL

2020-06-01 Thread Amos Jeffries
On 2/06/20 1:45 am, Alberto Senni wrote: > Hi to  all, > > on my linux Devuan configured as transparent router, squid 4 exit with > FATAL error (from syslog): > > May 31 14:36:02 beofw (squid-1): FATAL: mimeLoadIcon: cannot parse > internal URL:

Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Amos Jeffries
On 26/05/20 7:24 pm, Julien TEHERY wrote: > To make it work all the time i had to add my intermediate certificate > (thawte) in the local store, so that means intermediate certificate has > not been delivered by the squid server as it should. The experimental GnuTLS support in Debian package does

Re: [squid-users] Bypass squid using iptables

2020-05-25 Thread Amos Jeffries
On 25/05/20 10:09 pm, Ben Goz wrote: > B.H >>Tunneling it elsewhere, > Where can I tunnel it? and how can I configure my machine to support it? > You will need at least Squid-4, with this line in squid.conf: on_unsupported_protocol tunnel see also

Re: [squid-users] Squid 4.4 https_port and ssl-bump : Fatal bungled line

2020-05-25 Thread Amos Jeffries
On 25/05/20 9:59 pm, ben benml wrote: > Hello, > > I'm contacting you for some help. > I need to deploy a secure proxy based on Squid. > > I try to use https_port combined with sslbump. I get an error message > about a bungled line. > > The reasons I want to do this : > - secure connection

Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-25 Thread Amos Jeffries
On 25/05/20 9:25 pm, Ahmad Alzaeem wrote: > Here is debug result : > > > > 2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc > (1375) parseHttpRequest: Prepare absolute URL from  > 2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc > (2106)

Re: [squid-users] Squid cache with SSL

2020-05-25 Thread Amos Jeffries
On 25/05/20 8:09 pm, Andrey Etush-Koukharenko wrote: > Hello, I'm trying to set up a cache for GCP signed URLs using squid 4.10 > I've set ssl_bump: > *http_port 3128 ssl-bump cert=/etc/ssl/squid_ca.pem > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > > sslcrtd_program

Re: [squid-users] squid configuration with c-icap

2020-05-25 Thread Amos Jeffries
On 25/05/20 7:14 pm, Amiq Nahas wrote: > Hi Guys, > > At this point, I have got squid installed on my system. I think it is > working fine since I can browse the internet by adding a manual proxy > in firefox at localhost:3128. > > What I want now is to configure squid such that it passes the

Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-25 Thread Amos Jeffries
[NP: it would help if you replied through the list instead of directly to me, even as a CC. Your messages keep getting diverted to spam folder. ] On 25/05/20 4:26 am, Ahmad Alzaeem wrote: > Hi Amos ,  > > Sorry I'm confused a bit … > > Are my results expected not to work with below : > > >

Re: [squid-users] Bypass squid using iptables

2020-05-25 Thread Amos Jeffries
On 21/05/20 3:49 am, Ben Goz wrote: > B.H. > > I'm using squid with c-icap module for specific content filtering. I > configured squid with ssl bump so website with WSS won't work on it as > mentioned on squid documentation. So for such URLs (with WSS) I need > bypassing squid. I read in some

Re: [squid-users] Squid does not cache file download by FileZilla and apache FTPCLIENT

2020-05-25 Thread Amos Jeffries
On 25/05/20 6:06 pm, david770514 wrote: > Hi Amos, > > The "apache.commons.net.ftp.FTPHTTPClient" is sent as CONNECT tunnels > through the proxy. Can I make it work through modifying the Squid? Let Squid > can cache file when I sent as CONNECT tunnels through the proxy? > Since it uses the

Re: [squid-users] Dumping sslbump'd decrytped http using icap protocol

2020-05-25 Thread Amos Jeffries
On 25/05/20 12:56 am, Scott wrote: > Hi, > > Can someone recommend an ICAP application that will allow me to dump the HTTP > of a client-server conversation? > > I am doing some forensics on an app - I have sslbump configured correctly and > I can get the traffic to c-icap (for example). > >

Re: [squid-users] Docker squid container setup

2020-05-25 Thread Amos Jeffries
On 25/05/20 4:29 am, pmohan wrote: > how do you set siblings in a docker swam setup .. squid config has to be > different isnt it ? That depends on how the containers are configured. Modern Squid use mDNS or regular DNS name lookup for cache_peer. So long as the containers have different IPs

Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-24 Thread Amos Jeffries
On 24/05/20 12:17 pm, Ahmad Alzaeem wrote: > Tested on both OS below : > > Centos 7.7  64 bits  & Centos 6.10 > > > Same result , squid is not marking traffic . > > Is there a way to run squid into debug mode and debug to see if its > making DSCP or not ? 'mark' are Netfilter MARK values

Re: [squid-users] SMP + Ssl-Bump squid-tls_session_cache.shm

2020-05-24 Thread Amos Jeffries
On 24/05/20 3:31 pm, Joshua Bazgrim wrote: > Squid 4.9 > Ubuntu 18.04.03 > > I'm trying to implement ssl-bumping into the frontend of a squid smp > setup, but I keep getting the following error: > FATAL: Ipc::Mem::Segment::open failed to > shm_open(/squid-tls_session_cache.shm): (2) No such file

Re: [squid-users] Squid does not cache file download by FileZilla and apache FTPCLIENT

2020-05-21 Thread Amos Jeffries
On 21/05/20 9:35 pm, david770514 wrote: > Hello everyone, > > I need to implement FTP transfer via Squid proxy. > I use Web browser (Firefox, IE) to download file by my PC after the PC > already set the proxy server from Windows setting. The message in store.log > shows Squid has cached the file

Re: [squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-19 Thread Amos Jeffries
On 15/05/20 7:28 pm, David Touzeau wrote: > > Thanks alex, made this one on squid 4.10 > > > acl TestFinger server_cert_fingerprint > 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9 Is that a SHA1 fingerprint or a newer algorithm? AFAIK only SHA1 is supported by Squid currently.

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Amos Jeffries
On 18/05/20 10:15 am, David Touzeau wrote: >    > > Hi we want to use squid as * * * Secure Proxy * * * using https_port > We have tested major browsers and it seems working good. > > To make it work, we need to deploy the proxy certificate on all browsers > to make the secure connection

Re: [squid-users] "intercepted port does not match 443"

2020-05-19 Thread Amos Jeffries
On 12/05/20 1:01 am, Matus UHLAR - fantomas wrote: > Hello, > > we have intercepting squid on one router and these messages started appear > sometimes: > > 2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected > on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33

Re: [squid-users] Client IP PTR lookup on connect

2020-05-19 Thread Amos Jeffries
On 14/05/20 1:44 am, Michal Bruncko wrote: > Hello guys > > following the original thread "[squid-users] Squid 4.9 Client IP PTR > lookup on connect" > > I am observing exactly same behaviour on > squid-4.4-8.module_el8.1.0+197+0c39cdc8.x86_64 on CentOS 8. Certainly 4.4 is older than 4.9. > At

Re: [squid-users] domains with accented international characters fail with Invalid URL

2020-05-12 Thread Amos Jeffries
On 13/05/20 12:20 am, Patrick Chemla wrote: > Sorry for this, it seems it is not linked to accented characters. Other > not accented domains don't work too. > This is a huge clue in your log: >> >> *- 88.88.88.xx - - - [12/May/2020:08:05:43 +0200] " >>

Re: [squid-users] SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESSES

2020-05-11 Thread Amos Jeffries
On 11/05/20 8:57 pm, leomessi...@yahoo.com wrote: > HI > COULD YOU PLEASE HELP ME? Please don't yell. > IN INTERCEPTED TOPOLOGY WITH TPROXY I HAVE PROBLEM. > > WHAT IS SQUID SOLUTION FOR SITES THAT HAVE MORE THAN ONE IP ADDRESSES? > FOR EXAMPLE SITE LIKE GOOGLE.COM RETURN DIFFERENT IP ADDRESS

Re: [squid-users] (SQUID 4.11) SSl_bump Fails on IOS and Android devices

2020-05-10 Thread Amos Jeffries
On 11/05/20 8:26 am, Allan Raymond Ignacio wrote: > I have compiled and installed SQUID_4.11-3 with SSL, CRTD on debian10 > and here is my configuration -  > > ... > > ### I can browse https on laptops BUT when I used IOS devices or > android, I get errors with this - > > > 1589083941.053     

Re: [squid-users] deny extensions not working for some https

2020-05-10 Thread Amos Jeffries
On 11/05/20 12:21 pm, robert k Wild wrote: > Sorry I mean when you click that url link it downloads an iso file > > Your right that url link ends with > > id=5842 > Actually that is ".aspx" - the pattern I gave you ignores the query-string. There is actually no relationship between file type

Re: [squid-users] deny extensions not working for some https

2020-05-10 Thread Amos Jeffries
On 11/05/20 11:00 am, robert k Wild wrote: > so i have made this > > #deny extension types > acl exttype urlpath_regex -i "/usr/local/squid/etc/extdeny.txt" > http_access deny exttype > > /usr/local/squid/etc/extdeny.txt > > \.exe(\?.*)?$ > \.msi(\?.*)?$ > \.msu(\?.*)?$ > \.zip(\?.*)?$ >

Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-05-07 Thread Amos Jeffries
On 7/05/20 7:44 pm, russel0901 wrote: > Hi, > > I already resolved my problem > > > my problem is on PATH MTU discovery > > may eth0 is set to have a MTU = 1500 > > and I read on another forums that he set the MTU to 1400.. and it works... > > Thank you all for the comments, advise

Re: [squid-users] Problem with Debugging Useragent

2020-05-06 Thread Amos Jeffries
On 7/05/20 4:11 am, Ahmad Alzaeem wrote: > Hello Folks , > > > We have squid 4.x > > We need to debug the user agents being sent from our local network . > > We added : > logformat useragent %>a [%tl] "%{User-Agent}>h" > access_log stdio:/var/log/squid/${service_name}-useragent.log useragent

Re: [squid-users] Encrypt CONNECT Header

2020-05-06 Thread Amos Jeffries
Alex has already covered the main point for your issue. The below are details I think it worth you spending some time on in addition to the encryption. On 7/05/20 3:18 am, Matus UHLAR - fantomas wrote: > On 05.05.20 17:29, Ryan Le wrote: >> Proxy-Authorization is of concern here. Most modern

Re: [squid-users] Squid Proxy not blocking websites

2020-05-06 Thread Amos Jeffries
On 6/05/20 10:20 pm, Arjun K wrote: > Hi Amos > > Could you please share a sample configuration file containing allow and > deny sites defined in a text file so that I can put the same format with > my acls and validate in my environment. > I did in my earlier post. If you want more search the

Re: [squid-users] Squid Proxy not blocking websites

2020-05-05 Thread Amos Jeffries
On 6/05/20 4:47 am, Arjun K wrote: > Hi Amos > > Thanks for your response and suggestions and I will incorporate your > inputs in the configuration. > Please find the below contents of denylist as I am unable to attach as a > document due to restrictions. > > .hotmail.com The above is dstdomain

Re: [squid-users] allowing zip only for a specific url regex

2020-05-05 Thread Amos Jeffries
On 6/05/20 1:39 am, robert k Wild wrote: > Thanks Amos, > > so how would I allow these urls with a wild card then  > > Http://domain.com/path/1/to/any/where > > Http://domain.com/path/2/to/any/where > > Would I do this > > Http://domain.com/path/* > No. As the url_regex ACL name says, these

Re: [squid-users] Squid Proxy not blocking websites

2020-05-05 Thread Amos Jeffries
On 6/05/20 12:58 am, Arjun K wrote: > Hi All > > Can any one help on the below issue. > I tried changing the order of deny and allow acl but it did not yield > any result. > What is the contents of the denylist.txt file? This usually happens when things in there are not the right dstdomain

Re: [squid-users] allowing zip only for a specific url regex

2020-05-05 Thread Amos Jeffries
On 6/05/20 12:42 am, robert k Wild wrote: > cool thanks Amos :) > > if your interested these are my lines in my config > > #allow special URL paths > acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt" > > #deny MIME types > acl mimetype rep_mime_type

Re: [squid-users] allowing zip only for a specific url regex

2020-05-05 Thread Amos Jeffries
On 5/05/20 11:38 pm, robert k Wild wrote: > hi all, > > i want to allow only zip files via a specific url regex > > atm im allowing all attachments > > ^https://attachments.office.net/owa/.* > > could i do this to lock it down to only zips > > ^https://attachments.office.net/owa/.zip >

Re: [squid-users] Let Squid use SSL certificate for a parent cache peer

2020-05-05 Thread Amos Jeffries
On 5/05/20 10:21 pm, mariolatif741 wrote: > The purpose of proxy A is that its the proxy that will be given to my > clients. The purpose of all what I am doing is to let my clients use proxy B > indirectly through proxy A (so they can use proxy B without installing the > CA certificate) > It

Re: [squid-users] Let Squid use SSL certificate for a parent cache peer

2020-05-05 Thread Amos Jeffries
On 5/05/20 9:48 pm, mariolatif741 wrote: > Since you said "If the client is participating in the TLS handshake it > *always* requires > the CA to be installed.", then I guess what I want to do is not possible. > > Can I make Squid send the requests received from the client to the cache > peer?

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-05-05 Thread Amos Jeffries
On 5/05/20 4:31 am, Alex Rousskov wrote: > On 5/3/20 10:41 PM, Scott wrote: > >> acl tcp_open_connect_sslbump at_step SslBump1 >> acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni" >> acl guest_net_src src x.y.z.0/24 >> >> ssl_bump peek tcp_open_connect_sslbump >> ssl_bump

Re: [squid-users] Let Squid use SSL certificate for a parent cache peer

2020-05-05 Thread Amos Jeffries
On 5/05/20 9:04 pm, mariolatif741 wrote: > Hello, > > I have a Squid proxy server (proxy A) and I redirect all its traffic to > another proxy (proxy B) using a parent cache peer. > > However, proxy B requires a SSL certificate to be used so it can intercept > the HTTPS requests and read them. >

Re: [squid-users] squid logging disable based on ACL & kernel: Out of memory

2020-05-05 Thread Amos Jeffries
On 3/05/20 12:58 am, Akshay Hegde wrote: > Dear Amos, > > Can you please elaborate, I didnt understand. If possible can you > explain with one example ? I mean behaviour of security and privacy > flaws when  > strip_query_terms is on and when strip_query_terms is off. > That directive only

Re: [squid-users] squid logging disable based on ACL & kernel: Out of memory

2020-05-01 Thread Amos Jeffries
On 2/05/20 4:43 am, Akshay Hegde wrote: > Dear Alex, > > Thanks a lot, I started installing new squid on centos8 as you suggested. > > I got one more doubt its about logging. > > I have below option globally, which I don't want to make "off" > strip_query_terms on > > and my ACL as follows: >

Re: [squid-users] [EXTERNAL] Re: Ubuntu 18 with Squid 4.11 SSL_BUMP

2020-04-29 Thread Amos Jeffries
On 30/04/20 9:11 am, Anthony Mead wrote: > Hmm, if there were more logs I'd share them! Any reason why I'd only see a > access.log line? > > I promise if I curl https://google.com this is the only line I see: > 1588193897.852 20 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT >

Re: [squid-users] Ubuntu 18 with Squid 4.11 SSL_BUMP

2020-04-29 Thread Amos Jeffries
On 30/04/20 8:15 am, Anthony Mead wrote: > Thanks! I've re-compiled without the unnecessary flag, and restarted the > service with a new whitelist, unfortunately i'm getting such a varying of > /var/log/squid/access.log messages that I'm not sure what to google anymore. > > I want to deny all

Re: [squid-users] Ubuntu 18 with Squid 4.11 SSL_BUMP

2020-04-29 Thread Amos Jeffries
On 30/04/20 4:10 am, AMead wrote: > 1. Compiled Squid 4.11 on Ubuntu 18 T3 EC2 instance: > > ./configure \ ... > --with-openssl \ > --enable-ssl \ "--enable-ssl" is not a Squid build option. > --enable-ssl-crtd > > > 2. Initialized the ssl database: > > sudo

Re: [squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Amos Jeffries
On 30/04/20 6:16 am, Walter H. wrote: > It is very probable that the following has the same reason - but I don't > know what's causing it ... > > the old browser on old OS gives this > > > While trying to retrieve the URL: https://mein.elba.hypo.at/* > > The following error was encountered: >

Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-28 Thread Amos Jeffries
On 29/04/20 2:56 am, russel0901 wrote: > Hi again... > > sorry the browser has a configuration, we already static the browser to our > server 10.20.X.X to port > > > about on the message of error: > > This site can’t be reached (on the browser error) > > www.bancnetonline.com took too

Re: [squid-users] failing https requests

2020-04-28 Thread Amos Jeffries
On 28/04/20 2:03 am, Adam Weremczuk wrote: > Thanks Amos for the hint. > > Tcpdump in source reveals the following: > > HTTP/1.1 400 Bad Request ... > > Can I determine which of the above is actually causing failures? > The response says the request is bad. So look at the request message to

Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-26 Thread Amos Jeffries
On 25/04/20 9:09 am, russel0901 wrote: > I am having a problem on my squid proxy > Which version of Squid are you using? Output of squid -v would be best if you can provide. > this settings is allow all but i can't visit sites like bancnetonline, rcbc, > philhealth (govt and bank site) > >

Re: [squid-users] Configure A Native FTP proxy on Squid

2020-04-26 Thread Amos Jeffries
On 26/04/20 8:26 am, Antony Stone wrote: > On Saturday 25 April 2020 at 19:27:51, Dawood Aijaz wrote: > >> Hi, >> >> Currently, I am developing a Data Loss Prevention Tool. One of the >> requirements is to monitor FTP traffic. So can someone help me set up an >> FTP native proxy is squid and how

Re: [squid-users] failing https requests

2020-04-24 Thread Amos Jeffries
On 25/04/20 3:46 am, Adam Weremczuk wrote: > Hi all, > > I run squid-3.5.27_3 on pfSense 2.4.4 as well as in house Sugar CRM server. > > Recently Sugar license validation and updates checks made to > https://updates.sugarcrm.com/heartbeat/soap.php started failing (no > changes made at our end).

Re: [squid-users] 5 v 4

2020-04-23 Thread Amos Jeffries
On 24/04/20 2:39 am, Donald Muller wrote: > What are the differences between V5.x and V4.x? > v5 is more advanced code, and currently still in beta. See and . Amos

Re: [squid-users] FW: Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread Amos Jeffries
On 24/04/20 12:42 am, L.P.H. van Belle wrote: > Hai, > > The folder test-suite/buildtests/ > Is an not exiting folder in current 4.11 tar.gz > > Can you verify that? I thinks thats also from 5.x > It is part of our CI unit test setup. That part of the patch is only useful for git

Re: [squid-users] Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread Amos Jeffries
On 24/04/20 12:28 am, Amos Jeffries wrote: > On 24/04/20 12:00 am, L.P.H. van Belle wrote: >> Hai, >> >> Im currently building squid 411 on debian buster. Cowbuilder setup. >> I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid. >> Which i have

Re: [squid-users] Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread Amos Jeffries
On 24/04/20 12:00 am, L.P.H. van Belle wrote: > Hai, > > Im currently building squid 411 on debian buster. Cowbuilder setup. > I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid. > Which i have done since squid 3.2, first time it fails. > but only AMD64 fails to build, while

Re: [squid-users] Squid 4.11 not building with Heimdal Kerberos

2020-04-23 Thread Amos Jeffries
On 23/04/20 11:41 pm, Silamael Darkomen wrote: > Hi, > > Just trying to build the new Squid 4.11 with Heimdal as Kerberos5 library. > Unfortunately, the enctype fix made in > src/acl/external/kerberos_ldap_group/support_krb5.cc does not compile > with Heimdal. > Their krb5_creds structure does

Re: [squid-users] logformat: override %tg, but keep subsecond resolution

2020-04-23 Thread Amos Jeffries
On 23/04/20 2:29 am, Andreas Hasenack wrote: > Hi, > > I'm trying to override the %tg log format but keep its subsecond time > resolution. > > As a reminder, %tg gives you this: > > 22/Apr/2020:14:14:18.360 > > I would like it to be > > 2020-04-22 14:14:18.360 + > > I tried this first:

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing

2020-04-23 Thread Amos Jeffries
ed bug reports are treated in confidence until the impact has been established. __ Credits: This vulnerability was discovered by Jeriko One . Fixed by Amos Jeffrie

[squid-users] [squid-announce] [ADVISORY] SQUID-2020:4 Multiple issues in HTTP Digest authentication

2020-04-23 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2020:4 __ Advisory ID:SQUID-2020:4 Date: April 23, 2020 Summary:Multiple

[squid-users] [squid-announce] Squid 5.0.2 beta is available

2020-04-23 Thread Amos Jeffries
tp://bugs.squid-cache.org/ Amos Jeffries

[squid-users] [squid-announce] Squid 4.11 is available

2020-04-23 Thread Amos Jeffries
html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries

Re: [squid-users] QUIC support in Squid

2020-04-22 Thread Amos Jeffries
On 22/04/20 11:56 pm, TarotApprentice wrote: > I know QUIC has been around for a while. I see the IETF have a proposed > standard[1]. > > OpenSSL have also expressed interest, but not until OpenSSL 3 is out[2]. > > Are there any plans for Squid to support the QUIC protocol in a future > version?

Re: [squid-users] cache_peer configuration

2020-04-21 Thread Amos Jeffries
On 22/04/20 2:25 am, kutz wrote: > On Wed, Apr 22, 2020 at 01:30:48AM +1200, Amos Jeffries wrote: >> On 21/04/20 11:06 pm, kutz wrote: >>> Hello List, >>> I'm trying to establish a proxy2proxy configuration with my >>> squid-3.5.28-1.el6.x86_64 >>> on

Re: [squid-users] cache_peer configuration

2020-04-21 Thread Amos Jeffries
On 21/04/20 11:06 pm, kutz wrote: > Hello List, > I'm trying to establish a proxy2proxy configuration with my > squid-3.5.28-1.el6.x86_64 > on > Centos 6.10 > > cache_peer IP_OF_PEER parent 8080 0 no-query originserver name=server_1 If the upstream is a proxy, do not tell Squid it is an origin

Re: [squid-users] How to block images

2020-04-21 Thread Amos Jeffries
On 21/04/20 6:34 pm, cryptexslayer wrote: > I am trying to save data by blocking .png, .jpg etc. I have tried for the > past 2 hours to setup ACL will block list but it doesn't seem to work. > > Here is my current config > HTML content does not get delivered to this text-only mailing list.

Re: [squid-users] tproxy sslbump and user authentication

2020-04-21 Thread Amos Jeffries
On 21/04/20 11:08 am, Vieri wrote: > Hi, > > Is it possible to somehow combine the filtering capabilities of tproxy > ssl-bump for access to https sites and the access control flexibility of > proxy_auth (eg. kerberos)? Please see the FAQ:

Re: [squid-users] Subject: Expose FTP data using Squid

2020-04-21 Thread Amos Jeffries
On 21/04/20 11:22 am, Dawood Aijaz wrote: >  Hi, > Currently, I am developing a project in which I am required to monitor > FTP traffic. So I am using Squid proxy with FTP over HTTP enabled. What do you mean by "FTP over HTTP" ? and how have you enabled it? Squid has native support for both

Re: [squid-users] squid 3.5 conf setup

2020-04-20 Thread Amos Jeffries
On 21/04/20 2:48 am, James Adams wrote: > We have a few squid setups to handle large number of /24 IP blocks. > I want to know is there an easier configuration to do this as we have to > manually configure each conf file and can take a long time plus the fact > of human error. I am trying to

Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-19 Thread Amos Jeffries
On 19/04/20 8:22 pm, Dmitry Melekhov wrote: > > 19.04.2020 12:18, TarotApprentice пишет: >> I am not sure if you have any contact with the Debian maintainers. I >> raised a bug with Debian in March asking for 4.10 to get promoted to >> buster-backports on the grounds of security fixes. If we’re

Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-19 Thread Amos Jeffries
On 19/04/20 8:18 pm, TarotApprentice wrote: > I am not sure if you have any contact with the Debian maintainers. I > raised a bug with Debian in March asking for 4.10 to get promoted to > buster-backports on the grounds of security fixes. If we’re on the > stable release (buster) we are stuck with

Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-18 Thread Amos Jeffries
now going to be fixed in a later release. Amos > Thanks, > Marcus > > On 18/04/2020 14:10, Amos Jeffries wrote: >> __ >> >>

[squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-18 Thread Amos Jeffries
act has been established. __ Credits: This vulnerability was discovered by Jeriko One . Fixed by Amos Jeffries of Treehouse Networks Ltd. __ Revision history: 2019-05-14 14:56:49 UTC Initial Report 2019-06-23 15:15:56 UTC P

Re: [squid-users] dynamic ACLs

2020-04-17 Thread Amos Jeffries
On 16/04/20 9:09 pm, Vieri wrote: > Hi, > > In sslbump tproxy "mode" one cannot authenticate user to limit/allow their > access to web content. > > I was thinking however of making a web form with auth within a custom Squid > error page. This way a user would "automatically" whitelist a web

Re: [squid-users] Header Detection Post SSL Bump in Squid 4.10

2020-04-16 Thread Amos Jeffries
On 16/04/20 5:15 pm, shubham jain wrote: > Hi, > > *Context*: > I want to use Squid as a forward proxy, where I want to > 1) send all the Image requests directly, presumably using request header > 'accept' > 2) send all other requests through a cache peer Proxy service > > The req_header

Re: [squid-users] Squid proxy configuration for client SSL termination

2020-04-15 Thread Amos Jeffries
On 16/04/20 1:23 pm, Michael Leikind wrote: > Greetings to the Squid community! > > I would like to get the recommendation on how to configure Squid (latest > version) with client SSL termination. > > The requirement is to provide proxy access to the internet for the > client who has no ability

Re: [squid-users] Distributing users according to their LDAP groups on multiple cache peers

2020-04-07 Thread Amos Jeffries
On 8/04/20 1:48 am, Silamael Darkomen wrote: > Hello Amos, > > Thank you for your quick reply. > Could you perhaps give me a short configuration example, how this should > look like? > It would be something like this: acl groupCheck external ... acl groupFoo note group foo http_access

Re: [squid-users] Distributing users according to their LDAP groups on multiple cache peers

2020-04-07 Thread Amos Jeffries
On 7/04/20 6:19 pm, Silamael Darkomen wrote: > Hello, > > Is there any possibility to distribute a bunch of users to different > cache peers based on the user group in LDAP? > > For older versions this was possible by using the slow external ACL > first for evaluation in the http_access clause

Re: [squid-users] help with TC_MISS/200

2020-04-06 Thread Amos Jeffries
On 7/04/20 10:13 am, Juan Manuel P wrote: > Hello, I am implementing a reverse transparent proxy, connected directly to > internet with round-robin balance to two internal again reverse > transparent proxy. > There is no such thing as "reverse transparent proxy". "reverse proxy" and "transparent

Re: [squid-users] Squid transparent not caching apt requests from deb.debian.org

2020-04-06 Thread Amos Jeffries
On 7/04/20 3:49 am, Alex Rousskov wrote: > On 4/4/20 8:02 PM, zrm wrote: >> Attached cache.log excerpt for wget-wget-apt-apt-wget-wget. It answers >> the apt requests from the cache once it's in there, it just won't cache >> it to begin with when apt makes the request > > Thank you for sharing

Re: [squid-users] Squid transparent not caching apt requests from deb.debian.org

2020-04-04 Thread Amos Jeffries
On 5/04/20 2:53 am, Alex Rousskov wrote: > On 4/3/20 4:55 PM, zrm wrote: >> On 4/3/20 16:34, Alex Rousskov wrote: >>> On 4/3/20 4:26 PM, zrm wrote: In the first case we get TCP_MISS every time because it isn't caching the data, in the second case it's only the first time and after that

Re: [squid-users] Error negotiating SSL connection on FD 16

2020-04-03 Thread Amos Jeffries
On 2/04/20 5:42 pm, saiyan_gc wrote: > Hi, thank you for reply me. Really appreciated! > > I modified the squid conf file to: > > http_port 2128 ssl-bump cert=/etc/squid/ssl_cert/example.com.cert \ > key=/etc/squid/ssl_cert/example.com.private \ > generate-host-certificates=on \ >

Re: [squid-users] Error negotiating SSL connection on FD 16

2020-03-31 Thread Amos Jeffries
On 30/03/20 11:58 am, saiyan_gc wrote: > Hi, I am trying to setup a https proxy server, and after I followed some > tutorial, Which tutorial? > created self signed certificate, configure the squid.conf, I also > copied the certificate to the client host Which certificate? Where did you put

Re: [squid-users] How to Configure Proxy Chaining with ssl-bump

2020-03-23 Thread Amos Jeffries
On 21/03/20 2:13 am, Michael Chen wrote: > Hi Amos, > Thanks for your explanation. > Could you instruct me how to install squid v5 based on CentOS 7? > Based on > url  > https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29, >

Re: [squid-users] How to perform regex only after Squid knows the full url with SslBump

2020-03-22 Thread Amos Jeffries
On 23/03/20 4:19 am, Alex Rousskov wrote: > > To allow a CONNECT request, do not use regular URL syntax because > CONNECT requests use a different URI syntax. Sorry, I do not know > whether a url_regex ACL can be used for CONNECT URIs, but you can use > other ACLs if/as needed, of course. > It

Re: [squid-users] How to Configure Proxy Chaining with ssl-bump

2020-03-20 Thread Amos Jeffries
On 20/03/20 8:27 pm, Michael Chen wrote: > Hi Amos, > May I know which function Squid v3.5.28 cannot do for my scenario? > Because Squid v3.5 still has command of cache_peer and ssl . > TLS is a volatile environment, with many changes going on constantly. Squid-3 has been deprecated since

Re: [squid-users] How to Configure Proxy Chaining with ssl-bump

2020-03-20 Thread Amos Jeffries
On 20/03/20 7:12 pm, Michael Chen wrote: > Hi Amos, > Squid version 3.5.28 Squid-3 cannot do what you are wanting. You require Squid-4 or later if the peer supports TLS/SSL connections, and Squid-5 or later if it does not. > image.png > BR, > Michael > Please avoid posting things images.

Re: [squid-users] How to Configure Proxy Chaining with ssl-bump

2020-03-19 Thread Amos Jeffries
On 20/03/20 6:31 pm, Michael Chen wrote: > Hi, > I would like to proxy chaining squid to parent proxy on the cloud, > Netskope proxy. Output of "squid -v" please. The version matters a lot when it comes to what you are trying to configure. Amos ___
