on how to debug the problem would be gratefully received.
Thanks.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
On Fri, 15 Oct 2010, Amos Jeffries wrote:
First step is upgrading to 3.1.8 to see if it's one of the many found and
solved bugs.
If it still remains, check bugzilla for any references.
I'll certainly check with the latest Squid, but I haven't found anything in
bugzilla to suggest
On Mon, 18 Oct 2010, Amos Jeffries wrote:
Sounds a lot to me like some rare response from ICAP which confuses Squid
about the reply size.
This is possible. Although shouldn't Squid time out ICAP requests (and
close the connection) if the response takes too long to complete?
Or a
) and a
postcache respmod hook (respmod_precache). The caching Squid would
provide the same precache reqmod hook (reqmod_precache) and a precache
respmod hook (respmod_precache), although I don't have a use for these
myself.
It's a bit nasty, but it happens to work. :)
--
- Steve Hill
characters are a signature
of a type of attack) you will want to be able to differentiate between the
2.
In any case, uri_whitespace is a global option and would affect
everything, whereas urlpath_regex and urlpath_raw_regex can be mixed.
(did that make sense or have I misunderstood? :)
- - Steve
that escape some characters in the URI without
blocking legitimate requests.
I.e. you can filter URIs containing %2easp (the signature of some
attacks) without blocking legitimate requests for .asp
- - Steve Hill
? And is this
supposed to be handled elsewhere?
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:st...@opendium.com
Email:st...@opendium.com
Phone:sip:st...@opendium.com
Sales / enquiries contacts
upstream proxy. Is there some
way to turn off source address spoofing without using a second proxy?
--
- Steve Hill
On 28.11.12 13:52, David Touzeau wrote:
Since Google and YouTube force browsers to use SSL we have a lack of
statistics and web filtering with Squid.
I would like to know if there is a good way to redirect SSL requests to
Google/YouTube to non-encrypted requests?
Google allow you to do this
On 28.11.12 23:22, David Touzeau wrote:
Thanks !!! But what about Youtube ?
I'm not aware of anything similar for youtube I'm afraid, but if you
come across anything I'd be very interested.
The other possibility is to ssl-bump the https sessions, but that's a
bit nasty.
--
- Steve Hill
/store.log
pid_filename /var/run/squid.pid
coredump_dir /var/spool/squid-nocache
-
The appropriate parts of cache.log are available at:
http://persephone.nexusuk.org/~steve/cache.log
--
- Steve Hill
Squid's TPROXY sockets only seem to bind to the IPv4 stack - Some
Googling suggests it can be made to work with IPv6, but I've not found
anything explaining how. What am I missing?
Thanks.
--
- Steve Hill
to the IPv4 stack. However, I just restarted squid and it has
now bound to the IPv6 stack so I'm not sure what was previously
preventing it. Anyway, looks like the problem is solved - thanks.
--
- Steve Hill
of Squid (including 3.2.3) don't
seem to be exhibiting the problem to such an extent (I'm still seeing a
number of CLOSE_WAIT sockets with an rx queue length of 1 on these
servers, but in relatively small quantities.)
--
- Steve Hill
On 09/01/13 10:14, Steve Hill wrote:
I have a busy Squid 3.2.3 server that constantly has a huge number of
connections tied up in CLOSE_WAIT (i.e. at the moment it has 364
ESTABLISHED but 3622 in CLOSE_WAIT).
tcp1 0 :::172.23.3.254:8080 :::172.23.2.158:49615
CLOSE_WAIT
of
returning a response, Squid generates a 500 Internal Server Error and
does not abandon the socket (the client then drops the connection, which
squid handles correctly, and therefore doesn't end in CLOSE_WAIT).
--
- Steve Hill
response being sent and the browser dropping the connection (anything
the browser sends after the 403 just piles up in the socket's rx buffer).
--
- Steve Hill
configurations only route client-squid traffic via
GRE and the squid-client and squid-webserver traffic all follows the
usual routing instead (which would require Squid to have its own
dedicated connection to the router).
--
- Steve Hill
and then hanging, waiting for the upload to
complete before redoing the request with auth credentials.
--
- Steve Hill
be
true at this point anyway. clientProcessRequest() explicitly sets
readMore = false for CONNECT requests, so I don't understand how Squid
handles keep-alive CONNECT tunnels?
--
- Steve Hill
with the connection. If we can't connect to the
remote host for whatever reason, tunnel.cc calls errorSend() and all the
code paths seem to lead to the socket being closed; if we can connect
then the socket then I don't think client_side_request.cc touches it again.
--
- Steve Hill
option, which sounds like it
would almost do what I want, except the manual says that this option
gets forced back on for requests that fail host verification.
--
- Steve Hill
works as expected, so this is a reasonable stop-gap, but it
does seem that to_localhost is behaving in an unexpected way, since its
behaviour changes depending on whether the proxy is transparent or not.
--
- Steve Hill
.
--
- Steve Hill
this doesn't seem to happen.
/rant
--
- Steve Hill
in a test environment, I have no
choice but to just leave debug logging turned on on a production server.
Any suggestions / help from people more familiar with the Squid
internals would certainly be helpful.
--
- Steve Hill
.
--
- Steve Hill
| Acl.cc(177) matches: checked: preauth_done = 0
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked:
!preauth_done = 1
It looks to me like it's probably only looking at the first tag that the
ACL returned - is this a known bug? I couldn't spot anything in Bugzilla.
--
- Steve Hill
On 29.07.14 06:37, Amos Jeffries wrote:
The note ACL type should match against values in the tag key name same
as any other annotation. If that does not work try a different key name
than tag=.
Perfect, thank you!
--
- Steve Hill
that this is not an issue for devices that *always* go
through an intercepting proxy, since presumably they would never get to
see the real cert, so wouldn't pin it? So this is mainly an issue for
devices that move between networks?
--
- Steve Hill
. :)
--
- Steve Hill
allow all
--
- Steve Hill
the client never gets the object it
requested.
For now I have worked around it with:
request_header_access Via deny https
request_header_access X-Forwarded-For deny https
But it does make me wonder if inserting the headers into bumped traffic
is a sensible thing to do.
--
- Steve Hill
:)
--
- Steve Hill
I'm seeing a lot of this in both 3.4.6 and 3.4.9:
2014/11/18 15:08:48 kid1| assertion failed: DestinationIp.cc:60:
checklist->conn() checklist->conn()->clientConnection != NULL
I've looked through Bugzilla and couldn't see anything regarding this -
is this a known bug?
--
- Steve Hill
missing something?
--
- Steve Hill
existed). Although
I've got to admit that I was a bit surprised to be told that the way
I've been successfully using Squid is impossible. :)
--
- Steve Hill
!).
--
- Steve Hill
ssl_crtd). I also can't see
anything wrong with the certificate chain.
--
- Steve Hill
of the internal cert generator?
Thanks.
--
- Steve Hill
problems, there could be some race conditions lurking here?
--
- Steve Hill
as B's notes, before using appendNewOnly() to
merge them?
--
- Steve Hill
the correct way is to fix it - we could
specifically avoid appending token notes in the Negotiate/NTLM code,
or we could do something more generic in the absorb() method. (My
preference is the latter unless anyone can think why it would be a bad
idea).
--
- Steve Hill
/pkgconfig'
--enable-ltdl-convenience
--
- Steve Hill
On 06.01.15 12:15, Steve Hill wrote:
Alternatively, A->absorb(B) could be altered to remove any notes from A
that have the same keys as B's notes, before using appendNewOnly() to
merge them?
I've implemented this for now in the attached patch and am currently
testing it. Initial results
to some external servers to validate HTTPS
certs before they have authenticated.
4. If you want to support WISPr then (2) and (3) are mandatory.
5. External ACL caching
You might be able to do it with internal ACLs, but... pain :)
--
- Steve Hill
log into a portal, sadly vanilla Android still doesn't
include a WISPr client (I'd put money on this being down to patents!).
--
- Steve Hill
not always have control of the DHCP/DHCPv6 servers.
--
- Steve Hill
to a bug I've
reported to Apple, despite supplying them with extensive debugging).
/rant :)
--
- Steve Hill
opcode 0xf3
) at main.cc:1236
(sorry about the DWARF errors - it looks like I've got a version
mismatch between gcc and gdb)
--
- Steve Hill
e seen this before?
Cheers.
--
- Steve Hill
to confirm). In this case, Squid has no way to know what
name to stick in the cert, so will just use the IP instead.
2. The bumping is happening in step 1 instead of step 2 for some reason.
See: http://bugs.squid-cache.org/show_bug.cgi?id=4327
--
- Steve Hill
everything
that isn't http/https since there will be nothing on the squid server to
handle that traffic.
It doesn't sound like a great idea to me - why not just redirect
http/https traffic at the gateway (TPROXY) instead of mangling DNS?
--
- Steve Hill
'
The user name given to the external ACL is - even though the request
has been authenticated. Setting a->require_auth in
parse_externalAclHelper() makes it work, but obviously just makes %un
behave like %LOGIN, so isn't a solution.
--
- Steve Hill
the "note"
directive to explicitly stuff the headers into the notes, but it looks
like the note directive doesn't allow you to use format strings (i.e.
"note icap_headers %adapt::note to "%adapt::<last_h" rather than substituting the headers.)
--
- Steve Hill
ns.
Any help would be appreciated. Thanks. :)
--
- Steve Hill
a user visits your page, you're going to
need to ssl bump the requests in order to have an ACL based on the
referrer and path. And as you know, ssl bumping involves sticking a
certificate on each device.
--
- Steve Hill
A256" part would indicate that
this is a Squid database key, which is very confusing since with the
certificate cache disabled I wouldn't expect to see these at all.
--
- Steve Hill
ClientRequestContext each time, and before long we've leaked several
gigabytes of memory (on some networks I'm seeing 16GB or more of leaked
RAM over 24 hours!).
Unfortunately I'm a bit lost in the Squid code and can't quite figure
out how to gracefully terminate the connection and destroy t
this bug off and on for months - hadn't spotted that there
was a bug report open for it :)
--
- Steve Hill
:
Upgrade: websocket
Connection: Upgrade
Unfortunately, since Squid doesn't support websockets I think there's no
way around this - by the time we see the request and can identify it as
Skype we've already bumped it so we're committed to pass it through
Squid's HTTP engine. :(
--
- Steve
e
to find the IP of the server you're connecting to? You would never make
a DNS request for '*.example.com' so I don't see a reason why you would
send an SNI that has a larger scope than the DNS request you made.
--
- Steve Hill
has stated that they have no intention of fixing it :(
--
- Steve Hill
alled), so I
wonder if this is something new from Microsoft.
--
- Steve Hill
NNECT requests are always responded to
with an HTTP 409 (Conflict) error page."
As I understand it, turning host_verify_strict on causes problems with
CDNs which use DNS tricks for load balancing, so I'm not sure I
understand the rationale behind preventing it from being turned off for
CONNECT r
irst place.
--
- Steve Hill
will never be fixed
to work, or work around the broken apps within Squid and therefore get
them working without the cooperation of the app developers.
--
- Steve Hill
Is there a way of figuring out if the current request is a bumped
request when the http_access ACL is being checked? i.e. can we tell the
difference between a GET request that is inside a bumped tunnel, and an
unencrypted GET request?
--
- Steve Hill
sites
too and are seeing good results so far.
--
- Steve Hill
a combo of the myportname and proto ACLs should do that.
I think when using a nontransparent proxy you can't tell the difference
between:
1. HTTPS requests inside a bumped CONNECT tunnel, and
2. unencrypted "GET https://example.com/ HTTP/1.1" requests made
directly to the proxy.
--
series without problems. But I don't
think any of our sites have as high req/sec load as you.
--
- Steve Hill
patches). That said, with the schools currently on holiday
those fixes haven't yet been well tested on real-world servers - we'll
find out if there are any issues with them when term starts again :)
--
- Steve Hill
passed along
with the request, but I think the bug mentioned above would cause those
headers to be discarded mid-request in some cases)
--
- Steve Hill
. The client and squid may expire the records up to 1
second apart.
So what's the solution? (Notably the validation check can't be disabled
without hacking the code).
--
- Steve Hill
er go away.
--
- Steve Hill
/show_bug.cgi?id=4526
...which I had thought to have gone away in Squid 5.1. I will apply the
patch next week and see if the problem goes away again.
--
- Steve Hill
the things which stand out are:
- Long Strings: 220 MB
- Short Strings: 2.1 GB
- Comm::Connection: 217 MB
- HttpHeaderEntry: 777 MB
- MemBlob: 773 MB
- Entry: 226 MB
What's the best way of debugging this? It there a way to list all of
the Comm::Connection objects?
Thanks.
--
- Steve Hill
I did use netstat on it though, and the number of
established TCP connections was 1090 - that is obviously made up of
client->proxy, proxy->origin and proxy->icap connections - my gut
feeling was that it wasn't enough connections to account for 200-odd MB
of Comm::Connection objects.
looks like it should be accounted for.
There are similarities though - lots of memory going to HttpHeaderEntry
and Short Strings in both cases.
--
- Steve Hill
79 matches