Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Amos Jeffries
On 5/03/21 1:39 am, Niels Hofmans wrote: Hi Amos, Thank you for getting back to me. So if ssl-bump is required on the http(s)_port directive, I end up at: https_port simply means TLS is the transport protocol. The transport is terminated at the proxy. There are many permutations of what is

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread Amos Jeffries
On 4/03/21 11:36 pm, Niels Hofmans wrote: Hi guys, I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com : https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

Re: [squid-users] permit google chrome updates

2021-03-02 Thread Amos Jeffries
On 3/03/21 1:59 am, jmpatagonia wrote: Yes the proxy have external authentication --> auth_param basic program /usr/lib/squid/basic_ldap_auth but I receive a lot of request from users like 02/Mar/2021:12:45:02 -0300 || - || xx.xx.xx. || TCP_DENIED/407|| CONNECT ||

Re: [squid-users] permit google chrome updates

2021-03-02 Thread Amos Jeffries
On 3/03/21 1:21 am, jmpatagonia wrote: I need help to permit google chrome on squid 02/Mar/2021:12:18:01 -0300 || - || 10.114.37.20 || TCP_DENIED/407|| CONNECT || clients1.google.com:443 || text/html The 407 means authentication is required. see

Re: [squid-users] help to redirect http request to another squid proxy

2021-02-28 Thread Amos Jeffries
On 26/02/21 8:47 pm, jmpatagonia wrote: Hello I need help to redirect request http/https from a specific domain to another squid proxy server. Like a domain for example microsoft.com redirect o transfer all request to another squid proxy server. Firstly, "redirect"

Re: [squid-users] My cache gived me a content-length of 0, and a 200 TCP_REFRESH_UNMODIFIED_ABORTED

2021-02-25 Thread Amos Jeffries
On 25/02/21 4:45 am, Señor J Onion wrote: Thanks Amos - that’s a very kind and thorough explanation. Ok - I understand why the content-length is 0 as the server responded with a 304. Gotcha. Squid in response responds with a 200. And I also understand why it is a REFRESH because the server

Re: [squid-users] My cache gived me a content-length of 0, and a 200 TCP_REFRESH_UNMODIFIED_ABORTED

2021-02-24 Thread Amos Jeffries
On 25/02/21 12:50 am, Señor J Onion wrote: I am new to Squid, I have been trying to get this to work for almost two weeks now, and have found nothing in the archives. This is my curl command (you will get a 403 forbidden by the time you run this dear reader): curl -s -D - -o /dev/null -G -d

Re: [squid-users] Allow specific set of IP to access a specific set of URL

2021-02-24 Thread Amos Jeffries
On 24/02/21 10:14 pm, Klaus Brandl wrote: The acl for the url must be of type url_regex, or something else: acl allowedurl url_regex "url.txt" This line tells Squid to load a file full of regex patterns. Nothing more. The http_access line is the list of rules that determines when those

Re: [squid-users] transparently proxy squid in a docker container

2021-02-24 Thread Amos Jeffries
On 24/02/21 3:14 pm, Justin Michael Schwartzbeck wrote: Hi all, For some years I have used squid 3.5 with SSL bump and transparent proxy locally on my laptop. I have been using the following in my squid.conf: ssl_bump server-first all http_port 3128 http_port 3129 intercept http_port 3130

Re: [squid-users] Squid doesn't notice AD group changes

2021-02-22 Thread Amos Jeffries
On 22/02/21 11:41 pm, heimarbeit123.99 wrote: You were right! I realy don't know how I was able to miss this.. I removed "-R" and don't get the error anymore. I did read the documentation again and -K and -S should be fine. -d of course too. But now I get the error "WARNING: LDAP search error

Re: [squid-users] Squid doesn't notice AD group changes

2021-02-22 Thread Amos Jeffries
On 22/02/21 10:42 pm, heimarbeit123.99 wrote: of course I did read the documentation. Otherwise I would not have asked here. I would not ask for your time if the solution would be available for myself. I am asking right here -after some weeks- because I do not know what is finally wrong. You

Re: [squid-users] Squid doesn't notice AD group changes

2021-02-22 Thread Amos Jeffries
On 22/02/21 9:26 pm, heimarbeit123.99 wrote: So I finally tried it on my Squid Proxy. I edited the squid like this: external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com" -D proxyu...@domain.com -W /etc/squid/ldappass.txt -f

Re: [squid-users] Why some traffic is TCP_DENIED

2021-02-16 Thread Amos Jeffries
On 16/02/21 11:09 pm, Vieri wrote: Hi, I'm trying to understand why Squid denies access to some sites, eg: [Tue Feb 16 10:15:36 2021].044  0 - TCP_DENIED/302 0 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html [Tue Feb 16 10:15:36 2021].050

Re: [squid-users] The user/password pair is correct, yet squid keeps sending me TCP_DENIED/407

2021-02-15 Thread Amos Jeffries
On 16/02/21 4:16 am, Yanko Hernández Álvarez wrote: > On Fri, Feb 12, 2021 at 5:36 PM Amos Jeffries wrote: >> >> On 13/02/21 9:29 am, Yanko Hernández Álvarez wrote: >>> Hello :-) >>> >>> How is it possible that some user tried to log in with t

Re: [squid-users] The user/password pair is correct, yet squid keeps sending me TCP_DENIED/407

2021-02-12 Thread Amos Jeffries
On 13/02/21 9:29 am, Yanko Hernández Álvarez wrote: Hello :-) How is it possible that some user tried to log in with the correct password and squid response was a TCP_DENIED/407? ... http_access deny !LoggedIn # LoggedIn = proxy_auth REQUIRED What rules follow this one? and what ACL

Re: [squid-users] Originserver load balancing and health checks in Squid reverse proxy mode

2021-02-09 Thread Amos Jeffries
On 10/02/21 9:59 am, Alex Rousskov wrote: On 2/9/21 11:35 AM, Chris wrote: This is what I'm seeing in peer_select in cache_log with 44,3 debug options: Add (at least) "15,3" to your debug_options and then look for getWeightedRoundRobinParent lines. Looking at mgr:server_list Cache Manager

Re: [squid-users] Port or switch level authorization

2021-02-08 Thread Amos Jeffries
On 8/02/21 10:48 pm, Eliezer Croitoru wrote: I have a Mikrotik PPPOE server and I would like to register the logged in user on PPPOE Tunnel creation. In the mikroitk device I have a code which can run a curl/fetch request with the login details ie IP and username towards any server. I was

Re: [squid-users] Originserver load balancing and health checks in Squid reverse proxy mode

2021-02-08 Thread Amos Jeffries
On 9/02/21 3:40 am, Chris wrote: Hi all, I'm trying to figure out the best way to use squid (version 3.5.27) in reverse proxy mode in regard to originserver health checks and load balancing. So far I had been using the round-robin originserver cache peer selection algorithm while using

Re: [squid-users] Squid "suspending ICAP service for too many failures"

2021-01-30 Thread Amos Jeffries
On 31/01/21 6:08 am, Andrea Venturoli wrote: On 1/29/21 8:38 PM, Alex Rousskov wrote: Packet captures can tell you whether other Squid-ICAP server connections were active at the time, whether from-Squid SYN packets were able to reach the ICAP server, etc. In other words, basic network

Re: [squid-users] re-directing through squid using MAC

2021-01-30 Thread Amos Jeffries
On 30/01/21 8:19 pm, Wolfgang Paul Rauchholz wrote: I got two questions actualy. I want to re-direct all traffic certain users (parental control...) through squid. (1)  What i the best possibility to do so independently of whether they are on the LAN or are outside home? There is no single

Re: [squid-users] Fixing Squid configuration for caching proxy?

2021-01-29 Thread Amos Jeffries
On 30/01/21 8:57 am, Alex Rousskov wrote: On 1/29/21 12:56 PM, Milos Dodic wrote: Here are the logs, but first to mention, from the server that is going through the Squid, I am using curl -k (-k to ignore SSL insecure warnings atm). From the Squid iself, I use squidclient, as using curl from

Re: [squid-users] reply_header_access vs rep_mime_type to deny mime types

2021-01-25 Thread Amos Jeffries
On 26/01/21 1:47 am, robert k Wild wrote: sorry Amos, i will explain why i use the "rep_mime_type" so when users go to a website and click on a link to download and if that download is an .exe/.zip etc etc (on my mimedeny.txt ), squid will stop/block the download and instead they will get an

Re: [squid-users] reply_header_access vs rep_mime_type to deny mime types

2021-01-25 Thread Amos Jeffries
On 26/01/21 1:24 am, robert k Wild wrote: hi all, just want your thoughts on what the best acl is to deny mime types Please explain what you mean by "deny mime types" ... Deliver the servers response but without telling the client what data format it is using ? Prevent the servers

Re: [squid-users] Squid 5 service stops after assertion failure

2021-01-24 Thread Amos Jeffries
On 25/01/21 10:42 am, Vieri wrote: After the assertion failure Squid tries to restart a few times (assertion failures seen again) and finally exits. A manual restart works, but I don't know for how long. The external script "bllookup" is probably responsible for bad output, That is a

Re: [squid-users] Problem with tcp_outgoing_address

2021-01-24 Thread Amos Jeffries
On 24/01/21 5:40 am, hlager wrote: Hey guys, i'm trying to get squid working with two outgoing ip adresses, but only one will work, i hope someone can help me. I'm using an ESXI with a Ubuntu VM, i got 3 NICs on it. One Local were the traffic comes in and two which are for the outgoing

Re: [squid-users] sslcrtvalidator_program

2021-01-18 Thread Amos Jeffries
On 19/01/21 5:53 am, Eliezer Croitoru wrote: Hey Alex, I have tried to read the documentation and to compose a single certificate validation "call" or "request". The issue with this is that I am unable to do that. It would help a lot if a single verification request would be public and

Re: [squid-users] Trying to verify couple tls issues

2021-01-18 Thread Amos Jeffries
On 19/01/21 6:04 am, Eliezer Croitoru wrote: I wrote the next "helping/helper/testing scripts": https://github.com/elico/tls-check-script/blob/master/tls-check.rb https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh Now I am trying to verify what issues exists that causes

Re: [squid-users] Peer selection based on IP with multiple ports?

2021-01-16 Thread Amos Jeffries
On 17/01/21 1:52 am, roee klinger wrote: Hey, I am using Squid to route users to different peers based on their usernames, I was asked to add support for IP whitelisting recently but I ran into an issue. If one IP wants to access to different peers, I will have to do it based on on the

Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-13 Thread Amos Jeffries
On 14/01/21 3:17 am, David Touzeau wrote: Hi This error is generated every 15 minutes when using any authenticator helper (ntlm, kerberos...) Is there a way to investigate on this issue ? kidxx| WARNING: no_suid: setuid(0): (1) Operation not permitted This looks like

Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-13 Thread Amos Jeffries
On 13/01/21 11:27 pm, Dieter Bloms wrote: Hello, the wiki of squid cache project (wiki.squid-cache.org) has an incomplete certificate chain. I can't access the website with enabled sslbump and tlsv1.3 support, because squid isn't able to download the missing intermediate certificate on its own.

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Amos Jeffries
On 12/01/21 11:32 pm, NgTech LTD wrote: Im saying that my config might be wrong and I will send you a full config save which can show you the whole setup like most vendors has. I have upgraded squid in production. Let me verify first before shouting "bug". Eliezer Okay. I see a few things

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Amos Jeffries
On 12/01/21 10:15 pm, Eliezer Croitoru wrote: This works in another proxy which looks at the SNI only without any bump involved. So you are saying you find a bug with Squid? or .. ?? Amos ___ squid-users mailing list

Re: [squid-users] cache_peer selection based on username

2021-01-12 Thread Amos Jeffries
On 12/01/21 9:17 pm, Eliezer Croitoru wrote: Hey Amos, One thing that the auth helper cannot do with this note is the ttl. The auth ttl is different then the request IP binding/routing. That can be added in via the the key_extras detail. Though I am still worried that the OP *only* asked

Re: [squid-users] ERROR connecting to squid proxy server

2021-01-12 Thread Amos Jeffries
On 12/01/21 6:30 pm, Reshma V Kumar wrote: Hi ! This is the error from cache.log file 2021/01/11 23:21:07 kid1| idnsSendQuery FD -1: sendto: (0) No error. "-1" is a closed socket. It looks like there is no UDP port open for sending traffic to your DNS server(s). You are starting Squid

Re: [squid-users] Change cipher suite ordering

2021-01-12 Thread Amos Jeffries
On 12/01/21 5:44 pm, vinod mg wrote: Hello Team, I need some help in configuring cipher suite ordering. I am using squid with SSL configs and trying to configure the cipher order but not able to do so, I am using below sites to check my chipher ordering and its showing different ordering

Re: [squid-users] cache_peer selection based on username

2021-01-11 Thread Amos Jeffries
On 11/01/21 8:06 am, roee klinger wrote: Thanks, Eliezer, I was able to get it working. Here is an example in case anybody runs into this in the future: acl mynote1 note mykey note1 acl mynote2 note mykey note2 FYI, key names ending with "_" character are reserved for custom keys

Re: [squid-users] How do I rotate access.log?

2021-01-11 Thread Amos Jeffries
On 11/01/21 8:53 am, Matus UHLAR - fantomas wrote: On 10.01.21 17:24, roee klinger wrote: I just wanted to give an update in case anyone is interested, I was not able to find a solution, it was posted here: http://lists.squid-cache.org/pipermail/squid-users/2020-December/023074.html

Re: [squid-users] TCP_DENIED/403 3954 CONNECT www.welt.de:443 - HIER_NONE/- text/html

2021-01-05 Thread Amos Jeffries
On 6/01/21 6:21 am, Wolfgang Paul Rauchholz wrote: I run a home server under Centos 7 and squid 3.5.20. The config is still work in progress as I started only today. Any tipps are welcomed The function is as expected when working from my LAN. But when I tested today from my cell phone from 

Re: [squid-users] Uploaded data size log

2021-01-05 Thread Amos Jeffries
On 5/01/21 8:34 pm, Кристина Павская wrote: Hi, Сan I configure squid log to display the size of uploaded data transmitted from user to server? Yes you can create a custom log format. see Amos ___

Re: [squid-users] PCI Certification compliance lists

2021-01-03 Thread Amos Jeffries
On 4/01/21 3:12 am, ngtech1ltd wrote: I am looking for domains lists that can be used for squid to be PCI Certified. I have read this article: https://www.imperva.com/learn/data-security/pci-dss-certification/ And couple others to try and understand what might a Squid proxy ssl-bump exception

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-02 Thread Amos Jeffries
On 3/01/21 9:08 am, ngtech1ltd wrote: I am trying to configure 5.0.4 with sslbump to bump only a set of domains. I am unsure about the right way it should be done. The basic constrains are POLICY vs a set of rules. * Should I bump all connections with exceptions? * Should I bump non else

Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

2020-12-31 Thread Amos Jeffries
On 31/12/20 10:14 pm, Antony Stone wrote: On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote: If I set up on a device connected to the access point a proxy manually ie 10.3.141.1 on port 8080, I can access the internet. If I put the following rules for iptables to use in

Re: [squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-29 Thread Amos Jeffries
On 30/12/20 9:02 am, NgTech LTD wrote: I have seen this issue on Windows clients over the past. Windows nslookup shows that the query has timed out after 2 seconds. On Linux and xBSD I have researched this issue and have seen that: the DNS server is doing a recursive lookup and it takes from 7

Re: [squid-users] squid writes to /var/log/messages

2020-12-21 Thread Amos Jeffries
On 22/12/20 2:29 am, sampei02 wrote: I can confirm that squid will write to /var/log/messages if syslog logging is enabled AND syslog is configured to write to /var/log/messages (this is the default behaviour on some Linux distributions, such as Debian, but not Ubuntu). My distro is Centos7

Re: [squid-users] squid writes to /var/log/messages

2020-12-21 Thread Amos Jeffries
On 21/12/20 9:55 pm, sampe...@tiscali.it wrote: Ok, I noted these 2 squid processes: root/usr/sbin/squid -sYC squid (squid-1) --kid squid-1 -sYC -s means "Enable logging to syslog” This option ‘-s’ could explain writing to messages ? Squid does not write to

Re: [squid-users] What is the state of V5 branch? Can I try to publish some RPMS?

2020-12-19 Thread Amos Jeffries
On 17/12/20 10:28 pm, Eliezer Croitor wrote: Hey, Next year I will start publishing RPMs for Squid again. What is the state of V5? What should be verified or tested with V5? Status of Squid-5 is that there are three major bugs to be resolved or proven not to be as important as they seem

Re: [squid-users] Problem with access.log and when using SMP

2020-12-19 Thread Amos Jeffries
On 19/12/20 8:07 pm, mikio.ki...@gmail.com wrote: Hi, I have the following same problem using access_log. What version of Squid are you using? I thought that problem was solved long ago. In that case, does the following "stdio" logging module also become a workaround to solve the issue

Re: [squid-users] Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

2020-12-15 Thread Amos Jeffries
On 15/12/20 4:03 am, Klaus Westkamp wrote: Hi, i'm uncertain, wether this mailing list is the correct one to ask, but i have the disputable honor to make a squid running on a Windows Server (if possible). Whilst squid.exe seems to run fine, i constantly run into an unresponsive system, when

Re: [squid-users] Proxy Server closes the connection to http server before transferring all application data to http client

2020-12-14 Thread Amos Jeffries
On 15/12/20 4:21 pm, Zhang, Lily (USD) wrote: Hi I installed 4.13 squid proxy server. See attachment, http server (10.250.16.46) sends FIN, ACK to tells that response is finished.  Proxy server (10.244.102.133) sends FIN, ACK back to http server (10.250.16.46) before "Application Data" is

Re: [squid-users] sslcrtvalidator_program

2020-12-14 Thread Amos Jeffries
On 14/12/20 9:11 am, Eliezer Croitor wrote: I am trying to understand the way the sslcrtvalidator_program works. I am pretty sure I have asked this in the past but didn’t found it for some reason. I want to read line by line so. /^-BEGIN CERTIFICATE-$/ *** /^-END CERTIFICATE-$/

Re: [squid-users] Sqlite3 with Squid

2020-12-13 Thread Amos Jeffries
On 13/12/20 11:01 am, Eliezer Croitor wrote: Well indeed it's very similar. I would need to think about it a bit more to grasp it again in my mind. However in the embedded world ruby/perl/python are not usually available so.. True. Though for limited devices you can do the same thing they do

Re: [squid-users] authorized by pcname

2020-12-13 Thread Amos Jeffries
On 13/12/20 10:44 pm, sampei02 wrote: Thanks for your suggestions. 1. In this way I should move problem to another level that is dhcp server. 2. My DHCP server already updates to local DNS, that is Active Directory, but Squid cannot point to this local Microsoft DNS because It’s using external

Re: [squid-users] Sqlite3 with Squid

2020-12-12 Thread Amos Jeffries
On 11/12/20 12:03 pm, Eliezer Croitor wrote: Amos or Alex might remember or know how to trigger external_acl helper cache cleanup. I don't know what it might affect since there is some context code per request or connection or session. "squid -k reconfigure" is the best trigger I know of.

Re: [squid-users] authorized by pcname

2020-12-12 Thread Amos Jeffries
On 11/12/20 3:55 am, sampei02 wrote: Can I set acl to authorize specific computer name by http_access directive ? Maybe. That depends on whether there is any mechanism for Squid to identify the "computer name". I used usually acl src but I’d like to specify Netbios name, so I Thought

Re: [squid-users] dhcp

2020-12-11 Thread Amos Jeffries
On 11/12/20 7:48 pm, sampei02 wrote: Can you suggest way to manage acl for clients which are using DHCP server? Firstly, what does DHCP have to do with clients using HTTP ? eg, why is it even a consideration for you? Secondly, what are you trying to have Squid do? To provide help we need

Re: [squid-users] replacement for obsoleted cache controls (ign-no-cache; ign-must-reval. + ign-auth)

2020-12-09 Thread Amos Jeffries
On 9/12/20 11:14 am, L A Walsh wrote: On 2020/12/06 12:14, Alex Rousskov wrote: On 12/6/20 10:12 AM, L A Walsh wrote: Since the early 4.x series and now, the cache control headers: FTR: Since Squid-3.2 ignore-no-cache ignore-must-revalidate ignore-auth ... Thanks for the followup. 

[squid-users] WCCPv2 testers needed

2020-12-06 Thread Amos Jeffries
Hi all, We have some improvements to the WCCPv2 packet parser which need real-traffic testing to verify nothing is broken before being submitted for merge. If you are able to test a patch of WCCPv2 please get in touch with me. It will require Squid-4 or later version. Cheers Amos

Re: [squid-users] replacement for obsoleted cache controls (ign-no-cache; ign-must-reval. + ign-auth)

2020-12-06 Thread Amos Jeffries
On 7/12/20 9:14 am, Alex Rousskov wrote: On 12/6/20 10:12 AM, L A Walsh wrote: ... * ignore-no-cache Squid v3.2 release notes imply that Squid does what most admins want now, without any explicit option: "Its commonly desired behaviour is obsoleted by correct HTTP/1.1 Cache-Control:no-cache

Re: [squid-users] ERROR connecting to squid proxy server

2020-12-01 Thread Amos Jeffries
On 1/12/20 8:20 pm, Reshma V Kumar wrote: Hi all, I am testing squid 4.13 on AIX 7.2. I started the squid proxy server in the foreground using the following command */opt/freeware/sbin/squid_32 -f /opt/freeware/etc/squid/squid.conf -d3 --foreground* To test if the squid proxy server is working

Re: [squid-users] reply_header to block downloads

2020-11-18 Thread Amos Jeffries
On 19/11/20 9:20 am, robert k Wild wrote: hi all, can i use the acl "reply_header_access" to block downloads, like i have done with the " rep_mime_type " or is this not what its meant for That directive stops matching responses being delivered to clients (they get an error page instead).

Re: [squid-users] squid mitm

2020-11-18 Thread Amos Jeffries
On 19/11/20 4:48 am, Niels Hofmans wrote: Hi guys, I am trying to setup squid with TLS intercaption on Docker in an alpine linux image. My configuration is as follows: access_log /dev/stdout Not a great idea. stdout is process specific ... and Squid is a collection of multiple processes

Re: [squid-users] Gather POST request on HTTPS traffic?

2020-11-17 Thread Amos Jeffries
On 18/11/20 1:41 am, roee klinger wrote: Hey Amos, Thanks for your response, I will try to implement this today and check if I can get the data I am looking for. I do however have a few questions regarding this approach: 1. If I understand the docu currently, then the server is getting a

Re: [squid-users] squid 4/5 feature request send login informations to peers

2020-11-17 Thread Amos Jeffries
On 17/11/20 9:27 pm, David Touzeau wrote: Hi, We a first Squid using Kerberos + Active Directory authentication. This first squid is used to limit access using ACls and Active Directory groups. This first squid using parents as peer in order to access to internet in this way:    

Re: [squid-users] Gather POST request on HTTPS traffic?

2020-11-16 Thread Amos Jeffries
On 17/11/20 12:14 pm, roee klinger wrote: Hello everyone, I work at a digital agency that has quite a few machines that are managing some Instagram accounts, they are all running in the same LAN and we are using Squid as a proxy to log and analyze some usage statistics and to make sure the 

Re: [squid-users] auth_param tls? limiting proxy access based on client TLS authentication

2020-11-13 Thread Amos Jeffries
On 14/11/20 8:30 am, Bob Rich wrote: I've got squid configured as an old-school explicit forward proxy. I would like to limit access through the proxy to only those clients that authenticate either to an HTTPS proxy listener or via client auth injected into a CONNECT request to the origin

Re: [squid-users] mime deny not working anymore

2020-11-13 Thread Amos Jeffries
On 13/11/20 7:19 am, robert k Wild wrote: hi all, can anyone say why this isnt working anymore, im scratching my head thinking about it #deny MIME types acl mimerep rep_mime_type "/usr/local/squid/etc/mimedeny.txt" http_reply_access deny mimerep and in my /usr/local/squid/etc/mimedeny.txt

Re: [squid-users] issues with sslbump and "Host header forgery detected" warnings

2020-11-07 Thread Amos Jeffries
On 7/11/20 10:18 am, Leonardo Rodrigues wrote>     However, some connections are failing with the "Host header forgery detected" warnings. Example: ...     Questions:     - without using WPAD or without configuring proxy on the client devices, is this somehow "fixable" ? Same DNS

Re: [squid-users] Best practice for adding or removing ACLs dynamically ?

2020-11-01 Thread Amos Jeffries
On 1/11/20 12:27 pm, roee klinger wrote: Thanks Amos! I updated "auth_param basic credentialsttl" according to your advice and it is working great. I am still having issues with the "tcp_outgoing_address 192.168.8.12 acl_for_user3002" part, you mentioned: > For ACLs with values that are

Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL offloading

2020-10-31 Thread Amos Jeffries
On 31/10/20 3:20 am, Scott wrote: On Sat, Oct 31, 2020 at 12:49:16AM +1300, Amos Jeffries wrote: On 30/10/20 3:27 pm, Scott wrote: On Thu, Oct 29, 2020 at 10:08:42PM +1300, Amos Jeffries wrote: On 29/10/20 12:06 pm, Scott wrote: On Wed, Oct 28, 2020 at 12:00:01PM +, squid-users-reques

Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL offloading

2020-10-31 Thread Amos Jeffries
On 31/10/20 3:20 am, Scott wrote: On Sat, Oct 31, 2020 at 12:49:16AM +1300, Amos Jeffries wrote: On 30/10/20 3:27 pm, Scott wrote: On Thu, Oct 29, 2020 at 10:08:42PM +1300, Amos Jeffries wrote: On 29/10/20 12:06 pm, Scott wrote: On Wed, Oct 28, 2020 at 12:00:01PM +, squid-users-reques

Re: [squid-users] Best practice for adding or removing ACLs dynamically ?

2020-10-31 Thread Amos Jeffries
On 31/10/20 1:34 pm, roee klinger wrote:  Hey, I have Squid configured to send users to different outgoing interface like so: .. auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpassword acl acl_for_user3002 proxy_auth user2 tcp_outgoing_address 192.168.8.12

Re: [squid-users] squid restart

2020-10-31 Thread Amos Jeffries
On 1/11/20 12:02 am, Vieri wrote: Hi, Around every hour or so, the Squid proxy client experience comes to a crawl. It takes a very long time to load a simple web page. ... I guess the reason could be for this:     Maximum number of file descriptors:   4096     Largest file desc

Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL offloading

2020-10-30 Thread Amos Jeffries
On 30/10/20 3:27 pm, Scott wrote: On Thu, Oct 29, 2020 at 10:08:42PM +1300, Amos Jeffries wrote: On 29/10/20 12:06 pm, Scott wrote: On Wed, Oct 28, 2020 at 12:00:01PM +, squid-users-reques wrote: Date: Thu, 29 Oct 2020 00:08:34 +1300 From: Amos Jeffries On 28/10/20 5:25 pm, Scott wrote

Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL offloading

2020-10-29 Thread Amos Jeffries
On 29/10/20 12:06 pm, Scott wrote: On Wed, Oct 28, 2020 at 12:00:01PM +, squid-users-reques wrote: Date: Thu, 29 Oct 2020 00:08:34 +1300 From: Amos Jeffries On 28/10/20 5:25 pm, Scott wrote: Here are the logs (first not working, followed by working). Note this is the login attempt

Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL offloading - not working on IE/Chrome

2020-10-28 Thread Amos Jeffries
On 28/10/20 5:25 pm, Scott wrote: Here are the logs (first not working, followed by working). Note this is the login attempt, not the loading of the initial page. You'll see in the NOT WORKING section that the browser does NOT return a cookie to the server, which is where the problem may be.

Re: [squid-users] Running squid inside docker container

2020-10-23 Thread Amos Jeffries
On 23/10/20 10:40 pm, rahul.negi wrote: After I ran above command, I am getting below error “FATAL: xcalloc: Unable to allocate 1048576 blocks of 392 bytes!” There is not enough RAM available to Squid. Check the total available on the machine, the per-process limits on the machine, what

Re: [squid-users] Suppressing authentication schemes

2020-10-21 Thread Amos Jeffries
On 21/10/20 7:53 pm, Philipp Gesang wrote: > On Tuesday, 2020-10-20 10:59:41 -0400 Alex Rousskov wrote >> On 10/20/20 10:44 AM, Philipp Gesang wrote: >>> On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov wrote > a while back we received a report from a customer that Windows > hosts

Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 21/10/20 1:24 am, Christophe Leloup wrote: > Hi, > > I have connected my debian to my active directory. I don't have machine > authentication by user but only by ip. attached my squid.conf. > > Have a read of this: Amos

Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 21/10/20 1:24 am, Christophe Leloup wrote: > Hi, > > I have connected my debian to my active directory. I don't have machine > authentication by user but only by ip. attached my squid.conf. > Well. Yes, that looks true. Amos ___ squid-users

Re: [squid-users] sslbump https intercepted or tproxy

2020-10-20 Thread Amos Jeffries
On 20/10/20 4:39 am, Vieri wrote: > Hi, > > It's unclear to me if I can use TPROXY for HTTPS traffic. You can. It is just an alternative to NAT. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org

Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 20/10/20 10:44 pm, Christophe Leloup wrote: > Good morning all, > > I am French. excuse me for my English. > I am looking for a tutorial. how integrated an active directory 2008 with > squid. > > do you have any leads or websites? > That depends on what you are trying to make Squid do,

Re: [squid-users] Squid doesn't call helper

2020-10-20 Thread Amos Jeffries
On 20/10/20 6:18 pm, Kornexl, Anton wrote: > Squid 4.10 on Ubuntu 20.04 > >   > > The configured program is started but not called (or the result not used) > Please check cache.log to find out which of those two very different things is happening. One means the ACL is not being checked or

Re: [squid-users] websockets through Squid

2020-10-19 Thread Amos Jeffries
On 19/10/20 11:07 am, Vieri wrote: > > On Saturday, October 17, 2020, 10:36:47 PM GMT+2, Alex Rousskov wrote: > >> or due to some TLS error. >> I filed bug #5084 > > Hi again, > > Thanks for opening a bug report. > > I don't want to add anything there myself because I wouldn't want to

Re: [squid-users] websockets through Squid

2020-10-16 Thread Amos Jeffries
On 17/10/20 3:07 am, Vieri wrote: > Hi, > > I think I found something in the cache.log I posted before. > > sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_3 > ... > sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_2 > > It seems that Squid sometimes connects to the remote HTTP server with

Re: [squid-users] allow certian user ips to access only 2 domains and disallow everything

2020-10-16 Thread Amos Jeffries
On 16/10/20 10:21 pm, simon ben wrote: > I have squid running perfectly fine on centos 7 64 bit with no issues > I want to allow certain user ips to access a few sites and block > everything else so below is the config > the sites are  > 1) paloaltonetworks.com > 2) redcloak.secureworks.com >

Re: [squid-users] Help with with delay pools

2020-10-14 Thread Amos Jeffries
On 15/10/20 7:52 am, Service MV wrote: > Hello everyone, I don't know if anyone can help me with this configuration. > > acl Domain_Users note group AQUAAAUV7TIfbORUj8PLQv4YAQIAAA== > delay_pools 1 > delay_class 1 1 > delay_parameters 1 250/250 > delay_access 1 allow Domain_User >

Re: [squid-users] R: Trouble with an app

2020-10-13 Thread Amos Jeffries
On 13/10/20 8:59 pm, Roberto Nunnari wrote: > Hi Amos. > > Thank you for your help. > > Could it be that the client received the zscaler certificate and because it's > wrong for google it closed the connection? > Unfortunately, the logs on the client don't show no clue about it.. > That is

Re: [squid-users] How to configure squid to not cache

2020-10-13 Thread Amos Jeffries
On 13/10/20 8:37 am, Ronan Lucio wrote: > I'm sorry. My bad. > Just found it > > On Tue, Oct 13, 2020 at 8:20 AM Ronan Lucio wrote: >> >> Hi, >> I'd like to configure squid for proxy only, no caching any content. >> >> Looking at squid docs, it instructs to use "cache deny all", but I >> didn't

Re: [squid-users] websockets through Squid

2020-10-10 Thread Amos Jeffries
On 11/10/20 6:13 am, Vieri wrote: > I'm also getting this other file that can't be copied: > > cp ../../src/tests/stub_debug.cc tests/stub_debug.cc > cp: cannot create regular file 'tests/stub_debug.cc': No such file or > directory > make[3]: *** [Makefile:1490: tests/stub_debug.cc] Error 1 > >

Re: [squid-users] Trouble with an app

2020-10-10 Thread Amos Jeffries
On 10/10/20 2:54 am, Roberto Nunnari wrote: > Hello. > >   > > I work in secondary school and our access to internet is protected in > two points: > > 1)  Squid proxy (I manage this) > > 2)  Internet service provider (they change *.google.com ssl > certificate with zscaler) > >   > >

Re: [squid-users] websockets through Squid

2020-10-08 Thread Amos Jeffries
On 9/10/20 11:56 am, Vieri wrote: >> As a workaround, try sequential build ("make" instead of "make -j...") > > I removed -j, but I'm still getting a similar error: > Not just similar. The same one. FYI, some make do parallel by default. I advise explicitly using -j1 for the workaround build.

Re: [squid-users] websockets through Squid

2020-10-07 Thread Amos Jeffries
On 8/10/20 2:29 am, Vieri wrote: >> To allow WebSocket tunnels, you need http_upgrade_request_protocols >> available since v5.0.4 > > Thanks for the info. > My distro does not include v. 5 yet as it's still beta, although I could try > compiling it. > > Just a thought though. What would the

Re: [squid-users] SSL on different ports

2020-10-06 Thread Amos Jeffries
On 7/10/20 2:16 pm, Ronan Lucio wrote: > Hi, > > By default, Squid accepts SSL connection only to port 443. You are referring to the SSL_ports ACL ? That does not mean accepting SSL connections. Only that the port is known to be used primarily for SSL. So that opening opaque CONNECT tunnels

Re: [squid-users] sslproxy_options on squid 3.5.20

2020-10-06 Thread Amos Jeffries
On 6/10/20 1:35 pm, Nisa Balakrishnan wrote: > Hi, > > I am trying to allow access for only tls versions 1.2 and above on Squid > 3.5.20 > Note that "above 1.2" are not supported by that ancient version of Squid. Your test disables everything except SSLv1 code in the library. > For testing

Re: [squid-users] I want to know the concerns of load testing

2020-10-02 Thread Amos Jeffries
On 2/10/20 6:26 pm, m k wrote: > Hello Please tell me additionally. 4. I only know Squid up to 3000 > users. Is there any case where Squid is used by a company that is used > by more than 30,000 users? Please let me know if there is a large > company using Squid. 5. What are the important point

Re: [squid-users] I want to know the concerns of load testing

2020-10-02 Thread Amos Jeffries
On 2/10/20 3:15 pm, m k wrote: > Hello, > > I'm planning a proxy renewal for a company with 45k clients. > I'm looking at the performance of a single Squid to determine the number > of Squids. > > Environment: Virtual (OpenStack) > OS: CentOS8.1 > CPU: 4 cores > MEM: 8GB > DISK: SATA30GB / 100GB

Re: [squid-users] ACL matches when it shouldn't

2020-09-30 Thread Amos Jeffries
Ah. Think I found it. Line 9600 in the earlier file contains a URL with un-escaped "||" sequence. Pipe is a reserved character in regex so needs \-escaping like '?' '*' '.', '$', '^, '[', ']', '(', ')', '$' and '\' in the original URL. See the note below though for long-term fix ... On

Re: [squid-users] ACL matches when it shouldn't

2020-09-29 Thread Amos Jeffries
On 30/09/20 2:27 am, Vieri wrote: > Hi, > > I have a url_regex ACL loaded with this file: > > https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing > > Then I have an access denial like so: > > http_access deny bad_dst_urls > > Problem is that I am not expecting

Re: [squid-users] How te deal with proxy authentication bypass

2020-09-29 Thread Amos Jeffries
On 29/09/20 3:55 am, Service MV wrote: > In my case I have the domains, for example from webex, which I get from > their official support page. It seems that I am doing something wrong or > I am not understanding well. > I base on this documentation >

Re: [squid-users] squid 5.0.4 cache_peer bug on https outgoing

2020-09-28 Thread Amos Jeffries
On 28/09/20 10:39 pm, openwrt wrote: > I located the bug and found a another way to deal with it. > > The bug is that cache_peer https CONNECT drops the port number > > If you do the compatibility treatment on the back of the agent software, > you can solve this problem > > However, it would be

  1   2   3   4   5   6   7   8   9   10   >