Re: [squid-users] Squid 4.14 : no_suid: setuid(0): (1) Operation not permitted

2021-02-28 Thread David Touzeau
ml Many users say there is no impact on helpers and performance as it is just a warning... Did you confirm it? On 28/02/2021 at 01:58, Alex Rousskov wrote: On 2/27/21 7:22 PM, David Touzeau wrote: Hi, regularly I have this error: 2021/02/28 01:18:43 kid1| helperOpenSe

[squid-users] Squid 4.14 : no_suid: setuid(0): (1) Operation not permitted

2021-02-27 Thread David Touzeau
Hi, regularly I have this error: 2021/02/28 01:18:43 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes 2021/02/28 01:18:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted I have set the setuid permission chown root:squid security_file_certgen chmod

Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-14 Thread David Touzeau
/squid.pid' '--with-swapdir=/var/cache/squid' 'build_alias=x86_64-linux-gnu' On 14/01/2021 at 05:43, Amos Jeffries wrote: On 14/01/21 3:17 am, David Touzeau wrote: Hi This error is generated every 15 minutes when using any authenticator helper (ntlm, kerberos...) Is there a way to investigate

[squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-13 Thread David Touzeau
Hi This error is generated every 15 minutes when using any authenticator helper (ntlm, kerberos...) Is there a way to investigate this issue? kidxx| WARNING: no_suid: setuid(0): (1) Operation not permitted Sometimes, after rebooting the system, issue is fixed for an undetermined

Re: [squid-users] PCI Certification compliance lists

2021-01-04 Thread David Touzeau
Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon From: David Touzeau Sent: Monday, January 4, 2021 3:25 PM To: ngtech1...@gmail.com; squid-users@lists.squid-cache.org Subject: Re: [squid-users] PCI Certification compliance

Re: [squid-users] PCI Certification compliance lists

2021-01-04 Thread David Touzeau
Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon From: squid-users On Behalf Of David Touzeau Sent: Monday, January 4, 2021 10:23 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-user

Re: [squid-users] PCI Certification compliance lists

2021-01-04 Thread David Touzeau
Hi Eliezer, I can help you by giving a list but just by using "main domains": * Banking/transactions: 27 646 websites. * AV software and updates sites (fw, routers...): 133 295 websites I can give you the lists, they are incomplete and it should decrease squid performance by

[squid-users] squid 4/5 feature request send login informations to peers

2020-11-19 Thread David Touzeau
Thanks Amos You mean using "login=PASS" in peer settings and in Proxy parent B and C use the "basic_fake_auth" helper to "simulate" the requested auth? On 17/11/2020 at 11:43, Amos Jeffries wrote: On 17/11/20 9:27 pm, David Touzeau wrote: Hi, W

[squid-users] squid 4/5 feature request send login informations to peers

2020-11-17 Thread David Touzeau
Hi, We have a first Squid using Kerberos + Active Directory authentication. This first squid is used to limit access using ACLs and Active Directory groups. This first squid uses parents as peers in order to access the internet in this way: | > SQUID B

[squid-users] Squid4/5: Feature request identify access rules.

2020-11-07 Thread David Touzeau
When having several *_access http_access,reply_access... In a stressed environment, it is difficult to hunt an issue or a wrong rule. The debug mode is impossible because the proxy in production mode writes too many logs. But if we can identify the rule and add pointer to the log, it is

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-20 Thread David Touzeau
Thanks for the answer details How to be a sponsor ? ( cost ) of such feature Could you think it can be planned for 5.x ? I think it should be a "future" "standard" in the same way of DNS over SSL On 19/05/2020 at 16:46, Alex Rousskov wrote: On 18/05/20 10:15 am, David T

Re: [squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-19 Thread David Touzeau
TestFinger ssl_bump stare ssl_step2 all ssl_bump bump all But no luck, website still decrypted. On 13/05/2020 at 21:33, Alex Rousskov wrote: On 5/12/20 7:42 AM, David Touzeau wrote: ssl_bump peek ssl_step1 ssl_bump splice TestFinger ssl_bump stare ssl_step2 all ssl_bump bump all Seems TestFinger

[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread David Touzeau
Hi, we want to use squid as Secure Proxy using https_port. We have tested major browsers and it seems to work well. To make it work, we need to deploy the proxy certificate on all browsers to make the secure connection running. In this case, squid forward requests without

[squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-12 Thread David Touzeau
Hi, I'm trying to play with acl "server_cert_fingerprint" for splicing websites. First, get the fingerprint : openssl s_client -host www.clubic.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout # Build the acl acl TestFinger server_cert_fingerprint

[squid-users] TCP Fast open and squid4

2020-02-21 Thread David Touzeau
Hi, does Squid handle TCP Fast Open on modern kernels? Has anyone tried to implement this directive and noticed a performance improvement? Best regards.

Re: [squid-users] squid v4: logformat log the last denied ACL object

2019-04-18 Thread David Touzeau
On 15/04/2019 at 22:41, Alex Rousskov wrote: On 4/15/19 8:01 AM, David Touzeau wrote: Is it possible, sometimes to better understand a bunch of ACLs to log the last matches or a set of matched acls objects: 192.168.1.235 - - [15/Apr/2019:15:59:30 +0200] "GET http://www.msftncsi.com/ncs

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-16 Thread David Touzeau
On 02/04/2019 at 10:39, Amos Jeffries wrote: On 2/04/19 8:53 pm, L.P.H. van Belle wrote: I suggest start comparing the logs you posted, the builds are really different. Differences in - kernel - needed packages - build parameters due to missing or different packages. Etc. Just diff you

[squid-users] squid v4: logformat log the last denied ACL object

2019-04-15 Thread David Touzeau
Hi Is it possible, sometimes to better understand a bunch of ACLs to log the last matches or a set of matched acls objects: example 192.168.1.235 - - [15/Apr/2019:15:59:30 +0200] "GET http://www.msftncsi.com/ncsi.txt HTTP/1.1" 200 211 "-" "curl/7.52.1" TCP_MISS:HIER_DIRECT text/plain

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-02 Thread David Touzeau
On 02/04/2019 at 18:06, Alex Rousskov wrote: On 4/2/19 1:23 AM, David Touzeau wrote: On 01/04/2019 at 23:22, Alex Rousskov wrote: Do your Squids use shared memory for the memory cache? See memory_cache_shared (even if you do not set it explicitly). http://www.squid-cache.org/Doc/config

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-02 Thread David Touzeau
On 02/04/2019 at 07:43, L A Walsh wrote: On 4/1/2019 2:17 AM, David Touzeau wrote: We have recompiled same squid version on 2 systems https://github.com/dtouzeau/1.6.x/blob/Tempfiles/centos7-config.log?raw=true --- Result was CentOS 44

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-02 Thread David Touzeau
On 01/04/2019 at 23:22, Alex Rousskov wrote: On 4/1/19 3:17 AM, David Touzeau wrote: On 30.03.19 10:22, David Touzeau wrote: * Debian 9 net install + Squid compiled * CentOS 7 minimal + Squid compiled Same version, same compilation parameters, same Squid settings. It seems that Squid

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-01 Thread David Touzeau
On 01/04/2019 at 00:23, David Touzeau wrote: On 31/03/2019 at 05:50, Amos Jeffries wrote: On 31/03/19 3:41 am, David Touzeau wrote: On 30.03.19 10:22, David Touzeau wrote: Did you have perform squid stress on Debian against CentOS ? I have installed: * Debian 9 net install + Squid

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-03-31 Thread David Touzeau
On 31/03/2019 at 05:50, Amos Jeffries wrote: On 31/03/19 3:41 am, David Touzeau wrote: On 30.03.19 10:22, David Touzeau wrote: Did you have perform squid stress on Debian against CentOS ? I have installed: * Debian 9 net install + Squid compiled * CentOS 7 minimal + Squid compiled Same

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-03-30 Thread David Touzeau
On 30.03.19 10:22, David Touzeau wrote: Did you have perform squid stress on Debian against CentOS ? I have installed: * Debian 9 net install + Squid compiled * CentOS 7 minimal  + Squid compiled Same version, same compilation parameters, same Squid settings. It seems that Squid on CentOS

[squid-users] Why Squid on CentOS is faster than Debian ?

2019-03-30 Thread David Touzeau
Hi all, Did you have perform squid stress on Debian against CentOS ? I have installed: * Debian 9 net install + Squid compiled * CentOS 7 minimal  + Squid compiled Same version, same compilation parameters, same Squid settings. It seems that Squid on CentOS is 10 times faster than squid on

Re: [squid-users] squid 4.x: decided: do not cache but share because the entry has been released

2019-02-24 Thread David Touzeau
ers] squid 4.x: decided: do not cache but share because the entry has been released On 2/23/19 10:17 AM, Amos Jeffries wrote: > On 24/02/19 5:33 am, David Touzeau wrote: >> http.cc(982) haveParsedReplyHeaders: decided: do not cache but share >> because the entry has been released;

[squid-users] squid 4.x: decided: do not cache but share because the entry has been released

2019-02-23 Thread David Touzeau
Hi I'm trying to store in cache an Internet file Run the squid in debug mode says: http.cc(982) haveParsedReplyHeaders: decided: do not cache but share because the entry has been released; HTTP status 200 What does the "but share because the entry has been released" event mean?

Re: [squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents

2019-02-23 Thread David Touzeau
] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents On 23/02/19 2:45 am, David Touzeau wrote: > Hi, > > > > We would like to use this infrastructure: > > > > Squid-cache client authentication 1 > > >| > Squid Parent with

Re: [squid-users] Transparent vs Tproxy: performance ?

2018-09-02 Thread David Touzeau
an Tproxy... But you confirm that this is not relevant... Best regards, -Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Saturday, 1 September 2018 17:07 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Transparent vs Tproxy: performance ? On 1/09/18 9:33 PM, David To

[squid-users] Transparent vs Tproxy: performance ?

2018-09-01 Thread David Touzeau
Hi We have 2 ways to make the squid in "transparent mode". The standard Transparent method and (with modern kernels) the use of "Tproxy" method I would like to know which is the best according to the performance ? Or is it the same ? Best regards.

Re: [squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

2018-08-16 Thread David Touzeau
sers] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL On 16/08/18 11:58, David Touzeau wrote: > Hi, > > > > I have written my own url_rewrite helper > > > > On SSL sites, the helper answering a redirect to a remote denied php page. > No your helper *rew

[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

2018-08-15 Thread David Touzeau
Hi, I have written my own url_rewrite helper On SSL sites, the helper answering a redirect to a remote denied php page. With HTTP, no issue but on SSL there is a different behavior My helper return rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0

Re: [squid-users] Squid v4.1: commBind Cannot bind [::1] on SNMP with no ipv6

2018-07-15 Thread David Touzeau
11:40, David Touzeau wrote: > Hi > > > > Hi, > > > > Ipv6 is not enabled on this Debian 9 system. > Nod. That would be why is cannot open IPv6 sockets. Squid is designed to comply with RFC 6540 (aka BCP 177), and to assume the machine it is running on als

[squid-users] Squid v4.1: commBind Cannot bind [::1] on SNMP with no ipv6

2018-07-14 Thread David Touzeau
Hi Hi, Ipv6 is not enabled on this Debian 9 system. sysctl -a |grep ipv6|grep disable sysctl: reading key "net.ipv6.conf.all.stable_secret" sysctl: reading key "net.ipv6.conf.default.stable_secret" sysctl: reading key "net.ipv6.conf.eth0.stable_secret"

Re: [squid-users] v4.0.22 error:transaction-end-before-headers using transparent SSL method

2018-01-25 Thread David Touzeau
Thanks Amos for the tips. The error was a python helper that works on 3.5 but freezes on v4. Forward code to php fix the issue Thanks again !

Re: [squid-users] 3.5.27: Compilation failed CRYPTO_LOCK_X509 on Debian 9

2018-01-23 Thread David Touzeau
-Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Wednesday, 24 January 2018 01:21 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] 3.5.27: Compilation failed CRYPTO_LOCK_X509 on Debian 9 Squid-3 on

[squid-users] 3.5.27: Compilation failed CRYPTO_LOCK_X509 on Debian 9

2018-01-23 Thread David Touzeau
Hi all Has anyone encountered and fixed this issue : Make failed with the following error : /bin/bash ../../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -isystem /usr/include/mit-krb5

Re: [squid-users] v4.0.22 error:transaction-end-before-headers using transparent SSL method

2018-01-23 Thread David Touzeau
Notice, it appears on both http/https ports Transparent Ports are freezing each 10 minutes. I mention that in normal port there is no issue, the issue can be generated only on transparent mode. From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of David

Re: [squid-users] v4.0.22 error:transaction-end-before-headers using transparent SSL method

2018-01-22 Thread David Touzeau
Notice, it appears on both http/https ports, not only SSL From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of David Touzeau Sent: Monday, 22 January 2018 23:39 To: squid-users@lists.squid-cache.org Subject: [squid-users] v4.0.22 error:transaction-end-before

[squid-users] v4.0.22 error:transaction-end-before-headers using transparent SSL method

2018-01-22 Thread David Touzeau
Hi I'm using Squid Cache: Version 4.0.22 in transparent method After several times the SSL port going into "freeze mode" and write in logs 1516660011.849 00 192.168.1.214 NONE/000 0 NONE error:transaction-end-before-headers - Doing a squid -k reconfigure release all freeze

Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2017-04-28 Thread David Touzeau
you do not need to add any intermediate certificates to system storage - > site seems to be sending the whole chain as it should... > > BUT the overall site SSL rating is so bad.. > > Raf > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.sq

Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2017-04-28 Thread David Touzeau
Voinov [mailto:yvoi...@gmail.com] Sent: Thursday, 27 April 2017 23:26 To: David Touzeau <da...@articatech.com>; squid-users@lists.squid-cache.org Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Be careful with intermediate CA's you grabbed.

Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2017-04-27 Thread David Touzeau
: Thursday, 27 April 2017 22:52 To: David Touzeau <da...@articatech.com>; squid-users@lists.squid-cache.org Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Squid can't have any intermediate certificates. As by as root CA's. You can u

Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2017-04-27 Thread David Touzeau
@lists.squid-cache.org Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Look. It can be intermediate certificates issue. Does Squid have Symantec intermediate certificates? 27.04.2017 22:47, David Touzeau wrote: > Hi, > I'm unable to access to

[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2017-04-27 Thread David Touzeau
Hi, I'm unable to access to https://www.boutique.afnor.org website. I would like to know if this issue cannot be fixed and must deny bump website to fix it. Without Squid the website is correctly displayed Squid claim an error page with "(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)"

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-24 Thread David Touzeau
-Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of David Touzeau Sent: Tuesday, 24 January 2017 11:42 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-24 Thread David Touzeau
This is a different log trace from David's. Here Squid is setting up a TUNNEL to the clients original dst-IP, successfully. Any TLS funky stuff going on for this transaction is done directly between server and client. Squid's only involvement is to peek at the Hello messages and record them for

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread David Touzeau
/2017 12:28 p.m., David Touzeau wrote: > Same issue with https://www.digitalocean.com/ is somebody did not > encounter the issue using Squid in transparent mode with SSL ?? > The TLS / HTTPS environment is in the process of stabilizing, but still quite volatile. Since the error mes

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread David Touzeau
Same issue with https://www.digitalocean.com/ is somebody did not encounter the issue using Squid in transparent mode with SSL ?? -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of David Touzeau Sent: Sunday, 22 January 2017 19:49

[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-22 Thread David Touzeau
Hi I'm using SSL transparent method : https_port 0.0.0.0:53695 intercept disable-pmtu-discovery=transparent name=MyPortNameID22 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn sslproxy_foreign_intermediate_certs

Re: [squid-users] 3.5.23: Retreive pairs in note acl

2017-01-14 Thread David Touzeau
> I have created an external helper that return OK a=note1 > > What is the correct line to retrieve the correct note ? acl annotatedWithANote1 note a note1 http_access deny annotatedWithANote1 Alex. > acl aclname note [-m[=delimiters]] name [value ...] > # match transaction

[squid-users] 3.5.23: Retreive pairs in note acl

2017-01-14 Thread David Touzeau
Hi I have created an external helper that return OK a=note1 By adding tags in logs I see correctly that squid writes in log, "a:%20note1" But I cannot match this note in acls both test1 and test2 test3 not matches the added tag Acl test1 note a:note1 Acl test2 note a=note1 Acl test3

Re: [squid-users] [3.5x]: identd lookup made before proxy_protocol checking and failed [help]

2017-01-06 Thread David Touzeau
[help] On 2017-01-06 22:12, David Touzeau wrote: > Added in bugtrack > > http://bugs.squid-cache.org/show_bug.cgi?id=4657 > > > -Original Message- > From: David Touzeau > > Hi, > > We need to use ident daemon in order to authenticate users. > > Squid

[squid-users] [3.5x]: identd lookup made before proxy_protocol checking and failed [help]

2017-01-05 Thread David Touzeau
Hi, We need to use ident daemon in order to authenticate users. Squid works fine when computers are directly connected to the proxy. We have added HaProxy Load-balancer using *proxy_protocol* between users and 2 Squid proxies With the load balancer, squid wants to query identd port

Re: [squid-users] Squid freeze each hour.

2016-12-20 Thread David Touzeau
:42, David Touzeau wrote: > Is there any way to disabling Cache digest without need to recompile > squid ? Hi, Use "digest_generation off". http://www.squid-cache.org/Doc/config/digest_generation/ Garri

Re: [squid-users] Squid freeze each hour.

2016-12-20 Thread David Touzeau
Hi Alex, Is there any way to disabling Cache digest without need to recompile squid ? -Original Message- From: Alex Rousskov [mailto:rouss...@measurement-factory.com] Sent: Tuesday, 20 December 2016 17:21 To: squid-users@lists.squid-cache.org Cc: David Touzeau <da...@articatech.

Re: [squid-users] Squid freeze each hour.

2016-12-20 Thread David Touzeau
SH_EXPIRES 2016/12/20 15:27:41.533 kid1| 71,6| store_digest.cc(288) storeDigestAdd: storeDigestAdd: added entry, key: A1F5E4243AA2BD14C147D180CBD5022F -Original Message- From: Eliezer Croitoru [mailto:elie...@ngtech.co.il] Sent: Tuesday, 20 December 2016 14:30 To: 'David Touzeau' <d

Re: [squid-users] Squid freeze each hour.

2016-12-20 Thread David Touzeau
using ssl-bump? --> No Are you using it with multiple cores? --> Only one core Can you attach the squid.conf( removing the confidential details) to this email? -Original Message- From: Eliezer Croitoru [mailto:elie...@ngtech.co.il] Sent: Tuesday, 20 December 2016 14:30 To: 'David

[squid-users] Squid freeze each hour.

2016-12-20 Thread David Touzeau
Hi I'm using the 3.5.23, each hour, the proxy port did not respond for 3 to 10 minutes. During the freeze have made a -k debug to see whats happening. Here a piece of log of the log during the freeze: Is there something relevant ?: 2016/12/20 12:09:09.072 kid1| 71,6| store_digest.cc(226)

Re: [squid-users] cache_peer and PROXY protocol

2016-12-20 Thread David Touzeau
ponsor on it... >> -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Monday, 19 December 2016 13:20 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] cache_peer and PROXY protocol On 20/12/2016 12:44 a.m., David T

[squid-users] cache_peer and PROXY protocol

2016-12-19 Thread David Touzeau
Hi Squid accept "Proxy protocol" in http_port, is there a chance to see "PROXY Protocol" supported in cache_peer if you need to link 2 squid ? Best regards.

Re: [squid-users] clt_conn_tag and url_rewrite_program

2016-11-16 Thread David Touzeau
On 17/11/2016 1:50 a.m., David Touzeau wrote: > > > Hi, > > I have my own redirector and i want to play with the clt_conn_tag but > i encounter some issues ( perhaps for misunderstanding ) > > url_rewrite_program /usr/share/artica-postfix/filter.py > url_rewrite_c

[squid-users] clt_conn_tag and url_rewrite_program

2016-11-16 Thread David Touzeau
Hi, I have my own redirector and i want to play with the clt_conn_tag but i encounter some issues ( perhaps for misunderstanding ) url_rewrite_program /usr/share/artica-postfix/filter.py url_rewrite_children 10 startup=1 idle=1 concurrency=4 url_rewrite_extras "%>a/%>A %un %>rm myip=%la

Re: [squid-users] ACL is used in context without an HTTP response. Assuming mismatch

2016-05-13 Thread David Touzeau
-cache.org Subject: Re: [squid-users] ACL is used in context without an HTTP response. Assuming mismatch On 13/05/2016 7:06 p.m., David Touzeau wrote: > Thanks Alex > > Any ACLs tips to avoid these warning ? or just assume it's normal in this > situation... ? > Yes and n

Re: [squid-users] ACL is used in context without an HTTP response. Assuming mismatch

2016-05-13 Thread David Touzeau
Thanks Alex Any ACLs tips to avoid these warning ? or just assume it's normal in this situation... ? -Original Message- From: Alex Rousskov [mailto:rouss...@measurement-factory.com] Sent: Friday, 13 May 2016 00:40 To: squid-users@lists.squid-cache.org Cc: David Touzeau <

[squid-users] ACL is used in context without an HTTP response. Assuming mismatch

2016-05-12 Thread David Touzeau
Hi I did not want squid to log it's TCP_DENIED/407 when sending authentication to browsers I think this acl should work acl CODE_TCP_DENIED http_status 407 access_log none CODE_TCP_DENIED But squid claim : 2016/05/12 23:44:07 kid1| WARNING: CODE_TCP_DENIED ACL is used in

Re: [squid-users] High CPU usage

2016-04-15 Thread David Touzeau
We have the same issue when upgrading to 3.5.16 3.5.16 -> squid take 100% CPU Back to 3.5.13 -> 12% CPU -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Friday, 15 April 2016 13:23 To:

[squid-users] [Squid 3.5.10] - Unable to cache objects from Cloudflare

2015-11-19 Thread David Touzeau
Hi It seems that squid is not able to save in cache objects from CloudFlare websites. Here it is the header information: Connecting to 127.0.0.1:8182... connected. Proxy request sent, awaiting response... HTTP/1.1 200 OK Date: Thu, 19 Nov 2015 18:03:31 GMT Content-Type: image/png

Re: [squid-users] 4.0.2: ALE missing URL

2015-11-07 Thread David Touzeau
Hi Alex, I'm using extra token %>ha{X-Forwarded-For} in helper configuration Is it help ? On 07/11/2015 at 01:15, Alex Rousskov wrote: On 11/06/2015 04:36 PM, David Touzeau wrote: Hi I'm testing the new 4.0.2 version.. Now i'm receive many errors like this in cache.log Whats wrong ? 2

Re: [squid-users] 4.0.2: ALE missing URL

2015-11-07 Thread David Touzeau
On 07/11/2015 at 15:07, Amos Jeffries wrote: On 7/11/2015 11:55 p.m., David Touzeau wrote: Hi Alex, I'm using extra token %>ha{X-Forwarded-For} in helper configuration Is it help ? Where you are using that ACL is also needed. Amos

[squid-users] 4.0.2: ALE missing URL

2015-11-06 Thread David Touzeau
Hi I'm testing the new 4.0.2 version.. Now i'm receive many errors like this in cache.log Whats wrong ? 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing

Re: [squid-users] [Squid 4.x]: Truncated accounts when there is spaces in usernames

2015-10-25 Thread David Touzeau
On 25/10/2015 at 09:01, Amos Jeffries wrote: On 25/10/2015 5:47 a.m., David Touzeau wrote: auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 20 startup=5 idle=3 auth_param ntlm keep_alive on authenticate_ttl 14400

[squid-users] [Squid 4.x]: Truncated accounts when there is spaces in usernames

2015-10-23 Thread David Touzeau
Hi all. I'm testing squid 4.x with Active Directory connection. When there are spaces in logged accounts eg : "Jhon Rambo" squid use only the last string in logon user "Rambo". This corrupted account is used in all ACLS and events too and all acls matches Rambo and not "Jhon Rambo" This

[squid-users] [feature request]: Transparent FTP Proxy

2015-10-03 Thread David Touzeau
Hi Since the 3.5.x branch allows FTP gateway, is there any plan to support transparent FTP proxy ? Best regards

[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2015-10-01 Thread David Touzeau
Dear I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode with SSL hooked In my config, i did not bump any site ( just to pass SSL protocol to squid in transparent mode) I'm trying to connect to https://raj2796.wordpress.com In cache.log 2015/10/02 00:07:05 kid1|

[squid-users] [3.5.7]: NTLM/Kerberos Account contains space

2015-08-11 Thread David Touzeau
Hi, Windows Active Directory server ( such as LDAP too) allow to create account using space : Jhon MacDoo When using NTLM/Kerberos and when logged with an account contains space, Only the first part of the account is displayed and sent to helpers If an user is called Jhon[space]MacDoo then

Re: [squid-users] 3.5.6: need help: FATAL: No valid signing SSL certificate but openssl verify is OK

2015-07-27 Thread David Touzeau
Thanks Amos, i have removed the generate-host-certificates http_port 0.0.0.0:3128 ssl-bump dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/chain.pem But Squid still not want load the couple of Ca and certificate. 2015/07/27 10:16:30| Using certificate in

[squid-users] 3.5.6: need help: FATAL: No valid signing SSL certificate but openssl verify is OK

2015-07-26 Thread David Touzeau
Dear My certificate and my own Root CA's that are already installed on all computers and need to use it in Squid. using The Certificate : -- openssl x509 -subject -issuer -enddate -noout -in

Re: [squid-users] AUFS vs. DISKS

2015-07-15 Thread David Touzeau
Your are right fred, It is is a difficult deal for us too... aufs - good speed but more troubles ( assertion failed, empty(), HTTP reply without date unstable rock system ) and must deal with squid crashes ( watchdog) diskd - more stable but slower... Le 15/07/2015 12:46, FredB a

Re: [squid-users] [3.5.6]: assertion failed: store.cc:850: store_status == STORE_PENDING

2015-07-14 Thread David Touzeau
Jeffries wrote: On 15/07/2015 6:02 a.m., David Touzeau wrote: I understand the relationship with connection closures but: When store_status == STORE_PENDING appears, the proxy is crashing and nobody can surf. We have tried without define caches in squid but issue still occurs. I'm agree

Re: [squid-users] [3.5.6]: assertion failed: store.cc:850: store_status == STORE_PENDING

2015-07-14 Thread David Touzeau
ans we must restart squid. On 14/07/2015 at 09:55, Amos Jeffries wrote: On 14/07/2015 12:09 p.m., David Touzeau wrote: Hi all We receive this error in cache.log assertion failed: store.cc:850: store_status == STORE_PENDING Means the store code has some data in-transit for the client

[squid-users] [3.5.6]: assertion failed: store.cc:850: store_status == STORE_PENDING

2015-07-13 Thread David Touzeau
Hi all We receive this error in cache.log assertion failed: store.cc:850: store_status == STORE_PENDING Just after browser sends ERR_PROXY_CONNECTION_FAILED What does it means ? Best regards

[squid-users] TAG_NONE/xxxx

2015-07-11 Thread David Touzeau
Hi all We using Squid 3.5.6 in transparent mode with SSL With the following settings: acl ssl_step1 at_step SslBump1 acl ssl_step2 at_step SslBump2 acl ssl_step3 at_step SslBump3 ssl_bump peek ssl_step1 ssl_bump splice all We have many entries TAG_NONE/ in access.log when accessing to

Re: [squid-users] TAG_NONE/xxxx

2015-07-11 Thread David Touzeau
wrote: On 11/07/2015 9:23 p.m., David Touzeau wrote: Hi all We using Squid 3.5.6 in transparent mode with SSL With the following settings: acl ssl_step1 at_step SslBump1 acl ssl_step2 at_step SslBump2 acl ssl_step3 at_step SslBump3 ssl_bump peek ssl_step1 ssl_bump splice all We have many

Re: [squid-users] Issue with Citrix sessions and squid

2015-07-10 Thread David Touzeau
Many thanks Amos With your suggests, we have found that the issue is generated by Palo Alto Client for Citrix https://live.paloaltonetworks.com/docs/DOC-1321 And not from SQUID... On 08/07/2015 at 23:26, Amos Jeffries wrote: On 9/07/2015 7:01 a.m., David Touzeau wrote: Thanks Yuri, Any

Re: [squid-users] Issue with Citrix sessions and squid

2015-07-09 Thread David Touzeau
., David Touzeau wrote: Thanks Yuri, Any tips how to increase TCP/IP stack ? Did you mean TCP/IP stack on the Citrix Server side or on the squid box or both ? I'm thinking its a problem related to TCP sockets. A rough estimate calculation of: 10 users x10 tabs x20 avg domains per page x 2

Re: [squid-users] Squid and ufdbGuard, display blocked URL on client browser address bar

2015-07-09 Thread David Touzeau
Hi ikna This can be done, but you need to forget the ufdbgclient and create yourself a new one that is able to connect to the ufdbguard server in order to get ufdbguard results. In this case, you have with your code to replace the OK status=302 url= sent by ufdbguard server by OK

[squid-users] Issue with Citrix sessions and squid

2015-07-08 Thread David Touzeau
Dear I would like to share a strange behavior. We have servers that store Citrix applications. Each Citrix server runs about 10 users/sessions. Each session executes browsers connected to squid 3.5.6 or 3.3.13. After opening 10 tabs, browsers generate errors about Connections broken or

Re: [squid-users] Issue with Citrix sessions and squid

2015-07-08 Thread David Touzeau
Squid* can surf through Internet and open unlimited tabs without any issue. On 08/07/2015 20:48, Yuri Voinov wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Looks like TCP/IP stack level issue. 09.07.15 0:26, David Touzeau wrote: Dear I would like to share a strange behavior. We

Re: [squid-users] [3.5.5]: BUG 3279: HTTP reply without Date

2015-07-06 Thread David Touzeau
Thanks Amos, I will test it!! On 06/07/2015 19:09, Amos Jeffries wrote: On 7/07/2015 4:49 a.m., David Touzeau wrote: Dear I'm using 3.5.5-20150528-r13841 After this error, the kid crashes. How can I fix this issue ? Please try 3.5.6. If the problem persists you will need to run Squid under

[squid-users] [3.5.5]: BUG 3279: HTTP reply without Date

2015-07-06 Thread David Touzeau
Dear I'm using 3.5.5-20150528-r13841 After this error, the kid crashes. How can I fix this issue ? 2015/06/12 08:37:22 kid1| BUG 3279: HTTP reply without Date: 2015/06/12 08:37:22 kid1| StoreEntry-key: 9A3B8E1EFB517CD386A1CBF13E477C5B 2015/06/12 08:37:22 kid1| StoreEntry-next: 0 2015/06/12 08:37:22

[squid-users] Tips to reduce cache

2015-06-16 Thread David Touzeau
Hi all, I need to force squid to cache some websites only for one hour (no more). Is the refresh_pattern directive able to answer this need ? What is the best refresh_pattern value to force a website to be cached only for one hour ? best regards

Re: [squid-users] BUG 3279: HTTP reply without Date:

2015-06-15 Thread David Touzeau
We encounter the same issue with Squid 3.5.5 using diskd limit crashes but access to web pages is frozen through squid On 12/04/2015 16:55, Monah Baki wrote: Hi all, Compiled squid 3.5.2 on CentOS 6.6 as follows: $ ./configure --prefix=/home/cache --enable-follow-x-forwarded-for

[squid-users] Need tips in order to force youtube in HTTP only

2015-02-22 Thread David Touzeau
Hi the best... We are using Youtube For School by adding Headers in HTTP protocol Since Youtube forces everybody to use SSL, using Youtube For School through squid is not possible. Sure using ssl-bump can do the trick but dealing with certificates on students computers is very difficult. Did

Re: [squid-users] squid 3.5x: Active Directory accounts with space issue

2014-12-01 Thread David Touzeau
On 30/11/2014 09:08, Amos Jeffries wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 30/11/2014 12:52 a.m., David Touzeau wrote: On 26/11/2014 11:27, Amos Jeffries wrote: On 24/11/2014 12:01 a.m., David Touzeau wrote: Hi We have connected 3.5.0.2-20141121-r13666 with Active

Re: [squid-users] squid 3.5x: Active Directory accounts with space issue

2014-11-30 Thread David Touzeau
On 26/11/2014 11:27, Amos Jeffries wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 24/11/2014 12:01 a.m., David Touzeau wrote: Hi We have connected 3.5.0.2-20141121-r13666 with Active Directory. It seems where there are spaces in login account squid use only the last argument

[squid-users] squid 3.5x: Active Directory accounts with space issue

2014-11-23 Thread David Touzeau
Hi We have connected 3.5.0.2-20141121-r13666 with Active Directory. It seems where there are spaces in login account squid use only the last argument. For example for an account Jhon smith squid use smith only For example for an account Dr Jhon smith squid use smith only In 3.3.13 there is

Re: [squid-users] High CPU-Usage with squid 3.4.9 (and/or 3.4.4)

2014-11-12 Thread David Touzeau
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/10/2014 07:41 PM, Marcus Kool wrote: Indeed but setting debug_options to ALL,9 does not work since the log file already is too big and unmanageable even before Squid begins to do thing that consumes CPU time. I have suggested a full one

[squid-users] Assertion failed: forward.cc:784: peer-use_ssl when using an Squid parent.

2014-04-03 Thread David Touzeau
Hi all I have this kind of network: 1) A Squid client 3.3.12 with ssl-bump enabled transparent method. 2) A Squid Proxy 3.3.12 acts as parent that listens on 8080 but not in transparent mode. It is just designed to retrieve content directly from Internet. Browser – SSL – Squid client +

[squid-users] 00:00:00:00:00:00 %eui and squid 3.4x

2014-04-03 Thread David Touzeau
Dear all I’m fighting with the squid 3.4x branch. Since this branch was born the %eui does not work any more. I’m testing all Squid 3.4x builds and Squid is not able to detect MAC Addresses and writes in logs 00:00:00:00:00:00 The latest squid 3.3.1x works like a charm on MAC addresses and
