Re: [squid-users] big files caching-only proxy

2015-10-22 Thread Leonardo Rodrigues
On 22/10/15 06:08, Amos Jeffries wrote: On 22/10/2015 7:13 a.m., Leonardo Rodrigues wrote: It sounds to me that you are not so much wanting to cache only big things, you are wanting to cache only certain sites which contain mostly big things. The best way to configure that is with the cache

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Sebastian Kirschner
Hi, I have a question regarding the SSL Server Certificate Validator. In the Wiki is written: "The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results." What checks does the internal validation include ? Couldn't find any

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:31 a.m., luizcasey wrote: > > > Hello, So what I am trying to accomplish here is to basically have a > whitelist of domains that is allowed via http/https. What you have actually configured is a whitelist with MUCH narrower criteria than that. > If the UID is > squid,apache,

Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:52 a.m., Sebastien.Boulianne wrote: > Hi again, > > I would like to change the Squid's logo that appears on an access denied page... > I replace the picture /usr/share/squid/icons/SN.png but it didn't work. > > What did I miss ? The other config files that sit next to squid.conf.

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Amos Jeffries
On 22/10/2015 8:21 a.m., Keith White wrote: > > I have squid running on Centos 7 and am trying to setup AD > authentication. I have samba/winbindd installed and the system was added > to the domain with authconfig. I have tested authentication with > auth_ntlm and that works. I have also tested

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Jason Haar
On 23/10/15 07:47, SaRaVanAn wrote: > There is always a ~2 second delay between the request coming to our > system and going out of Squid. Suppose if a page has lot of embedded > URL's it's taking more time with squid in place. Suppose If I disable > squid the page loads very fast in client

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Keith White
Added the debug options and grabbed the following after the 407 message was returned to the client. Is there anything specific I should be looking for? Thanks, Keith 2015/10/22 12:24:50.573 kid1| Starting new ntlmauthenticator helpers... 2015/10/22 12:24:50.574 kid1| 28,4| Acl.cc(70)

[squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
Hi, we have been using squid 3.1.20 comes with debian wheezy 7. We could see there is a performance hit in http traffic when we use Squid. For each HTTP GET request coming from client to proxy server, Squid takes nearly 2 seconds to generate HTTP GET in order to establish a connection with

Re: [squid-users] Is Websocket support planned?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 12:01 a.m., Christophe Donatsch wrote: > Dear squid-users, > > Our infrastructure rely on squid as a reverse-proxy to serve most of our web > applications. Our tests show that squid won't correctly handle an HTTP > request > to initiate a WebSocket connection. We'd like to know

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 23/10/2015 12:02 a.m., Sebastian Kirschner wrote: > Hi Amos, > > thanks for your reply. > > Maybe we got a misunderstanding or I have a "false" opinion of the sentence > I quoted before. > > I thought you could say to me what for checks would definitely performed in > "standard"

Re: [squid-users] squid-users Digest, Vol 14, Issue 73

2015-10-22 Thread Sebastian Kirschner
Hi Amos, thanks for your reply. Maybe we got a misunderstanding or I have a "false" opinion of the sentence I quoted before. I thought you could say to me what for checks would definitely performed in "standard" installation with openssl, not only that you believe that the X.509

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-22 Thread Yuri Voinov
22.10.15 15:58, Amos Jeffries wrote: On 21/10/2015 4:53 p.m., Dan Charlesworth wrote: I’m getting these very frequently for api.github.com and github.com I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they only return the one IP when I do an nslookup as well … Any

Re: [squid-users] nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:58 p.m., Athos Fiolo wrote: > Hi, I'm facing a problem with the digest auth server responses. > > Client requests a page, server responds with 407 + nonce, client gets the > page correctly. The garbage interval is only about how often Squid attempts to discard already obsolete

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Eliezer Croitoru
What version of squid are you using now? Squid 3.1.20 is very old and it is recommended to use newer versions. If you are having specific troubles I think you figure out the issues pretty fast. What hardware are you using for your squid? is it a VM? RAM? CPU? Disk? How many clients? Have you used

[squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Job
Hello, sometimes, for about half an hour, tour Squid becomes unstable and, by typing "top -s", Squid is taking the 100% of the CPU. In Squid's access.log, i see lots of entry like this:

[squid-users] How to inspect client certificate in ssl_bump

2015-10-22 Thread Leon
Hi, I'm using Squid 3.5. What I'm going to do is setting up a forward proxy that inspect TLS handshake between client and server then allow the connection only when following two requirements are met: 1. The server address must be in our whitelist, and the server must provide a correct

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
I am using Squid version 3.1.20 running on Intel I7 processor with 16GB RAM. Even on connecting a single client I could able to reproduce this problem. 2015/10/22 20:34:23.146| ipcache_nbgethostbyname: Name 'mail.com'. DNS start time 2015/10/22 20:34:23.146|

Re: [squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Eliezer Croitoru
The simplest way is to use fail2ban. What OS are you using? it is possible an attack but it's not 100%. What you can do is to also disable access using the proxy to this destination IP and address. 100% CPU in many cases is not something odd but you can try fail2ban with a special rule to block

Re: [squid-users] NTLM Authentication Failing

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:33 a.m., Alex Samad wrote: > Would it be fair to say best practice is to get Kerberos working in favour > of ntlm ? Best Practice is not to have NTLM at all. In the same way that it's best practice not to use 8-bit (1 letter) passwords. NTLM was formally deprecated in 2006 by

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-22 Thread Amos Jeffries
On 21/10/2015 4:53 p.m., Dan Charlesworth wrote: > I’m getting these very frequently for api.github.com and github.com > > I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they > only return the one IP when I do an nslookup as well … > > Any updates from your end, Roel?

[squid-users] squid rock storage error

2015-10-22 Thread Mohammad Shakir
We are using CentOS release 6.6 (Final) 64bit. Squid Cache: Version 3.5.10 Service Name: squid configure options: '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid' '--includedir=/usr/include'

Re: [squid-users] Remote Desktop Gateway thru Squid.

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:43 a.m., Sebastien.Boulianne wrote: > Hi all, > > Im looking to use my Remote Desktop Gateway with my Squid. > I tried this config but it didnt work. > > ### SITE > cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl > sslflags=DONT_VERIFY_PEER name=site > acl

Re: [squid-users] deny rep_mime_type

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:00 a.m., HackXBack wrote: > sorry not deny but make it miss and not hit > with > store_miss > send_hit > Then you are wanting the same as what kinkie provided, but with store_miss instead of http_reply_access. You know it really helps if you read the documentation. Which is

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote: > Hi, > > I have a question regarding the SSL Server Certificate Validator. > > In the Wiki is written: > "The helper will be optionally consulted after an internal OpenSSL validation > we do now, regardless of that validation results." > >

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Yuri Voinov
BTW - you omit many important settings from squid.conf.default. Your configuration is so dangerous. 22.10.15 20:01, luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not

Re: [squid-users] nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 3:08 a.m., Athos Fiolo wrote: > Hi Amos. > >> Please check if a helper lookup is being performed on each request as well >> as new nonce generated. > > I guess you are right, but I don't know how to solve it. > cache.log doesn’t show restarts for the helper, even if only 1/5

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Amos Jeffries
On 23/10/2015 3:01 a.m., luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not start. I have also added some questions to each for > verification purposes to make sure I am understanding what is actually going > on. > >

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
I tried by disabling internal dns in squid. Still i am seeing the same problem. What else can be looked at ? Its really makes user experience bad if he tries URL for the first time. Regards, Saravanan N On Thu, Oct 22, 2015 at 7:34 PM, SaRaVanAn wrote: > I

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Amos Jeffries
On 23/10/2015 8:33 a.m., Keith White wrote: > Added the debug options and grabbed the following after the 407 message was > returned to the client. Is there anything specific I should be looking for? > > Thanks, > > Keith > > > 2015/10/22 12:24:50.573 kid1| Starting new ntlmauthenticator

Re: [squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Amos Jeffries
On 23/10/2015 10:43 a.m., Job wrote: > Hello, > > sometimes, for about half an hour, tour Squid becomes unstable and, by typing > "top -s", Squid is taking the 100% of the CPU. > > In Squid's access.log, i see lots of entry like this: > >

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Amos Jeffries
On 23/10/2015 4:21 p.m., SaRaVanAn wrote: > I tried by disabling internal dns in squid. Still i am seeing the same > problem. > What else can be looked at ? Its really makes user experience bad if he > tries URL for the first time. Internal DNS in Squid has very little to do with this. The DNS

[squid-users] range_offset_limit with SSL connection

2015-10-22 Thread HackXBack
did any one try range_offset_limit with https url's ? squid crash and restart with assertion error ... same as ... http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-quot-fd-table-conn-gt-fd-halfClosedReader-NULL-quot-tt4670979.html

[squid-users] R: nonce_garbage_interval problem?

2015-10-22 Thread Athos Fiolo
Hi Amos. Thanks for your reply. Squid Cache: Version 3.4.8 On: Linux version 3.16.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) Maybe a known and solved bug? Athos Fiolo Software Engineer afi...@came.com CAME

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread luizcasey
Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on. https_port 4827 intercept ssl-bump generate-host-certificates=on

Re: [squid-users] deny rep_mime_type

2015-10-22 Thread HackXBack
acl yt-loop dstdomain .googlevideo.com acl type-yt rep_mime_type text/plain store_miss deny yt-loop type-yt send_hit deny yt-loop type-yt

Re: [squid-users] R: nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 1:43 a.m., Athos Fiolo wrote: > Hi Amos. > Thanks for your reply. > > Squid Cache: Version 3.4.8 > > On: > Linux version 3.16.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version > 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) > > Maybe a known and

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Keith White
I was able to confirm that ntlm_auth worked for the squid user. We currently use BlueCoat proxies so IE is definitely configured to use integrated authentication. No cache_effective* in the config. I will enable debugging and see what is happening as well as enable Kerberos. Thanks, Keith

Re: [squid-users] big files caching-only proxy

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:13 a.m., Leonardo Rodrigues wrote: > > Hi, > > I have a running setup for proxying only 'big' files, like Windows > Update, Apple Updates and some other very specific URLs. That's working > just fine, no problem on that. > > For avoiding caching small things on the