[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread David Touzeau
Hi, we want to use squid as * * * Secure Proxy * * * using https_port. We have tested major browsers and it seems to be working well. To make it work, we need to deploy the proxy certificate on all browsers to make the secure connection run. In this case, squid forward requests without

[squid-users] Squid with connmark

2020-05-19 Thread Turnbull, John
What is the best way to intercept marked packets with squid, and for squid to be aware of the mark and create an ACL on the mark? I have tried setting the mark and then DNAT and redirect to the intercept port, and when printing the nmark I am getting 0. Is it required to use tproxy with tproxy-mark?

[squid-users] Dumping sslbump'd decrypted http using icap protocol

2020-05-19 Thread Scott

Re: [squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-19 Thread David Touzeau
Thanks alex, made this one on squid 4.10

acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3

Re: [squid-users] Client IP PTR lookup on connect

2020-05-19 Thread Amos Jeffries
On 14/05/20 1:44 am, Michal Bruncko wrote:
> Hello guys
>
> following the original thread "[squid-users] Squid 4.9 Client IP PTR
> lookup on connect"
>
> I am observing exactly same behaviour on
> squid-4.4-8.module_el8.1.0+197+0c39cdc8.x86_64 on CentOS 8.

Certainly 4.4 is older than 4.9.

> At

Re: [squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-19 Thread Amos Jeffries
On 15/05/20 7:28 pm, David Touzeau wrote:
>
> Thanks alex, made this one on squid 4.10
>
>
> acl TestFinger server_cert_fingerprint
> 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9

Is that a SHA1 fingerprint or a newer algorithm? AFAIK only SHA1 is supported by Squid currently.

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Amos Jeffries
On 18/05/20 10:15 am, David Touzeau wrote:
>
>
> Hi we want to use squid as * * * Secure Proxy * * * using https_port
> We have tested major browsers and it seems working good.
>
> To make it work, we need to deploy the proxy certificate on all browsers
> to make the secure connection

Re: [squid-users] "intercepted port does not match 443"

2020-05-19 Thread Amos Jeffries
On 12/05/20 1:01 am, Matus UHLAR - fantomas wrote:
> Hello,
>
> we have intercepting squid on one router and these messages started appear
> sometimes:
>
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33

Re: [squid-users] Client IP PTR lookup on connect

2020-05-19 Thread Michal Bruncko
Hi Amos

thank you for very valuable response. I can confirm that amending default url_rewrite_extras value did the trick!

thanks
michal

On 5/17/2020 12:36 PM, Amos Jeffries wrote: On 14/05/20 1:44 am, Michal Bruncko wrote: Hello guys following the original thread "[squid-users] Squid 4.9

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Matus UHLAR - fantomas
On 18/05/20 10:15 am, David Touzeau wrote: Hi we want to use squid as * * * Secure Proxy * * * using https_port We have tested major browsers and it seems working good. To make it work, we need to deploy the proxy certificate on all browsers to make the secure connection running. In this case,

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Alex Rousskov
>> On 18/05/20 10:15 am, David Touzeau wrote:
>>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>>> We have tested major browsers and it seems working good.
>>>
>>> To make it work, we need to deploy the proxy certificate on all browsers
>>> to make the secure connection

Re: [squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

2020-05-19 Thread Alex Rousskov
On 5/15/20 3:28 AM, David Touzeau wrote:
> acl TestFinger server_cert_fingerprint
> 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
> ssl_bump peek ssl_step2
> ssl_bump splice ssl_step3 TestFinger
> ssl_bump stare ssl_step2 all
> ssl_bump bump all

> But no luck, website still

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Alex Rousskov
On 5/19/20 7:15 AM, Amos Jeffries wrote:
> On 18/05/20 10:15 am, David Touzeau wrote:
>>
>>
>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>> We have tested major browsers and it seems working good.
>>
>> To make it work, we need to deploy the proxy certificate on all

[squid-users] Sending CONNECT method requests over HTTPS

2020-05-19 Thread Ronan Lucio
Hi all, I read a similar thread a couple of weeks ago, but my scenario has some differences. Anyway, my need is sending CONNECT method requests over HTTPS as well. I've read the docs and just would like to confirm with you if I got it right:

1) To send CONNECT method requests over HTTPS I'm

Re: [squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Following: https://wiki.squid-cache.org/Features/QualityOfService

Based on it we need a kernel patch for TOS, but I don't need TOS, I just need Layer 3 DSP, Linux mark rule based.

Thanks

> On May 20, 2020, at 1:19 AM, Ahmad

[squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Hello Folks, I'm trying to mark outgoing squid request based on Mark linux matching. I added to squid conf:

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark d7. I'm testing marking with