Re: [squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

2014-10-14 Thread Walter H.
acl allow_urls url_regex -i /etc/squid/allowurls-regex-acl.squid (a) acl block_urls url_regex -i /etc/squid/blockurls-regex-acl.squid (b) acl allow_urlpaths urlpath_regex -i /etc/squid/allowurlpaths-regex-acl.squid (c) acl block_urlpaths urlpath_regex -i /etc/squid/blockurlpaths-regex-acl.squid

Re: [squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

2014-10-15 Thread Walter H.
On 15.10.2014 08:13, Amos Jeffries wrote: And the key difference in these configs is not the ACL contents, but the ordering in which they are matched. Mirzas' config starts by telling Squid everything on the LAN/localnet is allowed. Ok, fine,

Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Walter H.
Hi, a sample of a .pac-File function FindProxyForURL( url, host ) { var strURL = ( decodeURI( url ) ).toLowerCase( ); var strHost = host.toLowerCase( ); // Redirect to proxy with these URLs if ( ( strURL == "http://flickr.com/images/spaceball.gif" ) || ( strURL == ... ) )

Re: [squid-users] Correct order of acl rules?

2015-02-06 Thread Walter H.
On 06.02.2015 20:38, Amos Jeffries wrote: On 7/02/2015 8:27 a.m., Amos Jeffries wrote: On 7/02/2015 8:19 a.m., Walter H. wrote: the file blockurls-regex-acl.squid contains e.g. ^http:\/\/s[0-9]\.domain\.tld\/ the file allowurls-regex-acl.squid contains e.g. ^http:\/\/s[1-2]+\.domain\.tld

[squid-users] Correct order of acl rules?

2015-02-06 Thread Walter H.
Hello, my squid.conf contains the following lines - in this order ... acl allow_urlpaths urlpath_regex -i /etc/squid/allowurlpaths-regex-acl.squid acl block_urlpaths urlpath_regex -i /etc/squid/blockurlpaths-regex-acl.squid acl allow_urls url_regex -i /etc/squid/allowurls-regex-acl.squid --

[squid-users] Strange behaviour with Chrome (client OS = WinXP x64) ...

2015-02-01 Thread Walter H.
the mentioned error above, when activating this mentioned policy? the question to squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA? Thanks -- Best regards, Walter H.

Re: [squid-users] IPv6 and syntax?

2015-05-16 Thread Walter H.
On 16.05.2015 01:41, Amos Jeffries wrote: On 16/05/2015 6:14 a.m., Walter H. wrote: Hello, is IPv6 somewhat similar to IPv4? Somewhat, yes. I just wondered because of the different behaviour; e.g. I would write acl block_ipv4_range dst 84.84.84.0/24 deny_info errorpage block_ipv4_range

[squid-users] IPv6 and syntax?

2015-05-15 Thread Walter H.
Hello, is IPv6 somewhat similar to IPv4? e.g. I would write acl block_ipv4_range dst 84.84.84.0/24 deny_info errorpage block_ipv4_range http_access deny block_ipv4_range to block any hosts within this IPv4 range how would be the syntax for blocking any hosts within a specific IPv6 subnet

[squid-users] Correct Syntax for ACL?

2015-05-27 Thread Walter H.
Hello, would this be the correct syntax: acl crl-file url_regex -i \.crl$ or need it to be acl crl-file url_regex -i \.crl$ how does squid distinguish between a file containing rules e.g. acl acl-file url_regex -i /etc/url-acl.squid or the rule itself e.g. acl acl-rule url_regex -i \.exe$

[squid-users] SSL-bump and Public Key Pinning (HPKP)

2015-07-05 Thread Walter H.
Hello, I'm using squid with ssl-bump, after updating (I update only in bigger steps and not this often) my browser I realize, that this supports HPKP; I didn't find how to deactivate this - Chrome 43 so I thought, I could prevent squid of replying this header field with this:

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Walter H.
On 05.11.2015 04:26, Amos Jeffries wrote: There was a bug about the wrong SNI being sent to servers on bumped traffic that got re-written. That got fixed in Squid-3.5.7 and re-writers should have been fully working since then. This seems to be a bug in 3.5.x only with 3.4.10 this works fine

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
On 19.10.2015 01:01, Amos Jeffries wrote: If you are interested in getting this helper bundled with Squid No; the details on how to prepare and submit a patch to squid-dev mailing list are at: The style guide-line is not compatible with mine

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
it was just the solution I did for myself, and brought it to the "public" AS IS. On 21.10.2015 00:53, Brett Lymn wrote: On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote: The style guide-line is not compatible with mine (space - tab); which can be fixed mostly b

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 11:05, Amos Jeffries wrote: On 7/10/2015 4:27 a.m., Alex Rousskov wrote: On 10/06/2015 01:27 AM, Jason Haar wrote: Good catch - I don't think squid does CRL/OCSP checks But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look IIRC,

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 16:48, Amos Jeffries wrote: or sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1 can I have a working sample of valid_cert.pl that results in an "access denied" or any other error page of squid?

[squid-users] Possible Bug in squid? [Fwd: Re: [openssl-users] Problem checking certificate with OCSP]

2015-10-05 Thread Walter H.
ephen Henson" <st...@openssl.org> Date:Mon, October 5, 2015 17:11 To: openssl-us...@openssl.org -- On Mon, Oct 05, 2015, Walter H. wrote: > Hello, > > attached is the certificate and its chain of

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Walter H.
Hello, can you please provide an example of how to use this in squid.conf by the way how would I use these sslcrtvalidator_program and sslcrtvalidator_children Thanks, Walter On Tue, October 6, 2015 09:27, Jason Haar wrote: > Good catch - I don't think squid does CRL/OCSP checks > > I'm using

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Walter H.
On 13.11.2015 14:53, Yuri Voinov wrote: There is no solution for ICQ with Squid now. You can only bypass proxying for ICQ clients. from where do the ICQ clients get the trusted root certificates? maybe this is the problem, that e.g. the squid CA cert is only installed in FF and nowhere else

Re: [squid-users] Squid 3.5.9 RPM are available

2015-09-30 Thread Walter H.
Hello, can you do a little test for me? can you please try the following acl acl block_as4837 dst_as 4837 http_access deny block_as4837 and then try in a browser http://sudo.ml Thanks, Walter On 30.09.2015 18:45, Veiko Kukk wrote: On 30/09/15 18:27, Veiko Kukk wrote: I'm sorry, should

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page

[squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with squid, the page is shown ... Thanks,

Re: [squid-users] http request header must use hostname

2015-12-06 Thread Walter H.
On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname ... the SSL certificate of the host itself prevents the connection without message in the

Re: [squid-users] http request header must use hostname

2015-12-07 Thread Walter H.
On 07.12.2015 08:49, Amos Jeffries wrote: On 7/12/2015 5:41 p.m., Walter H. wrote: On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 14.12.2015 22:26, Yuri Voinov wrote: Hi all. Does anybody can tell me - is it possible to use subordinate secondary CA in squid for SSL Bumping purpose? this is possible; I had this for several months this way; I.e., we have self-signed primary CA for issue subordinate CA, subordinate CA

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 17.12.2015 18:01, Alex Rousskov wrote: On 12/17/2015 03:12 AM, Yuri Voinov wrote: This looks like. Root CA doesn't send. Subordinate CA uses as signer for mimicked. All and any clients got security alert. There may still be some terminology misunderstanding here because not sending the

Re: [squid-users] Block google pictures

2015-11-26 Thread Walter H.
use SSL bump and block URLs and/or URL-paths On 26.11.2015 15:27, Funke, Martin wrote: Im using squid + squid guard in a primary school and sometimes the primary-school pupil search for penis and things like that :). That’s why I need a way to stop them doing these things.

[squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello, I'd restrict the client by using a less resource consuming TLS encryption; I thought doing just this e.g. http_port 3128 ... cipher=3DES ... (for restricting clients connecting to 3DES) or what would be less resource consuming? AES128? but where can I see, which ciphersuite is really

Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello Amos, On Mon, January 11, 2016 11:13, Amos Jeffries wrote: > On 11/01/2016 10:50 p.m., Walter H. wrote: >> Hello, >> >> I'd restrict the client by using a less resource consuming TLS >> encryption; >> >> I though doing just this >&

Re: [squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

2016-03-26 Thread Walter H.
On 26.03.2016 11:53, Yuri Voinov wrote: Look at this, gents. http://i.imgur.com/kxrOEVd.png can you give me the complete URL just for testing purpose; https://download.microsoft.com/ does a forward to https://www.microsoft.com/en-us/download which squid version is in use?

[squid-users] Ciphersuites with SSL bump [squid 3.5.19]

2016-05-20 Thread Walter H.
Hello, I'd like to disable some ciphersuites when connecting with web servers; when I go there: https://cc.dcsec.uni-hannover.de/ I'm shown this (only the column with ciphersuite names): ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384

[squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
Hello, can someone please tell me which regular expression(s) would really block domains which are IP hosts for IPv4 this is my regexp: ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$ and this works as expected acl block_domains_iphost dstdom_regex

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
On 12.05.2016 22:20, Walter H. wrote: Hello, can someone please tell me how I can achieve this? the result should be that any URL like this http(s)://ip-address/ should be blocked by the specified error page Thanks and Greetings from Austria, Walter p.s. the sample here http://wiki.squid

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-13 Thread Walter H.
On Fri, May 13, 2016 07:32, Amos Jeffries wrote: > On 13/05/2016 3:44 p.m., Walter H. wrote: >> p.s. >> the sample here >> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype >> doesn't work, too >> > > The skype pattern is matching the port Skype uses.

[squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Walter H.
Hello, I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the generated certificates are now SHA2 and not SHA1, can I influence somewhere to generate still SHA1 certificates? (I have devices which use this proxy and are not able to handle SHA2) Thanks, Walter

[squid-users] DNS-Errors ... squid-cache.org

2016-05-10 Thread Walter H.
Hello, has anybody an idea where this errors come from, or what is causing them? May 10 11:21:00 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/MX/IN': 173.255.241.90#53 May 10 11:21:01 lxwaldivm-001 named[30098]: error (connection refused)

[squid-users] Object Size?

2017-02-08 Thread Walter H.
Hello, the setting maximum_object_size 4 MB is the default; would the following setting maximum_object_size 2 MB also mean, that there would be stored much more objects on disk? Thanks Walter

Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote: > On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote: >> Hello, >> >> just in case anybody wants to run Squid 3.5.x on CentOS >> with SELinux enforcing, >> >> here is the semodule >>

[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
Hello, just in case anybody wants to run Squid 3.5.x on CentOS with SELinux enforcing, here is the semodule module squid_update 1.0; require { type squid_conf_t; type squid_t; type var_t; class file { append open read write getattr lock execute_no_trans }; }

[squid-users] CentOS 6, Squid 3.5.20, Error message in /var/log/squid/cache.log

2016-11-23 Thread Walter H.
Hello, can someone tell me, especially the maintainer of the binary packages for CentOS what this message 2016/11/23 19:08:58 kid1| Error negotiating SSL on FD 39: error::lib(0):func(0):reason(0) (5/0/0) should say to me ... Thanks, Walter

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
the client machine(3.1.X)? > > All the above matters to understand how to offer the right solution. > > Eliezer > > > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > -Original Message- > Fr

[squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks - a Tablet-PC - a Smartphone - a Television on my LAN I've two squids as VMs on my PC (both are CentOS 6) I also have a virtual server (a CentOS 6, too) at a webhoster in a different country, which I

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
Hey, On 28.11.2016 14:51, Eliezer Croitoru wrote: Now to me the picture is much clear technically. As Amos suggested fix the first proxy(and I am adding choose how to approach) and then move on to the next ones. why fix the first proxy, I wouldn't need it, if ssl-bump plus parent proxy (the

Re: [squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Sunday, November 27, 2016 19:17 To: squid-users@lists.squid-cache.org Subject: [squid-users] Hint for howto wanted ... Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks - a Tab

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote: > OK so the next step is: > Routing over tunnel to the other proxy and on it(which has ssl-bump) > intercept. by now only the 3.5.20 squid on the local VM does SSL-bump > If you have a public on the remote proxies which can use ssl-bump

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
Hello, On Mon, November 28, 2016 22:45, Eliezer Croitoru wrote: > So much clear now to a solution. > If you don’t know what Policy Based Routing and you have a bunch of VM's and you are configuring the proxy in the browser manually you just need to install on the first proxy 3.5.22 that allows

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
On Tue, November 29, 2016 03:59, Amos Jeffries wrote: > On 29/11/2016 7:49 a.m., Walter H. wrote: >> Hey, >> >> On 28.11.2016 14:51, Eliezer Croitoru wrote: >>> Now to me the picture is much clear technically. >>> As Amos suggested fix the first proxy(and

Re: [squid-users] IPv6 and TPROXY

2017-08-13 Thread Walter H.
onnections, would it be possible? Would the usage of: http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ override the tproxy function? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message----- From

Re: [squid-users] IPv6 and TPROXY

2017-08-09 Thread Walter H.
liezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, August 8, 2017 17:15 To: squid-users@lists.squid-cache

Re: [squid-users] IPv6 and TPROXY

2017-08-10 Thread Walter H.
e and maybe > sysctl will help to reveal couple things about the subject. > > All The Bests, > Eliezer > > > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > > -Original Message- > F

Re: [squid-users] IPv6 and TPROXY

2017-08-12 Thread Walter H.
Thanks, Walter On 12.08.2017 20:23, Eliezer Croitoru wrote: Any progress with this issue? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message----- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Thursday, Au

[squid-users] This list generates a forward loop ...

2017-07-18 Thread Walter H.
Hello, On every post I get an error mail back: Subject:Undelivered Mail Returned to Sender From: "Mail Delivery System" Date: Tue, July 18, 2017 15:36 To: ... Priority: Normal This is the mail system at host

[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
Hello, my Router Box runs a CentOS 6, with the EPEL squid34 RPM package this the iptables *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # Allow multicast -A INPUT -d 224.0.0.0/4 -j ACCEPT -A OUTPUT -d 224.0.0.0/4 -j ACCEPT # Allow anything on the local link -A INPUT -i lo

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: > On 18.07.17 14:29, Walter H. wrote: >>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT > >>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT > >>-A INPUT -j LOG --log-pref

Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-19 Thread Walter H.
Hello, this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ... the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know? On 19.07.2017 17:36, Yuri wrote:

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote: > On 19/07/17 01:37, Walter H. wrote: >> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: >>> On 18.07.17 14:29, Walter H. wrote: >>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT >>

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
l: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, July 18, 2017 15:29 To: squid-users@lists.squid-cache.org Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) acce

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote: > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote: > >> I added these rules, and will see which packets are caught >> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: >> "

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: <squid-us...@squid-cache.org> (expanded from <squid-users@lists.squid-cache.org>): mail forwarding loop for squid-us...@squid-cache.org Why? You sent a mail to the address squid-users

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 20.07.2017 05:35, Walter H. wrote: On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: <squid-us...@squid-cache.org> (expanded from <squid-users@lists.squid-cache.org>): mail forwarding loop for squid-us...@squid-cache.org Why? You

[squid-users] IPv6 and TPROXY

2017-08-08 Thread Walter H.
Hello, I did at the ip6tables like this: https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j

[squid-users] wiki.squid-cache.org SSL configuration problem ...

2017-08-08 Thread Walter H.
Hello, the intermediate certificate which is provided doesn't go with the end entity certificate ... the intermediate that is provided: Let's Encrypt Authority X1 the intermediate that should be provided: Let's Encrypt Authority X3 for more see:

Re: [squid-users] Squid IPv4:port to IPv6

2017-08-19 Thread Walter H.
On 19.08.2017 04:03, davidjesse...@aol.com wrote: I'm trying to connect to Squid with one IPv4 IP and based on the port I'm connecting with, I want Squid to use a different IPv6 IP for the connection. Below is my config file |acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port

[squid-users] list generates error messages ...

2017-05-17 Thread Walter H.
whenever I send a mail to the list, I get such an error message back from mailer-dae...@squid-cache.org This is the mail system at host lists.squid-cache.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further

Re: [squid-users] Squid custom error page

2017-05-17 Thread Walter H.
On 17.05.2017 16:04, Amos Jeffries wrote: On 17/05/17 23:32, chcs wrote: Expected Results: Display proxy server error page with deny info. This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.

[squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; there are no shown icons, when going to e.g. ftp://ftp.adobe.com/ when I tell the browser to show the image then I get this

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 09:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could expect. All the traffic less blacklist is

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 11:25, Amos Jeffries wrote: On 25/05/17 19:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could

Re: [squid-users] Squid custom error page

2017-05-18 Thread Walter H.
On 18.05.2017 19:40, chcs wrote: One more question: With 2 CA differents certificates to block twitter.com>> differents results Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html Result: no problem, it's show me squid custom error page

Re: [squid-users] Squid + IPv6

2017-05-16 Thread Walter H.
On 16.05.2017 21:21, IAPS Security Services, Ltd. wrote: How can I compile squid for windows to get around the 128 ip limit imposed? have you ever tried to give each network interface more than 128 IP addresses at a time?

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
5/2017 14:07 PM, Walter H. wrote: On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; there are no

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
On 25.05.2017 21:51, Mike wrote: Walter, what I've found is when compiling to squid 3.5.x and higher, the compile options change. Also remember that many of the options that were available with 3.1.x are depreciated and likely will not work with 3.4.x and higher. the compile options are not

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, Run "squid -v" to find out if there are any build options different. Usually its just two alternativ

Re: [squid-users] IPv6 and TPROXY

2017-08-19 Thread Walter H.
...@ngtech.co.il -Original Message- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Sunday, August 13, 2017 21:31 To: Eliezer Croitoru<elie...@ngtech.co.il> Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] IPv6 and TPROXY Hello Eliezer yes, because all my

Re: [squid-users] IPv6 and TPROXY

2017-08-21 Thread Walter H.
tech.co.il -Original Message----- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Saturday, August 19, 2017 23:23 To: Eliezer Croitoru<elie...@ngtech.co.il> Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] IPv6 and TPROXY Hello, not really, I must live with the fa

[squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-17 Thread Walter H.
for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable ... Greetings, Walter

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
Hello, still certificate issues: missing intermediate certificate Greetings, Walter On 17.11.2017 13:39, Walter H. wrote: for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
On 18.11.2017 13:51, Walter H. wrote: Hello, still certificate issues: missing intermediate certificate Greetings, Walter @Amos: There is *no* chain. Our cert is directly signed by the LetsEncrypt CA. Amos that's wrong; LetsEncrypt is only an intermediate, and MUST be given

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffi-Helman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am using squid in transparent mode . Everything working fine in Firefox and IE after i have imported the certificate in both the browser , but in Chrome 67 version on Windows 10 i am facing the below issue

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 19:03, Amit pasari wrote: Dear Walter I have tried with both SHA1 and SHA256 cert . Sent from my iPhone On Jun 26, 2018, at 9:43 PM, Walter H. <mailto:walte...@mathemainzel.info>> wrote: On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am us

Re: [squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-29 Thread Walter H.
On 29.07.2018 06:11, Gordon Hsiao wrote: is there a way to block any attempt to visit http/https by _any_ IP directly, i.e. http://my-IP or https://my-IP (yes this will give a warning for SSL most likely). here my-IP could be any IPv4 address, for example. Basically I want to have Squid to

Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread Walter H.
On 26.07.2018 17:32, erdosain9 wrote: Hi, thanks I try Explorer 8.0 and Chrome 68.0... this can be deactivated on browser side; then wpad is for the cats ... Walter

Re: [squid-users] [squid-announce] Squid 4.2 is available

2018-08-11 Thread Walter H.
On 10.08.2018 07:41, Amos Jeffries wrote: The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.2 release! will there be a RPM for latest CentOS 6 available? Walter

[squid-users] Error Message alert handshake failure

2018-08-29 Thread Walter H.
Hello, what does this message 2018/08/29 16:11:28 kid1| Error negotiating SSL on FD 22: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0) in cache.log mean? Thanks, Walter

Re: [squid-users] Google analytics screwing up a lot of sites?

2018-03-26 Thread Walter H.
Hello On 26.03.2018 21:27, Bob Cochran wrote: We use squid 3.5.20 and a custom content filter to block undesirable (tracking) sites (e.g., google-analytics.com). get 3.5.27 ... It seems that Google's JavaScript ( or missing scripts ) is rendering various modal / dialog boxes useless

[squid-users] Message with SSL-bump with a specific site ...

2018-11-05 Thread Walter H.
Hello, can someone explain what is causing this message While trying to retrieve the URL: https://www.3bg.at/* The following error was encountered: * *Failed to establish a secure connection to 193.138.123.75 * The system returned: /(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)/