[squid-users] cache-peer and tls

2019-08-03 Thread Eugene M. Zheganin
Hello, I'm using squid 4.6 and I need to TLS-encrypt the session to the parent proxy. I have in config: cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem sslkey=/usr/local/etc/letsenc

[squid-users] iOS 10.x, https and squid

2016-11-01 Thread Eugene M. Zheganin
Hi. Does anyone have issues with iOS 10.x devices connecting through proxy (3.5.x) to the https-enabled sites? Because I do. Non-https sites work just fine, but https ones just get stuck on loading. First I thought that this is a problem with sslBump and disabled it, but this didn't help. I got

Re: [squid-users] connections from particular users sometimes get stuck

2016-09-29 Thread Eugene M. Zheganin
Hi. On 29.09.2016 23:17, Alex Rousskov wrote: > On 09/29/2016 02:58 AM, Eugene M. Zheganin wrote: >> This time turbodom.ru entries are present in the debug log > Yes, there are two complete HTTP transactions with that domain. One is a > 407 Authentication Required and one is

Re: [squid-users] connections from particular users sometimes get stuck

2016-09-29 Thread Eugene M. Zheganin
Hi. On 29.09.2016 08:38, Eugene M. Zheganin wrote: > Hi. > > On 28.09.2016 21:21, Alex Rousskov wrote: >> >> Indeed! Fixing that exposes one HTTP request in the capture file. >> Unfortunately, >> >> 1. Squid responded to that request (with a 407 messag

Re: [squid-users] connections from particular users sometimes get stuck

2016-09-28 Thread Eugene M. Zheganin
Hi. On 28.09.2016 21:21, Alex Rousskov wrote: Indeed! Fixing that exposes one HTTP request in the capture file. Unfortunately, 1. Squid responded to that request (with a 407 message). Follow (tcp.stream eq 32) in Wireshark. 2. Squid did not receive this request when debugging was on:

Re: [squid-users] connections from particular users sometimes get stuck

2016-09-28 Thread Eugene M. Zheganin
Hi. On 28.09.2016 01:36, Alex Rousskov wrote: > On 09/27/2016 02:02 PM, Eugene M. Zheganin wrote: > >> I guess squid >> didn't get a way to increase debug level on the fly ? > "squid -k debug" (or sending an equivalent signal) does that: > http://wik

Re: [squid-users] connections from particular users sometimes get stuck

2016-09-27 Thread Eugene M. Zheganin
Hi. On 28.09.2016 0:29, Alex Rousskov wrote: Since you can reproduce this, I suggest collecting ALL,9 log for the stuck master transaction: http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction If collecting a debugging trace is impossible for some reason, then colle

[squid-users] connections from particular users sometimes get stuck

2016-09-27 Thread Eugene M. Zheganin
Hi. I have a weird problem. I run a squid cache 3.5.19 on FreeBSD/amd64, with about 300 active users, lots of authentication, external helpers (yeah, it's usually the place when one starts to post configs, but let me get to the point), and everything basically works just fine, but sometimes o

Re: [squid-users] large downloads got interrupted

2016-08-11 Thread Eugene M. Zheganin
Hi. On 30.06.16 17:19, Amos Jeffries wrote: > > Okay, I wasn't suggesting you post it here. It's likely to be too big for > that. > > I would look for the messages about the large object, and its FD. Then, > for anything about why it was closed by Squid. Not sure what that would be > at this point th

Re: [squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Eugene M. Zheganin
Hi. On 30.06.2016 17:04, Amos Jeffries wrote: On 30/06/2016 9:21 p.m., Eugene M. Zheganin wrote: Hi, Could this message be moved on loglevel 2 instead of 1 ? I think that this message does 95% of the logs of the intercept-enabled caches with authentication. At least some switch would be nice

[squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Eugene M. Zheganin
Hi, Could this message be moved to loglevel 2 instead of 1? I think that this message makes up 95% of the logs of the intercept-enabled caches with authentication. At least some switch would be nice, to switch this off instead of switching the whole facility to 0. Thanks. Eugene.

Re: [squid-users] large downloads got interrupted

2016-06-29 Thread Eugene M. Zheganin
Hi. On 29.06.16 05:26, Amos Jeffries wrote: > On 28/06/2016 8:46 p.m., Eugene M. Zheganin wrote: >> Hi, >> >> recently I started to get the problem when large downloads via squid are >> often interrupted. I tried to investigate it, but, to be honest, got >> now

[squid-users] large downloads got interrupted

2016-06-28 Thread Eugene M. Zheganin
Hi, recently I started to get the problem that large downloads via squid are often interrupted. I tried to investigate it, but, to be honest, got nowhere. However, I took two tcpdump captures, and it seems to me that for some reason squid sends FIN to its client and correctly closes the connectio

Re: [squid-users] ext_kerberos_ldap_group_acl and Kerberos cache

2016-05-18 Thread Eugene M. Zheganin
Hi. On 18.05.2016 16:29, Amos Jeffries wrote: I don't know what you mean by "the main tree". But the feature you describe does not qualify for adding to the 3.5 production release series. The only features added to a series after it goes to "stable" production releases are ones which resolve no

[squid-users] ext_kerberos_ldap_group_acl and Kerberos cache

2016-05-17 Thread Eugene M. Zheganin
Hi. I've just checked the squid 3.5.19 sources, and discovered the following fact that is really disturbing: (first some explanation) Markus Moeller, the author of the external kerberos group helper, has implemented the Kerberos credentials cache in the ext_kerberos_ldap_group_acl helper back in

[squid-users] squid, SMP and authentication and service regression over time

2016-05-16 Thread Eugene M. Zheganin
Hi. I've been using squid for a long time, I'm using it to authenticate/authorize users accessing the Internet with LDAP in a Windows corporate environment (Basic/NTLM/GSS-SPNEGO) and recently (about several months ago) I had to switch to the SMP scheme, because one process started to eat the whole

Re: [squid-users] Assign multiple IP Address to squid

2015-12-29 Thread Eugene M. Zheganin
Hi. On 29.12.2015 17:05, Reet Vyas wrote: > Hi > > I have working squid3.5.4 configuration with ssl bump, I am using this > squid machine as router and have external IP to it and have a leased > line connection but with leased line I have 10 extra IP address and I > want to NAT those external ip t

Re: [squid-users] sslBump adventures in enterprise production environment

2015-12-28 Thread Eugene M. Zheganin
Hi. On 16.11.2015 0:39, Alex Rousskov wrote: > On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote: >> It's not even HTTPS, it's a tunneled HTTP CONNECT. But >> squid for some reason thinks there should be HTTPS inside. > Hello Eugene, > > Squid currently

[squid-users] sslBump, squid in transparent mode

2015-12-28 Thread Eugene M. Zheganin
Hi. I'm still trying to figure out why I get a certificate generated for the IP address instead of the hostname when the HTTPS traffic is intercepted by sslBump-enabled squid. I'm using iptables to do this: rdr on $iifs inet proto tcp from 192.168.0.0/16 to ! port 443 -> 127.0.0.1 port 3131 rdr on vpn inet

[squid-users] squid authentication mechs

2015-12-16 Thread Eugene M. Zheganin
Hi. Is there a way to limit the number of available authentication mechanisms (for a client browser) based on the particular squid IP which this browser connects to, like, using the http_port configuration directive? For example this is needed when one needs to allow the non-domain machines to pass thr

[squid-users] https and URL rewriting

2015-12-11 Thread Eugene M. Zheganin
Hi. I'm using URL rewriting to display instant messages to users. I'm doing it using traffic interception and squid in transparent mode; so far I'm intercepting http only. But I wonder how it will behave with https, since it's a tunneled connection? I suppose, unless using the ssl-Bump technique, squ

Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
Hi, On 16.11.2015 19:51, Matej Kotras wrote: > Thank you for your response, as this is my first try with Squid, and > fairly newb in Linux. > I do not understand at all differences between basic/ntlm/gss-spnego > auths so I will do my homework and read about them. I've managed to > get this workin

Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
On 16.11.2015 14:29, Matej Kotras wrote: > Hi guys > > I've managed squid to work with AD, and authorize users based on what > AD group they are in. I use Squid-Analyzer for doing reports from > access.log. I've found 2 anomalies with authorization so far. In > access log, I see that user is author

Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Eugene M. Zheganin
Hi. On 16.11.2015 18:46, dol...@ihcrc.org wrote: > > Squid Version: Squid 3.4.8 > > OS Version: Debian 8 (8.2) > > > > I have installed Squid on a server using Debian 8 and seem to have the > basics operating, at least when I start the squid service, I am > no longer getting any error mes

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Eugene M. Zheganin
Hi. On 16.11.2015 00:39, Alex Rousskov wrote: > Hello Eugene, > > Squid currently supports two kinds of CONNECT tunnels: > > 1. A regular opaque tunnel, as intended by HTTP specifications. > > 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic. > > Opaque tunnels are the default.

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Eugene M. Zheganin
Hi. On 16.11.2015 00:14, Yuri Voinov wrote: > It's common knowledge. Squid is unable to pass an unknown protocol on > the standard port. Consequently, the ability to proxy this protocol does > not exist. > > If it was simply a tunneling ... It is not https. And not just > HTTP-over-443. This is m

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Eugene M. Zheganin
Hi. On 15.11.2015 0:43, Walter H. wrote: > On 13.11.2015 14:53, Yuri Voinov wrote: >> There is no solution for ICQ with Squid now. >> >> You can only bypass proxying for ICQ clients. > from where do the ICQ clients get the trusted root certificates? > maybe this is the problem, that e.g. the squid

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Eugene M. Zheganin
Hi. On 13.11.2015 18:53, Yuri Voinov wrote: > There is no solution for ICQ with Squid now. > > You can only bypass proxying for ICQ clients. > There is: I can disable sslBump, and I did it already. It doesn't look production-ready anyway. Eugene.

[squid-users] sslBump adventures in enterprise production environment

2015-11-13 Thread Eugene M. Zheganin
Hi. Today I discovered that a bunch of old legacy ICQ clients that some people still use have lost the ability to use HTTP CONNECT tunneling with sslBump. No matter what I tried to allow direct splicing for them, all was useless: - arranging them by dst ACL, and splicing that ACL - arranging them

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi, On 12.11.2015 17:48, Yuri Voinov wrote: > More probably this is bug > http://bugs.squid-cache.org/show_bug.cgi?id=4188. > The page says it's fixed, and applied to 3.5. If it's already in 3.5.11, then it's not it - I just tested 3.5.11, and the behavior is the same. Thanks. Eugene.

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi. On 12.11.2015 17:04, Steve Hill wrote: > > proxy_auth won't work on intercepted traffic and will therefore always > return false, so as far as I can see you're always going to peek and > then splice. i.e. you're never going to bump, so squid should never > be generating a forged certificate.

[squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi. This question is not directly related to my yesterday's one. I decided to intercept the HTTPS traffic on my production squids from proxy-unaware clients to be able to tell them there's a proxy and they should configure one. So I'm doing it like (the process of forwarding using FreeBSD pf is not

Re: [squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi. On 12.11.2015 0:06, Eugene M. Zheganin wrote: > So, the user starts its browser and opens the URL 'https://someurl'. > And this URL matches both 'block' and 'blockssl' ACLs, one I created for > you know... usual matching and one - for sslBump,

Re: [squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi. On 11.11.2015 23:44, Amos Jeffries wrote: > Proxy-authentication cannot be performed on MITM'd traffic. That > includes SSL-bump decrypted messages. > > However, unlike the other methods SSL-bump CONNECT wrapper messages in > explicit-proxy traffic can be authenticated and their credentials >

[squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi. I have configured simple ssl peek/splice on squid 3.5.10 for some simple cases, but in my production, where configs are complicated, it doesn't work as expected - somehow it interferes with authentication. Suppose we have a config like: ===Cut=== acl freetime time MTWHF 18:00-24:00 acl foo

[squid-users] mmap() in squid

2015-03-27 Thread Eugene M. Zheganin
Hi. Squid has used the mmap() call since 3.4.x, and mmap() on FreeBSD has one specific flag - MAP_NOSYNC, which prevents dirtied pages from being flushed to disk: MAP_NOSYNC Causes data dirtied via this VM map to be flushed to physical media only when necessary (usually by

Re: [squid-users] squid SMP and SNMP

2015-03-19 Thread Eugene M. Zheganin
Hi. On 18.03.2015 19:02, Amos Jeffries wrote: > Process kid3 (SMP coordinator) is attempting to respond. > > Since you configured: > snmp_port 340${process_number} > > and the coordinator is process number 3 I think it will be using port > 3403 for that response. > > Nobody is listening on these

Re: [squid-users] squid SMP and SNMP

2015-03-18 Thread Eugene M. Zheganin
Hi. On 18.03.2015 16:04, Amos Jeffries wrote: > > SNMP is on the list of SMP-aware features. > > The worker receiving the SNMP request will contact other workers to > fetch the data for producing the SNMP response. This may take some time. > Yeah, but it seems like it doesn't happen. Plus, I'm get

[squid-users] squid SMP and SNMP

2015-03-18 Thread Eugene M. Zheganin
Hi. I'm gathering statistics from squid using SNMP. When I use a single process everything is fine, but when it comes to multiple workers - SNMP doesn't work - I get a timeout when trying to read data with snmpwalk. I'm using the following tweak: snmp_port 340${process_number} both workers bind on

Re: [squid-users] Memory Leak Squid 3.4.9 on FreeBSD 10.0 x64

2015-01-15 Thread Eugene M. Zheganin
Hi. On 12.01.2015 19:06, Amos Jeffries wrote: > > I am confident that those types of leaks do not exist at all in Squid 3.4. > > These rounds of memory exhaustion problems are caused by pseudo-leaks, > where Squid incorrectly holds onto memory (has not forgotten it > though) far longer than it shoul

Re: [squid-users] Memory Leak Squid 3.4.9 on FreeBSD 10.0 x64

2015-01-12 Thread Eugene M. Zheganin
Hi. On 12.01.2015 16:41, Eugene M. Zheganin wrote: > I'm now also having a strong impression that squid is leaking memory. > Now, when 3.4.x is able to handle hundreds of users during several > hours I notice that its memory usage is constantly increasing. My > patience al

Re: [squid-users] Memory Leak Squid 3.4.9 on FreeBSD 10.0 x64

2015-01-12 Thread Eugene M. Zheganin
Hi. On 09.01.2015 00:10, Doug Sampson wrote: > Man, I empathize with you. Have you tried running Squid 3.4.x on > FreeBSD 9.3? Sometimes I wonder if it's FreeBSD 10.x that's causing > the issue... It's not. The FreeBSD 9.x branch was a crappy release from its start. Eugene.

Re: [squid-users] Memory Leak Squid 3.4.9 on FreeBSD 10.0 x64

2015-01-12 Thread Eugene M. Zheganin
Hi. On 09.01.2015 06:12, Amos Jeffries wrote: > Grand total: > => 9.5 GB of RAM just for Squid. > > .. then there is whatever memory the helper programs, other software > on the server and operating system all need. > I'm now also having a strong impression that squid is leaking memory. Now, whe

Re: [squid-users] 3.3.x -> 3.4.x: huge performance regression

2015-01-12 Thread Eugene M. Zheganin
Hi. On 12.01.2015 16:03, Eugene M. Zheganin wrote: > Hi. > > Just to point this out in the correct thread - to all the people who > replied here - Steve Hill has provided a patch for a 3.4.x that solves > the most performance degradation issue. 3.4.x is still performing poorly >

Re: [squid-users] 3.3.x -> 3.4.x: huge performance regression

2015-01-12 Thread Eugene M. Zheganin
Hi. Just to point this out in the correct thread - to all the people who replied here - Steve Hill has provided a patch for 3.4.x that solves the worst performance degradation issue. 3.4.x is still performing poorly compared to the 3.3.x branch, but I guess this is due to major code changes. As

Re: [squid-users] 3.3.x -> 3.4.x: huge performance regression

2014-10-24 Thread Eugene M. Zheganin
Hi. On 24.10.2014 17:17, Rietzler, Markus (RZF, SG 324 / ) wrote: > the important keyword is "NTLM"! > without external auth helper squid 3.4 is working well. as soon as the > external helper is active, cpu rises to 100%. nothing with workers etc. > even the fakehelper is not working. just to ma

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Eugene M. Zheganin
Hi. On 23.10.2014 18:13, Carlos Defoe wrote: > I had this kind of 100% CPU problem with auth helpers when upgrading > to squid 3.4. I use negotiate_wrapper, kerberos, ntlm and basic auth. > Then I had to fall back to 3.3 and it is production until now, with > some troubles with broken clients, but

[squid-users] 3.3.x -> 3.4.x: huge performance regression

2014-10-21 Thread Eugene M. Zheganin
Hi. I was using the 3.4.x branch for quite some time, it was working just fine on small installations. Yesterday I upgraded my largest cache installation from 3.3.13 to 3.4.8 (same config, diskd, NTLM/GSS-SPNEGO auth helpers, external helpers). Today morning I noticed that squid is spiking to 100%

[squid-users] assertion failed: "lm_request->waiting"

2014-10-21 Thread Eugene M. Zheganin
Hi. Is someone getting this too ? I get this with sad regularity: # grep lm_request /var/log/squid/cache.log 2014/10/06 14:32:12 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting" 2014/10/07 16:06:10 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting" 2014/10/16 16

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-20 Thread Eugene M. Zheganin
Hi. On 20.10.2014 22:29, Victor Sudakov wrote: That's what we did. 1. Created an AD user called squiduser. 2. Extracted its keytab with something like ktpass -princ HTTP/proxy.sibptus.transneft...@sibptus.transneft.ru -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /t

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-19 Thread Eugene M. Zheganin
Hi. On 19.10.2014 13:32, Victor Sudakov wrote: > > Hopefully I can interest our Windows admin to enable Kerberos event > logging per KB262177. > > But for the present I have found an ugly workaround. In squid's keytab, I > created another principal called 'squiduser' with the same hex key and > kv

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-18 Thread Eugene M. Zheganin
Hi. On 18.10.2014 16:11, Victor Sudakov wrote: I thought as much. This error seems suspicious. But why does a second request not cause the same error? No idea. We have tried both ways (enabling all ciphers and enabling only arcfour-hmac-md5), but it made no difference. Currently we are using t

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Eugene M. Zheganin
Hi. On 17.10.2014 11:02, Victor Sudakov wrote: > > I am attaching a traffic dump. > > Please look at Frame No. 36, where a ticket is requested for > "HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where > the ticket is granted, but for the wrong principal name. > The thing is, valid e

Re: [squid-users] leaking memory in squid 3.4.8 and 3.4.7.

2014-09-28 Thread Eugene M. Zheganin
Hi. On 28.09.2014 21:14, Victor Sudakov wrote: How do I figure this out? I compiled squid from the FreeBSD ports collection, don't remember any tunable option concerning SMP workers. They're off by default. Plus, it's a 3.x feature. If you ported your config from your 2.7 installation, they're

Re: [squid-users] leaking memory in squid 3.4.8 and 3.4.7.

2014-09-28 Thread Eugene M. Zheganin
Hi. On 28.09.2014 12:28, Victor Sudakov wrote: squid 3.4.8 and 3.4.7 are leaking memory at the rate of several Mbytes per minute on FreeBSD. Squid 3.4.8 leaks faster than 3.4.7. The settings are more than modest: cache_mem 128 MB cache_dir ufs /webcache/cache 512 16 256 memory_pools off # neit