Re: [squid-dev] how i can make each user to use only specify port in squid proxy

2018-11-21 Thread Amos Jeffries
Please use the squid-users mailing list for help using Squid.

This mailing list is for developers/programmers discussion about the
Squid code internals and functionality changes to it.




On 21/11/18 12:55 am, WoWProxy wrote:
> I am starting to tunnel IPv6 with IPv4
>

There are hundreds, possibly thousands, of types of "tunnel". Squid
can tunnel, but you appear not to be using that functionality in any way.

Much of your explanation about what you are doing is written in vague
terms like this. It is not clear whether the problem you are currently
seeing is going to help you reach your actual goal or just a problem on
the way to an irrelevant situation. Please provide more precise details
about what you are doing when you re-post to squid-users. That will
greatly improve any assistance people can give you.


HTH
Amos Jeffries
The Squid Software Foundation
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


Re: [squid-dev] TLS 1.3 0rtt

2018-11-21 Thread Amos Jeffries
On 16/11/18 3:07 am, Marcus Kool wrote:
> After reading
> https://www.privateinternetaccess.com/blog/2018/11/supercookey-a-supercookie-built-into-tls-1-2-and-1-3/
> I am wondering if the TLS 1.3 implementation in Squid will have an
> option to disable the 0rtt feature so that user tracking is reduced.
> 

As the article mentions, the issue is also part of TLS/1.2 and the
features behind it can already be configured to disable as needed. It is
unlikely that we would remove such a useful config option any time soon.


Also, it is worth stating that this type of tracking does not work
through a TLS proxy. The TLS session between client and proxy is not
shared with server and vice versa. The proxy<->server TLS session which
it might try tracking contains multiplexed traffic from many clients so
is not a reliable per-user tracker to the server.


Things get a lot less clear when SSL-Bumping since there is a mix of
OpenSSL and Squid code doing things and actions like peek/stare/splice
may require side effects of preventing TLS feature removal/disable.

It is an admin choice how and when to use such actions though, so again
already configurable if one understands what those actions do rather than
just blindly throwing copy-paste config settings at the proxy until
something "works".

HTH
Amos