[squid-users] help with regard to http/https filtering

2015-02-03 Thread Rajkumar Prasad
Hi Everyone,

I have been working on very basic Squid configurations and need a little help.
We have done this setup to provide everyone very limited access to a
restricted number of websites. My question is whether there is a way to
control only a certain part of a URL so that it gets dropped, instead of the
whole website and its other contents. For example:

We need to have access to http://renderman.pixar.com, however we want to
control internal links within it:
"https://renderman.pixar.com/forum/download.php" and
"https://renderman.pixar.com/forum/teamviewer.php". I see these are HTTPS
enabled portals and maybe that is why I am unable to. My intention is to block
these specific URLs while keeping the rest of the navigation working. I tried
url_regex and urlpath_regex and those do not seem to be working.

See if you can add a little help.

Thanks
Rajkumar

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
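Rajkumar's url_regex and urlpath_regex rules cannot match the two HTTPS pages because a forward proxy that does not decrypt TLS only ever sees `CONNECT renderman.pixar.com:443`, never the `/forum/download.php` path. The following Python script is an added illustration written for this archive page, not code from the thread or from the Squid project: it mimics the two ACL types over constructed request lines and shows which requests a path-based rule can and cannot see. The equivalent squid.conf lines appear as comments and assume the ACL name `blocked_pages`.

```python
"""Added example (not from the squid-users thread): how Squid-style URL ACLs
see an HTTP request versus an HTTPS request through a forward proxy.

url_regex tests the whole request URL; urlpath_regex tests only the path.
For an HTTPS site reached through a non-decrypting forward proxy the only
request the proxy receives is "CONNECT host:443", so a regex written against
/forum/download.php has nothing to match.  All request lines are constructed.
"""
import re
from typing import Tuple
from urllib.parse import urlsplit

# Constructed request lines as a forward proxy would receive them.
REQUESTS = [
    "GET http://renderman.pixar.com/ HTTP/1.1",
    "GET http://renderman.pixar.com/forum/download.php HTTP/1.1",
    "CONNECT renderman.pixar.com:443 HTTP/1.1",   # any https:// URL on that host
]

# Equivalent squid.conf lines (reference only; ACL name is an assumption):
#   acl blocked_pages url_regex -i ^https?://renderman\.pixar\.com/forum/(download|teamviewer)\.php
#   http_access deny blocked_pages
BLOCKED_PATH = re.compile(r"^/forum/(download|teamviewer)\.php", re.IGNORECASE)
BLOCKED_URL = re.compile(
    r"^https?://renderman\.pixar\.com/forum/(download|teamviewer)\.php", re.IGNORECASE
)


def visible_url(request_line: str) -> Tuple[str, str, str]:
    """Return (method, url_as_seen_by_proxy, path_as_seen_by_proxy)."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # A tunnel request carries only host:port; there is no path to test.
        return method, target, ""
    return method, target, urlsplit(target).path


def url_regex_matches(request_line: str, pattern: re.Pattern) -> bool:
    """Mimic url_regex: match against the whole URL the proxy sees."""
    _method, url, _path = visible_url(request_line)
    return pattern.search(url) is not None


def urlpath_regex_matches(request_line: str, pattern: re.Pattern) -> bool:
    """Mimic urlpath_regex: match against the path only (empty for CONNECT)."""
    _method, _url, path = visible_url(request_line)
    return bool(path) and pattern.search(path) is not None


def decide(request_line: str) -> str:
    """'deny' when either ACL matches, otherwise 'allow'."""
    if url_regex_matches(request_line, BLOCKED_URL) or urlpath_regex_matches(
        request_line, BLOCKED_PATH
    ):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for line in REQUESTS:
        print(f"{decide(line):5s}  {line}")
```

The HTTPS request is allowed not because the rule is wrong but because the proxy has no path to test. Blocking those two pages over HTTPS requires either decrypting the traffic (Squid's ssl_bump) so the path becomes visible, or accepting host-level control (a dstdomain rule on the CONNECT host), which blocks the whole site.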


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Jason Haar
On 04/02/15 18:47, Daniel Greenwald wrote:
> And happens to be one that squid desperately needs to remain in order
> to continue ssl bumping..
...and is one that diminishes in value as cert pinning becomes more
popular...

It's a tough life: on the one hand we want to do TLS intercept in order
to do content filtering of HTTPS (because the bad guys are deliberately
putting more and more malware onto HTTPS websites), and yet on the other
hand we all want some things to be private.

Bring back RFC3514, then all of this would be easy!!!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Omid Kosari
The only reason to extend is more capacity.
Currently there is no problem with the current setup except capacity.
I can replace each SSD with a new 500GB one, which doubles the capacity, and it
is not enough, and the old SSDs will be unusable. So I prefer a long term
solution like NAS.


The current spec of the squid boxes is core i3 (with the current 3.1.20 version
one core is utilized) and 16GB of RAM. So far so good.





Re: [squid-users] Alert unknown CA

2015-02-03 Thread Daniel Greenwald
Amos Wrote:
The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs clients.

And happens to be one that squid desperately needs to remain in order to
continue ssl bumping..


---
Daniel I Greenwald



On Tue, Feb 3, 2015 at 7:16 PM, Amos Jeffries wrote:

>
> On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
> >
> > Now I have:
> >
> > root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l 210
> >
> > root and intermediate CAs. Most known ones I could find.
> >
> > Note: all of them were found in different places, in addition to
> > Mozilla's bundle, shipped with OpenSSL.
> >
> > How can I find which one is absent?
>
> Depends on your definition of "absent". If one were really
> serious about security, the Trusted CA list would be empty.**
>
> All the domains using DANE and TLSA DNS records? I am hoping someday
> to have Squid fetch and use those instead of the Trusted CA, but that
> is a while off. (hint, hint, sponsorship welcome etc. and so on).
>
> >
> > And how to support this heap? In practice? Manually with the CLI
> > openssl? OK, but how to identify the problem URL when Squid's load is
> > over 100 requests per second?
>
> With the cert validator helper I think. Probably something custom.
>
>
> ** The point of the word "Trusted" in Trusted CA is that they have
> passed through some difficult criteria to get listed and installed.
> Just grabbing CA certs from all over the place is risking a huge
> amount. The major well-known security flaw in the whole TLS/SSL system
> is that any one of the Trusted CAs is capable of forging signatures on
> other CAs' clients. So dodgy list entries are a VERY big deal.
>
> Amos


Re: [squid-users] Squid Authentication

2015-02-03 Thread Daniel Greenwald
I have a Windows server running old 2.7 for the simple reason that mswin
negotiate auth works totally flawlessly for seamless AD authentication on ALL
browsers. Versus with samba/heimdal on a *nix server, users would randomly get
annoying logon popups which I could not eliminate. It may be old but it
just works!




---
Daniel I Greenwald



On Mon, Feb 2, 2015 at 8:17 AM, Yuri Voinov wrote:

>
>
> Hurry up, Raf :)
>
> I'm waiting for 3.5 Win64 for my notebook :)
>
> And don't forget SSL Bump ! :)
>
> 02.02.2015 20:47, Rafael Akchurin пишет:
> > Eldar will send soon as we finish some initial testing.
> > Raf
> >
> >
> > 
> > From: Amos Jeffries 
> > Sent: Monday, February 2, 2015 3:32 PM
> > To: Rafael Akchurin; squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Squid Authentication
> >
> > On 3/02/2015 3:04 a.m., Rafael Akchurin wrote:
> >> Hello Amos,
> >>
> >> We will soon be able to have latest 3.5 built for Cygwin x64
> (hopefully).
> >>
> >
> > Yay! Are there any patches I can merge that will help minimize the
> > tracking work for future releases?
> >
> > Amos
> >
> >
> >> Rafael
> >>
> >> 
> >> From: Amos Jeffries
> >>
> >> On 2/02/2015 5:27 p.m., Raju M K wrote:
> >>> Need squid Authentication syntax for local users in Windows 7/8
> workgroup
> >>> Presently using squid 2.7 stable 8
> >>
> >> 2.7 was end-of-lifed *5 years ago*. Please upgrade.
> >> http://www.squid-cache.org/Versions/
> >>
> >> PS. I know we don't have a native windows version available of anything
> >> newer (though Cygwin does provide 3.2/3.3 builds). But there is no
> >> reason for Squid being tied down onto a Windows server while servicing
> >> Windows users, and many reasons for it to *not* be.
> >>
> >> Amos
> >>
>


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Amos Jeffries

On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
> 
> Now I have:
> 
> root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l 210
> 
> root and intermediate CAs. Most known ones I could find.
> 
> Note: all of them were found in different places, in addition to 
> Mozilla's bundle, shipped with OpenSSL.
> 
> How can I find which one is absent?

Depends on your definition of "absent". If one were really
serious about security, the Trusted CA list would be empty.**

All the domains using DANE and TLSA DNS records? I am hoping someday
to have Squid fetch and use those instead of the Trusted CA, but that
is a while off. (hint, hint, sponsorship welcome etc. and so on).

> 
> And how to support this heap? In practice? Manually with the CLI
> openssl? OK, but how to identify the problem URL when Squid's load is
> over 100 requests per second?

With the cert validator helper I think. Probably something custom.


** The point of the word "Trusted" in Trusted CA is that they have
passed through some difficult criteria to get listed and installed.
Just grabbing CA certs from all over the place is risking a huge
amount. The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs' clients. So dodgy list entries are a VERY big deal.

Amos


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Amos Jeffries
On 4/02/2015 9:20 a.m., Anton Radkevich wrote:
> Yuri,
> 
> I'd like to allow or deny access for a client before establishing of
> encrypted channel to proxy server using an authentication method of squid
> proxy.


I think you and Yuri are talking past each other on this.

This page has what you want to know. Yuri was talking about
section-2 connections, but I read your query as being closer to
section-4 connections.


> Can I setup any authentication method for https forward proxy? If yes, is
> it possible to use more secure hash algorithms than old md5?

Squid does Basic, Digest, NTLM, Negotiate, and (with a patch) Bearer.

It's not clear what you mean about MD5. Do you have a specific auth
helper like NCSA storing passwords using that hash?

Amos


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov


On 04.02.2015 3:30, Anton Radkevich writes:
> Guys,
>
> I just need an HTTPS proxy that can handle both http and https
> connections for authorised clients only. I tried to configure something
> like what is described here
> http://www.mail-archive.com/squid-users@squid-cache.org/msg93592.html
> Forward HTTPS proxy with digest_pw_auth for example.
>
> But I am getting the same error clientNegotiateSSL: Error negotiating
> SSL connection on FD 6: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request (1/-1) if I try to open a
> website (http or https) with proxy enabled in the browser settings: protocol
> https, server proxy-squid.com, port 3129,
> test:test (user/password)
Hm. This means you are trying to put HTTP requests over an HTTPS port. You
need different Squid ports for HTTP and HTTPS. I'm afraid you cannot
pass both protocols over one port.

>
> If I understood correctly from our communication it's not possible to
> configure squid like it is described above. Or ther
>
> browser(proxy settings: protocol - https, server - proxy-squid.com,
> port - 3129, test:test (user/password))
> <--> Squid Server (https_port 3129 with certificate) Destination
>
> Description of the connection flow:
> 1. a client sets the proxy settings of his browser: https,
> server:port, user:password
> 2. the client's credentials are verified by the squid server, the browser
> asks the proxy to establish a virtual tunnel between itself and the remote server
> 3. when the client enters https://example.com or http://example.com the
> browser sends encrypted data through the squid proxy
>
> Anton
>
>
> 2015-02-03 23:45 GMT+03:00 Eliezer Croitoru <elie...@ngtech.co.il>:
>
> Hey Anton,
>
> If you use https_port with an ssl certificate it will be for one of
> two options:
> - interception of ssl traffic
> - reverse proxy with ssl
>
> For both cases the connection between the server and the client in
> the end will be encrypted while none of them is in a forward proxy mode
> and therefore will not provide and cannot provide what you need\want.
>
> Eliezer
>
>
> On 03/02/2015 22:41, Anton Radkevich wrote:
>
> Hey Eliezer,
>
> Thank you for your explanation, just want to clarify.
>
> Does it mean that if I configure squid to listen on https_port on
> port 3129
> with an ssl certificate, the connection from a client to the squid server
> by port 3129
> will NOT be encrypted?
>
> Anton
>
>



Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Guys,

I just need an HTTPS proxy that can handle both http and https connections
for authorised clients only. I tried to configure something like what is
described here
http://www.mail-archive.com/squid-users@squid-cache.org/msg93592.html
Forward HTTPS proxy with digest_pw_auth for example.

But I am getting the same error clientNegotiateSSL: Error negotiating SSL
connection on FD 6: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http
request (1/-1) if I try to open a website (http or https) with proxy
enabled in the browser settings: protocol https, server proxy-squid.com, port
3129, test:test (user/password)

If I understood correctly from our communication it's not possible to
configure squid like it is described above. Or ther

browser(proxy settings: protocol - https, server - proxy-squid.com, port
- 3129, test:test (user/password)) <--> Squid Server (https_port 3129
with certificate) Destination

Description of the connection flow:
1. a client sets the proxy settings of his browser: https, server:port,
user:password
2. the client's credentials are verified by the squid server, the browser asks
the proxy to establish a virtual tunnel between itself and the remote server
3. when the client enters https://example.com or http://example.com the
browser sends encrypted data through the squid proxy

Anton


2015-02-03 23:45 GMT+03:00 Eliezer Croitoru:

> Hey Anton,
>
> If you use https_port with an ssl certificate it will be for one of two
> options:
> - interception of ssl traffic
> - reverse proxy with ssl
>
> For both cases the connection between the server and the client in the end
> will be encrypted while none of them is in a forward proxy mode and
> therefore will not provide and cannot provide what you need\want.
>
> Eliezer
>
>
> On 03/02/2015 22:41, Anton Radkevich wrote:
>
>> Hey Eliezer,
>>
>> Thank you for your explanation, just want to clarify.
>>
>> Does it mean that if I configure squid to listen on https_port on port 3129
>> with an ssl certificate, the connection from a client to the squid server
>> by port 3129
>> will NOT be encrypted?
>>
>> Anton
>>
>
>
>

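The `SSL23_GET_CLIENT_HELLO:http request` error Anton reports is raised by OpenSSL when the first bytes on a TLS listener spell an HTTP request line rather than a TLS record header; it is the signature of a browser speaking plaintext to an https_port. This added Python example, not code from the thread or from Squid, performs that same first-bytes check so the two cases can be told apart before any TLS library sees the data. The sample byte strings are constructed.

```python
"""Added example (not from the thread): tell a TLS ClientHello apart from a
plaintext HTTP request by inspecting the first bytes on the socket.

A TLS record starts with content type 0x16 (handshake), a legacy version
0x03 0x0N, a 16-bit length, and then a handshake message of type 0x01
(ClientHello).  A plaintext HTTP request starts with a method token, which is
what OpenSSL reports as 'http request' on a TLS listener.
"""
import socket

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
CONNECT = b"CONNECT "


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'http-connect' or 'unknown' for the start of a stream."""
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if data.startswith(CONNECT):
        return "http-connect"      # plaintext proxy tunnel request on a TLS port
    if data.startswith(HTTP_METHODS):
        return "http"              # what OpenSSL reports as 'http request'
    return "unknown"


def peek_and_classify(conn: socket.socket, nbytes: int = 8) -> str:
    """Classify a live connection without consuming its bytes (MSG_PEEK)."""
    return classify_first_bytes(conn.recv(nbytes, socket.MSG_PEEK))


# Constructed samples: the first bytes of a TLS 1.2 ClientHello record, the
# plaintext request a browser sends to a proxy it believes speaks plain HTTP,
# the plaintext CONNECT such a browser sends for an https:// site, and noise.
SAMPLES = {
    "tls ClientHello":   bytes.fromhex("1603010200010001fc0303"),
    "plaintext GET":     b"GET http://example.com/ HTTP/1.1\r\n",
    "plaintext CONNECT": b"CONNECT example.com:443 HTTP/1.1\r\n",
    "garbage":           b"\x00\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name:18s} -> {classify_first_bytes(first_bytes)}")
```

A listener that wanted to serve both protocols on one port would have to peek like this and dispatch before handing the socket to the TLS library; Squid's https_port simply expects TLS, which is why Yuri's advice is to use separate ports for HTTP and HTTPS clients. When reading this error in cache.log the distinction matters: "http request" means a plaintext GET or POST arrived, while a plaintext CONNECT to the same port is reported by OpenSSL with a different reason string ("https proxy request").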

Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

Sure. :)

This way:

http://yvoinov.blogspot.com/2014/08/squid-tor-privoxy-transparent-dns.html
http://yvoinov.blogspot.com/2014/08/squid-tor-privoxy-transparent-dns_19.html

:)

On 04.02.2015 2:44, Anton Radkevich writes:
>
> Yuri,
>
> Can you please share any configuration examples? ;)
>
> On 3 Feb 2015 at 23:27, "Yuri Voinov" <yvoi...@gmail.com> wrote:
>
>
> Eliezer,
>
> Squid can be cascaded with Privoxy+Tor. :)
>
> And then - we can route users into it using ACL's ;)
>
> Yep, not Squid itself. But with external services. ;)
>
> On 04.02.2015 2:23, Eliezer Croitoru writes:
> > On 03/02/2015 17:14, Anton Radkevich wrote:
> >> so just to be clear the connection flow will look like:
> >>
> >> browser  Server 
Destination
> >>
> >> where  is probably some form of HTTPS connection for
> >> support with the browser PAC
>
> > Hey Anton,
>
> > Squid does not support SOCKS connections or any other form of encryption.
> > The known options to encrypt the connection between the client and the
> > server are:
> > - ssl vpn tunnel
> > - ssh vpn tunnel
> > - some other weird and special ways
>
> > Since I am not familiar with all authentication methods I cannot answer.
> > On the other hand squid offers a couple of ways to authenticate and I am
> > sure that the choice between MD5 or some other SHA algorithm is not important
> > if you are encrypting the connection between the server and the client
> > using a tunnel.
> > If you wish to use some higher security levels you can use client side
> > certificates and pin IP addresses to the certificates.
>
> > All The Bests,
> > Eliezer
>



Re: [squid-users] Alert unknown CA

2015-02-03 Thread Yuri Voinov


On 04.02.2015 2:39, Eliezer Croitoru writes:
> Hey Yuri,
>
> From what I remember, before squid passes data into ssl_crtd it can debug
> the certificates of the requested sites.
> If you record\log them you can run a script through them and find
> the culprit pretty fast (relatively).
>
> What debug sections have you tried using to debug it?
> Since squid uses openssl libs it probably does not know about the CA
> and therefore not much detail about it.
OpenSSL knows about CAs, with the capath= option in https_port. It uses it
to verify the connection from the cache to the server.
>
> I would say that the URL is not important in the case of an intercept
> proxy.
It is important to localize the CA problem. When I can see the problem URL I
can look at this and find which CA was used.
> In the case it's a regular forward proxy with ssl_bump you can run through the 
> list of CONNECT
> requests which were logged before the decryption of the tunnel.
I use an interception proxy. BTW, with over 100 requests per second and
correlation analysis of two logs? access.log and cache.log? Bad idea, I
think.
>
> What squid.conf rules are you using?
>
> I noticed you assume that squid passes the URL to ssl_crtd and it's not
> how it works.
This does not matter. I only want to find an easy way to catch problem SSL
connections through Squid.

>
> All The Bests,
> Eliezer
>
> On 03/02/2015 16:26, Yuri Voinov wrote:
>> Hi gents,
>>
>> I think, will be good to add advanced debug options to ssl_crtd to avoid
>> this:
>>
>> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca (1/0)
>>
>> Now we have no one tools to diagnose the situations above. Excluding own
>> eyes and brains. And - telepathy.
>
>


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Eliezer Croitoru

Hey Anton,

If you use https_port with an ssl certificate it will be for one of two 
options:

- interception of ssl traffic
- reverse proxy with ssl

For both cases the connection between the server and the client in the 
end will be encrypted while none of them is in a forward proxy mode and 
therefore will not provide and cannot provide what you need\want.


Eliezer

On 03/02/2015 22:41, Anton Radkevich wrote:

Hey Eliezer,

Thank you for your explanation, just want to clarify.

Does it mean that if I configure squid to listen on https_port on port 3129
with an ssl certificate, the connection from a client to the squid server by
port 3129 will NOT be encrypted?

Anton





Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Yuri,

Can you please share any configuration examples? ;)
On 3 Feb 2015 at 23:27, "Yuri Voinov" wrote:

>
>
> Eliezer,
>
> Squid can be cascaded with Privoxy+Tor. :)
>
> And then - we can route users into it using ACL's ;)
>
> Yep, not Squid itself. But with external services. ;)
>
> On 04.02.2015 2:23, Eliezer Croitoru writes:
> > On 03/02/2015 17:14, Anton Radkevich wrote:
> >> so just to be clear the connection flow will look like:
> >>
> >> browser  Server  Destination
> >>
> >> where  is probably some form of HTTPS connection for
> >> support with the browser PAC
> >
> > Hey Anton,
> >
> > Squid does not support SOCKS connections or any other form of encryption.
> > The known options to encrypt the connection between the client and the
> > server are:
> > - ssl vpn tunnel
> > - ssh vpn tunnel
> > - some other weird and special ways
> >
> > Since I am not familiar with all authentication methods I cannot answer.
> > On the other hand squid offers a couple of ways to authenticate and I am
> > sure that the choice between MD5 or some other SHA algorithm is not important
> > if you are encrypting the connection between the server and the client
> > using a tunnel.
> > If you wish to use some higher security levels you can use client side
> > certificates and pin IP addresses to the certificates.
> >
> > All The Bests,
> > Eliezer
> >


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

No. It will be encrypted in both directions.

On 04.02.2015 2:41, Anton Radkevich writes:
>
> Hey Eliezer,
>
> Thank you for your explanation, just want to clarify.
>
> Does it mean that if I configure squid to listen on https_port on port
> 3129 with an ssl certificate, the connection from a client to the squid
> server by port 3129 will NOT be encrypted?
>
> Anton
>
> On 3 Feb 2015 at 23:23, "Eliezer Croitoru" <elie...@ngtech.co.il> wrote:
>
> On 03/02/2015 17:14, Anton Radkevich wrote:
>
> so just to be clear the connection flow will look like:
>
> browser  Server 
Destination
>
> where  is probably some form of HTTPS
connection for
> support with the browser PAC
>
>
> Hey Anton,
>
> Squid does not support SOCKS connections or any other form of encryption.
> The known options to encrypt the connection between the client and
> the server are:
> - ssl vpn tunnel
> - ssh vpn tunnel
> - some other weird and special ways
>
> Since I am not familiar with all authentication methods I cannot
> answer.
> On the other hand squid offers a couple of ways to authenticate and I
> am sure that the choice between MD5 or some other SHA algorithm is not
> important if you are encrypting the connection between the server and
> the client using a tunnel.
> If you wish to use some higher security levels you can use client
> side certificates and pin IP addresses to the certificates.
>
> All The Bests,
> Eliezer
>


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Hey Eliezer,

Thank you for your explanation, just want to clarify.

Does it mean that if I configure squid to listen on https_port on port 3129
with an ssl certificate, the connection from a client to the squid server by
port 3129 will NOT be encrypted?

Anton
On 3 Feb 2015 at 23:23, "Eliezer Croitoru" wrote:

> On 03/02/2015 17:14, Anton Radkevich wrote:
>
>> so just to be clear the connection flow will look like:
>>
>> browser  Server  Destination
>>
>> where  is probably some form of HTTPS connection for
>> support with the browser PAC
>>
>
> Hey Anton,
>
> Squid does not support SOCKS connections or any other form of encryption.
> The known options to encrypt the connection between the client and the
> server are:
> - ssl vpn tunnel
> - ssh vpn tunnel
> - some other weird and special ways
>
> Since I am not familiar with all authentication methods I cannot answer.
> On the other hand squid offers a couple of ways to authenticate and I am sure
> that the choice between MD5 or some other SHA algorithm is not important if you
> are encrypting the connection between the server and the client using a
> tunnel.
> If you wish to use some higher security levels you can use client side
> certificates and pin IP addresses to the certificates.
>
> All The Bests,
> Eliezer
>


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Eliezer Croitoru

Hey Yuri,

From what I remember, before squid passes data into ssl_crtd it can debug 
the certificates of the requested sites.
If you record\log them you can run a script through them and find the 
culprit pretty fast (relatively).


What debug sections have you tried using to debug it?
Since squid uses openssl libs it probably does not know about the CA and 
therefore not much detail about it.


I would say that the URL is not important in the case of an intercept proxy.
In the case it's a regular forward proxy with ssl_bump you can run through 
the list of CONNECT requests which were logged before the decryption of the 
tunnel.


What squid.conf rules are you using?

I noticed you assume that squid passes the URL to ssl_crtd and it's not how 
it works.


All The Bests,
Eliezer

On 03/02/2015 16:26, Yuri Voinov wrote:

Hi gents,

I think, will be good to add advanced debug options to ssl_crtd to avoid
this:

2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)

Now we have no one tools to diagnose the situations above. Excluding own
eyes and brains. And - telepathy.




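Yuri's log line comes from clientNegotiateSSL, Squid's client-facing handshake, so the "alert unknown ca" is sent by the client: the browser or application did not recognise the issuer of the certificate Squid presented to it. cache.log records only a file descriptor, which is why Yuri asks how to find the URL at 100 requests per second. The script below is an added example, not code from the thread or from Squid; it automates the correlation Eliezer suggests, ranking the CONNECT destinations recorded in access.log around each failure by how many distinct failures they accompany. Both log excerpts are constructed; only the line formats are Squid's native ones.

```python
"""Added example (not from the thread): correlate 'alert unknown ca'
handshake failures in cache.log with the CONNECT requests recorded in
access.log for the same seconds, to find which destinations keep producing
the error.

cache.log names only a file descriptor, so the script counts which CONNECT
destinations co-occur with the failures: a host seen next to every failure
is the likely culprit, one seen next to a single failure is background
traffic.  Both log excerpts are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Tuple

CACHE_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| clientNegotiateSSL: "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): (?P<err>.*)$"
)
# Squid native access.log: "<epoch> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
ACCESS_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+CONNECT\s+(?P<dest>\S+)"
)


def parse_cache_log(lines: List[str], needle: str = "alert unknown ca") -> List[datetime]:
    """Timestamps of client-side handshake failures whose error text contains `needle`."""
    hits = []
    for line in lines:
        m = CACHE_LOG_RE.match(line)
        if m and needle in m.group("err"):
            hits.append(datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"))
    return hits


def parse_access_log(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """(time, client, destination) for every CONNECT request in the access log."""
    out = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m:
            out.append((datetime.fromtimestamp(float(m.group("ts"))),
                        m.group("client"), m.group("dest")))
    return out


def rank_suspects(failures: List[datetime], connects: List[Tuple[datetime, str, str]],
                  window: timedelta = timedelta(seconds=2)) -> List[Tuple[str, int]]:
    """For each failure collect the destinations seen within +/- window, then
    count in how many distinct failures each destination appears."""
    seen_per_failure: Counter = Counter()
    for failed_at in failures:
        nearby = {dest for (t, _client, dest) in connects if abs(t - failed_at) <= window}
        seen_per_failure.update(nearby)
    return seen_per_failure.most_common()


# --- constructed sample data (local-time epochs so both logs agree) ----------
def _epoch(h: int, m: int, s: int) -> str:
    """Epoch string for 2015-02-03 HH:MM:SS local time, matching cache.log."""
    return f"{datetime(2015, 2, 3, h, m, s).timestamp():.3f}"

CACHE_LOG = [
    f"2015/02/03 20:21:{s:02d} kid1| clientNegotiateSSL: Error negotiating SSL connection "
    f"on FD {fd}: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)"
    for s, fd in ((37, 28), (52, 31), (58, 19))
]
ACCESS_LOG = [
    f"{_epoch(20, 21, 36)}    412 10.0.0.11 TCP_MISS/200 0 CONNECT updates.example.test:443 - HIER_DIRECT/203.0.113.7 -",
    f"{_epoch(20, 21, 36)}     88 10.0.0.12 TCP_MISS/200 0 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.8 -",
    f"{_epoch(20, 21, 45)}    120 10.0.0.13 TCP_MISS/200 0 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.9 -",
    f"{_epoch(20, 21, 51)}    390 10.0.0.11 TCP_MISS/200 0 CONNECT updates.example.test:443 - HIER_DIRECT/203.0.113.7 -",
    f"{_epoch(20, 21, 57)}    401 10.0.0.14 TCP_MISS/200 0 CONNECT updates.example.test:443 - HIER_DIRECT/203.0.113.7 -",
    f"{_epoch(20, 21, 57)}     75 10.0.0.12 TCP_MISS/200 0 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.8 -",
]

if __name__ == "__main__":
    for dest, hits in rank_suspects(parse_cache_log(CACHE_LOG), parse_access_log(ACCESS_LOG)):
        print(f"{hits} of {len(CACHE_LOG)} failures near CONNECT {dest}")
```

On real logs, feed it the lines of the same period from both files: a destination that shows up next to nearly every failure is the one to look at, and the usual remedies are distributing the proxy's signing CA to the affected clients or excluding (splicing) destinations whose clients pin their certificates.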

Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

Eliezer,

Squid can be cascaded with Privoxy+Tor. :)

And then - we can route users into it using ACL's ;)

Yep, not Squid itself. But with external services. ;)

On 04.02.2015 2:23, Eliezer Croitoru writes:
> On 03/02/2015 17:14, Anton Radkevich wrote:
>> so just to be clear the connection flow will look like:
>>
>> browser  Server  Destination
>>
>> where  is probably some form of HTTPS connection for
>> support with the browser PAC
>
> Hey Anton,
>
> Squid does not support SOCKS connections or any other form of encryption.
> The known options to encrypt the connection between the client and the
> server are:
> - ssl vpn tunnel
> - ssh vpn tunnel
> - some other weird and special ways
>
> Since I am not familiar with all authentication methods I cannot answer.
> On the other hand squid offers a couple of ways to authenticate and I am
> sure that the choice between MD5 or some other SHA algorithm is not important
> if you are encrypting the connection between the server and the client
> using a tunnel.
> If you wish to use some higher security levels you can use client side
> certificates and pin IP addresses to the certificates.
>
> All The Bests,
> Eliezer
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users




Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Eliezer Croitoru

On 03/02/2015 17:14, Anton Radkevich wrote:

so just to be clear the connection flow will look like:

browser  Server  Destination

where  is probably some form of HTTPS connection for
support with the browser PAC


Hey Anton,

Squid does not support SOCKS connections or any other form of encryption.
The known options to encrypt the connection between the client and the 
server are:

- ssl vpn tunnel
- ssh vpn tunnel
- some other weird and special ways

Since I am not familiar with all authentication methods I cannot answer.
On the other hand Squid offers a couple of ways to authenticate, and I am sure 
that the choice between md5 or another sha algorithm is not important if 
you are encrypting the connection between the server and the client 
using a tunnel.
If you wish to use higher security levels you can use client-side 
certificates and pin IP addresses to the certificates.


All The Bests,
Eliezer

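Added example (not from this thread or the Squid project): one way to answer Anton's sha256/512 question on the proxy side. Squid's basic scheme hands the username and password to an external helper over stdin/stdout, so the stored-hash algorithm is whatever the helper implements, not md5 by necessity. The script below is a minimal basic-auth helper that keeps PBKDF2-HMAC-SHA256 records and answers with `OK` or `ERR`. The password-file format, the paths and the squid.conf lines in its docstring are my own choices (the `https_port` line assumes a Squid built with OpenSSL support), as is the assumption that Squid URL-encodes the two fields; decoding is harmless if a given version sends them raw. As Eliezer says, the credential itself still travels base64-encoded in `Proxy-Authorization`, so it is only as protected as the TLS link between browser and proxy.

```python
#!/usr/bin/env python3
"""Minimal Squid basic-auth helper storing PBKDF2-HMAC-SHA256 password hashes.

Added example, not Squid project code. Assumptions:
  - Squid writes one "username password" line per request on stdin and
    expects "OK" or "ERR" per line on stdout (basic helper protocol; run it
    without concurrency=N so no channel-ID prefix is present);
  - the two fields arrive URL-encoded, so they are unquoted here (harmless
    if a given Squid version sends them raw);
  - the password-file format and the paths below are my own choices:
        user:pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>

Wiring in squid.conf (paths assumed; https_port needs a Squid built with
OpenSSL support and is what makes the browser-to-proxy leg encrypted):
    https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key
    auth_param basic program /usr/lib/squid/pbkdf2_helper.py /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Corporate proxy
    auth_param basic credentialsttl 2 hours
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    http_access deny all
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iterations)
    except ValueError:
        return False          # a malformed record never authenticates
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def load_passwd(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'user:record' lines; blank lines and '#' comments are ignored."""
    db: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, record = line.split(":", 1)
        db[user] = record
    return db


def handle_line(line: str, db: Dict[str, str]) -> str:
    """Answer one helper request line with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return 'ERR message="malformed request"'
    user, password = unquote(parts[0]), unquote(parts[1])
    record = db.get(user)
    # Unknown user and wrong password get the same answer (no user enumeration
    # via the reply text).
    if record is None or not verify_password(password, record):
        return "ERR"
    return "OK"


# Constructed sample password file (not real credentials): alice / "correct horse".
# A fixed salt and low iteration count keep the sample deterministic and fast;
# real records use hash_password() defaults (random salt, 200k iterations).
SAMPLE_PASSWD = [
    "# user:record",
    "alice:" + hash_password("correct horse", salt=bytes(16), iterations=1000),
]


def main() -> None:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            db = load_passwd(fh)
    else:
        db = load_passwd(SAMPLE_PASSWD)
    for line in sys.stdin:                      # Squid sends one request per line
        sys.stdout.write(handle_line(line, db) + "\n")
        sys.stdout.flush()                      # without flush Squid waits forever


if __name__ == "__main__":
    main()
```

To try it by hand: `printf 'alice correct%%20horse\nalice nope\n' | ./pbkdf2_helper.py` prints `OK` then `ERR`. Generate real records with `hash_password()` in a one-off script, never by hand; the iteration count is stored in the record, so it can be raised later without invalidating old entries.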


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Yuri,

I'd like to allow or deny access for a client before establishing an
encrypted channel to the proxy server, using an authentication method of the
Squid proxy.
Can I set up any authentication method for an HTTPS forward proxy? If yes, is
it possible to use more secure hash algorithms than old md5?

Thanks,
Anton
On 03 Feb 2015 at 23:12, "Yuri Voinov" wrote:

>
> As a forward HTTPS proxy you need no tricks. Just pre-route HTTPS traffic
> to Squid and permit the CONNECT method on port 443; Squid forwards HTTPS
> connections by design.
>
> I do not understand what authentication does here. This is another
> problem that is not related to proxying HTTPS.
>
> On 04.02.2015 2:06, Anton Radkevich wrote:
> >
> > Thanks for quick reply,
> > We don't need ssl bumping, or isn't it possible to configure it another
> way, without using ssl bumping?
> >
> > What's about authentication using modern hash algorithms sha256/512?
> >
> > Anton
> >
> > On 03 Feb 2015 at 22:58, "Yuri Voinov" wrote:
> >
> >
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >
> > On 04.02.2015 1:03, Anton Radkevich wrote:
> >
> > > Hi everyone,
> >
> > > Could you please help me with configuring Squid3 as a forward HTTPS
> proxy?
> >
> > > Is it possible to configure it in such way?
> >
> > > What we do need is a fully encrypted HTTPS forward proxy that can
> handle HTTP or HTTPS connections AND uses authentication.
> >
> > > so just to be clear the connection flow will look like:
> >
> > > browser  Server 
> Destination
> >
> > > where  is probably some form of HTTPS connection for
> support with the browser PAC
> >
> > > Also, for client auth, can we use more "modern" hashing algorithms
> like sha256/512? md5 is old and collision prone at this point.
> >
> > > Thank you in advance!
> >


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

http://wiki.squid-cache.org/Features/Authentication
http://wiki.squid-cache.org/ConfigExamples#Authentication

This one?

On 04.02.2015 2:06, Anton Radkevich wrote:
>
> Thanks for quick reply,
> We don't need ssl bumping, or isn't it possible to configure it
another way, without using ssl bumping?
>
> What's about authentication using modern hash algorithms sha256/512?
>
> Anton
>
> On 03 Feb 2015 at 22:58, "Yuri Voinov" <yvoi...@gmail.com> wrote:
>
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> On 04.02.2015 1:03, Anton Radkevich wrote:
>
> > Hi everyone,
>
> > Could you please help me with configuring Squid3 as a forward HTTPS
proxy?
>
> > Is it possible to configure it in such way?
>
> > What we do need is a fully encrypted HTTPS forward proxy that can
handle HTTP or HTTPS connections AND uses authentication.
>
> > so just to be clear the connection flow will look like:
>
> > browser  Server  Destination
>
> > where  is probably some form of HTTPS connection
for support with the browser PAC
>
> > Also, for client auth, can we use more "modern" hashing algorithms
like sha256/512? md5 is old and collision prone at this point.
>
> > Thank you in advance!


Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Eliezer Croitoru

On 03/02/2015 16:56, Omid Kosari wrote:

Squidbox1: Average HTTP requests per minute since start:16000
Squidbox2: Average HTTP requests per minute since start:11000

About 300Mbit of bandwidth (Only http bandwidth which routed to squid boxes)

What is the hardware specs of these squid boxes? CPU? RAM?

Eliezer



Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

As a forward HTTPS proxy you need no tricks. Just pre-route HTTPS
traffic to Squid and permit the CONNECT method on port 443; Squid forwards
HTTPS connections by design.

I do not understand what authentication does here. This is another
problem that is not related to proxying HTTPS.

On 04.02.2015 2:06, Anton Radkevich wrote:
>
> Thanks for quick reply,
> We don't need ssl bumping, or isn't it possible to configure it
another way, without using ssl bumping?
>
> What's about authentication using modern hash algorithms sha256/512?
>
> Anton
>
> On 03 Feb 2015 at 22:58, "Yuri Voinov" <yvoi...@gmail.com> wrote:
>
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> On 04.02.2015 1:03, Anton Radkevich wrote:
>
> > Hi everyone,
>
> > Could you please help me with configuring Squid3 as a forward HTTPS
proxy?
>
> > Is it possible to configure it in such way?
>
> > What we do need is a fully encrypted HTTPS forward proxy that can
handle HTTP or HTTPS connections AND uses authentication.
>
> > so just to be clear the connection flow will look like:
>
> > browser  Server  Destination
>
> > where  is probably some form of HTTPS connection
for support with the browser PAC
>
> > Also, for client auth, can we use more "modern" hashing algorithms
like sha256/512? md5 is old and collision prone at this point.
>
> > Thank you in advance!


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Thanks for quick reply,
We don't need ssl bumping, or isn't it possible to configure it another
way, without using ssl bumping?

What's about authentication using modern hash algorithms sha256/512?

Anton
On 03 Feb 2015 at 22:58, "Yuri Voinov" wrote:

>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> On 04.02.2015 1:03, Anton Radkevich wrote:
> >
> > Hi everyone,
> >
> > Could you please help me with configuring Squid3 as a forward HTTPS
> proxy?
> >
> > Is it possible to configure it in such way?
> >
> > What we do need is a fully encrypted HTTPS forward proxy that can handle
> HTTP or HTTPS connections AND uses authentication.
> >
> > so just to be clear the connection flow will look like:
> >
> > browser  Server  Destination
> >
> > where  is probably some form of HTTPS connection for
> support with the browser PAC
> >
> > Also, for client auth, can we use more "modern" hashing algorithms like
> sha256/512? md5 is old and collision prone at this point.
> >
> > Thank you in advance!


Re: [squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Yuri Voinov

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

On 04.02.2015 1:03, Anton Radkevich wrote:
>
> Hi everyone,
>
> Could you please help me with configuring Squid3 as a forward HTTPS proxy?
>
> Is it possible to configure it in such way?
>
> What we do need is a fully encrypted HTTPS forward proxy that can
handle HTTP or HTTPS connections AND uses authentication.
>
> so just to be clear the connection flow will look like:
>
> browser  Server  Destination
>
> where  is probably some form of HTTPS connection for
support with the browser PAC
>
> Also, for client auth, can we use more "modern" hashing algorithms
like sha256/512? md5 is old and collision prone at this point.
>
> Thank you in advance!


[squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

2015-02-03 Thread Anton Radkevich
Hi everyone,

Could you please help me with configuring Squid3 as a forward HTTPS proxy?

Is it possible to configure it in such way?

What we do need is a fully encrypted HTTPS forward proxy that can handle
HTTP or HTTPS connections AND uses authentication.

so just to be clear the connection flow will look like:

browser  Server  Destination

where  is probably some form of HTTPS connection for
support with the browser PAC

Also, for client auth, can we use more "modern" hashing algorithms like
sha256/512? md5 is old and collision prone at this point.

Thank you in advance!


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Yuri Voinov

Now I have:

root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
210

root and intermediate CAs. Most known ones I could find.

Note: all of them were found in different places, in addition to
Mozilla's bundle shipped with OpenSSL.

How can I find which one is absent?

And how to maintain this heap? In practice? Manually with the openssl CLI?
OK, but how to identify the problem URL when Squid's load is over 100 requests
per second?

On 04.02.2015 0:31, Amos Jeffries wrote:
> On 4/02/2015 3:26 a.m., Yuri Voinov wrote: Hi gents,
>>
>> I think it would be good to add advanced debug options to ssl_crtd to avoid
>> this:
>>
>> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca (1/0)
>>
>> Now we have no tools to diagnose the situations above, excluding our own
>> eyes and brains. And telepathy.
>>
>> Amos,
>>
>> is it possible to get more informative diagnostics? URL will be enough.
>
> I don't think we can without re-writing OpenSSL library operations
> directly in Squid.
>
> Amos


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Yuri Voinov

What about linking OpenSSL libraries into Squid? Like eCAP?

Or how else to trace openssl calls?

AFAIK, the URL is passed to SSL_CRTD, which then returns with a result, right?

Why can't we catch errors and log them with the URL?

These unrecoverable errors make correct bumping much more difficult.

On 04.02.2015 0:31, Amos Jeffries wrote:
> On 4/02/2015 3:26 a.m., Yuri Voinov wrote: Hi gents,
>>
>> I think it would be good to add advanced debug options to ssl_crtd to avoid
>> this:
>>
>> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca (1/0)
>>
>> Now we have no tools to diagnose the situations above, excluding our own
>> eyes and brains. And telepathy.
>>
>> Amos,
>>
>> is it possible to get more informative diagnostics? URL will be enough.
>
> I don't think we can without re-writing OpenSSL library operations
> directly in Squid.
>
> Amos


Re: [squid-users] Alert unknown CA

2015-02-03 Thread Amos Jeffries
On 4/02/2015 3:26 a.m., Yuri Voinov wrote: Hi gents,
> 
> I think it would be good to add advanced debug options to ssl_crtd to avoid
> this:
> 
> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca (1/0)
> 
> Now we have no tools to diagnose the situations above, excluding our own
> eyes and brains. And telepathy.
> 
> Amos,
> 
> is it possible to get more informative diagnostics? URL will be enough.

I don't think we can without re-writing OpenSSL library operations
directly in Squid.

Amos



Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Marcus Kool



On 02/03/2015 12:56 PM, Omid Kosari wrote:

Squidbox1: Average HTTP requests per minute since start:16000
Squidbox2: Average HTTP requests per minute since start:11000


16000 requests/min = 266 requests/sec.
With a well-tuned Squid system I estimate that the disk I/O is less than 2000 
IOPS, and current SSDs should be able to cope with that. So speed should not be 
an issue.

Why do you want to extend? Is it only to extend the disk cache capacity?

What are the specs of the current SSDs?
Is it worthwhile to replace them with new SSDs with higher performance/capacity?


About 300Mbit of bandwidth (Only http bandwidth which routed to squid boxes)

Right now the squid boxes have 4 250GB SSDs and there are no more free SATA slots
on them. I want to use SAN/NAS to extend their capacity.

No, I don't have a free NAS/SAN, but somebody has a 2-bay model of the following
model and offered it to me at half price
http://www.seagate.com/files/www-content/support-content/external-products/blackarmor-nas/_shared/docs/business-nas-guides/Seagate_NAS_Admin_Guide_EN.pdf


The PDF points to a Windows-only NAS!


and found a review. I am not sure it is for the same model
http://www.storagereview.com/seagate_business_storage_windows_server_4bay_nas_review

Is it useful for my purpose? Or please provide the general specs that I should
be aware of before buying.


Marcus




Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Omid Kosari
Squidbox1: Average HTTP requests per minute since start:16000
Squidbox2: Average HTTP requests per minute since start:11000

About 300Mbit of bandwidth (Only http bandwidth which routed to squid boxes)

Right now the squid boxes have 4 250GB SSDs and there are no more free SATA slots
on them. I want to use SAN/NAS to extend their capacity.

No, I don't have a free NAS/SAN, but somebody has a 2-bay model of the following
model and offered it to me at half price
http://www.seagate.com/files/www-content/support-content/external-products/blackarmor-nas/_shared/docs/business-nas-guides/Seagate_NAS_Admin_Guide_EN.pdf

and found a review. I am not sure it is for the same model
http://www.storagereview.com/seagate_business_storage_windows_server_4bay_nas_review

Is it useful for my purpose? Or please provide the general specs that I should
be aware of before buying.






Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Eliezer Croitoru

Hey Omid,

I do not have benchmarks.

I was actually looking at GlusterFS and NFS in the past for a couple of purposes.
Gigabit and 10Gb have their differences.
The main big thing is that a simple SATA\SAS jack\connector\port 
supports up to 6Gb, and in most cases the machine will not utilize even 
1Gb per port\disk.


If you ask me for a comparison of iSCSI vs NFS vs GlusterFS, I 
would grade NFS as the best for lots of files, while GlusterFS is better 
for big files.
An iSCSI partition's benefits are VFS in-memory objects, which eventually 
reduce access time compared to GlusterFS and NFS.


I have tested GlusterFS as a backend for a hypervisor, and a local SSD 
drive was faster.


Do you have anything in mind, Omid? If you have a scenario in 
hand I would like to hear about it.


Eliezer

On 03/02/2015 14:45, Omid Kosari wrote:

@Eliezer, any benchmark?

This topic is very important for me.





[squid-users] Squidclamav - virus handling configuration.

2015-02-03 Thread Grzegorz Falkowski
Hello,
I configured C-ICAP with squidclamav on Ubuntu. The configuration works fine. Files 
are redirected to ClamAV. If a file is infected the user is redirected and the file is 
blocked. Squid is working as a reverse proxy. For the first step I only need 
information about infected files. Because of that I would like to configure it to 
redirect files but not block them. I can't find any solution in the documentation. 
Can anybody help?
Thank you in advance.
Best Regards


[squid-users] Alert unknown CA

2015-02-03 Thread Yuri Voinov

Hi gents,

I think it would be good to add advanced debug options to ssl_crtd to avoid
this:

2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)

Now we have no tools to diagnose the situations above, excluding our own
eyes and brains. And telepathy.

Amos,

is it possible to get more informative diagnostics? URL will be enough.

WBR, Yuri

PS. Now I've added over 50 root and intermediate CAs. Still without
completely avoiding these messages. They appear on sites I do not know and
cannot know.


Re: [squid-users] Webpages won't load or load slowly

2015-02-03 Thread Amos Jeffries
On 4/02/2015 2:01 a.m., Rich549 wrote:
> Eliezer Croitoru-2 wrote
>> Hey Rich,
>>
>> I am yet unsure about the issue you are having and even if squid 3.3.8 
>> is not the latest, most of these sites should work fine for you through
>> squid.
>> I believe that this is the place where we can take a look at the squid 
>> access.log output while surfing to understand the issue better.
>> If you are using IE\FF\Chrome you should have some profiling and network 
>> tools which can help understand the issue from the client side before 
>> running and looking for an issue in the middle.
>>
>> In IE and FF you can use the F12 button to open the tools toolbox and 
>> then go into network tab or icon.
>> You should then be able through this tool to see what happens with all the 
>> requests from the client side.
> 
> Hi,
> 
> Thanks for the suggestion, I've attached a couple of files showing the
> results of that.  I actually see a lot of DENIED errors for pretty much any
> websites using port 443 (SSL). 
> 
> twitter.png
> Twitter_accesslog.txt
> 

Looks like perfectly normal NTLM meets HTTPS traffic behaviour to me.


Browser connects to proxy, proxy replies with 407 listing available auth
schemes.

1422968109.560  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.560  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.561  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.570  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.570  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.579  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html

... taking less than 1ms in Squid.


Browser re-tries the request with stage-1 NTLM auth credentials selected;
proxy responds with the NTLM stage-2 challenge.

1422968109.661  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.667  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.679  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.694  0 172.31.21.3 TCP_DENIED/407 3722 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.701  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.706  0 172.31.21.3 TCP_DENIED/407 4106 CONNECT
abs.twimg.com:443 - HIER_NONE/- text/html

... taking less than 1ms in Squid.

Browser re-tries request with NTLM stage-3 auth credentials.

Proxy accepts connection, opens TCP tunnel to upstream server, starts
relaying bytes between client and server...

 NP: there is no timing info on that logged.


40sec later the server closes the connection (having delivered 0
bytes!). Proxy logs completion of the HTTPS stream.

1422968149.730  40156 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40157 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40149 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40056 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40022 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40026 172.31.21.3 TCP_MISS/200 0 CONNECT
abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -


3.3 may have been introducing a bug, but 3.5 has the fix for that. So
there is nothing wrong here with Squid. The problem is somewhere in the
browser and server interactions.

Amos


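Added example (not from the thread or the Squid project): the reading Amos does by eye above can be scripted. The block below parses native-format access.log lines, groups CONNECT traffic by client and target, counts the 407 challenge round-trips (normal for NTLM/Negotiate) and flags tunnels that stayed open a long time yet relayed 0 bytes, which points at the browser/server side rather than at Squid. The sample log is constructed to mirror the lines quoted above, with one healthy tunnel and one plain GET added; the 10-second threshold and the www.example.com entries are my own choices.

```python
#!/usr/bin/env python3
"""Spot auth-handshake churn and empty CONNECT tunnels in a Squid access.log.

Added example; not Squid project code. Assumes the default "squid" native log
format: time elapsed client code/status bytes method url user hier/peer type.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str        # e.g. TCP_DENIED
    status: int      # e.g. 407
    size: int        # bytes sent to the client
    method: str
    url: str
    user: str
    hier: str        # e.g. HIER_DIRECT/199.96.57.7


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not fit."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        code, status = f[3].split("/", 1)
        return Entry(float(f[0]), int(f[1]), f[2], code, int(status),
                     int(f[4]), f[5], f[6], f[7], f[8])
    except ValueError:
        return None


def analyse(lines: Iterable[str], empty_tunnel_ms: int = 10_000) -> Dict[Tuple[str, str], dict]:
    """Group CONNECT traffic per (client, target).

    Returns {(client, url): {"challenges": n, "tunnels": n, "empty_tunnels": [...]}}
    where empty_tunnels lists (elapsed_ms, user, hier) for tunnels that carried
    0 bytes yet stayed open at least empty_tunnel_ms.
    """
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"challenges": 0, "tunnels": 0, "empty_tunnels": []})
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "CONNECT":
            continue
        key = (e.client, e.url)
        if e.status == 407:
            stats[key]["challenges"] += 1        # proxy auth challenge round-trip
        elif e.status == 200:
            stats[key]["tunnels"] += 1
            if e.size == 0 and e.elapsed_ms >= empty_tunnel_ms:
                stats[key]["empty_tunnels"].append((e.elapsed_ms, e.user, e.hier))
    return dict(stats)


def report(stats: Dict[Tuple[str, str], dict]) -> List[str]:
    """One summary line per (client, target), sorted for stable output."""
    out = []
    for (client, url), s in sorted(stats.items()):
        line = (f"{client} -> {url}: {s['challenges']} x 407 challenges, "
                f"{s['tunnels']} tunnels")
        if s["empty_tunnels"]:
            worst = max(ms for ms, _, _ in s["empty_tunnels"])
            line += (f", {len(s['empty_tunnels'])} returned 0 bytes "
                     f"(longest {worst / 1000:.1f}s); look at server/browser, not Squid")
        out.append(line)
    return out


# Constructed sample mirroring the lines quoted in the thread, plus one healthy
# tunnel and one plain GET (the example.com entries are invented).
SAMPLE_LOG = """\
1422968109.560      0 172.31.21.3 TCP_DENIED/407 3722 CONNECT abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.570      0 172.31.21.3 TCP_DENIED/407 4106 CONNECT abs.twimg.com:443 - HIER_NONE/- text/html
1422968109.661      0 172.31.21.3 TCP_DENIED/407 3722 CONNECT abs.twimg.com:443 - HIER_NONE/- text/html
1422968149.730  40156 172.31.21.3 TCP_MISS/200 0 CONNECT abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968149.731  40157 172.31.21.3 TCP_MISS/200 0 CONNECT abs.twimg.com:443 aspleyri HIER_DIRECT/199.96.57.7 -
1422968150.100    312 172.31.21.3 TCP_MISS/200 18234 CONNECT www.example.com:443 aspleyri HIER_DIRECT/93.184.216.34 -
1422968150.200     12 172.31.21.3 TCP_MISS/200 512 GET http://www.example.com/ aspleyri HIER_DIRECT/93.184.216.34 text/html
""".splitlines()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rows = report(analyse(fh))
    else:
        rows = report(analyse(SAMPLE_LOG))
    print("\n".join(rows))
```

Run it as `./connect_audit.py /var/log/squid/access.log`; with no argument it reports on the built-in sample. A high challenge count with healthy tunnels is just NTLM doing its three-leg dance per connection; the line to chase is the one with long-lived zero-byte tunnels, exactly the pattern Amos identifies above.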


Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Marcus Kool

Hi Omid,

The I/O requirements can be estimated well if you tell more about the
environment.  If you know the number of requests/second that Squid processes
you can add a percentage to increase performance and calculate the desired
I/Os per second (IOPS).
When you have the desired IOPS, you can calculate if 1 gbit is enough.

NFS has relatively much overhead, so I recommend a NAS with iSCSI or a SAN.

What kind of SAN/NAS did you have in mind ?

Do you already have a SAN or NAS ?

Marcus



On 02/03/2015 10:45 AM, Omid Kosari wrote:

How we can test this ?
What protocol suggested for Squid ? NFS, iSCSI,... ?

Apart from bandwidth, is there any important difference between 1Gbit
ethernet and 10G ? Do you suggest me to buy 1Gbit storage and monitor it or
you think the money will be wasted ?

Any news about this REALLY interesting thread ?

@Eliezer , Any benchmark ?

This topic is very important for me .










Re: [squid-users] Webpages won't load or load slowly

2015-02-03 Thread Rich549
Correction to example URL, http://www.ubuntugreek.com/ should be
http://www.ubuntugeek.com/.





Re: [squid-users] Webpages won't load or load slowly

2015-02-03 Thread Rich549
Eliezer Croitoru-2 wrote
> Hey Rich,
> 
> I am yet unsure about the issue you are having and even if squid 3.3.8 
> is not the latest, most of these sites should work fine for you through
> squid.
> I believe that this is the place where we can take a look at the squid 
> access.log output while surfing to understand the issue better.
> If you are using IE\FF\Chrome you should have some profiling and network 
> tools which can help understand the issue from the client side before 
> running and looking for an issue in the middle.
> 
> In IE and FF you can use the F12 button to open the tools toolbox and 
> then go into network tab or icon.
> You should then be able through this tool to see what happens with all the 
> requests from the client side.

Hi,

Thanks for the suggestion, I've attached a couple of files showing the
results of that.  I actually see a lot of DENIED errors for pretty much any
websites using port 443 (SSL). 

twitter.png
Twitter_accesslog.txt



Eliezer Croitoru-2 wrote
> If you have specific public urls you are trying to access I can try to 
> look at them and assess the basic available options.

The URLs are as follows : www.twitter.com, www.experts-exchange.com,
www.ubuntugreek.com, www.stackoverflow.com and www.reddit.com.


Eliezer Croitoru-2 wrote
> If you can first try to enable the dns_v4_first option in your 
> squid.conf it would be my first try.
> http://www.squid-cache.org/Doc/config/dns_v4_first/
> 
> Add "dns_v4_first on" to squid.conf.

Just added that to my config, hasn't made a difference.  I think I may have
tried this already, along with statically setting Google DNS servers.

Thanks,

Rich



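The DENIED entries Rich sees for port 443 sites are the kind of thing that is quickest to confirm from access.log itself rather than from the browser. The script below is an added example (not code from the thread or from the Squid project) that parses Squid's native access.log format and tallies, per HTTP method and destination port, how many requests were denied versus served; when every CONNECT to :443 is TCP_DENIED while plain GETs to port 80 succeed, the cause is almost always an http_access rule that rejects CONNECT before the allow rule is reached (the stock squid.conf carries `http_access deny CONNECT !SSL_ports`, so a missing or misordered `SSL_ports` ACL produces exactly this symptom). The log lines embedded in the script are constructed samples, not Rich's attachment.

```python
"""Triage helper for Squid native access.log: which (method, port) pairs are denied.

Native Squid log line layout:
  timestamp elapsed client action/status bytes method URL user hierarchy/peer type
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample excerpt (assumption: same layout as a default Squid access.log).
SAMPLE_LOG = """\
1422971234.101    0 192.168.1.10 TCP_DENIED/403 3967 CONNECT twitter.com:443 - HIER_NONE/- text/html
1422971234.220    0 192.168.1.10 TCP_DENIED/403 3967 CONNECT www.twitter.com:443 - HIER_NONE/- text/html
1422971235.005  312 192.168.1.10 TCP_MISS/200 15234 GET http://www.ubuntugeek.com/ - HIER_DIRECT/1.2.3.4 text/html
1422971236.410    0 192.168.1.10 TCP_DENIED/403 3967 CONNECT stackoverflow.com:443 - HIER_NONE/- text/html
1422971237.300   88 192.168.1.11 TCP_MISS/200 9021 GET http://www.reddit.com/ - HIER_DIRECT/5.6.7.8 text/html
1422971238.000    0 192.168.1.11 TCP_DENIED/403 3967 CONNECT example.org:8443 - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def dest_port(method, url):
    """CONNECT requests log host:port; every other method logs a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return int(port) if host and port.isdigit() else None
    parts = urlsplit(url)
    if parts.port:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = dest_port(rec["method"], rec["url"])
    return rec


def summarize(log_text):
    """Count total and denied requests keyed by (method, destination port)."""
    denied, total = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or foreign lines rather than abort the triage
        key = (rec["method"], rec["port"])
        total[key] += 1
        # TCP_DENIED and TCP_DENIED_REPLY both mean an http_access rule rejected it
        if rec["action"].startswith("TCP_DENIED"):
            denied[key] += 1
    return {"denied": denied, "total": total}


def fully_denied(log_text):
    """(method, port) pairs for which every logged request was denied."""
    s = summarize(log_text)
    return sorted(k for k, n in s["total"].items() if s["denied"][k] == n)


def connect_443_denied_ratio(log_text):
    """Fraction of CONNECT :443 requests that were denied; 1.0 points at the ACL order."""
    s = summarize(log_text)
    key = ("CONNECT", 443)
    return s["denied"][key] / s["total"][key] if s["total"][key] else 0.0


if __name__ == "__main__":
    print("fully denied:", fully_denied(SAMPLE_LOG))
    print("CONNECT :443 denied ratio:", connect_443_denied_ratio(SAMPLE_LOG))
```

Feed it the real log with `summarize(open("/var/log/squid/access.log").read())`; if `fully_denied` lists `("CONNECT", 443)`, check the `http_access` ordering and the `SSL_ports` ACL in squid.conf before looking at DNS settings such as dns_v4_first, which cannot produce a 403.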


Re: [squid-users] Hypothetically comparing SATA\SAS to NAS\SAN for squid.

2015-02-03 Thread Omid Kosari
How can we test this?
What protocol is suggested for Squid? NFS, iSCSI, ...?

Apart from bandwidth, is there any important difference between 1Gbit
ethernet and 10G? Do you suggest I buy 1Gbit storage and monitor it, or do
you think the money will be wasted?

Any news about this REALLY interesting thread?

@Eliezer, any benchmark?

This topic is very important for me.








Re: [squid-users] Webpages won't load or load slowly

2015-02-03 Thread Eliezer Croitoru

Hey Rich,

I am yet unsure about the issue you are having and even if squid 3.3.8 
is not the latest most of these sites should work fine for you through squid.
I believe that this is the place where we can take a look at the squid 
access.log output while surfing to understand the issue better.
If you are using IE\FF\Chrome you should have some profiling and network 
tools which can help understand the issue from the client side before 
running and looking for an issue in the middle.


In IE and FF you can use the F12 button to open the tools toolbox and 
then go into network tab or icon.
You should then be able, through this tool, to see what happens with all the 
requests from the client side.


If you have specific public urls you are trying to access I can try to 
look at them and assess the basic available options.


If you can first try to enable the dns_v4_first option in your 
squid.conf it would be my first try.

http://www.squid-cache.org/Doc/config/dns_v4_first/

Add "dns_v4_first on" to squid.conf.

Eliezer

On 03/02/2015 13:38, Rich549 wrote:
> Except, I still have exactly the same issue of certain pages not loading.
> Have I done this the wrong way? Should I have removed the old install of
> Squid before compiling and installing the new one?






Re: [squid-users] Webpages won't load or load slowly

2015-02-03 Thread Rich549
Ok, so I grabbed Squid 3.5.1, compiled it in Ubuntu, set all of the paths for
./configure so that the new files would overwrite the old, and renamed
/usr/sbin/squid to /usr/sbin/squid3 so that the service didn't need to be
altered. After a service restart and a -k reconfigure, everything in Squid is
working ok.

Except, I still have exactly the same issue of certain pages not loading. 
Have I done this the wrong way? Should I have removed the old install of
Squid before compiling and installing the new one?


