Re: [squid-users] 3.5.4 Can't access Google or Yahoo SSL, pages

2015-05-10 Thread Amos Jeffries
Some good news on this front. We've managed to find the bit missing from
the r13811 patch.

3.5.4 should work with
.

There is already another important SSL related fix, so using the r13825
or later snapshot (out in a few hrs) may be better than just patching.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Yuri Voinov

Amos,

Independent proxies are also supported by Cisco WCCP. For redundancy it can
group any number of transparent proxies.

WBR, Yuri

10.05.15 12:57, Amos Jeffries wrote:
> On 10/05/2015 6:31 p.m., Ibrahim Lubis wrote:
>> Hi,
>>
>> Most of all know about tiered network
>> topology (access, aggregation/dist, core) from core then to firewall and then
>> to router. For redundancy usually there are 2 core and 2 firewall. I was
>> thinking of adding a transparent caching layer between core and firewall, just
>> adding a squid box. Is it okay to just add 2 independent squid boxes or do I need
>> some sync between squid boxes? What if I add not 2 but 6 and do
>> active-active on both core n firewall? Can anybody give me insight? Btw my
>> objective is to save some bandwidth from user for internet access.
>
> Go with independent Squid boxes until you are happy that they are
> operating properly and you know what's going on. Number of Squid does not
> matter much, so long as they each can handle the traffic load you put
> through. If you are new to this start with just one and put only a small
> amount of the traffic through, then increase gradually until you need 2,
> and so on.
>
> Sync'ing between the Squid caches, and interception proxying can each
> have unwanted side effects. It's best to deal with those separately to
> avoid confusion and troubles.
>
>
> "active-active on both core n firewall" does not matter. You MUST NOT
> perform destination-NAT (or TPROXY) on any machine other than the Squid
> box receiving the TCP connection from client(s). The firewalls and core
> only perform *routing* (perhaps over a tunnel) to get the TCP packets
> to the right Squid box. This has the nice side effect of greatly
> reducing the amount of data the firewalls need to sync.
>
>
> Hints for beginners:
>
>  Caching can make some traffic appear slower - all MISS and some REFRESH
> transactions. There is extra packet processing done by the proxy and
> latency getting the packets around. This is the tradeoff for bandwidth
> saving. Super-fast HITs and traffic optimization can make up for that,
> but not always.
>
> Amos

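The rule quoted in this message (no destination-NAT or TPROXY on any machine other than the Squid box receiving the client connection) can be checked against firewall rule dumps. The Python below is an added example, not part of the original thread or of Squid: it parses constructed `iptables-save` excerpts and reports DNAT, REDIRECT or TPROXY rules found on hosts that are not Squid boxes. Host names, addresses, ports and the choice of iptables are assumptions.

```python
import re

# Targets that rewrite or capture the packet destination (destination-NAT or TPROXY).
INTERCEPT_TARGETS = {"DNAT", "REDIRECT", "TPROXY"}

# Constructed iptables-save excerpts, one per host (hypothetical names and addresses).
SAMPLE_DUMPS = {
    "fw1": "*mangle\n"
           "-A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2\n"
           "COMMIT\n"
           "*nat\n"
           "-A POSTROUTING -o eth0 -j MASQUERADE\n"
           "COMMIT\n",
    "fw2": "*nat\n"
           "-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129\n"
           "COMMIT\n",
    "squid1": "*nat\n"
              "-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129\n"
              "COMMIT\n",
    "squid2": "*mangle\n"
              "-A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1\n"
              "COMMIT\n",
}


def intercept_rules(dump):
    """Yield (table, target, rule) for every rule whose target is in INTERCEPT_TARGETS."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A "):      # appended rule
            m = re.search(r"\s-j\s+(\S+)", line)
            if m and m.group(1) in INTERCEPT_TARGETS:
                yield table, m.group(1), line


def audit(dumps, squid_hosts):
    """Return (host, table, target, rule) for interception rules found off the Squid boxes."""
    findings = []
    for host in sorted(dumps):
        if host in squid_hosts:
            continue                      # interception belongs on these hosts
        for table, target, rule in intercept_rules(dumps[host]):
            findings.append((host, table, target, rule))
    return findings


if __name__ == "__main__":
    for host, table, target, rule in audit(SAMPLE_DUMPS, {"squid1", "squid2"}):
        print(f"{host}: {target} in table {table} should move to a Squid box: {rule}")
```

Source NAT (MASQUERADE) and the MARK rule used for policy routing on `fw1` are not reported, since only the destination rewrite is restricted to the Squid box.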


Re: [squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Ibrahim Lubis
Thx all for the info


Re: [squid-users] Client IP spoofing via squid proxy

2015-05-10 Thread Ambadas Hibare
Hi Amos,

But in my requirement, the clients are configured with Squid IP & Port. Is 
there any possible way/approach by which I can make "Squid IP" hide towards web 
server?

Sorry for the typo, I meant Squid IP.

Regards,
Ambadas


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: 08 May 2015 21:32
To: Ambadas Hibare; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Client IP spoofing via squid proxy

On 9/05/2015 1:56 a.m., Ambadas Hibare wrote:
> Hi Amos,
> 
> It's happening as you said:
> 
> the packets doing this:
>  client -> Squid -SYN-> server
>  client <-ACK-- server
>  client -RST-> Squid 
> 
> There's a firewall in between squid & web server which is directly sending 
> SYN-ACK to client instead of squid.
> 
> But in my requirement, the clients are configured with IP & Port. Is there 
> any possible way/approach by which I can make client IP hide towards web 
> server?
> 
> Any help appreciated


With Squid-3.4 or later:
 

set it to "deny all"

Amos
