Re: [squid-users] Squid cache youtube and other websites

2015-05-25 Thread dan
Firstly, I think the biggest roadblocks you’re going to hit with caching
YouTube are:

1) It’s all encrypted now (thanks Google). Squid can’t cache what it can’t see
inside an SSL tunnel.

2) They have a pretty intense CDN which you’ll need a StoreID helper to deal
with.

There are people on this list that know way more about it than me though, so
I’ll let them explain how they do it.

On Mon, May 25, 2015 at 4:48 PM, Reet Vyas reet.vya...@gmail.com wrote:

 Hi,
 I want to use Squid to cache YouTube videos. Ours is a media agency and we
 are facing a lot of bandwidth issues, so I came up with the solution of
 caching YouTube.
 I want to know a few things, as I am new to Squid and networking.
 I have a TP-Link router, 8 broadband connections and two leased line
 connections, so I can't make Squid the router. I want to set up Squid in
 such a way that I use only my router IP as the gateway and all requests
 coming on port 80 go through Squid.
 Is this possible? I am just assuming it can be done using iptables, but
 only if the Squid server is the router, and I don't want to use Squid as
 the router because of so many ISP lines.
 Can you please suggest how to achieve this?
 Please give some ideas to implement this.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid cache youtube and other websites

2015-05-25 Thread Reet Vyas
Hi,

I want to use Squid to cache YouTube videos. Ours is a media agency and we
are facing a lot of bandwidth issues, so I came up with the solution of
caching YouTube.

I want to know a few things, as I am new to Squid and networking.

I have a TP-Link router, 8 broadband connections and two leased line
connections, so I can't make Squid the router. I want to set up Squid in
such a way that I use only my router IP as the gateway and all requests
coming on port 80 go through Squid.

Is this possible? I am just assuming it can be done using iptables, but
only if the Squid server is the router, and I don't want to use Squid as
the router because of so many ISP lines.

Can you please suggest how to achieve this?

Please give some ideas to implement this.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Alternative ways of tracking users on unauthenticated proxy

2015-05-25 Thread Mr J Potter
Hi all,

I'm setting up a system for using iPads in our school, and I'm stuck a bit
on tracking what the students are doing on them.

First up, I really don't want a pop-up login box from a 407 response from a
proxy server, so I'm looking for some other way to track who is doing what.

What I have set up so far is PacketFence with an SSL-bump transparent proxy
(I've put the CAs on all the iPads), which works well in that users have to
log in before they get internet access. This works (they get a web page,
log in and get 50 minutes of internet before it disconnects them), but the
only way I have of tracking users is by working out who was on each iPad
(from PacketFence) then matching it against Squid logs, which is messy.

One plan I had would be to add/remove entries in DNS or hosts for users,
e.g. IP address 10.2.3.4 - hostname fbloggs (the user's login code), so
usernames would show up in the client hostname field, but Squid caches
these I think. Another option would be via iptables somehow.

Can anyone suggest any other possible workarounds for this?

thanks,

Jim Potter
Network Manager
Oasis Brislington (formerly Brislington Enterprise College)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid cache youtube and other websites

2015-05-25 Thread Reet Vyas
Hi

Thanks, Dan, for the info. I searched Google for LUSCA and the scripts
available, but I don't think it is working now.



On Mon, May 25, 2015 at 12:21 PM, d...@getbusi.com wrote:

 Firstly, I think the biggest roadblocks you’re going to hit with caching
 YouTube are:

 1) It’s all encrypted now (thanks Google). Squid can’t cache what it can’t
 see inside an SSL tunnel.

 2) They have a pretty intense CDN which you’ll need a StoreID helper to
 deal with.

 There are people on this list that know way more about it than me though,
 so I’ll let them explain how they do it.




 On Mon, May 25, 2015 at 4:48 PM, Reet Vyas reet.vya...@gmail.com wrote:

 Hi,

 I want to use Squid to cache YouTube videos. Ours is a media agency and we
 are facing a lot of bandwidth issues, so I came up with the solution of
 caching YouTube.

 I want to know a few things, as I am new to Squid and networking.

 I have a TP-Link router, 8 broadband connections and two leased line
 connections, so I can't make Squid the router. I want to set up Squid in
 such a way that I use only my router IP as the gateway and all requests
 coming on port 80 go through Squid.

 Is this possible? I am just assuming it can be done using iptables, but
 only if the Squid server is the router, and I don't want to use Squid as
 the router because of so many ISP lines.

 Can you please suggest how to achieve this?

 Please give some ideas to implement this.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid Ldap problem

2015-05-25 Thread Amos Jeffries
On 24/05/2015 10:19 p.m., snakeeyes wrote:
 Hi, I have Squid 3.5 with LDAP on a Linux server (OpenLDAP).

 echo user1 123456 | /lib/squid/basic_ldap_auth -P -R -b dc=abc,dc=com
 -D cn=ldapadmin,dc=abc,dc=com -w 123456 -f sAMAccountName=%s -h
 192.168.100.1

 basic_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

What that says is that the -D ldapadmin account could not log in to LDAP
to do anything.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Alternative ways of tracking users on unauthenticated proxy

2015-05-25 Thread James Harper
 
 Hi all,
 
 I'm setting up a system for using iPads in our school, and I'm stuck a bit on
 tracking what the students are doing on them.
 
 First up, I really don't want a pop-up login box from a 407 response from a
 proxy server, so I'm looking for some other way to track who is doing what.
 
 What I have set up so far is PacketFence with an SSL-bump transparent proxy
 (I've put the CAs on all the iPads), which works well in that users have to log
 in before they get internet access. This works (they get a web page, log in and
 get 50 minutes of internet before it disconnects them), but the only way I
 have of tracking users is by working out who was on each iPad (from
 PacketFence) then matching it against Squid logs, which is messy.
 
 

Does packetfence provide a way to query the user that belongs to an IP address?

If so, it might be possible to write a helper that squid can call to obtain the 
username. And if PacketFence is popular (I'd never heard of it, but that 
doesn't mean anything), then someone else might have already written one.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
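As an added example of the helper James suggests (this is not from the thread, from PacketFence or from Squid's own code): a Squid external_acl_type helper in Python that maps the client IP to a login and hands it back in the user= tag, so the session owner appears in access.log without any 407 challenge. The IP-to-login table is constructed, and the squid.conf lines in the docstring and the helper path are assumptions; a real helper would query PacketFence at the marked point.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: maps the client IP to a username.

Assumed squid.conf lines (not from the thread):
  external_acl_type pf_user ttl=60 concurrency=10 %SRC /usr/local/bin/pf_user_helper.py
  acl pf_known external pf_user
  http_access allow pf_known
"""
import sys

# Constructed sample of a PacketFence-style IP -> login table.  A real helper
# would query PacketFence's database or API here (hypothetical lookup).
SAMPLE_SESSIONS = {
    "10.2.3.4": "fbloggs",
    "10.2.3.5": "jsmith",
}


def lookup_user(ip, sessions=SAMPLE_SESSIONS):
    """Return the login that currently owns an IP, or None if no session is active."""
    return sessions.get(ip)


def handle_line(line, sessions=SAMPLE_SESSIONS):
    """Build the helper reply for one request line from Squid.

    With concurrency=N Squid prefixes each request with a channel ID that must
    be echoed back; without it the line is just the %SRC field.  Only %SRC is
    configured above, so a two-field line means "channel ip".
    """
    fields = line.strip().split()
    if not fields:
        return "BH message=empty_request"        # BH = helper-side failure
    channel = None
    if len(fields) == 2:
        channel, ip = fields
    else:
        ip = fields[0]
    user = lookup_user(ip, sessions)
    if user is None:
        reply = "ERR"                            # unknown IP: ACL does not match
    else:
        reply = "OK user=%s" % user              # user= becomes %un in access.log
    return reply if channel is None else "%s %s" % (channel, reply)


def main():
    # Line-at-a-time loop; flush after each reply or Squid waits forever.
    while True:
        line = sys.stdin.readline()
        if not line:
            break
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```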


Re: [squid-users] Ssl-bump deep dive (properly creating certs)

2015-05-25 Thread Amos Jeffries
On 25/05/2015 8:48 a.m., Jason Haar wrote:
 On 25/05/15 04:25, James Lay wrote:
 My first question is about properly creating the certs.  Looking at:

 http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

 this mentions using crtd, but as I understand it, crtd isn't supported
 when using transparent proxies.  So, with no crtd, as I understand it
 this is what I'll need:

 
 I don't know where you got that from, but that's not true. I think you
 are confusing the issue that when squid is used as a transparent HTTPS
 proxy, it lacks the easy hostname details that a formal (ie
 non-transparent) proxy has. ie when a browser asks for a secure website
 via a formal proxy, it sends
 
 CONNECT github.com:443 HTTP/1.1
 
 So squid knows *in advance* the server is called github.com. So it
 connects to github.com, downloads the public key and then uses crtd to
 create a clone of it - identical except that it's signed by your
 self-created Squid CA instead of Verisign/whatever
 
 Compare that with transparent proxy mode, where all that squid knows is
 that a browser has had its outbound tcp port 443 traffic to
 192.30.252.128 redirected onto it, so it doesn't know that is
 github.com. If you are using squid-3.4 or less, that's all there is to
 it - there's no way to figure out the cert name in a guaranteed fashion
 (there are hacks, but my own experience is that they can only work up to
 95% of the time - and break for some of the largest sites). With
 squid-3.5 there is peek - which means squid can let the initial few
 packets through (ie act like splice)

I don't think that is right.

AFAIK, peek at step-1 lets the first few client packets buffer up inside
Squid instead of leaving them in the TCP buffers. That way it can
literally *peek* at the buffer contents to find the SNI without having
consumed them.


 - which is enough to see the
 client send the SNI request to the https server and get the reply.

That would be step-2.

Squid can selectively drain the buffered clientHello details toward the
server (peek @ step-2). Or Squid can send its own ClientHello faked
details (stare @ step 1 or 2) and repeat the peek process for the
serverHello packets.


 So
 peek allows squid to learn about the true server name of the https
 server.

This word "true" keeps getting thrown about in regards to the server
name. It's just *a* name the client is aware of - one of many the server
has usually.


 At that point *I think* squid creates a forged cert, then
 creates a new connection to the server, then links together the existing
 client tcp channel with the new proxy-server tcp channel and carries on
 intercepting (I think that's the outcome - there would have to be some
 extra smoke-n-mirrors in there to make that happen)

AFAIK, the original server connection is still being used. This is
stage-3. Squid should only have sent enough details to either splice
(original clients details) or bump (Squid faked details).

 
 In pseudo-code, it looks like this
 
 if http_port and CONNECT (.*) HTTP then sni_name=$1
 else if https_port and peek then sni_name=find_sni($ipaddress)
 else if https_port then sni_name=$ipaddress
 
 
 When all is said and done, transparent HTTPS intercept is the very last
 thing you should be working on. You need to gets squid working 100% as a
 formal proxy - and only then start looking at making that work in
 transparent mode. And you *definitely* want ssl_crtd.
 


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
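An added example, not from the thread and not Squid's own code, of what Amos describes for peek at step-1: looking into the buffered client bytes for the SNI without consuming them, and reporting when the buffer does not yet hold the whole ClientHello. The ClientHello is constructed inline with a fixed random and one cipher suite, so it is not real browser output.

```python
import struct

def build_client_hello(server_name, with_sni=True):
    """Constructed minimal TLS 1.2 ClientHello (not real browser output)."""
    if with_sni:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name           # host_name entry
        ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
        exts = struct.pack("!H", len(ext)) + ext
    else:
        exts = b"\x00\x00"                                        # empty extensions
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32              # version, fixed random
            + b"\x00"                                             # empty session id
            + struct.pack("!HH", 2, 0xC02F)                       # one cipher suite
            + b"\x01\x00"                                         # null compression
            + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type 1, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs     # handshake record

def extract_sni(buf):
    """Inspect buffered client bytes without consuming them.

    Returns ("incomplete", None) while the record is not fully buffered,
    ("none", None) when the ClientHello carries no SNI, or ("ok", host).
    Raises ValueError when the bytes are not a ClientHello at all.
    """
    if len(buf) < 5:
        return ("incomplete", None)
    if buf[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:
        return ("incomplete", None)                   # peek again after more data
    hs = buf[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hs[1:4], "big") > len(hs) - 4:
        raise ValueError("ClientHello spans records; reassembly not handled here")
    try:
        p = 4 + 2 + 32                                # skip version and random
        p += 1 + hs[p]                                # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher suites
        p += 1 + hs[p]                                # compression methods
        if p + 2 > len(hs):
            return ("none", None)                     # no extensions block
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                       # server_name extension
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                    # host_name
                        return ("ok", hs[q:q + nlen].decode("ascii"))
                    q += nlen
                return ("none", None)
            p += elen
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return ("none", None)

if __name__ == "__main__":
    hello = build_client_hello("github.com")
    print(extract_sni(hello))        # ('ok', 'github.com')
    print(extract_sni(hello[:20]))   # ('incomplete', None)
```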


Re: [squid-users] [PATCH] SSL: Add support for EECDH and disable client-initiated renegotiation

2015-05-25 Thread Amos Jeffries
On 25/05/2015 11:30 p.m., Paulo Matias wrote:
 Hi,
 
 Sorry for getting this sent to squid-users instead of the adequate
 mailing list for patches (squid-dev). We have tried to send the
 patch to squid-dev without a subscription (as recommended in
 http://www.squid-cache.org/Support/mailing-lists.html#squid-dev),
 but perhaps the message did not get to the list administrator.
 

Could you subscribe then please and post it (or the updated version
after below). This has effects that I'd like our SSL devs to double check.


For my part on the audit:


* please separate into two patches - one for the renegotiation changes,
one for the EECDH.


* please avoid #ifdef and #ifndef in new code.
 - use #if defined() style instead.


Renegotiation:

* please wrap the entire ssl_info_cb() definition in the #if
conditionals and the appropriate calling lines.
 I know it's a bit messy, but increasingly the library builds are lacking
renegotiation support entirely so this means smaller/faster builds.


EECDH:

FYI: with the deprecation of SSLv3 I'm working now towards a cleanup of
the SSL options with removals where possible.


* the DH parameters I think would be better added as a new option
tls-dh=curve:/path/to/params where the 'curve' part is optional and
implies EC when present - non-EC when absent.


* SINGLE_ECDH_USE needs to be documented in release-4.sgml
 New <em>options=SINGLE_ECDH_USE</em> parameter to ...


* The ECDH changes affect both https_port and http_port. They need
separate listings for each under changed directives, duplicate text on
the line items is fine.


* please implement (duplicate) all this UI parse change using the
Security::PeerOptions object (src/security/PeerOptions.*)
 - the src/ssl/* code for UI parsing and config storage is 'legacy', only
used by the http(s)_port directives.
 - this may require some small changes suitable for use on client contexts
 - UI options added to Security::PeerOptions get documented in
release-4.sgml as changes for both cache_peer and tls_outgoing_options.
 - also in cf.data.pre for those directives


* configureSslEECDH() returns true in the event that the chosen
configuration options are not even available.
 - please make an #else condition that displays an ERROR message at
level DBG_CRITICAL about the option(s) not being available, then return
false.
 - variable 'ok' can then become const (define on assignment) and move
fully inside the #if case.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] [PATCH] SSL: Add support for EECDH and disable client-initiated renegotiation

2015-05-25 Thread Paulo Matias
Hi Amos,

On 25-05-2015 10:46, Amos Jeffries wrote:
 Could you subscribe then please and post it (or the updated version
 after below). This has effects that I'd like our SSL devs to double check.

Thank you for your thorough review. I will prepare the updated version
and post to the squid-dev mailing list as soon as it is ready.


Best regards,
Paulo Matias
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Ssl-bump deep dive (self-signed certs in chain)

2015-05-25 Thread Yuri Voinov

Hm. Interesting.

You want to say you use an ordinary server certificate, signed with an
external trusted CA?

And users can't see MiTM?

25.05.15 22:26, James Lay wrote:
 So following advice and instructions on this page:

 http://wiki.squid-cache.org/Features/DynamicSslCert

 I have set up my lab with explicit proxy by exporting http_proxy and
 https_proxy.  After creating the self-signed root CA certificate above
 and creating the .der file for the client, here are my results:

 From the squid side:
 2015/05/25 10:02:20.161| Using certificate
 in /opt/etc/squid/certs/SquidCA.pem
 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
 Certificate is self-signed, will not be chained
 I get the below when I don't specify a CA with curl, otherwise when I do
 I get no error:
 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

 And from the client side:
 root@kali:~/test# curl -v https://mail.slave-tothe-box.net
 * About to connect() to proxy 192.168.1.9 port 3129 (#0)
 *   Trying 192.168.1.9...
 * connected
 * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
 * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
 Host: mail.slave-tothe-box.net:443
 User-Agent: curl/7.26.0
 Proxy-Connection: Keep-Alive

 * Easy mode waiting response from proxy CONNECT
  HTTP/1.1 200 Connection established
 
 * Proxy replied OK to CONNECT request
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS alert, Server hello (2):
 * SSL certificate problem: self signed certificate in certificate chain
 * Closing connection #0

 And testing with specifying the .der file:
 root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
 https://mail.slave-tothe-box.net
 * About to connect() to proxy 192.168.1.9 port 3129 (#0)
 *   Trying 192.168.1.9...
 * connected
 * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
 * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
 Host: mail.slave-tothe-box.net:443
 User-Agent: curl/7.26.0
 Proxy-Connection: Keep-Alive

 * Easy mode waiting response from proxy CONNECT
  HTTP/1.1 200 Connection established
 
 * Proxy replied OK to CONNECT request
 * error setting certificate verify locations:
   CAfile: /etc/ssl/certs/SquidCA.der
   CApath: /etc/ssl/certs

 * Closing connection #0
 curl: (77) error setting certificate verify locations:
   CAfile: /etc/ssl/certs/SquidCA.der
   CApath: /etc/ssl/certs


 I can confirm that the server is using a bona-fide certificate issued
 from StartSSL and works, so at this point I'm open to suggestions.
 Thank you.

 James




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Ssl-bump deep dive (self-signed certs in chain)

2015-05-25 Thread James Lay
So following advice and instructions on this page:

http://wiki.squid-cache.org/Features/DynamicSslCert

I have set up my lab with explicit proxy by exporting http_proxy and
https_proxy.  After creating the self-signed root CA certificate above
and creating the .der file for the client, here are my results:

From the squid side:
2015/05/25 10:02:20.161| Using certificate
in /opt/etc/squid/certs/SquidCA.pem
2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
Certificate is self-signed, will not be chained
I get the below when I don't specify a CA with curl, otherwise when I do
I get no error:
2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

And from the client side:
root@kali:~/test# curl -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
 Host: mail.slave-tothe-box.net:443
 User-Agent: curl/7.26.0
 Proxy-Connection: Keep-Alive
 
* Easy mode waiting response from proxy CONNECT
 HTTP/1.1 200 Connection established
 
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection #0

And testing with specifying the .der file:
root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
 Host: mail.slave-tothe-box.net:443
 User-Agent: curl/7.26.0
 Proxy-Connection: Keep-Alive
 
* Easy mode waiting response from proxy CONNECT
 HTTP/1.1 200 Connection established
 
* Proxy replied OK to CONNECT request
* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs

* Closing connection #0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs


I can confirm that the server is using a bona-fide certificate issued
from StartSSL and works, so at this point I'm open to suggestions.
Thank you.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] (no subject)

2015-05-25 Thread S Sarath kumar
Hi, I have been using squid3 on Ubuntu 14.04.
I want to block streaming content in my LAN,
hence I have written an ACL like the one below.
This ACL is at the top,
but it still isn't blocking. Can anybody help me?


acl Streaming rep_mime_type video/x-flv

http_reply_access deny mynetwork  Streaming

Regards,
Sarath kumar S
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] (no subject)

2015-05-25 Thread Antony Stone
On Monday 25 May 2015 at 21:50:12 (EU time), S Sarath kumar wrote:

 Hi,
 
 below mentioned rules only applied
 
 acl Streaming rep_mime_type video/flv video/x-flv
 acl mynetwork src 10.108.20.0/24
 
 http_reply_access deny mynetwork  Streaming
 http_access allow mynetwork

1. Please reply to the list, not privately.

2. Are you saying that the above is your *entire* squid.conf?

If yes, you have more problems with it than you might realise.

If no, please do post the entire squid.conf, excluding blank lines and 
comments, and obscuring private information if appropriate (but be clear if 
you do this).


Regards,


Antony.

-- 
The lottery is a tax for people who can't do maths.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] (no subject)

2015-05-25 Thread Antony Stone
On Monday 25 May 2015 at 21:20:16 (EU time), S Sarath kumar wrote:

 Hi, I have been using squid3 on Ubuntu 14.04.
 I want to block streaming content in my LAN,
 hence I have written an ACL like the one below.
 This ACL is at the top.

Please post the entire squid.conf (excluding blank lines / comments).

That gives us a much better chance of answering your question.


Antony.

-- 
Most people have more than the average number of legs.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users