Re: [squid-users] Skype issue
Hey guys, here from Argentina, I am having the same issue. When Skype is trying to log in, this is what I've found at access.log:

1433357138.206 31 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.161:443 - NONE/- text/html
1433357139.216 30 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.148:443 - NONE/- text/html
1433357140.263 49 10.0.0.110 TCP_DENIED/403 3433 CONNECT 65.55.223.38:443 - NONE/- text/html
1433357141.267 9 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.175:443 - NONE/- text/html
1433357143.230 35 10.0.0.110 TCP_DENIED/403 3435 CONNECT 111.221.74.33:443 - NONE/- text/html
1433357144.243 38 10.0.0.110 TCP_DENIED/403 3439 CONNECT 213.199.179.140:443 - NONE/- text/html

I'm getting a 403 because squid is not receiving the user credentials (AD) and I can't find the problem. Any ideas?

Thank you all

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Skype-issue-tp4666074p4671511.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] when using a search box on een website my hole internet explorer freezes incuding earlier opend tabs
On 3/06/2015 10:38 p.m., Jeroen Ruijter wrote:
> Dear Amos,
>
> When we use this website www.rechtspraak.nl and enter a search term in the search box the internet explorer session freezes. We are unable to close a window with control + w or with the mouse pressing the cross at the corner. I cannot start a new tab, all I can do is start a new instance of internet explorer but the previous session stays open and can still not be closed.

Well, that sounds like your browser literally F**ing itself over.

There is nothing I'm aware of that Squid does that would cause that extreme result, if there was it qualifies as a remotely executable security vulnerability since any attacker web server could also do it.

> Only with powershell I can close internet explorer. We use squid with authentication against our active directory (LDAP) and I cannot find any leads in the access log file when it happens. Any ideas?

It's not Squid. The worst Squid can do is not respond, respond with wrong content, or with unexpected HTTP header set (that includes omitting application-expected ones). That is all perfectly normal error cases, no reason the browser should even blink.

Sometimes browser bugs or broken javascripts can cause blank pages or hanging tabs. But that is not Squid related, and nowhere near as extreme as the symptoms you are mentioning.

Amos
Re: [squid-users] TOS squid-3.5.0.4
Hi Amos, not really. After setting TOS config on Squid the idea is to allow the Mikrotik router to recognize marked packets (as on previous squid 3.1.x) and then mark cache content, so that it can later be picked by Mikrotik to deliver the already cached content to the user at full LAN speed, no queue on cache content.

/ip firewall mangle
add action=mark-connection chain=postrouting comment="==SQUID - TOS 12==" disabled=no dscp=12 \
    new-connection-mark=squid-connection passthrough=yes protocol=tcp src-address=192.168.10.2
add action=mark-packet chain=postrouting connection-mark=squid-connection disabled=\
    no new-packet-mark=squid-packs passthrough=yes

On 3/6/15 at 5:28, Amos Jeffries [via Squid Web Proxy Cache] wrote:
> On 1/06/2015 1:19 p.m., Marcel Fossua wrote:
>> No luck
>> Still not getting result at all
>> I think the issue could be with my Mikrotik box
>>
>> # Marking packets with DSCP (for Mikrotik 6.x) for cache hit content coming from SQUID Proxy
>> /ip firewall mangle
>> add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=squid-connection passthrough=no comment="==SQUID - TOS 12 =="
>>
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4671467/Captura_de_pantalla_2015-05-29_a_las_21.png
>
> Um. Do you mean you are going with having the router mark the packets instead of Squid?
>
> Amos

--
Marcel Fossua
Unix/Linux Network Administrator
Tel: 0240 99448
www.guineanet.net
www.familyfossua.com
Re: [squid-users] Transparent Squid Proxy Server
Hi,

Thanks for the reply. As of now we don't have a router; I have directly connected my machine to the internet and the other to the LAN, and I have configured a client machine (Ubuntu) to test squid, which is on the switch where other users are connected using the gateway of router 192.168.0.1.

I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, and the transparent and intercept options.

root@squid:/home/squid# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid# ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent? And iptables rules: I have tried these rules

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

but they are not working. Can you please tell me the firewall rules and let me know why my firewall rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:
> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>> On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>> I have this in my squid server for it to work:
>>
>> The key words there are ... *in my Squid server*
>
> indeed :)
>
>> NOTE to Klavs: loading the multiport kernel module seems overkill for a single-port match.
>
> it's puppets firewall module.. haven't had enough time to fix that module :)
>
>> FYI: DONT_VERIFY_PEER, always_direct allow all, and sslproxy_cert_error allow all have not been good ideas since 3.2. dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.
>
> Thank you for those tips.
>
> --
> Regards,
> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>
> Those who do not understand Unix are condemned to reinvent it, poorly.
> --Henry Spencer
Re: [squid-users] Transparent Squid Proxy Server
Your client needs to use your squid server as default gateway.

And then you need the iptables rules I wrote about to direct traffic into squid for certain ports.

Reet Vyas wrote on 06/03/2015 08:50 AM:
> Hi,
>
> Thanks for the reply. As of now we don't have a router; I have directly connected my machine to the internet and the other to the LAN, and I have configured a client machine (Ubuntu) to test squid, which is on the switch where other users are connected using the gateway of router 192.168.0.1.
>
> I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, and the transparent and intercept options.
>
> root@squid:/home/squid# ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
>     inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::21e:67ff:fecf:5974/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::21e:67ff:fecf:5975/64 scope link
>        valid_lft forever preferred_lft forever
>
> root@squid:/home/squid# ip -4 route show
> default via 116.72.152.1 dev eth0
> 116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200
>
> To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent? And iptables rules: I have tried these rules
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> but they are not working. Can you please tell me the firewall rules and let me know why my firewall rules are not working.
>
> On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:
>> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>>> On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>>> I have this in my squid server for it to work:
>>>
>>> The key words there are ... *in my Squid server*
>>
>> indeed :)
>>
>>> NOTE to Klavs: loading the multiport kernel module seems overkill for a single-port match.
>>
>> it's puppets firewall module.. haven't had enough time to fix that module :)
>>
>>> FYI: DONT_VERIFY_PEER, always_direct allow all, and sslproxy_cert_error allow all have not been good ideas since 3.2. dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.
>>
>> Thank you for those tips.

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

Those who do not understand Unix are condemned to reinvent it, poorly.
--Henry Spencer
Re: [squid-users] ssl_bump and SNI
Hello Nathan,

thank you for an example. What version of squid are you running? Mine is:

I've tried to apply the config you've posted, but with no luck. Squid can't get the domain:
Re: [squid-users] ssl_bump and SNI
On 4/06/2015 2:27 a.m., sp_ wrote:
> Hello Nathan,
>
> thank you for an example. What version of squid are you running? Mine is:
>
> I've tried to apply the config you've posted, but with no luck. Squid can't get the domain:

Well, it's not a simple situation. Let's start with clarifying some of the details...

SNI is a relatively new feature of TLS. There is no guarantee of a domain name actually existing in the bumped (step1) metadata. So, Squid may have to do a peek at step2 to get the server cert details before it has any clue about what domain *might* be.

Also that means the %ssl::sni helper format token depended on with the ACL helper approach will be - for these requests.

To resolve that use the new (in squid-3.5.4) ssl::server_name ACL instead. Which checks against the CONNECT hostname (if any) at step1+, SNI domain (if any) at step2+, and server cert domain at step3.

Amos
[squid-users] Fwd: TOS squid-3.5.0.4
Hi All,

let's see if some of you can help me troubleshoot the issue I have with squid-3.5.0.4 on CentOS 6.6 configured with tproxy. In fact the issue is related to QoS stuff; I just set things according to the manual:

qos_flows tos local-hit=0x30
qos_flows mark local-hit=0x30
qos_flows tos sibling-hit=0x31
qos_flows mark sibling-hit=0x31
qos_flows tos parent-hit=0x32
qos_flows mark parent-hit=0x32
qos_flows tos disable-preserve-miss

tcpdump output:

tcpdump -vni eth1 | grep 'tos 0x30'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
01:37:24.787867 IP (tos 0x30, ttl 64, id 38723, offset 0, flags [DF], proto TCP (6), length 534)
01:37:24.788003 IP (tos 0x30, ttl 64, id 38724, offset 0, flags [DF], proto TCP (6), length 2920)
01:37:24.788019 IP (tos 0x30, ttl 64, id 38726, offset 0, flags [DF], proto TCP (6), length 1256)
01:37:24.788141 IP (tos 0x30, ttl 64, id 38727, offset 0, flags [DF], proto TCP (6), length 2920)

but for sure it's not marking anything while sending traffic to my PPPoE BRAS (MK). Any trick to help me solve this will be highly appreciated.

Bests Rgds

--
Marcel Fossua
Unix/Linux Network Administrator
Re: [squid-users] when using a search box on een website my hole internet explorer freezes incuding earlier opend tabs
Hi all,

I am seeing the same in the IE and also in FF - but FF does not freeze everything - just this window. It may mean something is wrong with the site itself - of course IE is incorrect but nevertheless...

Raf

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of turgut kalfaoglu
Sent: Wednesday, June 3, 2015 3:52 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] when using a search box on een website my hole internet explorer freezes incuding earlier opend tabs

On 06/03/2015 02:23 PM, Amos Jeffries wrote:
> On 3/06/2015 10:38 p.m., Jeroen Ruijter wrote:
>> Dear Amos,
>>
>> When we use this website www.rechtspraak.nl and enter a search term in the search box the internet explorer session freezes. We are unable to close a window with control + w or with the mouse pressing the cross at the corner.

I believe that's the normal behavior for Internet Explorer..

-turgut
Re: [squid-users] Skype issue
On 4/06/2015 6:34 a.m., rocaembole wrote:
> Hey guys, here from Argentina, I am having the same issue. When Skype is trying to log in, this is what I've found at access.log:
>
> 1433357138.206 31 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.161:443 - NONE/- text/html
> 1433357139.216 30 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.148:443 - NONE/- text/html
> 1433357140.263 49 10.0.0.110 TCP_DENIED/403 3433 CONNECT 65.55.223.38:443 - NONE/- text/html
> 1433357141.267 9 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.175:443 - NONE/- text/html
> 1433357143.230 35 10.0.0.110 TCP_DENIED/403 3435 CONNECT 111.221.74.33:443 - NONE/- text/html
> 1433357144.243 38 10.0.0.110 TCP_DENIED/403 3439 CONNECT 213.199.179.140:443 - NONE/- text/html
>
> I'm getting a 403 because squid is not receiving the user credentials (AD) and I can't find the problem. Any ideas?

Squid should be emitting 407 Proxy Authentication Required if credentials were the problem. 403 Forbidden is absolute denial, with no automated recovery possible by the client.

Amos
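Added example (not part of the thread, and not Squid project code): a small triage script that applies the 403-versus-407 distinction above to native-format access.log lines, counting per client how many denials were authentication challenges and how many were final refusals, and how many refused CONNECTs targeted a raw IP. The 403 sample lines are taken from the quoted message; the 407 line, its client 10.0.0.111 and host proxy-test.example are constructed for contrast.

```python
import ipaddress
from collections import defaultdict

# Sample input: three 403 lines from the thread plus one constructed 407 line.
SAMPLE_LOG = """\
1433357138.206 31 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.161:443 - NONE/- text/html
1433357139.216 30 10.0.0.110 TCP_DENIED/403 3437 CONNECT 157.55.130.148:443 - NONE/- text/html
1433357140.263 49 10.0.0.110 TCP_DENIED/403 3433 CONNECT 65.55.223.38:443 - NONE/- text/html
1433357150.000 2 10.0.0.111 TCP_DENIED/407 4012 CONNECT proxy-test.example:443 - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into fields, or return None."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": parts[2], "result": result, "status": int(status),
            "method": parts[5], "url": parts[6],
            "user": None if parts[7] == "-" else parts[7]}

def is_ip_literal(connect_target):
    """True when a CONNECT target (host:port) uses a raw IP address as host."""
    host = connect_target.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(entry):
    """Map a log entry to the kind of denial it records."""
    if entry["result"] != "TCP_DENIED":
        return "not-denied"
    if entry["status"] == 407:
        return "auth-challenge"    # client is expected to retry with credentials
    if entry["status"] == 403:
        return "access-denied"     # final refusal, nothing for the client to retry
    return "other-denial"

def summarize(log_text):
    """Per client: counts of auth challenges, final denials, denied IP CONNECTs."""
    summary = defaultdict(lambda: {"auth-challenge": 0, "access-denied": 0,
                                   "denied_ip_connects": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind not in ("auth-challenge", "access-denied"):
            continue
        row = summary[entry["client"]]
        row[kind] += 1
        if (kind == "access-denied" and entry["method"] == "CONNECT"
                and is_ip_literal(entry["url"])):
            row["denied_ip_connects"] += 1
    return dict(summary)
```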
Re: [squid-users] worker per cache_dir
On 4/06/2015 5:18 a.m., Marcel Fossua wrote:
> Hi All,
>
> hope someone can give me a way to accomplish what I have in mind. I have 3.5.5 running with 9 workers active (the best numbers I get without errors), so I just set 1 worker per disk as in the schema below, but I have a JBOD with a lot of disks I would like to add in squid.conf. Obviously the idea of 1 worker per disk is no longer a good deal, so what is the best config to make, let's say, worker 1 deal with several caches (3 or 4 for the occurrence) so I could set 3 or 4 cache_dir per worker?
>
> Thanks

Sure, inside the worker if...endif block list the other cache_dir you want it to deal with. Each worker can have up to 63.

So long as the AUFS cache_dir are only used by one worker it will work fine. It is the other way around which is broken - multiple worker using one AUFS cache_dir.

Amos
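Added example (not part of the thread, and not Squid project code): a lint pass over squid.conf text that checks the two constraints stated in the reply above, namely that no AUFS cache_dir is opened by more than one worker and that no worker holds more than 63 cache_dir lines. It assumes only the simple `if ${process_number} = N` ... `endif` form used in this thread; the sample configuration, its paths and its sizes are constructed placeholders.

```python
import re
from collections import defaultdict

MAX_CACHE_DIRS_PER_WORKER = 63     # limit quoted in the reply above
IF_RE = re.compile(r"^if\s+\$\{process_number\}\s*=\s*(\d+)$")

# Constructed squid.conf fragment; paths and sizes are placeholders.
SAMPLE_CONF = """\
workers 3
cache_dir rock /cache1 100000 min-size=1 max-size=31000
if ${process_number} = 1
cache_dir aufs /cache2 100000 32 256 min-size=31001
cache_dir aufs /cache3 100000 32 256 min-size=31001
endif
if ${process_number} = 2
cache_dir aufs /cache4 100000 32 256 min-size=31001
cache_dir aufs /cache3 100000 32 256 min-size=31001   # also listed under worker 1
endif
cache_dir aufs /cache9 100000 32 256 min-size=31001   # outside any if-block
"""

def collect_cache_dirs(conf_text):
    """Return (workers, [(owner, store_type, path)]); owner None = all workers."""
    workers, owner, dirs = 1, None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = IF_RE.match(line)
        if match:
            owner = int(match.group(1))
        elif line == "endif":
            owner = None
        else:
            tok = line.split()
            if tok[0] == "workers" and len(tok) > 1 and tok[1].isdigit():
                workers = int(tok[1])
            elif tok[0] == "cache_dir" and len(tok) >= 3:
                dirs.append((owner, tok[1].lower(), tok[2]))
    return workers, dirs

def audit(conf_text):
    """Report AUFS paths opened by several workers and workers over the limit."""
    workers, dirs = collect_cache_dirs(conf_text)
    all_workers = set(range(1, workers + 1))
    users = defaultdict(set)          # aufs path -> workers that would open it
    per_worker = defaultdict(int)     # worker -> number of cache_dir lines it sees
    for owner, store, path in dirs:
        owners = all_workers if owner is None else {owner}
        for worker in owners:
            per_worker[worker] += 1
        if store == "aufs":           # rock is left out: the thread shares it
            users[path] |= owners
    shared = {p: sorted(ws) for p, ws in users.items() if len(ws) > 1}
    over = sorted(w for w, n in per_worker.items()
                  if n > MAX_CACHE_DIRS_PER_WORKER)
    return {"shared_aufs": shared, "over_limit": over}
```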
Re: [squid-users] 3.5.5 https problem
On 3/06/2015 5:06 p.m., Dmitry Melekhov wrote:
> Hello!
>
> Just tried to install 3.5.5 on production proxy, users complained about slow https connections, I see errors in cache.log like
>
> 2015/06/03 09:00:34 kid1| local=192.168.42.130:32922 remote=213.180.193.119:443 FD 964 flags=1: read/write failure: (32) Broken pipe
> 2015/06/03 09:00:46 kid1| local=192.168.42.130:52239 remote=178.154.131.216:443 FD flags=1: read/write failure: (32) Broken pipe
> 2015/06/03 09:01:56 kid1| local=192.168.42.130:34841 remote=213.180.193.119:443 FD 467 flags=1: read/write failure: (32) Broken pipe
>
> Switching back to 3.4.13 solved problem, but..
>
> Any ideas what can cause this ?

It is a socket being closed from the other end. The closure signal arrives while Squid is trying to write to it.

Could be bug 3329 causing Squid confusion though.

NP: The patch for that bug is now in Squid-4 (trunk / HEAD / dev / pre-beta) and will be backported to 3.5 when it's had some time to settle, feedback from testing will speed that up if you can and wish to assist.

Amos
[squid-users] worker per cache_dir
Hi All,

hope someone can give me a way to accomplish what I have in mind. I have 3.5.5 running with 9 workers active (the best numbers I get without errors), so I just set 1 worker per disk as in the schema below, but I have a JBOD with a lot of disks I would like to add in squid.conf. Obviously the idea of 1 worker per disk is no longer a good deal, so what is the best config to make, let's say, worker 1 deal with several caches (3 or 4 for the occurrence) so I could set 3 or 4 cache_dir per worker?

Thanks

cache_dir rock /cache1 46 min-size=1 max-size=31000 max-swap-rate=200 swap-timeout=300

# 200GB x 8 caches of large ( over 32KB) objects per-worker
if ${process_number} = 1
cache_dir aufs /cache2 275000 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 2
cache_dir aufs /cache3 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 3
cache_dir aufs /cache4 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 4
cache_dir aufs /cache5 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 5
cache_dir aufs /cache6 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 6
cache_dir aufs /cache7 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 7
cache_dir aufs /cache8 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 8
cache_dir aufs /cache9 19 32 256 min-size=31001 max-size=1048576000
endif
if ${process_number} = 9
cache_dir aufs /cache10 19 32 256 min-size=31001 max-size=1048576000
endif