Re: [squid-users] Squid 2.7, 3.4 and 3.5 Videos/Music/Images/Libraries/CDNs Booster

2015-09-16 Thread FredT
Hi All,

Advanced Caching Add-On for Linux Squid Proxy Cache v2.7, v3.4 and v3.5 with
Videos, Music, Images, Libraries and CDNs.

New version 2.633 - September 16th 2015.
- New domains
More details on https://svb.unveiltech.com

Enjoy

Bye Fred 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-2-7-3-4-and-3-5-Videos-Music-Images-Libraries-CDNs-Booster-tp4668683p4673240.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-16 Thread Emmanuel Garette
On 07/09/2015 18:40, Amos Jeffries wrote:
> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>
>> Seems to be ok for me. Thanks for your fast reply.
>>
>> Need I open a bug in bugzilla ?
>>
> No need. I think this may be one of the existing ones about this helper.
> Thanks for the feedback it should be applied to the current versions
> shortly.

Hi,

Today I found a new problem. Everything works fine with computers joined to
the Windows domain, but not for computers using CNTLM (not in the domain).

In debug mode I can see this error:

> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz:
108, fetch len: 0, offset: 108)

If I understand correctly, there is no NT password.

In the older code, there were these lines:

> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
> if (tmp.str != NULL && tmp.l != 0) {

The NT password was checked only if len was different from 0.

In this part of your patch:
> /* still fetch the NT response and check validity against empty password */
> {
>     const strhdr * str = &auth->ntresponse;
>     int16_t len = le16toh(str->len);
>     int32_t offset = le32toh(str->offset);
>     if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {

if I replace the last line with:

> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {

everything works well.

Regards,
>
> Amos



Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-16 Thread Emmanuel Garette
On 16/09/2015 11:05, Emmanuel Garette wrote:
> On 07/09/2015 18:40, Amos Jeffries wrote:
>> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>> Seems to be ok for me. Thanks for your fast reply.
>>>
>>> Need I open a bug in bugzilla ?
>>>
>> No need. I think this may be one of the existing ones about this helper.
>> Thanks for the feedback it should be applied to the current versions
>> shortly.
> Hi,
>
> Today I found a new problem. Everything works fine with computers joined to
> the Windows domain, but not for computers using CNTLM (not in the domain).
>
> In debug mode I can see this error:
>
>> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz:
> 108, fetch len: 0, offset: 108)
>
> If I understand correctly, there is no NT password.

I forgot the trace:

YR TlRMTVNTUAABBrIAAAkACQAmBgAGACBTQ1JJQkVET01QRURBR08=
KK
TlRMTVNTUAADGAAYAFQAbAkACQBABQAFAEkGAAYATgBsgoJBAERPTVBFREFHT0FETUlOU0NSSUJFXRkbGCsAILbqhuHyAIWo6XZwbXFCW0p5

Regards,
>
> In the older code, there were these lines:
>
>> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
>> if (tmp.str != NULL && tmp.l != 0) {
> The NT password was checked only if len was different from 0.
>
> In this part of your patch:
>> /* still fetch the NT response and check validity against empty password */
>> {
>>     const strhdr * str = &auth->ntresponse;
>>     int16_t len = le16toh(str->len);
>>     int32_t offset = le32toh(str->offset);
>>     if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
>
> if I replace the last line with:
>
>> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {
>
> everything works well.
>
> Regards,
>> Amos

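The two messages above turn on how the helper bounds-checks the NT-response security buffer of an NTLM Type 3 message. The script below is an added example for this page, not Squid's helper code: it builds a Type 3 message in which the NT response is absent (length 0, offset equal to the packet size, which is what the logged "pkt-sz: 108, fetch len: 0, offset: 108" describes), parses the security-buffer headers, and runs both the condition quoted from the patch and Emmanuel's amended one against it. The sample domain, user, host and LM bytes are constructed; the buffer layout (len:u16, maxlen:u16, offset:u32, six buffers, flags) is the NTLM wire format, and ENCODED_PASS_LEN = 24 is the response length the helper expects.

```python
"""NTLM Type 3 security-buffer sanity check, patched vs amended condition.

Added example; not part of Squid. The message built here is constructed.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
ENCODED_PASS_LEN = 24          # LM/NTLM response length, as in the helper
HEADER_LEN = 64                # sig(8) + type(4) + 6 buffers * 8 + flags(4)
BUFFER_ORDER = ("lm", "nt", "domain", "user", "host", "session_key")


def build_type3(domain, user, host, lm_response, nt_response=b""):
    """Construct a Type 3 message. Empty buffers point at the end of the
    packet (offset == packet size), as CNTLM-style clients send them."""
    fields = {"domain": domain, "user": user, "host": host,
              "lm": lm_response, "nt": nt_response, "session_key": b""}
    payload = b""
    offsets = {}
    for name in ("domain", "user", "host", "lm", "nt"):
        if fields[name]:
            offsets[name] = HEADER_LEN + len(payload)
            payload += fields[name]
    total = HEADER_LEN + len(payload)
    buffers = b"".join(
        struct.pack("<HHI", len(fields[n]), len(fields[n]), offsets.get(n, total))
        for n in BUFFER_ORDER)
    flags = struct.pack("<I", 0x00000201)   # constructed: NEGOTIATE_OEM | NEGOTIATE_NTLM
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
            + buffers + flags + payload)


def parse_type3(pkt):
    """Return {buffer name: (len, offset)} for a Type 3 message.
    maxlen is read and ignored, as the helper does."""
    if len(pkt) < HEADER_LEN or pkt[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", pkt, 8)
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError("not a Type 3 message")
    bufs = {}
    for i, name in enumerate(BUFFER_ORDER):
        length, _maxlen, offset = struct.unpack_from("<HHI", pkt, 12 + 8 * i)
        bufs[name] = (length, offset)
    return bufs


def nt_response_insane_patched(length, offset, auth_length):
    """The condition quoted from the patch: only a 24-byte response passes."""
    return length != ENCODED_PASS_LEN or offset + length > auth_length or offset == 0


def nt_response_insane_amended(length, offset, auth_length):
    """Emmanuel's amendment: an absent (len 0) NT response is tolerated."""
    return ((length != 0 and length != ENCODED_PASS_LEN)
            or offset + length > auth_length or offset == 0)


def fetch_buffer(pkt, length, offset):
    """Bounds-checked copy of a security buffer; None when it is absent."""
    if length == 0:
        return None
    if offset == 0 or offset + length > len(pkt):
        raise ValueError("buffer outside packet")
    return pkt[offset:offset + length]


if __name__ == "__main__":
    pkt = build_type3(b"EXAMPLE01", b"alice", b"WS0001", b"\x11" * 24)
    bufs = parse_type3(pkt)
    nt_len, nt_off = bufs["nt"]
    print("pkt-sz: %d, fetch len: %d, offset: %d" % (len(pkt), nt_len, nt_off))
    print("patched check rejects:", nt_response_insane_patched(nt_len, nt_off, len(pkt)))
    print("amended check rejects:", nt_response_insane_amended(nt_len, nt_off, len(pkt)))
    print("LM response:", fetch_buffer(pkt, *bufs["lm"]).hex())
```

Two things worth keeping in mind when reading the result. The amended condition still rejects every non-zero length other than 24 and every offset that runs past the packet, so the bounds check is not weakened. What changes is that a client may omit the NT response entirely, after which the helper can only verify the LM response, which is derived from the LanMan hash (upper-cased, 14-character, DES-based) and is the weaker of the two; whether that trade-off is acceptable depends on whether LM-only clients need to be served at all.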


[squid-users] help with acl order and deny_info pages

2015-09-16 Thread Marko Cupać
Hi,

I'm trying to set up squid in a way that it authenticates users via
kerberos and grants different levels of web access according to an ldap
query of MS AD groups. After some trials and errors I have found an acl
order which apparently does not trigger reauthentication (auth
dialogues in browsers, although I don't even provide basic auth).
Here's the relevant part:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny !auth all
http_access allow !basic_domains !basic_extensions basic_users
http_reply_access allow !basic_mimetypes basic_users
http_access allow !advanced_domains !advanced_extensions advanced_users
http_access allow expert_users all
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localhost
http_access deny all

I'd like to know which acl triggered the ban, so I've created custom
error page:

error_directory /usr/local/etc/squid/myerrors
deny_info ERR_BASIC_EXTENSION basic_extensions

The problem is that my custom error page does not trigger when I expect
it to (member of basic_users accessing URL with extension listed in
basic_extensions) - ERR_ACCESS_DENIED is triggered instead. I guess
this is because of last matching rule which is http_access deny all.

Is there another way how I can order acls so that I don't trigger
reauthentication while triggering deny_info?

Thank you in advance.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/


Re: [squid-users] help with acl order and deny_info pages

2015-09-16 Thread Amos Jeffries
On 17/09/2015 12:37 a.m., Marko Cupać wrote:
> Hi,
> 
> I'm trying to setup squid in a way that it authenticates users via
> kerberos and grants different levels of web access according to ldap
> query of MS AD groups. After some trials and errors I have found an acl
> order which apparently does not trigger reauthentication (auth
> dialogues in browsers, although I don't even provide basic auth).

What makes you think the browser dialog box has anything to do with Basic auth?
All it means is that the browser does not know what credentials will
work. The ones tried (if any) have been rejected with a challenge
response (401/407) for valid ones. It may be the browser password manager.

If you are using only Kerberos auth then users enter their Kerberos
username and password into the dialog to allow the browser to fetch the
Kerberos token (or keytab entry) it needs to send to Squid.


> Here's relevant part:
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access deny !auth all
> http_access allow !basic_domains !basic_extensions basic_users
> http_reply_access allow !basic_mimetypes basic_users
> http_access allow !advanced_domains !advanced_extensions advanced_users
> http_access allow expert_users all
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access allow localhost
> http_access deny all
> 
> I'd like to know which acl triggered the ban, so I've created custom
> error page:
> 
> error_directory /usr/local/etc/squid/myerrors
> deny_info ERR_BASIC_EXTENSION basic_extensions
> 
> The problem is that my custom error page does not trigger when I expect
> it to (member of basic_users accessing URL with extension listed in
> basic_extensions) - ERR_ACCESS_DENIED is triggered instead. I guess
> this is because of last matching rule which is http_access deny all.

Perhaps.

But, basic_extensions is never the last listed ACL in a denial rule.
There is never a deny action associated with the ACL. That is why the
deny_info response template is not being used.

> 
> Is there another way how I can order acls so that I don't trigger
> reauthentication while triggering deny_info?

Not without the ACL definition details.

Amos
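An added configuration example, not from the thread and not Amos's answer, of the ordering that follows from his point: Squid picks the deny_info template of the last ACL it evaluated on the http_access deny line that matched, so the ACL that carries the template has to be the last one on a deny line, and a failed allow line (the negated ACLs in Marko's config) never selects a template. The ACL names are Marko's; their definitions are not in the thread, so this assumes auth is the Negotiate proxy_auth ACL, the *_users ACLs are external group lookups, and the *_domains / *_extensions ACLs are plain dstdomain and urlpath_regex lists, with the three groups not overlapping.

```conf
error_directory /usr/local/etc/squid/myerrors
deny_info ERR_BASIC_EXTENSION basic_extensions

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Unauthenticated clients. With 'all' last this is a plain 403; drop the
# trailing 'all' if Squid should send the 407 challenge from this line.
http_access deny !auth all

# Expert users are unrestricted.
http_access allow expert_users

# Advanced users: each denial ends with the ACL whose template should be shown.
http_access deny advanced_users advanced_extensions
http_access deny advanced_users advanced_domains
http_access allow advanced_users

# Basic users: a blocked extension now ends on basic_extensions, so
# ERR_BASIC_EXTENSION is used instead of ERR_ACCESS_DENIED.
http_access deny basic_users basic_extensions
http_access deny basic_users basic_domains
http_access allow basic_users

http_access allow localhost
http_access deny all

# Reply-side filtering in the same deny-then-allow shape; the explicit final
# allow avoids relying on the "opposite of the last line" default.
http_reply_access deny basic_users basic_mimetypes
http_reply_access allow all
```

Keep auth-dependent ACLs (auth itself, and the group lookups that need a login) out of the last position on deny lines unless a 407 challenge is wanted there; that is the "reauthentication" prompt. To see which ACL Squid evaluated last for a given request, run with debug_options ALL,1 28,3 and read the access-control trace in cache.log.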


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Dieter Bloms
Hello Antony,


On Wed, Sep 16, Antony Stone wrote:

> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
> 
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS and sslbump enable.
> > But I can't get any access to the destination
> > https://banking.postbank.de, which is accessible with 3.4.13.
> > I use the same config for both squid versions.
> 
> 1. What is that configuration (squid.conf without comments or blank lines, 
> please)?

the relevant part is:

--snip--
acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump none nodecryptdomains
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
--snip--

the destination banking.postbank.de is not listed in the 
/etc/squid/nodecrypt.domains file

with squid-3.4.13 the logs look like:

--snip--
1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
--snip--

with squid 3.5.8 the logs look like:

--snip--
1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


> 2. What differences do you get in the log files between the two versions when 
> you try to access that site?
> 
> This information may give us something to go on in helping with your problem.
> 
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "Black holes are where God divided by zero."
> 
>  - Steven Wright
> 
>Please reply to the list;
>  please *don't* CC me.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov



On 16.09.15 21:34, Amos Jeffries wrote:
> On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
>>
>> This:
>>
>> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
>>
>> does not work.
>
> Do you have always_direct rules that match the request(s)?
I commented out last always_direct, without effect.
>
>  or "nonhierarchical_direct on" ?
No.
>
>
> The order of invocation is:
>
>  nonhierarchical_direct (on means dont use peers for methods which are
> uncacheable)
>
>  always_direct (allow means dont use peers at all)
>
>  never_direct (allow means dont use DIRECT/ORIGINAL_DST)
>
>  prefer_direct (on means use peers as last resort)
>
>  cache_peer_access (deny means dont use this peer)
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

Sure.

I've tried all possible combinations.
Including this:

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.*
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow CONNECT
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow CONNECT
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

The problem is:

I need to forward to the parent the AND combination of CONNECT and the tor_url ACL.

Something like this:

# Privoxy+Tor access rules
never_direct allow CONNECT tor_url
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow CONNECT tor_url
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

But this also doesn't work.

I.e., most requests must go out via Squid, with SSL Bump if needed, but
selected URLs must go via the cache_peer to Tor, both HTTP and HTTPS, and
HTTPS without bumping.

Can't understand how to achieve this.

On 16.09.15 21:34, Amos Jeffries wrote:
> On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
>>
>> This:
>>
>> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
>>
>> does not work.
>
> Do you have always_direct rules that match the request(s)?
>  or "nonhierarchical_direct on" ?
>
> The order of invocation is:
>
>  nonhierarchical_direct (on means dont use peers for methods which are
> uncacheable)
>
>  always_direct (allow means dont use peers at all)
>
>  never_direct (allow means dont use DIRECT/ORIGINAL_DST)
>
>  prefer_direct (on means use peers as last resort)
>
>  cache_peer_access (deny means dont use this peer)
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

This:

http://osdir.com/ml/web.squid.general/2003-04/msg00800.html

does not work.

On 16.09.15 0:15, Matus UHLAR - fantomas wrote:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How Squid works as a whole, I am well
>> aware of. Before asking a question, I tried everything that seemed right. And
>> I asked hoping to get a specific answer or an intelligible explanation,
>> not common words and suggestions to read the manual. Did I outline the
>> position clearly enough?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer - it is better to remain silent.
>
> you did not provide enough information, you did not tell what you did, you
> did not mention basic information like using sslbump, and now you are telling
> me not to even try to help you?
>
> with this attitude I will just ignore you next time no matter if I can
> help you or not.




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Amos Jeffries
On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
> 
> This:
> 
> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
> 
> does not work.

Do you have always_direct rules that match the request(s)?
 or "nonhierarchical_direct on" ?

The order of invocation is:

 nonhierarchical_direct (on means dont use peers for methods which are
uncacheable)

 always_direct (allow means dont use peers at all)

 never_direct (allow means dont use DIRECT/ORIGINAL_DST)

 prefer_direct (on means use peers as last resort)

 cache_peer_access (deny means dont use this peer)

Amos


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Amos Jeffries
On 17/09/2015 3:16 a.m., Dieter Bloms wrote:
> Hello Antony,
> 
> 
> On Wed, Sep 16, Antony Stone wrote:
> 
>> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>>
>>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
>>> accessible via HTTPS and sslbump enable.
>>> But I can't get any access to the destination
>>> https://banking.postbank.de, which is accessible with 3.4.13.
>>> I use the same config for both squid versions.
>>
>> 1. What is that configuration (squid.conf without comments or blank lines, 
>> please)?
> 
> the relevant part ist:
> 
> --snip--
> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem


Replace these...

> ssl_bump none nodecryptdomains
> ssl_bump server-first all

... with:

 acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice nodecrypt
 ssl_bump bump all

Maybe also remove the nodecryptdomains ACL. Depends on whether you use
it anywhere else.


> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> --snip--
> 
> the destination banking.postbank.de is not listed in the 
> /etc/squid/nodecrypt.domains file
> 
> with squid-3.4.13 the logs look like:
> 
> --snip--
> 1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
> 1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
> --snip--
> 
> with squid 3.5.8 the logs look like:
> 
> --snip--
> 1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> --snip--

This is the CONNECT request which was made prior to the ssl_bump rules
being checked. 3.5 will log this regardless of bumping (or not). The
absence of "TCP_TUNNEL" means the bumping did happen.


Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

Hm.

If I understand correctly, the right configuration must be:

# Privoxy+Tor access rules
never_direct allow CONNECT
never_direct allow tor_url

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

Right?

But:

http://i.imgur.com/UMxt2vh.png

Does CONNECT always require DIRECT?

I can't see FIRSTUP_PARENT for CONNECT in access log:

1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/154.35.132.70 -
1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -

Because the IPs are banned by the ISP, the direct CONNECT times out.

Also, nothing matching the tor_url ACL can connect.

Where am I wrong?

On 16.09.15 22:03, Amos Jeffries wrote:
> never_direct allow CONNECT





[squid-users] Optimezed???

2015-09-16 Thread Jorgeley Junior
I think my squid is not optimized due to the percentage of hits, see the graph
below:

[graph image not included in the archive]


Re: [squid-users] Optimezed???

2015-09-16 Thread Jorgeley Junior
Any suggestions?
On 16/09/2015 17:10, "Eliezer Croitoru" wrote:

> Can you run a script on the access log, to verify a couple of things?
> Hit and Miss are not the only options, and there is a possibility that your
> cache setup means only specific requests even get downloaded through the
> cache.
>
> If so I will send you the bash script to try and see something.
>
> Eliezer
>
> On 16/09/2015 23:00, Jorgeley Junior wrote:
>
>> I think my squid is not optimized due to the percentage of hits, see the
>> graph
>> below:
>>
>> [graph image not included in the archive]
>>
>>
>>
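Both the hit-ratio question in this thread and the 3.5.8 CONNECT lines in the banking.postbank.de thread come down to reading result codes out of a native-format access.log. The script below is an added example for this page, not a Squid tool and not the script Eliezer offered: it parses native log lines, sorts them into hit / miss / tunnel / none / denied, computes the hit ratio over the requests that could have been cached, and lists how each CONNECT was handled (TCP_TUNNEL means spliced or tunnelled, TAG_NONE is what 3.5 logs for a bumped CONNECT, and the hierarchy field shows whether it went DIRECT or to a parent). SAMPLE_LOG is constructed to mimic the lines quoted on the list; its hosts and addresses are placeholders.

```python
"""Tally a Squid native access.log by result class and CONNECT handling.

Added example; not from the thread and not a Squid tool. SAMPLE_LOG is
constructed sample data.
"""
from collections import Counter

SAMPLE_LOG = """\
1442410295.266     32 10.0.0.5 TAG_NONE/200 0 CONNECT bank.example:443 - HIER_DIRECT/203.0.113.10 -
1442410295.300     31 10.0.0.5 TCP_TUNNEL/200 4312 CONNECT mail.example:443 - HIER_DIRECT/203.0.113.11 -
1442410296.100     12 10.0.0.6 TCP_MEM_HIT/200 7531 GET http://cdn.example/logo.png - HIER_NONE/- image/png
1442410296.200    140 10.0.0.6 TCP_MISS/200 27373 GET http://cdn.example/font.woff - HIER_DIRECT/203.0.113.12 application/x-font-woff
1442410296.300      9 10.0.0.7 TCP_REFRESH_UNMODIFIED/304 310 GET http://cdn.example/logo.png - HIER_DIRECT/203.0.113.12 image/png
1442410296.400     15 10.0.0.7 TCP_DENIED/403 3850 GET http://blocked.example/ - HIER_NONE/- text/html
1442410297.000   3000 10.0.0.8 TCP_TUNNEL/200 0 CONNECT hidden.example:443 - FIRSTUP_PARENT/127.0.0.1 -
"""

# Served from cache: TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_REFRESH_HIT,
# TCP_NEGATIVE_HIT and TCP_REFRESH_UNMODIFIED (revalidated, cached copy sent).
HIT_MARKERS = ("HIT", "UNMODIFIED")


def parse_line(line):
    """Split one native-format line into the fields used here."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native access.log line: %r" % line)
    code, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return {"client": f[2], "code": code, "status": int(status),
            "bytes": int(f[4]), "method": f[5], "url": f[6],
            "hierarchy": hier, "peer": peer}


def classify(code):
    """Map a Squid result code onto hit / miss / tunnel / none / denied."""
    if code == "TCP_TUNNEL":
        return "tunnel"
    if code == "TAG_NONE":
        return "none"
    if "DENIED" in code:
        return "denied"
    if any(marker in code for marker in HIT_MARKERS):
        return "hit"
    return "miss"          # TCP_MISS, TCP_REFRESH_MODIFIED, TCP_CLIENT_REFRESH_MISS, TCP_SWAPFAIL_MISS ...


def summarize(log_text):
    """Counts per class, hit ratio over hit+miss, and one tuple per CONNECT."""
    classes = Counter()
    connects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        classes[classify(rec["code"])] += 1
        if rec["method"] == "CONNECT":
            connects.append((rec["url"], rec["code"], rec["hierarchy"], rec["bytes"]))
    cacheable = classes["hit"] + classes["miss"]
    ratio = classes["hit"] / cacheable if cacheable else 0.0
    return {"classes": classes, "hit_ratio": ratio, "connects": connects}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, count in sorted(summary["classes"].items()):
        print("%-8s %d" % (name, count))
    print("hit ratio over cacheable requests: %.2f" % summary["hit_ratio"])
    for url, code, hier, nbytes in summary["connects"]:
        print("CONNECT %-22s %-12s via %-15s %d bytes" % (url, code, hier, nbytes))
```

Two readings to take from the output on real logs. A low hit ratio is only meaningful over the hit+miss population; tunnels and bumped CONNECTs are never cache hits and must not be counted against it. And a run of TAG_NONE/200 CONNECT lines with 0 bytes and no GET lines following them, as in the 3.5.8 log quoted earlier, means the bump happened but the TLS session inside it never carried a request, which is where to look next (the client rejecting the generated certificate, or the handshake with the origin failing) rather than at the peer or routing rules.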


Re: [squid-users] high volume of 'missing files' in cache....TCP_SWAPFAIL

2015-09-16 Thread HackXBack
Please Amos,
this is a bug in 3.5.x.
In 3.4.x this problem does not exist, and I went back to 3.4 just because of
swapfail and losing a lot of data.





Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Amos Jeffries
On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
> 
> Hm.
> 
> If I understand correctly, the right configuration must be:
> 
> # Privoxy+Tor access rules
> never_direct allow CONNECT
> never_direct allow tor_url
> 
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
> 
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
> 
> Right?
> 
> But:
> 
> http://i.imgur.com/UMxt2vh.png
> 
> Does CONNECT always require DIRECT?

In the above yes. If you don't want that remove the never_direct for
CONNECT as well.

> 
> I can't see FIRSTUP_PARENT for CONNECT in access log:
> 
> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
> 

Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
upstream. The access controls about how to pass things upstream are
irrelevant for them.

> Because the IPs are banned by the ISP, the direct CONNECT times out.
> 
> Also, nothing matching the tor_url ACL can connect.
> 
> Where am I wrong?

Where is the server IP coming from?

Amos
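An added configuration example for this thread, not from the list and not Amos's answer, putting his two points together: a CONNECT that is going to be bumped is handled by Squid itself and never reaches the peer-selection rules, so the hosts that must go through Privoxy/Tor have to be spliced before the bump rule, and the routing directives then only need to mention tor_url. This assumes tor_url is a dstdomain ACL (Yuri's definition is not in the thread), a forward proxy receiving explicit CONNECT requests as his log shows, and Privoxy listening on 127.0.0.1:8118.

```conf
# Assumed definition; the real tor_url ACL is not shown in the thread.
acl tor_url dstdomain .torproject.org
acl step1 at_step SslBump1

# Decide at the CONNECT (step 1), before any peek: traffic for the peer is
# spliced, so Squid never opens its own TLS session to the origin and the
# CONNECT itself can be relayed to the parent as a plain tunnel.
ssl_bump splice tor_url
ssl_bump peek step1
ssl_bump bump all

# Local Privoxy is the cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

# Routing, in the evaluation order Amos listed: always_direct first, then
# never_direct, then cache_peer_access. Only tor_url may use the peer;
# everything else stays DIRECT. There is no 'never_direct allow CONNECT',
# which would send every CONNECT, bumped ones included, toward the peer.
always_direct allow !tor_url
never_direct allow tor_url
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all
```

To check it, a CONNECT to a tor_url host should appear in access.log as TCP_TUNNEL/200 with FIRSTUP_PARENT/127.0.0.1 in the hierarchy field, and a plain http:// request to the same host as a miss with the same parent; a TAG_NONE/200 CONNECT with HIER_DIRECT still means the request was bumped rather than relayed, i.e. the splice rule did not match it.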


Re: [squid-users] Optimezed???

2015-09-16 Thread Antony Stone
On Wednesday 16 September 2015 at 22:00:27, Jorgeley Junior wrote:

> I think my squid is not optimized due to the percentage of hits, see the graph
> below:

I agree with you.

Regards,


Antony.

-- 
+++ Divide By Cucumber Error.  Please Reinstall Universe And Reboot +++

   Please reply to the list;
 please *don't* CC me.