Re: [squid-users] SSL Peek and Splice
01.10.15 17:26, Job writes:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementations, i have to install the selfmade Certification
> Authority as for SSL Bump?
Yes.
> 2. how can i block domain (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document
Not only by dstdomain, but also with external redirectors:
http://i.imgur.com/nXOtDPX.png
> Thank you for your patience and many thanks!
>
> Francesco
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] R: SSL Peek and Splice
01.10.15 17:31, Job writes:
> Thank Yuri!
> By opening your png image the accessed domain is visible.
> So it is possible to block it in https peek and splice mode?
Because this occurs in SSL bump mode, inside the HTTPS session.
> Thank you again!
> Francesco
>
> From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Yuri Voinov [yvoi...@gmail.com]
> Sent: Thursday, 1 October 2015 13:29
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] SSL Peek and Splice
>
> 01.10.15 17:26, Job writes:
>> Hello,
>>
>> by reading the 3.5 Squid version "Peek and splice" features:
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> i would like to ask you two questions, please:
>>
>> 1. in this implementations, i have to install the selfmade Certification
>> Authority as for SSL Bump?
> Yes.
>> 2. how can i block domain (dstdomain with squid) with Peek and Splice? It
>> seems not possible by reading the document
> Not only by dstdomain, but also with external redirectors:
> http://i.imgur.com/nXOtDPX.png
>> Thank you for your patience and many thanks!
>>
>> Francesco
[squid-users] Basic example for store.log analyzer
I already had a plan to write something like that in the past and I had some time, so I wrote this store.log tool:
http://paste.ngtech.co.il/pr3kbbf4q

The tool is written in Ruby and what it does is "estimating" what is in the cache_dir now, based on reading the store.log. I have not spent too much time on understanding the store.log, but I had a basic idea of what's in it, and that seems to give some results for now.

The tool gets only one argument, the location of squid's store.log, and reads it like the store "journal", which takes the view from nothing to what should exist now. Each line in the store.log represents one operation, and it is expected to be logged in the order of execution. Due to this expectation we can predict that if a certain file was written to the disk (using SWAPOUT) and, until the end of the log (which should represent now), it was not reported to be removed (RELEASE) from the cache, it is still there, but there is no guarantee that it will be used as a cache HIT.

The tool needs more functionality to be more accurate and to display the estimated cache_dir size. For now, running the script and piping it to "wc -l" (subtract 1 line) will give you the number of objects you have in all your cache_dirs on the server since the start time of the store.log.

Any suggestions and requests regarding the tool are welcome.

Eliezer
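As an added illustration of the journal-replay idea described in this post (example code written here, not Eliezer's tool and not part of Squid), the Ruby below replays constructed store.log lines: SWAPOUT adds an object keyed by its cache key, RELEASE removes it (SO_FAIL, a failed swap-out, is treated the same way here as an assumption), and whatever remains at the end is the estimate of what is still on disk, together with an estimated byte total. The field layout (cache key in the fifth column, "expected/actual" sizes in the eleventh, URL last) and the choice of the second size number as the stored size are assumptions about the Squid 3 store.log format; the sample log lines are constructed.

```ruby
# Added example: replay a Squid store.log as a journal to estimate the
# objects still present in cache_dir. Not Eliezer's tool, not Squid code.
#
# Assumed field layout of a store.log line (Squid 3):
#   time action dir file key status date lastmod expires type size/len method url
SWAPOUT_ACTIONS = %w[SWAPOUT].freeze
RELEASE_ACTIONS = %w[RELEASE SO_FAIL].freeze   # SO_FAIL handling is an assumption

# Replays store.log lines (any Enumerable of strings) and returns
# { cache_key => { url: String, bytes: Integer } } for objects that were
# swapped out and never released before the end of the log.
def estimate_cache_dir(lines)
  objects = {}
  lines.each do |line|
    f = line.split
    next if f.size < 13 || f[0].start_with?('#')   # header or malformed line
    action, key = f[1], f[4]
    case action
    when *SWAPOUT_ACTIONS
      # size field is "expected/actual"; the second number is assumed to be
      # the bytes actually written to disk
      stored = f[10].split('/').last.to_i
      objects[key] = { url: f[12], bytes: stored }
    when *RELEASE_ACTIONS
      objects.delete(key)
    end
  end
  objects
end

# Estimated bytes held by the objects believed to still be on disk.
def estimated_bytes(objects)
  objects.values.sum { |o| o[:bytes] }
end

# Constructed sample journal: three objects swapped out, one released later.
SAMPLE_STORE_LOG = <<~LOG
  1443700000.100 SWAPOUT 00 00000001 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D 200 1443699000 1443698000 -1 text/html 1200/1200 GET http://example.test/index.html
  1443700001.200 SWAPOUT 00 00000002 1B2C3D4E1B2C3D4E1B2C3D4E1B2C3D4E 200 1443699000 -1 -1 image/png 5000/5000 GET http://example.test/logo.png
  1443700002.300 SWAPOUT 00 00000003 2C3D4E5F2C3D4E5F2C3D4E5F2C3D4E5F 200 1443699000 -1 -1 application/octet-stream 800000/800000 GET http://example.test/update.bin
  1443700500.400 RELEASE 00 00000002 1B2C3D4E1B2C3D4E1B2C3D4E1B2C3D4E 200 1443699000 -1 -1 image/png 5000/5000 GET http://example.test/logo.png
LOG

if __FILE__ == $PROGRAM_NAME
  # With a path argument, replay a real store.log; otherwise use the sample.
  lines = ARGV.empty? ? SAMPLE_STORE_LOG.lines : File.foreach(ARGV[0])
  objs = estimate_cache_dir(lines)
  objs.each { |key, o| puts "#{key} #{o[:bytes]} #{o[:url]}" }
  puts "objects: #{objs.size}, estimated bytes: #{estimated_bytes(objs)}"
end
```

Run it as `ruby storelog_replay.rb /var/log/squid/store.log`; the per-object lines can be piped into `wc -l` exactly as the post suggests, minus the summary line.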
[squid-users] Squid ignores crlfile options
Hi

I'm using squid (3.5.9) as transparent https proxy with build options (see below) and config (see below, I removed some uninteresting things from the config like caching).

To get the system more secure I would like to add crl checking (at the moment static, later maybe dynamic if it's possible with my skills :-) ) and ocsp (later).
I'm using the site https://revoked.grc.com/ to test my config.
To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl.
Converted the format of the crl from DER to pem and inserted it in my squid.conf "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".

I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.

But why squid seems to ignore the crlfile option / file ?
Also I tested to use the crl in DER format but it still wouldn't work, even didn't see an error in the log when the file isn't available.

#logfile
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1684) doCallouts: Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1691) doCallouts: Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.017 kid1| 83,3| client_side_request.cc(1712) doCallouts: Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1720) doCallouts: Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1739) doCallouts: Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1748) doCallouts: Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1528) sslBumpNeed: sslBump required: peek
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1830) doCallouts: calling processRequest()
2015/10/01 12:40:45.025 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 104(6000, 0x7fffe51c)
2015/10/01 12:40:45.026 kid1| 83,5| client_side.cc(4267) clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 11 bytes
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/10/01 12:40:45.026 kid1| 83,2| client_side.cc(4270) clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.040 kid1| 83,5| client_side.cc(4267) clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 11 bytes
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/10/01 12:40:45.041 kid1| 83,2| client_side.cc(4270) clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.041 kid1| 83,5| client_side.cc(4284) clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 104(6001, 0x7fffe4bc)
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(95) write: FD 15 wrote 357 <= 357
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 7
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 7 <= 7
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 6(0, 0x8077e5f90)
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1453 <= 4368
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 1455
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.586 kid1| 83,5| bio.cc(118) read: FD 15 read 1455 <= 1455
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,4| support.cc(211) check_domain: Verifying server domain revoked.grc.com to certificate name/subjectAltName revoked.grc.com
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(95) write: FD 15 wrote 182 <= 182
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 11(0, 0x0)
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 5
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(123)
Re: [squid-users] SSL Peek and Splice
On Thu, 2015-10-01 at 13:26 +0200, Job wrote:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementations, i have to install the selfmade Certification
> Authority as for SSL Bump?
> 2. how can i block domain (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document
>
> Thank you for your patience and many thanks!
>
> Francesco

I've found that with peek/splice, instead of stare/bump, I did not need to install the certificate on the end device (daughter got a new phone and I forgot to install it... still worked anyway... cool).

Config below for exactly what you're wanting... change netblocks to what you're using and change cert locations and what not. Before just doing a copy/paste and go, I would recommend reading the docs to get a better understanding of what the below directives mean. The file http_url.txt is regex so it will have entries like \.apple\.com.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
sslproxy_capath /etc/ssl/certs
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %
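To make concrete what both Francesco's question (blocking a domain while only peeking and splicing) and the config above rely on, here is an added Ruby example, written for this thread and not code from Squid or from the poster: at SslBump step 1 the only thing the proxy has seen is the client's TLS ClientHello, and the `ssl::server_name_regex` ACL matches against the server_name (SNI) extension inside it. The block builds a minimal ClientHello (only so the example runs offline), extracts the SNI the way a peeking proxy would, and turns an allow-list of regexes like the entries in http_url.txt into the same splice/terminate decision the two `ssl_bump` lines express. Hostnames and patterns are constructed for the example.

```ruby
# Added example: SNI extraction from a TLS ClientHello and a splice/terminate
# decision modelled on "ssl_bump splice allowed_https_sites / ssl_bump
# terminate all". Not Squid code; hostnames below are constructed.
require 'securerandom'

SNI_EXT_TYPE = 0x0000

# Build a minimal TLS 1.2 ClientHello record carrying one SNI host_name.
def build_client_hello(hostname)
  name = hostname.b
  sni_entry = [0, name.bytesize].pack('Cn') + name          # name_type 0 = host_name
  sni_list  = [sni_entry.bytesize].pack('n') + sni_entry
  ext       = [SNI_EXT_TYPE, sni_list.bytesize].pack('nn') + sni_list
  body = [0x03, 0x03].pack('CC') +                          # client_version TLS 1.2
         SecureRandom.random_bytes(32) +                    # random
         [0].pack('C') +                                    # empty session id
         [2, 0xc02f].pack('nn') +                           # one cipher suite
         [1, 0].pack('CC') +                                # null compression only
         [ext.bytesize].pack('n') + ext
  handshake = [1].pack('C') + [body.bytesize].pack('N').byteslice(1, 3) + body
  [0x16, 0x03, 0x01, handshake.bytesize].pack('CCCn') + handshake
end

# Return the SNI host name, or nil if the bytes are not a ClientHello with a
# server_name extension. Every read is bounds checked, so truncated or
# non-TLS input yields nil rather than an exception.
def extract_sni(record)
  rec = record.b
  return nil unless rec.bytesize >= 5 && rec.getbyte(0) == 0x16   # handshake record
  hs = rec.byteslice(5, rec.byteslice(3, 2).unpack1('n'))
  return nil unless hs && hs.bytesize >= 4 && hs.getbyte(0) == 0x01  # ClientHello
  pos = 4 + 2 + 32                                   # header, version, random
  return nil if pos >= hs.bytesize
  pos += 1 + hs.getbyte(pos)                         # session id
  return nil if pos + 2 > hs.bytesize
  pos += 2 + hs.byteslice(pos, 2).unpack1('n')       # cipher suites
  return nil if pos >= hs.bytesize
  pos += 1 + hs.getbyte(pos)                         # compression methods
  return nil if pos + 2 > hs.bytesize
  ext_end = pos + 2 + hs.byteslice(pos, 2).unpack1('n')
  pos += 2
  while pos + 4 <= ext_end && pos + 4 <= hs.bytesize
    type, len = hs.byteslice(pos, 4).unpack('nn')
    pos += 4
    if type == SNI_EXT_TYPE
      data = hs.byteslice(pos, len)                  # list_len(2) type(1) name_len(2) name
      return nil unless data && data.bytesize >= 5 && data.getbyte(2) == 0
      name_len = data.byteslice(3, 2).unpack1('n')
      name = data.byteslice(5, name_len)
      return nil unless name && name.bytesize == name_len
      return name.force_encoding('UTF-8')
    end
    pos += len
  end
  nil
end

# A hello whose SNI matches any allowed pattern is spliced; anything else,
# including a hello without SNI, is terminated (the "terminate all" fallback).
def bump_decision(record, allowed_patterns)
  sni = extract_sni(record)
  return :terminate if sni.nil?
  allowed_patterns.any? { |re| re.match?(sni) } ? :splice : :terminate
end

if __FILE__ == $PROGRAM_NAME
  allowed = [/\.example\.com\z/]                     # cf. \.apple\.com in http_url.txt
  %w[www.example.com updates.example.net].each do |host|
    puts "#{host}: #{bump_decision(build_client_hello(host), allowed)}"
  end
end
```

The hello without SNI falling through to `:terminate` is the point worth noticing: a client that omits SNI (or a non-TLS stream on port 443) gives a peeking proxy nothing to match, so the fallback rule decides, and with `ssl_bump terminate all` that means the connection is closed rather than silently spliced.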
[squid-users] R: SSL Peek and Splice
Thank Yuri!
By opening your png image the accessed domain is visible.
So it is possible to block it in https peek and splice mode?

Thank you again!
Francesco

From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Yuri Voinov [yvoi...@gmail.com]
Sent: Thursday, 1 October 2015 13:29
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SSL Peek and Splice

01.10.15 17:26, Job writes:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementations, i have to install the selfmade Certification
> Authority as for SSL Bump?
Yes.
> 2. how can i block domain (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document
Not only by dstdomain, but also with external redirectors:
http://i.imgur.com/nXOtDPX.png
>
> Thank you for your patience and many thanks!
>
> Francesco
Re: [squid-users] Install squid problems
I think the easiest way for you is to install squid3 via apt-get install squid3.

It isn't the version 3.5.9 but is 3.5.8.

Best Regards
Sebastian

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Install-squid-problems-tp4673495p4673502.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Can not pass Squid basic authentication
On 1/10/2015 10:41 p.m., birbird wrote:
> Hi All,
>
> I have setup basic authentication for Squid, but I can not get passed from
> browser, just asked to input user/password time and time again.
>
> I was stuck at, the command
> /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
> does not give any output. I think it means squid can not get the
> authentication info. But I have no idea what to do next.
>
> I create my password by
> htpasswd -d /etc/squid/squid_passwd dan

Try using -m instead of -d.

> My squid config is
> auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
> acl ncsa_users proxy_auth REQUIRED
>
> http_access allow ncsa_users
>

Is that the entire access control configuration? If so, it is missing the basic security protections against tunnel abuse and protocol smuggling. aka;

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports

These should be above the auth checks to reduce DoS vulnerabilities.

Amos
[squid-users] SSL Peek and Splice
Hello,

by reading the 3.5 Squid version "Peek and splice" features:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

i would like to ask you two questions, please:

1. in this implementations, i have to install the selfmade Certification Authority as for SSL Bump?
2. how can i block domain (dstdomain with squid) with Peek and Splice? It seems not possible by reading the document

Thank you for your patience and many thanks!

Francesco
Re: [squid-users] Install squid problems
On 2/10/2015 12:25 a.m., S.Kirschner wrote:
> I think the easiest way for you is to install squid3 via apt-get install
> squid3.
>
> It isn't the version 3.5.9 but is 3.5.8.
>

On Ubuntu it is 3.3.8 still. One needs to upgrade to Debian Testing repositories for more up to date software.

sawa;

1) your post is not getting responded to until now because you are not subscribed to the mailing list. Nabble web interface is just an output display unless you subscribe to the mailing list.

2) that tutorial was outdated a week before it was published. Debian packages are available since early Aug. The .debs source pkgs can be used to build a 3.5.7 .deb binary package for your system to install, including all integration scripts Debian and Ubuntu need.

Amos
Re: [squid-users] How to avoid Squid disclosing the origin server IP when there is an error
Hi again,

Thank you for all the information regarding this matter. Anyhow, I must say that I changed in my message the origin server to 127.0.0.1 just to not make public the real address of the origin server, but the address that was made public was the real IP of that origin server, which was accessible from the Internet.

Regards

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/How-to-avoid-Squid-disclosing-the-origin-server-IP-when-there-is-an-error-tp4673418p4673510.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Squid ignores crlfile options
On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
>
> I'm using squid (3.5.9) as transparent https proxy with build options (see
> below) and config (see below, I removed some uninteresting things from the
> config like caching).
>
> To get the system more secure I would like to add crl checking (at the moment
> static, later maybe dynamic if it's possible with my skills :-) ) and ocsp
> (later).
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is
> available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf
> "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
>
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is
> revoked in the crl.
>
> But why squid seems to ignore the crlfile option / file ?

Because it is only relevant on http(s)_port when there is TLS client certificate authentication being verified. You do not have that configured.

> Also I tested to use the crl in DER format but it still wouldn't work, even
> didn't see an error in the log when the file isn't available.

It is not even loaded unless the clientca= is configured. Which turns on client cert authentication.

If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead.

> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem
> sslflags=VERIFY_CRL
>
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem
> sslflags=VERIFY_CRL
>
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem
> sslflags=VERIFY_CRL
>
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the account 'squid'. It is usually a good idea to stick with the

> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be FQDN and publicly resolvable. It is the DNS hostname people use to access your proxy for those icons you configured (amongst other things).

> cache_mgr ad...@pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will run unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s
> /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
>
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src local.network.range
> forwarded_for on

This is a default, remove the forwarded_for line.

> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic

Remove the above if you want to actually cache much content. Squid has been okay with caching this stuff since 2.7.

>
> acl allsrc src all

Don't. Really. "all" is a built-in ACL, just use it.

> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127
> 1025-65535
> acl sslports port 443 563
>
> acl purge method PURGE
> acl connect method CONNECT
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src local.network.range

You defined localnet to that already. Meaning you can replace all uses of "allowed_subnets" with "localnet".

> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

Best practice is now to move all the above http_access lines with their slow and DoS-vulnerable ACL processing down below the CONNECT line following...

> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

Hmm. A delay pool that does not do anything, and every byte of
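The distinction Amos draws above, a CRL that Squid has been handed versus a CRL that is actually consulted when the *server* certificate is verified, is easy to reproduce with OpenSSL outside of Squid. The following is an added Ruby example written for this thread (not Squid code and not the poster's configuration): it generates a throwaway CA, a server certificate issued by it, and a CRL from that CA listing the server certificate as revoked, all in memory with constructed names, then verifies the server certificate three ways: with no CRL, with the CRL loaded into the trust store but revocation checking left off, and with the CRL loaded and `X509_V_FLAG_CRL_CHECK` set. Only the last one rejects the certificate, which is the situation a misplaced `crlfile=` leaves you in.

```ruby
# Added example: a CRL only matters if the verifier that checks the server
# certificate is told to apply it. Not Squid code; PKI below is generated
# in memory with constructed names for this example.
require 'openssl'

DIGEST = 'SHA256'

def new_cert(subject, serial, public_key, issuer_subject)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer_subject)
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

def sign_cert(cert, issuer_cert, issuer_key, exts)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
end

# Throwaway CA, a server certificate it issued, and a CRL revoking that cert.
def build_test_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = new_cert('/CN=Example Test CA', 1, ca_key.public_key, '/CN=Example Test CA')
  sign_cert(ca_cert, ca_cert, ca_key,
            [['basicConstraints', 'CA:TRUE', true],
             ['keyUsage', 'keyCertSign, cRLSign', true],
             ['subjectKeyIdentifier', 'hash', false]])

  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv_cert = new_cert('/CN=revoked.example.test', 2, srv_key.public_key, '/CN=Example Test CA')
  sign_cert(srv_cert, ca_cert, ca_key,
            [['basicConstraints', 'CA:FALSE', true],
             ['subjectAltName', 'DNS:revoked.example.test', false]])

  crl = OpenSSL::X509::CRL.new
  crl.version = 1                                    # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = srv_cert.serial
  revoked.time = Time.now - 30
  crl.add_revoked(revoked)
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))

  { ca_cert: ca_cert, server_cert: srv_cert, crl: crl }
end

# Verify server_cert against ca_cert and return [ok, error_code].
#   crl:       a CRL merely loaded into the store (the "file is present" case)
#   check_crl: whether revocation is enforced for the leaf certificate
def verify_server_cert(ca_cert, server_cert, crl: nil, check_crl: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl
  ok = store.verify(server_cert)
  [ok, store.error]
end

if __FILE__ == $PROGRAM_NAME
  pki = build_test_pki
  [[nil, false], [pki[:crl], false], [pki[:crl], true]].each do |crl, check|
    ok, err = verify_server_cert(pki[:ca_cert], pki[:server_cert], crl: crl, check_crl: check)
    puts "crl loaded=#{!crl.nil?} crl checked=#{check} -> verified=#{ok} error=#{err}"
  end
end
```

The middle case is the instructive one: the CRL is parsed, signed by the right CA and sitting in the store, yet verification still succeeds because nothing asked for it to be applied. The sslproxy_crlfile directive Amos points to is what makes Squid's server-side verifier take the third path.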
[squid-users] ICAP response header ACL
The latest adaption response headers are available through the %adapt::headers through an ACL?

The documentation says that adaptation headers are available in the notes, but this only appears to be headers set with adaptation_meta, not the ICAP response headers. I had also considered using the "note" directive to explicitly stuff the headers into the notes, but it looks like the note directive doesn't allow you to use format strings (i.e. "note icap_headers %adapt::note to "%adapt::
Re: [squid-users] ICAP response header ACL
On 10/01/2015 07:43 AM, Steve Hill wrote:
> The latest adaption response headers are available through the
> %adapt:: headers through an ACL?
>
> The documentation says that adaptation headers are available in the
> notes, but this only appears to be headers set with adaptation_meta,

and with eCAP meta headers/options IIRC.

> not
> the ICAP response headers. I had also considered using the "note"
> directive to explicitly stuff the headers into the notes, but it looks
> like the note directive doesn't allow you to use format strings (i.e.
> "note icap_headers %adapt:: note to "%adapt::
[squid-users] Transparent proxy with Ubuntu 15.04 and Squid3
I have a Squid/Dansguardian proxy server that successfully works when the client web browser is manually configured to use the proxy address:port.

What I want to do is configure a transparent proxy server, presuming I wouldn't have to manually configure browsers.

My LAN environment diagram:
http://imgur.com/0MybmwE

This is a home network environment with a cable modem, wifi router, client web browsers, and I have added the proxy server as a virtualized VMware server.

For the proxy server I have two virtual network cards on the same subnet:
eth0 192.168.1.14 (gateway and the proxy address)
eth1 192.168.1.15

Is it possible the proxy server can intercept traffic from the clients, when the clients have direct access to the internet router? I don't understand how traffic is "intercepted" in this diagram.

Do I need to change something on the router?

How do I configure for proxy transparency?

I've read some configurations, but they were confusing, or out of date, or specialized without much explanation.

Thanks,
Jake
Re: [squid-users] analyzing cache in and out files
> On 30/09/15 04:13, Matus UHLAR - fantomas wrote:
>> the problem was iirc in caching partial objects
>> http://wiki.squid-cache.org/Features/PartialResponsesCaching
>> that problem could be avoided with properly setting range_offset_limit
>> http://www.squid-cache.org/Doc/config/range_offset_limit/
>> but that also means that whole files instead of just their parts are fetched.
>> it's quite possible that microsoft changed the windows updates to be smaller
>> files, but I don't know anything about this, so I wonder if you really do
>> cache windows updates, and how does the caching work related to the information
>> above...

On 30.09.15 11:08, Leonardo Rodrigues wrote:
> yes, i'm definitely caching windows update files !!
>
> [root@firewall ~]# cd /var/squid/
> [root@firewall squid]# for i in `find . -type f`; do strings $i | head -3 | grep "http://"; done | grep windowsupdate | wc -l
> 824
>
> and yes, i had to configure range_offset_limit:
>
> range_offset_limit 500 MB updates
> minimum_object_size 500 KB
> maximum_object_size 500 MB
> quick_abort_min -1
>
> (being 'updates' the ACL with the URLs to be cached, basically windowsupdate
> and avast definition updates - the second one required further tweaks with
> storeid_rewrite for the CDN URLs)

of course...

BTW at one of my customers I noticed downloading the same HUGE files multiple times a day from a few machines - comodo antivirus. Some of updates have even worse design...

> from access.log, i see a lot of TCP_HIT/206 (and just a few TCP_HIT/200), so
> it seems squid is able to get the fully cached file and provide the smaller
> pieces requested:
>
> [root@firewall squid]# grep "TCP_HIT/" access.log | grep windowsupdate | wc -l
> 9860
> [root@firewall squid]# bzcat access.log.20150927.bz2 | grep "TCP_HIT/" | grep windowsupdate | wc -l
> 38584

can you provide maximum size of those files?

> having squid to download the WHOLE file at the very first request (even a
> partial request) may be bad, but considering it will be used later to provide
> the data for other requests, even partial ones, makes things a little better.
>
> (this windowsupdate caching is running just for a few weeks, i expect HITs to
> grow a little more)

watching this and providing information would be nice from you...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
Dear

I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode with SSL hooked.
In my config, i did not bump any site (just to pass SSL protocol to squid in transparent mode).

I'm trying to connect to https://raj2796.wordpress.com

In cache.log

2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

And i'm unable to display the web site, the browser freezes when trying to open the website...

How can i bypass this website and force squid to not analyze the certificate on *.wordpress.com ?

My config

https_port 0.0.0.0:53695 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_version 0
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cert_error allow all

Best regards
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
we wish that somebody can build a good fingerprinting algorithm for pinning clients

Thank you
Alex

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673516.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Transparent proxy with Ubuntu 15.04 and Squid3
On 2/10/2015 8:15 a.m., Jake wrote:
> I have a Squid/Dansguardian proxy server that successfully works when
> the client web browser is manually configured to use the proxy address:port.
>
> What I want to do is configure a transparent proxy server, presuming I
> wouldn't have to manually configure browsers.

"transparent proxy" is not what you think.

The best choice is to use WPAD/PAC auto-configuration. That gets you all the benefits of manual configuration without the troubles of either manual or interception.

> My LAN environment diagram:
> http://imgur.com/0MybmwE
>
> This is a home network environment with a cable modem, wifi router,
> client web browsers, and I have added the proxy server as a virtualized
> VMware server.
>
> For the proxy server I have two virtual network cards on the same subnet:
> eth0 192.168.1.14 (gateway and the proxy address)
> eth1 192.168.1.15
>
> Is it possible the proxy server can intercept traffic from the clients,
> when the clients have direct access to the internet router? I don't
> understand how traffic is "intercepted" in this diagram.

The router needs to route the packets to/through the proxy server.

> Do I need to change something on the router?

Yes.

> How do I configure for proxy transparency?

You didn't say what your router software was...

> I've read some configurations, but they were confusing, or out of date,
> or specialized without much explanation.

The explanation for that is each router software being different. Config for one routing application will not work for others.

Amos
Re: [squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
On 2/10/2015 11:18 a.m., David Touzeau wrote:
> Dear
>
> I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
> with SSL hooked
> In my config, i did not bump any site ( just to pass SSL protocol to
> squid in transparent mode)
>
> I'm trying to connect to https://raj2796.wordpress.com
>
> In cache.log
>
> 2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS
> Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
> 2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
> 2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
> 2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
> 2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
> And i'm unable to display the web site, browser is freeze when trying to
> open website...
>
> How can i bypass this website and force squid to not analyze certificate
> on *.wordpress.com ?
>

Couple of problems...

> My config
> https_port 0.0.0.0:53695 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
> options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem

No SSLv3, but SSLv2 is allowed.

TLS version negotiation relies on a range of protocol versions from N to N+x being selectable. If you poke holes by denying one version in the middle problems arise.
NP: SSLv2 was only removed in Squid-4.

This alone is probably your problem. But there is more you should fix to prevent later troubles.

> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice all

With splice none of the ssl_proxy_* options are relevant. Apart from initial peeking a few bytes the TLS/SSL should be blindly tunnelled between client and server.

We intend the above config to operate as if the client has sent an explicit-proxy a CONNECT and Squid without SSL support had received and enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later operate.

> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>

This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not support those.

> sslproxy_version 0
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cert_error allow all

Amos
[squid-users] Can not pass Squid basic authentication
Hi All,

I have setup basic authentication for Squid, but I can not get passed from browser, just asked to input user/password time and time again.

I was stuck at, the command
/usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
does not give any output. I think it means squid can not get the authentication info. But I have no idea what to do next.

I create my password by
htpasswd -d /etc/squid/squid_passwd dan

My squid config is
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Could anyone please tell what's wrong with this. Any help will be highly appreciated!