Re: [squid-users] SSL Peek and Splice

2015-10-01 Thread Yuri Voinov



01.10.15 17:26, Job writes:
> Hello,
>
> by reading the Squid 3.5 "Peek and splice" feature page:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementation, do i have to install the selfmade Certification
> Authority as for SSL Bump?
Yes.
> 2. how can i block a domain (dstdomain with squid) with Peek and Splice? It seems
> not possible by reading the document
Not only by dstdomain, but also with external redirectors:

http://i.imgur.com/nXOtDPX.png

>
> Thank you for your patience and many thanks!
>
> Francesco
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] R: SSL Peek and Splice

2015-10-01 Thread Yuri Voinov



01.10.15 17:31, Job writes:
> Thanks Yuri!
>
> By opening your png image the accessed domain is visible.
> So is it possible to block it in https peek and splice mode?
Because this occurs in SSL bump mode, inside the HTTPS session.

> Thank you again!
> Francesco
>
> From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Yuri
> Voinov [yvoi...@gmail.com]
> Sent: Thursday, 1 October 2015 13.29
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] SSL Peek and Splice
>
> 01.10.15 17:26, Job writes:
>> Hello,
>>
>> by reading the Squid 3.5 "Peek and splice" feature page:
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> i would like to ask you two questions, please:
>>
>> 1. in this implementation, do i have to install the selfmade Certification
>> Authority as for SSL Bump?
> Yes.
>> 2. how can i block a domain (dstdomain with squid) with Peek and Splice? It seems
>> not possible by reading the document
> Not only by dstdomain, but also with external redirectors:
>
> http://i.imgur.com/nXOtDPX.png
>
>>
>> Thank you for your patience and many thanks!
>>
>> Francesco


[squid-users] Basic example for store.log analyzer

2015-10-01 Thread Eliezer Croitoru
I already had a plan to write something like that in the past and I had 
some time, so I wrote this store.log tool:

http://paste.ngtech.co.il/pr3kbbf4q

The tool is written in Ruby and what it does is "estimate" what is in 
the cache_dir now based on reading the store.log.


I have not spent too much time on understanding the store.log, but 
I had a basic idea of what is in it, and that seems to give some results for now.


The tool gets only one argument, the location of the squid store.log, 
and reads it like the store "journal", which takes the view from nothing to 
what should exist now.
Each line in the store.log represents one operation and it is expected 
to be logged in the order of execution.
Due to this expectation we can predict that if a certain file was 
written to the disk (using SWAPOUT) and, until the end of the log (which 
should represent now), it was not reported to be removed (RELEASE) from 
the cache, it is still there, but there is no guarantee that it will be 
used as a cache HIT.


The tool needs more functionality to be more accurate and to display the 
estimated cache_dir size.
For now, running the script and piping it into "wc -l" (reduce by 1 line) will 
give you the result of how many objects you have in all your cache_dirs 
on the server from the start time of the store.log.


Any suggestions and requests regarding the tool are welcome.

Eliezer
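
As an added illustration of the journal-replay idea Eliezer describes (example code written for this page, not his Ruby tool from the paste link): it assumes the Squid 3.x store.log field order time / action / dir / file / key / status / date / lastmod / expires / type / expect-len/real-len / method / url, treats SWAPOUT as "now on disk" and RELEASE as "gone again", ignores SO_FAIL, and sums the real-length field per cache_dir to produce the size estimate his post says the tool still lacks. The sample journal is constructed for the example, not taken from a real server.

```python
import re
from collections import OrderedDict

# One store.log line as this example assumes Squid 3.x writes it (Squid pads some
# numeric fields, so fields are separated by one or more spaces):
#   time action dir file key status date lastmod expires type expect/real method url
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<action>[A-Z_]+)\s+(?P<dir>[0-9A-Fa-f]{2})\s+"
    r"(?P<file>[0-9A-Fa-f]{8})\s+(?P<key>[0-9A-Fa-f]{32})\s+(?P<status>-?\d+)\s+"
    r"(?P<date>-?\d+)\s+(?P<lastmod>-?\d+)\s+(?P<expires>-?\d+)\s+(?P<ctype>\S+)\s+"
    r"(?P<explen>-?\d+)/(?P<reallen>-?\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s*$")

# Constructed sample journal (not a real server's log): two objects are written, the
# first is released again, one is rewritten with a new size, one swapout fails, and
# one line is garbage that a robust reader must skip.
SAMPLE_STORE_LOG = """\
1443700000.123 SWAPOUT 00 00000001 0123456789ABCDEF0123456789ABCDEF  200 1443700000 1443690000        -1 text/html 1234/1234 GET http://example.com/index.html
1443700001.456 SWAPOUT 00 00000002 FEDCBA9876543210FEDCBA9876543210  200 1443700001        -1        -1 image/png 80000/80000 GET http://example.com/logo.png
1443700002.000 RELEASE 00 00000001 0123456789ABCDEF0123456789ABCDEF  200 1443700000 1443690000        -1 text/html 1234/1234 GET http://example.com/index.html
1443700003.000 SWAPOUT 01 00000003 AAAABBBBCCCCDDDDEEEEFFFF00001111  200 1443700003        -1        -1 application/octet-stream 5000000/5000000 GET http://dl.example.org/update.cab
1443700004.000 SO_FAIL 01 00000004 11112222333344445555666677778888  200 1443700004        -1        -1 text/plain 10/0 GET http://example.com/fail.txt
1443700005.000 SWAPOUT 00 00000005 FEDCBA9876543210FEDCBA9876543210  200 1443700005        -1        -1 image/png 90000/90000 GET http://example.com/logo.png
this line is not a store.log record and must be skipped
"""


def replay(lines):
    """Replay the journal in order: return ({key: fields}, skipped_line_count) for
    objects that were SWAPOUT'd and not RELEASE'd afterwards, i.e. believed on disk."""
    on_disk, skipped = OrderedDict(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        f = m.groupdict()
        if f["action"] == "SWAPOUT":
            on_disk[f["key"]] = f          # a rewrite of the same key replaces the old record
        elif f["action"] == "RELEASE":
            on_disk.pop(f["key"], None)    # the object left the cache_dir
        # SO_FAIL (and any other action) leaves nothing usable on disk: ignored
    return on_disk, skipped


def count_objects(lines):
    """What `script | wc -l` (minus the header line) reports: objects estimated on disk."""
    return len(replay(lines)[0])


def summarize(lines):
    """Object count, total bytes and bytes per cache_dir, using the real-length field."""
    on_disk, skipped = replay(lines)
    per_dir = {}
    for f in on_disk.values():
        per_dir[f["dir"]] = per_dir.get(f["dir"], 0) + max(int(f["reallen"]), 0)
    return {"objects": len(on_disk), "bytes": sum(per_dir.values()),
            "per_dir": per_dir, "skipped_lines": skipped}


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STORE_LOG.splitlines()
    print(summarize(src))
```

Run it with the path to a real store.log as the only argument; without an argument it replays the constructed sample. As in the Ruby tool, the result is only an estimate: a RELEASE that never made it into the log (crash, rotation) leaves a phantom entry, and "on disk" still says nothing about whether the object is fresh enough to be served as a HIT.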


[squid-users] Squid ignores crlfile options

2015-10-01 Thread Sebastian Kirschner
Hi 

I'm using squid (3.5.9) as a transparent https proxy with build options (see 
below) and config (see below; I removed some uninteresting things from the 
config like caching).

To get the system more secure I would like to add crl checking (at the moment 
static, later maybe dynamic if it's possible with my skills :-) ) and ocsp 
(later).
I'm using the site https://revoked.grc.com/ to test my config.
To do it I downloaded the certificate from the site, checked if a CRL URI is 
available and downloaded the crl.
Converted the format of the crl from DER to pem and inserted it in my squid.conf:
"crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".

I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is 
revoked in the crl.

But why does squid seem to ignore the crlfile option / file? 
Also I tested using the crl in DER format but it still wouldn't work; I even 
didn't see an error in the log when the file isn't available.


#logfile
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1684) doCallouts: 
Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1691) doCallouts: 
Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.017 kid1| 83,3| client_side_request.cc(1712) doCallouts: 
Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1720) doCallouts: 
Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1739) doCallouts: 
Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1748) doCallouts: 
Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1528) sslBumpNeed: 
sslBump required: peek
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1830) doCallouts: 
calling processRequest()
2015/10/01 12:40:45.025 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
104(6000, 0x7fffe51c)
2015/10/01 12:40:45.026 kid1| 83,5| client_side.cc(4267) 
clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 
11 bytes
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 
bytes of TLS client Hello
2015/10/01 12:40:45.026 kid1| 83,2| client_side.cc(4270) 
clientPeekAndSpliceSSL: SSL_accept failed.

2015/10/01 12:40:45.040 kid1| 83,5| client_side.cc(4267) 
clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 
11 bytes
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 
bytes of TLS client Hello
2015/10/01 12:40:45.041 kid1| 83,2| client_side.cc(4270) 
clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.041 kid1| 83,5| client_side.cc(4284) 
clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
104(6001, 0x7fffe4bc)
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(95) write: FD 15 wrote 357 <= 357
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 7
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 7 <= 7
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
6(0, 0x8077e5f90)
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1453 <= 4368
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 1455
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.586 kid1| 83,5| bio.cc(118) read: FD 15 read 1455 <= 1455
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,4| support.cc(211) check_domain: Verifying 
server domain revoked.grc.com to certificate name/subjectAltName revoked.grc.com
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(95) write: FD 15 wrote 182 <= 182
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
11(0, 0x0)
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 5
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(123) 

Re: [squid-users] SSL Peek and Splice

2015-10-01 Thread James Lay
On Thu, 2015-10-01 at 13:26 +0200, Job wrote:

> Hello,
> 
> by reading the Squid 3.5 "Peek and splice" feature page:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
> 
> i would like to ask you two questions, please:
> 
> 1. in this implementation, do i have to install the selfmade Certification 
> Authority as for SSL Bump?
> 2. how can i block a domain (dstdomain with squid) with Peek and Splice? It 
> seems not possible by reading the document
> 
> Thank you for your patience and many thanks!
> 
> Francesco


I've found that with peek/splice, instead of stare/bump, I did not need
to install the certificate on the end device (daughter got a new phone
and I forgot to install it...still worked anyway...cool).

Config below for exactly what you're wanting...change netblocks to what
you're using and change cert locations and what not.  Before just doing
a copy/paste and go, I would recommend reading the docs to get a better
understanding of what the below directives mean.  The file http_url.txt
is regex so it will have entries like \.apple\.com.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump
cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem
cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem
key=/opt/etc/squid/certs/sslsplit_ca_key.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %
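
To make concrete what the peek/splice policy above actually decides on at step 1 (an added example written for this page, not code from James's post or from Squid): at SslBump1 Squid has only peeked at the client's TLS ClientHello, so `ssl::server_name_regex` is matched against the SNI extension in that hello, before any certificate is generated, which is why a spliced connection works with no CA on the client. The example builds a ClientHello carrying a chosen SNI (constructed test input), parses the SNI back out of the raw record, and mirrors the `peek all / splice allowed_https_sites / terminate all` rules. The allow-list entries and all function names are assumptions of the example; note that an unanchored entry such as `\.apple\.com` also matches `cdn.apple.com.attacker.example`, so the example anchors its patterns and the test shows both behaviours.

```python
import re
import struct


class IncompleteHello(ValueError):
    """Raised when the buffered bytes do not yet hold a whole ClientHello."""


def build_client_hello(server_name, with_sni=True):
    """Construct a minimal TLS 1.2-style ClientHello record (test input, not captured)."""
    body = b"\x03\x03" + bytes(range(32)) + b"\x00"         # version, fixed "random", empty session id
    suites = struct.pack("!HH", 0x1301, 0xC02F)              # two cipher suites, content irrelevant here
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                      # one compression method: null
    exts = b""
    if with_sni:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list   # extension type server_name
    exts += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"          # supported_versions: parser must skip it
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello, or None if absent."""
    if len(record) < 5:
        raise IncompleteHello("record header not complete")
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise IncompleteHello("handshake header not complete")
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise IncompleteHello("need %d more bytes" % (hs_len - len(body)))   # peek must keep reading
    try:
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return None                                         # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:
                continue
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello: %s" % exc)
    return None


def compile_allowlist(patterns):
    """Patterns in the style of the http_url.txt file used with ssl::server_name_regex."""
    return [re.compile(p) for p in patterns]


# Anchored versions of the kind of entries the post describes (assumed list).
ALLOWED_HTTPS_SITES = compile_allowlist([r"\.apple\.com$", r"^www\.example\.com$"])


def ssl_bump_decision(client_bytes, allowed=ALLOWED_HTTPS_SITES):
    """Mirror 'ssl_bump peek all / splice allowed_https_sites / terminate all' at step 1:
    returns "wait" (more client bytes needed), "splice" or "terminate"."""
    try:
        sni = extract_sni(client_bytes)
    except IncompleteHello:
        return "wait"
    if sni is not None and any(p.search(sni) for p in allowed):
        return "splice"
    return "terminate"      # no SNI at all, or a name outside the allow-list
```

The SNI is written by the client and is not authenticated, so a decision taken on it alone trusts the client; with `ssl_bump peek all` Squid also looks at the server certificate at step 2 before the splice becomes final, which is the check that catches a client lying about the name.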


[squid-users] R: SSL Peek and Splice

2015-10-01 Thread Job
Thanks Yuri!

By opening your png image the accessed domain is visible.
So is it possible to block it in https peek and splice mode?

Thank you again!
Francesco


From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Yuri 
Voinov [yvoi...@gmail.com]
Sent: Thursday, 1 October 2015 13.29
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SSL Peek and Splice

01.10.15 17:26, Job writes:
> Hello,
>
> by reading the Squid 3.5 "Peek and splice" feature page:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementation, do i have to install the selfmade Certification 
> Authority as for SSL Bump?
Yes.
> 2. how can i block a domain (dstdomain with squid) with Peek and Splice? It 
> seems not possible by reading the document
Not only by dstdomain, but also with external redirectors:

http://i.imgur.com/nXOtDPX.png

>
> Thank you for your patience and many thanks!
>
> Francesco


Re: [squid-users] Install squid problems

2015-10-01 Thread S.Kirschner
I think the easiest way for you is to install squid3 via apt-get install
squid3.

It isn't version 3.5.9 but 3.5.8.


Best Regards
Sebastian





Re: [squid-users] Can not pass Squid basic authentication

2015-10-01 Thread Amos Jeffries
On 1/10/2015 10:41 p.m., birbird wrote:
> Hi All,
> 
> 
> I have set up basic authentication for Squid, but I can not get past it from the 
> browser, I am just asked to input user/password time and time again.
> 
> 
> I was stuck at, the command
> /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
> does not give any output. I think it means squid can not get the 
> authentication info. But I have no idea what to do next.
> 
> 
> I create my password by
> htpasswd -d /etc/squid/squid_passwd dan

Try using -m instead of -d.

> 
> 
> My squid config is
> auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
> acl ncsa_users proxy_auth REQUIRED
> 
> http_access allow ncsa_users
> 

Is that the entire access control configuration?

If so, it is missing the basic security protections against tunnel abuse
and protocol smuggling. aka;

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports

These should be above the auth checks to reduce DoS vulnerabilities.

Amos


[squid-users] SSL Peek and Splice

2015-10-01 Thread Job
Hello,

by reading the Squid 3.5 "Peek and splice" feature page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

i would like to ask you two questions, please:

1. in this implementation, do i have to install the selfmade Certification 
Authority as for SSL Bump?
2. how can i block a domain (dstdomain with squid) with Peek and Splice? It seems 
not possible by reading the document

Thank you for your patience and many thanks!

Francesco


Re: [squid-users] Install squid problems

2015-10-01 Thread Amos Jeffries
On 2/10/2015 12:25 a.m., S.Kirschner wrote:
> I think the easiest way for you is to install squid3 via apt-get install
> squid3.
> 
> It isnt the version 3.5.9 but is 3.5.8.
> 

On Ubuntu it is 3.3.8 still. One needs to upgrade to Debian Testing
repositories for more up to date software.


sawa;
1) your post is not getting responded to until now because you are not
subscribed to the mailing list. Nabble web interface is just a output
display unless you subscribe to the mailing list.

2) that tutorial was outdated a week before it was published. Debian
packages are available since early Aug. The .debs source pkgs can be
used to build a 3.5.7 .deb binary package for your system to install,
including all integration scripts Debian and Ubuntu need.


Amos



Re: [squid-users] How to avoid Squid disclosing the origin server IP when there is an error

2015-10-01 Thread Manuel
Hi again,

Thank you for all the information regarding this matter. Anyhow, I must say
that I changed the origin server in my message to 127.0.0.1 just to not make
public the real address of the origin server, but the address that was made
public was the real IP of that origin server, which was accessible from the
Internet.

Regards






Re: [squid-users] Squid ignores crlfile options

2015-10-01 Thread Amos Jeffries
On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi 
> 
> I'm using squid (3.5.9) as a transparent https proxy with build options (see 
> below) and config (see below; I removed some uninteresting things from the 
> config like caching).
> 
> To get the system more secure I would like to add crl checking (at the moment 
> static, later maybe dynamic if it's possible with my skills :-) ) and ocsp 
> (later).
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is 
> available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf:
>  "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
> 
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/  is 
> revoked in the crl.
> 
> But why squid seems to ignore the crlfile option / file ? 

Because it is only relevant on http(s)_port when there is TLS client
certificate authentication being verified. You do not have that configured.


> Also I tested to use the crl in DER format but it still wouldn’t work , even 
> didn’t saw an error in the log when the file isn’t available.

It is not even loaded unless the clientca= is configured. Which turns on
client cert authentication.


If you mean it to be used to verify the *server* certificates then you
need to configure sslproxy_crlfile instead.


> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem 
> sslflags=VERIFY_CRL
> 
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem 
> sslflags=VERIFY_CRL
> 
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem 
> sslflags=VERIFY_CRL
> 
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the
account 'squid'. It is usually a good idea to stick with the


> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be an FQDN and publicly resolvable. It is the DNS
hostname people use to access your proxy for those icons you configured
(amongst other things).

> cache_mgr ad...@pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will
run unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s 
> /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
> 
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src  local.network.range
> forwarded_for on

This is a default, remove the forwarded_for line.

> uri_whitespace strip
> 
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic

Remove the above if you want to actually cache much content. Squid has
been okay with caching this stuff since 2.7.

> 
> acl allsrc src all

Don't. Really. "all" is a built-in ACL, just use it.

> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 
> 1025-65535 
> acl sslports port 443 563  
> 
> acl purge method PURGE
> acl connect method CONNECT
> 
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src local.network.range

You defined localnet to that already. Meaning you can replace all uses
of "allowed_subnets" with "localnet".

> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> http_access allow manager localhost
> 
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

Best practice is now to move all the above http_access lines with their
slow and DoS-vulnerable ACL processing down below the CONNECT line
following...

> http_access deny !safeports
> http_access deny CONNECT !sslports
> 
> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

Hmm. A delay pool that does not do anything, and every byte of 
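
Two of Amos's points, here and in the basic-authentication thread above, can be checked mechanically: the `deny !Safe_ports` and `deny CONNECT !SSL_ports` guards belong above every other http_access line (above all those that drive slow ACLs such as proxy_auth), and `crlfile=` / `sslflags=VERIFY_CRL` on an http(s)_port only concern client certificates and are not loaded at all without `clientca=`, with `sslproxy_crlfile` being the directive for server certificates. The checker below is example code written for this page, not a Squid tool. The set of ACL types it treats as slow, its table of built-in ACLs and its case-insensitive comparison of ACL names are the example's own assumptions, and the three configs it ships with are constructed excerpts reproducing the two posters' configurations, not complete files.

```python
import re
from collections import namedtuple

# ACL types whose evaluation can block on a helper, a DNS lookup or an authentication
# round-trip. The grouping is this example's own, not a list taken from Squid.
SLOW_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "external", "srcdomain",
                  "srcdom_regex", "dst", "ident", "ident_regex"}
# ACLs Squid predefines, so they never appear as an "acl" line in squid.conf (assumed table).
BUILTIN_ACLS = {"all": "src", "localhost": "src", "manager": "url_regex", "to_localhost": "dst"}
Rule = namedtuple("Rule", "lineno action terms")   # terms: [(negated, acl name lower-cased), ...]

def parse_config(text):
    """Return (acl name -> type, [http_access Rule ...], [(lineno, port options) ...])."""
    acls, rules, ports = dict(BUILTIN_ACLS), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1].lower(), parts[2])   # names compared case-insensitively here
        elif len(parts) >= 3 and parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!").lower()) for t in parts[2:]]
            rules.append(Rule(lineno, parts[1], terms))
        elif len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            ports.append((lineno, parts[2:]))
    return acls, rules, ports

def _types(rule, acls):
    return [(neg, acls.get(name, "undefined")) for neg, name in rule.terms]

def guard_kind(rule, acls):
    """'deny !Safe_ports' -> "ports"; 'deny CONNECT !SSL_ports' -> "connect"; otherwise None.
    Matching is by ACL *type*, so the names chosen in the config do not matter."""
    if rule.action != "deny":
        return None
    return {((True, "port"),): "ports",
            ((False, "method"), (True, "port")): "connect"}.get(tuple(_types(rule, acls)))

def lint(text):
    """Return [(finding code, line number or 0) ...]; an empty list means nothing to report."""
    acls, rules, ports = parse_config(text)
    findings = []
    kinds = [guard_kind(r, acls) for r in rules]
    for kind in ("ports", "connect"):
        if kind not in kinds:
            findings.append(("missing-%s-guard" % kind, 0))
    guards = [i for i, k in enumerate(kinds) if k]
    # Rules above the last guard see requests the guards would have rejected (odd
    # ports, CONNECT tunnels to anything); a slow ACL up there is the DoS exposure.
    cutoff = guards[-1] if guards else len(rules)
    for i, rule in enumerate(rules):
        types = _types(rule, acls)
        if any(t == "undefined" for _, t in types):
            findings.append(("undefined-acl", rule.lineno))
        if i < cutoff and i not in guards:
            findings.append(("before-guards", rule.lineno))
            if any(t in SLOW_ACL_TYPES for _, t in types):
                findings.append(("slow-acl-before-guards", rule.lineno))
    if not rules or rules[-1].action != "deny" or rules[-1].terms != [(False, "all")]:
        findings.append(("no-final-deny-all", 0))
    # crlfile=/sslflags=VERIFY_CRL on a port only cover *client* certificates and are
    # not loaded at all without clientca=; server certificates need sslproxy_crlfile.
    port_crl = [ln for ln, opts in ports if any(o.startswith("crlfile=") for o in opts)]
    for ln, opts in ports:
        if ln in port_crl and not any(o.startswith("clientca=") for o in opts):
            findings.append(("crlfile-without-clientca", ln))
    if port_crl and not re.search(r"^\s*sslproxy_crlfile\s", text, re.M):
        findings.append(("no-sslproxy-crlfile", 0))
    return findings

# Constructed excerpts reproducing the two threads (not complete configs).
BIRBIRD_CONF = """\
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
"""
FIXED_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl ncsa_users proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow ncsa_users
http_access deny all
"""
PFSENSE_CONF = """\
http_port 127.0.0.1:3128 intercept ssl-bump cert=/etc/squid/serverkey.pem crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
acl safeports port 21 70 80 443 563 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny connect !sslports
"""
```

`lint(FIXED_CONF)` returns nothing; `lint(BIRBIRD_CONF)` reports both guards missing, the proxy_auth rule sitting in front of them and no closing `deny all`; `lint(PFSENSE_CONF)` reports the four manager/purge rules above the guards plus the port-level `crlfile=` that has no `clientca=` and no `sslproxy_crlfile` to back it up for server certificates.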

[squid-users] ICAP response header ACL

2015-10-01 Thread Steve Hill


The latest adaption response headers are available through the 
%adapt::headers through an ACL?


The documentation says that adaptation headers are available in the 
notes, but this only appears to be headers set with adaptation_meta, not 
the ICAP response headers.  I had also considered using the "note" 
directive to explicitly stuff the headers into the notes, but it looks 
like the note directive doesn't allow you to use format strings (i.e. 
"note icap_headers %adapt::note to "%adapt::


Re: [squid-users] ICAP response header ACL

2015-10-01 Thread Alex Rousskov
On 10/01/2015 07:43 AM, Steve Hill wrote:

> The latest adaption response headers are available through the
> %adapt:: headers through an ACL?
> 
> The documentation says that adaptation headers are available in the
> notes, but this only appears to be headers set with adaptation_meta, 

and with eCAP meta headers/options IIRC.


> not
> the ICAP response headers.  I had also considered using the "note"
> directive to explicitly stuff the headers into the notes, but it looks
> like the note directive doesn't allow you to use format strings (i.e.
> "note icap_headers %adapt:: note to "%adapt::

[squid-users] Transparent proxy with Ubuntu 15.04 and Squid3

2015-10-01 Thread Jake
I have a Squid/Dansguardian proxy server that successfully works when
the client web browser is manually configured to use the proxy address:port.

What I want to do is configure a transparent proxy server, presuming I
wouldn't have to manually configure browsers.

My LAN environment diagram:
http://imgur.com/0MybmwE

This is a home network environment with a cable modem, wifi router,
client web browsers, and I have added the proxy server as a virtualized
VMware server.

For the proxy server I have two virtual network cards on the same subnet:
eth0 192.168.1.14 (gateway and the proxy address)
eth1 192.168.1.15

Is it possible the proxy server can intercept traffic from the clients,
when the clients have direct access to the internet router? I don't
understand how traffic is "intercepted" in this diagram.

Do I need to change something on the router?

How do I configure for proxy transparency?

I've read some configurations, but they were confusing, or out of date,
or specialized without much explanation.

Thanks,
Jake


Re: [squid-users] analyzing cache in and out files

2015-10-01 Thread Matus UHLAR - fantomas

> On 30/09/15 04:13, Matus UHLAR - fantomas wrote:
>> the problem was iirc in caching partial objects
>> http://wiki.squid-cache.org/Features/PartialResponsesCaching
>>
>> that problem could be avoided with properly setting range_offset_limit
>> http://www.squid-cache.org/Doc/config/range_offset_limit/
>> but that also means that whole files instead of just their parts are
>> fetched.
>>
>> it's quite possible that microsoft changed the windows updates to be smaller
>> files, but I don't know anything about this, so I wonder if you really do
>> cache windows updates, and how does the caching work related to informations
>> above...

On 30.09.15 11:08, Leonardo Rodrigues wrote:
>    yes, i'm definitely caching windows update files !!
>
> [root@firewall ~]# cd /var/squid/
> [root@firewall squid]# for i in `find . -type f`; do strings $i | head -3 | grep "http://"; done | grep windowsupdate | wc -l
>
> 824
>
>    and yes, i had to configure range_offset_limit:
>
> range_offset_limit 500 MB updates
> minimum_object_size 500 KB
> maximum_object_size 500 MB
> quick_abort_min -1
>
> (being 'updates' the ACL with the URLs to be cached, basically
> windowsupdate and avast definition updates - the second one required
> further tweaks with storeid_rewrite for the CDN URLs)

of course... BTW at one of my customers I noticed downloading the same HUGE
files multiple times a day from a few machines - comodo antivirus.
Some of updates have even worse design...

>    from access.log, i see a lot of TCP_HIT/206 (and just a few
> TCP_HIT/200), so it seems squid is able to get the fully cached file
> and provide the smaller pieces requested:
>
> [root@firewall squid]# grep "TCP_HIT/" access.log | grep windowsupdate | wc -l
>
> 9860
> [root@firewall squid]# bzcat access.log.20150927.bz2 | grep "TCP_HIT/" | grep windowsupdate | wc -l
>
> 38584

can you provide maximum size of those files?

>    having squid to download the WHOLE file at the very first request
> (even a partial request) may be bad, but considering it will be used
> later to provide the data for other requests, even partial ones, make
> things a little better.
>
> (this windowsupdate caching is running just for a few weeks, i expect
> HITs to grow a little more)

watching this and providing information would be nice from you...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


[squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2015-10-01 Thread David Touzeau


Dear

I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode 
with SSL hooked
In my config, i did not bump any site ( just to pass SSL protocol to 
squid in transparent mode)


I'm trying to connect to https://raj2796.wordpress.com

In cache.log

2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS 
Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41

2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)
2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)
2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)
2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)


And I'm unable to display the web site; the browser freezes when trying to 
open the website...


How can I bypass this website and force squid to not analyze the certificate 
on *.wordpress.com?




My config
https_port 0.0.0.0:53695  intercept ssl-bump 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn 
options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
sslproxy_cipher 
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslproxy_version 0
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cert_error allow all

Best regards



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-01 Thread HackXBack
we wish that somebody can build a good fingerprinting algorithm for pinning
clients
Thank you Alex





Re: [squid-users] Transparent proxy with Ubuntu 15.04 and Squid3

2015-10-01 Thread Amos Jeffries
On 2/10/2015 8:15 a.m., Jake wrote:
> I have a Squid/Dansguardian proxy server that successfully works when
> the client web browser is manually configured to use the proxy address:port.
> 
> What I want to do is configure a transparent proxy server, presuming I
> wouldn't have to manually configure browsers.

"transparent proxy" is not what you think.

The best choice is to use WPAD/PAC auto-configuration. That gets you all
the benefits of manual configuration without the troubles of either
manual or interception.


> 
> My LAN environment diagram:
> http://imgur.com/0MybmwE
> 
> This is a home network environment with a cable modem, wifi router,
> client web browsers, and I have added the proxy server as a virtualized
> VMware server.
> 
> For the proxy server I have two virtual network cards on the same subnet:
> eth0 192.168.1.14 (gateway and the proxy address)
> eth1 192.168.1.15
> 
> Is it possible the proxy server can intercept traffic from the clients,
> when the clients have direct access to the internet router? I don't
> understand how traffic is "intercepted" in this diagram.

The router needs to route the packets to/through the proxy server.

> 
> Do I need to change something on the router?

Yes.

> 
> How do I configure for proxy transparency?
> 

You didn't say what your router software was...


> I've read some configurations, but they were confusing, or out of date,
> or specialized without much explanation.

The explanation for that is each router software being different. Config
for one routing application will not work for others.

Amos
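A PAC file for the network Jake describes, as an added example (not from the thread or the Squid project), showing the WPAD/PAC approach Amos recommends: browsers are pointed at the Squid/Dansguardian host instead of being intercepted. It assumes the proxy listens on TCP 3128 (Squid's default http_port, not stated in the thread) and that the LAN is 192.168.1.0/24; 192.168.1.14 is the proxy address from Jake's diagram. A browser supplies isPlainHostName, isInNet and dnsResolve itself; the stand-ins at the bottom only let the file be exercised outside a browser.

```javascript
// Added example, not from the thread. Assumed: proxy on TCP 3128 (Squid default),
// LAN 192.168.1.0/24. 192.168.1.14 is the proxy address from Jake's diagram.
var PROXY_HOST = "192.168.1.14";
var PROXY_PORT = 3128;
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";

function FindProxyForURL(url, host) {
  // Single-label names (e.g. "nas") are LAN-internal: go direct.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Hosts on the LAN itself (the router, the proxy) also go direct.
  var addr = dnsResolve(host);
  if (addr !== null && isInNet(addr, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback:
  // it would let clients bypass the filter whenever the proxy is unreachable.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}

// Stand-ins for the PAC built-ins (the browser provides the real ones).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0); // >>> 0 keeps the result unsigned
}
// Stand-in resolver: accepts only IPv4 literals; real DNS is the browser's job.
function dnsResolve(host) {
  return ipToInt(host) === null ? null : host;
}
```

Serve the file as wpad.dat (or hand its URL to the browser) and the clients configure themselves; nothing on the router has to redirect packets.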


Re: [squid-users] [3.5.9]: Error negotiating SSL connection on FD 12: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2015-10-01 Thread Amos Jeffries
On 2/10/2015 11:18 a.m., David Touzeau wrote:
> 
> Dear
> 
> I'm using Squid Cache: Version 3.5.9-20150922-r13918 in transparent mode
> with SSL hooked.
> In my config, I did not bump any site (just to pass the SSL protocol to
> Squid in transparent mode).
> 
> I'm trying to connect to https://raj2796.wordpress.com
> 
> In cache.log
> 
> 2015/10/02 00:07:05 kid1| Accepting NAT intercepted SSL bumped HTTPS
> Socket connections at local=0.0.0.0:53695 remote=[::] FD 100 flags=41
> 2015/10/02 00:07:05 kid1| Accepting ICP messages on [::]:3130
> 2015/10/02 00:07:05 kid1| Sending ICP messages from [::]:3130
> 2015/10/02 00:07:05 kid1| Accepting SNMP messages on [::]:3401
> 2015/10/02 00:07:10 kid1| Error negotiating SSL connection on FD 12:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:20 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:07:21 kid1| Error negotiating SSL connection on FD 17:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 2015/10/02 00:09:10 kid1| Error negotiating SSL connection on FD 114:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
> 
> And I'm unable to display the web site; the browser freezes when trying to
> open the website...
> 
> How can I bypass this website and force Squid not to analyze the certificate
> on *.wordpress.com?
> 

Couple of problems...

> 
> My config
> https_port 0.0.0.0:53695  intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
> options=NO_SSLv3 dhparams=/etc/squid3/ssl/dhparam.pem

No SSLv3, but SSLv2 is allowed. TLS version negotiation relies on a
range of protocol versions from N to N+x being selectable. If you poke
holes by denying one version in the middle problems arise.

NP: SSLv2 was only removed in Squid-4.

This alone is probably your problem. But there is more you should fix to
prevent later troubles.


> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice all

With splice none of the ssl_proxy_* options are relevant. Apart from
initially peeking at a few bytes, the TLS/SSL should be blindly tunnelled
between client and server.

We intend the above config to operate as if the client had sent an
explicit-proxy a CONNECT and Squid without SSL support had received and
enacted it. Sans bugs we have not found yet, that is how 3.5.8 and later
operate.


> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 

This tells Squid to use EEC* and EC* ciphers. Squid-3.5 and older do not
support those.


> sslproxy_version 0
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cert_error allow all


Amos


[squid-users] Can not pass Squid basic authentication

2015-10-01 Thread birbird
Hi All,


I have set up basic authentication for Squid, but I cannot get past it from the
browser; I am just asked to input user/password time and time again.


I am stuck at this: the command
/usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
does not give any output. I think it means Squid cannot get the authentication
info. But I have no idea what to do next.


I created my password by
htpasswd -d /etc/squid/squid_passwd dan


My squid config is
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED

http_access allow ncsa_users


Could anyone please tell me what's wrong with this?
Any help will be highly appreciated!