[squid-users] squid.conf Help

2015-10-02 Thread Marius Van Heerden
Hi all. Can you help?

When I use the following lines in my squid.conf it works, but it connects to
a local proxy server:

cache_peer 10.185.131.46  parent   3128  3130  proxy-only default
cache_peer 10.185.131.13  sibling   3128  3130  proxy-only

When I use the following destination proxy server it does not work.

cache_peer 10.123.217.82  sibling   3128  3130  proxy-only default

Both the first 2 servers connect to this proxy and are working fine, but as
soon as I link this server to it squid fails to connect. 

Any help will be appreciated. 

Here follows my squid.conf file.


acl all src all
acl allow localhost
acl allow localnet
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 3128   #http
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
acl apache rep_header Server ^Apache
http_access allow all
http_access allow manager localhost
http_access allow localhost
http_access allow localnet
http_access allow all
cache_peer 10.185.131.46  parent   3128  3130  proxy-only default
cache_peer 10.123.217.82  sibling   3128  3130  proxy-only
cache_peer 10.185.131.13  sibling   3128  3130  proxy-only
http_reply_access allow all
icp_access allow localnet
never_direct allow all
forwarded_for on
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320
cache_swap_high 95

Kind Regards,

Marius
 
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid.conf Help

2015-10-02 Thread Amos Jeffries
On 2/10/2015 7:24 p.m., Mariusvh wrote:
> Hi all. Can you help?
> 
> When I use the following lines in my squid.conf it works, but it connects to
> a local proxy server:
> 
> cache_peer 10.185.131.46  parent   3128  3130  proxy-only default
> cache_peer 10.185.131.13  sibling   3128  3130  proxy-only
> 
> When I use the following destination proxy server it does not work.
> 
> cache_peer 10.123.217.82  sibling   3128  3130  proxy-only default
> 
> Both the first 2 servers connect to this proxy and are working fine, but as
> soon as I link this server to it squid fails to connect. 
> 


Notice how the "10.123.*" is on a completely different subnet to the
working peers. It is probably a router or firewall level problem
preventing traffic connecting to that peer.


> Any help will be appreciated. 
> 
> Here follows my squid.conf file.

There are quite a few broken things in that config. Please update to
the latest Squid version you can, then run "squid -k parse" and fix the
ERRORs and WARNINGs which it reports.


Amos



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
Just a reminder people, but you've gone off-topic. The postbank.de
website issue has NOTHING to do with pinning.

Someone mentioned earlier it's due to the HTTPS cert not having a
complete cert-chain, and that web browsers auto-correct that situation,
but squid does not. So I would say either squid should:

1. implement the same sort of auto-correction code (say) Firefox does
(which I bet is a lot of work), or
2. flick into splice-mode when there's a cert error (which could be as
much work - I dunno)

I use external_acl_type to call an external script that tries to achieve
that. Basically it manually downloads the homepage to get the cert,
checks if it's valid against the OS CA list and if not, returns ERR so
that squid splices the connection instead of bumping it. That means the
entire connection blocks, of course, the first time this occurs, but after
that it caches it and it mostly works.


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

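A helper along the lines Jason describes, written here as an added example rather than Jason's script or Squid project code: it speaks Squid's external ACL helper protocol on stdin/stdout, uses Python's default SSL context as the "OS CA list", and caches each verdict so only the first request for a site blocks. The squid.conf sketch in the docstring, the `%ssl::>sni` format code and the `cert_check` names are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: OK when the origin server's certificate chain
verifies against the OS trust store, ERR otherwise (so ssl_bump can splice).
Assumed squid.conf sketch (not from the thread):
  external_acl_type cert_check ttl=3600 %ssl::>sni /usr/local/bin/cert_check.py
  acl cert_ok external cert_check
  ssl_bump splice !cert_ok
  ssl_bump bump all
"""
import socket
import ssl
import sys
import time


def verify_server_cert(host, port=443, timeout=5.0):
    """Connect with TLS and let the OS trust store judge the chain (hostname
    check included). Returns (verified, reason) with reason free of spaces."""
    ctx = ssl.create_default_context()  # OS CA list, hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain_verified"
    except ssl.SSLCertVerificationError as exc:
        # Incomplete chain, expired cert, name mismatch, unknown issuer, ...
        return False, "cert_error:" + str(exc.verify_message).replace(" ", "_")
    except (OSError, ssl.SSLError) as exc:
        # Unreachable host or handshake failure: not safe to bump either
        return False, "connect_error:" + type(exc).__name__


class VerdictCache:
    """Keep each host's reply for ttl seconds so only the first request for
    a site pays the blocking round trip; clock is injectable for testing."""

    def __init__(self, ttl=3600.0, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def get(self, host):
        hit = self.entries.get(host)  # (reply, expiry) or None
        if hit is None or hit[1] <= self.clock():
            return None
        return hit[0]

    def put(self, host, reply):
        self.entries[host] = (reply, self.clock() + self.ttl)


def decide(request_line, cache, verifier=verify_server_cert):
    """One request line -> one reply line. The request carries the server
    name, preceded by a numeric channel-ID when run with concurrency=N."""
    fields = request_line.split()
    if not fields:
        return "ERR message=empty_request"
    channel = ""
    if len(fields) > 1 and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    host = fields[0].lower()
    reply = cache.get(host)
    if reply is None:
        ok, reason = verifier(host)
        reply = ("OK" if ok else "ERR") + " message=" + reason
        cache.put(host, reply)
    return channel + reply


def main():
    cache = VerdictCache()
    for line in sys.stdin:
        sys.stdout.write(decide(line, cache) + "\n")
        sys.stdout.flush()  # Squid waits for the reply line; never buffer it


if __name__ == "__main__":
    main()
```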


[squid-users] Peek And Splice memory leak

2015-10-02 Thread Александр Демченко
Hello!
It looks like I have a memory leak on squid with peek and splice https
traffic.
I use squid 3.5.9 (tried 3.5.8 and 3.5.7 also). Tried both OpenSSL and
LibreSSL.
CentOS 7. Traffic is redirected transparently by WCCP.
Server: 8 cores, 64GB RAM. Approx 600 clients with 150 requests per second.

Squid consumes RAM without limits. Around 10MB a second. (Screenshot from
zabbix: http://snag.gy/HQmJI.jpg)

Configuration:
#Disable cache
cache deny all
cache_mem 0 GB
memory_pools on
memory_pools_limit 0 MB

#Multi core
workers 6

https_port squid_ip:3129 intercept ssl-bump \
key=/etc/squid/certs/squid.pem \
cert=/etc/squid/certs/squid.pem \
generate-host-certificates=off \
dynamic_cert_mem_cache_size=0MB \
sslflags=NO_DEFAULT_CA

http_port squid_ip:3128

acl block_url ssl::server_name "/etc/squid/https_block.txt"

#Step settings
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump terminate step3 block_url
ssl_bump splice step3 all

http_access allow all

Has anybody else had the same problem?


Re: [squid-users] Squid ignores crlfile options

2015-10-02 Thread Sebastian Kirschner
Thanks Amos for the reply,

I will trim the config with your recommendations but a few questions exist on
my side.

" If you mean it to be used to verify the *server* certificates then you need
to configure sslproxy_crlfile instead."

I guess that was what I'm looking for :-) ,
but I couldn't find anything about that configuration directive on
the squid doc configuration site and my squid ignores the option
because it's unrecognized.

"> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?"

Should the value be ignored because it's a zero?
Here is the part of the Squid configuration document:
"If you set this parameter to a zero (the default), there will 
be no limit imposed."

" build-info requires a string. Whoever provided this package needs to fix 
that."
I was the builder :-) , could you give me a hint about that?

Mit freundlichen Grüßen / Best Regards

Sebastian 

Message: 4
Date: Fri, 2 Oct 2015 02:51:56 +1300
From: Amos Jeffries 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid ignores crlfile options
Message-ID: <560d3a7c.2020...@treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
> 
> I'm using squid (3.5.9) as a transparent https proxy with build options (see 
> below) and config (see below, I removed some uninteresting things from the 
> config like caching).
> 
> To get the system more secure I would like to add crl checking (at the moment 
> static , later maybe dynamic if it's possible with my skills :-) ) and ocsp 
> (later) .
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site , checked if a CRL URI is 
> available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it into my squid.conf 
>  "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
> 
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/  is 
> revoked in the crl.
> 
> But why does squid seem to ignore the crlfile option / file? 

Because it is only relevant on http(s)_port when there is TLS client 
certificate authentication being verified. You do not have that configured.


> Also I tested using the crl in DER format but it still wouldn't work, and I 
> didn't even see an error in the log when the file isn't available.

It is not even loaded unless the clientca= is configured. Which turns on client 
cert authentication.


If you mean it to be used to verify the *server* certificates then you need to 
configure sslproxy_crlfile instead.


> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> http_port 127.0.0.1:3128 intercept ssl-bump 
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> https_port 127.0.0.1:3129 intercept ssl-bump 
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the account 
'squid'. It is usually a good idea to stick with the


> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be a FQDN and publicly resolvable. It is the DNS 
hostname people use to access your proxy for those icons you configured 
(amongst other things).

> cache_mgr ad...@pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will run 
unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
> 
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src  local.network.range
> forwarded_for on

This is a default, remove the forwarded_for line.

> uri_whitespace strip
> 
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic

Remove the above if 

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Amos Jeffries
On 2/10/2015 7:58 p.m., Jason Haar wrote:
> Just a reminder people, but you've gone off-topic. The postbank.de
> website issue has NOTHING to do with pinning.
> 
> Someone mentioned earlier it's due to the HTTPS cert not having a
> complete cert-chain, and that web browsers auto-correct that situation,
> but squid does not. So I would say either squid should:
> 
> 1. implement the same sort of auto-correction code (say) Firefox does
> (which I bet is a lot of work), or
> 2. flick into splice-mode when there's a cert error (which could be as
> much work - I dunno)
> 
> I use external_acl_type to call an external script that tries to achieve
> that. Basically it manually downloads the homepage to get the cert,
> checks if it's valid against the OS CA list and if not, returns ERR so
> that squid splices the connection instead of bumping it. That means the
> entire connection blocks, of course, the first time this occurs, but after
> that it caches it and it mostly works.

I'm not sure but a custom certificate validator helper can probably do
all this better. An example helper in Perl can be found at
helpers/ssl/cert_valid.pl

Amos



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 21:38, Amos Jeffries wrote:
> I'm not sure but a custom certificate validator helper can probably do
> all this better. An example helper in Perl can be found at
> helpers/ssl/cert_valid.pl
That website worked for me because my external validator had an
exception rule for valid certs containing "bank" (which makes it "ERR" -
causing squid to splice it instead of bumping it). To see this problem for
myself I removed that check and indeed bumping then failed to work
(squid-3.5.10).

I then pointed ssllabs.com at that site and it got a "B" rating and
there's no obvious sign of a cert error - so I can't figure out what is
going wrong. I've manually downloaded the server cert using "openssl
s_client" and the cert chain validates just fine - so what is squid
doing to it? Weird...

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[squid-users] SSL Bump and NF getsockopt failed

2015-10-02 Thread Job
Hello,

I have enabled SSL Bump with certificates; I redirect 443 to port 3129 
of my Squid server, but https sites are not accessible anymore and I can see 
these errors in the logs:

ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx

The section regarding SSL Bump in squid.conf is the following:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem 
key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all

And https traffic, with NAT, goes out without any problems.

Where am I wrong?

Thank you!
Francesco


[squid-users] Squid 3.5.9 for Microsoft Windows 64-bit is available (not 3.5.10 yet!)

2015-10-02 Thread Rafael Akchurin
Greetings everyone,

The CygWin based build of Squid proxy for Microsoft Windows version 3.5.9 is 
now available (amd64 only!).

* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.9-RELEASENOTES.html.

* Ready to use MSI package can be downloaded from http://squid.diladele.com.

* List of open issues for the installer - 
https://github.com/diladele/squid3-windows/issues

Thanks a lot to the Squid developers for making this great software!

Please join our humble efforts to provide a ready-to-run MSI installer for Squid 
on Microsoft Windows with all required dependencies at GitHub -
https://github.com/diladele/squid3-windows. Please report all 
issues/bugs/feature requests at the GitHub project.

Issues about the *MSI installer only* can also be reported to 
supp...@diladele.com.

NB: 3.5.10 is already here, we'll do it in a couple of days!

Best regards,

Rafael Akchurin

Diladele B.V.

--

Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy.


[squid-users] Squid 3.5 for Windows and AD authentication

2015-10-02 Thread Keith White
I have installed squid 3.5 on Win2K12 and it is working fine.  The next step is 
to enable AD auth and apply an ACL for groups. All the documentation for AD 
auth is geared towards linux. Are there any docs/guides for doing this on 
Windows?

Thanks,

Keith


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 23:43, Amos Jeffries wrote:
> I'm suspecting the order of these options screws things up. Or maybe
> just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL

...but I don't even use sslproxy_options. There have been at least 3
people saying that bump doesn't work with that site - we all won't have
identical configs.

Chrome reports "ERR_CONNECTION_CLOSED" and Firefox "The connection to
banking.postbank.de was interrupted while the page was loading." - that
doesn't even sound cert-related - more TCP related (between client and
squid). Remember: the site works fine when squid is set to splice that site.

I have compared the fake cert generated by squid against the real one
and there's obvious differences (using "openssl s_client -connect
banking.postbank.de:443 -servername banking.postbank.de|openssl x509
-noout -text"). References to "Certificate Policies" and "Certificate
Transparency" are present in the real cert and there's no equivalent in
the Fake cert. How that could trigger a TCP reset is beyond me? I've
also cranked up logging and there was nothing overt showing an issue

Real:

 X509v3 Certificate Policies:
     Policy: 2.16.840.1.113733.1.7.23.6
       CPS: https://d.symcb.com/cps
       User Notice:
         Explicit Text: https://d.symcb.com/rpa
 X509v3 Basic Constraints:
     CA:FALSE
 1.3.6.1.4.1.11129.2.4.2:
Signature Algorithm: sha256WithRSAEncryption


Fake:

X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption




-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] Squid ignores crlfile options

2015-10-02 Thread Amos Jeffries
On 3/10/2015 12:11 a.m., Sebastian Kirschner wrote:
> Thanks Amos for the reply ,
> 
> I will trim the config with your recommendations but a few questions exists 
> on my side.
> 
> " If you mean it to be used to verify the *server* certificates then you need 
> to configure sslproxy_crlfile instead."
> 
>   I guess that was what im looking for :-) , 
>   but I couldn’t find something about that configuration directives on 
> the squid doc configuration site and my squid ignores the options
>   because its unrecognized.
> 

Sorry. I keep forgetting that one is not supported in Squid-3.

You will need Squid-4 with:
 tls_outgoing_options crlfile=/...


> "> request_body_max_size 0 KB
> 
> Seriously? POST and PUT are forbidden to send data anywhere?"
> 
>   Should the value be ignored because it’s a zero ?
>   Here the part of the Squid configuration document 
>   "If you set this parameter to a zero (the default), there will 
> be no limit imposed."

Maybe yes, maybe no. Sometimes our documentation is out of date and we
are moving to a model where "none" (the word) means no limits.

If you want the default, remove it from the config file. That goes for
almost all directives in Squid-3.


> 
> " build-info requires a string. Whoever provided this package needs to fix 
> that."
>   I was the builder :-) , could you give me a hint about that ?

It is a string for branding, or adding a custom sentence to squid -v
output. Major distros use it to label their builds clearly in a way
separated from the release version. Some of my clients use it to label
what their custom patching was applied to the build.

If you don't set it to a string like --enable-build-info="something" it
is not useful and can be removed entirely.


Amos



Re: [squid-users] Cache_dir NULL

2015-10-02 Thread Amos Jeffries
On 3/10/2015 12:25 a.m., Job wrote:
> Hello,
> 
> i was trying the "null" storage module in Squid 3.4.x.

It does not exist.

Squid-3 does proper memory-only caching by default. Just erase or
comment out all cache_dir lines in your config and it works.

> I have some systems with huge numbers of users and with high traffic peaks especially 
> during the morning.
> 
> We use Squid to filter internet traffic.
> 
> Do you think that enabling the cache_dir null will give us better 
> performances and less system usage?

RAM is faster than disk. This is a basic fact of I/O.

Eliminating the disk from the proxying system changes the I/O needs.
Whether that switch is a latency gain or loss depends on your traffic.

If your network is faster than the disks you were using; then it may
have some gain, otherwise not.

Amos



Re: [squid-users] SSL Bump and NF getsockopt failed

2015-10-02 Thread Amos Jeffries
On 3/10/2015 12:31 a.m., Job wrote:
> Hello,
> 
> I have enabled SSL Bump with certificates; I redirect 443 to port 3129 
> of my Squid server, but https sites are not accessible anymore and I can 
> see these errors in the logs:
> 
> ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx

The connection arriving at Squid does not have any NAT records in the
Squid machine kernel.

It is mandatory that NAT be done on the Squid machine. Not on some
remote router (aka CPE "port-forwarding").

It is mandatory that you *not* test NAT ports by configuring your
browser to use the proxy via it. Configure the testing browser the same
way the clients would be tested.

Amos


Re: [squid-users] Squid 3.5 for Windows and AD authentication

2015-10-02 Thread Amos Jeffries
On 3/10/2015 6:11 a.m., Keith White wrote:
> I have installed squid 3.5 on Win2K12 and it is working fine.  The
> next step is to enable AD auth and apply an ACL for groups. All the
> documentation for AD auth is geared towards linux. Are there any
> docs/guides for doing this on Windows?


The SSPI helpers are Windows native integration.

Though, Cygwin is trying to emulate Linux/POSIX on Windows so I'm not
sure which set of helpers are required there. Diladele may be able to help.

Amos