Re: [squid-users] Caching Facebook content

2015-10-07 Thread iishiii
Dear

1. It's legal, I think.
2. Which OS should I choose to run Squid on so that it fulfils my requirements?
3. Please give any good tutorial example for SSL bump to work with that.
4. And also explain about Store ID...


I need to get it done as my bandwidth is being choked due to Facebook,
Play Store, Windows updates and other dynamic content...
Bandwidth is the cost here :(

Please help me




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Caching-Facebook-content-tp4673579p4673615.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] 3.5.9 error, typo?

2015-10-07 Thread Tory M Blue
X-Cnection: close

X-Cnection ??

Can someone explain that one to me, don't recall seeing it in previous
releases

Thanks
Tory


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Amos Jeffries
On 7/10/2015 10:47 a.m., Ishtiaq Iqbal wrote:
> Dear All Please guide me how to cache facebook content with squid
> 

First; discover whether man-in-middle decryption is legal for your
situation. This is VERY IMPORTANT.

Second; get yourself a Squid with SSL capabilities enabled. This may or
may not be provided by your OS distribution.

Third; configure SSL-bump feature to decrypt facebook HTTPS traffic.


Amos



Re: [squid-users] Accessing cache_peer siblings with ssl for reverse proxy

2015-10-07 Thread Amos Jeffries
On 7/10/2015 3:11 a.m., Veiko Kukk wrote:
> Hi everyone,
> 
> I have successfully set up reverse proxy and ICP communication between
> siblings. I'd like to encrypt cache sharing between siblings, but cannot
> figure out the optimal solution for this. I have not found from
> documentation, how to do ssl encryption between cache_peer hosts so that
> cache objects are transferred securely over the Internet.
> 
> It works like this: local http client connects to squid with plain http,
> squid acts as https client for remote server, fetches objects and stores
> them into cache. The question is, how to fetch objects from sibling
> caches with ssl and minimal overhead?

Same way you configured it for the parent proxy. What makes you think it
would be any different?

Amos


Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Amos Jeffries
On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
> On 10/06/2015 01:27 AM, Jason Haar wrote:
>> Good catch - I don't think squid does CRL/OCSP checks
> 
>> But this is a bug in squid - this means untrustworthy certs become
>> trusted again - not a good look
> 
> 
> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
> difficult to configure to do CRL checks. If my recollection is correct,
> then this is not exactly a Squid bug but more like a missing convenience
> feature.

Exactly. All that's missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.

> 
> Squid does not know about OCSP. Another missing feature.
> 
> One may perform all those checks using a custom certificate validator
> helper, of course.
> 

Amos



Re: [squid-users] authentication setup for squid-internal-mgr

2015-10-07 Thread Amos Jeffries
On 7/10/2015 6:41 a.m., Tory M Blue wrote:
> So I was playing with squid-internal-mgr (replacement for cachemgr.cgi it
> seems), but I have no real authentication access , other than my ACL's
> 
> acl manager url_regex -i ^cache_object:// +i
> ^https?://[^/]+/squid-internal-mgr/
> 
> 
> And limited to my networks obviously.
> 
> But as of now those pages are wide open, so anyone could go to /menu and
> see /shutdown and type that in and bingo bango my squid server is shutdown.
> 

I believe the word is "Meh.". This is one of the expected use-cases for
CacheMgr, i.e. how the new access methods are designed to be used.

Strictly speaking it's anyone who can access those reports. You just have
one less layer of protection than default installs use.

> 
> So was wondering if there is a way to make some of these pages require
> authentication? I'm not clear what "public" means in each instance below,

"public" means there is no report-specific password set by
cachemgr_passwd directive required to access it. The only control will
be the http_access rules you configure.


You create a urlpath_regex ACL to match regular (not squidclient or
cachemgr.cgi) requests for the reports like so:

 acl foo urlpath_regex \
^/squid-internal-mgr/(shutdown|reconfigure|rotate|offline_toggle)

Authentication can be applied in combination with that to do whatever
reports you want authenticated. Also group limitations, external ACL,
specific src IPs, etc..

Amos

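A squid.conf fragment, added here as an example and not taken from the thread, showing the open layout described in the question beside the restriction Amos outlines. The `manager` ACL is Squid's built-in one (3.2 and later); the auth helper path, password file and local network range are assumptions.

```conf
# --- As in the question: every manager action is reachable by anyone the
# http_access rules let in, including /squid-internal-mgr/shutdown.
acl localnet src 192.168.0.0/16          # assumed local range
http_access allow manager localnet
http_access deny manager

# --- Restricted: actions that change state need an authenticated user;
# read-only reports (menu, info, counters, ...) stay open to localnet.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/mgr_passwd  # assumed paths
auth_param basic realm Squid cache manager
acl mgr_user proxy_auth REQUIRED
acl mgr_action urlpath_regex \
    ^/squid-internal-mgr/(shutdown|reconfigure|rotate|offline_toggle)
# An unauthenticated request for one of these paths is challenged (407);
# a wrong or missing password never reaches the action.
http_access deny manager mgr_action !mgr_user
http_access allow manager localnet
http_access deny manager
```

Order matters: the deny line must precede the general allow, otherwise localnet clients match the allow first and the action runs without credentials.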


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Amos Jeffries
On 7/10/2015 10:00 p.m., Yuri Voinov wrote:
> and fourth. Consider correct usage of Store-ID.
> 

For facebook? they are/were pretty good for cacheability before the
HTTPS fanatics got to them.

Amos



Re: [squid-users] Site not Working through SQUID

2015-10-07 Thread Amos Jeffries
On 7/10/2015 7:32 a.m., Cristiano Nunes wrote:
> Hi Antony.
> 
> The URL is www..yasudamaritima.com.br, but according to the user, you have
> to navigate and authenticate to the portion of the site which is supposed
> to show the window, but the window is blank.
> 
> The squid.log captured during the user session is below:
> 

Apart from the favicon, which is inconsequential, those transactions are
all successful (2xx and 3xx status) and appear to have completed
properly. Some of the CONNECTs are staying active for several minutes
though, so the ones listed are unlikely to be related to the request at
the top, and if there were any they could close much later than the log
shows.

> 
> And here is my squid.conf.
> 

Looks very much okay.


Which leaves us with the troublesome issues like path-MTU discovery
problems. If there is a CONNECT happening but some payload data packets
not getting through you could end up with missing page parts.

Or maybe, server application not coping with proxied traffic. I've seen
some that simply crash the backend server script engine if you pass it a
X-Forwarded-For header with non-IPv4 contents.

Or maybe, the window was supposed to contain something over a non-HTTP
protocol that is broken.

Amos


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Yuri Voinov

and fourth. Consider correct usage of Store-ID.

07.10.15 14:59, Amos Jeffries wrote:

On 7/10/2015 10:47 a.m., Ishtiaq Iqbal wrote:

Dear All Please guide me how to cache facebook content with squid


First; discover whether man-in-middle decryption is legal for your
situation. This is VERY IMPORTANT.

Second; get yourself a Squid with SSL capabilities enabled. This may or
may not be provided by your OS distribution.

Third; configure SSL-bump feature to decrypt facebook HTTPS traffic.


Amos



Re: [squid-users] 3.5.9 error, typo?

2015-10-07 Thread Amos Jeffries
On 8/10/2015 11:44 a.m., Tory M Blue wrote:
> X-Cnection: close
> 
> X-Cnection ??
> 
> Can someone explain that one to me, don't recall seeing it in previous
> releases
> 

Some HTTP agents mangle the "Connection:" header name as a way to
disable it rather than removing it like they should.

Unless you have some custom patch on Squid doing this, it's not Squid, but
just being relayed because the mangled header name is interpreted as a
custom header.

Amos



Re: [squid-users] squid 3.1 ldap authentication

2015-10-07 Thread Amos Jeffries
On 8/10/2015 8:18 a.m., nando mendonca wrote:
> Hi,
> 
> I have squid 3.1 installed using ldap authentication. When I access a
> browser I enter my ldap credentials and it works fine. I'm able to browse
> all sites without any issues.
> 
> 
> Is there a way to use ldap groups to allow certain groups access to a few
> sites on the internet and then pretty much block everything else?

Please read this page 

Particularly the sections titled "Common Mistakes".

> 
> I’m able to restrict access to only a couple of sites and block everything
> else without using ldap group authentication, was just hoping this can be
> done with ldap group authentication.

Well, no because you cannot authenticate a whole group. There is no such
thing as "ldap group authentication"

There is group *authorization*, with LDAP protocol used to fetch the
group details.

Amos



[squid-users] Offtopic message (Invitation to the 6th FOSS International Workshop)

2015-10-07 Thread Amaury Viera Hernández

Hello to everyone. As you can read in the subject, this message is off topic, 
but if you forgive me I want to invite you to participate in the 6th FOSS 
International Workshop that will be held in Havana, Cuba, from March 14th to 
18th, 2016 organized by the Free Software Center from the University of 
Informatics Sciences.

Workshop site: http://www.informaticahabana.cu/en/eventos/show/98
Event site: http://www.informaticahabana.cu/en/

You can participate as a delegate or as a researcher and exchange with
colleagues from many places in the world about free and open source
technologies. As a researcher, and with the goal of getting a publication, you need
to know these things about the submission of papers:

IMPORTANT DATES

Convention

Presentation of abstracts and papers: October 20th, 2015
Notification on acceptance: November 20th, 2015
Sending of final paper for publication: December 7th, 2015

Fair
Applications for exhibition samples: up to January 28th, 2016
Confirmation of acceptance of exhibition samples: up to February 18th, 2016

Regards, Amaury.
17 October: 2015 Cuban Final of the ACM-ICPC Programming Contest.
http://coj.uci.cu/contest/contestview.xhtml?cid=1407


Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-07 Thread Dan Charlesworth
Same here—I've been meaning to ask the list about this too. I’m still on 3.5.9, 
by the way.

> On 6 Oct 2015, at 10:55 PM, Roel van Meer  wrote:
> 
> Hi everyone,
> 
> I have a Squid setup on a linux box with transparent interception of both 
> http and https traffic. Everything worked fine with Squid 3.5.6. After 
> upgrading to version 3.5.10, I get many warnings about host header forgery:
> 
> SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 
> remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain 
> IP)
> SECURITY ALERT: By user agent:
> SECURITY ALERT: on URL: nexus.officeapps.live.com:443
> 
> These warnings all seem to occur for https web sites that use multiple DNS 
> records. The warnings coincide with the fact that the clients are unable to 
> get the requested page.
> 
> I've read the wiki page 
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> and I can assert that:
> - we do NAT on the same box that is running Squid
> - both squid and the clients use the same DNS server
> 
> I've also tested 3.5.9, and this version also showed these warnings.
> Version 3.5.7 worked fine, and 3.5.8 did too.
> 
> So, one of the changes in 3.5.9 caused this behaviour.
> 
> Can anyone shed some more light on this? Is this a problem in my setup that 
> surfaced with 3.5.9, or is it a problem in Squid?
> 
> Thanks a lot for any help,
> 
> Roel
> 
> 
> My (abbreviated) config:
> 
> http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
> http_port 192.168.9.1:3129 intercept
> https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
> icp_port 0
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> acl port-direct myportname 192.168.9.1:3128
> ssl_bump none port-direct
> acl port-trans_https myportname 192.168.9.1:3130
> external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD 
> %ssl::>sni /usr/bin/squidGuard-aclsni
> acl checksni external sni
> 
> ssl_bump peek port-trans_https step1
> ssl_bump terminate port-trans_https step2 checksni
> ssl_bump splice port-trans_https all
> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> 
> 
> 


[squid-users] squid 3.1 ldap authentication

2015-10-07 Thread nando mendonca
Hi,

I have squid 3.1 installed using ldap authentication. When I access a
browser I enter my ldap credentials and it works fine. I'm able to browse
all sites without any issues.


Is there a way to use ldap groups to allow certain groups access to a few
sites on the internet and then pretty much block everything else?


I’m able to restrict access to only a couple of sites and block everything
else without using ldap group authentication, was just hoping this can be
done with ldap group authentication.


Thanks,
Nando


[squid-users] Access denied errors with many users

2015-10-07 Thread Robert Conlustro
I have been using squid 3.4 for about 1 year now and everything was going fine
up until a couple days ago when users started seeing access denied errors for
some reason. I currently have around 900 active users all with their own src
authentication IPs. I use a separate folder for the users files and include
them into the squid.conf file. Is there a maximum number of src IPs or include
files inside the squid.conf? Maybe I have reached a limit somewhere. In the
past I've had a hiccup here and there and always found the error or problem
plain as could be in the cache.log but this time I cannot find the error. I'm
stumped and turning to the community for the first time. Any help or
recommendations would be greatly appreciated.


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Yuri Voinov

Sure.

Look at the typical fb URL:

http://i.imgur.com/3xQxD1z.png

It uses Akamai CDN and, without Store-ID, you will get MANY duplicates
for the same content.


And only with Store-ID do you have a chance to get a HIT:

http://i.imgur.com/n0NiVY6.png

07.10.15 15:06, Amos Jeffries wrote:

On 7/10/2015 10:00 p.m., Yuri Voinov wrote:

and fourth. Consider correct usage of Store-ID.


For facebook? they are/were pretty good for cacheability before the
HTTPS fanatics got to them.

Amos



Re: [squid-users] Caching Facebook content

2015-10-07 Thread Yuri Voinov

This is security theatre.

07.10.15 18:01, FredB wrote:

For facebook? they are/were pretty good for cacheability before the
HTTPS fanatics got to them.

Amos



HTTPS everywhere is the new mantra

Fred


Re: [squid-users] Site not Working through SQUID

2015-10-07 Thread Cristiano Nunes
I thought that there was something broken in the workstation, like old
Java or missing Flash... Apart from having been tested on more than one
workstation, I NATed one of the workstations, bypassing Squid, and it
worked flawlessly, so I ruled out something missing/broken.

I put a log on the firewall to check whether the site has Java that
was trying a connection without the proxy, but nothing came up.

Any idea on what else I can try or look for?

BR,

Cris

Att.

Cristiano Nunes
Fone: 11 97052-2000

2015-10-07 5:44 GMT-03:00 Amos Jeffries :

> On 7/10/2015 7:32 a.m., Cristiano Nunes wrote:
> > Hi Antony.
> >
> > The URL is www..yasudamaritima.com.br, but according to the user, you
> have
> > to navigate and authenticate to the portion of the site which is supposed
> > to show the window, but the window is blank.
> >
> > The squid.log captured during the user session is below:
> >
>
> Apart from the favicon, which is inconsequential those transactions all
> are successful (2x and 3xx status) and appear to have completed
> properly. Some of the CONNECT's are staying active for several minutes
> though, so the ones listed are unlikely to be related to the request at
> the top, and if there were any they could close much later than the log
> shows.
>
> >
> > And here is my squid.conf.
> >
>
> Looks very much okay.
>
>
> Which leaves us with the troublesome issues like path-MTU discovery
> problems. If there is a CONNECT happening but some payload data packets
> not getting through you could end up with missing page parts.
>
> Or maybe, server application not coping with proxied traffic. I've seen
> some that simply crash the backend server script engine if you pass it a
> X-Forwarded-For header with non-IPv4 contents.
>
> Or maybe, the window was supposed to contain something over a non-HTTP
> protocol that is broken.
>
> Amos


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Eliezer Croitoru

Just wondering if you can contribute to the StoreID DB at:
http://wiki.squid-cache.org/Features/StoreID/#A_CDN_Pattern_Database

Eliezer

On 07/10/2015 12:10, Yuri Voinov wrote:

Sure.

Look at the typical fb URL:

http://i.imgur.com/3xQxD1z.png

It uses Akamai CDN and, without Store-ID, you will get MANY duplicates
for the same content.

And only with Store-ID do you have a chance to get a HIT:

http://i.imgur.com/n0NiVY6.png

07.10.15 15:06, Amos Jeffries wrote:

On 7/10/2015 10:00 p.m., Yuri Voinov wrote:

and fourth. Consider correct usage of Store-ID.


For facebook? they are/were pretty good for cacheability before the
HTTPS fanatics got to them.

Amos



Re: [squid-users] Access denied errors with many users

2015-10-07 Thread Eliezer Croitoru

Hey Robert,

If you have an access_denied then something should show up in the
access.log.

It is pretty hard to tell where it comes from if the settings are unknown.
If you have about 900 users and it's static then using conf files
is fine.
But if it's a dynamic application, you should consider using an
external_acl helper which will test the src IP against some key\value DB.
It will remove the complexity of squid configuration and will allow you
a more flexible solution.


Usually the way to solve this kind of issue is to use squid debug 
capabilities:

http://wiki.squid-cache.org/KnowledgeBase/DebugSections
Section 28 should shed some light on the issue.

Eliezer

On 07/10/2015 14:20, Robert Conlustro wrote:

I have been using squid 3.4 for about 1 year now and everything was going fine
up until a couple days ago when users started seeing access denied errors for
some reason. I currently have around 900 active users all with their own src
authentication IPs. I use a separate folder for the users files and include
them into the squid.conf file. Is there a maximum number of src IPs or include
files inside the squid.conf? Maybe I have reached a limit somewhere. In the
past I've had a hiccup here and there and always found the error or problem
plain as could be in the cache.log but this time I cannot find the error. I'm
stumped and turning to the community for the first time. Any help or
recommendations would be greatly appreciated.




[squid-users] Squid 3.5.10 Performance

2015-10-07 Thread FredB
Just FI

With high load system (and exactly the same configuration of course) the load 
average is significantly reduced by the use of the latest release in comparison 
with the previous 3.5.x versions

diskd, digest auth, basic auth, delay pools, some acls, 800 r/s, Debian wheezy 
64Bits

Fred


Re: [squid-users] Caching Facebook content

2015-10-07 Thread Yuri Voinov

Sure, Eliezer. I took this as a basis for my partial solution.

07.10.15 17:38, Eliezer Croitoru wrote:

Just wondering if you can contribute to the StoreID DB at:
http://wiki.squid-cache.org/Features/StoreID/#A_CDN_Pattern_Database

Eliezer

On 07/10/2015 12:10, Yuri Voinov wrote:

Sure.

Look at the typical fb URL:

http://i.imgur.com/3xQxD1z.png

It uses Akamai CDN and, without Store-ID, you will get MANY duplicates
for the same content.

And only with Store-ID do you have a chance to get a HIT:

http://i.imgur.com/n0NiVY6.png

07.10.15 15:06, Amos Jeffries wrote:

On 7/10/2015 10:00 p.m., Yuri Voinov wrote:

and fourth. Consider correct usage of Store-ID.


For facebook? they are/were pretty good for cacheability before the
HTTPS fanatics got to them.

Amos



Re: [squid-users] Caching Facebook content

2015-10-07 Thread FredB

> 
> For facebook? they are/were pretty good for cacheability before the
> HTTPS fanatics got to them.
> 
> Amos
> 


HTTPS everywhere is the new mantra 

Fred 


[squid-users] Error on negotiating SSL connection

2015-10-07 Thread Job
Hello,

I can intercept SSL Bumped connections actually.

But in squid logs I have this error, and clients display a squid error page.

These are the logs:

 fwdNegotiateSSL: Error negotiating SSL connection on FD 20: 
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest 
algorithm (1/-
2015/10/07 12:12:48 kid1| WARNING: ssl_crtd #Hlpr0 exited
2015/10/07 12:12:48 kid1| Too few ssl_crtd processes are running (need 5/100)
2015/10/07 12:12:48 kid1| Starting new helpers
2015/10/07 12:12:48 kid1| helperOpenServers: Starting 5/100 'ssl_crtd' processes

How can i resolve this?

Thank you
Francesco


[squid-users] R: R: SSL Bump and NF getsockopt failed

2015-10-07 Thread Job
Hi Amos!

Resolved: in squid.conf I have to write ip:port instead of :port.
As an example, 192.168.10.254:3129 works with interception.

With only :3129 it does not work!

Francesco


From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Job
[j...@colliniconsulting.it]
Sent: Monday 5 October 2015 14:06
To: Amos Jeffries; squid-users@lists.squid-cache.org
Subject: [squid-users] R:  SSL Bump and NF getsockopt failed

Hello Amos!

>The connection arriving at Squid does not have any NAT records in the
>Squid machine kernel.

>It is mandatory that NAT be done on the Squid machine. Not on some
>remote router (aka CPE "port-forwarding").

The iptables gateway is in the same machine where Squid+SSL bump run.

Our transparent proxy for 80/HTTP works perfectly, but users cannot access
https pages.

From the console, if I telnet localhost 3129 (https intercept port), I have no
connections, even though in netstat -avn | grep 3129 I have active and
listening connections.

Please note I use the REDIRECT --to-port command in iptables.

Where am I wrong?

Thank you!
Francesco


Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.

On 07.10.2015 11:05, Amos Jeffries wrote:

On 7/10/2015 4:27 a.m., Alex Rousskov wrote:

On 10/06/2015 01:27 AM, Jason Haar wrote:

Good catch - I don't think squid does CRL/OCSP checks
But this is a bug in squid - this means untrustworthy certs become
trusted again - not a good look


IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
difficult to configure to do CRL checks. If my recollection is correct,
then this is not exactly a Squid bug but more like a missing convenience
feature.

Exactly. All thats missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.


Squid does not know about OCSP. Another missing feature.

One may perform all those checks using a custom certificate validator
helper, of course.


Amos


Hi Amos,

what about these two directives in squid.conf?

sslcrtvalidator_program and sslcrtvalidator_children

or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of valid_cert.pl that results
in an "access denied" or any other error page of squid?
(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;

instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash

myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl

and the C source of myprog:


#include <stdio.h>
#include <unistd.h>

/* Copy everything read on stdin to both stdout (on to cert_valid.pl)
   and stderr (captured in /tmp/pre.log by the wrapper script). */
int main( int argc, char* argv[ ] )
{
    static char szBuf[ 260 ];
    int nLen;
    while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
    {
        write( 1, (void*) szBuf, nLen );
        write( 2, (void*) szBuf, nLen );
    }
    return 0;
}

so I got the identical content on stdout and stderr, and there I caught e.g. this:


0 cert_validate 3373 host=revoked.grc.com
cert_0=-BEGIN CERTIFICATE-
-END CERTIFICATE-


Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.

On 07.10.2015 16:48, Amos Jeffries wrote:

or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of valid_cert.pl that results
in an "access denied" or any other error page of squid?

An ERR result from the helper should result in the invalid certificate
handling happening in Squid. Whether that results in a particular error
page (or not) depends on several things I'm not completely certain about.

Not really, there happens nothing different;



(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;


Ah. I see the concurrency channel is not documented, but is being sent.
What Squid version are you using?

I'm using squid 3.4.10, the build from Eliezer
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.4.10-1.el6.x86_64.rpm
and
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-helpers-3.4.10-1.el6.x86_64.rpm


instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash

myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl

and the C source of myprog:


#include <stdio.h>
#include <unistd.h>

/* Copy everything read on stdin to both stdout (on to cert_valid.pl)
   and stderr (captured in /tmp/pre.log by the wrapper script). */
int main( int argc, char* argv[ ] )
{
    static char szBuf[ 260 ];
    int nLen;
    while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
    {
        write( 1, (void*) szBuf, nLen );
        write( 2, (void*) szBuf, nLen );
    }
    return 0;
}

This helper is broken. The protocol here or even other helpers, has
never been to dump the input back to Squid.
be careful, this is part of the helper script above, to catch the
content that's sent to the helper ...

Input and output "lines" have different syntax and contents.

of course ...

so I got the identical content on stdout and stderr, and there I caught e.g.
this:


0 cert_validate 3373 host=revoked.grc.com
cert_0=-BEGIN CERTIFICATE-



-END CERTIFICATE-


with this I could programme a correct certificate validator using OpenSSL,
but I MUST have a little bit more precise knowledge about the correct
interface;

can someone please explain how the 3373 of the caught content above is
calculated?

Documented in the wiki:
"Total size of the following request bytes taken by the key=pair
parameters."

That is the byte size of the "host=...END CERTIFICATE-" key-pair
part of the message.

Ok, I'll try if something was kicked away ...

returns always "0 OK 0 \1"
what does \1 mean here?

\1 is the binary code (0x01) for end of line/message this helper
requires. We cannot use \n like other helpers since several \n are part
of the cert PEM format.


is this also true for requests this helper receives?

Thanks,
Walter



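To make the framing Amos describes concrete (channel id, verb, byte count of the key=value part, 0x01 terminator instead of newline, reply "0 OK 0 \1"), here is an added example of a parser and responder for that exchange. It is illustrative code written for this page, not Squid's cert_valid.pl nor Walter's helper; the PEM text is a constructed placeholder, the "revoked host" set stands in for the CRL/OCSP lookup a real validator would do, and the error_name_0/error_reason_0/error_cert_0 keys in the ERR body are assumed from Squid's validator documentation.

```python
import re

TERMINATOR = b"\x01"   # 0x01 ends every message; \n cannot, it occurs inside PEM
CERT_RE = re.compile(rb"cert_(\d+)=(-+BEGIN CERTIFICATE-+.*?-+END CERTIFICATE-+)", re.S)
HOST_RE = re.compile(rb"^host=(\S+)", re.M)


class HelperProtocolError(ValueError):
    """Malformed request: bad terminator, unknown verb or size mismatch."""


def frame(channel, verb, body=b""):
    """Build one message '<channel> <verb> <size> <body>\\1'.
    <size> counts only the body bytes, which is how the 3373 in the
    captured request (host=... through END CERTIFICATE) is computed."""
    return b"%d %s %d %s%s" % (channel, verb.encode(), len(body), body, TERMINATOR)


def parse_request(raw):
    """Parse a cert_validate request into channel, host and PEM blobs."""
    if not raw.endswith(TERMINATOR):
        raise HelperProtocolError("request not terminated by 0x01")
    parts = raw[:-1].split(b" ", 3)
    if len(parts) != 4 or parts[1] != b"cert_validate":
        raise HelperProtocolError("expected '<channel> cert_validate <size> <body>'")
    channel, size, body = int(parts[0]), int(parts[2]), parts[3]
    if size != len(body):
        # A short or over-long read means the message was mis-framed; a helper
        # that answered anyway could validate a certificate it never saw whole.
        raise HelperProtocolError("declared size %d != body length %d" % (size, len(body)))
    host = HOST_RE.search(body)
    certs = {int(n): pem for n, pem in CERT_RE.findall(body)}
    return {"channel": channel,
            "host": host.group(1).decode() if host else None,
            "certs": certs}


def respond(raw, revoked_hosts=frozenset()):
    """Return the reply for one request on the same channel: '<ch> OK 0 \\1'
    accepts the server certificate; '<ch> ERR <n> <body>\\1' hands Squid an
    error description so its invalid-certificate handling runs."""
    req = parse_request(raw)
    if req["host"] in revoked_hosts:          # stand-in for a CRL/OCSP check
        err = (b"error_name_0=X509_V_ERR_CERT_REVOKED\n"
               b"error_reason_0=Revoked by helper policy\n"
               b"error_cert_0=cert_0\n")
        return frame(req["channel"], "ERR", err)
    return frame(req["channel"], "OK")


# Constructed sample request (placeholder PEM, not a real certificate).
SAMPLE_BODY = (b"host=revoked.grc.com\n"
               b"cert_0=-----BEGIN CERTIFICATE-----\n"
               b"MIIBplaceholderBase64LinesOnly\n"
               b"-----END CERTIFICATE-----\n")
SAMPLE_REQUEST = frame(0, "cert_validate", SAMPLE_BODY)


if __name__ == "__main__":
    # Run as a helper: read 0x01-terminated requests on stdin, reply on stdout.
    import sys
    buf = b""
    while True:
        chunk = sys.stdin.buffer.read(1)
        if not chunk:
            break
        buf += chunk
        if chunk == TERMINATOR:
            sys.stdout.buffer.write(respond(buf))
            sys.stdout.buffer.flush()
            buf = b""
```

Feeding it a captured request such as the one in the thread shows why the byte count is checked before anything else: a request truncated by a pipe read produces a size mismatch and no answer, rather than a spurious OK.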