Re: [squid-users] 4.0.2: ALE missing URL

2015-11-07 Thread David Touzeau

Hi Alex,

I'm using the extra token %>ha{X-Forwarded-For} in the helper configuration.

Does it help?

On 07/11/2015 01:15, Alex Rousskov wrote:

On 11/06/2015 04:36 PM, David Touzeau wrote:

Hi

I'm testing the new 4.0.2 version.
Now I'm receiving many errors like this in cache.log

What's wrong?


2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object


This may be a regression bug introduced by trunk r14351 (Support
logformat %macros in external_acl_type format). AFAIK, those messages
were added specifically to catch hard-to-find bugs like that.

There is some logic in the code to limit the number of these messages,
but, AFAICT, it does not work well for busy Squids: A worker doing 1000
requests per second might log ~100 messages per minute. Future releases
may have less aggressive reporting if other developers agree that the
current reporting is too aggressive and adjust the code.


If you are seeing these messages, some of your ACLs may not work
correctly. However, the messages are printed for missing fields that
Squid can compute from other sources, so without call stack analysis you
may not be able to tell which ACLs are not working, if any.


If you want to help fix this bug, please consider doing the following:

1. Add "assert(false);" line to showDebugWarning() in
src/acl/FilledChecklist.cc. Any line within that method should work but
placing it last, after the debugs() line, may work the best. This
addition will _kill_ your Squid so do not use this in production or at
least keep an unpatched binary around for a quick replacement!

2. Post gdb backtrace from the assertion in #1 to Bugzilla.

Others may be able to provide you with more detailed instructions if you
need them.


Thank you,

Alex.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] 4.0.2: ALE missing URL

2015-11-07 Thread Amos Jeffries
On 7/11/2015 11:55 p.m., David Touzeau wrote:
> Hi Alex,
> 
> I'm using the extra token %>ha{X-Forwarded-For} in the helper configuration.
> 
> Does it help?
> 

Where you are using that ACL is also needed.

Amos



Re: [squid-users] Fwd: Re: HTTP 503 error in squid proxy server

2015-11-07 Thread Amos Jeffries
>>> On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
>>>> Dear
>>>>
>>>> I have a question about HTTPS communication through Squid Proxy Server.
>>>>
>>>> HTTP 503 errors occur frequently.
>>>> 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443
>>>> HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
>>>> ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
>>>

Hold up.

Squid is being instructed to open a TCP connection from itself to
..xxx.io and deliver the contents that follow the CONNECT
message there.


If ..xxx.io is the ELB, what do you expect will happen when
Squid obeys?

The short answer is "Forwarding Loop": eventually the cycle of
ELB->Squid->ELB->Squid ... ends up going through one of the Squids it has
already passed through, which kills the loop with a 503.

Amos

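The loop Amos describes, as an added example that is not Squid's code: a proxy chain modelled in Python in which each Squid-style hop stamps its own name into the request's Via header on the way out and refuses with a 503 when it finds that name already there. The hop names, the simulated load balancer and the version string in the Via stamp are constructed for the example. The last scenario shows a side effect of name-based detection worth knowing about, not a diagnosis of the setup in this thread: two distinct proxies that present the same name are indistinguishable to the check, which is why Squid offers unique_hostname for installations that share one visible_hostname.

```python
"""Via-header forwarding-loop detection, modelled on the ELB -> Squid ->
ELB -> Squid cycle.  Added illustration, not Squid's source: a proxy
appends its name to Via when it forwards, and a proxy that finds its own
name already in Via has seen the request before and answers 503 instead
of forwarding it again.
"""
from itertools import cycle, islice


def parse_via(header: str):
    """Names of the hops recorded in a Via header value.

    Each comma-separated entry is '<version> <received-by> [(comment)]',
    e.g. '1.1 sq1 (squid/3.1.16)'.  received-by may carry a :port, which
    is dropped so it compares against a bare hostname.
    """
    hops = []
    for entry in header.split(","):
        parts = entry.strip().split()
        if len(parts) >= 2:
            hops.append(parts[1].rsplit(":", 1)[0])
    return hops


def run_chain(path, max_hops=32):
    """Push one request along a sequence of (name, adds_via) hops.

    adds_via is True for a Squid-style proxy that stamps Via and False for
    a hop such as a load balancer that forwards without touching it.
    Returns (status, hop_number): '503' when a hop finds itself in Via,
    'timeout' if the hop guard trips first, '200' if the path ends cleanly.
    """
    headers = {}
    hop_no = 0
    for hop_no, (name, adds_via) in enumerate(path, 1):
        if hop_no > max_hops:
            return "timeout", hop_no
        if name in parse_via(headers.get("Via", "")):
            return "503", hop_no  # forwarding loop detected at this hop
        if adds_via:
            stamp = f"1.1 {name} (squid/3.1.16)"  # version string is made up
            headers["Via"] = f"{headers['Via']}, {stamp}" if "Via" in headers else stamp
    return "200", hop_no


# Constructed scenarios (not taken from the thread's logs)
ELB_LOOP = list(islice(cycle([("sq1", True), ("elb", False)]), 10))
NO_STAMP = list(islice(cycle([("elb", False)]), 40))     # nothing in the cycle stamps Via
SAME_NAME = [("unknown", True), ("unknown", True)]        # two Squids, one visible_hostname
DISTINCT = [("sq-a", True), ("sq-b", True)]

if __name__ == "__main__":
    for label, path in [("ELB loop", ELB_LOOP), ("no Via stamp", NO_STAMP),
                        ("same name", SAME_NAME), ("distinct names", DISTINCT)]:
        print(f"{label:14s} -> {run_chain(path)}")
```

The pure-ELB cycle never trips the check and only stops at the hop guard, which is the point: it is the Squid in the cycle, not the load balancer, that turns an endless loop into a 503.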


Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent

2015-11-07 Thread Amos Jeffries
On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
> 
> Does anyone have any idea how to fix the below described problem? Please :)
> 

You are taking secured traffic. Removing the decryption. Then ...


>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.

Except when the target is a peer receiving plain-text TCP connections
(not TLS encrypted connections) ...

>>
>> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443
>> - HIER_NONE/- -
>> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
>> https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>

... splat.


Clear enough? If not the assertion below should make it clearer.


>> Alternatively if I change the ssl_bumpsetup to this:
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"

Attempting to connect and send encryption to a non-encrypted peer.

Using a current version of Squid should fix that assertion and just not
let the peer be used. Your Squid is a whole 2 months old. In the arms
race that is SSL-Bump a few months is a long time.

Squid still will not generate new CONNECT to non-encrypted peers though.
So you will need to TLS enable the cache_peer link.

Amos



[squid-users] Fwd: Re: HTTP 503 error in squid proxy server

2015-11-07 Thread Antony Stone
This reply came to my private address.

Forwarding to the list.

--  Forwarded Message Starts  --

Subject: Re: [squid-users] HTTP 503 error in squid proxy server
Date: Saturday 07 November 2015 10:43:14
From: 聡司蛭田
To: Antony Stone

Dear

Thank you for reply.

Squid version is squid-3.1.16-22.

> On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
>
> > Dear
> >
> > I have a question about HTTPS communication through Squid Proxy Server.
> >
> > HTTP 503 errors occur frequently.
>
> Does it also occur if you point your browser directly at the site, not via
> Squid?

No browser. The client Java application communicates with other sites using the
HTTPS protocol through the squid proxy server.

> > 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443
> > HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
> >
> > ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
>
> Do you have access to that machine, to see what its logs show about the
> incoming requests, and the responses it generates?
>
> > Squid cache is disabled.
>
> So, what are you using it for?
>
> > My additional squid config is the following.
> >
> > visible_hostname unknown
> > strip_query_terms off
> > acl NOCACHE src all
> > cache deny NOCACHE
>
> Please show all of your squid.conf, omitting comments and blank lines.

My squid config file is attached.

> > What could be considered the cause?
>
> Temporary failure on the content server?

Yes. temporary failure.

--  Forwarded Message Ends  --





Re: [squid-users] Fwd: Re: HTTP 503 error in squid proxy server

2015-11-07 Thread Antony Stone
On Saturday 07 November 2015 at 12:48:09, Antony Stone wrote:

> This reply came to my private address.
> 
> Forwarding to the list.
> 
> --  Forwarded Message Starts  --
> 
> Subject: Re: [squid-users] HTTP 503 error in squid proxy server
> Date: Saturday 07 November 2015 10:43:14
> From: 聡司蛭田
> To: Antony Stone
> 
> Dear
> 
> Thank you for reply.
> 
> Squid version is squid-3.1.16-22.
> 
> > On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:
> > > Dear
> > > 
> > > I have a question about HTTPS communication through Squid Proxy Server.
> > > 
> > > HTTP 503 errors occur frequently.
> > 
> > Does it also occur if you point your browser directly at the site, not
> > via Squid?
> 
> No browser. The client Java application communicates with other sites using the
> HTTPS protocol through the squid proxy server.

Okay, let me re-phrase my question then:

Do you get the same intermittent problems if you tell the client java 
Application to connect to the site directly without using Squid?

> > > 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443
> > > HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
> > > ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.
> > 
> > Do you have access to that machine, to see what its logs show about the
> > incoming requests, and the responses it generates?

What is the answer to the above question?

> > > Squid cache is disabled.
> > 
> > So, what are you using it for?

?

> > > My additional squid config is the following.
> > > 
> > > visible_hostname unknown
> > > strip_query_terms off
> > > acl NOCACHE src all
> > > cache deny NOCACHE
> > 
> > Please show all of your squid.conf, omitting comments and blank lines.
> 
> My squid config file is attached.
> 
> > > What could be considered the cause?
> > 
> > Temporary failure on the content server?
> 
> Yes. temporary failure.

No, I meant that there could genuinely be a temporary failure on the content 
server, which results in the HTTP/503 error.  Nothing Squid can do about that 
(especially since you're not using it in caching mode - what are you using it 
for?)

> --  Forwarded Message Ends  --

Please send all replies to the list.


Regards,


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

Please reply to the list;
please *don't* CC me.


[squid-users] HTTP 503 error in squid proxy server

2015-11-07 Thread 聡司蛭田
Dear

I have a question about HTTPS communication through Squid Proxy Server.

HTTP 503 errors occur frequently.

10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443
HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT

..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.

Squid cache is disabled.

My additional squid config is the following.

visible_hostname unknown
strip_query_terms off
acl NOCACHE src all
cache deny NOCACHE

What could be considered the cause?


Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent

2015-11-07 Thread Michael Ludvig

Hi again

Does anyone have any idea how to fix the below described problem? Please :)

Thanks!

Michael

On 05/11/15 16:01, Michael Ludvig wrote:

Hi

I've got a network without direct internet access where I have Squid 
3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on 
tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443 
respectively).


This Squid (proxy-test) doesn't have a direct Internet access either 
but can talk to a parent Squid (proxy-upstream) in other part of the 
network that does have Internet access.


With HTTP it works well - client makes a request to 
http://www.example.com (port 80), router and iptables redirect the 
connection to Squid's port 8080, that intercepts the request and makes 
a request to the upstream proxy that serves it as usual. Here are the 
config options used:


http_port 8080 intercept
cache_peer proxy-upstream parent 3128 0 no-query
never_direct allow all

Now I wanted to do a similar thing for HTTPS:

https_port 8443 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump bump all

Without cache_peer it works as expected (when I enable temporary 
internet access), i.e. auto-generates a fake SSL cert and makes a 
direct connection to the target.


However with cache_peer it doesn't work. I get HTTP/503 error from the 
proxy:


1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 
- HIER_NONE/- -
1446684476.970 3 proxy-client TCP_MISS/503 4309 GET 
https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html


Alternatively if I change the ssl_bump setup to this:

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

I get a crash message in cache.log:

2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: 
"peer->use_ssl"


When I use this proxy in non-transparent mode, i.e. configuring the 
proxy on client to proxy-test:3128, it works:


1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT 
secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -


So I need to somehow turn the HTTPS request that lands on 
proxy-test into a CONNECT request that's forwarded to proxy-upstream.
If Squid can't do that is there any other 
transparent-to-nontransparent proxy software that can do that?


Thanks!

Michael


Re: [squid-users] HTTP 503 error in squid proxy server

2015-11-07 Thread Antony Stone
On Saturday 07 November 2015 at 09:30:04, 聡司蛭田 wrote:

> Dear
> 
> I have a question about HTTPS communication through Squid Proxy Server.
> 
> HTTP 503 errors occur frequently.

Does it also occur if you point your browser directly at the site, not via 
Squid?

> 10.xx.xx.xx - - [01/Nov/2015:03:44:33 +0900] "CONNECT ..xxx.io:443
> HTTP/1.1" 503 0 "-" "Javaa/1.7.0_71" TCP_MISS:DIRECT
> 
> ..xxx.io:443 is ELB (Internet-Facing Load Balancer) DNS name.

Do you have access to that machine, to see what its logs show about the 
incoming requests, and the responses it generates?

> Squid cache is disabled.

So, what are you using it for?

> My additional squid config is the following.
> 
> visible_hostname unknown
> strip_query_terms off
> acl NOCACHE src all
> cache deny NOCACHE

Please show all of your squid.conf, omitting comments and blank lines.

> What could be considered the cause?

Temporary failure on the content server?


Regards,


Antony.

-- 
Salad is what food eats.

Please reply to the list;
please *don't* CC me.


Re: [squid-users] 4.0.2: ALE missing URL

2015-11-07 Thread David Touzeau



On 07/11/2015 15:07, Amos Jeffries wrote:

On 7/11/2015 11:55 p.m., David Touzeau wrote:

Hi Alex,

I'm using the extra token %>ha{X-Forwarded-For} in the helper configuration.

Does it help?


Where you are using that ACL is also needed.

Amos



Using it like this:

external_acl_type ArticaRestrictAccess ttl=360 negative_ttl=360 children-startup=1 children-idle=1 children-max=5 ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For} /usr/share/artica-postfix/external_acl_restrict_access.php

acl ArticaRestrictAccess external ArticaRestrictAccess

external_acl_type MacToUid ttl=360 negative_ttl=360 children-startup=1 children-idle=1 children-max=5 ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For} /usr/share/artica-postfix/external_acl_usersMacs.php --mactouid

acl MacToUid_acl external MacToUid

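An added example of the helper side of external_acl_type lines like the ones above, not the Artica helper scripts named in the thread: a Python helper that reads the "ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For}" fields Squid writes for each lookup and answers OK or ERR. The allowed networks, MAC list and trusted-proxy range are constructed for the example. The caveat it builds in is the one a practitioner wants before putting X-Forwarded-For into an access decision: the header is set by whoever sent the request, so a helper may only let it override %SRC when the TCP peer is a proxy it trusts; otherwise any client can claim a permitted address by adding the header itself.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for the format
    ipv4 %SRC %SRCEUI48 %>ha{X-Forwarded-For}
Added example, not the helper named on the page.  Squid writes one line per
lookup to stdin with the format fields separated by spaces ("-" standing in
for a field it could not fill, as in access.log) and expects one reply line
per lookup: "OK" or "ERR", optionally followed by key=value pairs such as
user= or message=.  The config above sets no concurrency= option, so no
channel-id prefix is present.  Policy and address ranges are constructed.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed policy (assumption): hosts on the office LAN are allowed
# outright; anything else only by a registered MAC address.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_MACS = {"00:11:22:33:44:55"}
# X-Forwarded-For is honoured only when the TCP peer is one of our own
# downstream proxies (assumed range); a direct client can write anything.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client(src, xff):
    """Address the access decision is made on, or None if unusable.

    If %SRC is a trusted proxy and it supplied X-Forwarded-For, use the last
    (rightmost) entry, the one that proxy appended itself.  Earlier entries,
    and the header on a direct connection, are client controlled and ignored.
    """
    try:
        peer = ipaddress.ip_address(src)
    except ValueError:
        return None
    if xff != "-" and in_any(peer, TRUSTED_PROXIES):
        last = unquote(xff).split(",")[-1].strip()   # unquote is harmless if not encoded
        try:
            return ipaddress.ip_address(last)
        except ValueError:
            return None   # garbage in a header we trust: fail closed
    return peer


def decide(line):
    """Map one lookup line from Squid to the OK/ERR reply it expects."""
    fields = line.split()
    if len(fields) < 3:
        return "ERR message=malformed_helper_input"
    src, mac, xff = fields[0], fields[1].lower(), fields[2]
    client = effective_client(src, xff)
    if client is None:
        return "ERR message=bad_address"
    if in_any(client, ALLOWED_NETS):
        return f"OK user=net:{client}"
    if mac in ALLOWED_MACS:
        return f"OK user=mac:{mac}"
    return "ERR message=not_registered"


def main():
    # Squid waits for each reply before reusing the helper, so flush per line.
    for line in sys.stdin:
        print(decide(line.rstrip("\n")), flush=True)


if __name__ == "__main__":
    main()
```

The user= value in an OK reply is what Squid exposes to later ACLs and to the access log, so tagging it with how the decision was reached (net: or mac:) makes the helper's behaviour auditable after the fact. With ttl=360 and negative_ttl=360 as in the config above, Squid caches each reply keyed on the three fields, so a trusted proxy's X-Forwarded-For is part of the cache key, not just %SRC.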