Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Ahmad Alzaeem
Here is what I mean:

[2.2.2-RELEASE][r...@pfsense.mne]/root: tail -f /var/squid/logs/access.log

1447234509.328   9718 172.23.101.251 TCP_MISS/200 1448 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_DIRECT/54.192.55.248 -
1447234514.482   9622 172.23.101.251 TCP_MISS/200 1448 CONNECT shavar.services.mozilla.com:443 - HIER_DIRECT/54.187.101.179 -
1447234519.858  59952 172.23.101.251 TCP_MISS/503 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1447234560.135  71105 172.23.101.251 TCP_MISS/503 0 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234575.091  60607 172.23.101.251 TCP_MISS/503 0 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- -
1447234605.998  76379 172.23.101.251 TCP_MISS/503 0 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- -
1447234651.018  75705 172.23.101.251 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - HIER_NONE/- -

cheers

From: Yuri Voinov [mailto:yvoi...@gmail.com]
Sent: Wednesday, November 11, 2015 12:49 AM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org; 'Amos Jeffries'
Subject: Re: [squid-users] cache peer only forward http , not https !!!

Do you see ip:443 CONNECT records in access.log?

I.e., is your HTTPS traffic reaching Squid?

11.11.15 1:45, Ahmad Alzaeem wrote:
> Hi, I don't have SSL bump.
>
> All my users use ip:port to get internet.
>
> I already have an ISA Windows server and it works with http and https.
>
> I'm wondering why all this complexity is needed for peer https!!!
>
> Anyway here is squid.conf
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
> http_port 172.23.101.253:3128
> icp_port 0
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname mne
> cache_mgr aza...@mne.ps

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
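The access.log lines above already carry the diagnosis if one reads the hierarchy field: the two CONNECTs that returned 200 went HIER_DIRECT (Squid contacted the origin itself, bypassing the cache_peer), while every 503 is HIER_NONE, which is what Squid logs when it could not select any forwarding path for the request. The following Python script is an added example written for this thread, not code from the post or from the Squid project; it parses Squid's default native log format and classifies CONNECT requests by the path Squid chose. The sample lines are an abridged copy of the ones pasted above, embedded as a constant so the script runs offline.

```python
"""Classify CONNECT (HTTPS tunnel) outcomes in Squid's native access.log.

Added example for the squid-users thread, not code from the post.  The
default "squid" log format is:
  time elapsed_ms client result/status bytes method url ident hier/peer type
"""
from collections import Counter

# Sample input: an abridged copy of the lines pasted in the message above.
SAMPLE_LOG = """\
1447234509.328   9718 172.23.101.251 TCP_MISS/200 1448 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_DIRECT/54.192.55.248 -
1447234514.482   9622 172.23.101.251 TCP_MISS/200 1448 CONNECT shavar.services.mozilla.com:443 - HIER_DIRECT/54.187.101.179 -
1447234519.858  59952 172.23.101.251 TCP_MISS/503 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1447234560.135  71105 172.23.101.251 TCP_MISS/503 0 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- -
1447234651.018  75705 172.23.101.251 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - HIER_NONE/- -
"""


def parse_line(line):
    """Split one native-format record into a dict; return None for junk."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {
        "ts": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,
        "status": int(status),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "hier": hier,
        "peer": peer,
    }


def classify_path(hier):
    """Map Squid's hierarchy code to the forwarding path it actually took."""
    if hier == "HIER_NONE":
        return "no_route"      # nothing selected: peer unusable and direct not taken
    if hier in ("HIER_DIRECT", "CLOSEST_DIRECT"):
        return "direct"        # origin server contacted directly, cache_peer bypassed
    if "PARENT" in hier or hier == "CARP":
        return "via_parent"    # forwarded to a parent cache_peer
    return "other"


def connect_summary(text):
    """Count CONNECT requests by (path, status) and list the failed tunnels.

    Returns (Counter, [(url, elapsed_ms), ...]) so callers can assert on it.
    """
    counts = Counter()
    failed = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        path = classify_path(rec["hier"])
        counts[(path, rec["status"])] += 1
        if rec["status"] >= 500:
            failed.append((rec["url"], rec["elapsed_ms"]))
    return counts, failed


def report(text):
    """Human-readable summary; many no_route entries and no via_parent
    entries means CONNECT never reaches the cache_peer."""
    counts, failed = connect_summary(text)
    lines = ["CONNECT requests by forwarding path and HTTP status:"]
    for (path, status), n in sorted(counts.items()):
        lines.append("  %-11s %3d  x%d" % (path, status, n))
    if failed:
        lines.append("failed tunnels (destination, elapsed ms):")
        lines.extend("  %s  %d" % item for item in failed)
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(src))
```

Run it against the live file with `python3 connect_paths.py /var/squid/logs/access.log`. On the log above it reports two `direct 200` and three `no_route 503` tunnels, each failed tunnel having waited a minute or more; once CONNECT is actually being handed to the parent, the same records should show a `*_PARENT` hierarchy code instead.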


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Yuri Voinov
And, BTW, code 503 means "Verboten/Forbidden" :) I.e., URL denied 
somewhere - may be on peer proxy.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer problem with Https only !!

2015-11-11 Thread Yuri Voinov

Yes, 3.4.x can't forward https. Upgrade to 3.5.x

10.11.15 15:08, Ahmad Alzaeem wrote:

Hi, I'm using pfSense with a cache peer.

Squid version is 3.4.10.

I have a peer proxy on port 80 and I can use it with http and https.

Now if I use pfSense in the middle and let pfSense go to the remote proxy (10.12.0.32 port 80)

and I get internet from the pfSense proxy,

I only have http websites working!!!

But https websites don't work.

Any help?

Here is my pfSense config:

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 172.23.101.253:3128
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname mne
cache_mgr aza...@mne.ps
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
logfile_rotate 2
debug_options rotate=2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  172.23.101.0/24
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher: 1440  0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .        0     20%  4320
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
dns_nameservers 8.8.8.8 10.12.0.33
cache_peer 10.12.0.32  parent 80 0 no-query no-digest no-tproxy proxy-only
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

cheers




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Yuri Voinov

You are welcome :)

11.11.15 16:04, Ahmad Alzaeem wrote:

Bro you were awesome!

Thank you, it worked.

I appreciate your help a lot.

I wish there was feedback in the mailing list to give you 5/5 stars.

:)

cheers

*From:*Yuri Voinov [mailto:yvoi...@gmail.com]
*Sent:* Wednesday, November 11, 2015 1:04 PM
*To:* Ahmad Alzaeem
*Cc:* squid-users@lists.squid-cache.org
*Subject:* Re: [squid-users] cache peer only forward http , not https !!!

You need to locate the URLs which must be forwarded to the parent.

If this is all URLs, the config must look like this:

never_direct allow all
cache_peer  parent  0 no-query no-digest default
cache_peer_access 127.0.0.1 allow all

And, finally, you must use Squid 3.5.x. This will not work on 3.4.x.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Yuri Voinov

You need to locate the URLs which must be forwarded to the parent.

If this is all URLs, the config must look like this:

never_direct allow all
cache_peer  parent  0 no-query no-digest default
cache_peer_access 127.0.0.1 allow all

And, finally, you must use Squid 3.5.x. This will not work on 3.4.x.





___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Pass client DNS requests

2015-11-11 Thread Mike

On 11/11/2015 8:52 AM, Matus UHLAR - fantomas wrote:

On 10.11.15 17:03, Patrick Flaherty wrote:
Again I'm fairly new to Squid but loving it. We enforce only certain 
domains

be accessible via the whitelist directive. Is there a way to pass DNS
requests through the proxy for resolution? We are currently using 
Windows

host entries. :(


no. Squid is a HTTP proxy. it's not a DNS proxy.
use DNS server or DNS proxy for that.

Squid cannot, but you can use an external DNS server, either at the same 
location or elsewhere.
You can setup another server (or two) with your own DNS (we use PowerDNS 
or pDNS), and then add the entry in squid.conf to use that DNS server. 
We have several setup this way.


The squid.conf entry would be like this:

dns_nameservers 11.22.33.44 11.22.33.45

Then on the DNS server just create entries for rerouted or blocked 
sites. I would suggest looking at the powerdns groups and mailing list 
for more details on this.


Mike

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi.

I have configured simple ssl peek/splice on squid 3.5.10 for some simple
cases, but in my production, where configs are complicated, it doesn't
work as expected - somehow it interferes with authentication.

Suppose we have a config like:

===Cut===
acl freetime time MTWHF 18:00-24:00

acl foo dst 192.168.0.0/16
acl bar dstdomain .bar.tld

acl users proxy_auth steve
acl users proxy_auth mike
acl users proxy_auth bob

acl unauthorized proxy_auth stringthatwillnevermatch

acl block dstdomain "block.acl"
acl blockssl ssl::server_name "block.acl"

http_access allow foo
http_access allow bar

http_access deny unauthorized

http_access allow blockssl users freetime
http_access allow block users freetime
http_access deny blockssl users
http_access deny block users
http_access allow users
http_access deny all
===Cut===

This is a part of an actually working config (with some local names
modified, just to make it easy to read). This config is straightforward:
- foo and bar are allowed without authentication
- then an explicit authentication occurs ('http_access deny
unauthorized' looks redundant, and yes, the config will work without
it, but the thing is that this ACL 'unauthorized' is used to display a
specific deny_info page for the users who failed to authorize).
- it allows browsing some usually blocked sites during certain periods of
time called 'freetime'.
- this config is sslBump-ready, a 'blockssl' ACL exists, which matches
site names on SNI.

Now I'm adding sslBump:

===Cut===
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump blockssl
ssl_bump splice all
===Cut===

As soon as I add sslBump, everything that is bumped starts being
blocked by 'http_access deny unauthorized' (everything that's spliced
works as intended). And I completely cannot understand why. Yes, I can
remove this line, but this way I'm losing deny_info for the specific cases
when someone fails to authorize, and besides, without sslBump it was
working, right? Please help me understand this and solve the issue.

Thanks.
Eugene.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] logging to syslog

2015-11-11 Thread Amos Jeffries
On 11/11/2015 9:11 p.m., Sebastian Kirschner wrote:
> Hi Avraham,
> 
> I think it wouldn't be a good idea to just create a symlink because squid (or 
> the user under which squid runs) then must have access to the syslog,
> and if your squid instance gets compromised then the syslog is open to read for 
> that one.

Indeed.

Syslog is not a socket path or such. It is a libc system call. Which
Squid *is* doing when that logging module is used.

syslog() accepts the message with the log type and level tags. The rest
is up to your system syslog.conf configuration and handling.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Pass client DNS requests

2015-11-11 Thread Yuri Voinov

My 5 cents:

http://unbound.net/

11.11.15 22:07, Amos Jeffries wrote:
> On 12/11/2015 3:52 a.m., Matus UHLAR - fantomas wrote:
>> On 10.11.15 17:03, Patrick Flaherty wrote:
>>> Again I'm fairly new to Squid but loving it. We enforce only certain
>>> domains
>>> be accessible via the whitelist directive. Is there a way to pass DNS
>>> requests through the proxy for resolution? We are currently using
Windows
>>> host entries. :(
>>
>> no. Squid is a HTTP proxy. it's not a DNS proxy.
>> use DNS server or DNS proxy for that.
>>
>
> DNS proxy also goes by the name "recursive resolver", which you might be
> more familiar with.
>
> The best design is to have a recursive resolver setup somewhere on your
> network and have it used by both your clients and Squid.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Pass client DNS requests

2015-11-11 Thread Amos Jeffries
On 12/11/2015 3:52 a.m., Matus UHLAR - fantomas wrote:
> On 10.11.15 17:03, Patrick Flaherty wrote:
>> Again I'm fairly new to Squid but loving it. We enforce only certain
>> domains
>> be accessible via the whitelist directive. Is there a way to pass DNS
>> requests through the proxy for resolution? We are currently using Windows
>> host entries. :(
> 
> no. Squid is a HTTP proxy. it's not a DNS proxy.
> use DNS server or DNS proxy for that.
> 

DNS proxy also goes by the name "recursive resolver", which you might be
more familiar with.

The best design is to have a recursive resolver setup somewhere on your
network and have it used by both your clients and Squid.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] File rotation problem

2015-11-11 Thread Matus UHLAR - fantomas

On 11.11.15 09:25, Verónica Ovando wrote:

I am using logrotate with this configuration in /etc/logrotate.d/squid3:

/var/log/squid3/access.log {
maxsize 50M
daily
compress
delaycompress
rotate 5
missingok
notifempty
create 0640 proxy proxy
sharedscripts
postrotate
test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
endscript
}

/var/log/squid3/cache.log {
maxsize 50M
daily
compress
delaycompress
rotate 5
missingok
notifempty
create 0640 proxy proxy
sharedscripts
postrotate
test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
endscript
}

In my /etc/crontab.daily logrotate is present.

In my squid.conf file logfile_rotate is set to 0.

My files are growing very quickly; they are more than 50 MB in size 
(some of them more than 2 GB). I have to execute squid3 -k rotate 
manually for the log rotation.


Apparently logrotate is run once daily, so those files are only checked
daily. You must use "maxsize" and run logrotate more often than daily to
force rotation when files grow over the limit.

I recommend rotating both access and cache files at the same time, btw.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Pass client DNS requests

2015-11-11 Thread Matus UHLAR - fantomas

On 10.11.15 17:03, Patrick Flaherty wrote:

Again I'm fairly new to Squid but loving it. We enforce only certain domains
be accessible via the whitelist directive. Is there a way to pass DNS
requests through the proxy for resolution? We are currently using Windows
host entries. :(


no. Squid is a HTTP proxy. it's not a DNS proxy.
use DNS server or DNS proxy for that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] redirect 206 content

2015-11-11 Thread Alex Rousskov
On 11/11/2015 05:42 AM, HackXBack wrote:

> is there a way to redirect 206 contents to acl ?


I assume that by "206 contents" you mean "HTTP 206 response body". I am
not sure what you mean by "redirect to ACL", but ACLs (including
external ACLs) do not have access to message bodies, only to
headers/metadata.

If you want to analyse message bodies, you should use an eCAP or ICAP
service. RESPMOD services get response bodies.


HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] File rotation problem

2015-11-11 Thread Amos Jeffries
Besides the advice the others have given about how to manage logrotate.d
itself...

What OS and version are you using?

It looks like Debian or a derivative to me and the "squid3" naming is
being deprecated there. All the "squid3" things you are checking may not
actually exist anymore.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] YouTube Resolution Locker Plugin for Squid Proxy Cache 3.5.x

2015-11-11 Thread Amos Jeffries
On 11/11/2015 12:57 p.m., HackXBack wrote:
> unveiltech can cache youtube html5 with full range 100% hit ?

Best place to ask is Unveiltech.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Ahmad Alzaeem
Bro you were awesome!

Thank you, it worked.

I appreciate your help a lot.

I wish there was feedback in the mailing list to give you 5/5 stars.

:)

cheers

From: Yuri Voinov [mailto:yvoi...@gmail.com] 
Sent: Wednesday, November 11, 2015 1:04 PM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] cache peer only forward http , not https !!!

You need to locate the URLs which must be forwarded to the parent.

If this is all URLs, the config must look like this:

never_direct allow all
cache_peer  parent  0 no-query no-digest default
cache_peer_access 127.0.0.1 allow all

And, finally, you must use Squid 3.5.x. This will not work on 3.4.x.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] File rotation problem

2015-11-11 Thread Verónica Ovando

Hi. I need to set up my log file rotation correctly.

I am using logrotate with this configuration in /etc/logrotate.d/squid3:

/var/log/squid3/access.log {
 maxsize 50M
 daily
 compress
 delaycompress
 rotate 5
 missingok
 notifempty
 create 0640 proxy proxy
 sharedscripts
 postrotate
 test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
 endscript
 }

 /var/log/squid3/cache.log {
 maxsize 50M
 daily
 compress
 delaycompress
 rotate 5
 missingok
 notifempty
 create 0640 proxy proxy
 sharedscripts
 postrotate
 test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
 endscript
 }

In my /etc/crontab.daily logrotate is present.

In my squid.conf file logfile_rotate is set to 0.

My files are growing very quickly; they are more than 50 MB in size 
(some of them more than 2 GB). I have to execute squid3 -k rotate 
manually for the log rotation.


Any help to resolve this problem will be appreciated.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Subject: Re: authentication of every GET request from part of URL?

2015-11-11 Thread Sreenath BH
Hi,

Thanks to everyone who have responded in such detail.

I have done a proof of concept of the solution using external ACL
helper and URL rewriter, and it does what I wanted.

Regarding using a token in URL as a way to differentiate between
different users, I now understand the implications on downstream
caches and overall performance. Thanks for driving home the important
point.

regards,
Sreenath


On 11/9/15, Amos Jeffries  wrote:
> On 10/11/2015 6:12 a.m., Sreenath BH wrote:
>> Hi Alex,
>>
>> thanks for your detailed answers.
>>
>> Here are more details.
>> 1. If the URL does not have any token, we would like to send an error
>> message back to the browser/client, without doing a cache lookup, or
>> going to backend apache server.
>>
>> 2. If the token is invalid (that is we can't find it in a database),
>> that means we can not serve
>> data. In this case we would like to send back a HTTP error (something
>> like a  401 or 404, along with a more descriptive message)
>>
>
> All of the above is external_acl_type helper operations.
>
>> 3. If the token is valid(found), remove the token from the URL, and
>> use remaining part of URL as the key to look in Squid cache.
>>
>> 4. If found return that data, along with proper HTTP status code.
>
> The above is url_rewrite_program operations.
>
>> 5. If cache lookup fails(not cached), send HTTP request to back-end
>> apache server (removing the token), get returned result, store in
>> cache, and return to client/browser.
>
> And that part is normal caching. Squid will do it by default.
>
> Except the "removing the token" part. Which was done at step #4 already,
> so has no relevance here at step #5.
>
>>
>> I read about ACL helper programs, and it appears I can do arbitrary
>> validations in it, so should work.
>> Is it correct to assume that the external ACL code runs before url
>> rewriting?
>
> The http_access tests are run before re-writing.
> If the external ACL is one of those http_access tests the answer is yes.
>
>>
>> Does the URL rewriter run before a cache lookup?
>
> Yes.
>
>
>
> Although, please note that despite this workaround for your cache. It
> really is *only* your proxy which will work nicely. Every other cache on
> the planet will see your application's URLs as being unique and needing
> different caching slots.
>
> This not only wastes cache space for them, but also forces them to pass
> extra traffic in the form of full-object fetches at your proxy. Which
> raises the bandwidth costs for both them and you far beyond what proper
> header based authentication or authorization would.
>
> As other sysadmins around the world notice this unnecessarily raised
> cost they will start to hack their configs to force-cache the responses
> from your application. Which will bypass your protection system entirely
> since your proxy may not even see many of the requests.
>
> The earlier you can get the application re-design underway to remove the
> credentials token from URL, the earlier the external problems and costs
> will start to disappear.
>
> Amos
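A sketch of the two helpers Amos describes, as an added example (not Sreenath's proof of concept and not Squid's own code): the external ACL helper answers OK or ERR per URI, so `http_access` refuses token-less or unknown-token requests before any cache lookup or origin fetch, and the URL rewriter strips the token so that neither the cache key nor the request forwarded to Apache carries it. Everything specific is an assumption: the token travels as a query parameter named `token`, the set `VALID_TOKENS` stands in for the database, the squid.conf lines in the docstring show one way to wire the helpers in, and the reply formats follow the Squid 3.4+ helper protocol without `concurrency=` (so no channel-id prefix).

```python
"""Squid helpers for a token-carried-in-the-URL scheme (added example, hypothetical).

Wiring assumed in squid.conf (names are illustrative, not from the thread):
    external_acl_type urltoken ttl=0 negative_ttl=0 %URI /usr/local/bin/token_helper.py acl
    acl has_token external urltoken
    deny_info 401:ERR_ACCESS_DENIED has_token
    http_access deny !has_token
    url_rewrite_program /usr/local/bin/token_helper.py rewrite
    url_rewrite_children 5

Both helpers read one request per line on stdin and answer one line on stdout.
http_access (and so the external ACL) runs before the rewriter, and the rewriter
runs before the cache lookup, which is the ordering the thread relies on.
"""
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "token"                  # assumed name of the query parameter
VALID_TOKENS = {"abc123", "deadbeef"}  # constructed stand-in for the token database


def extract_token(uri):
    """Return the token carried in the URI's query string, or None if absent."""
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if key == TOKEN_PARAM:
            return value
    return None


def strip_token(uri):
    """Return the URI with the token parameter removed; this becomes the cache key."""
    parts = urlsplit(uri)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != TOKEN_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def acl_verdict(line):
    """external_acl_type reply for one '%URI' input line: 'OK' or 'ERR message=...'.

    'message=' is the kv-pair Squid passes to the error page as %o, which is
    how a more descriptive denial text reaches the browser.
    """
    token = extract_token(line.strip())
    if token is None:
        return "ERR message=missing%20token"
    if token not in VALID_TOKENS:
        return "ERR message=invalid%20token"
    return "OK"


def rewrite_verdict(line):
    """url_rewrite_program reply for one input line 'URL client/fqdn ident method ...'.

    'ERR' means leave the URL unchanged; 'OK rewrite-url=...' replaces it in
    place (no redirect), so the token never reaches the cache or the origin.
    """
    fields = line.split()
    if not fields:
        return "ERR"
    uri = fields[0]
    if extract_token(uri) is None:
        return "ERR"
    return "OK rewrite-url=" + strip_token(uri)


def serve(handler):
    """Helper main loop: one line in, one line out, flushed so Squid never blocks."""
    for line in sys.stdin:
        sys.stdout.write(handler(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "acl"
    serve(rewrite_verdict if mode == "rewrite" else acl_verdict)
```

The rewriter answers `ERR` for a token-less URL only because the ACL has already refused such requests; the two helpers are separate processes, so the ACL stays the sole place where the validity decision is made.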


Re: [squid-users] logging to syslog

2015-11-11 Thread Avraham Serour
I'm very, very sorry for replying to your email directly, I didn't mean
to, I just clicked reply on gmail

I wanted squid to log to syslog, using the syslog module on ubuntu the
socket path is /dev/log
from there I have my rsyslog config that forwards it to logstash

In any case my manager just told me to not log directly to syslog anymore,
he wants to write the logs to file and have them shipped to syslog

In any case I think I found the root of my problems, my squid.conf was
being built using patch, I had a file with only the diff.
So it looks like the patch wasn't being applied correctly, so squid was
running with the default conf file.

Thanks for the help, and sorry again
Avraham

On Wed, Nov 11, 2015 at 2:55 PM, Sebastian Kirschner <
s.kirsch...@afa-finanz.de> wrote:

> Hi Avraham,
>
> 1. Please do not contact me directly, use the Mailing List.
>
> I read the sentences you wrote to me again,
> do you really want squid to log the things that would go in access.log
> to your /var/log/syslog (default debian path),
> or do you just want to see what is written in the access.log?
>
> For changing the location/way that squid logs the access entries read 2.;
> if not, the default
> path of the access log is /usr/local/squid/var/logs/access.log.
>
> 2. As you could see what Yuri Voinov wrote
> > #
> > #   udp     To send each log line as text data to a UDP receiver.
> > #           Place: The destination host name or IP and port.
> > #           Place Format:   //host:port
> > #
> > #   tcp     To send each log line as text data to a TCP receiver.
> > #           Lines may be accumulated before sending (see buffered_logs).
> > #           Place: The destination host name or IP and port.
> > #           Place Format:   //host:port
> > #
> > #   Default:
> > #   access_log daemon:/var/log/squid/access.log squid
>
> This is snipped from the squid configuration documents on the squid page (
> http://www.squid-cache.org/Doc/config/access_log/).
>
> You could try (I didn't do it before) to use syslog as module and insert
> it in your squid.conf
>
> Best Regards
> Sebastian
>
>
> From: Avraham Serour [mailto:tovm...@gmail.com]
> Sent: Wednesday, 11 November 2015 11:48
> To: Sebastian Kirschner
> Subject: Re: [squid-users] logging to syslog
>
> I'm actually using rsyslog, it comes with ubuntu
> in any case my conf for now is:
>
> template(name="lesquid_accessFormat" type="string"
> string="programname=%programname% %msg%\n")
> action(type="omfile" dirCreateMode="0700" FileCreateMode="0644"
>File="/var/log/messages" template="lesquid_accessFormat")
>
> then I tail the /var/log/messages file and check what happens when I make
> a request using the proxy
>
> On Wed, Nov 11, 2015 at 12:09 PM, Avraham Serour 
> wrote:
> so where should the symlink be? what is the default unix socket
> path that squid tried to use?
>
> On Wed, Nov 11, 2015 at 10:11 AM, Sebastian Kirschner <
> s.kirsch...@afa-finanz.de> wrote:
> Hi Avraham,
>
> I think it wouldn't be a good idea to just create a symlink because squid
> (or the user under which squid runs) then must have access to the syslog,
> and if your squid instance gets compromised then the syslog is open to read
> for that one.
>
> Best Regards
> Sebastian


Re: [squid-users] File rotation problem

2015-11-11 Thread Antony Stone
On Wednesday 11 November 2015 at 13:25:56, Verónica Ovando wrote:

> Hi. I need to set up correctly my logfiles rotation.

I think http://serverfault.com/questions/391538/logrotate-daily-and-size might 
help you.

> I am using logrotate with this configuration in /etc/logrotate.d/squid3:
> 
> /var/log/squid3/access.log {
>   maxsize 50M
>   daily
>   compress
>   delaycompress
>   rotate 5
>   missingok
>   notifempty
>   create 0640 proxy proxy
>   sharedscripts
>   postrotate
>   test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
>   endscript
>   }
> 
>   /var/log/squid3/cache.log {
>   maxsize 50M
>   daily
>   compress
>   delaycompress
>   rotate 5
>   missingok
>   notifempty
>   create 0640 proxy proxy
>   sharedscripts
>   postrotate
>   test ! -e /var/run/squid3.pid || test ! -x /usr/sbin/squid3 || /usr/sbin/squid3 -k rotate
>   endscript
>   }
> 
> In my /etc/crontab.daily logrotate is present.
> 
> In my squid.conf file logfile_rotate is set to 0.
> 
> My files are growing very quickly, they are more than 50 MB of size
> (some of them more than 2 GB). I have to execute manually squid3 -k
> rotate for the log rotation.

Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] logging to syslog

2015-11-11 Thread Sebastian Kirschner
Also, it's a bit off-topic,

I think it's a good idea that another user greps the information out of the 
access.log 
instead of letting the access.log write directly to the syslog.

In my eyes it's more secure.

Best Regards
Sebastian



Re: [squid-users] Multicast WCCPv2 + Squid 3.3.8

2015-11-11 Thread brendan kearney
I am interested in this topic.  Would love to hear about your progress.

The os that squid runs on must participate in a dynamic routing protocol
such as ospf and needs to advertise a route to the multicast ip via itself.

Generally this is done by adding a virtual interface to the loopback and
giving that interface the multicast ip.  When the squid service is running
the os should advertise the route to the multicast ip on its loopback.
When the squid service is stopped the os should remove the route.

There are a couple of timing and interaction pieces you need to account
for, and manage outside of squid.

www.linuxjournal.com/article/3041
On Nov 10, 2015 11:26 PM, "Fatah Mumtaz"  wrote:

> Hi everyone,
> Currently I'm building a lab for my thesis on the topic Multicast WCCPv2
> with Squid. I'm trying to config WCCPv2 to work with a single proxy server
> (Squid 3.3.8) and multiple Cisco 2821 routers. WCCPv2 works well with one
> proxy server and one router configuration. It's been 2 months since I've been
> trying to implement multicast WCCPv2 and actually I don't know how to
> config Squid to be able to communicate with multiple routers using
> multicast to announce its presence. Because I've read the documentation
> from Cisco and I've concluded into something like this: "the routers are
> somehow the "clients" but not by sending IGMP messages, just by listening
> for multicast packets sent by the "sources", the cache engines, on a
> specific multicast group address." So the proxy server (or Squid)
> acts as the multicast server that sends multicast packets. Been looking over
> the net and still have no clue.
>
> And my question is simple:
> 1. Is it possible to config squid to announce its presence to the
> routers using multicast? And if it is possible, please kindly provide any
> detail.
>
>
> I also attached the topology i'm working on and please tell me if you need
> any further info.
>
>
>
> Thank You
> Fatah Mumtaz
>
>
>
>


[squid-users] redirect 206 content

2015-11-11 Thread HackXBack
Hello,
is there a way to redirect 206 contents to acl ?
Thanks.





Re: [squid-users] logging to syslog

2015-11-11 Thread Sebastian Kirschner
Hi Avraham,

1. Please do not contact me directly, use the Mailing List.

I read the sentences you wrote to me again,
do you really want squid to log the things that would go in access.log to 
your /var/log/syslog (default debian path),
or do you just want to see what is written in the access.log?

For changing the location/way that squid logs the access entries read 2.; if 
not, the default
path of the access log is /usr/local/squid/var/logs/access.log. 

2. As you could see what Yuri Voinov wrote
> #
> #   udp     To send each log line as text data to a UDP receiver.
> #           Place: The destination host name or IP and port.
> #           Place Format:   //host:port
> #
> #   tcp     To send each log line as text data to a TCP receiver.
> #           Lines may be accumulated before sending (see buffered_logs).
> #           Place: The destination host name or IP and port.
> #           Place Format:   //host:port
> #
> #   Default:
> #   access_log daemon:/var/log/squid/access.log squid

This is snipped from the squid configuration documents on the squid page 
(http://www.squid-cache.org/Doc/config/access_log/).

You could try (I didn't do it before) to use syslog as module and insert it in 
your squid.conf

Best Regards
Sebastian


From: Avraham Serour [mailto:tovm...@gmail.com] 
Sent: Wednesday, 11 November 2015 11:48
To: Sebastian Kirschner
Subject: Re: [squid-users] logging to syslog

I'm actually using rsyslog, it comes with ubuntu
in any case my conf for now is:

template(name="lesquid_accessFormat" type="string" 
string="programname=%programname% %msg%\n")
action(type="omfile" dirCreateMode="0700" FileCreateMode="0644"
   File="/var/log/messages" template="lesquid_accessFormat")

then I tail the /var/log/messages file and check what happens when I make a 
request using the proxy

On Wed, Nov 11, 2015 at 12:09 PM, Avraham Serour  wrote:
so where should the symlink be? what is the default unix socket path 
that squid tried to use?

On Wed, Nov 11, 2015 at 10:11 AM, Sebastian Kirschner 
 wrote:
Hi Avraham,

I think it wouldn't be a good idea to just create a symlink because squid (or 
the user under which squid runs) then must have access to the syslog,
and if your squid instance gets compromised then the syslog is open to read for 
that one.

Best Regards
Sebastian
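The route Sebastian points at, as an added example that is neither poster's configuration nor Squid project code: Squid's `access_log` directive accepts a `syslog:` module with a `facility.priority` argument, so the proxy hands each access line to the local syslog socket itself and rsyslog files or forwards it from there. That avoids the symlink idea entirely: the squid user never needs read or write access to a syslog file, and Squid's own `logfile_rotate` does not apply to the syslog copy. The facility `local1`, the output path and the rsyslog file name are assumptions; a second `access_log` line keeps the plain file too, which is what "write the logs to file and have them shipped" asks for.

```conf
# squid.conf: one line per access entry to syslog (facility.priority),
# plus the ordinary file log that logrotate keeps handling as before
access_log syslog:local1.info squid
access_log daemon:/var/log/squid/access.log squid

# /etc/rsyslog.d/30-squid.conf (RainerScript, same style as the omfile
# action shown earlier in this thread): file everything that arrives on
# facility local1 into its own log, created unreadable to other users,
# and stop so the lines do not also land in /var/log/syslog
if $syslogfacility-text == 'local1' then {
    action(type="omfile" file="/var/log/squid/access.syslog"
           fileCreateMode="0640" dirCreateMode="0750")
    stop
}
```

Pick a `localN` facility that nothing else on the host uses, otherwise unrelated daemons' lines end up in the same file; the `squid` at the end of the `access_log` line selects the native log format, so the syslog copy matches the file copy field for field.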


Re: [squid-users] YouTube Resolution Locker Plugin for Squid Proxy Cache 3.5.x

2015-11-11 Thread HackXBack
I am just giving my test for you and it's up to you to solve it or not,
Thanks





Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread Ahmad Alzaeem
Sorry, I didn't understand, could you explain more?

cheers

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of James Lay
Sent: Thursday, November 12, 2015 12:29 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid http & https intercept based on DNS server

On 2015-11-11 12:23, Ahmad Alzaeem wrote:
> Hi guys
> 
> I want to ask a question
> 
> Assume I have a dns server that resolves all the names to the ip of 
> squid
> 
> So we will have all websites go to squid
> 
> The question being asked here is:
> 
> If I used squid in intercept mode
> 
> Will I be able to handle http & https traffic without adding a cert and 
> CA in the clients' browsers?
> 
> Again
> 
> Will I have issues with Https in certs?
> 
> cheers

No.  Certain clients don't even use DNS, but a hardcoded IP (I'm looking at you 
TextNow).

James


Re: [squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Amos Jeffries
On 12/11/2015 7:12 a.m., Eugene M. Zheganin wrote:
> 
> As soon as I add sslBump, everything that is bumped starts to be
> blocked by 'http_access deny unauthorized' (everything that's spliced
> works as intended). And I completely cannot understand why. Yes, I can
> remove this line, but this way I'm losing deny_info for specific cases
> when someone fails to authorize, and plus - without sslBump it was
> working, right? Please help me understand this and solve the issue.
> 

Proxy-authentication cannot be performed on MITM'd traffic. That
includes SSL-bump decrypted messages.

However, unlike the other methods SSL-bump CONNECT wrapper messages in
explicit-proxy traffic can be authenticated and their credentials
inherited by the messages decrypted. Squid should be doing that. But
again cannot do it for the fake/synthetic ones it generates itself on
intercepted port 443 traffic.

So the question becomes, why are foo and bar ACLs not matching?
 http_access rules are applied separately to the CONNECT wrapper message
and to the decrypted non-CONNECT HTTP message(s).

Amos



Re: [squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi.

On 11.11.2015 23:44, Amos Jeffries wrote:
> Proxy-authentication cannot be performed on MITM'd traffic. That
> includes SSL-bump decrypted messages.
>
> However, unlike the other methods SSL-bump CONNECT wrapper messages in
> explicit-proxy traffic can be authenticated and their credentials
> inherited by the messages decrypted. Squid should be doing that. But
> again cannot do it for the fake/synthetic ones it generates itself on
> intercepted port 443 traffic.
>
> So the question becomes, why are foo and bar ACLs not matching?
>  http_access rules are applied separately to the CONNECT wrapper message
> and to the decrypted non-CONNECT HTTP message(s).
>
>
Yeah, completely my fault - I forgot to say what URL the user is trying to
browse and what matches when.
Once again.

===Cut===
acl freetime time MTWHF 18:00-24:00

acl foo dst 192.168.0.0/16
acl bar dstdomain .bar.tld

acl users proxy_auth steve
acl users proxy_auth mike
acl users proxy_auth bob

acl unauthorized proxy_auth stringthatwillnevermatch

acl block dstdomain "block.acl"
acl blockssl ssl::server_name "block.acl"

http_access allow foo
http_access allow bar

http_access deny unauthorized

http_access allow blockssl users freetime
http_access allow block users freetime
http_access deny blockssl users
http_access deny block users
http_access allow users
http_access deny all
===Cut===

So, the user starts its browser and opens the URL 'https://someurl'.
And this URL matches both 'block' and 'blockssl' ACLs, one I created for
you know... usual matching and one - for sslBump, since dstdomain ACLs
cannot work there. So, the main idea here is to actually show some
information to the user, when he's trying to visit some blocked site via
TLS and that site isn't allowed - because all the user sees in such a
situation are various browser-dependent error pages, like "Proxy server
refusing connections" (Firefox) or some other brief error (cannot
remember it exactly) in Chrome - so the user thinks it's a technical error
and starts bothering tech support. Can this goal be achieved for a
configuration with user authentication? ACL 'foo' and ACL 'bar' don't
match 'somesite' because they are created to match some traffic that is
allowed to all proxy users, regardless of their authentication, and I
listed these ACLs here to give a proper representation of my ACL structure
- there's a part without authentication, and there's a part with.

Thanks.
Eugene.


Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread Amos Jeffries
On 12/11/2015 8:23 a.m., Ahmad Alzaeem wrote:
> Hi guys
> 
> I want to ask a question
> 
>  
> 
> Assume I have a dns server that resolves all the names to the ip of squid
> 

Please see the "Alternative Causes" section at the end of


Amos



Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread James Lay

On 2015-11-11 12:23, Ahmad Alzaeem wrote:

> Hi guys
>
> I want to ask a question
>
> Assume I have a dns server that resolves all the names to the ip of
> squid
>
> So we will have all websites go to squid
>
> The question being asked here is:
>
> If I used squid in intercept mode
>
> Will I be able to handle http & https traffic without adding a cert and
> CA in the clients' browsers?
>
> Again
>
> Will I have issues with Https in certs?
>
> cheers


No.  Certain clients don't even use DNS, but a hardcoded IP (I'm looking 
at you TextNow).


James


Re: [squid-users] sslBump somehow interferes with authentication

2015-11-11 Thread Eugene M. Zheganin
Hi.

On 12.11.2015 0:06, Eugene M. Zheganin wrote:
> So, the user starts its browser and opens the URL 'https://someurl'.
> And this URL matches both 'block' and 'blockssl' ACLs, one I created for
> you know... usual matching and one - for sslBump, since dstdomain ACLs
> cannot work there. So, the main idea here is to actually show some
> information to the user, when he's trying to visit some blocked site via
> TLS and that site isn't allowed - because all the user sees in such a
> situation are various browser-dependent error pages, like "Proxy server
> refusing connections" (Firefox) or some other brief error (cannot
> remember it exactly) in Chrome - so the user thinks it's a technical error
> and starts bothering tech support. Can this goal be achieved for a
> configuration with user authentication? ACL 'foo' and ACL 'bar' don't
> match 'somesite' because they are created to match some traffic that is
> allowed to all proxy users, regardless of their authentication, and I
> listed these ACLs here to give a proper representation of my ACL structure
> - there's a part without authentication, and there's a part with.
>
Follow-up: the traffic isn't intercepted proxy traffic, it's traffic
between a browser and a proxy configured in that browser. If I remove
the line

http_access deny unauthorized

I'm receiving sslBumped traffic from the sites that match the
'blockssl' ACL, and this traffic goes through the authentication chain.
The question is - why does the line above make the whole scheme fall apart?

Thanks.
Eugene.


Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread Yuri Voinov

12.11.15 1:23, Ahmad Alzaeem wrote:
> Hi guys
>
> I want to ask a question
>
> Assume I have a dns server that resolves all the names to the ip of squid
>
> So we will have all websites go to squid
>
> The question being asked here is:
>
> If I used squid in intercept mode
>
> Will I be able to handle http & https traffic without adding a cert and
> CA in the clients' browsers?
No.
>
> Again
>
> Will I have issues with Https in certs?
Maybe, maybe not.
>
> cheers


[squid-users] Dansguardian Squid and HTTPS

2015-11-11 Thread Bruno de Oliveira Bastos
Hi, I have a server with auth by group in Active Directory; dansguardian receives 
every connection in HTTP and HTTPS, and after analysis it sends the request to 
squid. In the log of dansguardian I see the username OK, but in the squid log I see 
only the IP of the listening dansguardian. First, is there a way for dansguardian to 
pass the username to squid? Second, with https sites I have a problem: I receive access 
denied, but in dansguardian I have the exceptionlist configured, and in the squid 
log I receive error 407 denied; only if I explicitly put a freesitelist in squid does it 
work fine. Does someone know how to solve this?


Re: [squid-users] logging to syslog

2015-11-11 Thread Sebastian Kirschner
Hi Avraham,

I think it wouldn't be a good idea to just create a symlink because squid (or 
the user under which squid runs) then must have access to the syslog,
and if your squid instance gets compromised then the syslog is open to read for 
that one.

Best Regards
Sebastian