[squid-users] on_unsupported_protocol doesn't work for bumped https connections
Hi,

Did anyone try on_unsupported_protocol for bumped https connections? I made a simple test with netcat but the test failed. The same test is successful for port 80 (also intercepted by squid).

Netcat Server --- Squid Box --- Client

On Client:

echo "" | nc 10.50.13.1 443

On Netcat Server:

nc -kl 443

On Squid Box, squid.conf:

https_port 8443 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump bump step2 all
on_unsupported_protocol tunnel all

access.log:

1447235165.673 9 10.41.0.100 NONE/200 0 CONNECT 10.50.13.1:443 - HIER_NONE/- -

--
Tarık Demirci

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] sslBump adventures in enterprise production environment
Hi.

Today I discovered that a bunch of old legacy ICQ clients that some people still use have lost the ability to use HTTP CONNECT tunneling with sslBump. No matter what I tried to allow direct splicing for them, all was useless:

- arranging them by dst ACL, and splicing that ACL
- arranging them by ssl::server_name ACL, and splicing it

So I had to turn off sslBumping. Looks like it somehow interferes with HTTP CONNECT even when splicing it.

The last version of the sslBump part of the config looked like this:

acl icqssl ssl::server_name login.icq.com
acl icqssl ssl::server_name go.icq.com
acl icqssl ssl::server_name ars.oscar.aol.com
acl icqssl ssl::server_name webim.qip.ru
acl icqssl ssl::server_name cb.icq.com
acl icqssl ssl::server_name wlogin.icq.com
acl icqssl ssl::server_name storage.qip.ru
acl icqssl ssl::server_name new.qip.ru

acl icqlogin dst 178.237.20.58
acl icqlogin dst 178.237.19.84
acl icqlogin dst 94.100.186.23

ssl_bump splice children
ssl_bump splice sbol
ssl_bump splice icqlogin
ssl_bump splice icqssl icqport
ssl_bump splice icqproxy icqport

ssl_bump bump interceptedssl

ssl_bump peek step1
ssl_bump bump unauthorized
ssl_bump bump entertainmentssl
ssl_bump splice all

I'm not sure that ICQ clients use TLS, but in my previous experience they were configured to use a proxy, and to connect through the proxy to the login.icq.com host on port 443.

Sample log for unsuccessful attempts:

1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -

Thanks.
Eugene.
Re: [squid-users] ACL and http_access
On 13/11/2015 8:31 p.m., Magic Link wrote:
> What I want, if it's possible, is: users can't access the Internet, except
> during two periods each day I'll define. During these two periods,
> they can access only a few sites I define in the file (basic URL, http
> or https, per line). I have to know if it's possible with Squid? Or
> Squidguard? Or not at all? Thank you!

The answer is "Yes". Antony already gave you the config that does it.

>> From: Antony.Stone
>>
>> I would suggest (assuming your regex list is good) trying:
>>
>> http_access allow localhost
>> http_access allow network working_hours whitelist
>> http_access allow network out_working_hours whitelist
>> http_access deny all
>>
>> The above should allow access from 10.2.0.0/16 to the sites in your regex
>> list between the hours 09:30-10:30 and 17:30-18:30 M-F

Amos
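The four http_access lines Antony suggested rely on ACL definitions that the thread never shows. The fragment below is an added example, not from Antony's or Amos's mail, that supplies them: the client network 10.2.0.0/16 and the two time windows come from the thread, while the two list file paths are assumptions made for this example.

```conf
# Added example, not from the original thread.
# Client network named in Antony's reply:
acl network src 10.2.0.0/16

# Squid time ACL: day letters S M T W H F A (H = Thursday), then hh:mm-hh:mm,
# evaluated against the proxy's local clock.
acl working_hours     time MTWHF 09:30-10:30
acl out_working_hours time MTWHF 17:30-18:30

# One pattern per line; -i makes the match case-insensitive.
# File path is an assumption for this example.
acl whitelist url_regex -i "/etc/squid/whitelist.regex"

# An https site reaches the proxy as "CONNECT host:443", whose URL is
# "host:443" rather than "https://host/", so a regex written for the
# https:// form never matches it. Matching the host name with dstdomain
# covers both http and CONNECT requests. File path is also an assumption.
acl whitelist_domains dstdomain "/etc/squid/whitelist.domains"

# First match wins, so the deny at the end catches everything outside
# the two windows and everything not on the lists.
http_access allow localhost
http_access allow network working_hours whitelist
http_access allow network working_hours whitelist_domains
http_access allow network out_working_hours whitelist
http_access allow network out_working_hours whitelist_domains
http_access deny all
```

Two things worth checking on a regex whitelist of this kind: anchor each pattern (for example ^https?://(www\.)?example\.com/), because an unanchored example\.com also matches any URL that merely contains that string, such as a query parameter on an unrelated host; and keep the dstdomain list as plain host names with a leading dot for subdomains (.example.com), since dstdomain does not take patterns.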
Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)
Hi Amos and all,

Learning about HTTP CONNECT, I got there: http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy

I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the "Delayed error responses" chapter:

"When Squid fails to negotiate a secure connection with the origin server and bump-ssl-server-first is enabled, Squid remembers the error page and serves it after establishing the secure connection with the client and receiving the first encrypted client request. The error is served securely. The same approach is used for Squid redirect messages configured via deny_info. This error delay is implemented because (a) browsers like FireFox and Chromium do not display CONNECT errors correctly and (b) intercepted SSL connections must wait for the first request to serve an error."

My ideas/questions:

1/ Is there a way to have the same with the new peek and splice feature?

2/ Is there a way to tell url_rewrite_program not to work on CONNECT requests? This way the CONNECT is not redirected; the next request the browser sends after squid has bumped it should be a kind of GET/POST one that will be redirected by url_rewrite_program.

3/ Would it work if squidguard were i-cap'ed?

EG

On 13/11/2015 01:31, Amos Jeffries wrote:
> On 13/11/2015 1:02 a.m., Edouard Gaulué wrote:
>> Why is the browser not taking account of the redirect?
>
> Think about *exactly* what is being redirected. CONNECT is a request to
> setup a blind packet relaying tunnel.
>
>> Why is it redoing the same connect?
>
> Because it's a browser. They do some really weird things when confused.
> It was told a TCP relay tunnel existed at
> "https://proxyweb.echoppe.lan/cgi-bin/...". That's a pretty weird place
> for a network socket to exist.
>
>> Why is there no trace at all in the proxy logs of this second CONNECT?
>
> Only if it was handled would it be logged. It seems it may have been read
> in (or maybe not) but definitely not processed for some reason.
>
> Amos
Re: [squid-users] 32-bit Windows Installer
On 14/11/2015 8:39 a.m., Yuri Voinov wrote:
>
> And
>
> http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi
>

That is an older version of Squid than the Acme one you were calling ancient ;-)

Amos
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections
On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
> Hi,
> Did anyone try on_unsupported_protocol for bumped https connections? I
> made a simple test with netcat but the test failed. The same test is
> successful for port 80 (also intercepted by squid).

HTTPS is a supported protocol.

Amos
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections
Netcat plaintext is not HTTPS :) Also via 443 port :)

14.11.15 1:26, Amos Jeffries wrote:
> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>> Hi,
>> Did anyone try on_unsupported_protocol for bumped https connections? I
>> made a simple test with netcat but the test failed. The same test is
>> successful for port 80 (also intercepted by squid).
>
> HTTPS is a supported protocol.
>
> Amos
[squid-users] 32-bit Windows Installer
Hi,

Does anyone know if there are current 32-bit Windows Squid install binaries? If not, what is the latest version for which I can download a squid folder where I can create a service manually?

Thank You,
Patrick
Re: [squid-users] 32-bit Windows Installer
And

http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi

14.11.15 0:32, Rafael Akchurin wrote:
> Hello Patrik,
>
> We only build 64-bit - see http://squid.diladele.com
> I do not know if anyone managed to build for 32-bit. May be use http://squid.acmeconsulting.it/Squid27.html ?
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
Re: [squid-users] 32-bit Windows Installer
I lost the bookmark for 3.1 or 3.3 Win32-Squid. :)

14.11.15 0:32, Rafael Akchurin wrote:
> Hello Patrik,
>
> We only build 64-bit - see http://squid.diladele.com
> I do not know if anyone managed to build for 32-bit. May be use http://squid.acmeconsulting.it/Squid27.html ?
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections
On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>
> Netcat plaintext is not HTTPS :) Also via 443 port :)
>

Thanks Yuri. Can't believe I missed that bit :-0

Amos
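To make Yuri's point concrete: at SslBump step 1 on an intercepted port 443, what the proxy has to go on is the first bytes the client sends, and only a TLS ClientHello record counts as HTTPS; an empty line from netcat is not TLS at all. The Python below is an added example (not Squid's code and not from the thread) that applies the same first-bytes check and, for a real ClientHello, extracts the SNI host name, which is the value an ssl::server_name ACL like the one in the ICQ thread above is matched against. The sample inputs are constructed inline, and build_client_hello is a helper written for this example to produce them.

```python
"""Classify a client's first bytes on an intercepted port 443 (added example).

Returns ("not-tls", None) for anything that is not a TLS handshake record
carrying a ClientHello, ("tls", sni) when the ClientHello has a server_name
extension, and ("tls", None) when it is TLS but the name is absent or the
bytes are truncated.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x00    # extension type: server_name (SNI)


class Truncated(Exception):
    """The bytes look like TLS but the ClientHello is incomplete."""


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Bounds-checked slice; raises Truncated instead of silently returning short data."""
    if pos + n > len(buf):
        raise Truncated()
    return buf[pos:pos + n]


def _sni_from_extensions(body: bytes, pos: int, end: int):
    """Walk the extension list; return the host_name from server_name, if present."""
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", _take(body, pos, 4))
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            p = pos + 2                              # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type = _take(body, p, 1)[0]
                name_len, = struct.unpack("!H", _take(body, p + 1, 2))
                p += 3
                if name_type == 0:                   # NameType host_name
                    return _take(body, p, name_len).decode("ascii", "replace")
                p += name_len
        pos += ext_len
    return None


def classify_first_bytes(data: bytes):
    """The step-1 decision: TLS ClientHello or something else entirely."""
    if (len(data) < 6 or data[0] != TLS_HANDSHAKE or data[1] != 0x03
            or data[5] != CLIENT_HELLO):
        return ("not-tls", None)
    try:
        rec_len, = struct.unpack("!H", data[3:5])
        hs = _take(data, 5, rec_len)                          # handshake message
        body = _take(hs, 4, int.from_bytes(_take(hs, 1, 3), "big"))
        pos = 2 + 32                                          # legacy_version + random
        pos += 1 + _take(body, pos, 1)[0]                     # session id
        cs_len, = struct.unpack("!H", _take(body, pos, 2))
        pos += 2 + cs_len                                     # cipher suites
        pos += 1 + _take(body, pos, 1)[0]                     # compression methods
        if pos == len(body):
            return ("tls", None)                              # no extensions at all
        ext_len, = struct.unpack("!H", _take(body, pos, 2))
        pos += 2
        return ("tls", _sni_from_extensions(body, pos, pos + ext_len))
    except Truncated:
        return ("tls", None)


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal ClientHello record carrying one SNI."""
    host = sni.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(host)) + host         # host_name entry
    name_list = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                              # version, random
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    # Constructed samples: what netcat sent in the thread, an HTTP request, a real hello.
    for sample in (b"\n", b"GET / HTTP/1.1\r\n", build_client_hello("login.icq.com")):
        print(sample[:16], "->", classify_first_bytes(sample))
```

The truncated case matters in practice: a client may send the ClientHello across two TCP segments, so a classifier that sees only the first segment must report "TLS, name not yet known" rather than "not TLS", otherwise an on_unsupported_protocol rule would fire on perfectly ordinary HTTPS connections.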
Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)
On 13/11/2015 10:16 p.m., Edouard Gaulué wrote:
> Hi Amos and all,
>
> Learning about HTTP CONNECT, I got there:
> http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
>
> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the error
> page and serves it after establishing the secure connection with the
> client and receiving the first encrypted client request. The error is
> served securely. The same approach is used for Squid redirect messages
> configured via deny_info. This error delay is implemented because (a)
> browsers like FireFox and Chromium do not display CONNECT errors
> correctly and (b) intercepted SSL connections must wait for the first
> request to serve an error."
>
> My ideas/questions:
> 1/ Is there a way to have the same with the new peek and splice feature?

Not really, because CONNECT is not a part of TLS. It is an HTTP message.

> 2/ Is there a way to tell url_rewrite_program not to work on CONNECT
> requests?

http://www.squid-cache.org/Doc/config/url_rewrite_access/

> This way the CONNECT is not redirected; the next request the
> browser sends after squid has bumped it should be a kind of GET/POST
> one that will be redirected by url_rewrite_program.
> 3/ Would it work if squidguard were i-cap'ed?

All SquidGuard does is apply some basic ACL rules to the details it is given by Squid. You would be far better off simply converting the SG ruleset into http_access ACLs.

Amos
Re: [squid-users] 32-bit Windows Installer
14.11.15 1:54, Amos Jeffries wrote:
> On 14/11/2015 8:37 a.m., Yuri Voinov wrote:
>>
>> Raf, 2.7 is antique :
>>
>
> So is 32-bit for servers.
>
>
>> Somewhere there was a 3.1 for Win32.
>>
>> http://squid.acmeconsulting.it/Squid3.html
>>
>> Somewhere in Sourceforge was one more Win32 msi-installer with squid 3.1
>> or 3.3.
>
> Before Diladele the only properly working builds of Squid were the 2.7
> ones from Acme.
>
> Everything between was experimental and/or only partially working. That
> includes the Acme 3.x builds.

Absolutely, Amos. I've tested almost all of them. Only Diladele works like a charm. With bump!

>
>
> Amos
Re: [squid-users] 32-bit Windows Installer
Hello Patrik,

We only build 64-bit - see http://squid.diladele.com
I do not know if anyone managed to build for 32-bit. May be use http://squid.acmeconsulting.it/Squid27.html ?

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid proxy

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Patrick Flaherty
Sent: Friday, November 13, 2015 7:11 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] 32-bit Windows Installer

Hi,

Does anyone know if there are current 32-bit Windows Squid install binaries? If not, what is the latest version for which I can download a squid folder where I can create a service manually?

Thank You,
Patrick
Re: [squid-users] 32-bit Windows Installer
http://squid.acmeconsulting.it/download/dl-squid.html

3.0 was here.

14.11.15 0:32, Rafael Akchurin wrote:
> Hello Patrik,
>
> We only build 64-bit - see http://squid.diladele.com
> I do not know if anyone managed to build for 32-bit. May be use http://squid.acmeconsulting.it/Squid27.html ?
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
Re: [squid-users] 32-bit Windows Installer
Raf, 2.7 is antique :

Somewhere there was a 3.1 for Win32.

http://squid.acmeconsulting.it/Squid3.html

Somewhere in Sourceforge was one more Win32 msi-installer with squid 3.1 or 3.3.

14.11.15 0:32, Rafael Akchurin wrote:
> Hello Patrik,
>
> We only build 64-bit - see http://squid.diladele.com
> I do not know if anyone managed to build for 32-bit. May be use http://squid.acmeconsulting.it/Squid27.html ?
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
Re: [squid-users] 32-bit Windows Installer
Only Win64, only hardcore :) Diladele RULEZZ ;) I use it on my notebook ;) Under Win10. ;)

14.11.15 1:51, Amos Jeffries wrote:
> On 14/11/2015 8:39 a.m., Yuri Voinov wrote:
>>
>> And
>>
>> http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi
>>
>
> That is an older version of Squid than the Acme one you were calling
> ancient ;-)
>
> Amos
Re: [squid-users] 32-bit Windows Installer
On 14/11/2015 8:37 a.m., Yuri Voinov wrote:
>
> Raf, 2.7 is antique :
>

So is 32-bit for servers.

> Somewhere there was a 3.1 for Win32.
>
> http://squid.acmeconsulting.it/Squid3.html
>
> Somewhere in Sourceforge was one more Win32 msi-installer with squid 3.1
> or 3.3.

Before Diladele the only properly working builds of Squid were the 2.7 ones from Acme.

Everything between was experimental and/or only partially working. That includes the Acme 3.x builds.

Amos
[squid-users] squid3.4 - MySQL, PHP script - block websites
Hello,

I have problems blocking web sites listed in a mysql database. When I start the script below, it works, but squid3.4 gives me this log output:

2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from blockscript #Hlpr0, 3 bytes 'OK

How can I fix that problem?

Thanks in advance
Jens

#!/usr/bin/php
<?php
// Squid external_acl_type helper: one %DST value per request line,
// one "OK" or "ERR" reply per line.
$db = new mysqli("", "", "", "");   // host, user, password, database (removed from the posted script)
if ($db->connect_error) {
    fwrite(STDOUT, "ERR\n");
    exit(1);
}

// fgets() returns false at EOF: stop quietly instead of answering a request
// Squid never sent (that stray reply is what helperHandleRead complains about).
while (($line = fgets(STDIN)) !== false) {
    $s = explode(" ", trim($line));
    if ($s[0] === "") {
        continue;                   // ignore blank lines, send no reply for them
    }
    // $dst comes from the client's request: escape it before it reaches SQL.
    $dst = $db->real_escape_string($s[0]);
    $query = "SELECT * FROM squid WHERE name = '$dst'";
    if ($res = $db->query($query)) {
        $rec = $res->num_rows;
        $row = ($rec > 0) ? $res->fetch_row() : array();
        // No row, or the row's flag (third column) set to 1: no match -> ERR
        if (($rec < 1) || ($row[2] == 1))
            fwrite(STDOUT, "ERR\n");
        else
            fwrite(STDOUT, "OK\n");
        $res->close();
    } else {
        fwrite(STDOUT, "ERR\n");    // query failed: still exactly one reply per request
    }
}
$db->close();
?>

This is my squid.conf:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
auth_param basic children 4
auth_param basic utf8 on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort fuer die Internetberechtigung ein!
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive on

external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php

acl localnet src 192.168.178.7
acl ncsa_users proxy_auth REQUIRED
acl mysql_block external blockscript

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny mysql_block
http_access allow localhost ncsa_users
http_access allow localnet ncsa_users
# And finally deny all other access to this proxy
http_access deny all

http_port 3128
cache_mgr jkal...@web.de
cache_effective_user squid
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /sap/var/spool/squid 64 16 128
cache_access_log /sap/squid/log/access.log
cache_log /sap/squid/log/cache.log
cache_store_log /sap/squid/log/store.log
# Leave coredumps in the first cache dir
coredump_dir /sap/var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat squid %tl.%03tu %6tr %>a %un %Ss/%03>Hs %
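For reference, this is the external_acl_type request/reply exchange that Jens's helper takes part in, written out in Python as an added example (it is not Jens's script and not part of Squid). The MySQL table is replaced by a constructed in-memory dictionary, and the helper is assumed to be started with a line such as "external_acl_type blockscript concurrency=4 %DST /path/to/helper.py" (the path and the concurrency value are assumptions for this example). It demonstrates the protocol rules whose violation shows up as "unexpected read" in cache.log: reply exactly once per request line, echo the channel id when concurrency is on, send nothing at EOF, and flush after every reply.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not the poster's script).

Protocol as Squid 3.x speaks it:
  request:  "[<channel-id>] <%DST value>\n"   (channel-id only with concurrency=N)
  reply:    "[<channel-id>] OK|ERR\n"        (same channel-id echoed back)
With "http_access deny mysql_block" in squid.conf, OK means "this destination
is on the block list" and ERR means "no match".
"""
import sys

# Constructed stand-in for the MySQL table: domain -> blocked flag.
BLOCKED_DOMAINS = {
    "ads.example": True,
    "tracker.example": True,
    "example.com": False,   # listed, but flag says: not blocked
}


def is_blocked(dst: str) -> bool:
    """Match dst and each parent domain, the way a dstdomain ACL would."""
    labels = dst.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        flag = BLOCKED_DOMAINS.get(".".join(labels[i:]))
        if flag is not None:
            return flag
    return False


def parse_request(line: str, concurrent: bool):
    """Return (channel_id, dst) for a request line, or None for a blank line."""
    parts = line.strip().split()
    if not parts:
        return None
    if concurrent:
        # With concurrency=N the first token is the channel id Squid expects back.
        return (parts[0], parts[1] if len(parts) > 1 else "")
    return (None, parts[0])


def reply_for(line: str, concurrent: bool = True):
    """Build the single reply line for one request, or None if none is owed."""
    parsed = parse_request(line, concurrent)
    if parsed is None:
        return None
    channel, dst = parsed
    verdict = "OK" if dst and is_blocked(dst) else "ERR"
    return verdict if channel is None else f"{channel} {verdict}"


def serve(requests, out=None, concurrent: bool = True):
    """Main loop: one reply per request line; the loop simply ends at EOF."""
    sent = []
    for line in requests:               # iteration stops at EOF with no extra write
        reply = reply_for(line, concurrent)
        if reply is None:
            continue
        if out is not None:
            out.write(reply + "\n")
            out.flush()                 # Squid waits for the newline; do not buffer it
        sent.append(reply)
    return sent


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, concurrent="--no-concurrency" not in sys.argv)
```

Without concurrency=N in external_acl_type (as in Jens's configuration) the helper is run with the --no-concurrency style: no channel id on the request and a bare OK or ERR in reply.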
Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)
On 11/13/2015 02:16 AM, Edouard Gaulué wrote:
> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the error
> page and serves it after establishing the secure connection with the
> client and receiving the first encrypted client request. The error is
> served securely. The same approach is used for Squid redirect messages
> configured via deny_info."
>
> My ideas/questions:
> 1/ Is there a way to have the same with the new peek and splice feature?

Yes, SslBump failures should result in delayed errors securely served to SSL clients where possible. This essential SslBump feature is not specific to the old server-first bumping method. If the latest Squid does not do this, it is essentially a bug.

Alex.
Re: [squid-users] sslBump adventures in enterprise production environment
There is no solution for ICQ with Squid now. You can only bypass proxying for ICQ clients.

13.11.15 14:41, Eugene M. Zheganin wrote:
> Hi.
>
> Today I discovered that a bunch of old legacy ICQ clients that some
> people still use have lost the ability to use HTTP CONNECT tunneling with
> sslBump. No matter what I tried to allow direct splicing for them, all
> was useless:
>
> - arranging them by dst ACL, and splicing that ACL
> - arranging them by ssl::server_name ACL, and splicing it
>
> So I had to turn off sslBumping. Looks like it somehow interferes with
> HTTP CONNECT even when splicing it.
>
> [...]
>
> Sample log for unsuccessful attempts:
>
> 1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
> 1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
> 1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
> 1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>
> Thanks.
> Eugene.
Re: [squid-users] strange behavior with systemd
Check SELinux permissions first.

Best regards,
Rafael

> On 13 Nov 2015 at 14:54, Jakob Curdeshet wrote:
>
> Hello all,
>
> I have a squid running as reverse proxy on a CentOS 7 box which uses systemd.
> When installing the box everything was fine; I enabled the squid service and
> it would start via systemd.
> Now I have exchanged the certificate for the HTTPS service. Then I did a
> "systemctl start squid.service" and whoops, it failed.
>
> [...]
>
> No change, start via systemd says "FATAL: No valid signing
> SSL certificate configured for https_port [::]:443" while starting by hand
> gives "Using certificate in /etc/squid/...". I'm pretty sure this is rather
> an issue with systemd than with squid, but before asking there I wanted to
> check whether I have overlooked something on the squid side. Any ideas?
>
> Have a good weekend,
> Jakob
Re: [squid-users] strange behavior with systemd
On 13.11.2015 15:11, Rafael Akchurin wrote:
> Check SELinux permissions first.

Independently, I suddenly had the ugly feeling I had forgotten something. SELinux was the culprit: the key file of the certificate did not have the correct SELinux type.

Thanks and cheers,
Jakob
[squid-users] strange behavior with systemd
Hello all,

I have a squid running as reverse proxy on a CentOS 7 box which uses systemd. When installing the box everything was fine; I enabled the squid service and it would start via systemd.

Now I have exchanged the certificate for the HTTPS service. Then I did a "systemctl start squid.service" and whoops, it failed. I then tried to start squid manually, which works perfectly, so the config file is ok. I looked at the output of "journalctl -xn", which shows that squid claims it cannot find the certificate I configured. I double-checked that there is only one squid config file and that the same config file is used whether I start it by hand or via systemd (which uses the config file defined in /etc/sysconfig/squid). Then I thought maybe systemd does some tricky config file caching and rebooted the box. No change: start via systemd says "FATAL: No valid signing SSL certificate configured for https_port [::]:443" while starting by hand gives "Using certificate in /etc/squid/...". I'm pretty sure this is rather an issue with systemd than with squid, but before asking there I wanted to check whether I have overlooked something on the squid side. Any ideas?

Have a good weekend,
Jakob