[squid-users] on_unsupported_protocol doesn't work for bumped https connections

2015-11-13 Thread Tarik Demirci
Hi,
Did anyone try on_unsupported_protocol for bumped https connections? I
made a simple test with netcat, but the test failed. The same test is
successful for port 80 (also intercepted by Squid).


Netcat Server  --- Squid Box --- Client

On Client:
echo "" | nc 10.50.13.1 443

***

On Netcat Server:
nc -kl 443

***

On Squid Box:

squid.conf:
https_port 8443 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump bump step2 all
on_unsupported_protocol tunnel all

access.log:
1447235165.673      9 10.41.0.100 NONE/200 0 CONNECT 10.50.13.1:443 - HIER_NONE/- -

-- 
Tarık Demirci
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] sslBump adventures in enterprise production environment

2015-11-13 Thread Eugene M. Zheganin
Hi.

Today I discovered that a bunch of old legacy ICQ clients that some
people still use have lost the ability to use HTTP CONNECT tunneling with
sslBump. No matter what I tried to allow direct splicing for them, all
was useless:

- arranging them by dst ACL, and splicing that ACL
- arranging them by ssl::server_name ACL, and splicing it

So I had to turn off sslBumping. It looks like it somehow interferes with
HTTP CONNECT even when splicing it.
The last version of the sslBump part of the config looked like this:


acl icqssl ssl::server_name login.icq.com
acl icqssl ssl::server_name go.icq.com
acl icqssl ssl::server_name ars.oscar.aol.com
acl icqssl ssl::server_name webim.qip.ru
acl icqssl ssl::server_name cb.icq.com
acl icqssl ssl::server_name wlogin.icq.com
acl icqssl ssl::server_name storage.qip.ru
acl icqssl ssl::server_name new.qip.ru

acl icqlogin dst 178.237.20.58
acl icqlogin dst 178.237.19.84
acl icqlogin dst 94.100.186.23

ssl_bump splice children
ssl_bump splice sbol
ssl_bump splice icqlogin
ssl_bump splice icqssl icqport
ssl_bump splice icqproxy icqport

ssl_bump bump interceptedssl

ssl_bump peek step1
ssl_bump bump unauthorized
ssl_bump bump entertainmentssl
ssl_bump splice all

I'm not sure that ICQ clients use TLS, but in my previous experience
they were configured to use proxy, and to connect through proxy to the
login.icq.com host on port 443.
Sample log for unsuccessful attempts:

1447400500.311     21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400560.301     23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400624.832    359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
1447400631.038    108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -

Thanks.
Eugene.


Re: [squid-users] ACL and http_access

2015-11-13 Thread Amos Jeffries
On 13/11/2015 8:31 p.m., Magic Link wrote:
> What I want, if it's possible, is: users can't access the Internet, except
> during two periods each day that I'll define. During these two periods,
> they can access only a few sites I define in the file (basic URL, http
> or https, one per line). I have to know if it's possible with Squid? Or
> SquidGuard? Or not at all? Thank you!

The answer is "Yes".

Antony already gave you the config that does it.

>> From: Antony.Stone
>>
>> I would suggest (assuming your regex list is good) trying:
>>
>> http_access allow localhost
>> http_access allow network working_hours whitelist
>> http_access allow network out_working_hours whitelist
>> http_access deny all
>>
>> The above should allow access from 10.2.0.0/16 to the sites in your regex
>> list between the hours 09:30-10:30 and 17:30-18:30 M-F
>>


Amos



Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-13 Thread Edouard Gaulué

Hi Amos and all,

Learning about HTTP CONNECT, I got here:
http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy


I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the 
"Delayed error responses" chapter:
"When Squid fails to negotiate a secure connection with the origin 
server and bump-ssl-server-first is enabled, Squid remembers the error 
page and serves it after establishing the secure connection with the 
client and receiving the first encrypted client request. The error is 
served securely. The same approach is used for Squid redirect messages 
configured via deny_info. This error delay is implemented because (a) 
browsers like FireFox and Chromium do not display CONNECT errors 
correctly and (b) intercepted SSL connections must wait for the first 
request to serve an error."


My ideas/questions:
1/ Is there a way to have the same with the new peek and splice feature?
2/ Is there a way to tell url_rewrite_program not to act on CONNECT
requests? This way the CONNECT is not redirected; the next request the
browser sends after Squid has bumped it should be a GET/POST
that url_rewrite_program will redirect.

3/ Would it work if SquidGuard were ICAP'ed?

EG


On 13/11/2015 01:31, Amos Jeffries wrote:
> On 13/11/2015 1:02 a.m., Edouard Gaulué wrote:
>> Why is the browser not taking account of the redirect?
>
> Think about *exactly* what is being redirected.
>
> CONNECT is a request to setup a blind packet relaying tunnel.
>
>> Why is it redoing the same connect?
>
> Because it's a browser. They do some really weird things when confused.
>
> It was told a TCP relay tunnel existed at
> "https://proxyweb.echoppe.lan/cgi-bin/...". That's a pretty weird place
> for a network socket to exist.
>
>> Why is there no trace at all in the proxy logs of this second CONNECT?
>
> Only if it was handled would it be logged. It seems it may have been
> read in (or maybe not) but definitely not processed for some reason.
>
> Amos



Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Amos Jeffries
On 14/11/2015 8:39 a.m., Yuri Voinov wrote:
> 
> And
> 
> http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi
> 

That is an older version of Squid than the Acme one you were calling
ancient ;-)

Amos


Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

2015-11-13 Thread Amos Jeffries
On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
> Hi,
> Did anyone try on_unsupported_protocol for bumped https connections? I
> made a simple test with netcat but test failed. Same test is
> successful for port 80 (also intercepted by squid).

HTTPS is a supported protocol.

Amos



Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

2015-11-13 Thread Yuri Voinov

Netcat plaintext is not HTTPS :) Also via 443 port :)

14.11.15 1:26, Amos Jeffries wrote:
> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>> Hi,
>> Did anyone try on_unsupported_protocol for bumped https connections? I
>> made a simple test with netcat but test failed. Same test is
>> successful for port 80 (also intercepted by squid).
>
> HTTPS is a supported protocol.
>
> Amos
>




[squid-users] 32-bit Windows Installer

2015-11-13 Thread Patrick Flaherty
Hi,

 

Does anyone know if there are current 32-bit Windows Squid install binaries?
If not, what is the latest version for which I can download a Squid folder
from which I can create a service manually?

 

Thank You,

Patrick

 



Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov

And

http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi

14.11.15 0:32, Rafael Akchurin wrote:




Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov

I lost the bookmark for the 3.1 or 3.3 Win32 Squid. :)

14.11.15 0:32, Rafael Akchurin wrote:




Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

2015-11-13 Thread Amos Jeffries
On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
> 
> Netcat plaintext is not HTTPS :) Also via 443 port :)
> 

Thanks Yuri. Can't believe I missed that bit :-0

Amos

> 14.11.15 1:26, Amos Jeffries wrote:
>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>> Hi,
>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>> made a simple test with netcat but test failed. Same test is
>>> successful for port 80 (also intercepted by squid).
> 
>> HTTPS is a supported protocol.
> 
>> Amos

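The point Yuri and Amos settle on is what Squid actually sees on an intercepted port 443: a TLS ClientHello, whose SNI is what `ssl_bump peek step1` learns and what the `ssl::server_name` ACLs in the sslBump thread above match, versus bytes that are not TLS at all, such as the single newline `echo "" | nc` sends. The following Python is an added example, not code from the thread or from Squid; `parse_client_hello_sni` and `build_client_hello` are names chosen here, and the ClientHello it builds is a constructed sample, not a capture.

```python
"""Classify the first bytes a client sends on an intercepted port 443.

Added example (not from the squid-users thread or Squid). A TLS ClientHello
is a handshake record (type 0x16) carrying handshake type 0x01; its SNI
extension (type 0) is what `ssl_bump peek step1` learns and what an
`ssl::server_name` ACL matches. Anything else is plaintext that cannot be
treated as HTTPS. Layout per RFC 5246 (record/handshake) and RFC 6066 (SNI).
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def parse_client_hello_sni(data: bytes):
    """Return ("tls", sni-or-None), ("plaintext", None) or ("unknown", None)."""
    if not data:
        return ("unknown", None)
    if data[0] != TLS_HANDSHAKE:
        # HTTP, a bare newline from `echo "" | nc`, anything non-TLS.
        return ("plaintext", None)
    if len(data) < 5 or data[1] != 0x03:
        return ("unknown", None)                      # truncated or not SSL3/TLS
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return ("unknown", None)
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hello[pos]                         # session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos >= len(hello):
            return ("tls", None)                      # no extensions block at all
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: u16 list_len, u8 name_type (0 = host_name), u16 len, name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                name = hello[pos + 5:pos + 5 + name_len]
                if len(name) != name_len:
                    return ("unknown", None)
                return ("tls", name.decode("ascii"))
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return ("unknown", None)                      # truncated mid-structure
    return ("tls", None)                              # ClientHello without SNI


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello, optionally with an SNI extension.

    Constructed sample input for the parser above, not a capture."""
    hello = (b"\x03\x03" + b"\x11" * 32               # version + random
             + b"\x00"                                # empty session_id
             + b"\x00\x02\xc0\x2f"                    # one cipher suite
             + b"\x01\x00")                           # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    for sample in (b"\n", b"GET / HTTP/1.1\r\n", build_client_hello("login.icq.com")):
        print(sample[:8], "->", parse_client_hello_sni(sample))
```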


Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-13 Thread Amos Jeffries
On 13/11/2015 10:16 p.m., Edouard Gaulué wrote:
> Hi Amos and all,
> 
> Learning on HTTP CONNECT, I got
> there:http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
> 
> 
> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the error
> page and serves it after establishing the secure connection with the
> client and receiving the first encrypted client request. The error is
> served securely. The same approach is used for Squid redirect messages
> configured via deny_info. This error delay is implemented because (a)
> browsers like FireFox and Chromium do not display CONNECT errors
> correctly and (b) intercepted SSL connections must wait for the first
> request to serve an error."
> 
> My ideas/questions:
> 1/ Is there a way to have the same with new peek and splice feature?

Not really because CONNECT is not a part of TLS. It is a HTTP message.

> 2/ Is there a way to say url_rewrite_program not to work on CONNECT
> request?

http://www.squid-cache.org/Doc/config/url_rewrite_access/



> This way the CONNECT is not redirected, next request the
> browser sends after squid has bumped it  should be a kind of  GET/POST
> one that will be redirected by url_rewrite_program.
> 3/ Would it work if SquidGuard were ICAP'ed?

All SquidGuard does is apply some basic ACL rules to the details it is
given by Squid.

You would be far better off simply converting the SG ruleset into
http_access ACLs.

Amos


Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov



14.11.15 1:54, Amos Jeffries wrote:
> On 14/11/2015 8:37 a.m., Yuri Voinov wrote:
>>
>> Raf, 2.7 is antique :
>>
>
> So is 32-bit for servers.
>
>
>> Somewhere there was a 3.1 for Win32.
>>
>> http://squid.acmeconsulting.it/Squid3.html
>>
>> Somewhere in Sourceforge was one more Win32 msi-installer with squid 3.1
>> or 3.3.
>
> Before Diladele the only properly working builds of Squid were the 2.7
> ones from Acme.
>
> Everything between was experimental and/or only partially working. That
> includes the Acme 3.x builds.
Absolutely, Amos. I've tested it almost all. Only Diladele works like
charm. With bump!
>
>
> Amos




Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Rafael Akchurin
Hello Patrick,

We only build 64-bit - see http://squid.diladele.com
I do not know if anyone managed to build for 32-bit. Maybe use
http://squid.acmeconsulting.it/Squid27.html ?

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy



Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov

http://squid.acmeconsulting.it/download/dl-squid.html

3.0 was here.

14.11.15 0:32, Rafael Akchurin wrote:




Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov

Raf, 2.7 is antique :

Somewhere there was a 3.1 for Win32.

http://squid.acmeconsulting.it/Squid3.html

Somewhere on SourceForge there was one more Win32 MSI installer with Squid 3.1
or 3.3.

14.11.15 0:32, Rafael Akchurin wrote:




Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Yuri Voinov

Only Win64, only hardcore :)

Diladele RULEZZ ;) I use it on my notebook ;) Under Win10. ;)

14.11.15 1:51, Amos Jeffries wrote:
> On 14/11/2015 8:39 a.m., Yuri Voinov wrote:
>>
>> And
>>
>> http://sourceforge.net/projects/squidwindowsmsi/files/squid-2.7.2_i386.msi
>>
>
> That is an older version of Squid than the Acme one you were calling
> ancient ;-)
>
> Amos




Re: [squid-users] 32-bit Windows Installer

2015-11-13 Thread Amos Jeffries
On 14/11/2015 8:37 a.m., Yuri Voinov wrote:
> 
> Raf, 2.7 is antique :
> 

So is 32-bit for servers.


> Somewhere there was a 3.1 for Win32.
> 
> http://squid.acmeconsulting.it/Squid3.html
> 
> Somewhere in Sourceforge was one more Win32 msi-installer with squid 3.1
> or 3.3.

Before Diladele the only properly working builds of Squid were the 2.7
ones from Acme.

Everything between was experimental and/or only partially working. That
includes the Acme 3.x builds.

Amos


[squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-13 Thread Jens Kallup

Hello,

I have problems blocking web sites listed in a MySQL database.
When I start the script below, it works, but squid 3.4 gives me this log output:

2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from blockscript #Hlpr0, 3 bytes 'OK


How can I fix that problem?

Thanks in advance
Jens

#!/usr/bin/php
<?php
// Squid external_acl_type helper: Squid sends one %DST hostname per line and
// expects exactly one reply line, "OK" (ACL matches) or "ERR" (no match).
// Connection parameters are placeholders; the original values were lost.
$db = new mysqli("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME");
if ($db->connect_error) {
    fwrite(STDOUT, "ERR\n");
    exit(1);
}
// fgets() returns false at EOF; a feof() loop would run once more with an
// empty string and send a reply Squid never asked for.
while (($line = fgets(STDIN)) !== false) {
    $line = trim($line);
    if ($line === "") {
        continue;
    }
    $s = explode(" ", $line);
    // The hostname comes from the client request: escape it before it goes
    // into the SQL string.
    $dst = $db->real_escape_string($s[0]);
    $query = "SELECT * FROM squid WHERE name = '$dst'";
    $answer = "ERR\n";
    if ($res = $db->query($query)) {
        // Original decision rule: a matching row whose third column is not 1
        // makes the ACL match (OK); no row, or third column == 1, does not.
        if ($res->num_rows > 0) {
            $row = $res->fetch_row();
            if ($row[2] != 1) {
                $answer = "OK\n";
            }
        }
        $res->close();
    }
    fwrite(STDOUT, $answer);
    fflush(STDOUT);
}
$db->close();
// No closing ?> tag: any text after it (even blank lines) would be written
// to STDOUT, which Squid reads as a stray helper reply.


This is my squid.conf:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
auth_param basic children 4
auth_param basic utf8 on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort 
fuer die Internetberechtigung ein!

auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive on
external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php
acl localnet src 192.168.178.7
acl ncsa_users proxy_auth REQUIRED
acl mysql_block external blockscript
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny mysql_block
http_access allow localhost ncsa_users
http_access allow localnet  ncsa_users
# And finally deny all other access to this proxy
http_access deny all
http_port 3128
cache_mgr jkal...@web.de
cache_effective_user squid
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /sap/var/spool/squid 64 16 128
cache_access_log /sap/squid/log/access.log
cache_log /sap/squid/log/cache.log
cache_store_log  /sap/squid/log/store.log
# Leave coredumps in the first cache dir
coredump_dir /sap/var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %
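The cache.log line Jens quotes means the helper wrote a reply for which Squid had no outstanding request. The following Python is an added example, not Jens's script or Squid code, of an external_acl_type helper loop that answers each request line exactly once, never replies at EOF (where a `feof()`-style loop would), and handles the channel-id prefix Squid adds with `concurrency=`. It assumes Squid's default URL-style `%XX` quoting of input fields; `SAMPLE_TABLE` and `sample_lookup` are constructed stand-ins for the MySQL query, using the same decision rule as the script above (host present with flag != 1 gives OK).

```python
"""Squid external_acl_type helper loop (added example, not Jens's script or Squid code).

Protocol: Squid writes one request line per lookup; with `concurrency=N` the
line starts with a channel id that the reply must echo back. Each request
gets exactly one reply line, "OK" or "ERR", optionally followed by key=value
pairs. A reply with no outstanding request is what Squid logs as
"helperHandleRead: unexpected read ... bytes 'OK'".
"""
import io
import sys
import urllib.parse


def parse_request(line, concurrent):
    """Split a request line into (channel_id or None, [decoded fields])."""
    fields = line.split()
    channel = None
    if concurrent:
        channel, fields = fields[0], fields[1:]
    # Assumed: Squid's default url-style %XX quoting of helper input fields.
    return channel, [urllib.parse.unquote(f) for f in fields]


def format_reply(channel, allowed, note=None):
    """Build one reply line; `note` becomes a message= pair for deny_info."""
    parts = []
    if channel is not None:
        parts.append(channel)
    parts.append("OK" if allowed else "ERR")
    if note:
        parts.append("message=" + urllib.parse.quote(note))
    return " ".join(parts) + "\n"


def run_helper(stdin, stdout, lookup, concurrent=False):
    """Answer every request line exactly once; return the number of replies."""
    replies = 0
    for raw in stdin:                  # ends cleanly at EOF, unlike a feof() loop
        line = raw.rstrip("\r\n")
        if not line:
            continue                   # never answer a line Squid did not send
        channel, fields = parse_request(line, concurrent)
        host = fields[0] if fields else ""
        stdout.write(format_reply(channel, lookup(host)))
        stdout.flush()                 # Squid waits for each line; don't buffer
        replies += 1
    return replies


# Constructed stand-in for the `squid` table: name -> flag column.
SAMPLE_TABLE = {"example.org": 0, "allowed.example": 1}


def sample_lookup(host):
    """Same rule as the PHP script: row present and flag != 1 -> OK (ACL matches)."""
    flag = SAMPLE_TABLE.get(host)
    return flag is not None and flag != 1


def run_on_text(text, concurrent=False):
    """Feed request lines from a string and return what the helper would write."""
    out = io.StringIO()
    run_helper(io.StringIO(text), out, sample_lookup, concurrent)
    return out.getvalue()


if __name__ == "__main__":
    run_helper(sys.stdin, sys.stdout, sample_lookup,
               concurrent="--concurrent" in sys.argv)
```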


Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-13 Thread Alex Rousskov
On 11/13/2015 02:16 AM, Edouard Gaulué wrote:

> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the error
> page and serves it after establishing the secure connection with the
> client and receiving the first encrypted client request. The error is
> served securely. The same approach is used for Squid redirect messages
> configured via deny_info."
> 
> My ideas/questions:
> 1/ Is there a way to have the same with new peek and splice feature?

Yes, SslBump failures should result in delayed errors securely served to
SSL clients where possible. This essential SslBump feature is not
specific to the old server-first bumping method. If the latest Squid
does not do this, it is essentially a bug.

Alex.



Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-13 Thread Yuri Voinov

There is no solution for ICQ with Squid now.

You can only bypass proxying for ICQ clients.

13.11.15 14:41, Eugene M. Zheganin wrote:




Re: [squid-users] strange behavior with systemd

2015-11-13 Thread Rafael Akchurin
Check SELinux permissions first.

Best regards,
Rafael

> On 13 Nov 2015 at 14:54, Jakob Curdes wrote the following:


Re: [squid-users] strange behavior with systemd

2015-11-13 Thread Jakob Curdes



On 13.11.2015 at 15:11, Rafael Akchurin wrote:

> Check SELinux permissions first.

Independently, I suddenly had the ugly feeling I forgot something. SELinux
was the culprit: the key file of the certificate did not have the correct
SELinux type.


Thanks and cheers, Jakob



[squid-users] strange behavior with systemd

2015-11-13 Thread Jakob Curdes

Hello all,

I have a squid running as reverse proxy on a CentOS 7 box which uses 
systemd. When installing the box everything was fine; I enabled the 
squid service and it would start via systemd.
Now I have exchanged the certificate for the HTTPS service. Then I did a 
"systemctl start  squid.service" and whoops, it failed. I then tried to 
start squid manually which works perfectly, so the config file is ok. I 
looked at the output of  "journalctl -xn", which shows that squid claims 
it cannot find the certificate I configured. I double-checked that there 
is only one squid config file and that the same config file is used 
whether I start it per hand or via systemd (which uses the config file 
defined in /etc/sysconfig/squid). Then I thought maybe systemd does some 
tricky config file caching and rebooted the box. No change, start via 
systemd says "FATAL: No valid signing SSL certificate configured for 
https_port [::]:443" while starting by hand gives  "Using certificate in 
/etc/squid/...".  I'm pretty sure this is rather an issue with systemd 
than with squid, but before asking there I wanted to check whether I 
have overlooked something on the squid side. Any ideas?



Have a good weekend,
Jakob


