Re: [squid-users] ACL and http_access

2015-11-14 Thread Magic Link
I've made a mistake, so what I want is: users can access the Internet, except
during these two periods, when they can access only a few sites defined in the file.
I'll try next Monday and come back here.
Thanks!

> To: squid-users@lists.squid-cache.org
> From: squ...@treenet.co.nz
> Date: Fri, 13 Nov 2015 21:42:59 +1300
> Subject: Re: [squid-users] ACL and http_access
> 
> On 13/11/2015 8:31 p.m., Magic Link wrote:
> > What I want, if it's possible, is: users can't access the Internet, except
> > during two periods each day that I'll define. During these two periods,
> > they can access only a few sites I define in the file (basic URL, http
> > or https, per line). I have to know if it's possible with Squid? Or
> > Squidguard? Or not at all? Thank you!
> 
> The answer is "Yes".
> 
> Anthony already gave you the config that does it.
> 
> >> From: Antony.Stone
> >>
> >> I would suggest (assuming your regex list is good) trying:
> >>
> >> http_access allow localhost
> >> http_access allow network working_hours whitelist
> >> http_access allow network out_working_hours whitelist
> >> http_access deny all
> >>
> >> The above should allow access from 10.2.0.0/16 to the sites in your regex
> >> list between the hours 09:30-10:30 and 17:30-18:30 M-F
> >>
> 
> 
> Amos
> 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
  ___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
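A complete squid.conf fragment for the requirement as restated at the top of this message (normal browsing, except during the two daily windows when only the whitelist is reachable). This is an added example, not Antony's lines or the poster's configuration; the 10.2.0.0/16 range and the 09:30-10:30 / 17:30-18:30 Mon-Fri windows are taken from the thread, and the whitelist file path is assumed.

```squid
# Added example (not from the thread): unrestricted LAN browsing, except during
# two daily windows when only whitelisted sites are allowed.
# Place these after the usual Safe_ports / CONNECT / manager rules.

acl network src 10.2.0.0/16

# Several "acl" lines sharing one name are ORed: either window matches.
# Day letters: M T W H F A S (H = Thursday, A = Saturday, S = Sunday).
acl restricted_hours time MTWHF 09:30-10:30
acl restricted_hours time MTWHF 17:30-18:30

# One case-insensitive regex per line; the path is assumed.
# HTTPS requests reach http_access as "CONNECT host:443", so a pattern
# such as ^(https?://)?([^/]+\.)?example\.com matches both forms.
acl whitelist url_regex -i "/etc/squid/whitelist.txt"

# http_access: the first matching line wins; all ACLs on one line must match.
http_access allow localhost
# Inside a window: whitelisted sites only, anything else from the LAN denied.
http_access allow network restricted_hours whitelist
http_access deny  network restricted_hours
# Outside the windows: unrestricted LAN access.
http_access allow network
http_access deny all
```

Swapping the two "restricted_hours" lines for "allow network working_hours whitelist" plus "deny all" (and dropping "allow network") gives Antony's original, deny-by-default variant.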


Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Eugene M. Zheganin
Hi.

On 13.11.2015 18:53, Yuri Voinov wrote:
> There is no solution for ICQ with Squid now.
>
> You can only bypass proxying for ICQ clients.
>
There is: I can disable sslBump, and I did it already. It doesn't look
production-ready anyway.

Eugene.


[squid-users] Fw: new message

2015-11-14 Thread patrick . lanot
Hey!

 

New message, please read 

 

patrick.la...@inserm.fr







Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Yuri Voinov

This will decrease the request hit ratio by at least 50%.

14.11.15 20:11, Eugene M. Zheganin wrote:
> Hi.
>
> On 13.11.2015 18:53, Yuri Voinov wrote:
>> There is no solution for ICQ with Squid now.
>>
>> You can only bypass proxying for ICQ clients.
>>
> There is: I can disable sslBump, and I did it already. It doesn't look
> production-ready anyway.
>
> Eugene.






Re: [squid-users] SSL bumping without faked server certificates

2015-11-14 Thread Alex Rousskov
On 11/14/2015 12:42 PM, Stefan Kutzke wrote:

> I have built a RPM package with latest 3.5.11 source based
> on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
> Squid is configured with SSL bump similar to the configuration suggested
> by Sebastian.

...

> 2015/11/10 19:24:30.181 kid1| 33,5|...
> 2015/11/10 19:25:30.016 kid1| 33,3| AsyncCall.cc(93) ScheduleCall:
> IoCallback.cc(135) will call
> ConnStateData::clientPinnedConnectionRead(local=172.31.1.15:49421
> remote=212.45.105.89:443 FD 15 flags=1, flag=-10, data=0x19ced08)
> [call349]


This one second gap after a successful SSL negotiation with the origin
server is rather suspicious, but I am going to ignore it, go out on a
limb, and speculate that you might be suffering from the "Handshake
Problem during Renegotiation" bug that we recently fixed. I do not think
the fix has made it into v3.5 branch yet, but you can get our v3.5 patch
here:

http://lists.squid-cache.org/pipermail/squid-dev/2015-November/003700.html


If that fix does not help, I recommend the following:

1. Reproduce the same bug with debug_options set to ALL,9.

2. File a new bug report in Squid bugzilla and post [compressed]
cache.log or a link to that log there. You may also post here, but it is
easier to track progress in bugzilla.


Thank you,

Alex.



Re: [squid-users] SSL bumping without faked server certificates

2015-11-14 Thread Stefan Kutzke
Here is more information...

Squid's complete cache.log:
2015/11/10 19:22:10 kid1| Set Current Directory to /var/spool/squid
2015/11/10 19:22:10 kid1| Starting Squid Cache version 3.5.11 for 
x86_64-redhat-linux-gnu...
2015/11/10 19:22:10 kid1| Service Name: squid
2015/11/10 19:22:10 kid1| Process ID 15283
2015/11/10 19:22:10 kid1| Process Roles: worker
2015/11/10 19:22:10 kid1| With 1024 file descriptors available
2015/11/10 19:22:10 kid1| Initializing IP Cache...
2015/11/10 19:22:10 kid1| DNS Socket created at [::], FD 6
2015/11/10 19:22:10 kid1| DNS Socket created at 0.0.0.0, FD 7
2015/11/10 19:22:10 kid1| Adding domain galaxy.virtual from /etc/resolv.conf
2015/11/10 19:22:10 kid1| Adding nameserver 172.31.1.254 from /etc/resolv.conf
2015/11/10 19:22:10 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2015/11/10 19:22:10 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2015/11/10 19:22:10 kid1| Local cache digest enabled; rebuild/rewrite every 
3600/3600 sec
2015/11/10 19:22:10 kid1| Store logging disabled
2015/11/10 19:22:10 kid1| Swap maxSize 0 + 524288 KB, estimated 40329 objects
2015/11/10 19:22:10 kid1| Target number of buckets: 2016
2015/11/10 19:22:10 kid1| Using 8192 Store buckets
2015/11/10 19:22:10 kid1| Max Mem  size: 524288 KB
2015/11/10 19:22:10 kid1| Max Swap size: 0 KB
2015/11/10 19:22:10 kid1| Using Least Load store dir selection
2015/11/10 19:22:10 kid1| Set Current Directory to /var/spool/squid
2015/11/10 19:22:10 kid1| Finished loading MIME types and icons.
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall 
clientListenerConnectionOpened constructed, this=0x1df0a40 [call3]
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: 
StartListening.cc(59) will call clientListenerConnectionOpened(local=[::]:3128 
remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x1df0aa0) [call3]
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall 
clientListenerConnectionOpened constructed, this=0x1df0bd0 [call5]
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: 
StartListening.cc(59) will call 
clientListenerConnectionOpened(local=10.0.0.1:3129 remote=[::] FD 13 flags=41, 
err=0, HTTP Socket port=0x1df0c30) [call5]
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall 
clientListenerConnectionOpened constructed, this=0x1df0e40 [call7]
2015/11/10 19:22:10.830 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: 
StartListening.cc(59) will call 
clientListenerConnectionOpened(local=10.0.0.1:3443 remote=[::] FD 14 flags=41, 
err=0, HTTPS Socket port=0x1df0ea0) [call7]
2015/11/10 19:22:10.830 kid1| HTCP Disabled.
2015/11/10 19:22:10.830 kid1| Squid plugin modules loaded: 0
2015/11/10 19:22:10.830 kid1| Adaptation support is off.
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: entering 
clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 12 flags=9, 
err=0, HTTP Socket port=0x1df0aa0)
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCall.cc(38) make: make call 
clientListenerConnectionOpened [call3]
2015/11/10 19:22:10.831 kid1| Accepting HTTP Socket connections at 
local=[::]:3128 remote=[::] FD 12 flags=9
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving 
clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 12 flags=9, 
err=0, HTTP Socket port=0x1df0aa0)
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: entering 
clientListenerConnectionOpened(local=10.0.0.1:3129 remote=[::] FD 13 flags=41, 
err=0, HTTP Socket port=0x1df0c30)
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCall.cc(38) make: make call 
clientListenerConnectionOpened [call5]
2015/11/10 19:22:10.831 kid1| Accepting NAT intercepted HTTP Socket connections 
at local=10.0.0.1:3129 remote=[::] FD 13 flags=41
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving 
clientListenerConnectionOpened(local=10.0.0.1:3129 remote=[::] FD 13 flags=41, 
err=0, HTTP Socket port=0x1df0c30)
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: entering 
clientListenerConnectionOpened(local=10.0.0.1:3443 remote=[::] FD 14 flags=41, 
err=0, HTTPS Socket port=0x1df0ea0)
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCall.cc(38) make: make call 
clientListenerConnectionOpened [call7]
2015/11/10 19:22:10.831 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket 
connections at local=10.0.0.1:3443 remote=[::] FD 14 flags=41
2015/11/10 19:22:10.831 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving 
clientListenerConnectionOpened(local=10.0.0.1:3443 remote=[::] FD 14 flags=41, 
err=0, HTTPS Socket port=0x1df0ea0)
2015/11/10 19:22:11 kid1| storeLateRelease: released 0 objects
2015/11/10 19:24:30.007 kid1| 89,5| Intercept.cc(375) Lookup: address BEGIN: 
me/client= 10.0.0.1:3443, destination/me= 10.0.0.2:42825
2015/11/10 19:24:30.007 kid1| 89,5| Intercept.cc(151) NetfilterInterception: 
address NAT: local=212.45.105.89:443 remote=10.0.0.2:42825 FD 11 

Re: [squid-users] SSL bumping without faked server certificates

2015-11-14 Thread Stefan Kutzke
Hi Alex,

okay, I think I understand a little more.

I am trying to get the old server-first method working with new peek and splice 
but without success.

I have built a RPM package with latest 3.5.11 source based on 
http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
Squid is configured with SSL bump similar to the configuration suggested by 
Sebastian.

In my view it's a good idea to give a detailed description of my setup with 
real IPs and hostnames:

1. Client machine

OS: CentOS 6.6 x86_64
IP: 10.0.0.2/24 (internal network)
Default Gateway: 10.0.0.1 (= Squid machine)


2. Squid machine

OS: CentOS 6.6 x86_64
IP 1: 10.0.0.1/24 (internal network)
IP 2: 172.31.1.15/24 (outgoing interface, behind a router)

# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target      prot opt source       destination
DNAT        tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 to:10.0.0.1:3129
DNAT        tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:443 to:10.0.0.1:3443

Chain POSTROUTING (policy ACCEPT)
target      prot opt source       destination
MASQUERADE  all  --  0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target      prot opt source       destination

# squid -v
Squid Cache: Version 3.5.11
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' 
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' 
'--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 
'--with-included-ltdl' '--disable-arch-native' '--without-nettle' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
--enable-ltdl-convenience

# Squid configuration file
# Rules allowing access from your local networks
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Only allow purge from localhost (squidclient -m PURGE)
acl Purge method PURGE
http_access allow localhost Purge
http_access deny Purge
# Allow access from your local networks
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 10.0.0.1:3129 intercept
https_port 10.0.0.1:3443 intercept ssl-bump 

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Walter H.

On 13.11.2015 14:53, Yuri Voinov wrote:

> There is no solution for ICQ with Squid now.
>
> You can only bypass proxying for ICQ clients.

From where do the ICQ clients get the trusted root certificates?
Maybe this is the problem, that e.g. the squid CA cert is only installed
in FF and nowhere else ...

> 13.11.15 14:41, Eugene M. Zheganin wrote:
>
>> Hi.
>>
>> Today I discovered that a bunch of old legacy ICQ clients that some
>> people still use have lost the ability to use HTTP CONNECT tunneling with
>> sslBump. No matter what I tried to allow direct splicing for them, all
>> was useless:
>>
>> - arranging them by dst ACL, and splicing that ACL
>> - arranging them by ssl::server_name ACL, and splicing it
>>
>> So I had to turn off sslBumping. Looks like it somehow interferes with
>> HTTP CONNECT even when splicing it.
>> The last version of the sslBump part of the config looked like this:
>>
>> acl icqssl ssl::server_name login.icq.com
>> acl icqssl ssl::server_name go.icq.com
>> acl icqssl ssl::server_name ars.oscar.aol.com
>> acl icqssl ssl::server_name webim.qip.ru
>> acl icqssl ssl::server_name cb.icq.com
>> acl icqssl ssl::server_name wlogin.icq.com
>> acl icqssl ssl::server_name storage.qip.ru
>> acl icqssl ssl::server_name new.qip.ru
>>
>> acl icqlogin dst 178.237.20.58
>> acl icqlogin dst 178.237.19.84
>> acl icqlogin dst 94.100.186.23
>>
>> ssl_bump splice children
>> ssl_bump splice sbol
>> ssl_bump splice icqlogin
>> ssl_bump splice icqssl icqport
>> ssl_bump splice icqproxy icqport
>>
>> ssl_bump bump interceptedssl
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump bump entertainmentssl
>> ssl_bump splice all
>>
>> I'm not sure that ICQ clients use TLS, but in my previous experience
>> they were configured to use a proxy, and to connect through the proxy to the
>> login.icq.com host on port 443.
>> Sample log for unsuccessful attempts:
>>
>> 1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
>> 1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
>> 1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -


Maybe give 3.4.x a try, 3.5 seems to have bugs 3.4.x doesn't have ...
or this is caused by the above ...





Re: [squid-users] SSL bumping without faked server certificates

2015-11-14 Thread Stefan Kutzke
... and more ...


I don't know what is going wrong or what is missing in the configuration.

Both Squid and client are able to connect to 212.45.105.89:443 with
# openssl s_client -connect 212.45.105.89:443
CONNECTED(0003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU 
= Certification Services Division, CN = Thawte Premium Server CA, emailAddress 
= premium-ser...@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = 
"(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = bettermarks GmbH, CN = 
*.bettermarks.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/O=bettermarks GmbH/CN=*.bettermarks.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification 
Services Division/CN=Thawte Premium Server 
CA/emailAddress=premium-ser...@thawte.com
---
Server certificate
subject=/C=DE/ST=Berlin/L=Berlin/O=bettermarks GmbH/CN=*.bettermarks.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3618 bytes and written 607 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: AES256-SHA256
Session-ID: D4883E09C2BAD02BACEB79C87CB6B7583D2D907FE6DA11290920CC6D4AEFD98D
Session-ID-ctx:
Master-Key: 
8A2CE177DFFD2FDD36124CF95CE4BA09D768FE919F001FE87B68ADF7881BFF9C50DDFDB0ADDC223AE34E58F30663935C
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1447183108
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---


Is there anything I can do in order to address my problem? More or other
debugging options? Unfortunately I am not very familiar with Squid.

The next step would be to get CloudFront working. To be precise: I want to use
a further hostname cdn.bettermarks.com that is only a CNAME for
d2gs9kr1131uxo.cloudfront.net. CloudFront provides several IP addresses, each
of them shared by multiple hostnames/domains. There is no way to make an https
connection to CloudFront without SNI.


Best regards,
Stefan


On Tuesday, 10.11.2015, 08:49 -0700, Alex Rousskov wrote:
> On 11/10/2015 07:05 AM, Stefan Kutzke wrote:
>
>> My assumption is that I have to use in Squid's config:
>>
>> acl MYSITE ssl::server_name .mydomain.com
>> ssl_bump bump MYSITE
>> ssl_bump splice all
>>
>> This results in tunneling all https traffic, nothing will be bumped and
>> cached.
>
> Yes, probably because MYSITE (ssl::server_name) often needs SNI and SNI
> is not available during step1 when MYSITE is evaluated in your config.
> In other words, your 

Re: [squid-users] SSL bumping without faked server certificates

2015-11-14 Thread Amos Jeffries
On 15/11/2015 11:52 a.m., Alex Rousskov wrote:
> On 11/14/2015 12:42 PM, Stefan Kutzke wrote:
> 
>> I have built a RPM package with latest 3.5.11 source based
>> on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
>> Squid is configured with SSL bump similar to the configuration suggested
>> by Sebastian.
> 
> ...
> 
>> 2015/11/10 19:24:30.181 kid1| 33,5|...
>> 2015/11/10 19:25:30.016 kid1| 33,3| AsyncCall.cc(93) ScheduleCall:
>> IoCallback.cc(135) will call
>> ConnStateData::clientPinnedConnectionRead(local=172.31.1.15:49421
>> remote=212.45.105.89:443 FD 15 flags=1, flag=-10, data=0x19ced08)
>> [call349]
> 
> 
> This one second gap after a successful SSL negotiation with the origin
> server is rather suspicious, but I am going to ignore it, go out on a
> limb, and speculate that you might be suffering from the "Handshake
> Problem during Renegotiation" bug that we recently fixed. I do not think
> the fix has made it into v3.5 branch yet, but you can get our v3.5 patch
> here:
> 
> http://lists.squid-cache.org/pipermail/squid-dev/2015-November/003700.html
> 

FYI: I've just done the backport. It will be in snapshot r13951 or later
which should be available in 6-12hrs.

Amos



Re: [squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-14 Thread Amos Jeffries
On 14/11/2015 2:20 p.m., Jens Kallup wrote:
> Hello,
> 
> I have problems blocking web sites listed in a MySQL database.
> When I start the script below, it works, but squid3.4 gives me this log output:
> 
> 2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from
> blockscript #Hlpr0, 3 bytes 'OK
> 
> How can I fix that problem?

By not using PHP.

PHP is designed to be used to generate HTML page content in short
processing bursts, and exiting after each one. There are timeout bugs in
the PHP processing engine which make it unsuitable for long-running
processes such as Squid helpers.

Amos
