Re: [squid-users] squid3.4 - MySQL, PHP script - block websites
Hello,

Now, I use the following script.
But, it ends in endless search - web browser site search.

#!/usr/bin/python

import sys
import time

def grant ():
    sys.stdout.write( 'OK\n' )
    # stdout is block-buffered when it is a pipe to Squid: without the flush
    # the reply sits in the buffer and Squid (and the browser) wait forever
    sys.stdout.flush()

def deny ():
    sys.stdout.write( 'ERR\n' )
    sys.stdout.flush()

while True:
    line = sys.stdin.readline()
    if line == '':
        # EOF: Squid has closed the helper, so stop instead of replying forever
        break
    if (line.find("web.de") > -1):
        grant()
    else:
        deny()
    time.sleep(1)

2015/11/15 15:47:00.020 kid1| SECURITY ALERT: on URL: s3.amazonaws.com:443
2015/11/15 15:47:00.020 kid1| abandoning local=192.168.178.79:3128 remote=192.168.178.79:53719 FD 29 flags=33
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.178.79:3128 remote=192.168.178.79:53722 FD 34 flags=33 (intercepted port does not match 443)
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: on URL: safebrowsing.google.com:443
2015/11/15 15:47:05.659 kid1| abandoning local=192.168.178.79:3128 remote=192.168.178.79:53722 FD 34 flags=33
2015/11/15 15:48:01 kid1| Preparing for shutdown after 22 requests
2015/11/15 15:48:01 kid1| Waiting 30 seconds for active connections to finish
2015/11/15 15:48:01 kid1| Closing HTTP port 0.0.0.0:3129
2015/11/15 15:48:01 kid1| Closing HTTP port 0.0.0.0:3128
2015/11/15 15:48:01 kid1| Closing Pinger socket on FD 30
2015/11/15 15:48:01 kid1| Shutdown: NTLM authentication.
2015/11/15 15:48:01 kid1| Shutdown: Negotiate authentication.
2015/11/15 15:48:01 kid1| Shutdown: Digest authentication.
2015/11/15 15:48:01 kid1| Shutdown: Basic authentication.
2015/11/15 15:41:44| Pinger exiting.
2015/11/15 15:48:32 kid1| Shutting down...
2015/11/15 15:48:32 kid1| Closing unlinkd pipe on FD 23
2015/11/15 15:48:32 kid1| storeDirWriteCleanLogs: Starting...
2015/11/15 15:48:32 kid1| Finished. Wrote 3483 entries.
2015/11/15 15:48:32 kid1| Took 0.00 seconds (2294466.40 entries/sec).
CPU Usage: 0.180 seconds = 0.120 user + 0.060 sys
Maximum Resident Size: 100576 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    5748 KB
        Ordinary blocks:         5637 KB     24 blks
        Small blocks:               0 KB      5 blks
        Holding blocks:         36624 KB      7 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:     110 KB
        Total in use:           42261 KB 735%
        Total free:               110 KB 2%
2015/11/15 15:48:32 kid1| Logfile: closing log stdio:/sap/squid/log/store.log
2015/11/15 15:48:32 kid1| Logfile: closing log stdio:/sap/squid/log/access.log
2015/11/15 15:48:32 kid1| Open FD READ/WRITE    7 DNS Socket IPv6
2015/11/15 15:48:32 kid1| Open FD UNSTARTED     8 DNS Socket IPv4
2015/11/15 15:48:32 kid1| Open FD WRITING      10 block.sh #1
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   11 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING      12 block.sh #2
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   13 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING      14 block.sh #3
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   15 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING      16 block.sh #4
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   17 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING      18 block.sh #5
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   21 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   22 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   25 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   26 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   29 Reading next request
2015/11/15 15:48:32 kid1| Open FD READING      31 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   32 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   34 Reading next request
2015/11/15 15:48:32 kid1| Squid Cache (Version 3.4.8): Exiting normally.
2015/11/15 15:48:33 kid1| Set Current Directory to /sap/var/spool/squid
2015/11/15 15:48:33 kid1| Starting Squid Cache version 3.4.8 for x86_64-pc-linux-gnu...
2015/11/15 15:48:33 kid1| Process ID 10874
2015/11/15 15:48:33 kid1| Process Roles: worker
2015/11/15 15:48:33 kid1| With 65535 file descriptors available
2015/11/15 15:48:33 kid1| Initializing IP Cache...
2015/11/15 15:48:33 kid1| DNS Socket created at [::], FD 7
2015/11/15 15:48:33 kid1| DNS Socket created at 0.0.0.0, FD 8
2015/11/15 15:48:33 kid1| Adding nameserver fd00::c225:6ff:fe71:2b from /etc/resolv.conf
2015/11/15 15:48:33 kid1| helperOpenServers: Starting 0/4 'basic_ncsa_auth' processes
2015/11/15 15:48:33 kid1| helperOpenServers: No 'basic_ncsa_auth' processes needed.
2015/11/15 15:48:33 kid1| helperOpenServers: Starting 5/5 'block.sh' processes
2015/11/15 15:48:33 kid1| Logfile: opening log /sap/squid/log/access.log
2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module name. Use 'stdio:/sap/squid/log/access.log'
Re: [squid-users] squid3.4 - MySQL, PHP script - block websites
On Sunday 15 November 2015 at 15:53:56, Jens Kallup wrote:

> Hello,
>
> Now, I use the following script.
> But, it ends in endless search - web browser site search.
>
> #!/usr/bin/python
>
> import sys
> import time
>
> def grant ():
>     sys.stdout.write( 'OK\n' )
>     # stdout is block-buffered when it is a pipe to Squid: without the flush
>     # the reply sits in the buffer and Squid (and the browser) wait forever
>     sys.stdout.flush()
>
> def deny ():
>     sys.stdout.write( 'ERR\n' )
>     sys.stdout.flush()
>
> while True:
>     line = sys.stdin.readline()
>     if line == '':
>         # EOF: Squid has closed the helper, so stop instead of replying forever
>         break
>     if (line.find("web.de") > -1):
>         grant()
>     else:
>         deny()
>     time.sleep(1)

1. What are you trying to achieve with the above (or, alternatively, what do you believe it should do)?

2. I think you should deal with the following messages in the squid log before trying to use the service:

2015/11/15 15:48:33 kid1| ERROR: listen( FD 28, 192.168.178.79 [ job2], 16383): (98) Address already in use

3. While you're at it, it would be worth correcting the following warnings as well:

2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module name. Use 'stdio:/sap/squid/log/access.log'
2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module name. Use 'stdio:/sap/squid/log/store.log'

Regards,

Antony.

--
The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time.

Please reply to the list;
please *don't* CC me.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
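The helper protocol that both of Jens's scripts are trying to speak, as an added example that is not from the thread: Squid writes one request line per lookup (the %DST value, prefixed by a channel ID when external_acl_type carries concurrency=N), and the helper answers one OK/ERR line per request, flushed at once, stopping at EOF. The block list, the --concurrent switch and the file path in the docstring are constructed for the example; nothing here is the poster's code.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not from the thread).

Assumed squid.conf lines (constructed, not the poster's config):
  external_acl_type blockscript concurrency=4 %DST /usr/bin/python3 /path/to/block_helper.py --concurrent
  acl blocked external blockscript
  http_access deny blocked
The helper answers OK when the destination is on the block list, so the
"deny" rule fires; ERR means "no match" and the request falls through.
"""
import sys
from urllib.parse import unquote

# Constructed sample block list; the thread's real list lives in MySQL.
BLOCKED_DOMAINS = {"web.de", "example.test"}


def parse_request(line, concurrent):
    """Split one request line into (channel_id, fields).

    With concurrency=N, Squid prefixes each line with a channel ID that the
    reply must echo.  Field values may be %-escaped by Squid, so they are
    decoded here (harmless for plain hostnames).
    """
    tokens = line.strip().split()
    if not tokens:
        return None, []
    channel = None
    if concurrent:
        channel, tokens = tokens[0], tokens[1:]
    return channel, [unquote(t) for t in tokens]


def is_blocked(dst, blocked=BLOCKED_DOMAINS):
    """True if dst equals, or is a subdomain of, a listed domain."""
    host = dst.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def decide(fields, blocked=BLOCKED_DOMAINS):
    """Verdict for the %DST field: OK means 'the ACL matches'.

    A request with no fields is malformed; BH (broken helper) tells Squid
    the lookup failed, rather than ERR, which would mean 'not blocked'.
    """
    if not fields:
        return "BH"
    return "OK" if is_blocked(fields[0], blocked) else "ERR"


def format_reply(channel, verdict):
    """Reply line, with the channel ID echoed when concurrency is in use."""
    if channel is not None:
        return "%s %s\n" % (channel, verdict)
    return verdict + "\n"


def serve(inp, out, concurrent=False, blocked=BLOCKED_DOMAINS):
    """Answer every request line until EOF; return the number handled.

    The two points the thread's scripts get wrong: stop at EOF instead of
    looping forever, and flush after every reply, because stdout is
    block-buffered when it is a pipe to Squid and an unflushed reply never
    arrives, leaving the browser waiting.
    """
    handled = 0
    for line in inp:
        channel, fields = parse_request(line, concurrent)
        if channel is None and not fields:
            continue  # blank line: nothing to answer
        out.write(format_reply(channel, decide(fields, blocked)))
        out.flush()
        handled += 1
    return handled


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, concurrent="--concurrent" in sys.argv[1:])
```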
Re: [squid-users] ACL and http_access
Thank you, I'll test it tomorrow.

My boss needs this because of his limited bandwidth. And he really needs to limit the access during two crucial periods where the bandwidth's availability is very important.

Enrique

> From: antony.st...@squid.open.source.it
> To: squid-users@lists.squid-cache.org
> Date: Sun, 15 Nov 2015 10:06:59 +0100
> Subject: Re: [squid-users] ACL and http_access
>
> On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:
>
> > I want people don't have access to Internet, except one hour twice a day
> > with only some urls.listed in a file
>
> On 14/11/2015 11:23 p.m., Magic Link wrote:
>
> > I 've made a mistake so what i want is users can access Internet, except
> > these two periods where they can access only few sites defined in the
> > file. I'll try next monday and come back here.
>
> On Sunday 15 November 2015 at 03:01:44, Amos Jeffries wrote:
>
> > Then your config needs to be:
> >
> > acl hours time MTWHF 09:30-10:30
> > acl hours time MTWHF 17:30-18:30
> >
> > http_access allow localhost
> > http_access deny hours !whitelist
> > http_access allow network
> > http_access deny all
>
> Or, if you find it easier to understand:
>
> acl hours time MTWHF 09:30-10:30
> acl hours time MTWHF 17:30-18:30
>
> http_access allow localhost
> http_access allow network hours whitelist
> http_access allow network !hours
> http_access deny all
>
> That means "allow network access to whitelisted sites during the defined hours,
> or allow general access outside those hours".
>
> Personally I find a set of "allow" rules easier followed by a "deny" rules to
> understand the logic of than interleaved "allow" and "deny" rules :)
>
> However, I find the new requirement very strange - would you mind sharing, just
> for interest's sake, why you want to implement this type of Internet access?
>
>
> Antony.
>
> --
> I want to build a machine that will be proud of me.
> - Danny Hillis, creator of The Connection Machine
>
> Please reply to the list;
> please *don't* CC me.
Re: [squid-users] ACL and http_access
On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:

> I want people don't have access to Internet, except one hour twice a day
> with only some urls.listed in a file

On 14/11/2015 11:23 p.m., Magic Link wrote:

> I 've made a mistake so what i want is users can access Internet, except
> these two periods where they can access only few sites defined in the
> file. I'll try next monday and come back here.

On Sunday 15 November 2015 at 03:01:44, Amos Jeffries wrote:

> Then your config needs to be:
>
> acl hours time MTWHF 09:30-10:30
> acl hours time MTWHF 17:30-18:30
>
> http_access allow localhost
> http_access deny hours !whitelist
> http_access allow network
> http_access deny all

Or, if you find it easier to understand:

acl hours time MTWHF 09:30-10:30
acl hours time MTWHF 17:30-18:30

http_access allow localhost
http_access allow network hours whitelist
http_access allow network !hours
http_access deny all

That means "allow network access to whitelisted sites during the defined hours, or allow general access outside those hours".

Personally I find a set of "allow" rules easier followed by a "deny" rules to understand the logic of than interleaved "allow" and "deny" rules :)

However, I find the new requirement very strange - would you mind sharing, just for interest's sake, why you want to implement this type of Internet access?

Antony.

--
I want to build a machine that will be proud of me.
- Danny Hillis, creator of The Connection Machine

Please reply to the list;
please *don't* CC me.
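Why Amos's interleaved rules and Antony's allow-first rewrite decide every request the same way, worked through in code as an added example that is not from the thread. It models the Squid semantics the two posts rely on: every ACL name on one http_access line must match (a leading ! negates), the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last line's action. The four ACL names are treated as already-evaluated booleans, so the time and whitelist matching itself is assumed away.

```python
"""Squid http_access evaluation (added example, not from the thread).

Checks that the two rule sets posted in the thread are interchangeable by
running both over every combination of the four ACL outcomes.
"""
import itertools

# Amos's rule set from the thread (the acl definitions are omitted).
AMOS_RULES = [
    ("allow", ["localhost"]),
    ("deny", ["hours", "!whitelist"]),
    ("allow", ["network"]),
    ("deny", ["all"]),
]

# Antony's allow-first rewrite of the same policy.
ANTONY_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["network", "hours", "whitelist"]),
    ("allow", ["network", "!hours"]),
    ("deny", ["all"]),
]

ACL_NAMES = ("localhost", "network", "hours", "whitelist")


def acl_matches(name, request):
    """Evaluate one ACL reference ('name' or '!name') against a request.

    request maps ACL names to booleans; 'all' always matches; an ACL name
    missing from the request is treated as not matching.
    """
    negate = name.startswith("!")
    base = name.lstrip("!")
    matched = True if base == "all" else bool(request.get(base, False))
    return matched != negate


def http_access(rules, request):
    """Return 'allow' or 'deny' using Squid's first-match semantics."""
    for action, acls in rules:
        # all ACLs on one line are ANDed; the first fully matching line wins
        if all(acl_matches(a, request) for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def all_requests(names=ACL_NAMES):
    """Yield every match/no-match combination for the given ACL names."""
    for bits in itertools.product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))


def rule_sets_equivalent(rules_a, rules_b):
    """True if both rule sets decide every possible request the same way."""
    return all(http_access(rules_a, r) == http_access(rules_b, r)
               for r in all_requests())


if __name__ == "__main__":
    for r in all_requests():
        print({k: int(v) for k, v in r.items()},
              http_access(AMOS_RULES, r), http_access(ANTONY_RULES, r))
    print("equivalent:", rule_sets_equivalent(AMOS_RULES, ANTONY_RULES))
```

Dropping the !whitelist from Amos's deny line (so the hours are blocked outright) makes the two sets diverge, which the same function exposes.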
Re: [squid-users] squid3.4 - MySQL, PHP script - block websites
Hey Jens,

PHP failed long time ago to work nicely with squid.
Do you think that SquidBlocker can fit your needs?
You can understand what it is at:
http://ngtech.co.il/squidblocker/

I think it might fit your needs just right.
Python\perl\php will fit to a very small services while not utilizing concurrency by nature which SquidBlocker does by default.

Eliezer

* Feel free to contact me offlist for more info(special packaging etc..)

On 14/11/2015 03:20, Jens Kallup wrote:
Hello,

I have problems to block web sites listed in mysql database.
When i start the script below, it works, but squid3.4 give me log output;

2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from blockscript #Hlpr0, 3 bytes 'OK

how can i fix that problem ?

Thanks in advance
Jens

#!/usr/bin/php
<?php
// connection details were removed by the poster (host, user, password, database)
$db = new mysqli("", "", "", "");
if ($db->connect_error) {
    fwrite(STDOUT, "ERR\n");
    exit(1);
}
// loop on the fgets() result: the feof() form runs one extra iteration after
// EOF and sends Squid a reply it never asked for
while (($i = fgets(STDIN)) !== false)
{
    $i = trim($i);
    $s = explode(" ", $i);
    $dst = $s[0];
    $row = array();
    // the destination comes from the client request, so escape it instead of
    // splicing it into the SQL verbatim (a prepared statement is better still)
    $query = "SELECT * FROM squid WHERE name = '" . $db->real_escape_string($dst) . "'";
    if ($res = $db->query($query)) {
        $row = $res->fetch_row();
        $rec = $res->num_rows;
        // test the row count first: $row is NULL when nothing matched
        if (($rec < 1) || ($row[2] == 1))
            fwrite(STDOUT, "ERR\n");
        else
            fwrite(STDOUT, "OK\n");
        $res->close();
    } else {
        // the query failed: answer anyway, or Squid waits on this request forever
        fwrite(STDOUT, "ERR\n");
    }
    fflush(STDOUT);
}
$db->close();
?>

this is my squid.config

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
auth_param basic children 4
auth_param basic utf8 on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort fuer die Internetberechtigung ein!
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive on
external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php
acl localnet src 192.168.178.7
acl ncsa_users proxy_auth REQUIRED
acl mysql_block external blockscript
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny mysql_block
http_access allow localhost ncsa_users
http_access allow localnet ncsa_users
# And finally deny all other access to this proxy
http_access deny all
http_port 3128
cache_mgr jkal...@web.de
cache_effective_user squid
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /sap/var/spool/squid 64 16 128
cache_access_log /sap/squid/log/access.log
cache_log /sap/squid/log/cache.log
cache_store_log /sap/squid/log/store.log
# Leave coredumps in the first cache dir
coredump_dir /sap/var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat squid %tl.%03tu %6tr %>a %un %Ss/%03>Hs %
Re: [squid-users] sslBump adventures in enterprise production environment
On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
> It's not even a HTTPS, it's a tunneled HTTP CONNECT. But
> squid for some reason thinks there should be a HTTPS inside.

Hello Eugene,

Squid currently supports two kinds of CONNECT tunnels:

1. A regular opaque tunnel, as intended by HTTP specifications.

2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.

Opaque tunnels are the default. Optional SslBump-related features allow the admin to designate admin-selected CONNECT tunnels for HTTPS inspections (of various depth). This distinction explains why and when Squid expects "HTTPS inside".

There is currently no decent support for inspecting CONNECT tunnels other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.

Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel into an opaque tunnel before inspection starts.

The recently added on_unsupported_protocol directive can automatically convert being-inspected non-HTTPS tunnels into opaque ones in some common cases, but it needs more work to cover more cases.

AFAICT, you assume that "splicing" turns off all tunnel inspection. This is correct for step1 (as I mentioned above). This is not correct for other steps because they happen after some inspection already took place. Inspection errors that on_unsupported_protocol cannot yet handle, may result in connection termination and other problems.

If Squid behavior contradicts some of the above rules, it is probably a bug we should fix. Otherwise, it is likely to be a missing feature.

Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to figure out whether those connections are inspected (i.e., go beyond SslBump step1). If they are inspected, then this is not a Squid bug but a misconfiguration (unless the ACL code itself is buggy!). If they are not inspected, then it is probably a Squid bug. I do not have enough information to distinguish between those cases, but I hope that others on the mailing list can guide you towards a resolution given the above information.

HTH,

Alex.
Re: [squid-users] sslBump adventures in enterprise production environment
16.11.15 1:39, Alex Rousskov wrote:
> On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
>> It's not even a HTTPS, it's a tunneled HTTP CONNECT. But
>> squid for some reason thinks there should be a HTTPS inside.
>
>
> Hello Eugene,
>
> Squid currently supports two kinds of CONNECT tunnels:
>
> 1. A regular opaque tunnel, as intended by HTTP specifications.
>
> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>
> Opaque tunnels are the default. Optional SslBump-related features allow
> the admin to designate admin-selected CONNECT tunnels for HTTPS
> inspections (of various depth). This distinction explains why and when
> Squid expects "HTTPS inside".
>
> There is currently no decent support for inspecting CONNECT tunnels
> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>
> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
> into an opaque tunnel before inspection starts.
>
> The recently added on_unsupported_protocol directive can automatically
> convert being-inspected non-HTTPS tunnels into opaque ones in some
> common cases, but it needs more work to cover more cases.
>
>
> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
> is correct for step1 (as I mentioned above). This is not correct for
> other steps because they happen after some inspection already took
> place. Inspection errors that on_unsupported_protocol cannot yet handle,
> may result in connection termination and other problems.
>
>
> If Squid behavior contradicts some of the above rules, it is probably a
> bug we should fix. Otherwise, it is likely to be a missing feature.
>
>
> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
> figure out whether those connections are inspected (i.e., go beyond
> SslBump step1). If they are inspected, then this is not a Squid bug but
> a misconfiguration (unless the ACL code itself is buggy!). If they are
> not inspected, then it is probably a Squid bug. I do not have enough
> information to distinguish between those cases, but I hope that others
> on the mailing list can guide you towards a resolution given the above
> information.

I do not think it's killing them. It looks like an outgoing connection goes to the server, and then silence - of the reaction in the log is not there. Client hangs waiting for a response from server.

>
>
> HTH,
>
> Alex.
Re: [squid-users] squid3.4 - MySQL, PHP script - block websites
I think it is better to translate this code to c. Contact me, having c will give you speed and memory savings.

On 13 Nov. 2015 8:22 PM, "Jens Kallup" wrote:
> Hello,
>
> I have problems to block web sites listed in mysql database.
> When i start the script below, it works, but squid3.4 give me log output;
>
> 2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from
> blockscript #Hlpr0, 3 bytes 'OK
>
> how can i fix that problem ?
>
> Thanks in advance
> Jens
>
> #!/usr/bin/php
> <?php
> // connection details were removed by the poster (host, user, password, database)
> $db = new mysqli("", "", "", "");
> if ($db->connect_error) {
>     fwrite(STDOUT, "ERR\n");
>     exit(1);
> }
> // loop on the fgets() result: the feof() form runs one extra iteration after
> // EOF and sends Squid a reply it never asked for
> while (($i = fgets(STDIN)) !== false)
> {
>     $i = trim($i);
>     $s = explode(" ", $i);
>     $dst = $s[0];
>     $row = array();
>     // the destination comes from the client request, so escape it instead of
>     // splicing it into the SQL verbatim (a prepared statement is better still)
>     $query = "SELECT * FROM squid WHERE name = '" . $db->real_escape_string($dst) . "'";
>     if ($res = $db->query($query)) {
>         $row = $res->fetch_row();
>         $rec = $res->num_rows;
>         // test the row count first: $row is NULL when nothing matched
>         if (($rec < 1) || ($row[2] == 1))
>             fwrite(STDOUT, "ERR\n");
>         else
>             fwrite(STDOUT, "OK\n");
>         $res->close();
>     } else {
>         // the query failed: answer anyway, or Squid waits on this request forever
>         fwrite(STDOUT, "ERR\n");
>     }
>     fflush(STDOUT);
> }
> $db->close();
> ?>
>
>
> this is my squid.config
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
> auth_param basic children 4
> auth_param basic utf8 on
> auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort
> fuer die Internetberechtigung ein!
> auth_param basic credentialsttl 60 minutes
> auth_param basic casesensitive on
> external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php
> acl localnet src 192.168.178.7
> acl ncsa_users proxy_auth REQUIRED
> acl mysql_block external blockscript
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access deny mysql_block
> http_access allow localhost ncsa_users
> http_access allow localnet ncsa_users
> # And finally deny all other access to this proxy
> http_access deny all
> http_port 3128
> cache_mgr jkal...@web.de
> cache_effective_user squid
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> cache_dir ufs /sap/var/spool/squid 64 16 128
> cache_access_log /sap/squid/log/access.log
> cache_log /sap/squid/log/cache.log
> cache_store_log /sap/squid/log/store.log
> # Leave coredumps in the first cache dir
> coredump_dir /sap/var/spool/squid
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> logformat squid %tl.%03tu %6tr %>a %un %Ss/%03>Hs %
Re: [squid-users] Problem with squid3 authentication
On 16/11/2015 7:17 a.m., Marcio Demetrio Bacci wrote:
> Hi,
>
> My problem is as follows:
>
> The Windows stations in the domain are automatically authenticated on the
> proxy, though the Linux stations ask for the password twice, even if the
> password is entered correctly the first time.
>
> Does somebody have an idea?

How are you identifying "ask for the password twice" ?
 two popups? (one for NTLM then one for Basic)
or, two 407 responses? (NTLM requirement)

Also what Squid version are you using?

>
> Follow my squid.conf file
>
>
>
> ### Basic settings
> http_port 3128
>
> #debug_options ALL,111,2 29,9 84,6
>
> hierarchy_stoplist cgi-bin ?
>
> ### Block caching of CGIs
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

If you have a current Squid the above QUERY and hierarchy_stoplist lines are not useful, and may be harming your cache ratios.

>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> # So downloads are not blocked
> quick_abort_min -1 KB
>
>
> # Works around a problem with persistent connections
> detect_broken_pconn on
>
> # Performance gain from using pipelined connections
> pipeline_prefetch on

NTLM authentication behaviour does not comply with HTTP specification requirements, one of the side effects is that it breaks HTTP pipelines.

>
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
>
> ### defines the disk cache location, size, number of parent directories
> and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> # Log file control
> #logfile_rotate 10
>
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa
> cache deny caixa

You do not use cache_peer directives. The always_direct is not doing anything.

>
>
> ### Authenticate against AD via Winbind
>
> # NTLM
> # for users logged on to Windows machines, reuse the logon password
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive off
>
>
> # for non-Windows clients, user/password has to be requested
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl
>
>
> ### ACLs
>
> #acl manager proto cache_object
> acl localhost src 192.168.100.1/32
> #acl to_localhost dst 192.168.100.1/32
> acl SSL_ports port 22 443 563 1 # https, snews
> acl Safe_ports port 80 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # Imprensa Nacional
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
>
> ### Squid's initial rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> #acl manager proto cache_object
>
> acl connect_abertas maxconn 8
>
>
> # ACL tied to authentication
> acl grupo_admins external ad_group gg_webadmins
> acl grupo_liberado external ad_group gg_webliberados
> acl grupo_restrito external ad_group gg_webcontrolados
>
>
> ### Block file extensions
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
>
> ### Allow some sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
>
> ### Block sites by URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
>
> ### Block by keywords
> acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
>
>
> ### Require authentication
> acl autenticados proxy_auth REQUIRED
>
> ### Incorporate the SquidGuard rules
> #redirect_program /usr/bin/squidGuard
> #redirect_children 20
> #redirector_bypass on
>
> # allow the internet group
> http_access allow grupo_admins

grupo_admins requires authentication to be tested.
Re: [squid-users] sslBump adventures in enterprise production environment
On 11/15/2015 01:00 PM, Yuri Voinov wrote:
> 16.11.15 1:39, Alex Rousskov wrote:
>> Squid currently supports two kinds of CONNECT tunnels:
>> 1. A regular opaque tunnel, as intended by HTTP specifications.
>> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>> Opaque tunnels are the default. Optional SslBump-related features allow
>> the admin to designate admin-selected CONNECT tunnels for HTTPS
>> inspections (of various depth). This distinction explains why and when
>> Squid expects "HTTPS inside".
>> There is currently no decent support for inspecting CONNECT tunnels
>> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
>> into an opaque tunnel before inspection starts.
>> The recently added on_unsupported_protocol directive can automatically
>> convert being-inspected non-HTTPS tunnels into opaque ones in some
>> common cases, but it needs more work to cover more cases.
>> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
>> is correct for step1 (as I mentioned above). This is not correct for
>> other steps because they happen after some inspection already took
>> place. Inspection errors that on_unsupported_protocol cannot yet handle,
>> may result in connection termination and other problems.
>> If Squid behavior contradicts some of the above rules, it is probably a
>> bug we should fix. Otherwise, it is likely to be a missing feature.
>> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
>> figure out whether those connections are inspected (i.e., go beyond
>> SslBump step1). If they are inspected, then this is not a Squid bug but
>> a misconfiguration (unless the ACL code itself is buggy!). If they are
>> not inspected, then it is probably a Squid bug. I do not have enough
>> information to distinguish between those cases, but I hope that others
>> on the mailing list can guide you towards a resolution given the above
>> information.

> I do not think it's killing them. It looks like an outgoing connection
> goes to the server, and then silence - of the reaction in the log is not
> there. Client hangs waiting for a response from server.

Same difference. "Killing" == "breaking" == "preventing from working correctly" in this context.

Alex.
Re: [squid-users] sslBump adventures in enterprise production environment
Hi.

On 16.11.2015 00:14, Yuri Voinov wrote:
> It's common knowledge. Squid is unable to pass an unknown protocol on
> the standard port. Consequently, the ability to proxy this protocol does
> not exist.
>
> If it was simply a tunneling ... It is not https. And not just
> HTTP-over-443. This is more complicated and very marginal protocol.
>
I'm really sorry to tell you that, but you are perfectly wrong. These non-HTTPS tunnels have been working for years. And this isn't HTTPS because of:

# openssl s_client -connect login.icq.com:443
CONNECTED(0003)
34379270680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Eugene.
[squid-users] Problem with squid3 authentication
Hi,

My problem is as follows: the Windows stations in the domain are automatically authenticated on the proxy, but the Linux stations ask for the password twice, even if the password is entered correctly the first time. Does somebody have an idea?

My squid.conf file follows:

### Basic settings
http_port 3128
#debug_options ALL,1 11,2 29,9 84,6
hierarchy_stoplist cgi-bin ?

### Do not cache CGI output
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

# So that downloads are not blocked
quick_abort_min -1 KB
# Works around a problem with persistent connections
detect_broken_pconn on
# Performance gain when using pipelined connections
pipeline_prefetch on
fqdncache_size 1024

### Cache refresh parameters
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

### Log locations
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

### Disk cache location, size, number of top-level and second-level directories
cache_dir aufs /var/spool/squid3 600 16 256

# Log file rotation
#logfile_rotate 10

# Allow direct access to the Caixa site
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa

### AD authentication via Winbind
# NTLM
# for users logged on to Windows machines, reuse the logon credentials
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off
# for non-Windows clients, user/password must be requested
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
auth_param basic credentialsttl 2 hours

external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl

### ACLs
#acl manager proto cache_object
acl localhost src 192.168.100.1/32
#acl to_localhost dst 192.168.100.1/32
acl SSL_ports port 22 443 563 1 # https, snews
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # Imprensa Nacional
acl purge method PURGE
acl CONNECT method CONNECT

### Initial Squid rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#acl manager proto cache_object
acl connect_abertas maxconn 8

# ACLs tied to authentication
acl grupo_admins external ad_group gg_webadmins
acl grupo_liberado external ad_group gg_webliberados
acl grupo_restrito external ad_group gg_webcontrolados

### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
### Block by keyword
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
### Require authentication
acl autenticados proxy_auth REQUIRED

### SquidGuard rules
#redirect_program /usr/bin/squidGuard
#redirect_children 20
#redirector_bypass on

# allow the internet group
http_access allow grupo_admins
#http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas
# Allow access to the managers and teachers group
http_access allow grupo_liberado

### Allow social media and music during lunch
acl almoco time 11:30-13:30
http_access allow almoco
# block social media during working hours
acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
http_access deny social_proibido

# Rule to block online radio extensions / streaming files:
acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"
#acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
http_access deny proibir_musica
http_reply_access deny streaming

### Bandwidth control
### There is only one pool (1)
delay_pools 1
### pool number (1) and class type (2): total available bandwidth and total of
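An added example, not code from the original post or from the Squid project: a small Python lint for the acl / http_access section of a squid.conf written in the style of the one above. It checks three things Squid itself reports inconsistently or not at all: an ACL referenced by an access directive before the acl line that defines it (Squid rejects this at parse time), ACLs that are defined but never used by any access directive, and url_regex / urlpath_regex ACLs used positively on an allow line. The last one matters because a url_regex is an unanchored search over the whole URL, query string included, so an allow list of bare hostnames can be satisfied by a URL on a different host. SAMPLE_CONF is a constructed, shortened excerpt modelled on the posted file; the almoco rule is deliberately placed before its acl line to exercise the first check, and the permitted.example pattern and other.example URL are invented.

```python
"""Static checks over the acl / http_access section of a squid.conf.

Added example; not the original poster's code and not part of Squid.
SAMPLE_CONF is a constructed excerpt: the 'almoco' rule is deliberately
placed before its acl line to show the reference-before-definition case.
"""
import re

# Directives whose arguments after the allow/deny verb are an ACL list.
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "always_direct",
                     "never_direct", "cache"}

# ACLs that Squid 3.2 and later define internally.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Regex ACL types: an unanchored search over the URL or over its path.
REGEX_ACL_TYPES = {"url_regex", "urlpath_regex"}

SAMPLE_CONF = """\
acl localhost src 192.168.100.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl connect_abertas maxconn 8
acl grupo_admins external ad_group gg_webadmins
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
acl autenticados proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow grupo_admins
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access allow almoco
acl almoco time 11:30-13:30
http_access deny all
"""


def lint_squid_conf(text):
    """Return findings on ACL definition/use order and regex allow rules.

    'undefined'   -> [(line, acl)] referenced before an acl line defines it
    'unused'      -> [acl] defined but never referenced by an access directive
    'regex_allow' -> [(line, acl)] url_regex/urlpath_regex ACL used
                     positively (not negated) on an allow line
    """
    defined = {}      # acl name -> (acl type, first defining line)
    used = set()
    findings = {"undefined": [], "unused": [], "regex_allow": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "acl" and len(parts) >= 3:
            # Squid lets one name span several acl lines; keep the first.
            defined.setdefault(parts[1], (parts[2], lineno))
            continue
        if directive not in ACCESS_DIRECTIVES or len(parts) < 3:
            continue
        verb, refs = parts[1], parts[2:]
        for ref in refs:
            negated = ref.startswith("!")
            name = ref.lstrip("!")
            used.add(name)
            if name in BUILTIN_ACLS:
                continue
            if name not in defined:
                findings["undefined"].append((lineno, name))
                continue
            acl_type = defined[name][0]
            if verb == "allow" and not negated and acl_type in REGEX_ACL_TYPES:
                findings["regex_allow"].append((lineno, name))
    findings["unused"] = [n for n in defined if n not in used]
    return findings


def url_regex_matches(pattern, url):
    """Emulate a 'url_regex -i' ACL: an unanchored, case-insensitive search
    over the whole URL, query string included."""
    return re.search(pattern, url, re.IGNORECASE) is not None


if __name__ == "__main__":
    result = lint_squid_conf(SAMPLE_CONF)
    for line, name in result["undefined"]:
        print(f"line {line}: ACL '{name}' used before it is defined")
    for name in result["unused"]:
        print(f"ACL '{name}' is defined but never used")
    for line, name in result["regex_allow"]:
        print(f"line {line}: regex ACL '{name}' on an allow line; anchor the "
              f"pattern or use dstdomain for a host allow list")
    # A constructed allow-list entry and a URL on another host that satisfies it.
    print(url_regex_matches(r"permitted\.example",
                            "http://other.example/?u=permitted.example"))
```

Run it against the real file with a few extra lines of file reading; the point of the regex check is that an entry such as `permitted\.example` in sites-permitidos is matched by `http://other.example/?u=permitted.example`, whereas an anchored pattern like `^https?://([^/]+\.)?permitted\.example/` or a dstdomain ACL is not.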
Re: [squid-users] sslBump adventures in enterprise production environment
Hi.

On 15.11.2015 0:43, Walter H. wrote:
> On 13.11.2015 14:53, Yuri Voinov wrote:
>> There is no solution for ICQ with Squid now.
>>
>> You can only bypass proxying for ICQ clients.
> from where do the ICQ clients get the trusted root certificates?
> maybe this is the problem, that e.g. the squid CA cert is only
> installed in FF
> and nowhere else ...

From nowhere. It's not even HTTPS, it's tunneled HTTP CONNECT. But Squid for some reason thinks there should be HTTPS inside.

Eugene.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] sslBump adventures in enterprise production environment
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ICQ-contest-td4673938.html

16.11.15 1:03, Eugene M. Zheganin wrote:
> Hi.
>
> On 15.11.2015 0:43, Walter H. wrote:
>> On 13.11.2015 14:53, Yuri Voinov wrote:
>>> There is no solution for ICQ with Squid now.
>>>
>>> You can only bypass proxying for ICQ clients.
>> from where do the ICQ clients get the trusted root certificates?
>> maybe this is the problem, that e.g. the squid CA cert is only
>> installed in FF
>> and nowhere else ...
> From nowhere. It's not even HTTPS, it's tunneled HTTP CONNECT. But
> Squid for some reason thinks there should be HTTPS inside.
>
> Eugene.
Re: [squid-users] sslBump adventures in enterprise production environment
It's common knowledge. Squid is unable to pass an unknown protocol on the standard port. Consequently, the ability to proxy this protocol does not exist. If it were simply tunneling ... It is not HTTPS. And not just HTTP over 443. This is a more complicated and very marginal protocol.

16.11.15 1:03, Eugene M. Zheganin wrote:
> Hi.
>
> On 15.11.2015 0:43, Walter H. wrote:
>> On 13.11.2015 14:53, Yuri Voinov wrote:
>>> There is no solution for ICQ with Squid now.
>>>
>>> You can only bypass proxying for ICQ clients.
>> from where do the ICQ clients get the trusted root certificates?
>> maybe this is the problem, that e.g. the squid CA cert is only
>> installed in FF
>> and nowhere else ...
> From nowhere. It's not even HTTPS, it's tunneled HTTP CONNECT. But
> Squid for some reason thinks there should be HTTPS inside.
>
> Eugene.