Re: [squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-15 Thread Jens Kallup

Hello,

Now, I use the following script.
But it ends in an endless search - the web browser keeps searching for the site.

#!/usr/bin/python

import sys

def grant ():
    sys.stdout.write( 'OK\n' )
    sys.stdout.flush()   # without a flush the reply sits in the stdio buffer and Squid never sees it

def deny ():
    sys.stdout.write( 'ERR\n' )
    sys.stdout.flush()

while True:
    line = sys.stdin.readline()
    if not line:         # EOF: Squid closed the pipe, exit instead of spinning forever
        break
    if (line.find("web.de") > -1):
        grant()
    else:
        deny()
    # (the original time.sleep(1) here only delayed every decision by a second)





2015/11/15 15:47:00.020 kid1| SECURITY ALERT: on URL: s3.amazonaws.com:443
2015/11/15 15:47:00.020 kid1| abandoning local=192.168.178.79:3128 
remote=192.168.178.79:53719 FD 29 flags=33
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: Host header forgery 
detected on local=192.168.178.79:3128 remote=192.168.178.79:53722 FD 34 
flags=33 (intercepted port does not match 443)
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 
(X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0
2015/11/15 15:47:05.659 kid1| SECURITY ALERT: on URL: 
safebrowsing.google.com:443
2015/11/15 15:47:05.659 kid1| abandoning local=192.168.178.79:3128 
remote=192.168.178.79:53722 FD 34 flags=33

2015/11/15 15:48:01 kid1| Preparing for shutdown after 22 requests
2015/11/15 15:48:01 kid1| Waiting 30 seconds for active connections to 
finish

2015/11/15 15:48:01 kid1| Closing HTTP port 0.0.0.0:3129
2015/11/15 15:48:01 kid1| Closing HTTP port 0.0.0.0:3128
2015/11/15 15:48:01 kid1| Closing Pinger socket on FD 30
2015/11/15 15:48:01 kid1| Shutdown: NTLM authentication.
2015/11/15 15:48:01 kid1| Shutdown: Negotiate authentication.
2015/11/15 15:48:01 kid1| Shutdown: Digest authentication.
2015/11/15 15:48:01 kid1| Shutdown: Basic authentication.
2015/11/15 15:41:44| Pinger exiting.
2015/11/15 15:48:32 kid1| Shutting down...
2015/11/15 15:48:32 kid1| Closing unlinkd pipe on FD 23
2015/11/15 15:48:32 kid1| storeDirWriteCleanLogs: Starting...
2015/11/15 15:48:32 kid1|   Finished.  Wrote 3483 entries.
2015/11/15 15:48:32 kid1|   Took 0.00 seconds (2294466.40 entries/sec).
CPU Usage: 0.180 seconds = 0.120 user + 0.060 sys
Maximum Resident Size: 100576 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:5748 KB
Ordinary blocks: 5637 KB 24 blks
Small blocks:   0 KB  5 blks
Holding blocks: 36624 KB  7 blks
Free Small blocks:  0 KB
Free Ordinary blocks: 110 KB
Total in use:   42261 KB 735%
Total free:   110 KB 2%
2015/11/15 15:48:32 kid1| Logfile: closing log 
stdio:/sap/squid/log/store.log
2015/11/15 15:48:32 kid1| Logfile: closing log 
stdio:/sap/squid/log/access.log

2015/11/15 15:48:32 kid1| Open FD READ/WRITE7 DNS Socket IPv6
2015/11/15 15:48:32 kid1| Open FD UNSTARTED 8 DNS Socket IPv4
2015/11/15 15:48:32 kid1| Open FD WRITING  10 block.sh #1
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   11 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING  12 block.sh #2
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   13 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING  14 block.sh #3
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   15 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING  16 block.sh #4
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   17 Reading next request
2015/11/15 15:48:32 kid1| Open FD WRITING  18 block.sh #5
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   21 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   22 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   25 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   26 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   29 Reading next request
2015/11/15 15:48:32 kid1| Open FD READING  31 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   32 Reading next request
2015/11/15 15:48:32 kid1| Open FD READ/WRITE   34 Reading next request
2015/11/15 15:48:32 kid1| Squid Cache (Version 3.4.8): Exiting normally.
2015/11/15 15:48:33 kid1| Set Current Directory to /sap/var/spool/squid
2015/11/15 15:48:33 kid1| Starting Squid Cache version 3.4.8 for 
x86_64-pc-linux-gnu...

2015/11/15 15:48:33 kid1| Process ID 10874
2015/11/15 15:48:33 kid1| Process Roles: worker
2015/11/15 15:48:33 kid1| With 65535 file descriptors available
2015/11/15 15:48:33 kid1| Initializing IP Cache...
2015/11/15 15:48:33 kid1| DNS Socket created at [::], FD 7
2015/11/15 15:48:33 kid1| DNS Socket created at 0.0.0.0, FD 8
2015/11/15 15:48:33 kid1| Adding nameserver fd00::c225:6ff:fe71:2b from 
/etc/resolv.conf
2015/11/15 15:48:33 kid1| helperOpenServers: Starting 0/4 
'basic_ncsa_auth' processes
2015/11/15 15:48:33 kid1| helperOpenServers: No 'basic_ncsa_auth' 
processes needed.
2015/11/15 15:48:33 kid1| helperOpenServers: Starting 5/5 'block.sh' 
processes

2015/11/15 15:48:33 kid1| Logfile: opening log /sap/squid/log/access.log
2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module 
name. Use 

Re: [squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-15 Thread Antony Stone
On Sunday 15 November 2015 at 15:53:56, Jens Kallup wrote:

> Hello,
> 
> Now, I use the following script.
> But it ends in an endless search - the web browser keeps searching for the site.
> 
> #!/usr/bin/python
> 
> import sys
> import time
> 
> def grant ():
>     sys.stdout.write( 'OK\n' )
> 
> def deny ():
>     sys.stdout.write( 'ERR\n' )
> 
> while True:
>     line = sys.stdin.readline()
>     if (line.find("web.de") > -1):
>         grant()
>     else:
>         deny()
>     time.sleep(1)

1. What are you trying to achieve with the above (or, alternatively, what do 
you believe it should do)?

2. I think you should deal with the following messages in the squid log before 
trying to use the service:

2015/11/15 15:48:33 kid1| ERROR: listen( FD 28, 192.168.178.79 [ job2], 
16383): (98) Address already in use

3. While you're at it, it would be worth correcting the following warnings as 
well:

2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module 
name. Use 'stdio:/sap/squid/log/access.log'
2015/11/15 15:48:33 kid1| WARNING: log name now starts with a module 
name. Use 'stdio:/sap/squid/log/store.log'


Regards,


Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the time.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ACL and http_access

2015-11-15 Thread Magic Link
Thank you, I'll test it tomorrow.
My boss needs this because of his limited bandwidth. And he really needs to 
limit the access during two crucial periods where the bandwidth's availability 
is very important.

Enrique
> From: antony.st...@squid.open.source.it
> To: squid-users@lists.squid-cache.org
> Date: Sun, 15 Nov 2015 10:06:59 +0100
> Subject: Re: [squid-users] ACL and http_access
> 
> On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:
> 
> > I want people not to have access to the Internet, except for one hour twice a day,
> > with only some URLs listed in a file
> 
> On 14/11/2015 11:23 p.m., Magic Link wrote:
> 
> > I've made a mistake, so what I want is that users can access the Internet, except
> > during these two periods when they can access only a few sites defined in the
> > file. I'll try next Monday and come back here.
> 
> On Sunday 15 November 2015 at 03:01:44, Amos Jeffries wrote:
> 
> > Then your config needs to be:
> > 
> >  acl hours time MTWHF 09:30-10:30
> >  acl hours time MTWHF 17:30-18:30
> > 
> >  http_access allow localhost
> >  http_access deny hours !whitelist
> >  http_access allow network
> >  http_access deny all
> 
> Or, if you find it easier to understand:
> 
> acl hours time MTWHF 09:30-10:30
> acl hours time MTWHF 17:30-18:30
> 
> http_access allow localhost
> http_access allow network hours whitelist
> http_access allow network !hours
> http_access deny all
> 
> That means "allow network access to whitelisted sites during the defined 
> hours, 
> or allow general access outside those hours".
> 
> Personally I find the logic of a set of "allow" rules followed by "deny" rules 
> easier to understand than interleaved "allow" and "deny" rules :)
> 
> However, I find the new requirement very strange - would you mind sharing, 
> just 
> for interest's sake, why you want to implement this type of Internet access?
> 
> 
> 
> Antony.
> 
> -- 
> I want to build a machine that will be proud of me.
> 
>  - Danny Hillis, creator of The Connection Machine
> 
>Please reply to the list;
>  please *don't* CC me.


Re: [squid-users] ACL and http_access

2015-11-15 Thread Antony Stone
On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:

> I want people not to have access to the Internet, except for one hour twice a day,
> with only some URLs listed in a file

On 14/11/2015 11:23 p.m., Magic Link wrote:

> I've made a mistake, so what I want is that users can access the Internet, except
> during these two periods when they can access only a few sites defined in the
> file. I'll try next Monday and come back here.

On Sunday 15 November 2015 at 03:01:44, Amos Jeffries wrote:

> Then your config needs to be:
> 
>  acl hours time MTWHF 09:30-10:30
>  acl hours time MTWHF 17:30-18:30
> 
>  http_access allow localhost
>  http_access deny hours !whitelist
>  http_access allow network
>  http_access deny all

Or, if you find it easier to understand:

acl hours time MTWHF 09:30-10:30
acl hours time MTWHF 17:30-18:30

http_access allow localhost
http_access allow network hours whitelist
http_access allow network !hours
http_access deny all

That means "allow network access to whitelisted sites during the defined hours, 
or allow general access outside those hours".

Personally I find the logic of a set of "allow" rules followed by "deny" rules 
easier to understand than interleaved "allow" and "deny" rules :)

However, I find the new requirement very strange - would you mind sharing, just 
for interest's sake, why you want to implement this type of Internet access?



Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

   Please reply to the list;
 please *don't* CC me.
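To check the claim that the two rule sets decide identically, here is a small model of Squid's first-match `http_access` evaluation. It is an added example, not part of Antony's or Amos's messages or of Squid itself. It assumes `localhost`, `network` and `whitelist` are plain src/dstdomain ACLs that either match a request or not, and models a request as its source, whether the time ACL `hours` matches, and whether the destination is on the whitelist.

```python
"""Model of Squid http_access evaluation for the two rule sets in the thread.

Added example, not from the post. Squid walks http_access lines top to
bottom; a line matches when every ACL on it matches (a leading '!' negates
that one ACL), and the first matching line decides. Squid's real fallback
when nothing matches is the opposite of the last line's action; both rule
sets end in 'deny all', which always matches, so a plain deny is used here.
"""
from itertools import product

# The two rule sets from the thread, as (action, [acl terms]) lines.
AMOS_RULES = [
    ("allow", ["localhost"]),
    ("deny",  ["hours", "!whitelist"]),
    ("allow", ["network"]),
    ("deny",  ["all"]),
]
ANTONY_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["network", "hours", "whitelist"]),
    ("allow", ["network", "!hours"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    """Evaluate one named ACL against a request dict; '!' negates it."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    value = {
        "localhost": req["src"] == "localhost",   # assumed: a src ACL for the proxy host
        "network":   req["src"] == "network",     # assumed: a src ACL for the LAN
        "hours":     req["in_hours"],             # the 'time MTWHF ...' ACL
        "whitelist": req["whitelisted"],          # assumed: a dstdomain list
        "all":       True,
    }[base]
    return value != negate


def http_access(rules, req):
    """Return 'allow' or 'deny' for the first line whose ACLs all match."""
    for action, terms in rules:
        if all(acl_matches(t, req) for t in terms):
            return action
    return "deny"


def all_requests():
    """Every combination of source, in/out of hours, and whitelisted or not."""
    for src, in_hours, wl in product(["localhost", "network", "other"],
                                     [False, True], [False, True]):
        yield {"src": src, "in_hours": in_hours, "whitelisted": wl}


def decision_table(rules):
    """Map (src, in_hours, whitelisted) -> decision for the whole input space."""
    return {(r["src"], r["in_hours"], r["whitelisted"]): http_access(rules, r)
            for r in all_requests()}


def rule_sets_equivalent(a, b):
    """True when both rule sets decide every possible request the same way."""
    return decision_table(a) == decision_table(b)


if __name__ == "__main__":
    for key, decision in sorted(decision_table(AMOS_RULES).items()):
        print(key, "->", decision)
    print("equivalent:", rule_sets_equivalent(AMOS_RULES, ANTONY_RULES))
```

Running it prints the full decision table and confirms the two rule sets agree on all twelve cases; the one case the thread cares about, a LAN client during `hours` asking for a non-whitelisted site, comes out as deny in both.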


Re: [squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-15 Thread Eliezer Croitoru

Hey Jens,

PHP failed a long time ago to work nicely with Squid.
Do you think that SquidBlocker can fit your needs?
You can understand what it is at:
http://ngtech.co.il/squidblocker/

I think it might fit your needs just right.
Python/Perl/PHP will fit very small services, while not utilizing 
concurrency by nature, which SquidBlocker does by default.


Eliezer

* Feel free to contact me offlist for more info (special packaging etc.)

On 14/11/2015 03:20, Jens Kallup wrote:

Hello,

I have problems blocking web sites listed in a MySQL database.
When I start the script below, it works, but squid 3.4 gives me this log output:

2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from
blockscript #Hlpr0, 3 bytes 'OK

How can I fix that problem?

Thanks in advance
Jens

#!/usr/bin/php
<?php
$db = new mysqli("", "", "", "");   // host, user, password, database (blank in the original post)
if ($db->connect_error) {
    fwrite(STDOUT, "ERR\n");
    exit(1);
}
// Look the destination up with a prepared statement, so a crafted hostname
// cannot change the query (the original interpolated $dst into the SQL).
// get_result() needs the mysqlnd driver.
$stmt = $db->prepare("SELECT * FROM squid WHERE name = ?");
while (($i = fgets(STDIN)) !== false) {   // fgets returns false at EOF: Squid closed the pipe
    $i = trim($i);
    $s = explode(" ", $i);
    $dst = $s[0];
    $stmt->bind_param("s", $dst);
    if ($stmt->execute() && ($res = $stmt->get_result())) {
        $row = $res->fetch_row();
        $rec = $res->num_rows;
        if (($rec < 1) || ($row[2] == 1))   // check the row count first: $row is null when nothing matched
            fwrite(STDOUT, "ERR\n");
        else
            fwrite(STDOUT, "OK\n");
        $res->close();
    } else {
        fwrite(STDOUT, "BH\n");   // helper failure: never answer OK by accident
    }
    fflush(STDOUT);               // Squid waits for exactly one reply line per request line
}
$stmt->close();
$db->close();
?>


this is my squid.config

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
auth_param basic children 4
auth_param basic utf8 on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort
fuer die Internetberechtigung ein!
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive on
external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php
acl localnet src 192.168.178.7
acl ncsa_users proxy_auth REQUIRED
acl mysql_block external blockscript
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny mysql_block
http_access allow localhost ncsa_users
http_access allow localnet  ncsa_users
# And finally deny all other access to this proxy
http_access deny all
http_port 3128
cache_mgr jkal...@web.de
cache_effective_user squid
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /sap/var/spool/squid 64 16 128
cache_access_log /sap/squid/log/access.log
cache_log /sap/squid/log/cache.log
cache_store_log  /sap/squid/log/store.log
# Leave coredumps in the first cache dir
coredump_dir /sap/var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:   1440 20% 10080
refresh_pattern ^gopher: 1440 0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %




Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Alex Rousskov
On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
> It's not even HTTPS, it's a tunneled HTTP CONNECT. But
> squid for some reason thinks there should be HTTPS inside.


Hello Eugene,

Squid currently supports two kinds of CONNECT tunnels:

1. A regular opaque tunnel, as intended by HTTP specifications.

2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.

Opaque tunnels are the default. Optional SslBump-related features allow
the admin to designate admin-selected CONNECT tunnels for HTTPS
inspections (of various depth). This distinction explains why and when
Squid expects "HTTPS inside".

There is currently no decent support for inspecting CONNECT tunnels
other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.

Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
into an opaque tunnel before inspection starts.

The recently added on_unsupported_protocol directive can automatically
convert being-inspected non-HTTPS tunnels into opaque ones in some
common cases, but it needs more work to cover more cases.


AFAICT, you assume that "splicing" turns off all tunnel inspection. This
is correct for step1 (as I mentioned above). This is not correct for
other steps because they happen after some inspection already took
place. Inspection errors that on_unsupported_protocol cannot yet handle,
may result in connection termination and other problems.


If Squid behavior contradicts some of the above rules, it is probably a
bug we should fix. Otherwise, it is likely to be a missing feature.


Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
figure out whether those connections are inspected (i.e., go beyond
SslBump step1). If they are inspected, then this is not a Squid bug but
a misconfiguration (unless the ACL code itself is buggy!). If they are
not inspected, then it is probably a Squid bug. I do not have enough
information to distinguish between those cases, but I hope that others
on the mailing list can guide you towards a resolution given the above
information.


HTH,

Alex.

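As an added example (not from Alex's message, and not taken from Squid's documentation), an `ssl_bump` rule set that applies the distinction above: CONNECT destinations known not to carry TLS are spliced at step1, so they stay opaque tunnels and are never inspected, while everything else is peeked at step1 and bumped. The ACL names and the `.icq.com` pattern are assumptions for illustration; `on_unsupported_protocol` is assumed to be available in the Squid version in use (it is a Squid 4 directive).

```conf
# Added example, not part of the thread. Names and patterns are assumptions.
acl step1 at_step SslBump1
acl not_tls_on_443 ssl::server_name .icq.com   # CONNECT targets known not to speak TLS

# Evaluated first at step1, when only the CONNECT request has been seen:
# a splice here turns the tunnel opaque before any inspection starts, which
# is the only point at which splicing fully switches inspection off.
ssl_bump splice not_tls_on_443
ssl_bump peek step1
# Everything else: peek at step1 (reads the ClientHello), then bump.
ssl_bump bump all

# Squid 4+: a tunnel already under inspection that turns out not to be TLS
# falls back to an opaque tunnel in the cases Squid can still recover.
on_unsupported_protocol tunnel all
```

The order matters: if the `splice` line came after `peek step1`, the non-TLS destinations would already be peeked at step1 and, as Alex notes, a splice at a later step no longer undoes the inspection that has taken place.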


Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Yuri Voinov



16.11.15 1:39, Alex Rousskov wrote:
> On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
>> It's not even HTTPS, it's a tunneled HTTP CONNECT. But
>> squid for some reason thinks there should be HTTPS inside.
>
>
> Hello Eugene,
>
> Squid currently supports two kinds of CONNECT tunnels:
>
> 1. A regular opaque tunnel, as intended by HTTP specifications.
>
> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>
> Opaque tunnels are the default. Optional SslBump-related features allow
> the admin to designate admin-selected CONNECT tunnels for HTTPS
> inspections (of various depth). This distinction explains why and when
> Squid expects "HTTPS inside".
>
> There is currently no decent support for inspecting CONNECT tunnels
> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>
> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
> into an opaque tunnel before inspection starts.
>
> The recently added on_unsupported_protocol directive can automatically
> convert being-inspected non-HTTPS tunnels into opaque ones in some
> common cases, but it needs more work to cover more cases.
>
>
> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
> is correct for step1 (as I mentioned above). This is not correct for
> other steps because they happen after some inspection already took
> place. Inspection errors that on_unsupported_protocol cannot yet handle,
> may result in connection termination and other problems.
>
>
> If Squid behavior contradicts some of the above rules, it is probably a
> bug we should fix. Otherwise, it is likely to be a missing feature.
>
>
> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
> figure out whether those connections are inspected (i.e., go beyond
> SslBump step1). If they are inspected, then this is not a Squid bug but
> a misconfiguration (unless the ACL code itself is buggy!). If they are
> not inspected, then it is probably a Squid bug. I do not have enough
> information to distinguish between those cases, but I hope that others
> on the mailing list can guide you towards a resolution given the above
> information.
I do not think it's killing them. It looks like an outgoing connection
goes to the server, and then silence - there is no reaction in the log.
The client hangs waiting for a response from the server.
>
>
> HTH,
>
> Alex.
>



Re: [squid-users] squid3.4 - MySQL, PHP script - block websites

2015-11-15 Thread Luis Daniel Lucio Quiroz
I think it is better to translate this code to C. Contact me; having C will
give you speed and memory savings.
On 13 Nov 2015 8:22 PM, "Jens Kallup"  wrote:

> Hello,
>
> I have problems blocking web sites listed in a MySQL database.
> When I start the script below, it works, but squid 3.4 gives me this log output:
>
> 2015/11/14 01:27:40 kid1| helperHandleRead: unexpected read from
> blockscript #Hlpr0, 3 bytes 'OK
>
> How can I fix that problem?
>
> Thanks in advance
> Jens
>
> #!/usr/bin/php
> <?php
> $db = new mysqli("", "", "", "");
> if ($db->connect_error > 0) {
> die(fwrite(STDOUT,"ERR\n"));
> }
> while (!feof(STDIN))
> {
> $i = trim(fgets(STDIN));
> $s = explode(" ", $i);
> $dst = $s[0];
> $row = array();
> $query = "SELECT * FROM squid WHERE name = '$dst'";
> if ($res = $db->query($query)) {
> $row = $res->fetch_row();
> $rec = $res->num_rows;
> if (($row[2] == 1) || ($rec < 1))
>fwrite(STDOUT,"ERR\n"); else
>fwrite(STDOUT,"OK\n");
> $res->close();
> }
> }
> $db->close();
> ?>
>
>
> this is my squid.config
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
> auth_param basic children 4
> auth_param basic utf8 on
> auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort
> fuer die Internetberechtigung ein!
> auth_param basic credentialsttl 60 minutes
> auth_param basic casesensitive on
> external_acl_type blockscript %DST /usr/bin/php /sap/squid/block.php
> acl localnet src 192.168.178.7
> acl ncsa_users proxy_auth REQUIRED
> acl mysql_block external blockscript
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access deny mysql_block
> http_access allow localhost ncsa_users
> http_access allow localnet  ncsa_users
> # And finally deny all other access to this proxy
> http_access deny all
> http_port 3128
> cache_mgr jkal...@web.de
> cache_effective_user squid
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> cache_dir ufs /sap/var/spool/squid 64 16 128
> cache_access_log /sap/squid/log/access.log
> cache_log /sap/squid/log/cache.log
> cache_store_log  /sap/squid/log/store.log
> # Leave coredumps in the first cache dir
> coredump_dir /sap/var/spool/squid
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:   1440 20% 10080
> refresh_pattern ^gopher: 1440 0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
> logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %
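Both of Jens's helpers on this page (the Python one at the top of the thread and the PHP one quoted above) have to speak the same external_acl_type helper protocol: one request line in, one reply line out, flushed immediately, stop at EOF, and echo the channel ID back when `concurrency=` is configured. The following is an added example of that protocol, not code from the thread or from Squid. The block list is a constructed in-memory set standing in for the MySQL table; `lookup_blocked()` is where a real, parameterised query would go.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: one request line in, one reply line out.

Added example, not code from the squid-users thread. BLOCKED_DOMAINS is a
constructed sample standing in for the `squid` table in the original PHP
helper; replace lookup_blocked() with a prepared-statement query to use it.
"""
import sys

# Constructed sample data: destinations the proxy should refuse.
BLOCKED_DOMAINS = {"web.de", "example.org"}


def normalise_host(token):
    """Lower-case the %DST value and drop a trailing :port if present."""
    host = token.strip().lower()
    if host.startswith("["):           # bracketed IPv6 literal, keep as-is
        return host
    if host.count(":") == 1:           # host:port, as seen for CONNECT requests
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def lookup_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if the host or any parent domain is on the block list."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def decide(line, blocked=BLOCKED_DOMAINS, concurrent=False):
    """Turn one request line from Squid into the reply line Squid expects.

    With `concurrency=N` on external_acl_type, Squid prefixes each line with
    a channel ID that must be echoed back; without it the line is just the
    %DST token(s). An empty or malformed line gets a BH (helper error) reply
    so it is never silently treated as OK.
    """
    parts = line.split()
    channel = ""
    if concurrent:
        if not parts:
            return "BH\n"
        channel, parts = parts[0], parts[1:]
    if not parts:
        return f"{channel} BH\n".lstrip()
    host = normalise_host(parts[0])
    verdict = "ERR" if lookup_blocked(host, blocked) else "OK"
    return f"{channel} {verdict}\n".lstrip()


def serve(stream_in=sys.stdin, stream_out=sys.stdout, concurrent=False):
    """Main loop: stop at EOF (Squid closing the pipe) and flush every reply.

    A missing flush is what makes a buffered-stdout helper look like a
    hanging browser: Squid waits for a reply that is sitting in the helper's
    stdio buffer. A reply written when no request is pending is what Squid
    logs as 'helperHandleRead: unexpected read'.
    """
    for line in stream_in:
        stream_out.write(decide(line, concurrent=concurrent))
        stream_out.flush()


if __name__ == "__main__":
    serve(concurrent="--concurrent" in sys.argv[1:])
```

Point `external_acl_type blockscript %DST /path/to/helper.py` at it, adding `--concurrent` only when the same `external_acl_type` line also sets `concurrency=`, and watch `cache.log` for `helperHandleRead: unexpected read` messages, which mean the helper wrote a line Squid was not waiting for.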


Re: [squid-users] Problem with squid3 authentication

2015-11-15 Thread Amos Jeffries
On 16/11/2015 7:17 a.m., Marcio Demetrio Bacci wrote:
> Hi,
> 
> My problem is as follows:
> 
> The Windows stations in the domain are automatically authenticated on the
> proxy, though the Linux stations ask for the password twice, even if the
> password is entered correctly the first time.
> 
> Does somebody have an idea?

How are you identifying "ask for the password twice"?

 two popups? (one for NTLM then one for Basic)

or,
 two 407 responses? (NTLM requirement)


Also what Squid version are you using?


> 
> My squid.conf file follows
> 
> 
> 
> ### Basic settings
> http_port 3128
> 
> #debug_options ALL,111,2 29,9 84,6
> 
> hierarchy_stoplist cgi-bin ?
> 
> ### Do not cache CGI output
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

If you have a current Squid the above QUERY and hierarchy_stoplist lines
are not useful, and may be harming your cache ratios.


> 
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
> 
> # So that downloads are not aborted
> quick_abort_min -1 KB
> 
> 
> # Works around a problem with persistent connections
> detect_broken_pconn on
> 
> # Performance gain when using pipelined connections
> pipeline_prefetch on

NTLM authentication behaviour does not comply with HTTP specification
requirements; one of the side effects is that it breaks HTTP pipelines.


> 
> fqdncache_size 1024
> 
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> 
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> 
> 
> ### Defines the disk cache location, size, number of top-level directories
> and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
> 
> # Log file rotation
> #logfile_rotate 10
> 
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa
> cache deny caixa


You do not use cache_peer directives. The always_direct is not doing
anything.

> 
> 
> ### Authenticate against AD via Winbind
> 
> # NTLM
> # for users logged on to Windows machines, reuse the logon credentials
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive off
> 
> 
> # for non-Windows clients, the username/password must be prompted for
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
> 
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl
> 
> 
> ### ACLs
> 
> #acl manager proto cache_object
> acl localhost src 192.168.100.1/32
> #acl to_localhost dst 192.168.100.1/32
> acl SSL_ports port 22 443 563 1 # https, snews
> acl Safe_ports port 80 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # Imprensa Nacional
> 
> acl purge method PURGE
> acl CONNECT method CONNECT
> 
> 
> ### Squid's initial rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> 
> #acl manager proto cache_object
> 
> acl connect_abertas maxconn 8
> 
> 
> # ACLs tied to authentication
> acl grupo_admins external ad_group gg_webadmins
> acl grupo_liberado external ad_group gg_webliberados
> acl grupo_restrito external ad_group gg_webcontrolados
> 
> 
> ### Block file extensions
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
> 
> ### Allow some sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
> 
> ### Block sites by URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
> 
> ### Block by keyword
> acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
> 
> 
> ### Require authentication
> acl autenticados proxy_auth REQUIRED
> 
> ### Incorporate the SquidGuard rules
> #redirect_program /usr/bin/squidGuard
> #redirect_children 20
> #redirector_bypass on
> 
> # allow the internet group
> http_access allow grupo_admins

grupo_admins requires authentication to be tested.

> 
> 

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Alex Rousskov
On 11/15/2015 01:00 PM, Yuri Voinov wrote:
> 16.11.15 1:39, Alex Rousskov wrote:
>> Squid currently supports two kinds of CONNECT tunnels:

>> 1. A regular opaque tunnel, as intended by HTTP specifications.

>> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.

>> Opaque tunnels are the default. Optional SslBump-related features allow
>> the admin to designate admin-selected CONNECT tunnels for HTTPS
>> inspections (of various depth). This distinction explains why and when
>> Squid expects "HTTPS inside".

>> There is currently no decent support for inspecting CONNECT tunnels
>> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.

>> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
>> into an opaque tunnel before inspection starts.

>> The recently added on_unsupported_protocol directive can automatically
>> convert being-inspected non-HTTPS tunnels into opaque ones in some
>> common cases, but it needs more work to cover more cases.


>> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
>> is correct for step1 (as I mentioned above). This is not correct for
>> other steps because they happen after some inspection already took
>> place. Inspection errors that on_unsupported_protocol cannot yet handle,
>> may result in connection termination and other problems.


>> If Squid behavior contradicts some of the above rules, it is probably a
>> bug we should fix. Otherwise, it is likely to be a missing feature.


>> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
>> figure out whether those connections are inspected (i.e., go beyond
>> SslBump step1). If they are inspected, then this is not a Squid bug but
>> a misconfiguration (unless the ACL code itself is buggy!). If they are
>> not inspected, then it is probably a Squid bug. I do not have enough
>> information to distinguish between those cases, but I hope that others
>> on the mailing list can guide you towards a resolution given the above
>> information.

> I do not think it's killing them. It looks like an outgoing connection
> goes to the server, and then silence - there is no reaction in the log.
> The client hangs waiting for a response from the server.


Same difference. "Killing" == "breaking" == "preventing from working
correctly" in this context.


Alex.



Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Eugene M. Zheganin
Hi.

On 16.11.2015 00:14, Yuri Voinov wrote:

> It's common knowledge. Squid is unable to pass an unknown protocol on
> the standard port. Consequently, the ability to proxy this protocol does
> not exist.
>
> If it was simply a tunneling ... It is not https. And not just
> HTTP-over-443. This is more complicated and very marginal protocol.
>
I'm really sorry to tell you that, but you are perfectly wrong. These
non-HTTPS tunnels have been working for years. And this isn't HTTPS
because of:

# openssl s_client -connect login.icq.com:443
CONNECTED(0003)
34379270680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Eugene.
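The `openssl s_client` run above decides "not HTTPS" from the first bytes the server sends back after the ClientHello ("unknown protocol" after reading 7 bytes). The following added example, not from Eugene's message or from Squid, does the same check in a form that can be run over a list of CONNECT destinations before deciding which ones to exempt from inspection: `classify_server_bytes()` parses a TLS record header from captured bytes, and `probe_tls()` performs a live handshake and reports the OpenSSL reason when the peer is not speaking TLS. The sample byte strings are constructed.

```python
"""Tell a TLS server apart from something else listening on port 443.

Added example, not from the thread. The sample responses below are
constructed; probe_tls() is the only part that touches the network.
"""
import socket
import ssl

# Constructed samples of what a server might send first.
SAMPLE_SERVERHELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x2a, 0x02]) + b"\x00" * 41  # handshake record, ServerHello
SAMPLE_ALERT = bytes.fromhex("1503030002022f")        # alert record: fatal, illegal_parameter
SAMPLE_NOT_TLS = b"\x00\x00\x00\x07\x00\x00\x00"      # 7 opaque bytes, like the s_client run above
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"         # plain HTTP answering on 443


def classify_server_bytes(data):
    """Classify the first bytes of a server reply.

    Returns 'empty', 'not-tls', 'tls-alert', 'tls-handshake' or
    'tls-serverhello'. A TLS record starts with a content type byte, a
    version with major 3, and a 16-bit length no larger than 2^14 + 2048.
    """
    if not data:
        return "empty"
    if len(data) < 5:
        return "not-tls"
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if major != 3 or minor > 4 or length == 0 or length > 16384 + 2048:
        return "not-tls"
    if ctype == 22:                                    # handshake
        if len(data) > 5 and data[5] == 2:             # HandshakeType server_hello
            return "tls-serverhello"
        return "tls-handshake"
    if ctype == 21:                                    # alert
        return "tls-alert"
    return "not-tls"


def probe_tls(host, port=443, timeout=5.0):
    """Live check (network; not exercised by the offline tests).

    Returns the negotiated TLS version, or the OpenSSL reason when the
    handshake fails because the peer answered with something that is not
    TLS, which is what `openssl s_client` reported as 'unknown protocol'.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # only asking whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls " + (tls.version() or "?")
    except ssl.SSLError as exc:
        return "not-tls (%s)" % (exc.reason or exc)
    except OSError as exc:
        return "unreachable (%s)" % exc


if __name__ == "__main__":
    for name, sample in [("serverhello", SAMPLE_SERVERHELLO), ("alert", SAMPLE_ALERT),
                         ("opaque", SAMPLE_NOT_TLS), ("http", SAMPLE_HTTP)]:
        print(name, "->", classify_server_bytes(sample))
```

A destination that classifies as anything other than a TLS handshake is one that an inspecting `ssl_bump` configuration will not be able to handle, and belongs in the set spliced at step1.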


[squid-users] Problem with squid3 authentication

2015-11-15 Thread Marcio Demetrio Bacci
Hi,

My problem is as follows:

The Windows stations in the domain are automatically authenticated on the
proxy, though the Linux stations ask for the password twice, even if the
password is entered correctly the first time.

Does somebody have an idea?

My squid.conf file follows



### Basic settings
http_port 3128

#debug_options ALL,111,2 29,9 84,6

hierarchy_stoplist cgi-bin ?

### Do not cache CGI output
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

# So that downloads are not aborted
quick_abort_min -1 KB


# Works around a problem with persistent connections
detect_broken_pconn on

# Performance gain when using pipelined connections
pipeline_prefetch on

fqdncache_size 1024

### Cache refresh parameters
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

### Log locations
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log


### Disk cache location, size, number of top-level directories and subdirectories
cache_dir aufs /var/spool/squid3 600 16 256

# Log file rotation
#logfile_rotate 10

# Allow access to the Caixa site
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa


### AD authentication via Winbind

# NTLM
# For users logged on to Windows machines, reuses the logon credentials
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off


# For non-Windows clients, user/password must be prompted for
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
auth_param basic credentialsttl 2 hours

external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl


### ACLs

#acl manager proto cache_object
acl localhost src 192.168.100.1/32
#acl to_localhost dst 192.168.100.1/32
acl SSL_ports port 22 443 563 1 # https, snews
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # Imprensa Nacional

acl purge method PURGE
acl CONNECT method CONNECT


### Squid's initial rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

#acl manager proto cache_object

acl connect_abertas maxconn 8


# ACLs tied to authentication
acl grupo_admins external ad_group gg_webadmins
acl grupo_liberado external ad_group gg_webliberados
acl grupo_restrito external ad_group gg_webcontrolados


### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"

### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"

### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"

### Block by keyword
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"


### Require authentication
acl autenticados proxy_auth REQUIRED

### Include the SquidGuard rules
#redirect_program /usr/bin/squidGuard
#redirect_children 20
#redirector_bypass on

# Allow the internet group
http_access allow grupo_admins

#http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas

# Allow access for the managers and teachers group
http_access allow grupo_liberado

### Allow social media and music during lunch time
acl almoco time 11:30-13:30
http_access allow almoco

# Block social media during working hours
acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
http_access deny social_proibido

# Rule blocking online radio extensions / streaming files:
acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"

#acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
http_access deny proibir_musica
http_reply_access deny streaming

### Bandwidth control
### There is only one pool (1)
delay_pools 1
### pool number (1) and class type (2): total available bandwidth and total
of

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Eugene M. Zheganin
Hi.

On 15.11.2015 0:43, Walter H. wrote:
> On 13.11.2015 14:53, Yuri Voinov wrote:
>> There is no solution for ICQ with Squid now.
>>
>> You can only bypass proxying for ICQ clients.
> from where do the ICQ clients get the trusted root certificates?
> maybe this is the problem, that e.g. the squid CA cert is only 
> installed in FF
> and nowhere else ...
From nowhere. It's not even HTTPS, it's a tunneled HTTP CONNECT. But
squid for some reason thinks there should be HTTPS inside.

Eugene.


Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Yuri Voinov

http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ICQ-contest-td4673938.html

16.11.15 1:03, Eugene M. Zheganin writes:
> Hi.
>
> On 15.11.2015 0:43, Walter H. wrote:
>> On 13.11.2015 14:53, Yuri Voinov wrote:
>>> There is no solution for ICQ with Squid now.
>>>
>>> You can only bypass proxying for ICQ clients.
>> from where do the ICQ clients get the trusted root certificates?
>> maybe this is the problem, that e.g. the squid CA cert is only
>> installed in FF
>> and nowhere else ...
> From nowhere. It's not even HTTPS, it's a tunneled HTTP CONNECT. But
> squid for some reason thinks there should be HTTPS inside.
>
> Eugene.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users




Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-15 Thread Yuri Voinov

It's common knowledge. Squid is unable to pass an unknown protocol on
the standard port. Consequently, the ability to proxy this protocol does
not exist.

If it were simply tunneling ... It is not https. And not just
HTTP-over-443. This is a more complicated and very marginal protocol.

16.11.15 1:03, Eugene M. Zheganin writes:
> Hi.
>
> On 15.11.2015 0:43, Walter H. wrote:
>> On 13.11.2015 14:53, Yuri Voinov wrote:
>>> There is no solution for ICQ with Squid now.
>>>
>>> You can only bypass proxying for ICQ clients.
>> from where do the ICQ clients get the trusted root certificates?
>> maybe this is the problem, that e.g. the squid CA cert is only
>> installed in FF
>> and nowhere else ...
> From nowhere. It's not even HTTPS, it's a tunneled HTTP CONNECT. But
> squid for some reason thinks there should be HTTPS inside.
>
> Eugene.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

