Re: [squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

2015-12-10 Thread Tom Tom
Bug created: http://bugs.squid-cache.org/show_bug.cgi?id=4394

On Thu, Dec 10, 2015 at 9:10 PM, Tom Tom  wrote:
> Hi Alex
>
> I've tested again. Squid (3.5.11) only terminates the connection
> (based on SHA1-Fingerprint), *if* the fingerprint is delimited with
> colons. If not, squid GET's the https-request as usual. I'll report a
> bug.
>
> With SHA1-FP (delimited):
> 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the
> config-file, Squid terminates the connection as expected:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
> curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443
>
>
> With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532
> in the config-file, squid GET's the site:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
>
> HTTP/1.1 200 OK
> Date: Thu, 10 Dec 2015 20:06:11 GMT
> P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR
> CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
> UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
> LOC GOV"
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=2592000
> ...
> 
>
> Kind regards,
> Tom
>
> On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
>  wrote:
>> On 12/07/2015 02:05 PM, Tom Tom wrote:
>>> The configuration provided by Alex works for me (squid 3.5.11)
>>
>> Thank you for testing and helping expose problems.
>>
>>
>>> if:
>>> * the http_port-directive is configured with ssl-bump and a
>>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>>
>> ssl-bump is required to access SSL/TLS peeking code. No way around that
>> today although future Squid versions may provide something like an
>> ssl-peek port option that tells Squid that no bumping, for any reason
>> (including error serving) is permitted on that port.
>>
>> Specifying root CA is required to serve certificate validation (and
>> other) errors, but we probably should be more flexible and allow no-CA
>> splice-or-terminate configurations as well.
>>
>> Related enhancement requests in bugzilla are welcomed, especially if
>> they are followed by quality patches.
>>
>>
>>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>>> two characters with a colon
>>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>>> ar***krebs.de)
>>
>> If Squid silently misinterprets colon-less fingerprints, it is a bug
>> that should be reported and fixed. Squid should either interpret them
>> correctly or exit with a configuration error.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>
>>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>>>  wrote:
>>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>>>> * Alex Rousskov :
>>>>>> Please note that if you do not want to bump anything, then the following
>>>>>> should also work (bugs notwithstanding):
>>>>>>
>>>>>> ssl_bump splice whitelist
>>>>>> ssl_bump peek all
>>>>>> ssl_bump terminate blacklist
>>>>>> ssl_bump splice all
>>>>>
>>>>> That doesn't seem to work for me (squid 3.5.2)
>>>>
>>>>> Yet I still can connect. What am I doing wrong?
>>>>
>>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>>
>>>> If you are using the latest v3.5 release, then you should open a bug
>>>> report, preferably with an ALL,9 log depicting a single failing
>>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>>> reading email].
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Alex.
>>>>
>>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
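Added example, not code from the thread or from Squid: a Python pre-check that rewrites a fingerprint blacklist file into the colon-delimited form Tom found Squid 3.5.11 matches, and reports entries that were undelimited or malformed, so a misparsed entry is caught before Squid silently lets the site through instead of terminating it. The two fingerprints are the ones quoted in the thread; the comment line, the truncated entry and the DER bytes are constructed.

```python
"""Canonicalize SHA1 fingerprints for a Squid ssl_bump terminate blacklist.

Added example, not from the squid-users thread or the Squid project.
"""
import hashlib
import re

_HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalize_sha1_fingerprint(text: str) -> str:
    """Return the fingerprint as 20 upper-case hex pairs joined by ':'.

    Accepts 'AB:CD:..', 'ab cd ..', 'abcd..' and mixed case; rejects
    anything that is not exactly 160 bits of hex.
    """
    digits = re.sub(r"[:\s]", "", text.strip()).upper()
    if len(digits) != 40 or not _HEX_RE.match(digits):
        raise ValueError(f"not a SHA1 fingerprint: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))


def load_blacklist(text: str):
    """Parse blacklist file contents.

    Returns (fingerprints, rewritten, rejected): the canonical set, the
    (lineno, entry) pairs that were not already colon-delimited, and the
    lines that are not valid SHA1 fingerprints at all.
    """
    fingerprints, rewritten, rejected = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        try:
            canonical = normalize_sha1_fingerprint(line)
        except ValueError:
            rejected.append((lineno, line))
            continue
        if canonical != line.upper():
            rewritten.append((lineno, line))
        fingerprints.add(canonical)
    return fingerprints, rewritten, rejected


def render_blacklist(fingerprints) -> str:
    """File contents in the form Squid 3.5 matched: one delimited FP per line."""
    return "\n".join(sorted(fingerprints)) + "\n"


def cert_sha1_fingerprint(der: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate, in canonical form."""
    return normalize_sha1_fingerprint(hashlib.sha1(der).hexdigest())


def is_blacklisted(der: bytes, fingerprints) -> bool:
    """True when the certificate's fingerprint is in the canonical set."""
    return cert_sha1_fingerprint(der) in fingerprints


# Constructed sample blacklist: the two fingerprints quoted in the thread,
# one colon-delimited and one not, plus a malformed (truncated) line.
SAMPLE_BLACKLIST = """\
# terminate these server certificates
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
413072F803CE961210E9A45D10DA14B0D2D48532   # undelimited: 3.5.11 misses it
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA   # truncated, not a SHA1
"""

# Constructed stand-in for DER certificate bytes; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-der-placeholder"

if __name__ == "__main__":
    fps, rewritten, rejected = load_blacklist(SAMPLE_BLACKLIST)
    for lineno, entry in rewritten:
        print(f"line {lineno}: rewrote {entry} -> {normalize_sha1_fingerprint(entry)}")
    for lineno, entry in rejected:
        print(f"line {lineno}: rejected {entry!r}")
    print(render_blacklist(fps), end="")
    print("sample cert blacklisted:", is_blacklisted(SAMPLE_DER, fps))
```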


Re: [squid-users] reverse proxy setup

2015-12-10 Thread Amos Jeffries
On 11/12/2015 4:52 p.m., Alex Samad wrote:
> Hi
> 
> 
> Is there any way to remove these from the log
> 
> kid1| Error negotiating SSL connection on FD 38: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol (1/-1)
> 
> this is the corresponding squid config
> options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE
> 
> Note I don't get this when I re-enable tlsv1..

Strange. Usually that means non-TLS traffic being passed to the HTTPS
port. For example, clients opening plain-text HTTP connections to it.

> 
> I am presuming I can ignore these.

That is always up to you. In this case somebody is getting broken
traffic, and your logs are filling with the messages saying so.

Amos



Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

I did the change over today.
Tested with Windows 7 + Exchange 2010 and it wouldn't connect whilst
there was no tls1 !

interesting IE worked against the web site so ..

Did you come across this issue ?


On 11 December 2015 at 11:09, dweimer  wrote:
> On 2015-12-10 4:24 pm, Alex Samad wrote:
>>
>> Hi
>>
>> Answer my own question
>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
>>
>> seems like there is a no-vhost, I presume vhost turns it on
>>
>>
>> On 11 December 2015 at 09:23, Alex Samad  wrote:
>>>
>>> Hi
>>>
>>>
>>> On 10 December 2015 at 23:44, dweimer  wrote:

>>>> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>>>>  cert=/certs/wildcard.certificate.crt \
>>>>  key=/certs/wildcard.certificate.key \
>>>>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>>>>  dhparams=/usr/local/etc/squid/dh.param \
>>>>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>>>>  vhost
>>>
>>>
>>> what is the vhost option? can't find it on the doco page
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html
>
>
> It may be on by default now; unless you are doing multiple host names, it's
> not necessary. The setup on mine is using a wildcard certificate and is
> proxying multiple domain names.
>
>
> --
> Thanks,
>Dean E. Weimer
>http://www.dweimer.net/


[squid-users] reverse proxy setup

2015-12-10 Thread Alex Samad
Hi


Is there any way to remove these from the log

kid1| Error negotiating SSL connection on FD 38: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol (1/-1)

this is the corresponding squid config
options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE

Note I don't get this when I re-enable tlsv1..

I am presuming I can ignore these.


[squid-users] Squid 32-bit (2.7.2) much faster than Squid 64-bit (3.5.11)

2015-12-10 Thread Patrick Flaherty
Hello,

Just following up on my slow 3.5.11 Squid server. I loaded the 32-bit 2.7.2
version on the same box and it's so much faster for me. It's 4 to 5 times
faster for me on the same machine. Please, any help is appreciated. Amos, I
think I cleaned up my 3.5.11 squid.conf properly. I think my 2.7.2
squid.conf needs work.

See below Startup Cache logs from both 3.5.11 and 2.7.2 and also the
squid.conf files from 3.5.11 and 2.7.2.

Thank You,

Patrick

Squid 3.5.11 Startup Cache Log:

2015/12/10 19:50:09 kid1| Current Directory is /cygdrive/c/Windows/system32
2015/12/10 19:50:09 kid1| Starting Squid Cache version 3.5.11 for x86_64-unknown-cygwin...
2015/12/10 19:50:09 kid1| Service Name: squid
2015/12/10 19:50:09 kid1| Process ID 1968
2015/12/10 19:50:09 kid1| Process Roles: worker
2015/12/10 19:50:09 kid1| With 3200 file descriptors available
2015/12/10 19:50:09 kid1| Initializing IP Cache...
2015/12/10 19:50:09 kid1| parseEtcHosts: /etc/hosts: (2) No such file or directory
2015/12/10 19:50:09 kid1| DNS Socket created at [::], FD 5
2015/12/10 19:50:09 kid1| DNS Socket created at 0.0.0.0, FD 6
2015/12/10 19:50:09 kid1| Adding nameserver 172.16.50.9 from squid.conf
2015/12/10 19:50:09 kid1| Adding nameserver 172.16.50.13 from squid.conf
2015/12/10 19:50:09 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2015/12/10 19:50:09 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2015/12/10 19:50:09 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2015/12/10 19:50:09 kid1| Store logging disabled
2015/12/10 19:50:09 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2015/12/10 19:50:09 kid1| Target number of buckets: 1008
2015/12/10 19:50:09 kid1| Using 8192 Store buckets
2015/12/10 19:50:09 kid1| Max Mem  size: 262144 KB
2015/12/10 19:50:09 kid1| Max Swap size: 0 KB
2015/12/10 19:50:09 kid1| Using Least Load store dir selection
2015/12/10 19:50:09 kid1| Current Directory is /cygdrive/c/Windows/system32
2015/12/10 19:50:09 kid1| Finished loading MIME types and icons.
2015/12/10 19:50:09 kid1| HTCP Disabled.
2015/12/10 19:50:09 kid1| Squid plugin modules loaded: 0
2015/12/10 19:50:09 kid1| Adaptation support is off.
2015/12/10 19:50:09 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 10 flags=9
2015/12/10 19:50:11 kid1| storeLateRelease: released 0 objects

---

Squid 2.7.2 Startup Cache Log:

2015/12/10 19:50:38| Starting Squid Cache version 2.7.STABLE8 for i686-pc-winnt...
2015/12/10 19:50:38| Running as Squid-Proxy-2.7.2 Windows System Service on Windows Server 2008
2015/12/10 19:50:38| Service command line is: 
2015/12/10 19:50:38| Process ID 2644
2015/12/10 19:50:38| With 2048 file descriptors available
2015/12/10 19:50:38| With 2048 CRT stdio descriptors available
2015/12/10 19:50:38| Windows sockets initialized
2015/12/10 19:50:38| Using select for the IO loop
2015/12/10 19:50:38| Performing DNS Tests...
2015/12/10 19:50:38| Successful DNS name lookup tests...
2015/12/10 19:50:38| DNS Socket created at 0.0.0.0, port 50961, FD 5
2015/12/10 19:50:38| Adding DHCP nameserver 172.16.50.9 from Registry
2015/12/10 19:50:38| Adding DHCP nameserver 172.16.50.13 from Registry
2015/12/10 19:50:38| Adding DHCP nameserver 4.2.2.3 from Registry
2015/12/10 19:50:38| Adding domain  from Registry
2015/12/10 19:50:38| User-Agent logging is disabled.
2015/12/10 19:50:38| Referer logging is disabled.
2015/12/10 19:50:38| logfileOpen: opening log C:/squid/var/logs/access.log
2015/12/10 19:50:38| Unlinkd pipe opened on FD 8
2015/12/10 19:50:38| Swap maxSize 102400 + 65536 KB, estimated 12918 objects
2015/12/10 19:50:38| Target number of buckets: 645
2015/12/10 19:50:38| Using 8192 Store buckets
2015/12/10 19:50:38| Max Mem  size: 65536 KB
2015/12/10 19:50:38| Max Swap size: 102400 KB
2015/12/10 19:50:38| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/12/10 19:50:38| logfileOpen: opening log c:/squid/var/logs/store.log
2015/12/10 19:50:38| Rebuilding storage in C:/Squid/var/cache/squid (DIRTY)
2015/12/10 19:50:38| Using Least Load store dir selection
2015/12/10 19:50:38| Current Directory is C:\squid\sbin
2015/12/10 19:50:38| Loaded Icons.
2015/12/10 19:50:38| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 14.
2015/12/10 19:50:38| HTCP Disabled.
2015/12/10 19:50:38| Ready to serve requests.
2015/12/10 19:50:38| Done reading C:/Squid/var/cache/squid swaplog (0 entries)
2015/12/10 19:50:38| Finished rebuilding storage from disk.
2015/12/10 19:50:38| 0 Entries scanned
2015/12/10 19:50:38| 0 Invalid entries.
2015/12/10 19:50:38| 0 With invalid flags.
2015/12/10 19:50:38| 0 Objects loaded.
2015/12/10 19:50:38| 0 Objects expired.
2015/12/10 19:50:38| 0 Objects cancelled.
2015/12/10 19:50:38| 0 Duplicate URLs purge

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread dweimer

On 2015-12-10 4:24 pm, Alex Samad wrote:

> Hi
>
> Answer my own question
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
>
> seems like there is a no-vhost, I presume vhost turns it on
>
>
> On 11 December 2015 at 09:23, Alex Samad  wrote:
>> Hi
>>
>>
>> On 10 December 2015 at 23:44, dweimer  wrote:
>>> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>>>  cert=/certs/wildcard.certificate.crt \
>>>  key=/certs/wildcard.certificate.key \
>>>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>>>  dhparams=/usr/local/etc/squid/dh.param \
>>>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>>>  vhost
>>
>> what is the vhost option? can't find it on the doco page
>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


It may be on by default now; unless you are doing multiple host names, 
it's not necessary. The setup on mine is using a wildcard certificate and 
is proxying multiple domain names.


--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

So I have taken this config, done some slight customization for my site,
and it appears to be working

Thanks for this ..

On 10 December 2015 at 23:44, dweimer  wrote:
> On 2015-12-09 11:29 pm, Alex Samad wrote:
>>
>> Hi
>>
>> config
>> https_port 22.4.2.5:443 accel
>> cert=/etc/httpd/conf.d/office.abc.com.crt
>> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
>> options=NO_SSLv2,NO_SSLv3
>> dhparams=/etc/squid/squid-office-dhparams.pem
>>
>> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>> sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS front-end-https=on ssl
>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
>> acl exch_domain dstdomain office.abc.com
>> acl exch_path urlpath_regex -i /exch(ange|web)
>> acl exch_path urlpath_regex -i /public
>> acl exch_path urlpath_regex -i /owa
>> acl exch_path urlpath_regex -i /ecp
>> acl exch_path urlpath_regex -i /microsoft-server-activesync
>> acl exch_path urlpath_regex -i /rpc
>> acl exch_path urlpath_regex -i /rpcwithcert
>> acl exch_path urlpath_regex -i /exadmin
>> acl exch_path urlpath_regex -i /ews
>> acl exch_path urlpath_regex -i /oab
>> acl exch_path urlpath_regex -i /autodiscover
>> cache_peer_access exchangeServer allow exch_domain exch_path
>> cache_peer_access webServer deny exch_domain exch_path
>> never_direct allow exch_domain exch_path
>> cache_mem 32 MB
>> maximum_object_size_in_memory 128 KB
>> access_log stdio:/var/log/squid/office-access.log squid
>> cache_log /var/log/squid/office-cache.log
>> cache_store_log stdio:/var/log/squid/office-cache_store.log
>> pid_filename /var/run/squid-office.pid
>> visible_hostname office.abc.com
>> deny_info TCP_RESET all
>> http_access allow all
>> miss_access allow all
>> icp_port 0
>> snmp_port 0
>>
>>
>>
>> cache.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors
>> available
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0,
>> FD 6
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
>> yieldbroker.com from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.100 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.102 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-access.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
>> rebuild/rewrite every 3600/3600 sec
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-cache_store.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
>> estimated 2520 objects
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir
>> selection
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and
>> icons.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 127.0.0.1/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 10.32.69.11/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
>> HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
>> flags=9
>> Jan 01 10:33:35 1970/12/1

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

Answer my own question
http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html

seems like there is a no-vhost, I presume vhost turns it on


On 11 December 2015 at 09:23, Alex Samad  wrote:
> Hi
>
>
> On 10 December 2015 at 23:44, dweimer  wrote:
>> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>>  cert=/certs/wildcard.certificate.crt \
>>  key=/certs/wildcard.certificate.key \
>>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>>  dhparams=/usr/local/etc/squid/dh.param \
>>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>>  vhost
>
> what is the vhost option? can't find it on the doco page
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi


On 10 December 2015 at 23:44, dweimer  wrote:
> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>  cert=/certs/wildcard.certificate.crt \
>  key=/certs/wildcard.certificate.key \
>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>  dhparams=/usr/local/etc/squid/dh.param \
>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>  vhost

what is the vhost option? can't find it on the doco page
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


Re: [squid-users] help change cache dir

2015-12-10 Thread Rafael Akchurin
Hello Juancho,

Also check the SELinux permissions.

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy.



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri Voinov
Sent: Thursday, December 10, 2015 9:36 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] help change cache dir



chmod is about nothing. Who's the owner of cache dir?

11.12.15 2:27, juancho Alfonso writes:
> Hey there
> I have installed squid in CentOS 7
> I want to change the cache directory
> appears when I try to initialize
> Creating Swap Directories
> FATAL: Failed to make directory swap mydirectory / cache / 00:
>  (13) Permission denied
> directory is an external drive or a folder on the same partition
> and I granted permissions
> chmod 777 cache
> or
> chmod cache squid.squid
> no works
> I need help to put more capacity more directories
>
>
>
> the squid.conf
> ## Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PAGINASBLOQUEADAS url_regex -i porno abcde
>
> ## Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny PAGINASBLOQUEADAS
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> ## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow manager
> http_access allow localnet
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128 transparent
>
> # Uncomment and adjust the following to add a disk cache directory.
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> ## Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #juan
> cache_mem 16384 MB
> #cache_replacement_policy heap LFUDA
> #The maximum_object_size parameter defines the maximum size of the objects that will be stored in the disk cache
> maximum_object_size 200 MB
> cache_swap_low 90
> cache_swap_high 95
> #cache administrator e-mail
> cache_mgr ingenieria@conexiondigital.co
> cachemgr_passwd cache all
>
> #this work
> cache_dir aufs /var/spool/squid 4 16 256
> #this no work
> cache_dir aufs /var/spool/squid2 4 16 256
>
> cache_effective_user squid
> cache_effective_group squid
>
>
>
> Juan Ernesto Alfonso
> electronics engineering student
> Universidad Distrital Francisco José de Caldas
> JUANCHO
>  NEMESIS
> KRAVEN
>
> "if one day you have to choose between the world and love...
> remember:
>
> if you choose the world you will be left without love,
>
> but if you choose love, with it you will conquer the world"
>
> albert einstein
>

Re: [squid-users] help change cache dir

2015-12-10 Thread Yuri Voinov

Cache dir owner must be the user which is specified in squid.conf:

http://i.imgur.com/AbYkE8M.png



11.12.15 2:27, juancho Alfonso writes:
> Hey there
> I have installed squid in CentOS 7
> I want to change the cache directory
> appears when I try to initialize
> Creating Swap Directories
> FATAL: Failed to make directory swap mydirectory / cache / 00:
>  (13) Permission denied
> directory is an external drive or a folder on the same partition
> and I granted permissions
> chmod 777 cache
> or
> chmod cache squid.squid
> no works
> I need help to put more capacity more directories
>
>
>
> the squid.conf
> ## Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PAGINASBLOQUEADAS url_regex -i porno abcde
>
> ## Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny PAGINASBLOQUEADAS
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> ## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow manager
> http_access allow localnet
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128 transparent
>
> # Uncomment and adjust the following to add a disk cache directory.
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> ## Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #juan
> cache_mem 16384 MB
> #cache_replacement_policy heap LFUDA
> #The maximum_object_size parameter defines the maximum size of the objects that will be stored in the disk cache
> maximum_object_size 200 MB
> cache_swap_low 90
> cache_swap_high 95
> #cache administrator e-mail
> cache_mgr ingenieria@conexiondigital.co
> cachemgr_passwd cache all
>
> #this work
> cache_dir aufs /var/spool/squid 4 16 256
> #this no work
> cache_dir aufs /var/spool/squid2 4 16 256
>
> cache_effective_user squid
> cache_effective_group squid
>
>
>
> Juan Ernesto Alfonso
> electronics engineering student
> Universidad Distrital Francisco José de Caldas
> JUANCHO
>  NEMESIS
> KRAVEN
>
> "if one day you have to choose between the world and love...
> remember:
>
> if you choose the world you will be left without love,
>
> but if you choose love, with it you will conquer the world"
>
> albert einstein
>


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
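Added example, not code from the thread or from Squid: a Python check for the "Permission denied" above that compares each cache_dir's owner and group with cache_effective_user / cache_effective_group (the thread's config sets both to squid) and, where SELinux labels are present, compares the new directory's label with the one on /var/spool/squid, the SELinux point Rafael raises. The demo() directory and configs are constructed; using /var/spool/squid as the reference path is an assumption taken from the thread's working cache_dir.

```python
"""Check that each Squid cache_dir is owned by the cache_effective_user.

Added example, not code from the squid-users thread or from Squid itself.
squid -z creates the swap directories as cache_effective_user, so the
"FATAL: Failed to make directory ... (13) Permission denied" above is a
question of owner, group and SELinux label rather than of mode bits.
"""
import grp
import os
import pwd
import shlex
import tempfile

REFERENCE_CACHE_DIR = "/var/spool/squid"   # assumed: labelled by the package


def _name(lookup, numeric_id):
    """Resolve a uid/gid to a name, falling back to the number as text."""
    try:
        return lookup(numeric_id)
    except KeyError:
        return str(numeric_id)

def _user_name(uid):
    return _name(lambda u: pwd.getpwuid(u).pw_name, uid)

def _group_name(gid):
    return _name(lambda g: grp.getgrgid(g).gr_name, gid)

def parse_squid_conf(text):
    """Return (effective_user, effective_group or None, [cache_dir paths]).

    'nobody' is Squid's compiled-in default; CentOS's package and the
    thread's squid.conf set cache_effective_user squid instead.
    """
    user, group, dirs = "nobody", None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "cache_effective_user" and len(parts) > 1:
            user = parts[1]
        elif parts[0] == "cache_effective_group" and len(parts) > 1:
            group = parts[1]
        elif parts[0] == "cache_dir" and len(parts) > 2:
            dirs.append(parts[2])               # cache_dir <type> <path> ...
    return user, group, dirs

def selinux_label(path):
    """Return the SELinux label stored on path, or None when there is none."""
    try:
        return os.getxattr(path, "security.selinux").decode().rstrip("\0")
    except (AttributeError, OSError):           # no xattr support or no label
        return None

def check_cache_dirs(conf_text, reference=REFERENCE_CACHE_DIR):
    """Return [(path, problem)]; an empty list means every cache_dir is usable."""
    user, group, dirs = parse_squid_conf(conf_text)
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return [(d, f"cache_effective_user {user} does not exist") for d in dirs]
    if group is None:                           # Squid uses the primary group
        group = _group_name(pw.pw_gid)
    problems = []
    for path in dirs:
        if not os.path.isdir(path):
            problems.append((path, "missing; create and chown it before squid -z"))
            continue
        st = os.stat(path)
        owner, grp_name = _user_name(st.st_uid), _group_name(st.st_gid)
        if (owner, grp_name) != (user, group):
            problems.append((path, f"owned by {owner}:{grp_name}, expected "
                                   f"{user}:{group} (chown -R {user}:{group} {path})"))
        ref_label, label = selinux_label(reference), selinux_label(path)
        if ref_label and label and label != ref_label:
            problems.append((path, f"SELinux label {label} differs from {reference}"
                                   f" ({ref_label}); set the fcontext and restorecon"))
    return problems

def demo():
    """Run the check on a constructed throwaway cache dir owned by this process.

    Returns (problems with the matching owner, problems with a wrong owner).
    """
    me, my_group = _user_name(os.getuid()), _group_name(os.getgid())
    other = "nobody" if me == "root" else "root"   # exists, but is not us
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "squid2")         # constructed cache_dir
        os.mkdir(cache)
        good = (f"cache_effective_user {me}\ncache_effective_group {my_group}\n"
                f"cache_dir aufs {cache} 4 16 256\n")
        bad = f"cache_effective_user {other}\ncache_dir aufs {cache} 4 16 256\n"
        return check_cache_dirs(good), check_cache_dirs(bad)

if __name__ == "__main__":
    for what, result in zip(("matching owner", "wrong owner"), demo()):
        print(f"{what}: {result or 'ok'}")
```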


Re: [squid-users] help change cache dir

2015-12-10 Thread Yuri Voinov

chmod is about nothing. Who's the owner of cache dir?

11.12.15 2:27, juancho Alfonso writes:
> Hey there
> I have installed squid in CentOS 7
> I want to change the cache directory
> appears when I try to initialize
> Creating Swap Directories
> FATAL: Failed to make directory swap mydirectory / cache / 00:
>  (13) Permission denied
> directory is an external drive or a folder on the same partition
> and I granted permissions
> chmod 777 cache
> or
> chmod cache squid.squid
> no works
> I need help to put more capacity more directories
>
>
>
> the squid.conf
> ## Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PAGINASBLOQUEADAS url_regex -i porno abcde
>
> ## Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny PAGINASBLOQUEADAS
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> ## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow manager
> http_access allow localnet
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128 transparent
>
> # Uncomment and adjust the following to add a disk cache directory.
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> ## Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #juan
> cache_mem 16384 MB
> #cache_replacement_policy heap LFUDA
> #The maximum_object_size parameter defines the maximum size of the objects that will be stored in the disk cache
> maximum_object_size 200 MB
> cache_swap_low 90
> cache_swap_high 95
> #cache administrator e-mail
> cache_mgr ingenieria@conexiondigital.co
> cachemgr_passwd cache all
>
> #this work
> cache_dir aufs /var/spool/squid 4 16 256
> #this no work
> cache_dir aufs /var/spool/squid2 4 16 256
>
> cache_effective_user squid
> cache_effective_group squid
>
>
>
> Juan Ernesto Alfonso
> electronics engineering student
> Universidad Distrital Francisco José de Caldas
> JUANCHO
>  NEMESIS
> KRAVEN
>
> "if one day you have to choose between the world and love...
> remember:
>
> if you choose the world you will be left without love,
>
> but if you choose love, with it you will conquer the world"
>
> albert einstein
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users




[squid-users] help change cache dir

2015-12-10 Thread juancho Alfonso
Hey there
I have installed squid in CentOS 7. I want to change the cache directory; this
appears when I try to initialize it:
Creating Swap Directories
FATAL: Failed to make directory swap mydirectory / cache / 00:
 (13) Permission denied
The directory is an external drive or a folder on the same partition, and I granted
permissions
chmod 777 cache
or
chmod cache squid.squid
It does not work. I need help to put more capacity, more directories.



the squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PAGINASBLOQUEADAS url_regex -i porno abcde

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny PAGINASBLOQUEADAS
# Deny CONNECT to other than secure SSL ports
http_access deny !Safe_ports
# Only allow cachemgr access from localhost
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow manager
http_access allow localnet
# And finally deny all other access to this proxy
http_access allow localhost
http_access allow all

# Squid normally listens to port 3128
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


#juan
cache_mem 16384 MB
#cache_replacement_policy heap LFUDA
# The maximum_object_size parameter defines the maximum size of the objects
# that will be stored in the disk cache
maximum_object_size 200 MB
cache_swap_low 90
cache_swap_high 95
# cache administrator's e-mail
cache_mgr ingenieria@conexiondigital.co
cachemgr_passwd cache all
#this work
cache_dir aufs /var/spool/squid 4 16 256
#this no work
cache_dir aufs /var/spool/squid2 4 16 256
cache_effective_user squid
cache_effective_group squid



Juan Ernesto Alfonso
Electronics engineering student, Universidad Distrital Francisco José de Caldas
JUANCHO
 NEMESIS
KRAVEN

"If one day you have to choose between the world and love...
remember:

if you choose the world you will be left without love,

but if you choose love, with it you will conquer the world"

Albert Einstein





Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Thanks everyone, I will try the changes and try with the debug options.

TLS1 might be an issue. Might have to look at the SSL offloading config so
squid to exchange can be HTTP instead of SSL.

Eliezer, hopefully you'll do a CentOS 6. Any chance you can let me have a
non-released .12, to save me trying to build one.
A
On 11/12/2015 4:32 AM, "Eliezer Croitoru"  wrote:

> On 09/12/2015 12:49, Alex Samad wrote:
>
>> Hi
>>
>> Can't seem to find  3.5.12 for centos pre compiled at
>> http://www1.ngtech.co.il/repo/centos/6/x86_64/
>>
> Since it's in testing
> I have built and tested for CentOS 7 but yet to publish them.
> It will take a week or more.
>
> Eliezer
>


Re: [squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

2015-12-10 Thread Tom Tom
Hi Alex

I've tested again. Squid (3.5.11) only terminates the connection
(based on SHA1-Fingerprint), *if* the fingerprint is delimited with
colons. If not, squid GET's the https-request as usual. I'll report a
bug.

With SHA1-FP (delimited):
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the
config-file, Squid terminates the connection as expected:
$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established
curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443


With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532
in the config-file, squid GET's the site:
$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2015 20:06:11 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml";, CP="CAO DSP COR
CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
LOC GOV"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000
...


Kind regards,
Tom

On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
 wrote:
> On 12/07/2015 02:05 PM, Tom Tom wrote:
>> The configuration provided by Alex works for me (squid 3.5.11)
>
> Thank you for testing and helping expose problems.
>
>
>> if:
>> * the http_port-directive is configured with ssl-bump and a
>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>
> ssl-bump is required to access SSL/TLS peeking code. No way around that
> today although future Squid versions may provide something like an
> ssl-peek port option that tells Squid that no bumping, for any reason
> (including error serving) is permitted on that port.
>
> Specifying root CA is required to serve certificate validation (and
> other) errors, but we probably should be more flexible and allow no-CA
> splice-or-terminate configurations as well.
>
> Related enhancement requests in bugzilla are welcomed, especially if
> they are followed by quality patches.
>
>
>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>> two characters with a colon
>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>> ar***krebs.de)
>
> If Squid silently misinterprets colon-less fingerprints, it is a bug
> that should be reported and fixed. Squid should either interpret them
> correctly or exit with a configuration error.
>
>
> Thank you,
>
> Alex.
>
>
>
>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>>  wrote:
>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
 * Alex Rousskov :
> Please note that if you do not want to bump anything, then the following
> should also work (bugs notwithstanding):
>
> ssl_bump splice whitelist
> ssl_bump peek all
> ssl_bump terminate blacklist
> ssl_bump splice all

 That doesn't seem to work for me (squid 3.5.2)
>>>
 Yet I still can connect. What am I doing wrong?
>>>
>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>
>>> If you are using the latest v3.5 release, then you should open a bug
>>> report, preferably with an ALL,9 log depicting a single failing
>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>> reading email].
>>>
>>>
>>> Thank you,
>>>
>>> Alex.
>>>
>>
>
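A normalizer for the blacklist file, added here as an example (not Squid's or Tom's code): it rewrites every fingerprint into the colon-delimited form that Squid 3.5.11 acted on in the test above, so an undelimited entry cannot be silently ignored, and rejects anything that is not 20 hex bytes. The sample entries are constructed from the two fingerprints quoted in the thread.

```python
"""Normalize and validate SHA1 fingerprints for a Squid ssl_bump blacklist.

Added example for this thread, not Squid's code. The thread found that
Squid 3.5.11 only terminated connections when the fingerprint in the
blacklist file was colon-delimited; a bare 40-hex-digit entry was
silently ignored. This script rewrites every entry into the delimited
form so the config carries one spelling only, and rejects anything that
is not a valid SHA1 fingerprint (typos, SHA256 digests, truncated lines).
"""
import re
import sys

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_sha1_fingerprint(raw: str) -> str:
    """Return the fingerprint as 20 colon-separated uppercase hex bytes.

    Accepts "41:30:72:..." as well as "413072..." (lowercase or
    space-separated too). Raises ValueError unless exactly 20 bytes of
    hex remain after stripping separators.
    """
    digits = re.sub(r"[:\s]", "", raw.strip()).upper()
    if not HEX40.match(digits):
        raise ValueError(f"not a SHA1 fingerprint: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))


def normalize_blacklist(lines):
    """Normalize a blacklist file's lines; returns (entries, errors).

    Blank lines and '#' comments are skipped. entries is the list of
    normalized fingerprints (deduplicated, original order); errors is a
    list of (line_no, text) for lines that could not be parsed.
    """
    entries, errors, seen = [], [], set()
    for no, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            fp = normalize_sha1_fingerprint(text)
        except ValueError:
            errors.append((no, text))
            continue
        if fp not in seen:
            seen.add(fp)
            entries.append(fp)
    return entries, errors


# Constructed sample blacklist: the two spellings of the fingerprint from
# the thread, a lowercase duplicate, a comment, and a malformed entry.
SAMPLE_BLACKLIST = """\
# constructed sample, one fingerprint per line
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
413072F803CE961210E9A45D10DA14B0D2D48532   # same cert, undelimited
413072f803ce961210e9a45d10da14b0d2d48532
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
DEADBEEF                                   # too short: rejected
"""

if __name__ == "__main__":
    # With a file argument, rewrite that file; otherwise run on the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BLACKLIST.splitlines()
    entries, errors = normalize_blacklist(src)
    for no, text in errors:
        print(f"line {no}: rejected {text!r}", file=sys.stderr)
    print("\n".join(entries))
```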


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Eliezer Croitoru

On 09/12/2015 12:49, Alex Samad wrote:

Hi

Can't seem to find  3.5.12 for centos pre compiled at
http://www1.ngtech.co.il/repo/centos/6/x86_64/

Since it's in testing
I have built and tested for CentOS 7 but yet to publish them.
It will take a week or more.

Eliezer


Re: [squid-users] delay syntax, speed and network

2015-12-10 Thread Amos Jeffries
On 10/12/2015 11:38 p.m., Massimo.Sala wrote:
> 1) speed syntax
> 
> example :
> 
> delay_parameters 1 -1/-1 128/128 128000/128000
> 
> 
> The speed is bytes / sec.
> 
> Is it possible to use multipliers like K and M ?
> 

No.

> Is it possible to use units, like bps ( bit per sec ) ?
> 

No.

> 
> It is wonderful to read :
> 
> delay_parameters 1 -1/-1 10Mbps/10Mbps 1Mbps/1Mbps
> 

That does look nice. If only that had any relation to what the delay
pool values mean.


Taking the 10MB one for an example. Translating it to the units as
defined would be: 10Mbps/10Mb


BUT, the "bps" part is *not* the speed limit the client will go. It
is the speed the client gains more traffic capacity.

The correct units to represent this as a speed in metric is:
   10MBpsps/10MBps

If one were to write 1Mbps/10Mb for example, that client would be able
to go up to 10Mbps. Quite non-intuitive to what you would expect a
number saying "1Mbps" would do.

However that is the burst limit, so on *average* you would see them
going 1Mbps. Emphasis on average. For every second they go under 1Mbps
they are permitted an equal amount *over* 1Mbps, with a peak (burst)
speed of 10Mbps.




> 
> 2) network
> 
> We have about 50 subnets, on different locations.
> 
> It is a "hub" topology : all the subnets are linked via WANs to our 
> central location, where there is the IT centre.
> 
> From the IT centre we have the links to Internet, and the proxy server 
> running squid ( forwarding, IT manager decision ).
> 
> 
> Our internal IP addressing is 10.0.0.0/8
> 
> 10.1.0.0 for the first site, 10.2.0.0 the 2nd, etc ...
> 
> 
> Goals :
> 
> overall proxy bandwidth limit : none
> each site limit : 10 Mbps
> each pc client limit : 1 Mbps
> 
> 
> My work-around is this, using class 3 for /16 networks :
> 
> delay_class 1 3
> delay_parameters 1 -1/-1 128/128 128000/128000
> 
> but it is a "fuzzy" fitting : each remote site is seen by squid as N 
> smaller networks, so the overall site limit is N * 10 Mbps ...
> 
> 
> Is it possible to match my goals ?

Using a class 5 pool and an external_acl_type helper to classify each
request as to what site it is coming from and assign a unique tag=site
to each request.

However, you might as well use the tag= site classification to determine
a tcp_outgoing_tos/mark value to send to the underlying system QoS
functionality.

Delay pools is 1980's technology (as you might see from the fact that a
/16 is considered big enough to represent an entire network, lol).
Modern QoS can do a lot of things far better than Squid delay pools. Not
least of which is to add in all the non-HTTP traffic that goes nowhere
near Squid to the sites traffic speed accounting.


> 
> Or I request a new class, where we can specify the netmask.
> 

If you wish to supply a patch it will be considered. However, be aware
that delay pools is a very ancient and broken feature. I am wanting to
deprecate and remove it as soon as people will stop using it.

Amos
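A simulation of one delay-pool bucket, added here as an example (not Squid's code) using Amos's 1Mbps/10Mb figures: the restore value is what refills the bucket each second and the max value caps it, so the bucket size, not the restore rate, sets the peak the client can reach. It assumes one-second refill ticks and, unless told otherwise, Squid's default 50% initial bucket level.

```python
"""Simulate one Squid delay-pool bucket to show what the two numbers in a
delay_parameters entry mean. Added example for this thread, not Squid code.

A pair such as 128000/128000 is restore/max:
  restore - bytes ADDED to the bucket every second (the refill rate)
  max     - the bucket's capacity in bytes (the burst allowance)
Amos's point above: "1Mbps/10Mb" lets a client peak at 10 Mbps for one
second after idling and only averages out to 1 Mbps over time.
Simplification: refills happen in whole one-second steps.
"""

MBIT = 1_000_000


def bytes_per_sec(mbps: float) -> int:
    """Convert a Mbit/s figure to the bytes/sec that delay_parameters wants."""
    return int(mbps * MBIT / 8)


def simulate_bucket(restore, maximum, demand, initial_level=None):
    """Run a bucket for len(demand) seconds.

    restore, maximum: the delay_parameters pair, in bytes.
    demand: bytes the client tries to read in each second (None = unlimited).
    initial_level: starting bytes in the bucket; Squid's default
      delay_initial_bucket_level is 50 (%), mirrored here when None.
    Returns the bytes actually delivered in each second.
    """
    level = maximum // 2 if initial_level is None else initial_level
    delivered = []
    for want in demand:
        level = min(level + restore, maximum)     # refill, capped at max
        got = level if want is None else min(level, want)
        level -= got
        delivered.append(got)
    return delivered


def as_mbps(delivered):
    """Per-second throughput in Mbit/s, rounded for display."""
    return [round(b * 8 / MBIT, 2) for b in delivered]


def average_mbps(delivered):
    """Average throughput over the whole run in Mbit/s."""
    return round(sum(delivered) * 8 / MBIT / len(delivered), 2)


# Amos's example: restore 1 Mbps, burst bucket of 10 Mbit.
RESTORE = bytes_per_sec(1)     # 125000 bytes/sec
MAXIMUM = bytes_per_sec(10)    # 1250000 bytes = 10 Mbit

# Constructed workloads: a client reading flat out for 6 seconds, and one
# idle for 9 seconds that then reads flat out for 3.
GREEDY = [None] * 6
IDLE_THEN_BURST = [0] * 9 + [None] * 3

if __name__ == "__main__":
    for name, load in (("greedy", GREEDY), ("idle then burst", IDLE_THEN_BURST)):
        out = simulate_bucket(RESTORE, MAXIMUM, load, initial_level=MAXIMUM)
        print(f"{name:16s} per-second Mbps {as_mbps(out)} avg {average_mbps(out)}")
```

With a full bucket the greedy client gets 10 Mbps in its first second and 1 Mbps afterwards; the idle-then-burst client also peaks at 10 Mbps yet averages exactly 1 Mbps over the 12 seconds, which is the "equal amount over" behaviour described above.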


Re: [squid-users] issue with video

2015-12-10 Thread Yuri Voinov

tar -cvf logs.tar access.log cache.log; gzip -9 logs.tar ->
http://drive.google.com -> share+post URLs

10.12.15 19:56, Magic Link пишет:
> Where can i upload my logs ? It's too big for the mail.
>
> From: magicl...@outlook.com
> To: squ...@treenet.co.nz; squid-users@lists.squid-cache.org
> Subject: RE: [squid-users] issue with video
> Date: Thu, 10 Dec 2015 11:29:42 +0100
>
>
>
>
> I activated the debug_option. I don't see anything particular in
> access.log, but I don't know what to do with the content of cache.log. I've
> never compiled squid; is there a tutorial? I used to use the debian
> stable repository, but get only the 3.4.8 version for debian 8 (I can
> try with testing repository or another one if so)
>
> Thanks
>> To: squid-users@lists.squid-cache.org
>> From: squ...@treenet.co.nz
>> Date: Thu, 10 Dec 2015 12:09:00 +1300
>> Subject: Re: [squid-users] issue with video
>>
>> On 10/12/2015 3:42 a.m., Magic Link wrote:
>>> Hi,
>>> i have a problem with this video
>>> http://www.cbsnews.com/news/heroin-in-the-heartland-60-minutes/ This
>>> video doesn't start with squid (3.4.8) on Debian 8 but does with a
>>> direct access to Internet. I don't know how to debug this issue.
>>> Any clues ? Thanks
>>>
>>
>> Check cache.log to see if any errors are being logged when you
request it.
>>
>> Check access.log to see if the proxy is actually being contacted to
>> fetch the video.
>>
>> "debug_options 11,2" to see what the request and reply headers are.
>>
>> If you can, try an upgrade. Current Squid is 3.5.12. I'm just mentioning
>> this because it's the normal debugging step. I don't recommend a
>> cross-install of the 3.5.12 package to Debian 8 - it needs a proper
>> backport / recompile.
>>
>> The remaining steps get trickier and depend on the results of the above
>> checks, or whether
>>
>>
>> Amos
>>




Re: [squid-users] issue with video

2015-12-10 Thread Magic Link
Where can i upload my logs ? It's too big for the mail.

From: magicl...@outlook.com
To: squ...@treenet.co.nz; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] issue with video
Date: Thu, 10 Dec 2015 11:29:42 +0100




I activated the debug_option. I don't see anything particular in access.log,
but I don't know what to do with the content of cache.log. I've never compiled
squid; is there a tutorial? I used to use the debian stable repository, but
get only the 3.4.8 version for debian 8 (I can try with testing repository or
another one if so)

Thanks
> To: squid-users@lists.squid-cache.org
> From: squ...@treenet.co.nz
> Date: Thu, 10 Dec 2015 12:09:00 +1300
> Subject: Re: [squid-users] issue with video
> 
> On 10/12/2015 3:42 a.m., Magic Link wrote:
> > Hi,
> > i have a problem with this video 
> > http://www.cbsnews.com/news/heroin-in-the-heartland-60-minutes/ This video 
> > doesn't start with squid (3.4.8) on Debian 8 but does with a direct access 
> > to Internet. I don't know how to debug this issue.
> > Any clues ? Thanks
> > 
> 
> Check cache.log to see if any errors are being logged when you request it.
> 
> Check access.log to see if the proxy is actually being contacted to
> fetch the video.
> 
> "debug_options 11,2" to see what the request and reply headers are.
> 
> If you can, try an upgrade. Current Squid is 3.5.12. I'm just mentioning
> this because it's the normal debugging step. I don't recommend a
> cross-install of the 3.5.12 package to Debian 8 - it needs a proper
> backport / recompile.
> 
> The remaining steps get trickier and depend on the results of the above
> checks, or whether
> 
> 
> Amos
> 



Re: [squid-users] squid 3.4, dstdomain

2015-12-10 Thread Kinkie
On Thu, Dec 10, 2015 at 11:43 AM,   wrote:
> Massimo
>> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
>> 'addons.mozilla.org'
>
>
> Kinkie :
>>  it works exactly as you expect. "dstdomain addons.mozilla.org" does
>> not block subdomains.
>
>
>
> So why doesn't squid accept both rules ? a parsing bug ?


No bug, it is really intentional: ".addons.mozilla.org" also matches
"addons.mozilla.org" (without the dot). Therefore the latter is
rejected to keep the internal data structures consistent.


-- 
Francesco


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread dweimer

On 2015-12-09 11:29 pm, Alex Samad wrote:

Hi

config
https_port 22.4.2.5:443 accel
cert=/etc/httpd/conf.d/office.abc.com.crt
key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
options=NO_SSLv2,NO_SSLv3
dhparams=/etc/squid/squid-office-dhparams.pem
cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
originserver login=PASS front-end-https=on ssl
sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
acl exch_domain dstdomain office.abc.com
acl exch_path urlpath_regex -i /exch(ange|web)
acl exch_path urlpath_regex -i /public
acl exch_path urlpath_regex -i /owa
acl exch_path urlpath_regex -i /ecp
acl exch_path urlpath_regex -i /microsoft-server-activesync
acl exch_path urlpath_regex -i /rpc
acl exch_path urlpath_regex -i /rpcwithcert
acl exch_path urlpath_regex -i /exadmin
acl exch_path urlpath_regex -i /ews
acl exch_path urlpath_regex -i /oab
acl exch_path urlpath_regex -i /autodiscover
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access webServer deny exch_domain exch_path
never_direct allow exch_domain exch_path
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
access_log stdio:/var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
cache_store_log stdio:/var/log/squid/office-cache_store.log
pid_filename /var/run/squid-office.pid
visible_hostname office.abc.com
deny_info TCP_RESET all
http_access allow all
miss_access allow all
icp_port 0
snmp_port 0



cache.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors 
available

Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 
0.0.0.0, FD 6

Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
yieldbroker.com from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.100 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.102 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-access.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-cache_store.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
estimated 2520 objects
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir 
selection
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is 
/etc/squid
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types 
and icons.

Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 
127.0.0.1/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 
10.32.69.11/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 
0

Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
flags=9
Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 
objects



cache log
Dec 10 16:16:23 2015.225 RELEASE -1 
BE6736C8CD1A74A54575AF9880395D04   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.287 RELEASE -1 
78C390A2D412F8E601035A2C1FD771C8   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.296 RELEASE -1 
A7D8B3751858C54225D29408B56FE42D   ? ? ? ? 

Re: [squid-users] delay_pools from 3.1 to 3.4, media content

2015-12-10 Thread Amos Jeffries
On 10/12/2015 11:21 p.m., massimo.s...@asl.bergamo.it wrote:
> Massimo :
>>> acl acl_flussi_media rep_mime_type -i ^audio/
>>> acl acl_flussi_media rep_mime_type -i ^video/
> 
>>> 2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in 
>>> context without an HTTP response. Assuming mismatch.
> 
> 
> 
> Amos :
>> It means that *reply* header do not work when using *request* to decide
>> what delay pool the transaction will use.
> 
>> It has never worked. The older Squid just did not tell you about the
>> config problem.
> 
>> If you want traffic to be re-assigned to pools when the reply happens
>> you need to upgrade to at least the Squid-4.0.3 (beta) release.
> 
> 
> 
> Amos, many thanks for your answer.
> 
> 
> An example of ACLs to catch media content, e.g. :
> 
> acl acl_sites_media dstdomain .ask.fm .facebook.com .fbcdn.net 
> .googlevideo.com .youtube.com
> acl acl_types_media urlpath_regex -i \.asf$ \.avi$ \.flv$ \.mkv$ 
> \.mov$ \.mp3$ \.mp4$ \.mpeg$ \.mpg$ \.qt$ \.swf$ \.vob$ \.wmv$
> 

Both of those match against parts of the request message URL. Which is
fine for delay_access.

Be aware that neither of those matches the real content type.

Your config used to have a rep_mime_type ACL trying to check reply
header value. Which is the correct way to match mime / content type. It
just happens to be data only available after the reply has started
happening.

  acl acl_flussi_media rep_mime_type -i ^audio/
  acl acl_flussi_media rep_mime_type -i ^video/


> 
> 1) To apply the two ACLs to the same pool, which is the correct syntax ?
> 
> delay_access 1 allow acl_sites_media
> delay_access 1 allow acl_types_media
> 
> or
> 
> delay_access 1 allow acl_sites_media acl_types_media
> 

Both and neither. "correct" depends on what your local administrative
policy is.


> 
> 2)  Can you please add all of these stuff to the official docs ?

Where exactly did you look in the documentation? We don't have anything
provided by the Squid Project mentioning how to use delay pools for mime
content delaying. Specifically because it has not been possible to do
until very recently.



 "This is used to determine which delay pool a request falls into."

 Note the use of *request*.


"
acl aclname rep_mime_type [-i] mime-type ...
  # regex match against the mime type of the reply received by
  # squid. Can be used to detect file download or some
  # types HTTP tunneling requests. [fast]
  # NOTE: This has no effect in http_access rules. It only has
  # effect in rules that affect the reply data stream such as
  # http_reply_access.
"

Note the repeated use of *reply*. And the extra notice about usage only
with reply related rules (unlike delay_access).

It should be obvious at least from the second that the first is not
somewhere it will be useful.

Amos



Re: [squid-users] squid 3.4, dstdomain

2015-12-10 Thread Massimo . Sala
Massimo
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
> 'addons.mozilla.org'


Kinkie :
>  it works exactly as you expect. "dstdomain addons.mozilla.org" does
> not block subdomains.



So why doesn't squid accept both rules ? a parsing bug ?

best regards, Massimo



[squid-users] delay syntax, speed and network

2015-12-10 Thread Massimo . Sala
1) speed syntax

example :

delay_parameters 1 -1/-1 128/128 128000/128000


The speed is bytes / sec.

Is it possible to use multipliers like K and M ?

Is it possible to use units, like bps ( bit per sec ) ?


It is wonderful to read :

delay_parameters 1 -1/-1 10Mbps/10Mbps 1Mbps/1Mbps



2) network

We have about 50 subnets, on different locations.

It is a "hub" topology : all the subnets are linked via WANs to our 
central location, where there is the IT centre.

From the IT centre we have the links to Internet, and the proxy server 
running squid ( forwarding, IT manager decision ).


Our internal IP addressing is 10.0.0.0/8

10.1.0.0 for the first site, 10.2.0.0 the 2nd, etc ...


Goals :

overall proxy bandwidth limit : none
each site limit : 10 Mbps
each pc client limit : 1 Mbps


My work-around is this, using class 3 for /16 networks :

delay_class 1 3
delay_parameters 1 -1/-1 128/128 128000/128000

but it is a "fuzzy" fitting : each remote site is seen by squid as N 
smaller networks, so the overall site limit is N * 10 Mbps ...


Is it possible to match my goals ?

Or I request a new class, where we can specify the netmask.


best regards, Sala 
massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici

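Amos's suggestion in his reply above (a class 5 pool with an external_acl_type helper that tags each request with its site), written out for the 10.N.0.0/16 layout described in this post. This is an added example, not code from the thread or from Squid; the helper path and ACL names in the config comment are assumed, and it covers the per-site limit only, not the per-PC one.

```python
#!/usr/bin/env python3
"""external_acl_type helper that tags each request with its site.

Added example for this thread, not part of Squid. It implements Amos's
suggestion (class 5 delay pool keyed by tag=) for the addressing scheme
in the question: site N lives in 10.N.0.0/16, all inside 10.0.0.0/8.

Matching squid.conf fragment (assumed names and path; adapt as needed):

  external_acl_type site_tag ttl=3600 %SRC /usr/local/bin/site_tag.py
  acl from_site external site_tag
  http_access allow from_site localnet   # consulting the ACL applies tag=
  delay_pools 1
  delay_class 1 5
  delay_access 1 allow all
  delay_parameters 1 -1/-1 1250000/1250000   # 10 Mbit/s per tag (site)
"""
import ipaddress
import sys

CAMPUS = ipaddress.ip_network("10.0.0.0/8")


def site_tag_for(src: str):
    """Return 'siteN' for a client in 10.N.0.0/16, or None when the address
    is not one of ours (the helper then answers ERR and applies no tag)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    if addr.version != 4 or addr not in CAMPUS:
        return None
    second_octet = addr.packed[1]       # N in 10.N.x.y
    return f"site{second_octet}"


def helper_reply(line: str) -> str:
    """Turn one request line from Squid into the helper's answer.

    Assumes the format is just %SRC. Without concurrency= the line is the
    address alone; with concurrency= Squid prefixes a channel id that
    must be echoed back in front of the OK/ERR result.
    """
    fields = line.strip().split()
    channel = ""
    if len(fields) == 2:                # "<channel-id> <src>"
        channel = fields[0] + " "
        src = fields[1]
    elif len(fields) == 1:
        src = fields[0]
    else:
        return "ERR"
    tag = site_tag_for(src)
    return f"{channel}OK tag={tag}" if tag else f"{channel}ERR"


if __name__ == "__main__":
    # Squid keeps the helper running and sends one lookup per line.
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()
```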


Re: [squid-users] squid 3.4, dstdomain

2015-12-10 Thread Amos Jeffries
On 10/12/2015 11:02 p.m., Massimo.Sala wrote:
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of 
> 'addons.mozilla.org'
> 
> 
> I thought
> addons.mozilla.org  blocks only these hostname


ACLs do not block anything. Access Controls do.

This value tells Squid that addons.mozilla.org is an exact-match. Any
sub-domain is to be a non-match.


> 
> .addons.mozilla.org blocks all the sub-domains, like 
> www.addons.mozilla.org etc.addons.mozilla.org


This one tells Squid that "addons.mozilla.org" and *all* sub-domains are
to match true.


> 
> Which are the parsing rules of squid 3.4 ?

Each entry in the dstdomain ACL must be a unique and distinct match. The
two ranges of possible domain names above overlap.


Squid uses splay trees internally. So when there are two overlapping
entries, which one will be found and tested against will change randomly
based on how other things affect the splay. Which will cause random
rejections for the *.addons.mozilla.org sub-domains.

Thus having both is a problem. Which way around you place them in the
list of ACL values determines whether Squid can drop one (and just warn)
or not (the error).

Amos

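A checker for dstdomain value lists that applies the matching rule Amos describes above, added here as an example (not Squid's code): it flags pairs where one entry's match set contains the other's, which is what makes Squid drop or reject an entry. The sample list is constructed around the pair from the thread.

```python
"""Find overlapping dstdomain values before Squid refuses the config.

Added example for this thread, not Squid's code. Rule being checked:
"addons.mozilla.org" matches only that host, ".addons.mozilla.org"
matches that host and every sub-domain, so a list holding both has two
entries whose match sets overlap, which Squid rejects or warns about.
"""
import sys


def dstdomain_matches(entry: str, host: str) -> bool:
    """Squid dstdomain semantics for one value: a leading dot means
    host-or-any-subdomain, no leading dot means exact match."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def covers(a: str, b: str) -> bool:
    """True when every host matched by entry b is also matched by entry a."""
    if b.startswith(".") and not a.startswith("."):
        return False                    # an exact entry never covers a subtree
    bare_b = b[1:] if b.startswith(".") else b
    return dstdomain_matches(a, bare_b)


def find_overlaps(entries):
    """Return (wider, narrower) pairs; the narrower entry is the one Squid
    would have to drop. A value matches either one host or a whole
    subtree, so two entries overlap only when one contains the other."""
    problems = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if covers(a, b):
                problems.append((a, b))
            elif covers(b, a):
                problems.append((b, a))
    return problems


# Constructed sample: the pair from the thread plus a second overlap.
ENTRIES = [
    "addons.mozilla.org",
    ".addons.mozilla.org",
    ".facebook.com",
    "www.facebook.com",
    ".fbcdn.net",
    "example.org",
]

if __name__ == "__main__":
    # With a file argument, check that list; otherwise check the sample.
    values = [l.strip() for l in open(sys.argv[1])] if len(sys.argv) > 1 else ENTRIES
    values = [v for v in values if v and not v.startswith("#")]
    for wider, narrower in find_overlaps(values):
        print(f"'{narrower}' is already covered by '{wider}'")
```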


Re: [squid-users] squid 3.4, dstdomain

2015-12-10 Thread Kinkie
Hi,
  it works exactly as you expect. "dstdomain addons.mozilla.org" does
not block subdomains.

On Thu, Dec 10, 2015 at 11:02 AM,   wrote:
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
> 'addons.mozilla.org'
>
>
> I thought
> addons.mozilla.org  blocks only these hostname
>
> .addons.mozilla.org blocks all the sub-domains, like
> www.addons.mozilla.org etc.addons.mozilla.org
>
>
> Which are the parsing rules of squid 3.4 ?
>
> Does the first case block also the sub-domains ?
>
>
> best regards, Sala
>



-- 
Francesco


Re: [squid-users] delay_pools from 3.1 to 3.4, media content

2015-12-10 Thread Massimo . Sala
Massimo :
>> acl acl_flussi_media rep_mime_type -i ^audio/
>> acl acl_flussi_media rep_mime_type -i ^video/

>> 2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in 
>> context without an HTTP response. Assuming mismatch.



Amos :
> It means that *reply* header do not work when using *request* to decide
> what delay pool the transaction will use.

> It has never worked. The older Squid just did not tell you about the
> config problem.

> If you want traffic to be re-assigned to pools when the reply happens
> you need to upgrade to at least the Squid-4.0.3 (beta) release.



Amos, many thanks for your answer.


An example of ACLs to catch media content, e.g.:

acl acl_sites_media dstdomain .ask.fm .facebook.com .fbcdn.net 
.googlevideo.com .youtube.com
acl acl_types_media urlpath_regex -i \.asf$ \.avi$ \.flv$ \.mkv$ 
\.mov$ \.mp3$ \.mp4$ \.mpeg$ \.mpg$ \.qt$ \.swf$ \.vob$ \.wmv$


1) To apply the two ACLs to the same pool, which is the correct syntax?

delay_access 1 allow acl_sites_media
delay_access 1 allow acl_types_media

or

delay_access 1 allow acl_sites_media acl_types_media


2) Can you please add all of this stuff to the official docs?


best regards, Sala
 
massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici

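
The two delay_access syntaxes asked about above differ in how the ACLs combine, and the warning Amos explains comes from a reply-header ACL being evaluated while only the request exists. The following is an added example, not Squid code and not anything the thread's participants wrote: it models Squid's general access-list rules (ACL names on one line must all match; a pool's lines are tried in order and the first matching line decides; when no line matches, the default is the opposite of the last line's action; a pool that does not allow the request hands it to the next pool) over the three ACLs from the thread, and reproduces the "Assuming mismatch" behaviour for `rep_mime_type` when no response is present. The reply-time case at the end is what a Squid that re-evaluates delay_access at reply time (4.0.3 or later, per Amos) would see; the hostnames and paths are constructed samples.

```python
"""Model of how Squid evaluates delay_access lines for the two syntaxes in the
thread. Added illustration, not Squid code.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple


class Transaction:
    """What Squid knows at request time, plus the reply Content-Type once
    (and if) a response has arrived."""
    def __init__(self, host: str, path: str, reply_mime: Optional[str] = None):
        self.host = host.lower()
        self.path = path
        self.reply_mime = reply_mime


class Acl:
    def __init__(self, name: str, predicate: Callable[[Transaction], bool],
                 needs_reply: bool = False):
        self.name = name
        self.predicate = predicate
        self.needs_reply = needs_reply  # rep_* types need response headers

    def match(self, tx: Transaction, warnings: List[str]) -> bool:
        # A reply-header ACL checked before any reply exists cannot match;
        # this is the warning quoted in the thread.
        if self.needs_reply and tx.reply_mime is None:
            warnings.append("WARNING: %s ACL is used in context without an HTTP "
                            "response. Assuming mismatch." % self.name)
            return False
        return self.predicate(tx)


def dstdomain(*domains: str) -> Callable[[Transaction], bool]:
    """Dot-prefixed values match the domain itself and all hosts below it."""
    return lambda tx: any(tx.host == d.lstrip(".") or tx.host.endswith(d)
                          for d in domains)


def urlpath_regex(*patterns: str) -> Callable[[Transaction], bool]:
    rx = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda tx: any(r.search(tx.path) for r in rx)


def rep_mime_type(*patterns: str) -> Callable[[Transaction], bool]:
    rx = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda tx: any(r.search(tx.reply_mime or "") for r in rx)


# The three ACLs from the thread.
ACLS: Dict[str, Acl] = {
    "acl_sites_media": Acl("acl_sites_media", dstdomain(
        ".ask.fm", ".facebook.com", ".fbcdn.net", ".googlevideo.com", ".youtube.com")),
    "acl_types_media": Acl("acl_types_media", urlpath_regex(
        r"\.asf$", r"\.avi$", r"\.flv$", r"\.mkv$", r"\.mov$", r"\.mp3$", r"\.mp4$",
        r"\.mpeg$", r"\.mpg$", r"\.qt$", r"\.swf$", r"\.vob$", r"\.wmv$")),
    "acl_flussi_media": Acl("acl_flussi_media", rep_mime_type(r"^audio/", r"^video/"),
                            needs_reply=True),
}

# One delay_access line as (pool, "allow"|"deny", [acl names]).
Rule = Tuple[int, str, List[str]]

# Form 1: two lines, so a request matching EITHER ACL goes to pool 1.
RULES_EITHER: List[Rule] = [(1, "allow", ["acl_sites_media"]),
                            (1, "allow", ["acl_types_media"])]
# Form 2: one line, so BOTH ACLs must match for pool 1.
RULES_BOTH: List[Rule] = [(1, "allow", ["acl_sites_media", "acl_types_media"])]
# A reply-header ACL used to pick the pool (the warning in the thread).
RULES_REPLY: List[Rule] = [(1, "allow", ["acl_flussi_media"])]


def delay_pool_for(rules: List[Rule], tx: Transaction,
                   acls: Dict[str, Acl] = ACLS) -> Tuple[Optional[int], List[str]]:
    """Return (pool number or None, warnings) for one transaction."""
    warnings: List[str] = []
    for pool in sorted({p for p, _, _ in rules}):
        lines = [(action, names) for p, action, names in rules if p == pool]
        decision = None
        for action, names in lines:
            # all() stops at the first ACL on the line that does not match.
            if all(acls[n].match(tx, warnings) for n in names):
                decision = action
                break
        if decision is None:  # nothing matched: opposite of the last line
            decision = "deny" if lines[-1][0] == "allow" else "allow"
        if decision == "allow":
            return pool, warnings
    return None, warnings
```

With the sample transactions in the test below, the two-line form puts a YouTube page request and an `.mp4` on an unlisted host both into pool 1, while the one-line form only accepts a media path on a listed media domain, so the choice between the two syntaxes is a choice between "either" and "both".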


[squid-users] squid 3.4, dstdomain

2015-12-10 Thread Massimo . Sala
2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of 
'addons.mozilla.org'


I thought
addons.mozilla.org  blocks only this hostname

.addons.mozilla.org blocks all the sub-domains, like 
www.addons.mozilla.org etc.addons.mozilla.org


What are the parsing rules of squid 3.4?

Does the first case also block the sub-domains?


best regards, Sala



Re: [squid-users] Issues with authentication in Squid3

2015-12-10 Thread Amos Jeffries
On 10/12/2015 10:24 p.m., Marcio Demetrio Bacci wrote:
> Hi,

Hi Marcio,
 You didn't get any response to the last three threads you started about
this in the past few days. Around here that means nobody reading it has
an idea how to solve your problem or even any hints about how to go about
fixing it.

For example, I helped when I could, but you have now moved out of my
knowledge area into LDAP syntax problems.

It might help though if you stuck to one thread and updated it with your
changing experiment results. So anyone coming along in future (with a
fix, or the same issues) has it all in one place to work with and
hopefully followup.

HTH
Amos



[squid-users] Issues with authentication in Squid3

2015-12-10 Thread Marcio Demetrio Bacci
Hi,

My problem with Squid 3.4.8 is the following :

The ext_ldap_group_acl locates the user's groups, but even if it finds
the first group (eg "administrators") in which the user is a member, it
continues to search all groups that the user is a member of, so it
authenticates the user only in his last group, which in my case is the Domain
Users group.

This way, only the rules for Domain Users are working on my Squid server. Rules
for admin users and others do not work.

I have this message in /var/log/squid3/cache.log:

2015/12/10 06:36:33 kid1| helperOpenServers: Starting 1/50
'basic_ldap_auth' processes
ext_ldap_group_acl.cc(583): pid=24059 :Connected OK
ext_ldap_group_acl.cc(722): pid=24059 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=webadmins,DC=empresa,DC=com,DC=br
))', searchbase 'DC=empresa,DC=com,DC=br'
2015/12/10 06:36:34 kid1| Starting new redirector helpers...
2015/12/10 06:36:34 kid1| helperOpenServers: Starting 1/20 'squidGuard'
processes
ext_ldap_group_acl.cc(583): pid=24059 :Connected OK
ext_ldap_group_acl.cc(722): pid=24059 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=webliberados,DC=empresa,DC=com,DC=br
))', searchbase 'DC=empresa,DC=com,DC=br'
ext_ldap_group_acl.cc(583): pid=24060 :Connected OK
ext_ldap_group_acl.cc(722): pid=24060 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=domain%20users,DC=empresa,DC=com,DC=br))',
searchbase 'DC=empresa,DC=com,DC=br'
2015/12/10 06:38:04 kid1| Starting new redirector helpers...


Here is my squid.conf

http_port 3128
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
quick_abort_min -1 KB
detect_broken_pconn on
fqdncache_size 1024
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_dir aufs /var/spool/squid3 600 16 256

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w
12345 -h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Proxy Server Squid
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ad_group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -R
-b DC=empresa,DC=com,DC=br -D pr...@empresa.com.br -w 12345 -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,DC=empresa,DC=com,DC=br
))" -h 192.168.0.25

visible_hostname proxy.empresa.com.br
acl localhost src 192.168.0.1/32
acl SSL_ports port 22 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 88
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 389
acl Safe_ports port 443
acl Safe_ports port 464
acl Safe_ports port 488
acl Safe_ports port 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
acl grupo_admins external ad_group webadmins
acl grupo_liberado external ad_group webliberados
acl grupo_restrito external ad_group domain%20users
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados
http_access allow grupo_admins
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access allow grupo_liberado
redirect_program /usr/bin/squidGuard
redirect_children 20
redirector_bypass on
http_access allow grupo_restrito
acl lan src 192.168.0.0/22
http_access allow lan
http_access deny all
error_directory /usr/share/squid3/errors/en
coredump_dir /var/spool/squid3

Regards,

Márcio


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Amos Jeffries
On 10/12/2015 6:29 p.m., Alex Samad wrote:
> Hi
> 
> config
> https_port 22.4.2.5:443 accel
> cert=/etc/httpd/conf.d/office.abc.com.crt
> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
> options=NO_SSLv2,NO_SSLv3
> dhparams=/etc/squid/squid-office-dhparams.pem
> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

None of those ECDHE entries will work properly. Squid does not have the
additional curve name support needed to configure them.


> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer

Note that these cache_peer cert details are the "client certificate"
used to 2-way TLS authenticate Squid with the Office server.

I doubt the same certificate used on the https_port will work as both
server and client certificate. Perhaps that is why the verification has
to be fully disabled.


> acl exch_domain dstdomain office.abc.com
> acl exch_path urlpath_regex -i /exch(ange|web)
> acl exch_path urlpath_regex -i /public
> acl exch_path urlpath_regex -i /owa
> acl exch_path urlpath_regex -i /ecp
> acl exch_path urlpath_regex -i /microsoft-server-activesync
> acl exch_path urlpath_regex -i /rpc
> acl exch_path urlpath_regex -i /rpcwithcert
> acl exch_path urlpath_regex -i /exadmin
> acl exch_path urlpath_regex -i /ews
> acl exch_path urlpath_regex -i /oab
> acl exch_path urlpath_regex -i /autodiscover
> cache_peer_access exchangeServer allow exch_domain exch_path
> cache_peer_access webServer deny exch_domain exch_path
> never_direct allow exch_domain exch_path
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> access_log stdio:/var/log/squid/office-access.log squid
> cache_log /var/log/squid/office-cache.log
> cache_store_log stdio:/var/log/squid/office-cache_store.log
> pid_filename /var/run/squid-office.pid
> visible_hostname office.abc.com
> deny_info TCP_RESET all
> http_access allow all
> miss_access allow all
> icp_port 0
> snmp_port 0
> 
> 
> 
> cache.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
> yieldbroker.com from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.100 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.102 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-access.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-cache_store.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
> estimated 2520 objects
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and 
> icons.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
> Jan 01 10:33:35

[squid-users] [squid related software] Web Safety ICAP Filter 4.3 for Squid is available

2015-12-10 Thread Rafael Akchurin
Greetings everyone,

Version 4.3.0.B716 of Web Safety ICAP Filter for Squid is now available. We 
have finally added support for working with Squid on FreeBSD 10 and pfSense 
2.2. In this version we tried to concentrate on better reporting, SSL bump root 
certificate management from Web UI and better dashboard exposing some Squid 
statistics (via squidclient).

More specifically, this version contains the following bug fixes and 
improvements:

- Monitoring information is now collected and processed by a specific 
standalone monitoring server wsmgrd. It is responsible for upload of monitoring 
information into configured database and generation of Surfing Now real time 
information, Surfing History and reports. Report upload was heavily optimized 
so hopefully the ever running Python upload scripts are now history. Please 
take into account the report generation is still being done by Python so it may 
still be slow on huge traffic. We plan to concentrate on this in version 4.4.

- We have now added the Web UI for management of Root CA ssl bump certificates for 
the Squid proxy. It is now very simple to generate your own trusted root SSL 
decryption certificate, and to back up or upload your own pre-generated certificate, 
all from the Web UI.

- Web UI has a new and remastered dashboard with charts of CPU activity, RAM 
and SWAP used by Squid, ICAP server and monitoring daemon, various system 
information and history of last connections processed by Squid. Surfing Now and 
Surfing History allow searching for not only incident id as before but also for 
host, address, user name, etc.

We now have two preconfigured sample virtual appliances for Ubuntu 14 LTS and 
CentOS 7 (experimental) available at our site. If you have issues/bugs 
with the Web UI or ICAP server, please do not hesitate to report them to supp...@diladele.com. 
All other issues are better reported to squid Bugzilla.

Best regards,
Diladele B.V. Dev Team.
