Re: [squid-users] Error accessing the 403 page

2016-01-01 Thread Amos Jeffries

On 2016-01-01 23:28, Alex Samad wrote:
> Hi
>
> I installed 3.5.12 and when I try to get to a page that is blocked, I
> used to get a message page that said contact the admin person.
>
> trying to get to
> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>
>
> This is part of the error generated
> The following error was encountered while trying to retrieve the URL:
> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>
> alcdmz1 is the proxy server
>
> I seem to have blocked access to all error messages. Not sure how, as
> I haven't made any changes except upgrading to .12 from .11


We fixed the Host header output on CONNECT requests to cache_peer 
between those versions. That is likely the reason it has started being 
visible.


The above URL is just an icon being served up by your Squid as part of 
the page display. The main error page text should have been sent as the 
body of the original 403 message itself.


Your http_access rules are the things rejecting it. Note that it 
contains the squid listening domain:port (alcdmz1:3128 or 
bcp.crwdcntrl.net:80) which your proxy machine is configured to announce 
publicly as its contain domain / FQDN.


The squid service needs to be publicly accessible at that domain:port 
that it is advertising as its public FQDN for this icon request to 
succeed. That means making the server hostname, or visible_hostname 
something that clients can access directly - and unique_hostname the 
private internal name the Squid instance uses to distinguish itself from 
other peers on the proxy farm.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Compile and Install squid 3.5.12 in a fresh Linux OS

2016-01-01 Thread Amos Jeffries

On 2016-01-02 11:36, Billy.Zheng wrote:

> Hi, I have tried to compile and install Squid 3.5.12 on a fresh
> CentOS 7 VPS host. Because I don't understand so many of the configure
> options, I just used the minimum configuration I understood: I need openssl
> to open an https port, and I need basic_auth to support user/password
> authentication, so I used the following config:
>
> ./configure --build=x86_64-linux-gnu \
> --prefix=/usr \
> --exec-prefix=/usr \
> '--bindir=${prefix}/bin' \
> '--sbindir=${prefix}/sbin' \
> '--libdir=${prefix}/lib64' \
> '--libexecdir=${prefix}/lib64/squid' \
> '--includedir=${prefix}/include' \
> '--datadir=${prefix}/share/squid' \
> '--mandir=${prefix}/share/man' \
> '--infodir=${prefix}/share/info' \
> --localstatedir=/var \
> '--with-logdir=${localstatedir}/log/squid' \
> '--with-pidfile=${localstatedir}/run/squid.pid' \
> '--with-swapdir=${localstatedir}/spool/squid' \
> --sysconfdir=/etc/squid \
> --with-openssl \
> --enable-epoll \
> --enable-auth \
> --enable-auth-basic
>
> it worked!


You can skip the --enable-auth and --enable-auth-basic as well if you 
like. Both are enabled by default.




> But compared to the CentOS 7 yum package version, I found my own has far less
> configuration. The following is the list of missing options I never used in
> my own compiled version.
>
> --host=x86_64-redhat-linux-gnu \
> --disable-strict-error-checking \
> --disable-dependency-tracking \
> --enable-follow-x-forwarded-for \
> --enable-auth-ntlm=smb_lm,fake \
> --enable-auth-digest=file,LDAP,eDirectory \
> --enable-auth-negotiate=kerberos \
> --enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group \
> --enable-cache-digests \
> --enable-cachemgr-hostname=localhost \
> --enable-delay-pools \
> --enable-icap-client \
> --enable-ident-lookups \
> --enable-linux-netfilter \
> --enable-removal-policies=heap,lru \
> --enable-ssl-crtd \
> --enable-storeio=aufs,diskd,ufs \
> --enable-wccpv2 \
> --enable-esi \
> --enable-ecap \
> --with-aio \
> --with-default-user=squid \
> --with-filedescriptors=16384 \
> --with-dl \
> --with-pthreads
> 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -m64 -mtune=generic -fpie'
> 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -m64 -mtune=generic -fpie'
> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
> I want to use the newest version of Squid, but I think I am perhaps missing
> some important option, which could cause risk in some cases?



No. Distro packagers like to list all the features enabled explicitly. 
All options are optional (hence the name).



> Could anyone please help me with a `standard necessary' set of configure
> arguments for the current 3.5 series?


For CentOS see:


or you could use the YUM repository listed earlier on the page. IIRC, 
Eliezer has 3.5.12 packages that match what you need.




> Or, just tell me that this worked, it is fine, and I will be very happy
> to use it.
>
>
> btw: When I first installed, ./configure passed, but make failed
> because I had not installed gcc-c++. I had to install gcc-c++ and
> reconfigure again, then make passed. I thought it would be better if
> ./configure could detect that gcc-c++ is not installed.


./configure should not have passed. Should have exited with a "compiler 
cannot make executables" error. Maybe you have some other c++ compiler 
on the system.


Amos



Re: [squid-users] Error accessing the 403 page

2016-01-01 Thread Amos Jeffries

On 2016-01-02 13:19, Alex Samad wrote:
> On 2 January 2016 at 09:22, Amos Jeffries  wrote:
>> On 2016-01-01 23:28, Alex Samad wrote:
>>> Hi
>>>
>>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>>> used to get a message page that said contact the admin person.
>>>
>>> trying to get to
>>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>>
>>>
>>> This is part of the error generated
>>> The following error was encountered while trying to retrieve the URL:
>>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>>
>>> alcdmz1 is the proxy server
>>>
>>> I seem to have blocked access to all error messages. Not sure how, as
>>> I haven't made any changes except upgrading to .12 from .11
>>
>> We fixed the Host header output on CONNECT requests to cache_peer between
>> those versions. That is likely the reason it has started being visible.
>
> Sorry not sure how that is related to this.

It is the only Squid change between those versions that seems related to 
the issue.

>> The above URL is just an icon being served up by your Squid as part of the
>> page display. The main error page text should have been sent as the body of
>> the original 403 message itself.
>
> agree
>
>> Your http_access rules are the things rejecting it. Note that it contains
>> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which
>> your proxy machine is configured to announce publicly as its contain domain
>> / FQDN.
>
> The original url was bcp.crwdcntrl.net:80, the page I got back
> included the text
> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>
>> The squid service needs to be publicly accessible at that domain:port that
>> it is advertising as its public FQDN for this icon request to succeed. That
>> means making the server hostname, or visible_hostname something that clients
>> can access directly - and unique_hostname the private internal name the
>> Squid instance uses to distinguish itself from other peers on the proxy
>> farm.
>
> so they can connect to alcdmz1:3128
>
> conf
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 20 startup=0 idle=3
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --configfile
> /etc/samba/smb.conf-squid
> auth_param ntlm children 20 startup=0 idle=3
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --configfile
> /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
> acl localnet src 10.3.8.0/24
> acl localnet_auth src 10.1.0.0/14
> acl localnet_auth src 10.2.0.0/16
> acl localnet_auth src 10.2.2.1/32

NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the 
other localnet_auth entries are all redundant and can be removed.

(squid -k parse should be warning you about that)

> acl localnet_guest src 10.1.22.0/24
> acl localnet_appproxy src 10.172.23.3/32

NP: localnet and localnet_appproxy are both of the same type and both 
only used to allow http_access within the same block of allows.

You should simplify by adding 10.172.23.3 to the localnet definition and 
drop localnet_appproxy entirely.

> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
> acl FTP proto FTP
> acl DMZSRV src 10.3.2.110
> acl DMZSRV src 10.3.2.111
> always_direct allow FTP
> always_direct allow DMZSRV
> ftp_passive off
> ftp_epsv_all off
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https

Aha. You have restricted the Safe_ports to exclude 3128. Thus 
"http://alcdmz1:3128/..." are rejected even if the remote client could 
resolve domains within the TLD "alcdmz1".

> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl icp_allowed src 10.3.2.110/32
> acl icp_allowed src 10.3.2.111/32
> acl icp_allowed src 10.172.23.0/32
> acl icp_allowed src 10.172.23.4/32

NP: you do not need to put /32 on IPv4 addresses.

> http_access allow manager localhost
> http_access allow manager icp_allowed
> http_access deny manager
> http_access allow icp_allowed

All the manager and icp_allowed stuff above should be down ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

 ... here.

I would also restructure the manager tests as:
  http_access allow icp_allowed
  http_access allow localhost
  http_access deny manager

... which avoids repeated checking of the (relatively) slow regex 
manager ACL, and allows removal of the lines checking "allow localhost" 
and "allow icp_allowed".

> http_access allow localnet
> http_access allow localhost
> http_access allow 

Re: [squid-users] Error accessing the 403 page

2016-01-01 Thread Alex Samad
On 2 January 2016 at 12:23, Amos Jeffries  wrote:
> On 2016-01-02 13:19, Alex Samad wrote:
>>
>> On 2 January 2016 at 09:22, Amos Jeffries  wrote:
>>>
>>> On 2016-01-01 23:28, Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>>>> used to get a message page that said contact the admin person.
>>>>
>>>> trying to get to
>>>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>>>
>>>>
>>>> This is part of the error generated
>>>> The following error was encountered while trying to retrieve the URL:
>>>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>>>
>>>> alcdmz1 is the proxy server
>>>>
>>>> I seem to have blocked access to all error messages. Not sure how, as
>>>> I haven't made any changes except upgrading to .12 from .11
>>>
>>>
>>>
>>> We fixed the Host header output on CONNECT requests to cache_peer between
>>> those versions. That is likely the reason it has started being visible.
>>
>>
>> Sorry not sure how that is related to this.
>
>
> It is the only Squid change between those versions that seems related to the
> issue.
>
>

okay

>>
>>>
>>> The above URL is just an icon being served up by your Squid as part of
>>> the
>>> page display. The main error page text should have been sent as the body
>>> of
>>> the original 403 message itself.
>>>
>>
>> agree
>>
>>> Your http_access rules are the things rejecting it. Note that it contains
>>> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80)
>>> which
>>> your proxy machine is configured to announce publicly as its contain
>>> domain
>>> / FQDN.
>>>
>>
>> The original url was bcp.crwdcntrl.net:80, the page I got back
>> included the text
>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>
>>
>>> The squid service needs to be publicly accessible at that domain:port
>>> that
>>> it is advertising as its public FQDN for this icon request to succeed.
>>> That
>>> means making the server hostname, or visible_hostname something that
>>> clients
>>> can access directly - and unique_hostname the private internal name the
>>> Squid instance uses to distinguish itself from other peers on the proxy
>>> farm.
>>
>>
>> so they can connect to alcdmz1:3128
>>
>>
>>
>> conf
>> auth_param negotiate program /usr/bin/ntlm_auth
>> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 20 startup=0 idle=3
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --configfile
>> /etc/samba/smb.conf-squid
>> auth_param ntlm children 20 startup=0 idle=3
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic --configfile
>> /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
>> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
>> acl localnet src 10.3.8.0/24
>> acl localnet_auth src 10.1.0.0/14
>> acl localnet_auth src 10.2.0.0/16
>> acl localnet_auth src 10.2.2.1/32
>
>
> NP: 10.1.0.0/14 contains and matches all of 10.2.*.*, therefore the other
> localnet_auth entries are all redundant and can be removed.
>
> (squid -k parse should be warning you about that)
>
>
>> acl localnet_guest src 10.1.22.0/24
>> acl localnet_appproxy src 10.172.23.3/32
>
>
> NP: localnet and localnet_appproxy are both of the same type and both only
> used to allow http_access within the same block of allows.
>
> You should simplify by adding 10.172.23.3 to the localnet definition and
> drop localnet_appproxy entirely.

I have change some of the ip addressing for the email

>
>> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
>> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
>> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
>> acl FTP proto FTP
>> acl DMZSRV src 10.3.2.110
>> acl DMZSRV src 10.3.2.111
>> always_direct allow FTP
>> always_direct allow DMZSRV
>> ftp_passive off
>> ftp_epsv_all off
>> acl SSL_ports port 443
>> acl Safe_ports port 80  # http
>> acl Safe_ports port 21  # ftp
>> acl Safe_ports port 443 # https
>
>
> Aha. You have restricted the Safe_ports to exclude 3128. Thus
> "http://alcdmz1:3128/..." are rejected even if the remote client could
> resolve domains within the TLD "alcdmz1".

so  obvious once pointed out !  Wonder why it worked before though !

>
>
>> acl CONNECT method CONNECT
>> acl AuthorizedUsers proxy_auth REQUIRED
>> acl icp_allowed src 10.3.2.110/32
>> acl icp_allowed src 10.3.2.111/32
>> acl icp_allowed src 10.172.23.0/32
>> acl icp_allowed src 10.172.23.4/32
>
>
> NP: you do not need to put /32 on IPv4 addresses.
>
>> http_access allow manager localhost
>> http_access allow manager 

[squid-users] example of ecap code that filters incoming requests by filter ?

2016-01-01 Thread Nir Krakowski
anybody have a link to an example of a  ecap code that filters incoming
requests by filter ?

or what do I look for ?


Re: [squid-users] squid+ssl and CPU load 100%

2016-01-01 Thread Amos Jeffries

On 2016-01-01 07:06, Lucas Castro wrote:
> On 31-12-2015 15:00, Alex Rousskov wrote:
>> On 12/31/2015 10:58 AM, lucas castro wrote:
>>> I have squid
>>> Squid Cache: Version 3.5.7
>>>
>>> I don't know how to ask about this,
>>> But I'm getting 100% load and squid doesn't accept connections anymore;
>>> my cache.log shows me this.
>>>
>>> 2015/12/31 14:27:15.869 kid2| bio.cc(942) parseV3ServerHello: TLS
>>> Extension: 0 of size:0
>>> 2015/12/31 14:27:15.869 kid2| bio.cc(942) parseV3ServerHello: TLS
>>> Extension: 0 of size:0
>>> 2015/12/31 14:27:15.866 kid1| bio.cc(942) parseV3ServerHello: TLS
>>> Extension: 0 of size:0
>>>
>>> Does anyone have any idea what's happening?
>> IIRC, this is an SSL parsing bug in older Squids. Sorry, I do not have a
>> reference. If you are using SslBump, you should upgrade to the latest
>> v3.5 (at least).
>>
>> Alex.
> I'm already using squid 3.5.7.


Which is already 5 months outdated. TLS and SSL related things are 
changing on an almost weekly basis, even in the stable/production 
version.



> I'll try to upgrade to 3.5.12.
> I was looking for this, but didn't find anything; do you have some link
> about this?


Yes:
 
 


 "crash or high CPU usage".

Amos



[squid-users] Compile and Install squid 3.5.12 in a fresh Linux OS

2016-01-01 Thread zw963
Hi, I have tried to compile and install Squid 3.5.12 on a fresh
CentOS 7 VPS host. Because I don't understand so many of the configure
options, I just used the minimum configuration I understood: I need openssl
to open an https port, and I need basic_auth to support user/password
authentication, so I used the following config:

./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--exec-prefix=/usr \
'--bindir=${prefix}/bin' \
'--sbindir=${prefix}/sbin' \
'--libdir=${prefix}/lib64' \
'--libexecdir=${prefix}/lib64/squid' \
'--includedir=${prefix}/include' \
'--datadir=${prefix}/share/squid' \
'--mandir=${prefix}/share/man' \
'--infodir=${prefix}/share/info' \
--localstatedir=/var \
'--with-logdir=${localstatedir}/log/squid' \
'--with-pidfile=${localstatedir}/run/squid.pid' \
'--with-swapdir=${localstatedir}/spool/squid' \
--sysconfdir=/etc/squid \
--with-openssl \
--enable-epoll \
--enable-auth \
--enable-auth-basic

it worked!

But compared to the CentOS 7 yum package version, I found my own has far less
configuration. The following is the list of missing options I never used in my
own compiled version.

--host=x86_64-redhat-linux-gnu \
--disable-strict-error-checking \
--disable-dependency-tracking \
--enable-follow-x-forwarded-for \
--enable-auth-ntlm=smb_lm,fake \
--enable-auth-digest=file,LDAP,eDirectory \
--enable-auth-negotiate=kerberos \
--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group \
--enable-cache-digests \
--enable-cachemgr-hostname=localhost \
--enable-delay-pools \
--enable-icap-client \
--enable-ident-lookups \
--enable-linux-netfilter \
--enable-removal-policies=heap,lru \
--enable-ssl-crtd \
--enable-storeio=aufs,diskd,ufs \
--enable-wccpv2 \
--enable-esi \
--enable-ecap \
--with-aio \
--with-default-user=squid \
--with-filedescriptors=16384 \
--with-dl \
--with-pthreads
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-m64 -mtune=generic -fpie'
'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-m64 -mtune=generic -fpie'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

I want to use the newest version of Squid, but I think I am perhaps missing
some important option, which could cause risk in some cases?

Could anyone please help me with a `standard necessary' set of configure
arguments for the current 3.5 series?

Or, just tell me that this worked, it is fine, and I will be very happy to use it.

btw: When I first installed, ./configure passed, but make failed
because I had not installed gcc-c++. I had to install gcc-c++ and reconfigure
again, then make passed. I thought it would be better if ./configure could
detect that gcc-c++ is not installed.

Thanks.

Yuri Voinov writes:

> Ah,
>
> this is antique 3.3.. (facepalm)
>

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io



Re: [squid-users] Error accessing the 403 page

2016-01-01 Thread Alex Samad
On 2 January 2016 at 09:22, Amos Jeffries  wrote:
> On 2016-01-01 23:28, Alex Samad wrote:
>>
>> Hi
>>
>> I installed 3.5.12 and when I try to get to a page that is blocked, I
>> used to get a message page that said contact the admin person.
>>
>> trying to get to
>> http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png
>>
>>
>> This is part of the error generated
>> The following error was encountered while trying to retrieve the URL:
>> http://alcdmz1:3128/squid-internal-static/icons/SN.png
>>
>> alcdmz1 is the proxy server
>>
>> I seem to have blocked access to all error messages. Not sure how, as
>> I haven't made any changes except upgrading to .12 from .11
>
>
> We fixed the Host header output on CONNECT requests to cache_peer between
> those versions. That is likely the reason it has started being visible.

Sorry not sure how that is related to this.

>
> The above URL is just an icon being served up by your Squid as part of the
> page display. The main error page text should have been sent as the body of
> the original 403 message itself.
>

agree

> Your http_access rules are the things rejecting it. Note that it contains
> the squid listening domain:port (alcdmz1:3128 or bcp.crwdcntrl.net:80) which
> your proxy machine is configured to announce publicly as its contain domain
> / FQDN.
>

The original url was bcp.crwdcntrl.net:80, the page I got back
included the text
http://alcdmz1:3128/squid-internal-static/icons/SN.png


> The squid service needs to be publicly accessible at that domain:port that
> it is advertising as its public FQDN for this icon request to succeed. That
> means making the server hostname, or visible_hostname something that clients
> can access directly - and unique_hostname the private internal name the
> Squid instance uses to distinguish itself from other peers on the proxy
> farm.

so they can connect to alcdmz1:3128



conf
auth_param negotiate program /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 20 startup=0 idle=3
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --configfile
/etc/samba/smb.conf-squid
auth_param ntlm children 20 startup=0 idle=3
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --configfile
/etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
acl localnet src 10.3.8.0/24
acl localnet_auth src 10.1.0.0/14
acl localnet_auth src 10.2.0.0/16
acl localnet_auth src 10.2.2.1/32
acl localnet_guest src 10.1.22.0/24
acl localnet_appproxy src 10.172.23.3/32
acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
acl FTP proto FTP
acl DMZSRV src 10.3.2.110
acl DMZSRV src 10.3.2.111
always_direct allow FTP
always_direct allow DMZSRV
ftp_passive off
ftp_epsv_all off
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl icp_allowed src 10.3.2.110/32
acl icp_allowed src 10.3.2.111/32
acl icp_allowed src 10.172.23.0/32
acl icp_allowed src 10.172.23.4/32
http_access allow manager localhost
http_access allow manager icp_allowed
http_access deny manager
http_access allow icp_allowed
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localnet_appproxy
http_access deny !localnet_auth
http_access allow localnet_guest sblYBOveride
http_access deny localnet_guest sblMal
http_access deny localnet_guest sblPorn
http_access allow localnet_guest
http_access allow nonAuthSrc
http_access allow nonAuthDom
http_access allow sblYBOveride FTP
http_access allow sblYBOveride AuthorizedUsers
http_access deny sblMal
http_access deny sblPorn
http_access allow FTP
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 8080
cache_mem 40960 MB
cache_mgr operations.mana...@abc.com
cache_dir aufs /var/spool/squid 55 16 256
coredump_dir /var/spool/squid
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
refresh_pattern -i
microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
43200 reload-into-ims
refresh_pattern -i
windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320
80% 43200 reload-into-ims
refresh_pattern -i
windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
43200 reload-into-ims
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
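Amos's reading of this http_access list elsewhere in the thread (Safe_ports lacks 3128, so the icon URL is caught by `deny !Safe_ports`, and the localnet_auth subnets overlap) can be checked with a small model of Squid's first-match rule evaluation. This is an added Python example, not Squid code or anything from the thread; the client address 10.3.8.20 and the path-prefix test standing in for the built-in manager ACL are assumptions.

```python
"""Toy model of Squid's http_access evaluation: the first matching line
wins, every ACL named on a line must match, and '!' negates an ACL.
Added to illustrate the posted config; it is not Squid code and models
only the ACL types (src, port, method) the relevant lines use."""
import ipaddress


class SquidModel:
    def __init__(self):
        self.acls = {}      # name -> (type, [values])
        self.rules = []     # list of (action, [terms]) in squid.conf order

    def acl(self, name, typ, *values):
        self.acls.setdefault(name, (typ, []))[1].extend(values)

    def http_access(self, action, *terms):
        self.rules.append((action, list(terms)))

    def _match(self, name, req):
        # Built-in ACLs; 'manager' is simplified to a path-prefix test (assumption).
        if name == "all":
            return True
        if name == "localhost":
            return ipaddress.ip_address(req["src"]).is_loopback
        if name == "manager":
            return req["path"].startswith("/squid-internal-mgr/")
        typ, values = self.acls[name]
        if typ == "src":
            ip = ipaddress.ip_address(req["src"])
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if typ == "port":
            return req["port"] in [int(v) for v in values]
        if typ == "method":
            return req["method"] in values
        raise ValueError("unsupported acl type: " + typ)

    def evaluate(self, req):
        """Return (action, line number) of the first http_access line whose
        ACLs all match; with no match Squid does the opposite of the last line."""
        for lineno, (action, terms) in enumerate(self.rules, 1):
            if all(self._match(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action, lineno
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), None


def redundant_networks(model, acl_name):
    """src ACL entries that lie inside another entry of the same ACL, which
    is the '10.1.0.0/14 already matches all of 10.2.*.*' remark in the thread."""
    nets = [ipaddress.ip_network(v, strict=False) for v in model.acls[acl_name][1]]
    return [str(a) for a in nets if any(a != b and a.subnet_of(b) for b in nets)]


def build(safe_ports):
    """The src/port/method ACLs and the http_access lines from the posted
    config, up to the point where a plain GET from the LAN is decided;
    the Safe_ports list is the one thing the caller varies."""
    m = SquidModel()
    m.acl("localnet", "src", "10.3.8.0/24")
    m.acl("localnet_auth", "src", "10.1.0.0/14", "10.2.0.0/16", "10.2.2.1/32")
    m.acl("SSL_ports", "port", 443)
    m.acl("Safe_ports", "port", *safe_ports)
    m.acl("CONNECT", "method", "CONNECT")
    m.acl("icp_allowed", "src", "10.3.2.110", "10.3.2.111", "10.172.23.0", "10.172.23.4")
    m.http_access("allow", "manager", "localhost")
    m.http_access("allow", "manager", "icp_allowed")
    m.http_access("deny", "manager")
    m.http_access("allow", "icp_allowed")
    m.http_access("deny", "!Safe_ports")
    m.http_access("deny", "CONNECT", "!SSL_ports")
    m.http_access("allow", "localnet")
    m.http_access("allow", "localhost")
    m.http_access("deny", "all")
    return m


# Constructed request: a client on localnet fetching the error-page icon that
# Squid links as http://alcdmz1:3128/squid-internal-static/icons/SN.png
ICON_REQ = {"src": "10.3.8.20", "port": 3128, "method": "GET",
            "path": "/squid-internal-static/icons/SN.png"}


def icon_decision(safe_ports):
    """Which http_access line decides the icon request for a given Safe_ports."""
    return build(safe_ports).evaluate(ICON_REQ)


if __name__ == "__main__":
    print("posted Safe_ports (80 21 443):", icon_decision([80, 21, 443]))
    print("with 3128 added as well:     ", icon_decision([80, 21, 443, 3128]))
    print("redundant localnet_auth nets:",
          redundant_networks(build([80, 21, 443]), "localnet_auth"))
```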

[squid-users] Error accessing the 403 page

2016-01-01 Thread Alex Samad
Hi

I installed 3.5.12 and when I try to get to a page that is blocked, I
used to get a message page that said contact the admin person.

trying to get to
http://bcp.crwdcntrl.net/squid-internal-static/icons/SN.png


This is part of the error generated
The following error was encountered while trying to retrieve the URL:
http://alcdmz1:3128/squid-internal-static/icons/SN.png

alcdmz1 is the proxy server

I seem to have blocked access to all error messages. Not sure how, as
I haven't made any changes except upgrading to .12 from .11
A


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Antony Stone
On Friday 01 January 2016 at 14:21:38, Billy.Zheng(zw963) wrote:

> $ squid -v
> Squid Cache: Version 3.3.8
> configure options:  

> '--enable-eui'

That will do MAC address matching for you.

Please describe the network setup :)


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Yuri Voinov

Ah,

this is antique 3.3.. (facepalm)

01.01.16 19:24, Antony Stone wrote:
> On Friday 01 January 2016 at 14:21:38, Billy.Zheng(zw963) wrote:
>
>> $ squid -v
>> Squid Cache: Version 3.3.8
>> configure options: 
>
>> '--enable-eui'
>
> That will do MAC address matching for you.
>
> Please describe the network setup :)
>
>
> Antony.
>




Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Matus UHLAR - fantomas

On 01.01.16 20:50, Billy.Zheng(zw963) wrote:
> Hi all, I deployed a new Squid server on my VPS server.
> And I set a Squid MAC address ACL, like the following:
>
> it seems like:
>
> acl advance_users arp ??:??:??:??:??:??
> http_access allow advance_users
>
>
> But it does not work; the allow seems never to match.
>
> So I want to get the MAC address Squid can see. What should I do?


Are those clients on exactly the same internal network as you?
Because behind a router or a bridge you won't see their MAC address anymore.
Note that this is a network design issue, not a bug or a flaw.

I'm afraid that VPS server already might do the bridging.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
2B|!2B, that's a question!


[squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread zw963
Hi all, I deployed a new Squid server on my VPS server.
And I set a Squid MAC address ACL, like the following:

it seems like:
>> acl advance_users arp ??:??:??:??:??:??
>> http_access allow advance_users

But it does not work; the allow seems never to match.

So I want to get the MAC address Squid can see. What should I do?

Thanks.
-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io



Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Yuri Voinov

Did you build your squid with MAC acl support?

I.e., --enable-arp-acl ?

01.01.16 18:50, Billy.Zheng (zw963) wrote:
> Hi all, I deployed a new Squid server on my VPS server.
> And I set a Squid MAC address ACL, like the following:
>
> it seems like:
>>> acl advance_users arp ??:??:??:??:??:??
>>> http_access allow advance_users
>
> But it does not work; the allow seems never to match.
>
> So I want to get the MAC address Squid can see. What should I do?
>
> Thanks.




Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Antony Stone
On Friday 01 January 2016 at 13:50:20, Billy.Zheng(zw963) wrote:

> Hi all, I deployed a new Squid server on my VPS server.
> And I set a Squid MAC address ACL, like the following:
> 
> it seems like:
> >> acl advance_users arp ??:??:??:??:??:??
> >> http_access allow advance_users
> 
> But it does not work; the allow seems never to match.

Please describe your network setup - specifically, what's the (client-facing) 
IP address of your Squid server, and what's the network range for your client 
machines?


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread zw963
I don't know; I just use the CentOS 7 yum packages.

I tried to get the version, which shows me the following message:

$ squid -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--disable-strict-error-checking' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
 '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos' 
'--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
 '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' 
'--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 
-mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 
-mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

I do not see any --enable-arp-acl in this output.

Thanks.

Yuri Voinov writes:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>  
> Did you build your Squid with MAC ACL support?
>
> I.e., --enable-arp-acl?
>
> 01.01.16 18:50, Billy.Zheng (zw963) writes:
>> Hi, all, I deploy a new Squid Server in my VPS server.
>> And I set a Squid MAC address ACL, like the following:
>>
>> It seems like:
>>> acl advance_users arp ??:??:??:??:??:??
>>> http_access allow advance_users
>>
>> But it does not work. The allow seems to never match.
>>
>> So, I want to get the MAC address Squid can see. What should I do?
>>
>> Thanks.
>

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io



Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Antony Stone
On Friday 01 January 2016 at 16:03:00, Billy.Zheng(zw963) wrote:

> My config is a little longer, but it has worked fine in recent months.

Please:

1. Describe your network setup - specifically:
 - what is the client-facing IP address of your Squid server?
 - what network range are the clients in?

2. Post your squid.conf without comments or blank lines.

Partial information will almost certainly result in partial assistance from 
the list (not deliberately, just because we don't know enough to help as much 
as we might).


Thanks,


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Host header forgery policy in service provider environment

2016-01-01 Thread garryd

On 2015-12-31 13:31, Amos Jeffries wrote:

On 2015-12-31 00:01, Garri Djavadyan wrote:

Hello Squid members and developers!

First of all, I wish you a Happy New Year 2016!

The current Host header forgery policy effectively prevents cache
poisoning. But also, I noticed, it deletes an earlier verified cached
object. Is it possible to implement a more careful algorithm as an
option? For example, if Squid did not delete an earlier successfully
verified and valid cached object and served the forged request from the
cache, it would be more effective and at the same time secure behavior.



This seems to be describing 



So far we don't have a solution. Patches very welcome.

Amos


Amos, thank you very much, bug 
 exactly the same 
problem I encountered! I've tested the proposed patch and updated the 
bug report.


Kind Regards,
Garri
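The check Garri is describing, as an added example written for this page (it is a model, not Squid's own code): an intercepting proxy only gets the destination IP from the TCP connection and a Host header from the client, and the two may disagree. The example resolves the Host name through a constructed in-memory DNS table, treats a request as forged when the intercepted destination is not one of the Host's addresses, and shows the two policies side by side: the one the thread complains about (a forged request also purges the earlier verified copy) and the proposed one (the verified copy stays and is served, the forged target is never cached). All hostnames, addresses and the origin stand-in are constructed.

```python
"""Added example (not Squid code): Host-header forgery check for an
intercepting proxy, with two cache policies for the forged case."""

# Constructed DNS view from the proxy host: hostname -> set of addresses.
DNS = {
    "www.example.com": {"198.51.100.10", "198.51.100.11"},
    "cdn.example.net": {"203.0.113.50"},
}


def resolve(host):
    return DNS.get(host.lower(), set())


def host_is_verified(host, dst_ip):
    """The Host header is trustworthy only if the name resolves to the IP
    the client actually connected to (the intercepted TCP destination)."""
    return dst_ip in resolve(host)


class Cache:
    def __init__(self):
        self.store = {}  # url -> body; only ever filled from verified requests

    def get(self, url):
        return self.store.get(url)

    def put(self, url, body):
        self.store[url] = body

    def purge(self, url):
        self.store.pop(url, None)


def handle(cache, host, path, dst_ip, origin_fetch, purge_on_forgery):
    """Serve one intercepted request.

    Returns (source, body); source is 'cache', 'origin' or 'origin-uncached'.
    purge_on_forgery=True mimics the behaviour the thread complains about:
    a forged request also drops the earlier verified cached copy.
    """
    url = "http://%s%s" % (host, path)
    if host_is_verified(host, dst_ip):
        body = cache.get(url)
        if body is not None:
            return "cache", body
        body = origin_fetch(dst_ip, host, path)
        cache.put(url, body)  # safe: Host matched the real destination
        return "origin", body

    # Forgery: the Host name does not belong to the IP the client chose.
    # Never store this reply under the Host name, because the bytes come
    # from an address the client picked, not from the named site.
    if purge_on_forgery:
        cache.purge(url)
    else:
        cached = cache.get(url)
        if cached is not None:
            # Proposed alternative: the earlier *verified* copy is still
            # good, so answer from it rather than from the forged target.
            return "cache", cached
    return "origin-uncached", origin_fetch(dst_ip, host, path)


def fake_origin(dst_ip, host, path):
    """Constructed origin: the reply depends on which IP was contacted."""
    return "body from %s for %s%s" % (dst_ip, host, path)


def scenario(purge_on_forgery):
    """A legitimate client fills the cache, an attacker then sends the same
    URL with a forged Host, and a second legitimate client follows."""
    cache = Cache()
    first = handle(cache, "www.example.com", "/index.html", "198.51.100.10",
                   fake_origin, purge_on_forgery)
    forged = handle(cache, "www.example.com", "/index.html", "192.0.2.66",
                    fake_origin, purge_on_forgery)
    after = handle(cache, "www.example.com", "/index.html", "198.51.100.11",
                   fake_origin, purge_on_forgery)
    return first, forged, after


if __name__ == "__main__":
    for policy in (True, False):
        print("purge_on_forgery=%s" % policy, scenario(policy))
```

In both policies the attacker's bytes never enter the cache, which is the property that matters; the difference is only whether the forged request also costs the legitimate users their cached copy.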


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-01 Thread Matus UHLAR - fantomas

On 01.01.16 20:50, Billy.Zheng(zw963) wrote:
>Hi, all, I deploy a new Squid Server in my VPS server.
>And I set a Squid MAC address ACL, like the following:


On 01.01.16 16:00, Antony Stone wrote:

This is also my suspicion - hence the request for the network layout...


I just asked directly to avoid speculations and solving the problem on the
wrong sides.


(Although, are you sure that a bridge hides MAC addresses?  I thought they
passed ethernet frames from side to side as-is...)


Some of them might. It's better to avoid this possibility directly at the
beginning.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".
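Why the list keeps asking for the network layout, as an added example (not from the thread and not Squid code): Squid's arp ACL is resolved from the proxy host's own neighbour (ARP) table, so a client only has a MAC there if it sits on the same Ethernet segment as the proxy. A client reached through a router, which is every Internet client of a Squid running on a VPS, shows up with the router's MAC or with no entry at all, and the ACL can never match. The script below parses a constructed sample of `ip -4 neigh show` output, checks whether a client address is on-link relative to constructed proxy interface addresses, and reports the MAC an arp ACL could match or the reason there is none. Interface addresses, the neighbour table and the client IPs are all constructed; `run_ip_neigh` is for a live Linux host.

```python
"""Added example (not Squid code): find the MAC address the proxy host can
see for a client, and explain why off-link clients have none."""
import ipaddress
import re
import subprocess

# Constructed sample of `ip -4 neigh show` on the proxy host.
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 STALE
192.0.2.20 dev eth0 FAILED
"""

# Constructed client-facing interface addresses of the proxy.
PROXY_INTERFACES = ["192.0.2.5/24"]

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh_table(text):
    """Parse `ip neigh show` output into {ip: (mac or None, state)}."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip lines in a format we do not understand
        mac = m.group("mac").lower() if m.group("mac") else None
        table[m.group("ip")] = (mac, m.group("state").upper())
    return table


def is_on_link(client_ip, interfaces=PROXY_INTERFACES):
    """True if client_ip lies in a subnet directly attached to the proxy."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_interface(i).network for i in interfaces)


def mac_seen_by_proxy(client_ip, neigh_text=SAMPLE_NEIGH,
                      interfaces=PROXY_INTERFACES):
    """Return (mac, reason): the MAC an arp ACL could match, or None."""
    if not is_on_link(client_ip, interfaces):
        # Frames from a routed client carry the last router's MAC, not the
        # client's, so no arp ACL entry for the client can ever match.
        return None, "client is behind a router; its MAC never reaches the proxy"
    entry = parse_neigh_table(neigh_text).get(client_ip)
    if entry is None:
        return None, "no neighbour entry yet; client has not talked to the proxy"
    mac, state = entry
    if mac is None or state == "FAILED":
        return None, "neighbour entry has no link-layer address (state %s)" % state
    return mac, "on-link; usable as 'acl name arp %s'" % mac


def run_ip_neigh():
    """Live lookup on a Linux proxy host (not used by the offline sample)."""
    return subprocess.run(["ip", "-4", "neigh", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "203.0.113.7"):
        print(client, mac_seen_by_proxy(client))
```

Two notes on the build output posted earlier in the thread: in Squid 3.2 and later the configure option for MAC ACLs is `--enable-eui`, which that CentOS package does carry, `--enable-arp-acl` being the older name; and a Squid built that way can log the address it actually sees for each client with the `%>eui` logformat code, which is the most direct answer to "what MAC does Squid see".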


Re: [squid-users] Squid proxy removing Transfer-Encoding header

2016-01-01 Thread Alex Rousskov
On 12/31/2015 08:52 AM, aashima madaan wrote:

> So in my case, I figured out that when Squid receives the request header
> "Connection: close", it strips the Transfer-Encoding header from the
> response. But if it does not receive a Connection header it will send back
> the TE header.

You are either asking irrelevant questions or you are not providing
enough context to receive relevant answers. Try focusing on the
higher-level problem first, and use this mailing list to guide you from
that problem to the right set of the lower-level symptoms as needed.


> So I am left with 2 questions now.
> - Why does Squid behave like that?
> - Second, in my case HAProxy is sending those headers to Squid.
> Since Connection is also a hop-by-hop header, why is HAProxy adding that
> header to the request headers?

The short answer to both questions is "this is how HTTP or HTTP agents
work". This answer does not help you, of course. You need to either
study HTTP RFCs (a lot of work!) or ask a higher-level question to get
useful answers. What problem are you trying to fix?


Good luck,

Alex.


> On Wed, Dec 30, 2015 at 4:36 PM, Alex Rousskov wrote:
> 
> On 12/30/2015 02:24 PM, Aashima wrote:
> 
> > So it is like client -> Squid -> APP and return.
> > If the App returns a Transfer-Encoding header to Squid, Squid removes that
> > response header and forwards the rest to the Client.
> >
> > I am not getting why it is removing that header. Couldn't find any posts
> > on any discussion group or blog either.
> 
> Transfer-Encoding is a standard HTTP hop-by-hop header. Hop-by-hop
> headers are meant for the immediate recipient (Squid in your case),
> rather than the final or "end" recipient (Client in your case). Squid
> must not forward hop-by-hop headers (but may add them as needed, which
> may look like forwarding to an outside observer).
> 
> If you describe the actual problem you are having (in addition to this
> technical detail), somebody on this list might be able to guide you
> towards a solution.
> 
> 
> Good luck,
> 
> Alex.
> 
> 
> 
> 
> -- 
> Aashima Madaan

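What Alex describes, as an added example (written for this page, not Squid's code and not HAProxy's): an intermediary removes the hop-by-hop headers before forwarding, both the fixed set (Connection, Transfer-Encoding, Keep-Alive, Upgrade, TE, Trailer, Proxy-Authenticate, Proxy-Authorization) and any header the Connection field names for this hop. Because Transfer-Encoding is gone, the proxy owns the body framing on the next hop: it decodes a chunked body and re-frames it with its own Content-Length. The response headers, the chunked body and the header name `X-Backend-Id` are constructed sample input.

```python
"""Added example (not Squid code): strip hop-by-hop headers and re-frame the
body before forwarding, as an HTTP intermediary must."""

# Hop-by-hop regardless of what the Connection header says.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed response as received from the application server.
SAMPLE_RESPONSE_HEADERS = (
    "Content-Type: text/plain\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: close, X-Backend-Id\r\n"
    "X-Backend-Id: app-3\r\n"
    "Cache-Control: max-age=60\r\n"
)
SAMPLE_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"


def parse_headers(raw):
    """Parse a CRLF-separated header block into a list of (name, value)."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def connection_tokens(headers):
    """Header names nominated as hop-by-hop by the Connection field."""
    toks = set()
    for name, value in headers:
        if name.lower() == "connection":
            toks.update(t.strip().lower() for t in value.split(",") if t.strip())
    return toks


def strip_hop_by_hop(headers):
    """Keep only end-to-end headers, i.e. what may be forwarded."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return [(n, v) for n, v in headers if n.lower() not in drop]


def dechunk(body):
    """Decode a chunked body into the raw payload; raises on malformed input."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break  # last chunk; trailers (if any) are ignored here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += 2
    return bytes(out)


def prepare_for_next_hop(raw_headers, body):
    """Return (headers, body) as they should be sent to the next hop."""
    headers = parse_headers(raw_headers)
    te = [v.lower() for n, v in headers if n.lower() == "transfer-encoding"]
    kept = strip_hop_by_hop(headers)
    if any("chunked" in v for v in te):
        body = dechunk(body)
    # Re-frame with a single Content-Length: the next hop must never see a
    # message carrying two framings (TE and Content-Length at once).
    kept = [(n, v) for n, v in kept if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body))))
    return kept, body


if __name__ == "__main__":
    hdrs, payload = prepare_for_next_hop(SAMPLE_RESPONSE_HEADERS, SAMPLE_BODY)
    for n, v in hdrs:
        print("%s: %s" % (n, v))
    print()
    print(payload.decode())
```

The reason to take framing seriously rather than just dropping the header: a proxy that forwarded Transfer-Encoding untouched while also adding its own Content-Length would emit a message with two framings, which is exactly the ambiguity request-smuggling attacks exploit. A real proxy may re-chunk instead of buffering, but it must do one or the other itself.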