Re: [squid-users] Bizarrely slow, timing out DNS only via Squid :D

2016-03-02 Thread Eliezer Croitoru

Well, what I can see is that there are a couple of query IDs, and the issues are:
0x8528: timeout
0x69c2: timeout

but I am pretty sure that the DNS server that the query is against is:
192.231.203.132:53

So the first thing is to find out what DNS servers are defined inside 
squid.conf.

If you don't have any, then look at /etc/resolv.conf.

You should have there a list of servers that you should run the dig -x 
command against and see how every one of them responds.

From Squid's point of view the issues are probably:
- network routing or firewall level issues (another middle machine or 
local settings)

- buggy, faulty or wrongly-configured DNS server

The main reason that Squid does the PTR lookup and other queries is 
that these are required.


If you want to start from the bottom up you can try another thing:
use the dns_nameservers squid.conf option [ 
http://www.squid-cache.org/Doc/config/dns_nameservers/ ] with the local 
DNS that worked fast for dig and nslookup (192.231.203.3), and use only this one.

It should be:
dns_nameservers 192.231.203.3

You can run a couple of trials against public DNS services like 
opendns\google or any other that is mentioned at: 
http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm


Also try to contact an HTTP service with an IP such as 
ngtech.co.il|84.95.212.160 (which will be a good test against a server 
that has only an IPv4 address).


If after all the above something is weird, I would suggest that you run 
Squid for a second with the default squid.conf (if you are using Debian 
then you will need to remove a couple of "#" for the localnet ACLs).


You should know that there are cases in which a couple of DNS services just 
stop responding to DNS queries, which looks like what you see if it 
worked before.


Eliezer

On 03/03/2016 09:08, Dan Charlesworth wrote:

On 03/03/2016 07:39, Dan Charlesworth wrote:

Right now we have 1 squid box (out of a lot), running 3.5.13, which does 
something like this for every request, taking about 10 seconds:

2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1794) idnsPTRLookup: 
idnsPTRLookup: buf is 43 bytes for 10.100.128.1, id = 0x733a
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1745) idnsALookup: 
idnsALookup: buf is 29 bytes for httpbin.org, id = 0x8528
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1683) 
idnsSendSlaveQuery: buf is 29 bytes for httpbin.org, id = 0x69c2
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1277) idnsRead: 
idnsRead: starting with FD 7
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1323) idnsRead: 
idnsRead: FD 7: received 93 bytes from 192.231.203.132:53
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x733a, -3 answers
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1195) idnsGrokReply: 
idnsGrokReply: error Name Error: The domain name does not exist. (3)
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns0 QID 0x69c2: timeout
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1277) idnsRead: 
idnsRead: starting with FD 7
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1323) idnsRead: 
idnsRead: FD 7: received 110 bytes from 172.16.100.4:53
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x69c2, 0 answers
2016/03/03 16:30:58.885 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1277) idnsRead: 
idnsRead: starting with FD 7
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1323) idnsRead: 
idnsRead: FD 7: received 246 bytes from 172.16.100.5:53
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x8528, 1 answers



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
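
The reading of the log above (which query IDs time out, and which nameserver each reply comes from) can be done mechanically; the script below is an added example, not part of the original thread or of Squid. It parses the section 78,3 lines quoted above after undoing the mail wrapping; the function names and summary fields are this example's own, and it assumes each idnsGrokReply line belongs to the idnsRead source logged just before it, as in that excerpt.

```python
import re
from datetime import datetime

# Sample input: section 78,3 cache.log lines copied from the thread, still
# wrapped as the mail client wrapped them (the three "starting with FD 7"
# lines are left out to keep the sample short).
SAMPLE_LOG = """\
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1794) idnsPTRLookup:
idnsPTRLookup: buf is 43 bytes for 10.100.128.1, id = 0x733a
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1745) idnsALookup:
idnsALookup: buf is 29 bytes for httpbin.org, id = 0x8528
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1683)
idnsSendSlaveQuery: buf is 29 bytes for httpbin.org, id = 0x69c2
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1323) idnsRead:
idnsRead: FD 7: received 93 bytes from 192.231.203.132:53
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply:
idnsGrokReply: QID 0x733a, -3 answers
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1195) idnsGrokReply:
idnsGrokReply: error Name Error: The domain name does not exist. (3)
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue:
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue:
idnsCheckQueue: ID dns0 QID 0x69c2: timeout
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1323) idnsRead:
idnsRead: FD 7: received 110 bytes from 172.16.100.4:53
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply:
idnsGrokReply: QID 0x69c2, 0 answers
2016/03/03 16:30:58.885 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue:
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1323) idnsRead:
idnsRead: FD 7: received 246 bytes from 172.16.100.5:53
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply:
idnsGrokReply: QID 0x8528, 1 answers
"""

STAMP = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) kid\d+\| 78,\d+\| "
                   r"dns_internal\.cc\(\d+\) (\w+): (.*)$")
SENT = re.compile(r"buf is \d+ bytes for (\S+), id = (0x[0-9a-f]+)")
RECV = re.compile(r"received \d+ bytes from (\S+)")
REPLY = re.compile(r"QID (0x[0-9a-f]+), (-?\d+) answers")
TIMEOUT = re.compile(r"QID (0x[0-9a-f]+): timeout")


def unwrap(text):
    """Re-join records that a mail client wrapped: a line that does not start
    with a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"\d{4}/\d\d/\d\d ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def correlate(text):
    """Return {qid: info}, tying each internal-DNS query to its timeouts and
    to the nameserver whose reply finally matched it."""
    queries, last_server = {}, None
    for record in unwrap(text):
        m = STAMP.match(record)
        if not m:
            continue  # not a section-78 dns_internal.cc record
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        func, body = m.group(2), m.group(3)
        if (s := SENT.search(body)):
            queries[s.group(2)] = {"name": s.group(1), "sent_by": func, "sent": when,
                                   "timeouts": 0, "server": None,
                                   "answers": None, "seconds": None}
        elif (s := RECV.search(body)):
            last_server = s.group(1)  # source is logged before the QID line
        elif (s := TIMEOUT.search(body)) and s.group(1) in queries:
            queries[s.group(1)]["timeouts"] += 1
        elif (s := REPLY.search(body)) and s.group(1) in queries:
            q = queries[s.group(1)]
            # In this log a negative count is followed by an error line.
            q["server"], q["answers"] = last_server, int(s.group(2))
            q["seconds"] = round((when - q["sent"]).total_seconds(), 3)
    return queries


def servers_seen(text):
    """Nameservers whose replies Squid matched to a query."""
    return sorted({q["server"] for q in correlate(text).values() if q["server"]})


if __name__ == "__main__":
    for qid, q in correlate(SAMPLE_LOG).items():
        print(f'{qid} {q["name"]:<14} timeouts={q["timeouts"]} '
              f'answered_by={q["server"]} after {q["seconds"]}s '
              f'answers={q["answers"]}')
    print("servers that replied:", ", ".join(servers_seen(SAMPLE_LOG)))
```

Comparing the servers it lists with the SERVER line of a dig run on the same box shows whether Squid and dig are asking the same resolver.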


Re: [squid-users] Squidclient making request

2016-03-02 Thread John Pearson
Thanks Amos! It works.

New problem:
I am checking whether a url (object) is cached or not by using:

squidclient -p 3129 $url | fgrep X-Cache

I am getting a lot of messy code and when I quit (CTRL-C), squid logs are
showing TCP_HIT_ABORTED.

How can I not get the messy code and just get the result of fgrep?

Thanks

On Wed, Mar 2, 2016 at 1:22 AM, Amos Jeffries  wrote:

> On 2/03/2016 6:05 p.m., John Pearson wrote:
> > Hi,
> >
> > I have squid installed on a machine with two NICs.
> > eth0 - wan
> > eth1 - lan - 10.0.1.1
> >
> > Squid server is running on eth1.
> > I am trying to use the squidclient to fetch a url so that squid will cache
> > it. Like prefetching.
> >
> > Example:
> >
> > squidclient -v -h 10.0.1.1 -p 3128 -m GET http://www.apple.com
> >
>
> Problem #1;
>  you are missing a '/' on the end of the URL. That type of URL is not
> valid in HTTP/1.0. It has only recently become acceptable in HTTP/1.1,
> so not all services support it.
>
>
> > Result
> > ---
> > Request:
> > GET http://www.apple.com HTTP/1.0
> > Host: www.apple.com
> > User-Agent: squidclient/3.5.9
> > Accept: */*
> > Connection: close
> >
> > .
> >
> > 
> >
> > The cursor just blinks below the dot (after "Connection:close". Hard to
> > see) and nothing happens. I have to manually exit.
> >
> > When I exit, squid log shows A LOT of these lines:
> >
> > 10.0.1.1 TCP_MISS_ABORTED/000 0 GET http://www.apple.com - ORIGINAL_DST/
> > 10.0.1.1 -
>
> Problem #2;
>   you are sending the request to an intercept port without having gone
> through the NAT system.
>  If you left it to run, your machine would eventually crash as all
> networking sockets and resources were consumed by the forwarding loop.
>
>
> squidclient needs to use a forward-proxy port to connect to Squid.
> Usually that is 3128, which is the port registered for Squid
> forward-proxy traffic.
>
> Recommended practice is to leave port 3128 for proxy administrative
> access and tools like squidclient. Move the intercept port to another
> random number and firewall it (in iptables with mangle tables rule) to
> prevent anything except NAT'd traffic reaching that random port.
>
> Amos


Re: [squid-users] Bizarrely slow, timing out DNS only via Squid 😖

2016-03-02 Thread Dan Charlesworth
Here we go:

# time dig -x 10.100.128.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6 <<>> -x 10.100.128.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11319
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.128.100.10.in-addr.arpa. IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      SOA     localhost. root.localhost. 1 604800 86400 2419200 86400

;; Query time: 32 msec
;; SERVER: 192.231.203.3#53(192.231.203.3)
;; WHEN: Thu Mar  3 18:07:21 2016
;; MSG SIZE  rcvd: 93

real    0m0.037s
user    0m0.003s
sys     0m0.001s


> On 3 Mar 2016, at 5:44 PM, Eliezer Croitoru  wrote:
> 
> can you try the next command:
> dig -x 10.100.128.1
> 
> Eliezer
> 

Re: [squid-users] Bizarrely slow, timing out DNS only via Squid 😖

2016-03-02 Thread Eliezer Croitoru

can you try the next command:
dig -x 10.100.128.1

Eliezer



Re: [squid-users] Bizarrely slow, timing out DNS only via Squid 😖

2016-03-02 Thread Dan Charlesworth
Like this:

# time nslookup httpbin.org
Server:         192.231.203.3
Address:        192.231.203.3#53

Non-authoritative answer:
Name:   httpbin.org
Address: 54.175.222.246

real    0m0.026s
user    0m0.001s
sys     0m0.004s


# time dig httpbin.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6 <<>> httpbin.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44477
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;httpbin.org.                   IN      A

;; ANSWER SECTION:
httpbin.org.            577     IN      A       54.175.222.246

;; AUTHORITY SECTION:
httpbin.org.            6161    IN      NS      ns-769.awsdns-32.net.
httpbin.org.            6161    IN      NS      ns-1074.awsdns-06.org.
httpbin.org.            6161    IN      NS      ns-410.awsdns-51.com.
httpbin.org.            6161    IN      NS      ns-1756.awsdns-27.co.uk.

;; ADDITIONAL SECTION:
ns-410.awsdns-51.com.   9966    IN      A       205.251.193.154
ns-769.awsdns-32.net.   13639   IN      A       205.251.195.1
ns-1074.awsdns-06.org.  11459   IN      A       205.251.196.50
ns-1756.awsdns-27.co.uk. 11489  IN      A       205.251.198.220

;; Query time: 21 msec
;; SERVER: 192.231.203.3#53(192.231.203.3)
;; WHEN: Thu Mar  3 17:03:04 2016
;; MSG SIZE  rcvd: 246

real    0m0.026s
user    0m0.004s
sys     0m0.001s


> On 3 Mar 2016, at 4:55 PM, Eliezer Croitoru  wrote:
> 
> Hey Dan,
> 
> What dig+nslookup queries did you test for?
> 
> Eliezer
> 


Re: [squid-users] Bizarrely slow, timing out DNS only via Squid 😖

2016-03-02 Thread Eliezer Croitoru

Hey Dan,

What dig+nslookup queries did you test for?

Eliezer



[squid-users] Bizarrely slow, timing out DNS only via Squid 😖

2016-03-02 Thread Dan Charlesworth
Right now we have 1 squid box (out of a lot), running 3.5.13, which does 
something like this for every request, taking about 10 seconds:

2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1794) idnsPTRLookup: 
idnsPTRLookup: buf is 43 bytes for 10.100.128.1, id = 0x733a
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1745) idnsALookup: 
idnsALookup: buf is 29 bytes for httpbin.org, id = 0x8528
2016/03/03 16:30:48.883 kid1| 78,3| dns_internal.cc(1683) 
idnsSendSlaveQuery: buf is 29 bytes for httpbin.org, id = 0x69c2
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1277) idnsRead: idnsRead: 
starting with FD 7
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1323) idnsRead: idnsRead: 
FD 7: received 93 bytes from 192.231.203.132:53
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x733a, -3 answers
2016/03/03 16:30:48.884 kid1| 78,3| dns_internal.cc(1195) idnsGrokReply: 
idnsGrokReply: error Name Error: The domain name does not exist. (3)
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:53.884 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns0 QID 0x69c2: timeout
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1277) idnsRead: idnsRead: 
starting with FD 7
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1323) idnsRead: idnsRead: 
FD 7: received 110 bytes from 172.16.100.4:53
2016/03/03 16:30:53.885 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x69c2, 0 answers
2016/03/03 16:30:58.885 kid1| 78,3| dns_internal.cc(1384) idnsCheckQueue: 
idnsCheckQueue: ID dns8 QID 0x8528: timeout
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1277) idnsRead: idnsRead: 
starting with FD 7
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1323) idnsRead: idnsRead: 
FD 7: received 246 bytes from 172.16.100.5:53
2016/03/03 16:30:58.886 kid1| 78,3| dns_internal.cc(1130) idnsGrokReply: 
idnsGrokReply: QID 0x8528, 1 answers

AND YET, every nslookup or dig done at the command line on the same server is 
lightning fast. I’ve tried local and ISP-level DNS servers and get the same 
result.

What could be going on here? 




Re: [squid-users] Sudden but sustained high bandwidth usage

2016-03-02 Thread Amos Jeffries
On 3/03/2016 10:33 a.m., Heiler Bemerguy wrote:
> 
> Hello guys..
> 
> Thanks for the tips. I've adjusted some stuff here and noticed these
> repeated GETS below.. they are HITS, but why is this happening?

Because lots of clients want the object(s).

If they are HITs then what's the problem? Squid is doing what you asked
it to. Caching the traffic and presenting it whenever a client asks.


Amos



Re: [squid-users] rev 3.5.15

2016-03-02 Thread Amos Jeffries
On 3/03/2016 12:33 a.m., joe wrote:
> 
>>> I don't understand what you are trying to say?
>>> Amos
> 
> you guys had 2 patch for  4447 bug right  the first patch work the one in
> bug report http://bugs.squid-cache.org/show_bug.cgi?id=4447
> 
> so i re download latest patched Squid Cache: Version 3.5.15-20160229-r13997
> 
> and the bug show up in my cache.log again 
> 

Oh. The fixes went in after that rev.

I've just kicked another tarball to be generated. Small issues with the
build system, which has now been fixed.

Amos


Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Eliezer Croitoru

On 02/03/2016 21:33, Yuri Voinov wrote:


Yes, and in some places the law prohibits SSL bump completely

But AFAIK here is technical list, not lawyer, is it?;)


Yuri,

You are right but since some of us do have legal obligations to some 
laws and do not live in a desert on the moon or the sun like Google or 
other services, I do tend to mention this side since it's not obvious 
to everybody.


Also I do understand why Netflix would want to preserve their profits 
and investment in any of their services. Eventually they like many 
others do not like their plate of food being taken while smelling or 
tasting the result of their cooking skills.
There is a saying about eating raw non cooked food which I fully 
understand and this is the same for this scenario. If it was cooked, you 
need to at least say thank you and in many ways the only way to do so is 
by paying a couple of bucks.
The only case which I think that it will be allowed by the cook and the 
owner of the food to be taken is when it will not hurt him or any of 
the related parties life\soul.
Eventually maybe not everybody sees it this way but the possibility of 
pinning a certificate is reserved for anyone that needs to have a basic 
safety-net for his basic needs. The way I see it, the only case that I 
will live in a country that prohibits the use of certificate pinning is 
when this country will provide me the basic safety-net for a way to earn 
my food (and a couple of other basic needs..).


If for example the "lets encrypt" idea\program was designed to give a 
safety-net for many organizations which are fighting to survive in this 
very wide Internet with so many predators within it, then I vote +1 for 
them but if the idea was meant to or will cripple the encryption world I 
would vote -10^100.


So it's not really a lawyer thing but rather a simple understanding of 
this very very beautiful and amazing world.


Eliezer


Re: [squid-users] Sudden but sustained high bandwidth usage

2016-03-02 Thread Heiler Bemerguy


Hello guys..

Thanks for the tips. I've adjusted some stuff here and noticed these 
repeated GETS below.. they are HITS, but why is this happening? lol

I have "range_offset_limit none" for this domain (ws.microsoft.com) and:

refresh_pattern -i (microsoft|windowsupdate)\.com.*\.(cab|exe|ms[i|u|f]|dat|zip|psf|appx|esd) 483840 80% 483840 override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store store-stale

These GETs have a "?" in the end, and some options which aren't logged 
but I tcpdumped it: 
P1=1456938099&P2=1&P3=1&P4=GlQQBGsBJE22%2bm1FQr3q1RnmAb8%3d


Best Regards,

--
Heiler Bemerguy - (91) 98151-4894
Assessor Técnico - CINBESA (91) 3184-1751



1456953828.014  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953828.748  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953829.686  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953830.314  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953830.670  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953831.468  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953832.297  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953833.310  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953833.797  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953834.638  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953835.376  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953835.766  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953836.560  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953837.372  0 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953838.138  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953838.951  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953839.810  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt/2015/07/096c4bbc-4bc2-4ba1-8fd7-2e8cf3fb1937_132a7d6799d3bd625b0e5b375aa13552593bf0ed.appxbundle? 
- HIER_NONE/- application/octet-stream
1456953840.466  1 10.101.1.50 TCP_HIT/206 402 GET 
http://bg.v4.a.dl.ws.microsoft.com/dl/content/d/updt

Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Yuri Voinov

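# Step 1 of the TLS handshake: only the client hello (with SNI) is available
acl GetSNI at_step SslBump1
# Server names that must not be bumped (the app pins its certificates)
acl NoSSLIntercept ssl::server_name netflix.com ntflx.com ntflximg.com ntflxvideo.com
# Peek at step 1 to learn the SNI, splice the listed names, bump the rest
ssl_bump peek GetSNI
ssl_bump splice NoSSLIntercept
ssl_bump bump all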


03.03.16 3:12, Bmahak2005 wrote:
> Ok, I read the doc but I am afraid I do not know where to start.
> I know that Netflix traffic comes from these server domains:
> .netflix.com
> .ntflx.com
> .ntflximg.com
> .ntflxvideo.com
> But how can I set up my config file to just tell squid not to bump
> Netflix traffic? I am not interested in caching it or guarding against it.
> How can I use splice for that?
>
> Sent from my iPhone
>
> On Mar 2, 2016, at 12:48 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
>
>> With peek and splice feature.
>>
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> 03.03.16 2:45, Bmahak2005 wrote:
>>> Thanks for the hint. How can I do that?
>>>
>>> Sent from my iPhone
>>>
>>> On Mar 2, 2016, at 11:09 AM, Yuri Voinov wrote:
>>>
>>>> Nobody can fight SSL pinning in proprietary apps.
>>>>
>>>> The only way I see is to put Netflix under splice ACL and do not do SSL
>>>> bump for all Netflix CDN.
>>>>
>>>> 02.03.16 22:29, bma wrote:
>>>>> I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
>>>>> sslbump for https traffic. The functionality work without any problem i.e. :
>>>>> all traffic from both http and https goes through squid and all internet can
>>>>> be accessed on all devices where certificates are installed. With one
>>>>> exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
>>>>> matter what I do. All other internet services (safari, and other apps) work
>>>>> properly on those devices. And I was able to run Netflix from browser on
>>>>> linux boxes and even OS X safari. The only thing that is not working is
>>>>> Netflix APP on IOS.
>>>>>
>>>>> Of course if I disable sslbump and only allow http to go through squid
>>>>> netflix works. I tried both transparent mode and proxy mode on the iPhone,
>>>>> still not working.
>>>>>
>>>>> Did anyone manage to make Netflix APP on IOS devices work with squid with
>>>>> sslbump enabled ?
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
>>>>> Sent from the Squid - Users mailing list archive at Nabble.com.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
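
What the peek-then-splice rules in the message above decide, as an added example (not part of the original post and not Squid code): a Python example that reads the SNI from a ClientHello, which is the information a step-1 peek provides, and applies the three ssl_bump rules first-match. The ClientHello bytes, the function names and the sample host names are constructed for illustration; the splice list is the dotted form from the question, and dstdomain-style matching (a leading dot also covers subdomains) is an assumption.

```python
import struct

# Domain list from the question in this thread. Assumption: dstdomain-style
# matching, where a leading dot covers the domain and all of its subdomains.
SPLICE_DOMAINS = [".netflix.com", ".ntflx.com", ".ntflximg.com", ".ntflxvideo.com"]


class Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncation."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def remaining(self):
        return len(self.data) - self.pos


def extract_sni(record):
    """Return the SNI host name from a single-record ClientHello, else None."""
    try:
        rec = Reader(record)
        if rec.uint(1) != 0x16:                  # TLS record type: handshake
            return None
        rec.take(2)                              # record-layer version
        hs = Reader(rec.take(rec.uint(2)))
        if hs.uint(1) != 0x01:                   # handshake type: client_hello
            return None
        body = Reader(hs.take(hs.uint(3)))       # fails if hello spans records
        body.take(2 + 32)                        # client_version + random
        body.take(body.uint(1))                  # session_id
        body.take(body.uint(2))                  # cipher_suites
        body.take(body.uint(1))                  # compression_methods
        if not body.remaining():                 # hello without extensions
            return None
        exts = Reader(body.take(body.uint(2)))
        while exts.remaining():
            ext_type = exts.uint(2)
            ext = Reader(exts.take(exts.uint(2)))
            if ext_type != 0:                    # 0 = server_name extension
                continue
            names = Reader(ext.take(ext.uint(2)))
            while names.remaining():
                name_type = names.uint(1)
                name = names.take(names.uint(2))
                if name_type == 0:               # 0 = host_name
                    return name.decode("ascii").lower().rstrip(".")
        return None
    except ValueError:                           # truncated or non-ASCII name
        return None


def server_name_matches(host, patterns):
    """'.example.com' matches the domain and subdomains; 'example.com' is exact."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def ssl_bump_action(step, sni, splice_domains=SPLICE_DOMAINS):
    """First-match evaluation of: peek at step 1, splice listed names, bump all."""
    if step == 1:
        return "peek"                            # ssl_bump peek GetSNI
    if sni is not None and server_name_matches(sni, splice_domains):
        return "splice"                          # ssl_bump splice NoSSLIntercept
    return "bump"                                # ssl_bump bump all


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS ClientHello in one record."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # version, random, no session id
            + struct.pack("!H", 2) + b"\x00\x2f" # one cipher suite
            + b"\x01\x00"                        # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed host names; None models a client that sends no SNI.
    for host in ("api.netflix.com", "www.example.org", None):
        sni = extract_sni(build_client_hello(host))
        print(sni, "->", ssl_bump_action(2, sni))
```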


Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Bmahak2005
Ok, I read the doc but I am afraid I do not know where to start.
I know that Netflix traffic comes from these server domains:
.netflix.com
.ntflx.com
.ntflximg.com
.ntflxvideo.com
But how can I set up my config file to just tell squid not to bump Netflix
traffic? I am not interested in caching it or guarding against it.
How can I use splice for that?

Sent from my iPhone

> On Mar 2, 2016, at 12:48 PM, Yuri Voinov wrote:
>
> With peek and splice feature.
>
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> 03.03.16 2:45, Bmahak2005 wrote:
>> Thanks for the hint. How can I do that?
>>
>> Sent from my iPhone
>>
>> On Mar 2, 2016, at 11:09 AM, Yuri Voinov wrote:
>>
>>> Nobody can fight SSL pinning in proprietary apps.
>>>
>>> The only way I see is to put Netflix under splice ACL and do not do SSL
>>> bump for all Netflix CDN.
>>>
>>> 02.03.16 22:29, bma wrote:
>>>> I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
>>>> sslbump for https traffic. The functionality work without any problem i.e. :
>>>> all traffic from both http and https goes through squid and all internet can
>>>> be accessed on all devices where certificates are installed. With one
>>>> exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
>>>> matter what I do. All other internet services (safari, and other apps) work
>>>> properly on those devices. And I was able to run Netflix from browser on
>>>> linux boxes and even OS X safari. The only thing that is not working is
>>>> Netflix APP on IOS.
>>>>
>>>> Of course if I disable sslbump and only allow http to go through squid
>>>> netflix works. I tried both transparent mode and proxy mode on the iPhone,
>>>> still not working.
>>>>
>>>> Did anyone manage to make Netflix APP on IOS devices work with squid with
>>>> sslbump enabled ?
>>>>
>>>> --
>>>> View this message in context:
>>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
>>>> Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Yuri Voinov

With peek and splice feature.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

03.03.16 2:45, Bmahak2005 wrote:
> Thanks for the hint. How can I do that?
>
> Sent from my iPhone
>
>> On Mar 2, 2016, at 11:09 AM, Yuri Voinov wrote:
>>
>> Nobody can fight SSL pinning in proprietary apps.
>>
>> The only way I see is to put Netflix under splice ACL and do not do SSL
>> bump for all Netflix CDN.
>>
>> 02.03.16 22:29, bma wrote:
>>> I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
>>> sslbump for https traffic. The functionality work without any problem i.e. :
>>> all traffic from both http and https goes through squid and all internet can
>>> be accessed on all devices where certificates are installed. With one
>>> exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
>>> matter what I do. All other internet services (safari, and other apps) work
>>> properly on those devices. And I was able to run Netflix from browser on
>>> linux boxes and even OS X safari. The only thing that is not working is
>>> Netflix APP on IOS.
>>>
>>> Of course if I disable sslbump and only allow http to go through squid
>>> netflix works. I tried both transparent mode and proxy mode on the iPhone,
>>> still not working.
>>>
>>> Did anyone manage to make Netflix APP on IOS devices work with squid with
>>> sslbump enabled ?
>>>
>>> --
>>> View this message in context:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
>>> Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] Youtube wont work on squid

2016-03-02 Thread Baselsayeh
Thanks


Yuri Voinov wrote
> 02.03.16 2:34, Baselsayeh wrote:
>> Yuri Voinov wrote
>>> Did you read
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>>
>>> this first?
>>>
>>> Look once more to examples.
>>>
>>> 02.03.16 2:15, Baselsayeh wrote:
 Yuri Voinov wrote
 Seems to some else misconfiguration in peek-n-splice section.

 Where is your at_step peek definition?

 02.03.16 2:08, Baselsayeh wrote:
>>> Yuri Voinov wrote

 Aha.

 You must know, that stare is client initiated handshake. This is
>>> a bit
 specific option, which is useless in most usecases (IMHO).

 More reliable configuration is peek then bump.

 Did you client (android) contains your cache CA public key?
>>> now new error after changing config to peek then bump
>>>
>>> access.log :  http://pastebin.com/j97k953r
>>> cache.log :  http://pastebin.com/2jF6nqeM
>>>
>>> squid.config :  http://pastebin.com/FDuHtCDD
>>> and now youtube works but when i enter a video it loads for a little bit
>>> then says
>>> "Connection to the server lost"
>>> "tap to retry"
>>>
>>> i tried more than 10 videos and none of them worked
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Youtube-wont-work-on-squid-tp4676349p4676359.html
>>> Sent from the Squid - Users mailing list archive at Nabble.com.
 what do you mean?

 this?

 http_port 3428 intercept
 https_port 3429 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=200MB cert=/home/basel/squid/rootCAcert.pem key=/home/basel/squid/rootCAkey.key
 ssl_bump peek all
 ssl_bump bump all
 sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid/ssl_db/ -M 200MB
 sslcrtd_children 3 startup=1 idle=1




 --
 View this message in context:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Youtube-wont-work-on-squid-tp4676349p4676361.html
 Sent from the Squid - Users mailing list archive at Nabble.com.
>> it works now
>>
>> http_port 3428 intercept
>> https_port 3429 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=200MB cert=/home/basel/squid/rootCAcert.pem key=/home/basel/squid/rootCAkey.key
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> ssl_bump peek step1
>> ssl_bump bump all
>> sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid/ssl_db/ -M 200MB
>> sslcrtd_children 3 startup=1 idle=1
>>
>> is it correct?
> Seems correct.
>>
>> do i need sslproxy_cafile?
> Not in all cases. By default OpenSSL can take its own CA bundle installed
> with it.
>>
>>
>>
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nab

Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Bmahak2005
Thanks for the hint. How can I do that ?


Sent from my iPhone

> On Mar 2, 2016, at 11:09 AM, Yuri Voinov wrote:
>
> Nobody can fight SSL pinning in proprietary apps.
>
> The only way I see is to put Netflix under splice ACL and do not do SSL
> bump for all Netflix CDN.
>
> 02.03.16 22:29, bma wrote:
>> I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
>> sslbump for https traffic. The functionality work without any problem i.e. :
>> all traffic from both http and https goes through squid and all internet can
>> be accessed on all devices where certificates are installed. With one
>> exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
>> matter what I do. All other internet services (safari, and other apps) work
>> properly on those devices. And I was able to run Netflix from browser on
>> linux boxes and even OS X safari. The only thing that is not working is
>> Netflix APP on IOS.
>>
>> Of course if I disable sslbump and only allow http to go through squid
>> netflix works. I tried both transparent mode and proxy mode on the iPhone,
>> still not working.
>>
>> Did anyone manage to make Netflix APP on IOS devices work with squid with
>> sslbump enabled ?
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-02 Thread Baselsayeh
What about B?
Will it forward https to parent proxy perfectly?


Amos Jeffries wrote
> On 2/03/2016 9:48 a.m., Baselsayeh wrote:
>> Yuri Voinov wrote
>> Aha, I'm stupid.
>> 
>>  Squid can't re-crypted peer connections. You need to splice peered
>> URL's before tunnel it into your peer.
>> 
>> 28.02.16 2:07, Baselsayeh wrote:
> No
> What I need i need is
> Get ssl info from browser - squid - upstream proxy - internet
> Using cache_peer
> With ssl_bump
> But for some reason the upstream proxy wont get the https requests
> All I want is https -> sslbump -> upstream proxy via CONNECT request
>
>
>> 
>> the parent proxy don't support anything but a plain Connect method http and (s)
>> 
>> is it possible in squid?
>> 
>> config example?
>> 
> 
> Squid can:
> 
>  A) relay CONNECT message from client to any upstream proxy.
> 
>  B) generate CONNECT message on arriving intercepted HTTPS and relay
> that to upstream proxy *IF* (and only if) ssl_bump selects the 'splice'
> action.
> 
>  C) relay https:// URLs to an upstream TLS proxy.
> 
> 
> That is all at present.
> 
> Squid cannot (yet) generate CONNECT messages to try and fetch TLS
> details via a non-TLS cache_peer. If you are able to sponsor that
> enhancement work patches are welcome, or sponsorship $$ to help pay
> persons working on these things (Christos / measurement-factory) are
> also welcome.
> 
> Amos

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ssl-bump-with-upstream-proxy-tp4676279p4676389.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Yuri Voinov

 and, excluding pinning, all of this is not technical problems.. :)

03.03.16 1:51, Matus UHLAR - fantomas wrote:
>> On 02/03/2016 21:09, Yuri Voinov wrote:
>>> Nobody can fight SSL pinning in proprietary apps.
>>>
>>> The only way I see is to put Netflix under splice ACL and do not do SSL
>>> bump for all Netflix CDN.
>
> On 02.03.16 21:19, Eliezer Croitoru wrote:
>> In some places the law can prohibit the usage of pinned certificates.
>
> and in some places Netflix can refuse to provide services...
>



Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Matus UHLAR - fantomas

> On 02/03/2016 21:09, Yuri Voinov wrote:
>> Nobody can fight SSL pinning in proprietary apps.
>>
>> The only way I see is to put Netflix under splice ACL and do not do SSL
>> bump for all Netflix CDN.

On 02.03.16 21:19, Eliezer Croitoru wrote:
> In some places the law can prohibit the usage of pinned certificates.

and in some places Netflix can refuse to provide services...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Yuri Voinov

Yes, and in some places the law prohibits SSL bump completely

But AFAIK here is technical list, not lawyer, is it? ;)

03.03.16 1:19, Eliezer Croitoru wrote:
> In some places the law can prohibit the usage of pinned certificates.
>
> Eliezer
>
> On 02/03/2016 21:09, Yuri Voinov wrote:
>> Nobody can fight SSL pinning in proprietary apps.
>>
>> The only way I see is to put Netflix under splice ACL and do not do SSL
>> bump for all Netflix CDN.



Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Eliezer Croitoru

In some places the law can prohibit the usage of pinned certificates.

Eliezer

On 02/03/2016 21:09, Yuri Voinov wrote:

> Nobody can fight SSL pinning in proprietary apps.
>
> The only way I see is to put Netflix under splice ACL and do not do SSL
> bump for all Netflix CDN.




Re: [squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread Yuri Voinov

Nobody can fight SSL pinning in proprietary apps.

The only way I see is to put Netflix under splice ACL and do not do SSL
bump for all Netflix CDN.

02.03.16 22:29, bma wrote:
> I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
> sslbump for https traffic. The functionality work without any problem i.e. :
> all traffic from both http and https goes through squid and all internet can
> be accessed on all devices where certificates are installed. With one
> exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
> matter what I do. All other internet services (safari, and other apps) work
> properly on those devices. And I was able to run Netflix from browser on
> linux boxes and even OS X safari. The only thing that is not working is
> Netflix APP on IOS.
>
> Of course if I disable sslbump and only allow http to go through squid
> netflix works. I tried both transparent mode and proxy mode on the iPhone,
> still not working.
>
> Did anyone manage to make Netflix APP on IOS devices work with squid with
> sslbump enabled ?
>
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
> Sent from the Squid - Users mailing list archive at Nabble.com.



[squid-users] squid with sslbump blocking Netflix

2016-03-02 Thread bma
I have installed squid 3.15 on ubuntu 15.10 server. squid was setup with
sslbump for https traffic. The functionality work without any problem i.e. :
all traffic from both http and https goes through squid and all internet can
be accessed on all devices where certificates are installed. With one
exception : 'Netflix APP' no longer works on IOS devices (iPhone, iPad). no
matter what I do. All other internet services (safari, and other apps) work
properly on those devices. And I was able to run Netflix from browser on
linux boxes and even OS X safari. The only thing that is not working is
Netflix APP on IOS. 

Of course if I disable sslbump and only allow http to go through squid
netflix works. I tried both transparent mode and proxy mode on the iPhone,
still not working. 

Did anyone manage to make Netflix APP on IOS devices work with squid with
sslbump enabled ?



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-sslbump-blocking-Netflix-tp4676381.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] rev 3.5.15

2016-03-02 Thread joe
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on second
attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/assets/skins/sam/autocomplete.css'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/assets/skins/sam/calendar.css'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/skins/standard/show_bug.css'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/skins/standard/global.css'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/yahoo-dom-event/yahoo-dom-event.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:18 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/cookie/cookie-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:18 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/datasource/datasource-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/connection/connection-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/json/json-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/autocomplete/autocomplete-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/global.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/yui/calendar/calendar-min.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/util.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/field.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:48:19 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://extention-file.squid.internal.bugs.squid-cache.org/js/comments.js'
'accept-encoding="gzip,%20deflate,%20sdch"'
2016/03/02 16:48:19 kid1| clientProcessHit: Vary object loop!
2016/03/02 16:53:28 kid1| varyEvaluateMatch: Oops. Not a Vary match on
second attempt,
'http://image3.putlocker.is/images/covers/renegade-girl-online-free-putlocker.jpg'
'accept-encoding="gzip,%20deflate"'
2016/03/02 16:53:28 kid1| clientProcessHit: Vary object loop!
2016/03/02 17:01:52 kid1| assertion failed: FwdState.cc:447:
"serverConnection() == conn"
2016/03/02 17:01:56 kid1| Set Current Directory to /var/cache/squid
2016/03/02 17:01:56 kid1| Starting Squid Cache version
3.5.15-20160229-r13997 for x86_64-unknown-linux-gnu...
2016/03/02 17:01:56 kid1| Service Name: squid




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/rev-3-5-15-tp4676243p4676380.html
Sent from the Squid - Users mailing list archive at Nabble.com.
__

Re: [squid-users] rev 3.5.15

2016-03-02 Thread joe

>>I dont understand what you are trying to say?
>>Amos

You guys had 2 patches for bug 4447, right? The first patch, the one in the
bug report http://bugs.squid-cache.org/show_bug.cgi?id=4447, worked.

So I re-downloaded the latest patched Squid Cache: Version 3.5.15-20160229-r13997

and the bug shows up in my cache.log again.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/rev-3-5-15-tp4676243p4676379.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Youtube wont work on squid

2016-03-02 Thread Jorgeley Junior
I'm not sure if this can solve the problem, but, in my squid.conf I deny
youtube to cache using "cache_deny"

2016-03-02 3:04 GMT-03:00 Yuri Voinov :

>
>
> 02.03.16 2:34, Baselsayeh wrote:
>> Yuri Voinov wrote
>>> Did you read
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>> this first?
>>>
>>> Look once more to examples.
>>>
>>> 02.03.16 2:15, Baselsayeh wrote:
>>>> Yuri Voinov wrote
>>>>> Seems to some else misconfiguration in peek-n-splice section.
>>>>>
>>>>> Where is your at_step peek definition?
>>>>>
>>>>> 02.03.16 2:08, Baselsayeh wrote:
>>>>>> Yuri Voinov wrote
>>>>>>> Aha.
>>>>>>>
>>>>>>> You must know, that stare is client initiated handshake. This is a bit
>>>>>>> specific option, which is useless in most usecases (IMHO).
>>>>>>>
>>>>>>> More reliable configuration is peek then bump.
>>>>>>>
>>>>>>> Did you client (android) contains your cache CA public key?
>>>>>>
>>>>>> now new error after changing config to peek then bump
>>>>>>
>>>>>> access.log :  http://pastebin.com/j97k953r
>>>>>> cache.log :  http://pastebin.com/2jF6nqeM
>>>>>> squid.config :  http://pastebin.com/FDuHtCDD
>>>>>>
>>>>>> and now youtube works but when i enter a video it loads for a little bit
>>>>>> then says
>>>>>> "Connection to the server lost"
>>>>>> "tap to retry"
>>>>>>
>>>>>> i tried more than 10 videos and none of them worked
>>>>
>>>> what do you mean?
>>>>
>>>> this?
>>>>
>>>> http_port 3428 intercept
>>>> https_port 3429 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=200MB cert=/home/basel/squid/rootCAcert.pem key=/home/basel/squid/rootCAkey.key
>>>> ssl_bump peek all
>>>> ssl_bump bump all
>>>> sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid/ssl_db/ -M 200MB
>>>> sslcrtd_children 3 startup=1 idle=1
>>
>> it works now
>>
>> http_port 3428 intercept
>> https_port 3429 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=200MB cert=/home/basel/squid/rootCAcert.pem key=/home/basel/squid/rootCAkey.key
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> ssl_bump peek step1
>> ssl_bump bump all
>> sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid/ssl_db/ -M 200MB
>> sslcrtd_childr
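
How the two configs quoted in this thread differ at each SslBump step, as an added example that is not part of the original messages: per the squid.conf ssl_bump documentation, the rules are re-evaluated at every step, rules whose action is impossible at that step are ignored, the first match wins, and peeking at step 2 usually precludes bumping. The function names and the simplified ACL handling (only `all` and at_step ACLs) are assumptions of this example.

```python
# Steps at which each action is possible (squid.conf ssl_bump documentation).
POSSIBLE = {"peek": {1, 2}, "stare": {1, 2},
            "splice": {1, 2, 3}, "bump": {1, 2, 3}, "terminate": {1, 2, 3}}

# ssl_bump and acl lines copied from the two configs quoted in the thread.
PEEK_ALL = """
ssl_bump peek all
ssl_bump bump all
"""
PEEK_STEP1 = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump all
"""

def parse(conf):
    """Return ({at_step ACL name: step number}, [(action, [acl names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if len(words) == 4 and words[0] == "acl" and words[2] == "at_step":
            acls[words[1]] = int(words[3][-1])   # "SslBump2" -> 2
        elif len(words) >= 2 and words[0] == "ssl_bump":
            rules.append((words[1], words[2:]))
    return acls, rules

def trace(conf):
    """List the action applied at each step until a final action is reached."""
    acls, rules = parse(conf)
    taken = []
    for step in (1, 2, 3):
        action = "splice"                # Squid 3.5 docs: splice when no rule matches
        for name, conds in rules:
            # Rules whose action is impossible at this step are ignored.
            if step in POSSIBLE.get(name, set()) and all(
                    c == "all" or acls.get(c) == step for c in conds):
                action = name
                break
        taken.append(action)
        if action not in ("peek", "stare"):      # splice/bump/terminate end the walk
            break
    return taken

def bumps_after_server_peek(taken):
    """True when bump is reached only after a step-2 peek, which the
    documentation says usually precludes bumping."""
    return taken[1:] == ["peek", "bump"]
```

With `ssl_bump peek all` the peek rule also wins at step 2, so bump is first attempted at step 3; restricting peek to step1 lets `bump all` win at step 2.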

Re: [squid-users] Squid ssl bump with upstream proxy

2016-03-02 Thread Baselsayeh
Amos Jeffries wrote
> On 2/03/2016 3:02 p.m., Baselsayeh wrote:
>> My proxy supports connecting to https website by using
>> (Connect Website:443) (as if normal proxy in browser settings)
>> The problem is that the proxy doesn't support tunnels
> 
> Yes, that is what we have been trying to tell you.
> 
> But then you ask for a config to magically make tunnel support exist:
> 
>> Can you give me a config example
>> A  isnt my option because I use intercepter https port
>> 
> 
> There is no magic config to make non-existent code exist.
> 
> Amos
> 

Ok thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ssl-bump-with-upstream-proxy-tp4676279p4676377.html


Re: [squid-users] rev 3.5.15

2016-03-02 Thread Amos Jeffries
On 2/03/2016 10:35 p.m., joe wrote:
> Squid Cache: Version 3.5.15-20160229-r13997
> first patch work fine until the second patch
> 
> 
> assertion failed: FwdState.cc:447: "serverConnection() == conn"
> assertion failed: BodyPipe.cc:232: "!theConsumer"
> assertion failed: store.cc:1890: "isEmpty()"
> 
> 

I don't understand what you are trying to say?

Amos



Re: [squid-users] rev 3.5.15

2016-03-02 Thread joe
Squid Cache: Version 3.5.15-20160229-r13997
first patch work fine until the second patch


assertion failed: FwdState.cc:447: "serverConnection() == conn"
assertion failed: BodyPipe.cc:232: "!theConsumer"
assertion failed: store.cc:1890: "isEmpty()"





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/rev-3-5-15-tp4676243p4676375.html


Re: [squid-users] Squidcllient making request

2016-03-02 Thread Amos Jeffries
On 2/03/2016 6:05 p.m., John Pearson wrote:
> Hi,
> 
> I have squid installed on a machine with two NICs.
> eth0 - wan
> eth1 - lan - 10.0.1.1
> 
> Squid server is running on eth1.
> I am trying to use the squidclient to fetch a url so that squid will cache
> it. Like prefetching.
> 
> Example:
> 
> squidclient -v -h 10.0.1.1 -p 3128 -m GET http://www.apple.com
> 

Problem #1;
 you are missing a '/' on the end of the URL. That type of URL is not
valid in HTTP/1.0. It has only recently become acceptable in HTTP/1.1,
so not all services support it.


> Result
> ---
> Request:
> GET http://www.apple.com HTTP/1.0
> Host: www.apple.com
> User-Agent: squidclient/3.5.9
> Accept: */*
> Connection: close
> 
> .
> 
> 
> 
> The cursor just blinks below the dot (after "Connection:close". Hard to
> see) and nothing happens. I have to manually exit.
> 
> When I exit, squid log shows A LOT of these lines:
> 
> 10.0.1.1 TCP_MISS_ABORTED/000 0 GET http://www.apple.com - ORIGINAL_DST/
> 10.0.1.1 -

Problem #2;
  you are sending the request to an intercept port without having gone
through the NAT system.
 If you left it to run, your machine would eventually crash as all
networking sockets and resources were consumed by the forwarding loop.


squidclient needs to use a forward-proxy port to connect to Squid.
Usually that is 3128, which is the port registered for Squid
forward-proxy traffic.

Recommended practice is to leave port 3128 for proxy administrative
access and tools like squidclient. Move the intercept port to another
random number and firewall it (in iptables with mangle tables rule) to
prevent anything except NAT'd traffic reaching that random port.

Amos
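
Detection logic for the situation described under Problem #2, as an added example that is not part of the original message: it scans access.log for requests whose ORIGINAL_DST is one of Squid's own addresses, which is what the quoted TCP_MISS_ABORTED lines show. The sample lines (timestamps, the 203.0.113.10 address, the other clients) are constructed, and the function names and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed access.log lines in Squid's native logformat; the three
# TCP_MISS_ABORTED entries mirror the lines quoted in the thread.
SAMPLE_LOG = """\
1456898700.101    212 10.0.1.23 TCP_MISS/200 5120 GET http://www.apple.com/ - ORIGINAL_DST/203.0.113.10 text/html
1456898701.004      0 10.0.1.1 TCP_MISS_ABORTED/000 0 GET http://www.apple.com - ORIGINAL_DST/10.0.1.1 -
1456898701.004      0 10.0.1.1 TCP_MISS_ABORTED/000 0 GET http://www.apple.com - ORIGINAL_DST/10.0.1.1 -
1456898701.005      0 10.0.1.1 TCP_MISS_ABORTED/000 0 GET http://www.apple.com - ORIGINAL_DST/10.0.1.1 -
1456898702.330     35 10.0.1.40 TCP_HIT/200 900 GET http://example.com/a.js - HIER_NONE/- application/javascript
"""

# time elapsed client result/status bytes method URL user hierarchy/peer type
NATIVE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)$")

def self_directed(log_text, squid_addrs):
    """Count (client, url) pairs whose ORIGINAL_DST is one of Squid's own
    addresses: the request reached an intercept port without passing NAT."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NATIVE.match(line.strip())
        if m and m["hier"] == "ORIGINAL_DST" and m["peer"] in squid_addrs:
            hits[(m["client"], m["url"])] += 1
    return hits

def looping(log_text, squid_addrs, threshold=3):
    """Pairs seen at least `threshold` times: the repeated-line pattern
    of a forwarding loop."""
    counts = self_directed(log_text, squid_addrs)
    return sorted(pair for pair, n in counts.items() if n >= threshold)
```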