[squid-users] Any problems with %ssl::>sni in 3.5.16?

2016-04-11 Thread Dan Charlesworth
We have an External ACL Type with %ssl::>sni and %URI

We get access log lines that record the %ssl::>sni just fine, but the 
corresponding line sent to our external ACL is missing it.

For example, from the same request:

Log: 12/Apr/2016-15:42:47608 10.0.1.60 TAG_NONE 200 0 CONNECT 
23.111.9.31:443 code.jquery.com - peek - ORIGINAL_DST/23.111.9.31 - -

Line sent to Ext. ACL: 23.111.9.31:443 -

—

Not sure if many people on this list use external ACLs as much, but anyone 
encountered this?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] TCP RDP on squid Pfsense not working

2016-04-11 Thread Eliezer Croitoru

Did you try to enable all traffic as I suggested in the other
email?

Eliezer

On 11/04/2016 23:54, --Ahmad-- wrote:
> On Apr 11, 2016, at 9:40 AM, --Ahmad-- <> wrote:
>> Hi dev,
>> 
>> when I use a socks5 client on my PC to connect to the squid proxy on CentOS,
>> I can tunnel RDP traffic using squid.
>> 
>> recently when I changed to pfsense,
>> I'm unable to use RDP using the proxy.
>> 
>> MY CACHE PEER proxy is 10.12.0.32; if I use it directly I can use RDP.
>> 
>> but RDP from pfsense is always forbidden and I already allowed the rdp port
>> in the ports in the pfsense squid config!
>> 
>> I will paste my squid config below and the error I face when I try.
>> 
>> ===
>> [2.2.2-RELEASE][admin@pfSense]/root: squid -k parse
>> 2016/04/11 09:25:53| Startup: Initializing Authentication Schemes ...
>> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'basic'
>> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'digest'
>> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'negotiate'
>> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'ntlm'
>> 2016/04/11 09:25:53| Startup: Initialized Authentication.
>> 2016/04/11 09:25:53| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
>> 2016/04/11 09:25:53| Processing: http_port 10.12.140.254:8080
>> 2016/04/11 09:25:53| Processing: http_port 127.0.0.1:8080
>> 2016/04/11 09:25:53| Processing: icp_port 0
>> 2016/04/11 09:25:53| Processing: dns_v4_first off
>> 2016/04/11 09:25:53| Processing: pid_filename /var/run/squid/squid.pid
>> 2016/04/11 09:25:53| Processing: cache_effective_user proxy
>> 2016/04/11 09:25:53| Processing: cache_effective_group proxy
>> 2016/04/11 09:25:53| Processing: error_default_language en
>> 2016/04/11 09:25:53| Processing: icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
>> 2016/04/11 09:25:53| Processing: visible_hostname mpwh
>> 2016/04/11 09:25:53| Processing: cache_mgr admin@localhost
>> 2016/04/11 09:25:53| Processing: access_log /var/squid/logs/access.log
>> 2016/04/11 09:25:53| Processing: cache_log /var/squid/logs/cache.log
>> 2016/04/11 09:25:53| Processing: cache_store_log none
>> 2016/04/11 09:25:53| Processing: netdb_filename /var/squid/logs/netdb.state
>> 2016/04/11 09:25:53| Processing: pinger_enable on
>> 2016/04/11 09:25:53| Processing: pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
>> 2016/04/11 09:25:53| Processing: logfile_rotate 0
>> 2016/04/11 09:25:53| Processing: debug_options rotate=0
>> 2016/04/11 09:25:53| Processing: shutdown_lifetime 3 seconds
>> 2016/04/11 09:25:53| Processing: acl localnet src 10.12.140.0/24 127.0.0.0/8
>> 2016/04/11 09:25:53| Processing: forwarded_for on
>> 2016/04/11 09:25:53| Processing: uri_whitespace strip
>> 2016/04/11 09:25:53| Processing: acl dynamic urlpath_regex cgi-bin \?
>> 2016/04/11 09:25:53| Processing: cache deny dynamic
>> 20

Re: [squid-users] TCP RDP on squid Pfsense not working

2016-04-11 Thread --Ahmad--




> On Apr 11, 2016, at 9:40 AM, --Ahmad-- <> wrote:
> 
> Hi dev,
> 
> when I use a socks5 client on my PC to connect to the squid proxy on CentOS, I 
> can tunnel RDP traffic using squid.
> 
> recently when I changed to pfsense,
> I'm unable to use RDP using the proxy.
> 
> MY CACHE PEER proxy is 10.12.0.32; if I use it directly I can use RDP.
> 
> but RDP from pfsense is always forbidden and I already allowed the rdp port in the 
> ports in the pfsense squid config!
> 
> 
> I will paste my squid config below and the error I face when I try.
> 
> ===
> [2.2.2-RELEASE][admin@pfSense]/root: squid -k parse
> 2016/04/11 09:25:53| Startup: Initializing Authentication Schemes ...
> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'basic'
> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'digest'
> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'negotiate'
> 2016/04/11 09:25:53| Startup: Initialized Authentication Scheme 'ntlm'
> 2016/04/11 09:25:53| Startup: Initialized Authentication.
> 2016/04/11 09:25:53| Processing Configuration File: 
> /usr/local/etc/squid/squid.conf (depth 0)
> 2016/04/11 09:25:53| Processing: http_port 10.12.140.254:8080
> 2016/04/11 09:25:53| Processing: http_port 127.0.0.1:8080
> 2016/04/11 09:25:53| Processing: icp_port 0
> 2016/04/11 09:25:53| Processing: dns_v4_first off
> 2016/04/11 09:25:53| Processing: pid_filename /var/run/squid/squid.pid
> 2016/04/11 09:25:53| Processing: cache_effective_user proxy
> 2016/04/11 09:25:53| Processing: cache_effective_group proxy
> 2016/04/11 09:25:53| Processing: error_default_language en
> 2016/04/11 09:25:53| Processing: icon_directory 
> /usr/pbi/squid-amd64/local/etc/squid/icons
> 2016/04/11 09:25:53| Processing: visible_hostname mpwh
> 2016/04/11 09:25:53| Processing: cache_mgr admin@localhost
> 2016/04/11 09:25:53| Processing: access_log /var/squid/logs/access.log
> 2016/04/11 09:25:53| Processing: cache_log /var/squid/logs/cache.log
> 2016/04/11 09:25:53| Processing: cache_store_log none
> 2016/04/11 09:25:53| Processing: netdb_filename /var/squid/logs/netdb.state
> 2016/04/11 09:25:53| Processing: pinger_enable on
> 2016/04/11 09:25:53| Processing: pinger_program 
> /usr/pbi/squid-amd64/local/libexec/squid/pinger
> 2016/04/11 09:25:53| Processing: logfile_rotate 0
> 2016/04/11 09:25:53| Processing: debug_options rotate=0
> 2016/04/11 09:25:53| Processing: shutdown_lifetime 3 seconds
> 2016/04/11 09:25:53| Processing: acl localnet src  10.12.140.0/24 127.0.0.0/8
> 2016/04/11 09:25:53| Processing: forwarded_for on
> 2016/04/11 09:25:53| Processing: uri_whitespace strip
> 2016/04/11 09:25:53| Processing: acl dynamic urlpath_regex cgi-bin \?
> 2016/04/11 09:25:53| Processing: cache deny dynamic
> 2016/04/11 09:25:53| Processing: cache_mem 64 MB
> 2016/04/11 09:25:53| Processing: maximum_object_size_in_memory 256 KB
> 2016/04/11 09:25:53| Processing: memory_replacement_policy heap GDSF
> 2016/04/11 09:25:53| Processing: cache_replacement_policy heap LFUDA
> 2016/04/11 09:25:53| Processing: minimum_object_size 0 KB
> 2016/04/11 09:25:53| Processing: maximum_object_size 4 MB
> 2016/04/11 09:25:53| Processing: cache_dir ufs /var/squid/cache 100 16 256
> 2016/04/11 09:25:53| Processing: offline_mode off
> 2016/04/11 09:25:53| Processing: cache_swap_low 90
> 2016/04/11 09:25:53| Processing: cache_swap_high 95
> 2016/04/11 09:25:53| Processing: cache allow all
> 2016/04/11 09:25:53| Processing: refresh_pattern ^ftp:1440  20%  10080
> 2016/04/11 09:25:53| Processing: refresh_pattern ^gopher:  1440  0%  1440
> 2016/04/11 09:25:53| Processing: refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
> 2016/04/11 09:25:53| Processing: refresh_pattern .0  20%  4320
> 2016/04/11 09:25:53| Processing: acl allsrc src all
> 2016/04/11 09:25:53| Processing: acl safeports port 3389 21 70 80 210 280 443 
> 488 563 591 631 777 901  8080 3129 1025-65535
> 2016/04/11 09:25:53| Processing: acl sslports port 443 563
> 2016/04/11 09:25:53| Processing: acl safeports port 3389 12345
> 2016/04/11 09:25:53| Processing: acl purge method PURGE
> 2016/04/11 09:25:53| Processing: acl connect method CONNECT
> 2016/04/11 09:25:53| Processing: acl HTTP proto HTTP
> 2016/04/11 09:25:53| Processing: acl HTTPS proto HTTPS
> 2016/04/11 09:25:53| Processing: http_access allow manager localhost
> 2016/04/11 09:25:53| Processing: http_access deny manager
> 2016/04/11 09:25:53| Processing: http_access allow purge localhost
> 2016/04/11 09:25:53| Processing: http_access deny purge
> 2016/04/11 09:25:53| Processing: http_access deny !safeports
> 2016/04/11 09:25:53| Processing: http_access deny CONNECT !sslports
> 2016/04/11 09:25:53| Processing: request_body_max_size 0 KB
> 2016/04/11 09:25:53| Processing: delay_pools 1
> 2016/04/11 09:25:53| Processing: delay_class 1 2
> 2016/04/11 09:25:53| Processing: delay_parameters 1 -1/-1 -1/-1
> 2016

Re: [squid-users] FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied

2016-04-11 Thread Eliezer Croitoru

Hey,

There are a couple of things which are unclear about both the system you
are running and the situation.
The post mentioned CentOS 6.5 and an SELinux policy for a specific
thing.
The specific policy in the post seems "sensible" but the default
policy for squid in CentOS works fine as far as I can tell.
It is mentioned that after installing squid 3.5.0 on CentOS this
issue appeared. Since I am building the unofficial CentOS RPMs it's
pretty simple for me to understand that there are scenarios in which
you would be better off without SELinux or other restrictions or
"binding" tools by the OS of the running process\software\script.
Specifically the pid file is not related in any way to the SELinux
mentioned in the blog post.
If you can post the content of the "te" file of the audit2allow
result it would help to understand the issue better.

Have you tried my RPMs? If something is missing in them let me know
please.

Eliezer

On 11/04/2016 22:11, amadaan wrote:
> So I actually dug deeper into this issue and found a stack-traced error of
> squid: ERROR: Could not read pid file
> /var/run/squid.pid: (13) Permission denied
> 
> Tried one of the responses from one of the forums, saying the issue is with
> SELinux being enabled.
> I disabled that and it worked fine after that.
> 
> But that means I am removing security from my system. Now this awesome blog
> tells me how to add policy rules to allow your new software to run when
> SELinux is enabled.
> 
> http://sharadchhetri.com/2014/03/07/selinux-squid-service-failed-startrestart/
> 
> Quite helpful but not sure if that is the real solution. Can any changes be done
> on the squid end to ignore the above steps? Any suggestions on this will be of
> help.
> 
> Thanks



Re: [squid-users] FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied

2016-04-11 Thread amadaan
So I actually dug deeper into this issue and found a stack-traced error of
squid: ERROR: Could not read pid file
/var/run/squid.pid: (13) Permission denied

Tried one of the responses from one of the forums, saying the issue is with
SELinux being enabled.
I disabled that and it worked fine after that.

But that means I am removing security from my system. Now this awesome blog
tells me how to add policy rules to allow your new software to run when
SELinux is enabled.

http://sharadchhetri.com/2014/03/07/selinux-squid-service-failed-startrestart/

Quite helpful but not sure if that is the real solution. Can any changes be done
on the squid end to ignore the above steps? Any suggestions on this will be of
help.

Thanks





Re: [squid-users] Squid 3.5 no traffic saving

2016-04-11 Thread Amos Jeffries
On 9/04/2016 9:06 p.m., Muhammad Faisal wrote:
> Hi,
> I have deployed squid 3.5.16 as a transparent proxy. I'm using the squid Store-ID
> helper for CDN content caching; despite all efforts I don't see any
> traffic saving on upstream. From access logs most of the content is
> generated from CDNs streaming videos and downloads which always come
> from the destination despite using the Store-ID helper.
> 
> If someone has deployed and has working configs please help me out.
> 

see my answer to johnzeng yesterday about ORIGINAL_DST and caching.


There is also a regression bug (#4481) in 3.5.16 which prevents Vary
caching properly. The patch for that just went into 3.5 so it will be fixed
in tomorrow's snapshot (r14022 or later).

Amos



Re: [squid-users] squid ftp-proxy

2016-04-11 Thread Axel.Eberhardt
Hi Amos,

>From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf 
>of Amos Jeffries

>>On 5/04/2016 9:08 p.m., axel.eberha...@t-systems.com wrote:
>> Hello,
>> 
>> Maybe someone can give me a hint :-)
>> 
>> I try to enable the Native ftp proxying.
>> The documentation I have found is:
>> http://wiki.squid-cache.org/Features/FtpRelay
>> 
>> But there is no example for this. Also in the Mail Archives I was not able 
>> to find a hint.
>> 
>> I have configured the ftp proxy with parameter:
>>  ftp_port 21
>> 

>AFAIK that port is intended either for use as above when the Squid IP address 
>or hostname is given to the client FTP tool as the FTP server IP/host.

Yes, that is correct. But I'm not sure if this is the only necessary option. 
Maybe I have to configure more options. 

> Or when intercepting port 21 traffic - with the 'intercept' option on the 
> port config line.

>It is still a new / experimental and rarely used feature so YMMV.



>> Now my problem.
>> 
>> I am able to connect via ftp client to the squid.
>> Also the login will be correct:  
>>  example:  anonym...@ftp.informatik.rwth-aachen.de
>>  
>> But after a command which use a data channel the connection fails:
>>  421 Service not available, remote server has closed connection
>> 
>> 
>> I try a tcpdump but I cannot find a failure. 
>> The only difference between a native ftp session and a connection over the 
>> squid is a missing TCP ACK after the last ftp data packet. 
>>

>Um, missing ACK on which of the four connections involved?
>  and from which of the three software involved?

I have traced the network interface at the squid server. 
The ftp connection was established from localhost. So I cannot see the traffic 
between squid and ftp client.
The missing ACK I have seen comes from the ftp server. Maybe the ftp server 
answer is different between 'ftp over http' and ftp.
But this issue is similar to different ftp servers.

>Amos

Axel


Re: [squid-users] TCP RDP on squid Pfsense not working

2016-04-11 Thread Eliezer Croitoru

Hey,

Since it's a local net proxy and if the proxy is firewalled on the
network level I would run the next test (related to the output):

On 11/04/2016 09:40, --Ahmad-- wrote:
> 2016/04/11 09:25:53| Processing: http_access allow rdp
> 2016/04/11 09:25:53| Processing: dns_nameservers 8.8.8.8 10.12.0.33
> 2016/04/11 09:25:53| Processing: never_direct allow all
> 2016/04/11 09:25:53| Processing: cache_peer  10.12.0.32 parent  80 0 no-query no-digest default
> 2016/04/11 09:25:53| Processing: http_access allow localnet
> 2016/04/11 09:25:53| Processing: http_access deny allsrc
> 2016/04/11 09:25:53| Initializing https proxy context

I would add to the first line of squid.conf for a test
acl connect method CONNECT
http_access allow all CONNECT
http_access allow all

Use "squid -kreconf" to reload the settings and it should be
allowed.
If it works then you will need to just allow the CONNECT using an
acl with the RDP port.

I am not sure how squid is ok with this line:
2016/04/11 09:25:53| Processing: acl rdp dat .XX.70.0/24

It should be something like "src" instead of "dat" and also you
might want to restrict using the http_access rules the CONNECT with
the destination rdp port.

http://www.squid-cache.org/Doc/config/acl/

The other option is to add the acl:
acl Safe_ports port 3389        # RDP

Eliezer

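A least-privilege way to permit the RDP tunnel, as an added example that is not part of the thread: it reuses the ACL names from Ahmad's `squid -k parse` output, replaces the unparseable `acl rdp dat` line with a `src` ACL (192.0.2.0/24 is a placeholder for the real client subnet), drops the 1025-65535 range from safeports, and orders the rules so CONNECT to port 3389 is allowed without the blanket `http_access allow all` used for testing.

```conf
# Added example, not from the thread. 192.0.2.0/24 is a placeholder subnet.
acl localnet  src 10.12.140.0/24 127.0.0.0/8
acl rdp       src 192.0.2.0/24            # placeholder: clients allowed to tunnel RDP
acl rdp_port  port 3389                   # RDP destination port
acl sslports  port 443 563                # CONNECT is normally limited to TLS ports
acl safeports port 80 21 443 70 210 280 488 563 591 631 777 901 3389
acl CONNECT   method CONNECT

# http_access is evaluated top-down and the first matching line wins. In the
# posted config "deny CONNECT !sslports" comes first, so a CONNECT to host:3389
# is rejected before "allow rdp" is ever reached; the RDP allow must precede it.
http_access deny !safeports
http_access allow CONNECT rdp rdp_port
http_access deny CONNECT !sslports

# Keep the explicit source restriction and a final deny instead of leaving the
# "http_access allow all" test line in place.
http_access allow localnet
http_access deny all
```

After editing, `squid -k parse` reports any ACL it cannot read, and `squid -k reconfigure` applies the change without a restart.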