Re: [squid-users] FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied

2016-04-12 Thread Amos Jeffries
On 13/04/2016 1:41 a.m., amadaan wrote:
> 
> Also, can you give me link to your unofficial RPMs.
> 

That would be 

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

I suggest the matter can be openssl, not the OS:

root @ cthulhu /patch # openssl version -a
OpenSSL 1.0.1s  1 Mar 2016
built on: Tue Mar  1 15:42:26 2016
platform: solaris64-x86_64-cc-sunw
options:  bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int)
blowfish(ptr)
compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include  -KPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID
-DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/opt/csw/ssl"


13.04.16 2:29, Yuri Voinov wrote:
>
> root @ cthulhu /patch # dig www.cloudflare.com
>
> ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.cloudflare.com.        IN      A
>
> ;; ANSWER SECTION:
> www.cloudflare.com. 86400   IN  A   198.41.214.162
> www.cloudflare.com. 86400   IN  A   198.41.215.162
>
> ;; Query time: 538 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
> ;; MSG SIZE  rcvd: 68
>
> root @ cthulhu /patch # uname -a
> SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
>
> But I think OS does not matter here.
>
> 13.04.16 2:02, Eliezer Croitoru wrote:
> > What "dig www.cloudflare.com" results with?
> > Also what OS are you using? I am using CentOS 7 up to date...
> >
> > Eliezer
> >
> > On 12/04/2016 21:39, Yuri Voinov wrote:
> >> root @ cthulhu /patch # openssl s_client -cipher
> >> 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443



Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

root @ cthulhu /patch # dig www.cloudflare.com

; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cloudflare.com.IN  A

;; ANSWER SECTION:
www.cloudflare.com. 86400   IN  A   198.41.214.162
www.cloudflare.com. 86400   IN  A   198.41.215.162

;; Query time: 538 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
;; MSG SIZE  rcvd: 68

root @ cthulhu /patch # uname -a
SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris

But I think OS does not matter here.

13.04.16 2:02, Eliezer Croitoru wrote:
> What "dig www.cloudflare.com" results with?
> Also what OS are you using? I am using CentOS 7 up to date...
>
> Eliezer
>
> On 12/04/2016 21:39, Yuri Voinov wrote:
>> root @ cthulhu /patch # openssl s_client -cipher
>> 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443



Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Eliezer Croitoru

What "dig www.cloudflare.com" results with?
Also what OS are you using? I am using CentOS 7 up to date...

Eliezer

On 12/04/2016 21:39, Yuri Voinov wrote:
> root @ cthulhu /patch # openssl s_client -cipher
> 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443



Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

My openssl test shows the following Cloudflare cipher:

ECDHE-ECDSA-AES128-GCM-SHA256

So, the result is:

root @ cthulhu /patch # openssl s_client -cipher
'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
CONNECTED(0003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO ECC Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 4710875, 1.3.6.1.4.1.311.60.2.1.3 = US,
1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private
Organization, C = US, postalCode = 94107, ST = California, L = San
Francisco, street = "655 Third Street, Suite 200", O = "CloudFlare,
Inc.", OU = COMODO EV Multi-Domain SSL
verify return:1
---
Certificate chain
 0
s:/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/C=US/postalCode=94107/ST=California/L=San
Francisco/street=655 Third Street, Suite 200/O=CloudFlare,
Inc./OU=COMODO EV Multi-Domain SSL
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
ECC Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
ECC Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/C=US/postalCode=94107/ST=California/L=San
Francisco/street=655 Third Street, Suite 200/O=CloudFlare,
Inc./OU=COMODO EV Multi-Domain SSL
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Extended Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3826 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID:
46639E396A6540A888C8A9B1994C744D03810678A4F95951A5BBA293DD4BE284
Session-ID-ctx:
Master-Key:
26F7F58D4913230F3F93872E2E7390C7D762CDC3E46FC5AAA300866F316ED5A283A813DAFF738457C5B8F5E1340CC156
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
 - 94 71 18 10 6e 8b 7b d3-b1 a7 d9 d7 65 8f a6 ea  
.q..n.{.e..

Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Eliezer Croitoru

Hey Yuri,

I will try to test it with couple versions of 4.0.x.
But it's weird...
The reason it's weird is that I have some kind of trust in, or
understanding of, this test:
https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest

I am not an SSL expert in general but I can use openssl client to
test and verify things.
I have tested this scenario with openssl like this:
# openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect
www.cloudflare.com:443
CONNECTED(0003)
139990857013152:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 119 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

And it seems that openssl does something, which might be my fault, but
if squid 3.5.16 works fine with it and 4.0.8 does not, it might be connected
to the connection between the openssl library and the service, and squid
only displays the issue in the nice html page.
I do not know what service cloudflare uses and how it all works, but
if openssl states that there is an issue with what the service is
either sending or itself analyzing, then the issue is at the openssl
level rather than squid.

I am sure that cloudflare, openssl and squid users, admins
and devs all want to resolve the issue.

Eliezer

On 12/04/2016 18:29, Yuri Voinov wrote:
> UPDATE:
>
> Every failed connect produces the following sequence in access.log:
>
> 1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT
> 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
> 1460474791.658  0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/*
> - HIER_NONE/- text/html
>
> Note: 198.41.215.162 is the current cloudflare.com IP.
>
> Also: NONE_ABORTED/200 often occurs in access.log with other, accessible
> sites.
>
> 12.04.16 20:03, Yuri Voinov wrote:
> >
> > UPDATE:
> >
> > https://i1.someimage.com/b8w5dFz.png
> >
> > This is the answer from Cloudflare support.
> >
> > But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?
> >
> > 12.04.16 17:55, Yuri Voinov wrote:
> > > Does anybody face this problem with 4.0.8:
> > >
> > > https://i1.someimage.com/3lD2cvV.png
> > >
> > > ?
> > >
> > > It is accompanied by this error in cache.log:
> > >
> > > 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54:
> > > error::lib(0):func(0):reason(0) (5/0/0)
> > >
> > > and "NONE/503" in access.log.
> > >
> > > Without proxy it works like a charm. 3.5.16 with the similar squid.conf
> > > works like a charm.
> > >
> > > NB: Cloudflare support said that the key features for SSL are SNI and
> > > ECDSA now. AFAIK, 4.0.8 fully supports these features.
> > >
> > > Any advice will be helpful.
> > >
> > > Yes, I know this looks like DDoS protection on Cloudflare. But WTF?
> > > Some workaround is required. Half the Internet is hosted on Cloudflare.
> > >
> > > WBR, Yuri
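
Added example for this sub-thread (editor's code, not Squid's, OpenSSL's or any poster's): the manual `openssl s_client -cipher X -connect host:443` checks above, redone as a Python probe that offers the server exactly one TLS 1.2 suite and reports whether the handshake completed, plus a parser that boils raw s_client output down to the fields worth comparing between two runs (negotiated suite, protocol, alert, certificate verification errors). The SUITES list and the two embedded sample outputs are assumptions: the samples are abridged, constructed copies of the successful and the failing output quoted above.

```python
"""Single-suite TLS probe plus a parser for `openssl s_client` output.

Added example, not Squid's or OpenSSL's code. A handshake_failure alert in
response to the ClientHello is the server saying it has nothing in common
with what was offered (no shared suite, or no certificate of the key type
the offered suites need, here ECDSA).
"""
import re
import socket
import ssl
import sys

# Assumption: the two suites tried in the thread; any OpenSSL cipher
# string accepted by SSLContext.set_ciphers() works here.
SUITES = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA"]


def probe_cipher(host, cipher, port=443, timeout=5.0):
    """Offer one TLS <= 1.2 suite to host:port and report the outcome.

    Network call; the offline samples below do not exercise it.
    """
    ctx = ssl.create_default_context()
    # set_ciphers() only restricts TLS 1.2 and older suites. Cap the
    # version, otherwise a TLS 1.3 server negotiates a 1.3 suite and the
    # probe silently tests nothing.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)  # raises if the local OpenSSL lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname= sends SNI, which Cloudflare requires.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return {"offered": cipher, "ok": True, "negotiated": name,
                        "protocol": tls.version(), "bits": bits}
    except ssl.SSLError as exc:
        # exc.reason is e.g. 'SSLV3_ALERT_HANDSHAKE_FAILURE' when the
        # server rejects every offered suite.
        return {"offered": cipher, "ok": False, "reason": exc.reason}
    except OSError as exc:
        return {"offered": cipher, "ok": False, "reason": str(exc)}


def parse_s_client(output):
    """Reduce s_client text to: handshake result, suite, protocol, alert
    (if any) and certificate verification errors."""
    cipher = re.search(r"Cipher is (\S+)", output)
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    alert = re.search(r"alert ([a-z ]+?):", output)
    verify_errors = re.findall(r"verify error:num=(\d+):(.+)", output)
    suite = cipher.group(1) if cipher and cipher.group(1) != "(NONE)" else None
    return {
        "handshake_ok": suite is not None,
        "cipher": suite,
        "protocol": proto.group(1) if proto else None,
        "alert": alert.group(1) if alert else None,
        "verify_errors": [(int(n), msg.strip()) for n, msg in verify_errors],
    }


# Constructed, abridged copies of the two outputs quoted in the thread.
SAMPLE_OK = """CONNECTED(00000003)
depth=0 C = US, O = "CloudFlare, Inc.", OU = COMODO EV Multi-Domain SSL
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
"""

SAMPLE_FAIL = """CONNECTED(00000003)
139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        print(parse_s_client(sample))
    if len(sys.argv) > 1:  # e.g. python3 probe.py www.cloudflare.com
        for suite in SUITES:
            print(probe_cipher(sys.argv[1], suite))
```

Run it with a hostname to probe live; without one it only parses the embedded samples. The cap on maximum_version is the detail that makes the probe honest: set_ciphers() has no effect on TLS 1.3 suites, so without it a modern server would negotiate TLS 1.3 and the result would say nothing about the suite under test.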


Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

UPDATE:

Every failed connect produces the following sequence in access.log:

1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT
198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
1460474791.658  0 192.168.100.103 NONE/503 3951 GET
https://www.cloudflare.com/* - HIER_NONE/- text/html

Note: 198.41.215.162 is the current cloudflare.com IP.

Also: NONE_ABORTED/200 often occurs in access.log with other, accessible
sites.

12.04.16 20:03, Yuri Voinov wrote:
>
> UPDATE:
>
> https://i1.someimage.com/b8w5dFz.png
>
> This is the answer from Cloudflare support.
>
> But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?
>
> 12.04.16 17:55, Yuri Voinov wrote:
> > Does anybody face this problem with 4.0.8:
> >
> > https://i1.someimage.com/3lD2cvV.png
> >
> > ?
> >
> > It is accompanied by this error in cache.log:
> >
> > 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54:
> > error::lib(0):func(0):reason(0) (5/0/0)
> >
> > and "NONE/503" in access.log.
> >
> > Without proxy it works like a charm. 3.5.16 with the similar squid.conf
> > works like a charm.
> >
> > NB: Cloudflare support said that the key features for SSL are SNI and
> > ECDSA now. AFAIK, 4.0.8 fully supports these features.
> >
> > Any advice will be helpful.
> >
> > Yes, I know this looks like DDoS protection on Cloudflare. But WTF?
> > Some workaround is required. Half the Internet is hosted on Cloudflare.
> >
> > WBR, Yuri

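
The access.log signature described in this message, as an added example (editor's code, not Squid's): a correlator over native-format access.log lines that pairs a CONNECT logged as NONE_ABORTED/200 with a NONE/503 GET for an https:// URL from the same client, with HIER_NONE, shortly afterwards. The two Cloudflare lines are the ones posted above; the two lines before them (203.0.113.10, www.example.com), the field names and the 2-second window are constructed assumptions.

```python
"""Correlate failed SSL-Bump connections in a Squid access.log.

Added example, not Squid's code. Squid's default (native) log format is
  time.ms duration_ms client result/status bytes method url user hier/peer type
The pattern looked for: a CONNECT ending as NONE_ABORTED/200, then almost
immediately a NONE/503 GET for an https:// URL from the same client with
HIER_NONE, i.e. Squid answered with its own error page and no origin server
was contacted. A NONE_ABORTED/200 CONNECT on its own is not a failure; as
noted above it also shows up for sites that work.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Entry:
    ts: float          # end of the transaction, seconds since the epoch
    duration_ms: int
    client: str
    result: str        # e.g. NONE_ABORTED, NONE, TCP_MISS
    status: int        # HTTP status Squid sent to the client
    size: int
    method: str
    url: str
    user: str
    hier: str          # e.g. ORIGINAL_DST, HIER_NONE
    peer: str
    mime: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one native-format line; returns None for anything else."""
    f = line.split()
    if len(f) != 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], f[7], hier, peer, f[9])
    except ValueError:
        return None


def find_bump_failures(lines: Iterable[str], window_s: float = 2.0) -> List[Tuple[Entry, Entry]]:
    """Pair each NONE/503 https GET with the most recent aborted CONNECT
    from the same client that ended at most window_s seconds earlier."""
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    last_connect: Dict[str, Entry] = {}   # client -> latest NONE_ABORTED CONNECT
    failures: List[Tuple[Entry, Entry]] = []
    for e in entries:
        if e.method == "CONNECT" and e.result == "NONE_ABORTED":
            last_connect[e.client] = e
        elif (e.method != "CONNECT" and e.status == 503 and e.hier == "HIER_NONE"
              and e.url.startswith("https://")):
            c = last_connect.get(e.client)
            if c is not None and 0.0 <= e.ts - c.ts <= window_s:
                failures.append((c, e))
    return failures


# The two lines posted above, preceded by a constructed pair for a site
# that bumped fine (203.0.113.10 and www.example.com are placeholders).
SAMPLE_LOG = """\
1460474700.100   1203 192.168.100.103 NONE_ABORTED/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1460474700.350    240 192.168.100.103 TCP_MISS/200 5120 GET https://www.example.com/ - ORIGINAL_DST/203.0.113.10 text/html
1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
1460474791.658      0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    for connect, err in find_bump_failures(SAMPLE_LOG.splitlines()):
        print(f"{connect.client}: CONNECT {connect.url} via {connect.peer} "
              f"-> {err.status} for {err.url} ({err.ts - connect.ts:.3f}s later)")
```

Feed it the real log (`find_bump_failures(open("/var/log/squid/access.log"))`) and group the results by peer address to see whether the failures cluster on one hosting provider, as they did here.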


Re: [squid-users] FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied

2016-04-12 Thread amadaan
Hey Eliezer,

Thanks for looking into details.

Here is my .te file

module MYPOLICY 1.0;

require {
type unconfined_t;
type var_run_t;
type usr_t;
type syslogd_t;
type user_tmpfs_t;
type squid_t;
type tmpfs_t;
class process signal;
class file { getattr read create unlink open };
class dir { write remove_name add_name };
}

#============= squid_t ==============
# The source type 'squid_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t,
# squid_log_t, cluster_var_lib_t, cluster_var_run_t, root_t,
# krb5_host_rcache_t, cluster_conf_t, tmp_t

allow squid_t tmpfs_t:dir { write remove_name add_name };
allow squid_t tmpfs_t:file { create unlink };
allow squid_t unconfined_t:process signal;
allow squid_t user_tmpfs_t:file unlink;
allow squid_t var_run_t:file { read getattr open };

#============= syslogd_t ==============
# The source type 'syslogd_t' can write to a 'dir' of the following
# types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t,
# innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t,
# root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow syslogd_t usr_t:dir write;




Also, can you give me link to your unofficial RPMs.

Thanks
Aashima



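
Added example (editor's code, not part of Squid or of the SELinux tools): a small reviewer for the allow rules in a .te module like the one above, to run before compiling and loading it. audit2allow names whatever type the denied object carried, and a file created under /dev/shm carries tmpfs_t by default, so `allow squid_t tmpfs_t:file { create unlink }` lets squid_t create and unlink every tmpfs_t file, not only its own shm segments. The script parses the allow rules and flags targets that are generic shared types (GENERIC_TARGETS is an assumption about which types count as generic) as well as cross-domain process permissions. The sample module is the one posted, with one constructed squid_var_run_t rule appended to show a rule that passes.

```python
"""Review the allow rules in an SELinux .te module before loading it.

Added example; not Squid's code and not part of the SELinux toolchain.
A rule whose target is a broadly shared type (tmpfs_t, var_run_t, ...)
grants access to every object with that label, so it deserves a second
look, or a file-context rule that gives the daemon's objects their own
label, before `semodule -i`.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: types that many domains share; a rule naming one of them
# reaches far beyond the single object whose denial produced it.
GENERIC_TARGETS = {"tmpfs_t", "user_tmpfs_t", "tmp_t", "var_run_t", "var_t",
                   "usr_t", "etc_t", "unconfined_t"}

_ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: Tuple[str, ...]

    def render(self) -> str:
        p = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source} {self.target}:{self.tclass} {p};"


def parse_allow_rules(te_text: str) -> List[AllowRule]:
    """Extract `allow src tgt:class perms;` statements (type enforcement only)."""
    rules = []
    for src, tgt, cls, perms in _ALLOW.findall(te_text):
        rules.append(AllowRule(src, tgt, cls, tuple(perms.strip("{} ").split())))
    return rules


def review(rules: List[AllowRule], module_domain: str = "squid_t") -> List[Tuple[AllowRule, str]]:
    """Return (rule, reason) for every rule that deserves a second look."""
    findings = []
    for r in rules:
        if r.tclass == "process" and r.target != r.source:
            findings.append((r, f"lets {r.source} act on processes of another domain ({r.target})"))
        elif r.target in GENERIC_TARGETS:
            findings.append((r, f"target {r.target} is a generic type; every {r.tclass} "
                                f"labelled {r.target} becomes reachable"))
        elif r.source != module_domain:
            findings.append((r, f"source {r.source} is not the domain this module is for"))
    return findings


# The module posted above, plus one constructed rule (squid_var_run_t)
# at the end to show what a daemon-specific target looks like.
SAMPLE_TE = """\
module MYPOLICY 1.0;

require {
        type unconfined_t; type var_run_t; type usr_t; type syslogd_t;
        type user_tmpfs_t; type squid_t; type tmpfs_t;
        class process signal;
        class file { getattr read create unlink open };
        class dir { write remove_name add_name };
}

allow squid_t tmpfs_t:dir { write remove_name add_name };
allow squid_t tmpfs_t:file { create unlink };
allow squid_t unconfined_t:process signal;
allow squid_t user_tmpfs_t:file unlink;
allow squid_t var_run_t:file { read getattr open };
allow syslogd_t usr_t:dir write;
allow squid_t squid_var_run_t:file { read getattr open };
"""

if __name__ == "__main__":
    for rule, why in review(parse_allow_rules(SAMPLE_TE)):
        print(f"{rule.render():<62} # {why}")
```

Every rule in the posted module is flagged; only the appended squid_var_run_t rule passes. The flags are a prompt, not a verdict: a rule such as the var_run_t read may be exactly what is needed, but each one should be traced back to the AVC denial it came from before the module goes in.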


Re: [squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

UPDATE:

https://i1.someimage.com/b8w5dFz.png

This is answer from Cloudflare support.

But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?

12.04.16 17:55, Yuri Voinov wrote:
> Does anybody face this problem with 4.0.8:
>
> https://i1.someimage.com/3lD2cvV.png
>
> ?
>
> It is accompanied by this error in cache.log:
>
> 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54:
> error::lib(0):func(0):reason(0) (5/0/0)
>
> and "NONE/503" in access.log.
>
> Without proxy it works like a charm. 3.5.16 with the similar squid.conf
> works like a charm.
>
> NB: Cloudflare support said that the key features for SSL are SNI and
> ECDSA now. AFAIK, 4.0.8 fully supports these features.
>
> Any advice will be helpful.
>
> Yes, I know this looks like DDoS protection on Cloudflare. But WTF?
> Some workaround is required. Half the Internet is hosted on Cloudflare.
>
> WBR, Yuri



[squid-users] Squid 4: Cloudflare SSL connection problem

2016-04-12 Thread Yuri Voinov

Does anybody face this problem with 4.0.8:

https://i1.someimage.com/3lD2cvV.png

?

It is accompanied by this error in cache.log:

2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54: 
error::lib(0):func(0):reason(0) (5/0/0)


and "NONE/503" in access.log.

Without proxy it works like a charm. 3.5.16 with the similar squid.conf works
like a charm.


NB: Cloudflare support said that the key features for SSL are SNI and
ECDSA now. AFAIK, 4.0.8 fully supports these features.


Any advice will be helpful.

Yes, I know this looks like DDoS protection on Cloudflare. But WTF? Some
workaround is required. Half the Internet is hosted on Cloudflare.


WBR, Yuri


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-12 Thread FredB
Amos, I don't know if this is related or not, but I have a lot of

2016/04/12 13:00:50| Could not parse headers from on disk object
2016/04/12 13:00:50| Could not parse headers from on disk object
2016/04/12 13:00:50| Could not parse headers from on disk object
2016/04/12 13:00:50| Could not parse headers from on disk object
2016/04/12 13:00:51| Could not parse headers from on disk object
2016/04/12 13:00:51| Could not parse headers from on disk object
2016/04/12 13:00:56| Could not parse headers from on disk object
2016/04/12 13:00:56| Could not parse headers from on disk object
2016/04/12 13:00:56| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object
2016/04/12 13:00:57| Could not parse headers from on disk object

My cache was cleaned and squid patched

Fred


Re: [squid-users] Squid Cache: Version 3.5.16 and ext_ldap_group_acl

2016-04-12 Thread Thomas Elsäßer

On 12-04-2016 10:58, Amos Jeffries wrote:

> On 12/04/2016 8:36 p.m., Thomas Elsäßer wrote:
>
>> Dear all,
>>
>> I call from Shell:
>>
>> /usr/local/squid/libexec/ext_ldap_group_acl -d -R -b
>> "OU=UMW,DC=a,DC=b,DC=de" -D "...@a.b.de" -w "XXX" \
>>  -f
>> "(&(objectClass=person)(sAMAccountName=%v)(MemberOf=CN=%g,OU=DomLokaleGruppen,OU=Gruppen,OU=Benutzer,OU=Min-PRD,OU=XXX,DC=a,DC=b,DC=de))"
>> -h dc.a.b.de
>>
>> And when I trace the helper process, I can see that squid replaces the %v
>> with
>> usern...@a.b.de
>> So the helper gives an ERR return to squid.
>>
>> Where can I configure this, so that the passed variable is only the username?
>
> That is the user name/label as provided to Squid by the auth helper. It
> depends on whether the particular auth helper(s) you are using allow the
> credentials domain to be cropped away.
>
> Since it is using "@" symbol look at the Negotiate auth helper options.
>
> Amos

Yes - sorry for the stupid questions - the -r option is what I need. Thanks again!!!

auth_param negotiate program
/usr/local/squid/libexec/negotiate_kerberos_auth -d -r -s HTTP/...


Best wishes
Thomas
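
Added example (editor's code, not ext_ldap_group_acl's or negotiate_kerberos_auth's): what happens to the login between the auth helper and the LDAP filter in this thread. Squid hands the group helper the name the auth helper produced, user@REALM for Kerberos, and the filter compares it with sAMAccountName, so the match fails until the realm is stripped (the effect of -r on negotiate_kerberos_auth). Two details this example adds on its own, as assumptions about what a careful deployment wants rather than anything the helpers are documented to do on this page: strip only the realm you trust, so admin@OTHER.REALM does not quietly turn into admin, and escape the value as RFC 4515 requires so a login containing `*` or `)` cannot alter the filter. The filter template is copied from the post; the logins are constructed.

```python
"""Normalise a Negotiate login before it is substituted into an LDAP filter.

Added example; not the code of ext_ldap_group_acl or negotiate_kerberos_auth.
"""
import re
from typing import Optional

# Filter template from the post: %v is the user, %g the group.
FILTER_TEMPLATE = ("(&(objectClass=person)(sAMAccountName=%v)"
                   "(MemberOf=CN=%g,OU=DomLokaleGruppen,OU=Gruppen,OU=Benutzer,"
                   "OU=Min-PRD,OU=XXX,DC=a,DC=b,DC=de))")


def strip_realm(login: str, realm: Optional[str] = None) -> str:
    """user@REALM -> user.

    With realm given, only that realm (case-insensitively) is removed; a
    login from any other realm is returned unchanged, so the group lookup
    fails closed instead of matching a same-named local account.
    """
    user, sep, login_realm = login.partition("@")
    if not sep or not user:
        return login
    if realm is not None and login_realm.lower() != realm.lower():
        return login
    return user


def ldap_escape(value: str) -> str:
    """RFC 4515 section 3: inside an assertion value the characters
    * ( ) \\ and NUL must be written as backslash + two hex digits."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template: str, login: str, group: str,
                 realm: Optional[str] = None) -> str:
    """Fill %v and %g in one pass, so an escaped value can never be
    re-scanned for a second placeholder."""
    values = {"v": ldap_escape(strip_realm(login, realm)), "g": ldap_escape(group)}
    return re.sub(r"%([vg])", lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    # Constructed inputs: the login from the thread, and one that tries
    # to turn the filter into (&(objectClass=person)(sAMAccountName=x*)(objectClass=*)...
    print(build_filter(FILTER_TEMPLATE, "username@a.b.de", "Proxy-Users", realm="a.b.de"))
    print(build_filter(FILTER_TEMPLATE, "x*)(objectClass=*", "Proxy-Users", realm="a.b.de"))
```

The second print shows the attempt neutralised: the parentheses and stars arrive at the directory as `\28`, `\29` and `\2a`, and the filter keeps exactly the structure of the template.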


Re: [squid-users] Squid Cache: Version 3.5.16 and ext_ldap_group_acl

2016-04-12 Thread Amos Jeffries
On 12/04/2016 8:36 p.m., Thomas Elsäßer wrote:
> Dear all,
> 
> I call from Shell:
> 
> /usr/local/squid/libexec/ext_ldap_group_acl -d -R -b
> "OU=UMW,DC=a,DC=b,DC=de" -D "...@a.b.de" -w "XXX" \
>  -f
> "(&(objectClass=person)(sAMAccountName=%v)(MemberOf=CN=%g,OU=DomLokaleGruppen,OU=Gruppen,OU=Benutzer,OU=Min-PRD,OU=XXX,DC=a,DC=b,DC=de))"
> -h dc.a.b.de
> 

> 
> And when I trace the helper process, I can see that squid replaces the %v with
> usern...@a.b.de
> So the helper gives an ERR return to squid.
> 
> Where can I configure this, so that the passed variable is only the username?

That is the user name/label as provided to Squid by the auth helper. It
depends on whether the particular auth helper(s) you are using allow the
credentials domain to be cropped away.

Since it is using "@" symbol look at the Negotiate auth helper options.

Amos



[squid-users] Squid Cache: Version 3.5.16 and ext_ldap_group_acl

2016-04-12 Thread Thomas Elsäßer

Dear all,

I call from Shell:

/usr/local/squid/libexec/ext_ldap_group_acl -d -R -b 
"OU=UMW,DC=a,DC=b,DC=de" -D "...@a.b.de" -w "XXX" \
 -f 
"(&(objectClass=person)(sAMAccountName=%v)(MemberOf=CN=%g,OU=DomLokaleGruppen,OU=Gruppen,OU=Benutzer,OU=Min-PRD,OU=XXX,DC=a,DC=b,DC=de))" 
-h dc.a.b.de



I type:

username groupname

and the command returns OK

If I configure this in squid (the same command as typed in the shell):

external_acl_type ldap_group %LOGIN 
/usr/local/squid/libexec/ext_ldap_group_acl -d -R -b 
"OU=UMW,DC=a,DC=b,DC=de" -D "...@a.b.de" -w "XXX" \
 -f 
"(&(objectClass=person)(sAMAccountName=%v)(MemberOf=CN=%g,OU=DomLokaleGruppen,OU=Gruppen,OU=Benutzer,OU=Min-PRD,OU=XXX,DC=a,DC=b,DC=de))" 
-h dc.a.b.de



And when I trace the helper process, I can see that squid replaces the %v with
usern...@a.b.de

So the helper gives an ERR return to squid.

Where can I configure this, so that the passed variable is only the username?

Thanks for help,
Thomas


Re: [squid-users] i have two question about https_port tproxy

2016-04-12 Thread Amos Jeffries
On 12/04/2016 7:04 p.m., johnzeng wrote:
> 
> Hello Dear Sir:
> 
> I will be optimizing https traffic soon in a bridge tproxy environment; I
> know squid will do https_port tproxy.
> 
> Question one: will the feature (https_port) be stable in squid
> 3.5?

https_port is not a feature. It is a config directive used by many
features. So feature stability depends on how you will be using it.

If you mean MITM - then no. The SSL-Bump feature which does that MITM is
still being stabilized.

The TPROXY feature usually can be considered stable, but depends on the
specific environment you use it in. Regardless of which Squid port type
you use it on.

> 
> Question two: https_proxy will optimize special website URLs via ACL, or
> https_proxy can optimize full https websites.

That is a statement. If I assume you mean *can* it optimize? the port
directive itself does not do any optimizing. It is simply telling Squid
what type of traffic will be arriving there. The features using it or
the features applied to the traffic after it has arrived through a port
(any port) may or may not optimize.


Squid (as a whole) does optimization. But "optimize" may not mean what
you think it does. What happens to traffic arriving at a particular port
changes depending on what a) could be done with that traffic, and b) has
been configured to be done.

Optimize could mean anything from simply re-arranging message headers
into a format that is faster to process at the server end. Through to
dropping requests as they arrive. Or many other things in between.

Processing the traffic also has a cost. So optimizing for one thing may
make other things get worse.


> 
> Sorry, I don't have much experience with https_port.
> 
> Which direction will be suitable for a small ISP environment?
> 
> If possible, please give me some advice.


An ISP usually does not have the ability (both technical and legal
abilities are required) to install self-signed custom CA certificates
onto all the client devices and/or software. That means that full HTTPS
interception cannot be performed by an ISP. They are usually limited to
splicing or blocking that traffic.
 That limited set of actions is enough to perform some types of
optimization, such as rejecting traffic based on SNI values, but not
sufficient to do others, such as caching.

Amos



Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-12 Thread Amos Jeffries
On 8/04/2016 1:23 a.m., Amos Jeffries wrote:
> On 7/04/2016 1:42 a.m., joe wrote:
>> yes
>>
>> FredB wrote

>>>> Attached is a patch which I think will fix 3.5.16 (should apply fine
>>>> on 4.0.8 too) without needing the cache reset. Anyone able to test it
>>>> please?

>>>
>>> Reset the cache still needed, at least in my case 
>>>
> 
> Hmm. I'm not sure why that reset would be needed. I just ran a series of
> tests with detailed debugging of the vary details being loaded from disk
> and it seems the last patch was correctly erasing the \0 terminators
> (and they were wrongly being stored).
> 
> So at least this new regression is fixed. Anything else seen in Vary is
> a separate bug.
> 
> FYI Ralf reported bug 4481 to track it. I have updated the bug with an
> explanation of the issue and applied that last patch to Squid-4 now. It
> should be in 3.5 in a day or two.
> 
And for those following this thread instead of bugzilla that 3.5 patch
is now up at


Amos



[squid-users] i have two question about https_port tproxy

2016-04-12 Thread johnzeng

Hello Dear Sir:

I will be optimizing https traffic soon in a bridge tproxy environment; I
know squid will do https_port tproxy.

Question one: will the feature (https_port) be stable in squid 3.5?

Question two: https_proxy will optimize special website URLs via ACL, or
https_proxy can optimize full https websites.

Sorry, I don't have much experience with https_port.

Which direction will be suitable for a small ISP environment?

If possible, please give me some advice.


Thanks