Re: [squid-users] URL/P2P blocking

2016-05-04 Thread Yuri Voinov

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
Just for information:

http://pastebin.com/dBYV9Zzb

Here are the completely up-to-date Cisco NBAR filtering capabilities from
one of my front 2901s with IOS 15.5 + the latest NBAR2 protocol pack.

Just take a look. You can see there P2P, Torrents, FB, YT, etc. etc. etc.

Not as Squid's antagonist - but just as additional tools to filter.

Note: Cisco also has time-based ACLs.

05.05.16 3:28, Yuri Voinov wrote:
> Finally,
>
> read this thread too:
>
> http://www.spinics.net/lists/squid/msg81113.html
>
> Some questions are already answered here.
>
> 05.05.16 3:26, Yuri Voinov wrote:
> > As a part of the solution I recommend (from my own experience)
> > considering this:
> >
> > https://www.urlfilterdb.com/products/ufdbguard.html
> >
> > But I repeat: this is NOT a magic "Disable all" button. This is a
> > relatively effective tool to block categories.
> >
> > This is only a URL/HTTP based tool, which requires some more effort to
> > use with HTTPS.
> > And it can't be a replacement for other means when it comes to other
> > protocols.
> >
> > Squid is only an HTTP/HTTPS proxy. Not for all existing protocols.
> >
> > 05.05.16 3:18, Yuri Voinov wrote:
> > > Generally, for effective blocking of everything, one would first
> > > consider a better design - as everyone and everything is engineered -
> > > and then look for the magic button "to disable all to hell."
> > >
> > > Then it becomes clear what is possible, and by what means - and what
> > > is not.
> > >
> > > Especially P2P - this is not about Squid at all.
> > >
> > > 05.05.16 3:11, Yuri Voinov wrote:
> > > > Facebook uses Akamai as a background CDN, so you need to block
> > > > Akamai (related URLs, which can be difficult, so consider using
> > > > Cisco NBAR DPI functionality) too in case you want to completely
> > > > block FB.
> > > >
> > > > YT still uses QUIC/SPDY, so read this:
> > > >
> > > > http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
> > > >
> > > > About P2P/Torrents, enough has been said here:
> > > >
> > > > http://wiki.squid-cache.org/ConfigExamples/TorrentFiltering
> > > >
> > > > Note: Using Cisco NBAR requires a valid service contract. Protocol
> > > > packs are not lying around everywhere, and are updated monthly.
> > > >
> > > > 05.05.16 3:04, Maile Halatuituia wrote:
> > > > > Someone with ideas on how to block Facebook, Youtube, P2P traffic
> > > > > through my squid box? Facebook seems to be working but likely
> > > > > some users bypass to youtube.com and the rest are blocked. Also I
> > > > > am looking to block P2P traffic, BITS protocols, etc. etc.
> > > > >
> > > > > Cheers

Re: [squid-users] URL/P2P blocking

2016-05-04 Thread Yuri Voinov

Finally,

read this thread too:

http://www.spinics.net/lists/squid/msg81113.html

Some questions are already answered here.

05.05.16 3:26, Yuri Voinov wrote:
> As a part of the solution I recommend (from my own experience)
> considering this:
>
> https://www.urlfilterdb.com/products/ufdbguard.html
>
> But I repeat: this is NOT a magic "Disable all" button. This is a
> relatively effective tool to block categories.
>
> This is only a URL/HTTP based tool, which requires some more effort to
> use with HTTPS.
> And it can't be a replacement for other means when it comes to other
> protocols.
>
> Squid is only an HTTP/HTTPS proxy. Not for all existing protocols.
>
> 05.05.16 3:18, Yuri Voinov wrote:
> > Generally, for effective blocking of everything, one would first
> > consider a better design - as everyone and everything is engineered -
> > and then look for the magic button "to disable all to hell."
> >
> > Then it becomes clear what is possible, and by what means - and what
> > is not.
> >
> > Especially P2P - this is not about Squid at all.
> >
> > 05.05.16 3:11, Yuri Voinov wrote:
> > > Facebook uses Akamai as a background CDN, so you need to block
> > > Akamai (related URLs, which can be difficult, so consider using
> > > Cisco NBAR DPI functionality) too in case you want to completely
> > > block FB.
> > >
> > > YT still uses QUIC/SPDY, so read this:
> > >
> > > http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
> > >
> > > About P2P/Torrents, enough has been said here:
> > >
> > > http://wiki.squid-cache.org/ConfigExamples/TorrentFiltering
> > >
> > > Note: Using Cisco NBAR requires a valid service contract. Protocol
> > > packs are not lying around everywhere, and are updated monthly.
> > >
> > > 05.05.16 3:04, Maile Halatuituia wrote:
> > > > Someone with ideas on how to block Facebook, Youtube, P2P traffic
> > > > through my squid box? Facebook seems to be working but likely
> > > > some users bypass to youtube.com and the rest are blocked. Also I
> > > > am looking to block P2P traffic, BITS protocols, etc. etc.
> > > >
> > > > Cheers

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] URL/P2P blocking

2016-05-04 Thread Yuri Voinov

As a part of the solution I recommend (from my own experience)
considering this:

https://www.urlfilterdb.com/products/ufdbguard.html

But I repeat: this is NOT a magic "Disable all" button. This is a
relatively effective tool to block categories.

This is only a URL/HTTP based tool, which requires some more effort to
use with HTTPS.
And it can't be a replacement for other means when it comes to other
protocols.

Squid is only an HTTP/HTTPS proxy. Not for all existing protocols.

05.05.16 3:18, Yuri Voinov wrote:
> Generally, for effective blocking of everything, one would first
> consider a better design - as everyone and everything is engineered -
> and then look for the magic button "to disable all to hell."
>
> Then it becomes clear what is possible, and by what means - and what
> is not.
>
> Especially P2P - this is not about Squid at all.
>
> 05.05.16 3:11, Yuri Voinov wrote:
> > Facebook uses Akamai as a background CDN, so you need to block
> > Akamai (related URLs, which can be difficult, so consider using
> > Cisco NBAR DPI functionality) too in case you want to completely
> > block FB.
> >
> > YT still uses QUIC/SPDY, so read this:
> >
> > http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
> >
> > About P2P/Torrents, enough has been said here:
> >
> > http://wiki.squid-cache.org/ConfigExamples/TorrentFiltering
> >
> > Note: Using Cisco NBAR requires a valid service contract. Protocol
> > packs are not lying around everywhere, and are updated monthly.
> >
> > 05.05.16 3:04, Maile Halatuituia wrote:
> > > Someone with ideas on how to block Facebook, Youtube, P2P traffic
> > > through my squid box? Facebook seems to be working but likely
> > > some users bypass to youtube.com and the rest are blocked. Also I
> > > am looking to block P2P traffic, BITS protocols, etc. etc.
> > >
> > > Cheers



Re: [squid-users] URL/P2P blocking

2016-05-04 Thread Yuri Voinov

Generally, for effective blocking of everything, one would first
consider a better design - as everyone and everything is engineered -
and then look for the magic button "to disable all to hell."

Then it becomes clear what is possible, and by what means - and what
is not.

Especially P2P - this is not about Squid at all.

05.05.16 3:11, Yuri Voinov wrote:
> Facebook uses Akamai as a background CDN, so you need to block
> Akamai (related URLs, which can be difficult, so consider using
> Cisco NBAR DPI functionality) too in case you want to completely
> block FB.
>
> YT still uses QUIC/SPDY, so read this:
>
> http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
>
> About P2P/Torrents, enough has been said here:
>
> http://wiki.squid-cache.org/ConfigExamples/TorrentFiltering
>
> Note: Using Cisco NBAR requires a valid service contract. Protocol
> packs are not lying around everywhere, and are updated monthly.
>
> 05.05.16 3:04, Maile Halatuituia wrote:
> > Someone with ideas on how to block Facebook, Youtube, P2P traffic
> > through my squid box? Facebook seems to be working but likely
> > some users bypass to youtube.com and the rest are blocked. Also I
> > am looking to block P2P traffic, BITS protocols, etc. etc.
> >
> > Cheers



Re: [squid-users] URL/P2P blocking

2016-05-04 Thread Yuri Voinov

Facebook uses Akamai as a background CDN, so you need to block Akamai
(related URLs, which can be difficult, so consider using Cisco NBAR
DPI functionality) too in case you want to completely block FB.

YT still uses QUIC/SPDY, so read this:

http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

About P2P/Torrents, enough has been said here:

http://wiki.squid-cache.org/ConfigExamples/TorrentFiltering

Note: Using Cisco NBAR requires a valid service contract. Protocol
packs are not lying around everywhere, and are updated monthly.


05.05.16 3:04, Maile Halatuituia wrote:
> Someone with ideas on how to block Facebook, Youtube, P2P traffic
> through my squid box? Facebook seems to be working but likely some users
> bypass to youtube.com and the rest are blocked. Also I am looking to
> block P2P traffic, BITS protocols, etc. etc.
>
> Cheers



[squid-users] URL/P2P blocking

2016-05-04 Thread Maile Halatuituia
Someone with ideas on how to block Facebook, Youtube, P2P traffic through my
squid box? Facebook seems to be working but likely some users bypass to
youtube.com and the rest are blocked. Also I am looking to block P2P traffic,
BITS protocols, etc. etc.

Cheers


Confidentiality Notice: This email (including any attachment) is intended for 
internal use only. Any unauthorized use, dissemination or copying of the 
content is prohibited. If you are not the intended recipient and have received 
this e-mail in error, please notify the sender by email and delete this email 
and any attachment.


Re: [squid-users] ldap authentication with encrypted credentials

2016-05-04 Thread L . P . H . van Belle
In addition, due to the last samba and windows security fixes there was a
behavior change.

So beware with squid and samba/winbind/ldap/windows auth.
Read: https://www.samba.org/samba/history/samba-4.4.2.html
This was a big impact..

But beware, use samba 4.2.12, 4.3.9 or 4.4.3.
All version bug releases (4.4.2, 4.3.8, 4.2.11) had some nasty bugs.

I had to reconfigure my squid auth.
I've tested with the latest squid 3.5.17 on my debian jessie, all fine again.

And to Sampei, add a samba 4 AD (preferred 4.4.3) to your domain,
move FSMO roles to samba, and drop your unsupported windows AD.
I dropped all my windows servers, only samba now.


Greetz, 

Louis



> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 4 May 2016 14:23
> To: Sampei; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] ldap authentication with encrypted
> credentials
> 
> On 4/05/2016 11:56 p.m., Sampei wrote:
> > I'll explain better:
> > Squid is running on an older Debian 5 server and every Windows (XP/7/10)
> > client uses it to surf the web.
> > Clients are configured in an out-of-date Microsoft domain where Domain
> > Controllers are based on Windows 2000 server.
> > So far I permit Internet access to clients by specifying the IP address of
> > computers in the squid.conf file, but now I'd like to manage internet access
> > by asking the user for their AD credentials.
> > Now I'm not able to update systems, so I have to schedule their upgrade for
> > next year.
> 
> I've been in those shoes myself, and recommend you may want to keep the
> IP based authorization until you can get a better AD system.
> 
> > > Look into Negotiate/Kerberos authentication. You will need that for
> > > the Win7 and Win10 clients anyway
> > For Windows 7/10 clients, will the Basic authentication (Squid 2.7) with LDAP
> > helper not be able to work?
> > While Kerberos will work both with older clients and newer ones?
> 
> Yes they all still support Basic, but you said that was not desirable.
> 
> The secure methods that leaves you with are NTLMv2 (definitely *not*
> NTLMv1) or Negotiate/Kerberos.
> 
> NTLM was deprecated by MS in 2006. All software produced by MS since
> then is increasingly hostile to NTLM being used and prefers Kerberos.
> XP can handle Kerberos with maybe a little config. And it is both more
> secure and faster, so a double win once you get over the learning curve
> for its management tools.
> 
> I'm not sure if or how the Win2k server can handle Kerberos. You will
> need to find that out.
> 
> Amos



Re: [squid-users] ldap authentication with encrypted credentials

2016-05-04 Thread Amos Jeffries
On 4/05/2016 11:56 p.m., Sampei wrote:
> I'll explain better:
> Squid is running on an older Debian 5 server and every Windows (XP/7/10)
> client uses it to surf the web.
> Clients are configured in an out-of-date Microsoft domain where Domain
> Controllers are based on Windows 2000 server.
> So far I permit Internet access to clients by specifying the IP address of
> computers in the squid.conf file, but now I'd like to manage internet access
> by asking the user for their AD credentials.
> Now I'm not able to update systems, so I have to schedule their upgrade for
> next year.

I've been in those shoes myself, and recommend you may want to keep the
IP based authorization until you can get a better AD system.

> > Look into Negotiate/Kerberos authentication. You will need that for
> > the Win7 and Win10 clients anyway
> For Windows 7/10 clients, will the Basic authentication (Squid 2.7) with LDAP
> helper not be able to work?
> While Kerberos will work both with older clients and newer ones?

Yes they all still support Basic, but you said that was not desirable.

The secure methods that leaves you with are NTLMv2 (definitely *not*
NTLMv1) or Negotiate/Kerberos.

NTLM was deprecated by MS in 2006. All software produced by MS since
then is increasingly hostile to NTLM being used and prefers Kerberos.
XP can handle Kerberos with maybe a little config. And it is both more
secure and faster, so a double win once you get over the learning curve
for its management tools.

I'm not sure if or how the Win2k server can handle Kerberos. You will
need to find that out.

Amos



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-04 Thread Yuri Voinov



04.05.16 18:05, Amos Jeffries wrote:
> On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
> > Hi there,
> >
> > Maybe someone already knows any solution:
> >
> > I have a transparent proxy and for some reasons I can't use
> > login/password authentication. However I still need to control who can
> > access my proxy.
> >
> > I can install certificates to my users. Is it possible to allow connection
> > only if a user has the certificate issued by my CA?
>
> You seem not to quite understand what the "some reasons" actually are.
> If you did you would not have to ask.
>
> Firstly, there is only one reason behind it all.
>
> The reason is that the client thinks it's talking to some service that
> is *not your proxy*. That is very important.
>
> Secondly, there is one criterion that determines what works and what fails.
>
> That criterion is "authentication". Specifically in-band authentication.
> Any type of in-band authentication WILL fail. Any type. Not just passwords.
>
> TLS client certificate is just another type of in-band authentication.
>  * Which answers your question: No. It won't work the way you want.
>
> If you can install certificates that easily, then surely you can just as
> easily assign explicit proxy settings. Doing that would avoid all the
> issues with interception.
>
> Also, think about all the passive details / metadata you get from the
> client traffic and how you can use it to authorize access without
> actively engaging the client across the intercepted connection.
>
> There are quite a lot of things you can do. Methods like RADIUS or DHCP
> assigned IP addresses. Static IPs, or MAC address registrations a proxy
> external ACL helper can look up to identify the client account.

Just in addition: DHCP with infinite lease, or static binding, or IDENT
;) Or, yes, RADIUS.

> Amos


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-04 Thread Amos Jeffries
On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
> Hi there,
> 
> 
> Maybe someone already knows any solution:
> 
> 
> I have a transparent proxy and for some reasons I can't use
> login/password authentication. However I still need to control who can
> access my proxy.
> 
> 
> I can install certificates to my users. Is it possible to allow connection
> only if a user has the certificate issued by my CA?

You seem not to quite understand what the "some reasons" actually are.
If you did you would not have to ask.


Firstly, there is only one reason behind it all.

The reason is that the client thinks it's talking to some service that
is *not your proxy*. That is very important.


Secondly, there is one criterion that determines what works and what fails.

That criterion is "authentication". Specifically in-band authentication.
Any type of in-band authentication WILL fail. Any type. Not just passwords.

TLS client certificate is just another type of in-band authentication.
 * Which answers your question: No. It won't work the way you want.


If you can install certificates that easily, then surely you can just as
easily assign explicit proxy settings. Doing that would avoid all the
issues with interception.


Also, think about all the passive details / metadata you get from the
client traffic and how you can use it to authorize access without
actively engaging the client across the intercepted connection.

There are quite a lot of things you can do. Methods like RADIUS or DHCP
assigned IP addresses. Static IPs, or MAC address registrations a proxy
external ACL helper can look up to identify the client account.

Amos

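One way to implement the passive, registration-based authorization Amos describes for an intercepting proxy, as an added example that is not from this thread or from the Squid project: a small external ACL helper in Python that maps the intercepted client's source address to a registered account and answers Squid in the external_acl_type helper protocol. The squid.conf lines, the helper's file path and the registration table are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: authorize intercepted clients by a static
IP-to-account registration instead of in-band authentication.

Helper protocol (external_acl_type): Squid writes one request line per
lookup to stdin, built from the format tokens in squid.conf; the helper
answers one line, "OK" or "ERR", optionally followed by key=value pairs
such as user=<name>. With concurrency=N the request line starts with a
channel id that must be echoed back in front of the reply.

Assumed squid.conf wiring (names and path are this example's, not Squid's):

  external_acl_type ip_account ttl=300 negative_ttl=30 concurrency=10 \
      %SRC /usr/local/bin/ip_account_acl.py
  acl registered external ip_account
  http_access allow registered
  http_access deny all
"""
import ipaddress
import sys

# Constructed registration table: client address -> account name.
# In practice this would be exported from the DHCP reservations, RADIUS
# accounting or static bindings that the thread recommends relying on.
REGISTRATIONS = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
    "2001:db8::25": "carol",
}


def lookup(request_line: str, concurrent: bool = True) -> str:
    """Build the reply for one request line from Squid.

    Addresses are normalised through ipaddress so that an expanded IPv6
    form or an IPv4-mapped IPv6 address still matches the table; anything
    that is not an address (Squid sends "-" for a missing value) is ERR.
    """
    fields = request_line.strip().split()
    channel = ""
    if concurrent:
        if not fields:
            return "ERR"
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "ERR message=no_client_address"
    try:
        client = ipaddress.ip_address(fields[0])
    except ValueError:
        return channel + "ERR message=bad_client_address"
    if isinstance(client, ipaddress.IPv6Address) and client.ipv4_mapped:
        client = client.ipv4_mapped
    account = REGISTRATIONS.get(str(client))
    if account is None:
        return channel + "ERR"
    return channel + "OK user=" + account


def main() -> None:
    # Squid waits for a newline-terminated reply per request, so flush each.
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```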