Re: [squid-users] Can Traffic Management Settings be configured for other TCP protocols?

2016-05-16 Thread Amos Jeffries

On 2016-05-17 07:49, J Green wrote:

> Sorry, I was looking for logging of traffic management events, where
> maximum download/upload size has been violated.  Thank you.



The Squid native format logs size of things delivered to the client, not 
the upload/request size.


You will need to define a custom log format. See the "SIZE COUNTERS" 
section of  for the 
available size measurement codes. You probably want %st.


And as Alex said tunnels and large uploads will not be logged and 
reported until they are finished. You cannot catch someone in the act 
using logs.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread admin
Thanks for answer, Alex! 

Alex Rousskov wrote 2016-05-17 00:24:

> When access is prohibited via http_access deny, Squid needs to send an
> "Access Denied" error response to the user (this is how http_access
> works). To send that error to the user, Squid needs to establish a
> secure connection with the user (this is how HTTPS works). To do that,
> Squid has to use its own SSL certificate (this is how SSL works).
> 
> If you want to use a splice-or-terminate design, do not deny access via
> http_access. Limit yourself to "ssl_bump terminate" rules.

Is a feature planned so that Squid terminates when it would give ERR_ACCESS_DENIED?

What are some other ways to deny HTTPS in intercept mode?


Re: [squid-users] Can Traffic Management Settings be configured for other TCP protocols?

2016-05-16 Thread Alex Rousskov
On 05/16/2016 01:49 PM, J Green wrote:
> Sorry, I was looking for logging of traffic management events, where
> maximum download/upload size has been violated.

When it comes to logging, I recommend that you think in terms of
transactions rather than traffic management events because Squid logs
transactions, not events (except for extraordinary events logged in
cache.log that should not be abused for your purposes).

If Squid abnormally terminates a transaction for any reason, including
exceeding size restrictions, the corresponding access log entry should
reflect that. I do not know whether the logged details would be
sufficient to identify the particular events you are interested in.


Furthermore, if you can express "maximum download/upload size has been
violated" condition using existing Squid ACLs, then you can log all
transactions that meet that condition to a special access log (and/or
log no other transactions).

  http://www.squid-cache.org/Doc/config/access_log/

If you cannot express that condition using existing Squid ACLs, you may
facilitate adding new Squid ACLs that would allow you to do so. If you
have to go this route, please define exactly what transactions each new
ACLs will match. The more transactions an ACL can apply to (i.e., can be
evaluated against), the better.

Alex.


> On Mon, May 16, 2016 at 12:39 PM, Alex Rousskov wrote:
> 
> On 05/16/2016 12:37 PM, J Green wrote:
> > Re logging, does this eventually get logged by Squid, somewhere?
> 
> All transactions accessing Squid must be logged in access.log. If a
> transaction is not logged, it is a Squid bug.
> 
> Please note that Squid logs transactions when they complete, not when
> they start. Thus, tunneled transactions should be logged when the tunnel
> is closed, which may take a very long time in some cases.
> 
> Alex.
> 
> 

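As an added example (not code from the page or from the Squid project), the following Python script parses a custom access log of the kind Amos and Alex describe above, built with Squid's %>st, %<st and %st size counters, and flags the transactions that exceeded a per-transaction upload or download limit. The logformat line, the limits and the sample log lines are constructed assumptions.

```python
"""Flag Squid access-log entries whose sizes exceeded a per-transaction limit.

Assumed custom logformat in squid.conf (constructed for this example; the
%>st, %<st and %st codes are Squid size counters, the layout is ours):

    logformat sizes %ts.%03tu %>a %Ss/%03>Hs %rm %ru %>st %<st %st
    access_log /var/log/squid/sizes.log sizes

Fields: unix time, client address, squid-status/http-status, method, URL,
request bytes (%>st), reply bytes (%<st), total bytes (%st).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<sstatus>\S+)/(?P<hstatus>\d{3})\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<req>\d+)\s+(?P<rep>\d+)\s+(?P<total>\d+)$"
)

# Constructed sample lines in the assumed format (not real traffic).
SAMPLE_LOG = [
    "1463431200.123 10.0.0.5 TCP_MISS/200 GET http://example.com/index.html 412 15234 15646",
    "1463431260.456 10.0.0.7 TCP_MISS/200 PUT http://example.com/upload 52428800 300 52429100",
    "1463431300.789 10.0.0.9 TCP_MISS_ABORTED/000 GET http://example.com/big.iso 380 104857600 104857980",
    "1463431400.000 10.0.0.5 TCP_TUNNEL/200 CONNECT example.com:443 9000 20000 29000",
    "this line is not in the expected format",
]


@dataclass
class Entry:
    ts: float
    client: str
    squid_status: str
    http_status: int
    method: str
    url: str
    req_bytes: int    # %>st: bytes received from the client, headers included
    rep_bytes: int    # %<st: bytes sent to the client, headers included
    total_bytes: int  # %st: req_bytes + rep_bytes


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of the assumed format; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=float(m["ts"]), client=m["client"], squid_status=m["sstatus"],
        http_status=int(m["hstatus"]), method=m["method"], url=m["url"],
        req_bytes=int(m["req"]), rep_bytes=int(m["rep"]), total_bytes=int(m["total"]),
    )


def find_size_violations(lines: Iterable[str], max_upload: int,
                         max_download: int) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for transactions whose logged sizes exceed the limits.

    The counters cover the whole transaction: a CONNECT tunnel's bytes are only
    known, and logged, once the tunnel closes, so a tunnel still in progress
    never appears here. An _ABORTED squid status is added as context only; it
    is not by itself evidence of a size violation.
    """
    hits: List[Tuple[Entry, List[str]]] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip lines in another format (or a different logformat)
        reasons: List[str] = []
        if e.req_bytes > max_upload:
            reasons.append(f"upload {e.req_bytes} > {max_upload}")
        if e.rep_bytes > max_download:
            reasons.append(f"download {e.rep_bytes} > {max_download}")
        if reasons and e.squid_status.endswith("_ABORTED"):
            reasons.append("transaction aborted")
        if reasons:
            hits.append((e, reasons))
    return hits


def bytes_per_client(lines: Iterable[str]) -> Dict[str, int]:
    """Sum %st per client address, for a per-user view of the same log."""
    totals: Dict[str, int] = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            totals[e.client] = totals.get(e.client, 0) + e.total_bytes
    return totals


if __name__ == "__main__":
    # Assumed limits: 10 MiB per upload, 50 MiB per download.
    for e, why in find_size_violations(SAMPLE_LOG, 10 * 1024 * 1024, 50 * 1024 * 1024):
        print(f"{e.client} {e.method} {e.url}: {', '.join(why)}")
```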


Re: [squid-users] Squid unable to send full PNG file

2016-05-16 Thread Yuri Voinov

Which side does this refer to for squid? Check whether the other server needs to be configured.

17.05.16 2:23, Aashima Madaan writes:
> Hi,
>
> I have a PNG file uploaded on server.
> As part of Download process, it passes through SQUID to another server
> for scanning and then to Client.
>
> When I send request to Download, the response sends only 27kb of
> image back from server out of 700kb file
>
> But when I turn off the respmod in squid.conf file
>
> #adaptation_access service_resp allow all
>
> The client gets full file. This is happening only with PNG files. Did
> anyone encounter this kind of issue and have suggestions in this case?
>
> Appreciate your help.
>
> Thanks
>
> Aashima



Re: [squid-users] Can Traffic Management Settings be configured for other TCP protocols?

2016-05-16 Thread J Green
Sorry, I was looking for logging of traffic management events, where
maximum download/upload size has been violated.  Thank you.

On Mon, May 16, 2016 at 12:39 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 05/16/2016 12:37 PM, J Green wrote:
> > Re logging, does this eventually get logged by Squid, somewhere?
>
> All transactions accessing Squid must be logged in access.log. If a
> transaction is not logged, it is a Squid bug.
>
> Please note that Squid logs transactions when they complete, not when
> they start. Thus, tunneled transactions should be logged when the tunnel
> is closed, which may take a very long time in some cases.
>
> Alex.
>


Re: [squid-users] Can Traffic Management Settings be configured for other TCP protocols?

2016-05-16 Thread Alex Rousskov
On 05/16/2016 12:37 PM, J Green wrote:
> Re logging, does this eventually get logged by Squid, somewhere?

All transactions accessing Squid must be logged in access.log. If a
transaction is not logged, it is a Squid bug.

Please note that Squid logs transactions when they complete, not when
they start. Thus, tunneled transactions should be logged when the tunnel
is closed, which may take a very long time in some cases.

Alex.


Re: [squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Alex Rousskov
On 05/16/2016 10:47 AM, Walter H. wrote:

> I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the
> generated certificates are now SHA2 and not SHA1,
> can I influence somewhere to generate still SHA1 certificates?

Yes, you can:
http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/

Alex.



Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread Alex Rousskov
On 05/16/2016 04:47 AM, admin wrote:
>>> acl blocked_https ssl::server_name  "/etc/squid/urls/block-url"
>>> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2
>>> connection-auth=off cert=/etc/squid/squidCA.pem
>>> acl step1 at_step SslBump1
>>> ssl_bump peek step1
>>> ssl_bump terminate blocked_https
>>>
>>> It works.

>> Obviously not. There is no instruction what to do other than terminate.
>> Squid is left to other circumstances to decide what is needed...

> it works! :) if you have the opportunity to check on the virtual machine

Your configuration works by accident. You should not expect it to work
across Squid upgrades, for example. It may continue to work or may stop
working. To fix the problem, be explicit regarding what to do when the
terminate rule does not match:

  ssl_bump peek step1
  ssl_bump terminate blocked_https
  ssl_bump splice all



> http_access deny users_no_inet

> Why, if access is
> allowed, does everything work, but if access to HTTP is banned, you must
> first see a message stating that my certificate has not been able to
> match, and only then ERR_ACCESS_DENIED?


When access is allowed, Squid works as a TCP relay. Client bytes are
sent to the origin server. Server bytes are sent to the client. No
errors or certificates to worry about.

When access is prohibited via http_access deny, Squid needs to send an
"Access Denied" error response to the user (this is how http_access
works). To send that error to the user, Squid needs to establish a
secure connection with the user (this is how HTTPS works). To do that,
Squid has to use its own SSL certificate (this is how SSL works).


If you want to use a splice-or-terminate design, do not deny access via
http_access. Limit yourself to "ssl_bump terminate" rules.


HTH,

Alex.





Re: [squid-users] Can Traffic Management Settings be configured for other TCP protocols?

2016-05-16 Thread J Green
Re logging, does this eventually get logged by Squid, somewhere?

For this implementation, I was going to use pfSense.  Turns out that Sarg
is no longer included in the package list for pfSense (current version).



On Tue, May 10, 2016 at 2:43 PM, J Green wrote:

> Very interesting, thank you both.
>
> On Tue, May 10, 2016 at 2:23 PM, Yuri Voinov wrote:
>
>> 11.05.16 2:57, Eliezer Croitoru writes:
>> >
>> > Hey,
>> >
>> > You can always use a TOS from squid to mark connections and\or users
>> > and to somehow create some policy case on that.
>>
>> Sure, Eliezer. I'd forgotten about TOS. Good point.
>>
>> > I have used more than once the Linux "tc" to "jail" a user which was
>> > abusing his unbound bandwidth policy.
>> >
>> > I do not like the idea but I have asked a couple of networking experts about
>> > the most used approach compared to the most efficient and it seems pretty
>> > reasonable from the business aspect of networking to slow (not hog) a user.
>> > Specifically there are places which define the Internet as WEB only,
>> > ie port 80 and 443 and for HTTP only traffic.
>> >
>> > For these purposes squid is great while there are other approaches to
>> > the subject.
>> >
>> > Eliezer
>> >
>> > Eliezer Croitoru
>> > Linux System Administrator
>> > Mobile: +972-5-28704261
>> > Email: elie...@ngtech.co.il
>> >
>> > *From:* squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
>> > *On Behalf Of* J Green
>> > *Sent:* Tuesday, May 10, 2016 8:42 PM
>> > *To:* Yuri Voinov
>> > *Cc:* squid-users@lists.squid-cache.org
>> > *Subject:* Re: [squid-users] Can Traffic Management Settings be
>> > configured for other TCP protocols?
>> >
>> > That is fair, re intended use.  But yes, management want to know if
>> > users are attempting to circumvent policy.  Re analyzing logs, I did not
>> > see this logged anywhere.  Is there perhaps a debug mode which I need to
>> > enable?
>> >
>> > Thank you.
>> >
>> > On Tue, May 10, 2016 at 10:29 AM, Yuri Voinov wrote:
>> >
>> > First, upload is PUT method usage. Most common HTTP/HTTPS is GET/HEAD
>> > methods.
>> >
>> > Second, logging of all things is not my goal.
>> >
>> > For me, it is sufficient that the restrictions imposed by me are in
>> > accordance with the policy. The amount of downloads is counted for me by
>> > log analyzers, if management is interested in reading the reports independently.
>> >
>> > 10.05.16 23:25, J Green writes:
>> > > So back to the intended use cases for HTTP, HTTPS, & FTP, how can
>> > > you log violations of maximum download/upload size?  I see an error message
>> > > generated on the client system, but not w/in Squid.  Thank you.
>> > >
>> > > On Mon, May 9, 2016 at 10:12 AM, Yuri Voinov wrote:
>> > >
>> > > Squid is not a proxy server for every imaginable TCP protocol.
>> > >
>> > > AFAIK HTTP/HTTPS/FTP. That's all, folks.
>> > >
>> > > 09.05.16 23:07, J Green writes:
>> > > > Hello all:
>> > > >
>> > > > Can Traffic Management Settings be configured for TCP
>> > > > protocols other than HTTP?
>> > > >
>> > > > Would like to limit maximum upload and download sizes for
>> > > > other TCP protocols:  SMB, NFS, FTP, and RDP.
>> > > >
>> > > > Is this possible?  If so, how?
>> > > >
>> > > > Thank you.

[squid-users] squid, SMP and authentication and service regression over time

2016-05-16 Thread Eugene M. Zheganin

Hi.

I've been using squid for a long time. I'm using it to authenticate/authorize 
users accessing the Internet with LDAP in a Windows corporate 
environment (Basic/NTLM/GSS-SPNEGO), and recently (several months 
ago) I had to switch to the SMP scheme, because one process started to 
eat the whole core sometimes, thus bottlenecking users on it. The situation 
with CPU effectiveness improved; however, I discovered several issues. 
The first I was aware of is the non-functional SNMP (since there's no 
solution, I just had to sacrifice it). But the second one is more 
disturbing.

I discovered that after some uptime (usually a couple of 
weeks, a month at its best) squid somehow degrades and stops 
authorizing users. I have about 600 active users on my biggest site 
(without SNMP I'm not sure how many simultaneous users I've got), but 
usually this starts like this: someone (this starts with one person) 
complains that he lost his access to the internet - not entirely, no. At 
first the access is very slow, and the victim has to wait several 
minutes for the page to load. Others are unaffected at this time. From 
time to time the victim is able to load one of two tabs in the browser, 
eventually, but by the end of the day this becomes unusable, and my 
support has to come in. Then this gets escalated to me. First I was 
debugging various kerberos stuff, NTLM, the victim's machine domain 
membership and so on. But today I managed to figure out that all I have 
to do is just restart squid, yeah (sounds silly, but I don't like to 
restart things; like in the "IT Crowd" TV series, this is kind of a last 
resort measure, when I'm desperate). If I'm stubborn enough to continue 
the investigation, soon I get 2 users complaining, then 3, then more.

During previous outages I eventually used to restart squid (to change 
the domain controller in the kerberos config, if I blamed one; to disable the 
external Kerberos/LDAP helper connection pooling, if I blamed one) - so 
each time there was a candidate to blame. But this time I just decided 
to restart squid, since I started to think it's the main reason, et 
voila. I should also mention that I have run this AAA scheme in squid for 
years, and I didn't have this issue previously. I also have like a dozen 
other squids running the same (very similar) config - same AAA stuff, 
Basic/NTLM/GSS-SpNego, same AD group checking, but only for 
different group memberships - and none of them has this issue. I'm 
thinking there's SMP involved, really.


I realize this is a poor problem report. "Something degrades, I restart 
squid, please help, I think it's SMP-related". But the thing is - I 
don't know where to start to narrow this stuff. If anyone's having a 
good idea please let me know.


Thanks.
Eugene.


Re: [squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Eliezer Croitoru
Hey Walter,

I am not sure if it's the ssl_crtd which does such a thing, but this is my
main suspect.
If you can extract the ssl_crtd binary from 3.4.X (newest) and test it, before
Alex perhaps responds, then it will verify some of the doubt.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Walter H.
Sent: Monday, May 16, 2016 7:48 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] SSL-Bump and generated certificates ...

Hello,

I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the
generated certificates are now SHA2 and not SHA1, can I influence somewhere
to generate still SHA1 certificates?
(I have devices which use this proxy and are not able to handle SHA2)

Thanks,
Walter





[squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Walter H.

Hello,

I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the 
generated certificates are now SHA2 and not SHA1,

can I influence somewhere to generate still SHA1 certificates?
(I have devices which use this proxy and are not able to handle SHA2)

Thanks,
Walter






[squid-users] squid_ldap_auth: WARNING, LDAP search error 'Referral'

2016-05-16 Thread Manduva, Ranga Sai
Hello,

I am receiving this error while authenticating a user with the AD, and 
internet access is denied. I know there is a switch '-R' to explicitly enable 
"do not follow referrals", which I am not using here.

Did anyone face a similar issue? My AD is using nested groups between domains, 
where the users and groups are from different domains.

I've been stuck with this issue for a while; I'd appreciate anyone's help in this regard.

Thank you.

Regards,
Ranga




Re: [squid-users] New StoreID helper: squid_dedup

2016-05-16 Thread Hans-Peter Jansen
Hi Eliezer,

Thanks for your feedback, much appreciated, /especially/ from you.

The most important part is in dedup.py. I've kept an eye on efficiency without 
sacrificing readability (much) and extendability:

https://github.com/frispete/squid_dedup/blob/master/squid_dedup/dedup.py

A big part of the rest is related to configuration management, which tries to 
maximize convenience (as many config files as wanted, automatic reload option 
on changes, etc..)

Depending on public interest, it would be cool to create a public CDN 
collection, that is shared among users, or even distributed automatically.

Pete

On Monday, 16 May 2016 03:44:29 Eliezer Croitoru wrote:
> Thanks for sharing!
> 
> I didn't have enough time to understand the tool structure since I am not
> a python expert but,
> This is the first squid helper I have seen which is based on python and
> implements concurrency.
> 
> Thanks!!
> Eliezer Croitoru
> 
> On 10/05/2016 00:56, Hans-Peter Jansen wrote:
> > Hi,
> > 
> > I'm pleased to announce the availability of squid_dedup, a helper for
> > deduplicating CDN accesses, implementing the squid 3 StoreID protocol.
> > 
> > It is a multi-threaded tool, written in python3, with no further
> > dependencies, hosted at: https://github.com/frispete/squid_dedup
> > available at: https://pypi.python.org/pypi/squid-dedup
> > 
> > For openSUSE users, a ready made rpm package is available here:
> > https://build.opensuse.org/package/show/home:frispete:python3/squid_dedup
> > 
> > Any feedback is greatly appreciated.
> > 
> > Cheers,
> > Pete



Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread admin
Amos Jeffries wrote 2016-05-16 13:34:

> Please upgrade to 3.5.19.

Upgrade to 3.5.19

>> acl blocked_https ssl::server_name  "/etc/squid/urls/block-url"
>> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2
>> connection-auth=off cert=/etc/squid/squidCA.pem
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump terminate blocked_https
>> 
>> It works.
> 
> Obviously not. There is no instruction what to do other than terminate.
> Squid is left to other circumstances to decide what is needed...

it works! :) if you have the opportunity to check on the virtual machine

>> But if I use
>> 
>> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
>> http_access deny users_no_inet
> 
> ... you force bumping to happen in order to deliver the HTTP error message.
> 
> Try adding this rule above the peek (and the ACL line too):
> ssl_bump terminate users_no_inet

trying, no success :(

I just do not understand the reason for such behavior. Why, if access is
allowed, does everything work, but if access to HTTP is banned, you must
first see a message stating that my certificate has not been able to
match, and only then ERR_ACCESS_DENIED? Sorry for my English.


Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread Eliezer Croitoru
Hey Tim,

I have been working for quite some time on packages for a couple of Linux 
distributions, among them Ubuntu and Debian.
I was planning to publish them (Ubuntu + Debian) inside a tar.xz and to attach 
to them a tiny "update\install" script.
This is since I have been trying to use the deb packaging system for quite some time 
and to try and build using it, but compared to RPMs I keep forgetting every 
time what I did last time.
So in the next couple of weeks I will try to publish the next tar.xz:
- Ubuntu 14.04 32+64 bit
- Ubuntu 16.04 32+64 bit
- Debian 8 32+64 bit
- Debian 7 32+64 bit

This is part of my attempt to somehow publish a binary version of squid per 
release.
I hope to have some time to make it possible, so that squid 4.X will also 
get the same attention.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Tim Bates
Sent: Saturday, May 14, 2016 12:36 PM
To: squid-us...@squid-cache.org
Subject: [squid-users] Are there any distros with SSL Bump compiled by default?

Are there any Linux distros with pre-compiled versions of Squid with SSL Bump 
support compiled in?

Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that 
includes SSL Bump?

TB


Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread admin

https://itcrowd72.ru/cloud/index.php/s/W4Sv8ojnf5dVKvc

squid 3.5.19 with SSL. Compiled and build deb in Debian 8. Enjoy :)



Amos Jeffries wrote 2016-05-16 14:25:


Please update those to 3.5.19. A dozen CVE's went out these past few
months. :-(



Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread Amos Jeffries
On 16/05/2016 7:20 p.m., Matus UHLAR - fantomas wrote:
>>> Tim Bates wrote 2016-05-14 14:36:
>>>
>>> Are there any Linux distros with pre-compiled versions of Squid with SSL
>>> Bump support compiled in?
>>>
>>> Alternatively, does anyone reputable do a 3rd party repo for
>>> Debian/Ubuntu that includes SSL Bump?
> 
>>> On 16.05.16 10:36, admin wrote:
>>>> I make deb's compiled squid in Debian 8:
>>>> 3.5.8
>>>> 3.5.17

Please update those to 3.5.19. A dozen CVE's went out these past few
months. :-(

>>>> 4.0.10
> 
>> Matus UHLAR - fantomas wrote 2016-05-16 11:55:
>>> OpenSSL?
> 
> On 16.05.16 12:05, admin wrote:
>> Yes
> 
>> Can send to email if needed
> 
> I just wanted to point out that distributing GPL'ed software (squid)
> depending on (linked with) non-GPL/LGPL libraries is AFAIK GPL violation
> and therefore illegal copying...


What is being attempted above is not a GPL violation AFAIK. So long as
the Squid ./configure && make system is used to construct the binary and
Squid source is not altered in any way by the builder.

* GPL permits linking against OpenSSL because both softwares sources are
available publicly.

* It is GPL violation to distribute the OpenSSL and Squid sources
together as parts of something else. In source form.

Thus distributors like Diladele can provide binary-only formats with no
source changes to Squid or OpenSSL.
  Each component of the offering is publicly available (GPL compliant)
and the pieces of OpenSSL, Squid and the packaging source code are
distributed via separate channels (OpenSSL compliant).

Debian and Ubuntu distribute sources of all binaries as part of their OS
repository. The very act of adding package install scripts causes the
issue here. The repository would contain all of Squid + OpenSSL +
packaging scripts source code.


But, but, but

* It is OpenSSL violation to distribute any binary that does not
advertise OpenSSL usage. In the binary outputs, even those not using
OpenSSL logic (Ouch!). Unless the OS provides the library as part of its
core system.

Debian and Ubuntu use GnuTLS as the system preferred library. OpenSSL
license not being GPL compliant also makes it not DFSG compliant and so
not part of the core OS repository. It and anything using it are in the
non-free optional extras repository instead.
 There are some suggestions to build and put a version of Squid in
there. But that still collides with the previous GPL issue about sources
being together in the repo.


Adding advertising clauses in the way required by OpenSSL would make
Squid binaries no longer be GPL compliant unless we got explicit written
permission from everyone who contributed patches. A lot of contributors
have long-dead emails, requested anonymity or some in fact are now
physically deceased. So we are stuck at our end as well even with that.

I am working on GnuTLS support as a side project, and the OpenSSL people
are apparently working on fixing their license to be GPL compliant. It
is a lot of work and going quite slow on both fronts. You can see some
of my work reflected in the squid.conf changes of Squid-4, and the
latest Debian/Ubuntu squidclient packages :-)

Amos



Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread Amos Jeffries
On 16/05/2016 5:48 p.m., admin wrote:
> Hi!
> 
> Squid 3.5.17 with SSL, intercept.

Please upgrade to 3.5.19.

> 
> I use SSL-Bump only step1 that get SNI and terminate HTTPS sites by
> domain name. The certificate's is not replaced !

The certificate is never replaced. Though if you don't know how TLS works
and look at it only from the client perspective it can appear to be so.
The reality is you either have one TLS connection or two with different
certificates on each.

> 
> acl blocked_https ssl::server_name  "/etc/squid/urls/block-url"
> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2
> connection-auth=off cert=/etc/squid/squidCA.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate blocked_https
> 
> It works.

Obviously not. There is no instruction what to do other than terminate.
Squid is left to other circumstances to decide what is needed...

> 
> But if I use
> 
> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
> http_access deny users_no_inet

... you force bumping to happen in order to deliver the HTTP error message.

Try adding this rule above the peek (and the ACL line too):
  ssl_bump terminate users_no_inet


> 
> I see NET::ERR_CERT_AUTHORITY_INVALID in browser. I import my squid
> cert, but I see NET::ERR_CERT_COMMON_NAME_INVALID
> 
> Why in this case, the squid trying to replace the certificate?

There is no server connection or certificate in existence. So nothing
exists to be replaced.

What you are seeing is Squid using its own certificate to get a TLS
connection it can deliver the HTTP error message through.


Amos



Re: [squid-users] Would it be possible to run a http to https gateway using squid?

2016-05-16 Thread Amos Jeffries
On 16/05/2016 12:53 p.m., Eliezer Croitoru wrote:
> Hey Amos,
> 
> You are right that it seems like there is no point since you already
> decrypt the connection.
> But in the real world the price of maintaining an encrypted session for
> many users for a long period is not the same as maintaining them for
> short burst.

Yes, the short connections have higher cost on almost all metrics.

The maintenance cost of either TCP or TLS connections is a fixed
per-packet cost in both memory holding connection state and CPU cycles
handling the packet. The number of handshakes and open/close cycles adds
a burst of extra cost.


> 
> Since all YouTube traffic is done on HTTPS it would be pretty simple
> with these days tools to use some kind of a "https to http bridge"
> software that would
> fetch the pages for the clients(most of the pages are tiny) and it will
> help the clients to be able to handle less secured traffic.
> 

YT is secured as an attempt to protect privacy. You are ignoring the
most annoying part of the privacy equation.

For any piece of privacy critical information A, there is another piece
of metadata information B = uses(A) which can be correlated and thus
needs to be treated as equivalent in privacy to A itself.
And of course that makes the start of a slippery slope in the
definition of privacy: B is private so it has its own C = uses(B), etc, etc.

So for example; given a YouTube video of some baby saying their first word:
 * That video as private,
 * meaning where its stored is private,
 * meaning who accessed that URL is private,
 * meaning pages containing the URL is private,
 * meaning who accesses YT pages is private,
 * meaning who tries to contact YT is private,
 * ... and it gets more paranoid from there.

There is a similar chain from other details about the video; the timing
of the video creation, who posted it, what type it is, how long it is,
file size, etc. It is all metadata and enough of that can be correlated.

In a world like ours where mass surveillance exists if those minor
details are not all 100% secured then privacy is lost.




> I know that with these days hardware it's almost not needed but inside a
> trusted network there is no point for using end to end HTTPS.(to my
> understanding)
> Some will might not believe that there are trusted networks in the wild
> but I know that these do exist and in many of these such a GW is required.

The Internet does not qualify as a trusted network.

If you are talking about inbound connections from Internet / WAN into a
trusted network. That is the definition of a CDN / reverse-proxy and
"https_port 443 accel" has been doing that securely and very well since
Squid-2.6.


Amos



Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread Matus UHLAR - fantomas

> Tim Bates wrote 2016-05-14 14:36:
>
> Are there any Linux distros with pre-compiled versions of Squid with SSL
> Bump support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for
> Debian/Ubuntu that includes SSL Bump?

On 16.05.16 10:36, admin wrote:
> I make deb's compiled squid in Debian 8:
> 3.5.8
> 3.5.17
> 4.0.10

Matus UHLAR - fantomas wrote 2016-05-16 11:55:
> OpenSSL?

On 16.05.16 12:05, admin wrote:
> Yes
>
> Can send to email if needed

I just wanted to point out that distributing GPL'ed software (squid)
depending on (linked with) non-GPL/LGPL libraries is AFAIK GPL violation and
therefore illegal copying...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread admin
Yes 

Can send to email if needed 

Matus UHLAR - fantomas wrote 2016-05-16 11:55:

> On 16.05.16 10:36, admin wrote: 
> 
>> I make deb's compiled squid in Debian 8:
>> 
>> 3.5.8
>> 
>> 3.5.17
>> 
>> 4.0.10
> 
> OpenSSL?
> 
> Tim Bates писал 2016-05-14 14:36:
> 
> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump 
> support compiled in?
> 
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu 
> that includes SSL Bump?


Re: [squid-users] Are there any distros with SSL Bump compiled by default?

2016-05-16 Thread Matus UHLAR - fantomas

On 16.05.16 10:36, admin wrote:
> I make deb's compiled squid in Debian 8:
> 3.5.8
> 3.5.17
> 4.0.10

OpenSSL?

> Tim Bates wrote 2016-05-14 14:36:
>
> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump
> support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that
> includes SSL Bump?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.