[squid-users] Yet another new cipher?

2016-06-29 Thread James Lay
Yugh...starting around 10:00 facebook no longer works via peek/splice.
pcap contents show:

1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1

after the three-way handshake, and then an instant reset.  Anyone know what
this is?  Cause I haven't a clue. Screenshot of success after
bypassing included.  Thank you.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
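An added example (not from the post and not Squid code): the tag names CHLO, SNI and VERS in the capture are the ones Google QUIC's crypto handshake uses, so one plausible reading of the snippet is a QUIC-style tagged CHLO arriving on a TCP port where Squid's peek step expects a TLS ClientHello. Peek only understands TLS, so anything else yields no SNI to splice on. The script below classifies the first bytes of a port-443 stream as a TLS ClientHello, a gQUIC-style CHLO (extracting the SNI), or unknown. The gQUIC layout it assumes (4-byte message tag, little-endian uint16 tag count, uint16 padding, then (tag, uint32 cumulative end offset) pairs followed by the values) is this example's reading of that format, and the sample CHLO is constructed to match the strings in the capture, not a real capture.

```python
"""Classify the first client bytes seen on a port-443 TCP stream.

Added example for this thread, not Squid code. Squid's peek step parses a
TLS ClientHello to get the SNI; if the client sends something else first
(here a Google-QUIC-style tagged CHLO is assumed from the strings in the
capture), there is no SNI to splice on. The QUIC message layout below is
this example's reading of the gQUIC crypto handshake format; the sample
CHLO built by build_chlo() is constructed, not captured.
"""
import struct


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header (0x16, 0x03 0x00..0x04, length) + handshake type 1."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def parse_gquic_tagged(data: bytes):
    """Parse a gQUIC tagged message: 4-byte message tag, uint16 LE count,
    uint16 padding, (4-byte tag, uint32 LE cumulative end offset) pairs,
    then the concatenated values. Returns (message_tag, {tag: value}) or
    None if the bytes do not fit that layout."""
    if len(data) < 8 or not data[:4].isalnum():
        return None
    count, _pad = struct.unpack_from("<HH", data, 4)
    values_start = 8 + 8 * count
    if count == 0 or values_start > len(data):
        return None
    tags, prev_end = {}, 0
    for i in range(count):
        tag, end = struct.unpack_from("<4sI", data, 8 + 8 * i)
        if end < prev_end or values_start + end > len(data):
            return None  # offsets must be monotonic and in-bounds
        name = tag.rstrip(b"\x00").decode("ascii", "replace")
        tags[name] = data[values_start + prev_end: values_start + end]
        prev_end = end
    return data[:4].decode("ascii"), tags


def classify(data: bytes):
    """('tls', None) | ('gquic-chlo', sni) | ('unknown', None)."""
    if is_tls_client_hello(data):
        return "tls", None
    parsed = parse_gquic_tagged(data)
    if parsed and parsed[0] == "CHLO":
        sni = parsed[1].get("SNI", b"").decode("ascii", "replace") or None
        return "gquic-chlo", sni
    return "unknown", None


def build_chlo(sni: str, version: bytes = b"QTV1") -> bytes:
    """Build a minimal tagged CHLO with SNI and VERS (constructed input)."""
    pairs = [(b"SNI\x00", sni.encode("ascii")), (b"VERS", version)]
    header, body, end = b"", b"", 0
    for tag, value in pairs:
        end += len(value)
        header += struct.pack("<4sI", tag, end)
        body += value
    return b"CHLO" + struct.pack("<HH", len(pairs), 0) + header + body


if __name__ == "__main__":
    print(classify(build_chlo("scontent.xx.fbcdn.net")))
    print(classify(bytes.fromhex("16030100a0010000")))
```

Feed it the first client payload after the three-way handshake (from the pcap, or from a `tcpdump -X` dump) to see whether peek ever had a TLS hello to work with.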


[squid-users] url_rewrite_program: redirecting fails when intercepting https

2016-06-29 Thread Moataz Elmasry
Hi all,

I'm writing a small bash script to redirect any request to, say,
www.google.com. This script is able to redirect any http request to
google.com, but not https requests.
I read the documentation
http://wiki.squid-cache.org/Features/HTTPS
but this seems quite complex for my task. Basically I just want to redirect
any domain, without looking into the full path. Knowing the domain name
should not count as a violation or interception of https, I hope.

Here's the script which works with http but not https:

"
#!/bin/bash
# Squid url_rewrite_program helper: one request per line
# ("URL client_ip/fqdn user method [kv-pairs]"), one reply line each.
while read -r url rest; do
  if [[ "$url" =~ \.google\.com ]]; then
    echo "ERR"                          # already google.com: leave the URL unchanged
  else
    echo "303:https://www.google.com"   # redirect everything else
  fi
done
"

Any ideas how to solve that?

Regards and thanks
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
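An added example (not the poster's script and not Squid's code), in Python, of a url_rewrite_program helper that handles the case this thread is about. Squid hands an https request to the helper as the CONNECT it came in on, with the URL field holding host:port, so the helper does see the domain; what it cannot do is redirect it: a 3xx sent in reply to CONNECT is treated by browsers as a failed tunnel, not followed. The helper below parses the 3.5 request line (URL, client ip/fqdn, user, method, key=value extras, with an optional leading channel-id when concurrency is configured), returns a 303 for plain http URLs, leaves CONNECT alone with ERR, and reports malformed lines with BH. The target URL and the "already on google.com" test are this example's choices. The same helper protocol applies to the squidGuard url_rewrite_program thread further down.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that treats CONNECT differently.

Added example for this thread, not Squid's code and not the poster's
script. Request line format (Squid 3.5 default url_rewrite_extras):
    [channel-id] URL client_ip/fqdn user method myip=... myport=...
The channel-id is present only when url_rewrite_children uses
concurrency=N. Replies: "OK status=303 url=..." to redirect, "ERR" to
leave the URL alone, "BH" for a helper-side failure.
"""
import re
import sys

TARGET = "https://www.google.com/"                 # this example's choice
ALREADY_THERE = re.compile(r"(^|\.)google\.com$", re.IGNORECASE)


def parse_request(line, concurrent=False):
    """Split one helper request line into its fields."""
    fields = line.split()
    chan = None
    if concurrent and fields:
        chan, fields = fields[0], fields[1:]
    if len(fields) < 4:
        raise ValueError("malformed helper request: %r" % line)
    url, client, user, method = fields[:4]
    extras = dict(kv.split("=", 1) for kv in fields[4:] if "=" in kv)
    return {"chan": chan, "url": url, "client": client, "user": user,
            "method": method.upper(), "extras": extras}


def _strip_port(authority):
    """host[:port] -> host, keeping IPv6 literals intact."""
    if authority.startswith("["):
        return authority[: authority.find("]") + 1].lower()
    return authority.rsplit(":", 1)[0].lower()


def host_of(req):
    """Hostname of the request. CONNECT carries a bare host:port, not a URL."""
    if req["method"] == "CONNECT":
        return _strip_port(req["url"])
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/?#]+)", req["url"], re.IGNORECASE)
    return _strip_port(m.group(1)) if m else ""


def decide(req):
    """Helper reply for one parsed request (without channel-id)."""
    if ALREADY_THERE.search(host_of(req)):
        return "ERR"                     # already at the target, no change
    if req["method"] == "CONNECT":
        # https arrives as CONNECT host:443. A 303 here would be the reply
        # to CONNECT, which browsers treat as a failed tunnel rather than
        # following it. So either allow the tunnel (ERR) or deny it with
        # http_access; rewriting is not an option before the TLS handshake.
        return "ERR"
    return 'OK status=303 url="%s"' % TARGET


def reply_for(line, concurrent=False):
    """Full reply line for one request line, channel-id included."""
    req = parse_request(line, concurrent)
    answer = decide(req)
    return answer if req["chan"] is None else "%s %s" % (req["chan"], answer)


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        try:
            out = reply_for(line, concurrent)
        except ValueError:
            chan = line.split()[:1] if concurrent else []
            out = " ".join(chan + ["BH message=malformed_request"])
        sys.stdout.write(out + "\n")
        sys.stdout.flush()               # Squid blocks until it reads the line


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /usr/local/bin/redirect.py` (add `--concurrent` and `url_rewrite_children 5 concurrency=10` if you want one process to serve several requests at once); the https case then shows up in access.log as a CONNECT that was allowed through, not as a redirect.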


Re: [squid-users] Subject: Bandwidth Ceiling

2016-06-29 Thread Alex Rousskov
On 06/29/2016 01:29 PM, squid-ca...@pixelrebel.com wrote:
> I'm sort of out of my league here so I may just quit and wait for v4.

Squid v4 may suffer from similar performance problems unless you test it
now, when it is still not too late to fix v4.

Please do not _assume_ that others observe, care about, and/or fix
performance problems that you observe and care about. A large number of
different deployment environments/requirements combined with poor
understanding of change side-effects often result in performance
surprises. If you do not have concrete evidence that your specific
problem has been addressed, then do your own testing and bug reporting.


Thank you,

Alex.



Re: [squid-users] url_rewrite_program is ignored by squid

2016-06-29 Thread Yuri Voinov

30.06.2016 2:34, Eliezer Croitoru wrote:
>
> Hey Moataz, (is this the first name?)
>
> I would be able to test it later next week on a testing machine.
>
> It's not clear what you expect to happen.
>
> What are you seeing in the squid access.log file at the same time you are
> using the proxy?
>
> It should show something when you load a simple HTTP page such as:
>
> http://www.squid-cache.org/
>
> And Yuri,
>
> As was mentioned here in another thread.
>
> Indeed SquidGuard is not maintained anymore for at least 2 years but
> it works in more than one place.
>
> If it works and does good work for the users, then what is the blocker
> from using it?
Actually, it uses a copy of all databases for every helper instance. Thus it
absorbs all the RAM, however much there is, especially with large lists.
>
> If it will work, what then?
Second, it does not work with HTTPS. At all. In a world that is 80% HTTPS,
that is rather silly, isn't it? And it reduces its value to nearly zero.

Of course, to each his own (to some, even a mare is a bride, as the saying
goes). But really - why not? If only the mare were happy too. :-D
>
> Eliezer

Re: [squid-users] url_rewrite_program is ignored by squid

2016-06-29 Thread Eliezer Croitoru
Hey Moataz, (is this the first name?)

I would be able to test it later next week on a testing machine.

It's not clear what you expect to happen.

What are you seeing in the squid access.log file at the same time you are using the
proxy?

It should show something when you load a simple HTTP page such as:

http://www.squid-cache.org/

And Yuri,

As was mentioned here in another thread.

Indeed SquidGuard is not maintained anymore for at least 2 years but it works
in more than one place.

If it works and does good work for the users, then what is the blocker from
using it?

If it will work, what then?

 

Eliezer

 



  Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri Voinov
Sent: Wednesday, June 29, 2016 8:20 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] url_rewrite_program is ignored by squid

 


Squidguard abandoned for years. Drop it out.


29.06.2016 23:12, Moataz Elmasry wrote:
> Hi all,
>
> I'm trying to use squid with squidguard, but it seems that
> squid3 is somehow ignoring the url_rewrite_program completely.
> While starting squid I'm getting the message:
>
> "
> helperOpenServers: Starting 0/20 'squidGuard' processes
> helperOpenServers: No 'squidGuard' processes needed
> "
>
> And nothing is being directed to squidguard.
> Just to be sure, I tried a simple bash program as well as a
> php program to handle the redirection, and I'm receiving a similar
> message and nothing is being redirected.
> Config files are listed below. All files are owned by the
> user "proxy"
> OS: ubuntu 16.04
> squid: 3.5.12-1ubuntu7.2
> squidguard: 1.5-5
>
> Here's squid.conf
>
> "
> pinger_enable off
> url_rewrite_access allow all
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 443 # https
> acl Safe_ports port 1025-65535  # unregistered ports
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> acl whitelist dstdomain play.google.com
> http_access allow whitelist
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> "
>
> And here's squidGuard.conf
>
> "
> dbhome /var/lib/squidguard/db
> logdir /var/log/squidguard
>
> dest ads {
> domainlist ads/domains
> }
>
> dest whitelist {
> domainlist whitelist/domains
> }
>
> acl {
> default {
> pass whitelist none
> redirect http://www.contensi.com
> }
> }
> "
>
> Any ideas what the problem is?
>
> Thanks
> Moataz


Re: [squid-users] Cache economy calculation

2016-06-29 Thread Yuri Voinov

Yep. Sure.


30.06.2016 0:57, Eduardo Carneiro wrote:
> Thank you again. In this case, I think that I'll exclude the "DENIED" from my
> query. Theoretically these accesses don't go to the internet. Is that correct?


Re: [squid-users] Cache economy calculation

2016-06-29 Thread Eduardo Carneiro
Thank you again. In this case, I think that I'll exclude the "DENIED" from my
query. Theoretically these accesses don't go to the internet. Is that correct?


Re: [squid-users] Subject: Bandwidth Ceiling

2016-06-29 Thread squid-cache
Thanks for the tip Amos.  I tried compiling my own version with BUFSIZ set to 
32KB, but 
it didn't seem to help.  The TCP buffer size on my system is 212992 bytes, I 
tried
64KB too, but that also didn't improve my situation.  Aside from adjusting the 
read_ahead_gap, is there anything else I'm missing?  I'm sort of out of my 
league here
so I may just quit and wait for v4. ;)

Thanks,
Jamie

>Sadly, that is kind of expected at present for any single client
>connection. We have some evidence that Squid is artificially lowering
>packet sizes in a few annoying ways. Used to make sense on slower
>networks, but not nowadays.
>
>Nathan Hoad has been putting a lot of work into this recently to figure
>out what can be done and has a performance fix in Squid-4. That is not
>going to make it into 3.5 because it relies on some major restructuring
>done only in Squid-4 code.
>
>
>But, if you are okay with playing around in the code his initial patch
>submission shows the key value to change:
>
>which should be the same in Squid-3. The 64KB bump in that patch leads
>to some pain so don't just apply that. In the end we went with 16KB to
>avoid huge per-connection memory requirements. It should really be tuned
>to about 1/2 or 1/4 the TCP buffer size on your system.
>After bumping that up, the read_ahead_gap directive also needs to be bumped
>up to a minimum of whatever value you choose there.
>
>HTH
>Amos




Re: [squid-users] Cache economy calculation

2016-06-29 Thread Yuri Voinov

Ah,

there is a better solution. You can re-write Calamaris to get its
source data from the DB - it is written in perl, simple. Just add a DB adapter
from CPAN. :)

P.S. I think you will be surprised how low your _real_ byte hit is
:)))

30.06.2016 1:16, Yuri Voinov wrote:
>
> Eh, if you have access.log in an SQL database, you can simply write an SQL
> query - voilà!
>
> -- result_code / bytes: the columns holding the TCP_xxx/status code and
> -- the reply size (names assumed; use your table's)
> -- Cache hit ratio, in percent
> select 100.0 * sum(case when result_code like 'TCP_%HIT%' then 1 else 0 end)
>        / count(*) from access_log;
>
> -- Byte hit ratio, in percent
> select 100.0 * sum(case when result_code like 'TCP_%HIT%' then bytes else 0 end)
>        / sum(bytes) from access_log;
>
>
> 30.06.2016 0:29, Eduardo Carneiro wrote:
> > Hello everyone.
> >
> > I am using Squid 3.5.19 with dynamic and static caching feature
> > activated.
> > It's working very well. All entries of the access.log are in a postgres
> > database. I am looking for the best way to calculate the cache economy.
> >
> > Someone could tell me how to do this?
> >
> > Best regards.
> > Eduardo
>


Re: [squid-users] Cache economy calculation

2016-06-29 Thread Yuri Voinov

Eh, if you have access.log in an SQL database, you can simply write an SQL
query - voilà!

-- result_code / bytes: the columns holding the TCP_xxx/status code and
-- the reply size (names assumed; use your table's)
-- Cache hit ratio, in percent
select 100.0 * sum(case when result_code like 'TCP_%HIT%' then 1 else 0 end)
       / count(*) from access_log;

-- Byte hit ratio, in percent
select 100.0 * sum(case when result_code like 'TCP_%HIT%' then bytes else 0 end)
       / sum(bytes) from access_log;


30.06.2016 0:29, Eduardo Carneiro wrote:
> Hello everyone.
>
> I am using Squid 3.5.19 with dynamic and static caching feature activated.
> It's working very well. All entries of the access.log are in a postgres
> database. I am looking for the best way to calculate the cache economy.
>
> Someone could tell me how to do this?
>
> Best regards.
> Eduardo

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
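Added example (not Calamaris and not code from the thread) that turns the two ratios Yuri sketches above into runnable SQL. It loads a constructed handful of access.log rows into an in-memory sqlite3 table so it runs offline; the SQL itself uses nothing sqlite-specific and runs unchanged against a PostgreSQL access_log table with the assumed columns result_code (the TCP_xxx/status field of the native log format) and bytes. It also answers the DENIED question above: TCP_DENIED and NONE rows never reached the origin, so they are left out of both numerator and denominator, and tunnelled CONNECT bytes can be excluded too, since a tunnel can never be a hit.

```python
"""Cache hit ratio and byte hit ratio from an access.log table, in SQL.

Added example for this thread; not Calamaris and not code from the
posts. sqlite3 stands in for PostgreSQL so it runs offline; the SQL uses
nothing sqlite-specific. Assumed columns: result_code (the
'TCP_MISS/200' field of the native log format) and bytes (reply size).
"""
import sqlite3

# Constructed sample rows (result_code, bytes), not a real log.
SAMPLE_ROWS = [
    ("TCP_MISS/200", 120_000),
    ("TCP_HIT/200", 120_000),
    ("TCP_MEM_HIT/200", 8_000),
    ("TCP_REFRESH_UNMODIFIED/304", 400),   # revalidated: body came from cache
    ("TCP_REFRESH_MODIFIED/200", 50_000),  # revalidated: new body fetched
    ("TCP_MISS/200", 2_000),
    ("TCP_DENIED/403", 3_500),             # never left the proxy
    ("TCP_TUNNEL/200", 900_000),           # CONNECT tunnel: cannot be a hit
    ("NONE/400", 300),                     # rejected before routing
]

# Served from cache. '_' is a single-character wildcard in LIKE, which is
# harmless here: these patterns still only match the intended codes.
HIT = ("(result_code LIKE 'TCP_%HIT%' "
       "OR result_code LIKE 'TCP_REFRESH_UNMODIFIED%')")
# Rows to leave out entirely: they never reached the origin, so counting
# them deflates the ratio (the DENIED question in this thread).
NOT_ROUTED = "(result_code LIKE 'TCP_DENIED%' OR result_code LIKE 'NONE%')"


def load(rows):
    """Create the in-memory table and fill it with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access_log (result_code TEXT, bytes INTEGER)")
    con.executemany("INSERT INTO access_log VALUES (?, ?)", rows)
    return con


def hit_ratios(con, exclude_tunnels=False):
    """Return (request hit %, byte hit %) rounded to one decimal.

    The 100.0 * forces decimal division; on PostgreSQL an integer /
    integer division would otherwise truncate to 0."""
    where = f"NOT {NOT_ROUTED}"
    if exclude_tunnels:
        where += " AND result_code NOT LIKE 'TCP_TUNNEL%'"
    sql = f"""
        SELECT 100.0 * SUM(CASE WHEN {HIT} THEN 1 ELSE 0 END) / COUNT(*),
               100.0 * SUM(CASE WHEN {HIT} THEN bytes ELSE 0 END) / SUM(bytes)
        FROM access_log
        WHERE {where}
    """
    req_pct, byte_pct = con.execute(sql).fetchone()
    return round(req_pct, 1), round(byte_pct, 1)


if __name__ == "__main__":
    con = load(SAMPLE_ROWS)
    print("routed requests:      %.1f%% requests, %.1f%% bytes" % hit_ratios(con))
    print("tunnels excluded too: %.1f%% requests, %.1f%% bytes"
          % hit_ratios(con, exclude_tunnels=True))
```

On the sample the request hit ratio is 42.9% but the byte hit ratio only 10.7%, because the single 900 KB tunnel dominates the denominator; with tunnels excluded it is 42.7%. That gap is the "surprised how low your real byte hit is" effect, and it is why the two ratios should always be reported together.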


Re: [squid-users] Cache economy calculation

2016-06-29 Thread Eduardo Carneiro
No, no. Only for management purposes.





Re: [squid-users] Skype Issues

2016-06-29 Thread Yuri Voinov

No, the problem is in another place.

This option is about ICQ, not about Skype.

29.06.2016 22:58, Renato Jop wrote:
> I've installed squid4 and the problems still persists. I've added the 
> following acl:
> # define what Squid errors indicate receiving non-HTTP traffic:
> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
> # define what Squid errors indicate receiving nothing:
> acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
> # tunnel everything that does not look like HTTP:
> on_unsupported_protocol tunnel foreignProtocol
> # tunnel if we think the client waits for the server to talk first:
> on_unsupported_protocol tunnel serverTalksFirstProtocol
> # in all other error cases, just send an HTTP "error page" response:
> on_unsupported_protocol respond all
>
> Renato Jop

Re: [squid-users] large downloads got interrupted

2016-06-29 Thread Eugene M. Zheganin
Hi.

On 29.06.16 05:26, Amos Jeffries wrote:
> On 28/06/2016 8:46 p.m., Eugene M. Zheganin wrote:
>> Hi,
>>
>> recently I started to get the problem when large downloads via squid are
>> often interrupted. I tried to investigate it, but, to be honest, got
>> nowhere. However, I took two tcpdump captures, and it seems to me that
>> for some reason squid sends FIN to it's client and correctly closes the
>> connection (wget reports that connection is closed), and in the same
>> time for some reason it sends like tonns of RSTs towards the server. No
>> errors in logs are reported (at least on a  ALL,1 loglevel).
>>
> It sounds like a timeout or such has happened inside Squid. We'd need to
> see your squid.conf to see if that was it.
Well... it's quite long, since it's at a large production site. I guess you
don't need the acl and auth lines, so without them it's as follows
(nothing secret in them, just that they are really numerous):

===Cut===
# cat /usr/local/etc/squid/squid.conf | grep -v http_access | grep -v
acl | grep -v http_reply_access | egrep -v '^#' | egrep -v '^$'
visible_hostname proxy1.domain1.com
debug_options ALL,1
http_port [fd00::301]:3128 ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
http_port [fd00::316]:3128 ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
http_port 192.168.3.1:3128 ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
http_port 127.0.0.1:3128 ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
http_port 127.0.0.1:3129 intercept
http_port [::1]:3128
http_port [::1]:3129 intercept
https_port 127.0.0.1:3131 intercept ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
https_port [::1]:3131 intercept ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
icp_port 3130
dns_v4_first off
shutdown_lifetime 5 seconds
workers 2
no_cache deny QUERY
cache_mem 256 MB
cache_dir rock /var/squid/cache 1100
cache_access_log stdio:/var/log/squid/access.fifo
cache_log /var/log/squid/cache.log
cache_store_log none
cache_peer localhost parent 8118 0 no-query default
auth_param negotiate
program /usr/local/libexec/squid/negotiate_wrapper_auth --ntlm
/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/local
authenticate_ip_ttl 60 seconds
positive_dns_ttl 20 minutes
negative_dns_ttl 120 seconds
negative_ttl 30 seconds
pid_filename /var/run/squid/squid.pid
ftp_user anonymous
ftp_passive on
ipcache_size 16384
fqdncache_size 16384
redirect_children 10
refresh_pattern -i . 0 20% 4320
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl -M 4MB
sslcrtd_children 15
auth_param negotiate program
/usr/local/libexec/squid/negotiate_wrapper_auth --ntlm
/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/local/libexec/squid/negotiate_kerberos_auth -s
HTTP/proxy1.domain1@domain.com
auth_param negotiate children 40 startup=5 idle=5
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth -d 0
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60
auth_param basic program /usr/local/libexec/squid/basic_pam_auth
auth_param basic children 35 startup=5 idle=2
auth_param basic realm Squid
auth_param basic credentialsttl 10 minute
auth_param basic casesensitive off
authenticate_ttl 10 minute
authenticate_cache_garbage_interval 10 minute
snmp_access allow fromintranet
snmp_access allow localhost
snmp_access deny all
snmp_port 340${process_number}
snmp_incoming_address 192.168.3.22
tcp_outgoing_address 192.168.3.22 intranet
tcp_outgoing_address fd00::316 intranet6
tcp_outgoing_address 86.109.196.3 ad-megafon
redirector_access deny localhost
redirector_access deny SSL_ports
icp_access allow children
icp_access deny all
always_direct deny fuck-the-system-dstdomain
always_direct deny fuck-the-system
always_direct deny onion
always_direct allow all
never_direct allow fuck-the-system-dstdomain
never_direct allow fuck-the-system
never_direct allow onion
never_direct deny all
miss_access allow manager
miss_access allow all
cache_mgr e...@domain1.com
cache_effective_user squid
cache_effective_group squid
sslproxy_cafile /usr/local/etc/squid/certs/ca.pem
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
deny_info ERR_NO_BANNER banner
deny_info ERR_UNAUTHORIZED unauthorized
deny_info ERR_OVERQUOTA overquotasall
deny_info ERR_ENTERTAINMENT 
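An added example (not Squid's own tooling) of the check I would run over a bumping squid.conf like the one above before looking for timeouts: a small lint that parses the directive lines and flags settings that switch off origin certificate verification. The sample configuration inside it is constructed from lines in this thread and from the cafile/capath thread below. The rules encode what the 3.5 squid.conf documentation says about sslproxy_flags, sslproxy_cert_error, sslproxy_cafile/capath and the per-port cafile= option; the severity labels are this example's own.

```python
"""Lint the TLS-related directives of a squid.conf (Squid 3.5 syntax).

Added example for this thread, not a Squid tool. The rules follow the
3.5 squid.conf documentation: sslproxy_* directives control how Squid
verifies origin servers when bumping, while cafile=/capath= on an
http_port apply to client certificates. Severity labels are this
example's own.
"""

# Constructed from lines in this thread and the cafile/capath thread.
SAMPLE_CONF = """\
# bumping listeners
http_port 127.0.0.1:3128 ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB dhparams=/usr/local/etc/squid/certs/dhparam.pem
https_port 127.0.0.1:3131 intercept ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem
sslproxy_cafile /usr/local/etc/squid/certs/ca.pem
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

LISTENERS = ("http_port", "https_port")


def parse(conf_text):
    """Yield (directive, [args]) for each non-blank, non-comment line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def lint(conf_text):
    """Return a list of (severity, directive, message) findings."""
    findings = []
    directives = list(parse(conf_text))
    bumping = any(d in LISTENERS and "ssl-bump" in a for d, a in directives)
    has_cafile = any(d in ("sslproxy_cafile", "sslproxy_capath")
                     for d, _ in directives)
    for d, args in directives:
        if d == "sslproxy_flags" and "DONT_VERIFY_PEER" in ",".join(args).split(","):
            findings.append(("high", d,
                "DONT_VERIFY_PEER: origin certificates are never verified; a "
                "bumped client is shown a proxy-signed certificate even when "
                "the origin is forged"))
        elif d == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(("high", d,
                "allow all: every certificate validation error (expired, "
                "wrong name, untrusted CA) is accepted"))
        elif (d in LISTENERS and "ssl-bump" in args and not has_cafile
              and any(a.startswith(("cafile=", "capath=")) for a in args)):
            findings.append(("medium", d,
                "cafile=/capath= on a listening port only affects client "
                "certificates; origin verification is configured with "
                "sslproxy_cafile / sslproxy_capath"))
    if bumping and not has_cafile:
        findings.append(("medium", "sslproxy_cafile",
            "no sslproxy_cafile/capath: origin verification depends on the "
            "TLS library's default trust store"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in lint(SAMPLE_CONF):
        print(f"[{severity}] {directive}: {message}")
```

Run it as `python3 lint_squid_tls.py < /dev/null` for the built-in sample, or swap SAMPLE_CONF for `open("/usr/local/etc/squid/squid.conf").read()`. On the sample it reports the two high findings; both mean that clients behind this proxy trust the proxy CA for every site while the proxy itself trusts anything on the origin side.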

Re: [squid-users] Skype Issues

2016-06-29 Thread Renato Jop
I've installed LibreSSL 2.2.9 and the issue still persists.
I think I am going to have to install squid4 even if it's still in beta to
solve these issues.
Thanks for your help.


Renato Jop

On Mon, Jun 27, 2016 at 9:36 AM, Renato Jop  wrote:

> Is there a way to verify that the SSL library doesn't support SSLv3?
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 8:43 AM, Yuri  wrote:
>
>> Looks like your SSL library no longer contains SSLv3 protocol support,
>> but the site announces it.
>>
>> 27.06.2016 20:42, Renato Jop wrote:
>>
>> I removed the NO_SSLv2, NO_SSLv3 however, right before the SSL3_GET_
>> RECORD:wrong version number the SSL
>> routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>>
>> Renato Jop
>>
>> On Mon, Jun 27, 2016 at 8:29 AM, Yuri  wrote:
>>
>>> Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 is already not
>>> supported anywhere, RC4/3DES are SSLv3 ciphers, so it can confuse
>>> software. I.e., you use custom cipher/protocol combinations, which can
>>> lead to issues.
>>>
>>> 27.06.2016 20:25, Renato Jop wrote:
>>>
>>> Thank you both for your valuable help.
>>> I've configured the tls-dh param with a strong Diffie-Hellman group
>>> (2048 bits) and configured the cipher as Yuri specified and I was able to
>>> get past the unknown cipher, however now I get a "SSL routines:SSL3_GET_
>>> RECORD:wrong version number". Here's the configuration I changed:
>>> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>> tls-dh=/usr/local/etc/squid/dhparams.pem
>>>
>>> Renato Jop
>>>
>>> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <
>>> yvoi...@gmail.com> wrote:
>>>
>>>> 25.06.2016 23:09, Amos Jeffries wrote:
>>>> > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>>> >>
>>>> >> Amos, you are wrong.
>>>> >>
>>>> >> No Squid-4. It's unstable and not ready for production. Whatever its
>>>> >> features.
>>>> >
>>>> > So some beta software has bugs therefore nobody should ever use it for
>>>> > anything. I find that to be a strange and sad view of the world.
>>>> >
>>>> > Care to guess why I listed it as the last option amongst several?
>>>> >  Or why 4.0.11 exists as a beta still?
>>>> > It *is* an option for the mentioned problem(s) though whatever its
>>>> > utility.
>>>> Agreed.
>>>> >
>>>> >>
>>>> >> Some time ago I had the same issue and know what happens exactly.
>>>> >>
>>>> >> Skype's initial connection site uses the RC4 cipher, which is disabled
>>>> >> in most squid configurations.
>>>> >
>>>> > Your "know what happens exactly" differs from at least two other
>>>> > people's debugging experiences with Skype.
>>>> >
>>>> > RC4 is on the hitlist for most of the big vendors for the past year or
>>>> > so. IIRC there were several Windows Updates to remove it and other
>>>> > broken bits from a lot of things over the past year.
>>>> > If Skype is still using RC4 it might be part of this problem.
>>>> I'm sure this is a problem and this problem exists. MS does nothing to
>>>> make their sites/services more secure. BTW, MS Updates uses RC4 ciphers
>>>> itself at this time. With strong ciphers there is no way to set up WU via
>>>> Squid. I've spent much time identifying this problem in my setup and
>>>> finding a working workaround.
>>>>
>>>> Another part of the problem is: MS often uses its own self-signed roots,
>>>> which exist in Windows, but nowhere else, and which are not cross-signed
>>>> by well-known root CAs. They think it makes MS services more secure. They
>>>> are wrong. But we can't do anything about it. So this forces us to add
>>>> the self-signed MS roots to our Squid's CA bundles to bump/splice.
>>>> >
>>>> >>
>>>> >> To make it work (as well as most M$ update sites) it simply requires
>>>> >> using this cipher suite:
>>>> >>
>>>> >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>>> >>
>>>> >> That works for me in 5 SSL-bumped setups. It doesn't matter which
>>>> >> squid version is installed.
>>>> >
>>>> > Thank you. That's another option then. I'd rate that below trying the
>>>> > EC ciphers, and above library updates.
>>>> You are welcome.
>>>>
>>>> Just for information: MS has its own IT infrastructure, with some
>>>> strangely configured and not well-managed elements. I can't guarantee
>>>> this workaround will work everywhere or for every MS service.
>>>>
>>>> When I did my research, I saw some strange TLS security combinations on
>>>> MS sites/services. For example, RC4+ECDSA+TLSv1.2. Or, for example,
>>>> RC4+MD5+TLSv1. And some similar. Very idiotic and potentially dangerous
>>>> combinations. And their support ignores all requests. As usual.
>>>>
>>>> To my regret, I can not order all of its users to abandon the use of
>>>> Windows. So far, in my 

Re: [squid-users] cafile and capath not working as expected with SSL bump

2016-06-29 Thread Amos Jeffries
On 29/06/2016 10:01 p.m., Bruce Rosenberg wrote:
> Hi,
> 
> I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the
> most part is working great.
> The issue I have is I need to install some additional CA certs that are not
> provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file
> (symlinked to /etc/pki/tls/certs/ca-bundle.crt).
> I've tried adding both the cafile and capath options to the http_port entry
> but neither seems to have any effect.
> With the cafile option I can see squid open the file via an strace but when
> I connect to the server it fails with a 503 as the SSL session to the
> remote side is failing to verify.
> With the capath option, strace shows that squid never attempts to open any
> files in that directory.
> Dynamic certificate generation between squid and the client is working fine
> however.
> 
...
> 
> Are the cafile and capath options supposed to work like this i.e. do they
> allow you to complement the OS supplied CA certs for remote site
> verification or have I completely misread the documentation?

The options *on http_port* are supposed to act like that, yes.

I think you have just mistaken the distinction between the three types
of connection Squid has to juggle.


http(s)_port is for links between client and Squid. Those parameters are
used for verifying *client certificates*.

The sslproxy_* set of directives is for direct Squid->server links. The
sslproxy_cafile and/or sslproxy_capath options load the extra CA
certificates you want to add to the system default ones.

cache_peer is for static links to a known server/peer. It has its own
cafile= and capath= options for the CAs used to verify that specific server.
Ideally the system CAs would not be used here.


If I'm understanding your needs correctly then you want to be
configuring sslproxy_cafile and/or sslproxy_capath.


Amos
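The three-way distinction Amos draws above, as an added squid.conf fragment that is not from the thread. It reuses only the file paths Bruce posted (cafile.pem, the commented-out cacerts/ directory, and the mitm_root_ca key/cert); the "ineffective" line is his current config, the rest is the corrected layout.

```conf
# Added example, not from the thread. Paths are the ones Bruce posted.

# Ineffective for the stated goal: cafile= / capath= on http_port only
# affect verification of certificates presented by *clients* (client
# certificate auth). They play no part in verifying the origin server,
# so the 503 from the failed server-side verification remains.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cafile=/etc/squid/ssl/cafile.pem key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt

# Corrected: http_port keeps only what the client side needs, the signing
# key/cert used for the dynamically generated certificates.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt

# Extra trust anchors for Squid->server verification, added on top of the
# system bundle. Either a single PEM bundle ...
sslproxy_cafile /etc/squid/ssl/cafile.pem
# ... or a directory in OpenSSL hashed layout (run c_rehash on it first).
#sslproxy_capath /etc/squid/ssl/cacerts/

# What not to do: turning verification off also makes the 503 go away,
# but then Squid re-signs any server certificate, forged ones included,
# and clients that trust the bump CA have no way to notice.
#sslproxy_flags DONT_VERIFY_PEER
#sslproxy_cert_error allow all
```

Run `squid -k parse` after editing to catch syntax errors before reloading.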


Re: [squid-users] Problems with ACL's using squid as intercept proxy

2016-06-29 Thread C. L. Martinez
On Wed 29.Jun'16 at 13:11:20 +1200, Amos Jeffries wrote:
> On 29/06/2016 2:18 a.m., C. L. Martinez wrote:
> > I have configured new PF rules in this new FreeBSD host:
> > 
> > rdr pass on $vpnif proto tcp from $int_network to any port http tag 
> > intlans-to-inet -> lo0 port 5144
> > 
> >  .. And the result is:
> > 
> > 1467122773.928  0 127.0.0.1 TCP_MISS/403 4357 GET 
> > http://www.osnews.com/ - HIER_NONE/- text/html
> > 1467122773.928 35 172.22.55.1 TCP_MISS/403 4489 GET 
> > http://www.osnews.com/ - ORIGINAL_DST/127.0.0.1 text/html
> > 1467122774.068  0 172.22.55.1 TCP_MEM_HIT/200 13096 GET 
> > http://fbsdprx.my.domain.com:3128/squid-internal-static/icons/SN.png - 
> > HIER_NONE/- image/png
> > 1467122774.102  0 127.0.0.1 TCP_MISS/403 4314 GET 
> > http://www.osnews.com/favicon.ico - HIER_NONE/- text/html
> > 1467122774.103  2 172.22.55.1 TCP_MISS/403 4446 GET 
> > http://www.osnews.com/favicon.ico - ORIGINAL_DST/127.0.0.1 text/html
> > 
> >  .. What is the problem?? Are ACL's wrong?? Why?? At first stage, I was 
> > thinking about a problem with the pf rules ... but, now, I am not sure 
> > because packets arrives to squid ...
> > 
> 
> The current releases of Squid need to be built with:
>   ./configure --with-nat-devpf
> 
> for the old PF version on FreeBSD or NetBSD to work.
> 
> 
> Amos
> 
Thanks Amos, but squid is compiled with --with-nat-devpf option:

Squid Cache: Version 3.5.19
Service Name: squid
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' 
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' 
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' 
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' 
'--without-gnutls' '--enable-auth' '--enable-build-info' 
'--enable-loadable-modules' '--enable-removal-policies=lru heap' 
'--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' 
'--disable-translation' '--disable-arch-native' '--enable-eui' 
'--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' 
'--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' 
'--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' 
'--enable-kqueue' '--with-large-files' '--enable-http-violations' 
'--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 
'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' 
'--enable-ssl-crtd' '--disable-stacktraces' '--enable-ipf-transparent' 
'--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' 
'--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' 
'--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe  -fstack-protector 
-fno-strict-aliasing' 'LDFLAGS=-L/usr/lib  -pthread  -fstack-protector' 
'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' 
'--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake 
getpwnam NIS' '--enable-auth-digest=file' 
'--enable-external-acl-helpers=file_userip time_quota unix_group' 
'--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' 
'--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon 
AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' 
'--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' 
'--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' 
'--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 
'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector 
-fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience


-- 
Greetings,
C. L. Martinez


[squid-users] cafile and capath not working as expected with SSL bump

2016-06-29 Thread Bruce Rosenberg
Hi,

I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the
most part is working great.
The issue I have is I need to install some additional CA certs that are not
provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file
(symlinked to /etc/pki/tls/certs/ca-bundle.crt).
I've tried adding both the cafile and capath options to the http_port entry
but neither seems to have any effect.
With the cafile option I can see squid open the file via an strace but when
I connect to the server it fails with a 503 as the SSL session to the
remote side is failing to verify.
With the capath option, strace shows that squid never attempts to open any
files in that directory.
Dynamic certificate generation between squid and the client is working fine
however.


cafile strace (strace -fp  -e trace=open):

[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/etc/localtime", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13


Subsequent error in the access log:

[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_DIRECT/200 "CONNECT www.example.com:443 HTTP/1.1" - www.example.com 130 0 - 14
[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_NONE/503 "GET https://www.example.com/postorders/postorders.php HTTP/1.1" - - 249 4699 - -


Relevant config:

sslproxy_options NO_SSLv2
sslproxy_cert_sign signTrusted
sslproxy_cert_sign_hash sha1
sslcrtd_children 8 startup=1 idle=1

acl step1 at_step SslBump1
ssl_bump peek step1 sslbump_src
ssl_bump bump sslbump_dst sslbump_src

ssl_bump none all

#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB capath=/etc/squid/ssl/cacerts/ key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cafile=/etc/squid/ssl/cafile.pem key=/etc/squid/ssl_cert/mitm_root_ca.key cert=/etc/squid/ssl_cert/mitm_root_ca.crt


I can work around the issue by appending the additional CA certs to the
Redhat managed /etc/pki/tls/certs/ca-bundle.crt file but this is not ideal.

Are the cafile and capath options supposed to work like this i.e. do they
allow you to complement the OS supplied CA certs for remote site
verification or have I completely misread the documentation?

cafile= File containing additional CA certificates to
use when verifying client certificates. If unset
clientca will be used.

capath= Directory containing additional CA certificates
and CRL lists to use when verifying client certificates.

Many thanks and any help greatly appreciated,
Bruce


Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump

2016-06-29 Thread Eliezer Croitoru
Hey,

I have seen that you are using squid in intercept mode either on Linux or some BSD.

If there is a site\server that you don't want to enter squid at all you will need to bypass it at the FW\IPTABLES level.

In Linux you would be able to use some ipset list that will be bypassed from being intercepted.

If you are interested reply and I will try to give you an example of how to use it.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Stanford Prescott
Sent: Wednesday, June 29, 2016 2:56 AM
To: Amos Jeffries
Cc: squid-users
Subject: Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump

I forgot to mention, I am using squid 3.5.19

On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott wrote:

When I enter .wellsfargo.com in

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

it appears that the banking site is still getting bumped, i.e. like in this access.log snippet:
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774 75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513 98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0=ON=0=== - ORIGINAL_DST/216.58.194.98 image/gif
1467156895.664 82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif