Re: [squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Alex Rousskov
On 06/30/2016 01:19 PM, Eugene M. Zheganin wrote:
> On 30.06.2016 17:04, Amos Jeffries wrote:
>> Use a myportname ACL to prevent Squid attempting impossible things like
>> authentication on intercepted traffic.


> Sorry, but I still didn't get the idea. I have one port that squid is
> configured to intercept traffic on, and another for plain proxy
> requests. 

That is OK/normal, of course.


> How do I tell squid not to authenticate anyone on the intercept one? 

By making your authentication rules port-specific. Squid does not
authenticate by default so you are explicitly telling it to authenticate
[some] users. You need to adjust those rules to exclude intercepted
transactions.


> From what I know, squid will send the authentication
> sequence as soon as it encounters the authentication-related ACL in the
> ACL list for the request given. Do I have to add a myportname ACL with the
> non-intercepting port for all the occurrences of the auth-enabled ACLs,
> or maybe there's a simpler way?

I do not think there is. We could, in theory, [add an option to] ignore
authentication-related ACLs when dealing with intercepted transactions,
but I am not sure that doing so would actually solve more problems than
it will create.

Please note that, in many cases, your myportname ACLs can go at the very
beginning of the authentication-sensitive rules to exclude intercepted
transactions -- you may not have to prefix each auth-enabled ACL
individually (because none of them will be reached after early
myportname ACL guards).


HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
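The port-guard ordering Alex describes, as an added squid.conf example that is not from the thread or from the Squid project. The port numbers, the port name intercept_port, the localnet range and the basic_ncsa_auth helper line are assumptions; substitute your own.

```conf
# Added example, not from the thread. Assumed listeners: an explicit proxy on
# 3128 and an intercept port on 3129, given a name so myportname can match it.
http_port 3128
http_port 3129 intercept name=intercept_port

# Placeholder helper; use your real auth_param lines here.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

acl localnet src 192.168.0.0/16        # assumed client network
acl intercepted myportname intercept_port
acl authed proxy_auth REQUIRED

# Guards first: every intercepted transaction is allowed or denied here,
# so the proxy_auth ACL below is never evaluated for it and the
# "Authentication not applicable on intercepted requests" NOTICE stops.
http_access allow intercepted localnet
http_access deny intercepted

# Only explicit-proxy requests reach the authentication-sensitive rules.
http_access allow authed
http_access deny all
```

The `deny intercepted` line is what makes the guard complete: without it an intercepted request from outside localnet would fall through to `allow authed` and trigger the authentication attempt again. `squid -k parse` checks the file before a reload.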


Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

Just fantasy required :) :) :)
And Google-fu :)

01.07.2016 2:52, Yuri Voinov wrote:
> IDK when user is only one :) There is no Cisco required :)
>
> 01.07.2016 2:05, reinerotto wrote:
>> There is no need for cisco stuff.
>> dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
>> dnscrypt servers from this list:
>> https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
>>
>> In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
>> connect dnsmasq to an upstream open dnscrypt-enabled dns-server from the list
>> above.
>> Make sure squid uses this local dnsmasq as dns server.
>> Finally, use iptables to redirect all dns-requests from clients to your
>> dnsmasq.



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

IDK when user is only one :) There is no Cisco required :)


01.07.2016 2:05, reinerotto wrote:
> There is no need for cisco stuff.
> dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
> dnscrypt servers from this list:
> https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
>
> In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
> connect dnsmasq to an upstream open dnscrypt-enabled dns-server from the list
> above.
> Make sure squid uses this local dnsmasq as dns server.
> Finally, use iptables to redirect all dns-requests from clients to your
> dnsmasq.



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread reinerotto
There is no need for cisco stuff.
dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
dnscrypt servers from this list:
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
connect dnsmasq to an upstream open dnscrypt-enabled dns-server from the list above.
Make sure squid uses this local dnsmasq as dns server.
Finally, use iptables to redirect all dns-requests from clients to your
dnsmasq.

--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Force-DNS-queries-over-TCP-tp4678324p4678343.html
Sent from the Squid - Users mailing list archive at Nabble.com.
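The procedure reinerotto outlines (dnsmasq on the Squid box, dnscrypt-proxy as its upstream, iptables redirecting client DNS to dnsmasq, Squid pointed at dnsmasq) as one added shell example; this is not code from the thread or from any of the projects named. The interface eth0, the address 10.0.0.1, port 5353, the resolver name example-resolver and the file paths are assumptions, and the dnscrypt-proxy flags are those of the 1.x command line current in 2016. The script only renders and checks the configuration unless invoked with "apply".

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the pieces of the
# dnsmasq + dnscrypt-proxy + iptables setup and checks the ruleset before
# anything is applied. Placeholders (assumptions): LAN interface eth0, Squid
# box LAN address 10.0.0.1, dnscrypt-proxy on 127.0.0.1:5353, resolver name
# "example-resolver" taken from dnscrypt-resolvers.csv.

# dnsmasq.conf: ignore /etc/resolv.conf (the ISP's servers) and forward every
# query to the local dnscrypt-proxy listener; answer on loopback and the LAN.
render_dnsmasq_conf() {
  lan_ip=$1
  dnscrypt_port=$2
  printf '%s\n' \
    "no-resolv" \
    "server=127.0.0.1#${dnscrypt_port}" \
    "listen-address=127.0.0.1,${lan_ip}" \
    "bind-interfaces" \
    "cache-size=10000"
}

# dnscrypt-proxy 1.x invocation (assumption: the 1.x command-line flags).
render_dnscrypt_cmd() {
  dnscrypt_port=$1
  resolver=$2
  csv=$3
  printf 'dnscrypt-proxy --daemonize --local-address=127.0.0.1:%s --resolver-name=%s --resolvers-list=%s\n' \
    "$dnscrypt_port" "$resolver" "$csv"
}

# Netfilter: redirect both UDP/53 and TCP/53 arriving from the LAN to the
# local dnsmasq, so no client query leaves in cleartext toward the ISP.
render_iptables_rules() {
  lan_if=$1
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports 53\n' \
      "$lan_if" "$proto"
  done
}

# squid.conf: point Squid's own resolver at dnsmasq.
render_squid_dns() {
  printf 'dns_nameservers 127.0.0.1\n'
}

# Returns 0 only if the rendered ruleset redirects both protocols; covering
# UDP alone still leaks TCP/53 queries (truncation fallback) to the ISP.
rules_cover_both_protocols() {
  echo "$1" | grep -q -- '-p udp --dport 53' &&
  echo "$1" | grep -q -- '-p tcp --dport 53'
}

main() {
  rules=$(render_iptables_rules eth0)
  rules_cover_both_protocols "$rules" || { echo "ruleset incomplete" >&2; return 1; }
  if [ "$1" = "apply" ]; then
    render_dnsmasq_conf 10.0.0.1 5353 > /etc/dnsmasq.d/dnscrypt.conf
    echo "$rules" | sh
  else
    echo "# /etc/dnsmasq.d/dnscrypt.conf"; render_dnsmasq_conf 10.0.0.1 5353
    echo "# start dnscrypt-proxy"; render_dnscrypt_cmd 5353 example-resolver /etc/dnscrypt-resolvers.csv
    echo "# netfilter"; echo "$rules"
    echo "# squid.conf"; render_squid_dns
  fi
}

case "${1:-}" in
  show|apply) main "$1" ;;
esac
```

Run `sh dns-redirect.sh show` to print the plan; `apply` (as root) writes the dnsmasq file and loads the nat rules. Both UDP/53 and TCP/53 are redirected because a resolver falls back to TCP for truncated answers, and the check function refuses a ruleset that covers only one of them.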


Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

I'm wrong. 11,50$
http://www.ebay.com/itm/Cisco-1800-Series-1841-Router-With-64MB-Flash-Card-w-Power-Cord-/142035497145

01.07.2016 1:35, Yuri Voinov wrote:
> PS. Initial level Cisco router cost at eBay is less than 40$. It's garbage.
>
> 01.07.2016 1:33, Chris Horry wrote:
>> On 06/30/2016 15:30, Yuri Voinov wrote:
>>> I've google-fu for you:
>>>
>>> !
>>> http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
>>>
>>> ip access-list extended transparent_dns
>>> permit udp any any eq 53
>>>
>>> route-map redirect_dns permit 10
>>> match ip address transparent_dns
>>> set ip next-hop ip.of.your.server
>>> route-map redirect_dns permit 20
>>>
>>> interface fax/x
>>> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>>> ip policy route-map redirect_dns
>>
>> I implemented something very similar to this but using SSH (since I
>> don't have a Cisco router, this is a home setup!).
>>
>> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

PS. Initial level Cisco router cost at eBay is less than 40$. It's
garbage.


01.07.2016 1:33, Chris Horry wrote:
>
>
> On 06/30/2016 15:30, Yuri Voinov wrote:
>>
>> I've google-fu for you:
>>
>> !
>>
http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
>>
>> ip access-list extended transparent_dns
>> permit udp any any eq 53
>>
>> route-map redirect_dns permit 10
>> match ip address transparent_dns
>> set ip next-hop ip.of.your.server
>> route-map redirect_dns permit 20
>>
>> interface fax/x
>> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>> ip policy route-map redirect_dns
>>
>
> I implemented something very similar to this but using SSH (since I
> don't have a Cisco router, this is a home setup!).
>
> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

DNScrypt doesn't require any crypto. It is encrypted itself. Just Google-fu
it. :)


01.07.2016 1:33, Chris Horry wrote:
>
>
> On 06/30/2016 15:30, Yuri Voinov wrote:
>>
>> I've google-fu for you:
>>
>> !
>>
http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
>>
>> ip access-list extended transparent_dns
>> permit udp any any eq 53
>>
>> route-map redirect_dns permit 10
>> match ip address transparent_dns
>> set ip next-hop ip.of.your.server
>> route-map redirect_dns permit 20
>>
>> interface fax/x
>> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>> ip policy route-map redirect_dns
>>
>
> I implemented something very similar to this but using SSH (since I
> don't have a Cisco router, this is a home setup!).
>
> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 15:30, Yuri Voinov wrote:
> 
> I've google-fu for you:
> 
> !
> http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
> 
> ip access-list extended transparent_dns
> permit udp any any eq 53
> 
> route-map redirect_dns permit 10
> match ip address transparent_dns
> set ip next-hop ip.of.your.server
> route-map redirect_dns permit 20
> 
> interface fax/x
> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> ip policy route-map redirect_dns
> 

I implemented something very similar to this but using SSH (since I
don't have a Cisco router, this is a home setup!).

Chris

-- 
Chris Horry
zer...@gmail.com
http://www.twitter.com/zerbey
PGP:638C3E7A





Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

This is no f*cking problem. Intercept DNS queries first, resolve them by
DNSCrypt, output for your users. Voilà, profit!

01.07.2016 1:26, Jorgeley Junior wrote:
> I'm not sure, but, if your ISP is intercepting your DNS queries, maybe you
> could use the mangle netfilter table to change your DNS queries and so
> deceive your ISP, but I'm almost sure that the root servers will not
> recognize. It was just an idea.
>
> 2016-06-30 16:16 GMT-03:00 Yuri Voinov:
>> Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
>> 127.0.0.1:53 as your squid's DNS resolver finally.
>>
>> 01.07.2016 1:07, Chris Horry wrote:
>>> On 06/30/2016 14:55, Alex Crow wrote:
>>>> On 30/06/16 19:40, brendan kearney wrote:
>>>>> Nscd or name server caching daemon may be of help.  I believe you can
>>>>> run your own bind instance and point it at the roots, instead of using
>>>>> your isp's broken implementation
>>>>>
>>>>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
>>>>
>>>> If the ISP is intercepting and redirecting all connections to UDP/53,
>>>> which seems to be the case, I'm not sure this would help, unless the
>>>> roots support TCP access.
>>>>
>>>> Chris, can you confirm this seems to be your ISP's behaviour? If so,
>>>> avoiding sending *any* queries in cleartext via UDP/53 is the only way
>>>> to do it.
>>>
>>> That is indeed my ISP's behaviour, they force redirect UDP/53 to their
>>> broken implementation so the only option I have is to use TCP.
>>>
>>> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Jorgeley Junior
I'm not sure, but, if your ISP is intercepting your DNS queries, maybe you
could use the mangle netfilter table to change your DNS queries and so
deceive your ISP, but I'm almost sure that the root servers will not
recognize. It was just an idea.

2016-06-30 16:16 GMT-03:00 Yuri Voinov:

>
> Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
> 127.0.0.1:53 as your squid's DNS resolver finally.
>
>
> 01.07.2016 1:07, Chris Horry wrote:
> >
> >
> > On 06/30/2016 14:55, Alex Crow wrote:
> >>
> >>
> >> On 30/06/16 19:40, brendan kearney wrote:
> >>>
> >>> Nscd or name server caching daemon may be of help.  I believe you can
> >>> run your own bind instance and point it at the roots, instead of using
> >>> your isp's broken implementation
> >>>
> >>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
> >>
> >> If the ISP is intercepting and redirecting all connections to UDP/53,
> >> which seems to be the case, I'm not sure this would help, unless the
> >> roots support TCP access.
> >>
> >> Chris, can you confirm this seems to be your ISP's behaviour? If so,
> >> avoiding sending *any* queries in cleartext via UDP/53 is the only way
> >> to do it.
> >
> > That is indeed my ISP's behaviour, they force redirect UDP/53 to their
> > broken implementation so the only option I have is to use TCP.
> >
> > Chris
> >
> >
> >
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Yuri Voinov

01.07.2016 1:19, Eugene M. Zheganin wrote:

Interception proxy doesn't support auth. By default. End of discussion.




Re: [squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Eugene M. Zheganin

Hi.

On 30.06.2016 17:04, Amos Jeffries wrote:
> On 30/06/2016 9:21 p.m., Eugene M. Zheganin wrote:
>> Hi,
>>
>> Could this message be moved on loglevel 2 instead of 1 ?
>> I think that this message does 95% of the logs of the intercept-enabled
>> caches with authentication.
>>
>> At least some switch would be nice, to switch this off instead of
>> switching the whole facility to 0.
>
> This message only happens when your proxy is misconfigured.

Well, it may be.

> Use a myportname ACL to prevent Squid attempting impossible things like
> authentication on intercepted traffic.

Sorry, but I still didn't get the idea. I have one port that squid is
configured to intercept traffic on, and another for plain proxy requests. How
do I tell squid not to authenticate anyone on the intercept one? From what I
know, squid will send the authentication sequence as soon as it encounters the
authentication-related ACL in the ACL list for the request given. Do I have to
add a myportname ACL with the non-intercepting port for all the occurrences of
the auth-enabled ACLs, or maybe there's a simpler way?

Thanks.
Eugene.



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
127.0.0.1:53 as your squid's DNS resolver finally.


01.07.2016 1:07, Chris Horry wrote:
>
>
> On 06/30/2016 14:55, Alex Crow wrote:
>>
>>
>> On 30/06/16 19:40, brendan kearney wrote:
>>>
>>> Nscd or name server caching daemon may be of help.  I believe you can
>>> run your own bind instance and point it at the roots, instead of using
>>> your isp's broken implementation
>>>
>>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
>>
>> If the ISP is intercepting and redirecting all connections to UDP/53,
>> which seems to be the case, I'm not sure this would help, unless the
>> roots support TCP access.
>>
>> Chris, can you confirm this seems to be your ISP's behaviour? If so,
>> avoiding sending *any* queries in cleartext via UDP/53 is the only way
>> to do it.
>
> That is indeed my ISP's behaviour, they force redirect UDP/53 to their
> broken implementation so the only option I have is to use TCP.
>
> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 14:55, Alex Crow wrote:
> 
> 
> On 30/06/16 19:40, brendan kearney wrote:
>>
>> Nscd or name server caching daemon may be of help.  I believe you can
>> run your own bind instance and point it at the roots, instead of using
>> your isp's broken implementation
>>
>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
> 
> If the ISP is intercepting and redirecting all connections to UDP/53,
> which seems to be the case, I'm not sure this would help, unless the
> roots support TCP access.
> 
> Chris, can you confirm this seems to be your ISP's behaviour? If so,
> avoiding sending *any* queries in cleartext via UDP/53 is the only way
> to do it.

That is indeed my ISP's behaviour, they force redirect UDP/53 to their
broken implementation so the only option I have is to use TCP.

Chris

-- 
Chris Horry
zer...@gmail.com
http://www.twitter.com/zerbey
PGP:638C3E7A





Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
Packt Publishing has a book about FreeSWAN (don't use that) which is
almost all applicable to LibreSWAN (do use this, it's a newer fork).

Easiest is to set up a tunnel with PSKs, more secure is with RSA keys or
X509 certs.

Alex

On 30/06/16 19:20, Chris Horry wrote:
>
> On 06/30/2016 13:34, Alex Crow wrote:
>> I'd suggest changing IP as this practice is
>>
>> a) a violation of trust, forcing you to use a potentially compromised
>> resource you have no control over
>> b) a clear violation of net-neutrality
>> c) a violation of standards (as it's probably one of those that instead
>> of returning NXDOMAIN as required sends you to an advertising page.
>> )
> Tell me about it.  My ISP and I are having a pitched battle about it
> now.  Unfortunately my options are limited in my current area but at
> least it's not Comcast!
>
>> I'm pretty sure you /can/ configure BIND to work like that. I should
>> imagine you could set up forwarders to TCP-based DNS servers.
>>
>> The other option is to get a DNS server set up on a VPS and tunnel your
>> requests to it via IPSEC.
> Sounds like a good idea, time to learn IPSEC!
>
> Thanks,
>
> Chris
>


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread brendan kearney
Nscd or name server caching daemon may be of help.  I believe you can run
your own bind instance and point it at the roots, instead of using your
isp's broken implementation
On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:

>
>
> On 06/30/2016 13:34, Alex Crow wrote:
> > I'd suggest changing IP as this practice is
> >
> > a) a violation of trust, forcing you to use a potentially compromised
> > resource you have no control over
> > b) a clear violation of net-neutrality
> > c) a violation of standards (as it's probably one of those that instead
> > of returning NXDOMAIN as required sends you to an advertising page.
> > )
>
> Tell me about it.  My ISP and I are having a pitched battle about it
> now.  Unfortunately my options are limited in my current area but at
> least it's not Comcast!
>
> > I'm pretty sure you /can/ configure BIND to work like that. I should
> > imagine you could set up forwarders to TCP-based DNS servers.
> >
> > The other option is to get a DNS server set up on a VPS and tunnel your
> > requests to it via IPSEC.
>
> Sounds like a good idea, time to learn IPSEC!
>
> Thanks,
>
> Chris
>
> --
> Chris Horry
> zer...@gmail.com
> http://www.twitter.com/zerbey
> PGP:638C3E7A
>


Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 13:34, Alex Crow wrote:
> I'd suggest changing IP as this practice is
> 
> a) a violation of trust, forcing you to use a potentially compromised
> resource you have no control over
> b) a clear violation of net-neutrality
> c) a violation of standards (as it's probably one of those that instead
> of returning NXDOMAIN as required sends you to an advertising page.
> )

Tell me about it.  My ISP and I are having a pitched battle about it
now.  Unfortunately my options are limited in my current area but at
least it's not Comcast!

> I'm pretty sure you /can/ configure BIND to work like that. I should
> imagine you could set up forwarders to TCP-based DNS servers.
> 
> The other option is to get a DNS server set up on a VPS and tunnel your
> requests to it via IPSEC.

Sounds like a good idea, time to learn IPSEC!

Thanks,

Chris

-- 
Chris Horry
zer...@gmail.com
http://www.twitter.com/zerbey
PGP:638C3E7A





Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
I'd suggest changing IP as this practice is

a) a violation of trust, forcing you to use a potentially compromised
resource you have no control over
b) a clear violation of net-neutrality
c) a violation of standards (as it's probably one of those that instead
of returning NXDOMAIN as required sends you to an advertising page.
)
I'm pretty sure you /can/ configure BIND to work like that. I should
imagine you could set up forwarders to TCP-based DNS servers.

The other option is to get a DNS server set up on a VPS and tunnel your
requests to it via IPSEC.

Alex

On 30/06/16 18:21, Chris Horry wrote:
> Hello,
>
> My ISP have started forcing DNS queries to pass through their own DNS
> server, which appears to have many issues (can't resolve twitter.com for
> one).  I won't bore the list with my conversations with them over that part.
>
> They are not actively blocking TCP DNS queries so I have a workaround.
>
> Recognising that DNS over TCP is not an ideal solution
>
> 1. Can Squid be configured to use TCP by default for DNS inquiries?  If
> not consider this a feature request :)
> 2. Is there a DNS caching server that can do this instead (BIND9 doesn't
> seem to have it as an option)
>
> Any help appreciated.
>
> Thanks,
>
> Chris
>




[squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry
Hello,

My ISP have started forcing DNS queries to pass through their own DNS
server, which appears to have many issues (can't resolve twitter.com for
one).  I won't bore the list with my conversations with them over that part.

They are not actively blocking TCP DNS queries so I have a workaround.

Recognising that DNS over TCP is not an ideal solution

1. Can Squid be configured to use TCP by default for DNS inquiries?  If
not consider this a feature request :)
2. Is there a DNS caching server that can do this instead (BIND9 doesn't
seem to have it as an option)

Any help appreciated.

Thanks,

Chris

-- 
Chris Horry
zer...@gmail.com
http://www.twitter.com/zerbey
PGP:638C3E7A





Re: [squid-users] static caching for specific website for specific time

2016-06-30 Thread Antony Stone
On Thursday 30 June 2016 at 17:38:32, Henry7 wrote:

> Sometimes a WiFi Blocker Jammer is
> all you need. People are so obnoxious these days. They do whatever they
> want without caring about what others feel and that's not good at all. A
> jammer can help you to solve the problem and you're good to go.

I cannot find the original question which this is a response to.

Please enlighten us to what problem with squid this is a proposed solution 
for?


Thanks,


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] static caching for specific website for specific time

2016-06-30 Thread Henry7
Sometimes a WiFi Blocker Jammer is
all you need. People are so obnoxious these days. They do whatever they want
without caring about what others feel and that's not good at all. A jammer
can help you to solve the problem and you're good to go.





Re: [squid-users] Skype Issues

2016-06-30 Thread Marcus Kool



On 06/30/2016 09:10 AM, Amos Jeffries wrote:
> ...
>
> The on_unsupported_protocol directive is about what its name says: *any*
> unsupported protocol. Not ICQ specific.
>
> I think the issue here is that Skype looks at the binary level like TLS.
> TLS being a supported protocol, if it looks close enough then it would be
> seen as invalid/broken TLS, not some non-TLS.


Applications may use any protocol that they desire to tunnel through a proxy.
They may use TLS+SMTP, TLS+HTTP, TLS+XYZ, RC4+FOO, SSH, VPN, BAR, TXT and
many others.
Since bumping is intended to only interfere with TLS+HTTP, Squid should bump
_only_ TLS+HTTP and not interfere with all other protocols.

Squid 3.5 finally made a lot of progress with bumping TLS+HTTP and the
missing piece to be able to use it in many environments is a
mechanism to deal with all other protocols (non TLS+HTTP).
The first step is to not break applications. The second step is
to have mechanisms to decide what to do with the other
protocols, since most admins want to block SSH and VPN,
while allowing Skype and BAR.

Marcus


> Sorry Renato, with that not working I'm not sure where to go next.
>
> Amos




Re: [squid-users] Yet another new cipher?

2016-06-30 Thread James Lay
On Fri, 2016-07-01 at 01:04 +1200, Amos Jeffries wrote:
> On 1/07/2016 12:43 a.m., James Lay wrote:
> > 
> > On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote:
> > > 
> > > Yugh...starting around 10:00 facebook no longer works via
> > > peek/splice.  pcap contents show:
> > > 
> > > 1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1
> > > 
> > > after the threeway handshake and an instant reset.  Anyone know
> > > what
> > > this is?  Cause I haven't a clue. Screenshot of success after
> > > bypassing included.  Thank you.
> > > 
> > I guess I should also say that this is from the official Facebook
> > app
> > on Android...just updated on Tuesday.
> FWIW: I identified the last one from your posted wireshark details.
> Looking at the "Unknown Ciphers:" list and looking up the hex codes
> listed there in the IANA registry.
> 
> The details posted so far about this issue tell me nothing except
> that
> FB suddenly stopped working.
> 
> Amos
That's fair...I'm including a successful handshake...wireshark just
sees this as data.  Thanks Amos!
James

192.168.1.101-stream5.pcapng
Description: application/pcapng


Re: [squid-users] Yet another new cipher?

2016-06-30 Thread Amos Jeffries
On 1/07/2016 12:43 a.m., James Lay wrote:
> On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote:
>> Yugh...starting around 10:00 facebook no longer works via
>> peek/splice.  pcap contents show:
>>
>> 1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1
>>
>> after the threeway handshake and an instant reset.  Anyone know what
>> this is?  Cause I haven't a clue. Screenshot of success after
>> bypassing included.  Thank you.
>>
> I guess I should also say that this is from the official Facebook app
> on Android...just updated on Tuesday.

FWIW: I identified the last one from your posted wireshark details.
Looking at the "Unknown Ciphers:" list and looking up the hex codes
listed there in the IANA registry.

The details posted so far about this issue tell me nothing except that
FB suddenly stopped working.

Amos


Re: [squid-users] Yet another new cipher?

2016-06-30 Thread James Lay
On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote:
> Yugh...starting around 10:00 facebook no longer works via
> peek/splice.  pcap contents show:
> 
> 1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1
> 
> after the threeway handshake and an instant reset.  Anyone know what
> this is?  Cause I haven't a clue. Screenshot of success after
> bypassing included.  Thank you.
> 
> James
> 
I guess I should also say that this is from the official Facebook app
on Android...just updated on Tuesday.
James


Re: [squid-users] large downloads got interrupted

2016-06-30 Thread Amos Jeffries
On 30/06/2016 2:24 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> On 29.06.16 05:26, Amos Jeffries wrote:
>> On 28/06/2016 8:46 p.m., Eugene M. Zheganin wrote:
>>> Hi,
>>>
>>> recently I started to get the problem when large downloads via squid are
>>> often interrupted. I tried to investigate it, but, to be honest, got
>>> nowhere. However, I took two tcpdump captures, and it seems to me that
>>> for some reason squid sends FIN to its client and correctly closes the
>>> connection (wget reports that connection is closed), and at the same
>>> time for some reason it sends like tons of RSTs towards the server. No
>>> errors in logs are reported (at least at an ALL,1 loglevel).
>>>
>> It sounds like a timeout or such has happened inside Squid. We'd need to
>> see your squid.conf to see if that was it.
> Well... it's quite long, since it's at a large production site. I guess you
> don't need the acl and auth lines, so without them it's as follows
> (nothing secret in them, just that they are really numerous):

Okay. I was kind of hoping you had set some of the timeouts to an
unusually low value. Since it's all default, then I think it's one of the
much more difficult bug-related issues.


> 
> The download I test this issue on is:
> - a large iso file, 4G from Yandex mirror
> - goes via plain http (so no sslBump)
> - client is authenticated using basic authentication
> - you can see a delay pools in squid.config, but this is just a
> definition, no clients are assigned into it
> 
> 
> When the connection is closed the client receives a FIN sequence, and squid
> sends a lot of RSTs towards the target server I'm downloading the file from.
> 
>>
>> What version are you using? there have been a few bugs found that can
>> cause unrelated connections to be closed early like this.
> I noticed this problem on squid 3.5.11, but it's reproducible on 3.5.19
> as well.
> 
>> Screen dump of packet capture does not usually help. We usually only ask
>> for packet captures when one of the dev needs to personally analyse the
>> full traffic behaviour.
>>
>> A cache.log trace at debug level 11,2 shows all the HTTP messages going
>> through in an easier format to read. There might be hints in there, but
>> if it is a timeout like I suspect probably not.
> Well... do you need it already ? I should say that it will be way huge.
> May be there's a way to grep only the interesting parts ?
> 

Okay, I wasn't suggesting you post it here. It's likely to be too big for
that.

I would look for the messages about the large object, and its FD. Then,
for anything about why it was closed by Squid. Not sure what that would be
at this point though.
There are some scripts in the Squid sources scripts/ directory that
might help wade through the log. Or the grep tool.

Amos



Re: [squid-users] Skype Issues

2016-06-30 Thread Amos Jeffries
On 30/06/2016 5:19 a.m., Yuri Voinov wrote:
> 
> No, the problem in another place.
> 
> This option about ICQ, not about Skype.
> 
> 29.06.2016 22:58, Renato Jop пишет:
>> I've installed squid4 and the problems still persists. I've added the 
>> following acl:
>> # define what Squid errors indicate receiving non-HTTP traffic:
>> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
>> # define what Squid errors indicate receiving nothing:
>> acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
>> # tunnel everything that does not look like HTTP:
>> on_unsupported_protocol tunnel foreignProtocol
>> # tunnel if we think the client waits for the server to talk first:
>> on_unsupported_protocol tunnel serverTalksFirstProtocol
>> # in all other error cases, just send an HTTP "error page" response:
>> on_unsupported_protocol respond all
> 


What are you on today Yuri?
The on_unsupported_protocol directive is about what its name says: *any*
unsupported protocol. Not ICQ specific.

I think the issue here is that Skype looks at the binary level like TLS.
TLS being a supported protocol, if it looks close enough then it would be
seen as invalid/broken TLS, not some non-TLS.

Sorry Renato, with that not working I'm not sure where to go next.

Amos


Re: [squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Amos Jeffries
On 30/06/2016 9:21 p.m., Eugene M. Zheganin wrote:
> Hi,
> 
> Could this message be moved on loglevel 2 instead of 1 ?
> I think that this message does 95% of the logs of the intercept-enabled
> caches with authentication.
> 
> At least some switch would be nice, to switch this off instead of
> switching the whole facility to 0.

This message only happens when your proxy is misconfigured.

Use a myportname ACL to prevent Squid attempting impossible things like
authentication on intercepted traffic.

Amos
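
The myportname guard Amos recommends, as an added squid.conf example (constructed for this page, not configuration posted by anyone on the list): first the auth-first ordering that produces the NOTICE, then the same rules with the port ACL decided before any authentication ACL. The port names, the 192.168.1.0/24 subnet and the basic_ncsa_auth helper path are assumptions.

```conf
# Constructed example: port names, subnet and helper path are assumptions.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl localnet src 192.168.1.0/24
acl authUsers proxy_auth REQUIRED

# One explicit proxy port and one intercept port, each given a name
# so that a myportname ACL can tell them apart.
http_port 3128 name=explicitProxy
http_port 3129 intercept name=interceptPort
acl fromIntercept myportname interceptPort

# Misconfigured ordering: every request, intercepted ones included, reaches
# the proxy_auth ACL. Squid cannot challenge an intercepted client, so it
# logs "NOTICE: Authentication not applicable on intercepted requests."
# and the auth ACL can never be satisfied for that traffic.
#http_access allow authUsers
#http_access deny all

# Corrected ordering: the port ACL settles intercepted requests first, so
# the proxy_auth line below is never evaluated for them and the NOTICE
# is not emitted. Explicit-proxy clients still have to authenticate.
http_access allow fromIntercept localnet
http_access deny fromIntercept
http_access allow authUsers
http_access deny all
```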



Re: [squid-users] url_write_program: redirecting fails when intercepting https

2016-06-30 Thread Amos Jeffries
On 30/06/2016 12:16 p.m., Moataz Elmasry wrote:
> Hi all,
> 
> I'm writing a small bash program script to redirect any request to say
> www.google.com. This script is able to redirect any http script to
> google.com, but not https requests.
> I read the documentation
> http://wiki.squid-cache.org/Features/HTTPS
> But this seems quite complex for my task. Basically I just want to redirect
> any domain, without looking into the full path. Knowing the domain name
> should not be counted as violation or interception of https I hope

What you want and reality do not match. Encryption is not plain ASCII text.

If you want to play around with the plain-text form of encrypted
services like Google and are not the valid owner of that service, then
you have to MITM / hijack and decrypt the crypto in real-time. Which is
not a simple process.

Amos



[squid-users] NOTICE: Authentication not applicable on intercepted requests.

2016-06-30 Thread Eugene M. Zheganin
Hi,

Could this message be moved on loglevel 2 instead of 1 ?
I think that this message does 95% of the logs of the intercept-enabled
caches with authentication.

At least some switch would be nice, to switch this off instead of
switching the whole facility to 0.

Thanks.
Eugene.


Re: [squid-users] Squid Proxy SSL Bump Certificates

2016-06-30 Thread Antony Stone
On Thursday 30 June 2016 at 10:53:57, i...@comunicacionesman.com wrote:

> What I'm trying to do now is to use an external certificate from a
> trusted certificate authority (in this case I'm using a free SSL
> certificate from comodo), but I can't see my certificate in the
> certificates list when enabling SSL Man in the middle. I can only see
> CA's, which are certificate authorities, but when I upload comodo's Root
> CA certificate and select it, service does not start. Throws this error:
> 
> Jun 30 08:52:40   squid   No valid signing SSL certificate 
> configured
> for HTTP_port 192.168.1.1:3128
> 
> Does Squid not accept a SSL Certificate from external authorities or am
> I missing something?

Squid would be quite happy to accept a certificate from external authorities, 
but you will never get one.

You're missing the significance of the word "signing" in that error message.

What you have from Comodo is a signED certificate (and you also have the CA 
certificate to prove that they signed it).

What you do not have is a signING certificate (together with the accompanying 
private key) to be able to create and sign certificates on the fly, which is 
what Squid does for SSL MITM interception.

You will never get an appropriate key and certificate for this purpose from an 
external CA, because if they gave you those, you could forge certificates for 
any website on the Internet and their trust model would collapse.

SSL MITM has to be done with a self-signed certificate, and a self-generated CA 
certificate on the clients.


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.

   Please reply to the list;
 please *don't* CC me.


[squid-users] Squid Proxy SSL Bump Certificates

2016-06-30 Thread info

Hi.

I've configured a firewall in our company with pfSense using Squid as 
proxy server. I made it work combined with Diladele to show graphs, 
filter logs, configure blocked sites, etc.


What I'm trying to do now is to use an external certificate from a 
trusted certificate authority (in this case I'm using a free SSL 
certificate from comodo), but I can't see my certificate in the 
certificates list when enabling SSL Man in the middle. I can only see 
CA's, which are certificate authorities, but when I upload comodo's Root 
CA certificate and select it, service does not start. Throws this error:


Jun 30 08:52:40	squid		No valid signing SSL certificate configured for 
HTTP_port 192.168.1.1:3128


Does Squid not accept a SSL Certificate from external authorities or am 
I missing something?


Thanks in advance.

Best regards.


Re: [squid-users] url_write_program: redirecting fails when intercepting https

2016-06-30 Thread Eliezer Croitoru
What squid.conf are you using with this script?

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Moataz Elmasry
Sent: Thursday, June 30, 2016 3:16 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] url_write_program: redirecting fails when intercepting 
https

Hi all,

I'm writing a small bash program script to redirect any request to say 
www.google.com. This script is able to redirect any http script to 
google.com, but not https requests.
I read the documentation
http://wiki.squid-cache.org/Features/HTTPS
But this seems quite complex for my task. Basically I just want to redirect any 
domain, without looking into the full path. Knowing the domain name should not 
be counted as violation or interception of https I hope

Here's the script which works with http but not https:

"
#!/bin/bash
# url_rewrite_program helper: Squid writes one request per line
# ("URL client_ip/fqdn ident method ..."); only the URL field is used here.
# Reading until EOF lets the helper exit cleanly when Squid closes the pipe.
while read -r url rest; do
  if [[ "$url" =~ \.google\.com ]]; then
    # Already a Google URL: "ERR" tells Squid to leave the request unchanged.
    echo "ERR"
  else
    # Anything else: redirect the client to Google with a 303.
    echo "303:https://www.google.com/"
  fi
done
"

Any ideas how to solve that?

Regards and thanks
