Re: [squid-users] How can I complete this tutorial?

2016-08-11 Thread james82
I'm really sorry. Can you check the link in my post again? I can't find that
line, really.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/How-can-I-complete-this-tutorial-tp4678837p4678852.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Large memory leak with ssl_peek (now partly understood)

2016-08-11 Thread Dan Charlesworth
Pretty sure this is affecting our 3.5.x systems as well — we use a very
similar splicing implementation.

I'll keep an eye out in hope someone adapts that patch!

Dan

On 12 August 2016 at 06:22, Alex Rousskov 
wrote:

> On 08/11/2016 10:56 AM, Steve Hill wrote:
>
> > At ssl_bump step 2 we splice the connection and Squid does verification
> ...
> > Unfortunately, when verification fails, rather than actually dropping
> > the client's connection, Squid just leaves the client hanging.
>
> Hi Steve,
>
> This sounds very similar to Squid bug 4508. Factory proposed a fix
> for that bug, but the patch is for Squid v4. You may be able to adapt it
> to v3. Testing (with any version) is very welcome, of course:
>
>   http://bugs.squid-cache.org/show_bug.cgi?id=4508
>
> Alex.


Re: [squid-users] X-Squid-Error

2016-08-11 Thread Amos Jeffries
On 12/08/2016 9:10 a.m., joe wrote:
> only happens on the latest squid 4
> Squid Cache: Version 4.0.13-20160809-r14785
> -
> HTTP/1.1 400 Bad Request
> Server: squid
> Mime-Version: 1.0
> Date: Thu, 11 Aug 2016 21:02:46 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3367
> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
> X-Cache: MISS from proxy.netgatesss.com
> Connection: close
> 

In response to what?

Amos



Re: [squid-users] Inconsistent Cache Peer Selection in Accelerator mode - Squid 3.3.8

2016-08-11 Thread Amos Jeffries
On 12/08/2016 6:31 a.m., Antony Stone wrote:
> On Thursday 11 August 2016 at 20:25:04, Adam Vollrath wrote:
> 
>> Good afternoon! I'm configuring Squid 3.3.8 on Ubuntu 14.04.5 LTS.  It's
>> in reverse proxy mode and has some explicit peers specified.  My issue
>> is that sometimes requests get forwarded to that specified peer, but
>> sometimes squid just forwards directly itself.
>>
>> `squid.conf` has these lines:
>>
>> http_port 127.0.1.2:80 accel ignore-cc act-as-origin allow-direct
> 
>> Can I prevent it from forwarding requests directly?
> 
> I'm not an expert on reverse proxy mode, but do you think "allow-direct" 
> might be your problem?
> 
> That sounds to me as though you are telling Squid it is allowed to forward 
> requests directly, instead of having to rely on peers...

Exactly so.

Amos

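The configuration Antony and Amos point at, written out as an added example rather than the poster's actual squid.conf: Adam's http_port line with allow-direct removed, plus a peer definition and a never_direct rule so that Squid cannot fall back to fetching directly even when no peer answers. The peer address 192.0.2.10, its port, and the name "origin" are placeholders assumed here, not values from the thread.

```conf
# Added example (not from the thread): reverse proxy that must always use
# the configured origin peer and never forward requests directly itself.

# Adam's accelerator port, minus allow-direct. Without that flag Squid has
# no permission to bypass the peers for this port's traffic.
http_port 127.0.1.2:80 accel ignore-cc act-as-origin

# Placeholder origin server (assumed address, port and name); originserver
# tells Squid this peer is the real web server, not another proxy.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin
cache_peer_access origin allow all

# Belt and braces: forbid direct forwarding for every request, so a peer
# outage produces an error page instead of a silent direct fetch.
never_direct allow all
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` applies it; a request that cannot reach the peer should then fail visibly rather than succeed via a direct fetch.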


[squid-users] How can I complete this tutorial?

2016-08-11 Thread james82
I want to do this tutorial:
https://www.linode.com/docs/networking/squid/squid-http-proxy-ubuntu-12-04,
but there are some things I don't understand very well, please help me. Here is
my squid.conf file: https://ghostbin/paste/kw7pp. I can't find the http_access
line like in the tutorial, because there are so many 'example' lines named
'http_access'. Can you edit the file for me and tell me how to start squid with
it?



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/How-can-I-complete-this-tutorial-tp4678837.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Large memory leak with ssl_peek (now partly understood)

2016-08-11 Thread Steve Hill


I've been suffering from a significant memory leak on multiple servers 
running Squid 3.5 for months, but was unable to reproduce it in a test 
environment.  I've now figured out how to reproduce it and have done 
some investigation:


When using TPROXY, Squid generates fake "CONNECT 192.0.2.1:443" 
requests, using the IP address that the client connected to.  At 
ssl_bump step 1, we peek and Squid generates another fake "CONNECT 
example.com:443" request containing the SNI from the client's SSL handshake.


At ssl_bump step 2 we splice the connection and Squid does verification 
to make sure that example.com does actually resolve to 192.0.2.1.  If it 
doesn't, Squid is supposed to reject the connection in 
ClientRequestContext::hostHeaderVerifyFailed() to prevent clients from 
manipulating the SNI to bypass ACLs.


Unfortunately, when verification fails, rather than actually dropping 
the client's connection, Squid just leaves the client hanging. 
Eventually the client (hopefully) times out and drops the connection 
itself, but the associated ClientRequestContext is never destroyed.


This is testable by repeatedly executing:
openssl s_client -connect 17.252.76.30:443 -servername courier.push.apple.com


That is a traffic pattern that we see in the real world and is now 
clearly what is triggering the leak: Apple devices make connections to 
addresses within the 17.0.0.0/8 network with an SNI of 
"courier.push.apple.com".  courier.push.apple.com resolves to a CNAME 
pointing to courier-push-apple.com.akadns.net, but 
courier-push-apple.com.akadns.net doesn't exist.  Since Squid can't 
verify the connection, it won't allow it and after 30 seconds the client 
times out.  Each Apple device keeps retrying the connection, leaking a 
ClientRequestContext each time, and before long we've leaked several 
gigabytes of memory (on some networks I'm seeing 16GB or more of leaked 
RAM over 24 hours!).


Unfortunately I'm a bit lost in the Squid code and can't quite figure 
out how to gracefully terminate the connection and destroy the context.


--
 - Steve Hill
   Technical Director
   Opendium Limited http://www.opendium.com

Sales / enquiries:
   Email:sa...@opendium.com
   Phone:+44-1792-824568 / sip:sa...@opendium.com

Support:
   Email:supp...@opendium.com
   Phone:+44-1792-825748 / sip:supp...@opendium.com
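The verification Steve describes at ssl_bump step 2, as an added example that is not Squid's code: a C++ model of the SNI-versus-destination check with a constructed DNS table in place of a resolver, so it runs offline. The example.com addresses and the deliberately missing courier-push-apple.com.akadns.net entry are constructed data modelled on the thread. It shows the outcomes a splice decision can have, and that every outcome other than "splice" has to end in an active close of the client connection, which is the step the thread says Squid 3.5 skips and which leaves the ClientRequestContext alive.

```cpp
// Added example, not Squid code: the SNI-vs-destination check Squid performs
// before splicing, modelled with a constructed DNS table so it runs offline.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// A record in the constructed table is either a CNAME target or a set of
// A/AAAA addresses.
struct DnsRecord {
    std::string cname;               // non-empty => alias to another name
    std::vector<std::string> addrs;  // address data when cname is empty
};

using DnsTable = std::map<std::string, DnsRecord>;

// Constructed data standing in for the resolver. Addresses are from the
// documentation ranges; the akadns.net CNAME target is deliberately absent,
// mirroring the "name does not exist" case from the thread.
static const DnsTable kConstructedDns = {
    {"example.com", DnsRecord{"", {"192.0.2.1", "2001:db8::1"}}},
    {"courier.push.apple.com",
     DnsRecord{"courier-push-apple.com.akadns.net", {}}},
};

enum class Verdict { Splice, RejectMismatch, RejectNoSuchName, RejectLoop };

// Follow CNAMEs (bounded) and collect the final addresses for `name`.
// Returns false when the chain ends in a name that does not exist or loops.
static bool resolveAddresses(const DnsTable& dns, std::string name,
                             std::vector<std::string>& out, bool& looped) {
    looped = false;
    for (int hops = 0; hops < 8; ++hops) {
        auto it = dns.find(name);
        if (it == dns.end())
            return false;                  // NXDOMAIN
        if (it->second.cname.empty()) {
            out = it->second.addrs;
            return true;
        }
        name = it->second.cname;           // follow the alias
    }
    looped = true;
    return false;
}

// Is the SNI the client presented consistent with the address the client
// actually connected to (the address in Squid's fake CONNECT request)?
Verdict verifySniDestination(const DnsTable& dns, const std::string& sni,
                             const std::string& dstIp) {
    std::vector<std::string> addrs;
    bool looped = false;
    if (!resolveAddresses(dns, sni, addrs, looped))
        return looped ? Verdict::RejectLoop : Verdict::RejectNoSuchName;
    for (const auto& a : addrs)
        if (a == dstIp)
            return Verdict::Splice;
    return Verdict::RejectMismatch;
}

// Convenience wrapper over the constructed table.
Verdict checkConstructed(const std::string& sni, const std::string& dstIp) {
    return verifySniDestination(kConstructedDns, sni, dstIp);
}

// The transport-level consequence of a verdict: anything other than Splice
// must close the client socket now, so no per-connection state lingers.
bool mustCloseClient(Verdict v) { return v != Verdict::Splice; }

static const char* name(Verdict v) {
    switch (v) {
    case Verdict::Splice:           return "splice";
    case Verdict::RejectMismatch:   return "reject: SNI resolves elsewhere";
    case Verdict::RejectNoSuchName: return "reject: SNI name does not exist";
    case Verdict::RejectLoop:       return "reject: CNAME loop";
    }
    return "?";
}

int main() {
    // The two traffic patterns from the thread (constructed table lookups).
    const char* cases[][2] = {
        {"example.com", "192.0.2.1"},
        {"courier.push.apple.com", "17.252.76.30"},
    };
    for (const auto& c : cases) {
        Verdict v = checkConstructed(c[0], c[1]);
        std::printf("%s -> %s: %s (close client: %s)\n", c[0], c[1], name(v),
                    mustCloseClient(v) ? "yes" : "no");
    }
    return 0;
}
```

The point the thread makes is the last function: a rejecting verdict is only half the job, and a proxy that reaches RejectNoSuchName but never closes the socket will accumulate one context per retry, exactly the growth Steve measured.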


Re: [squid-users] A problem with a refresh pattern rule

2016-08-11 Thread C. L. Martinez
On Thu 11.Aug'16 at 22:38:13 +1200, Amos Jeffries wrote:
> On 11/08/2016 7:04 p.m., C. L. Martinez wrote:
> > Hi all,
> > 
> >  I am doing some modifications to refresh_pattern rules on a squid host 
> > (release 3.5.20) and it seems they are working, with the exception of this 
> > one:
> > 
> > refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)  129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload
> > 
> >  When I run 'squid -k parse' it returns the following error:
> > 
> > 2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload
> > 2016/08/11 06:57:33| refreshAddToList: Invalid regular expression '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty (sub)expression
> > 
> >  Searching for where I am making the mistake, I don't find any problem with 
> > "\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I 
> > making the mistake??
> > 
> 
> That pattern works fine for me. Must be something to do with the regex
> library on your system.
> 
> I think the error message is about the (x-|)flv piece. The absence of
> anything between | and ) is the only bit that could be called an 'empty
> sub-expression' there. You might have to change that to x-flv|flv.

Perfect!!! That was it, thanks Amos.
> 
> 
> >  On the other side, I also see the following warnings:
> > 
> > 2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
> > 2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
> > 2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
> > 2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP
> > 
> >  I have enabled these options "override-expire override-lastmod 
> > reload-into-ims ignore-reload" on some other patterns. Is this wrong??
> 
> Those are WARNINGs, not errors. They instruct Squid to do things which
> are outside the HTTP specification. You may encounter trouble with some
> traffic because of that changed behaviour.
> 
> The warnings are there to make sure you are aware something risky is
> being done, and when you run into trouble with those options it is
> probably not Squid bugs but your choice to violate the standard HTTP
> behaviour which caused it.
> 
> Amos

 Understood. I will remove those options, then.

Many thanks.

-- 
Greetings,
C. L. Martinez


Re: [squid-users] large downloads got interrupted

2016-08-11 Thread Eugene M. Zheganin
Hi.

On 30.06.16 17:19, Amos Jeffries wrote:
>
> Okay, I wasn't suggesting you post it here. Its likely to be too big for
> that.
>
> I would look for the messages about the large object, and its FD. Then,
> for anything about why it was closed by Squid. Not sure what that would be
> at this point though.
> There are some scripts in the Squid sources scripts/ directory that
> might help wade through the log. Or the grep tool.
>
>
I enabled logLevel 2 for all squid facilities, but so far I haven't
figured out any pattern from the log. The only thing I noticed is that for
a large download the Recv-Q value reported by netstat for a particular
squid-to-server connection is extremely high, and so is the Send-Q value for
the connection from squid to the client. I don't know if it's a cause or a
consequence, but from my point of view this may indicate that buffers
are overflowing for some reason; I think this may cause, in turn, RSTs and
connection closing - am I right? I still don't know whether it's a
squid fault or maybe a local OS misconfiguration.

Eugene.


Re: [squid-users] Problem with SSL client setting in case of reverse proxy

2016-08-11 Thread Amos Jeffries
On 10/08/2016 6:49 p.m., Frosch Martin wrote:
> Hello,
> 
> I hope I am right here.
> 
> I use Squid Version 3.5.20 as a reverse proxy for Outlook (2010)
> Anywhere and OWA. The problem is that I cannot transfer files bigger
> than 2MB since the Microsoft update
> https://technet.microsoft.com/de-de/library/security/3042058. This
> update brings new cipher versions to IIS. Now I want to use older
> cipher suites but the following line of Squid config is not working
> 100%.

Why do you want to force bad security when better is available?

> 
> cache_peer X.X.X.X parent 443 0 ssl no-query originserver
> sslflags=DONT_VERIFY_PEER
> ssloptions=NO_SSLv2:NO_SSLv3:ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET

Process those options (instructions) from left to right in your head.
You should see that all things are *enabled* at the end of it. That includes
SSLv2 and SSLv3 being enabled.

Hint: "ALL" force-enables everything the library is capable of.
Restrictions can only follow after it in the options list.

> sslcipher=AES256-SHA login=PASS name=exchangeServer standby=5
> 
> Squid as Client uses always 38 Cipher Suites, no matter what I define
> as ssloptions or sslcipher.
> 

cipher= very rarely needs to be explicitly set. The library already
enables good ciphers, and options can enable others manually if needed.


Use of ALL in the options is often recommended by people who do not
understand what it does. It enables *everything* the library is
capable of doing. Basically using it means the admin (or whoever wrote
the tutorial) thinks they know security better than the experts who
wrote the library. Then the admin/author goes and lists removal of the
(often few) things they know are bad (at that point in time) - often
missing out lots of custom hacks they don't know the library just enabled
as instructed, or crypto things which are broken but long forgotten.

The best thing to do is to start with neither cipher nor options
configured at all and test what the library tries to offer. Use that
test to add specific disable/enable options to the options= list. Repeat
as necessary until what the library does meets your need.

HTH
Amos


Re: [squid-users] A problem with a refresh pattern rule

2016-08-11 Thread Amos Jeffries
On 11/08/2016 7:04 p.m., C. L. Martinez wrote:
> Hi all,
> 
>  I am doing some modifications to refresh_pattern rules on a squid host 
> (release 3.5.20) and it seems they are working, with the exception of this 
> one:
> 
> refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)  129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload
> 
>  When I run 'squid -k parse' it returns the following error:
> 
> 2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload
> 2016/08/11 06:57:33| refreshAddToList: Invalid regular expression '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty (sub)expression
> 
>  Searching for where I am making the mistake, I don't find any problem with 
> "\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I 
> making the mistake??
> 

That pattern works fine for me. Must be something to do with the regex
library on your system.

I think the error message is about the (x-|)flv piece. The absence of
anything between | and ) is the only bit that could be called an 'empty
sub-expression' there. You might have to change that to x-flv|flv.


>  On the other side, I also see the following warnings:
> 
> 2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP
> 
>  I have enabled these options "override-expire override-lastmod 
> reload-into-ims ignore-reload" on some other patterns. Is this wrong??

Those are WARNINGs, not errors. They instruct Squid to do things which
are outside the HTTP specification. You may encounter trouble with some
traffic because of that changed behaviour.

The warnings are there to make sure you are aware something risky is
being done, and when you run into trouble with those options it is
probably not Squid bugs but your choice to violate the standard HTTP
behaviour which caused it.

Amos



[squid-users] A problem with a refresh pattern rule

2016-08-11 Thread C. L. Martinez
Hi all,

 I am doing some modifications to refresh_pattern rules on a squid host 
(release 3.5.20) and it seems they are working, with the exception of this one:

refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)  129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload

 When I run 'squid -k parse' it returns the following error:

2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600  80%  129600  override-expire override-lastmod reload-into-ims ignore-reload
2016/08/11 06:57:33| refreshAddToList: Invalid regular expression '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty (sub)expression

 Searching for where I am making the mistake, I don't find any problem with 
"\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I making 
the mistake??

 On the other side, I also see the following warnings:

2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP

 I have enabled these options "override-expire override-lastmod reload-into-ims 
ignore-reload" on some other patterns. Is this wrong??

Thanks.

-- 
Greetings,
C. L. Martinez
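To see what the regex library objected to in this thread (the original refresh_pattern above, and Amos's suggestion to write x-flv|flv), here is an added C++ example that is not part of Squid: it compiles a refresh_pattern regex through the same POSIX regcomp() API Squid uses, with REG_EXTENDED and REG_ICASE for -i, and surfaces the library's own error text, so a pattern can be checked before it goes into squid.conf. Whether the original (x-|)flv form is rejected depends on the regex implementation, which is the portability point Amos makes; the corrected pattern compiles on all of them. The URLs it is tested against are constructed.

```cpp
// Added example, not Squid code: compile a refresh_pattern regex through the
// POSIX API Squid itself uses (regcomp with REG_EXTENDED, plus REG_ICASE when
// the pattern carries -i) and surface the library's own error text.
#include <regex.h>
#include <cstdio>
#include <initializer_list>
#include <string>

// The pattern from the thread and the form Amos suggested. In a C++ string
// literal the regex backslash must itself be escaped.
static const char* const kOriginalPattern =
    "\\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)";
static const char* const kFixedPattern =
    "\\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|x-flv|flv)";

static int compileFlags(bool icase) {
    // REG_NOSUB: only match/no-match is needed, not sub-expression offsets.
    return REG_EXTENDED | REG_NOSUB | (icase ? REG_ICASE : 0);
}

// Empty string when the pattern compiles; otherwise the regex library's own
// message, for example "empty (sub)expression" on implementations that reject
// an empty alternative such as (x-|).
std::string compileError(const char* pattern, bool icase) {
    regex_t re;
    int rc = regcomp(&re, pattern, compileFlags(icase));
    if (rc == 0) {
        regfree(&re);
        return "";
    }
    char msg[256];
    regerror(rc, &re, msg, sizeof msg);
    return msg;
}

// 1 when url matches the pattern, 0 when it does not, -1 when the library
// refuses the pattern (which is what made Squid's parser fail).
int refreshPatternMatches(const char* pattern, bool icase, const char* url) {
    regex_t re;
    if (regcomp(&re, pattern, compileFlags(icase)) != 0)
        return -1;
    int rc = regexec(&re, url, 0, nullptr, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main() {
    for (const char* p : {kOriginalPattern, kFixedPattern}) {
        std::string err = compileError(p, true);
        std::printf("%s\n  -> %s\n", p, err.empty() ? "compiles" : err.c_str());
    }
    // Constructed URLs: with -i the corrected pattern matches .x-FLV and .m2v
    // but leaves an .html page alone.
    std::printf("x-FLV: %d, m2v: %d, html: %d\n",
                refreshPatternMatches(kFixedPattern, true, "http://example.com/video.x-FLV"),
                refreshPatternMatches(kFixedPattern, true, "http://example.com/movie.m2v"),
                refreshPatternMatches(kFixedPattern, true, "http://example.com/page.html"));
    return 0;
}
```

Running this on the machine that will host Squid is the useful part: the first loop prints whatever that system's libc regcomp() says about the original pattern, which is the same verdict `squid -k parse` would reach.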