Re: [squid-users] How can I complete this tutorial?
I'm really sorry. Can you check the link in my post again? I can't find that line, really.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/How-can-I-complete-this-tutorial-tp4678837p4678852.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Large memory leak with ssl_peek (now partly understood)
Pretty sure this is affecting our 3.5.x systems as well — we use a very similar splicing implementation. I'll keep an eye out in hope someone adapts that patch!

Dan

On 12 August 2016 at 06:22, Alex Rousskov wrote:
> On 08/11/2016 10:56 AM, Steve Hill wrote:
>
>> At ssl_bump step 2 we splice the connection and Squid does verification
> ...
>> Unfortunately, when verification fails, rather than actually dropping
>> the client's connection, Squid just leaves the client hanging.
>
> Hi Steve,
>
> This sounds very similar to Squid bug 4508. Factory proposed a fix
> for that bug, but the patch is for Squid v4. You may be able to adapt it
> to v3. Testing (with any version) is very welcomed, of course:
>
> http://bugs.squid-cache.org/show_bug.cgi?id=4508
>
> Alex.
Re: [squid-users] X-Squid-Error
On 12/08/2016 9:10 a.m., joe wrote:
> only on latest squid 4 happen
> Squid Cache: Version 4.0.13-20160809-r14785
> -
> HTTP/1.1 400 Bad Request
> Server: squid
> Mime-Version: 1.0
> Date: Thu, 11 Aug 2016 21:02:46 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3367
> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
> X-Cache: MISS from proxy.netgatesss.com
> Connection: close
>

In response to what?

Amos
Re: [squid-users] Inconsistent Cache Peer Selection in Accelerator mode - Squid 3.3.8
On 12/08/2016 6:31 a.m., Antony Stone wrote:
> On Thursday 11 August 2016 at 20:25:04, Adam Vollrath wrote:
>
>> Good afternoon! I'm configuring Squid 3.3.8 on Ubuntu 14.04.5 LTS. It's
>> in reverse proxy mode and has some explicit peers specified. My issue
>> is that sometimes requests get forwarded to that specified peer, but
>> sometimes squid just forwards directly itself.
>>
>> `squid.conf` has these lines:
>>
>> http_port 127.0.1.2:80 accel ignore-cc act-as-origin allow-direct
>
>> Can I prevent it from forwarding requests directly?
>
> I'm not an expert on reverse proxy mode, but do you think "allow-direct"
> might be your problem?
>
> That sounds to me as though you are telling Squid it is allowed to forward
> requests directly, instead of having to rely on peers...

Exactly so.

Amos
[squid-users] How can I complete this tutorial?
I want to do this tutorial: https://www.linode.com/docs/networking/squid/squid-http-proxy-ubuntu-12-04, but there are some things I don't understand so much, please help me. Here is my squid.conf file: https://ghostbin/paste/kw7pp. I can't find the http_access line like in the tutorial, because there are so many 'example' lines named 'http_access'. Can you edit the file for me and tell me how to start squid with it?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/How-can-I-complete-this-tutorial-tp4678837.html
[squid-users] Large memory leak with ssl_peek (now partly understood)
I've been suffering from a significant memory leak on multiple servers running Squid 3.5 for months, but was unable to reproduce it in a test environment. I've now figured out how to reproduce it and have done some investigation:

When using TPROXY, Squid generates fake "CONNECT 192.0.2.1:443" requests, using the IP address that the client connected to. At ssl_bump step 1, we peek and Squid generates another fake "CONNECT example.com:443" request containing the SNI from the client's SSL handshake.

At ssl_bump step 2 we splice the connection and Squid does verification to make sure that example.com does actually resolve to 192.0.2.1. If it doesn't, Squid is supposed to reject the connection in ClientRequestContext::hostHeaderVerifyFailed() to prevent clients from manipulating the SNI to bypass ACLs.

Unfortunately, when verification fails, rather than actually dropping the client's connection, Squid just leaves the client hanging. Eventually the client (hopefully) times out and drops the connection itself, but the associated ClientRequestContext is never destroyed.

This is testable by repeatedly executing:

openssl s_client -connect 17.252.76.30:443 -servername courier.push.apple.com

That is a traffic pattern that we see in the real world and is now clearly what is triggering the leak: Apple devices make connections to addresses within the 17.0.0.0/8 network with an SNI of "courier.push.apple.com". courier.push.apple.com resolves to a CNAME pointing to courier-push-apple.com.akadns.net, but courier-push-apple.com.akadns.net doesn't exist. Since Squid can't verify the connection, it won't allow it and after 30 seconds the client times out. Each Apple device keeps retrying the connection, leaking a ClientRequestContext each time, and before long we've leaked several gigabytes of memory (on some networks I'm seeing 16GB or more of leaked RAM over 24 hours!).

Unfortunately I'm a bit lost in the Squid code and can't quite figure out how to gracefully terminate the connection and destroy the context.

--
Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Sales / enquiries: Email: sa...@opendium.com Phone: +44-1792-824568 / sip:sa...@opendium.com
Support: Email: supp...@opendium.com Phone: +44-1792-825748 / sip:supp...@opendium.com
Re: [squid-users] A problem with a refresh pattern rule
On Thu 11.Aug'16 at 22:38:13 +1200, Amos Jeffries wrote:
> On 11/08/2016 7:04 p.m., C. L. Martinez wrote:
>> Hi all,
>>
>> I am doing some modifications in refresh_patterns rules in a squid host
>> (release 3.5.20) and it seems they are working, with the exception of this
>> one:
>>
>> refresh_pattern -i
>> \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80%
>> 129600 override-expire override-lastmod reload-into-ims ignore-reload
>>
>> When I run 'squid -k parse' it returns me the following error:
>>
>> 2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i
>> \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80%
>> 129600 override-expire override-lastmod reload-into-ims ignore-reload
>> 2016/08/11 06:57:33| refreshAddToList: Invalid regular expression
>> '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty
>> (sub)expression
>>
>> Searching where I am making the mistake, I don't find any problem with
>> "\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I
>> making the mistake??
>>
>
> That pattern works fine for me. Must be something to do with the regex
> library on your system.
>
> I think the error message is about the (x-|)flv piece. The absence of
> anything between | and ) is the only bit that could be called an 'empty
> sub-expression' there. You might have to change that to x-flv|flv.

Perfect!!! That was it, thanks Amos.

>>
>> On the other side, I see the following warnings also:
>>
>> 2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern'
>> violates HTTP
>> 2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in
>> 'refresh_pattern' violates HTTP
>> 2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern'
>> violates HTTP
>> 2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern'
>> violates HTTP
>>
>> I have enabled these options "override-expire override-lastmod
>> reload-into-ims ignore-reload" on some other patterns. Is this wrong??
>
> Those are WARNINGs. Not an error. They instruct Squid to do things which
> are outside the HTTP specification. You may encounter trouble with some
> traffic because of that changed behaviour.
>
> The warnings are there to make sure you are aware something risky is
> being done, and when you run into trouble with those options it is
> probably not Squid bugs but your choice to violate the standard HTTP
> behaviour which caused it.
>
> Amos

Understood. I will remove those options, then. Many thanks.

--
Greetings,
C. L. Martinez
Re: [squid-users] large downloads got interrupted
Hi.

On 30.06.16 17:19, Amos Jeffries wrote:
>
> Okay, I wasn't suggesting you post it here. It's likely to be too big for
> that.
>
> I would look for the messages about the large object, and its FD. Then,
> for anything about why it was closed by Squid. Not sure what that would be
> at this point though.
> There are some scripts in the Squid sources scripts/ directory that
> might help wade through the log. Or the grep tool.
>

I enabled logLevel 2 for all squid facilities, but so far I didn't figure out any pattern from the log. The only thing I noticed is that for a large download the Recv-Q value reported by netstat for a particular squid-to-server connection is extremely high, as is the Send-Q value for the connection from squid to the client. I don't know if it's a cause or a consequence, but from my point of view this may indicate that buffers are overflowing for some reason; I think this may cause, in turn, RSTs and connection closing - am I right? I still don't know whether it's a squid fault or maybe a local OS misconfiguration.

Eugene.
Re: [squid-users] Problem with SSL client setting in case of reverse proxy
On 10/08/2016 6:49 p.m., Frosch Martin wrote:
> Hello,
>
> I hope I am right here.
>
> I use Squid Version 3.5.20 as reverse Proxy for Outlook (2010)
> Anywhere and OWA. The problem is that I cannot transfer Files bigger
> than 2MB since the Microsoft Update
> https://technet.microsoft.com/de-de/library/security/3042058. This
> Update brings new Cipher Versions to IIS. Now I want to use older
> Cipher Suites but the following line of Squid config is not working
> 100%.

Why do you want to force bad security when better is available?

>
> cache_peer X.X.X.X parent 443 0 ssl no-query originserver
> sslflags=DONT_VERIFY_PEER
> ssloptions=NO_SSLv2:NO_SSLv3:ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET

Process those options (instructions) from left-to-right in your head. You should see that all things are *enabled* at the end of it. That includes SSLv2 and SSLv3 being enabled.

Hint: "ALL" force-enables everything the library is capable of. Restrictions can only follow after it in the options list.

> sslcipher=AES256-SHA login=PASS name=exchangeServer standby=5
>
> Squid as Client always uses 38 Cipher Suites, no matter what I define
> as ssloptions or sslcipher.
>

cipher= is very rarely needed to be explicitly set. The library already enables good ciphers, and options can enable others manually if needed.

Use of ALL in the options is often recommended by people without understanding what it does. It enables *everything* the library is capable of doing. Basically using it means the admin (or whoever wrote the tutorial) thinks they know security better than the experts who wrote the library. Then the admin/author goes and lists removal of the (often few) things they know are bad (at that point in time) - often missing out lots of custom hacks they don't know the library just enabled as instructed, or crypto things which are broken but long forgotten.

The best thing to do is to start with neither cipher nor options configured at all and test what the library tries to offer. Use that test to add specific disable/enable options to the options= list. Repeat as necessary until what the library does meets your need.

HTH
Amos
Re: [squid-users] A problem with a refresh pattern rule
On 11/08/2016 7:04 p.m., C. L. Martinez wrote:
> Hi all,
>
> I am doing some modifications in refresh_patterns rules in a squid host
> (release 3.5.20) and it seems they are working, with the exception of this
> one:
>
> refresh_pattern -i
> \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80%
> 129600 override-expire override-lastmod reload-into-ims ignore-reload
>
> When I run 'squid -k parse' it returns me the following error:
>
> 2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i
> \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80%
> 129600 override-expire override-lastmod reload-into-ims ignore-reload
> 2016/08/11 06:57:33| refreshAddToList: Invalid regular expression
> '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty
> (sub)expression
>
> Searching where I am making the mistake, I don't find any problem with
> "\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I
> making the mistake??
>

That pattern works fine for me. Must be something to do with the regex library on your system.

I think the error message is about the (x-|)flv piece. The absence of anything between | and ) is the only bit that could be called an 'empty sub-expression' there. You might have to change that to x-flv|flv.

> On the other side, I see the following warnings also:
>
> 2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern'
> violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in 'refresh_pattern'
> violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern'
> violates HTTP
> 2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern'
> violates HTTP
>
> I have enabled these options "override-expire override-lastmod
> reload-into-ims ignore-reload" on some other patterns. Is this wrong??

Those are WARNINGs. Not an error. They instruct Squid to do things which are outside the HTTP specification. You may encounter trouble with some traffic because of that changed behaviour.

The warnings are there to make sure you are aware something risky is being done, and when you run into trouble with those options it is probably not Squid bugs but your choice to violate the standard HTTP behaviour which caused it.

Amos
[squid-users] A problem with a refresh pattern rule
Hi all,

I am doing some modifications in refresh_patterns rules in a squid host (release 3.5.20) and it seems they are working, with the exception of this one:

refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80% 129600 override-expire override-lastmod reload-into-ims ignore-reload

When I run 'squid -k parse' it returns me the following error:

2016/08/11 06:57:33| /etc/squid/squid.conf line 173: refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 80% 129600 override-expire override-lastmod reload-into-ims ignore-reload
2016/08/11 06:57:33| refreshAddToList: Invalid regular expression '\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)': empty (sub)expression

Searching where I am making the mistake, I don't find any problem with "\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv)". Where am I making the mistake??

On the other side, I see the following warnings also:

2016/08/11 06:57:33| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2016/08/11 06:57:33| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP

I have enabled these options "override-expire override-lastmod reload-into-ims ignore-reload" on some other patterns. Is this wrong??

Thanks.

--
Greetings,
C. L. Martinez
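As an added example serving this question and Amos's replies above (not Squid's own code, and not posted by anyone in the thread): a small Python linter for squid.conf refresh_pattern lines that reports empty POSIX ERE alternatives such as the `(x-|)flv` piece, which some regex libraries reject as an "empty (sub)expression", and the four options that `squid -k parse` warns "violate HTTP". The option list and the bracket-expression handling are my own simplifications.

```python
# Options that `squid -k parse` warns "violate HTTP" (the four in the thread).
HTTP_VIOLATING_OPTIONS = {
    "override-expire", "override-lastmod", "reload-into-ims", "ignore-reload",
}

def find_empty_alternatives(regex):
    """Offsets of '|' or '(' starting an empty ERE branch/group: '(|', '||',
    '|)', '()'. Skips backslash escapes and bracket expressions."""
    hits, prev, i, n = [], (None, -1), 0, len(regex)  # prev = (kind, offset)
    while i < n:
        c = regex[i]
        if c == "\\":                        # escaped char is always literal
            prev, i = ("x", i), i + 2
            continue
        if c == "[":                         # bracket expression is one token
            j = i + 1 + (regex[i + 1:i + 2] == "^")
            j += regex[j:j + 1] == "]"       # a leading ']' is literal
            while j < n and regex[j] != "]":
                j += 1
            prev, i = ("x", i), j + 1
            continue
        if c == "|" and prev[0] in (None, "(", "|"):
            hits.append(i)
        if c == ")" and prev[0] in ("(", "|"):
            hits.append(prev[1])
        prev = (c if c in "(|" else "x", i)
        i += 1
    return hits

def lint_refresh_pattern(line):
    """Findings for one squid.conf refresh_pattern line ([] means clean)."""
    tokens = line.split()
    if not tokens or tokens[0] != "refresh_pattern":
        return ["not a refresh_pattern line"]
    args = tokens[2:] if tokens[1:2] == ["-i"] else tokens[1:]
    if len(args) < 4:
        return ["expected: refresh_pattern [-i] regex min percent max [options]"]
    regex, options = args[0], args[4:]
    findings = [f"empty (sub)expression at offset {off} of {regex!r}; "
                "e.g. write (x-|)flv as (x-flv|flv)"
                for off in find_empty_alternatives(regex)]
    findings += [f"option {o} makes Squid violate HTTP (squid -k parse warns)"
                 for o in options if o in HTTP_VIOLATING_OPTIONS]
    return findings

# The exact line from the thread; the regex library rejected "(x-|)flv".
THREAD_LINE = (r"refresh_pattern -i "
               r"\.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) "
               r"129600 80% 129600 override-expire override-lastmod "
               r"reload-into-ims ignore-reload")
```

Running `lint_refresh_pattern(THREAD_LINE)` yields five findings: the empty branch at offset 53 of the regex plus one per warned option; the same line with `(x-flv|flv)` and no options yields none.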