Re: [squid-users] How to bypass Squid proxy in intercept mode using acl/always_direct

2016-12-27 Thread Matus UHLAR - fantomas

On 26.12.16 14:07, mabi wrote:

I am using Squid 3.5.20 in intercept mode for HTTP and HTTPS traffic with
my OpenBSD 6.0 firewall. For some internal servers located on two
different subdomains I would like to access these directly and as such
bypass the Squid proxy. Is it possible to achieve that using an acl
and always_direct parameters of Squid?


No. It is NOT possible to configure bypassing on the squid proxy.
Proxy can only handle connections that did NOT bypass it.
Bypassing means that connections will NOT be done to squid.

That means, when a connection reaches squid, it's already too late to bypass
it.

The only way to bypass squid is to configure router not to send connections
to it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Eliezer Croitoru
And what shows in the access.log when you fetch this object?
The response headers are missing a couple of things.
Also you are using a heuristic refresh_pattern that should not work and it's
wrong to use such.
The first thing is to change the refresh pattern to something more connected
to reality rather than science fiction:

refresh_pattern -i \.(jp[eg]{1,2}|pdf|gif|pn[pg]|bmp|tiff|ico|swf|css|js|ad|png)$ 1800 80% 7200

Try it and see if it changes something.
And a reference for the available options that can be used, with enough details
to start to understand what you are doing:
http://www.squid-cache.org/Versions/v4/cfgman/refresh_pattern.html

In this specific case there is a cache server.. Oracle at the other side and
the logs are the only one which will give us a glimpse into what is going on
for real.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Heiler Bemerguy
Sent: Tuesday, December 27, 2016 7:31 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

Hi,

refresh_pattern -i \.(jp[eg]{1,2}|pdf|gif|pn[pg]|bmp|tiff|ico|swf|css|js|ad|png)$ 10080 80% 120960 ignore-no-store ignore-reload ignore-must-revalidate ignore-private override-expire store-stale

But it shouldn't change the length of the object, the encoding type of the
object, or the "Server" header of the object. Or am I wrong?


-- 
Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

On 27/12/2016 14:26, Eliezer Croitoru wrote:
May I ask how did you manage to tell squid to cache a no-cache object?
From the dump it states:
Cache-Control: max-age=0, no-cache, no-store, must-revalidate

Which means it should not be cached...
 
Eliezer
 

http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

 
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Heiler Bemerguy
Sent: Tuesday, December 27, 2016 4:03 PM
To: squid-us...@squid-cache.org
Subject: Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!
 
 
The server doesn't define any "content-encoding". This is the original
server reply, tcpdumped:

HTTP/1.1 200 OK
Set-Cookie: ACE-STICKY=R1291873686; path=/; expires=Mon, 26-Dec-2016 23:51:26 GMT
Date: Mon, 26 Dec 2016 19:36:06 GMT
Accept-Ranges: bytes
Content-Length: 152264
Content-Type: text/css; charset=UTF-8
X-Powered-By: Servlet/3.0 JSP/2.2
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Language: en
Set-Cookie: JSESSIONID=DCLCYhxGPHvpfnPNsPv51cGkS55GPqB4b3xJsybLgLJpyqPZZhNW!-162452808; path=/; HttpOnly



-- 
Best Regards,
 
Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751
 
On 26/12/2016 21:07, Alex Rousskov wrote:
On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them (unless you
tell it to do that).

The origin server does not honor the bogus "none" content coding requested
by the client.

HTH,

Alex.


 




Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Heiler Bemerguy

Hi,

refresh_pattern -i \.(jp[eg]{1,2}|pdf|gif|pn[pg]|bmp|tiff|ico|swf|css|js|ad|png)$ 10080 80% 120960 ignore-no-store ignore-reload ignore-must-revalidate ignore-private override-expire store-stale

But it shouldn't change the length of the object, the encoding type of
the object, or the "Server" header of the object. Or am I wrong?



--
Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751


On 27/12/2016 14:26, Eliezer Croitoru wrote:

May I ask how did you manage to tell squid to cache a no-cache object?

From the dump it states:

Cache-Control: max-age=0, no-cache, no-store, must-revalidate

Which means it should not be cached...

Eliezer



Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Heiler Bemerguy
Sent: Tuesday, December 27, 2016 4:03 PM
To: squid-us...@squid-cache.org
Subject: Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

The server doesn't define any "content-encoding". This is the
*original server* reply, tcpdumped:

HTTP/1.1 200 OK
Set-Cookie: ACE-STICKY=R1291873686; path=/; expires=Mon, 26-Dec-2016 23:51:26 GMT
Date: Mon, 26 Dec 2016 19:36:06 GMT
Accept-Ranges: bytes
Content-Length: 152264
Content-Type: text/css; charset=UTF-8
X-Powered-By: Servlet/3.0 JSP/2.2
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Language: en
Set-Cookie: JSESSIONID=DCLCYhxGPHvpfnPNsPv51cGkS55GPqB4b3xJsybLgLJpyqPZZhNW!-162452808; path=/; HttpOnly



--
Best Regards,
Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

On 26/12/2016 21:07, Alex Rousskov wrote:

On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them
(unless you tell it to do that).

The origin server does not honor the bogus "none" content coding
requested by the client.

HTH,

Alex.





Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Eliezer Croitoru
May I ask how did you manage to tell squid to cache a no-cache object?

From the dump it states:

Cache-Control: max-age=0, no-cache, no-store, must-revalidate

Which means it should not be cached...

 

Eliezer

 



Eliezer Croitoru  
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Heiler Bemerguy
Sent: Tuesday, December 27, 2016 4:03 PM
To: squid-us...@squid-cache.org
Subject: Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

 

 

The server doesn't define any "content-encoding". This is the original
server reply, tcpdumped:

HTTP/1.1 200 OK
Set-Cookie: ACE-STICKY=R1291873686; path=/; expires=Mon, 26-Dec-2016 23:51:26 GMT
Date: Mon, 26 Dec 2016 19:36:06 GMT
Accept-Ranges: bytes
Content-Length: 152264
Content-Type: text/css; charset=UTF-8
X-Powered-By: Servlet/3.0 JSP/2.2
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Language: en
Set-Cookie: JSESSIONID=DCLCYhxGPHvpfnPNsPv51cGkS55GPqB4b3xJsybLgLJpyqPZZhNW!-162452808; path=/; HttpOnly





-- 
Best Regards,
 
Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

 

On 26/12/2016 21:07, Alex Rousskov wrote:

On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them (unless you
tell it to do that).

The origin server does not honor the bogus "none" content coding requested
by the client.

HTH,

Alex.



 



Re: [squid-users] ACL and outgoing IP

2016-12-27 Thread Antony Stone
On Tuesday 27 December 2016 at 17:03:52, qdmetro wrote:

> I have a squid connected behind a firewall. On the firewall, only the IP of
> the squid (192.168.1.1) is allowed to go on the Internet.
> 
> Usually, when a user authenticates itself on the proxy, all the requests use
> the outgoing IP of the squid (192.168.1.1) so they can access the
> website. I want to allow some websites to be reachable without
> authentication (especially for the activation of Windows licences). I've
> tried this:
> 
> acl Microsoft dstdomain .microsoft.com
> http_access allow Microsoft
> 
> With this configuration, the requests don't use the outgoing IP of the
> proxy anymore, so they come to my firewall with the source IP of the
> client (which is not allowed to go on the Internet).
> I've tried this to force the outgoing IP for this acl:
> 
> tcp_outgoing_address 192.168.1.1 Microsoft
> 
> but the requests still don't use the IP of the proxy.
> 
> Maybe this kind of configuration isn't possible, or I'm missing something...

Show us your full squid.conf (just post it here in a reply, omitting comments 
and blank lines).

That should give us more useful information to go on.


Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

Please reply to the list; please *don't* CC me.


[squid-users] ACL and outgoing IP

2016-12-27 Thread qdmetro
Hello,
I have an issue with acl and outgoing IP address.

I have a squid connected behind a firewall. On the firewall, only the IP of
the squid (192.168.1.1) is allowed to go on the Internet.

Usually, when a user authenticates itself on the proxy, all the requests use
the outgoing IP of the squid (192.168.1.1) so they can access the website.
I want to allow some websites to be reachable without authentication
(especially for the activation of Windows licences). I've tried this:

acl Microsoft dstdomain .microsoft.com
http_access allow Microsoft

With this configuration, the requests don't use the outgoing IP of the proxy
anymore, so they come to my firewall with the source IP of the client (which
is not allowed to go on the Internet).
I've tried this to force the outgoing IP for this acl:

tcp_outgoing_address 192.168.1.1 Microsoft

but the requests still don't use the IP of the proxy.

Maybe this kind of configuration isn't possible, or I'm missing something...
Any idea to help me?

Thanks !



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/ACL-and-outgoing-IP-tp4680990.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Heiler Bemerguy


The server doesn't define any "content-encoding". This is the
*original server* reply, tcpdumped:

HTTP/1.1 200 OK
Set-Cookie: ACE-STICKY=R1291873686; path=/; expires=Mon, 26-Dec-2016 23:51:26 GMT
Date: Mon, 26 Dec 2016 19:36:06 GMT
Accept-Ranges: bytes
Content-Length: 152264
Content-Type: text/css; charset=UTF-8
X-Powered-By: Servlet/3.0 JSP/2.2
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Language: en
Set-Cookie: JSESSIONID=DCLCYhxGPHvpfnPNsPv51cGkS55GPqB4b3xJsybLgLJpyqPZZhNW!-162452808; path=/; HttpOnly


--
Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751



On 26/12/2016 21:07, Alex Rousskov wrote:

On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them
(unless you tell it to do that).

The origin server does not honor the bogus "none" content coding
requested by the client.

HTH,

Alex.






Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Heiler Bemerguy


Hey dudes, thanks for the replies..

The client GET says it won't accept any encoding format. Why is squid
compressing it and sending it compressed to a client that explicitly says
it doesn't accept encoding?

Is this really correct? Because no browser is liking it here. Even more,
I think no data is sent back to the browser, as "Content-Length = 0".



--
Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751


On 27/12/2016 09:00, Amos Jeffries wrote:

On 2016-12-27 13:07, Alex Rousskov wrote:

On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them
(unless you tell it to do that).

The origin server does not honor the bogus "none" content coding
requested by the client.

More importantly, there is no Vary header. The origin server is
claiming to produce *only* the one response object. That happens to be
in gzip encoded format.

Since there are no other variants, the client Accept-* headers do not
matter. Simple as that.

Amos



Re: [squid-users] squid 4.0.17 accept-encoding.. sending gzip?!

2016-12-27 Thread Amos Jeffries

On 2016-12-27 13:07, Alex Rousskov wrote:

On December 26, 2016 10:11:55 AM Heiler Bemerguy wrote:

*Accept-Encoding: none*

*Content-Encoding: gzip*

These are end-to-end headers. Squid does not modify or add them
(unless you tell it to do that).

The origin server does not honor the bogus "none" content coding
requested by the client.

More importantly, there is no Vary header. The origin server is claiming
to produce *only* the one response object. That happens to be in gzip
encoded format.

Since there are no other variants, the client Accept-* headers do not
matter. Simple as that.

Amos

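The two points argued across this thread, Eliezer's (a response carrying Cache-Control: no-store should stay out of the cache unless the refresh_pattern overrides are forcing it in) and Amos's (without a Vary header the origin offers a single object, so the client's Accept-Encoding cannot select a different one), can both be checked against the captured headers. The Python below is an added teaching model written for this page; it is not Squid's code and was not supplied by any of the posters. The override flags are named after the refresh_pattern options quoted in the thread but implement a simplified reading of them, the URL and the second, Vary-carrying response are constructed for contrast, and the two client requests are invented.

```python
"""Teaching model of two HTTP caching rules discussed on this page:
(1) Cache-Control directives that keep a response out of a shared cache, and
    how refresh_pattern-style overrides (named after the options in the thread)
    change that decision in this simplified model;
(2) the Vary header, which decides whether one URL maps to one cached object
    or to several variants keyed on request headers.
Not Squid's code; the decision logic is deliberately simplified.
"""
from __future__ import annotations

# Origin reply captured in the thread (tcpdump output), one line per header.
ORIGIN_REPLY = """HTTP/1.1 200 OK
Set-Cookie: ACE-STICKY=R1291873686; path=/; expires=Mon, 26-Dec-2016 23:51:26 GMT
Date: Mon, 26 Dec 2016 19:36:06 GMT
Accept-Ranges: bytes
Content-Length: 152264
Content-Type: text/css; charset=UTF-8
X-Powered-By: Servlet/3.0 JSP/2.2
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Language: en
Set-Cookie: JSESSIONID=DCLCYhxGPHvpfnPNsPv51cGkS55GPqB4b3xJsybLgLJpyqPZZhNW!-162452808; path=/; HttpOnly
"""

# Constructed contrast case (not from the page): an origin that declares its
# compressed response as one of several variants selected by Accept-Encoding.
VARYING_REPLY = """HTTP/1.1 200 OK
Content-Type: text/css
Content-Encoding: gzip
Vary: Accept-Encoding
Cache-Control: max-age=3600
"""

URL = "http://origin.example/static/app.css"  # constructed placeholder URL


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a status line plus header block into lowercase name -> values.
    Repeated fields such as Set-Cookie keep every value."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control(headers: dict[str, list[str]]) -> dict[str, str | None]:
    """Split Cache-Control into a directive -> argument map (argument may be None)."""
    directives: dict[str, str | None] = {}
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            name, _, arg = token.strip().partition("=")
            if name:
                directives[name.lower()] = arg or None
    return directives


def reusable_without_revalidation(headers, *, ignore_no_store=False,
                                  ignore_private=False,
                                  ignore_must_revalidate=False,
                                  override_expire=False) -> tuple[bool, str]:
    """Would a shared cache store this response and serve it again without
    asking the origin? Each keyword flag disables one directive check, in the
    spirit of the refresh_pattern options quoted in the thread (simplified:
    no-cache and must-revalidate are lumped together here)."""
    cc = cache_control(headers)
    if "no-store" in cc and not ignore_no_store:
        return False, "no-store: response must not be stored"
    if "private" in cc and not ignore_private:
        return False, "private: a shared cache must not store it"
    if ("no-cache" in cc or "must-revalidate" in cc) and not ignore_must_revalidate:
        return False, "no-cache/must-revalidate: revalidate before every reuse"
    if cc.get("max-age") == "0" and not override_expire:
        return False, "max-age=0: stale on arrival, so it needs revalidation"
    return True, "storable and reusable"


def variant_key(url: str, response_headers, request_headers: dict[str, str]):
    """Cache key under which this response is stored. With no Vary header the
    URL alone is the key, so every client receives the same bytes no matter
    what Accept-* headers it sent. Returns None for "Vary: *" (never reusable)."""
    vary = [f.strip().lower()
            for v in response_headers.get("vary", []) for f in v.split(",")]
    if "*" in vary:
        return None
    return (url, tuple((f, request_headers.get(f, "")) for f in sorted(vary)))


def demo() -> dict[str, object]:
    origin = parse_headers(ORIGIN_REPLY)
    varying = parse_headers(VARYING_REPLY)
    # Constructed client requests: the "none" client from the thread and a gzip-capable one.
    client_none = {"accept-encoding": "none"}
    client_gzip = {"accept-encoding": "gzip"}
    return {
        "default": reusable_without_revalidation(origin),
        "with_overrides": reusable_without_revalidation(
            origin, ignore_no_store=True, ignore_private=True,
            ignore_must_revalidate=True, override_expire=True),
        # Same key: the single stored object serves both clients.
        "no_vary_same_object": variant_key(URL, origin, client_none)
                               == variant_key(URL, origin, client_gzip),
        # Different keys: the gzip variant is never handed to the "none" client.
        "vary_separates": variant_key(URL, varying, client_none)
                          != variant_key(URL, varying, client_gzip),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script, the default decision rejects the captured reply on no-store, the full set of overrides accepts it, and the Vary comparison shows why the "none" client received the only object the origin ever produced.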


Re: [squid-users] Squid Websocket Issue

2016-12-27 Thread Hardik Dangar
Hey Alex,

actually it's the reverse. If I remove !serverIsws somehow websockets will not
work. Conversion does not happen and I get 400 bad request, whereas if I
put !serverIsws then the request is converted and the status code is 101.

acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all

So the above works, but if I remove serverIsws then it will not work at all, i.e.

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all

The above does not work.

This is actually surprising for me too :) I did a lot of tests with other
websocket apps used by my network and when I remove rules from bump it will
not work. Maybe Amos could tell us something that we don't understand
about acls.


On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 12/20/2016 02:42 AM, Hardik Dangar wrote:
> > Following changes in config works and whatsapp starts working,
> >
> > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump splice serverIsws
> > ssl_bump bump !serverIsws all
>
> You do not need the "!serverIsws" part because if serverIsws matches,
> then the splice rule wins, and Squid does not reach the bump rule. This
> configuration is sufficient:
>
>   ssl_bump peek step1
>   ssl_bump splice serverIsws
>   ssl_bump bump all
>
> In theory, adding "!serverIsws" does not hurt. However, negating complex
> ACLs is tricky/dangerous and should be avoided when possible.
>
> Alex.
>
>
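Alex's argument rests on how ssl_bump lines are evaluated: Squid takes the first line whose ACL terms all match, so once the splice line has matched serverIsws the bump line is never consulted, and "!serverIsws" on it is redundant. The Python below is an added teaching model of that first-match rule written for this page; it is not Squid's parser or ACL engine and was not supplied by anyone in the thread. It handles only the two ACL types on the page (ssl::server_name_regex and at_step), "!" negation and the implicit "all" ACL, assumes the server name is unknown at SslBump1 and equals the SNI from SslBump2 onward, and uses constructed SNIs. It models the documented semantics Alex describes; it has no way to reproduce the difference Hardik observed in practice.

```python
"""First-match evaluation of ssl_bump rules as Alex describes it: Squid walks
the ssl_bump lines in order and the first line whose ACL terms all match
decides the action for the current step, so a later line is never consulted
for a connection an earlier line already handled.

Added teaching model, not Squid's parser or ACL engine. It understands only
the two ACL types that appear on this page (ssl::server_name_regex, at_step),
"!" negation, and the implicit "all" ACL.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hardik's configuration with the negated term on the bump line.
CONFIG_WITH_NEGATION = r"""
acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
"""

# Alex's shorter version (same acl lines; he quoted only the ssl_bump rules).
CONFIG_WITHOUT_NEGATION = r"""
acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all
"""


@dataclass
class Acl:
    name: str
    kind: str
    args: list[str] = field(default_factory=list)

    def matches(self, server_name: str, step: str) -> bool:
        if self.kind == "at_step":
            return step in self.args
        if self.kind == "ssl::server_name_regex":
            return any(re.search(p, server_name) for p in self.args)
        raise ValueError(f"ACL type not modelled: {self.kind}")


@dataclass
class Config:
    acls: dict[str, Acl] = field(default_factory=dict)
    rules: list[tuple[str, list[str]]] = field(default_factory=list)


def parse_config(text: str) -> Config:
    """Parse the acl and ssl_bump lines of a squid.conf fragment."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *rest = line.split()
        if directive == "acl":
            name, kind, *args = rest
            cfg.acls.setdefault(name, Acl(name, kind)).args.extend(args)
        elif directive == "ssl_bump":
            action, *terms = rest
            cfg.rules.append((action, terms))
        else:
            raise ValueError(f"directive not modelled: {directive}")
    return cfg


def term_matches(cfg: Config, term: str, server_name: str, step: str) -> bool:
    """One ACL term on an ssl_bump line, honouring a leading "!"."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    hit = True if name == "all" else cfg.acls[name].matches(server_name, step)
    return hit != negate


def decide(cfg: Config, server_name: str, step: str) -> str | None:
    """Action of the first ssl_bump line whose terms all match, else None."""
    for action, terms in cfg.rules:
        if all(term_matches(cfg, t, server_name, step) for t in terms):
            return action
    return None


def trace(cfg: Config, sni: str) -> list[tuple[str, str | None]]:
    """Decisions for one TLS connection across the first two bump steps. In this
    model the server name is unknown ("") at SslBump1 and becomes the SNI at
    SslBump2, i.e. after the peek at step 1 has read the ClientHello."""
    return [("SslBump1", decide(cfg, "", "SslBump1")),
            ("SslBump2", decide(cfg, sni, "SslBump2"))]


def same_decisions(cfg_a: Config, cfg_b: Config, snis: list[str]) -> bool:
    """True when both configurations peek/splice/bump identically for every SNI."""
    return all(trace(cfg_a, s) == trace(cfg_b, s) for s in snis)


if __name__ == "__main__":
    with_neg = parse_config(CONFIG_WITH_NEGATION)
    without = parse_config(CONFIG_WITHOUT_NEGATION)
    # Constructed SNIs: one matching the WhatsApp regex, one that does not.
    for sni in ["w3.web.whatsapp.com", "www.example.com"]:
        print(sni, trace(with_neg, sni), trace(without, sni))
    print("identical:", same_decisions(with_neg, without,
                                       ["w3.web.whatsapp.com", "www.example.com"]))
```

Note what `term_matches` returns for "!serverIsws" at SslBump1, when no server name is known yet: the negation is true, so only the ordering of the peek line ahead of it keeps the bump line from firing early. That is the sense in which negating a complex ACL is easy to get wrong, as Alex cautions.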