Re: [squid-users] Is this proper usage of Squid?

2017-01-07 Thread Eddie B
Thanks Amos. Looks like we will be using eCAP.

One other possible scenario comes to mind - I am not sure if this is
feasible. When the block is via DNS (not IP, not all video streaming block),
could we:

- create CNAMEs for all vimeo domains involved in delivering video

- serve our modified player/resources from and pointing to these
CNAMEs

- then route thru squid all the request and response traffic running
eCAP on both headers and body, both ways

?

Thanks again

 

---

> On 2017-01-08 10:59, Eddie B wrote:
>
>> Can we accomplish the above using Squid?
>
> A basic CDN / reverse-proxy setup does most of what you ask. You will
> need to then throw in some content adaptation (ICAP or eCAP) to handle
> URLs in the response HTML and any scripts.
>
> Not knowing what the "firewalls" will trigger on may be a problem
> though.
>
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Is this proper usage of Squid?

2017-01-07 Thread Amos Jeffries

On 2017-01-08 10:59, Eddie B wrote:

> Can we accomplish the above using Squid?

A basic CDN / reverse-proxy setup does most of what you ask. You will
need to then throw in some content adaptation (ICAP or eCAP) to handle
URLs in the response HTML and any scripts.

Not knowing what the "firewalls" will trigger on may be a problem
though.

Amos



[squid-users] Is this proper usage of Squid?

2017-01-07 Thread Eddie B
We have embedded Vimeo videos on a site accessible only to logged in users.
Because of different firewalls, using different types of blocks, the videos
sometimes do not work for the client.

Aside from cases where the firewall blocks any video streaming, we want to
serve video to clients that have Vimeo blocked (by IP or DNS) via this
setup:

1. our application detects Vimeo is being blocked

2. tells the browser to load up a different player

3. this new player loads every needed resource (video, JS, json, etc)
from domains that we control (and thus have valid SSL certificates for),
instead of Vimeo/Akamai domains.

4. our server will download the appropriate version of the video from
Vimeo on the fly (maybe cache it for an hour) and serve it to the client.
The other resources necessary to play the video (JS, JSON) are permanently
stored on our server, and are modified to tell the client to request the
video from our servers. This is where Squid comes in.

In our situation, we cannot:

- know which kind of block the videos trigger on these firewalls

- ask the clients to change any settings on their browsers

- ask the clients to request a change to firewall settings

Can we accomplish the above using Squid?

TIA



[squid-users] Citrix Receiver client with Squid transparent proxy to access Citrix XenApp Server

2017-01-07 Thread mabi
Hi,

Is it possible using a Citrix Receiver client behind a Squid 3.5.20 transparent 
proxy to connect to a Citrix XenApp server on the internet?

If someone already managed to achieve this I would be interested to know how. 
For me it simply does not work, the Citrix Receiver client throws the following 
SSL error: A network error occured (SSL error 4).

So before wasting time trying to figure out how to make it work I was wondering 
if someone already managed to make this work...

Regards,
M.


Re: [squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread --Ahmad--
I’m using  squid as bridge like injecting some urls

thats it 

thanks 
> On Jan 7, 2017, at 8:35 PM, Antony Stone  
> wrote:
> 
> On Saturday 07 January 2017 at 19:23:47, --Ahmad-- wrote:
> 
>> hey mate i total understand Tporxy with CISCO /wccp
>> 
>> but I’m asking here other way like connecting ip:port and keep squid using
>> my original ip  as source
> 
> So, where do you expect the reply packets from the remote web server to end 
> up?
> 
> If you're trying to cache content, they have to arrive at your Squid server, 
> which means the source of the requests has to be the Squid server's address 
> (or at least, some address which gets routed from the Internet via your Squid 
> server).
> 
> If you're not trying to cache content, and you want the replies to come 
> directly back to your browser, what are you using Squid for in this setup?
> 
> 
> Antony.
> 
> -- 
> I wasn't sure about having a beard at first, but then it grew on me.
> 
> Please reply to the list;
> please *don't* CC me.


Re: [squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread Antony Stone
On Saturday 07 January 2017 at 19:23:47, --Ahmad-- wrote:

> hey mate i total understand Tporxy with CISCO /wccp
> 
> but I’m asking here other way like connecting ip:port and keep squid using
> my original ip  as source

So, where do you expect the reply packets from the remote web server to end 
up?

If you're trying to cache content, they have to arrive at your Squid server, 
which means the source of the requests has to be the Squid server's address 
(or at least, some address which gets routed from the Internet via your Squid 
server).

If you're not trying to cache content, and you want the replies to come 
directly back to your browser, what are you using Squid for in this setup?


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

Please reply to the list;
please *don't* CC me.


Re: [squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread --Ahmad--
hey mate i total understand Tporxy with CISCO /wccp

but I’m asking here other way like connecting ip:port and keep squid using my 
original ip  as source 

cheers

> On Jan 7, 2017, at 8:20 PM, Matus UHLAR - fantomas  wrote:
> 
> On 07.01.17 19:25, --Ahmad-- wrote:
>> hey folks .
>> 
>> I’m just wondering if possible .
>> 
>> i have a basic squid on ip:port .
>> 
>> i want to connect over it using ip:port from my browser .
>> also …
>> 
>> when i visit websites …. i want my ip (router ip) not squid ip to be shown 
>> to the websites .
>> 
>> is that possible ?
>> 
>> i know its weird … but i want squid as like bridging mode and i want the 
>> requests to be sourced from the original ip of mine ..like my router ip
> 
> It's called "tproxy", http://wiki.squid-cache.org/Features/Tproxy4 
> 
> 
> - I'm not sure whether it works when you configure proxy manually
>   the wiki page describes it in intercepting mode
> 
> - your router MUST support that, so it sends incoming traffic to the proxy
>   instead of your computer, while the destination IP is your computer's
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk  ; 
> http://www.fantomas.sk/ 
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "One World. One Web. One Program." - Microsoft promotional advertisement
> "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: [squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread Matus UHLAR - fantomas

On 07.01.17 19:25, --Ahmad-- wrote:

> hey folks .
>
> I’m just wondering if possible .
>
> i have a basic squid on ip:port .
>
> i want to connect over it using ip:port from my browser .
> also …
>
> when i visit websites …. i want my ip (router ip) not squid ip to be shown to
> the websites .
>
> is that possible ?
>
> i know its weird … but i want squid as like bridging mode and i want the
> requests to be sourced from the original ip of mine ..like my router ip

It's called "tproxy", http://wiki.squid-cache.org/Features/Tproxy4

- I'm not sure whether it works when you configure proxy manually
  the wiki page describes it in intercepting mode

- your router MUST support that, so it sends incoming traffic to the proxy
  instead of your computer, while the destination IP is your computer's
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


[squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread --Ahmad--
hey folks .

I’m just wondering if possible .

i have a basic squid on ip:port .

i want to connect over it using ip:port from my browser .
also …

when i visit websites …. i want my ip (router ip) not squid ip to be shown to 
the websites .

is that possible ?

i know its weird … but i want squid as like bridging mode and i want the 
requests to be sourced from the original ip of mine ..like my router ip 

thank you Guys .


Re: [squid-users] ssl_bump with intermediate CA

2017-01-07 Thread senor
Thank you Amos. I agree that adding the anchor is generally harmless and
you've chosen your battles wisely.
Also thank you Garri. I must have missed your response confirming the same.

For current squid versions the wiki page is misleading according to all
credible references I can find. Any application failing because the root
is missing is buggy itself and that is not a squid problem. There are
several very good arguments for excluding it, including to expose bad
apps. Trusting a root cert sent from a server is like trusting a
politician because all promises end with "trust me".

I'll submit a request for the description of cafile/tls-cafile to change
and move the discussion to there.

Thanks all,
Senor

On 1/6/2017 2:06, Amos Jeffries wrote:
> On 2017-01-06 21:27, senor wrote:
>> Thank you for the response but I think my question is still unanswered.
>> Comments below:
>>
>> On 1/5/2017 16:57, Bruce Rosenberg wrote:
>>> The cafile option specifies the "chain" file squid should send back to
>>> the client along with the cert, exactly as you would normally do with
>>> Apache httpd or Nginx.
>> (For clarity: I'm using 3.5.23. cafile was replaced in squid-4)
>> This may be what cafile is used for but that does not match the
>> directive description.
>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
>> My suspicion is that the description is a confusion between the same
>> option in openssl and web server options (Apache SSLCACertificateFile
>> and similar).
>> What's it really used for? Chain completion, client cert verification or
>> both?
> 
> It is used for chain completion. *which* chain is being completed
> depends on the traffic mode.
> 
> clientca= should be the one used *only* for client cert verification (I
> think). But neither was used consistently in Squid-3, so YMMV based on
> the traffic modes.
> 
>>
>>> In the example the generated server cert is depth 0, CA2 is depth 1 and
>>> CA1 is depth 2.
>>> If the client has CA1 installed as a trust anchor then technically you
>>> don't need to send CA1 as it is discarded by the client once the trust
>>> relationship for CA2 is established.
>>> It's good practice to send the full chain though as it makes
>>> troubleshooting easier.
>>> From a client perspective you can quickly grab the whole chain with
>>> openssl s_client and check if CA1 is in the trust store.
>> I have to disagree with this. The anchor (CA1) is discarded regardless.
>> It cannot be used. If included it bloats the TLS handshake. Even openssl
>> will discard it and then look in the trusted CA store.
>>
>> I see with a packet cap that the mimicked server cert and the signing
>> cert are both included even without the cafile option specified.
>>
>> So is it safe to say that the referenced wiki page has just become
>> outdated? If cafile is used to fill in the cert chain it wouldn't be
>> needed unless there were additional intermediate certs between the mitm
>> cert and the trusted CA known to the client. (As in CA1 is trusted by
>> clients, CA1 signs CA2 which signs CA3 which is used as MITM cert,
>> cafile=CA2)
> 
> That wiki page was incorrect at the time of creation. But the author
> refuses to agree that root certs are discarded so I left it there instead
> of inciting an edit war. Saving the root CA into the file should be
> harmless anyway.
> 
> Amos

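As an added check that is not code from the thread or from Squid, the following script rebuilds the CA1 -> CA2 -> CA3 chain from senor's example with the openssl CLI and shows that client-side verification needs the intermediate (the cert that belongs in cafile=) but neither needs nor trusts a root that is merely sent along in the chain. It assumes only that the openssl command is installed; the CA names are the ones used in the discussion and the keys are throwaway.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild senor's CA1 -> CA2 -> CA3 chain
# with the openssl CLI and check which certificates a client actually needs.
# Assumes only that the openssl command is installed; all names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_ca NAME [ISSUER]: make a CA cert for NAME, signed by ISSUER
# (self-signed when ISSUER is omitted). Short-lived throwaway keys.
issue_ca() {
  name=$1; issuer=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/ca.ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  issue_ca CA1        # root: the anchor installed in the client trust store
  issue_ca CA2 CA1    # intermediate: the cert that belongs in cafile=
  issue_ca CA3 CA2    # signing cert Squid would use for mimicked server certs
  cat "$WORK/CA2.pem" "$WORK/CA1.pem" > "$WORK/chain_with_root.pem"
}

# verify_chain LABEL [openssl verify options]: validate CA3 the way a client
# would, given a trust store and the chain "sent" by the server (-untrusted).
verify_chain() {
  label=$1; shift
  if openssl verify "$@" "$WORK/CA3.pem" >/dev/null 2>&1; then
    echo "$label: ok"; return 0
  fi
  echo "$label: fail"; return 1
}

build_chain
verify_chain "anchor only, no intermediate sent"    -CAfile "$WORK/CA1.pem" || true
verify_chain "anchor + intermediate sent"           -CAfile "$WORK/CA1.pem" -untrusted "$WORK/CA2.pem"
verify_chain "anchor + chain that also ships root"  -CAfile "$WORK/CA1.pem" -untrusted "$WORK/chain_with_root.pem"
verify_chain "root only sent in chain, not trusted" -no-CAfile -no-CApath -untrusted "$WORK/chain_with_root.pem" || true
```

Only the second and third checks pass: the intermediate is what completes the chain, the extra root in the sent chain is ignored, and a root that is only sent (never installed) does not make the chain trusted.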


Re: [squid-users] Squid memory leak on ubuntu 14.04

2017-01-07 Thread Amos Jeffries

On 2017-01-07 17:33, Eliezer Croitoru wrote:

> I will try to build a binary package for 12.04 and 14.04 of 3.5.23.

Please do that by taking the official source .deb package and just
re-building it (and libecap3 package) for the older systems. No special
changes.

There are several transitions tangled together in the 3.5 packages for
both Debian and Ubuntu. These will break during future upgrades if the
package manager detects a 3.5 install already on the machine that was
done without the special handling in the official Debian/Ubuntu package
scripts.

Amos
