Re: [squid-users] Configuration for cache_peer doesn't work

2017-01-19 Thread Amos Jeffries
On 20/01/2017 4:39 a.m., salil GK wrote:
> Hello
> 
>   I am new to squid and I have a use case that I need to configure a
> forward proxy with squid. But there will be two squid servers chained to
> isolate the networks. So when client machine wanted to access some internet
> site, they will specify proxy as my first squid server. This proxy in turn
> will forward the packet to squid server 2 and from there traffic will be
> forwarded to origin server and response will come through the same path.
> 

Okay. Reasonable.


> ~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf
> 
> 2017/01/19 21:04:24| parse_peer: token='ssl'
> 
> FATAL: Bungled minsquid.conf line 12: cache_peer 10.106.251.90 parent 3223
> 0 no-query default ssl sslcert="/tmp/server_90.pem"
> sslkey="/tmp/privkey_90.pem"
> 
> Squid Cache (Version 3.1.19): Terminated abnormally.

You appear to be using an extremely old version of Squid. Is this the
Ubuntu Precise by chance?

The Debian/Ubuntu packages are not (for legal reasons) linked to
OpenSSL. So they cannot be configured with any TLS/SSL settings like this.

You will have to make a custom build of Squid.

Amos
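A quick way to confirm the point above before touching squid.conf is to inspect what `squid -v` reports. The script below is an added example for this thread (not code from the list or from the Squid project): it parses the version line and the configure options, and reports whether any of Squid's TLS build switches (`--enable-ssl`/`--with-openssl` on 3.1 to 3.4, `--with-openssl` or `--with-gnutls` on 3.5 and later) is present. The two sample outputs are constructed: the first abridges the distribution 3.1.19 configure line quoted later in this thread, the second is what a self-built binary configured with `--with-openssl --enable-ssl` would show.

```python
"""Check whether a Squid binary was built with TLS support by parsing the
output of `squid -v`.  Added example, not code from the squid-users thread or
from the Squid project.  The option names checked are Squid's real configure
switches (--enable-ssl/--with-openssl on 3.1-3.4, --with-openssl or
--with-gnutls on 3.5 and later)."""
import re
import shlex
import subprocess

TLS_BUILD_OPTIONS = {"--with-openssl", "--enable-ssl", "--with-gnutls"}


def parse_squid_v(text):
    """Return {'version': str|None, 'configure': [option, ...]} from `squid -v` output."""
    version = None
    m = re.search(r"Squid Cache: Version (\S+)", text)
    if m:
        version = m.group(1)
    options = []
    m = re.search(r"configure options:\s*(.*)", text, re.S)
    if m:
        # Options are single-quoted tokens wrapped over several lines; joining
        # the lines and using shlex keeps a quoted 'CFLAGS=...' as one token.
        options = shlex.split(m.group(1).replace("\n", " "))
    return {"version": version, "configure": options}


def tls_support(info):
    """True when a configure option enabling OpenSSL/GnuTLS linkage is present.
    Options may carry a value (--with-openssl=/usr), so only the name is compared."""
    names = {opt.split("=", 1)[0] for opt in info["configure"]}
    return bool(names & TLS_BUILD_OPTIONS)


def check_local_binary(path="squid"):
    """Run `<path> -v` on this host and return the version plus a 'tls' flag."""
    out = subprocess.run([path, "-v"], capture_output=True, text=True, check=True).stdout
    info = parse_squid_v(out)
    info["tls"] = tls_support(info)
    return info


# Constructed sample 1: an abridged copy of the distribution-packaged 3.1.19
# configure line quoted later in this thread. It carries no OpenSSL switch.
DISTRO_BUILD = """Squid Cache: Version 3.1.19
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--enable-auth=basic,digest,ntlm,negotiate' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat' --with-squid=/build/squid3-nkylXD/squid3-3.1.19
"""

# Constructed sample 2: what a self-built 3.1 binary configured with
# `./configure --with-openssl --enable-ssl` reports.
CUSTOM_BUILD = """Squid Cache: Version 3.1.23
configure options:  '--with-openssl' '--enable-ssl'
"""

if __name__ == "__main__":
    for label, text in (("distro package", DISTRO_BUILD), ("custom build", CUSTOM_BUILD)):
        info = parse_squid_v(text)
        print(f"{label}: Squid {info['version']}, TLS support: {tls_support(info)}")
```

Run `check_local_binary("/usr/sbin/squid3")` on the proxy host itself to test the installed binary; a result without the TLS flag means every `ssl`, `sslcert=` or `https_port` directive will be rejected at parse time exactly as shown in the error above.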

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Users inserted incorrectly in access.log

2017-01-19 Thread Amos Jeffries
On 20/01/2017 2:37 a.m., Eduardo Carneiro wrote:
> Hi everyone.
> 
> I have an environment with one frontend server and three parent servers in
> a cluster. The frontend server receives all client connections and forwards
> them to the parent servers. There is no authentication method in the
> frontend server. In the parent servers the requests are authenticated via
> KERBEROS.
> 
> The problem is, when there are simultaneous accesses to any site, usernames,
> many times, are inserted incorrectly in the access.log. For example, the
> user "userA" accesses microsoft.com, but access.log shows "userB".
> 
> On the frontend server, there are these three lines:
> 
> cache_peer server1.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on
> cache_peer server2.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on
> cache_peer server3.domain.com parent 8080 3130 round-robin sourcehash
> no-query login=PASSTHRU connection-auth=on


Please start by selecting one of round-robin and sourcehash. They are
very different selection algorithms.

Given that Kerberos auth requires HTTP/1 multiplexing to be disabled for
the auth to work I suggest that you drop the round-robin. It forces
multiplexing to be used.

If the problem still remains try adding the connection-auth=on to those
Squid's listening ports as well.


> 
> I noticed that when the access is direct to some parent server, this problem
> does not occur. Only if the connection passes through the frontend.
> 
> Is this a bug?
> 

Maybe. What version of Squid are you using?
This was a problem back in 3.2 and older IIRC.

Amos
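The mechanism behind the advice above, as an added simulation for this thread (not Squid code): with connection-oriented authentication the parent proxy authenticates a TCP connection once and then attributes every later request on that connection to the same identity. When a frontend multiplexes requests from several clients over a shared pool of upstream connections, a request from one user rides on a connection that was authenticated as another, and the parent logs the wrong name. Pinning one upstream connection per client removes the mix-up. The user names, URLs, pool size and request order are made up.

```python
"""Simulation of the username mix-up described above: with connection-oriented
authentication (NTLM/Negotiate/Kerberos) the parent proxy authenticates a TCP
connection once and then attributes every later request on that connection to
the same user.  If a frontend multiplexes requests from several clients over a
shared pool of upstream connections, requests get logged under the wrong user.
Added example: a model written for this thread, not Squid code. The user names,
URLs and pool size are made up."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UpstreamConn:
    """One persistent connection from the frontend to a parent proxy."""
    conn_id: int
    auth_user: Optional[str] = None   # identity bound to the connection


@dataclass
class ParentProxy:
    """Parent that does connection-oriented auth and writes an access.log."""
    access_log: list = field(default_factory=list)

    def handle(self, conn, real_user, url):
        if conn.auth_user is None:
            # Handshake on the first request: this connection is now "real_user".
            conn.auth_user = real_user
        # Later requests are not re-authenticated; the connection's user is logged.
        self.access_log.append((url, conn.auth_user))
        return conn.auth_user


class Frontend:
    """Forwards client requests upstream either over a shared, round-robin
    connection pool (multiplexing) or over one connection pinned per client."""

    def __init__(self, parent, pin_per_client, pool_size=2):
        self.parent = parent
        self.pin_per_client = pin_per_client
        self.pool = [UpstreamConn(i) for i in range(pool_size)]
        self.next_conn = 0
        self.pinned = {}

    def forward(self, client_user, url):
        if self.pin_per_client:
            conn = self.pinned.get(client_user)
            if conn is None:
                conn = UpstreamConn(100 + len(self.pinned))
                self.pinned[client_user] = conn
        else:
            conn = self.pool[self.next_conn % len(self.pool)]
            self.next_conn += 1
        return self.parent.handle(conn, client_user, url)


# Constructed traffic: three clients interleaving requests, as happens under
# simultaneous access. Each tuple is (authenticated client, URL).
TRAFFIC = [
    ("userA", "http://microsoft.com/"),
    ("userB", "http://example.com/"),
    ("userC", "http://example.net/"),
    ("userA", "http://microsoft.com/favicon.ico"),
]


def simulate(pin_per_client):
    """Return [(client, url, user_in_parent_log), ...] for the traffic above."""
    frontend = Frontend(ParentProxy(), pin_per_client)
    return [(user, url, frontend.forward(user, url)) for user, url in TRAFFIC]


def misattributed(results):
    """Count requests the parent logged under a user other than the real client."""
    return sum(1 for client, _url, logged in results if client != logged)


if __name__ == "__main__":
    for mode in (False, True):
        res = simulate(mode)
        print("pinned" if mode else "shared pool", "->", misattributed(res), "misattributed")
        for client, url, logged in res:
            print(f"  {client:5s} {url:40s} logged as {logged}")
```

With the shared pool, userC's request reuses the connection authenticated as userA and userA's second request reuses userB's, so two of four entries carry the wrong name; with per-client pinning every entry is correct. This is the behaviour `connection-auth=on` on the listening port and on the `cache_peer` line is meant to preserve.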



[squid-users] Dst and dstdomain ACLs

2017-01-19 Thread creditu
Had a question about dst and dstdomain acls.  Given the sample below:

http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
acl www dstdomain www.example.com dev.example.com
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver
round-robin
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all
...
http_access allow www
http_access deny all

When someone tries to access the site by specifying an IP
(192.168.100.1) instead of the name the client gets a standard access
denied squid page.  It seems that a separate acl needs to be defined for
when someone tries to access the site using an IP?  For instance:
acl www_ip dst 192.168.100.1
 
If we wanted to pass to the backend we would need to add an extra
cache_peer_access statement
 cache_peer_access 10.10.10.1 allow www_ip

Then add:
http_access allow www_ip

Is that correct?  If we wanted to not allow IP based requests we would
still define the acl and use an http_access deny www_ip and then use
deny_info to redirect or send a TCP Reset?  Thanks.


[squid-users] squid 3.5.23 memory usage

2017-01-19 Thread Ivan Larionov
Hello.

I'm pretty sure this question has been asked multiple times already, but
after reading everything I found I still can't figure out squid memory
usage patterns.

We're currently trying to upgrade from squid 2.7 to squid 3.5 and memory
usage on squid 3 is much much higher compared to squid 2 with the same
configuration.

What do I see:

squid running for several days with low traffic:

# top
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7367 squid     20   0 4780m 4.4g 5224 S  6.0 60.6 105:01.76 squid -N

So it uses 4.4GB resident memory. Ok, let's see important config options:

cache_mem 2298756 KB
maximum_object_size_in_memory 8 KB
memory_replacement_policy lru
cache_replacement_policy lru

cache_dir aufs /mnt/services/squid/cache 445644 16 256

minimum_object_size 64 bytes # non-zero so we don't cache mistakes
maximum_object_size 102400 KB

So we configured 2.2GB memory cache and 500GB disk cache. Disk cache is
quite big but current usage is only 3GB:

# du -sh /mnt/services/squid/cache # cache_dir
3.0G  /mnt/services/squid/cache

Now I'm looking into this page
http://wiki.squid-cache.org/SquidFaq/SquidMemory and see:

14 MB of memory per 1 GB on disk for 64-bit Squid

Which means disk cache should use ~50MB of RAM.

All this means we have ~2.2GB RAM used for everything else except
cache_mem and disk cache index.

Let's see top pools from mgr:mem:

Pool                  (KB)     %Tot
mem_node           2298833   55.082
Short Strings       622365   14.913
HttpHeaderEntry     404531    9.693
Long Strings        284520    6.817
MemObject           182288    4.368
HttpReply           155612    3.729
StoreEntry           73965    1.772
Medium Strings       71152    1.705
cbdata MemBuf (12)   35573    0.852
LRU policy node      30403    0.728
MD5 digest           11380    0.273
16K Buffer            1056    0.025

These pools consume ~35% of total squid memory usage: Short Strings,
HttpHeaderEntry, Long Strings, HttpReply. Looks suspicious. On squid 2 same
pools use 10 times less memory.

I found a bug which looks similar to our experience:
http://bugs.squid-cache.org/show_bug.cgi?id=4084.

I'm attaching our config, mgr:info, mgr:mem and some system info I
collected.

Could someone say if this is normal and why it's so much different from
squid 2?

-- 
With best regards, Ivan Larionov.
HTTP/1.1 200 OK
Server: squid/3.5.23
Mime-Version: 1.0
Date: Thu, 19 Jan 2017 23:39:50 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 19 Jan 2017 23:39:50 GMT
Last-Modified: Thu, 19 Jan 2017 23:39:50 GMT
X-Cache: MISS from ip-172-22-10-120
X-Cache-Lookup: MISS from ip-172-22-10-120:3128
Connection: close

Squid Object Cache: Version 3.5.23
Build Info: 
Service Name: squid
Start Time: Fri, 13 Jan 2017 23:35:32 GMT
Current Time:   Thu, 19 Jan 2017 23:39:50 GMT
Connection information for squid:
Number of clients accessing cache:  (client_db off)
Number of HTTP requests received:   8195690
Number of ICP messages received:0
Number of ICP messages sent:0
Number of queued ICP replies:   0
Number of HTCP messages received:   0
Number of HTCP messages sent:   0
Request failure ratio:   0.00
Average HTTP requests per minute since start:   948.1
Average ICP messages per minute since start:0.0
Select loop called: 73529108 times, 7.054 ms avg
Cache information for squid:
Hits as % of all requests:  5min: 29.2%, 60min: 28.9%
Hits as % of bytes sent:5min: 89.0%, 60min: 89.1%
Memory hits as % of hit requests:   5min: 0.0%, 60min: 0.0%
Disk hits as % of hit requests: 5min: 100.0%, 60min: 100.0%
Storage Swap size:  2915344 KB
Storage Swap capacity:   0.6% used, 99.4% free
Storage Mem size:   2276524 KB
Storage Mem capacity:   99.0% used,  1.0% free
Mean Object Size:   4.00 KB
Requests given to unlinkd:  0
Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):   0.01745  0.01745
Cache Misses:  0.02899  0.02451
Cache Hits:0.00091  0.00091
Near Hits: 0.0  0.0
Not-Modified Replies:  0.0  0.0
DNS Lookups:   0.0  0.00094
ICP Queries:   0.0  0.0
Resource usage for squid:
UP Time:518657.265 seconds
CPU Time:   6265.444 seconds
CPU Usage:  1.21%
CPU Usage, 5 minute avg:6.43%
CPU Usage, 60 minute avg:   5.11%
Maximum Resident Size: 18579360 KB
Page faults with physical i/o: 0
Memory accounted for:
Total accounted:   -20826 KB
memPoolAlloc calls: 2192400061
memPoolFree calls:  2194290230
File descriptor usage for squid:
Maximum number of file descriptors:   524288
Largest file desc currently in use: 
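The accounting done by hand in the post above can be scripted. The following is an added example for this thread (not code from the list or from the Squid project): it parses the pool table from `mgr:mem`, recovers the pooled total from the largest row's share column, reports the combined share of the string and header pools, and applies the SquidFaq rule of thumb quoted in the post (14 MB of RAM per GB of disk cache on 64-bit builds) to see how much resident memory cache_mem and the disk index leave unexplained. The sample table and the cache_mem, RES and disk-usage figures are the ones posted in this thread.

```python
"""Parse the pool table of Squid's `mgr:mem` report and account for resident
memory with the rule of thumb from the SquidFaq page linked above (14 MB of RAM
per GB of disk cache on 64-bit builds).  Added example, not from the thread or
the Squid project; the sample table and the cache_mem/RSS/disk figures are the
ones posted in this thread."""
import re

# Sample table constructed from the mgr:mem rows quoted in this thread.
MGR_MEM_SAMPLE = """\
Pool                  (KB)     %Tot
mem_node           2298833   55.082
Short Strings       622365   14.913
HttpHeaderEntry     404531    9.693
Long Strings        284520    6.817
MemObject           182288    4.368
HttpReply           155612    3.729
StoreEntry           73965    1.772
Medium Strings       71152    1.705
cbdata MemBuf (12)   35573    0.852
LRU policy node      30403    0.728
MD5 digest           11380    0.273
16K Buffer            1056    0.025
"""

ROW = re.compile(r"^(?P<pool>.+?)\s+(?P<kb>\d+)\s+(?P<pct>\d+\.\d+)\s*$")

# Pools that hold parsed HTTP message data rather than cached object bodies.
HEADER_POOLS = ("Short Strings", "HttpHeaderEntry", "Long Strings", "HttpReply")


def parse_pools(text):
    """Return {pool_name: (kilobytes, percent_of_pooled_total)}."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pools[m.group("pool").strip()] = (int(m.group("kb")), float(m.group("pct")))
    return pools


def pooled_total_kb(pools):
    """Recover the pooled total from the largest row: kb / (pct/100)."""
    kb, pct = max(pools.values())
    return kb * 100.0 / pct


def share_of(pools, names):
    """Combined share, in percent of the pooled total, of the named pools."""
    return sum(pools[n][0] for n in names) * 100.0 / pooled_total_kb(pools)


def disk_index_kb(disk_used_gb, mb_per_gb=14):
    """RAM needed for the on-disk cache index (FAQ rule: 14 MB per GB used)."""
    return disk_used_gb * mb_per_gb * 1024


def unexplained_kb(rss_kb, cache_mem_kb, disk_used_gb):
    """Resident memory left after subtracting cache_mem and the disk index."""
    return rss_kb - cache_mem_kb - disk_index_kb(disk_used_gb)


if __name__ == "__main__":
    pools = parse_pools(MGR_MEM_SAMPLE)
    rss_kb = 4.4 * 1024 * 1024        # "4.4g" RES from top
    cache_mem_kb = 2298756            # cache_mem from squid.conf
    print(f"mem_node vs cache_mem: {pools['mem_node'][0] / cache_mem_kb:.3f} (1.0 = memory cache full)")
    print(f"header/string pools: {share_of(pools, HEADER_POOLS):.1f}% of pooled memory")
    print(f"unexplained by cache_mem + disk index: "
          f"{unexplained_kb(rss_kb, cache_mem_kb, 3.0) / 1024 / 1024:.2f} GiB")
```

On these figures mem_node is essentially equal to cache_mem (the memory cache is full, matching the 99.0% in mgr:info), the four header/string pools come to about 35% of pooled memory, and roughly 2.2 GB of the 4.4 GB RES is not explained by cache_mem plus the disk index; the script turns the post's estimate into numbers that can be re-run after a config change.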

Re: [squid-users] Configuration for cache_peer doesn't work

2017-01-19 Thread salil GK
Could there be a problem with the SSL support? The output of `squid3 -v`:

Squid Cache: Version 3.1.19

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security'
--with-squid=/build/squid3-nkylXD/squid3-3.1.19


I tried to recompile squid source with the following options


./configure --with-openssl --enable-ssl


When I build this binary and run, it throws error like this

~ # ~/squid -N -Y -d 5 -f /tmp/minsquid.conf

/tandberg/squid: /lib/x86_64/libcrypto.so.1.0.0: no version information
available (required by /tandberg/squid)

/tandberg/squid: /lib/x86_64/libssl.so.1.0.0: no version information
available (required by /tandberg/squid)

2017/01/20 05:35:57| ERROR: MIME Config Table
/usr/local/squid/etc/mime.conf: (2) No such file or directory

FATAL: MIME Config Table /usr/local/squid/etc/mime.conf: (2) No such file
or directory

Squid Cache (Version 3.1.23): Terminated abnormally.

CPU Usage: 0.032 seconds = 0.031 user + 0.001 sys

Maximum Resident Size: 28368 KB

Page faults with physical i/o: 0



On 20 January 2017 at 04:01, salil GK  wrote:

> Could someone please provide me some information on this. This is a kind
> of urgent for me now. Sorry for bothering too much.
>
> Thanks
> ~S
>
>
> On 19 January 2017 at 21:09, salil GK  wrote:
>
>> Hello
>>
>>   I am new to squid and I have a use case that I need to configure a
>> forward proxy with squid. But there will be two squid servers chained to
>> isolate the networks. So when client machine wanted to access some internet
>> site, they will specify proxy as my first squid server. This proxy in turn
>> will forward the packet to squid server 2 and from there traffic will be
>> forwarded to origin server and response will come through the same path.
>>
>>   I could achieve this by configuring cache_peer.
>>
>> >  configuration in SquidServer1
>>
>> http_port 3223
>>
>> include "/etc/squid3/blockedhosts.lst"
>>
>> http_access allow all
>>
>> cache_peer 10.106.251.90 parent 3223 0 no-query default
>>
>> <
>>
>> So this will forward packets to SquidServer2 ( 10.106.251.90 ) and then
>> will be forwarded further from there to origin server
>>
>>
>> Now I want to make ssl connection between SquidServer1 and SquidServer2.
>>
>> I tried the following line for cache_peer
>>
>> 
>>
>> cache_peer 10.106.251.90 parent 3223 0 no-query default ssl
>> sslcert="/tmp/server_90.pem" sslkey="/tmp/privkey_90.pem"
>>
>> <
>>
>> But this doesn't work.
>>
>> when I try to start squid - it gives the following error
>>
>> >>
>>
>> ~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf
>>
>> 2017/01/19 21:04:24| parse_peer: token='ssl'
>>
>> FATAL: Bungled minsquid.conf line 12: cache_peer 10.106.251.90 parent
>> 3223 0 no-query default ssl sslcert="/tmp/server_90.pem"
>> sslkey="/tmp/privkey_90.pem"
>>
>> Squid Cache (Version 3.1.19): Terminated abnormally.
>>
>> CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
>>
>> Maximum Resident Size: 28224 KB
>>
>> Page faults with physical i/o: 0
>>
>> <<
>>
>> What could be the issue?
>>
>> -
>>
>> In SquidServer2 I think I need to specify https port for the client to
>> access. I have put this line in config file
>>
>> >
>>
>> https_port 3224  cert=self_s_cert.pem key=key.pem
>>
>> <
>>
>> There while executing squid, getting the following error
>>

[squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-19 Thread Vieri
Hi,

I'm trying to set up Squid as a reverse proxy on a host with IP address 
10.215.144.91 so that web browsers can connect to it on port 443 and request 
pages from an OWA server at 10.215.144.21:443.

I have this in my squid.conf:

https_port 10.215.144.91:443 accel cert=/etc/ssl/squid/owa_cert.cer 
key=/etc/ssl/squid/owa_key.pem defaultsite=webmail2.mydomain.org

cache_peer 10.215.144.21 parent 443 0 no-query originserver login=PASS ssl 
sslcert=/etc/ssl/squid/client.cer sslkey=/etc/ssl/squid/client_key.pem 
ssloptions=ALL sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=owaServer
# cache_peer 10.215.144.21 parent 80 0 no-query originserver login=PASS 
front-end-https=on name=owaServer

acl OWA dstdomain webmail2.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all

Note that if I comment out the "cache_peer parent 443" line above and uncomment 
the "cache_peer parent 80" line then the web browser client successfully 
connects and can view the OWA pages after logging in.

However, the connection fails if I use 443 between squid at 10.215.144.91 and 
the OWA backend at 10.215.144.21. The client views a Squid error page with an 
SSL handshake error.

Here's the cache log when I try to connect with a client:

2017/01/20 00:10:42.284 kid1| Error negotiating SSL on FD 16: 
error::lib(0):func(0):reason(0) (5/0/0)
2017/01/20 00:10:42.284 kid1| TCP connection to 10.215.144.21/443 failed
2017/01/20 00:10:42.285 kid1| 5,5| comm.cc(1038) comm_remove_close_handler: 
comm_remove_close_handler: FD 16, AsyncCall=0x80d93a00*2
2017/01/20 00:10:42.285 kid1| 9,5| AsyncCall.cc(56) cancel: will not call 
Ssl::PeerConnector::commCloseHandler [call453] because comm_remove_close_handler
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCall.cc(93) ScheduleCall: 
PeerConnector.cc(742) will call FwdState::ConnectedToPeer(0x80d8b9f0, 
local=10.215.144.91:55948 remote=10.215.144.21:443 FD 16 flags=1, 
0x809d49a0/0x809d49a0) [call451]
2017/01/20 00:10:42.285 kid1| 93,5| AsyncJob.cc(137) callEnd: 
Ssl::PeerConnector::negotiateSsl() ends job [ FD 16 job42]
2017/01/20 00:10:42.285 kid1| 83,5| PeerConnector.cc(58) ~PeerConnector: Peer 
connector 0x80d8b590 gone
2017/01/20 00:10:42.285 kid1| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob 
destructed, this=0x80d8b5b4 type=Ssl::PeerConnector [job42]
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCallQueue.cc(55) fireNext: entering 
FwdState::ConnectedToPeer(0x80d8b9f0, local=10.215.144.91:55948 
remote=10.215.144.21:443 FD 16 flags=1, 0x809d49a0/0x809d49a0)
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCall.cc(38) make: make call 
FwdState::ConnectedToPeer [call451]
2017/01/20 00:10:42.285 kid1| 17,3| FwdState.cc(415) fail: 
ERR_SECURE_CONNECT_FAIL "Service Unavailable"
https://webmail2.mydomain.org/Exchange2/
2017/01/20 00:10:42.285 kid1| TCP connection to 10.215.144.21/443 failed

I don't understand the "Service Unavailable" bit above.
I can connect just fine from the command line on the squid server at 
10.215.144.91 as you can see below.

# wget --no-check-certificate -O -  https://10.215.144.21 
--2017-01-20 00:41:10--  https://10.215.144.21/
Connecting to 10.215.144.21:443... connected.
WARNING: cannot verify 10.215.144.21's certificate, issued by 
'/C=xx/ST=xx/O=xx/OU=xx/CN=xxx/emailAddress=x...@xx.xxx':
Unable to locally verify the issuer's authority.
WARNING: certificate common name 'XYZ' doesn't match requested host name 
'10.215.144.21'.
HTTP request sent, awaiting response... 200 OK
Length: 1546 (1.5K) [text/html]

What can I try?

Thanks,

Vieri


[squid-users] Squid 3.5.23 is available - Article and new tools by NgTech

2017-01-19 Thread Eliezer Croitoru
When is the kid considered stable?
Or
When is the software stable enough?
[http://www1.ngtech.co.il/wpe/wp-content/uploads/2017/01/dessert_sushi_by_outlawxvega-300x225.jpg]

Take a look at the page to get the full article: 
http://www1.ngtech.co.il/wpe/?p=374


Especially for this release I am releasing a couple of new tools based on the DRBL 
peers library I wrote.
On the plate:

* CA certificate test and installation html 
page[https://github.com/elico/ca-cert-test-page] (example 
page[http://moodle.ngtech.co.il/ca-test/])
* Windows Root CA installation 
script[https://github.com/elico/windows-rootca-autodeploy-create] (example 
page[http://ngtech.co.il/myca/])
* Debian and Ubuntu Stable and Beta versions repository (without ecap 
support).. takes time to prepare
* ICAP DRBL query service[http://moodle.ngtech.co.il/drbl-icap-service/]
– Package of Binaries Sources and 
scripts[http://moodle.ngtech.co.il/drbl-icap-service/]
– Sources and startup scripts on 
github[https://github.com/elico/drbl-icap-service]
– I have hope to publish the tool in RPM and DEB format
* Squid 4.0.17 Basic functionality tests .. takes time to prepare

References:
* Squid-Cache CentOS repository 
details[http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5]

Eliezer Croitoru

* If you need some help with the new tools contact me.


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Saturday, December 17, 2016 6:05 PM
To: squid-annou...@lists.squid-cache.org
Subject: [squid-users] [squid-announce] Squid 3.5.23 is available

The Squid HTTP Proxy team is very pleased to announce the availability of the 
Squid-3.5.23 release!


Amos Jeffries



Re: [squid-users] Configuration for cache_peer doesn't work

2017-01-19 Thread salil GK
Could someone please provide me some information on this. This is a kind
of urgent for me now. Sorry for bothering too much.

Thanks
~S

On 19 January 2017 at 21:09, salil GK  wrote:

> Hello
>
>   I am new to squid and I have a use case that I need to configure a
> forward proxy with squid. But there will be two squid servers chained to
> isolate the networks. So when client machine wanted to access some internet
> site, they will specify proxy as my first squid server. This proxy in turn
> will forward the packet to squid server 2 and from there traffic will be
> forwarded to origin server and response will come through the same path.
>
>   I could achieve this by configuring cache_peer.
>
> >  configuration in SquidServer1
>
> http_port 3223
>
> include "/etc/squid3/blockedhosts.lst"
>
> http_access allow all
>
> cache_peer 10.106.251.90 parent 3223 0 no-query default
>
> <
>
> So this will forward packets to SquidServer2 ( 10.106.251.90 ) and then
> will be forwarded further from there to origin server
>
>
> Now I want to make ssl connection between SquidServer1 and SquidServer2.
>
> I tried the following line for cache_peer
>
> 
>
> cache_peer 10.106.251.90 parent 3223 0 no-query default ssl
> sslcert="/tmp/server_90.pem" sslkey="/tmp/privkey_90.pem"
>
> <
>
> But this doesn't work.
>
> when I try to start squid - it gives the following error
>
> >>
>
> ~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf
>
> 2017/01/19 21:04:24| parse_peer: token='ssl'
>
> FATAL: Bungled minsquid.conf line 12: cache_peer 10.106.251.90 parent 3223
> 0 no-query default ssl sslcert="/tmp/server_90.pem"
> sslkey="/tmp/privkey_90.pem"
>
> Squid Cache (Version 3.1.19): Terminated abnormally.
>
> CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
>
> Maximum Resident Size: 28224 KB
>
> Page faults with physical i/o: 0
>
> <<
>
> What could be the issue?
>
> -
>
> In SquidServer2 I think I need to specify https port for the client to
> access. I have put this line in config file
>
> >
>
> https_port 3224  cert=self_s_cert.pem key=key.pem
>
> <
>
> There while executing squid, getting the following error
>
>
> 
>
> ~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf
>
> 2017/01/19 15:37:40| cache_cf.cc(381) parseOneConfigFile: minsquid.conf:4
> unrecognized: 'https_port'
>
> 
>
>
> Thanks
>
> ~S
>


[squid-users] HTTPS site filtering

2017-01-19 Thread roadrage27
I was able to solve my previous issue of no connections and now have a
working squid along with http site filtering and regex working nicely.

My current issue is the need to allow only certain sites which do include
some HTTPS sites.  If I leave the line

http_access deny CONNECT !SSL_ports

within my conf file, no HTTPS traffic works, commenting it out and putting
in

http_access allow CONNECT SSL_ports 

allows SSL but it allows all sites that are available to work with SSL to be
accessed.  

Is there a way to limit this access with an ACL and if so what is the
syntax?  I have been crawling over the squid docs and cannot get it figured
out at this point.

Thanks





[squid-users] Configuration for cache_peer doesn't work

2017-01-19 Thread salil GK
Hello

  I am new to squid and I have a use case that I need to configure a
forward proxy with squid. But there will be two squid servers chained to
isolate the networks. So when client machine wanted to access some internet
site, they will specify proxy as my first squid server. This proxy in turn
will forward the packet to squid server 2 and from there traffic will be
forwarded to origin server and response will come through the same path.

  I could achieve this by configuring cache_peer.

>  configuration in SquidServer1

http_port 3223

include "/etc/squid3/blockedhosts.lst"

http_access allow all

cache_peer 10.106.251.90 parent 3223 0 no-query default

<

So this will forward packets to SquidServer2 ( 10.106.251.90 ) and then
will be forwarded further from there to origin server


Now I want to make ssl connection between SquidServer1 and SquidServer2.

I tried the following line for cache_peer



cache_peer 10.106.251.90 parent 3223 0 no-query default ssl
sslcert="/tmp/server_90.pem" sslkey="/tmp/privkey_90.pem"

<

But this doesn't work.

when I try to start squid - it gives the following error

>>

~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf

2017/01/19 21:04:24| parse_peer: token='ssl'

FATAL: Bungled minsquid.conf line 12: cache_peer 10.106.251.90 parent 3223
0 no-query default ssl sslcert="/tmp/server_90.pem"
sslkey="/tmp/privkey_90.pem"

Squid Cache (Version 3.1.19): Terminated abnormally.

CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys

Maximum Resident Size: 28224 KB

Page faults with physical i/o: 0

<<

What could be the issue?

-

In SquidServer2 I think I need to specify https port for the client to
access. I have put this line in config file

>

https_port 3224  cert=self_s_cert.pem key=key.pem

<

There while executing squid, getting the following error




~ # /usr/sbin/squid3 -N -Y -d 5 -f /tmp/minsquid.conf

2017/01/19 15:37:40| cache_cf.cc(381) parseOneConfigFile: minsquid.conf:4
unrecognized: 'https_port'




Thanks

~S


[squid-users] Users inserted incorrectly in access.log

2017-01-19 Thread Eduardo Carneiro
Hi everyone.

I have an environment with one frontend server and three parent servers in
a cluster. The frontend server receives all client connections and forwards
them to the parent servers. There is no authentication method in the
frontend server. In the parent servers the requests are authenticated via
KERBEROS.

The problem is, when there are simultaneous accesses to any site, usernames,
many times, are inserted incorrectly in the access.log. For example, the
user "userA" accesses microsoft.com, but access.log shows "userB".

On the frontend server, there are these three lines:

cache_peer server1.domain.com parent 8080 3130 round-robin sourcehash
no-query login=PASSTHRU connection-auth=on
cache_peer server2.domain.com parent 8080 3130 round-robin sourcehash
no-query login=PASSTHRU connection-auth=on
cache_peer server3.domain.com parent 8080 3130 round-robin sourcehash
no-query login=PASSTHRU connection-auth=on

I noticed that when the access is direct to some parent server, this problem
does not occur. Only if the connection passes through the frontend.

Is this a bug?

Someone could help me? 






Re: [squid-users] Connect strongSwan and Squid on same server

2017-01-19 Thread Varun Singh
On Thu, Jan 19, 2017 at 2:59 PM, Amos Jeffries  wrote:
> On 19/01/2017 8:00 p.m., Varun Singh wrote:
>> Hi,
>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>> 16.04 server and I am trying to connect both. By connect I mean, I am
>> trying to achieve following:
>>
>> [VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]
>>
>> My objective is to connect a VPN client to VPN server and use Squid
>> for filtering out blocked Urls. strongSwan and Squid work fine on
>> their own. I can access internet when connected to VPN server and also
>> when configured HTTP Proxy without VPN.
>>
>
> Is the VPN acting as an interface on the client machine through which
> traffic is gatewayed?
>  or as a transparent tunnel to the proxy?
>
>
>> From what I understand, to achieve what I want, I am supposed to
>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>> enter following IPTables rule:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>
> What are the squid.conf ports configured as?
>
>> Once I do this and try to access internet from a connected VPN client,
>> I get error. Pasting a log of /var/log/squid/access.log
>>
>>
>
> These are explicit-proxy requests (port 3128 syntax):
>
>> 1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>> 1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET
>> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
>> - HIER_NONE/- text/html
>> 1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET
>> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
>> - HIER_NONE/- text/html
>> 1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET
>> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>> 1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET
>> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
>> - HIER_NONE/- text/html
>> 1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>> init.itunes.apple.com:443 - HIER_NONE/- text/html
>> 1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET
>> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
>> HIER_NONE/- text/html
>> 1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
>> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>> 1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET
>> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
>> text/html
> 
>
>
> What you are expected to do on Debian and Ubuntu installs is set up
> the "localnet" ACL to be appropriate for your LAN. It is commented out by
> default.
>  Search squid.conf for "#http_access allow localnet" and "#acl localnet"
>
> When that is done the above should work. No NAT needed.
>
>
> These are origin requests (port 80 syntax):
>
>> 1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET
>> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>> - HIER_NONE/- text/html
>> 1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET
>> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>> 1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET
>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1=1=18%2F0%2F2017%2016%3A57%3A40%203%20-330=21A4DCCB11396F92-26B205C305B2B2DF=apple%20-%20index%2Ftab%20%28us%29=http%3A%2F%2Fwww.apple.com%2F=USD=www.us.homepage=new%20approach%20ac-analytics=aos%3A%20us=D%3Dg=ipad=ios%209.3.5=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29=aos%3A%20us=direct%20entry=4=D%3D2C39962A85032063-4000118780008FDC=http%3A%2F%2Fwww.apple.com%2F=www.us.homepage=768x1024=32=1.6=N=Y=768=960=1
>> - HIER_NONE/- text/html
>> 1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- 
>> text/html
>> 1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET
>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>> HIER_NONE/- text/html
>> 1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET
>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
> 
>
> Notice how both those sets of requests are reaching your proxy properly.
> The VPN is still working just fine.
>
>>
>>
>> My /etc/squid/squid.conf file has only one change and that is:
>> http_access allow all
>>
>
> Where? order and position is important.
>
>
> You have not added the squid.conf line required for Squid to receive the
> iptables packets from NAT.
>   
>
> Amos
>


Thanks. Doing the following solved the problem:
"You have not added the squid.conf line required for Squid to 

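The sorting of access.log lines into "explicit-proxy requests (port 3128 syntax)" and "origin requests (port 80 syntax)" that the quoted reply does by eye can be automated. This is an added example for this thread, not code from the list or from Squid: an absolute URL or a CONNECT means the client addressed Squid as a proxy, while a bare path (origin-form) means the request was sent as if to the origin server. A plain `http_port` rejects origin-form requests with a 400, which is the TAG_NONE/400 in the log above; NAT-redirected traffic has to arrive on a separate `http_port` with Squid's `intercept` mode flag, which is the squid.conf line the reply alludes to without naming. The sample log below is constructed from a few of the lines posted in the thread.

```python
"""Classify access.log entries by request form, which is what the reply above
does by eye: an absolute URL or a CONNECT means the client spoke to Squid as an
explicit proxy (port 3128 syntax), while a bare path (origin-form, "port 80
syntax") means the request was sent as if to the origin server. On a plain
http_port Squid rejects origin-form requests with a 400, which is the
TAG_NONE/400 seen above. Added example, not code from the thread or from
Squid; the constructed sample below copies a few of the log lines posted."""
import re
from collections import Counter

# Native Squid access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def request_form(method, url):
    """'explicit' for proxy-style requests, 'origin' for origin-form ones."""
    if method == "CONNECT" or SCHEME.match(url):
        return "explicit"
    if url.startswith("/"):
        return "origin"
    return "unknown"


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["form"] = request_form(entry["method"], entry["url"])
    return entry


def summarize(log_text):
    """Count (client, form) pairs and list origin-form requests Squid refused."""
    forms = Counter()
    misdirected = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        forms[(e["client"], e["form"])] += 1
        if e["form"] == "origin" and e["status"] == 400:
            misdirected.append((e["client"], e["url"]))
    return {"forms": forms, "misdirected": misdirected}


# Constructed sample: a subset of the access.log lines quoted in this thread.
SAMPLE_LOG = """\
1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (client, form), n in sorted(summary["forms"].items()):
        print(f"{client:16s} {form:9s} {n}")
    for client, url in summary["misdirected"]:
        print(f"origin-form request refused with 400 from {client}: {url}")
```

Feeding the real `/var/log/squid/access.log` to `summarize()` shows at a glance which client addresses reach the proxy as explicit clients (the 403s, fixed by the `localnet` ACL) and which arrive via the NAT redirect as origin-form requests (the 400s, fixed by the listening-port change).
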
Re: [squid-users] Connect strongSwan and Squid on same server

2017-01-19 Thread Amos Jeffries
On 19/01/2017 8:00 p.m., Varun Singh wrote:
> Hi,
> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
> 16.04 server and I am trying to connect both. By connect I mean, I am
> trying to achieve following:
> 
> [VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]
> 
> My objective is to connect a VPN client to VPN server and use Squid
> for filtering out blocked Urls. strongSwan and Squid work fine on
> their own. I can access internet when connected to VPN server and also
> when configured HTTP Proxy without VPN.
> 

Is the VPN acting as an interface on the client machine through which
traffic is gatewayed, or as a transparent tunnel to the proxy?


> From what I understand, to achieve what I want, I am supposed to
> redirect incoming HTTP traffic from port 80 to port using IPTables. I
> enter following IPTables rule:
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 

What are the squid.conf ports configured as?

> Once I do this and try to access internet from a connected VPN client,
> I get error. Pasting a log of /var/log/squid/access.log
> 
> 

These are explicit-proxy requests (port 3128 syntax):

> 1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
> 1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET
> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
> - HIER_NONE/- text/html
> 1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET
> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
> - HIER_NONE/- text/html
> 1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET
> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
> 1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET
> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
> - HIER_NONE/- text/html
> 1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
> init.itunes.apple.com:443 - HIER_NONE/- text/html
> 1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET
> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
> HIER_NONE/- text/html
> 1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
> 1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET
> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
> text/html



What you are expected to do on Debian and Ubuntu installs is set up
the "localnet" ACL to be appropriate for your LAN. It is commented out by
default.
 Search squid.conf for "#http_access allow localnet" and "#acl localnet"

When that is done the above should work. No NAT needed.


These are origin requests (port 80 syntax):

> 1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET
> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
> - HIER_NONE/- text/html
> 1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET
> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
> 1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET
> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1=1=18%2F0%2F2017%2016%3A57%3A40%203%20-330=21A4DCCB11396F92-26B205C305B2B2DF=apple%20-%20index%2Ftab%20%28us%29=http%3A%2F%2Fwww.apple.com%2F=USD=www.us.homepage=new%20approach%20ac-analytics=aos%3A%20us=D%3Dg=ipad=ios%209.3.5=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29=aos%3A%20us=direct%20entry=4=D%3D2C39962A85032063-4000118780008FDC=http%3A%2F%2Fwww.apple.com%2F=www.us.homepage=768x1024=32=1.6=N=Y=768=960=1
> - HIER_NONE/- text/html
> 1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- 
> text/html
> 1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET
> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
> HIER_NONE/- text/html
> 1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET
> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html


Notice how both those sets of requests are reaching your proxy properly.
The VPN is still working just fine.

> 
> 
> My /etc/squid/squid.conf file has only one change and that is:
> http_access allow all
> 

Where? Order and position are important.


You have not added the squid.conf line required for Squid to receive the
iptables packets from NAT.
  

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
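The two log patterns Amos separates above (TCP_DENIED/403 on explicit requests, TAG_NONE/400 on origin-form requests that iptables REDIRECTed onto a plain http_port) can be triaged mechanically. This is an added example, not code from the thread or from the Squid project; the sample lines are modelled on the ones posted above and the remediation hints assume the usual fix of a separate `http_port ... intercept` plus the localnet ACL.

```python
"""Triage Squid native access.log lines from an iptables-REDIRECT setup."""
import re
from collections import Counter

# Native log format: ts elapsed client tag/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)
ABS_URL = re.compile(r"^[a-z][a-z0-9+.-]*://")

# Constructed sample lines modelled on the ones in the thread.
SAMPLE_LOG = [
    "1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT "
    "api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html",
    "1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET "
    "http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html",
    "1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html",
    "1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET "
    "/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html",
]

def classify(line):
    """Return (client, request form, diagnosis) or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    explicit = m["method"] == "CONNECT" or bool(ABS_URL.match(m["url"]))
    form = "explicit" if explicit else "origin-form"
    if not explicit and m["tag"] == "TAG_NONE" and m["status"] == "400":
        # Path-only request on a plain http_port: NAT'd traffic landed on a
        # port not declared 'intercept'. Fix: add e.g. "http_port 3129 intercept"
        # and REDIRECT port 80 to 3129 (assumed port number), not to 3128.
        diag = "NAT traffic hit non-intercept http_port"
    elif explicit and m["tag"] == "TCP_DENIED" and m["status"] == "403":
        # Well-formed proxy request refused by http_access: the client source
        # is not covered by the (commented-out by default) localnet ACL.
        diag = "denied by http_access; check 'acl localnet src'"
    else:
        diag = "ok"
    return m["client"], form, diag

def summarize(lines):
    """Count diagnoses per client so misconfigurations stand out in bulk logs."""
    return Counter(r[:1] + r[2:] for r in map(classify, lines) if r)
```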


Re: [squid-users] Will squid core dump with worker threads? Investigating squid crash, 3.5.23

2017-01-19 Thread squid

>>
>> assertion failed: MemBuf.cc:216: "0 <= tailSize && tailSize <= cSize"
>>
> 
> This is . We have


Is there a workaround for this - something that I can put in the config
perhaps?  I'm getting the same issue a few times a day.  I suspect it's
mainly due to clients accessing Windows Updates, but difficult to tell.

I am automatically restarting squid, but the delays for other users
while all this is happening can generate a poor browsing experience.

Thanks
Mark




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users