[squid-users] Rock store size not decreasing
Hey all I'm fairly new to rock caching. With aufs, if you reduce the cache size in the config it'll start slowly reducing it down the new size. I've done that with a ~137GB rock store (reduced it to 10240MB) but it 'aint changing after reloading the config. cache_dir rock /var/spool/squid/rock 10240 # du --max-depth=1 /var/spool/squid/ -h 137G /var/spool/squid/rock What am I missing? Best, Dan ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
On 19/05/17 01:20, erdosain9 wrote: And... for last How i read this?? Delay pools configured: 5 Pool: 1 Class: 2 Aggregate: Max: 100 Restore: 100 Current: 100 Individual: Max: 512000 Restore: 5 Current: 124:512000 67:512000 120:512000 127:512000 9:512000 26:214810 64:512000 169:512000 156:512000 For each delay pool in your squid.conf it describes the details you have configured. The "Current:" section lists the number of active connections which are using that pool, and how much bandwidth each has available. eg, clients #124, 67, 120, 127, 9, 64, 169, 156 are connected by not used any bandwidth this second. Whereas client #26 has used about half their allocation. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
On 19/05/17 04:33, erdosain9 wrote: Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 35 of 35 (0 shutting down) requests sent: 39928 replies received: 39893 queue length: 40 avg service time: 854 msec Two things to take note of with these reports. First is the queue length vs how many helpers are running. Each helper running has one row in the table. Your initial report with 20 helpers had no queue, and showed that all 20 helpers had been needed at one point, but the top-5 only needed a few times. IMO that is not overkill, but close to what you actually need. In a perfect world there should be some helpers not needed at all, but peak traffic does happen. Second thing to notice is the "avg service time". In that same initial report it showed avg was 9ms - that is good (might be better if you tune the auth backend for speed, but a few ms is okay). These later reports when you were experimenting it fluctuates between 300ms and 850ms. That can be kind of bad - if it remains high with just normal traffic that is something to fix. That said it may have been an artifact from the delay caused by reconfiguring and restarting all the helpers, which is supported by the low number of requests processed by the heaviest used helper (~500). Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid custom error page
On 05/18/2017 11:40 AM, chcs wrote: > HTTPS/SSL Interception , Enable SSL filtering, splice all, CA: Let's Encript > autority > One more cuestion: > With 2 CA differents certificates to block twitter.com >> differents results > > Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET > https://www.twitter.com/ - HIER_NONE/- text/html > Result: no problem, it's show me squid custom error page > > Issuer: Let's encript 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT > www.twitter.com:443 - HIER_NONE/- text/html > Result: It doesnt show me squid custom error page Let's Encrypt does not issue CA certificates. You need a CA certificate for an SslBump setup to work for more than one site. Let's Encrypt also does not issue leaf certificates for www.twitter.com unless you control www.twitter.com. When you generated a self-signed certificate, you probably generated a CA certificate. If you did not, then you will encounter problems if you try to import that certificate in browsers/clients that require CA certificates. See the OpenSSL command below for one way to check what you have generated. CA certificates have an x509 "Basic Constraints" extension with a CA:TRUE constraint. For example: > $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic' > X509v3 Basic Constraints: > CA:TRUE HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid custom error page
On 18.05.2017 19:40, chcs wrote: One more cuestion: With 2 CA differents certificates to block twitter.com>> differents results Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html Result: no problem, it's show me squid custom error page Issuer: Let's encript 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT www.twitter.com:443 - HIER_NONE/- text/html Result: It doesnt show me squid custom error page Why? and what is the end entity certificate where the issuer is Let's encrypt? (this might be the reason) smime.p7s Description: S/MIME Cryptographic Signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid custom error page
One more cuestion: With 2 CA differents certificates to block twitter.com >> differents results Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html Result: no problem, it's show me squid custom error page Issuer: Let's encript 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT www.twitter.com:443 - HIER_NONE/- text/html Result: It doesnt show me squid custom error page Why? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-custom-error-page-tp4682433p4682470.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 35 of 35 (0 shutting down) requests sent: 39928 replies received: 39893 queue length: 40 avg service time: 854 msec ID # FD PID # Requests # Replies Flags Time Offset Request 209 1137534 856 855 B R 2.022 0 YR YIIGXQYGKwYBBQUCoIIGUTCCBk2gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBhcEggYTYIIGDwYJKoZIhvcSAQICAQBuggX+MIIF+qADAgEFoQMCAQ6iBwMFACCjggSQYYIEjDCCBIigAwIBBaEMGwpFTVBEREguTEFOoiMwIaADAgECoRowGBsESFRUUBsQc3F1aWQuZW1wZGRoLmxhbqOCBEwwggRIoAMCARKhAwIBAqKCBDoEggQ2jpSodyZYVva7UV1lpeFDneeTonYRIuPbWQrRHapGngHJsxJ0Sb/saB97FH3aC3DuJgDF5eJIgrDqh38gksmi+zd7WhOWF7r9iRudcgHSnYmSYS9hxrMNEaoyBd0kKlO2it11WDBYb0tdd8OZKlFzYF+T4r714kl52a2fvHrJl5M3RB0QcHlrqngBoANinyZkvCZLpWkLtGJ5PC0jutoRvCX0KT6Znth2GwotJjOUftR4rQR0SfgQuxGkqcOsku2/xhJ88pMMo+7R6F3Crx0d391NS0F/4DWSk/JYsPOfEoemFKQPRWGQyQvLJ4Y78obg48PnMv9xhtsbUGB+LdYMWIAjKGFUDK4RGFPJtEnmhsOt6LIHi+Yqo3Ravna0mq61+xSFtzGJRuHTptpACxy/F+3tsSIIWsTdyVMHIBY4TH/5IXgFG2xc06kt8XmQaWvvByxZhBWn97W8ynrgR0y9Eg3YwqDi1YZtDGKc1XqbExMAw2bWlRNI3Oo6F8czcekK/H0Yrzm9sgXmmHHqFGGoJBBeqNZXQ+j8FhJ7LuXLg3B1Vki8XWaIP21LQcR/kLj2QvmMdZzLo2lglJIaUVlPnTFBEA3/ACAT2NHm0j4rZhEirf5+k45w/gz6fAlkbYWfISAqw20prIDbjMuzV+Z9XcxU9mZH0QuSIhV4wYNfZMh1VakBw00B9/5il/xqoXf15ra/vvopOib8WHztAsUwi+NLWsLichIh7fmrW2+U1D0XfSj8G2HhNus71ZsffYN0HZHsxz4ESlhAoxOLj/7eZLyNXL/zchrQspw+1URE1aizx6ui4oOZ0u/2QjPF0as/1+XjvS9VzSSCypx6gLMCXUAVPnVQayG0HF1OumIXvdHEhn5lyzng6qk5KYqbJcFGi+yHsQGLzaBjvv704ldsSucKnrXtmjxyZIapt10frNXVHa42yp+DAfaCGJBTQdsbD/6Y1OIvgpOzr0VEkzUFaYoGCMMqT7yRdWxdXewvpb8hLNYwTNJwepIYO15Y6n2a+R5HLCh5l1arnAgn1iIdiB86NoL0gMNhgQ8sg6ow3oNRnjzylQN/wqNFgouymk8fpp/Z1/vr3zq3wn8GEpoEKFgkYlM8S9b700lai85apEO5RF/92Fu150+kk6j/zBgkASdCHF7NHu4ljVcaUQ2Pn/vjNKopQ2AfAw/eLvbEoi47tRbvq+cQo71VJxrbqu+d6N+9Me1K6RIjrauPhnxmqtv8jmzUEd7eMSlFS1Nhcm/zbiXffS1z1+sattSADqr/r9vz/stT1UIPUvTGECSGscwzO9eBx2KqNd64Y8ijgo8r7oZfGPy5BEYc6Kme8iehWdXMjIW4CDoKJd5rbJ+mn2l0ZKsm4141ZOjr/N64PZZRMFTax3ejDyefXs101kKJpfkCJjPugzFCu6MGvk5ZcvrtSjefCqSCAU8wggFLoAMCARKiggFCBIIBPjn6rQcWetD40MjHTaQZMbYCFGOnmn3lPMSMq3jkNp2nxo1g5rGujD4V+mmDbEDBOtY45nomauhEX/mc3h2uMcS7MxtE+4JPOgjmNbLUomrvNBgCHAzgtymjaDV8eYifkpwL/m2EtctQH9Ok8GOL0llbWREGfvoDyH719IYqeCA6k1ln8Lybn5lMYAQmWIHUmWw85HCkjGLFr6hDAc3g4VJdKoAGxx5Y8ynEz6/8l7stt7pLfmFXPNSsV1+zKZAIagRO09uQXtWxyztRCVwKMkgkdRc+u7ftxJb124zuQts7MS4nccPRo0rQWm4A7YFAsI+RjSstuJg1BiA1/AAYbslJ+vURS3Pw1+c6+OrDj/Ml8VGtfM63ybUHLtQcPAConUYPi9XmR0htUz1zdDHsNjydIrrvow9BOSYwqcNsxw==\n 210 1317535 764 763 B R 0.104 0 YR YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBuggZsMIIGaKADAgEFoQMCAQ6iBwMFACCjggT7YYIE9zCCBPOgAwIBBaEMGwpFTVBEREguTEFOoiMwIaADAgECoRowGBsESFRUUBsQc3F1aWQuZW1wZGRoLmxhbqOCBLcwggSzoAMCARKhAwIBAqKCBKUEggSh6BIcpOgKmOzdAzXqeuwTnHZv+Bb/lGfsybU3n6OhmI5vPBFkl5widreDlQfqr3i6d3I0F2ZZbe2rGGR1tS8/t7mbJiIDymyeY4GWQi6hrwnVzrTNNA+VbhpwkaLXcK9ZeFpZni/MiFFJAaDba/jrCZy9tiEmcFY6Zzk2vAN9V3LeOnOtHRtUwGgWItcpJfJbBZxlrq8sw3bA/XlcGDJQmYMB6noTzEoXGa0izWJLX/K78XIBtywS/cxucXPAnBRHwQ8crlCgAW5s3BqpzvcwluOKAV0ThJCzOSWG4F+Jd6REJrCknKJJwqyhYFvYKsIbY+0QpLetnkQhfROvkVV+5yVRuOewkisLjlldQbpYgvJrozs5l/bffikq4hYTRfqaO0FzhiOnmvGncWwIUMLhnBskJ8s4EnPpkyE7Wc7aXLTSAUGjoStgwNXObnM2EM+u5b7Qm89Mz6Tz8F0vUr2CvzSoT/Zq5F2CpOmdV/qT30er7UpwJP74bhdTOcM7UEoBdeTSdW5mOfujMfglFPrhAY6AEHw2poJzqiRFGfbRgQo7z2P1wSJMePi3ZHfBMgGv/rz13Sjbwp+aYyROG6xKX9Kq0c/7u7ucEfRi486n+lHWNlQkFEpFTHoeC3uYKF1hH2nwbAVJTZc0pG6fAVBzLWIvqbdyjPXka82Up/j7in980vrywJXVpMBg49LZYCJ8u6v3k2N1u+iVRMJM5DVdFukmJtgVPIPXKkULr7lpBz6IuWMguJel/NFKVD8arUqpegqsmKBHJbu7y7MtBVNqYxGQJEzMGEaYzWLi/+DYaVDXZYv+zx02wr6vmUx2iQ6YLqg+R5HTsOoLT5TmRJu51t8zHyWVRBfxfNm+P9JP9woTX2cvG0/gWG0oF8ySomZiAPCtOfkV7gTVrydBenYj99BVNV1M4w4GT/erb/tzpwQROs5JlZV1IQKlbqMkT9WVXiA+2W+nQ/5wJXJLUKvuqrprsKYZRo0OX5VeNMm8J8iJ5A5fLKy6KmYgwozYcf7aAmQ6xU/AFFkkH58URg1csrWhmdyuE9gLz9PDX5mqYaXvWlRYamBFhRDufXBphM5FHUPbCQX7bwOR3HCvnrUQxJIa17xaYEsgx4NA1FFsAosz+G2iF6E4Nof2iAFMix48oHXN2EIyjVBo6hDEX7E52osdrxhnNc+IG8BG6jA/4IZAArrRiBlDdpB2+C/b81KASTMDvu+pZ1105uxkLmzi4UibZvxphF+g/bdNti0tfpdaHzpSGnm9P2cYJF0ohxuVGkp/TRQi3ASyLwYJCfV3vKE9eVjQnD2WUN0A3ulfwiyhfS4MHhWjK4Ge8iR1hmufYMPpd+7fetxPVFTi5xKiGGxZ6Pl3BVVXrW7VNT0k2oUzm7blGK7V2rmUf97YpakXA7sGvYywUQqsfXY+tD5QF23KeWOLW+W6K75BCwPEhMXgBzMW9vTonYubKNn/7YqAMbKYT0+fKYk+iFDWnACNN/YG7H9U65q/x6pqczHj9a1gkKjH1NcpfPn1/bepBHxqmakD/uvl8A75lUX50TLmFhsYVhLs6TvsFO+6ALSg4nA2pIIBUjCCAU6gAwIBEqKCAUUEggFBJRiZb5C3YdW63PF3NdcurSp9CcNKGziOk5Z+55zSaYxjK1OVA+PLh9rmBzPCMnGWtLjjwOz77kTaivz+KmT6oXFc9KmGbCIHwYg2UGp2dqlTc8Pdto3zx6djLAdF2BwyIOkFZHmJzxeuAnzLwndEd9HWIQn7azmzg92NSDpU/sH+cFlAQhv317shNi2AMSE6ph1AMguDMGwAwiBjTkQoXqvyNf2vdcrKPIEMNZcQvLk3+3OxC7baWxPlHmnQT5J46YbF4Kn3A1qSoB8MNacXCOXeGai5SPwJacgZwva1j/JMLCOyRETNgsN07EIv9hVVWp1kJCe8AV4jtl6++zbq/QqCeJt36iaiAe5Gr5SnnrYU8AdqF3/AwmV4zGntRiaGj2BMJCpxzjxlpwDPovbQAp/KxJuywd5kK7r5wZ40U4RJ\n 211 144
Re: [squid-users] Documentation for squidclient?
and 35, someone it's eating...and by the way the first "error" (a lot of numbers and letters its happening) Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 35 of 35 (0 shutting down) requests sent: 35222 replies received: 35221 queue length: 0 avg service time: 105 msec ID # FD PID # Requests # Replies Flags Time Offset Request 209 1137534 557 556 B R 0.000 0 YR YIIGXQYGKwYBBQUCoIIGUTCCBk2gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBhcEggYTYIIGDwYJKoZIhvcSAQICAQBuggX+MIIF+qADAgEFoQMCAQ6iBwMFACCjggSQYYIEjDCCBIigAwIBBaEMGwpFTVBEREguTEFOoiMwIaADAgECoRo wGBsESFRUUBsQc3F1aWQuZW1wZGRoLmxhbqOCBEwwggRIoAMCARKhAwIBAqKCBDoEggQ2jpSodyZYVva7UV1lpeFDneeTonYRIuPbWQrRHapGngHJsxJ0Sb/saB97FH3aC3DuJgDF5eJIgrDqh38gksmi+zd7WhOWF7r9iRudcgHSnYmSYS9hxrMNEaoyBd0kKlO2it11WDBYb0tdd8OZKlFzYF+T4r714kl52a2fvHrJl5M3RB0QcHlrqngBoANinyZkvCZLpWkLtGJ5PC0jutoRvCX0KT6Znth2GwotJjOUftR4rQR0SfgQuxGkqcOsku2/xhJ88pMMo+7R6F3Crx0d391NS0F/4DWSk/JYsPOfEoemFKQPRWGQyQvLJ4Y78obg48PnMv9xhtsbUGB+LdYMWIAjKGFUDK4RGFPJtEnmhsOt6LIHi+Yqo3Ravna0mq61+xSFtzGJRuHTptpACxy/F+3tsSIIWsTdyVMHIBY4TH/5IXgFG2xc06kt8XmQaWvvByxZhBWn97W8ynrgR0y9Eg3YwqDi1YZtDGKc1XqbExMAw2bWlRNI3Oo6F8czcekK/H0Yrzm9sgXmmHHqFGGoJBBeqNZXQ+j8FhJ7LuXLg3B1Vki8XWaIP21LQcR/kLj2QvmMdZzLo2lglJIaUVlPnTFBEA3/ACAT2NHm0j4rZhEirf5+k45w/gz6fAlkbYWfISAqw20prIDbjMuzV+Z9XcxU9mZH0QuSIhV4wYNfZMh1VakBw00B9/5il/xqoXf15ra/vvopOib8WHztAsUwi+NLWsLichIh7fmrW2+U1D0XfSj8G2HhNus71ZsffYN0HZHsxz4ESlhAoxOLj/7eZLyNXL/zchrQspw+1URE1aizx6ui4oOZ0u/2QjPF0as/1+XjvS9VzSSCypx6gLMCXUAVPnVQayG0HF1OumIXvdHEhn5lyzng6qk5KYqbJcFGi+yHsQGLzaBjvv704ldsSucKnrXtmjxyZIapt10frNXVHa42yp+DAfaCGJBTQdsbD/6Y1OIvgpOzr0VEkzUFaYoGCMMqT7yRdWxdXewvpb8hLNYwTNJwepIYO15Y6n2a+R5HLCh5l1arnAgn1iIdiB86NoL0gMNhgQ8sg6ow3oNRnjzylQN/wqNFgouymk8fpp/Z1/vr3zq3wn8GEpoEKFgkYlM8S9b700lai85apEO5RF/92Fu150+kk6j/zBgkASdCHF7NHu4ljVcaUQ2Pn/vjNKopQ2AfAw/eLvbEoi47tRbvq+cQo71VJxrbqu+d6N+9Me1K6RIjrauPhnxmqtv8jmzUEd7eMSlFS1Nhcm/zbiXffS1z1+sattSADqr/r9vz/stT1UIPUvTGECSGscwzO9eBx2KqNd64Y8ijgo8r7oZfGPy5BEYc6Kme8iehWdXMjIW4CDoKJd5rbJ+mn2l0ZKsm4141ZOjr/N64PZZRMFTax3ejDyefXs101kKJpfkCJjPugzFCu6MGvk5ZcvrtSjefCqSCAU8wggFLoAMCARKiggFCBIIBPnk2DODYIW0g4hXFKmoKlnIHRezRwxL/E22eI7mjihUd/z7PQ2V6IQdx/ScsgKyMHcsaG5naiQliCf7/Sl7QQbpxypdbT0/7THdMBd67fMLNZ3/7I78+dS90BD+XODtWJyC/+vQdfHGBOSFfAnetzaFJGsfbni4qMrF1V8onHnmwq800CrN1WoQt6ADBwBwFbMIHqSLUbaBmye3AQiZ16L646xGw7GqCwPKeFUkrXeG17iD0NRQKUr3nPD0UZtOf36YK5J+/HQ68+ou6d2as4Rjx7FHQVR9RLKeCj6ZnBZKeAp5P/SmLaj1+0k5F5Ra71KZslWyzLDFw7/unGUksNkpP71Gl9B3XMavdhPqfOSrczGnW5Rr4nJ7oLikj06IdsCSmhub+TUN1qxn3/XNfHu08wA0lJv9mEZpCpaKSdA==\n 210 1317535 490 490 0.332 0 (none) 211 1447536 435 435 0.550 0 (none) 212 1897537 398 398 0.825 0 (none) 213 277538 364 364 0.566 0 (none) 214 2147539 331 331 0.783 0 (none) 215 2257540 307 307 0.500 0 (none) 216 2387541 284 284 0.838 0 (none) 217 967542 288 288 0.587 0 (none) 218 767543 272 272 0.626 0 (none) 219 2277544 245 245 0.796 0 (none) 220 2757545 241 241 0.427 0 (none) 221 2997546 236 236 0.694 0 (none) 222 3087547 228 228 0.784 0 (none) 223 2417548 215 215 0.919 0 (none) 224 2657549 210 210 0.842 0 (none) 225 3187550 198 198 0.728 0 (none) 226 3217551 190 190 0.770 0 (none) 227 2337552 183 183 0.527 0 (none) 228 2427553 171 171 0.819 0 (none) 229 1907554 169 169 0.690 0 (none) 230 2727555 155 155 0.636 0 (none) 231 3537588 147 147 0.683 0 (none) 232 3577589 138 138 0.623 0 (none) 233 3407590 122 122 0.750 0 (none) 234 3627591 98 98 0.529 0 (none) 235 3657592 87 87 0.655 0 (none) 236 2077593
Re: [squid-users] Documentation for squidclient?
Look this Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 25 of 25 (0 shutting down) requests sent: 27331 replies received: 27306 queue length: 11 avg service time: 389 msec I change to 25... and in this moment i have queue length 11... there is a way to know who is taken this? Because its strange, before this is not happening... can be a virus? there is some way to know from what pc came this? (really sorry for my english... i know this is not to readable). -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682467.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] custom error pages with stylesheets doesn't work for me
On 05/18/2017 03:17 AM, Dieter Bloms wrote: > I wrote some custom error pages and activated style sheets in the header of > the error pages like: > > > %l > > > In the squid.conf file I set err_page_stylesheet to my stylesheet file and I > restarted squid. > My expectation was, that the content of this style sheet file will be > included in the error page at the %l position. Your expectation was correct. > But the place between and is empty. > Does anybody know how can I insert the content of the style sheet file to the > error pages? The steps you described above appear correct to me. Did you check for errors in cache.log when starting Squid? Squid should complain if it cannot load err_page_stylesheet but, unfortunately, Squid thinks that you do not really care much about style and keeps running despite any loading failures. Temporary renaming the stylesheet file (so that Squid cannot load it) will help you test whether you are looking for errors in the right place. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
On 05/18/2017 06:46 AM, arun.xavier wrote: > is it possible to configure squid to peek/splice pinned requests? It is impossible. The TLS client decides which certificates are pinned to which servers. Squid cannot know that because the client commitment to pin is not expressed in the TLS protocol. Said that, please do pay attention to Yuri's response quoted below. Yuri has identified your immediate problem, which is _not_ pinning. Alex. > On 05/18/2017 07:55 AM, Yuri wrote: >> The issue is crystal: >> >> tlsv1 alert unknown ca >> >> Check you configured CA bundle available for squid. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
Thanks you all! -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682464.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for Cache Manager?
On 05/18/2017 06:48 AM, erdosain9 wrote: > Where i can find documentation for the opcion on squidclient, many of them > are self-explanatory but for example this: You are not looking for squidclient documentation! You are looking for Cache Manager reports (a.k.a. pages) documentation. The "mgr:X" URN that you use with squidclient is just a convenient shorthand for a Cache Manager page X URL. http://wiki.squid-cache.org/Features/CacheManager Some Cache Manager reports are documented at the above URL. When you figure out what an undocumented report means, please consider adding a wiki page to document what you have found. IIRC, Squid Books have documentation for some of the cache manager pages that are not documented on Squid wiki. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
W dniu 18.05.2017 o 15:07, erdosain9 pisze: And for example, if i have this Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 20 of 20 (0 shutting down) requests sent: 23980 replies received: 23980 queue length: 0 avg service time: 8 msec ID # FD PID # Requests # Replies Flags Time Offset Request 21 182159 15266 15266 0.034 0 (none) 22 20216040164016 0.167 0 (none) 23 26216118271827 0.225 0 (none) 24 34216210631063 0.142 0 (none) 25 362167 674 674 0.113 0 (none) 26 402169 427 427 0.134 0 (none) 27 442170 251 251 0.134 0 (none) 28 482172 171 171 0.073 0 (none) 29 552174 106 106 0.299 0 (none) 302133167 64 64 0.298 0 (none) 312163168 41 41 0.297 0 (none) 322183169 26 26 0.250 0 (none) 332173170 15 15 0.297 0 (none) 37 996631 10 10 0.243 0 (none) 381066632 7 7 0.171 0 (none) 391247630 4 4 0.112 0 (none) 401297631 4 4 0.306 0 (none) 41263 18079 3 3 0.306 0 (none) 42266 18080 3 3 0.404 0 (none) 43108 18081 2 2 0.401 0 (none) Flags key: B = BUSY C = CLOSING R = RESERVED S = SHUTDOWN PENDING P = PLACEHOLDER 20 of 20 authenticators are in use but, there is no busy... so... i have to increase the number of authenticators or not? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682458.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users No need to. Although, in corporate reality there is always sooner or later situation when someone sends an e-mail to all users "Go to www.some.domain and do something instantly. These are the cases that may make life hard. Above shows that 20 is overkill , but only in the period of time when stats were collected. -- Greets, Dijx. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
The issue is crystal: tlsv1 alert unknown ca Check you configured CA bundle available for squid. Either FB, Twitter works via browser. Apps (usually uses from mobiles) also required to install proxy CA into devices. If they pinned, just write splice acl to pass it without bump. 18.05.2017 16:26, arun.xavier пишет: > tlsv1 alert unknown ca signature.asc Description: OpenPGP digital signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
W dniu 18.05.2017 o 14:48, erdosain9 pisze: Hi. Where i can find documentation for the opcion on squidclient, many of them are self-explanatory but for example this: [root@squid ~]# squidclient mgr:external_acl HTTP/1.1 200 OK Server: squid/3.5.20 Mime-Version: 1.0 Date: Thu, 18 May 2017 12:40:54 GMT Content-Type: text/plain;charset=utf-8 Expires: Thu, 18 May 2017 12:40:54 GMT Last-Modified: Thu, 18 May 2017 12:40:54 GMT X-Cache: MISS from squid.xxx.lan X-Cache-Lookup: MISS from squid.xxx.lan:3128 Connection: close External ACL Statistics: i-full Cache size: 13 program: /usr/lib64/squid/ext_kerberos_ldap_group_acl number active: 5 of 5 (0 shutting down) requests sent: 48 replies received: 48 queue length: 0 avg service time: 11 msec ID # FD PID # Requests # Replies Flags Time Offset Request 6 232134 48 48 0.011 0 (none) 7 252135 0 0 0.000 0 (none) 8 272136 0 0 0.000 0 (none) 9 292137 0 0 0.000 0 (none) 10 312138 0 0 0.000 0 (none) Flags key: B = BUSY W = WRITING C = CLOSING S = SHUTDOWN PENDING External ACL Statistics: i-limitado Cache size: 29 program: /usr/lib64/squid/ext_kerberos_ldap_group_acl number active: 5 of 5 (0 shutting down) requests sent: 110 replies received: 110 queue length: 0 avg service time: 101 msec ID # FD PID # Requests # Replies Flags Time Offset Request 11 332139 110 110 0.014 0 (none) 12 352140 0 0 0.000 0 (none) 13 372141 0 0 0.000 0 (none) 14 392142 0 0 0.000 0 (none) 15 412143 0 0 0.000 0 (none) Flags key: B = BUSY W = WRITING C = CLOSING S = SHUTDOWN PENDING External ACL Statistics: i-sinlimite Cache size: 51 program: /usr/lib64/squid/ext_kerberos_ldap_group_acl number active: 5 of 5 (0 shutting down) requests sent: 195 replies received: 195 queue length: 0 avg service time: -1441 msec ID # FD PID # Requests # Replies Flags Time Offset Request 16 432144 191 191 0.050 0 (none) 17 452145 1 1 0.175 0 (none) 18 472146 1 1 0.185 0 (none) 19 492147 1 1 0.130 0 (none) 20 512148 1 1 0.229 0 (none) Flags key: B = BUSY W = WRITING C = CLOSING S = SHUTDOWN PENDING I know that i dont have any user in External ACL Statistics: i-sinlimite... then why those statistics (with request and replies and 5 of 5). Thanks to all -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users As far as I remember, you have some ldap group-based ACLs in your config. If any user is trying to access site listed in that kind of ACL, this helper is checking is user is in AD group that allows or disallows this action. You may not have any user in i-sinlimite, but you DO HAVE this ACL, so squid will always check that group and find out that the result is negative. If you have no users in this group and not going to have in near future, analyze your ACL logic and remove this rule from configuration - this will make squid faster for sure. Your config is: ===begin conf sample=== http_access allow localhost http_access allow i-sinlimite http_access allow sin_autenticacion http_access allow i-limitado #!dominios_denegados http_access allow i-full #!dominios_denegados # And finally deny all other access to this proxy http_access deny all ===end=== You have no user in this group, yet since it is the first rule, EVERY user has to be checked is he/she ini-sinlim...@xxx.lan group. What for, if group is not used? And it is not used in delay_class either. When squid knows that user is not allowed by i-sinlimite, next rule (sin_autenticacion) is launched, but this is different, list-based ACL, don't now what is on the list - my guess is that's
Re: [squid-users] Documentation for squidclient?
And... for last How i read this?? Delay pools configured: 5 Pool: 1 Class: 2 Aggregate: Max: 100 Restore: 100 Current: 100 Individual: Max: 512000 Restore: 5 Current: 124:512000 67:512000 120:512000 127:512000 9:512000 26:214810 64:512000 169:512000 156:512000 Pool: 2 Class: 2 Aggregate: Max: 100 Restore: 100 Current: 100 Individual: Max: 512000 Restore: 5 Current: 238:512000 124:512000 67:512000 120:512000 127:512000 26:512000 64:512000 156:512000 149:512000 Pool: 3 Class: 1 Aggregate: Max: 100 Restore: 100 Current: 100 Pool: 4 Class: 3 Aggregate: Max: 300 Restore: 300 Current: 300 Network: Max: 100 Restore: 100 Current: 1:100 2:100 Individual: Max: 512000 Restore: 256000 Current [Network 1]: 238:512000 127:512000 124:512000 17:512000 63:512000 149:512000 120:512000 155:512000 156:512000 26:512000 9:512000 Current [Network 2]: 68:512000 61:512000 67:512000 64:512000 169:512000 66:512000 12:512000 Pool: 5 Class: 3 Aggregate: Max: 150 Restore: 150 Current: 150 Network: Max: 75 Restore: 75 Current: 1:75 Individual: Max: 512000 Restore: 256000 Current [Network 1]: 48:512000 75:512000 121:512000 151:512000 -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682459.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Documentation for squidclient?
And for example, if i have this Negotiate Authenticator Statistics: program: /lib64/squid/negotiate_kerberos_auth number active: 20 of 20 (0 shutting down) requests sent: 23980 replies received: 23980 queue length: 0 avg service time: 8 msec ID # FD PID # Requests # Replies Flags Time Offset Request 21 182159 15266 15266 0.034 0 (none) 22 20216040164016 0.167 0 (none) 23 26216118271827 0.225 0 (none) 24 34216210631063 0.142 0 (none) 25 362167 674 674 0.113 0 (none) 26 402169 427 427 0.134 0 (none) 27 442170 251 251 0.134 0 (none) 28 482172 171 171 0.073 0 (none) 29 552174 106 106 0.299 0 (none) 30 2133167 64 64 0.298 0 (none) 31 2163168 41 41 0.297 0 (none) 32 2183169 26 26 0.250 0 (none) 33 2173170 15 15 0.297 0 (none) 37 996631 10 10 0.243 0 (none) 38 1066632 7 7 0.171 0 (none) 39 1247630 4 4 0.112 0 (none) 40 1297631 4 4 0.306 0 (none) 41 263 18079 3 3 0.306 0 (none) 42 266 18080 3 3 0.404 0 (none) 43 108 18081 2 2 0.401 0 (none) Flags key: B = BUSY C = CLOSING R = RESERVED S = SHUTDOWN PENDING P = PLACEHOLDER 20 of 20 authenticators are in use but, there is no busy... so... i have to increase the number of authenticators or not? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Documentation-for-squidclient-tp4682457p4682458.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
Hello Amos, The issue seems to be certificate pinning, is it possible to configure squid to peek/splice pinned requests and to bump all other requests? - - Arun Xavier -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-works-with-ssl-bump-in-intercept-mode-and-root-certificate-in-browser-but-apps-does-not-work-tp4682451p4682456.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
Thanks for the quick response, I have tried different versions of squid & luckily now I have already configured squid-4.0.19, so I will try /on_unsupported_protocol/ directive. -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-works-with-ssl-bump-in-intercept-mode-and-root-certificate-in-browser-but-apps-does-not-work-tp4682451p4682455.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
On 18/05/17 22:59, Marcus Kool wrote: You have not stated which version of Squid you are using but my guess is that it is 3.5.x. facebook app and other apps use port 443 but do not use HTTPS and therefore Squid does not how to bump it and consequently the app does not work. What you need is the not yet stable Squid 4.0 and use the option on_unsupported_protocol tunnel all so that the non-HTTPS protocols get through without being bumped. Also apps are more likely to have certificate pinning in operation since the domains they need to contact is much smaller than a general-use browser. If that is done the traffic cannot be bump'ed (only peek, stare, splice or terminate work). Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate
On 18/05/17 21:41, Flashdown wrote: Dear Eliezer, Please have look into http://bugs.squid-cache.org/show_bug.cgi?id=4711 the patches for this issue are already done. Many thx to Christos Tsantilas! @Amos: I hope you consider adding the patch to Squid 3.5 as well, since for now it just has been added to Squid 4, maybe the reason is a testing period or something similar. Would be nice to get an update like will be added into upcoming release 3.5.xx :) Aye, its on the list just waiting for me to get time for backporting. Since Christos has provided patches already that has good chances of happening next week. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
You have not stated which version of Squid you are using but my guess is that it is 3.5.x. facebook app and other apps use port 443 but do not use HTTPS and therefore Squid does not how to bump it and consequently the app does not work. What you need is the not yet stable Squid 4.0 and use the option on_unsupported_protocol tunnel all so that the non-HTTPS protocols get through without being bumped. Marcus On 18/05/17 07:26, arun.xavier wrote: I have configured squid with ssl-bump (intercept mode) and it works as expected while accessing secure sites from browsers. What I have done so far. - Configured squid. - created a root& intermediate certificate for dynamic cert generation in squid. installed the same root certificate in mobile device(iphone 6 -iOS-10). - Every website works on chrome/safari. But apps like facebook,twitter are not working(showing network error). When checking cache log of squid, I found the below log. /Error negotiating SSL connection on FD 12: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0) / It looks like initial CONNECT/Handshake is not working. what I have changed in squid.conf - acl localnet src 172.16.0.0/12 acl localnet src fe80::/10 acl allow localnet ssl_bump bump all always_direct allow all http_port localhost:3128 http_port localhost:3129 intercept https_port localhost:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/cert/cert.pem key=/etc/squid/cert/key.pem strip_query_terms off Any idea how to fix this? or where to check? What might be my mistake ? PS: I use squid to get logs of all internet traffic from mobile devices. Overview of my intented system is like this: SmartPhone>VPN--->Squid--->Internet -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-works-with-ssl-bump-in-intercept-mode-and-root-certificate-in-browser-but-apps-does-not-work-tp4682451.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
I have configured squid with ssl-bump (intercept mode) and it works as expected while accessing secure sites from browsers. What I have done so far. - Configured squid. - created a root& intermediate certificate for dynamic cert generation in squid. installed the same root certificate in mobile device(iphone 6 -iOS-10). - Every website works on chrome/safari. But apps like facebook,twitter are not working(showing network error). When checking cache log of squid, I found the below log. /Error negotiating SSL connection on FD 12: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0) / It looks like initial CONNECT/Handshake is not working. what I have changed in squid.conf - acl localnet src 172.16.0.0/12 acl localnet src fe80::/10 acl allow localnet ssl_bump bump all always_direct allow all http_port localhost:3128 http_port localhost:3129 intercept https_port localhost:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/cert/cert.pem key=/etc/squid/cert/key.pem strip_query_terms off Any idea how to fix this? or where to check? What might be my mistake ? PS: I use squid to get logs of all internet traffic from mobile devices. Overview of my intented system is like this: SmartPhone>VPN--->Squid--->Internet -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-works-with-ssl-bump-in-intercept-mode-and-root-certificate-in-browser-but-apps-does-not-work-tp4682451.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate
Dear Eliezer, Please have look into http://bugs.squid-cache.org/show_bug.cgi?id=4711 the patches for this issue are already done. Many thx to Christos Tsantilas! @Amos: I hope you consider adding the patch to Squid 3.5 as well, since for now it just has been added to Squid 4, maybe the reason is a testing period or something similar. Would be nice to get an update like will be added into upcoming release 3.5.xx :) Am 2017-05-18 11:05, schrieb Eliezer Croitoru: Hey List, Since one of the subjects is SSL and specifically SSL-BUMP I noticed a change today and found out that: For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. Google source: https://support.google.com/chrome/a/answer/7391219?hl=en So if someone will see something weird... it might not even be related directly to squid! Regards, Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] custom error pages with stylesheets doesn't work for me
Hello, I use squid 3.5.25 compiled with following options: Squid Cache: Version 3.5.25 Service Name: squid configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=24576' '--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-loadable-modules' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--enable-async-io=128' '--enable-auth' '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-external-acl-helpers=session' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--disable-strict-error-checking' '--with-openssl=/opt/dv-openssl1' 'CFLAGS= -O2 -fPIE -fPIC -DSQUID_USE_SSLGETCERTIFICATE_HACK=1' 'LDFLAGS= -fPIC -pie' 'CPPFLAGS= -O2 -fPIE -fPIC -DSQUID_USE_SSLGETCERTIFICATE_HACK=1' I wrote some custom error pages and activated style sheets in the header of the error pages like: %l In the squid.conf file I set err_page_stylesheet to my stylesheet file and I restarted squid. My expectation was, that the content of this style sheet file will be included in the error page at the %l position. But the place between and is empty. Does anybody know how can I insert the content of the style sheet file to the error pages ? -- Regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + IPv6
I think that the answers on how to re-compile squid for windows with special options might be the diladale part of the issue. They compile squid with mostly default and they have enough experience and knowledge on how to recompile squid to match the requirement of the thread. I still think that it's better to run Squid ontop of a linux and even in a VM ontop of windows compared to squid native binary(but it's my preference). All The Bests, Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Wednesday, May 17, 2017 4:33 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid + IPv6 Holdup guys. There is no limit on tcp_outgoing_address in Squid. So Jared; * what did you mean by "the entirety of squid immediately stops working" in your original mail? crash? errors? something else? * what is your Windows system per-process handle limit? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate
Hey List, Since one of the subjects is SSL and specifically SSL-BUMP I noticed a change today and found out that: For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. Google source: https://support.google.com/chrome/a/answer/7391219?hl=en So if someone will see something weird... it might not even be related directly to squid! Regards, Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users