Re: [squid-users] Squid issue of caching the m3u8 file

2017-06-07 Thread Amos Jeffries

On 08/06/17 02:04, joseph wrote:

> right
>
> let's say I have an obj with this header.
> If the server sends the same obj with a different Set-Cookie value, that will be
> a MISS. I was referring to this,
> not to the Vary if it has a cookie. Sorry if I did not explain it correctly.


Cookie(s) have nothing to do with MISS unless it is listed in Vary.

The fact that the object is coming from a server without involving any 
object in the proxy's own cache is what makes a transaction be 
classified as MISS.


By comparison; things that involve both an object in the proxy's cache 
and a server are REFRESH, and things that _only_ involve the proxy cache 
are HIT.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
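The HIT / REFRESH / MISS distinction above is what the result code in Squid's native access.log encodes. The following is an added example (not Squid code, not from any poster) that parses native-format access.log lines and buckets them by that distinction, and separately counts TCP_DENIED lines per client, which is the first thing to look at when a client reports a sudden 403 storm. The first two sample lines are the TCP_DENIED lines from this thread; the remaining lines are constructed, and the field layout assumed is the native format (timestamp, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/host, type).

```python
"""Parse Squid native access.log lines and bucket them by HIT / REFRESH /
MISS / DENIED. Added illustration, not Squid code."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class AccessRecord:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str       # Squid result code, e.g. TCP_DENIED
    status: int       # HTTP status, e.g. 200
    bytes: int
    method: str
    url: str
    hierarchy: str    # e.g. HIER_NONE/- or HIER_DIRECT/203.0.113.10


def parse_line(line):
    """Split one native-format line into its fields (raises on anything else)."""
    f = line.split()
    if len(f) < 9:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, _, status = f[3].partition("/")
    return AccessRecord(float(f[0]), int(f[1]), f[2], result, int(status),
                        int(f[4]), f[5], f[6], f[8])


def classify(result):
    """Map a result code onto the classes Amos describes: a DENIED never
    reached cache or server, a *_MISS came from the server only, a REFRESH
    involved both a cached object and the server, a *HIT only the cache."""
    if "DENIED" in result:
        return "DENIED"
    if result.endswith("_MISS"):          # TCP_MISS, TCP_CLIENT_REFRESH_MISS, ...
        return "MISS"
    if "REFRESH" in result:               # TCP_REFRESH_UNMODIFIED, TCP_REFRESH_MODIFIED, ...
        return "REFRESH"
    if "HIT" in result:                   # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
        return "HIT"
    return "OTHER"                        # TCP_TUNNEL, NONE, ...


def summarize(lines):
    """Return (count per class, TCP_DENIED count per client IP)."""
    by_class = Counter()
    denied_by_client = Counter()
    for line in lines:
        rec = parse_line(line)
        cls = classify(rec.result)
        by_class[cls] += 1
        if cls == "DENIED":
            denied_by_client[rec.client] += 1
    return by_class, denied_by_client


SAMPLE_LOG = [
    # the two lines below are the ones quoted in this thread
    "1495699856.074  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    "1495699857.720  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    # constructed lines, in the same native format
    "1495699900.101 12 10.0.0.5 TCP_HIT/200 2048 GET http://media.example.test/seg1.ts - HIER_NONE/- video/MP2T",
    "1495699901.202 180 10.0.0.5 TCP_MISS/200 4096 GET http://media.example.test/seg2.ts - HIER_DIRECT/203.0.113.10 video/MP2T",
    "1495699902.303 95 10.0.0.6 TCP_REFRESH_UNMODIFIED/200 512 GET http://media.example.test/playlist.m3u8 - HIER_DIRECT/203.0.113.10 application/vnd.apple.mpegurl",
    "1495699903.404 1 10.0.0.6 TCP_MEM_HIT/200 512 GET http://media.example.test/playlist.m3u8 - HIER_NONE/- application/vnd.apple.mpegurl",
]

if __name__ == "__main__":
    classes, denied = summarize(SAMPLE_LOG)
    print(dict(classes), dict(denied))
```

Run against a real log with `summarize(open("/var/log/squid/access.log"))`; the `ValueError` on a non-native line is deliberate, so a log written with a custom `logformat` is rejected rather than silently miscounted.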


Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Alex Rousskov
On 06/07/2017 03:37 AM, Jason Chiu wrote:

> 1495699856.074  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129

> *Need to adjust which part of the settings?*

If that connection is really trying to connect to 127.0.0.1:3129 from
Squid point of view, then your interception setup is probably deficient.
Intercepted to-port 443 connections should be seen by Squid as going to
port 443 (while being received at Squid port 3129). Interception is not
(or should not be) just port redirection. This has nothing to do with
Squid configuration though.

Once you fix interception (or if you refuse to fix it), if Squid is
denying access, then you should adjust your http_access rules. Your
rules must allow the fake CONNECT requests that represent intercepted HTTPS
connections. For example, the above TCP_DENIED line is probably logged
because your current interception setup triggers this (correct) rule:

> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports


And yes, it might have "worked" in the past because earlier Squids were
doing fewer checks than they should be doing.

Alex.


> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/squid/cache/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> #http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump bump all
> 
> # sslcrtd
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M
> 10MB
> sslcrtd_children 5
> 
> # sslproxy setting
> sslproxy_capath /var/squid/ssl_db/certs
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
> #sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cert_error allow all
> sslproxy_cert_adapt setValidAfter all
> 
> sslproxy_flags DONT_VERIFY_PEER
> 
> 
> pf.conf
> ---
> #internal interface
> int_if = '{em1}'
> 
> # Normalization: reassemble fragments resolve or reduce traffic ambiguities.
> scrub in all
> set skip on lo0
> 
> #sslTP rdr setting
> rdr_from = 'any'
> rdr_to = 'any'
> rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 ->
> 127.0.0.1 port 3129
> pass in all no state
> pass out all no state
> pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any
> keep state
> 
> 
> 



Re: [squid-users] Squid issue of caching the m3u8 file

2017-06-07 Thread Amos Jeffries

On 08/06/17 01:00, joseph wrote:

> so if the server sends the same obj with a new Cookie it will be a miss, since the
> Cookie does not match the cached obj


No, the Vary header does not say Cookie is part of the variance AFAICT. 
Just URL plus Accept-Encoding.


The Cookie/Set-Cookie being accurate is just related to whether the 
client browsing session is kept continuous or breaks. Depending on 
whether this transaction is part of a purchase or something similar that 
may be significant, or not.


At a guess since this is a media related object from Apple I suspect it 
is linked to an iTunes account of some sort. So the Cookie might be 
needed by the client for something. In that case getting a reply without 
one (as a pure cache HIT would appear to the client) may have problems.


That is just speculation though to show that this traffic behaviour is 
not completely unreasonable. Only the site and client software authors 
actually know for sure what is intended to be going on and why.



So, to get back on topic. Yes Squid should be caching it. But don't 
expect to see the letters "HIT" in the log anymore for this particular URL.


Amos



Re: [squid-users] https_port

2017-06-07 Thread Amos Jeffries

On 08/06/17 03:28, Adiel Plasencia Herrera wrote:


> Hello,
>
> Could you help me with a configuration of my squid that I want to
> implement.
>
> My proxy passes all traffic to a parent proxy and I want clients to
> connect to my proxy via https.
>
> Can you help me how to implement the connection to my proxy via https?
>
> To better explain what I want I attached 2 pictures. The image with the
> name 1.jpg shows my proxy configuration with type HTTP that connects
> well to the internet.
>
> What I want is for the connection to my proxy to be in the form of the
> 2.jpg image that uses the HTTPS type.
>
> Or, if it is possible, keep both forms.


What operating system are you using, and what applications are you 
wanting to use this proxy connection?


The normal configuration is simply to add an https_port line with cert= 
parameter to your squid.conf. More details on that below.






> This is my current configuration:
> acl trabajadores src 10.5.7.3 10.5.7.5
>
> http_access allow trabajadores
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports


Your custom http_access rules ("allow trabajadores") should be down here 
after the basic security checks.



> http_access deny all
>
> http_port 3128


The above port is for receiving plain-text connections to the proxy. 
Most software supports this, with a few exceptions (usually Java apps).



To accept TLS connections to the proxy (not HTTPS *over* the proxy), 
what you do is add an https_port line here. That https_port line needs a 
cert= parameter containing the proxy server certificate. You may need 
other TLS/SSL parameters to fine tune what the TLS does, but just start 
with getting that basic setup to work.

 

For example:
  https_port 3129 cert=/etc/squid/proxy.pem

(the proxy.pem file here contains both the public server cert and 
private server key for that cert).


Many GUI applications (most notably browsers) do not support this type 
of connection to a proxy (or not well if they do). Which is where the 
questions about your OS and applications come in. You may need to set up 
environment variables or PAC files to get the applications to work.



Note that this is *very* different situation to intercepting port 443 
traffic. Much more different than port 3128 vs. intercepted port 80. 
HTTPS traffic goes through these TLS proxy connections with 
double-layered encryption, so this setup does *not* magically make the 
proxy able to see inside HTTPS if that is what you are really after.


Amos

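Two points in this thread come down to the same mechanism: Alex's diagnosis that an intercepted connection which Squid sees as a CONNECT to 127.0.0.1:3129 trips `http_access deny CONNECT !SSL_ports`, and Amos's advice above that a custom `allow` placed before the security checks lets requests bypass them. The block below is an added example (not Squid code) that models Squid's first-match `http_access` evaluation for the `port`, `method` and `src` ACL types used in the quoted configs, and runs both situations through it. The rule lists are copied from the quoted squid.conf files; the "fixed" destination `www.example.test:443`, the `mail.example.test:25` request and the `Request` class are constructed for the illustration.

```python
"""Toy first-match evaluator for Squid http_access rules. Added illustration,
not Squid's own code; it only models the ACL types seen in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    client_ip: str
    method: str
    dst_host: str   # where Squid believes the request is going
    dst_port: int


# ACL definitions mirroring the quoted squid.conf files
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRABAJADORES = {"10.5.7.3", "10.5.7.5"}

ACLS = {
    "Safe_ports": lambda r: r.dst_port in SAFE_PORTS,
    "SSL_ports": lambda r: r.dst_port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "localnet": lambda r: any(ip_address(r.client_ip) in net for net in LOCALNET),
    "localhost": lambda r: r.client_ip == "127.0.0.1",
    "trabajadores": lambda r: r.client_ip in TRABAJADORES,
    "all": lambda r: True,
}


def acl_matches(name, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated


def http_access(rules, req):
    """Return (action, rule_text) for the first rule whose ACLs all match.
    Like Squid, if no rule matches the result is the opposite of the last rule."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action, f"http_access {action} {' '.join(acls)}"
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "no match (opposite of last rule)"


# Jason's recommended-minimum ordering (manager rules left out of the model)
RECOMMENDED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Adiel's ordering, with the custom allow before the security checks ...
ALLOW_FIRST = [
    ("allow", ["trabajadores"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]
# ... and the same rules with the custom allow moved after them, as Amos advises
CHECKS_FIRST = [ALLOW_FIRST[1], ALLOW_FIRST[2], ALLOW_FIRST[0], ALLOW_FIRST[3]]


def intercept_cases():
    """The intercepted CONNECT as Squid saw it in the thread, and as it should see it."""
    broken = Request("192.168.95.81", "CONNECT", "127.0.0.1", 3129)      # from the access.log line
    fixed = Request("192.168.95.81", "CONNECT", "www.example.test", 443)  # constructed
    return http_access(RECOMMENDED, broken), http_access(RECOMMENDED, fixed)


def ordering_cases():
    """A listed worker IP connecting to a non-Safe port: the outcome depends on rule order."""
    smtp = Request("10.5.7.3", "CONNECT", "mail.example.test", 25)  # constructed
    return http_access(ALLOW_FIRST, smtp), http_access(CHECKS_FIRST, smtp)


if __name__ == "__main__":
    print(intercept_cases())
    print(ordering_cases())
```

Because 3129 falls inside `1025-65535` it passes `Safe_ports`, so the mis-intercepted CONNECT is stopped only by the `SSL_ports` rule; with the real destination port restored, the same client reaches `allow localnet`. In the ordering case the early `allow trabajadores` wins before `deny !Safe_ports` is ever consulted.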


Re: [squid-users] Error while writing to TCP socket: Permission denied

2017-06-07 Thread Amos Jeffries

On 07/06/17 22:54, Ишаяhу Ластов wrote:


> I use squid on freebsd 10.3. When I set the proxy address in the web browser, I
> can't attach files to mail on mail.ru. Without the proxy it works. In
> access.log there are no errors. In cache.log I've got:
>
> 2017/05/29 21:12:16 kid1| local=217.151.68.36:34572 remote=217.69.139.216:443 FD 44 flags=1: read/write failure: (13) Permission denied
> 2017/05/29 21:12:16 kid1| local=217.151.68.36:36057 remote=217.69.139.216:443 FD 44 flags=1: read/write failure: (13) Permission denied
>
> FD can change, if I understand right how to use lsof, then



FD in this case is an open network connection. Each TCP connection has 
exactly one FD in Squid. They get re-used like ports, but it should 
remain unchanged as long as the TCP connection exists. Another identical 
TCP connection made later may get a different FD.


> How can I solve that problem?


It is rather odd to have "Permission denied" (filesystem error!) on a 
network socket. The network equivalent is a failure to connect in the 
first place, or a sudden close event if already open. I suspect a bug in 
your OS kernel or whatever security system it has controlling access to 
system resources.


If this were Linux I would point at SELinux misconfiguration, but I'm 
not sure what (if anything) FreeBSD has doing that sort of control.



Sorry
Amos



Re: [squid-users] Squid issue of caching the m3u8 file

2017-06-07 Thread Amos Jeffries

On 07/06/17 21:42, joseph wrote:

> is Set-Cookie: saved in the cached file as well?? amos


Yes it is. The header on the cached object only gets removed on delivery 
to a client.

Squid does not comply with the Cookie specifications in this regard.

With the extra wrinkle that the mandatory revalidation on these objects 
may provide a new Set-Cookie header that gets added for delivery to the 
new client after the old/cached header was removed. So you may still see 
Set-Cookie on the revalidated HIT (aka REFRESH_UNMODIFIED). Adding a new 
Set-Cookie is usually the purpose of the revalidation being required on 
these sorts of objects.


Amos

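The three Amos replies in this thread describe one behaviour from different angles: the cache key is the URL plus the request headers named in Vary (so a differing Cookie does not cause a MISS unless Cookie is listed there), the stored object keeps its Set-Cookie but that header is stripped when served from cache, and a revalidation answered with 304 can carry a fresh Set-Cookie to the client on a REFRESH_UNMODIFIED. The block below is an added toy model of exactly that description; it is not Squid's code, and the URL, cookie values and m3u8 body are constructed.

```python
"""Toy model of Vary-keyed caching and Set-Cookie handling as described in
this thread. Added illustration, not Squid code; heavily simplified."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict        # header name -> value (single-valued for simplicity)
    body: bytes = b""


def vary_key(url, request_headers, vary):
    """Cache key = URL plus the request-header values named by Vary.
    Cookie only influences the key if the origin lists it in Vary."""
    req = {k.lower(): v for k, v in request_headers.items()}
    parts = [url]
    for name in (h.strip().lower() for h in vary.split(",")):
        if name:
            parts.append(f"{name}={req.get(name, '')}")
    return "\x00".join(parts)


def deliverable(headers):
    """Headers as handed to a client: the stored Set-Cookie is dropped on delivery."""
    return {k: v for k, v in headers.items() if k.lower() != "set-cookie"}


class ToyCache:
    def __init__(self):
        self.vary_of = {}   # url -> Vary string of the stored variants
        self.store = {}     # vary key -> Response (Set-Cookie kept in storage)

    def lookup(self, url, request_headers):
        vary = self.vary_of.get(url)
        if vary is not None:
            entry = self.store.get(vary_key(url, request_headers, vary))
            if entry is not None:
                return "TCP_HIT", Response(entry.status, deliverable(entry.headers), entry.body)
        return "TCP_MISS", None

    def store_response(self, url, request_headers, resp):
        vary = resp.headers.get("Vary", "")
        self.vary_of[url] = vary
        self.store[vary_key(url, request_headers, vary)] = resp

    def revalidate(self, url, request_headers, resp304):
        """Origin answered 304: serve the cached body with the old Set-Cookie
        removed plus whatever headers (e.g. a fresh Set-Cookie) the 304 carried."""
        entry = self.store[vary_key(url, request_headers, self.vary_of[url])]
        merged = deliverable(entry.headers)
        merged.update(resp304.headers)
        entry.headers = dict(merged)   # the fresh Set-Cookie is now what is stored
        return "TCP_REFRESH_UNMODIFIED", Response(entry.status, merged, entry.body)


def demo():
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    cache = ToyCache()
    url = "http://media.example.test/playlist.m3u8"   # constructed
    origin = Response(200, {"Vary": "Accept-Encoding", "Set-Cookie": "sess=1",
                            "Content-Type": "application/vnd.apple.mpegurl"}, b"#EXTM3U\n")
    out = {}
    req_a = {"Accept-Encoding": "gzip", "Cookie": "id=alice"}
    out["first"], _ = cache.lookup(url, req_a)            # nothing stored yet
    cache.store_response(url, req_a, origin)
    # Different Cookie, same Accept-Encoding: Cookie is not in Vary, so still a HIT
    req_b = {"Accept-Encoding": "gzip", "Cookie": "id=bob"}
    out["other_cookie"], hit = cache.lookup(url, req_b)
    out["hit_has_set_cookie"] = "Set-Cookie" in hit.headers
    # Different Accept-Encoding: that header IS in Vary, so a new variant is needed
    out["other_encoding"], _ = cache.lookup(url, {"Accept-Encoding": "br"})
    # Mandatory revalidation answered with a 304 that carries a fresh cookie
    out["reval"], fresh = cache.revalidate(url, req_b, Response(304, {"Set-Cookie": "sess=9"}))
    out["reval_set_cookie"] = fresh.headers.get("Set-Cookie")
    return out


if __name__ == "__main__":
    print(demo())
```

The client that receives the plain HIT gets no Set-Cookie at all, which is the case Amos flags as possibly breaking a cookie-dependent session; the client served via revalidation gets the origin's new cookie instead.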


[squid-users] https_port

2017-06-07 Thread Adiel Plasencia Herrera
Hello,

Could you help me with a configuration of my squid that I want to
implement.

My proxy passes all traffic to a parent proxy and I want clients to
connect to my proxy via https.

Can you help me how to implement the connection to my proxy via https?

To better explain what I want I attached 2 pictures. The image with the
name 1.jpg shows my proxy configuration with type HTTP that connects
well to the internet.

What I want is for the connection to my proxy to be in the form of the
2.jpg image that uses the HTTPS type.

Or, if it is possible, keep both forms.

This is my current configuration:







acl trabajadores src 10.5.7.3 10.5.7.5

acl SSL_ports port 443
acl Safe_ports port 3128        # proxy server
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow trabajadores
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_port 3128

cache_peer 10.5.7.2 parent 3128 0 no-query default login=PASS
forwarded_for on

#hierarchy_stoplist cgi-bin ?

cache_swap_low 90
cache_swap_high 95

#update_headers on
cache_mem 128 MB
#cache_access_log
cache_dir ufs /var/spool/squid3 512 16 256

access_log daemon:/var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log daemon:/var/log/squid3/store.log

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr ad...@example.com
#visible_hostname proxy.example.com
#unique_hostname proxy.example.com

nonhierarchical_direct off

dns_nameservers 10.5.7.2
coredump_dir /var/spool/squid3

max_filedescriptors 3200


Re: [squid-users] CacheManager::ParseUrl: action 'digestauthenticator' not found

2017-06-07 Thread Amos Jeffries

On 07/06/17 13:00, Михаил wrote:

> Hi everybody!
> Sometimes I get this message in cache.log:
> "CacheManager::ParseUrl: action 'digestauthenticator' not found"
>
> Can you tell me what it means?


For some reason the Squid process answering a manager HTTP(S) request 
does not have the Digest authentication component registered. Your build 
options do not prohibit that component from existing, so it should be 
registered but that is still process dependent.


The parts of the log line which you omitted contain the information 
about which process that was reported by, what type of process it was 
and when the manager request happened.


Amos



Re: [squid-users] Huge amount of time_wait connections after upgrade from v2 to v3

2017-06-07 Thread Amos Jeffries

On 07/06/17 12:13, Ivan Larionov wrote:

> Hi!
>
> We recently updated from squid v2 to v3 and now see a huge increase in
> connections in TIME_WAIT state on our squid servers (verified that
> these are client connections).


The biggest change between 2.7 and 3.5 in this area is that 2.7 was 
HTTP/1.0 which closed TCP connections after each request by default, and 
3.5 is HTTP/1.1 which does not. So connections are more likely to 
persist until they hit some TCP timeout then enter the slow TIME_WAIT 
process.


There were also some other bugs identified in older 3.5 releases which 
increased the TIME_WAIT specifically. I thought those were almost all 
fixed by now, but YMMV whether you hit the remaining issues.
A workaround is to set  to a shorter value than the default 2min, e.g. 
you might want it to be 30sec or so.






> See versions and amount of such connections under the same load with
> the same configs (except some incompatible stuff):
>
> squid 2.7.STABLE9
>
> configure options:  '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--exec_prefix=/usr' '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib/squid' '--localstatedir=/var'
> '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll'
> '--enable-removal-policies=heap,lru' '--enable-storeio=aufs'
> '--enable-delay-pools' '--with-pthreads' '--enable-cache-digests'
> '--enable-useragent-log' '--enable-referer-log' '--with-large-files'
> '--with-maxfd=16384' '--enable-err-languages=English'
>
> # netstat -tn | grep TIME_WAIT | grep 3128 | wc -l
> 95
>
> squid 3.5.25
>
> configure options:  '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc/squid' '--libdir=/usr/lib'
> '--libexecdir=/usr/lib/squid' '--includedir=/usr/include'
> '--datadir=/usr/share' '--sharedstatedir=/usr/com'
> '--localstatedir=/var' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--enable-epoll'
> '--enable-removal-policies=heap,lru' '--enable-storeio=aufs'
> '--enable-delay-pools' '--with-pthreads' '--enable-cache-digests'
> '--enable-useragent-log' '--enable-referer-log' '--with-large-files'
> '--with-maxfd=16384' '--enable-err-languages=English' '--enable-htcp'

FYI, these options are not doing anything for Squid-3:
  '--enable-useragent-log' '--enable-referer-log' 
'--enable-err-languages=English'





> # netstat -tn | grep TIME_WAIT | grep 3128 | wc -l
> 11277
>
> Config:
>
> http_port 0.0.0.0:3128
>
> acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
>
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1025-65535  # unregistered ports
>
> acl CONNECT method CONNECT
>
> ### START CUSTOM
> acl Purge_method method PURGE
>
> # Allow localhost to selectively flush the cache
> http_access allow localhost Purge_method
> http_access deny Purge_method
> ### END CUSTOM
>
> ### ALLOW ACCESS TO ALL PORTS
> # http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> ### START CUSTOM
> # Disable icp
> icp_port 0
> # Allow ICP queries from local networks only
> icp_access allow localnet
> icp_access allow localhost
> icp_access deny all
>
> # Disable htcp
> htcp_port 0
> # Allow HTCP queries from local networks only
> htcp_access allow localnet
> htcp_access allow localhost
> htcp_access deny all

FYI: setting icp_access and htcp_access is pointless when the relevant 
port is 0. That port 0 disables the entire component.




> # Check for custom request header
> acl custom_acl req_header x-use-custom-proxy -i true
> # Check for x-use-new-proxy request header
> acl custom_new_acl req_header x-use-new-proxy -i true
>
> # first_proxy
> cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=first_proxy
> cache_peer_access first_proxy deny custom_acl
> cache_peer_access first_proxy deny custom_new_acl
>
> # second_proxy
> cache_peer 127.0.0.1 parent 18079 0 no-query no-digest name=second_proxy
> cache_peer_access second_proxy 

[squid-users] Error while writing to TCP socket: Permission denied

2017-06-07 Thread Ишаяhу Ластов

I use squid on freebsd 10.3. When I set the proxy address in the web browser, I can't 
attach files to mail on mail.ru. Without the proxy it works. In access.log there 
are no errors. In cache.log I've got:
2017/05/29 21:12:16 kid1| local=217.151.68.36:34572 remote=217.69.139.216:443 FD 44 flags=1: read/write failure: (13) Permission denied
2017/05/29 21:12:16 kid1| local=217.151.68.36:36057 remote=217.69.139.216:443 FD 44 flags=1: read/write failure: (13) Permission denied
FD can change, if I understand right how to use lsof, then
root@bkp_router:/home/ishayahu # lsof -d44
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
squid   30197 squid   44u  IPv4 0xf80029788810  0t0  TCP 
broadband-68-36.clients.extel.ru:48387->e.mail.ru:https (ESTABLISHED)
broadband-68-36.clients.extel.ru is ISP's router
How can I solve that problem?
PS: settings like
#request_body_max_size 0
#reply_body_max_size 0
#request_header_max_size 64 KB
#reply_header_max_size 64 KB
#client_request_buffer_max_size 50 Mb
#acl post method POST
#http_access allow post localnet
don't help
#ktrace -d -p 667 kdump>kdump.out
Searching in kdump.out for denied:
4529011-  6776 squidGIO   fd 5 read 32 bytes
4529052-   0x 1b00    feff 1000   400f   
     |@...|
4529197-
4529198-  6776 squidRET   kevent 1
4529229-  6776 squidCALL  write(0x1b,0x8057c3000,0x5b4)
4529281:  6776 squidRET   write -1 errno 13 Permission denied
4529339-  6776 squidCALL  write(0x4,0x802dbf000,0x88)
4529389-  6776 squidGIO   fd 4 wrote 136 bytes
4529432:   "2017/06/04 17:34:06 kid1| local=217.151.68.36:42442 
remote=217.69.139.216:443 FD 27 flags=1: read/write failure: (13) Permission 
denied
4529576-   "
4529585-  6776 squidRET   write 136/0x88
4529622-  6776 squidCALL  close(0x1b)
4529656-  6776 squidRET   close 0
4529686-  6776 squidCALL  close(0x19)
In kdump.out I see that the socket was opened, there was a bunch of reading/writing to it, 
and without any visible reason it ends with an error.
Here socket opens:

root@bkp_router:/home/ishayahu # cat kdump.out | grep -b10 "RET socket 27/0x1b"
4534031-  6776 squidGIO   fd 25 read 196 bytes
4534074-   "CONNECT e.mail.ru:443 HTTP/1.1\r
4534115-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) 
Gecko/20100101 Firefox/55.0\r
4534204-Proxy-Connection: keep-alive\r
4534236-Connection: keep-alive\r
4534262-Host: e.mail.ru:443\r
4534285-\r
4534289-   "
4534298-  6776 squidRET   read 196/0xc4
4534334-  6776 squidCALL  socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)
4534396:  6776 squidRET   socket 27/0x1b
4534433-  6776 squidCALL  fcntl(0x1b,F_GETFD,0)
4534477-  6776 squidRET   fcntl 0
4534507-  6776 squidCALL  fcntl(0x1b,F_SETFD,FD_CLOEXEC)
4534560-  6776 squidRET   fcntl 0
4534590-  6776 squidCALL  fcntl(0x1b,F_GETFL,0)
4534634-  6776 squidRET   fcntl 2
4534664-  6776 squidCALL  fcntl(0x1b,F_SETFL,0x6)
4534729-  6776 squidRET   fcntl 0
4534759-  6776 squidCALL  setsockopt(0x1b,0x6,0x1,0x7fffe484,0x4)
4534825-  6776 squidRET   setsockopt 0


-- 
Ишаяhу Ластов

+7-906-772-88-86


Re: [squid-users] Squid issue of caching the m3u8 file

2017-06-07 Thread joseph
is Set-Cookie: saved in the cached file as well?? amos






Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I also tested the following cases 
test case 1: 

add the following settings in squid.conf 

acl bumpedPorts myportname 3129 
http_access allow CONNECT bumpedPorts 

test results: ssl bump failed
1. access.log has no record
2. web browser keeps waiting, no response

-- 

test case 2: 
1. squid.conf  use  http_port 3129 ssl-bump
cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB 
2. web browser use proxy server x.x.x.x 3129 

test result :  ssl bump is OK 





[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I had a FreeBSD 9.1 bridge (em0, em1) environment, and used
"pf rdr to" to redirect HTTPS (port 443) packets to squid (squid 127.0.0.1:3129).

Squid *3.3.11* ssl bump is OK.


The following is the setting of squid 3.3.11

Squid Cache: Version 3.3.11-20140220-r12672
Configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience


Recently, in order to allow Squid to sign generated SHA-256 certificates,
I upgraded Squid to version 3.5.24.


But ssl bump *is not OK*.

Access.log always shows the following messages:
1495699856.074  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495699857.720  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.054  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.717  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.060  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.354  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -

*Need to adjust which part of the settings?*



The following is my settings: 

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
--enable-ltdl-convenience


squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M
10MB
sslcrtd_children 5

# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher

Re: [squid-users] Huge amount of time_wait connections after upgrade from v2 to v3

2017-06-07 Thread Dieter Bloms
Hi Ivan,

On Tue, Jun 06, Ivan Larionov wrote:

> We recently updated from squid v2 to v3 and now see huge increase in
> connections in TIME_WAIT state on our squid servers (verified that this is
> clients connections).

I can confirm that since 3.5.22 to our ICAP scanners.
With 3.5.21 we had no problems on the SLES11 SP4 operating system.
We did some tests with RHEL7 and we had much less TIME_WAIT.
Do you use an older operating system?


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.