Re: [squid-users] Cache peer help

2017-06-08 Thread Alejandro Delgado Moreno
Hi Amos,

Here is the squid.conf file:

acl localnet src 172.16.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


acl journals dstdomain "/etc/squid/UPF_LIST.txt"

cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default

cache_peer_access proxy-inst.upf.edu allow journals
always_direct allow journals


# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8881

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


And this is an extract of the log:

[Thu Jun  8 09:47:15 2017].269     57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:16 2017].128     57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:16 2017].331     56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:20 2017].258    111 172.18.2.45 TCP_MISS/200 967 POST http://ocsp.usertrust.com/ - HIER_DIRECT/178.255.83.1 application/ocsp-response
[Thu Jun  8 09:47:21 2017].250     56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:21 2017].459     47 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:23 2017].744    185 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Thu Jun  8 09:47:24 2017].005    104 172.18.2.45 TCP_MISS/200 2067 POST http://ss.symcd.com/ - HIER_DIRECT/23.37.171.27 application/ocsp-response
[Thu Jun  8 09:47:25 2017].902   5105 172.18.2.45 TCP_TUNNEL/200 5792 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:27 2017].980     65 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:28 2017].394    211 172.18.2.45 TCP_MISS/200 488 GET http://detectportal.firefox.com/success.txt - HIER_DIRECT/88.221.254.202 text/plain
[Thu Jun  8 09:47:28 2017].786     46 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:28 2017].809   8785 172.18.2.45 TCP_TUNNEL/200 54093 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].120   5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].144   5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].147   5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].374   6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -

As you can see, it is always going direct, but when going to idp.fecyt.es it should 
be going through the peer, as the file UPF_LIST.txt has:

https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
 
among other lines.

Regards,

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: martes, 6 de junio de 2017 18:18
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Cache peer help

On 07/06/17 02:24, Alejandro Delgado Moreno wrote:
> Sorry for this mistake,
>
> It's:
>
> acl journals dstdomain "/etc/squid/x

Re: [squid-users] Cache peer help

2017-06-08 Thread Amos Jeffries

On 08/06/17 19:51, Alejandro Delgado Moreno wrote:

Hi Amos,

Here is the squid.conf file:

acl localnet src 172.16.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


acl journals dstdomain "/etc/squid/UPF_LIST.txt"

cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default

cache_peer_access proxy-inst.upf.edu allow journals
always_direct allow journals


There you go. Problem #1:  "always_direct allow" prohibits any 
cache_peer being used by that request (by requiring that DIRECT be used, 
mandatory). Remove that and some of the journal traffic will start going 
to the peer.



And this is an extract of the log:

[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].120   5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].144   5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].147   5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].374   6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -


CONNECT and a few other things are normally sent DIRECT because that is 
way faster than doing another hop.


To make those prefer going through the peer add this line:

  nonhierarchical_direct off

And if that is not enough, you can add "never_direct allow journals" to 
forbid DIRECT being used. They will then fail completely if the peer is 
not used for any reason.




As you can see, always is going direct, but when going to idp.fecyt.es should 
be going through the peer, as the file UPF_LIST.txt has:

https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*


Your squid.conf said these were being loaded into a dstdomain ACL. But 
the above lines are URLs, not domain names.


dstdomain syntax is a domain name with maybe a wildcard to match all 
sub-domains. see 




HTH
Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
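Two things Amos points out above can be checked mechanically before reloading Squid: the dstdomain file must hold domain names (bare host, or a leading dot for the host plus all sub-domains), not URLs, and the hierarchy field in access.log (HIER_DIRECT versus a parent code such as HIER_DEFAULT_PARENT) records which route Squid actually took. The script below is an added example for this thread, not part of Squid or of the poster's setup. The list entries are the ones quoted in the message; the log lines are constructed from the posted extract, with one extra line showing what a request looks like once the `default` parent is used. The `.example-journal.org` entry is a made-up wildcard to exercise sub-domain matching.

```python
"""Audit a Squid dstdomain list and see in access.log which route (DIRECT or
a cache_peer) requests to the listed domains actually took.

Added example for this thread; not part of Squid or the poster's setup.
Assumes one list entry per line ('#' comments allowed) and Squid's native
access.log layout with the bracketed timestamp shown in the posted extract.
"""
from urllib.parse import urlparse

# Constructed from the entries quoted in the thread: URLs, not domain names.
UPF_LIST = """\
https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
www.recursoscientificos.fecyt.es
.example-journal.org
"""

# Constructed log lines: four mirror the posted extract; the last one shows
# what a request looks like once the `default` parent is actually used.
ACCESS_LOG = """\
[Thu Jun  8 09:47:21 2017].459 47 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:25 2017].902 5105 172.18.2.45 TCP_TUNNEL/200 5792 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].374 6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 10:02:11 2017].120 4810 172.18.2.45 TCP_TUNNEL/200 5401 CONNECT idp.fecyt.es:443 - HIER_DEFAULT_PARENT/proxy-inst.upf.edu -
"""

def check_dstdomain_entry(entry):
    """(ok, domain, note) for one entry.  dstdomain wants 'host.example' or
    '.host.example' (host plus sub-domains); a scheme, path, port or '*'
    makes a URL pattern that never matches, so the hostname is extracted."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return False, None, "blank or comment"
    if not any(c in e for c in ":/*"):
        return True, e.rstrip("."), "ok"
    target = e if "://" in e else "//" + e      # give urlparse a netloc
    host = urlparse(target).hostname
    if not host:
        return False, None, "cannot extract a hostname"
    return False, host.rstrip("."), "URL-style entry; use the bare domain"

def load_dstdomain_list(text):
    """Return (domains, problems): usable entries plus a report of bad ones.
    Bad entries still contribute their hostname so the audit covers them."""
    domains, problems = [], []
    for raw in text.splitlines():
        ok, domain, note = check_dstdomain_entry(raw)
        if domain and not ok:
            problems.append((raw.strip(), domain, note))
        if domain:
            domains.append(domain)
    return list(dict.fromkeys(domains)), problems   # dedupe, keep order

def dstdomain_match(host, domains):
    """Mimic Squid dstdomain semantics; return the matching entry or None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return d
        elif host == d:
            return d
    return None

def parse_access_line(line):
    """Return (method, host, hierarchy_code), or None if unparsable."""
    f = line.split("]", 1)[-1].split()      # drop the bracketed timestamp
    if len(f) < 9:
        return None
    method, url, hier = f[5], f[6], f[8]
    # CONNECT logs host:port rather than a URL
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlparse(url).hostname
    return (method, host, hier.split("/", 1)[0]) if host else None

def audit_routes(list_text, log_text):
    """For every logged request to a listed domain, say which route was used:
    'direct' (HIER_DIRECT), 'none' (HIER_NONE, nothing fetched) or 'peer'."""
    domains, _ = load_dstdomain_list(list_text)
    report = []
    for line in log_text.splitlines():
        parsed = parse_access_line(line)
        if not parsed:
            continue
        method, host, code = parsed
        entry = dstdomain_match(host, domains)
        if entry is None:
            continue
        route = {"HIER_DIRECT": "direct", "HIER_NONE": "none"}.get(code, "peer")
        report.append({"host": host, "method": method, "entry": entry,
                       "hier": code, "route": route})
    return report

if __name__ == "__main__":
    for raw, host, note in load_dstdomain_list(UPF_LIST)[1]:
        print("BAD ENTRY %r: %s -> %s" % (raw, note, host))
    for r in audit_routes(UPF_LIST, ACCESS_LOG):
        print("%-40s %-22s %s" % (r["host"], r["hier"], r["route"]))
```

Run against the real `/etc/squid/UPF_LIST.txt` and `access.log`, every listed domain that still shows `direct` after the config change is a candidate for `nonhierarchical_direct off` or `never_direct`, and every `peer` row confirms the parent is being used. The script does not attempt to reproduce `always_direct`/`never_direct` evaluation itself; it only reports what Squid logged.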


[squid-users] A youtube acl tool sketch

2017-06-08 Thread Eliezer Croitoru
I have been working on a couple of tools that will help to filter content on
YouTube.
If you are not an education facility you don't have the ability to manage
YouTube content or force some policy on your users.
The basic issue is that you don't want any video to be seen by your users.
We could start categorizing and build a DB that will contain a blacklist and
whitelist, but I have written a sketch for a tool that will help to build a
squid external_acl helper to control access to YouTube videos.
The tool is at:
https://gist.github.com/elico/cbda8a6918cb71918616d39b560c90d8

It's BSD licensed and free for all.

There is a CGI script in Ruby that can be patched to respond with a pretty
JSON output and help external tools use it as an API. There is also an
example in Go which receives a videoid argument and returns the channel
or the user it belongs to.

Let's say you are a business and you want to allow access to YouTube videos
which were published by MikroTik or another company or a specific tutorial
maker, but not news or other distracting things: you can build an external_acl
helper based on this.

If someone is interested in having this tool completed to work with a
specific DB or a specific text file that will be the whitelist (with all
others banned), just contact me, and hopefully I will schedule it for
the next squid release.

I am now working on the article for the release of the squid 3.5.26 and 4.0.20
RPMs.
(The RPMs are out.)

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



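The external_acl helper Eliezer describes, written out as an added example for this thread (it is neither his gist nor part of Squid): a small Python helper that speaks Squid's external ACL protocol, pulls the video id out of the request URL, maps it to a channel and answers OK only for allow-listed channels. The videoid-to-channel table is a constructed stand-in for the lookup his Ruby/Go code performs against YouTube; the `external_acl_type` wiring in the docstring, the helper name `yt_chan` and the path `/usr/local/bin/yt_acl.py` are assumptions. Non-video YouTube URLs are passed (other ACLs decide about them) and a video whose channel cannot be resolved is denied, so the helper fails closed.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl helper: allow YouTube videos only when they
belong to an allow-listed channel.

Added example for this thread; it is neither Eliezer's gist nor part of
Squid.  Assumed squid.conf wiring (helper name and path are made up):
    external_acl_type yt_chan concurrency=20 ttl=300 %URI /usr/local/bin/yt_acl.py
    acl yt_allowed external yt_chan
    http_access deny !yt_allowed
With concurrency set, Squid sends "<channel-id> <URI>" per line and expects
"<channel-id> OK|ERR [key=value ...]" back, one reply per request.
"""
import re
import sys
from urllib.parse import parse_qs, urlparse

# Constructed table standing in for a real videoid -> channel lookup.
VIDEO_CHANNEL = {
    "mikrotik001": "MikroTik",
    "mikrotik002": "MikroTik",
    "newsclip999": "SomeNewsOutlet",
}
ALLOWED_CHANNELS = {"MikroTik"}
VIDEO_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")   # YouTube ids are 11 chars


def extract_video_id(url):
    """Video id from watch?v=, youtu.be/, /embed/, /v/ or /shorts/ URLs, else None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host == "youtu.be":
        cand = u.path.strip("/").split("/")[0]
    elif host == "youtube.com" or host.endswith(".youtube.com"):
        segs = u.path.split("/")
        if u.path == "/watch":
            cand = parse_qs(u.query).get("v", [""])[0]
        elif len(segs) > 2 and segs[1] in ("embed", "v", "shorts"):
            cand = segs[2]
        else:
            return None
    else:
        return None
    return cand if VIDEO_ID.match(cand) else None


def decide(url):
    """Return (allow, reason).  Non-video URLs pass (other ACLs handle them);
    a video whose channel is unknown is denied, i.e. the helper fails closed."""
    vid = extract_video_id(url)
    if vid is None:
        return True, "not a video URL"
    chan = VIDEO_CHANNEL.get(vid)
    if chan is None:
        return False, "unknown channel for video %s" % vid
    if chan in ALLOWED_CHANNELS:
        return True, "channel %s allowed" % chan
    return False, "channel %s not allowed" % chan


def handle_line(line):
    """Map one request line from Squid to the reply line (no trailing newline)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:                      # malformed: report helper failure
        return parts[0] + " BH" if parts else "BH"
    chan_id, url = parts
    ok, reason = decide(url)
    # message= is recorded by Squid and can be shown via deny_info pages
    return "%s %s message=%s" % (chan_id, "OK" if ok else "ERR", reason.replace(" ", "_"))


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()   # Squid blocks on each reply; never buffer output


if __name__ == "__main__":
    main()
```

To try it without Squid, pipe request lines in by hand, e.g. `printf '0 https://www.youtube.com/watch?v=mikrotik001\n' | ./yt_acl.py`. In production the static table would be replaced by the videoid-to-channel resolver (Eliezer's Ruby CGI or Go example) plus a cache, since Squid will call the helper for every matching request not already covered by its `ttl=` result cache.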


Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
I also tested the following cases.
test case 1:

add the following settings in squid.conf

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts

test results: ssl bump failed
1. access.log has no record
2. the web browser keeps waiting, no response

-- 

test case 2:
1. squid.conf uses:
   http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
2. web browser uses proxy server x.x.x.x:3129

test result: ssl bump is OK



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-ssl-bump-intercept-TCP-DENIED-200-on-bridge-mode-tp4682712p4682734.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
test case 1:
-
I changed my squid setting (not using intercept mode):

http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

and the client web browser proxy set to 192.168.95.81:3129

squid ssl-bump * OK *
squid access.log has the client access log.

test case 2:
-
but I want to use transparent mode (intercept with PF rdr).
For intercept mode I added the following acl rules:

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts
.
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 no longer appears in access.log,
but the client web browser keeps waiting and gets no response.




