Re: [squid-users] source spoofing without tproxy?

[David Kewley]

Thanks for your reply, Amos.

On Mon, Jun 12, 2017 at 9:50 PM, Amos Jeffries  wrote:

> On 13/06/17 13:48, David Kewley wrote:
>
>> I want my clients to explicitly address squid as a proxy (not use
>> tproxy), but have squid spoof the source addresses in the forwarded
>> connection, so that further hops know the original source address from the
>> IPv4 headers.
>>
>> I could find no indication that anyone else has done this, and when I
>> tried various things, I could not get it working.
>>
>> Is this possible today? If not, is it worth considering as a future
>> feature? Or am I overlooking a reason that this cannot work even in theory?
>>
>
> It is not possible.
>
> No, it is a terrible idea.
>
> It is prohibited by the OS kernel as part of the anti-malware protections,
> in this case to prevent the local machine being used to attack its
> surrounding network nodes. And by Squid to make it harder to use Squid as
> viral payload and damage the brand reputation.
>

What exactly is the "it" that you're saying is prohibited by the OS kernel?
Source spoofing alone, or something else?

Also, HTTP contains multiplexing and persistent connections. So there is no
> particular relation between one incoming/client connection and the
> outgoing/server connection(s) the traffic from that client goes out on.
> Added to that, a client request may generate multiple outgoing requests of
> various types, or Squid may itself generate traffic for its own needs
> without any client interaction.
>
> So doing this just degrades the proxy performance. And not in a small way
> - intercepted traffic pinning everything as this would need comes out about
> 10% nominal (90% reduction), and at the extreme end proxies with NTLM going
> through to an origin see only 1% of nominal performance. Nominal for me
> being what I clocked a big clients network doing in real-world traffic a
> few years back: ~2 requests per second a few years back (Squid Project
> got approx 2x that in controlled lab tests).


Good to know there are strong performance implications, thanks. I don't
understand these systems deeply enough to have anticipated this, so I
appreciate the heads-up. Too many systems to learn, too quickly...

I got the nearly-equivalent functionality working for reverse proxying
>> using nginx, but so far I've found no way to do it with forward proxying.
>> Nginx doesn't do https forward proxying (no handling of CONNECT).
>>
>
> So Nginx can be used to attack networks from inside. Good no know we now
> have to watch out for that in viral payloads too.


"Can be used to attack" because of source spoofing, or something else?

If squid can't do what I'm looking for today, I would welcome pointers to
>> other possible approaches.
>>
>
> Squid supports X-Forwarded-For fully - it was invented by Squid devs back
> in the day, and Squid is still the authoritative implementation for how it
> is supposed to work. As an old feature just about all other HTTP server and
> intermediary software have support for that too so you should have no issue
> pulling the data out at the receiving end, or in HTTP processing DPI
> software / firewalls etc. It is sent on all outgoing Squid messages unless
> you explicitly configure something else to happen with the forwarded_for
> directive.
>  
>

I'll ask the team managing the next-hop device to evaluate that
possibility; it looks to me from the docs like it might work. Thanks for
the suggestion.

David
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Norbert Naveen]

Hello 
  The Make output can be found at 
  https://drive.google.com/open?id=0B_dDVNpzSGEKcFlMSlBVZWs5c2c

Thanks 
Naveen

-Original Message-
From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
Sent: Tuesday, June 13, 2017 2:12 AM
To: norbert.nav...@tayana.in; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1
on CentOS Linux release 7.3.1611

On 06/12/2017 11:29 AM, Norbert Naveen wrote:

> I have attached Outputs of both Configure and Make And  libecap.pc 
> contents are as below

Your ./configure output and libecap.pc contents look good to me, but there
is no sign of the eCAP library (-lecap) being linked with Squid during
"make". If running "make clean; ./configure ...; make" does not fix this,
then please find a way to post a link to the _entire_ build log. Something
along these lines should be able to capture it:

  $ make -k clean; (./configure ...; make) > /tmp/build.log 2>&1

You may want to compress /tmp/build.log. Please post a link to some public
file sharing site here instead of the file itself. Even compressed, it may
be too big to email.

Also, what does the following command output?

  $ grep 'EXT_LIBECAP_.*=' src/adaptation/ecap/Makefile

(adjust the Makefile path if necessary if you are not building Squid its
source directory)


Cheers,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] source spoofing without tproxy?

[Amos Jeffries]

On 13/06/17 13:48, David Kewley wrote:
I want my clients to explicitly address squid as a proxy (not use 
tproxy), but have squid spoof the source addresses in the forwarded 
connection, so that further hops know the original source address from 
the IPv4 headers.


I could find no indication that anyone else has done this, and when I 
tried various things, I could not get it working.


Is this possible today? If not, is it worth considering as a future 
feature? Or am I overlooking a reason that this cannot work even in 
theory?


It is not possible.

No, it is a terrible idea.

It is prohibited by the OS kernel as part of the anti-malware 
protections, in this case to prevent the local machine being used to 
attack its surrounding network nodes. And by Squid to make it harder to 
use Squid as viral payload and damage the brand reputation.



Also, HTTP contains multiplexing and persistent connections. So there is 
no particular relation between one incoming/client connection and the 
outgoing/server connection(s) the traffic from that client goes out on. 
Added to that, a client request may generate multiple outgoing requests 
of various types, or Squid may itself generate traffic for its own needs 
without any client interaction.


So doing this just degrades the proxy performance. And not in a small 
way - intercepted traffic pinning everything as this would need comes 
out about 10% nominal (90% reduction), and at the extreme end proxies 
with NTLM going through to an origin see only 1% of nominal performance. 
Nominal for me being what I clocked a big clients network doing in 
real-world traffic a few years back: ~2 requests per second a few 
years back (Squid Project got approx 2x that in controlled lab tests).




I got the nearly-equivalent functionality working for reverse proxying 
using nginx, but so far I've found no way to do it with forward 
proxying. Nginx doesn't do https forward proxying (no handling of 
CONNECT).


So Nginx can be used to attack networks from inside. Good no know we now 
have to watch out for that in viral payloads too.




If squid can't do what I'm looking for today, I would welcome pointers 
to other possible approaches.


Squid supports X-Forwarded-For fully - it was invented by Squid devs 
back in the day, and Squid is still the authoritative implementation for 
how it is supposed to work. As an old feature just about all other HTTP 
server and intermediary software have support for that too so you should 
have no issue pulling the data out at the receiving end, or in HTTP 
processing DPI software / firewalls etc. It is sent on all outgoing 
Squid messages unless you explicitly configure something else to happen 
with the forwarded_for directive.

 


There is also newer HTTP "Forwarded" header which supercedes 
X-Forwarded-For and some very newly written servers might only support 
that. Squid lacks the built-in support for that directive so its no good 
on received traffic. But if you have to it can be sent to an upstream 
server fine with the request_header_add directive, like so:

  request_header_add Forwarded for=%>a


HTH
Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Content / Message JS Injection for HTTP Pages Only

[Amos Jeffries]

On 13/06/17 08:36, Eliezer Croitoru wrote:

Hey Naveen,

ECAP and ICAP been in use for such things very long ago.
This is one of the reasons for the movement in the network to encrypt
traffic and also to pin certificates in the applications.
You will need to choose to go either with ECAP or ICAP and from there the
direction is pretty simple.
I was thinking of publishing an example using an ICAP service which is based
on this example:
https://github.com/elico/icap/blob/master/example/redirect.go

But I am not sure if it would be a good idea to do so.
I believe that if you will be able to grasp the example you would be able to
mangle it a bit to act as "proxy" in a way and then to inject content into
the body of the response.
You will need some skills and experimentation with the GoLang language and
concepts to make it work.
It's not a beginner task so don't expect it to be accomplished in one week.

Let me know if you need some more guidance.

Eliezer


And don't forget that the content going through is often copyrighted by 
someone else. Being publicly accessible does not make it any less 
proprietary or restricted by its owners. Under copyright legislation 
altering other peoples content can be a form of theft.


Naveen: please get some legal advice about the above before going any 
further. This idea of injecting JS banners and notices into other 
peoples pages has a history lined with companies having major PR fallout 
or collapsing into bankruptcy in a few cases as a direct result of 
consumer and copyrigth content owners reaction to the injection.


Amos




http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Norbert Naveen
Sent: Monday, June 12, 2017 8:49 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Content / Message JS Injection for HTTP Pages Only

Hello Squid Admins
Squid 3.5 acts as HTTP Proxy only and does not allow any other kind of
Traffic
For Such a Setup where only HTTP traffic flows through Squid
I want to Insert a Banner / Java Script based Dynamic Page in the HTTP
response , to notify the users or alert the users based on their usage

Would like to know how to go about the same
Should I use ICAP or ECAP or any other suggestions ?
Has anybody set up anything similar to this ?
Any words of advice is welcome

Thanks
Naveen

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Content / Message JS Injection for HTTP Pages Only

[Norbert Naveen]

Hello Eliezer 
  Thanks for your response shall have a look at it and revert 
  Between ECAP & ICAP which one is optimal ? 
  Something I have for reference is  below 
  http://wiki.squid-cache.org/SquidFaq/ContentAdaptation#Summary
 Kindly suggest 

Thanks 
Naveen

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il] 
Sent: Tuesday, June 13, 2017 2:07 AM
To: norbert.nav...@tayana.in
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Content / Message JS Injection for HTTP Pages
Only

Hey Naveen,

ECAP and ICAP been in use for such things very long ago.
This is one of the reasons for the movement in the network to encrypt
traffic and also to pin certificates in the applications.
You will need to choose to go either with ECAP or ICAP and from there the
direction is pretty simple.
I was thinking of publishing an example using an ICAP service which is based
on this example:
https://github.com/elico/icap/blob/master/example/redirect.go

But I am not sure if it would be a good idea to do so.
I believe that if you will be able to grasp the example you would be able to
mangle it a bit to act as "proxy" in a way and then to inject content into
the body of the response.
You will need some skills and experimentation with the GoLang language and
concepts to make it work.
It's not a beginner task so don't expect it to be accomplished in one week.

Let me know if you need some more guidance.

Eliezer 


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Norbert Naveen
Sent: Monday, June 12, 2017 8:49 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Content / Message JS Injection for HTTP Pages Only

Hello Squid Admins
Squid 3.5 acts as HTTP Proxy only and does not allow any other kind of
Traffic For Such a Setup where only HTTP traffic flows through Squid I want
to Insert a Banner / Java Script based Dynamic Page in the HTTP response ,
to notify the users or alert the users based on their usage 

Would like to know how to go about the same Should I use ICAP or ECAP or any
other suggestions ? 
Has anybody set up anything similar to this ? 
Any words of advice is welcome 

Thanks
Naveen

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] client-->iptables-->squid-proxy->another-proxy

[Amos Jeffries]

On 13/06/17 08:33, JerylCook wrote:

I've been stuck on this for a few days :P...

  I 'thought' I had a fairly good understanding of squid + ssl_bump but not
so sure.

In a nutshell i am having an issue linking a second proxy server via
cache_peer.

we have 2 boxes.

*Configuration:*
1 box, has iptables configured to send all outbound traffic to 10.0.0.1:8999
which is the second box's squid server and port(8999)

2nd box, has squid running on 8999, we have another server running on 8998.
both proxy servers are using the same 'CA'.

https 10.0.0.1:8999 transparent ssl-bump generate-host-certificates=on.

cache_peer 10.0.0.1:8998 8998 0 ssl default no-query no-digest
sslflags=DONT_VERIFY_PEER

use-case:
wget https://facebook.com --ca-cert=/dat/sharedCa.cer  , on box 1 through
iptables..
1. squid on box 2 generates and signs a certificate with CN=facebook.com for
the client


That sounds a little suspicious to me. FB have a more complicated CN in 
their real certs. You omitted your ssl_bump rules, so the type of 
bumping and details available are unknown - but I suspect they may not 
be doing what you expect in that case.



2. client trusts the CA and cert.


Which if the three CA involved? they need to trust the one being used by 
the frontend Squid cert generator.
 Only frontend Squid needs to trust the backend peer CA. And likewise, 
only the backend peer needs to trust the origin CA.



3.we want squid to send this proxied https request to the second proxy
server on :8998. this proxy server is set to generate impersonation certs as
well using the same rootCAKey that squid uses...


This is where the current behaviour is lacking AFAIK. SSL-Bump assumes 
the client (frontend Squid) is either sending a CONNECT request to get 
the server details from, or that it is working with intercepted TLS 
rather than a TLS explicit proxy connection. So the backend behaviour is 
still very much just receive a request for https:// URL and do the serve 
TLS thing - no mimicing on its client connection (AFAIK).



however, we keep getting
"Failed to establish a secure connection, SQUID_ERR_SSL_HANDSHAKE",
Handshake with SSL Server failed: error:140770FC:SSL routines
SSL23_GET_SERVER_HELLO: unknown protocol"

Does squid 3.5.20 support PROXY Protocol in cache_peer if you need to link a
second proxy? or is my configuration messed up.


Squid only supports receiving PROXY Protocol on the http_port directive. 
Not yet sending to a cache_peer. Though I don't see any relevance to 
PROXY Protocol in anything you have described about your configuration.


If the peer is sending an error back to Squid when it gets TLS instead 
of PROXY intro octets that would explain the SSL errors. It also would 
if the peer was sending back HTTP messages instead of TLS (HTTPS), which 
is a more common problem when the peer is an older Squid.



SSL-Bump is supported to cache_peer when the peer connection is a 
TLS/SSL connection. Though be aware that the "server" frontend Squid 
mimics would then be the backend peer's certificate, not the origin server.


Also, avoid DONT_VERIFY_PEER, it is really doing more harm than anything 
useful. Since this is a peer you know about you should also know its CA 
in advance. So use "sslflags=NO_DEFAULT_CA sslcafile=..." and Squid can 
do all the security checks just fine regardless of whether its a custom 
CA or not.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] source spoofing without tproxy?

[David Kewley]

I want my clients to explicitly address squid as a proxy (not use tproxy),
but have squid spoof the source addresses in the forwarded connection, so
that further hops know the original source address from the IPv4 headers.

I could find no indication that anyone else has done this, and when I tried
various things, I could not get it working.

Is this possible today? If not, is it worth considering as a future
feature? Or am I overlooking a reason that this cannot work even in theory?

I got the nearly-equivalent functionality working for reverse proxying
using nginx, but so far I've found no way to do it with forward proxying.
Nginx doesn't do https forward proxying (no handling of CONNECT).

If squid can't do what I'm looking for today, I would welcome pointers to
other possible approaches.

Thanks,
David
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] client-->iptables-->squid-proxy->another-proxy

[JerylCook]

I've been stuck on this for a few days :P...

 I 'thought' I had a fairly good understanding of squid + ssl_bump but not
so sure.

In a nutshell i am having an issue linking a second proxy server via
cache_peer.

we have 2 boxes.

*Configuration:*
1 box, has iptables configured to send all outbound traffic to 10.0.0.1:8999
which is the second box's squid server and port(8999)

2nd box, has squid running on 8999, we have another server running on 8998. 
both proxy servers are using the same 'CA'.

https 10.0.0.1:8999 transparent ssl-bump generate-host-certificates=on.

cache_peer 10.0.0.1:8998 8998 0 ssl default no-query no-digest
sslflags=DONT_VERIFY_PEER

use-case:
wget https://facebook.com --ca-cert=/dat/sharedCa.cer  , on box 1 through
iptables..
1. squid on box 2 generates and signs a certificate with CN=facebook.com for
the client
2. client trusts the CA and cert.
3.we want squid to send this proxied https request to the second proxy
server on :8998. this proxy server is set to generate impersonation certs as
well using the same rootCAKey that squid uses...

however, we keep getting 
"Failed to establish a secure connection, SQUID_ERR_SSL_HANDSHAKE",
Handshake with SSL Server failed: error:140770FC:SSL routines
SSL23_GET_SERVER_HELLO: unknown protocol" 

Does squid 3.5.20 support PROXY Protocol in cache_peer if you need to link a
second proxy? or is my configuration messed up.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/client-iptables-squid-proxy-another-proxy-tp4682759.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Alex Rousskov]

On 06/12/2017 11:29 AM, Norbert Naveen wrote:

> I have attached Outputs of both Configure and Make
> And  libecap.pc contents are as below 

Your ./configure output and libecap.pc contents look good to me, but
there is no sign of the eCAP library (-lecap) being linked with Squid
during "make". If running "make clean; ./configure ...; make" does not
fix this, then please find a way to post a link to the _entire_ build
log. Something along these lines should be able to capture it:

  $ make -k clean; (./configure ...; make) > /tmp/build.log 2>&1

You may want to compress /tmp/build.log. Please post a link to some
public file sharing site here instead of the file itself. Even
compressed, it may be too big to email.

Also, what does the following command output?

  $ grep 'EXT_LIBECAP_.*=' src/adaptation/ecap/Makefile

(adjust the Makefile path if necessary if you are not building Squid its
source directory)


Cheers,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Content / Message JS Injection for HTTP Pages Only

[Eliezer Croitoru]

Hey Naveen,

ECAP and ICAP been in use for such things very long ago.
This is one of the reasons for the movement in the network to encrypt
traffic and also to pin certificates in the applications.
You will need to choose to go either with ECAP or ICAP and from there the
direction is pretty simple.
I was thinking of publishing an example using an ICAP service which is based
on this example:
https://github.com/elico/icap/blob/master/example/redirect.go

But I am not sure if it would be a good idea to do so.
I believe that if you will be able to grasp the example you would be able to
mangle it a bit to act as "proxy" in a way and then to inject content into
the body of the response.
You will need some skills and experimentation with the GoLang language and
concepts to make it work.
It's not a beginner task so don't expect it to be accomplished in one week.

Let me know if you need some more guidance.

Eliezer 


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Norbert Naveen
Sent: Monday, June 12, 2017 8:49 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Content / Message JS Injection for HTTP Pages Only

Hello Squid Admins 
Squid 3.5 acts as HTTP Proxy only and does not allow any other kind of
Traffic 
For Such a Setup where only HTTP traffic flows through Squid 
I want to Insert a Banner / Java Script based Dynamic Page in the HTTP
response , to notify the users or alert the users based on their usage 

Would like to know how to go about the same 
Should I use ICAP or ECAP or any other suggestions ? 
Has anybody set up anything similar to this ? 
Any words of advice is welcome 

Thanks 
Naveen

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Office 365 Support for Squid Proxy

[Eliezer Croitoru]

The main question is if it uses websockets or not and if you are using SSL-BUMP 
or not.
If you are using SSL-BUMP it's one thing while if you are not it’s another 
story.
Also it will be different if you are using the proxy in INTERCEPT mode or a 
regular forward proxy mode.
We would be able to answer you more with more details on your setup.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Blason R
Sent: Monday, June 12, 2017 12:05 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Office 365 Support for Squid Proxy

Hello All,

If someone can confirm if squid can very well work with Office 365? If anyone 
has any documentation can someone please forward that to me? I do have almost 
around 400 Office 365 users hence wanted to know what configuration I might 
need for Office 365 traffic?

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Office 365 Support for Squid Proxy

[Leonardo Rodrigues]

i have a lot of customers who access Office 365 through squid 
proxies and have no problem at all. Office 365 is just another website, 
there's absolutely no need for special configurations for it to simply work.



Em 12/06/17 06:05, Blason R escreveu:

Hello All,

If someone can confirm if squid can very well work with Office 365? If 
anyone has any documentation can someone please forward that to me? I 
do have almost around 400 Office 365 users hence wanted to know what 
configuration I might need for Office 365 traffic?




--


Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Content / Message JS Injection for HTTP Pages Only

[Norbert Naveen]

Hello Squid Admins 

Squid 3.5 acts as HTTP Proxy only and does not allow any other kind of
Traffic 

For Such a Setup where only HTTP traffic flows through Squid 

I want to Insert a Banner / Java Script based Dynamic Page in the HTTP
response , to notify the users or alert the users based on their usage 

 

Would like to know how to go about the same 

Should I use ICAP or ECAP or any other suggestions ? 

Has anybody set up anything similar to this ? 

Any words of advice is welcome 

 

Thanks 

Naveen

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Norbert Naveen]

Hello Alex, 
  Output of configure as below 

squid-3.5.26]# ./configure '--enable-ecap'
'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '0' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
configure: CPU arch native optimization enabled: auto
checking whether compiler accepts -march=native... yes
checking simplified host os... linux (version )
checking what kind of compiler we're using... gcc
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... yes
checking for ranlib... ranlib
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for egrep... /usr/bin/egrep
checking for sh... /usr/bin/sh
checking for false... /usr/bin/false
checking for true... /usr/bin/true
checking for mv... /usr/bin/mv
checking for mkdir... /usr/bin/mkdir
checking for ln... /usr/bin/ln
checking for chmod... /usr/bin/chmod
checking for tr... /usr/bin/tr
checking for rm... /usr/bin/rm
checking for cppunit-config... false
checking for perl... /usr/bin/perl
checking for pod2man... /usr/bin/pod2man
checking for ar... /usr/bin/ar
checking for linuxdoc... /usr/bin/false
configure: strict error checking enabled: yes
checking whether to use loadable modules... yes
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/fgrep
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to
x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain
format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... (cached) ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared
libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... yes
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking how to run the C++ preprocessor... g++ -E
checking for ld used b

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Norbert Naveen]

Hello Alex
  Sorry and Thanks for the response , I have attached Outputs of both
Configure and Make
  And  libecap.pc contents are as below 

# cat /usr/local/lib/pkgconfig/libecap.pc
prefix=/usr/local
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: eCAP
Description: Allows a network application to outsource content analysis and
adaptation to a loadable module.
URL: http://www.e-cap.org/
Version: 1.0.1
Libs: -L${libdir} -lecap
Cflags: -I${includedir}


&&& From make the first instance would be 

libtool: link: rm -f .libs/squid.nm .libs/squid.nmS .libs/squid.nmT
libtool: link: rm -f ".libs/squid.nmI"
libtool: link: (cd .libs && gcc -Wall -g -O2 -c -fno-builtin "squidS.c")
libtool: link: rm -f ".libs/squidS.c" ".libs/squid.nm" ".libs/squid.nmS"
".libs/squid.nmT" ".libs/squid.nmI"

libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow
-Woverloaded-virtual -Werror -pipe -D_REENTRANT -g -O2 -march=native
-std=c++11 .libs/squidS.o -g -o squid AclRegs.o AuthReg.o AccessLogEntry.o
AsyncEngine.o YesNoNone.o cache_cf.o CacheDigest.o cache_manager.o carp.o
cbdata.o ChunkedCodingParser.o client_db.o client_side.o client_side_reply.o
client_side_request.o BodyPipe.o clientStream.o CollapsedForwarding.o
CompletionDispatcher.o ConfigOption.o ConfigParser.o CpuAffinity.o
CpuAffinityMap.o CpuAffinitySet.o debug.o disk.o DiskIO/DiskIOModule.o
DiskIO/ReadRequest.o DiskIO/WriteRequest.o dlink.o dns_internal.o
DnsLookupDetails.o errorpage.o ETag.o event.o EventLoop.o external_acl.o
ExternalACLEntry.o FadingCounter.o fatal.o fd.o fde.o filemap.o fqdncache.o
FwdState.o gopher.o helper.o htcp.o http.o HttpHdrCc.o HttpHdrRange.o
HttpHdrSc.o HttpHdrScTarget.o HttpHdrContRange.o HttpHeader.o
HttpHeaderTools.o HttpBody.o HttpMsg.o HttpParser.o HttpReply.o
RequestFlags.o HttpRequest.o HttpRequestMethod.o icp_v2.o icp_v3.o int.o
internal.o ipc.o ipcache.o SquidList.o main.o MasterXaction.o mem.o
mem_node.o MemBuf.o MemObject.o mime.o mime_header.o multicast.o neighbors.o
Notes.o Packer.o Parsing.o pconn.o peer_digest.o peer_proxy_negotiate_auth.o
peer_select.o peer_sourcehash.o peer_userhash.o PeerPoolMgr.o redirect.o
refresh.o RemovalPolicy.o send-announce.o MemBlob.o SBuf.o SBufExceptions.o
SBufDetailedStats.o SBufStatsAction.o snmp_core.o snmp_agent.o SquidMath.o
SquidNew.o stat.o StatCounters.o StatHist.o String.o StrList.o stmem.o
store.o StoreFileSystem.o store_io.o StoreIOState.o store_client.o
store_digest.o store_dir.o store_key_md5.o store_log.o store_rebuild.o
store_swapin.o store_swapmeta.o store_swapout.o StoreMetaUnpacker.o
StoreMeta.o StoreMetaMD5.o StoreMetaSTD.o StoreMetaSTDLFS.o StoreMetaURL.o
StoreMetaVary.o StoreStats.o StoreSwapLogData.o SwapDir.o Transients.o
MemStore.o time.o tools.o tunnel.o unlinkd.o url.o urn.o wccp.o wccp2.o
whois.o wordlist.o LoadableModule.o LoadableModules.o
DiskIO/DiskIOModules_gen.o err_type.o err_detail_type.o globals.o
hier_code.o icp_opcode.o LogTags.o lookup_t.o repl_modules.o swap_log_op.o
DiskIO/AIO/AIODiskIOModule.o DiskIO/Blocking/BlockingDiskIOModule.o
DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o
DiskIO/DiskThreads/DiskThreadsDiskIOModule.o
DiskIO/IpcIo/IpcIoDiskIOModule.o DiskIO/Mmapped/MmappedDiskIOModule.o
-Wl,--export-dynamic  /root/install/squid-3.5.26/libltdl/./.libs/dlopen.a
auth/.libs/libacls.a ident/.libs/libident.a acl/.libs/libacls.a
acl/.libs/libstate.a auth/.libs/libauth.a libAIO.a libBlocking.a
libDiskDaemon.a libDiskThreads.a libIpcIo.a libMmapped.a acl/.libs/libapi.a
base/.libs/libbase.a ./.libs/libsquid.a ip/.libs/libip.a fs/.libs/libfs.a
ipc/.libs/libipc.a mgr/.libs/libmgr.a anyp/.libs/libanyp.a
comm/.libs/libcomm.a eui/.libs/libeui.a helper/.libs/libhelper.a
http/.libs/libsquid-http.a icmp/.libs/libicmp.a icmp/.libs/libicmp-core.a
log/.libs/liblog.a format/.libs/libformat.a clients/.libs/libclients.a
servers/.libs/libservers.a ftp/.libs/libftp.a repl/liblru.a -lpthread
-lcrypt adaptation/.libs/libadaptation.a snmp/.libs/libsnmp.a
../lib/snmplib/.libs/libsnmplib.a parser/.libs/libsquid-parser.a
../lib/.libs/libmisccontainers.a ../lib/.libs/libmiscencoding.a
../lib/.libs/libmiscutil.a -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
../compat/.libs/libcompat-squid.a -lm -lnsl -lresolv -lrt -L..
../libltdl/.libs/libltdlc.a -ldl
adaptation/.libs/libadaptation.a(libsquid_ecap_la-Host.o): In function
`Adaptation::Ecap::Host::Host()':
/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:41: undefined
reference to `libecap::headerTransferEncoding'
/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:41: undefined
reference to `libecap::Name::assignHostId(int) const'
/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:42: undefined
reference to `libecap::headerReferer'
/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:42: undefined
reference to `libecap::Name::assignHostId(int) const'
/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:43: undefined
reference to `libecap::headerContentLength'
/root/insta

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Alex Rousskov]

On 06/12/2017 10:36 AM, Norbert Naveen wrote:
> I have CentOS Linux release 7.3.1611 64 bit

> cd libecap-1.0.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> gmake
> gmake install-strip


> cd squid-3.5.26
> ./configure '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
> make

> Towards the end receive the error as below . Attaching the complete
> /root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:41: undefined
> reference to `libecap::headerTransferEncoding'

It looks like Squid found eCAP header files but did not find libecap.
Posting ./configure output and the failed linker command (should be
right above the first "undefined reference" error) may help triage this
further. Linking to a complete build log (starting with ./configure) may
reduce the number of follow up questions.

Also, what does /usr/local/lib/pkgconfig/libecap.pc contain?

HTH,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

[Norbert Naveen]

Hello 

 

I have CentOS Linux release 7.3.1611 64 bit 

 On the same I tried to Install the below 

 

cd libecap-1.0.1

./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'

gmake

gmake install-strip

 

cd squid-3.5.26

./configure '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'

make 

 

Towards the end receive the error as below . Attaching the complete 

 

 

adaptation/.libs/libadaptation.a(libsquid_ecap_la-Host.o): In function
`Adaptation::Ecap::Host::Host()':

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:41: undefined
reference to `libecap::headerTransferEncoding'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:41: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:42: undefined
reference to `libecap::headerReferer'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:42: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:43: undefined
reference to `libecap::headerContentLength'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:43: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:44: undefined
reference to `libecap::headerVia'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:44: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:48: undefined
reference to `libecap::protocolHttp'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:48: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:49: undefined
reference to `libecap::protocolHttps'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:49: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:50: undefined
reference to `libecap::protocolFtp'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:50: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:51: undefined
reference to `libecap::protocolGopher'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:51: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:52: undefined
reference to `libecap::protocolWais'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:52: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:53: undefined
reference to `libecap::protocolUrn'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:53: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:54: undefined
reference to `libecap::protocolWhois'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:54: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:55: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:56: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:58: undefined
reference to `libecap::Name::assignHostId(int) const'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:60: undefined
reference to `libecap::Name::assignHostId(int) const'

adaptation/.libs/libadaptation.a(libsquid_ecap_la-Host.o):/root/install/squi
d-3.5.26/src/adaptation/ecap/Host.cc:61: more undefined references to
`libecap::Name::assignHostId(int) const' follow

adaptation/.libs/libadaptation.a(libsquid_ecap_la-Host.o): In function
`Adaptation::Ecap::Host::Register()':

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:178: undefined
reference to `libecap::VersionString()'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:180: undefined
reference to
`libecap::RegisterHost(std::tr1::shared_ptr const&)'

adaptation/.libs/libadaptation.a(libsquid_ecap_la-Host.o): In function
`_GLOBAL__sub_I_Host.cc':

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:22: undefined
reference to `libecap::Name::NextId()'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:22: undefined
reference to `libecap::Name::Name(std::string const&, int)'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:23: undefined
reference to `libecap::Name::NextId()'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:23: undefined
reference to `libecap::Name::Name(std::string const&, int)'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:24: undefined
reference to `libecap::Name::NextId()'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:24: undefined
reference to `libecap::Name::Name(std::string const&, int)'

/root/install/squid-3.5.26/src/adaptation/ecap/Host.cc:26: undefined
reference 

[squid-users] Office 365 Support for Squid Proxy

[Blason R]

Hello All,

If someone can confirm if squid can very well work with Office 365? If
anyone has any documentation can someone please forward that to me? I do
have almost around 400 Office 365 users hence wanted to know what
configuration I might need for Office 365 traffic?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users