Re: [squid-users] Squid box for two networks

2017-07-20 Thread joseph
Well, this has worked for almost 10 years.

And you can do 2 marks if you want to; just make sure you use the same marking
new-routing-mark=http
on each range.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-box-for-two-networks-tp4683119p4683197.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid box for two networks

2017-07-20 Thread Eliezer Croitoru
First, take joseph's advice.
This is the right way of doing things.
And since I have a couple of MikroTik devices sitting here, I took one to create the 
same scenario that you have; the full configuration can be seen at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MikroTik-Route-To-Intercept-Squid

And on my site at:
http://ngtech.co.il/paste/1786/raw/

Technically, since the px is on the same segment as the MikroTik, it's better to 
accept traffic (in both the mangle and the filter tables) by the MAC address of 
the px rather than the IP, but for your case the IP should work fine in 
combination with the interface on which the traffic from the px flows in.
When it all works for you as expected I will add this scenario with your 
network diagram as an example to the wiki (if it's fine with you that the 
project uses the diagram).

Thanks,
Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



Re: [squid-users] Squid box for two networks

2017-07-20 Thread Pablo Ruben Maldonado
Joseph, these lines already exist in my setup. Thanks.

Remember that my Squid box works for my primary LAN (192.168.110.0/24)
but doesn't work for the second LAN (192.168.115.0/24).



Re: [squid-users] Squid as gateway

2017-07-20 Thread joseph
>> ROUTERWIFI( WANstatic ip 192.168.1.40/24 gw 192.168.1.20) LAN
192.168.0.1/24) 
Is it a MikroTik or something else? Please specify.





Re: [squid-users] Squid box for two networks

2017-07-20 Thread joseph
You might need this configuration:

/ip firewall address-list
add address=192.168.110.0/24 comment="one route port 80" list=http-route
add address=192.168.115.0/24 comment="two route port 80" list=http-route

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Clients HTTP route to cache" dst-port=80 \
new-routing-mark=http passthrough=yes protocol=tcp \
src-address-list=http-route

/ip route
add comment="Cache route" distance=1 gateway=192.168.1.1 routing-mark=http  

Using squid as gateway.
PS: 192.168.10.1 is the squid box, so put yours.






Re: [squid-users] Squid as gateway

2017-07-20 Thread erdosain9
Hi, and thank you all.

Well this is the diagram.



INTERNET
+
+
FIREWALL (10.1.158.1/24)
+
+
+
SQUID (2 interfaces) 10.1.158.2/24
192.168.1.20/24
+
+
+
ROUTERWIFI( WANstatic ip 192.168.1.40/24 gw 192.168.1.20) LAN
192.168.0.1/24)

squid config:

acl red1 src 192.168.1.0/24

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 2
acl SSL_ports port 1
acl SSL_ports port 2083

acl Safe_ports port 631 # http CUPS
acl Safe_ports port 85
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # https alt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access allow red1

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB

cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

dns_nameservers 8.8.8.8 8.8.4.4
visible_hostname squid.xx.lan

---

I tried this, nothing works..
-

iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP



iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

---

A hand??
Thanks





Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-20 Thread Cherukuri, Naresh
Thank you Yuri! Appreciate your help.

From: Yuri [mailto:yvoi...@gmail.com]
Sent: Wednesday, July 19, 2017 5:15 PM
To: Cherukuri, Naresh; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas




On 20.07.2017 3:09, Cherukuri, Naresh wrote:
Yuri,

I am new to squid; I learned it through searching Google. My question is: I 
generated self-signed SSL certificates and installed the certificates in IE on all 
clients. I didn't install the proxy public key. Can you tell me where I have to 
put the proxy public key on clients? Appreciate your help!
Ah. Based on my experience,

you need to take the *public* proxy key (not the private one; you use the keypair to set up 
the ssl-bump configuration; do not mix them up) and install it in at least two 
places on the client's PC:

1. Into the system trusted CA store (used by IE/Chrome/some IM etc.)
2. Into Firefox's own store (if applicable).
3. Sometimes it is also required to install the proxy's CA public key into old JREs 
existing on clients. But AFAIK modern JREs use the system CA store and this step is 
no longer required.

Actually, this should be enough.


Thanks,
Naresh

From: Yuri [mailto:yvoi...@gmail.com]
Sent: Wednesday, July 19, 2017 5:06 PM
To: Cherukuri, Naresh; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


Regarding the OpenSSL public CA bundle: in theory it should be installed together 
with OpenSSL.

On 20.07.2017 2:49, Cherukuri, Naresh wrote:
Thanks Yuri for the quick turnaround!

We only installed the root certificate on all clients. We didn't install the proxy CA's 
public key on clients. So your suggested fix is that we need to install both the 
certificate and the proxy CA's public key on clients.

Thanks,
Naresh

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri
Sent: Wednesday, July 19, 2017 2:25 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas


One out of two. Either Squid does not see the OpenSSL/system root CA 
bundle, or the proxy CA's public key is not installed in the clients. That's all.

On 19.07.2017 23:30, Walter H. wrote:
Hello,

this does not seem to be the problem, as the error messages are in cache.log, which 
is not a browser problem ...

the question: are the SSL bumped sites in the intranet, using a self-signed CA 
cert themselves, which squid doesn't know?

On 19.07.2017 17:36, Yuri wrote:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png

On 19.07.2017 21:34, Cherukuri, Naresh wrote:

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA 
certificates. My users are complaining about certificate errors. When I looked 
at cache.log I see many error messages like the ones below. Below is my squid.conf 
file. Any ideas how to address the errors below?






Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)









Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-20 Thread Cherukuri, Naresh
Thank you Amos! Appreciate your help.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Wednesday, July 19, 2017 8:55 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20 Any Ideas

On 20/07/17 09:10, Yuri wrote:
> Aha,
> 
> 
> On 20.07.2017 3:04, Cherukuri, Naresh wrote:
>>
>> Yuri,
>>
>> I am sorry, I didn't get you. I already installed the certificate on all 
>> clients (trusted root certificate authorities). You want me to install the 
>> proxy public key also on clients; if so, where should I put the proxy 
>> public key? Below is my squid.conf file.
>>
>> Squid.conf
>>
>> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \ proxy ca 
>> public key??
>>
> This is proxy private key AFAIK.

Correct. It should be the proxy private key. If the public key is put in there 
and startup actually succeeds I'm not sure what broken runtime errors will 
occur - nothing good anyhow.

Also, note that cert= parameter should be configured *before* the key= 
parameter so Squid loads them from the right place. The very latest releases 
(v4+) will fail to start if the ordering is wrong, so best to prepare for that 
now.


I suspect that part of the problem here is what is being configured in that 
cert= parameter. For SSL-Bump ports in current Squid it needs to contain the 
self-signed *CA* certificate that Squid is using to generate other certs from, 
the key= being the private key of that CA cert.

If you generate a regular proxy cert and load it there (like normal proxy cert= 
would use) the bumping process will get all broken.


The ConfigExample page Yuri linked to earlier had the exact and full 
process to follow for setting up the multiple different certs, keys and 
file types involved with SSL-Bump.


>>
>> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \(installed 
>> certificate on IE all clients as a trusted root certificate authorities)
>>
> Yes, if it installed into clients - this is ok.
> 
> So. The only reason I can see - proxy can't see OpenSSL CA's bundle.
> 
> To make it work you should add to your squid's config one of this:
> 
> #  TAG: sslproxy_cafile
> #file containing CA certificates to use when verifying server
> #certificates while proxying https:// URLs
> #Default:
> # none
> 
> #  TAG: sslproxy_capath
> #directory containing CA certificates to use when verifying
> #server certificates while proxying https:// URLs
> #Default:
> # none

Er, those are for Squid->server connections. You were correct about the 
errors referring to client->Squid connections, so these are irrelevant.

If anything, the cafile= parameter of the ssl-bump port might be 
needed. Then it should point at the same CAs found in the cert= 
parameter (a bit weird, but that is due to bugs in the SSL-Bump config design).

FTR: those particular errors occur when Squid accepts a connection from 
a client, begins the TLS handshake and the client suddenly disconnects 
before the handshake is complete.
The "certificate unknown" seems to be saying that either 1) the client 
sent a client-cert to Squid and OpenSSL did not accept it, or 2) that 
the client did not accept the auto-generated cert Squid sent.

If (1) is happening it's because the browser was not correctly 
configured with the self-signed CA public cert.

If (2) is happening, then probably the cert=, key=, cafile= parameters 
on the ssl-bump port are not configured right, OR browser was not 
correctly configured with the self-signed CA public cert.

Or, maybe bugs in that particular Squid release SSL-Bump code. We are 
constantly fixing them and 3.5.20 is now a whole year behind with 
SSL-Bump fixes - many of them rather major behaviour fixes.


==> Best Practice to follow with SSL-Bump is that when having *any* 
problems with the SSL-Bump process try the latest Squid release first 
before spending time trying to figure it out.

Amos
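As an added example (not from the thread and not Squid's code), a parser for the cache.log lines Naresh quoted that unpacks the OpenSSL error code: the low 12 bits are the reason, and alert reasons are 1000 plus the TLS alert number, which recovers which alert ended the handshake. The log lines are constructed to match the excerpt above, plus one line with a different alert and one unrelated line.

```python
import re
from collections import Counter

# Constructed sample in the shape of the cache.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:42 kid1| Error negotiating SSL connection on FD 40: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2017/07/18 16:05:43 kid1| storeLateRelease: released 0 objects
"""

# TLS alert descriptions (RFC 5246 section 7.2), the subset that shows up when
# a certificate in the handshake is rejected.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error", 90: "user_canceled",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^(]+?)\s*\((?P<extra>[^)]*)\)$"
)


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.x packed error code: library (8 bits), function
    (12 bits), reason (12 bits). Reason codes 1000-1255 are the TLS alert
    number received from the peer plus SSL_AD_REASON_OFFSET (1000)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - 1000 if 1000 <= reason < 1256 else None
    name = TLS_ALERTS.get(alert, "alert_%d" % alert) if alert is not None else None
    return {"lib": lib, "func": func, "reason": reason, "alert": alert, "alert_name": name}


def parse_cache_log(text):
    """One dict per 'Error negotiating SSL connection' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("code"), 16)
        event = {"ts": m.group("ts"), "fd": int(m.group("fd")),
                 "code": code, "reason_text": m.group("reason").strip()}
        event.update(decode_openssl_error(code))
        events.append(event)
    return events


def alerts_by_name(events):
    """Count failed handshakes by alert. certificate_unknown / unknown_ca mean a
    certificate in the client<->Squid handshake was rejected; which side rejected
    it is the distinction Amos draws in cases (1) and (2)."""
    return Counter(e["alert_name"] or e["reason_text"] for e in events)


if __name__ == "__main__":
    for name, n in alerts_by_name(parse_cache_log(SAMPLE_LOG)).most_common():
        print("%-22s %d" % (name, n))
```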


Re: [squid-users] Squid box for two networks

2017-07-20 Thread Pablo Ruben Maldonado
Hi Eliezer, thanks for your reply.

I'm marking and routing traffic to port 80 from my lan's 192.168.110.0/24
(Work!) and 192.168.115.0/24 (Fail!). The mark line in Mangle is:

add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\
sde la red WIFI. Se marca la conexi\F3n para QoS y Policy Routing. Ser\E1 \
routeado hacia Proxy03" !connection-bytes !connection-limit \
connection-mark=no-mark !connection-nat-state !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80 \
!fragment !hotspot !icmp-options !in-bridge-port in-interface=eth4-wifi \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" new-connection-mark=conn_proxy !nth !out-bridge-port \
!out-interface !p2p !packet-mark !packet-size passthrough=yes \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table src-address=192.168.115.0/24 !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl

The packet mark and route lines:

add action=mark-packet chain=prerouting comment=\
"TCP 80: Se marca el paquete para Queue Tree (Up)" !connection-bytes \
!connection-limit connection-mark=conn_proxy !connection-nat-state \
!connection-rate !connection-state !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
!dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" new-packet-mark=up_tcp_80_pkt !nth !out-bridge-port \
!out-interface !p2p !packet-mark !packet-size passthrough=yes \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss time=\
0s-1d,sun,mon,tue,wed,thu,fri,sat !ttl
add action=mark-routing chain=prerouting comment=\
"TCP 80: Se ejecuta el Policy Routing hacia Proxy03" !connection-bytes \
!connection-limit !connection-mark !connection-nat-state !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address dst-address-list=!clientslist !dst-address-type !dst-limit \
!dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" new-routing-mark=route_toproxy03 !nth \
!out-bridge-port !out-interface !p2p packet-mark=up_tcp_80_pkt \
!packet-size passthrough=no !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl

Thanks

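As an added example (not from the thread and not MikroTik's code), a checker for the two things joseph's advice and Pablo's rules above hinge on: every client LAN must be matched by a prerouting mark-routing rule, and the routing mark that rule sets must have an /ip route entry. The exports are constructed from the rules quoted in the thread; only direct source selectors (src-address / src-address-list) are followed, not connection-mark or packet-mark chains.

```python
import ipaddress
import shlex

# Constructed export: first LAN routed via the address list, second LAN given
# its own rule whose mark nobody created a route for.
BROKEN_EXPORT = r"""
/ip firewall address-list
add address=192.168.110.0/24 comment="one route port 80" list=http-route

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Clients HTTP route to cache" dst-port=80 \
new-routing-mark=http passthrough=yes protocol=tcp \
src-address-list=http-route
add action=mark-routing chain=prerouting comment="second LAN" dst-port=80 \
new-routing-mark=route_toproxy03 passthrough=yes protocol=tcp \
src-address=192.168.115.0/24

/ip route
add comment="Cache route" distance=1 gateway=192.168.1.1 routing-mark=http
"""

# Constructed export done joseph's way: one mark for every range.
FIXED_EXPORT = r"""
/ip firewall address-list
add address=192.168.110.0/24 comment="one route port 80" list=http-route
add address=192.168.115.0/24 comment="two route port 80" list=http-route

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Clients HTTP route to cache" dst-port=80 \
new-routing-mark=http passthrough=yes protocol=tcp \
src-address-list=http-route

/ip route
add comment="Cache route" distance=1 gateway=192.168.1.1 routing-mark=http
"""


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])


def parse_export(text):
    """Map each '/section' to its 'add' rules; a rule is a dict of
    property -> value, with '!property' negations collected under 'negated'."""
    sections, current = {}, None
    for line in join_continuations(text):
        if not line.strip():
            continue
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)          # handles comment="..." quoting
        if current is None or not tokens or tokens[0] != "add":
            continue
        rule = {"negated": set()}
        for tok in tokens[1:]:
            if tok.startswith("!"):
                rule["negated"].add(tok[1:])
            elif "=" in tok:
                key, value = tok.split("=", 1)
                rule[key] = value
        sections[current].append(rule)
    return sections


def lan_matched(rule, net, address_lists):
    """True if the rule's source selector covers the whole LAN."""
    if "src-address" in rule:
        return net.subnet_of(ipaddress.ip_network(rule["src-address"]))
    entries = address_lists.get(rule.get("src-address-list"), [])
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in entries)


def check_pbr(export_text, lans):
    """For each LAN: 'ok', or which piece of the policy routing is missing."""
    sections = parse_export(export_text)
    address_lists = {}
    for r in sections.get("/ip firewall address-list", []):
        address_lists.setdefault(r["list"], []).append(r["address"])
    routed = {r["routing-mark"] for r in sections.get("/ip route", []) if "routing-mark" in r}
    findings = {}
    for lan in lans:
        net = ipaddress.ip_network(lan)
        marks = {r["new-routing-mark"] for r in sections.get("/ip firewall mangle", [])
                 if r.get("action") == "mark-routing" and r.get("chain") == "prerouting"
                 and "new-routing-mark" in r and lan_matched(r, net, address_lists)}
        if not marks:
            findings[lan] = "no prerouting mark-routing rule matches this LAN"
        elif marks - routed:
            findings[lan] = "routing-mark %s has no /ip route entry" % ", ".join(sorted(marks - routed))
        else:
            findings[lan] = "ok"
    return findings


if __name__ == "__main__":
    for lan, verdict in check_pbr(BROKEN_EXPORT, ["192.168.110.0/24", "192.168.115.0/24"]).items():
        print(lan, verdict)
```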

Re: [squid-users] Squid box for two networks

2017-07-20 Thread Eliezer Croitoru
Hey Pablo,

I work as tech support for MikroTik devices and the tcpdump dumps 
leave a couple of things unknown.
Can you share the MikroTik PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just 
plain source based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help 
you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add to the wiki an article/tutorial on how to set up squid with 
MikroTik since there are more than a dozen articles/tutorials that just do 
not do it the right way.

Eliezer

* You can send me the configuration privately if it is sensitive.


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il




Re: [squid-users] Squid box for two networks

2017-07-20 Thread Pablo Ruben Maldonado
The packets are routed using a mark and routing rules inside my
principal router (Mikrotik). Attached are images with examples of packets
arriving at the Squid box.



Re: [squid-users] Squid box for two networks

2017-07-20 Thread Antony Stone
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, I added information missing in the original post. Thanks for assistance:
> 
> The Squid box is set up for Intercept Mode. Iptables rules here:
> 
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
> 
> Thanks
> 
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
> 
> pablo.ruben.maldon...@gmail.com> wrote:
> > Hello, I have a squid box 3.5 working without problems for the LAN
> > 192.168.110.0/24 for several months. Now I want to set it up for another LAN,
> > 192.168.115.0/24, but I cannot. Tcpdump informs me that the packets come
> > to the squid box. But in Squid's log I do not see anything. Can you give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid box for two networks

2017-07-20 Thread Pablo Ruben Maldonado
Hi, I added information missing in the original post. Thanks for assistance:

The Squid box is set up for Intercept Mode. Iptables rules here:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

The config paste is at https://pastebin.com/Witg3cG1

Thanks

On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
pablo.ruben.maldon...@gmail.com> wrote:

> Hello, I have a squid box 3.5 working without problems for the LAN
> 192.168.110.0/24 for several months. Now I want to set it up for another LAN,
> 192.168.115.0/24, but I cannot. Tcpdump informs me that the packets come
> to the squid box. But in Squid's log I do not see anything. Can you give me
> some tip?
>


[Attachment: Network map.pdf (Adobe PDF document)]


Re: [squid-users] This list generates a forward loop ...

2017-07-20 Thread Amos Jeffries

On 20/07/17 21:43, Matus UHLAR - fantomas wrote:

On 20.07.17 17:16, Amos Jeffries wrote:
Your DKIM signature covers the Subject and To headers. Any normal 
mailing list will modify those,


I disagree - IMHO sane listservers don't modify those headers.



Sadly, sane != normal. I'm referring to the common popular list servers. 
We have used several of them over the years.



so your server cannot do that on list postings. Content-Type is also 
changed sometimes by our listserver due to the list policy on binary 
attachments, I don't know whether that is a common practice too but I 
suspect it might be. The others should be fine AFAIK.


This is a better example. However, a mailserver supporting DKIM should strip
the DKIM header if it's going to modify anything signed.
Another solution is to refuse the message (when the signer domain's DKIM policy is
signall).




 and the discussions it links to explain 
the issues around DKIM in a fair bit of detail, including why even 
removal does not work.


(/me reading that page is bringing on a greybeard moment. DKIM vs SPF was 
the hot topic when I switched from mail to proxy focused work. Heck, 10 
years of Squid).


Amos


Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread Amos Jeffries

On 20/07/17 19:24, Kurczewski, Bartłomiej (WP.PL) wrote:

Hi Amos,
As I wrote to Eliezer, his solution works.
Thank you for your help as well.



Eliezer's 'solution' was to outright delete the headers HTTP uses to 
protect your server against forwarding loops (Via), and to allow 
back-tracking of abusive transactions (X-Forwarded-For / Forwarded).


Both quite important things to leave working if you can. Which is why I 
suggested trying them one at a time and using the least amount of 
traffic manipulation that would actually fix the problem.


FWIW a lot of the server-side brokenness regarding those headers is a 
result of beginner web developers never having encountered such headers 
in their narrow periods of time looking at headers. The more experience 
that can be thrown in their direction through real traffic the more 
benefits we all get as proxy admins - through less broken site code.


Amos
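Amos's point above about what Via and X-Forwarded-For are for, as an added example that is not code from the thread or from Squid itself: a small model of one proxy hop that rewrites X-Forwarded-For under each forwarded_for mode Squid documents (on, off, transparent, delete, truncate) and appends itself to Via when Via is on, together with the loop check that only a populated Via header makes possible. The hop name proxy1.example.test, the version string and the request headers are constructed for the example; the mode semantics follow the forwarded_for documentation linked in the thread.

```python
from __future__ import annotations

import re

# Identity this hop writes into Via. A real proxy uses its hostname or a
# configured pseudonym; this name and version are assumptions for the example.
OWN_VIA_ID = "proxy1.example.test"
OWN_VERSION = "squid/3.5.20"

# The forwarded_for modes in Squid's documentation; 'delete' and
# 'transparent' are the two compared in the thread.
FORWARDED_FOR_MODES = ("on", "off", "transparent", "delete", "truncate")


def parse_via(value: str) -> list[str]:
    """Return the received-by token of each hop in a Via header value.

    A hop is 'protocol-version received-by [comment]', hops are comma
    separated, and the parenthesised comment usually names the software,
    e.g. '1.1 cache0.example.test (squid/3.5.20)'.
    """
    hops: list[str] = []
    for hop in value.split(","):
        hop = re.sub(r"\s*\([^)]*\)", "", hop).strip()  # drop the comment
        fields = hop.split()
        if len(fields) >= 2:
            hops.append(fields[1])
    return hops


def detect_forward_loop(headers: dict[str, str], own_id: str = OWN_VIA_ID) -> bool:
    """True when this proxy is already listed in Via: the request looped back.

    With 'via off' this hop never adds itself (see add_via), so the check can
    never fire; that is the protection Amos describes losing.
    """
    return own_id in parse_via(headers.get("Via", ""))


def add_via(headers: dict[str, str], own_id: str = OWN_VIA_ID) -> dict[str, str]:
    """Append this hop to Via, as a proxy with 'via on' does."""
    out = dict(headers)
    entry = f"1.1 {own_id} ({OWN_VERSION})"
    out["Via"] = f"{out['Via']}, {entry}" if out.get("Via") else entry
    return out


def apply_forwarded_for(headers: dict[str, str], client_ip: str, mode: str) -> dict[str, str]:
    """Rewrite X-Forwarded-For the way each forwarded_for mode does."""
    if mode not in FORWARDED_FOR_MODES:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    out = dict(headers)
    if mode == "transparent":           # leave whatever arrived untouched
        return out
    if mode == "delete":                # drop the header entirely
        out.pop("X-Forwarded-For", None)
        return out
    if mode == "truncate":              # forget the inherited chain, keep only our client
        out["X-Forwarded-For"] = client_ip
        return out
    added = client_ip if mode == "on" else "unknown"   # 'off' hides the address, not the hop
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {added}" if existing else added
    return out


def xff_chain(headers: dict[str, str]) -> list[str]:
    """Addresses recorded in X-Forwarded-For, original client first.

    This is the back-tracking information for abusive transactions that
    'forwarded_for delete' throws away.
    """
    value = headers.get("X-Forwarded-For", "")
    return [part.strip() for part in value.split(",") if part.strip()]


def forward(headers: dict[str, str], client_ip: str, via_on: bool,
            ff_mode: str) -> tuple[dict[str, str], bool]:
    """Handle one hop. Returns (headers to send upstream, looped).

    A looped request is returned unchanged so the caller can answer with an
    error instead of forwarding it yet again.
    """
    if detect_forward_loop(headers):
        return dict(headers), True
    out = apply_forwarded_for(headers, client_ip, ff_mode)
    if via_on:
        out = add_via(out)
    return out, False
```

Running forward() twice on the same request with via_on=True shows the loop being caught on the second pass; with via_on=False the same request is forwarded again without complaint, and with ff_mode="delete" the upstream server can no longer tell which client behind the proxy sent it.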


Re: [squid-users] This list generates a forward loop ...

2017-07-20 Thread Matus UHLAR - fantomas

On 20.07.17 17:16, Amos Jeffries wrote:
Your DKIM signature covers the Subject and To headers. Any normal 
mailing list will modify those,


I disagree - IMHO sane listservers don't modify those headers.

so your server cannot do that on list 
postings. Content-Type is also changed sometimes by our listserver 
due to the list policy on binary attachments, I dont know whether 
that is a common practice too but I suspect it might be. The others 
should be fine AFAIK.


This is a better example. However, a mailserver supporting DKIM should strip
the DKIM header if it's going to modify anything signed.
Another solution is to refuse the message (when the signer domain's DKIM policy is
signall).

The other member's mailserver does something unusually nasty - it 
simply loops the message back at the list instead of bouncing with a 
proper error to you. And since your address is still the envelope 
sender our server rejects with that loop error bouncing back at you.


which is exactly what I have guessed :-)
And this is why the headers of the original attached message were useful:

Received: from ScrolloutF1.linguitronics.com (203-74-122-103.HINET-IP.hinet.net
    [203.74.122.103])
    by lists.squid-cache.org (Postfix) with ESMTPS id 15AD7E1196
    for ; Thu, 20 Jul 2017 03:44:49 +0000 (UTC)
Received: by ScrolloutF1.linguitronics.com (Postfix, from userid 0)
    id 3xCfsX5v6DzHpF4; Thu, 20 Jul 2017 11:44:32 +0800 (CST)
Received: from 192.168.1.204 (192.168.1.204:143) by
    mailgateway.linguitronics.com with IMAP4; 20 Jul 2017 03:44:32 -0000

Received: from ScrolloutF1.linguitronics.com (unknown [192.168.1.205])
    by tw.linguitronics.com (Postfix) with ESMTP id 5A3E64023A
    for ; Thu, 20 Jul 2017 11:35:56 +0800 (CST)
Received: from localhost (localhost [127.0.0.1])
    by ScrolloutF1.linguitronics.com (Postfix) with ESMTP id 3xCfgc5PKRzHr9d
    for ; Thu, 20 Jul 2017 11:35:56 +0800 (CST)
Received: from ScrolloutF1.linguitronics.com ([127.0.0.1])
    by localhost (scrolloutf1.linguitronics.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id uAebWOExfOQd for ;
    Thu, 20 Jul 2017 11:35:55 +0800 (CST)
Received: from lists.squid-cache.org (lists.squid-cache.org [104.130.201.120])
    by ScrolloutF1.linguitronics.com (Postfix) with ESMTP id 3xCfgP4p5LzHr9b
    for ; Thu, 20 Jul 2017 11:35:39 +0800 (CST)

[yes I wish our sysadmin could stop that bouncing, but the tools seem 
to be limited].


removing ak...@linguitronics.com from recipients should fix the problem.
I'm sending Cc: there so the culprit knows what to fix on their side.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
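Matus's suggestion above (strip the DKIM-Signature header before relaying a message whose signed headers you are about to modify, or refuse the message when the signer's policy demands a valid signature), as an added example that is not code from the thread or from any list server: it parses the tag=value syntax of a DKIM-Signature value (RFC 6376), reads the h= list of covered header names, and decides whether a planned rewrite such as a list prefixing Subject, rewriting To, or changing Content-Type would break the signature. The sample signature value, its domain example.test and selector sel2017 are constructed; the signer_requires_signature flag stands in for the "signall" policy lookup the thread mentions, whose mechanism is not shown here. Nothing is verified cryptographically, and, as Amos notes in the same thread, stripping the signature is not a complete fix either.

```python
from __future__ import annotations

from typing import Iterable

# Constructed DKIM-Signature value: tag syntax per RFC 6376, but the domain,
# selector, body hash and signature bytes are made up for this example.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=sel2017;"
    " h=From:To:Subject:Date:Message-ID:Content-Type;"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)


def parse_dkim_tags(value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).

    Tags are ';' separated; the value keeps everything after the first '=',
    so the base64 padding in b= and bh= survives. Folding whitespace inside
    a value is dropped, as a verifier does before decoding.
    """
    tags: dict[str, str] = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def signed_headers(value: str) -> set[str]:
    """Header names covered by the signature (the h= tag), lower-cased."""
    h = parse_dkim_tags(value).get("h", "")
    return {name.lower() for name in h.split(":") if name}


def modification_breaks_signature(value: str, headers_to_modify: Iterable[str],
                                  body_changes: bool) -> bool:
    """True if the planned rewrite would invalidate this signature.

    Header edits matter only for names listed in h=: a list prefixing Subject
    breaks a signature that covers Subject, adding List-Id does not. Any body
    edit breaks bh= unless the signer limited the body hash with l=, which is
    what lets a list append a footer without breaking the signature.
    """
    tags = parse_dkim_tags(value)
    if body_changes and "l" not in tags:
        return True
    covered = signed_headers(value)
    return any(name.lower() in covered for name in headers_to_modify)


def list_server_action(value: str, headers_to_modify: Iterable[str],
                       body_changes: bool, signer_requires_signature: bool) -> str:
    """Decide what to do with the DKIM-Signature before relaying.

    'pass'   - nothing signed is touched, relay the signature as-is
    'strip'  - remove the signature that the rewrite is about to invalidate
    'reject' - the signer's policy demands a valid signature (the 'signall'
               case in the thread; looking that policy up is assumed done
               by the caller)
    """
    if not modification_breaks_signature(value, headers_to_modify, body_changes):
        return "pass"
    return "reject" if signer_requires_signature else "strip"
```

The check is deliberately on the h= list rather than on a fixed set of header names: a signer that leaves Subject out of h= tolerates a list prefix, while one that includes Content-Type will be broken by the attachment policy Amos mentions even if Subject and To are left alone.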


Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread WP.PL
Hi Eliezer,
According to your and Amos's suggestions I have changed squid.conf by
making "via on" and setting only "forwarded_for transparent".
And I can log in to the TechData website (which is not a bank, but an IT
technology distributor) without any problems.
Thank you for your advice and help.

Regards,
iziz1

On 2017-07-20 at 10:04, Eliezer Croitoru wrote:
> Hey iziz1,
> 
> Try to work with what Amos suggested.
> Try first to turn on Via, i.e.:
> via on
> 
> and see if it still works fine.
> If indeed it works fine then try to change
> forwarded_for delete
> into
> forwarded_for transparent
> 
> and see what works for you.
> It's better to leave Via on and not off.
> But from what I understand it seems that this site (is it a bank?) is broken 
> and their webmaster and security personnel should be aware of your findings 
> for their sake.
> It can cause their system to act in a very weird way.
> 
> All The Bests,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> 
> -Original Message-
> From: Kurczewski, Bartłomiej (WP.PL) [mailto:iz...@poczta.wp.pl] 
> Sent: Thursday, July 20, 2017 10:20
> To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with login to website by Squid web proxy 
> 3.5.20 on Centos 7
> 
> Hi Eliezer,
> First of all I would like to thank you for fast answer.
> And my second "thanks" is for your help.
> Your solution works, and the problem has been solved.
> 
> Regards,
> iziz1
> 
On 2017-07-19 at 20:08, Eliezer Croitoru wrote:
>> Hey iziz1,
>>
>> Can you try to add the following to squid.conf and see if it affects anything:
>> forwarded_for delete
>> via off
>>
>> http://www.squid-cache.org/Doc/config/via/
>> http://www.squid-cache.org/Doc/config/forwarded_for/
>>
>> And see if it changes anything?
>>
>> Let Me Know if something changes,
>> Eliezer
>>
>> 
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: elie...@ngtech.co.il
>>
>>
>>
>> -Original Message-
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
>> Behalf Of Kurczewski, Bartłomiej (WP.PL)
>> Sent: Tuesday, July 18, 2017 15:56
>> To: squid-users@lists.squid-cache.org
>> Subject: [squid-users] Problem with login to website by Squid web proxy 
>> 3.5.20 on Centos 7
>>
>> Hi,
>> I have a problem logging in to one website (http://intouch.techdata.com)
>> using Squid 3.5.20 on CentOS 7 with the default Squid configuration, which
>> is acting as a web proxy (non-transparent) on port 3128 in my network:
>>
>> --
>> #
>> # Recommended minimum configuration:
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8  # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
>> acl localnet src fc00::/7   # RFC 4193 local private network range
>> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80   # http
>> acl Safe_ports port 21   # ftp
>> acl Safe_ports port 443  # https
>> acl Safe_ports port 70   # gopher
>> acl Safe_ports port 210  # wais
>> acl Safe_ports port 1025-65535   # unregistered ports
>> acl Safe_ports port 280  # http-mgmt
>> acl Safe_ports port 488  # gss-http
>> acl Safe_ports port 591  # filemaker
>> acl Safe_ports port 777  # multiling http
>> acl CONNECT method CONNECT
>>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>> http_access allow localhost
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> #cache_dir ufs 

Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread Eliezer Croitoru
Hey iziz1,

Try to work with what Amos suggested.
Try first to turn on Via, i.e.:
via on

and see if it still works fine.
If indeed it works fine then try to change
forwarded_for delete
into
forwarded_for transparent

and see what works for you.
It's better to leave Via on and not off.
But from what I understand it seems that this site (is it a bank?) is broken and 
their webmaster and security personnel should be aware of your findings for 
their sake.
It can cause their system to act in a very weird way.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Kurczewski, Bartłomiej (WP.PL) [mailto:iz...@poczta.wp.pl] 
Sent: Thursday, July 20, 2017 10:20
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem with login to website by Squid web proxy 
3.5.20 on Centos 7

Hi Eliezer,
First of all I would like to thank you for fast answer.
And my second "thanks" is for your help.
Your solution works, and the problem has been solved.

Regards,
iziz1

On 2017-07-19 at 20:08, Eliezer Croitoru wrote:
> Hey iziz1,
> 
> Can you try to add the following to squid.conf and see if it affects anything:
> forwarded_for delete
> via off
> 
> http://www.squid-cache.org/Doc/config/via/
> http://www.squid-cache.org/Doc/config/forwarded_for/
> 
> And see if it changes anything?
> 
> Let Me Know if something changes,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Kurczewski, Bartłomiej (WP.PL)
> Sent: Tuesday, July 18, 2017 15:56
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Problem with login to website by Squid web proxy 
> 3.5.20 on Centos 7
> 
> Hi,
> I have a problem logging in to one website (http://intouch.techdata.com)
> using Squid 3.5.20 on CentOS 7 with the default Squid configuration, which
> is acting as a web proxy (non-transparent) on port 3128 in my network:
> 
> --
> #
> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443   # https
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210   # wais
> acl Safe_ports port 1025-65535# unregistered ports
> acl Safe_ports port 280   # http-mgmt
> acl Safe_ports port 488   # gss-http
> acl Safe_ports port 591   # filemaker
> acl Safe_ports port 777   # multiling http
> acl CONNECT method CONNECT
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:             1440    20%     10080
> refresh_pattern ^gopher:          1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
> refresh_pattern .                 0       20%     4320
> --
> 
> 
> In a FF browser with my Squid ser

Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread WP.PL
Hi Amos,
As I wrote to Eliezer, his solution works.
Thank you for your help as well.

Rgrds,
iziz1

On 2017-07-20 at 02:04, Amos Jeffries wrote:
> On 20/07/17 06:08, Eliezer Croitoru wrote:
>> Hey iziz1,
>>
>> Can you try to add the following to squid.conf and see if it affects anything:
>> forwarded_for delete
>> via off
>>
>> http://www.squid-cache.org/Doc/config/via/
>> http://www.squid-cache.org/Doc/config/forwarded_for/
>>
>> And see if it changes anything?
>>
> 
> Er, try those one at a time.
> 
> If the forwarded_for delete works, also try "forwarded_for transparent"
> and use just that if sufficient.
> 
> Amos


Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread WP.PL
Hi Eliezer,
First of all I would like to thank you for fast answer.
And my second "thanks" is for your help.
Your solution works, and the problem has been solved.

Regards,
iziz1

On 2017-07-19 at 20:08, Eliezer Croitoru wrote:
> Hey iziz1,
> 
> Can you try to add the following to squid.conf and see if it affects anything:
> forwarded_for delete
> via off
> 
> http://www.squid-cache.org/Doc/config/via/
> http://www.squid-cache.org/Doc/config/forwarded_for/
> 
> And see if it changes anything?
> 
> Let Me Know if something changes,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Kurczewski, Bartłomiej (WP.PL)
> Sent: Tuesday, July 18, 2017 15:56
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Problem with login to website by Squid web proxy 
> 3.5.20 on Centos 7
> 
> Hi,
> I have a problem logging in to one website (http://intouch.techdata.com)
> using Squid 3.5.20 on CentOS 7 with the default Squid configuration, which
> is acting as a web proxy (non-transparent) on port 3128 in my network:
> 
> --
> #
> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443   # https
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210   # wais
> acl Safe_ports port 1025-65535# unregistered ports
> acl Safe_ports port 280   # http-mgmt
> acl Safe_ports port 488   # gss-http
> acl Safe_ports port 591   # filemaker
> acl Safe_ports port 777   # multiling http
> acl CONNECT method CONNECT
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:             1440    20%     10080
> refresh_pattern ^gopher:          1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
> refresh_pattern .                 0       20%     4320
> --
> 
> 
> In a FF browser with my Squid server settings I put the correct password on
> the TechData website, but the webpage redirects me to the same web form and
> doesn't allow me to log in. The password is correct, because when I put a
> wrong password I get a JavaScript alert from this website that the password is
> incorrect.
> 
> When I disable using the Squid proxy in FF and use a normal PAT connection via
> my Juniper firewall everything works perfectly on the same machine and I
> can log in to the TechData website.
> In Squid's access.log I can see only this:
> 
> -
> 1500364995.497    140 10.48.22.33 TCP_MISS/302 735 GET
> http://intouch.techdata.com/intouch/Home.aspx? - HIER_DIRECT/192.230.78.204 text/html
> -
> 
> I suspect some problems with redirection on the TechData website, but I have spent
> hours on the Internet trying to find a solution, unfortunately without success