Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri
You're welcome ;)


08.09.2017 5:25, L A Walsh wrote:
> Yuri wrote:
>> Check all CA's chain. It is possible your root CA bundle is not
>> complete.
> ---
>    Likely problem...
>
> Fixed as per URL:
>
>> I use this URL:
>> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
>
> and working now...
>
> Thanks!
> Linda




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread L A Walsh

Yuri wrote:
> Check all CA's chain. It is possible your root CA bundle is not complete.
---
   Likely problem...

Fixed as per URL:

> I use this URL:
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

and working now...

Thanks!
Linda


Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Amos Jeffries

On 08/09/17 09:52, Yuri wrote:
> 08.09.2017 3:49, Yuri wrote:
>> 08.09.2017 3:46, L A Walsh wrote:
>>> Yuri wrote:
>>>> But in addition I'm using Squid 5.x with working cert's downloader ;)
>>>
>>> :^/  --- hmmm and I'm not even running 4.x... *ouch*...
> 3.5.26 (last known) works with relatively complete intermediates and
> with some manually added root CA's.
>>>
>>> Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
>>> or is it 4.x=beta and 5.x=devel?
> AFAIK there is no plan to backport it to 3.x; can't say about current
> 4.x. I migrated to development 5.x a while ago, due to required features.

Should be working in v4 (beta) now.

And yes, no plans for backport to v3.5 - it is a big code change.


Amos


Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri


08.09.2017 3:49, Yuri wrote:
>
> 08.09.2017 3:46, L A Walsh wrote:
>> Yuri wrote:
>>> Oops,
>>>
>>> missed the end of the message :)
>>>   
>> ---
>>    I did search first! ;^)
>>
>>
>>
>>> Check all CA's chain. It is possible your root CA bundle is not complete.
>>>   
>> ---
>>    Likely problem...
>>
>>
>>> I usually use root CA's from Mozilla (added to squid.conf as one file)
>>> and my own self-supported intermediate CA list (file).
>>>   
>> 
>> How often do they update?  I.e. should I set up a cron job to download
>> and concatenate the CA's?  Is there a preferred D/L URL?
> I added a once-per-month update to cron. A script (specific to my setups)
> updates and reconfigures squid.
> I use this URL:
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
>
>>
>>
>>
>>
>>> But in addition I'm using Squid 5.x with working cert's downloader ;)
>>>   
>> 
>> :^/  --- hmmm and I'm not even running 4.x... *ouch*...
3.5.26 (last known) works with relatively complete intermediates and
with some manually added root CA's.
>>
>> Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
>> or is it 4.x=beta and 5.x=devel?
AFAIK there is no plan to backport it to 3.x; can't say about current
4.x. I migrated to development 5.x a while ago, due to required features.
>>
>>
>> Tnx!
>> -l
>>
>>
>>
>






Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri


08.09.2017 3:46, L A Walsh wrote:
> Yuri wrote:
>> Oops,
>>
>> missed the end of the message :)
>>   
> ---
>    I did search first! ;^)
>
>
>
>> Check all CA's chain. It is possible your root CA bundle is not complete.
>>   
> ---
>    Likely problem...
>
>
>> I usually use root CA's from Mozilla (added to squid.conf as one file)
>> and my own self-supported intermediate CA list (file).
>>   
> 
> How often do they update?  I.e. should I set up a cron job to download
> and concatenate the CA's?  Is there a preferred D/L URL?
I added a once-per-month update to cron. A script (specific to my setups)
updates and reconfigures squid.
I use this URL:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

>
>
>
>
>
>> But in addition I'm using Squid 5.x with working cert's downloader ;)
>>   
> 
> :^/  --- hmmm and I'm not even running 4.x... *ouch*...
>
> Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
> or is it 4.x=beta and 5.x=devel?
>
>
> Tnx!
> -l
>
>
>






Re: [squid-users] Looking for assistance with setting up a TLS proxy

2017-09-07 Thread Amos Jeffries

On 08/09/17 07:28, Rohit Sodhia wrote:
> Greetings,
>
> I'm a backend dev who's been suddenly assigned a task to create a squid
> proxy to intercept cURL/wget requests. We've got old servers that don't
> support TLS 1.2 and some of the services we use will be requiring it
> soon, so the decision was made to route cURL and wget requests through a
> pair of squid servers. Unfortunately, I'm not a sysop (or even really
> knowledgeable in this area) and am having some trouble, hoping someone
> wouldn't mind helping me out.
>
> I've been through the squid documentation and been playing around with
> the examples on the squid site, including finding one for creating an
> interception proxy. However, if I'm correct, for squid to be able to
> upgrade the TLS requests from their current 1.0 to 1.2, squid would need
> to decrypt the incoming request, then reencrypt it?

Yes. The TLS messaging needs replacing to negotiate TLS/1.0 variants of
things, and often the server cert itself needs replacing entirely due to
TLS/1.1+ extension bits inside it.

> I'm hoping someone
> out there may be willing to help point me in the right direction; I've
> been given a tight deadline, and both learning about the technologies
> and finding an effective solution are straining.
>
> Thank you,

The feature details for Squid TLS interception capabilities is 



The more you know about TLS messaging the easier it is to grasp what
Squid is doing. But the basics as covered on that page's second section
should be sufficient to use the feature.


Some things that might trip you up:

* the "stare" and "splice" actions we normally advise using cannot be 
used when translating TLS versions. They deliver the client TLS version 
(at least) on messages to the server.


* bump at step1 (maybe step2) will do exactly what you need. This 
emulates the client-first bumping action which is documented as "causes 
a lot of problems" mostly in terms of adding major TLS vulnerabilities 
to the whole system - so minimize use as much as possible.


* TLS SNI and similar extensions are generally not sent by TLS/1.0 
clients. Which makes it difficult to tell what service is being 
requested, and thus to do that above minimization.



HTH
Amos


Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread L A Walsh

Yuri wrote:
> Oops,
>
> missed the end of the message :)
---
   I did search first! ;^)

> Check all CA's chain. It is possible your root CA bundle is not complete.
---
   Likely problem...

> I usually use root CA's from Mozilla (added to squid.conf as one file)
> and my own self-supported intermediate CA list (file).

How often do they update?  I.e. should I set up a cron job to download
and concatenate the CA's?  Is there a preferred D/L URL?

> But in addition I'm using Squid 5.x with working cert's downloader ;)

:^/  --- hmmm and I'm not even running 4.x... *ouch*...

Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
or is it 4.x=beta and 5.x=devel?

Tnx!
-l





Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri
Hi, Raf. Just checked on two of my servers - works like a charm without any
changes :) I already have a good intermediate CA bundle :)


08.09.2017 3:42, Rafael Akchurin wrote:
> Hello LA, Yuri,
>
> The server analysis at 
> https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87
>  shows the certificate chain presented by the remote server is indeed 
> incomplete, specifically the following certificate is not presented:
>
> ---
> Symantec Class 3 Secure Server CA - G4
> Fingerprint SHA256: 
> eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
> Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> ---
>
> Adding it to the intermediate certificate file as indicated on 
> https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended
>  and reloading Squid 3.5.23 allows the site to be seen and bumped successfully.
>
> Our UI generates exactly the same config setting as you have tried:
> sslproxy_foreign_intermediate_certs 
> /opt/websafety/etc/squid/foreign_intermediate_certs.pem
>
> So it must be working :)
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
>
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of L A Walsh
> Sent: Thursday, September 7, 2017 11:15 PM
> To: squid-us...@squid-cache.org
> Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas 
> on what I'm doing wrong?
>
> Got an error message from squid where I'm doing https-bumping:
>
> --
> The following error was encountered while trying to retrieve the URL: 
> https://help.ea.com/
>
> *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
> (71) Protocol error (TLS code: 
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually acceptable 
> security settings for handling your request. It is possible that the remote 
> host does not support secure connections, or the proxy is not satisfied with 
> the host security credentials.
>
> 
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced in 
> parallel chains).  The two certs looked like:
>
> -BEGIN CERTIFICATE-
> ...hexstuff==
> -END CERTIFICATE-
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
>
> Looking for a clue... ;-)
>
> Thanks!
> -l
>
>
>
>
>
>






Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Rafael Akchurin
Hello LA, Yuri,

The server analysis at 
https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87
shows the certificate chain presented by the remote server is indeed 
incomplete, specifically the following certificate is not presented:

---
Symantec Class 3 Secure Server CA - G4
Fingerprint SHA256: 
eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
RSA 2048 bits (e 65537) / SHA256withRSA
---

Adding it to the intermediate certificate file as indicated on 
https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended
 and reloading Squid 3.5.23 allows the site to be seen and bumped successfully.

Our UI generates exactly the same config setting as you have tried:
sslproxy_foreign_intermediate_certs 
/opt/websafety/etc/squid/foreign_intermediate_certs.pem

So it must be working :)

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of L A Walsh
Sent: Thursday, September 7, 2017 11:15 PM
To: squid-us...@squid-cache.org
Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on 
what I'm doing wrong?

Got an error message from squid where I'm doing https-bumping:

--
The following error was encountered while trying to retrieve the URL: 
https://help.ea.com/

*Failed to establish a secure connection to 52.0.220.87*

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the remote 
host does not support secure connections, or the proxy is not satisfied with 
the host security credentials.



Googling found:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Used openssl.com to get the intermediate certs (2 hosts are referenced in 
parallel chains).  The two certs looked like:

-BEGIN CERTIFICATE-
...hexstuff==
-END CERTIFICATE-


Added the certs to a file and that filename to my squid.conf on a line:

sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem

restarted squid, but am still getting same error.

Am I missing some obvious step?

Looking for a clue... ;-)

Thanks!
-l








Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri
Also, Symantec's roots may already be removed from most bundles (you
should have heard about it, haven't you?).

So it may be necessary to add Symantec's root(s) manually to the proxy
root CA bundle.


08.09.2017 3:24, Yuri wrote:
> Oops,
>
> missed the end of the message :)
>
> Check all CA's chain. It is possible your root CA bundle is not complete.
>
> I usually use root CA's from Mozilla (added to squid.conf as one file)
> and my own self-supported intermediate CA list (file).
>
> But in addition I'm using Squid 5.x with working cert's downloader ;)
>
>
> 08.09.2017 3:14, L A Walsh wrote:
>> Got an error message from squid where I'm doing https-bumping:
>>
>> --
>> The following error was encountered while trying to retrieve the URL:
>> https://help.ea.com/
>>
>>    *Failed to establish a secure connection to 52.0.220.87*
>>
>> The system returned:
>>
>>    (71) Protocol error (TLS code:
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>
>>    SSL Certficate error: certificate issuer (CA) not known:
>>    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>>    Class 3 Secure Server CA - G4
>>
>> This proxy and the remote host failed to negotiate a mutually
>> acceptable security settings for handling your request. It is possible
>> that the remote host does not support secure connections, or the proxy
>> is not satisfied with the host security credentials.
>>
>> 
>>
>> Googling found:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>>
>>
>> Used openssl.com to get the intermediate certs (2 hosts are referenced
>> in parallel chains).  The two certs looked like:
>>
>> -BEGIN CERTIFICATE-
>> ...hexstuff==
>> -END CERTIFICATE-
>>
>>
>> Added the certs to a file and that filename to my squid.conf on a line:
>>
>> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>>
>> restarted squid, but am still getting same error.
>>
>> Am I missing some obvious step?
>>
>> Looking for a clue... ;-)
>>
>> Thanks!
>> -l
>>
>>
>>
>>
>>
>>
>






Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Yuri


08.09.2017 3:14, L A Walsh wrote:
> Got an error message from squid where I'm doing https-bumping:
>
> --
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
>    *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
>    (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>    SSL Certficate error: certificate issuer (CA) not known:
>    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>    Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> 
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains).  The two certs looked like:
>
> -BEGIN CERTIFICATE-
> ...hexstuff==
> -END CERTIFICATE-
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
Yup :)

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

>
> Looking for a clue... ;-)
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?highlight=%28Ssl%29%7C%28Bump%29%7C%28explicit%29#Missing_intermediate_certificates
>
> Thanks!
> -l
>
>
>
>
>
>






[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread L A Walsh

Got an error message from squid where I'm doing https-bumping:

--
The following error was encountered while trying to retrieve the URL: 
https://help.ea.com/


   *Failed to establish a secure connection to 52.0.220.87*

The system returned:

   (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

   SSL Certficate error: certificate issuer (CA) not known:
   /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
   Class 3 Secure Server CA - G4

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.




Googling found:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Used openssl.com to get the intermediate certs (2 hosts are referenced
in parallel chains).  The two certs looked like:

-BEGIN CERTIFICATE-
...hexstuff==
-END CERTIFICATE-


Added the certs to a file and that filename to my squid.conf on a line:

sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem

restarted squid, but am still getting same error.

Am I missing some obvious step?

Looking for a clue... ;-)

Thanks!
-l








[squid-users] Looking for assistance with setting up a TLS proxy

2017-09-07 Thread Rohit Sodhia

Greetings,

I'm a backend dev who's been suddenly assigned a task to create a squid 
proxy to intercept cURL/wget requests. We've got old servers that don't 
support TLS 1.2 and some of the services we use will be requiring it 
soon, so the decision was made to route cURL and wget requests through a 
pair of squid servers. Unfortunately, I'm not a sysop (or even really 
knowledgeable in this area) and am having some trouble, hoping someone 
wouldn't mind helping me out.


I've been through the squid documentation and been playing around with 
the examples on the squid site, including finding one for creating an 
interception proxy. However, if I'm correct, for squid to be able to 
upgrade the TLS requests from their current 1.0 to 1.2, squid would need 
to decrypt the incoming request, then reencrypt it? I'm hoping someone 
out there may be willing to help point me in the right direction; I've 
been given a tight deadline, and both learning about the technologies
and finding an effective solution are straining.


Thank you,

--
Rohit Sodhia



Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread Amos Jeffries

On 08/09/17 02:48, erdosain9 wrote:
> By the way,
>
>               total        used        free      shared  buff/cache   available
> Mem:           3,7G        3,0G        122M         13M        554M        422M
> Swap:          2,0G        160M        1,8G

How much of that 3GB of RAM is Squid using?
 Your swap needs to be at least twice that number.

The fork() starting each helper *doubles* the amount of memory the 
kernel counts as being Squid's (once for Squid, once for helper) BUT 
this extra helper memory is virtual and thus almost all placed inside 
the 'swap' area.


So you need a lot of swap space for the kernel to (pretend to) use with 
Squid helpers. The helper itself should use a much smaller amount of 
real RAM so should be no problem there if the fork() can do its thing.


Amos


Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread Amos Jeffries

On 08/09/17 02:44, erdosain9 wrote:
> Hi to all.
> all was working fine.. but today I'm having this issue
>
> 2017/09/07 11:34:49 kid1| Starting new negotiateauthenticator helpers...
> 2017/09/07 11:34:49 kid1| helperOpenServers: Starting 1/35
> 'negotiate_kerberos_auth' processes
> 2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
> 2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
> 'negotiate_kerberos_auth' processes
> 2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
> 2017/09/07 11:34:50 kid1| WARNING: Cannot run
> '/lib64/squid/negotiate_kerberos_auth' process.


How much RAM does this machine have?

What are your cache_mem and cache_dir settings?

How much RAM is Squid using when these fork's happen?

How much RAM is Squid normally using?

Does the machine have memory 'swap' enabled?

Any per-process limits on RAM consumption?


Amos


Re: [squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
By the way,

              total        used        free      shared  buff/cache   available
Mem:           3,7G        3,0G        122M         13M        554M        422M
Swap:          2,0G        160M        1,8G






[squid-users] ipcCreate: fork: (12) Cannot allocate memory

2017-09-07 Thread erdosain9
Hi to all.
all was working fine.. but today I'm having this issue


2017/09/07 11:34:49 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:49 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:50 kid1| WARNING: Cannot run
'/lib64/squid/negotiate_kerberos_auth' process.
2017/09/07 11:34:50 kid1| Starting new ssl_crtd helpers...
2017/09/07 11:34:50 kid1| helperOpenServers: Starting 1/32 'ssl_crtd'
processes
2017/09/07 11:34:51 kid1| Starting new ssl_crtd helpers...
2017/09/07 11:34:51 kid1| helperOpenServers: Starting 1/32 'ssl_crtd'
processes
2017/09/07 11:34:51 kid1| ipcCreate: fork: (12) Cannot allocate memory
2017/09/07 11:34:51 kid1| WARNING: Cannot run '/usr/lib64/squid/ssl_crtd'
process.


Can somebody give me a hand??
Thanks to all.





Re: [squid-users] How to setup squid as reverse proxy to intercept Office365 traffic

2017-09-07 Thread Antony Stone
On Thursday 07 September 2017 at 16:34:02, SShukla wrote:

> Thanks for replying Antony
> 
> So one requirement for our solution is that, a user in a group using our
> setup would have their traffic always pass through our proxy(Squid proxy +
> ICAP), whether they are in their office on the company network, or at home
> on their own internet, or anywhere else using their mobile data connection.
> This was one of the key reasons we settled on using a reverse proxy.

For me, this still does not compute.

How is a user at home or on a mobile data connection going to find your reverse 
proxy?

How is this easier than having their equipment configured to use a forwarding 
proxy?

What is your understanding of the purpose of a reverse proxy?

> In our current deployment, however, we do not have the unique circumstances
> that Office 365 presents.  It’s entirely possible that a forward proxy is
> the ONLY way to accomplish a similar end result in this environment, but if
> a reverse proxy is possible ? , it would be our first choice.

Give me an example - what DNS name would a user connect to, and what would 
that DNS name resolve to, in order to end up on your reverse proxy?


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] How to setup squid as reverse proxy to intercept Office365 traffic

2017-09-07 Thread SShukla
Thanks for replying Antony 

So one requirement for our solution is that, a user in a group using our
setup would have their traffic always pass through our proxy(Squid proxy +
ICAP), whether they are in their office on the company network, or at home
on their own internet, or anywhere else using their mobile data connection. 
This was one of the key reasons we settled on using a reverse proxy.  

In our current deployment, however, we do not have the unique circumstances
that Office 365 presents.  It’s entirely possible that a forward proxy is
the ONLY way to accomplish a similar end result in this environment, but if
a reverse proxy is possible ? , it would be our first choice.







Re: [squid-users] cache config

2017-09-07 Thread Amos Jeffries

On 07/09/17 01:26, Alex Gutiérrez Martínez wrote:
> Hi everyone, I have 100 GB on my cache partition, but squid only uses 1.5
> GB. My internet connection is incredibly slow, any advice on how to
> optimize my connection will be appreciated.




You are missing details of;
* what Squid version you are using (squid -v output), and
* how much traffic is going through the proxy, and
* roughly how many users this cache is servicing, and
* what HIT rates you are currently achieving, and
* what (the 'info' cache manager report - "squidclient mgr:info" or 
cachemgr.cgi page or http://example.local:3128/squid-internal-mgr/info)



Some things to keep in mind (in no particular order):

* A proxy cache is best for large numbers of clients. The fewer users 
exist the more likely the data is being cached on the client machine 
itself (eg in Browser caches) - an aggregating proxy cache will not 
store much of it unless their traffic is significantly different AND the 
proxy cache is larger than the client caches. As user count grows the 
per-user differences build up and proxy shows more caching benefits.


* Some traffic is simply not cacheable. Cacheability is determined by 
the type of domains and sites being contacted, what they do etc. 
Sometimes traffic is simply not cacheable.


* Caches take time to fill up, the fill rate decreases exponentially. 
Each new object added requires that it has not already been used before. 
It is very likely that your users only visited a small number of sites 
and thus only a small amount of content actually is being used. Again 
Again, the more clients use the proxy, the more the data differences grow 
the cache. Have you given it enough time for more than a few GB of HTTP 
traffic to go through the proxy?


* HTTPS is not cacheable in its encrypted form. As the Internet's drive 
towards HTTPS grows, increasingly less content is cacheable without 
performing an MITM on the traffic.



* a 64-bit build of Squid is needed to operate well with more than a few 
GB of data. 'Large file' support does not help much as the size of 
individual files is not the problem; size counters for cache management 
need to be 64-bit.

1.5GB looks suspiciously like the 32-bit numerical wrap happening.



> This is the configuration of my cache.
>
> maximum_object_size 300 MB
> cache_dir aufs /var/cache/squid3 1024000 16 256


The above cache uses just under 1 TB of disk space, not 100 GB.

Try 97280 for a 100GB disk. That is 97% of the drive for cache and a 3% bit 
for OS use and temporary oversize object storage.




> cache_mem 256 MB
> cache_store_log /var/cache/squid3/cache_store.log
> coredump_dir /var/cache/squid3/dump
> minimum_expiry_time 600 seconds


This may be part of your problem. The larger this value is, the more 
likely that dynamic content will *not* be cached.


It is checking whether objects are fresh or stale 600sec in the future 
and only caching the ones that will be fresh at that time. Which is very 
unlikely to be true for any dynamic content.


My recommendation is to remove this from your config file or configure 
it a bit smaller than the default 60sec - but not too much smaller.




> cache_swap_low 87
> cache_swap_high 90


Raise these back to the default 90-95% thresholds for data purging.
You can do that by removing the directives entirely.

NP: the closer these are to 100% the more the cache will be able to be 
filled during normal use. But also the more work Squid will do when 
purging to make space for new stuff - which can slow down all 
transactions underway if one of the transactions needs a lot of space.
It is a slow job tuning these properly and requires the cache to be 
relatively full first.


Remove the duplicate ones below anyway.



> client_db off
> offline_mode off
> cache_swap_low 87
> cache_swap_high 90
> cache_replacement_policy heap GDSF
> maximum_object_size_in_memory 128 KB
> chunked_request_body_max_size 4096 KB
> half_closed_clients off
>
> # set the dump files in /var/cache/squid3/
> coredump_dir /var/cache/squid3/
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
>
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320


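A small checker that applies the points Amos makes above to the quoted config, written as an added example for this thread; it is not part of Squid or of any poster's own tooling. It parses a squid.conf fragment, reports directives that appear more than once, a cache_dir total larger than the partition, cache_swap_low/high below the 90/95 defaults, and a minimum_expiry_time above the 60s default. It goes one step beyond the thread by also flagging refresh_pattern lines that use ignore-private or ignore-no-store, since those make a shared cache store responses the origin marked as not cacheable. The sample config text and the 100 GiB partition size are constructed from the thread; the function names are this example's own.

```python
"""Sanity-check the cache section of a squid.conf (added example, not Squid code)."""
from collections import Counter

# Constructed sample: the directives quoted in the thread, duplicates included.
SAMPLE_CONF = r"""
maximum_object_size 300 MB
cache_dir aufs /var/cache/squid3 1024000 16 256
cache_mem 256 MB
minimum_expiry_time 600 seconds
cache_swap_low 87
cache_swap_high 90
cache_swap_low 87
cache_swap_high 90
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern . 0 40% 40320
"""

# Directives Squid expects once; cache_dir and refresh_pattern may legitimately repeat.
SINGLE_VALUED = {"cache_swap_low", "cache_swap_high", "cache_mem", "coredump_dir",
                 "minimum_expiry_time", "maximum_object_size"}
# refresh_pattern options that override the origin server's own cacheability signals.
UNSAFE_REFRESH_OPTS = {"ignore-private", "ignore-no-store"}
TIME_UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
              "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def parse_conf(text):
    """Return [(directive, [args...])], dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def cache_dir_total_mb(entries):
    """Sum the Mbytes field of every cache_dir (third argument for aufs/ufs/diskd/rock)."""
    return sum(int(args[2]) for name, args in entries
               if name == "cache_dir" and len(args) >= 3)


def to_seconds(args):
    """Convert a Squid time argument such as ['600', 'seconds'] to seconds."""
    unit = args[1] if len(args) > 1 else "seconds"
    return int(args[0]) * TIME_UNITS[unit]


def check_conf(text, disk_mb):
    """Return a list of human-readable findings for the config text."""
    entries = parse_conf(text)
    findings = []

    # 1. Directives that should appear once but are repeated.
    counts = Counter(name for name, _ in entries)
    for name in sorted(SINGLE_VALUED & set(counts)):
        if counts[name] > 1:
            findings.append(f"duplicate: {name} appears {counts[name]} times")

    # 2. cache_dir sized larger than the partition it lives on.
    total = cache_dir_total_mb(entries)
    if total > disk_mb:
        findings.append(f"cache_dir: {total} MB configured but the partition is only {disk_mb} MB")

    # 3. Purge thresholds: later occurrences win, as in Squid's own parsing.
    values = {name: args for name, args in entries if name in SINGLE_VALUED}
    low = int(values.get("cache_swap_low", ["90"])[0])
    high = int(values.get("cache_swap_high", ["95"])[0])
    if low >= high:
        findings.append(f"swap: cache_swap_low {low} must be below cache_swap_high {high}")
    elif low < 90 or high < 95:
        findings.append(f"swap: thresholds {low}/{high} are below the 90/95 defaults, so purging starts early")

    # 4. minimum_expiry_time above the 60s default stops dynamic content being cached.
    if "minimum_expiry_time" in values:
        secs = to_seconds(values["minimum_expiry_time"])
        if secs > 60:
            findings.append(f"minimum_expiry_time: {secs}s exceeds the 60s default; dynamic content will not be cached")

    # 5. refresh_pattern overrides that store responses the origin said not to cache.
    for name, args in entries:
        if name != "refresh_pattern" or not args:
            continue
        pattern = args[1] if args[0] == "-i" and len(args) > 1 else args[0]
        bad = sorted(UNSAFE_REFRESH_OPTS & set(args))
        if bad:
            findings.append(f"refresh_pattern {pattern}: {', '.join(bad)} stores responses the origin "
                            "marked uncacheable; a shared cache may then serve one user's content to another")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF, disk_mb=100 * 1024):  # 100 GiB partition, as in the thread
        print(finding)
```

Run it against a real squid.conf by passing the file's contents and the partition size in MB; an empty list means none of the thread's issues were found.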


Re: [squid-users] How to setup squid as reverse proxy to intercept Office365 traffic

2017-09-07 Thread Antony Stone
On Wednesday 06 September 2017 at 19:34:15, SShukla wrote:

> * Why do you want to set up a *reverse* proxy for Office 365 traffic? *
> 
> We need to use reverse proxy to direct the traffic going to Office 365
> through an ICAP Server.

I still don't understand why you think this needs to be a reverse proxy rather 
than a standard forwarding proxy.

> While trying to configure Squid to do so, we have encountered a few issues,
> for example: since Office 365 has an IP range, one of the issue is to
> figure out the IP used by Office 365 which can then be specified in squid
> configuration

Well, quite.

A forwarding proxy wouldn't need to be configured with this information.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.