[squid-users] get many logentries "ACL is used in context without an ALE state. Assuming mismatch" after upgrade from 3.5 to 4.0.21 when using external helper

2017-09-13 Thread Dieter Bloms
Hello,

I have used external helpers with Squid 3.5.xx for several years without any
problems.
Now I have tried to upgrade to Squid 4.0.21 and Squid seems to work fine, but
I get many log entries like:

--snip--
2017/09/14 07:43:12 kid3| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:43:12 kid3| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
--snip--

When I switched the ACLs to a file list, the warnings were gone.

My ACLs for external helpers look like:

external_acl_type blockhostiptype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl-ip.pl bl
acl blockhostsip external blockhostiptype
external_acl_type blockhostdomaintype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl.pl dbl
acl blockhostsdomain external blockhostdomaintype

When I replaced the above lines with these two, the warnings were gone:

acl blockhostsip dst "/etc/squid/blockhosts.ips"
acl blockhostsdomain dstdomain "/etc/squid/blockhosts.domains"

but I want to use the external helpers, because the lists were updated
many times a day and a reconfigure of squid has an impact of 2-3 seconds.

As I said before, squid works fine and checks the acls, but I get many
warnings in the cache.log and don't know the cause of it.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid-users Digest, Vol 37, Issue 30

2017-09-13 Thread Yuri
For a change, I agree with Eliezer. And about the documentation of
OpenSource is best mournfully silent.


14.09.2017 0:02, Eliezer Croitoru wrote:
> I do not care if someone asks even if the docs are answering.
> The docs of squid-cache are not something anyone should be able to remember 
> by heart or even browse and just "find" a solution or a direction.
> We(at least me) are here to try and help even for the cases which the docs 
> already cover.
>
> All The Bests,
> Eliezer
>
> 
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Adrian Miller
> Sent: Monday, September 11, 2017 23:31
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid-users Digest, Vol 37, Issue 30
>
> Jesus, never seen so many messages that could have been answered by reading 
> the basic squid docs.
>
> Tempted to unsubsheesh
>
> On 12 Sep. 2017 6:19 am,  
> wrote:
> Send squid-users mailing list submissions to
> mailto:squid-users@lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> mailto:squid-users-requ...@lists.squid-cache.org
>
> You can reach the person managing the list at
> mailto:squid-users-ow...@lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>1. Re: Need assistance debugging Squid error: ssl_ctrd helpers
>   crashing too quickly (Rohit Sodhia)
>
>
> --
>
> Message: 1
> Date: Mon, 11 Sep 2017 16:18:39 -0400
> From: Rohit Sodhia 
> To: Yuri 
> Cc: mailto:squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Need assistance debugging Squid error:
> ssl_ctrd helpers crashing too quickly
> Message-ID:
> 
> 
> Content-Type: text/plain; charset="utf-8"
>
> Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess
> I'll have to learn how to compile it myself; never compiled a package
> before.
>
> On Mon, Sep 11, 2017 at 4:17 PM, Yuri  wrote:
>
>> Hardly,
>>
>> most probably something in repo's package. However, upgrade is always
>> recommended, especially with modern functionality. It changes fast enough.
>>
>> 12.09.2017 2:15, Rohit Sodhia wrote:
>>
>> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
>> problem?
>>
>> On Mon, Sep 11, 2017 at 4:07 PM, Yuri  wrote:
>>
>>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>>> closed or closed.
>>>
>>> At least latest 3.5.27 is released. AFAIK this is minimum to problem-free
>>> running.
>>>
>>> Repositories software sometimes has strange quirks, or sometimes rancid.
>>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>>
>>> I'll try to find it, but I read a few articles/SO questions that
>>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>>> I'd be glad to go forward. Should I be removing the yum squid package and
>>> compile my own? Is 3.5 problematic besides being old?
>>>
>>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri  wrote:
>>>
>>>> Wait. Squid 3.5.20? So ancient?
>>>>
>>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>>
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> I used the line from the Stack Overflow question I linked earlier.
>>>>
>>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri  wrote:
>>>>
>>>>> Well. Let's check more deep.
>>>>>
>>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>>
>>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>>
>>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>>
>>>>> I found that the user squid and group squid existed already, so I added
>>>>>
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>>
>>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>>> getting the same error :(
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
>>>>>
>>>>> wrote:
>>>>>
>>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>>> hopefully I won't have to reach out again :p
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri  wrote:
>>>>>>
>>>>>>> I'm not Linux fanboy, but modern squid never runs as root. So, most
>>>>>>> probably it runs as nobody user.
>>>>>>>
>>>>>>>

Re: [squid-users] squid-users Digest, Vol 37, Issue 30

2017-09-13 Thread Eliezer Croitoru
I do not care if someone asks even if the docs are answering.
The docs of squid-cache are not something anyone should be able to remember by 
heart or even browse and just "find" a solution or a direction.
We(at least me) are here to try and help even for the cases which the docs 
already cover.

All The Bests,
Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Adrian Miller
Sent: Monday, September 11, 2017 23:31
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid-users Digest, Vol 37, Issue 30

Jesus, never seen so many messages that could have been answered by reading the 
basic squid docs.

Tempted to unsubsheesh

On 12 Sep. 2017 6:19 am,  
wrote:

Today's Topics:

   1. Re: Need assistance debugging Squid error: ssl_ctrd helpers
  crashing too quickly (Rohit Sodhia)


--

Message: 1
Date: Mon, 11 Sep 2017 16:18:39 -0400
From: Rohit Sodhia 
To: Yuri 
Cc: mailto:squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Need assistance debugging Squid error:
ssl_ctrd helpers crashing too quickly
Message-ID:


Content-Type: text/plain; charset="utf-8"

Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess
I'll have to learn how to compile it myself; never compiled a package
before.

On Mon, Sep 11, 2017 at 4:17 PM, Yuri  wrote:

> Hardly,
>
> most probably something in repo's package. However, upgrade is always
> recommended, especially with modern functionality. It changes fast enough.
>
> 12.09.2017 2:15, Rohit Sodhia wrote:
>
> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
> problem?
>
> On Mon, Sep 11, 2017 at 4:07 PM, Yuri  wrote:
>
>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost
>> closed or closed.
>>
>> At least latest 3.5.27 is released. AFAIK this is minimum to problem-free
>> running.
>>
>> Repositories software sometimes has strange quirks, or sometimes rancid.
>> 12.09.2017 2:05, Rohit Sodhia wrote:
>>
>> I'll try to find it, but I read a few articles/SO questions that
>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>> I'd be glad to go forward. Should I be removing the yum squid package and
>> compile my own? Is 3.5 problematic besides being old?
>>
>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri  wrote:
>>
>>> Wait. Squid 3.5.20? So ancient?
>>>
>>> 12.09.2017 1:58, Rohit Sodhia wrote:
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> I used the line from the Stack Overflow question I linked earlier.
>>>
>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri  wrote:
>>>
>>>> Well. Let's check more deep.
>>>>
>>>> Show me parameter sslcrtd_program in your squid.conf
>>>>
>>>> 12.09.2017 1:23, Rohit Sodhia wrote:
>>>>
>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>
>>>> I found that the user squid and group squid existed already, so I added
>>>>
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>>
>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>> getting the same error :(
>>>>
>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
>>>>
>>>> wrote:
>>>>
>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>> hopefully I won't have to reach out again :p
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri  wrote:
>>>>>
>>>>>> I'm not Linux fanboy, but modern squid never runs as root. So, most
>>>>>> probably it runs as nobody user.
>>>>>>
>>>>>> Ah, yes:
>>>>>>
>>>>>> #  TAG: cache_effective_user
>>>>>> #If you start Squid as root, it will change its effective/real
>>>>>> #UID/GID to the user specified below.  The default is to change
>>>>>> #to UID of nobody.
>>>>>> #see also; cache_effective_group
>>>>>> #Default:
>>>>>> # cache_effective_user nobody
>>>>>>
>>>>>

Re: [squid-users] [squid for windows] article on how to enable sslbump

2017-09-13 Thread Rafael Akchurin
Hello Yuri,

We tried building it several times, but it was not clear why it failed, so we
keep postponing :(

Best regards,
Rafael Akchurin


On 13 Sep 2017 at 18:07, Yuri <mailto:yvoi...@gmail.com> wrote:



13.09.2017 21:32, Rafael Akchurin wrote:

Greetings everyone,



For all those using Squid version for Microsoft Windows – here is the article 
explaining how to enable HTTPS decryption (sslbump) on Windows platforms.

Please see https://docs.diladele.com/faq/squid/sslbump_squid_windows.html



If you find any errors please tell us at 
supp...@diladele.com



--

Best regards,

Rafael Akchurin

Diladele B.V.

https://www.diladele.com


P.S. Build of Squid 3.5.27 for Microsoft Windows is still on the way :( …
BTW, Raf. Why not to build 4.0.21 already? Now 2017, 3.5.x is so ancient, ever 
on Win64. :) I would like to see cert downloader also on my laptop ;)





Re: [squid-users] [squid for windows] article on how to enable sslbump

2017-09-13 Thread Yuri


13.09.2017 21:32, Rafael Akchurin wrote:
>
> Greetings everyone,
>
>  
>
> For all those using Squid version for Microsoft Windows – here is the
> article explaining how to enable HTTPS decryption (sslbump) on Windows
> platforms.
>
> Please see https://docs.diladele.com/faq/squid/sslbump_squid_windows.html
>
>  
>
> If you find any errors please tell us at supp...@diladele.com
> 
>
>  
>
> --
>
> Best regards,
>
> Rafael Akchurin
>
> Diladele B.V.
>
> https://www.diladele.com
>
>  
>
> P.S. Build of Squid 3.5.27 for Microsoft Windows is still on the way :( …
>
BTW, Raf. Why not to build 4.0.21 already? Now 2017, 3.5.x is so
ancient, ever on Win64. :) I would like to see cert downloader also on
my laptop ;)


[squid-users] [squid for windows] article on how to enable sslbump

2017-09-13 Thread Rafael Akchurin
Greetings everyone,



For all those using Squid version for Microsoft Windows - here is the article 
explaining how to enable HTTPS decryption (sslbump) on Windows platforms.

Please see https://docs.diladele.com/faq/squid/sslbump_squid_windows.html



If you find any errors please tell us at 
supp...@diladele.com



--

Best regards,

Rafael Akchurin

Diladele B.V.

https://www.diladele.com


P.S. Build of Squid 3.5.27 for Microsoft Windows is still on the way :( ...


Re: [squid-users] squid cache takes a break

2017-09-13 Thread Vieri
Thanks for the suggestion. I'm sure ufdbguard works great even though it's not 
maintained/updated on my distro (Gentoo).

I use ready-made helpers/redirectors like squidGuard on other systems.
However, on this system I wanted to avoid depending on extra software. I also 
wanted to make my own helper so I could then combine Squid ACLs and do things 
such as:
- block access to blacklisted URLs on a Squid setup with transparent ssl_bump
  (no proxy auth)
- show custom deny web page with optional auth form to bypass this restriction
- authenticate via LDAP using a custom web form, and insert the user's client
  IP address into a database with a timeout
- auto-redirect the request to the restricted web site so the user on a
  particular client host can access the site for a given time frame
- use a squid ACL to look up the user's host IP address in the DB, and decide
  to allow or not


In any case, I've been experiencing lots of issues with Squid during the past 2 
weeks. I can finally say that I've fine-tuned my setup thanks to the great help 
I found on this ML. One of the things that were nagging me was the helper part. 
Knowing how helpers work, and how they can be optimized on heavy traffic loads 
is "a good thing". For starters, I did not know how to use the concurrency 
option and how the use of it could benefit overall performance.


Thanks,

Vieri
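
The two helper topics in this archive, blocklists that change many times a day without a Squid reconfigure (first post) and the helper concurrency option (this message), are illustrated by the sketch below. It is an added example, not code from any poster or from the Squid project; it assumes the helper is configured with concurrency enabled so that each request line is "<channel-id> <%DST>", that the list file holds one domain per line, and the names Blocklist and answer are hypothetical.

```python
"""Concurrent Squid external ACL helper (added example): OK if %DST is listed."""
import os
import sys
from urllib.parse import unquote

BLOCKLIST = "/etc/squid/blockhosts.domains"  # path from the first post; one domain per line


class Blocklist:
    """Domain set that is re-read whenever the file's mtime changes."""
    def __init__(self, path):
        self.path, self.mtime, self.domains = path, None, set()

    def refresh(self):
        try:
            mtime = os.stat(self.path).st_mtime_ns
        except OSError:
            return  # file briefly missing during an update: keep the last good list
        if mtime != self.mtime:
            with open(self.path) as fh:
                entries = (line.strip().lower().lstrip(".") for line in fh)
                self.domains = {e for e in entries if e and not e.startswith("#")}
            self.mtime = mtime

    def matches(self, host):
        # Entries are treated as suffixes: the host itself or any parent domain matches.
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


def answer(line, blocklist):
    """Turn one request line '<channel-id> <%DST>' into '<channel-id> OK|ERR|BH'.

    OK means the ACL matches (destination is listed), ERR means no match,
    BH reports a helper-side failure such as a malformed request line.
    """
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        # Echo the channel ID when one was sent so Squid can pair the reply.
        return f"{parts[0]} BH" if parts and parts[0].isdigit() else "BH"
    channel, dst = parts[0], unquote(parts[1])  # helper input arrives URL-escaped by default
    blocklist.refresh()
    return f"{channel} {'OK' if blocklist.matches(dst) else 'ERR'}"


def main():
    blocklist = Blocklist(BLOCKLIST)
    for line in sys.stdin:  # Squid keeps the helper running and writes one request per line
        print(answer(line, blocklist), flush=True)  # flush so Squid is not left waiting


if __name__ == "__main__":
    main()
```

The ttl= and negative_ttl= values on the external_acl_type line still apply, so a list change only takes effect for a given destination once Squid's cached answer for it expires.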