Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Amos Jeffries
On 08/02/18 12:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you used ipfw NAT configuration on same box with squid?
> 
> Yes, my ipfw configuration is:
> 
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
> $cmd add 6 permit ip from any to any


Earlier you wrote:


> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==


Your IPFW rules are sending intercepted traffic to port 3128.

HTTP traffic comes in multiple flavours/types. Squid-3+ enforces that a
port's "mode" matches the type of traffic arriving on it, to maintain
traffic integrity in the face of security vulnerabilities relevant (or
not) to each traffic type.

This adds some natural limitations which were not previously visible in
Squid-2, which was broken too, just without informing you of the problem(s).

These are:

* you MUST configure NAT on the same device / machine / VM that Squid is
running on. Squid requires access directly to the kernel NAT tables.

* you MUST only send traffic of a given type to the port with matching
"mode" flag.
 - explicit/forward proxy is implied when *no* more specific mode is
supplied,
 - NAT traffic requires "intercept" flag,
 - TPROXY traffic requires "tproxy" flag, and
 - interception of HTTPS traffic requires "ssl-bump" flag (which can be
combined with the others)



Also, were the build options displayed earlier the same ones you used
for testing *BSD and Linux systems?
 The Linux Netfilter and *BSD PF NAT systems will never work if you
disable them and permit *only* IPFW-transparent in the Squid build.



Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
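The three rules above (NAT on the Squid box, one traffic type per port mode, the matching --enable-*-transparent build option) can be checked mechanically before restarting Squid. What follows is an added example for this thread, not code from the Squid project or from any poster: it parses the http_port modes out of squid.conf, the redirect targets out of ipfw/pf/iptables rules and the configure options out of `squid -v`, and triages access.log for the TAG_NONE/400 relative-URL entries quoted in this thread. The helper names, the REQUIRED_BUILD_FLAG table (the option spellings are the ones from the build list posted earlier in the thread) and all sample inputs are my own constructions.

```python
"""Lint a Squid interception setup against the rules above (added example with
constructed inputs, not Squid project code; helper names are hypothetical)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ./configure option each NAT engine needs in the Squid build (assumption: the
# option spellings are taken from the build list posted in this thread).
REQUIRED_BUILD_FLAG = {
    "ipfw": "--enable-ipfw-transparent",
    "pf": "--enable-pf-transparent",
    "ipfilter": "--enable-ipf-transparent",
    "netfilter": "--enable-linux-netfilter",
    "tproxy": "--enable-linux-tproxy",
}

@dataclass(frozen=True)
class HttpPort:
    port: int
    mode: str  # "forward" when the http_port line carries no mode flag

HTTP_PORT_RE = re.compile(r"^\s*http_port\s+(?:\S*:)?(\d+)((?:\s+\S+)*)\s*$")

# Local redirect targets of rules that hand port-80 traffic to Squid.
REDIRECT_RES = (
    re.compile(r"\bfwd\s+(?:[\d.]+,)?(\d+)\b"),             # ipfw fwd [ip,]port
    re.compile(r"--to-ports?\s+(\d+)\b"),                   # iptables REDIRECT
    re.compile(r"--to(?:-destination)?\s+[\d.]+:(\d+)\b"),  # iptables DNAT
    re.compile(r"\brdr\b.*->\s*\S+\s+port\s+(\d+)\b"),      # pf rdr
)

def parse_http_ports(conf: str) -> Dict[int, HttpPort]:
    """Map each http_port number to its mode: forward, intercept, tproxy or accel."""
    ports: Dict[int, HttpPort] = {}
    for raw in conf.splitlines():
        m = HTTP_PORT_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        flags = set(m.group(2).split())
        mode = next((f for f in ("intercept", "tproxy", "accel") if f in flags), "forward")
        ports[int(m.group(1))] = HttpPort(int(m.group(1)), mode)
    return ports

def parse_redirect_ports(rules: str) -> List[Tuple[str, int]]:
    """Return (rule, target_port) for every rule that redirects to a local port."""
    hits = []
    for raw in rules.splitlines():
        for rx in REDIRECT_RES:
            m = rx.search(raw)
            if m:
                hits.append((raw.strip(), int(m.group(1))))
                break
    return hits

def check_port_modes(conf: str, rules: str) -> List[str]:
    """Flag NAT rules whose target port is not an intercept/tproxy http_port."""
    ports = parse_http_ports(conf)
    problems = []
    for rule, port in parse_redirect_ports(rules):
        hp = ports.get(port)
        if hp is None:
            problems.append(f"{rule}: redirects to {port}, but squid.conf has no http_port {port}")
        elif hp.mode not in ("intercept", "tproxy"):
            problems.append(f"{rule}: sends NAT traffic to port {port}, which is a '{hp.mode}' "
                            f"port; redirect to an 'http_port N intercept' port instead")
    return problems

def check_build(squid_v: str, nat_engine: str) -> Optional[str]:
    """Return the configure flag nat_engine needs if 'squid -v' lacks it, else None."""
    need = REQUIRED_BUILD_FLAG[nat_engine]
    m = re.search(r"configure options:(.*)", squid_v, re.S)
    opts = m.group(1) if m else squid_v
    return None if f"'{need}'" in opts or f" {need}" in opts else need

def triage_access_log(log: str) -> List[str]:
    """Pick out 400 replies whose request URL is relative: Squid could not build an
    absolute URL, the symptom shown in this thread. Native log field order assumed."""
    suspect = []
    for line in log.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3].endswith("/400") and not re.match(r"^[a-z]+://", f[6]):
            suspect.append(line)
    return suspect

# Constructed samples, built from the lines posted in this thread.
SQUID_CONF = "http_port 3128\nhttp_port 3129 intercept\ntcp_outgoing_address 192.168.1.25\n"
IPFW_AS_POSTED = "00800 fwd 3128 tcp from 192.168.1.0/24 to any dst-port 80 via em0\n"
IPFW_FIXED = "00800 fwd 127.0.0.1,3129 tcp from 192.168.1.0/24 to any dst-port 80 via em0\n"
SQUID_V = "Squid Cache: Version (constructed)\nconfigure options:  '--enable-ipfw-transparent' '--disable-pf-transparent'\n"
ACCESS_LOG = (
    "1518042565.613      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html\n"
    "1518042600.875     82 192.168.1.1 TCP_MISS/302 333 HEAD http://www.java.com/ - HIER_DIRECT/www.java.com -\n"
)

if __name__ == "__main__":
    print(check_port_modes(SQUID_CONF, IPFW_AS_POSTED) or "fwd target OK")
    print(check_build(SQUID_V, "pf") or "build OK for pf")
    print(triage_access_log(ACCESS_LOG))
```

Run against the ruleset posted earlier, the checker reports the fwd-to-3128 rule as sending NAT traffic to a forward-mode port; the same check passes once the target is 127.0.0.1,3129, and the build check shows why a PF ruleset can never work with a build that only enabled --enable-ipfw-transparent.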


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Where does ipfw run? In the virtual machine, or on the hypervisor?


08.02.2018 05:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you used ipfw NAT configuration on same box with squid?
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
> $cmd add 6 permit ip from any to any

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 6:36 PM, Yuri wrote:
> Did you used ipfw NAT configuration on same box with squid?

Yes, my ipfw configuration is:

$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
$cmd add 6 permit ip from any to any


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Squid is relatively difficult to run in transparent mode on virtual
platforms due to NAT limitations on virtual platforms (this is not
Squid's issue, this is an issue of virtual platforms).

I have been using Squid only in transparent mode (only in transparent mode)
for several years on Solaris (bare metal) without any issues in HTTP/HTTPS
interception. With IPFilter. With 1-2-6-8 interfaces with different LAN
topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All
without serious problems.

But on bare metal.

08.02.2018 05:25, setuid wrote:
> On 2/7/18 5:37 PM, Rafael Akchurin wrote:
>> How is your network configured? Your rules indicate you have 2 nics but you 
>> later say you have one..
> Originally, I started with 1 NIC (it's a VM), and added 2 more, because
> I read that pf/ipfw can't rewrite ingress packets on the same interface
> it used for egress, but I haven't tried creating a bridge and routes to
> attempt to make that work yet.
>
> The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
> routable IP bound to eth0) and the secondary NIC sits on the "backup"
> network (LAN-side) on 192.168.2.x.
>
> Let's break it down:
>
> [WAN router]
>   |-- LAN: 192.168.1.1 (wired LAN)
>   `-- WWAN: 10.0.1.1 (wireless clients)
>
> BSD VM: 192.168.1.25
>
> Ubuntu VM:
>   |-- INET: 32.215.x.x
>   `-- LAN: 192.168.2.x
>
> The WAN router is what sends traffic sent over it on :80, over to .1.25
> (BSD) to cache.
>
> Previously, I had it pointed to Squid 2.6 sitting on my NAS
> (192.168.1.20) and that would work perfectly as a transparent proxy.
>
> When I pointed the WAN router to .25 instead of .20, and upgraded the
> version of Squid by using BSD's version from ports on .25, this process
> all fell apart.
>
> So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
> requirement to get transparent proxying working with anything using
> Squid 3.x or later?
>
> Can this be done with a single NIC sitting on an Internet-facing LAN
> segment?
>
> If so, how?



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
If you configured Squid with

'--enable-ipfw-transparent'

you should use the manual for ipfw configuration.

Did you use an ipfw NAT configuration on the same box as Squid?

08.02.2018 05:14, setuid wrote:
> On 2/7/18 4:31 PM, Yuri wrote:
> >> I have not seen your configuration options for Squid. Not squid.conf. Just
>> ./configure options.
> Here's what I'm building with (from 'make config' in ports tree)
>
> '--bindir=/usr/local/sbin'
> '--build=amd64-portbld-freebsd11.1'
> '--datadir=/usr/local/etc/squid'
> '--disable-arch-native'
> '--disable-ecap'
> '--disable-epoll'
> '--disable-esi'
> '--disable-ipf-transparent'
> '--disable-ipv6'
> '--disable-linux-netfilter'
> '--disable-linux-tproxy'
> '--disable-pf-transparent'
> '--disable-silent-rules'
> '--disable-snmp'
> '--disable-ssl'
> '--disable-ssl-crtd'
> '--disable-stacktraces'
> '--disable-translation'
> '--enable-auth'
> '--enable-auth-basic=DB'
> '--enable-auth-digest=file'
> '--enable-auth-negotiate=none'
> '--enable-auth-ntlm=fake'
> '--enable-build-info'
> '--enable-cache-digests'
> '--enable-delay-pools'
> '--enable-disk-io=DiskThreads'
> '--enable-eui'
> '--enable-external-acl-helpers=file_userip'
> '--enable-follow-x-forwarded-for'
> '--enable-forw-via-db'
> '--enable-htcp'
> '--enable-http-violations'
> '--enable-icap-client'
> '--enable-icmp'
> '--enable-ident-lookups'
> '--enable-ipfw-transparent'
> '--enable-kqueue'
> '--enable-loadable-modules'
> '--enable-log-daemon-helpers=file'
> '--enable-removal-policies=lru'
> '--enable-security-cert-validators=fake'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-storeio=aufs'
> '--enable-url-rewrite-helpers=fake'
> '--enable-wccp'
> '--enable-wccpv2'
> '--enable-zph-qos'
> '--infodir=/usr/local/info/'
> '--libexecdir=/usr/local/libexec/squid'
> '--localstatedir=/var'
> '--mandir=/usr/local/man'
> '--prefix=/usr/local'
> '--sbindir=/usr/local/sbin'
> '--sysconfdir=/usr/local/etc/squid'
> '--with-default-user=squid'
> '--with-large-files'
> '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache'
> '--without-gnutls'
> '--without-gss'
> '--without-heimdal-krb5'
> '--without-mit-krb5'
> '--without-nat-devpf'
> '--without-nettle'



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 5:37 PM, Rafael Akchurin wrote:
> How is your network configured? Your rules indicate you have 2 nics but you 
> later say you have one..

Originally, I started with 1 NIC (it's a VM), and added 2 more, because
I read that pf/ipfw can't rewrite ingress packets on the same interface
it used for egress, but I haven't tried creating a bridge and routes to
attempt to make that work yet.

The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
routable IP bound to eth0) and the secondary NIC sits on the "backup"
network (LAN-side) on 192.168.2.x.

Let's break it down:

[WAN router]
  |-- LAN: 192.168.1.1 (wired LAN)
  `-- WWAN: 10.0.1.1 (wireless clients)

BSD VM: 192.168.1.25

Ubuntu VM:
  |-- INET: 32.215.x.x
  `-- LAN: 192.168.2.x

The WAN router is what sends traffic sent over it on :80, over to .1.25
(BSD) to cache.

Previously, I had it pointed to Squid 2.6 sitting on my NAS
(192.168.1.20) and that would work perfectly as a transparent proxy.

When I pointed the WAN router to .25 instead of .20, and upgraded the
version of Squid by using BSD's version from ports on .25, this process
all fell apart.

So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
requirement to get transparent proxying working with anything using
Squid 3.x or later?

Can this be done with a single NIC sitting on an Internet-facing LAN
segment?

If so, how?


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 4:31 PM, Yuri wrote:
> I have not seen your configuration options for Squid. Not squid.conf. Just
> ./configure options.

Here's what I'm building with (from 'make config' in ports tree)

'--bindir=/usr/local/sbin'
'--build=amd64-portbld-freebsd11.1'
'--datadir=/usr/local/etc/squid'
'--disable-arch-native'
'--disable-ecap'
'--disable-epoll'
'--disable-esi'
'--disable-ipf-transparent'
'--disable-ipv6'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-pf-transparent'
'--disable-silent-rules'
'--disable-snmp'
'--disable-ssl'
'--disable-ssl-crtd'
'--disable-stacktraces'
'--disable-translation'
'--enable-auth'
'--enable-auth-basic=DB'
'--enable-auth-digest=file'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake'
'--enable-build-info'
'--enable-cache-digests'
'--enable-delay-pools'
'--enable-disk-io=DiskThreads'
'--enable-eui'
'--enable-external-acl-helpers=file_userip'
'--enable-follow-x-forwarded-for'
'--enable-forw-via-db'
'--enable-htcp'
'--enable-http-violations'
'--enable-icap-client'
'--enable-icmp'
'--enable-ident-lookups'
'--enable-ipfw-transparent'
'--enable-kqueue'
'--enable-loadable-modules'
'--enable-log-daemon-helpers=file'
'--enable-removal-policies=lru'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-storeio=aufs'
'--enable-url-rewrite-helpers=fake'
'--enable-wccp'
'--enable-wccpv2'
'--enable-zph-qos'
'--infodir=/usr/local/info/'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var'
'--mandir=/usr/local/man'
'--prefix=/usr/local'
'--sbindir=/usr/local/sbin'
'--sysconfdir=/usr/local/etc/squid'
'--with-default-user=squid'
'--with-large-files'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-swapdir=/var/squid/cache'
'--without-gnutls'
'--without-gss'
'--without-heimdal-krb5'
'--without-mit-krb5'
'--without-nat-devpf'
'--without-nettle'


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
That's strange.
How is your network configured? Your rules indicate you have 2 nics but you 
later say you have one..

Best regards,
Rafael Akchurin

> On 7 Feb 2018 at 23:31, setuid wrote:
> 
>> On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
>> If you do not mind looking at other tutorials - these are what we have in 
>> the test lab.
> 
>> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> 
> I can confirm that the instructions in this tutorial result in the same
> exact failure scenario as all previous attempts and tests (once I
> removed the unnecessary Apache/Web Safety bits).
> 
> Firewall rules are:
> 
> -A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT
> 
> Squid config is generic, with the exception of:
> 
> http_port 3126 intercept
> 
> There is a single interface on the host, which resides on the LAN _and_
> is Internet-facing (eth0).
> 
> The result is that I get the same as before:
> 
> ==> /var/log/squid3/access.log <==
> 1518042565.613  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
> text/html
> 
> If I point the client (curl, browser, perl + LWP) at the proxy directly
> on 3128, it works as expected.
> 
> I am firmly convinced that _transparent_ proxying with squid, is 100%
> non-functional. The proxy works fine, but transparent proxying is
> demonstrably broken in anything later than 3.x.
> 


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have in the 
> test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html

I can confirm that the instructions in this tutorial result in the same
exact failure scenario as all previous attempts and tests (once I
removed the unnecessary Apache/Web Safety bits).

Firewall rules are:

-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT

Squid config is generic, with the exception of:

http_port 3126 intercept

There is a single interface on the host, which resides on the LAN _and_
is Internet-facing (eth0).

The result is that I get the same as before:

==> /var/log/squid3/access.log <==
1518042565.613  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
text/html

If I point the client (curl, browser, perl + LWP) at the proxy directly
on 3128, it works as expected.

I am firmly convinced that _transparent_ proxying with squid, is 100%
non-functional. The proxy works fine, but transparent proxying is
demonstrably broken in anything later than 3.x.



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
No unfortunately nothing like this is in our lab for FreeBSD - but default 
Squid package in pfSense runs transparently without issues I have heard (or 
with other issues than you have).

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: setuid [mailto:set...@gmail.com] 
Sent: Wednesday, February 7, 2018 10:45 PM
To: Rafael Akchurin ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy 
(NOT https)

On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Thanks for the quick reply. Do you have a version of these that is BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although was using Linux 
as a means to validate that the functionality to do transparent proxying was 
broken (confirmed in both OS').

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should be 
decoupled as they're not required to get this working (and are likely 
prohibited in many-to-most enterprises who would deploy a proxy in this 
fashion).




Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Thanks for the quick reply. Do you have a version of these that is
BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although was using
Linux as a means to validate that the functionality to do transparent
proxying was broken (confirmed in both OS').

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should
be decoupled as they're not required to get this working (and are likely
prohibited in many-to-most enterprises who would deploy a proxy in this
fashion).




Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
Hello setuid,

If you do not mind looking at other tutorials - these are what we have in the 
test lab.

https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

First one for Squid running on the gateway and the second one for separate 
Squid that intercepts  traffic re-routed from the router using 
Policy-Based-Routing.
The tutorials are working, I test it with every release of our ICAP web filter.

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of setuid
Sent: Wednesday, February 7, 2018 10:11 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT 
https)

I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf, ipf, 
ipfilter) does not work at all, when configured as a transparent proxy. Full 
stop.

I went through hundreds of posts on dozens of forums, blogs and other 
resources, tried dozens and dozens of configurations suggested by those posts, 
tried all 3 firewall options on BSD, tried two versions of Ubuntu and the 
various versions of Squid from the apt repos, as well as those in BSD's ports.

All of them, 100%, fail in _exactly_ the same way, no matter what my 
configuration was set to. That result, is that _every single http request I 
make_ when Squid is configured as a transparent proxy, results in the following 
response being logged:

==
07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
/ - HIER_NONE/- text/html ("-" "-")
==

When I point a client directly at the proxy, using a browser, curl or anything 
else, I see:

==
07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") 
==

These were the same exact request against the same exact Squid instance.
If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is 
_identical_ for every single http request I make, regardless of origin.

My Squid configuration is 100% default, identical to the generic config, with 
the exception of the following lines:

==
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
debug_options ALL,9
==

I've tried all of the obvious links, blogs and resources I could Google up, and 
100% of them fail to function as described. Most people I've seen on the forums 
who attempt to get this working, throw their hands up in defeat and end up 
configuring the proxy directly on every client that needs it.

My current environment looks like this:

[ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]

That router has a firewall script on it that says:

==
#!/bin/sh
PROXY_IP=192.168.2.25
PROXY_PORT=3128
LAN_IP=$(nvram get lan_ipaddr)
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT

iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
==

This takes every packet that hits the router on :80, and sends it to my Squid 
server on .25, which mangles it and sends it back to 192.168.1.1 (router), and 
onward back to client who requested it.

When I was using 2.6 (without large_file support), I was using this same exact 
configuration, but http_port was set to 'accel', and I didn't need _any_ 
NAT/routing rules on the squid side at all. It all "Just Worked(tm)".

Now I need to jump through hoops to do pf incantations of rdr/direct-to (but 
direct-to and direct-reply aren't supported on FreeBSD's pf, only OpenBSD's pf 
supports that syntax), and iptables PREROUTING and POSTROUTING mojo (also 
fails).

Here's a list of some of the resources I've tried, with 100% failure in every 
case. There are dozens more that I've lost in my browser history now.

* https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
*
https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
* https://www.benzedrine.ch/transquid.html
*
https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
*
https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
*
https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
* https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
* https://ubuntuforums.org/showthread.php?t=2210987
*

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
One stupid idiotic question.

Did you build your Squid with transparent NAT support?

This is a mandatory prerequisite for transparent Squid.

I have not seen your configuration options for Squid. Not squid.conf. Just
./configure options.


08.02.2018 03:11, setuid wrote:
> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
>
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
>
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
>
> ==
>   07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ==
>
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
>
> ==
>   07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ==
>
> These were the same exact request against the same exact Squid instance.
> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
>
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==
>
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
>
> My current environment looks like this:
>
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
>
> That router has a firewall script on it that says:
>
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
>
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
> DNAT --to $PROXY_IP:$PROXY_PORT
>
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
> SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
> --dport $PROXY_PORT -j ACCEPT
> ==
>
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
>
> When I was using 2.6 (without large_file support), I was using this same
> exact configuration, but http_port was set to 'accel', and I didn't need
> _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".
>
> Now I need to jump through hoops to do pf incantations of rdr/direct-to
> (but direct-to and direct-reply aren't supported on FreeBSD's pf, only
> OpenBSD's pf supports that syntax), and iptables PREROUTING and
> POSTROUTING mojo (also fails).
>
> Here's a list of some of the resources I've tried, with 100% failure in
> every case. There are dozens more that I've lost in my browser history now.
>
> * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
> *
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
> * https://www.benzedrine.ch/transquid.html
> *
> https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
> *
> https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
> *
> https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
> * https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
> * https://ubuntuforums.org/showthread.php?t=2210987
> *
> http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
> *
> http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
>
> I also tried asking in #squid on Freenode (dead channel), and #FreeBSD
> (helpful folks there, but they too, failed to get this working).
>
> So I'm at an impasse. Is this just 100% 

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:11 PM, setuid wrote:
> That router has a firewall script on it that says:
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25

Yes, this is a typo here in email but is correct in the router's
firewall script.

This should be either 192.168.2.20 or 192.168.1.25; both are Squid
caches inside my LAN on Ubuntu and BSD respectively.

Here's an example of my ipfw rules, for comparison:

==
$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80 via em0
$cmd 00810 fwd 127.0.0.1,3128 ip from any to any dst-port 21 src-ip 192.168.1.0/24
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.1 src-ip 192.168.1.0/24
==



[squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf,
ipf, ipfilter) does not work at all, when configured as a transparent
proxy. Full stop.

I went through hundreds of posts on dozens of forums, blogs and other
resources, tried dozens and dozens of configurations suggested by those
posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
and the various versions of Squid from the apt repos, as well as those
in BSD's ports.

All of them, 100%, fail in _exactly_ the same way, no matter what my
configuration was set to. That result, is that _every single http
request I make_ when Squid is configured as a transparent proxy, results
in the following response being logged:

==
07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
/ - HIER_NONE/- text/html ("-" "-")
==

When I point a client directly at the proxy, using a browser, curl or
anything else, I see:

==
07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
==

These were the same exact request against the same exact Squid instance.
If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
_identical_ for every single http request I make, regardless of origin.

My Squid configuration is 100% default, identical to the generic config,
with the exception of the following lines:

==
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
debug_options ALL,9
==

I've tried all of the obvious links, blogs and resources I could Google
up, and 100% of them fail to function as described. Most people I've
seen on the forums who attempt to get this working, throw their hands up
in defeat and end up configuring the proxy directly on every client that
needs it.

My current environment looks like this:

[ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]

That router has a firewall script on it that says:

==
#!/bin/sh
PROXY_IP=192.168.2.25
PROXY_PORT=3128
LAN_IP=$(nvram get lan_ipaddr)
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
--dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
DNAT --to $PROXY_IP:$PROXY_PORT

iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
--dport $PROXY_PORT -j ACCEPT
==

This takes every packet that hits the router on :80, and sends it to my
Squid server on .25, which mangles it and sends it back to 192.168.1.1
(router), and onward back to client who requested it.

When I was using 2.6 (without large_file support), I was using this same
exact configuration, but http_port was set to 'accel', and I didn't need
_any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".

Now I need to jump through hoops to do pf incantations of rdr/direct-to
(but direct-to and direct-reply aren't supported on FreeBSD's pf, only
OpenBSD's pf supports that syntax), and iptables PREROUTING and
POSTROUTING mojo (also fails).

Here's a list of some of the resources I've tried, with 100% failure in
every case. There are dozens more that I've lost in my browser history now.

* https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
* https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
* https://www.benzedrine.ch/transquid.html
* https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
* https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
* https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
* https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
* https://ubuntuforums.org/showthread.php?t=2210987
* http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
* http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https

I also tried asking in #squid on Freenode (dead channel), and #FreeBSD
(helpful folks there, but they too, failed to get this working).

So I'm at an impasse. Is this just 100% decoupled from the current
codebase, and doesn't work at all? Or is this really meant to be some
lengthy archaeology to find the right, working solution for getting this
configured in Linux or BSD?

It seems like, with the hundreds of posts from people out there failing
to do this correctly, there's a great opportunity here to a.) make
it work again like it did in v2.6, and b.) document the _precise steps_
required to make it function as a transparent http 
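Two things in a setup like the one above can be checked mechanically before any packet tracing: whether each NAT rule's target port carries the mode flag that matches the traffic it delivers (an http_port with no flag is a forward-proxy port and rejects intercepted requests; DNAT/REDIRECT traffic needs `intercept`, TPROXY traffic needs `tproxy`), and whether the NAT is performed on the Squid host at all, since Squid's intercept lookup reads the NAT table of the machine it runs on. The script below is an added example written for this thread, not code from the post or from the Squid project. It assumes rules are written with literal values rather than shell variables, handles only the DNAT/REDIRECT/TPROXY targets (so it goes beyond the post's DNAT case), uses constructed sample rules, and takes `rules_on_squid_host` from the caller because the rule text alone does not say where it is executed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Mode flags accepted on http_port/https_port. "transparent" is the pre-3.1
# spelling of "intercept"; a port with none of these is a forward-proxy port.
MODE_FLAGS = {"intercept", "transparent", "tproxy", "accel", "ssl-bump"}


@dataclass
class ListenPort:
    port: int
    modes: Set[str] = field(default_factory=set)

    def accepts(self, kind: str) -> bool:
        """kind is 'nat' for DNAT/REDIRECT traffic or 'tproxy' for TPROXY traffic."""
        if kind == "tproxy":
            return "tproxy" in self.modes
        return bool(self.modes & {"intercept", "transparent"})


def parse_listen_ports(conf: str) -> Dict[int, ListenPort]:
    """Collect http_port/https_port directives from squid.conf text, keyed by port."""
    ports: Dict[int, ListenPort] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(?:http|https)_port\s+(\S+)(.*)$", line)
        if not m:
            continue
        # The address may be "3129", "192.168.1.25:3129" or "[::]:3129".
        port = int(m.group(1).rsplit(":", 1)[-1])
        modes = {tok for tok in m.group(2).split() if tok in MODE_FLAGS}
        ports[port] = ListenPort(port, modes)
    return ports


@dataclass
class NatTarget:
    action: str             # DNAT, REDIRECT or TPROXY
    port: int
    dest_ip: Optional[str]  # only DNAT names a destination host


_JUMP = re.compile(r"-j\s+(DNAT|REDIRECT|TPROXY)\b(.*)$")
_TARGET = {
    "DNAT": re.compile(r"--to(?:-destination)?\s+(?P<ip>[\d.]+):(?P<port>\d+)"),
    "REDIRECT": re.compile(r"--to-ports?\s+(?P<port>\d+)"),
    "TPROXY": re.compile(r"--on-port\s+(?P<port>\d+)"),
}


def parse_nat_targets(rules: str) -> List[NatTarget]:
    """Extract where each iptables redirection rule delivers traffic."""
    targets: List[NatTarget] = []
    for line in rules.splitlines():
        m = _JUMP.search(line)
        if not m:
            continue
        t = _TARGET[m.group(1)].search(m.group(2))
        if not t:
            continue
        targets.append(NatTarget(m.group(1), int(t.group("port")), t.groupdict().get("ip")))
    return targets


def check_interception(conf: str, rules: str, rules_on_squid_host: bool) -> List[str]:
    """Return the problems found; an empty list means NAT rules and port modes agree."""
    ports = parse_listen_ports(conf)
    targets = parse_nat_targets(rules)
    problems: List[str] = []
    if targets and not rules_on_squid_host:
        problems.append("NAT rules run on another machine: intercept/tproxy ports need "
                        "the NAT state of the host Squid itself runs on")
    for t in targets:
        kind = "tproxy" if t.action == "TPROXY" else "nat"
        lp = ports.get(t.port)
        if lp is None:
            problems.append(f"{t.action} targets port {t.port}, but no http_port/https_port listens there")
        elif not lp.accepts(kind):
            have = " ".join(sorted(lp.modes)) or "none (forward-proxy port)"
            need = "tproxy" if kind == "tproxy" else "intercept"
            problems.append(f"{t.action} delivers redirected traffic to port {t.port}, "
                            f"whose mode flags are {have}; it needs '{need}'")
    return problems


# Constructed sample input: the port layout from the post, and two rule sets.
SQUID_CONF = """
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
"""
# Executed on a separate router and aimed at the forward-proxy port: two problems.
ROUTER_RULES = """
iptables -t nat -A PREROUTING -i br0 ! -s 192.168.1.25 -p tcp --dport 80 -j DNAT --to 192.168.1.25:3128
"""
# Executed on the Squid host itself and aimed at the intercept port: no problems.
LOCAL_RULES = """
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.1.25 -p tcp --dport 80 -j REDIRECT --to-ports 3129
"""

if __name__ == "__main__":
    for name, rules, local in (("router", ROUTER_RULES, False), ("local", LOCAL_RULES, True)):
        print(name, check_interception(SQUID_CONF, rules, local) or "OK")
```

Run it against a real `squid.conf` and the output of `iptables-save -t nat` from the box the rules live on; the `! -s` exclusion of Squid's own outgoing address is kept in both constructed rule sets because without it Squid's upstream connections would be redirected back into itself.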

Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread steveno
OK, this may be irrelevant to the "host_verify_strict" setting; it's just that when
I looked at messages like "2018/02/07 17:57:45 kid1| SECURITY ALERT: on
URL: sqs.us-west-2.amazonaws.com:443" in the cache.log it led me to believe
this was a feature of "RFC 2616 section 14.23" and that the default setting
of host_verify_strict off would log these errors and allow access to these
sites.

On 3.5.20 the access log appeared to have very few 409 status returns.

Since going to 3.5.25 and now 3.5.27, in case recent changes fixed the
behavior I was seeing, there are many 409 statuses returned in the logs and
many more SSL issues talking to sites like AWS that use a number of IP
addresses that might not be able to be verified.

It seems either I use 3.5.20 and restart squid when the FDs get close to
maximum, or I have these SSL problems with client connections. What is needed
to try and investigate this further, as it appears to have changed with the
bug fix 4508?

Thanks.

Steve.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread Yuri
This is irrelevant to host_verify_strict. This is the effect of server-side CDN
IP changes. Squid treats it as a security alert.


-- 
*
* C++20 : Bug to the future *
*






[squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread steveno
I was using squid 3.5.20 and encountered an issue running out of File
Descriptors on Centos7; the scenario was that sockets would be abandoned in
a "CLOSE_WAIT" state forever until the server ran out of FDs.
Searching, I found the following BUG:
https://bugs.squid-cache.org/show_bug.cgi?id=4508
This is listed as being fixed in 3.5.25, so I installed that version. Once
installed the FD problem seemed to be resolved, but now there is another
issue: "Default Value: host_verify_strict off" seems to be lost; in my access
logs I get a number of entries:
2018-02-07 17:10:42  0 10.x.x.x TAG_NONE/409 3941 CONNECT
sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/-
text/html

Cache logs I get:
2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL:
sqs.us-west-2.amazonaws.com:443

And the clients making those requests tend to see dropped connections with a
"SSL: UNKNOWN_PROTOCOL" error.

I tried setting the value "host_verify_strict off" but it did not appear to
have any effect.

It looks like this fix for the File Descriptors has broken something else.

Thanks.

Steven Oakley.



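The TAG_NONE/409 entries in this report are worth triaging before anything is changed: Squid returns 409 when its host verification of a request fails, and the access log can separate two very different causes. If many distinct clients get 409 for the same destination, the problem is on the server side (the addresses the name resolves to do not match what clients reach, as the reply above attributes to CDN IP changes); if a single client collects 409s across many destinations, that client deserves a look (a resolver different from Squid's, or requests whose Host header does not match where they are going). The script below is an added example written for this post, not part of the thread or of Squid; it parses constructed lines in Squid's default native access.log format (the post's lines use a custom logformat with a human-readable timestamp, so their layout differs) and applies those two heuristics.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Squid's default "squid" logformat:
#   time elapsed client code/status bytes method url ident hierarchy/peer type
_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def host_of(method: str, url: str) -> str:
    """CONNECT logs host:port; other methods log an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else url


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one native-format line, or None if it does not parse."""
    m = _NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = host_of(rec["method"], rec["url"])
    return rec


def triage_409(lines: List[str], min_hits: int = 3, ratio: float = 0.5) -> Dict[str, List[str]]:
    """Split 409 (host verification failed) entries into two patterns.

    server_side: a destination that more than one client gets 409 for, with 409
        making up at least `ratio` of its traffic over `min_hits` or more requests
        -> the name resolves to addresses that do not match what clients reach.
    client_side: a single client collecting 409s across `min_hits` or more
        destinations -> look at that client (its resolver, or the Host headers
        it sends).
    """
    per_host = defaultdict(lambda: {"total": 0, "rejected": 0, "clients": set()})
    per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        h = per_host[rec["host"]]
        h["total"] += 1
        if rec["status"] == 409:
            h["rejected"] += 1
            h["clients"].add(rec["client"])
            per_client[rec["client"]].add(rec["host"])
    report: Dict[str, List[str]] = {"server_side": [], "client_side": []}
    for host, h in per_host.items():
        if (h["total"] >= min_hits and len(h["clients"]) > 1
                and h["rejected"] / h["total"] >= ratio):
            report["server_side"].append(host)
    for client, hosts in per_client.items():
        if len(hosts) >= min_hits:
            report["client_side"].append(client)
    return report


# Constructed sample lines (documentation address ranges, invented clients).
SAMPLE_LOG = """
1517994642.000      0 10.0.0.5 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_NONE/- text/html
1517994643.000      0 10.0.0.6 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_NONE/- text/html
1517994644.000      0 10.0.0.7 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_NONE/- text/html
1517994645.000    120 10.0.0.8 TCP_TUNNEL/200 5120 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_DIRECT/192.0.2.10 -
1517994646.000     80 10.0.0.5 TCP_MISS/200 2210 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.5 text/html
1517994647.000      0 10.0.0.9 TAG_NONE/409 3941 CONNECT mail.example.net:443 - HIER_NONE/- text/html
1517994648.000      0 10.0.0.9 TAG_NONE/409 3941 GET http://intranet.example.org/ - HIER_NONE/- text/html
1517994649.000      0 10.0.0.9 TAG_NONE/409 3941 CONNECT api.example.com:443 - HIER_NONE/- text/html
""".strip().splitlines()

if __name__ == "__main__":
    print(triage_409(SAMPLE_LOG))
```

Feed it `access.log` with `triage_409(open("/var/log/squid/access.log").readlines())`; the thresholds are deliberately low for the sample and should be raised on a busy proxy so that one unlucky client or one transient DNS change does not show up as a pattern.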


Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm thinking of adding a routine to cron to restart squid as soon as lunch
break ends.
Is there any other less invasive way to reset an ssl connection and force
another CONNECT to squid?



Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries
On 08/02/18 02:50, Danilo V wrote:
> I'm not using SSL intercept configuration. Now i see is required, even
> for explicit mode.

Only because you want *Squid* to be the process controlling HTTPS
things. If you did the controls at the network traffic level (eg
iptables, pf) instead then you would not have to worry about these type
of differences.

Amos


Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm not using SSL intercept configuration. Now I see it is required, even for
explicit mode.
Thank you for the explanation.

Danilo






Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries


So what https_port and/or SSL-Bump settings do you use to actually
access the HTTPS requests?

Without either explicit TLS or SSL-Bump there is only an initial CONNECT
tunnel setup. The time ACLs are applied at that point and HTTP ends once
the tunnel starts. No ACLs or other checking is possible on the TCP
connection.


Amos


Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
- Squid.conf:

http_port 3128

acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
acl LUNCH time 12:00-13:00
http_access allow social LUNCH
http_access deny social

1. Adjust time in acl to your local test time.
2. Open facebook and twitter tabs in browser within allowed hours.
3. Once the interval expires try to scroll pages down or click internal
links.
4. It's still working here. :-(

Best,
Danilo



Re: [squid-users] 3.5.20 run out of my memory.

2018-02-07 Thread Amos Jeffries

On 07/02/18 19:34, minh hưng đỗ hoàng wrote:
> Dear all, i use squid 3.5.20 on ubuntu14 in TPROXY mode.
> With basic config in squid.conf, but squid is run out of my server's memory.
> Here is my configure option :
...
> 
> https_port 3130 tproxy ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn

Please add sslflags=NO_DEFAULT_CA to the above config line. That should
reduce the memory usage a lot.

If the problem remains, please try:
 a) removing that patch. It makes your Squid vulnerable to the worst
security issues Squid has faced this century.
 (One of the MANY effects of that vulnerability is the ability of remote
attackers to consume large amounts of your network resources without any
traceability or visibility.)

  b) upgrade to Squid-4. The version is still in beta due to a few
issues, but overall MUCH better for SSL-Bump than Squid-3.


Amos


Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread TarotApprentice

I’ve already raised a Debian bug regarding startup script issues with it. Maybe 
that will receive some attention.



Re: [squid-users] Time acl not working

2018-02-07 Thread Antony Stone

Show us how to reproduce the problem.


Antony.

-- 
Users don't know what they want until they see what they get.

Please reply to the list; please *don't* CC me.


[squid-users] Time acl not working

2018-02-07 Thread Danilo V
Hello all, time acl is not working for dynamic HTTPS pages such as social
networks.

I set it to release any content during lunch time. In this period
everything works, but when the interval expires, the already open network
media pages continue to receive updates and are not blocked as expected. On
the other hand HTTP pages and some static HTTPS do not occur this problem.

The issue was verified in both squid3 and squidguard 1.5 in explicit mode
and in sites such as Facebook, Twitter and Instagram.

The problem is very simple to simulate. The only workaround found is to
restart the squid.

Can someone help me?

Danilo Teixeira


Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread L . P . H . van Belle
Hi, 

If you want a squid 3.5.27 for debian stretch (amd64 only built),
have a look here: http://downloads.van-belle.nl/squid/
The tar.gz contains the build log, sources used and debs.

My changelog.
squid3 (3.5.27-0.1) stretch; urgency=medium

  * Non-maintainer upload.
  * Built from squid-cache.org sources.
  * base 3.5.23 from buster.
  * No changes.

The exact version is : 
Squid Cache: Version 3.5.27-20171101-re69e56c

So nothing fancy, just the debian standards. If you want a bit newer,
go here: http://www.squid-cache.org/Versions/v3/3.5
and look if there is anything interesting you want and add the patches, or get a daily
tar.gz and replace the source.tar.gz.


Greetz, 

Louis

 



Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread Flashdown

FYI:
There is already progress on Squid 4.0.23 over here: 
https://packages.debian.org/source/experimental/squid


BTW: Hope I may get a response this time from anybody over there, then I 
would package 3.5.27..


On 2018-02-05 10:21, Flashdown wrote:

Well, I've forwarded my old mail just now after subscribing to this
list, which I did send directly to luigi and manty because I was
unaware of these mailing lists. Thank you Amos!

On 2018-02-05 04:00, Eliezer Croitoru wrote:

It seems they are not even trying to block spam...

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
On Behalf Of Amos Jeffries
Sent: Sunday, February 4, 2018 20:40
To: Enrico Heine ; 
squid-users@lists.squid-cache.org

Subject: Re: [squid-users] 4.0.23 release in Debian

On 05/02/18 00:06, Enrico Heine wrote:
Already asked the responsible guys if I can support them by packaging
squid for debian, since this is what I already do for my company and
there is no reason for not sharing it or building it in my spare time at
home. Unfortunately I never got an answer, so I thought ok, I can't force
them to allow me to contribute something back. I would also have been
grateful for just becoming an uploader to experimental only. Sad
story, I guess they are too busy to even listen to people trying
to help.




Who did you contact? The Debian 'squid' and 'squid3' packages are being
maintained by a team these days. I have not seen any messages from you
going to that mailing list:



Amos


Re: [squid-users] 3.5.20 run out of my memory.

2018-02-07 Thread Vacheslav
I cron these for memory; try it.

0 */1 * * * root /usr/sbin/sysctl -w vm.drop_caches=3

0 */1 * * * root /bin/sync && /bin/echo 3 | /usr/bin/tee /proc/sys/vm/drop_caches


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of minh hưng đỗ hoàng
Sent: Wednesday, February 7, 2018 9:35 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] 3.5.20 run out of my memory.

 

Dear all, I use squid 3.5.20 on ubuntu14 in TPROXY mode.

I have a basic config in squid.conf, but squid runs out of my server's memory.

Here are my configure options:

'--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info' 
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' 
'--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-gnuregex' '--enable-delay-pools' '--enable-cache-digests' 
'--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' 
'--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' 
'--enable-http-violations' '--enable-ssl-crtd' '--enable-linux-netfilter' 
'--enable-ltdl-install' '--enable-ltdl-convenience' 
'--enable-x-accelerator-vary' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 
'--disable-translation' '--disable-ipv6' '--disable-ident-lookups' 
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24' 
'--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536' 
'--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'
--



And I apply this patch before compiling to disable the host forgery checks:

+diff -ur squid-3.5.20-orig/src/client_side_request.cc 
squid-3.5.20/src/client_side_request.cc
+--- squid-3.5.20-orig/src/client_side_request.cc2016-07-01 
13:37:50.0 +0200
 squid-3.5.20/src/client_side_request.cc2017-03-10 16:48:08.920084072 
+0100
+@@ -530,6 +530,10 @@
+ }
+ debugs(85, 3, HERE << "validate IP " << clientConn->local << " 
non-match from Host: IP " << ia->in_addrs[i]);
+ }
++// disable fogery check. See 
https://code.nethesis.it/Nethesis/dev/issues/5088
++http->request->flags.hostVerified = true;
++http->doCallouts();
++return;
+ }
+ debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " 
possible from Host:");
+ hostHeaderVerifyFailed("local IP", "any domain IP");
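Review bot: the three `++` lines before the closing `}` (`flags.hostVerified = true`, `doCallouts()`, `return`) run whenever the loop over `ia->in_addrs` finishes without a match, so every Host-to-IP mismatch is declared verified and the `hostHeaderVerifyFailed("local IP", "any domain IP")` path that follows becomes unreachable; that is a blanket removal of the forgery check for every client and destination, not the narrow exemption the comment ("disable fogery check", a typo for "forgery") suggests, and the only remaining trace of a mismatch is the level-3 `debugs` line inside the loop, which is off at the `debug_options ALL,1` used below. The hunk's header lines are also damaged as pasted: the `diff -ur` and `---` lines carry a spurious leading `+` and the `+++` line has lost its marker, so `patch` will not apply it as shown. Revert this hunk rather than repairing it, as the reply above also advises.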

 

And here is my squid.conf (I don't post my http_access, for a clearer view :()

###
# Squid normally listens to port 3128
###

https_port 3130 tproxy ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB 
cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn
http_port 3129 tproxy
http_port 3128

###
# squid ssl_bump option
###
acl step1 at_step SslBump1
acl block ssl::server_name "/etc/squid/block_domain.txt"
ssl_bump peek step1
ssl_bump terminate block
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher  
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

###
## LOGFILE OPTIONS
###

mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid

include /etc/squid/logging.conf
###
## OPTIONS FOR TROUBLESHOOTING
###

coredump_dir /var/spool/squid
debug_options ALL,1
cache_effective_user squid
cache_effective_group squid
###
## PERSISTENT CONNECTION HANDLING
###
 
detect_broken_pconn off
client_persistent_connections off
server_persistent_connections on

###
## ERROR PAGE OPTIONS