[squid-users] How to combine two proxies into one?

2018-02-14 Thread Peng Yu
Hi,

Here are the conf files for two proxies. The first is a reverse proxy
(proxied on server1 and server2) and the second is a forward proxy. Is
there a way to combine the two into one (supporting both 3129 and
3128)? Thanks.

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3129
cache_peer server1 parent 3128 0 round-robin no-query
cache_peer server2 parent 3128 0 round-robin no-query
forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320
forwarded_for delete

-- 
Regards,
Peng
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
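One way to merge the two configurations above into a single squid.conf, as an added example that is not part of the original post or of the Squid project's documentation. The approach is to give each http_port a name and use myportname ACLs to decide which listener's traffic is routed through the parents: requests arriving on 3129 are forced through server1/server2 (never_direct plus cache_peer_access), requests arriving on 3128 always go direct. Note two things about the originals that this example keeps or deliberately changes: the 3129 config has no accel option, so in Squid terms it is a forward proxy chained to two parent proxies rather than an accelerator, and that behaviour is preserved; the 3128 config ended with http_access allow all, which turns the listener into an open proxy for anyone who can reach the port, so the merged version ends with deny all and relies on the localnet ACL instead. The port names fwd/rev, the ACL names on_fwd/on_rev and the peer names srv1/srv2 are assumptions chosen for this example; server1, server2 and the paths come from the posted configs.

```squid
# Added example: one squid.conf that listens on 3128 (plain forward proxy)
# and 3129 (forward proxy chained through server1/server2).
# Names fwd/rev, on_fwd/on_rev, srv1/srv2 are assumptions for this example.

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

# Name each listener so ACLs can tell the two roles apart.
http_port 3128 name=fwd
http_port 3129 name=rev
acl on_fwd myportname fwd
acl on_rev myportname rev

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# The original 3128 config had "http_access allow all" here, which makes
# an open proxy. Keep the default-deny so only localnet/localhost may use it.
http_access deny all

# Parents are only eligible for traffic that arrived on the 3129 listener...
cache_peer server1 parent 3128 0 round-robin no-query name=srv1
cache_peer server2 parent 3128 0 round-robin no-query name=srv2
cache_peer_access srv1 allow on_rev
cache_peer_access srv1 deny all
cache_peer_access srv2 allow on_rev
cache_peer_access srv2 deny all
# ...and that traffic must not fall back to going direct if both parents are
# down, while 3128 traffic never touches the parents at all.
never_direct allow on_rev
always_direct allow on_fwd

forwarded_for delete
coredump_dir /usr/local/var/cache/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320
```

Before reloading, check the merged file with squid -k parse (the same check used in the next thread on this page); it reports unknown directives and ACL references to undefined names. After reload, a quick functional check is to issue one request through each port and confirm in access.log that the 3129 request logs a ROUND_ROBIN_PARENT/server1 (or server2) destination while the 3128 request logs HIER_DIRECT.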


Re: [squid-users] Squid4 with ssl-bump single_dh_use unknown

2018-02-14 Thread Peter Viskup
Crypto part of the configure log:

checking for nettle_md5_init in -lnettle... yes
checking nettle/md5.h usability... yes
checking nettle/md5.h presence... yes
checking for nettle/md5.h... yes
checking nettle/base64.h usability... yes
checking nettle/base64.h presence... yes
checking for nettle/base64.h... yes
checking for Nettle 3.4 API compatibility... no
configure: Using Nettle cryptographic library: yes
checking for crypt in -lcrypt... yes
checking for MD5Init in -lmd5... no
checking for LIBGNUTLS... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
configure: GnuTLS library support: auto  -lgnutls
checking openssl/bio.h usability... yes
checking openssl/bio.h presence... yes
checking for openssl/bio.h... yes
checking openssl/crypto.h usability... yes
checking openssl/crypto.h presence... yes
checking for openssl/crypto.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes
checking openssl/md5.h usability... yes
checking openssl/md5.h presence... yes
checking for openssl/md5.h... yes
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/x509v3.h usability... yes
checking openssl/x509v3.h presence... yes
checking for openssl/x509v3.h... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking openssl/txt_db.h usability... yes
checking openssl/txt_db.h presence... yes
checking for openssl/txt_db.h... yes
checking for LIBOPENSSL... yes
checking for EVP_PKEY_get0_RSA in -lcrypto... yes
checking for BIO_meth_new in -lcrypto... yes
checking for BIO_get_init in -lcrypto... yes
checking for ASN1_STRING_get0_data in -lcrypto... yes
checking for X509_STORE_CTX_get0_cert in -lcrypto... yes
checking for X509_VERIFY_PARAM_get_depth in -lcrypto... yes
checking for X509_STORE_CTX_get0_untrusted in -lcrypto... yes
checking for X509_STORE_CTX_set0_untrusted in -lcrypto... yes
checking for X509_up_ref in -lcrypto... yes
checking for X509_CRL_up_ref in -lcrypto... yes
checking for DH_up_ref in -lcrypto... yes
checking for X509_get0_signature in -lcrypto... yes
checking for SSL_CIPHER_find in -lssl... yes
checking for SSL_CTX_set_tmp_rsa_callback in -lssl... no
checking for SSL_SESSION_get_id in -lssl... yes
checking for TLS_method in -lssl... yes
checking for TLS_client_method in -lssl... yes
checking for TLS_server_method in -lssl... yes
checking for SSL_CTX_get0_certificate in -lssl... yes
checking whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'"... yes
checking whether SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'"... yes
checking whether SSL_CTX_sess_set_get_cb() callback accepts a const ID argument"... yes
checking "whether X509_get0_signature() accepts const parameters"... yes
checking whether the TXT_DB use OPENSSL_PSTRING data member... yes
checking whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used... no
checking whether the workaround for OpenSSL IMPLEMENT_LHASH_  macros should used... yes
checking whether hello message can be overwritten in SSL struct... no
configure: OpenSSL library support: yes  -lssl -lcrypto


On Wed, Feb 14, 2018 at 2:02 PM, Peter Viskup  wrote:
> Build of squid 4.0.23 on current Debian 9 reports the single_dh_use as not
> known.
> Older build of squid 3.5.21 on Debian 8 doesn't report it.
> According to the documentation [1] it should be known and supported.
>
> [1] http://www.squid-cache.org/Doc/config/http_port/
>
> Is it a bug?
>
> Peter
>
> $ /usr/sbin/squid -v
> Squid Cache: Version 4.0.23
> Service Name: squid
> Squid built with SSLBump
>
> This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions
> on distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2
> -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
> -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
> -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian
> linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid'
> '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
> 

[squid-users] Squid4 with ssl-bump single_dh_use unknown

2018-02-14 Thread Peter Viskup
Build of squid 4.0.23 on current Debian 9 reports the single_dh_use as not known.
Older build of squid 3.5.21 on Debian 8 doesn't report it.
According to the documentation [1] it should be known and supported.

[1] http://www.squid-cache.org/Doc/config/http_port/

Is it a bug?

Peter

$ /usr/sbin/squid -v
Squid Cache: Version 4.0.23
Service Name: squid
Squid built with SSLBump

This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions
on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2
-fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian
linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid'
'--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--disable-loadable-modules' '--enable-storeio=aufs,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-external-acl-helpers=file_userip,session,SQL_session,time_quota,unix_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--disable-esi'
'--enable-icmp' '--enable-zph-qos' '--disable-ecap'
'--disable-translation' '--disable-ident-lookups'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-security-cert-generators=file'
'--enable-ssl-crtd' '--with-openssl' '--without-mit-krb5'
'--without-heimdal-krb5' '--disable-wccp' '--disable-wccpv2'
'--disable-ipv6' '--enable-build-info=Squid built with SSLBump'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g
-O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
-Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro
-Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=.
-fstack-protector-strong -Wformat -Werror=format-security'

$ /usr/sbin/squid -k parse -d 9 -n test
2018/02/14 13:33:41| Startup: Initializing Authentication Schemes ...
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'basic'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'digest'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'negotiate'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'ntlm'
2018/02/14 13:33:41| Startup: Initialized Authentication.
2018/02/14 13:33:41| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
2018/02/14 13:33:41| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/02/14 13:33:41| Processing: acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
2018/02/14 13:33:41| Processing: acl SSL_ports port 443 990
2018/02/14 13:33:41| Processing: acl Safe_ports port 80 # http
2018/02/14 13:33:41| Processing: acl Safe_ports port 21 # ftp
2018/02/14 13:33:41| Processing: acl Safe_ports port 443 # https
2018/02/14 13:33:41| Processing: acl Safe_ports port 70 # gopher
2018/02/14 13:33:41| Processing: acl Safe_ports port 210 # wais
2018/02/14 13:33:41| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2018/02/14 13:33:41| Processing: acl Safe_ports port 280 # http-mgmt
2018/02/14 13:33:41| Processing: acl Safe_ports port 488 # gss-http
2018/02/14 13:33:41| Processing: acl Safe_ports port 591 # filemaker
2018/02/14 13:33:41| Processing: acl Safe_ports port 777 # multiling http
2018/02/14 13:33:41| Processing: acl Safe_ports port 990# ftps
2018/02/14 13:33:41| Processing: acl CONNECT method CONNECT
2018/02/14 13:33:41| Processing: acl purge method PURGE
2018/02/14 13:33:41| Processing: http_access deny !Safe_ports
2018/02/14 13:33:41| Processing: http_access deny CONNECT !SSL_ports
2018/02/14 13:33:41| Processing: http_access allow localhost manager
2018/02/14 13:33:41| Processing: http_access deny manager
2018/02/14 13:33:41| Processing: http_access allow localhost purge
2018/02/14 13:33:41| Processing: http_access deny purge
2018/02/14 13:33:41| Processing: http_access allow localhost
2018/02/14 13:33:41| Processing: http_access deny all
2018/02/14 13:33:41| Processing: include /etc/squid/conf.d/test-http_port.conf
2018/02/14 13:33:41| Processing Configuration File: