Re: [squid-users] Squid proxychains problem

2018-03-28 Thread Amos Jeffries
On 29/03/18 02:34, Thomas Schmiedl wrote:
> Hello,
> 
> I use xupnpd2 (http://xupnpd.org/xupnpd2_en.html) on my MIPS-based
> router to restream some HLS-streams from the internet to my TV. This app
> doesn't support https and has no proxy support. The author doesn't want
> to provide a newer version of xupnpd2.
> 

Well that sucks. Do you have any alternatives?


> I try to restream webcams from Skyline-webcams (e.g.
> http://www.skylinewebcams.com/de/webcam/czech-republic/prague/prague/old-town-bridge-tower.html),
> which uses https. But it's possible to receive the m3u8-file (the URL
> including query-string is in old-town-bridge-tower.html) in http. The
> m3u8-file contains https URLs (ts-video-files, which also can be
> downloaded in http).
> 
> My idea is to use a filter proxy to replace the https URLs in the
> m3u8-file by http URLs. I use Squid 3.5.12 in Ubuntu 16 with this
> eCap-sample-adapter to replace "https" by "http" in the server response:
> http://www.e-cap.org/docs/ (victim=https and replacement=http).
> 
> A first test with a local http-server worked (URLs were replaced):
> curl --proxy 127.0.0.1:3128 http://192.168.178.25:8080/live.m3u8
> 

What I'm not clear on is why you think you need proxychains? A simple
DNAT intercept should do.

The eCAP plugin sounds like it is handling the embedded URL issues that
occur with re-writing for the xupnpd2 response traffic. All you should
need is a way to convert the http:// request URLs from xupnpd2 back into
https:// ones - in theory the eCAP adapter should do both alterations so
they reliably match up, otherwise a URL-rewrite helper can do this later
part.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
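
The URL-rewrite helper mentioned at the end of the reply above, sketched as an added example that is not part of the original thread or of Squid's own code. It uses the Squid 3.4+ `url_rewrite_program` reply syntax (`OK rewrite-url="..."` / `ERR`); the allow-listed host `cdn.example.net`, the helper path and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example): http:// -> https:// for listed hosts.

Assumed squid.conf wiring (the path is hypothetical):
    url_rewrite_program /usr/local/bin/https_upgrade.py
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list: only the hosts whose playlist URLs were downgraded.
UPGRADE_HOSTS = {"cdn.example.net"}


def rewrite(url):
    """Return the https:// form of url, or None to leave the request untouched."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:          # malformed port or bracketed host
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or host not in UPGRADE_HOSTS:
        return None
    if "@" in parts.netloc or port not in (None, 80):
        return None             # never guess at credentials or odd ports
    new = urlunsplit(("https", host, parts.path, parts.query, ""))
    # A quote or backslash would break the key="value" reply syntax.
    return None if '"' in new or "\\" in new else new


def handle_line(line):
    """Answer one helper request line: '[channel-ID] URL [extras...]'."""
    tokens = line.split()
    prefix = ""
    if len(tokens) > 1 and tokens[0].isdigit():   # concurrency channel-ID
        prefix, tokens = tokens[0] + " ", tokens[1:]
    new = rewrite(tokens[0]) if tokens else None
    return f'{prefix}OK rewrite-url="{new}"' if new else f"{prefix}ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        # Squid waits for one reply line per request, so flush each time.
        print(handle_line(request), flush=True)
```

Restricting the rewrite to an explicit host list keeps the helper from changing the scheme of unrelated traffic that passes through the same proxy.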


Re: [squid-users] delay-pool based on authentication

2018-03-28 Thread Amos Jeffries


On 29/03/18 07:31, vvv25 wrote:
> 
>> On 27/03/18 02:51, vvv25 wrote:
>>> Thank you for your time Amos,
>>>
>>> the thing is, I want to have the connection to be restricted by default.
>>> May be I don't understand how to define acl's in the right order.
>>> Or I cannot figure out how to separate authenticated users from not
>>> authenticated.
>>
>> You misunderstand. All pools which can match a transaction affect it. To
>> setup this "no restriction" for your certain clients you need to exclude
>> them from the restricted pools.
> Oh, I see. Thank you for clarification.
> 
>> Setting them to have one restricted and one un-restricted does not help
>> - they will just get the minimum available bandwidth of the two.
> 
> Yes, How then can I achieve following:
> * limited access for non authenticated users (without credentials)
> * unlimited access for those who have credentials ?

Yes, using the config pattern I gave in my first post to this thread.
Just replace the exclusion 'deny' with 'allow'.

"
Use:
  delay_access 2 allow !users all
"

> 
> Is it possible with one instance of squid or do I have to configure 2
> instances
> one with authentication on and
> one with authentication off?
> 

Of course.

> Or are there other ways to try?
> 

There are other ways as well. The most efficient is note ACLs which I
also mentioned in my first post.

Amos


Re: [squid-users] delay-pool based on authentication

2018-03-28 Thread vvv25



> On 27/03/18 02:51, vvv25 wrote:
>> Thank you for your time Amos,
>>
>> the thing is, I want to have the connection to be restricted by default.
>> May be I don't understand how to define acl's in the right order.
>> Or I cannot figure out how to separate authenticated users from not
>> authenticated.
>
> You misunderstand. All pools which can match a transaction affect it. To
> setup this "no restriction" for your certain clients you need to exclude
> them from the restricted pools.

Oh, I see. Thank you for clarification.

> Setting them to have one restricted and one un-restricted does not help
> - they will just get the minimum available bandwidth of the two.


Yes, How then can I achieve following:
* limited access for non authenticated users (without credentials)
* unlimited access for those who have credentials ?

Is it possible with one instance of squid or do I have to configure 2
instances
one with authentication on and
one with authentication off?

Or are there other ways to try?

Many thanks and best regards,

Vitaly


Re: [squid-users] squid client or cache manager under Multi instance squid /SMP

2018-03-28 Thread Peter Viskup
Hello Ahmad,
your instances should have different ports opened. Use squidclient's
options -p -h to request the appropriate instance.

Example from our server:

proxy02:/etc/squid $ squidclient -p 8080 cache_object://localhost/ mgr:info|grep "Start Time"
Start Time: Thu, 22 Mar 2018 13:09:24 GMT
proxy02:/etc/squid $ squidclient -p 3128 cache_object://localhost/ mgr:info|grep "Start Time"
Start Time: Fri, 23 Mar 2018 13:03:20 GMT

Not sure whether it is possible to get per-thread stats.

It also depends on the Squid's version as stated on wiki [1]. Only versions
3.5+ can be run as multi-instance with SMP enabled.
More information about how the load is distributed across SMP threads is on
another wiki page [2].

[1] https://wiki.squid-cache.org/MultipleInstances#SMP_enabled_Squid
[2] https://wiki.squid-cache.org/Features/SmpScale#Who_decides_which_worker_gets_the_request.3F

-- 
Peter

On Wed, Mar 28, 2018 at 2:53 PM, --Ahmad--  wrote:

> Hello Guys ,
>
> i have no idea how to use squid client or cache manager when i have
> multiple instances of squid running .
>
> say i have 2 instances
>
> squid -n 1 -f 1.conf
> squid -n 2 -f 2.conf
>
>
> all what i need is to see the request rate hitting each instance above .
> how can i use the cache manager ?
>
> is there an option for squid client app ?
>
>
> more Q
> if i have both ( multi instance with SMP say 4 workers )
>
> how can i see the request rate on the total instance and request rate on
> the kids of this instance   ?
>
>
>
> kind regards


Re: [squid-users] Assertion failed on Squid 4 when peer restarted.

2018-03-28 Thread Alex Crow

On 28/03/18 02:22, Amos Jeffries wrote:
> On 28/03/18 03:24, Alex Crow wrote:
>> I have a squid 4.0.22 running peered with a 3.5.24 proxy. The latter
>> machine stopped responding and I had to reboot it, and then the 4.0.22
>> one crashed. Here's a log snippet:
>>
>> 2018/03/27 15:01:48 kid1| WARNING: failed to unpack metadata because store entry metadata is too big
>> 2018/03/27 15:04:09 kid1| Detected DEAD Sibling: webproxy.ifa.net
>> 2018/03/27 15:04:09 kid1| Detected REVIVED Sibling: webproxy.ifa.net
>> 2018/03/27 15:06:01 kid1| Detected DEAD Sibling: webproxy.ifa.net
>> 2018/03/27 15:06:01 kid1| Detected REVIVED Sibling: webproxy.ifa.net
>> 2018/03/27 15:06:44 kid1| Error negotiating SSL connection on FD 216: (104) Connection reset by peer
>> 2018/03/27 15:06:57 kid1| Error negotiating SSL connection on FD 199: (104) Connection reset by peer
>> 2018/03/27 15:06:57 kid1| Error negotiating SSL connection on FD 169: (104) Connection reset by peer
>> 2018/03/27 15:06:57 kid1| Error negotiating SSL connection on FD 29: (104) Connection reset by peer
>> 2018/03/27 15:06:57 kid1| Error negotiating SSL connection on FD 188: (104) Connection reset by peer
>> 2018/03/27 15:06:57 kid1| Error negotiating SSL connection on FD 190: (104) Connection reset by peer
>> 2018/03/27 15:07:12 kid1| Error negotiating SSL connection on FD 912: (104) Connection reset by peer
>> 2018/03/27 15:07:13 kid1| Error negotiating SSL connection on FD 514: (104) Connection reset by peer
>> 2018/03/27 15:07:26 kid1| ERROR: negotiating TLS on FD 236: error::lib(0):func(0):reason(0) (5/-1/104)
>>
>> 2018/03/27 15:07:41 kid1| Error negotiating SSL connection on FD 129: (104) Connection reset by peer
>> 2018/03/27 15:08:17 kid1| assertion failed: store.cc:1690: "!mem_obj"
>>
>> Any ideas?
>
> First idea is to check bugzilla. I see nothing there.
>
> Second is to upgrade to the latest v4 beta release (4.0.24 right now).
>
> Third idea is to report to bugzilla or ask on squid-dev.
>
> Amos


I'll probably upgrade and if we still see it raise a BZ.

Cheers

Alex




[squid-users] Squid proxychains problem

2018-03-28 Thread Thomas Schmiedl

Hello,

I use xupnpd2 (http://xupnpd.org/xupnpd2_en.html) on my MIPS-based 
router to restream some HLS-streams from the internet to my TV. This app 
doesn't support https and has no proxy support. The author doesn't want 
to provide a newer version of xupnpd2.


I try to restream webcams from Skyline-webcams (e.g. 
http://www.skylinewebcams.com/de/webcam/czech-republic/prague/prague/old-town-bridge-tower.html), 
which uses https. But it's possible to receive the m3u8-file (the URL 
including query-string is in old-town-bridge-tower.html) in http. The 
m3u8-file contains https URLs (ts-video-files, which also can be
downloaded in http).


My idea is to use a filter proxy to replace the https URLs in the 
m3u8-file by http URLs. I use Squid 3.5.12 in Ubuntu 16 with this
eCap-sample-adapter to replace "https" by "http" in the server response:
http://www.e-cap.org/docs/ (victim=https and replacement=http).


A first test with a local http-server worked (URLs were replaced):
curl --proxy 127.0.0.1:3128 http://192.168.178.25:8080/live.m3u8

But with proxychains it doesn't work:
proxychains curl http://192.168.178.25:8080/live.m3u8

I also contacted the author of proxychains. He replied, I should use 
sniffing, but I have no sniffing experience.


Maybe someone in this mailing-list could help me?

Best regards,
Thomas


[squid-users] squid client or cache manager under Multi instance squid /SMP

2018-03-28 Thread --Ahmad--
Hello Guys ,

i have no idea how to use squid client or cache manager when i have multiple
instances of squid running .

say i have 2 instances 

squid -n 1 -f 1.conf
squid -n 2 -f 2.conf


all what i need is to see the request rate hitting each instance above .
how can i use the cache manager ?

is there an option for squid client app ?


more Q
if i have both ( multi instance with SMP say 4 workers )

how can i see the request rate on the total instance and request rate on the 
kids of this instance   ?



kind regards 


Re: [squid-users] Squid as Kerberos client?

2018-03-28 Thread Eliezer Croitoru
I have yet to fully understand the scenario but I might have some ready to use
services for some of these options.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Saturday, March 17, 2018 15:48
To: Patrick Nick 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid as Kerberos client?

On 17/03/18 06:41, Patrick Nick wrote:
> Thank you. It doesn't seem that the "originserver" makes a difference to
> my case though.
> 
> I was able to resolve my issue after I understood that I forgot to pay
> attention to cookies. The API expects the client to use cookies, which I
> didn't do until now, which resulted in a continuous "401 Unauthorized" loop.
> 

Ah, Cookies. The bane of the Internet. They can be dealt with, but you
are not going to like the difficulty level.

Your choices AFAIK (in order of easiest to seriously tricky) are to
write an eCAP module, ICAP service, or custom external ACL helper(s)
with fairly complex squid.conf settings to use the latter.

Amos


Re: [squid-users] SSL intercept in explicit mode

2018-03-28 Thread Eliezer Croitoru
Hey Danilo,

I have tried to understand the issue and scenario from 0 but now I’m now sure I
understood it.

What have you achieved until now in your setup?

Any network can be “simplified” in order to understand on what you do have
control and what you do not.

From your words:

“applications that don't support proxy - i.e. don't forward requests to proxy?”

I understand that you are talking about some kind of client such as a browser
or other software.

Can you be more specific?

From the older posts I understand it might involve ssl-bump but I am missing
some details on the clients.

Please provide more details on your environment so we can somehow make a
summary for your use case.

Thanks,

Eliezer



Eliezer Croitoru  
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-users On Behalf Of Danilo V
Sent: Tuesday, March 13, 2018 15:45
To: squid-users@lists.squid-cache.org
Subject: [squid-users] SSL intercept in explicit mode

 

Is it possible/feasible to configure squid in explicit mode with ssl intercept?

Due to architecture of my network it is not possible to implement transparent 
proxy.

What would be the behavior of applications that don't support proxy - i.e. don't
forward requests to proxy?

Any guides?

 

Danilo
