Re: [squid-users] IP auth, simple username/pass authentication, if ip not authorized?

2018-04-13 Thread xpro6000
This should do it

# Port and method sanity checks first, as in the stock squid.conf, so that the
# allow rules further down cannot grant access to unsafe ports
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Clients whose source address is listed in the file pass without credentials
acl Allowed_IPs src "/etc/squid/Allowed_IPs.txt"
http_access allow Allowed_IPs

# Everyone else is challenged for a username/password (basic auth, htpasswd-style file);
# auth_param must appear before any acl that uses proxy_auth
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

#http_access allow localhost
http_access deny all
#http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


On Fri, Apr 13, 2018 at 11:30 PM, xpro wrote:

> Right now I'm using Squid with IP based authentication. Would it be
> possible to also allow the user access if their IP is not allowed, but they
> provide username/pass?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
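Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so where the two allow lines sit relative to the Safe_ports and CONNECT checks decides whether a listed IP (or an authenticated user) can reach arbitrary ports. The following Python model is an added example, not code from this thread or from the Squid project: it replays both orderings over a few constructed requests. It assumes an Allowed_IPs.txt containing 192.0.2.0/24, omits the localhost/manager lines, and treats a proxy_auth ACL seen without credentials as a non-match (real Squid would answer with a 407 challenge at that point).

```python
"""Added example, not from the squid-users thread or the Squid project: a toy
model of Squid's http_access evaluation (top to bottom, first matching rule
wins), used to compare placing the two allow lines before the port checks
with placing them after, the order Squid's stock squid.conf uses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    """Constructed sample request: client address, destination port, method
    and whether valid proxy credentials were presented."""
    src: str
    port: int
    method: str = "GET"
    authenticated: bool = False


# Assumed contents of /etc/squid/Allowed_IPs.txt (constructed for this example).
ALLOWED_IPS = [ip_network("192.0.2.0/24")]
# Same Safe_ports list as the posted configuration.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

# ACL name -> predicate over the request, standing in for Squid's acl types.
# A proxy_auth ACL with no credentials is treated as "does not match"; real
# Squid would answer that request with a 407 challenge at the same point.
ACLS = {
    "Allowed_IPs": lambda r: any(ip_address(r.src) in n for n in ALLOWED_IPS),
    "ncsa_users": lambda r: r.authenticated,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "all": lambda r: True,
}

# Ordering A: the two allow lines precede the port checks
# (localhost/manager lines omitted; they do not affect these requests).
ALLOW_FIRST = [
    ("allow", ["Allowed_IPs"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]

# Ordering B: port checks first, as in Squid's default squid.conf.
PORTS_FIRST = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Allowed_IPs"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["all"]),
]


def evaluate(rules, req):
    """Return (decision, index of the rule that fired). A rule fires when every
    ACL term on the line matches ('!' negates a term). If no rule fires, Squid
    applies the opposite of the last rule's action (reported with index None)."""
    for i, (decision, terms) in enumerate(rules):
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return decision, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


def compare(req):
    """Decision under each ordering, so the effect of rule order is visible."""
    return evaluate(ALLOW_FIRST, req)[0], evaluate(PORTS_FIRST, req)[0]


if __name__ == "__main__":
    samples = [
        Request("192.0.2.10", 80),                        # listed IP, web port
        Request("198.51.100.7", 80),                      # unlisted, no credentials
        Request("198.51.100.7", 80, authenticated=True),  # unlisted, logged in
        Request("192.0.2.10", 22, "CONNECT"),             # listed IP, CONNECT to an unsafe port
        Request("198.51.100.7", 25, "CONNECT", authenticated=True),
    ]
    print(f"{'request':<45}{'allow first':<14}{'ports first'}")
    for r in samples:
        allow_first, ports_first = compare(r)
        desc = f"{r.method} {r.src} port {r.port} auth={r.authenticated}"
        print(f"{desc:<45}{allow_first:<14}{ports_first}")
```

Running it shows the two orderings agree for ordinary web requests and differ only for the CONNECT-to-unsafe-port rows: with the allow lines first, a listed IP or an authenticated user tunnels to any port; with the port checks first, those requests are denied before the allow lines are reached. The same first-match walk is what `squid -k parse` does not check for you, which is why the order of http_access lines deserves a second look after any change.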


[squid-users] IP auth, simple username/pass authentication, if ip not authorized?

2018-04-13 Thread xpro
Right now I'm using Squid with IP based authentication. Would it be 
possible to also allow the user access if their IP is not allowed, but 
they provide username/pass?




Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread Alex Rousskov
On 04/13/2018 02:41 PM, MK2018 wrote:

> Alex Rousskov wrote
>> Believe it or not, there are still many Squid use cases where bumping is
>> unnecessary. This includes, but is not limited to, HTTPS proxying cases
>> with peek/splice/terminate rules and environments where Squid possesses
>> the certificate issued by CAs trusted by clients. There are also IETF
>> attempts to standardize transmission of encrypted but proxy-cachable
>> content.
>>
>> I agree that Squid user base will shrink if nobody can bump 3rd party
>> traffic, but that reduction alone will not kill Squid.

> I would definitely disagree.

With what? Nothing you said afterwards contradicts what I said above.

Alex.


Re: [squid-users] Squid is very slow after moving to production environment

2018-04-13 Thread MK2018
Roberto Carna wrote
> Thanks to everybody...
> 
> I've reviewed what you told me. I've executed "squid -k parse" and
> everything is OK, and I've restarted the entire Squid server.
>
> When I use the server with IP#1, it works OK and is fast, but when I
> change its IP to IP#2 (the IP of the current Squid that I want to
> replace), navigation is very, very slow, with just 20/30 concurrent
> users.
>
> So I think the Squid configuration parameters are OK, because with
> IP#1 the proxy runs perfectly.
>
> Why would just an IP change affect the performance of web browsing?
> Maybe because of something related to Dansguardian?
>
> Thanks and regards!

From your description, this looks like a load-balancing issue, specifically
if you are using DNS round-robin to load-balance the two servers. In most
cases, users will hit the second (or last) IP, because DNS round-robin works
from the bottom up.

To get away from guesswork, please examine all your log files (cache.log,
access.log, etc.); they will give you a clear picture of what really
happens.

Another quick guess: a "slow" Squid is usually an indication of a
"repeatedly crashing" Squid, due to overload or system configuration issues.

Logs are your friend.



Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread MK2018
MK2018 wrote
> Alex Crow-2 wrote
>>> Unless the protocol design changes to expose full URLs and/or MIME
>>> types, nothing will replace Squid Bumping.
>>>
>>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>>> together, while we yell and curse at Google!
>>>
>>> MK
>>
>> Erm, can someone elucidate the issue here? Can't see anything about this
>> in the last year of mails from this list ;-)
>>
>> Alex
>
> :D :D Sure thing, here it is:
> https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/
>
> I had to find out from AWS, otherwise I would have been terrorized on May 1st
> all of a sudden, just like how Google does it each time.
>
> Chrome is most probably going to spit fire at all non-CT-logged CA
> certificates. Naturally, 99% of Squid-Bumping feature users use self-signed
> certs (or otherwise own all real CAs in the world and still violate CA rules),
> so they will end up getting into a war with all Chrome users (which is
> basically like 80% of users).
>
> Hope that clears it up!

I might have overlooked this: "Certificates issued from locally-trusted or
enterprise CAs that are added by users or administrators are not subject to
this requirement."

https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/wHILiYf31DE

Think there is still hope?


Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread MK2018
Alex Crow-2 wrote
>> Unless the protocol design changes to expose full URLs and/or MIME types,
>> nothing will replace Squid Bumping.
>>
>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>> together, while we yell and curse at Google!
>>
>> MK
>
> Erm, can someone elucidate the issue here? Can't see anything about this
> in the last year of mails from this list ;-)
>
> Alex

:D :D Sure thing, here it is:
https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/

I had to find out from AWS, otherwise I would have been terrorized on May 1st
all of a sudden, just like how Google does it each time.

Chrome is most probably going to spit fire at all non-CT-logged CA
certificates. Naturally, 99% of Squid-Bumping feature users use self-signed certs
(or otherwise own all real CAs in the world and still violate CA rules), so
they will end up getting into a war with all Chrome users.

Hope that clears it up!



Re: [squid-users] SSL intercept in explicit mode

2018-04-13 Thread MK2018
Aaron Turner wrote
> Thanks Yuri.  That helps.  As for the "sslproxy_flags
> DONT_VERIFY_PEER", yes I understand the risks.  In my specific case,
> where my "users" are actually a bunch of automated web clients doing
> some web crawling it's the right thing to do.
> --
> Aaron Turner

I tried using bump all myself with actual human beings (200+) using browsers
ranging from Mozilla Firefox, Seamonkey and Chrome to Safari and Opera.

I don't know why I had to face it, but with bump all I got many errors with
many websites. It only worked for me like this:

http_port 3128 ssl-bump cert=/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=999MB
sslcrtd_children 100
ssl_bump none BadSSL
ssl_bump server-first all

As you can see, I'm using the word server-first in place of the word bump. This is the
only way I got it to work with natural human browsing. I also could not use
intercept mode, because every major browser considers it a crime to let it
go! They would just spit all sorts of errors in the user's face and have you
clean the spitting up :D :D

Of course, BadSSL above is the ACL for all sites using the new fiasco of
hardcoded certificates (certificate pinning); otherwise, they don't pass at
all!



Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread Alex Crow
> Unless the protocol design changes to expose full URLs and/or MIME types,
> nothing will replace Squid Bumping.
>
> That being said, we are headed to the vortex by 2018.05.01. Let's drown
> together, while we yell and curse at Google!
>
> MK

Erm, can someone elucidate the issue here? Can't see anything about this
in the last year of mails from this list ;-)

Alex



[squid-users] [icap] Web Safety 6.2 web filter plugin for Squid proxy is Release Candidate

2018-04-13 Thread Rafael Akchurin
Greetings all,

The next version of Web Safety web filter for Squid proxy (version 6.2.0.FD48,
built on April 13, 2018, Release Candidate) is now available for download.
This version contains the following fixes and improvements:

* Added a new dynamic site categorization module. This module works on
both requests and responses. When categorizing requests, the URL, Referer and Host
headers are scanned. When categorizing responses, the textual contents of pages
are scanned. Currently there are dynamic categorizers for the Nudity Pornography,
Adult Themes Sexuality, Drugs and Gambling categories, but more
categorizers will be added with each release. Our goal is to eventually have all
available categories covered.

* Redesigned and re-implemented the deep content inspection engine. The
speed of content inspection is slightly improved, so detection is now done faster.
The amount of RAM used when performing adult language detection is greatly
decreased (approximately 10 times).

A pre-configured virtual appliance is available from
https://www.diladele.com/download_next_version.html (should be run in VMware
ESXi/vSphere or Microsoft Hyper-V). The GitHub repo with the automation scripts we used
to build this virtual appliance from a stock Ubuntu 16 LTS image is at
https://github.com/diladele/websafety-virtual-appliance/tree/release-6.2.0 .

Direct link to the virtual appliance:

* http://packages.diladele.com/websafety/6.2.0.FD48/va/ubuntu16/websafety.zip

Please deploy this version in non-critical environments only. Your
questions/issues/bugs are welcome at
supp...@diladele.com

Version 6.3 will include a re-implemented Surfing Now page and the CTIRU URL
prevention list (provided by the UK Home Office).

You can join our community to get free early access to the next development builds
at https://www.diladele.com/community.html .

Thanks to all of you for making this possible!

Best regards,
Rafael Akchurin
Diladele B.V.