Re: [squid-users] [squid-announce] Squid 4.1 is available

2018-07-23 Thread TarotApprentice
I’ve emailed the packaging team. The more people that ask the more likely they 
are to act on it so if anyone else is interested please drop them an email.

MarkJ

> On 6 Jul 2018, at 3:52 pm, Amos Jeffries  wrote:
> 
>> On 06/07/18 14:27, TarotApprentice wrote:
>> Hopefully the Debian guys will push this through to Stretch-backports
>> this time. 3.5.27 only made it as far as buster (testing).
>> Unfortunately libc 2.27 is in there and that meant it wanted to
>> update many other packages.
>> 
> 
> You can post a request to sq...@packages.debian.org, or file a bug. One
> of the uploaders in the team may act earlier if they are aware of interest.
> 
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] question about squid and https connection .

2018-07-23 Thread Eliezer Croitoru
OK so it makes more sense when you say it's intentional.

I do not agree with this approach and it's a bit off topic but I got my answer.

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
Sent: Friday, July 20, 2018 6:17 PM
To: Eliezer Croitoru ; 'Squid Users' 

Subject: Re: [squid-users] question about squid and https connection .

On 07/20/2018 03:04 AM, Eliezer Croitoru wrote:
> I think we can use MD5/SHA1/SHA256 or even CRC32 to show the "freshness" of 
> the certificate.

Sorry, you lost me: I see no connection between the previous discussion
about CA keys and your new statement about something you call
certificate "freshness".


> Also this way the ssl_db folder will be free of the burden of tight 600 or 
> 700 permissions.
> 
> Did I get it right?

The stored generated certificates include their private keys so the
database should use tight permissions.


Alex.


> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Thursday, July 19, 2018 11:29 PM
> To: Eliezer Croitoru ; 'Squid Users' 
> 
> Subject: Re: [squid-users] question about squid and https connection .
> 
> On 07/19/2018 12:08 PM, Eliezer Croitoru wrote:
> 
>> So the ROOT CA key which squid is using is being used for all the fake 
>> certificates, why do we need so many copies of it?
> 
> FWIW, I cannot think of any reason to store the CA certificate key in
> the database of generated certificates. That key is only used to sign a
> freshly generated certificate, and the certificate generator never
> regenerates certificates, so I do not see the need to reuse that CA key.
> 
> Alex.
> 
> 
>> -Original Message-
>> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
>> Sent: Wednesday, July 18, 2018 11:45 PM
>> To: Eliezer Croitoru ; 'Squid Users' 
>> 
>> Subject: Re: [squid-users] question about squid and https connection .
>>
>> On 07/18/2018 02:23 PM, Eliezer Croitoru wrote:
>>
>>
>>> Every certificate has the same properties as the original one except 
>>> the "RSA key" part which it's certifying.
>>
>> Assuming you are talking about the generated certificates for the same real 
>> certificate X, then yes, they will all have the same (mimicked) fields. 
>> Whether they will be signed by the same CA depends on Squid configuration. 
>> In my answers, I assumed that all those Squids are configured with the same 
>> CA (including the same private key).
>>
>>
>>> So what I'm saying is that you cannot say that every certificate which 
>>> will be created with the same CA will be the same for two different 
>>> 2048 bits RSA keys.
>>
>> ... unless the keys are also the same, which was my and, AFAICT, OP 
>> assumption.
>>
>> Also, unless you are doing something nasty, it probably does not make sense 
>> to configure a bumping Squid with a public CA certificate that is identical 
>> to some other public CA certificate but has a different private key. In 
>> other words, if you are using 200 Squids with a single public CA 
>> certificate, then all those Squids should use the same private key.
>>
>> Alex.
>>
>>
>>
>>> -Original Message-
>>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
>>> On Behalf Of Alex Rousskov
>>> Sent: Friday, July 13, 2018 2:01 AM
>>> To: 'Squid Users' 
>>> Subject: Re: [squid-users] question about squid and https connection .
>>>
>>> On 07/12/2018 02:35 PM, Eliezer Croitoru wrote:
>>>
>>>> Every RSA key and certificate pair regardless of the origin server 
>>>> and the SSL-BUMP enabled proxy can be different.
>>>
>>> I cannot find a reasonable interpretation of the above that would 
>>> contradict what I have said. Yes, each unique certificate has its own 
>>> private key, but that is not what Ahmad was asking about AFAICT.
>>>
>>>
>>>> Will it be more accurate to say that just as long as these 200 squid 
>>>> instances (different squid.conf and couple other local variables) use 
>>>> the same exact ssl_db cache directory then it's probable that they 
>>>> will use the same certificate.
>>>
>>> That statement is incorrect. Squids configured with different CA 
>>> certificates will generate different fake certificates for the same 
>>> real certificate.
>>>
>>> I assume that Ahmad was asking about a situation where 200 Squid 
>>> instances had the same configuration (including CA certificates).
>>>
>>> Please note that the certificate generator helper gets the signing 
>>> (CA) certificate as a parameter with each generation request (because 
>>> different Squid ports may use different CA certificates). Also, Squid 
>>> probably does not officially support sharing the certificate directory 
>>> across Squid instances (even if it works).
>>>
>>>
>>>> Or these 200 squid instances are in SMP mode with 200 workers... If 
>>>> these 200 instances do not share memory and 
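
The point made in the thread above, that the stored generated certificates include their private keys and so the database should use tight permissions, can be checked mechanically. The script below is an added example, not part of any message in this thread and not Squid's own code; the function names are hypothetical and the certificate database directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid code). Function names are
# hypothetical; the certificate database path is passed in by the caller.

# List entries under $1 with any group/other permission bit set.
# Symlinks are skipped because their own mode bits are not meaningful.
loose_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count loose regular files that hold a PEM private key block.
exposed_key_count() {
    loose_entries "$1" | while IFS= read -r f; do
        if [ -f "$f" ] && grep -q -e 'PRIVATE KEY-----' "$f"; then
            printf '%s\n' "$f"
        fi
    done | wc -l | tr -d ' '
}

# Print a one-line summary; succeed only if nothing is group/other accessible.
audit_ssl_db() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    loose=$(loose_entries "$dir" | wc -l | tr -d ' ')
    keys=$(exposed_key_count "$dir")
    echo "loose=$loose exposed_keys=$keys"
    [ "$loose" -eq 0 ]
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_ssl_db "$1"
fi
```

A non-zero exit status means at least one entry is accessible beyond its owner, which suits a cron job or a configuration-management check.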

[squid-users] Strange error to load http web pages in parents servers.

2018-07-23 Thread Darvin Rivera Aguilar


In all Machines

OS: Debian
Version: 9.5
Squid Cache: Version 3.5.23

I have one private IP address for the public Squid (10.20.0.183) and two
parent Squids: one for Facebook and the other for the *.ch domain

                                      > Parent1 (10.20.0.41) (Only Facebook)
                                     |
Client -> Public Squid (10.20.0.183) -> All other traffic
                                     |
                                      > Parent2 (10.20.0.42) (Only *.ch domain)

Parent1 and parent2 configuration are the same.


The Problem:

Browser Url: http://films.server.ch/Ingles/Baby Daddy/

Client Error:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL:
/Ingles/Baby%20Daddy/

    Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

    Missing or incorrect access protocol (should be "http://" or similar)

    Missing hostname

    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.

Your cache administrator is webmaster.


Log Public Squid (10.20.0.183)
1531925462.144    525 10.20.1.12 TCP_MISS/400 3875 GET http://films.server.ch/Ingles/Baby%20Daddy/ username FIRSTUP_PARENT/10.20.0.42 text/html

Log Squid Parent2 (10.520.0.42)
1531928082.425  0 10.20.0.183 TAG_NONE/400 3586 GET /Ingles/Baby%20Daddy/ - HIER_NONE/- text/html


Note: I use parent1 for Facebook and it never gives this error. Facebook
uses https and the error is only in parent2 with http.

How the client solves this error:
When I push F5 in the browser the page reloads without problem;
sometimes I need to push F5 5 or 8 times for the page to reload.

Parent2 Full config:

http_port 3128
httpd_suppress_version_string on
visible_hostname parent2.localhost
dns_nameservers 10.20.0.61
acl proxy src 0.20.0.183/32
http_access allow proxy
http_access deny all
cache_access_log /var/log/squid/access.log

Public Squid Basic config

http_port 10.20.0.183:3128
http_port 127.0.0.1:3128
httpd_suppress_version_string on

#
# TAG: Recommended minimum configuration
#
acl port_80 port 80
acl port_443 port 443

acl Safe_method method CONNECT GET HEAD POST
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !Safe_method
http_access deny CONNECT !SSL_ports

#
# TAG: PARENT
#
acl redir_facebook  dstdom_regex    -i "/etc/squid/acl/cache_peer_facebook"
acl db_domain   dstdom_regex    -i "/etc/squid/acl/cache_peer_domain"

cache_peer 10.20.0.41 parent 3128 0 default
cache_peer 10.20.0.42 parent 3128 0 default

cache_peer_access 10.20.0.41 allow redir_facebook
cache_peer_access 10.20.0.42 allow db_domain

never_direct allow redir_facebook
never_direct allow db_domain




Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-23 Thread Andrea Venturoli

On 7/23/18 2:59 AM, Amos Jeffries wrote:

> FYI: The template delivered has inline javascript for hiding the
> messages that are irrelevant to this particular request.

Sorry, I'm not sure I understand: template = squid's error page?

> If you open the
> URL in the browser (not debugging) it should reduce down to the ones
> which are relevant.

That's what I've done (and what I reported came after I did this).

> You could also look at the debugger info about the request message sent
> and compare those values yourself.

Again, please forgive me... maybe I'm too ignorant about web 
applications, but I'm not understanding what you suggest I should do.

 bye & Thanks
av.