Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
Thanks a lot. I take your advice: delete everything and install a new OS,
but I will need help.
Can you please point me to one online tutorial that is easy to understand
and I can just
enter command? I will install CentOS I suppose.



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Adam Majer
On 08/15/2018 08:34 PM, Oldman wrote:
> No sir I do not understand that is why I am here trying to just come up with
> some configuration that helps me keep the squid swimming :)
> 
> About being dangerous  please guide me what to remove or add  
> 
> I suppose you are telling me that
>> acl SSL_ports port 1-65535 
>> acl Safe_ports port 1-65535
> 
> Are dangerous ?  Please guide me should I remove them all?

It's dangerous to run random code from a random site. The thing you list
downloads,

wget -O /etc/squid/squid.conf
https://raw.githubusercontent.com/hidden-refuge/squid-proxy-installer/master/spi-rhel5664.conf
--no-check-certificate;;

which is a big WTF in the first place.

1. the --no-check-certificate flag
2. the file there is different from the repository file

If you want to install squid, install it from your distribution's
source, not just run some random program you find in Google's search
engine. All distros have squid available. And at least those squid
versions don't come with malicious config files.

Best of luck,
Adam


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
No Antony, I did not change the conf file. As I said in my first post, I used
an automated squid installation script and installed it on my VPS.

this is the one

https://github.com/centminmod/squid-proxy-installer/blob/master/spi

Now can you kindly send me the default squid conf file ?

Thanks





Re: [squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

2018-08-15 Thread Amos Jeffries
On 16/08/18 11:58, David Touzeau wrote:
> Hi,
> 
>  
> 
> I have written my own url_rewrite helper
> 
>  
> 
> On SSL sites, the helper answering a redirect to a remote denied php  page.
> 

No, your helper *rewrites* the URL without changing any other properties
of the request message. This can be seen clearly in the use of
"rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being
processed.

> 
> With HTTP, no issue but on SSL there is a different behavior
> 
> My helper return
> 
> rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0&;
> 
> but according to debug, the Uri.cc understand : host='https',
> port='443', path=''
> 
> In this case, squid try to connect to an https machine name and return
> bad 503
> 
>  
...
> 
> Did i miss something ???
> 

Look at the input received by the helper. HTTPS uses CONNECT requests.
Those messages have authority-form URIs, not URLs. The above behaviour is
what happens when your helper's response is interpreted according to
authority-form syntax.




You can prevent the SSL-Bump CONNECT messages being sent to the
re-writer with:
  url_rewrite_access deny CONNECT

OR,
 you can try to do a proper redirect by having the helper send:
  OK status=302 url=...


The latter *might* work, depending on whether the client handles
redirection on CONNECT requests. Browsers don't support anything other
than 200 status. Other clients have a mix of behaviours so it's somewhat
unreliable.

Amos
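
The two options in the reply above, sketched as a helper (an added example, not part of the original post and not code from the Squid project). It assumes Squid's default url_rewrite_extras field order and no helper concurrency; the block page host is the one from the question, and `blocked.example` is a constructed sample policy.

```python
#!/usr/bin/env python3
"""url_rewrite helper sketch: redirect blocked HTTP requests, skip CONNECT.

Assumes Squid's default url_rewrite_extras and no helper concurrency, so each
input line is:  URL client_ip/fqdn user method myip=<ip> myport=<port>
"""
import sys
from urllib.parse import quote, urlsplit

BLOCK_PAGE = "https://192.168.1.122/myguard.php"   # block page host from the post
BLOCKED_HOSTS = {"blocked.example"}                # constructed sample policy


def target_host(url, method):
    """Return the destination host for either request-target form."""
    if method == "CONNECT" or "://" not in url:
        # authority-form is just "host:port": no scheme, no path.
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()


def respond(line):
    """Map one helper input line to one helper reply line."""
    fields = line.split()
    if not fields:
        return 'BH message="empty request line"'
    url = fields[0]
    method = fields[3] if len(fields) > 3 else "GET"
    if target_host(url, method) not in BLOCKED_HOSTS:
        return "ERR"                     # ERR = leave the request unchanged
    if method == "CONNECT":
        # An absolute URL returned here would be read as authority-form,
        # which is the host='https' result shown in the thread. Leave the
        # tunnel request alone, as "url_rewrite_access deny CONNECT" would.
        return "ERR"
    # A real redirect (status= plus url=) instead of an in-place rewrite-url=.
    location = BLOCK_PAGE + "?url=" + quote(url, safe="")
    return 'OK status=302 url="%s"' % location


def main():
    for line in sys.stdin:
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()               # Squid reads one reply per request


if __name__ == "__main__":
    main()
```

Blocking the CONNECT itself is left to the access rules in squid.conf in this sketch.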


[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

2018-08-15 Thread David Touzeau
Hi,

I have written my own url_rewrite helper.

On SSL sites, the helper answers with a redirect to a remote "denied" PHP page.

With HTTP there is no issue, but on SSL there is a different behavior.

My helper returns:

rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0&SquidGuardIPWeb=aHR0cDovLzE5Mi4xNjguMS4xMjI=&clientaddr=192.168.1.1&clientname=192.168.1.1&clientuser=unknown&clientgroup=default&targetgroup=P109&url=http%3A%2F%2Fwww.youporn.com

but according to debug, Uri.cc understands: host='https', port='443',
path=''

In this case, squid tries to connect to an "https" machine name and returns a
bad 503.


018/08/16 01:42:59.681 kid1| 84,3| Reply.cc(63) finalize: helper Result = OK

2018/08/16 01:42:59.681 kid1| 61,5| redirect.cc(83) redirectHandleReply:
reply={result=OK, notes={webfiltering: block,0,P109; status: 302;
rewrite-url:
https://192.168.1.122:443/myguard.php?rule-id=0&SquidGuardIPWeb=aHR0cDovLzE5
Mi4xNjguMS4xMjI=&clientaddr=192.168.1.1&clientname=192.168.1.1&clientuser=un
known&clientgroup=default&targetgroup=P109&url=http%3A%2F%2Fwww.youporn.com;
}}

2018/08/16 01:42:59.681 kid1| 85,5| client_side_request.cc(1197)
clientRedirectDone: 'www.youporn.com:443' result={result=OK,
notes={webfiltering: block,0,P109; status: 302; rewrite-url:
https://192.168.1.122:443/myguard.php?rule-id=0&SquidGuardIPWeb=aHR0cDovLzE5
Mi4xNjguMS4xMjI=&clientaddr=192.168.1.1&clientname=192.168.1.1&clientuser=un
known&clientgroup=default&targetgroup=P109&url=http%3A%2F%2Fwww.youporn.com;
}}

 

Here  ---> Uri.cc did not understand correctly the returned
URL.

 

2018/08/16 01:42:59.681 kid1| 23,3| Uri.cc(371) parse: Split URL
'https://192.168.1.122:443/myguard.php?rule-id=0&SquidGuardIPWeb=aHR0cDovLzE
5Mi4xNjguMS4xMjI=&clientaddr=192.168.1.1&clientname=192.168.1.1&clientuser=u
nknown&clientgroup=default&targetgroup=P109&url=http%3A%2F%2Fwww.youporn.com
' into proto='', host='https', port='443', path=''

 

 

2018/08/16 01:42:59.681 kid1| 24,7| SBuf.cc(212) append: from c-string to id
SBuf346713

2018/08/16 01:42:59.681 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 0 for
SBuf346713

2018/08/16 01:42:59.681 kid1| 24,7| SBuf.cc(167) rawSpace: SBuf346713 not
growing

2018/08/16 01:42:59.681 kid1| 24,6| SBuf.cc(99) assign: SBuf346714 from
c-string, n=4294967295)

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(212) append: from c-string to id
SBuf346714

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 0 for
SBuf346714

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(167) rawSpace: SBuf346714 not
growing

2018/08/16 01:42:59.682 kid1| 24,6| SBuf.cc(99) assign: SBuf346709 from
c-string, n=4294967295)

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(212) append: from c-string to id
SBuf346709

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 0 for
SBuf346709

2018/08/16 01:42:59.682 kid1| 24,7| SBuf.cc(167) rawSpace: SBuf346709 not
growing

 

Here > Address.cc did not find the https machine.

2018/08/16 01:42:59.682 kid1| 14,3| Address.cc(382) lookupHostIP: Given
Non-IP 'https.domain.local': Name or service not known

 

 

Did i miss something ???



Re: [squid-users] What is a typical squid conf file

2018-08-15 Thread Antony Stone
On Wednesday 15 August 2018 at 21:07:43, Oldman wrote:

> For a typical user

That's an "interesting" thing to define :)

> who uses squid proxy at home for caching purpose
> have dropbox , google drive etc  skype running
> on pc , mac , ios  all together 5

My recommendation is to use the default squid.conf file and see if you run into 
any problems.  If you do, come back and ask here with as much detail as you 
can gather on what the problem is, what shows up in the Squid log files when 
the problem is occurring, and how to trigger the problem.

> Main reason is caching

You should be aware that caching is less and less effective with modern web 
server practices.

I'm not saying it's not worth doing, but you won't get the cache hit rates we 
enjoyed 10 years ago.

> and controlling kids

Maybe you need to define "controlling" a little more so we know what you want 
to do?

For example, is your primary objective to prevent them getting to sites you 
don't approve of, or finding out what sites they've been looking at after 
they've been there?


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Antony Stone
On Wednesday 15 August 2018 at 21:09:57, Oldman wrote:

> Thanks
> 
> I won't change anything unless I am sure here.

Well, you've certainly changed quite a lot of the standard config in the file 
you showed us earlier.

> What was dangerous ?  Did you mean I could be hacked with that
> configuration file?

I seriously doubt you can be "hacked" (whatever you specifically mean by that) 
but only because you are running the Squid proxy on a domestic network and it 
is therefore almost certainly unreachable from the Internet.

However, defining "safe ports" to be "any port at all" means your proxy can be 
used for quite a number of protocols other than HTTP/S (for example, SMTP) and 
since this is almost certainly not what you want this proxy to be (ab)used 
for, you should stick to the default definition of safe ports which is 
designed to prevent this sort of abuse.

Just out of interest, what made you make the changes you did to the standard 
config?


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
Thanks

I won't change anything unless I am sure here.

What was dangerous? Did you mean I could be hacked with that configuration
file?





[squid-users] What is a typical squid conf file

2018-08-15 Thread Oldman
For a typical user who uses squid proxy at home for caching purposes,
has Dropbox, Google Drive etc., Skype running
on PC, Mac, iOS, all together 5

Main reason is caching and controlling kids


Thanks

I am not technical 





Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Antony Stone
On Wednesday 15 August 2018 at 20:34:26, Oldman wrote:

> No sir I do not understand

Okay, "/dev/null" means "discard the output".  That is why:

cache_log /dev/null

produces no cache log file.

> that is why I am here trying to just come up with some configuration that
> helps me keep the squid swimming :)
> 
> About being dangerous  please guide me what to remove or add
> 
> I suppose you are telling me that
> 
> > acl SSL_ports port 1-65535
> > acl Safe_ports port 1-65535
> 
> Are dangerous ?  Please guide me should I remove them all?

I recommend you simply do not change them from the defaults.

In general, do not change anything in the default Squid config file unless you 
know why you need to change it.


Regards


Antony.

-- 
It may not seem obvious, but (6 x 5 + 5) x 5 - 55 equals 5!

   Please reply to the list;
 please *don't* CC me.
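
A check for the two settings discussed in this thread, `cache_log /dev/null` and the `1-65535` port ACLs, written as an added example (not part of any post here and not a Squid tool). The default port sets are the ones in the squid.conf shipped with Squid; the sample config is constructed from the lines quoted above.

```python
"""Flag squid.conf settings that differ from the stock defaults in the two
ways raised in the thread: a discarded cache log and widened port ACLs."""

# Port ACLs as defined in the squid.conf shipped with Squid.
DEFAULT_PORTS = {
    "SSL_ports": {443},
    "Safe_ports": {80, 21, 443, 70, 210, 280, 488, 591, 777}
                  | set(range(1025, 65536)),
}

# Constructed sample: the three lines quoted in the thread.
SAMPLE = """\
cache_log /dev/null
acl SSL_ports port 1-65535
acl Safe_ports port 1-65535
"""


def config_words(conf_text):
    """Yield each non-empty config line as a word list, comments removed."""
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words


def acl_ports(conf_text):
    """Collect the ports of every 'acl NAME port ...' line, keyed by name."""
    ports = {}
    for words in config_words(conf_text):
        if len(words) >= 4 and words[0] == "acl" and words[2] == "port":
            for spec in words[3:]:
                low, _, high = spec.partition("-")
                span = range(int(low), int(high or low) + 1)
                ports.setdefault(words[1], set()).update(span)
    return ports


def audit(conf_text):
    """Return (setting, problem) pairs for the issues found."""
    findings = []
    for words in config_words(conf_text):
        if words[:2] == ["cache_log", "/dev/null"]:
            findings.append(("cache_log",
                             "output discarded, no cache log is written"))
    found = acl_ports(conf_text)
    for name, default in DEFAULT_PORTS.items():
        extra = found.get(name, set()) - default
        if extra:
            note = "%d ports beyond the default" % len(extra)
            if 25 in extra:
                note += ", SMTP (25) among them"
            findings.append((name, note))
    return findings


if __name__ == "__main__":
    for setting, problem in audit(SAMPLE):
        print("%s: %s" % (setting, problem))
```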


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
No sir, I do not understand; that is why I am here trying to just come up with
some configuration that helps me keep the squid swimming :)

About being dangerous, please guide me what to remove or add.

I suppose you are telling me that
> acl SSL_ports port 1-65535
> acl Safe_ports port 1-65535

are dangerous? Please guide me, should I remove them all?









Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Antony Stone
On Wednesday 15 August 2018 at 19:27:07, Oldman wrote:

> What do you think about my squid configuration?  here ? I can't see any
> cache logs

> cache_log /dev/null

You do understand what "/dev/null" means, do you?

> acl SSL_ports port 1-65535
> acl Safe_ports port 1-65535

This suggests to me that your lack of familiarity with networking may be 
dangerous.


Antony.

-- 
Police have found a cartoonist dead in his house.  They say that details are 
currently sketchy.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
Thanks
I know a little on how to use ssh, install something etc.
Just creating a squid proxy for home use, my kids, and I was also curious.

Everything is installed and it seems to work except some log files that I
have no idea what they mean and how I can resolve. I searched on the internet but
the answers seem to be complicated.

OK my question

What do you think about my squid configuration?  here ? I can't see any
cache logs

https://pastebin.com/raw/5jghjapu







Re: [squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Antony Stone
On Wednesday 15 August 2018 at 18:26:16, Oldman wrote:

> I found a script and automatically created a squid proxy on a CentOS VPS,
> then set up the proxy on my PC and am using it.
> I am good at learning but not very technical. While trying to figure out
> all those tcp denied and other logs I realized it is very technical.
> Isn't there an easy-to-manage way for a non-technical person like me?

Sorry, but why is a non-technical person trying to manage a proxy server?

To answer the question in your subject line "Do I need to be technical to use 
squid proxy?", the answer is definitely "no".  So long as you can use a 
browser, you can use Squid proxy, but if you want to *manage* the proxy, 
that's a different matter, and you need to have at least a certain amount of 
familiarity with networking concepts and client-server communications.

Maybe it helps to look at your request completely differently - what are you 
trying to *achieve* with Squid?  Tell us that and we might be able to help you 
do it.


Regards,


Antony.

-- 
René Descartes walks in to a bar.
The barman asks him "Do you want a drink?"
Descartes says "I think not," and disappears.

   Please reply to the list;
 please *don't* CC me.


[squid-users] Do I need to be technical to use squid proxy?

2018-08-15 Thread Oldman
I found a script and automatically created a squid proxy on a CentOS VPS,
then set up the proxy on my PC and am using it.
I am good at learning but not very technical. While trying to figure out
all those tcp denied and other logs I realized it is very technical.
Isn't there an easy-to-manage way for a non-technical person like me?





Re: [squid-users] TLS Connection Upgrade for Windows

2018-08-15 Thread Amos Jeffries
On 15/08/18 21:19, De Leon, Ma Katrina B. wrote:
> Hi,
> 
> I've seen several discussions on using Squid proxy to upgrade client TLS 
> connections using ssl_bump. But all of the existing discussions applies to 
> Linux/Unix Systems.
> Can anyone confirm if this is also applicable or possible for Windows? I am 
> trying to integrate our application (SAP PI) which uses TLS 1.0 to Salesforce 
> which only allows TLS 1.1 and above.

The SSL-Bump features are not specific to any OS. They rely solely on
the Squid and OpenSSL versions being used.

The problem you will encounter with Windows is its lack of NAT or
TPROXY capabilities. So port 443 traffic cannot be intercepted into the
proxy in the first place (same for port 80, etc).

Amos


[squid-users] TLS Connection Upgrade for Windows

2018-08-15 Thread De Leon, Ma Katrina B.
Hi,

I've seen several discussions on using Squid proxy to upgrade client TLS 
connections using ssl_bump. But all of the existing discussions applies to 
Linux/Unix Systems.
Can anyone confirm if this is also applicable or possible for Windows? I am 
trying to integrate our application (SAP PI) which uses TLS 1.0 to Salesforce 
which only allows TLS 1.1 and above.
Any response is very much appreciated. Thank you!

Best Regards,
De Leon






Re: [squid-users] microsoft list

2018-08-15 Thread Eliezer Croitoru
Well..
It's a Squid-Cache mailing list but you wrote a very long sentence and it's 
hard to understand.
Health is important and trusting the Wizard is only when he proved himself 
worthy of it.
Microsoft have been proving that it's worth honor
If you specifically do not like their updates or caching computability or 
security then you are in the right place.
Microwave is nice and has benefits and losses but.. it gives easier lives to 
many.

Here we try to be direct and to not hold a mystery in the text.
You are welcome to add some more technical details to the subject if we do not 
know about it.

I will try to look at the git repository and learn.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vacheslav
Sent: Tuesday, August 14, 2018 2:08 PM
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

Well since you asked and are actually interested, I am going to reveal the 
secret just like Vanunu and  Rabin. The program is called disable win track!
But what I don't understand is that too many people get to understand stuff 
like split and peak and tls and even tougher technical stuff but when it comes 
to health, they just trust their wizard is giving them the right magic potion!
No one would break a thermometer and drink its contents but that is exactly 
what most do to their dearest beloved ones with disaster loaded needles!

-Original Message-
From: Eliezer Croitoru  
Sent: Tuesday, August 14, 2018 11:01 AM
To: 'Vacheslav' 
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] microsoft list

>Can you share this git with us?
>We are probably not updated enough.
>It will probably help others too so.

Can you please share it with us?

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vacheslav
Sent: Wednesday, August 1, 2018 9:19 AM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, July 31, 2018 7:34 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] microsoft list

On 31/07/18 23:32, Vacheslav wrote:
> Satanic greetings, you really think you are the smartest of us all that we 
> can't think of your stupid suggestion?
> 

>Please be civil. The response you received was a reasonable answer to your 
>question.

You won't find any more civil love than that.

>Both the TechNet article linked and the Squid FAQ config example for Windows 
>Update contains lists of domains that service uses.

>Blocking the rest of Microsoft and all of Akamai *by URL* is a much more 
>difficult proposition. Between them they host a very large percentage of 
>Internet domains.

Your last sentence is totally false. I found an open source handy piece of 
software which lets you choose how much you would like to block, even skype if 
desired, too bad there isn't a donate button on github or am I missing it?
So I just copied the domains inserted in the hosts file and plugged it in 
ufdbguard and the people who use this squid have considerably less traffic than 
others.

>Amos