Re: [squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Rafael Akchurin
Hello Alex,

Please take a look at how we recompile Squid 4.6 for Ubuntu 18.
It compiles and runs nicely without errors.

See https://docs.diladele.com/howtos/build_squid_4_on_ubuntu/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users  On Behalf Of Alex 
Gutiérrez Martínez
Sent: Wednesday, 27 February 2019 22:48
To: squid-users@lists.squid-cache.org
Subject: [squid-users] problem compiling squid 4 on ubuntu 18.04

Hello community, can someone be so nice as to tell me what I'm doing wrong?


I'm compiling squid 4.5 on Ubuntu 18.04


these are the dependencies I have installed


apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev 
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev 
libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl
libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils


these are the options for squid

./configure --build=x86_64-linux-gnu --enable-delay-pools 
--enable-cache-digests --enable-icap-client --enable-ssl --enable-ssl-crtd 
--with-openssl --enable-follow-x-forwarded-for 
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" 
--enable-auth-digest="file,LDAP" --prefix=/usr --includedir=${prefix}/include 
--mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc 
--localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. 
--disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules 
--datadir=/usr/share/squid --sysconfdir=/etc/squid --mandir=/usr/share/man 
--enable-inline --disable-arch-native
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock
--enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests 
--enable-icap-client --enable-follow-x-forwarded-for 
--enable-auth-negotiate=kerberos,wrapper
--enable-auth-ntlm=fake,smb_lm
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group
--enable-url-rewrite-helpers=fake --enable-eui --enable-esi --enable-zph-qos 
--enable-ecap --disable-translation --with-swapdir=/var/spool/squid 
--with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid 
--with-filedescriptors=65536 --with-large-files --with-default-user=proxy 
--enable-ssl --with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter 
'CFLAGS=-g
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security'


I'm getting this error


error: NTLM auth helper smb_lm ... not found


thanks in advance


--
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl bump

2019-02-27 Thread Amos Jeffries
On 28/02/19 2:31 am, leomessi983 wrote:
> Hi all
> Can i use this conf only for blocking purpose?!

You could.

I suggest you keep the default security Safe_ports and SSL_ports ACLs and
http_access rules though. They exist to protect your proxy against
malicious attacks and DoS situations.

Your custom settings should go below these defaults at the place where
default squid.conf says "INSERT YOUR RULES HERE".


> Is set dynamic_cert_mem_cache_size=0MB wrong?

Probably fine. You have disabled certificate generating. So there is
nothing to go in that cache. So no need for it to exist.


> I have more than 1000 clients and i only want to block http and https
> pages.

There is no such thing as a 'page' in HTTP or HTTPS. What we humans call a
page is a collection of many objects from the HTTP viewpoint. You can block
some or all of these objects individually to prevent the display
happening, but it is difficult to block abstract things like "pages".

Your config implies things very different to what you stated above.

 * it has no way to receive HTTP traffic happening on port 80 or 3128.
Implying you do not care about http:// stuff.

 * it splices some TLS traffic. Indicating that you do *not* want to
block some https:// traffic.




> 
> My configuration is like this:
> -
> https_port 3130 tproxy ssl-bump \
>     cert=/etc/squid/ssl_cert/myCA.pem \
>     generate-host-certificates=off dynamic_cert_mem_cache_size=0MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen
> 
> 
> acl blk ssl::server_name "/var/blk.list"
> ssl_bump bump blk
> http_access deny blk

The value checked by 'blk' ACL can change when the bump action is
performed. That means these ssl_bump and http_access may produce
different match results.

Since you are only intercepting traffic I suggest your http_access rule
be this instead:

  acl HTTPS proto HTTPS
  http_access deny HTTPS
  http_access allow CONNECT localnet


> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
> -

Cheers
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] HTTP2

2019-02-27 Thread Amos Jeffries
On 28/02/19 6:30 am, Andrej van der Zee wrote:
> Hi,
> 
> I understood that http2 is work in progress. Is there anything to say
> about when this might be released? 
> 

No ETA sorry. Progress has slowed down so much I stopped even saying
"soon-ish" a year ago.

If anyone wants to jump in and lend a hand my HTTP/2 work is up on
github. IMO the best tasks to collaborate on would be designing cppunit
tests to ensure the code correctness of the HPACK coder, and/or to find
h2/h2c Parser bugs. Drop me a mail if that sounds interesting.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Disable tls1.3 support , can't get SNI / cert details when it's used

2019-02-27 Thread Amos Jeffries
On 28/02/19 12:25 pm, Stilyan Georgiev wrote:
> When testing like so: openssl s_client -connect google.com:443
> I get tls1.2 back
> 
> Via mobile chrome browser (android) and the proxy I get tls1.3
> Truly don't understand :)
> 

I expect that Chrome is using its own custom SSL library and HTTP/3
protocol which does not go through Squid.

The openssl test will be strictly using a single TCP connection with a
CONNECT tunnel through your Squid. The SSL-Bump process you have set up
will be bumping that and Squid negotiating the TLS version you have
configured.

The Chrome on the other hand may be negotiating TLS/1.3 handshake via
side channels and then resuming it as a normal TLS session resumption
over the Squid connection, OR possibly not even going via the proxy at
all (aka QUIC, HTTP/3).

Google products also have a preference for using Google's custom SSL
library rather than OpenSSL - so your custom OpenSSL may not be relevant
at the client endpoint. Whereas the openssl tools will naturally be
using libssl like Squid.


If you are not using SSL-Bump in the way(s) indicated previously by
Alex, then your custom OpenSSL build and squid.conf options are
irrelevant. The CONNECT traffic would be going straight through the
proxy without being touched. To have any control over TLS the proxy must
be an _active_ agent participating in the TLS handshake.

HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Amos Jeffries
On 28/02/19 10:47 am, Alex Gutiérrez Martínez wrote:
> Hello community, can someone be so nice as to tell me what I'm doing wrong?
> 
> 
> I'm compiling squid 4.5 on Ubuntu 18.04
> 

...
> 
> 
> I'm getting this error
> 
> 
> error: NTLM auth helper smb_lm ... not found
> 





Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Disable tls1.3 support , can't get SNI / cert details when it's used

2019-02-27 Thread Stilyan Georgiev
Thanks for the input Alex.
I had many, many issues compiling openssl without tls1.3. At first I tried
doing it side by side with the version I had in the OS but failed miserably, with
squid continuing to use the OS package.
Eventually I release-upgraded the OS and now have the 1.1.1-1 package from the
repo, and rebuilt it with no-tls1_3 in CONFARGS.

And to my amazement squid continues serving tls1.3 :)

Any suggestions on how to allow tls1.1 and tls1.2 only are very welcome.
Maybe tls_outgoing_options cipher= ...

Thanks in advance for helping out!

On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <
rouss...@measurement-factory.com> wrote:

> On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
>
> > Squid 4.5 with openssl support here.
> > SSL bumping can't obtain SNI / cert domain to perform filtering when
> > tls1.3 is used.
> > I want to disable support for tls1.3 in config but don't find way to do
> > so. There's the outdated sslproxy_options config directive which doesn't
> > appear to be supported in 4.5
> >
> > The goal is - allow everything , besides tls1.3
>
> Good question!
>
> TLS v1.3 clients that use "Middlebox Compatibility Mode", including
> OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
> that attempt to restore a non-existent TLS session. Squid probably does
> not have ACLs that can detect those lies. However, if you think you can
> detect them, you can pass TLS Hello to your external ACL via the
> %>handshake logformat code.
>
> If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
> I suspect the answer is "yes, but only if you bump the client connection
> first": A peeking Squid cannot negotiate a different TLS version with
> the client. If TLS downgrade is what you want, you can probably use an
> OpenSSL version that does not support TLS v1.3. There may also be an
> OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
> have not researched that.
>
> Finally, there may be a bug in earlier versions of Squid that breaks
> peeking at TLS v1.3 servers during step2. Staring works. We have not
> tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
> is largely pointless because useful information in TLS v1.3 Server Hello
> is encrypted.
>
>
> HTH,
>
> Alex.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Yours Sincerely,

*Stilyan Georgiev*
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
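Alex's quoted explanation above is that a TLS 1.3 client in "Middlebox Compatibility Mode" puts TLS 1.2 in the legacy version field of its ClientHello, carries a 32-byte legacy session id so the hello looks like a TLS 1.2 resumption, and announces 1.3 only inside the supported_versions extension; he also points at %>handshake as the way to hand the raw hello to an external ACL. The following Python is an added example, not code from this thread or from the Squid project: it builds constructed ClientHello records (no real capture is used), parses the fields a policy needs, and classifies the hello. The external ACL wrapper assumes the handshake reaches the helper as a base64 token and that the helper answers OK or ERR per line; both are assumptions to check against the external_acl_type and logformat documentation of your Squid version.

```python
import base64
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(versions, session_id=b"", sni=None):
    """Construct a minimal ClientHello record (test input built here, not a capture).

    legacy_version is always 0x0303: a TLS 1.3 client announces 1.3 only inside
    the supported_versions extension, which is the "lie" the thread describes."""
    exts = b""
    if sni:
        host = sni.encode("ascii")
        name = struct.pack("!BH", 0, len(host)) + host              # name_type=host_name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(name)) + name)
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vlist)) + vlist)
    suites = struct.pack("!HH", 0x1301, 0xC02F)                     # one 1.3 and one 1.2 suite
    body = (struct.pack("!H", TLS12) + bytes(32)                    # legacy_version, random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Extract the fields a proxy policy cares about; ValueError for anything else."""
    try:
        if data[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:
            raise ValueError("truncated ClientHello")
        legacy_version = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                                                # skip random
        sid_len = body[pos]
        pos += 1 + sid_len
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        info = {"legacy_version": legacy_version, "session_id_len": sid_len,
                "supported_versions": [], "sni": None}
        if pos + 2 > len(body):
            return info                                             # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and ext:
                info["supported_versions"] = [struct.unpack("!H", ext[1 + i:3 + i])[0]
                                              for i in range(0, ext[0], 2)]
            elif etype == EXT_SERVER_NAME and len(ext) >= 5:
                name_len = struct.unpack("!H", ext[3:5])[0]
                info["sni"] = ext[5:5 + name_len].decode("ascii", "replace")
        return info
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def classify(data):
    """'tls13-compat', 'tls13' or 'pre-tls13' for one ClientHello record."""
    info = parse_client_hello(data)
    if TLS13 not in info["supported_versions"]:
        return "pre-tls13"
    # RFC 8446 appendix D.4: compatibility mode sends legacy_version 0x0303 plus a
    # 32-byte legacy_session_id, so on the wire it resembles a TLS 1.2 resumption.
    if info["legacy_version"] == TLS12 and info["session_id_len"] == 32:
        return "tls13-compat"
    return "tls13"


def encode_handshake(data):
    return base64.b64encode(data).decode("ascii")


def external_acl_helper_line(line):
    """One request line from Squid (assumed: the base64 %>handshake token) -> OK/ERR.

    OK means "this client offered TLS 1.3", so the ACL matches and a deny rule
    on it refuses exactly those clients. Anything unparsable is ERR (no match)."""
    token = line.split()[0] if line.split() else ""
    try:
        verdict = classify(base64.b64decode(token, validate=True))
    except ValueError:
        return "ERR"
    return "OK" if verdict.startswith("tls13") else "ERR"


if __name__ == "__main__":
    import sys
    for request in sys.stdin:                                       # helper loop, one line each
        print(external_acl_helper_line(request), flush=True)
```

The classifier deliberately keys on the supported_versions extension rather than the record or legacy version fields, because those are exactly the fields a compat-mode client keeps at TLS 1.2; a peeking proxy that only reads legacy_version would see nothing unusual.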


Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread Van Order, Drew (US - Hermitage)
Wow. This is very generous Eliezer. I am humbled by your generosity!

Before I try your proxy for Windows, I've decided it's time to eliminate the OS 
as a variable. I quickly tacked up Squid running on a sandbox RHEL, and 
submitted a ticket to have it added to the F5 VIP. 

If the issue vanishes, bye bye Windows, and some folks are going to have to 
teach themselves Linux quickly :-) 

Stay tuned...

-Original Message-
From: elie...@ngtech.co.il  
Sent: Wednesday, February 27, 2019 4:28 PM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

Forgot to mention that this simple proxy:
http://gogs.ngtech.co.il/elicro/golang-http-proxy

is a simple forward proxy I wrote.
A binary packaged for any OS that GoLang supports including Windows 2k16 is 
there:
http://gogs.ngtech.co.il/NgTech-LTD/golang-http-proxy/src/master/golang-http-proxy.tar.xz

You will need some software to make it a service but these are easy to find.
If you need a recommendation for one I will try to find.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users  On Behalf Of 
elie...@ngtech.co.il
Sent: Wednesday, February 27, 2019 22:44
To: 'Van Order, Drew (US - Hermitage)' 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

So just to be clear.
You need a basic forward proxy that does CONNECT requests for any LAN client to 
safe ports?

Do you have any other requirements than being Windows 2k16 compatible and the 
mentioned ACLs?

If you insist on a Windows proxy there are a couple I collected...
http://www1.ngtech.co.il/wpe/2016/05/02/proxy-per-internet-user-is-it-realistic/

I know that RedWood might be good for your needs to compare...:
http://ngtech.co.il/static/redwood/redwood-0.2.0.tar.xz
https://github.com/andybalholm/redwood

I wrote a tiny proxy the other day which should also work fine for you as long 
as you have a 

Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread eliezer
Forgot to mention that this simple proxy:
http://gogs.ngtech.co.il/elicro/golang-http-proxy

Is a simple forward proxy I wrote.
A binary packaged for any OS that GoLang supports including Windows 2k16 is 
there:
http://gogs.ngtech.co.il/NgTech-LTD/golang-http-proxy/src/master/golang-http-proxy.tar.xz

You will need some software to make it a service but these are easy to find.
If you need a recommendation for one I will try to find.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users  On Behalf Of 
elie...@ngtech.co.il
Sent: Wednesday, February 27, 2019 22:44
To: 'Van Order, Drew (US - Hermitage)' 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

So just to be clear.
You need a basic forward proxy that does CONNECT requests for any LAN client
to safe ports?

Do you have any other requirements than being Windows 2k16 compatible and
the mentioned ACLs?

If you insist on a Windows proxy there are a couple I collected...
http://www1.ngtech.co.il/wpe/2016/05/02/proxy-per-internet-user-is-it-realistic/

I know that RedWood might be good for your needs to compare...:
http://ngtech.co.il/static/redwood/redwood-0.2.0.tar.xz
https://github.com/andybalholm/redwood

I wrote a tiny proxy the other day which should also work fine for you as
long as you have a working and properly configured firewall on the Server.
Let me know if something fits your needs.
If so you can try and test and maybe find the right culprit (i.e. Windows or
Linux).

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage)  
Sent: Wednesday, February 27, 2019 17:55
To: elie...@ngtech.co.il
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Business objective is to enable MSFT Azure MMA's (Microsoft Monitoring
Agents) blocked from the internet to send agent data to Azure Log Analytics

Simple proxy
No SSL bump
Squid config is attached
I tried disabling caching with Squid, found it crashed more frequently
Squid was chosen because this is intended to be a stopgap solution, and it's free.
It's a battle to win over security in order to have tcp/443 opened
everywhere.

I'm not sure Squid is the problem, I have an identically configured Squid
that bypasses the F5 working beautifully, but it's only 50 clients (MMA's)
connecting; each client takes roughly 5 connections. The clients are still
going through a firewall(s). 

Our network folks say that neither the FW nor the F5 leading up to Squid report
congestion. 

It's possible that Squid for Windows + F5 VIP are not intended to work
together, but it makes sense to just have one proxy IP address.

I'm getting ready to Skype with our F5 guy to compare what I'm seeing with
what he's seeing. Also trying to get how many clients are going through the
F5 to compare to my 'good' Squid

-Original Message-
From: elie...@ngtech.co.il  
Sent: Wednesday, February 27, 2019 9:20 AM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for Windows out there. (Just wondering what
and why you chose Squid.)

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage) 
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin

Cc: 'Amos Jeffries' ;
squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time
learning squidclient, and have determined that the server is not in any way
resource constrained. I've attached the output from mgr:info,
mgr:client_list, and mgr:filedescriptors in between crashes. Was wondering
if someone could explain Tout, which I presume is timeout. Of interest are
the ones set to 86400, which I presume is one day. That seems like a big
problem--but where is it coming from? I'm using the Cygwin Squid config
defaults.

There seems to be a lot of Reading next request going on before Squid
recycles. I wonder if the F5 VIP is dealing with congestion through the
firewall, which, in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking
questions, in particular why all the F5 traffic is coming over just one IP
address in the pool.

In case 

Re: [squid-users] Squid with custom openssl path is using the openssl installed in default path

2019-02-27 Thread Stilyan Georgiev
On Thu, Feb 28, 2019 at 12:05 AM Stilyan Georgiev 
wrote:

> Tried everything , including upgrading the system to version that has
> openssl1.1.1-1 , recompiling the package to exclude TLS 1.3 support , using
> -- tls_outgoing_options options=NO_TLSv1_3 where NO_TLSv1_3 simply wasn't
> recognized as something of use.
> TLS1.3 is still being used for sites, and our blocking based on SNI
> doesn't work.
>
> 1 thing left to try - specify list of ciphers where tls1.3 ciphers are not
> included. If that doesn't work we're probably switching to nginx , so we
> can use their config - ssl_protocols TLSv1.2; as too many hours were
> already spent on solving the problem here :(
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Any way to get the client's connecting port number?

2019-02-27 Thread Alex Rousskov
On 2/27/19 2:22 PM, Russel McDonald wrote:
> is there any way to get the port number of the connecting client
> available to the adapter through ECAP interface?

Yes, there is: http://www.squid-cache.org/Doc/config/adaptation_meta/

For example, the following configuration snippet relays (where
available) the MAC address (or equivalent), the source IP address, and
the TCP source port of the client-to-Squid connection to the adaptation
transaction via the X-Client-Details ICAP header or the eCAP meta-header:

  adaptation_meta X-Client-Details "%>eui@%>a:%>p"

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Alex Gutiérrez Martínez

Hello community, can someone be so nice as to tell me what I'm doing wrong?


I'm compiling squid 4.5 on Ubuntu 18.04


these are the dependencies I have installed


apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev 
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev 
libldap2-dev libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl 
libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils



these are the options for squid

./configure --build=x86_64-linux-gnu --enable-delay-pools 
--enable-cache-digests --enable-icap-client --enable-ssl 
--enable-ssl-crtd --with-openssl --enable-follow-x-forwarded-for 
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" 
--enable-auth-digest="file,LDAP" --prefix=/usr 
--includedir=${prefix}/include --mandir=${prefix}/share/man 
--infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var 
--libexecdir=${prefix}/lib/squid --srcdir=. --disable-maintainer-mode 
--disable-dependency-tracking --disable-silent-rules 
--datadir=/usr/share/squid --sysconfdir=/etc/squid 
--mandir=/usr/share/man --enable-inline --disable-arch-native 
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock 
--enable-removal-policies=lru,heap --enable-delay-pools 
--enable-cache-digests --enable-icap-client 
--enable-follow-x-forwarded-for --enable-auth-negotiate=kerberos,wrapper 
--enable-auth-ntlm=fake,smb_lm 
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group 
--enable-url-rewrite-helpers=fake --enable-eui --enable-esi 
--enable-zph-qos --enable-ecap --disable-translation 
--with-swapdir=/var/spool/squid --with-logdir=/var/log/squid 
--with-pidfile=/var/run/squid.pid --with-filedescriptors=65536 
--with-large-files --with-default-user=proxy --enable-ssl 
--with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter 'CFLAGS=-g 
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security'



I'm getting this error


error: NTLM auth helper smb_lm ... not found


thanks in advance


--
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Any way to get the client's connecting port number?

2019-02-27 Thread Russel McDonald
Hi, is there any way to get the port number of the connecting client available 
to the adapter through the ECAP interface? Not just the IP but the port number as 
well. I found that I can do that by a tiny change but it has to be in the squid 
source: in adaptation\ecap\XActionRep.cc, method clientIpValue, I added the 
sprintf:

  sprintf(&ntoabuf[strlen(ntoabuf)], ":%d", client_addr.port());
  return libecap::Area::FromTempBuffer(ntoabuf, strlen(ntoabuf));

The adapter then has access to the client's connecting port. I use that 
information to then look up the PID of the connecting process and hence user, 
using a Windows dll and method with increased privs.
So is there any existing way to get that port without a squid change? And if 
not then would the team be amenable to my joining as a dev contributor and 
submitting that? It could be as a separate value/option so as to not break any 
existing apps relying on that particular string just having the IP.
Russel McDonald
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread eliezer
So just to be clear.
You need a basic forward proxy that does CONNECT requests for any LAN client
to safe ports?

Do you have any other requirements than being Windows 2k16 compatible and
the mentioned ACLs?

If you insist on a Windows proxy there are a couple I collected...
http://www1.ngtech.co.il/wpe/2016/05/02/proxy-per-internet-user-is-it-realistic/

I know that RedWood might be good for your needs to compare...:
http://ngtech.co.il/static/redwood/redwood-0.2.0.tar.xz
https://github.com/andybalholm/redwood

I wrote a tiny proxy the other day which should also work fine for you as
long as you have a working and properly configured firewall on the Server.
Let me know if something fits your needs.
If so you can try and test and maybe find the right culprit (i.e. Windows or
Linux).

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage)  
Sent: Wednesday, February 27, 2019 17:55
To: elie...@ngtech.co.il
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Business objective is to enable MSFT Azure MMA's (Microsoft Monitoring
Agents) blocked from the internet to send agent data to Azure Log Analytics

Simple proxy
No SSL bump
Squid config is attached
I tried disabling caching with Squid, found it crashed more frequently
Squid was chosen because this is intended to be a stopgap solution, and it's free.
It's a battle to win over security in order to have tcp/443 opened
everywhere.

I'm not sure Squid is the problem, I have an identically configured Squid
that bypasses the F5 working beautifully, but it's only 50 clients (MMA's)
connecting; each client takes roughly 5 connections. The clients are still
going through a firewall(s). 

Our network folks say that neither the FW nor the F5 leading up to Squid report
congestion. 

It's possible that Squid for Windows + F5 VIP are not intended to work
together, but it makes sense to just have one proxy IP address.

I'm getting ready to Skype with our F5 guy to compare what I'm seeing with
what he's seeing. Also trying to get how many clients are going through the
F5 to compare to my 'good' Squid

-Original Message-
From: elie...@ngtech.co.il  
Sent: Wednesday, February 27, 2019 9:20 AM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for Windows out there. (Just wondering what
and why you chose Squid.)

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage) 
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin

Cc: 'Amos Jeffries' ;
squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time
learning squidclient, and have determined that the server is not in any way
resource constrained. I've attached the output from mgr:info,
mgr:client_list, and mgr:filedescriptors in between crashes. Was wondering
if someone could explain Tout, which I presume is timeout. Of interest are
the ones set to 86400, which I presume is one day. That seems like a big
problem--but where is it coming from? I'm using the Cygwin Squid config
defaults.

There seems to be a lot of Reading next request going on before Squid
recycles. I wonder if the F5 VIP is dealing with congestion through the
firewall, which, in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking
questions, in particular why all the F5 traffic is coming over just one IP
address in the pool.

In case folks wonder what the IP's are in the file descriptor output

1310 Socket  8986044*2806  40.71.12.224:443 593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443
  (this is Squid forwarding Windows event/perf data from an agent to Azure Log Analytics)
1311 Socket  8993015*9208  10.26.25.220:61088 Reading next request
  (10.26.25.220 is the pool IP address of the F5 in use)
1312 Socket  8992690*8826  10.26.25.220:61436 Reading next request
1313 Socket  8999169*2884  104.208.163.218:443 eus2-jobruntimedata-prod-su1.azure-automation.net:443
  (Squid to Azure)
1314 Socket  8998787*2508  104.208.163.218:443 eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket  118 119*3924  10.26.25.220:52153 Idle client: Waiting for next request
1316 Socket  900
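Drew's quoted file-descriptor dump above is read by eye: several "Reading next request" sockets all from the one F5 pool address, and elsewhere descriptors with a day-long Tout. As an added example, not code from this thread, the following Python tallies a mgr:filedescriptors dump per remote host, counts the "Reading next request" entries and lists descriptors whose timeout exceeds a threshold, which turns that eyeballing into numbers you can compare between the "good" Squid and the one behind the F5. The sample text is constructed: the addresses mirror the thread but the byte counts and timeouts are illustrative, and the column mapping (File, Type, Tout, Nread, Nwrite, Remote Address, Description, with "*" marking a pending read or write handler) is my assumption about the dump format, so check it against the header row of your own squidclient output.

```python
import re
from collections import Counter

# Constructed sample in the shape of "squidclient mgr:filedescriptors" output.
# Column layout is assumed (see lead-in); the figures are illustrative only.
SAMPLE = """\
Active file descriptors:
File Type       Tout Nread    Nwrite   Remote Address        Description
---- ---------- ---- -------- -------- --------------------- ------------------------------
1310 Socket       89   86044*    2806  40.71.12.224:443      593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443
1311 Socket       89   93015*    9208  10.26.25.220:61088    Reading next request
1312 Socket       89   92690*    8826  10.26.25.220:61436    Reading next request
1313 Socket       89   99169*    2884  104.208.163.218:443   eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket      118     119*    3924  10.26.25.220:52153    Idle client: Waiting for next request
1320 Socket    86400       0        0  10.26.25.220:52901    Reading next request
1321 Socket    86400       0        0  10.26.25.220:52944    Reading next request
"""

# One table row: fd, type, timeout, bytes read (+ optional '*'), bytes written
# (+ optional '*'), remote address, free-text description. Header and separator
# lines do not start with a number and are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)(\*?)\s+(\d+)(\*?)\s+(\S+)\s+(.*?)\s*$")


def parse_fd_table(text):
    """Turn the dump into a list of dicts, one per descriptor row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        host, _, port = m.group(8).rpartition(":")     # keeps bracketed IPv6 hosts intact
        rows.append({
            "fd": int(m.group(1)),
            "type": m.group(2),
            "tout": int(m.group(3)),
            "nread": int(m.group(4)),
            "reading": m.group(5) == "*",
            "nwrite": int(m.group(6)),
            "writing": m.group(7) == "*",
            "remote_host": host,
            "remote_port": int(port) if port.isdigit() else None,
            "desc": m.group(9),
        })
    return rows


def summarize(rows, long_tout=3600):
    """Per-host socket counts, descriptors with a long timeout, and idle-read count."""
    by_host = Counter(r["remote_host"] for r in rows if r["type"] == "Socket")
    long_timeouts = sorted(r["fd"] for r in rows if r["tout"] >= long_tout)
    waiting = sum(1 for r in rows if r["desc"].startswith("Reading next request"))
    return {
        "by_remote_host": by_host,
        "long_timeouts": long_timeouts,
        "reading_next_request": waiting,
    }


if __name__ == "__main__":
    report = summarize(parse_fd_table(SAMPLE))
    for host, n in report["by_remote_host"].most_common():
        print(f"{n:4d} sockets  {host}")
    print("descriptors with Tout >= 3600:", report["long_timeouts"])
    print("'Reading next request' sockets:", report["reading_next_request"])
```

Run against a real dump (`squidclient mgr:filedescriptors | python3 fdtable.py` with the script reading stdin instead of SAMPLE), a single remote host dominating the socket count while the firewall and F5 report no congestion is the kind of fact worth bringing to the F5 team, since it shows where the connections concentrate rather than how busy the box feels.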

[squid-users] HTTP2

2019-02-27 Thread Andrej van der Zee
Hi,

I understood that http2 is work in progress. Is there anything to say about
when this might be released?

Thank you,
Andrej
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread Rafael Akchurin
I would try deploying Squid on Linux machine running within Hyper-V just to be 
sure the Squid part itself works fine. Then only specifics of it running on 
Cygwin will remain to be uncovered. Should be very easy to setup. Couple of 
hours at most (you have already dedicated much more time to this).

For example here is how we do it 
https://github.com/diladele/websafety-virtual-appliance/blob/master/scripts.ubuntu18/03_squid.sh
It is even easier if you do not need to sslbump. Just

apt-get update && apt-get install -y squid

And voila!

-Original Message-
From: squid-users  On Behalf Of Van 
Order, Drew (US - Hermitage)
Sent: Wednesday, 27 February 2019 16:55
To: elie...@ngtech.co.il
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

Business objective is to enable MSFT Azure MMA's (Microsoft Monitoring Agents) 
blocked from the internet to send agent data to Azure Log Analytics

Simple proxy
No SSL bump
Squid config is attached
I tried disabling caching with Squid, and found it crashed more frequently. Squid 
was chosen because this is intended to be a stopgap solution, and it's free. It's a 
battle to win over security in order to have tcp/443 opened everywhere.

I'm not sure Squid is the problem, I have an identically configured Squid that 
bypasses the F5 working beautifully, but it's only 50 clients (MMA's) 
connecting, Each client takes roughly 5 connections. The clients are still 
going through a firewall(s). 

Our network folks say that neither the FW or F5 leading up to Squid report 
congestion. 

It's possible that Squid for Windows + F5 VIP are not intended to work 
together, but it makes sense to just have one proxy IP address.

I'm getting ready to Skype with our F5 guy to compare what I'm seeing with what 
he's seeing. Also trying to get how many clients are going through the F5 to 
compare to my 'good' Squid

-Original Message-
From: elie...@ngtech.co.il 
Sent: Wednesday, February 27, 2019 9:20 AM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for Windows out there. (Just wondering what and 
why you have chosen Squid.)

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage) 
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin 

Cc: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time 
learning squidclient, and have determined that the server is not in any way 
resource constrained. I've attached the output from mgr:info, mgr:client_list, 
and mgr:filedescriptors in between crashes. Was wondering if someone could 
explain Tout, which I presume is timeout. Of interest are the ones set to 
86400, which I presume is one day. That seems like a big problem--but where is 
it coming from? I'm using the Cygwin Squid config defaults.

There seems to be a lot of Reading next request going on before Squid recycles. 
I wonder if the F5 VIP is dealing with congestion through the firewall, which, 
in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking 
questions, in particular why all the F5 traffic is coming over just one IP 
address in the pool.

In case folks wonder what the IP's are in the file descriptor output

1310 Socket  8986044*2806  40.71.12.224:443
593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443 (this is 
Squid forwarding Windows event/perf data from an agent to Azure Log
Analytics)
1311 Socket  8993015*9208  10.26.25.220:61088Reading next
request (10.26.25.220) is the pool IP address of the F5 in use)
1312 Socket  8992690*8826  10.26.25.220:61436Reading next
request
1313 Socket  8999169*2884  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443 (Squid to Azure)
1314 Socket  8998787*2508  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket  118 119*3924  10.26.25.220:52153Idle client:
Waiting for next request
1316 Socket  9001382*8697  10.26.25.220:54786Reading next
request

This is from a box that restarts squid every few minutes. Typical cache.log 
snippet

2019/02/26 21:24:22 kid1| storeDirWriteCleanLogs: Starting...
2019/02/26 21:24:22 kid1|   Finished.  Wrote 0 entries.
2019/02/26 21:24:22 kid1|   Took 0.00 seconds (  0.00 

Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread Van Order, Drew (US - Hermitage)
Business objective is to enable MSFT Azure MMA's (Microsoft Monitoring Agents) 
blocked from the internet to send agent data to Azure Log Analytics

Simple proxy
No SSL bump
Squid config is attached
I tried disabling caching with Squid, and found it crashed more frequently.
Squid was chosen because this is intended to be a stopgap solution, and it's free. It's 
a battle to win over security in order to have tcp/443 opened everywhere.

I'm not sure Squid is the problem, I have an identically configured Squid that 
bypasses the F5 working beautifully, but it's only 50 clients (MMA's) 
connecting, Each client takes roughly 5 connections. The clients are still 
going through a firewall(s). 

Our network folks say that neither the FW or F5 leading up to Squid report 
congestion. 

It's possible that Squid for Windows + F5 VIP are not intended to work 
together, but it makes sense to just have one proxy IP address.

I'm getting ready to Skype with our F5 guy to compare what I'm seeing with what 
he's seeing. Also trying to get how many clients are going through the F5 to 
compare to my 'good' Squid

-Original Message-
From: elie...@ngtech.co.il  
Sent: Wednesday, February 27, 2019 9:20 AM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for Windows out there. (Just wondering what and 
why you have chosen Squid.)

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage) 
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin 

Cc: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time 
learning squidclient, and have determined that the server is not in any way 
resource constrained. I've attached the output from mgr:info, mgr:client_list, 
and mgr:filedescriptors in between crashes. Was wondering if someone could 
explain Tout, which I presume is timeout. Of interest are the ones set to 
86400, which I presume is one day. That seems like a big problem--but where is 
it coming from? I'm using the Cygwin Squid config defaults.

There seems to be a lot of Reading next request going on before Squid recycles. 
I wonder if the F5 VIP is dealing with congestion through the firewall, which, 
in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking 
questions, in particular why all the F5 traffic is coming over just one IP 
address in the pool.

In case folks wonder what the IP's are in the file descriptor output

1310 Socket  8986044*2806  40.71.12.224:443
593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443 (this is 
Squid forwarding Windows event/perf data from an agent to Azure Log
Analytics)
1311 Socket  8993015*9208  10.26.25.220:61088Reading next
request (10.26.25.220) is the pool IP address of the F5 in use)
1312 Socket  8992690*8826  10.26.25.220:61436Reading next
request
1313 Socket  8999169*2884  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443 (Squid to Azure)
1314 Socket  8998787*2508  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket  118 119*3924  10.26.25.220:52153Idle client:
Waiting for next request
1316 Socket  9001382*8697  10.26.25.220:54786Reading next
request

This is from a box that restarts squid every few minutes. Typical cache.log 
snippet

2019/02/26 21:24:22 kid1| storeDirWriteCleanLogs: Starting...
2019/02/26 21:24:22 kid1|   Finished.  Wrote 0 entries.
2019/02/26 21:24:22 kid1|   Took 0.00 seconds (  0.00 entries/sec).
2019/02/26 21:24:26 kid1| Set Current Directory to /var/cache/squid
2019/02/26 21:24:26 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2019/02/26 21:24:26 kid1| Service Name: squid
2019/02/26 21:24:26 kid1| Process ID 1796
2019/02/26 21:24:26 kid1| Process Roles: worker
2019/02/26 21:24:26 kid1| With 3200 file descriptors available
2019/02/26 21:24:26 kid1| Initializing IP Cache...
2019/02/26 21:24:26 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2019/02/26 21:24:26 kid1| DNS Socket created at [::], FD 5
2019/02/26 21:24:26 kid1| DNS Socket created at 0.0.0.0, FD 6
2019/02/26 21:24:26 kid1| Adding nameserver 208.67.220.220 from squid.conf
2019/02/26 21:24:26 kid1| Adding nameserver 208.67.222.222 from squid.conf
2019/02/26 21:24:26 kid1| 

Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread eliezer
The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for Windows out there. (Just wondering what
and why you have chosen Squid.)

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage)  
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin

Cc: 'Amos Jeffries' ;
squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time
learning squidclient, and have determined that the server is not in any way
resource constrained. I've attached the output from mgr:info,
mgr:client_list, and mgr:filedescriptors in between crashes. Was wondering
if someone could explain Tout, which I presume is timeout. Of interest are
the ones set to 86400, which I presume is one day. That seems like a big
problem--but where is it coming from? I'm using the Cygwin Squid config
defaults.

There seems to be a lot of Reading next request going on before Squid
recycles. I wonder if the F5 VIP is dealing with congestion through the
firewall, which, in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking
questions, in particular why all the F5 traffic is coming over just one IP
address in the pool.

In case folks wonder what the IP's are in the file descriptor output

1310 Socket  8986044*2806  40.71.12.224:443
593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443 (this is
Squid forwarding Windows event/perf data from an agent to Azure Log
Analytics)
1311 Socket  8993015*9208  10.26.25.220:61088Reading next
request (10.26.25.220) is the pool IP address of the F5 in use)
1312 Socket  8992690*8826  10.26.25.220:61436Reading next
request
1313 Socket  8999169*2884  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443 (Squid to Azure)
1314 Socket  8998787*2508  104.208.163.218:443
eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket  118 119*3924  10.26.25.220:52153Idle client:
Waiting for next request
1316 Socket  9001382*8697  10.26.25.220:54786Reading next
request

This is from a box that restarts squid every few minutes. Typical cache.log
snippet

2019/02/26 21:24:22 kid1| storeDirWriteCleanLogs: Starting...
2019/02/26 21:24:22 kid1|   Finished.  Wrote 0 entries.
2019/02/26 21:24:22 kid1|   Took 0.00 seconds (  0.00 entries/sec).
2019/02/26 21:24:26 kid1| Set Current Directory to /var/cache/squid
2019/02/26 21:24:26 kid1| Starting Squid Cache version 3.5.28 for
x86_64-unknown-cygwin...
2019/02/26 21:24:26 kid1| Service Name: squid
2019/02/26 21:24:26 kid1| Process ID 1796
2019/02/26 21:24:26 kid1| Process Roles: worker
2019/02/26 21:24:26 kid1| With 3200 file descriptors available
2019/02/26 21:24:26 kid1| Initializing IP Cache...
2019/02/26 21:24:26 kid1| parseEtcHosts: /etc/hosts: (2) No such file or
directory
2019/02/26 21:24:26 kid1| DNS Socket created at [::], FD 5
2019/02/26 21:24:26 kid1| DNS Socket created at 0.0.0.0, FD 6
2019/02/26 21:24:26 kid1| Adding nameserver 208.67.220.220 from squid.conf
2019/02/26 21:24:26 kid1| Adding nameserver 208.67.222.222 from squid.conf
2019/02/26 21:24:26 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2019/02/26 21:24:26 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2019/02/26 21:24:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2019/02/26 21:24:26 kid1| Store logging disabled
2019/02/26 21:24:26 kid1| Swap maxSize 3072000 + 262144 KB, estimated 256472
objects
2019/02/26 21:24:26 kid1| Target number of buckets: 12823
2019/02/26 21:24:26 kid1| Using 16384 Store buckets
2019/02/26 21:24:26 kid1| Max Mem  size: 262144 KB
2019/02/26 21:24:26 kid1| Max Swap size: 3072000 KB
2019/02/26 21:24:26 kid1| Rebuilding storage in /cygdrive/e/squid/cache
(clean log)
2019/02/26 21:24:26 kid1| Using Least Load store dir selection
2019/02/26 21:24:26 kid1| Set Current Directory to /var/cache/squid
2019/02/26 21:24:26 kid1| Finished loading MIME types and icons.
2019/02/26 21:24:26 kid1| HTCP Disabled.
2019/02/26 21:24:26 kid1| Squid plugin modules loaded: 0
2019/02/26 21:24:26 kid1| Adaptation support is off.
2019/02/26 21:24:26 kid1| Accepting HTTP Socket connections at
local=10.26.24.65:3128 remote=[::] FD 12 flags=9
2019/02/26 21:24:26 kid1| Done reading /cygdrive/e/squid/cache swaplog (0
entries)
2019/02/26 21:24:26 kid1| Store rebuilding is 0.00% complete
2019/02/26 21:24:26 kid1| Finished rebuilding storage from disk.
2019/02/26 21:24:26 kid1| 0 Entries scanned

[squid-users] ssl-bump

2019-02-27 Thread leomessi...@yahoo.com
Hi all
Can I use this conf only for blocking purposes?! Is setting 
dynamic_cert_mem_cache_size=0MB wrong? I have more than 1000 clients and I only 
want to block http and https pages and show an err page for both of those. 
 
My configuration is like this:
-
https_port 3130 tproxy ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=off dynamic_cert_mem_cache_size=0MB
sslcrtd_program /usr/lib64/squid/security_file_certgen


acl blk ssl::server_name "/var/blk.list"
ssl_bump bump blk
http_access deny blk
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
-

tanx


Re: [squid-users] /64 ipv6

2019-02-27 Thread Amos Jeffries
On 28/02/19 2:38 am, mzgmedia wrote:
> we would like to add maybe 1 million IPv6 addresses on a single squid server but probably
> the squid will crash because the config file will be too big
> 

Squid will not crash. It will determine that there are too many HTTP
ports being attempted and cleanly shutdown with an error message about that.


Use the wildcard functionality instead. Like so:

 http_port 3128

This will open *:3128 and traffic destined to _any_ IP assigned to the
machine will arrive at Squid.


PS. From the other posts in this thread you seem to be caught up on the
idea that IP addresses are somehow static things which can persist
across a proxy. This is not true, especially in IPv6 where the so-called
'privacy addressing' can cause any IP to change at any time.

HTTP is designed for this dynamic environment and has stateless
multiplexing of traffic. This means a single client<->Squid connection
can contain requests for any URL and any Squid<->server connection can
handle traffic for any client.


Amos


Re: [squid-users] Squid with custom openssl path is using the openssl installed in default path

2019-02-27 Thread Amos Jeffries
On 27/02/19 11:39 pm, Stilyan Georgiev wrote:
> Modified Makefile, replacing LIBOPENSSL_CFLAGS = -I/usr/local/include
> with LIBOPENSSL_CFLAGS = -I/usr/local/include/openssl
> 

Please do not touch the Makefile.

To set build environment variables such as those you simply pass them as
arguments to ./configure.

Like so:

 ./configure LIBOPENSSL_CFLAGS="-I/usr/local/include/openssl"


Though the best solution is to fix the issue with your OpenSSL build my
earlier response mentions.



> Afterwards I got squid reporting it uses my custom-path openssl:
> 
> -- 
> Squid Cache: Version 4.5-20190208-r568e66b7c
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1b  26 Feb 2019. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
> 
> configure options:  '--prefix=/usr/local/squid' '--with-openssl=/usr/local'
> -- 
> 
> And even though I built the openssl without tls 1.3 support, I'm still
> being able to use it when browsing through the proxy.
> 
> Also tried tls_outgoing_options options=NO_TLSv1_3 in config .. then in
> cache.log I got -- 2019/02/27 10:32:10 kid1| ERROR: Unknown TLS option
> NO_TLSv1_3

That squid.conf directive controls connections *leaving * Squid towards
origin servers.

Also, your build of OpenSSL explicitly disabled TLS/1.3 functionality.
That included disabling the ability of external programs like Squid to
control whether or not TLS/1.3 is used.


> 
> Which makes me thing even though squid reports it uses openssl 1.1.1 ,
> it lies to me and still uses the ubuntu version :)
> 

No lie. That version number is not something built into Squid. It is a
string produced by the specific libssl library loaded at runtime.
So unless the library is lying about its own version that is actually
the library being loaded and used.


Keep in mind that there are multiple TCP connections, and thus multiple
agents involved. Any of the agents may be using either of the libraries
you have installed on your system.

Whatever agent you are connecting to Squid with is using one library,
Squid using the one claimed by 'squid -v', and the remote server is
using whatever exists out there.


Depending on exactly what setup you are using and how you are testing it
there are also between 1 and 3 "TLS connections" going on with TLS
version negotiated separately for each. You may only get one of those
reported by some test approaches.

If you want some assistance figuring out whether your tests are accurate
and/or how to better see what is going on, please provide details of what
your production setup is intended to be, any differences in your test
setup, and how you are testing (what commands exactly). As much detail
as you can provide would be helpful to anyone following up (exact crypto
key/cert values do not matter, though cert _type_ may).


Amos


Re: [squid-users] /64 ipv6

2019-02-27 Thread mzgmedia
we would like to add maybe 1 million IPv6 addresses on a single squid server but probably
the squid will crash because the config file will be too big





[squid-users] ssl bump

2019-02-27 Thread leomessi...@yahoo.com
Hi all
Can I use this conf only for blocking purposes?! Is setting 
dynamic_cert_mem_cache_size=0MB wrong? I have more than 1000 clients and I only 
want to block http and https pages. 
 
My configuration is like this:
-
https_port 3130 tproxy ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=off dynamic_cert_mem_cache_size=0MB
sslcrtd_program /usr/lib64/squid/security_file_certgen


acl blk ssl::server_name "/var/blk.list"
ssl_bump bump blk
http_access deny blk
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
-

tanx


Re: [squid-users] Squid with custom openssl path is using the openssl installed in default path

2019-02-27 Thread Amos Jeffries
On 27/02/19 9:59 pm, Stilyan Georgiev wrote:
> Hi,
> 
> Trying to build squid using custom path for openssl and related
> libraries. My goal is to use openssl 1.1.1 which is installed in /usr/local
> 
> -- 
> /usr/local/bin/openssl version
> OpenSSL 1.1.1b  26 Feb 2019
> -- 
> 
> I did install it like that:
> 
> -- 
>  ./config --prefix=/usr/local --openssldir=/usr/local/lib/ssl
> --libdir=lib 


The build instructions for OpenSSL indicate that unless one is an expert
with the library those --prefix and --openssldir paths should be set to
exactly the same value, *and* avoid setting them to any default system
paths (eg. /usr).

Once you have both built and *installed* the library files, you should
use *exactly* the same path for Squid's ./configure --with-openssl=PATH
value.


>  --with-openssl=/usr/local

Notice how your paths are all different at each of those three places.
This is causing a very mixed up installation.

When Squid goes looking for the headers + binaries the only consistent
thing it can find is the default system library. So of course that is
what gets linked to.


I suggest using /usr/local/openssl-1.1.1 as your custom library path.

Build openssl with --prefix=/usr/local/openssl-1.1.1
--openssldir=/usr/local/openssl-1.1.1

Build Squid with --with-openssl=/usr/local/openssl-1.1.1

That should work a lot better without needing any edits of the build system.


Amos
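Amos's two points above (that the version string in `squid -v` comes from whichever libssl is actually loaded at run time, and that mixed `--prefix`/`--openssldir`/`--with-openssl` paths make the linker fall back to the distro library) can be verified directly on the built binary instead of by browsing through the proxy. The following is an added example, not code from the thread or from the Squid project: it parses `ldd` output for the squid binary and fails if libssl or libcrypto resolve anywhere other than under the OpenSSL prefix that was passed to `--with-openssl`. The binary path `/usr/local/squid/sbin/squid` and the prefix `/usr/local/openssl-1.1.1` are taken from the thread; the two `ldd` samples are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread (not code from the squid-users posts or from
# the Squid project): confirm which libssl/libcrypto a squid binary really
# resolves at load time, and fail if they are not under the OpenSSL prefix
# given to ./configure --with-openssl=PATH. Binary and prefix paths are
# assumptions taken from the thread for illustration.

# Print the resolved path of one shared library (e.g. libssl) from `ldd`
# output read on stdin; prints nothing if the library is not listed.
resolved_lib() {
    awk -v lib="$1" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3; exit }'
}

# Verify that both libssl and libcrypto resolve under PREFIX (ldd output on
# stdin). Returns 0 when both do, 1 otherwise, naming the offending library.
check_openssl_prefix() {
    prefix="$1"
    ldd_out=$(cat)
    for lib in libssl libcrypto; do
        path=$(printf '%s\n' "$ldd_out" | resolved_lib "$lib")
        case "$path" in
            "$prefix"/*) ;;
            *)
                printf '%s resolves to %s, not under %s\n' \
                    "$lib" "${path:-<none>}" "$prefix" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# Constructed ldd output mimicking a squid linked against Ubuntu's libssl1.1
# (the situation reported in the thread). Not captured from a real system.
sample_ldd_system() {
    printf '\tlinux-vdso.so.1 (0x00007ffd00000000)\n'
    printf '\tlibssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)\n'
    printf '\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)\n'
}

# Constructed ldd output for a squid built with
# --with-openssl=/usr/local/openssl-1.1.1 as suggested in the thread.
sample_ldd_custom() {
    printf '\tlinux-vdso.so.1 (0x00007ffd00000000)\n'
    printf '\tlibssl.so.1.1 => /usr/local/openssl-1.1.1/lib/libssl.so.1.1 (0x00007f0000000000)\n'
    printf '\tlibcrypto.so.1.1 => /usr/local/openssl-1.1.1/lib/libcrypto.so.1.1 (0x00007f0000100000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)\n'
}

# Demo on the constructed samples. On a real host replace the sample with:
#   ldd /usr/local/squid/sbin/squid | check_openssl_prefix /usr/local/openssl-1.1.1
if sample_ldd_system | check_openssl_prefix /usr/local/openssl-1.1.1; then
    echo "system sample: consistent (unexpected)"
else
    echo "system sample: squid would load the distro libssl, as the thread saw"
fi
if sample_ldd_custom | check_openssl_prefix /usr/local/openssl-1.1.1; then
    echo "custom sample: squid resolves libssl/libcrypto under the custom prefix"
fi
```

Run it once after `make install` and again after any OpenSSL or distro package upgrade: because the resolution happens at load time, a later `apt upgrade` of libssl1.1 or a changed `rpath` can silently move squid back onto the system library even though `configure` printed `-L/usr/local/lib`. The check only covers the Squid process itself; the TLS library used by the client and the origin server, which Amos notes are separate, has to be inspected on those hosts.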


Re: [squid-users] Squid with custom openssl path is using the openssl installed in default path

2019-02-27 Thread Stilyan Georgiev
Modified Makefile, replacing LIBOPENSSL_CFLAGS = -I/usr/local/include 
with LIBOPENSSL_CFLAGS = -I/usr/local/include/openssl


Afterwards I got squid reporting it uses my custom-path openssl:

--
Squid Cache: Version 4.5-20190208-r568e66b7c
Service Name: squid

This binary uses OpenSSL 1.1.1b  26 Feb 2019. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr/local/squid' '--with-openssl=/usr/local'
--

And even though I built the openssl without tls 1.3 support, I'm still 
being able to use it when browsing through the proxy.


Also tried tls_outgoing_options options=NO_TLSv1_3 in config .. then in 
cache.log I got -- 2019/02/27 10:32:10 kid1| ERROR: Unknown TLS option 
NO_TLSv1_3


Which makes me think that even though squid reports it uses openssl 1.1.1, 
it lies to me and still uses the ubuntu version :)


Truly blocked with this.

On 2/27/2019 10:59 AM, Stilyan Georgiev wrote:

Hi,

Trying to build squid using custom path for openssl and related 
libraries. My goal is to use openssl 1.1.1 which is installed in 
/usr/local


--
/usr/local/bin/openssl version
OpenSSL 1.1.1b  26 Feb 2019
--

I did install it like that:

--
 ./config --prefix=/usr/local --openssldir=/usr/local/lib/ssl 
--libdir=lib '-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-tls1_3 
no-ssl3 no-idea no-mdc2 no-rc5 no-zlib enable-unit-test enable-rfc3779 
enable-cms

--

On the system (Ubuntu 18.04.02) I've got earlier version of openssl 
installed , which is dependency for other packages.


--
dpkg --list |grep ssl
ii  libgnutls-openssl27:amd64 3.5.18-1ubuntu1
ii  libio-socket-ssl-perl 2.056-1
ii  libnet-smtp-ssl-perl  1.04-1
ii  libnet-ssleay-perl    1.84-1build1
ii  libssl-doc    1.1.0g-2ubuntu4.3
ii  libssl1.0.0:amd64 1.0.2n-1ubuntu5.2
ii  libssl1.1:amd64   1.1.0g-2ubuntu4.3
ii  libxmlsec1-openssl:amd64  1.2.25-1build1
ii  libzstd1:amd64    1.3.3+dfsg-2ubuntu1
ii  openssl   1.1.0g-2ubuntu4.3
ii  perl-openssl-defaults:amd64   3build1
ii  python3-openssl   17.5.0-1ubuntu1
rc  ssl-cert  1.0.39

--

I also had the libssl-dev which I successfully uninstalled in 
desperate attempts but that didn't help.


This is how I config squid (4.5 incl. latest bugfixes):

--
./configure --prefix=/usr/local/squid --with-openssl=/usr/local
--

During config I saw the line: configure: OpenSSL library support: yes 
-L/usr/local/lib -L/usr/local/lib -lssl -lcrypto


However after installation I'm pulling my hair over this:

--
/usr/local/squid/sbin/squid -v
Squid Cache: Version 4.5-20190208-r568e66b7c
Service Name: squid

This binary uses OpenSSL 1.1.0g  2 Nov 2017. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr/local/squid' 
'--with-openssl=/usr/local'

--

Instead of using openssl 1.1.1 from path I gave it uses the system 
package.


Desperate attempts:

I've also tried configuring squid like so with same end result - 
non-custom openssl used


--
./configure  --prefix=/usr/local/squid --with-openssl 
'LIBOPENSSL_CFLAGS=-I/usr/local/include/openssl -L/usr/local/lib'

--

Tried config of openssl like so (note openssldir not 
/usr/local/lib/ssl) with same end result:


--
./config --prefix=/usr/local --openssldir=/usr/local/lib --libdir=lib 
'-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-tls1_3 no-ssl3 no-idea 
no-mdc2 no-rc5 no-zlib enable-unit-test enable-rfc3779 enable-cms

--

I'm really, really desperate over here.

Thanks in advance for helping out.




[squid-users] Squid with custom openssl path is using the openssl installed in default path

2019-02-27 Thread Stilyan Georgiev

Hi,

Trying to build squid using custom path for openssl and related 
libraries. My goal is to use openssl 1.1.1 which is installed in /usr/local


--
/usr/local/bin/openssl version
OpenSSL 1.1.1b  26 Feb 2019
--

I did install it like that:

--
 ./config --prefix=/usr/local --openssldir=/usr/local/lib/ssl 
--libdir=lib '-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-tls1_3 
no-ssl3 no-idea no-mdc2 no-rc5 no-zlib enable-unit-test enable-rfc3779 
enable-cms

--

On the system (Ubuntu 18.04.02) I've got earlier version of openssl 
installed , which is dependency for other packages.


--
dpkg --list |grep ssl
ii  libgnutls-openssl27:amd64 3.5.18-1ubuntu1
ii  libio-socket-ssl-perl 2.056-1
ii  libnet-smtp-ssl-perl  1.04-1
ii  libnet-ssleay-perl    1.84-1build1
ii  libssl-doc    1.1.0g-2ubuntu4.3
ii  libssl1.0.0:amd64 1.0.2n-1ubuntu5.2
ii  libssl1.1:amd64   1.1.0g-2ubuntu4.3
ii  libxmlsec1-openssl:amd64  1.2.25-1build1
ii  libzstd1:amd64    1.3.3+dfsg-2ubuntu1
ii  openssl   1.1.0g-2ubuntu4.3
ii  perl-openssl-defaults:amd64   3build1
ii  python3-openssl   17.5.0-1ubuntu1
rc  ssl-cert  1.0.39

--

I also had the libssl-dev which I successfully uninstalled in desperate 
attempts but that didn't help.


This is how I config squid (4.5 incl. latest bugfixes):

--
./configure --prefix=/usr/local/squid --with-openssl=/usr/local
--

During config I saw the line: configure: OpenSSL library support: yes 
-L/usr/local/lib -L/usr/local/lib -lssl -lcrypto


However after installation I'm pulling my hair over this:

--
/usr/local/squid/sbin/squid -v
Squid Cache: Version 4.5-20190208-r568e66b7c
Service Name: squid

This binary uses OpenSSL 1.1.0g  2 Nov 2017. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr/local/squid' '--with-openssl=/usr/local'
--

Instead of using openssl 1.1.1 from path I gave it uses the system package.

Desperate attempts:

I've also tried configuring squid like so with same end result - 
non-custom openssl used


--
./configure  --prefix=/usr/local/squid --with-openssl 
'LIBOPENSSL_CFLAGS=-I/usr/local/include/openssl -L/usr/local/lib'

--

Tried config of openssl like so (note openssldir not /usr/local/lib/ssl) 
with same end result:


--
./config --prefix=/usr/local --openssldir=/usr/local/lib --libdir=lib 
'-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-tls1_3 no-ssl3 no-idea 
no-mdc2 no-rc5 no-zlib enable-unit-test enable-rfc3779 enable-cms

--

I'm really, really desperate over here.

Thanks in advance for helping out.
