[squid-users] deny_info redirect with URL placeholder

2019-12-08 Thread Vieri Di Paola
Hi,

Is there a way to add a URL variable name to a deny_info 302
configuration directive?

Suppose I have the following:

external_acl_type location_rewriter ttl=86400 negative_ttl=86400
children-max=80 children-startup=10 children-idle=3 concurrency=8
%http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread Amos Jeffries
On 9/12/19 10:41 am, GeorgeShen wrote:
> Hi Amos,
> 
> I downloaded the latest 4.9 and compiled it with "./configure
> --with-default-user=proxy --with-openssl --enable-ssl-crtd", without redoing the
> openssl and proxy certificate part. Starting squid 4.9, I am still seeing the
> failure. I have not debugged it in detail.
> Quick question: when compiling for the bump use case, do I need to use the
> with-gnutls option also?

No, GnuTLS is just an alternative to OpenSSL for those where the OpenSSL
license vs GPL incompatibility matters (anyone distributing both OpenSSL
and Squid packages - eg Ubuntu itself).

It still lacks most of the SSL-Bump features. So eventually you
might be able to choose between them, but right now OpenSSL is needed to
do interception of HTTPS.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen

Version 4.9 has the same behavior: it cannot finish negotiating with the
client.
I have set up two different client machines, one is macOS, the other Alpine
Linux.

I finally got the macOS wget https to work through the squid 4.9 proxy with
ssl-bump.
So the squid config is ok.

The Alpine Linux one, using wget https, gets the error message ssl_client:
handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3
alert handshake failure (in the proxy log it is the same thing, it somehow
cannot retrieve the ssl session, probably due to some TLS mismatch).

I'm wondering if you know what kind of mismatch this normally is between the
client and proxy.
If I'm using wget https for testing, what kind of parameters do I need to
change to match them?

thanks.
- George





Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen
Hi Amos,

I downloaded the latest 4.9 and compiled it with "./configure
--with-default-user=proxy --with-openssl --enable-ssl-crtd", without redoing the
openssl and proxy certificate part. Starting squid 4.9, I am still seeing the
failure. I have not debugged it in detail.
Quick question: when compiling for the bump use case, do I need to use the
with-gnutls option also?
Just wondering.

thanks.
- George





Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen
Hi Amos,

Thanks for the comments. I'll first try the later version you pointed out,
4.9, and see if I still get the issues. Will report back.
thanks.

- George





Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread Amos Jeffries
On 8/12/19 7:53 pm, George Sheng wrote:
> 
> Hi,
> 
> I’m new to this group. I just setup a squid ver 4.5 on my ubuntu

When using SSL-Bump one does need to use the latest release, which is
4.9 now.

Since this is a custom build (4.5 has never been a release in Ubuntu)
you may find Squid-5 has even fewer issues for SSL-Bump.



...
> 2019/12/07 20:48:59.761 kid1| 83,5| Session.cc (347)
> get_session_cb: Request to search for SSL_SESSION of
> len: 321019023443:419801955
> 2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc (156)
> openForReading: trying to open slot for
> key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
> 2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc (177)
> openForReadingAt: trying to open slot at 18 for reading in
> map [tls_session_cache]
> 2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc (169)
> openForReading: failed to open slot for
> key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
> 2019/12/07 20:48:59.761 kid1| 83,5| Session.cc (362)
> get_session_cb: Failed to retrieve SSL_SESSION from cache
> ***

This is talking about Squid's internal cache of TLS sessions that
clients have negotiated previously with this Squid. It means the client
is attempting to use/resume a TLS session ID that does not exist. There
is nothing anyone can do about that.


> 
> Here is my squid.conf:
> 
...
> https_port 3130 intercept ssl-bump
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/usr/local/
> squid/etc/ssl_cert/myCA.pem
> 

FYI: with cert= and key= pointing at the same file you do not need the
key= option.


> ##
> 
> I’m wondering if this problem is a bug, my proxy config issue, or the
> client does not send the correct TLS parameters.
> thanks for your help in advance.
> 

The problem is most likely the client.

If the session ID actually was negotiated previously with this Squid
there may be shared-memory issues on your machine. Even with only one
worker this cache uses SMP functionality.

If you only just started this Squid, the session may have been
negotiated with the origin or a previous Squid instance. In that case it
is normal to get at least a few of these until they time out and/or get
renegotiated.


Amos


Re: [squid-users] Https inception gives 503 error

2019-12-08 Thread Amos Jeffries
On 9/12/19 12:38 am, mandev wrote:
> Thank you for the reply. I have been using squidguard for a long time. Maybe it is time
> to change, or to start writing a new one with the community. Thanks for the help. 
> 

There is ufdbguard.

But the fundamental thing is that you cannot respond to a TCP SYN packet
or TLS ClientHello handshake with an HTML web page. That is essentially
what your redirector is telling Squid to do.

Amos


Re: [squid-users] Https inception gives 503 error

2019-12-08 Thread mandev
Thank you for the reply. I have been using squidguard for a long time. Maybe it is time
to change, or to start writing a new one with the community. Thanks for the help. 





Re: [squid-users] Https inception gives 503 error

2019-12-08 Thread Amos Jeffries
On 8/12/19 8:35 pm, mandev wrote:
> Hi,
> 
> I am using pfSense with squid and squidguard for web filtering without
> client-side certificate installation. I did manage to block pages and get mostly
> error-free internet traffic. But the last thing I cannot get to work: I want
> to redirect users to a block page. I did this with http but cannot do
> it with https. 

You cannot redirect a CONNECT transaction. It is a request to open a tunnel.

If you wish to continue using the very obsolete and unmaintained
squidguard tool you will need to add this to your squid.conf:

 url_rewrite_access deny CONNECT


To do anything like send error pages to users with intercepted HTTPS
traffic requires SSL-Bump to decrypt the tunnel contents first.

Amos
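To make the two answers above concrete (a CONNECT tunnel request cannot be answered with a redirect or an HTML page, and an error page for intercepted HTTPS is only possible once SSL-Bump has decrypted the tunnel), here is an added squid.conf fragment. It is not from this thread and not from the Squid or pfSense projects. The port 3130 and the myCA.pem path are taken from the thread; the squidGuard path, the ssl_db cache path and the example.com domain are assumptions. Directive details should be checked against the documentation of the Squid release in use.

```conf
# Added illustrative squid.conf fragment (example, not from the thread).
# Assumed: squidGuard path, ssl_db path, the example.com domain.

# "CONNECT" is predefined in the default squid.conf; repeated for clarity.
acl CONNECT method CONNECT

# Keep a legacy URL redirector away from CONNECT requests. A tunnel
# request cannot be redirected, so a rewrite answer there produces
# errors (the 503 seen in this thread) instead of a block page.
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_access deny CONNECT
url_rewrite_access allow all

# Intercepted HTTPS with SSL-Bump. cert= points at a file that holds both
# the CA certificate and its private key, so no separate key= is needed.
https_port 3130 intercept ssl-bump \
    cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen \
    -s /var/cache/squid/ssl_db -M 4MB

# Peek at the ClientHello to learn the SNI, then bump only the domains
# that should get a block page; splice everything else so it stays
# end-to-end encrypted between client and origin.
acl step1 at_step SslBump1
acl blocked_sites ssl::server_name .example.com
ssl_bump peek step1
ssl_bump bump blocked_sites
ssl_bump splice all

# Once the tunnel is bumped the decrypted request can be denied and
# answered with an error page like any plain HTTP request. The client
# only renders it without a certificate warning if it trusts myCA.
http_access deny blocked_sites
deny_info ERR_ACCESS_DENIED blocked_sites
```

Splicing by default and bumping only the blocked names keeps the decrypted surface small: every bumped connection is a man-in-the-middle by the proxy's own CA, so limit it to where the block page is actually needed. Clients that do not trust myCA, as in the thread's no-certificate setup, will still see a TLS certificate error rather than the page.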


Re: [squid-users] Https inspection gives 503 error

2019-12-08 Thread mandev
Thank you for the reply. Is it not possible with squid, or technically, because
FortiGate can do this? If you look at the logs that I wrote in the first message, it
looks like there is an error in the redirects. It tries to redirect to an 'http'
address, and there is no address like 'http'.


