Re: [squid-users] deny_info redirect with URL placeholder

2019-12-09 Thread Amos Jeffries
On 9/12/19 8:49 pm, Vieri Di Paola wrote:
> Hi,
> 
> Is there a way to add a URL variable name to a deny_info 302
> configuration directive?
> 

 or as I showed
earlier with logformat codes. Though sorry that does require a later
Squid version than the one you have.


> Suppose I have the following:
> 
> external_acl_type location_rewriter ttl=86400 negative_ttl=86400
> children-max=80 children-startup=10 children-idle=3 concurrency=8
> % acl bad_Location external location_rewriter
> deny_info 302:URL_FROM_LOCATION_REWRITER bad_Location
> acl 302 http_status 302
> http_reply_access deny 302 bad_Location
> 
> How can I dynamically replace URL_FROM_LOCATION_REWRITER with the URL
> redirection value produced by the helper script /my/rewrite_helper.pl?
> Could it be possible to refer to the values of "message=" or "tag="
> depending on the result output of the helper script?

Not in Squid-3. The tag= is not supported by the deny_info template
codes. Only the message= can be used.


> How could I refer to these values in the deny_info 302:%* line?

 deny_info 302:https:%o bad_Location

This should do it for Squid-3 (and avoids the config parser bug). You
just have to have the helper produce the URL (without the "https:"
scheme name) as its message= value.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] deny_info redirect with URL placeholder

2019-12-09 Thread Vieri Di Paola
On Mon, Dec 9, 2019 at 10:04 AM Amos Jeffries wrote:
>
> > Is there a way to add a URL variable name to a deny_info 302
> > configuration directive?
> >
>
>  or as I showed
> earlier with logformat codes. Though sorry that does require a later
> Squid version that the one you have.

I set up a test server with the latest stable Squid release:

2019/12/09 10:17:43| FATAL: status 302 requires a URL on
'302:%note{location-rewrite}'
2019/12/09 10:17:43| FATAL: Bungled /etc/squid/squid.aida.include line
60: deny_info 302:%note{location-rewrite} bad_Location
2019/12/09 10:17:43| Squid Cache (Version 4.9): Terminated abnormally.

This is the offending configuration line:

deny_info 302:%note{location-rewrite} bad_Location

Is the syntax OK?

Vieri


Re: [squid-users] deny_info redirect with URL placeholder

2019-12-09 Thread Vieri Di Paola
On Mon, Dec 9, 2019 at 10:04 AM Amos Jeffries wrote:
>
> > How could I refer to these values in the deny_info 302:%* line?
>
>  deny_info 302:https:%o bad_Location
>
> This should do it for Squid-3 (and avoids the config parser bug). You
> just have to have the helper produce the URL (without the "https:"
> scheme name) as its message= value.

Almost, but still not there yet.
All "/" chars are translated to %2f, as in:
https://%2f%2fserver%2fpath...
I guess I need to encode the string somehow.
The helper script is in perl and it looks something like this:

use strict;
use warnings;
$| = 1;   # unbuffered stdout: Squid waits for each reply line

while (<STDIN>) {
    chomp;
    my $string = $_;
    # concurrency=N request format: "<channel-id> <argument>"
    $string =~ m/^([0-9]+)\s(\S+)$/;
    my ($cid, $uri_location) = ($1, $2);
    # [...]
    my $status = $cid." OK message=\"".$uri_location."\"";
    print $status."\n";
}

Any ideas?

Vieri
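One way to implement the helper side of this exchange, written here as an added example in Python rather than the poster's Perl (it is not code from the thread or from the Squid project): it parses the concurrent-channel request line, strips the scheme name as Amos suggested, and quotes the message= value the way the helper protocol expects. The external_acl_type line, the %<h{Location} format code and the helper path are assumptions; the example does not change the %2f encoding that Squid applies when it substitutes %o, which is the behaviour this message reports.

```python
#!/usr/bin/env python3
"""Concurrent external_acl_type helper that rewrites a Location header.

Added example (not the list poster's Perl script). Assumes a hypothetical
squid.conf line of the form
    external_acl_type location_rewriter concurrency=8 ... %<h{Location} /path/to/helper.py
so each request line is "<channel-id> <Location-value>" and every reply must
start with the same channel id.
"""
import re
import sys
from typing import Optional
from urllib.parse import urlsplit

# "<channel-id> <single argument>"; an absent header typically arrives as "-"
REQUEST_RE = re.compile(r'^(\d+)\s+(\S+)\s*$')


def quote_value(value: str) -> str:
    """Quote a key=value payload the way the helper protocol expects:
    double quotes around the value, backslash-escaping '\\' and '"'."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return '"' + escaped + '"'


def strip_scheme(url: str) -> Optional[str]:
    """Return the Location without its scheme name ('//host/path?q'), or None
    when it is not an absolute http(s) URL. This follows the advice in the
    thread to have the helper emit the URL without the 'https:' prefix."""
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return None
    return url[len(parts.scheme) + 1:]


def handle_line(line: str) -> str:
    """Build one reply line for one request line."""
    match = REQUEST_RE.match(line)
    if match is None:
        # Malformed line: report a helper failure, keeping whatever leading
        # channel id we can recover so Squid does not mis-pair the reply.
        cid = line.split(None, 1)[0] if line.strip() else ''
        prefix = f'{cid} ' if cid.isdigit() else ''
        return f'{prefix}BH message={quote_value("malformed request line")}'
    cid, location = match.groups()
    rewritten = strip_scheme(location)
    if rewritten is None:
        # No usable Location: the ACL does not match, the reply passes unchanged
        return f'{cid} ERR'
    return f'{cid} OK message={quote_value(rewritten)}'


def main() -> None:
    # Flush after every reply: Squid waits for it before reusing the channel
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw.rstrip('\r\n')) + '\n')
        sys.stdout.flush()


if __name__ == '__main__':
    main()
```

Running it by hand and typing `3 https://server/path?x=1` returns `3 OK message="//server/path?x=1"`, while `7 -` (no Location header) returns `7 ERR` so the original 302 is left alone.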


Re: [squid-users] http://www1.ngtech.co.il/ - Down?

2019-12-09 Thread Rudi Kramer
Still no word on this issue?

On Wed, 4 Dec 2019 at 08:17, Rudi Kramer wrote:

> Hello,
>
> As far as I can tell, http://www1.ngtech.co.il/ is down at the moment.
>
> Any word on how long this will be?
>
> Thanks
> Rudi
>


Re: [squid-users] http://www1.ngtech.co.il/ - Down?

2019-12-09 Thread Rafał Stanilewicz
The mirror on
http://linuxsoft.cern.ch/mirror/www1.ngtech.co.il/repo/ still works.

HtH

On Mon, 9 Dec 2019 at 10:42, Rudi Kramer wrote:
>
> Still no word on this issue?
>
> On Wed, 4 Dec 2019 at 08:17, Rudi Kramer wrote:
>>
>> Hello,
>>
>> As far as I can tell, http://www1.ngtech.co.il/ is down at the moment.
>>
>> Any word on how long this will be?
>>
>> Thanks
>> Rudi
>



-- 
Before you print, think about the environment.


Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread Alex Rousskov
On 12/8/19 1:53 AM, George Sheng wrote:

> From the debug I can also see the proxy connects towards the remote
> server, and the proxy has negotiated fine with the server. The proxy
> receives 3 certificates from the server,
> and verification was fine to the server. But when the proxy is trying to
> proceed with client negotiation, I got this error:

> 2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(362)
> get_session_cb: Failed to retrieve SSL_SESSION from cache

As Amos has said, this failure to find a cached session is not an error
in itself. It is a cache miss. Look for problems after this log line.


> On Alpine Linux, using wget with https, I got the error message ssl_client:
> handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3
> alert handshake failure

OK.


> (on the proxy log, it is the same thing, can not
> somehow retrieve the ssl session, probably due to some TLS mismatch)

What happens on Squid side _after_ the TLS session is not found in the
cache?

Alex.


[squid-users] deny_info redirect with URL placeholder

2019-12-09 Thread Vieri Di Paola
Is there a way to tell squid to treat %o as-is in deny_info?

In Apache2 with mod_proxy ProxyPass directives, I require to write a
config directive such as:

Header edit Location "(^http[s]?://)([^/]+)" ""

Using %note or %o in squid 4.x or 3.x would be fine, but both have
issues. The config parser in 4.x still complains that a complete URI
is required for deny_info 302.

Still in 4.x, even if I trick it into using this:

deny_info 302:https://%note{location-rewrite} bad_Location

and the helper script outputs something like:

OK location-rewrite="domain without leading protocol://"

I still get the wrong result in the client browser which is literally
trying to connect to https://%note{location-rewrite} (no variable
expansion).

Any thoughts?

Vieri


[squid-users] one site not working

2019-12-09 Thread simon ben

Dear All,

I am using Squid version 3.5.2 on CentOS 7 64 bit and it's working fine with no
issue, but recently got a complaint from one user saying that the below site is
not opening... just says page cannot be displayed

https://my.esri.com

but if I use a machine without squid it's working fine

the access log is showing me as below

1575869460.673   6034 172.16.2.175 TCP_TUNNEL/200 0 CONNECT my.esri.com:443 - HIER_DIRECT/34.210.189.55 -
1575869461.235    559 172.16.2.175 TCP_TUNNEL/200 0 CONNECT my.esri.com:443 - HIER_DIRECT/34.210.189.55 -
1575869461.801    562 172.16.2.175 TCP_TUNNEL/200 0 CONNECT my.esri.com:443 - HIER_DIRECT/34.210.189.55 -
1575869462.096    291 172.16.2.175 TCP_TUNNEL/200 0 CONNECT my.esri.com:443 - HIER_DIRECT/34.210.189.55 -

I tried to google around and found that the IPv4 preference has to be enabled
for DNS so I did the below in squid config

dns_v4_first on

but no luck

appreciate your help and advice

thanks and regards

simon



Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread GeorgeShen

Hi Alex,

this time I tried a little differently. This is the log from getting the server
certs to closing the SSL with error, and at the end it is also saying
security_file_certgen crashes rapidly!!!

below the output of log
thanks.
- George


geyBC5spVGniTZ9g4/4EALHmrmP0d4vcbw0FJugljU7jWmdiUQEpoZZCovZY+lyX
IGRmShEZ6Enq77nr6xgMpW080lJojSBBE0bG7tJj8sUeU03xVyHJZJ4cNX7VD/Dn
g0KNg0PA4UvJLMoKal8UqHzxNXjZZ778O7mOOyvdHfkHgUsFdp9a25/nzduUFQ4R
8faCm0U26P8C
-END CERTIFICATE-

2019/12/09 09:39:32.243 kid1| 83,5| helper.cc(136) Submit: request from
0x256a4a8 as crtGenRq12500/1
2019/12/09 09:39:32.243 kid1| 84,5| helper.cc(1247) GetFirstAvailable:
GetFirstAvailable: Running servers 5
2019/12/09 09:39:32.243 kid1| 5,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
helperDispatchWriteDone constructed, this=0x2557fe0 [call2906]
2019/12/09 09:39:32.243 kid1| 5,5| Write.cc(35) Write: local=[::]
remote=[::] FD 10 flags=1: sz 5266: asynCall 0x2557fe0*1
2019/12/09 09:39:32.243 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 10,
type=2, handler=1, client_data=0x2091e30, timeout=0
2019/12/09 09:39:32.243 kid1| 84,5| helper.cc(1379) helperDispatch:
helperDispatch: Request sent to
/usr/local/squid/libexec/security_file_certgen -s
/usr/local/squid/var/logs/ssl_db -M 4MB #Hlpr1, 5266 bytes
2019/12/09 09:39:32.243 kid1| 17,4| AsyncJob.cc(154) callEnd: Http1::Server
status out: [ job203]
2019/12/09 09:39:32.243 kid1| 17,4| AsyncCallQueue.cc(57) fireNext: leaving
ConnStateData::ConnStateData::httpsPeeked(local=192.168.1.35:46896
remote=X.Y.82.162:443 FD 15 flags=1, request=0x20fb630*3)
2019/12/09 09:39:32.243 kid1| 93,5| AsyncCallQueue.cc(55) fireNext: entering
Initiate::noteInitiatorAborted()
2019/12/09 09:39:32.243 kid1| 93,5| AsyncCall.cc(38) make: make call
Initiate::noteInitiatorAborted [call2905]
2019/12/09 09:39:32.243 kid1| 93,5| AsyncCall.cc(56) cancel: will not call
Initiate::noteInitiatorAborted [call2905] because job gone
2019/12/09 09:39:32.243 kid1| 93,5| AsyncCall.cc(48) make: will not call
Initiate::noteInitiatorAborted [call2905] because of job gone
2019/12/09 09:39:32.243 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving
Initiate::noteInitiatorAborted()
2019/12/09 09:39:32.243 kid1| 50,3| ModDaemon.cc(110) logfileHandleWrite:
daemon:/usr/local/squid/var/logs/access.log: write returned 106
2019/12/09 09:39:32.243 kid1| 5,5| Write.cc(66) HandleWrite: local=[::]
remote=[::] FD 10 flags=1: off 0, sz 5266.
2019/12/09 09:39:32.243 kid1| 5,5| Write.cc(108) HandleWrite: write()
returns 5266
2019/12/09 09:39:32.243 kid1| 5,3| IoCallback.cc(116) finish: called for
local=[::] remote=[::] FD 10 flags=1 (0, 0)
2019/12/09 09:39:32.243 kid1| 5,5| AsyncCall.cc(93) ScheduleCall:
IoCallback.cc(135) will call helperDispatchWriteDone(local=[::] remote=[::]
FD 10 flags=1, data=0x20b4b18, size=5266, buf=0x20ea960) [call2906]
2019/12/09 09:39:32.243 kid1| 5,5| AsyncCallQueue.cc(55) fireNext: entering
helperDispatchWriteDone(local=[::] remote=[::] FD 10 flags=1,
data=0x20b4b18, size=5266, buf=0x20ea960)
2019/12/09 09:39:32.243 kid1| 5,5| AsyncCall.cc(38) make: make call
helperDispatchWriteDone [call2906]
2019/12/09 09:39:32.243 kid1| 5,5| AsyncCallQueue.cc(57) fireNext: leaving
helperDispatchWriteDone(local=[::] remote=[::] FD 10 flags=1,
data=0x20b4b18, size=5266, buf=0x20ea960)
2019/12/09 09:39:32.243 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 20,
type=2, handler=0, client_data=0, timeout=0
2019/12/09 09:39:32.243 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 10,
type=2, handler=0, client_data=0, timeout=0
2019/12/09 09:39:32.244 kid1| 5,3| Read.cc(145) HandleRead: FD 10, size
32767, retval 3401, errno 0
2019/12/09 09:39:32.244 kid1| 5,3| IoCallback.cc(116) finish: called for
local=[::] remote=[::] FD 10 flags=1 (0, 0)
2019/12/09 09:39:32.244 kid1| 5,4| AsyncCall.cc(93) ScheduleCall:
IoCallback.cc(135) will call helperHandleRead(local=[::] remote=[::] FD 10
flags=1, data=0x20b4b18, size=3401, buf=0x20b4d40) [call2841]
2019/12/09 09:39:32.244 kid1| 5,4| AsyncCallQueue.cc(55) fireNext: entering
helperHandleRead(local=[::] remote=[::] FD 10 flags=1, data=0x20b4b18,
size=3401, buf=0x20b4d40)
2019/12/09 09:39:32.244 kid1| 5,4| AsyncCall.cc(38) make: make call
helperHandleRead [call2841]
2019/12/09 09:39:32.244 kid1| 84,5| helper.cc(963) helperHandleRead:
helperHandleRead: 3401 bytes from
/usr/local/squid/libexec/security_file_certgen -s
/usr/local/squid/var/logs/ssl_db -M 4MB #Hlpr1
2019/12/09 09:39:32.244 kid1| 84,3| helper.cc(991) helperHandleRead:
helperHandleRead: end of reply found
2019/12/09 09:39:32.244 kid1| 84,3| Reply.cc(41) finalize: Parsing helper
buffer
2019/12/09 09:39:32.244 kid1| 84,3| Reply.cc(59) finalize: Buff length is
larger than 2
2019/12/09 09:39:32.244 kid1| 84,3| Reply.cc(63) finalize: helper Result =
OK
2019/12/09 09:39:32.244 kid1| 83,5| helper.cc(158) HandleGeneratorReply: to
0x256a4a8 in crtGenRq12500/1
2019/12/09 09:39:32.244 kid1| 33,5| client_side.cc(2870) sslCrtdHandleReply:
Certificate for X.Y.82.162 was successfully r

[squid-users] Security concerns with using squidclient from a host separate from the server

2019-12-09 Thread Tom Karches
Are there any security concerns with running squidclient anywhere except on
the local host? I have been told that squidclient "exposes a lot of data".
Is that because transactions are passed over an insecure connection? If so,
is there a workaround that solves this problem?

Tom

-- 
Thomas Karches
NCSU OIT CSI - Systems Specialist
M.E Student - Technology Education
Hillsborough 319 / 919.515.5508




Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread GeorgeShen

I'm wondering if this issue reported last year is fixed:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-4-security-file-certgen-helpers-crashing-td4687098.html

or is there a work around.
thanks.

- George





Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread Amos Jeffries
On 10/12/19 6:46 pm, GeorgeShen wrote:
> 
> I'm wondering if this issue reported last year is fixed:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-4-security-file-certgen-helpers-crashing-td4687098.html
> 

That question implies that you are not using the latest Squid release,
or you already have the answer. When using SSL-Bump features (cert
generation being one) it is best to follow the updates.


Amos


Re: [squid-users] Security concerns with using squidclient from a host separate from the server

2019-12-09 Thread Amos Jeffries
On 10/12/19 9:08 am, Tom Karches wrote:
> Are there any security concerns with running squidclient anywhere except
> on the local host?

No more than with any HTTP software. Less than some.


> I have been told that squidclient "exposes a lot of
> data". Is that because transactions are passed over an insecure
> connection? If so, is there a workaround that solves this problem?
> 

Depends on what you consider exposure. Of what? to whom? and how?

squidclient prints the HTTP response headers and payload to its stdout.
How that info was received is up to the server/proxy being connected to.

Amos


Re: [squid-users] one site not working

2019-12-09 Thread Amos Jeffries
On 10/12/19 5:52 am, simon ben wrote:
> Dear All,
> 
>  
> 
> I am using Squid version 3.5.2 on Centos  7 64 bit and its working fine
> with no issue but recently got a complain from one user saying that the
> below site Is not opening..  just says page cannot be displayed
> 

That would be one issue. Likely many others you are just not noticing.

Please upgrade. v3.5.2 is over 5 years old and obsolete. Current Squid
release is v4.9.


 
> 
> 1575869460.673   6034 172.16.2.175 TCP_TUNNEL/200 0 CONNECT
> my.esri.com:443  - HIER_DIRECT/34.210.189.55
>  -
> 
> 1575869461.235    559 172.16.2.175 TCP_TUNNEL/200 0 CONNECT
> my.esri.com:443  - HIER_DIRECT/34.210.189.55
>  -
> 
> 1575869461.801    562 172.16.2.175 TCP_TUNNEL/200 0 CONNECT
> my.esri.com:443  - HIER_DIRECT/34.210.189.55
>  -
> 
> 1575869462.096    291 172.16.2.175 TCP_TUNNEL/200 0 CONNECT
> my.esri.com:443  - HIER_DIRECT/34.210.189.55
>  –
> 
>  
> 
>  
> 
> I tried to google around and found that the the ip4 prefrence has to
> enabled for DNS so I did the below in squid config
> 

No it does not. Your proxy is already connecting the tunnel to that
site's IPv4 address.


Amos