[squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-24 Thread russel0901
I am having a problem with my Squid proxy.

These settings are allow-all, but I can't visit sites like bancnetonline, rcbc,
philhealth (government and bank sites).

Sometimes they can be visited, sometimes not... (weird???)

Please help, thank you.


Here is my squid conf...

max_filedesc 4096
request_header_access X-Forwarded-For allow all
via off
httpd_suppress_version_string on

http_port 
icp_port 3535

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 5480 KB
cache_dir ufs /home/squidcache 6000 16 256
#cache_dir ufs /home/squidcache2 6000 16 256
cache_access_log /home/squidcache/access.log
cache_log /dev/null
cache_store_log none
ftp_user sq...@mds.com.sg
dns_defnames on
request_body_max_size 1 MB
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
negative_ttl 1 minute
negative_dns_ttl 5 minute
connect_timeout 60 minute
read_timeout 5 minute
request_timeout 60 second
client_lifetime 4 hour
half_closed_clients off
pconn_timeout 240 second
shutdown_lifetime 5 second
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method purge
acl manager proto cache_object
acl apache src 10.20.0.245

acl QUERY urlpath_regex -i owa
acl QUERY2 urlpath_regex cgi-bin \?
acl QUERY3 urlpath_regex -i php
acl dontcache dstdomain "/etc/squid/dontcache"
no_cache deny QUERY
no_cache deny QUERY2
no_cache deny QUERY3
always_direct allow dontcache


#allowed sites
acl blockedsites dstdomain "/etc/squid/blockedsites"
acl allowedsites dstdomain "/etc/squid/authorizedsites"
acl tahiti src 172.16.20.254/32
acl elmo src 10.20.0.254/32
acl mnlnet2 src "/etc/squid/authorized"


http_access allow dontcache
http_access allow manager apache
http_access allow all
http_access allow elmo
#http_access allow localhost
#http_access allow purge localhost
#http_access allow manager localhost
http_access allow mnlnet2
http_access allow tahiti
http_access deny !Safe_ports
#http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny purge
http_access deny blockedsites


#icp_access  allow  localhost
icp_access allow all
icp_access allow elmo
icp_access allow tahiti
icp_access allow mnlnet2
miss_access allow all

cache_mgr xx

cache_effective_user squid
cache_effective_group squid
visible_hostname xx
append_domain .globalsources.com
memory_pools off
log_icp_queries off
client_db off

check_hostnames off



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] failing https requests

2020-04-24 Thread Amos Jeffries
On 25/04/20 3:46 am, Adam Weremczuk wrote:
> Hi all,
> 
> I run squid-3.5.27_3 on pfSense 2.4.4 as well as in house Sugar CRM server.
> 
> Recently Sugar license validation and updates checks made to
> https://updates.sugarcrm.com/heartbeat/soap.php started failing (no
> changes made at our end).
> 
> In squid logs requests only produce 2 lines:
> 
> 1587737506.670  0 192.168.5.30 TAG_NONE/400 4360 NONE
> error:invalid-request - HIER_NONE/- text/html
> 1587737506.978    301 192.168.5.30 TCP_MISS/301 464 POST
> http://updates.sugarcrm.com/heartbeat/soap.php -
> HIER_DIRECT/54.177.58.238 text/html
> 
> It looks like client error followed by a redirection to http.
> 
> Direct requests (no web proxy) as well as telnet, wget and curl work fine.
> 
> Could somebody explain what exactly the errors mean and why the requests
> fail?
> 

It means the client delivered some bytes which do not in any way conform
to HTTP request syntax. Not even similar.

The best thing to do is to get a full-packet capture and investigate
with wireshark what is going on.


Amos
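As an added example (not part of the original messages): a Python script that pulls `TAG_NONE/400 ... error:invalid-request` entries out of a native-format access.log and pairs each with what the same client sent next, which narrows down the client and time window for the packet capture suggested above. The sample log is constructed from the two entries quoted in the thread plus two made-up ones; the function names and the 2-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log format: the two entries
# quoted in the thread (unwrapped) plus two made-up entries for contrast.
SAMPLE_LOG = """\
1587737506.670      0 192.168.5.30 TAG_NONE/400 4360 NONE error:invalid-request - HIER_NONE/- text/html
1587737506.978    301 192.168.5.30 TCP_MISS/301 464 POST http://updates.sugarcrm.com/heartbeat/soap.php - HIER_DIRECT/54.177.58.238 text/html
1587737510.120     45 192.168.5.31 TCP_MISS/200 1200 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1587737600.000      0 192.168.5.32 TAG_NONE/400 4360 NONE error:invalid-request - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed native-format line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            yield rec

def unparsable_requests(log_text, window=2.0):
    """Pair each error:invalid-request entry (bytes Squid could not parse as
    HTTP) with the same client's next parsed request within `window` seconds."""
    by_client = defaultdict(list)
    for rec in parse(log_text):
        by_client[rec["client"]].append(rec)
    findings = []
    for recs in by_client.values():
        for i, rec in enumerate(recs):
            if rec["url"] != "error:invalid-request" or rec["method"] != "NONE":
                continue
            nxt = recs[i + 1] if i + 1 < len(recs) else None
            if nxt and (nxt["method"] == "NONE" or nxt["ts"] - rec["ts"] > window):
                nxt = None  # no usable follow-up request inside the window
            findings.append((rec, nxt))
    return findings

if __name__ == "__main__":
    for bad, nxt in unparsable_requests(SAMPLE_LOG):
        after = f"{nxt['method']} {nxt['url']} -> {nxt['status']}" if nxt else "no follow-up"
        print(f"{bad['client']} sent unparsable bytes at {bad['ts']}; then: {after}")
```
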


[squid-users] failing https requests

2020-04-24 Thread Adam Weremczuk

Hi all,

I run squid-3.5.27_3 on pfSense 2.4.4 as well as an in-house Sugar CRM server.

Recently Sugar license validation and updates checks made to 
https://updates.sugarcrm.com/heartbeat/soap.php started failing (no 
changes made at our end).


In squid logs requests only produce 2 lines:

1587737506.670  0 192.168.5.30 TAG_NONE/400 4360 NONE error:invalid-request - HIER_NONE/- text/html
1587737506.978    301 192.168.5.30 TCP_MISS/301 464 POST http://updates.sugarcrm.com/heartbeat/soap.php - HIER_DIRECT/54.177.58.238 text/html


It looks like a client error followed by a redirection to http.

Direct requests (no web proxy) as well as telnet, wget and curl work fine.

Could somebody explain what exactly the errors mean and why the requests 
fail?


Thanks,
Adam




Re: [squid-users] tproxy sslbump and user authentication

2020-04-24 Thread Vieri

On Tuesday, April 21, 2020, 2:41:02 PM GMT+2, Matus UHLAR - fantomas 
 wrote: 

>>On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries 
>> wrote:
>>>
>>> Please see the FAQ:
>>> 
>>>
>>> Why bother with the second proxy at all? The explicit proxy has access
>>> to all the details the interception one does (and more - such as
>>> credentials). It should be able to do all filtering necessary.
>
> On 21.04.20 12:33, Vieri wrote:
>>Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with 
>>ICAP + squidclamav, for instance?
>
> yes.
>
>>Simply put, will I be able to block, eg. 
>> https://secure.eicar.org/eicarcom2.zip not by mimetype, file extension,
>> url matching, etc., but by analyzing its content with clamav via ICAP?
>
> without bumping, you won't be able to block by anything, only by 
> secure.eicar.org hostname.

Hi,

I'm not sure I understand how that should be configured.

I whipped up a test instance with the configuration I'm showing below.

My browser can authenticate via kerberos and access several web sites (http & 
https) if I explicitly set it to proxy everything to squid10.mydomain.org on 
port 3228.
However, icap/clamav filtering is "not working" for either http or https.
My cache log shows a lot of messages regarding "icap" when I try to download an 
eicar test file. So something is triggered, but before sending a huge log to 
the mailing list, what should I be looking for exactly, or is there a specific 
loglevel I should set?

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

pid_filename /run/squid.testexplicit.pid
access_log daemon:/var/log/squid/access.test.log squid
cache_log /var/log/squid/cache.test.log

acl explicit myportname 3227
acl explicitbump myportname 3228
acl interceptedssl myportname 3229

http_port 3227
# http_port 3228 tproxy
http_port 3228 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db_test -M 16MB
sslcrtd_children 40 startup=20 idle=10

cache_dir diskd /var/cache/squid.test 32 16 256

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/squid10.mydomain.org@MYREALNAME
auth_param negotiate children 60
auth_param negotiate keep_alive on

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl localnet src 172.16.0.1
acl localnet src fc00::/7

acl ORG_all proxy_auth REQUIRED

http_access deny explicit !ORG_all
#http_access deny explicit SSL_ports
http_access deny explicitbump !localnet
http_access deny explicitbump !ORG_all
http_access deny interceptedssl !localnet
http_access deny interceptedssl !ORG_all

http_access allow CONNECT interceptedssl SSL_ports

http_access allow localnet
http_reply_access allow localnet

http_access allow ORG_all

debug_options rotate=1 ALL,9
# debug_options rotate=1 ALL,1

append_domain .mydomain.org

ssl_bump stare all
ssl_bump bump all

http_access allow localhost

http_access deny all

coredump_dir /var/cache/squid

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
icap_service_failure_limit -1
icap_persistent_connections off


--
Vieri


[squid-users] Ubuntu 18 LTS repository for Squid 4.11 (rebuilt with sslbump support from sources in Debian unstable)

2020-04-24 Thread Rafael Akchurin
Hello everyone,

The online repository with latest Squid 4.11 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid411.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation. Scripts for Ubuntu 16 are also available in that 
repo.
We plan to add Ubuntu 20 in the near future too.

Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid411.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid411.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient

Hope you will find this useful. Note that older repo of squid410.diladele.com 
will be taken down in 1 year.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 4.11 will be part of upcoming Web Safety 7.4 planned for release 
in early June, this version has some improvements in the report generation 
module and support for delay pools per policy. It is now very easy to restrict 
bandwidth usage by Active Directory groups directly from Admin UI. Download the 
latest virtual appliance from https://docs.diladele.com/index.html