[squid-users] websockets through Squid

2020-10-12 Thread Vieri
I'm compiling on a Gentoo Linux system the tarball taken from 
http://www.squid-cache.org/Versions/v5/squid-5.0.4.tar.gz.

The build log (failed) is here (notice the call to make -j1):

https://drive.google.com/file/d/1no0uV3Ti1ILZavAaiOyFIY9W0eLRv87q/view?usp=sharing

If I build from git f4ade36 all's well:

https://drive.google.com/file/d/1y-3wlDT_OrwSp7epvDq63xpkYv8gu9Pq/view?usp=sharing

So now I'm just going to have to spot the difference.

Thanks,

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] How to configure squid to not cache

2020-10-12 Thread Ronan Lucio
I'm sorry. My bad.
Just found it

On Tue, Oct 13, 2020 at 8:20 AM Ronan Lucio wrote:
>
> Hi,
> I'd like to configure squid for proxy only, no caching any content.
>
> Looking at squid docs, it instructs to use "cache deny all", but I
> didn't find this option for Squid-4:
> http://www.squid-cache.org/Versions/v4/cfgman/
>
> I didn't set any cache_dir directive, but I'm still wondering about cache_mem.
>
> Any help would be appreciated,
> Ronan


[squid-users] How to configure squid to not cache

2020-10-12 Thread Ronan Lucio
Hi,
I'd like to configure squid for proxy only, no caching any content.

Looking at squid docs, it instructs to use "cache deny all", but I
didn't find this option for Squid-4:
http://www.squid-cache.org/Versions/v4/cfgman/

I didn't set any cache_dir directive, but I'm still wondering about cache_mem.

Any help would be appreciated,
Ronan


Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-12 Thread Eliezer Croitor
Hey Dixit,

Have you seen the next bug report:
https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4

Alex/Amos: I assume that this specific issue deserves a DEBUG which will describe and relate to this BUG:5067 report.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: DIXIT Ankit
Sent: Friday, September 25, 2020 4:22 PM
To: Eliezer Croitor; 'Squid Users'
Subject: RE: SSL issue on Squid version 4 after blacklisting

Eliezer/Team,

Any help would be appreciated.

Regards,
Ankit Dixit | IS Cloud Team
Eurostar International Ltd
Times House | Bravingtons Walk | London N1 9AW
Office: +44 (0)207 84 35550 (Extension 35530)

From: DIXIT Ankit
Sent: Tuesday, September 15, 2020 1:24 PM
To: Eliezer Croitor; 'Squid Users'
Subject: SSL issue on Squid version 4 after blacklisting

Subject changed

Eliezer/Team,

Connecting with you again after we upgraded to Squid version 4.

We have blacklisted the domain categories on Squid Proxy, but we are getting the below exception in cache.log and due to this internet is not flowing from client servers via squid.
This blacklist category has thousands of blacklisted domains.

kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer

Is there any specific ssl certificate we need to configure? Or any other issue you see here?

Regards,
Ankit Dixit | IS Cloud Team

From: DIXIT Ankit
Sent: Monday, July 6, 2020 8:50 AM
To: Eliezer Croitor; 'Squid Users'
Subject: RE: [squid-users] Squid memory consumption problem

Eliezer,

SSL was failing for a few applications but was working fine for other applications. So we reverted back to the old version.

I am not sure what ssl certificate dependency was there.

Would be great if you can suggest memory leak solutions in the 3.12 version.

Regards,
Ankit Dixit | IS Cloud Team

From: Eliezer Croitor
Sent: Sunday, July 5, 2020 5:58 PM
To: DIXIT Ankit; 'Squid Users'
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

Hey,

What happened with this issue?
I am waiting for any input about this issue to understand with what I can try to help.

Eliezer

From: DIXIT Ankit
Sent: Tuesday, June 30, 2020 12:35 PM
To: Eliezer Croitoru; Squid Users
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

For your information, we have added the below configurations but again the same issue.

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Regards,
Ankit Dixit | IS Cloud Team

From: DIXIT Ankit
Sent: Tuesday, June 30, 2020 10:25 AM
To: Eliezer Croitoru; Squid Users
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

Eliezer,

Clients are facing some SSL related issues after the upgrade. I could see the below error. Please suggest, it's a little urgent.

quid[6706]: Error negotiating SSL connection on FD 167: error:0001:lib(0):func(0):reason(1) (1/0)
Jun 30 09:17:38 squid[6706]: Error parsing SSL Server Hello Message on FD 77
Jun 30 09:17:38 squid[6706]: Error negotiating SSL connection on FD 75: error:0001:lib(0):func(0):reason(1) (1/0)

Regards,
Ankit Dixit | IS Cloud Team

From: Eliezer Croitoru
Sent: Tuesday, June 30, 2020 9:10 AM
To: Squid Users; DIXIT Ankit
Subject: RE: [squid-users] Squid memory consumption problem

The first thing to do is look at:
https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

It should clear couple doubts for

Re: [squid-users] sslproxy_options on squid 3.5.20

2020-10-12 Thread Eliezer Croitor
Hey Nisa,

Just wondering: if it's only a whitelist filtering proxy for TLS/SSL/443, wouldn't it be better to use a basic SNI proxy with a whitelist?

Eliezer

From: squid-users On Behalf Of Nisa Balakrishnan
Sent: Wednesday, October 7, 2020 4:23 AM
To: Amos Jeffries
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] sslproxy_options on squid 3.5.20

Thanks Amos.

I have verified that the squid build is done with an openssl that supports 1.2 but not 1.3.

I am worried that squid does not pass the flag set via options.

I am able to lock squid to tls 1.2 only with sslproxy_version.

To be a bit more clear, the squid implementation is a whitelist filtering proxy. It does not bump ssl requests. It does peek and splice on intercept.

On Tue, 6 Oct 2020 at 20:34, Amos Jeffries wrote:

On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> Hi,
> 
> I am trying to allow access for only tls versions 1.2 and above on Squid
> 3.5.20
> 

Note that "above 1.2" are not supported by that ancient version of
Squid. Your test disables everything except SSLv1 code in the library.


> For testing purposes, I have set options in squid config as follows.
> 
> ```
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> 
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> ```
> 

Support for all those options depends on the version, build options, and
global config settings of the OpenSSL library being used. They are just
flags Squid passes to the library on connection setup.


FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
to TLS since then. Please try to upgrade to current Squid-4 stable, or
for best SSL-Bump behaviour the current Squid-5 beta.

Amos


Re: [squid-users] I want to know the concerns of load testing

2020-10-12 Thread m k
>
> hello,
>
> Switching from NTLM certification to Kerberos certification.
> Sure enough, I'm in trouble.
>
> Kerberos authentication doesn't work.
> Please let me know if there is a mistake in the settings.
>
>
> SPN creation
> WINTEST(Active Directory)
> ktpass.exe /princ HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp /mapuser s139821ad...@wintest.example.co.jp /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab
>
>
> PTR record setting
> # nslookup 10.217.192.22
> 22.192.217.10.in-addr.arpa  name = c0528004l.wintest.example.co.jp.
>
>
> # klist
> Ticket cache: KCM:1001
> Default principal: lx17070028ad...@win.example.co.jp
>
> Valid starting   Expires  Service principal
> 10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co...@win.example.co.jp
> renew until 10/13/2020 02:04:04
> 10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/win.example.co...@win.example.co.jp
> renew until 10/13/2020 02:04:04
> 10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co...@win.example.co.jp
> renew until 10/13/2020 02:04:04
>
>
> config setting
> /etc/squid/squid.conf
> # Kerberos Auth
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
> http_access allow kerb-auth
>
> ---> I get a windows security pop-up in IE.
>
>
> error message
> /var/log/squid/cache.log
> 2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Service key not available; }}
>
>
> Create SPN from server
> c0528004l(CentOS8.1)
> # net ads keytab create -U s139821ad...@wintest.example.co.jp
> Warning: "kerberos method" must be set to a keytab method to use keytab functions.
> Enter s139821ad...@wintest.example.co.jp's password:
> ads_keytab_open: Invalid kerberos method set (0)
>
> ---> An error occurs and keytab cannot be created.
>
>
> Please let me know if you have any other information you need.
>
> Hi Eliezer,
>
> docker is already installed.
> We are considering a configuration of at least 6 servers.
> Whether it will be 8 or 10 has not been verified.
>
>
> thank you,
> kitamura
>
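The "Service key not available" error that gss_accept_sec_context() reports above means the keytab handed to the helper holds no key for the service principal named in the client's ticket, so the first thing to rule out is a mismatch between the -s SPN, the keytab contents and the proxy's DNS name. The script below is an added example (not code from the original post or from Squid) that performs those three checks on text captured from squid.conf, `klist -k` and a reverse lookup; the squid.conf fragment, keytab listing and hostnames are constructed placeholders, and the `klist -k` column layout is assumed to be the MIT one.

```python
# Cross-check the -s SPN of negotiate_kerberos_auth against the keytab
# principals (`klist -k` output) and the PTR name of the proxy address.
# Names below are constructed placeholders, not taken from the thread.
import re

SQUID_CONF = """\
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth \
-k /etc/squid/squid.keytab -s HTTP/proxy01.ad.example.test@ad.example.test
auth_param negotiate children 20
"""
KLIST_K = """\
KVNO Principal
---- ----------------------------------------------------------------------
   2 HTTP/proxy01.ad.example.test@AD.EXAMPLE.TEST
"""
PTR_NAME = "proxy01.ad.example.test."  # as a reverse lookup would return it

def parse_principal(text):
    """Split 'service/host@REALM' into its three parts."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", text.strip())
    if not m:
        raise ValueError(f"not a service principal: {text!r}")
    return m.groups()

def spn_from_squid_conf(conf):
    """Pull the -s argument from the auth_param negotiate program line."""
    m = re.search(r"^auth_param\s+negotiate\s+program\s.*?\s-s\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no 'auth_param negotiate program ... -s SPN' line")
    return parse_principal(m.group(1))

def principals_from_klist(output):
    """Collect principals from the KVNO/Principal rows of `klist -k`."""
    rows = re.findall(r"^\s*\d+\s+(\S+/\S+@\S+)\s*$", output, re.M)
    return [parse_principal(r) for r in rows]

def check_spn(conf, klist_output, ptr_name):
    """Return findings; an empty list means SPN, keytab and DNS agree."""
    svc, host, realm = spn_from_squid_conf(conf)
    keys = principals_from_klist(klist_output)
    findings = []
    if (svc, host, realm) not in keys:
        # Principal names are case-sensitive; flag a case-only mismatch
        # separately because it is easy to miss when comparing by eye.
        same_ci = any((svc.upper(), host.lower(), realm.upper()) ==
                      (s.upper(), h.lower(), r.upper()) for s, h, r in keys)
        findings.append("SPN differs from keytab principal only in case"
                        if same_ci else "configured SPN has no key in the keytab")
    if host.lower() != ptr_name.rstrip(".").lower():
        findings.append("SPN host does not match the PTR name of the proxy")
    return findings
```

With the constructed inputs the only finding is the lower-case realm in the -s argument; swapping in the real squid.conf, the real `klist -k /etc/squid/squid.keytab` output and the PTR name of the intercepting address gives the same three checks on a live proxy.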


Re: [squid-users] I want to know the concerns of load testing

2020-10-12 Thread Eliezer Croitor
Hey Amos,

Just wondering if someone is willing to host RPMs?
These can be built using:
https://github.com/elico/squid-docker-build-nodes

I can build the RPMs however I cannot host them.

Eliezer

* In any case 4 GB of RAM for 45k Clients on a single proxy would probably result in high SWAPPING at peak hours.

-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Friday, October 2, 2020 9:08 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] I want to know the concerns of load testing

On 2/10/20 3:15 pm, m k wrote:
> Hello,
> 
> I'm planning a proxy renewal for a company with 45k clients.
> I'm looking at the performance of a single Squid to determine the number
> of Squids.
> 
> Environment: Virtual (OpenStack)
> OS: CentOS8.1
> CPU: 4 cores
> MEM: 8GB
> DISK: SATA30GB / 100GB

See our notes on relative disk JBOD / RAID performances.



> Squid 4.4

I know it can be hard to get hold of newer packages on CentOS. Please do
try hard to upgrade to the 4.13 release for production. There have been
more than a few critical security issues fixed this past year.


>  SSL Bump
>  Blacklist: 1,700k
>  auth: NTLM

NTLM is a major performance issue. With every request needing to be sent
twice it will essentially halve the traffic your proxy can serve to clients.

I do know that Squid used to be able to handle way more RPS than Windows
DC would like to handle. So the DC may be a bottleneck there.

Negotiate/Kerberos auth is the solution to all those problems. If you
are really interested in good performance avoid NTLM.


>  cache: 4GB
> 
> In an environment with authentication disabled and SSL decoding enabled
> A load test was performed with Jmeter.
> 
> Result: CPU high load (100rps-1000rps: CPU Usage 80-90%)
> (Confirm with top command)
> 

If the proxy is not using 100% of the core(s) it is supposed to be
using, then you have not reached the capacity limits of the proxy.

What you do about that depends on whether you are trying to find
theoretical limits, or performance for a specific traffic profile.


For a specific traffic profile the measurement is likely hitting disk
I/O or network I/O limits. Double-check which it was - that is what to
change to improve performance.


For theoretical limits the same detail about I/O applies. But also to
max the proxy out fully you may need to tune the test traffic load for
either higher TCP connection concurrency, or to utilize less resource
consuming features, e.g. requests that will HIT on memory cached (small)
objects and only need simple fast-type ACL checks. Memory-only traffic
is approximately 100x faster than any involving disk I/O.

To be clear this is to find the theoretical maximum performance. You
cannot tune clients' real traffic like this.



> Added multi-core support settings to squid.conf
> "workers 4"
> 
> A load test with Jmeter was performed again.
> 
> Result: CPU load is distributed to 4 cores (CPU Usage 20-40%)
> (Confirm with top command)

See above. That 20% implies the same 80% is spread over 4 cores.


> 
> Question
> 1. How much will CPU Usage increase if NTLM authentication is enabled?

NTLM requires 2 HTTP messages to authenticate every new TCP connection.
So there will be one extra HTTP message on every set of pipelined requests.

It depends on how many requests are pipelined on each TCP connection as
to how much impact that auth overhead is.


After disk I/O capacity the CPU cycles are what limit Squid most. The
RPS achievable is capped out when all CPU cores assigned for Squid reach
100%.


> 2. Are there any concerns other than CPU Usage in Squid?

The usual bottlenecks:

 * disk I/O limits
 * Network latency (DNS in particular. In general, TCP to _everywhere_)
 * features used (CPU drains)
 * memory

The order is my own experience of service impact, YMMV


> 3. When I enabled the cache in this test, the CPU Usage decreased,
> but in general, does the Squid cache increase the CPU Usage?


In general cache should have little effect on CPU. Processing HTTP
headers is by far the major use of CPU cycles in Squid. SSL-Bump is
expected to be a close second, especially if decrypting.

In some cases it can. A large number of small cache objects can consume
many cycles CPU searching for an object. Or Range requests on very large
objects can spend a lot of cycles to generate the Range response HIT
payload.



HTH
Amos
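To put a number on the NTLM overhead Amos describes (extra HTTP messages on every new TCP connection, so the impact depends on how many requests each connection pipelines), here is an added example, not from the thread or from Squid, that counts TCP_DENIED/407 challenge responses against served requests in Squid's native access.log format; the log lines are constructed samples and the field layout assumed is the default native format.

```python
# Estimate the share of proxy traffic spent on proxy-auth challenges from a
# Squid native-format access.log. Each TCP_DENIED/407 line is a challenge
# round trip that carried no client payload, so 407s divided by all
# requests approximates the authentication overhead. The log lines below
# are constructed samples, not taken from the thread.
import re
from collections import Counter

# Native format: time elapsed client action/code bytes method URL user hier type
ACCESS_LOG = """\
1602489600.101     12 10.0.0.5 TCP_DENIED/407 3805 GET http://intranet.example.test/ - HIER_NONE/- text/html
1602489600.130     11 10.0.0.5 TCP_DENIED/407 3919 GET http://intranet.example.test/ - HIER_NONE/- text/html
1602489600.240     58 10.0.0.5 TCP_MISS/200 15211 GET http://intranet.example.test/ jdoe HIER_DIRECT/192.0.2.10 text/html
1602489600.252     31 10.0.0.5 TCP_MISS/200 8210 GET http://intranet.example.test/app.js jdoe HIER_DIRECT/192.0.2.10 application/javascript
1602489600.260     29 10.0.0.5 TCP_MEM_HIT/200 1204 GET http://intranet.example.test/logo.png jdoe HIER_NONE/- image/png
1602489601.005     10 10.0.0.9 TCP_DENIED/407 3805 GET http://portal.example.test/ - HIER_NONE/- text/html
1602489601.040     12 10.0.0.9 TCP_DENIED/407 3919 GET http://portal.example.test/ - HIER_NONE/- text/html
1602489601.190     70 10.0.0.9 TCP_MISS/200 22410 GET http://portal.example.test/ asmith HIER_DIRECT/192.0.2.20 text/html
"""

LINE_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d{3})\s")

def auth_overhead(log_text):
    """Per client: (challenges, served) plus the overall challenge share."""
    challenges, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the native format
        if m["status"] == "407":
            challenges[m["client"]] += 1
        else:
            served[m["client"]] += 1
    total = sum(challenges.values()) + sum(served.values())
    share = sum(challenges.values()) / total if total else 0.0
    per_client = {c: (challenges[c], served[c]) for c in set(challenges) | set(served)}
    return per_client, round(share, 3)
```

Run against a real access.log the share tells you how much of the measured RPS is challenge traffic before deciding how many proxies the 45k clients need.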