Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-21 Thread ‪Amos Jeffries‬
The config you have is doing client-first bumping (bump at step 1). It happens before the real cert or server details are available. As such any number of TLS features or extensions may be missing (or added) by squid that indicate problems to the browser.

If you can use a config that peeks/stares/splices at steps 1-2 and bumps only at step 3 it may work better.

If you require this config, or have issues even with a step 3 bump, you will need to trace the TLS details being negotiated on both squid-browser and squid-server connections.

Amos

 Original message 
From: Dieter Bloms
Date: Thu, 21 Jan 2021, 00:25
To: squid-users@lists.squid-cache.org
Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.
When I disable sslbumping for this destination the chromium based
browsers work as well.
Here are some parts of my config:
--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--
with wget or curl I can download the mp4 file in both cases (with and without sslbump)
Can anybody try to view the video in a chromium based browser with enabled sslbump ?
Thank you very much.
-- 
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
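The step-based SslBump layout Amos describes, written out as an added example (it is not Dieter's config and not text from the reply). It reuses the certificate, helper and exemption-list paths from the quoted config; the acl names step1/step2/step3 and the comments are mine, and Dieter's tls_outgoing_options lines are unchanged and omitted here for brevity.

```conf
# Added example: decide SslBump per step instead of client-first.
# Paths below are taken from the quoted config; acl names are assumptions.
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"

# Step 1: only the CONNECT request is known. Peek, so nothing is committed yet
# and the client's ClientHello (SNI, extensions) gets read first.
ssl_bump peek step1

# Step 2: SNI is now available. Exempt domains are spliced untouched.
ssl_bump splice nobumping

# Step 2, everything else: stare. Squid opens its own TLS handshake to the origin
# and learns the real server certificate. (Peeking here would forward the client's
# ClientHello as-is, which in general rules out bumping at step 3.)
ssl_bump stare step2

# Step 3: the real server cert and negotiated parameters are in hand, so the
# mimicked certificate handed to the browser is derived from them rather than
# guessed from the CONNECT request alone.
ssl_bump bump step3
```

If Chromium still refuses the stream with this layout, Amos's fallback applies: capture the client-side and server-side handshakes and compare the ClientHello/ServerHello extensions and the certificate chain Squid presents against what the origin sends.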


Re: [squid-users] Squid doesn't notice AD group changes

2021-01-21 Thread ‪Amos Jeffries‬
The issue is many layers of caching and interdependent data.

Once the auth backend system is producing the right output the group helper cache needs to expire, then lookups by that helper will be correct.

Then all the tcp connections holding onto that user's credentials need to close. Only once all that happens will there be no user+group1 link to confuse.

If any of the old tcp connections remain open they cache the old credentials which were linked to the old group1. New tcp connections will be linked to their cached username state.

In modern squid the kerberos auth helper gives squid the list of groups at the same time as the username. So there is no external ACL helper and its caching to get things mixed up. You should use the note ACL type to check those group SIDs.

At worst you may still have to wait for the tcp connection closure part.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid doesn't notice AD group changes

2021-01-21 Thread Eliezer Croitoru
Have you tried to use external_acl_type for group membership checks?

Something like this should do the trick:

external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=ng,dc=tech" -D sq...@ng.tech -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=ng,DC=tech))" -h ngtech-dc.ng.tech

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

From: squid-users  On Behalf Of 
heimarbeit123...@web.de
Sent: Wednesday, January 20, 2021 3:51 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid doesn't notice AD group changes

Hello all! :)

I am running squid 4.1 on the newest Linux Mint with Kerberos SSO (connected to 
my AD), so I can check for AD groups and therefore block websites and so on. 
Thanks to the very good documentation everything looks good so far!

But there is one really big problem: Squid does not recognize AD group 
membership changes.

What does that mean?

Imagine I have TestUser1 and TestGroup1 and Testgroup2 in my AD. If I join 
TestUser1 to Testgroup1 everything is working (the first time ever, this 
specific user is getting member of one of these two groups). SSO works and the 
forbidden websites get blocked. So far so good ;)

But if I remove TestUser1 from TestGroup1 and make him a member of Testgroup2, 
shit is about to hit the fan!

After some seconds (winbind cache time = 30 in smb.conf) winbind recognizes 
that TestUser1 is not a member of TestGroup1 anymore, but now is a member of 
Testgroup2. But Squid doesn't!! Squid further treats TestUser1 as if he would 
still be in TestGroup1.

But if I now add a completely new user TestUser2 to the AD and then to 
Testgroup2, squid will treat this user correctly. If I then remove TestUser2 
from Testgroup2 and add this user to TestGroup1, same shit again: winbind 
recognizes the change, but squid still treats TestUser2 like he would be a member 
of TestGroup2.

What I tried:

-remove cache (net cache flush, "cache deny all", "no_cache deny all")

-remove squid with "purge" and reinstall it, still same problem

Can anyone help???

remember: Everything works with a new user, so I don't think kerberos is the 
problem. And winbind recognizes the change, so I think winbind is well 
configured too. Maybe squid is caching something (only explanation for me) but I 
don't see any caching.. Maybe someone had the same issue. Would be awesome, if 
someone could help me!

Regards

Philipp
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
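The two approaches from this thread side by side, as an added squid.conf example that is not part of any of the posts: Eliezer's external_acl_type route with the cache knobs that decide how long a stale membership survives, and the note ACL route Amos points to. Every domain, host, principal, path and SID is a placeholder. The `group` annotation emitted by negotiate_kerberos_auth and the `-m` list flag on the note ACL are as documented for Squid 4; confirm both against the squid.conf.documented shipped with your build before relying on them.

```conf
# Added example: mapping a Kerberos (Negotiate) user to an AD group in two ways.
# All domain names, hosts, principals, paths and SIDs below are placeholders.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED

# --- A: external_acl_type (Eliezer's approach) ---
# %LOGIN passes the authenticated user name; %g in the -f filter is filled from
# the "acl ... external" line. ttl/negative_ttl bound how long Squid's external
# ACL cache keeps an answer after AD has actually changed; 120s in the thread
# means up to two minutes of the old group being enforced.
external_acl_type ad_group ttl=60 negative_ttl=30 children-max=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "dc=example,dc=com" -D squid@example.com -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=example,DC=com))" -h dc1.example.com
acl in_testgroup1 external ad_group TestGroup1
acl in_testgroup2 external ad_group TestGroup2

# --- B: note ACL on the SIDs the auth helper annotates (Amos's approach) ---
# A negotiate_kerberos_auth built with PAC support returns the user's group SIDs
# as a "group=" key/value alongside the user name, so there is no second helper
# and no second cache to go stale. -m matches one item of a comma-separated value.
# Match on the SID, not the group display name; the SIDs here are placeholders.
acl sid_testgroup1 note -m group S-1-5-21-1111111111-2222222222-3333333333-1101
acl sid_testgroup2 note -m group S-1-5-21-1111111111-2222222222-3333333333-1102

acl blocked_sites dstdomain "/etc/squid/blocked.domains"

# Use one acl family or the other; both are shown so the lines can be compared.
http_access deny blocked_sites in_testgroup1
http_access deny blocked_sites sid_testgroup1
http_access allow authenticated
http_access deny all

# Caveat from the thread, valid for both approaches: Negotiate credentials are
# bound to the client TCP connection. Requests on a connection the browser opened
# before the AD change keep the group state that was attached at authentication
# time until that connection closes.
```

With approach B the only remaining delay after a group change is the Kerberos side (a fresh TGT/service ticket carrying the updated PAC) plus the open-connection caveat; with approach A the external ACL ttl is added on top, which is what Philipp is seeing.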


Re: [squid-users] Data trickling implementation is on ICAP side or Squid side?

2021-01-21 Thread Alex Rousskov
On 1/20/21 3:21 PM, John Zhu wrote:

> I implemented ICAP in java. I have questions regarding the “data
> trickling” to handle slow response for large file scanning from ICAP.

> 1) Java libraries available for data trickling at ICAP side, if any?

FWIW, implementing a production ICAP server from scratch (in any
language) is usually a bad idea -- there are too many poorly documented
and barely understood protocol areas. There are production ICAP servers
that support data trickling.

Unfortunately, I am not familiar with Java libraries, but there were two
ICAP projects in Java:
https://wiki.squid-cache.org/Features/ICAP#ICAP_Servers


> 2) Need any configuration change for trickling feature on Squid side?
> 3) Need any code change on Squid side?

I do not recall any required changes. Squid itself can be unaware that
data trickling is going on. However, it is possible that, in some
extreme cases (e.g., trickling one byte at a time), some configuration
or code adjustments would be needed to force "flushing" of that data
through Squid or to fix Squid metadata parsing bugs.


> 3) The trickling (in a very slow speed data send to Squid) is
> implemented only ICAP server side, correct?

The ICAP client side must not buffer (as in "delay to aggregate") data
trickled by the ICAP server.


HTH,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users