date:20210526

Re: [squid-users] blocking mime types works for adobe, not for teams

2021-05-26 Thread squid3


On 2021-05-27 06:58, robert k Wild wrote:

found a really good website to check http headers and i found the mime
type

https://gf.dev/http-headers-test

On Wed, 26 May 2021 at 15:11, robert k Wild wrote:


hi all,

i have in my squid config this

#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access deny mimetype

mimedeny.txt

application/octet-stream
application/x-msi
application/zip
application/x-7z-compressed
application/vnd.ms-cab-compressed

it works as it blocks adobe reader download, but the url has an exe
at the end so maybe this is why


No. Mime type is unrelated to any characters in the URL.




https://admdownload.adobe.com/bin/live/readerdc_uk_d_crd_install.exe



This response has "Content-Type: application/octet-stream" which is 
listed in your blocklist.




but it doesnt block ms teams from downloading



https://go.microsoft.com/fwlink/p/?LinkID=869426=0x809=en-gb=GB=deeplink=groupChatMarketingPageWeb=directDownloadWin64


it just doesnt intercept the download at all and gives me the option
to "save file" its an exe

do you think this is because its a direct download link?


No. It is because the mime type is still not in your blocklist.

The tool at  tells me the download is hidden behind 
a number of redirections then eventually the actual resource comes up 
with a "Content-Type: application/x-msdownload" header.



HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] blocking mime types works for adobe, not for teams

2021-05-26 Thread robert k Wild

found a really good website to check http headers and i found the mime type

https://gf.dev/http-headers-test

On Wed, 26 May 2021 at 15:11, robert k Wild  wrote:

> hi all,
>
> i have in my squid config this
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> http_reply_access deny mimetype
>
> mimedeny.txt
>
> application/octet-stream
> application/x-msi
> application/zip
> application/x-7z-compressed
> application/vnd.ms-cab-compressed
>
> it works as it blocks adobe reader download, but the url has an exe at the
> end so maybe this is why
>
> https://admdownload.adobe.com/bin/live/readerdc_uk_d_crd_install.exe
>
> but it doesnt block ms teams from downloading
>
>
> https://go.microsoft.com/fwlink/p/?LinkID=869426=0x809=en-gb=GB=deeplink=groupChatMarketingPageWeb=directDownloadWin64
>
> it just doesnt intercept the download at all and gives me the option to
> "save file" its an exe
>
> do you think this is because its a direct download link?
>
> thanks,
> rob
>
> --
> Regards,
>
> Robert K Wild.
>


-- 
Regards,

Robert K Wild.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Alex Rousskov

On 5/26/21 4:25 AM, Odhiambo Washington wrote:
> 
> On Wed, May 26, 2021 at 10:18 AM Matus UHLAR wrote:
> 
> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
> >>I installed this on my Windows 10 but gave up when I could not make
> >>it to cache anything.
> 
> On 26.05.21 12:57, Amos Jeffries wrote:
> >Squid by default uses a memory based cache these days. Unless your
> >traffic is non-cacheable you should be seeing some things stored there
> >without any configuration.
> 
> The main problem is that most of web content it HTTPS, which means it's
> hardly cacheable outside of web browsers.
> 
> with https, proxy only sees stream of encrypted data:
> the "s" in https means "secure" so no third party sees your data.
> 
> caching it requires decrypting of the connection, which means doing
> man-in-the-mittle attack.  It requires private certififacion authority
> installed on squid and in the browser, and for some domains using CAA
> browsers will still complain, or you'll have to fake DNS CAA
> records, which
> is harder with when using DNSSES, DoT or DoH.

> In the light of the foregoing, what is the standard way of deploying
> Squid these days?
> Is the use of the ssl_bump becoming standard or no one needs any caching
> within Squid these days so that Squid
> has become a tool for filtering and access control only?

There is no one "standard way" to deploy such versatile software like
Squid: Some deployments bump as much as they can while caching nothing.
Some encrypt everything and cache a lot. There are forward/interception
proxies versus reverse proxies. SaaS proxies versus highly customized
corporate deployments versus in-home installations. Deployments that
contribute a lot to the Squid Project versus those that we have never
heard of. And everything in between.

In most cases, the "standard" does not really matter. Focus on _your_
needs and make sure they can be and are supported well.

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] blocking mime types works for adobe, not for teams

2021-05-26 Thread robert k Wild

hi all,

i have in my squid config this

#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access deny mimetype

mimedeny.txt

application/octet-stream
application/x-msi
application/zip
application/x-7z-compressed
application/vnd.ms-cab-compressed

it works as it blocks adobe reader download, but the url has an exe at the
end so maybe this is why

https://admdownload.adobe.com/bin/live/readerdc_uk_d_crd_install.exe

but it doesnt block ms teams from downloading

https://go.microsoft.com/fwlink/p/?LinkID=869426=0x809=en-gb=GB=deeplink=groupChatMarketingPageWeb=directDownloadWin64

it just doesnt intercept the download at all and gives me the option to
"save file" its an exe

do you think this is because its a direct download link?

thanks,
rob

-- 
Regards,

Robert K Wild.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Evan Pierce

Hi

We can do Thursday at 12:30 after our SAM meeting



From: squid-users  on behalf of 
Odhiambo Washington 
Date: Wednesday, 26 May 2021 at 10:36
To: "squid-users@lists.squid-cache.org" 
Subject: Re: [squid-users] Caching configuration for Squid on Windows



On Wed, May 26, 2021 at 11:32 AM Matus UHLAR - fantomas 
mailto:uh...@fantomas.sk>> wrote:
>> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
>> >>I installed this on my Windows 10 but gave up when I could not make
>> >>it to cache anything.
>>
>> On 26.05.21 12:57, Amos Jeffries wrote:
>> >Squid by default uses a memory based cache these days. Unless your
>> >traffic is non-cacheable you should be seeing some things stored there
>> >without any configuration.

>On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas 
>mailto:uh...@fantomas.sk>>
>wrote:
>> The main problem is that most of web content it HTTPS, which means it's
>> hardly cacheable outside of web browsers.
>>
>> with https, proxy only sees stream of encrypted data:
>> the "s" in https means "secure" so no third party sees your data.
>>
>> caching it requires decrypting of the connection, which means doing
>> man-in-the-mittle attack.  It requires private certififacion authority
>> installed on squid and in the browser, and for some domains using CAA
>> browsers will still complain, or you'll have to fake DNS CAA records, which
>> is harder with when using DNSSES, DoT or DoH.

On 26.05.21 11:25, Odhiambo Washington wrote:
>In the light of the foregoing, what is the standard way of deploying Squid
>these days?
>Is the use of the ssl_bump becoming standard or no one needs any caching
>within Squid these days so that Squid
>has become a tool for filtering and access control only?

I guess it's the latter.

I personally think in cases of e.g.  public documents where the only privacy
issue is that you know who accesses what content, simpler version of
security could be enough: confirmation of authenticity (the content was not
modified). Such content could be cacheable.

Thank you for clarifying this.
So ideally, outbound access control and reverse proxying :)


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington

On Wed, May 26, 2021 at 11:32 AM Matus UHLAR - fantomas 
wrote:

> >> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
> >> >>I installed this on my Windows 10 but gave up when I could not make
> >> >>it to cache anything.
> >>
> >> On 26.05.21 12:57, Amos Jeffries wrote:
> >> >Squid by default uses a memory based cache these days. Unless your
> >> >traffic is non-cacheable you should be seeing some things stored there
> >> >without any configuration.
>
> >On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas <
> uh...@fantomas.sk>
> >wrote:
> >> The main problem is that most of web content it HTTPS, which means it's
> >> hardly cacheable outside of web browsers.
> >>
> >> with https, proxy only sees stream of encrypted data:
> >> the "s" in https means "secure" so no third party sees your data.
> >>
> >> caching it requires decrypting of the connection, which means doing
> >> man-in-the-mittle attack.  It requires private certififacion authority
> >> installed on squid and in the browser, and for some domains using CAA
> >> browsers will still complain, or you'll have to fake DNS CAA records,
> which
> >> is harder with when using DNSSES, DoT or DoH.
>
> On 26.05.21 11:25, Odhiambo Washington wrote:
> >In the light of the foregoing, what is the standard way of deploying Squid
> >these days?
> >Is the use of the ssl_bump becoming standard or no one needs any caching
> >within Squid these days so that Squid
> >has become a tool for filtering and access control only?
>
> I guess it's the latter.
>
> I personally think in cases of e.g.  public documents where the only
> privacy
> issue is that you know who accesses what content, simpler version of
> security could be enough: confirmation of authenticity (the content was not
> modified). Such content could be cacheable.


Thank you for clarifying this.
So ideally, outbound access control and reverse proxying :)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington

On Wed, May 26, 2021 at 3:58 AM Amos Jeffries  wrote:

> On 22/05/21 2:06 am, Odhiambo Washington wrote:
> > Hello everyone,
> >
> > I installed this on my Windows 10 but gave up when I could not make it
> > to cache anything.
> >
>
> Squid by default uses a memory based cache these days. Unless your
> traffic is non-cacheable you should be seeing some things stored there
> without any configuration.
>
>
> > What is the correct format of the above config on Windows?
> >
> > cache_dir aufs c:\Squid\cachedir 3000 16 256
> >
>
> As far as I know that directory path should be written as:
>
>   /c/Squid/cachedir
>
>
> The '/cygdir' prefix from examples tutorials is part of CygWin
> environment configuration.
>


So I tried that and...


C:\Squid\var\cache\squid> C:\Squid\bin\squid.exe -z
2021/05/26 11:29:43| FATAL: Bungled /etc/squid/squid.conf line 64:
cache_dir aufs /C/Squid/var/cache/squid
2021/05/26 11:29:43| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.108 seconds = 0.046 user + 0.062 sys
Maximum Resident Size: 703488 KB
Page faults with physical i/o: 2852



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Matus UHLAR - fantomas

>On 22/05/21 2:06 am, Odhiambo Washington wrote:
>>I installed this on my Windows 10 but gave up when I could not make
>>it to cache anything.

On 26.05.21 12:57, Amos Jeffries wrote:
>Squid by default uses a memory based cache these days. Unless your
>traffic is non-cacheable you should be seeing some things stored there
>without any configuration.

On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas 
wrote:

The main problem is that most of web content it HTTPS, which means it's
hardly cacheable outside of web browsers.

with https, proxy only sees stream of encrypted data:
the "s" in https means "secure" so no third party sees your data.

caching it requires decrypting of the connection, which means doing
man-in-the-mittle attack.  It requires private certififacion authority
installed on squid and in the browser, and for some domains using CAA
browsers will still complain, or you'll have to fake DNS CAA records, which
is harder with when using DNSSES, DoT or DoH.

On 26.05.21 11:25, Odhiambo Washington wrote:

In the light of the foregoing, what is the standard way of deploying Squid
these days?
Is the use of the ssl_bump becoming standard or no one needs any caching
within Squid these days so that Squid
has become a tool for filtering and access control only?

I guess it's the latter.

I personally think in cases of e.g.  public documents where the only privacy
issue is that you know who accesses what content, simpler version of
security could be enough: confirmation of authenticity (the content was not
modified). Such content could be cacheable. 

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington

On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas 
wrote:

> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
> >>I installed this on my Windows 10 but gave up when I could not make
> >>it to cache anything.
>
> On 26.05.21 12:57, Amos Jeffries wrote:
> >Squid by default uses a memory based cache these days. Unless your
> >traffic is non-cacheable you should be seeing some things stored there
> >without any configuration.
>
> The main problem is that most of web content it HTTPS, which means it's
> hardly cacheable outside of web browsers.
>
> with https, proxy only sees stream of encrypted data:
> the "s" in https means "secure" so no third party sees your data.
>
> caching it requires decrypting of the connection, which means doing
> man-in-the-mittle attack.  It requires private certififacion authority
> installed on squid and in the browser, and for some domains using CAA
> browsers will still complain, or you'll have to fake DNS CAA records, which
> is harder with when using DNSSES, DoT or DoH.


In the light of the foregoing, what is the standard way of deploying Squid
these days?
Is the use of the ssl_bump becoming standard or no one needs any caching
within Squid these days so that Squid
has become a tool for filtering and access control only?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Matus UHLAR - fantomas


On 22/05/21 2:06 am, Odhiambo Washington wrote:
I installed this on my Windows 10 but gave up when I could not make 
it to cache anything.


On 26.05.21 12:57, Amos Jeffries wrote:
Squid by default uses a memory based cache these days. Unless your 
traffic is non-cacheable you should be seeing some things stored there 
without any configuration.


The main problem is that most of web content it HTTPS, which means it's
hardly cacheable outside of web browsers.

with https, proxy only sees stream of encrypted data:
the "s" in https means "secure" so no third party sees your data.

caching it requires decrypting of the connection, which means doing
man-in-the-mittle attack.  It requires private certififacion authority
installed on squid and in the browser, and for some domains using CAA
browsers will still complain, or you'll have to fake DNS CAA records, which
is harder with when using DNSSES, DoT or DoH.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] blocking mime types works for adobe, not for teams

Re: [squid-users] blocking mime types works for adobe, not for teams

Re: [squid-users] Caching configuration for Squid on Windows

[squid-users] blocking mime types works for adobe, not for teams

Re: [squid-users] Caching configuration for Squid on Windows

Re: [squid-users] Caching configuration for Squid on Windows

Re: [squid-users] Caching configuration for Squid on Windows

Re: [squid-users] Caching configuration for Squid on Windows

Re: [squid-users] Caching configuration for Squid on Windows

Re: [squid-users] Caching configuration for Squid on Windows

10 matches

Site Navigation

Mail list logo

Footer information