Re: [squid-users] moving squid from centos 7 to ubuntu 22.04

2022-11-17 Thread robert k Wild
Hi Amos,

That's fine, you've been more than helpful, thank you.

This is where I learnt how to run squid with c-icap:

https://squidclamav.darold.net/documentation.html

Have you got a good how-to about running squid with eCAP?

What's the difference anyway between ICAP and eCAP?

On Thu, 17 Nov 2022 at 09:29, Amos Jeffries  wrote:

> On 17/11/2022 9:21 pm, robert k Wild wrote:
> > Wow thanks Amos so much for this,
> >
> > You think if I build it on rocky Linux, it would be easier?
> >
>
> I am not familiar with Rocky Linux beyond its existence.
> I expect it would be similar to CentOS since both are in the RHEL family.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Regards,

Robert K Wild.


Re: [squid-users] Squid 5: server_cert_fingerprint not working fine...

2022-11-17 Thread Amos Jeffries

On 18/11/2022 5:02 am, UnveilTech - Support wrote:


> Hello Squid Team,
>
> Can you have a look at this bugzilla case:
>
> https://bugs.squid-cache.org/show_bug.cgi?id=5245
>
> it’s about a bug with Squid 5.7 and TLS 1.3.
>
> Critical case created the 2022-10-27 09:59 UTC, it would be nice to
> have a fix/patch…


  occur)



As one can see in the bug report, Alex has looked at it in some detail.
The solution may be a complex or large change, and thus unlikely to occur 
in Squid-5 if so.


There are three things that come to mind immediately as related problems 
we cannot do anything about:
 1) Squid cannot know in advance what server cert will be provided 
(after step2) when it decided to splice (or not) at step2.
 2) SHA1 is not the only type of cert fingerprint. The non-working 
certs may be providing newer SHA2/3 etc fingerprints
 3) In TLS/1.3 a lot of data can be hidden inside the encryption. Squid 
may simply not be given access to the [real] fingerprint unless bump 
(decrypt) happens.


HTH
Amos



Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-17 Thread Михаил
Hi David,

Thanks for your advice but it doesn't help me. I use an AD account which hasn't set these parameters.

Misha.

17.11.2022, 10:07, "David Touzeau" :

> Hi
>
> perhaps this one
> https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
>
> On 16/11/2022 at 05:11, Михаил wrote:
> > Hi everybody,
> >
> > Could you help me to setup my new squid server? I have a problem with keytab authorization.
> >
> > 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }}
> > Got NTLMSSP neg_flags=0xe2088297
> > 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> >
> > # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp
> > Using default cache: /tmp/krb5cc_0
> > Using principal: HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> > Authenticated to Kerberos v5
> >
> > # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > KVNO Principal
> > ---- ---------
> >    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
> >    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
> >    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
> >    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
> >    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
> >    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
> >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
> >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
> >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
> >    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
> >    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
> >    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> >
> > # klist -kt
> > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > KVNO Timestamp           Principal
> > ---- ------------------- ---------
> >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
>
> -- 
> David Touzeau - Artica Tech France
> Development team, level 3 support
> --
> P: +33 6 58 44 69 46
> www: https://wiki.articatech.com
> www: http://articatech.net


Re: [squid-users] Squid 5: server_cert_fingerprint not working fine...

2022-11-17 Thread UnveilTech - Support
Hello Squid Team,

Can you have a look at this bugzilla case:
https://bugs.squid-cache.org/show_bug.cgi?id=5245

it's about a bug with Squid 5.7 and TLS 1.3.
Critical case created the 2022-10-27 09:59 UTC, it would be nice to have a 
fix/patch...

Thanks in advance.

Best regards,
Bye Fred

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
UnveilTech - Support
Sent: Tuesday, 25 October 2022 18:22
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 5: server_cert_fingerprint not working fine...

Hello,


Here is the part of our squid.conf on Squid 5 :

...

acl my_cf1_list server_cert_fingerprint '/etc/squid5/CF1.txt'

ssl_bump peek all

ssl_bump terminate my_cf1_list

ssl_bump splice all

...



We're not sure about the ssl_bump keys and options to use here, to be honest 
we've already spent hours trying to find the right way to make it work.



Here are some samples from the CF1.txt file:

# dayznews.biz

FB:EC:F7:AE:F4:BD:F4:85:68:C0:81:65:99:BA:7D:D3:FA:F8:51:74

# cdeveloper.cn

94:0A:C0:53:A0:E9:74:CE:91:12:6E:FD:06:57:08:58:B2:A5:76:10


1.   Is the server_cert_fingerprint working correctly or are there any bugs 
with the v5 ?

2.   Are the ssl_bump options/order correct ?

Any tips are welcome, thanks in advance...

Best regards,
Bye Fred
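
Added example (not part of the original posts, and not Squid's code): a Python check of a CF1.txt-style list, relating to the sample entries above and to the note elsewhere in this thread that SHA1 is not the only type of cert fingerprint. It goes beyond the two samples by also classifying SHA-256-length entries; the function names and the stand-in certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Digest size in bytes -> hashlib name. The two CF1.txt samples on the page are 20 bytes (SHA-1 size).
DIGEST_BY_LEN = {20: "sha1", 32: "sha256"}
HEX_PAIRS = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")

def parse_fingerprint_list(text):
    """Split a CF1.txt-style list into ({algo: {fingerprints}}, [rejected lines])."""
    by_algo, rejected = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop "# domain" comments
        if not line:
            continue
        size = (len(line) + 1) // 3              # "AA:BB" -> 2 bytes
        algo = DIGEST_BY_LEN.get(size) if HEX_PAIRS.match(line) else None
        if algo is None:
            rejected.append(raw.strip())         # wrong length or not hex pairs
        else:
            by_algo.setdefault(algo, set()).add(line.upper())
    return by_algo, rejected

def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END lines of a PEM block."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der, algo):
    """Colon-separated upper-case hex digest of the DER bytes, as in CF1.txt."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matching_algos(der, by_algo):
    """Digest algorithms under which this certificate appears in the list."""
    return sorted(a for a, fps in by_algo.items() if fingerprint(der, a) in fps)

# Constructed stand-in bytes, not a real certificate: only the hashing path is shown.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
# The two fingerprints quoted on the page, one constructed entry, one malformed line.
SAMPLE_LIST = "\n".join([
    "# dayznews.biz", "FB:EC:F7:AE:F4:BD:F4:85:68:C0:81:65:99:BA:7D:D3:FA:F8:51:74",
    "# cdeveloper.cn", "94:0A:C0:53:A0:E9:74:CE:91:12:6E:FD:06:57:08:58:B2:A5:76:10",
    "# constructed entry", fingerprint(SAMPLE_DER, "sha1"),
    "# malformed (constructed)", "94:0A:C0:53"])

if __name__ == "__main__":
    listed, bad = parse_fingerprint_list(SAMPLE_LIST)
    print(matching_algos(pem_to_der(SAMPLE_PEM), listed), bad)
```

A list built only from SHA-1 values never matches the SHA-256 fingerprint of the same certificate, so every entry in a list has to use the digest the comparing side computes.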


Re: [squid-users] How to generate daily usage email reports?

2022-11-17 Thread Rafael Akchurin
Hello Alex,

We have something like you seem to be in need of -  
https://docs.diladele.com/administrator_guide_stable/traffic_monitoring/reports.html
But these reports are not Squid analyzer :( sorry.

Best regards,
Rafael

From: squid-users  On Behalf Of Alex 
Kimble
Sent: Thursday, November 17, 2022 4:57 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] How to generate daily usage email reports?

Greetings Squid users,

I have 2 questions:


  1.  What are some good ways to generate a daily usage report which I can 
receive in email format .csv or .html is fine (top users, top URLs, blocked 
URLs)
  2.  Can daily usage reports be created and emailed from Squidanalyzer or is 
that just eye candy?

Thank you!

Alex


[squid-users] How to generate daily usage email reports?

2022-11-17 Thread Alex Kimble
Greetings Squid users,

I have 2 questions:


  1.  What are some good ways to generate a daily usage report which I can 
receive in email format .csv or .html is fine (top users, top URLs, blocked 
URLs)
  2.  Can daily usage reports be created and emailed from Squidanalyzer or is 
that just eye candy?

Thank you!

Alex


Re: [squid-users] moving squid from centos 7 to ubuntu 22.04

2022-11-17 Thread Amos Jeffries

On 17/11/2022 9:21 pm, robert k Wild wrote:

> Wow thanks Amos so much for this,
>
> You think if I build it on rocky Linux, it would be easier?



I am not familiar with Rocky Linux beyond its existence.
I expect it would be similar to CentOS since both are in the RHEL family.

Amos



Re: [squid-users] moving squid from centos 7 to ubuntu 22.04

2022-11-17 Thread robert k Wild
Wow thanks Amos so much for this,

You think if I build it on rocky Linux, it would be easier?

On Thu, 17 Nov 2022, 06:07 Amos Jeffries,  wrote:

> On 16/11/2022 6:31 am, robert k Wild wrote:
> > hi all,
> >
> > atm i have written a script, once you have built a centos 7 VM, you
> > just run the script and after the reboot its a complete running
> > squidclamAV server
> >
> > i'm going to be moving the script to a ubuntu server as centos 7 is
> > dead now (as i run clamAV on it, clamAV will stop getting virus
> > definitions 2024 as i use this for virus scanning of internet packets)
> >
> > just want to know what lines i need to adjust to work with ubuntu
> > instead of centos, obviously i know instead of yum install its apt
> > install
> >
>
> My comments below assume that you want to keep the exact versions as-is
> and custom build.
>
> Otherwise, if you are okay following Ubuntu's official packages and
> security fixes things could be a lot different (and simpler).
>
>
> > heres my long script
> >
> > #!/bin/bash
> > #
> > #this script will download/install and configure the following packages
> > #
> > #squid - proxy server
> > #squid ssl bump - intercept HTTPS traffic
> > #clamAV - antivirus engine inc trojans,viruses,malware
> > #c-icap - icap server
> > #squidclamav - that integrates all the above in squid
>
> You may not be aware squidclamav has been replaced with eCAP ClamAV module:
> 
>
> Ubuntu provides libecap package and Squid has support auto-enabled for it.
> So all you should need to do is build the ecap-clamav adaptor and
> configure it for use.
>
>
> > #whitelist URL's
> > #deny MIME types
> > #
> > #on the PROD host you only need squid
> > #
> > #first things first lets disable firewalld and SElinux
> > #
> > systemctl stop firewalld
> > systemctl disable firewalld
> > sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> > #
> > #squid packages
> > #
> > yum install -y epel-release screen rsync net-tools ethtool swaks sed
> > tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive
> > libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf
> > automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> > #
>
> Drop "epel-release" as irrelevant on Ubuntu.
>
> Ubuntu developer packages have "-dev" suffix instead of "-devel". So all
> those should change.
>
> To get access to simpler source building I recommend altering the apt
> configuration like so:
>
>  sudo sed --in-place -E 's/# (deb-src.*updates main)/  \1/g' /etc/apt/sources.list
>  sudo apt-get --quiet=2 update
>
>
> There are some trivial package naming differences. When apt complains
> about not finding a package you can use
>  to search for the Ubuntu naming
> and/or any alternatives.
>
>
> Many of those are not related to Squid in any way. Perhaps separate
> them into a different install command?
>
> After the above deb-src change the packages needed to build Squid for
> Ubuntu can be installed like so:
>
>  sudo apt-get --quiet=2 build-dep squid
>
> Similar commands also for clamav, c-icap any others which Ubuntu
> provides packages for.
>
> After that build-dep command you only need to install dependencies if
> the Ubuntu package lacks support.
> For example, Ubuntu older than 21.10 lack openssl natively, so "apt
> install libssl-dev" may be needed specially.
>
>
> > #clamAV packages
> > #
> > yum install -y clamav-server clamav-data clamav-update
> > clamav-filesystem clamav clamav-scanner-systemd clamav-devel
> > clamav-lib clamav-server-systemd
> > #
>
>
> > #download and compile from source
> > #
> > cd /tmp
> > wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
> > wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz --no-check-certificate
> > wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz --no-check-certificate
> > wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz --no-check-certificate
> > #
> > for f in *.tar.gz; do tar xf "$f"; done
> > #
> > cd /tmp/squid-4.17
> > ./configure --with-openssl --enable-ssl-crtd --enable-icap-client
> > --enable-http-violations && make && make install
>
> The prefix can be a bit different on Debian/Ubuntu. To ensure it is
> right add --prefix=/usr/local to the above options.
>
>
> > #
> > cd /tmp/c_icap-0.5.10
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> > --without-bdb --prefix=/usr/local && make && make install
> > #
> > cd /tmp/squidclamav-7.1
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> > --with-c-icap=/usr/local --with-libarchive && make && make install
> > #
> > cd /tmp/c_icap_modules-0.5.5
> > ./configure 'CFLAGS=-O3 -m64 -pipe'
> > 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib
> > -L/usr/local/clamav/l