[squid-users] squid callout sequence

2018-06-24 Thread Gordon Hsiao
At https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
redirectors are way ahead of ssl-bump in the callout order. In an
https-ssl-bump case you will need ssl-bump to run (so you can get the full URL,
for example), then you can run the redirector based on the result of ssl-bump,
correct? Why is the redirector run before ssl-bump?

Thanks,
Gordon
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid callout sequence (Amos Jeffries)

2018-06-24 Thread Gordon Hsiao
>
>  On 25/06/18 05:15, Gordon Hsiao wrote:
> > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> > redirectors are way ahead of ssl-bump in the callout order, in a
> > https-ssl-bump case
>
> There is not really any "https-ssl-bump" case.
>
> There is SSL-Bump (decrypting a TLS stream - or not), and there is HTTPS
> (HTTP messages inside TLS).
>
>
> > you will need ssl-bump to run (so you can get full
> > URL for example), then you can run redirector based on the result of
> > ssl-bump, correct?
>
> No. SSL-Bump is an operation applied to a CONNECT message, when setting
> up the TLS tunnel. There are maybe also *multiple* CONNECT messages when
> SSL-Bump gets involved - which the FAQ text following that sequence
> describes.
>
>
> HTTP is stateless protocol. So the CONNECT message(s) are independent of
> both each other, and anything decrypted from inside the tunnel. Each and
> every message Squid handles gets its own cycle through the callout
> sequence.
>
>
> > why is redirector run before ssl-bump?
>
> Because Squid needs to know _where_ it is going before it can connect
> there. SSL-Bump is part of tunnel/connection setup.
>
> Amos
>
>
Will SSL-Bump (not 'peek+splice', but the 'peek+bump' mode) decrypt all the
TCP packets? For example, if I connect to youtube.com/myvideo, will peek+bump
only decrypt the pseudo CONNECT messages (I'm doing transparent proxy), or
will it decrypt all the video streams too? If it's the latter case the
proxy will be CPU intensive.

Thanks for the help

Gordon


Re: [squid-users] squid callout sequence

2018-06-25 Thread Gordon Hsiao
>
> On 25/06/18 14:59, Gordon Hsiao wrote:
> > On 25/06/18 05:15, Gordon Hsiao wrote:
> > > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> > > redirectors are way ahead of ssl-bump in the callout order, in a
> > > https-ssl-bump case
> >
> > There is not really any "https-ssl-bump" case.
> >
> > There is SSL-Bump (decrypting a TLS stream - or not), and there is HTTPS
> > (HTTP messages inside TLS).
> >
> > > you will need ssl-bump to run (so you can get full
> > > URL for example), then you can run redirector based on the result of
> > > ssl-bump, correct?
> >
> > No. SSL-Bump is an operation applied to a CONNECT message, when setting
> > up the TLS tunnel. There are maybe also *multiple* CONNECT messages when
> > SSL-Bump gets involved - which the FAQ text following that sequence
> > describes.
> >
> > HTTP is stateless protocol. So the CONNECT message(s) are independent of
> > both each other, and anything decrypted from inside the tunnel. Each and
> > every message Squid handles gets its own cycle through the callout
> > sequence.
> >
> > > why is redirector run before ssl-bump?
> >
> > Because Squid needs to know _where_ it is going before it can connect
> > there. SSL-Bump is part of tunnel/connection setup.
> >
> > Amos
> >
> > will SSL-Bump(not 'peek+splice', but the 'peek+bump' mode) decrypt all
> > the tcp packets? For example I connect to youtube.com/myvideo,
> > will peek+bump only decrypt the pseudo CONNECT messages(I'm doing
> > transparent proxy), or will it decrypt all the video streams too? if
> > it's the latter case the proxy will be cpu intensive.
>
> Sorry if I wasn't clear. The ssl_bump (directive and CONNECT handling)
> part is the TLS handshake at the beginning of TLS connections. Once the
> decrypt or splice is setup it just continues indefinitely. Whatever is
> being decrypted from within that TLS is completely separate from the
> bumping itself.
>
> Amos
>
So, peek+bump itself will only deal with the TLS handshake part (e.g. to get
the FQDN/full URL for redirectors); still, the proxy will have to do
AES decrypt-and-encrypt for the same TCP stream when peek+bump is used,
which could be very CPU intensive, correct? Because once peek+bump is used,
the proxy splits the SSL stream into two segments and will have to deal with
everything for both ends.

peek+splice is totally different and it will not need the
AES decrypt-and-encrypt; it basically just probes for the SNI and then tunnels
the whole connection, so the proxy's CPU should not be overloaded at all.

Thanks a lot for the explanations,

Gordon


[squid-users] when will squid 4 be production ready?

2018-06-26 Thread Gordon Hsiao
Squid 4 has been released for quite a while; when will it be production
ready, or is there any rough timeline on the horizon?

Some little features are attractive, such as automatic intermediate CA
download.

On another note, it would be great if someone could update the Squid book for
3.5/4.x, especially on ssl-bump and other new stuff.

Cheers,
Gordon


[squid-users] ACL vs redirector order

2018-06-26 Thread Gordon Hsiao
Assuming I allow a domain to pass in an ACL but deny it in my redirector,
which one will win?

Also, assuming I deny a domain in squid.conf but allow it in the
redirector, which one will take precedence?

Will there be a difference for the above when peek+splice / peek+bump is
used?

Thanks,
Gordon


[squid-users] can squid use dns server on random port(non-53)?

2018-06-26 Thread Gordon Hsiao
I checked the manual and it seems I can only set the DNS server with a new IP;
is it possible to make squid support a non-standard DNS port, e.g. 5353?

Thanks,
Gordon


[squid-users] sslproxy_foreign_intermediate_certs -- where to locate a bundle

2018-06-27 Thread Gordon Hsiao
Does it exist somewhere? I just noticed this option in 3.5, but Google does not
show any location I can fetch it from, the way a typical ca-bundle is.

Gordon


[squid-users] http_port vs https_port

2018-06-27 Thread Gordon Hsiao
Reading all the cfg options in Squid 3.5, I noticed http_port has lots of
SSL-related options (which it should not), plus https_port refers to
http_port for those options. Shouldn't http_port have nothing to do with
SSL-specific options, and couldn't those SSL options be better moved to the
https_port section instead?

http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html

Gordon


Re: [squid-users] can squid use dns server on random port(non-53)?

2018-06-27 Thread Gordon Hsiao
> Date: Thu, 28 Jun 2018 07:06:14 +1200
> From: Amos Jeffries
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] can squid use dns server on random port(non-53)?
>
> On 27/06/18 16:29, Dieter Bloms wrote:
> > Hello,
> >
> > On Tue, Jun 26, Gordon Hsiao wrote:
> >
> >> checked the manual it seems I can only set dnsserver with a new IP, is
> it
> >> possible to make squid support non-standard DNS port, e.g. 5353?
>
> Squid only contains a minimal stub resolver. It requires a recursive
> resolver on port 53 (UDP *and* TCP) to do the actual DNS resolving and
> any fancy things like strange ports.
>
> So what Dieter said:
>
> >
> > maybe you can use a dns resolver like unbound, dnscache, dnsmasq, 
> > which can be configure to listen on localhost port 53, so only squid can
> > access it via localhost and no other servers.
> > These dns resolvers can be configure to use a non standard port like
> > 5353 for the destination dns servers.
> >
> > But in the past I've never seen a dns server listening on port 5353, so
> > maybe the setup is a little broken.
> >
>
>
> Amos
>
>
I agree it's a bit unusual, but adding a nameserver port option would be
nice if the changes are not intrusive.

Thanks,
Gordon


[squid-users] dns_packet_max

2018-06-27 Thread Gordon Hsiao
Still reading all the options, I noticed dns_packet_max is off by default. My
squid uses dnsmasq, which has EDNS on by default and "defaults to 4096,
which is the RFC5625-recommended size".

In this case what will happen then? dnsmasq may receive EDNS up to 4K,
while squid by default only takes 512 bytes.
http://www.squid-cache.org/Versions/v3/3.5/cfgman/dns_packet_max.html
warns that some older resolvers do not like EDNS, but dnsmasq has this feature
on by default...

Thinking about setting "dns_packet_max 4096" and seeing what happens...

Gordon
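To make concrete what dns_packet_max changes on the wire, here is an added example; it is not from the thread and not Squid's own code. It builds a DNS query with and without the EDNS0 OPT pseudo-RR that carries the advertised UDP payload size (the value dns_packet_max sets when it is not "none"), and parses the advertised size back out of a packet. The transaction id, the query names and the 4096 value are constructed inputs.

```python
import struct

EDNS_UDP_DEFAULT = 512   # classic DNS/UDP limit assumed when no OPT RR is present
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, udp_payload=4096, txid: int = 0x1234) -> bytes:
    """Build an A/IN query; append an OPT RR advertising udp_payload unless None.

    udp_payload=None models Squid's default 'dns_packet_max none'.
    """
    arcount = 1 if udp_payload else 0
    # id, flags (only RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    opt = b""
    if udp_payload:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), RDLENGTH=0.
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def skip_name(packet: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def advertised_udp_payload(packet: bytes) -> int:
    """Return the EDNS0 UDP payload size a packet announces (512 when no OPT RR)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(packet, pos) + 4                      # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(packet, pos)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass                                     # CLASS holds the size
        pos += 10 + rdlength
    return EDNS_UDP_DEFAULT


if __name__ == "__main__":
    for size in (None, 4096):
        pkt = build_query("www.example.com", size)
        print(f"dns_packet_max {size or 'none'}: {len(pkt)} bytes, "
              f"resolver may send up to {advertised_udp_payload(pkt)} bytes over UDP")
```

The point for the dnsmasq question: the 4096 that dnsmasq defaults to is what dnsmasq advertises to its own upstream servers; what dnsmasq may send back to Squid is bounded by what Squid's query advertises. With no OPT RR (the default) that is 512 bytes, so larger answers come back truncated (TC bit) and have to be retried over TCP, which is one reason Amos insists on a resolver that answers on both UDP and TCP.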


Re: [squid-users] http_port vs https_port (Alex Rousskov)

2018-06-27 Thread Gordon Hsiao
> On 06/27/2018 10:55 AM, Gordon Hsiao wrote:
> > Reading all the cfg options in Squid 3.5 I noticed http_port has lots of
> > SSL related options(which it should not), plus https_port is referring
> > to http_port for those options, should http_port have nothing to do with
> > ssl-specific options and those ssl-options could be better moved to
> > https_port section instead?
>
> http_port uses SSL options when bumping HTTP CONNECT tunnels.
>
> Alex.
>
>
Keep reading http_port vs https_port here...

1. http_port does not require openssl, https_port does; however, http_port
can do ssl-bump, so I would think http_port conditionally depends on
openssl.
2. Reading the cfgman v3.5 page I could not really tell their difference when
openssl/ssl-bump is involved; it seems http_port is a superset of
https_port and they behave the same when ssl-bump (splice or bump) is to be
used.

Since http_port (--with-openssl) seems able to do everything https_port can do,
why do we have https_port at all? In which circumstances must I use
https_port?

Thanks,
Gordon


[squid-users] minimize squid memory usage

2018-07-09 Thread Gordon Hsiao
I noticed my Squid doubles its memory usage even though I had:

cache deny all
cache_mem 0 MB
access_log none

Assuming I need _absolutely_ no cache whatsoever (to the point of changing
compile flags to disable that, if needed), and no store-to-disk either, i.e.
no objects need to be cached at all. I just need Squid to check a few ACLs
with absolutely minimal memory usage for now; what else am I missing to get
that to work?

Thanks,
Gordon


Re: [squid-users] minimize squid memory usage

2018-07-12 Thread Gordon Hsiao
Unfortunately, none of those alternatives can deal with https (peek or bump)
as far as I can tell, and these days https is a must for a proxy.

Gordon

> From: Leonardo Rodrigues
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] minimize squid memory usage
>
> On 09/07/18 20:45, Gordon Hsiao wrote:
> >
> > Assuming I need _absolutely_ no cache what-so-ever(to the point to
> > change compile flags to disable that, if needed), no store-to-disk
> > neither, i.e. no objects need to be cached at all. I just need Squid
> > to check a few ACLs with absolutely minimal memory usage for now, what
> > else am I missing to get that work?
> >
> If you don't need everything that squid can offer, maybe using
> other proxy software can be a better option. There is other software,
> with fewer options, that for sure will have a smaller memory footprint.
> But as you just need ACL capabilities, maybe those can be enough.
>
> Have you tried checking that?


[squid-users] shared_memory_locking failed to mlock

2018-07-15 Thread Gordon Hsiao
Just upgraded squid to 4.1; however, if I enable shared_memory_locking, squid
fails to start:

"FATAL: shared_memory_locking on but failed to
mlock(/squid-tls_session_cache.shm, 2101212): (12) Out of memory"

How do I know how much memory it is trying to mlock? Is 2101212 (~2MB) the
shm size or not? Any way to debug/look into/configure this size?

Again, I disabled cache etc. for a memory-restricted environment, and also used
the minimal configuration with a few enable-flags; in the meantime I want
to avoid memory overcommit from squid (thus mlock).

Regards,
Gordon


Re: [squid-users] shared_memory_locking failed to mlock

2018-07-16 Thread Gordon Hsiao
After increasing shared memory (/dev/shm on Linux), it does not help; I still
don't know why mlock fails, or how much memory it needs to mlock to avoid
failing.

On Sun, Jul 15, 2018 at 9:47 PM Gordon Hsiao  wrote:

> Just upgraded squid to 4.1, however if I enabled shared_memory_locking I
> failed to start squid:
>
> "FATAL: shared_memory_locking on but failed to
> mlock(/squid-tls_session_cache.shm, 2101212): (12) Out of memory"
>
> How do I know how much memory it is trying to mlock? is 2101212(~2MB) the
> shm size of not, any way to debug/looking-into/config this size?
>
> Again I disabled cache etc for a memory restricted environment, also used
> the minimal configuration with a few enable-flags, in the meantime I want
> to avoid memory overcommit from squid(thus mlock)
>
> Regards,
> Gordon
>


Re: [squid-users] shared_memory_locking failed to mlock

2018-07-16 Thread Gordon Hsiao
On an x86/64-bit Ubuntu machine, if I set 'workers 4' and run:

squid --foreground -f /etc/squid.conf 2>&1 |grep mlock
  mlock(0x7f2e5bfb2000, 8)= 0
  mlock(0x7f2e5bf9f000, 73912)= -1 ENOMEM (Cannot allocate memory)
squid -N -f /etc/squid.conf 2>&1 |grep mlock
  mlock(0x7f8e4b7c, 8)= 0
  mlock(0x7f8e4b7ad000, 73912)= -1 ENOMEM (Cannot allocate memory)

Note 1: -N and --foreground made no difference as long as 'workers 4' is
set. I was expecting -N would ignore "workers 4", does it?

Now I set 'workers 2' and run the same two commands above and I got this
output (both are the same), which means squid started successfully:
  mlock(0x7f0c441cc000, 8)= 0
  mlock(0x7f0c441c3000, 32852)= 0
  mlock(0x7f0c441c2000, 52)   = 0

Note: as long as "workers <=2" I can run squid as expected and mlock the
memory. I have more than 4GB RAM free (this is an 8GB RAM laptop) and this is
an Intel i7, so the mlock failure is strange.

On my target system which has 512MB RAM, even 'workers 0' won't help; I
still get:

  mlock(0x778de000, 2101212)  = -1 ENOMEM (Out of memory)

I have to disable lock-memory for now and it puzzles me why the very first
2MB mlock can fail. I ran strace|grep for shm_get and shmat and found nothing;
instead there are lots of mmap calls, so Squid is using mmap for its shared
memory mapping. The only question is: is this mlock file-backed or is it
anonymously mmaped (in which case on Linux it will use /dev/shm by
default)?

Thanks a lot,

Gordon

On Mon, Jul 16, 2018 at 11:58 AM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 07/15/2018 08:47 PM, Gordon Hsiao wrote:
> > Just upgraded squid to 4.1, however if I enabled shared_memory_locking I
> > failed to start squid:
> >
> > "FATAL: shared_memory_locking on but failed to
> > mlock(/squid-tls_session_cache.shm, 2101212): (12) Out of memory"
>
> > How do I know how much memory it is trying to mlock? is 2101212(~2MB)
> > the shm size of not,
>
> Yes, Squid tried to lock a 2101212-byte segment and failed.
>
>
> > any way to debug/looking-into/config this size?
>
> I am not sure what you mean, but please keep in mind that the failed
> segment could be the last straw -- most of the shared memory could be
> allocated earlier. You can observe all allocations/locks with 54,7
> debugging. Look for "mlock(".
>
> You can also run "strace" or a similar command line tool to track
> allocations, but analyzing strace output may be more difficult than
> looking through Squid logs.
>
>
> > Again I disabled cache etc for a memory restricted environment, also
> > used the minimal configuration with a few enable-flags, in the meantime
> > I want to avoid memory overcommit from squid(thus mlock)
>
> I am glad the new code is working to prevent runtime crashes in your
> memory-restricted environment. If studying previous mlock() calls does
> not help, please suggest what else Squid could do not help you.
>
>
> Thank you,
>
> Alex.
>


Re: [squid-users] shared_memory_locking failed to mlock

2018-07-17 Thread Gordon Hsiao
Turns out it is a ulimit-related issue; I bumped the default mlock limit to a
large value and now I can start squid with memory locked.

Yes, strace is only for syscalls, while ltrace shows all library calls.

Thanks for the help!

Gordon

On Mon, Jul 16, 2018 at 6:38 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 07/16/2018 05:08 PM, Gordon Hsiao wrote:
> > On a x86/64bit ubuntu machine if I set 'workers 4' and run:
>
> > squid --foreground -f /etc/squid.conf 2>&1 |grep mlock
> >   mlock(0x7f2e5bfb2000, 8)= 0
> >   mlock(0x7f2e5bf9f000, 73912)= -1 ENOMEM
>
> > squid -N -f /etc/squid.conf 2>&1 |grep mlock
> >   mlock(0x7f8e4b7c, 8)= 0
> >   mlock(0x7f8e4b7ad000, 73912)= -1 ENOMEM
>
> > Note 1; -N and --foreground made no difference as long as 'workers 4' is
> > set, I was expecting -N will ignore "worker 4", does it?
>
> IIRC, -N does not start workers. However, some (memory allocation) code
> may not honor -N and still allocate memory necessary for those (disabled
> by -N) workers. That would be a bug AFAICT.
>
>
> > Now I set 'workers 2' and run the same two commands above and I got the
> > output(both are the same), which means squid started successfully:
> >   mlock(0x7f0c441cc000, 8)= 0
> >   mlock(0x7f0c441c3000, 32852)= 0
> >   mlock(0x7f0c441c2000, 52)   = 0
>
> The second allocation is probably smaller because two workers need fewer
> SMP queues (or similar shared memory resources) than four workers.
>
>
> > I have more than 4GB RAM free(this is a 8GB RAM laptop) and this
> > is a Intel i7, the mlock failure is strange.
>
> The default amount of shared memory available to a program is often much
> smaller than the total amount of RAM. I do not recall which Ubuntu
> commands or sysctl settings control the former, but Squid wiki or other
> web resources should have that info. The question you should ask
> yourself is "How much shared memory is available for the Squid process"?
>
>
> > On my target system which has 512MB RAM, even 'workers 0' won't help, I
> > still get :
> >
> >   mlock(0x778de000, 2101212)  = -1 ENOMEM (Out of memory)
>
> For "workers 0" concerns, please see the -N discussion above. The two
> should be equivalent.
>
>
> > I have to disable lock-memory for now and it puzzles me why the very
> > first 2MB mlock can fail.
>
> Most likely, your OS is configured (or defaults) to provide very little
> shared memory to a process when the total RAM is only 512MB.
>
>
> > I strace|grep shm_get and shmat and found nothing,
>
> mlock() is a system call so strace should see it, but it may be called
> something else.
>
>
> > instead there are lots of mmap calls, so Squid is using mmap
> > for its shared memory mapping,
>
> Squid creates segments using shm_open() and attaches to them using mmap().
>
>
> > the only question is that, is this mlock
> > file-backed-up or is it anonymous mmaped(in this case on Linux it will
> > use /dev/shm by default)?
>
> On Ubuntu, Squid shared memory segments should all be in /dev/shm by
> default. Squid does not want them to be backed by real files. See
> shm_open(3).
>
> Please note that some libc calls manipulating regular files are
> translated into mmap() calls by the standard library (or some such). Not
> all mmap() calls you see in strace are Squid mmap() calls.
>
>
> HTH,
>
> Alex.
>
>
> > On Mon, Jul 16, 2018 at 11:58 AM Alex Rousskov wrote:
> >
> > On 07/15/2018 08:47 PM, Gordon Hsiao wrote:
> > > Just upgraded squid to 4.1, however if I enabled
> > shared_memory_locking I
> > > failed to start squid:
> > >
> > > "FATAL: shared_memory_locking on but failed to
> > > mlock(/squid-tls_session_cache.shm, 2101212): (12) Out of memory"
> >
> > > How do I know how much memory it is trying to mlock? is
> 2101212(~2MB)
> > > the shm size of not,
> >
> > Yes, Squid tried to lock a 2101212-byte segment and failed.
> >
> >
> > > any way to debug/looking-into/config this size?
> >
> > I am not sure what you mean, but please keep in mind that the failed
> > segment could be the last straw -- most of the shared memory could be
> > allocated earlier. You can observe all allocations/locks with 54,7
> > debugging. Look for "mlock(".
> >
> > You can also run "strace"
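As an added example that is not from the thread and not Squid's code, the following Python replays mlock() lines of the kind posted above against an RLIMIT_MEMLOCK soft limit (the value `ulimit -l` prints, in KiB). It makes Gordon's ulimit finding and Alex's "last straw" remark reproducible: mlock() fails with ENOMEM as soon as the pages already locked plus the pages of the new request exceed the limit, regardless of how much RAM is free, and a failed call locks nothing. The sample trace, the 4 KiB page size and the limit values used are constructed or assumed.

```python
import re

PAGE_SIZE = 4096   # assumption: 4 KiB pages, as on x86-64 Linux

# Constructed strace-style lines modelled on the ones posted in this thread.
SAMPLE_TRACE = """\
mlock(0x7f2e5bfb2000, 8)= 0
mlock(0x7f2e5bf9f000, 73912)= -1 ENOMEM (Cannot allocate memory)
"""

MLOCK_LINE = re.compile(r"mlock\((0x[0-9a-fA-F]+),\s*(\d+)\)\s*=\s*(-?\d+)")


def parse_mlock_calls(trace: str):
    """Return (address, length, succeeded) for each mlock() line in strace output."""
    calls = []
    for m in MLOCK_LINE.finditer(trace):
        addr, length, ret = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
        calls.append((addr, length, ret == 0))
    return calls


def locked_pages(addr: int, length: int) -> int:
    """mlock() pins every page that overlaps [addr, addr+length), so an 8-byte
    request on a page boundary still costs one full page against the limit."""
    first = addr // PAGE_SIZE
    last = (addr + length - 1) // PAGE_SIZE
    return last - first + 1


def simulate(calls, limit_bytes):
    """Replay an mlock() sequence against an RLIMIT_MEMLOCK soft limit.

    calls: iterable of (addr, length[, ...]) tuples, e.g. from parse_mlock_calls.
    Returns (results, locked_bytes): results[i] is True when call i fits;
    a call that does not fit locks nothing and leaves the budget unchanged.
    limit_bytes=None models an unlimited setting.
    """
    locked = 0
    results = []
    for call in calls:
        addr, length = call[0], call[1]
        need = locked_pages(addr, length) * PAGE_SIZE
        if limit_bytes is not None and locked + need > limit_bytes:
            results.append(False)
        else:
            results.append(True)
            locked += need
    return results, locked


def current_memlock_limit():
    """Soft RLIMIT_MEMLOCK of this process in bytes; None if unlimited or
    when the resource module is unavailable (non-Unix host)."""
    try:
        import resource
    except ImportError:
        return None
    soft, _hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    return None if soft == resource.RLIM_INFINITY else soft


if __name__ == "__main__":
    calls = parse_mlock_calls(SAMPLE_TRACE)
    for limit in (64 * 1024, 8 * 1024 * 1024):
        results, locked = simulate(calls, limit)
        print(f"limit {limit:>8} bytes -> {results}, {locked} bytes locked")
    print("this process:", current_memlock_limit())
```

With a 64 KiB limit the replay reproduces the posted outcome exactly (first call fits, the 73912-byte call does not), and the 2101212-byte segment from the 512 MB box fails on its own for the same reason. Comparing `current_memlock_limit()` with the page-rounded sum of the segments Squid reports under `debug_options 54,7` tells you how far to raise the limit; on systemd hosts that is the LimitMEMLOCK= setting of the unit rather than the shell's ulimit.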

[squid-users] squid 4.1 and domain fronting

2018-07-21 Thread Gordon Hsiao
I just read "RFC 2616 compliant proxy will rewrite the Host header making
it impossible to do domain fronting over HTTP or where SSL/TLS interception
is taking place", and also checked the RFC 2616 page at the squid site. It is
unclear to me whether squid can enforce Host-header consistency with the SNI to
avoid domain fronting whenever needed, or whether this should be done by
c-icap/redirector under peek+bump mode?

Gordon


Re: [squid-users] squid 4.1 and domain fronting

2018-07-21 Thread Gordon Hsiao
http://www.squid-cache.org/Versions/v4/cfgman/host_verify_strict.html

Looks like squid handles this already.

On Sat, Jul 21, 2018 at 4:10 PM Gordon Hsiao  wrote:

> I just read "RFC 2616 compliant proxy will rewrite the Host header making
> it impossible to do domain fronting over HTTP or where SSL/TLS interception
> is taking place", also checked RFC 2616 page at squid site, it is unclear
> to me that if squid can enforce host-header consistence with SNI to avoid
> domain fronting whenever needed? or this should be done by
> c-icap/redirector under peek+bump mode?
>
> Gordon
>
>


[squid-users] HSTS and HPKP

2018-07-26 Thread Gordon Hsiao
I'm running squid 4.1 in interception peek+splice mode.

Some sites with HSTS (max-age=0) will not work whenever squid is on. HSTS
max-age=0 is supposed to turn off HSTS, but chrome/firefox keep
redirecting https<-->http until it fails (too many redirects). Once Squid
is removed all is good.

I also searched various lists and squid's website, and it's still unclear to
me: for an intercept proxy, can Squid deal with HSTS reliably these days?

A similar question is HPKP, or certificate pinning: can Squid 4.1
handle that?

When no HSTS/HPKP is involved, it seems all sites work well.

Gordon


[squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-28 Thread Gordon Hsiao
Is there a way to block any attempt to visit http/https by _any_ IP
directly, i.e.

http://my-IP or https://my-IP (yes, this will give a warning for SSL most
likely)? Here my-IP could be any IPv4 address, for example.

Basically I want Squid to enforce that all 80/443 access is done
via a FQDN instead of an IP. Is this possible, or should this be handled in
a redirector instead?

Thanks,
Gordon


Re: [squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-29 Thread Gordon Hsiao
The Skype example was blocking every raw-ip:443 instead of just Skype's own
IPs, a bit too restrictive, though it could have a list of its own IPs and dst
might just work.

I'm trying to see if some chat apps can be blocked, as they use raw IPs without
DNS at all (similar to what Skype did).

Yes, I know ssl-bump uses the IP from the TCP SYN to do the fake CONNECT
(intercept mode); that is still different from a raw IP with 443/ssl, the latter
will warn because rarely does any SSL certificate have a CN in IP format.

There might be some VPN over port 443 that uses raw IPs which I hope to
block, if any.

Thanks,
Gordon

On Sun, Jul 29, 2018 at 7:00 AM wrote:

> Message: 2
> Date: Sun, 29 Jul 2018 18:32:45 +1200
> From: Amos Jeffries
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] block visit 80/443 browsing via IP(no domain name)
>
> On 29/07/18 16:11, Gordon Hsiao wrote:
> > is there a way to block any attempt to visit http/https by _any_ IP
> > directly, i.e.
> >
> > http://my-IP or https://my-IP (yes this will give a warning for SSL most
> > likely
>
> Er, what makes you think that? Squid intercepting HTTPS has to already
> be decrypting the TLS in order to see any https:// from the client.
>
>
> > ). here my-IP could be any IPv4 address, for example.
>
> To match transactions with raw-IP in their HTTP request-line URL use a
> dstdom_regex ACL with -n parameter and regex that matches raw-IP.
> <http://www.squid-cache.org/Doc/config/acl/>
>
> You should use a regex that matches both IPv4 and IPv6 because they
> *will* both be presented at times regardless of whether your systems are
> IPv4-only.
>
> You can find an example of a regex and how to use it in this page:
> <https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
> that Skype regex includes the port number ":443" at the end of the
> pattern which you may not want.
>
> Also, be aware that intercepted traffic does not operate with domain
> names. It often only has access to the IP:port details from TCP SYN
> packets. That especially includes intercepted port 443 traffic at the
> early stages of SSL-Bump processing.
>
> Is there something in particular you want to achieve with this blocking?
>
> Amos
>
>
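The raw-IP matching Amos describes above, as an added example that is not part of the thread and not Squid's own code: a Python script that keeps the two patterns in POSIX ERE syntax (the dialect Squid's dstdom_regex hands to the C library's regcomp, so the same text is valid in squid.conf and in Python's re), checks them against constructed hosts, and emits the squid.conf lines. The ACL name rawip, the sample hosts, and the choice to match without the ":443" suffix that the Skype page uses are my assumptions.

```python
import re

# POSIX-ERE-compatible patterns: no \d, no lookarounds, so the same string
# works in Python's re and in Squid's dstdom_regex. Octet ranges are not
# validated (999.1.1.1 matches too), which is acceptable for a deny rule.
IPV4_LITERAL = r"^[0-9]{1,3}(\.[0-9]{1,3}){3}$"
# Bare or bracketed IPv6 literal with at least two colons. Hostnames never
# contain ':' so this cannot match a real domain name. IPv4-mapped forms
# such as ::ffff:192.0.2.1 are deliberately out of scope here (assumption).
IPV6_LITERAL = r"^\[?[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}\]?$"


def is_raw_ip_host(host: str) -> bool:
    """True when the host part of a request URL is an IP literal, not a domain."""
    return bool(re.match(IPV4_LITERAL, host) or re.match(IPV6_LITERAL, host))


def squid_acl_lines(acl_name: str = "rawip"):
    """squid.conf lines: two dstdom_regex entries (OR-ed into one ACL) and a deny.

    -n tells Squid not to do a DNS lookup on the destination before matching,
    so the rule is cheap and does not depend on reverse records.
    """
    return [
        f"acl {acl_name} dstdom_regex -n {IPV4_LITERAL}",
        f"acl {acl_name} dstdom_regex -n {IPV6_LITERAL}",
        f"http_access deny {acl_name}",
    ]


# Constructed URL hosts of the kind Squid sees after parsing the request-line.
SAMPLE_HOSTS = [
    "192.0.2.10",
    "[2001:db8::1]",
    "2001:db8::1",
    "www.example.com",
    "192.0.2.10.example.com",   # numeric-looking, but a hostname
    "10.example.com",
]


def classify(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to whether the rawip ACL would match it."""
    return {h: is_raw_ip_host(h) for h in hosts}


if __name__ == "__main__":
    for line in squid_acl_lines():
        print(line)
    for host, denied in classify().items():
        print(f"{'DENY ' if denied else 'allow'} {host}")
```

Two placement notes that follow from Amos's reply: the deny must sit above any http_access allow it is meant to override, and for intercepted port 443 traffic the early SSL-Bump steps only know the IP:port from the TCP SYN, so the fake CONNECT would match this ACL for every intercepted connection; apply it where a server name is available (after peek has read the SNI, or to the decrypted requests after bump), or the rule blocks far more than raw-IP browsing.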