Re: [squid-users] site opens only without ssl bump

2022-11-09 Thread Majed Zouhairy

Peace,

On 11/4/22 15:46, Alex Rousskov wrote:

On 11/4/22 02:31, Majed Zouhairy wrote:

with

logformat squidx %err_code/%err_detail
access_log xsquid

squid stopped logging completely


Please try to follow the earlier sketch more closely: Keep your usual 
logformat codes while adding %err_code/%err_detail and keep your usual 
access_log destination when specifying the custom logformat name 
(xsquid). Use squid.conf.documented as a syntax reference for these 
directives. Always monitor cache.log (or equivalent) for important 
messages.


I think I am becoming Biden; I read squid.conf.documented and didn't get 
it. Am I supposed to substitute %err_code/%err_detail with something 
like [http:]>%h, for example?

Here is what cache.log displayed when I changed the config to:

logformat squidx %err_code/%err_detail
access_log daemon:/var/log/squid/accessX.log squidx

access.log stopped working and again cache.log displayed:

2022/11/09 16:58:36| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c02::5f]: (101) Network is unreachable
2022/11/09 16:58:40| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c0e::c6]: (101) Network is unreachable
2022/11/09 16:58:48| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c0d::66]: (101) Network is unreachable
2022/11/09 16:58:58| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1148:db00:0:b0b0::1]: (101) Network is unreachable

2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to 
finish

2022/11/09 16:59:29 kid1| Killing master process, pid 22616
2022/11/09 16:59:29 kid1| Closing HTTP(S) port [::]:8080
2022/11/09 16:59:29 kid1| Closing Pinger socket on FD 46
2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to 
finish

2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr1 exited
current master transaction: master85
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running 
(need 1/32)

current master transaction: master85
2022/11/09 16:59:29 kid1| Starting new helpers
current master transaction: master85
2022/11/09 16:59:29 kid1| helperOpenServers: Starting 1/32 
'security_file_certgen' processes

current master transaction: master85
2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr3 exited
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running 
(need 1/32)

2022/11/09 16:59:29 kid1| storeDirWriteCleanLogs: Starting...
2022/11/09 16:59:29 kid1| 65536 entries written so far.
2022/11/09 16:59:29 kid1|   Finished.  Wrote 90620 entries.
2022/11/09 16:59:29 kid1|   Took 0.10 seconds (914392.96 entries/sec).
2022/11/09 16:59:29 kid1| FATAL: The sslcrtd_program helpers are 
crashing too rapidly, need help!






with

ssl_bump splice all

now the site works


OK, so now we know that something breaks around SslBump step1. The next 
task is (still) getting %err_code/%err_detail working. If that is not 
enough, then you will also need to collect debugging logs.



HTH,

Alex.




On 11/3/22 16:05, Alex Rousskov wrote:

On 11/3/22 05:43, Majed Zouhairy wrote:

I have 2 proxies, one with ssl bump and one without; there is an 
internal site that opens only on the no-ssl-bump proxy.


On the ssl bump proxy it displays:



What does Squid say in access.log for this problematic request? 
Please configure Squid to log %err_code/%err_detail before 
answering this question. For example:


logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid



Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek all
ssl_bump splice all


Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek tls_s1_connect
ssl_bump splice all


Alex.




Не удается получить доступ к сайту. Веб-страница по адресу (I was 
unable to gain access to the website:) 
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback 
возможно, временно недоступна или постоянно перемещена по новому адресу. (it is possible that it cannot be reached or it has been permanently relocated to a new address)

ERR_TUNNEL_CONNECTION_FAILED

The site needs special configuration to run: it needs a local proxy, 
avtunproxy.nl. In the Internet Explorer settings, the second box in the 
proxy settings, called "use the scenario for automatic configuration", 
needs to be checked; in it, the proxy address is plugged in:
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:


acl tls_s1_connect    at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hs

Re: [squid-users] site opens only without ssl bump

2022-11-03 Thread Majed Zouhairy



On 11/3/22 21:25, Alex Rousskov wrote:

On 11/3/22 10:17, Majed Zouhairy wrote:

here is the log:


1667471160.808 77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 
- HIER_NONE/- -



i added the following line to squid:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %%Sh/%

Please do not redefine built-in formats like "squid". As you can see, 
your adjustment had no effect -- the log records do not end with -/- (or 
better). Follow the xsquid sketch (that I shared earlier) instead.




with

logformat squidx %err_code/%err_detail
access_log xsquid

squid stopped logging completely


with either

ssl_bump peek all
ssl_bump splice all

or

ssl_bump peek tls_s1_connect
ssl_bump splice all

it still does not work.


Interesting. How about just:

   ssl_bump splice all

... which should splice the TCP connections before any TLS work begins.

with

ssl_bump splice all

now the site works



Alex.



On 11/3/22 16:05, Alex Rousskov wrote:

On 11/3/22 05:43, Majed Zouhairy wrote:

I have 2 proxies, one with ssl bump and one without; there is an 
internal site that opens only on the no-ssl-bump proxy.


On the ssl bump proxy it displays:



What does Squid say in access.log for this problematic request? 
Please configure Squid to log %err_code/%err_detail before answering 
this question. For example:


logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid



Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek all
ssl_bump splice all


Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek tls_s1_connect
ssl_bump splice all


Alex.




Не удается получить доступ к сайту. Веб-страница по адресу (I was 
unable to gain access to the website:) 
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback 
возможно, временно недоступна или постоянно перемещена по новому адресу. (it is possible that it cannot be reached or it has been permanently relocated to a new address)

ERR_TUNNEL_CONNECTION_FAILED

The site needs special configuration to run: it needs a local proxy, 
avtunproxy.nl. In the Internet Explorer settings, the second box in the 
proxy settings, called "use the scenario for automatic configuration", 
needs to be checked; in it, the proxy address is plugged in:
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:


acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts    ssl::server_name .akamaihd.net
acl tls_allowed_hsts    ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank  ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice       any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek   tls_s1_connect   # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice    # splice some: no active bump
ssl_bump stare  all              # stare(peek) at server properties of the webserver
ssl_bump bump

contents of the 
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:


.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

Those are all the sites that are logged on the non-ssl-bump proxy 
when ias.ckko.nl is accessed.


Despite all this configuration, the site does not open. In ufdbguard 
every site from the user is a pass.


In the avtunproxy log:

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 14.00 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 17.00 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1

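The xsquid sketch above appends %err_code/%err_detail to the regular codes, and Alex's check is that every record then ends with -/- (or an error). The following is an added example, not code from the thread or from Squid, that parses records in that layout: the ten fields of the built-in squid format followed by one trailing err_code/err_detail field. The sample log is constructed: line 1 is the record Majed posted, and the error values on line 3 are illustrative, not taken from a real Squid.

```python
"""Parse Squid access.log records written with the "xsquid" sketch: the
built-in squid format with %err_code/%err_detail appended as one trailing
field. Added example, not Squid's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. Line 1 is the record quoted in the thread (plain
# built-in "squid" format, 10 fields). Lines 2-4 are constructed to show the
# same records once %err_code/%err_detail is appended; the error values on
# line 3 are illustrative, not copied from a real cache.log.
SAMPLE_LOG = """\
1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- - -/-
1667471161.102     12 192.168.2.5 NONE_NONE/503 0 CONNECT test-auth.ias.ckko.nl:443 - HIER_NONE/- - ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE
1667471162.500    301 192.168.2.5 TCP_MISS/200 5123 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html -/-
"""


@dataclass
class Record:
    ts: float
    duration_ms: int
    client: str
    result: str               # e.g. NONE_NONE, TCP_MISS
    status: int
    size: int
    method: str
    url: str
    user: str
    hier: str                 # e.g. HIER_NONE, HIER_DIRECT
    peer: str
    mimetype: str
    err_code: Optional[str]   # None when the record has no 11th field
    err_detail: Optional[str]


def parse_record(line: str) -> Record:
    """Split one record on whitespace. Fields 1-10 are the built-in squid
    format; field 11, if present, is %err_code/%err_detail."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a squid-format record: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    err_code = err_detail = None
    if len(f) >= 11:
        err_code, _, err_detail = f[10].partition("/")
    return Record(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                  f[5], f[6], f[7], hier, peer, f[9], err_code, err_detail)


def parse_log(text: str) -> List[Record]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def format_applied(records: List[Record]) -> bool:
    """Alex's sanity check: once the xsquid logformat is in effect, every
    record ends with an err field, "-/-" for trouble-free transactions."""
    return bool(records) and all(r.err_code is not None for r in records)


def failed_transactions(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """Records Squid tagged with an error: what access.log says about a
    problematic request once err_code/err_detail is logged."""
    return [(r.client, r.url, r.err_code, r.err_detail)
            for r in records if r.err_code not in (None, "-")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("xsquid format applied to all records:", format_applied(recs))
    for client, url, code, detail in failed_transactions(recs):
        print(f"{client} {url}: {code} ({detail})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a False from format_applied means at least one record still comes from the old format, which is the symptom Alex points at when the log lines do not end in -/-.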
Re: [squid-users] site opens only without ssl bump

2022-11-03 Thread Majed Zouhairy
p peek tls_s1_connect
ssl_bump splice all

it still does not work.


On 11/3/22 16:05, Alex Rousskov wrote:

On 11/3/22 05:43, Majed Zouhairy wrote:

I have 2 proxies, one with ssl bump and one without; there is an 
internal site that opens only on the no-ssl-bump proxy.


On the ssl bump proxy it displays:



What does Squid say in access.log for this problematic request? Please 
configure Squid to log %err_code/%err_detail before answering this 
question. For example:


logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid



Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek all
ssl_bump splice all


Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek tls_s1_connect
ssl_bump splice all


Alex.




Не удается получить доступ к сайту. Веб-страница по адресу (I was 
unable to gain access to the website:) 
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback 
возможно, временно недоступна или постоянно перемещена по новому адресу. (it is possible that it cannot be reached or it has been permanently relocated to a new address)

ERR_TUNNEL_CONNECTION_FAILED

The site needs special configuration to run: it needs a local proxy, 
avtunproxy.nl. In the Internet Explorer settings, the second box in the 
proxy settings, called "use the scenario for automatic configuration", 
needs to be checked; in it, the proxy address is plugged in:
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:


acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts    ssl::server_name .akamaihd.net
acl tls_allowed_hsts    ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank  ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice       any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek   tls_s1_connect   # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice    # splice some: no active bump
ssl_bump stare  all              # stare(peek) at server properties of the webserver
ssl_bump bump

contents of the 
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:


.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

Those are all the sites that are logged on the non-ssl-bump proxy 
when ias.ckko.nl is accessed.


Despite all this configuration, the site does not open. In ufdbguard 
every site from the user is a pass.


In the avtunproxy log:

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 14.00 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 17.00 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 19.00 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 12.00 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 15.00 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
[addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
read tcp 192.168.2.5:10538->10.0

[squid-users] site opens only without ssl bump

2022-11-03 Thread Majed Zouhairy

Peace,
I have 2 proxies, one with ssl bump and one without; there is an internal 
site that opens only on the no-ssl-bump proxy.


On the ssl bump proxy it displays:


Не удается получить доступ к сайту. Веб-страница по адресу (I was unable 
to gain access to the website:) 
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback 
возможно, временно недоступна или постоянно перемещена по новому адресу. 
(it is possible that it cannot be reached or it has been permanently 
relocated to a new address)

ERR_TUNNEL_CONNECTION_FAILED

The site needs special configuration to run: it needs a local proxy, 
avtunproxy.nl. In the Internet Explorer settings, the second box in the 
proxy settings, called "use the scenario for automatic configuration", 
needs to be checked; in it, the proxy address is plugged in:
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:


acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts    ssl::server_name .akamaihd.net
acl tls_allowed_hsts    ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank  ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice       any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek   tls_s1_connect   # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice    # splice some: no active bump
ssl_bump stare  all              # stare(peek) at server properties of the webserver
ssl_bump bump

contents of the 
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:


.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

Those are all the sites that are logged on the non-ssl-bump proxy 
when ias.ckko.nl is accessed.


Despite all this configuration, the site does not open. In ufdbguard 
every site from the user is a pass.


In the avtunproxy log:

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 14.00 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read 
tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection 
was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 17.00 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 19.00 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 12.00 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 15.00 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
[addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read 
tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection 
was forcibly closed by the remote host.
2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] 
[addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 19.00 ms
2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] 
[addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] 
[addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
t

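Before reloading a splice list it helps to check offline which server names the tls_to_splice ACL would actually match. The following is an added example, not code from the thread or from Squid: it applies Squid's documented dstdomain/ssl::server_name matching (a pattern with a leading dot matches that domain and all of its subdomains, a pattern without one matches exactly, case-insensitively) to the two ACLs and the domains.squidsplice contents posted above, and records which name ssl::server_name sees at each step (the CONNECT host at SslBump1, the ClientHello SNI at SslBump2). The step 3 case (server certificate names) is not modelled.

```python
"""Evaluate the thread's ssl::server_name splice ACLs offline. Added
example; the matching rules follow Squid's documented dstdomain /
ssl::server_name semantics, this is not Squid's own matcher."""
from typing import Dict, List, Tuple

# Contents of domains.squidsplice as posted in the thread.
SPLICE_FILE = """\
.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl
"""


def load_domain_list(text: str) -> List[str]:
    """One pattern per line, as Squid reads a quoted ACL file; blank lines
    and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def strip_port(server: str) -> str:
    """'host:443' or '[v6addr]:443' -> host, as a CONNECT target appears.
    Bare IPv6 addresses without brackets are not expected here."""
    if server.startswith("["):
        return server[1:server.index("]")]
    host, sep, port = server.rpartition(":")
    return host if sep and port.isdigit() else server


def domain_matches(host: str, pattern: str) -> bool:
    """Leading dot: the domain itself and every subdomain; otherwise exact.
    Case-insensitive; a trailing dot on either side is ignored."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


ACLS: Dict[str, List[str]] = {
    "tls_allowed_hsts": [".akamaihd.net", ".proxy.ckko.nl"],
    "tls_server_is_bank": load_domain_list(SPLICE_FILE),
}
TLS_TO_SPLICE = ["tls_allowed_hsts", "tls_server_is_bank"]   # any-of


def matching_acls(server: str) -> List[str]:
    host = strip_port(server)
    return [name for name in TLS_TO_SPLICE
            if any(domain_matches(host, p) for p in ACLS[name])]


def would_splice(server: str) -> bool:
    """True when 'ssl_bump splice tls_to_splice' would match this name."""
    return bool(matching_acls(server))


def name_checked_at(step: int, connect_host: str, sni: str = "") -> str:
    """Which name ssl::server_name sees: the CONNECT host at SslBump1, the
    ClientHello SNI (when the client sends one) at SslBump2. Step 3 uses
    the server certificate names, which are not modelled here."""
    if step == 1 or not sni:
        return connect_host
    return sni


def audit(servers: List[str]) -> List[Tuple[str, bool, List[str]]]:
    return [(s, would_splice(s), matching_acls(s)) for s in servers]


if __name__ == "__main__":
    for server, splice, acls in audit(["ckko.nl:443", "test-auth.ias.ckko.nl:443",
                                       "proxy.ckko.nl:8080", "www.example.com:443"]):
        print(f"{server:32} splice={splice} via {acls}")
```

The audit prints, for each name, whether the splice rule fires and through which ACL; a name that the browser requests but that never reaches the list in the form Squid sees it (CONNECT host at step 1, SNI at step 2) shows up as splice=False and is the first thing to fix before adding more entries.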
Re: [squid-users] sarg error in squid 5.7

2022-10-05 Thread Majed Zouhairy

thanks for replying but,

On 9/29/22 19:04, Amos Jeffries wrote:
> On 30/09/22 03:45, Majed Zouhairy wrote:
>> Peace, does squid still not support long urls?
>>
>
> Squid supports long URLs. If it did not those log entries would be 
> shorter and indicate clients being rejected with "414 URI Too Long".
>
> Your problem is the length of the log line. The logging modules have 
> limits which may be shorter than what you have configured the acceptable 
> URL / request size to be.
>
> I suggest trying TCP logging instead of the default stdio or daemon.
>
How do I configure TCP logging on the local machine rather than to a 
remote machine?


> Sarg itself may also have problems with such long URLs.
>
>
> HTH
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


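Amos suggests the tcp logging module for long log lines, and the question is how to point it at the local machine. Here is an added example, not part of the thread or of Squid: a loopback TCP receiver that reassembles newline-terminated records from the byte stream with no line-length cap, so a record with a very long URL is written out whole. The squid.conf line in the comment is the assumed way to address the tcp module on 127.0.0.1 (check the access_log entry in squid.conf.documented for your version), and the assumption that each record ends in a newline is labelled in the code.

```python
"""Minimal TCP access_log receiver for a local Squid. Added example, not
Squid's code. Assumed squid.conf line (verify against squid.conf.documented
for your version):

    access_log tcp:127.0.0.1:5140 squid

Assumption: Squid's tcp module terminates each record with a newline, so
records are reassembled from the stream here with no fixed length cap."""
import socket
from typing import List


class LineSplitter:
    """Turns arbitrary TCP chunks into complete newline-terminated records."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        self._buf += chunk
        lines = []
        while True:
            i = self._buf.find(b"\n")
            if i < 0:
                return lines
            lines.append(bytes(self._buf[:i]))
            del self._buf[: i + 1]

    def flush(self) -> bytes:
        """Whatever is left without a newline when the peer closes."""
        tail = bytes(self._buf)
        self._buf.clear()
        return tail


def receive_records(conn, sink) -> int:
    """Read from conn (anything with recv()) until the peer closes; write
    each complete record plus newline to sink (anything with write(), e.g.
    a file opened in binary append mode). Returns the record count."""
    splitter, count = LineSplitter(), 0
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        for rec in splitter.feed(chunk):
            sink.write(rec + b"\n")
            count += 1
    tail = splitter.flush()
    if tail:                      # partial last record: keep it, flagged
        sink.write(tail + b"\n")
        count += 1
    return count


def serve(listen_host: str, listen_port: int, out_path: str) -> None:
    """Accept connections forever and append every record to out_path.
    Squid reconnects on its own if the receiver restarts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen_host, listen_port))
        srv.listen(4)
        with open(out_path, "ab", buffering=0) as sink:
            while True:
                conn, _ = srv.accept()
                with conn:
                    receive_records(conn, sink)


if __name__ == "__main__":
    # Constructed local destination; run as a user that may write there.
    serve("127.0.0.1", 5140, "/var/log/squid/access-tcp.log")
```

Binding to 127.0.0.1 keeps the listener off the network, which matters because the log stream carries full URLs in clear text; if the receiver is not running when Squid starts, watch cache.log for the tcp module's connection errors.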

[squid-users] sarg error in squid 5.7

2022-09-29 Thread Majed Zouhairy

Peace, does squid still not support long URLs?

sudo sarg -x -z
SARG: Init
SARG: Loading configuration file "/usr/share/sarg/sarg.conf"
SARG: TAG: access_log /var/log/squid/access.log
SARG: TAG: title "Squid User Access Reports"
SARG: TAG: font_face Tahoma,Verdana,Arial
SARG: TAG: font_size 18px
SARG: TAG: header_font_size 12px
SARG: TAG: temporary_dir /tmp
SARG: TAG: output_dir /srv/www/sarg
SARG: TAG: resolve_ip yes
SARG: Chaining IP resolving module "dns"
SARG: TAG: date_format e
SARG: TAG: lastlog 25
SARG: TAG: remove_temp_files yes
SARG: TAG: index yes
SARG: TAG: index_tree file
SARG: TAG: overwrite_report yes
SARG: TAG: topsites_num 180
SARG: TAG: exclude_codes /usr/share/sarg/exclude_codes
SARG: TAG: max_elapsed 2880
SARG: TAG: report_type topusers topsites denied sites_users users_sites 
date_time denied auth_failures site_user_time_date downloads

SARG: TAG: long_url no
SARG: TAG: privacy no
SARG: TAG: show_successful_message yes
SARG: TAG: show_read_statistics yes
SARG: TAG: www_document_root /srv/www/htdocs
SARG: TAG: download_suffix 
"zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"

SARG: Purging temporary directory "/tmp/sargnX2FZX"
SARG: Parameters:
SARG:   Hostname or IP address (-a) =
SARG: Exclude file (-c) =
SARG:  Date from-until (-d) =
SARG:Email address to send reports (-e) =
SARG:  Config file (-f) = /usr/share/sarg/sarg.conf
SARG:  Date format (-g) = Europe (dd/mm/)
SARG:IP report (-i) = No
SARG: Keep temporary files (-k) = No
SARG:Input log (-l) = /var/log/squid/access.log
SARG:   Resolve IP Address (-n) = Yes
SARG:   Output dir (-o) = /srv/www/sarg/
SARG: Use Ip Address instead of userid (-p) = No
SARG:Accessed site (-s) =
SARG: Time (-t) =
SARG: User (-u) =
SARG:Temporary dir (-w) = /tmp/sargnX2FZX
SARG:   Debug messages (-x) = Yes
SARG: Process messages (-z) = 1
SARG:  Previous reports to keep (--lastlog) = 25
SARG:
SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for 
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not 
be parsed and is ignored
1664429404.809 12 10.32.0.2 NONE_NONE/400 23894 POST 
https://yandex.by/clck/safeclick/data=AiuY0DBWFJ5Hyx_fyvalFLOD-Yhiku6D0pBKde9dUC5JtQWHFepEIISjW65MNM0MbWwwbD826Q6PbhmH8wOygGEGZrEbAD17l5ZxdNR-cdjO5PX6BPXQlCuhboWrsuvOUWLzCF5DolY3QBpPflNk0GmYurtACNOj7wBvT5DBkWS6Bceio12NXfa8_IXI5oBhrJfhfaLy5st7wUykxNAvNbUHEnwTieLfdmpWv04zCFacPnnvLUqOdGAbFXQPEbyGKDhVsb12swdUr4_IwTWnXwp1t0lXq_Cm415e6rMpeCdg8vTFFT-D0k0UQ39arRjMuSDzE_8MtoDT6M3q7UB3qA8i-DQ4QupIf-bI_8lhs0d1gtj3wWUrmNrATp6i_Xjf6leJ-IJ_gsU7hxp1BhpvQxPiBPbdz63vO8xdfmupx6dQMbYcoSywDppIGo1X80S4dK9_ZpoKlMP_Onn8Flh8s6Dl4aqqh1AOvNaWnEirAtxtHbtfvUBAQz8N-SYAaN2sQJKUnjJGewpawVeLOZ1qQQ,,/sign=214e4bac6a7f5b6913d67e7a333db887/keyno=0/ref=orjY4mGPRjkHVRqRT7scnl9k3ZfzgjFj0NXM8QCXJ87Lp4yaofJuZIGyAcDCDs-Qxz1NDGQsk0PYaiHTlBS-kNrrDW1IyfUgrvoaMQQfJjvAaeeXw0yAWiEPHr2ZWCcw2tYm73H8gZ89Y5jlFWYscV9f6rVDBKocPyT7JEQI25xWZJZvkh_O-JV9DU8JbHJ5_cwFb_FmjJRcNITbQwr24MQ3UrFCfWmBzhTmAoRmzxtZN3RIbSvTFJQccXH-nU0Awm8IViyObMOih6WKmYmDFq_lMhfJi21t9kshE1JzTbLXdJIck-bAmjvX_VZn2cVPXKt10hpVpsTpMICr52rGzA,,/installation_info=eyJnZW8iOi

J2bGEiLCJjdHlwZSI6InByb2QiLCJ2ZXJ0aWNhbCI6IldFQiJ9/events=%5B%7B%22event%22%3A%22append%22%2C%22tree%22%3A%7B%22id%22%3A%2265olw0e-0-115%22%2C%22name%22%3A%22%24subresult%22%2C%22attrs%22%3A%7B%22schema-ver%22%3A0%2C%22ui%22%3A%22desktop%22%2C%22parent-id%22%3A%2265olw0e-0-10%22%2C%22trigger-event-trusted%22%3Afalse%2C%22main-search%22%3Afalse%7D%2C%22children%22%3A%5B%7B%22id%22%3A%2265olw0e-0-114%22%2C%22name%22%3A%22image%22%2C%22attrs%22%3A%7B%22row%22%3A0%2C%22item%22%3A0%2C%22docid%22%3A%22ZA4F90CD9CBA93F43%22%2C%22image%22%3A%22%2F%2Favatars.mds.yandex.net%2Fi%3Fid%3De9a6a5515c67cae851b07b9f229b5e83-5220043-images-thumbs%26n%3D13%22%2C%22width%22%3A90%2C%22height%22%3A150%7D%2C%22children%22%3A%5B%7B%22id%22%3A%2265olw0e-0-116%22%2C%22name%22%3A%22thumb%22%2C%22attrs%22%3A%7B%22row%22%3A0%2C%22item%22%3A0%7D%7D%5D%7D%2C%7B%22id%22%3A%2265olw0e-0-117%22%2C%22name%22%3A%22image%22%2C%22attrs%22%3A%7B%22row%22%3A0%2C%22item%22%3A1%2C%22docid%22%3A%22Z9DDC9719A5955EEE%22%2C%22ima
ge%22%3A%22%2F%2Favatars.mds.yandex.net%2Fi%3Fid%3D8c9f9e5b8aa88bf86eb6f6fe517f085c-4032520-images-thumbs%26n%3D13%22%2C%22width%22%3A165%2C%22height%22%3A150%7D%2C%22children%22%3A%5B%7B%22id%22%3A%2265olw0e-0-118%22%2C%22name%22%3A%22thumb%22%2C%22attrs%22%3A%7B%22row%22%3A0%2C%22item%22%3A1%7D%7D%5D%7D%2C%7B%22id%22%3A%2265olw0e-0-119%22%2C%22name%22%3A%22image%22%2C%22attrs%22%3A%7B%22row%22%3A0%2C%22ite

[squid-users] squid still crashes

2022-06-28 Thread Majed Zouhairy
Yesterday we upgraded from squid 5.4.1 to squid 5.6, yet it still 
crashes in less than 12 hours.


Today we checked the logs, and there is this:

/06/28 00:10:03 kid1| ERROR: failure while accepting a TLS connection on 
conn8058 local=10.10.10.10:8080 remote=10.10.11.10:64023 FD 25 flags=1: 
0x55b631f514b0*1

current master transaction: master57
2022/06/28 00:10:54 kid1| FATAL: check failed: transporting()
exception location: FwdState.cc(678) noteDestinationsEnd
current master transaction: master3490
2022/06/28 00:10:54 kid1| Closing Pinger socket on FD 53
current master transaction: master3490
2022/06/28 00:10:54| Pinger exiting.
2022/06/28 00:10:54 kid1| Set Current Directory to /var/cache/squid
2022/06/28 00:10:54 kid1| Starting Squid Cache version 5.6 for 
x86_64-suse-linux-gnu...

2022/06/28 00:10:54 kid1| Service Name: squid
2022/06/28 00:10:54 kid1| Process ID 2962
2022/06/28 00:10:54 kid1| Process Roles: worker
2022/06/28 00:10:54 kid1| With 4096 file descriptors available
2022/06/28 00:10:54 kid1| Initializing IP Cache...
2022/06/28 00:10:54 kid1| DNS Socket created at [::], FD 8
2022/06/28 00:10:54 kid1| DNS Socket created at 0.0.0.0, FD 9
2022/06/28 00:10:54 kid1| Adding nameserver 10.0.12.10 from /etc/resolv.conf
2022/06/28 00:10:54 kid1| Adding nameserver 10.0.12.11 from /etc/resolv.conf
2022/06/28 00:10:54 kid1| helperOpenServers: Starting 5/32 
'security_file_certgen' processes
2022/06/28 00:10:54 kid1| helperOpenServers: Starting 8/16 'ufdbgclient' 
processes
2022/06/28 00:10:54 kid1| Logfile: opening log 
daemon:/var/log/squid/access.log
2022/06/28 00:10:54 kid1| Logfile Daemon: opening log 
/var/log/squid/access.log

2022/06/28 00:10:55 kid1| Unlinkd pipe opened on FD 41
2022/06/28 00:10:55 kid1| Local cache digest enabled; rebuild/rewrite 
every 3600/3600 sec

2022/06/28 00:10:55 kid1| Store logging disabled
2022/06/28 00:10:55 kid1| Swap maxSize 3072000 + 983040 KB, estimated 
311926 objects

2022/06/28 00:10:55 kid1| Target number of buckets: 15596
2022/06/28 00:10:55 kid1| Using 16384 Store buckets
2022/06/28 00:10:55 kid1| Max Mem  size: 983040 KB
2022/06/28 00:10:55 kid1| Max Swap size: 3072000 KB
2022/06/28 00:10:55 kid1| Rebuilding storage in /var/cache/squid (dirty log)
2022/06/28 00:10:55 kid1| Using Least Load store dir selection
2022/06/28 00:10:55 kid1| Set Current Directory to /var/cache/squid
2022/06/28 00:10:55 kid1| Finished loading MIME types and icons.
2022/06/28 00:10:55 kid1| HTCP Disabled.
2022/06/28 00:10:55 kid1| Pinger socket opened on FD 46
2022/06/28 00:10:55 kid1| Squid plugin modules loaded: 0
2022/06/28 00:10:55 kid1| Adaptation support is off.
2022/06/28 00:10:55 kid1| Accepting SSL bumped HTTP Socket connections 
at conn29 local=[::]:8080 remote=[::] FD 44 flags=9

2022/06/28 00:10:55| pinger: Initialising ICMP pinger ...
2022/06/28 00:10:55| pinger: ICMP socket opened.
2022/06/28 00:10:55| pinger: ICMPv6 socket opened
2022/06/28 00:10:55 kid1| Store rebuilding is 4.21% complete
2022/06/28 00:10:56 kid1| Done reading /var/cache/squid swaplog (94921 
entries)

2022/06/28 00:10:56 kid1| Finished rebuilding storage from disk.
2022/06/28 00:10:56 kid1| 94915 Entries scanned
2022/06/28 00:10:56 kid1| 0 Invalid entries.
2022/06/28 00:10:56 kid1| 0 With invalid flags.
2022/06/28 00:10:56 kid1| 94911 Objects loaded.
2022/06/28 00:10:56 kid1| 0 Objects expired.
2022/06/28 00:10:56 kid1| 6 Objects cancelled.
2022/06/28 00:10:56 kid1| 0 Duplicate URLs purged.
2022/06/28 00:10:56 kid1| 4 Swapfile clashes avoided.
2022/06/28 00:10:56 kid1|   Took 1.36 seconds (69553.12 objects/sec).
2022/06/28 00:10:56 kid1| Beginning Validation Procedure
2022/06/28 00:10:56 kid1|   Completed Validation Procedure
2022/06/28 00:10:56 kid1|   Validated 94908 Entries
2022/06/28 00:10:56 kid1|   store_swap_size = 2700488.00 KB
2022/06/28 00:10:56 kid1| storeLateRelease: released 6 objects
2022/06/28 00:11:00 kid1| ERROR: failure while accepting a TLS 
connection on conn244 local=10.10.10.10:8080 remote=10.10.11.10:64095 FD 
27 flags=1: 0x55804e1d9770*1

current master transaction: master60


Re: [squid-users] squid 5.3 frequent crash

2022-02-14 Thread Majed Zouhairy
ing directories in /var/cache/squid/0A
2022/02/14 17:32:15 kid1| /var/cache/squid/0B exists
2022/02/14 17:32:15 kid1| Making directories in /var/cache/squid/0B
2022/02/14 17:32:15 kid1| /var/cache/squid/0C exists
2022/02/14 17:32:15 kid1| Making directories in /var/cache/squid/0C
2022/02/14 17:32:15 kid1| /var/cache/squid/0D exists
2022/02/14 17:32:15 kid1| Making directories in /var/cache/squid/0D
2022/02/14 17:32:15 kid1| /var/cache/squid/0E exists
2022/02/14 17:32:15 kid1| Making directories in /var/cache/squid/0E
2022/02/14 17:32:15 kid1| /var/cache/squid/0F exists
2022/02/14 17:32:15 kid1| Making directories in /var/cache/squid/0F
2022/02/14 17:32:15| Removing PID file (/run/squid.pid)


On 2/14/22 16:53, Alex Rousskov wrote:

On 2/14/22 08:49, Majed Zouhairy wrote:
I have squid 4.17 on the machine, assembled from source, but I did an 
uninstall

sudo make uninstall

before installing 5.4 from the package manager. Should I have stopped 
squid before uninstalling?

or is there something else?


Sorry, I cannot give you the exact steps to prevent two Squids from 
running on your server -- there are too many unknowns for me to do that.


If you have a Squid instance running, you should stop it before starting 
another Squid instance. You can check whether you have a Squid instance 
running using "ps aux | fgrep squid" or a similar basic command.


Alex.



On 2/14/22 16:41, Alex Rousskov wrote:

On 2/14/22 07:25, Majed Zouhairy wrote:

Now on 5.4 I get:

...
2022/02/14 15:14:33 kid1| commBind Cannot bind socket FD 44 to 
[::]:8080: (98) Address already in use

2022/02/14 15:14:33 kid1| Closing HTTP(S) port [::]:8080
2022/02/14 15:14:33 kid1| FATAL: Unable to open HTTP Socket
2022/02/14 15:14:33 kid1| Squid Cache (Version 5.4): Terminated 
abnormally.


The above is usually the result of a misconfiguration or 
mismanagement: There are two processes trying to listen on the same 
port 8080. That could be two Squid worker processes or a Squid worker 
process competing with a non-Squid process.


* If your Squid startup scripts include preliminary steps like "squid 
-z", then make sure those scripts wait for that first Squid instance 
to exit before starting the primary Squid instance.


* If you are using SMP macros or conditionals in squid.conf, please 
share your Squid configuration.



HTH,

Alex.





Re: [squid-users] squid 5.3 frequent crash

2022-02-14 Thread Majed Zouhairy
I have squid 4.17 on the machine, assembled from source, but I did an 
uninstall

sudo make uninstall

before installing 5.4 from the package manager. Should I have stopped 
squid before uninstalling?

Or is there something else?

On 2/14/22 16:41, Alex Rousskov wrote:

On 2/14/22 07:25, Majed Zouhairy wrote:

now on 5.4 I get:

...
2022/02/14 15:14:33 kid1| commBind Cannot bind socket FD 44 to 
[::]:8080: (98) Address already in use

2022/02/14 15:14:33 kid1| Closing HTTP(S) port [::]:8080
2022/02/14 15:14:33 kid1| FATAL: Unable to open HTTP Socket
2022/02/14 15:14:33 kid1| Squid Cache (Version 5.4): Terminated 
abnormally.


The above is usually the result of a misconfiguration or mismanagement: 
There are two processes trying to listen on the same port 8080. That 
could be two Squid worker processes or a Squid worker process competing 
with a non-Squid process.


* If your Squid startup scripts include preliminary steps like "squid 
-z", then make sure those scripts wait for that first Squid instance to 
exit before starting the primary Squid instance.


* If you are using SMP macros or conditionals in squid.conf, please 
share your Squid configuration.



HTH,

Alex.

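The "Address already in use" failure above comes down to one question: who already holds the port squid.conf asks for? As an added example (not code from this thread or from Squid), here is a Python pre-start check that reads the `http_port`/`https_port` lines from squid.conf and the output of `ss -ltnp` (iproute2 output format is assumed) and reports, per configured port, whether it is free, held by another Squid instance (for example a `squid -z` run that has not exited yet, or an older build that was never stopped) or held by a foreign process. The squid.conf and `ss` samples are constructed, modelled on the configuration posted in this thread.

```python
"""Pre-start check: is anything already listening on the ports squid.conf asks for?

Added example; not Squid's own code. Assumes `ss -ltnp` (iproute2) output format.
"""
import re
import subprocess

# http_port [host:]port [options]  /  https_port [host:]port [options]
# Commented-out lines such as "#http_port 8080" do not match because of the ^\s* anchor.
HTTP_PORT_RE = re.compile(r'^\s*https?_port\s+(?:\S+:)?(\d+)\b', re.MULTILINE)

# One `ss -ltnp` row: State Recv-Q Send-Q Local:Port Peer:Port [Process]
# The Process column is missing when ss is run without enough privilege.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(.*))?$')
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed squid.conf fragment (the commented http_port line is deliberately ignored).
SAMPLE_CONF = """\
# Squid normally listens to port 3128
#http_port 8080
http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on
http_port 127.0.0.1:3128
http_port [::]:3129
"""

# Constructed `ss -ltnp` output: 8080 held by two squid processes, 3128 by nginx,
# 3129 not bound at all, and one row without a Process column.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   *:8080             *:*               users:(("squid",pid=19102,fd=44),("squid",pid=19100,fd=44))
LISTEN 0      511    127.0.0.1:3128     0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22            [::]:*
"""


def parse_http_ports(conf_text):
    """Ports Squid will try to bind, in squid.conf order, without duplicates."""
    ports = []
    for m in HTTP_PORT_RE.finditer(conf_text):
        port = int(m.group(1))
        if port not in ports:
            ports.append(port)
    return ports


def parse_listeners(ss_output):
    """Map TCP port -> list of (process name, pid) taken from `ss -ltnp` rows."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header line or a non-LISTEN row
        port = int(m.group(2))
        owners = [(name, int(pid)) for name, pid in OWNER_RE.findall(m.group(3) or "")]
        listeners.setdefault(port, []).extend(owners)
    return listeners


def diagnose(conf_text, ss_output, squid_names=("squid",)):
    """One finding per configured port: free, squid_already_running,
    foreign_process, or in_use_unknown_owner (ss could not see the owner)."""
    listeners = parse_listeners(ss_output)
    findings = []
    for port in parse_http_ports(conf_text):
        if port not in listeners:
            status = "free"
        elif not listeners[port]:
            status = "in_use_unknown_owner"
        elif all(name in squid_names for name, _ in listeners[port]):
            status = "squid_already_running"
        else:
            status = "foreign_process"
        findings.append({"port": port, "status": status,
                         "owners": listeners.get(port, [])})
    return findings


def live_ss_output():
    """Run `ss -ltnp` on this host (root is needed to see other users' processes)."""
    return subprocess.run(["ss", "-ltnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # On a real host: diagnose(open("/etc/squid/squid.conf").read(), live_ss_output())
    for finding in diagnose(SAMPLE_CONF, SAMPLE_SS):
        print(f"port {finding['port']}: {finding['status']} {finding['owners']}")
```

A startup script can run `diagnose()` before `squid -z` or the main start and refuse to continue on anything but `free`, which is exactly the wait-for-the-first-instance-to-exit rule described above.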


Re: [squid-users] squid 5.3 frequent crash

2022-02-14 Thread Majed Zouhairy

now on 5.4 I get:

2022/02/14 15:14:32 kid1| FATAL: Unable to open HTTP Socket
2022/02/14 15:14:32 kid1| Squid Cache (Version 5.4): Terminated abnormally.
CPU Usage: 0.401 seconds = 0.357 user + 0.044 sys
Maximum Resident Size: 101920 KB
Page faults with physical i/o: 0
2022/02/14 15:14:32 kid1| Closing Pinger socket on FD 46
2022/02/14 15:14:32| pinger: Initialising ICMP pinger ...
2022/02/14 15:14:32| pinger: ICMP socket opened.
2022/02/14 15:14:32| pinger: ICMPv6 socket opened
2022/02/14 15:14:32| Pinger exiting.
2022/02/14 15:14:32 kid1| ERROR: negotiating TLS on FD 116: 
error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed 
(1/-1/0)

2022/02/14 15:14:32 kid1| Set Current Directory to /var/cache/squid
2022/02/14 15:14:32 kid1| Starting Squid Cache version 5.4 for 
x86_64-suse-linux-gnu...

2022/02/14 15:14:32 kid1| Service Name: squid
2022/02/14 15:14:32 kid1| Process ID 19350
2022/02/14 15:14:32 kid1| Process Roles: worker
2022/02/14 15:14:32 kid1| With 4096 file descriptors available
2022/02/14 15:14:32 kid1| Initializing IP Cache...
2022/02/14 15:14:32 kid1| DNS Socket created at [::], FD 8
2022/02/14 15:14:32 kid1| DNS Socket created at 0.0.0.0, FD 9
2022/02/14 15:14:32 kid1| Adding nameserver 10.0.10.15 from /etc/resolv.conf
2022/02/14 15:14:32 kid1| Adding nameserver 10.0.10.14 from /etc/resolv.conf
2022/02/14 15:14:32 kid1| helperOpenServers: Starting 5/32 
'security_file_certgen' processes
2022/02/14 15:14:32 kid1| helperOpenServers: Starting 8/16 'ufdbgclient' 
processes
2022/02/14 15:14:33 kid1| Logfile: opening log 
daemon:/var/log/squid/access.log
2022/02/14 15:14:33 kid1| Logfile Daemon: opening log 
/var/log/squid/access.log
2022/02/14 15:14:33 kid1| ERROR: negotiating TLS on FD 161: 
error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed 
(1/-1/0)

2022/02/14 15:14:33 kid1| Unlinkd pipe opened on FD 41
2022/02/14 15:14:33 kid1| Local cache digest enabled; rebuild/rewrite 
every 3600/3600 sec

2022/02/14 15:14:33 kid1| Store logging disabled
2022/02/14 15:14:33 kid1| Swap maxSize 3072000 + 983040 KB, estimated 
311926 objects

2022/02/14 15:14:33 kid1| Target number of buckets: 15596
2022/02/14 15:14:33 kid1| Using 16384 Store buckets
2022/02/14 15:14:33 kid1| Max Mem  size: 983040 KB
2022/02/14 15:14:33 kid1| Max Swap size: 3072000 KB
2022/02/14 15:14:33 kid1| Rebuilding storage in /var/cache/squid (dirty log)
2022/02/14 15:14:33 kid1| Using Least Load store dir selection
2022/02/14 15:14:33 kid1| Set Current Directory to /var/cache/squid
2022/02/14 15:14:33 kid1| Finished loading MIME types and icons.
2022/02/14 15:14:33 kid1| commBind Cannot bind socket FD 44 to 
[::]:8080: (98) Address already in use

2022/02/14 15:14:33 kid1| HTCP Disabled.
2022/02/14 15:14:33 kid1| Pinger socket opened on FD 46
2022/02/14 15:14:33 kid1| Squid plugin modules loaded: 0
2022/02/14 15:14:33 kid1| Adaptation support is off.
2022/02/14 15:14:33 kid1| Closing HTTP(S) port [::]:8080
2022/02/14 15:14:33 kid1| Not currently OK to rewrite swap log.
2022/02/14 15:14:33 kid1| storeDirWriteCleanLogs: Operation aborted.
2022/02/14 15:14:33 kid1| FATAL: Unable to open HTTP Socket
2022/02/14 15:14:33 kid1| Squid Cache (Version 5.4): Terminated abnormally.

On 1/18/22 23:56, Alex Rousskov wrote:

On 1/18/22 2:51 AM, Amos Jeffries wrote:

On 8/01/22 05:02, Alex Rousskov wrote:

On 1/7/22 9:34 AM, Amos Jeffries wrote:

Others include altering the fundamental AsyncJob API behaviour -
affecting every feature in Squid at their most fundamental levels.



I disagree with the above summary.



This is not an opinion.


It is impossible to tell for sure whether this is an opinion or a fact
because the summary is using undefined terms like "every feature" and
"most fundamental levels". To you, it may sound like a fact. To me, it
sounds like gross exaggeration at best: Clearly, there are Squid
features (for some reasonable definition of a "feature") unaffected by
this change at "most fundamental levels" (for some reasonable definition
of "most fundamental levels").



The patch "part 2" makes logic changes to
AsyncJob - specifically destructors and swanSong. That touches
*everything* Squid does. The other parts touch I/O in similarly deep
ways and we have a history of unexpected weird side effects with I/O
refactorings.


I do not think squid-users is the right place to debate complex
development issues. I will just note that the commit in question does
not, IMO, change AsyncJob methods in fundamental ways. It only shrinks
the long-known gray area of what those functions should (not) do. Before
this change, we did not know where certain actions should take place.
Now, we (think we) do, and we have adjusted a few places to follow those
newly discovered rules.

Will this complex change have unexpected side effects? Yes, of course! I
have disclosed that risk when posting the changes. No need to grossly
exaggerate to agree on that point -- nobody is arguing against it.



I am seriously considering

[squid-users] squid 5.3 frequent crash

2022-01-06 Thread Majed Zouhairy
Peace, I have Squid with ufdbGuard; after upgrading today to 5.3 I'm
getting:




2022/01/06 14:47:35| Processing: acl localhet src 169.254.0.0/16 	# RFC 
3927 link-local (directly plugged) machines

2022/01/06 14:47:35| Processing: acl SSL_ports port 443
2022/01/06 14:47:35| Processing: acl Safe_ports port 80 # http
2022/01/06 14:47:35| Processing: acl Safe_ports port 8080   # http
2022/01/06 14:47:35| Processing: acl Safe_ports port 21 # ftp
2022/01/06 14:47:35| Processing: acl Safe_ports port 443# https
2022/01/06 14:47:35| Processing: acl Safe_ports port 70 # gopher
2022/01/06 14:47:35| Processing: acl Safe_ports port 210# wais
2022/01/06 14:47:35| Processing: acl Safe_ports port 1025-65535	# 
unregistered ports

2022/01/06 14:47:35| Processing: acl Safe_ports port 280# 
http-mgmt
2022/01/06 14:47:35| Processing: acl Safe_ports port 488# 
gss-http
2022/01/06 14:47:35| Processing: acl Safe_ports port 591# 
filemaker
2022/01/06 14:47:35| Processing: acl Safe_ports port 777# 
multiling http
2022/01/06 14:47:35| Processing: acl CONNECT method CONNECT
2022/01/06 14:47:35| Processing: acl blockfiles urlpath_regex -i 
"/etc/squid/blocks.files.acl"

2022/01/06 14:47:35| Processing: http_access deny !Safe_ports
2022/01/06 14:47:35| Processing: http_access deny CONNECT !SSL_ports
2022/01/06 14:47:35| Processing: http_access allow localhost manager
2022/01/06 14:47:35| Processing: http_access deny manager
2022/01/06 14:47:35| Processing: visible_hostname proxy.skko.by
2022/01/06 14:47:35| Processing: forwarded_for delete
2022/01/06 14:47:35| Processing: delay_pools 1
2022/01/06 14:47:35| Processing: delay_class 1 3
2022/01/06 14:47:35| Processing: delay_access 1 allow slower
2022/01/06 14:47:35| Processing: delay_access 1 deny all
2022/01/06 14:47:35| Processing: delay_parameters 1 128000/128000 -1/-1 
128000/64000

2022/01/06 14:47:35| Processing: http_access allow localnet
2022/01/06 14:47:35| Processing: http_access allow localhost
2022/01/06 14:47:35| Processing: http_access deny all
2022/01/06 14:47:35| Processing: http_port 8080 ssl-bump 
cert=/etc/squid/certs/myCA.pem generate-host-certificates=on 
dynamic_cert_mem_cache_size=8MB

2022/01/06 14:47:35| Processing: acl tls_s1_connect at_step SslBump1
2022/01/06 14:47:35| Processing: acl tls_s2_client_hello at_step SslBump2
2022/01/06 14:47:35| Processing: acl tls_s3_server_hello at_step SslBump3
2022/01/06 14:47:35| Processing: acl tls_allowed_hsts ssl::server_name .akamaihd.net
2022/01/06 14:47:35| Processing: acl tls_allowed_hsts ssl::server_name .proxy.skko.by
2022/01/06 14:47:35| Processing: acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
2022/01/06 14:47:35| Processing: acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
2022/01/06 14:47:35| Processing: ssl_bump peek tls_s1_connect # peek at TLS/SSL connect data
2022/01/06 14:47:35| Processing: ssl_bump splice tls_to_splice # splice some: no active bump
2022/01/06 14:47:35| Processing: ssl_bump stare all # stare(peek) at server
2022/01/06 14:47:35| Processing: ssl_bump bump # bump if we can (if the stare succeeded)

2022/01/06 14:47:35| Processing: cache_dir ufs /var/cache/squid 3000 16 256
2022/01/06 14:47:35| Processing: coredump_dir /var/cache/squid
2022/01/06 14:47:35| Processing: cache_mem 960 MB
2022/01/06 14:47:35| Processing: netdb_filename none
2022/01/06 14:47:35| Processing: refresh_pattern ^ftp: 1440 20% 10080
2022/01/06 14:47:35| Processing: refresh_pattern ^gopher: 1440 0% 1440
2022/01/06 14:47:35| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2022/01/06 14:47:35| Processing: refresh_pattern . 0 20% 4320
2022/01/06 14:47:35| Processing: url_rewrite_extras "%>a/%>A %un %>rm 
bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
2022/01/06 14:47:35| Processing: url_rewrite_program 
/usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
2022/01/06 14:47:35| Processing: url_rewrite_children 16 startup=8 
idle=2 concurrency=4 queue-size=64

2022/01/06 14:47:35| Initializing https:// proxy context
2022/01/06 14:47:35| Requiring client certificates.
2022/01/06 14:47:36| Initializing http_port [::]:8080 TLS contexts
2022/01/06 14:47:36| Using certificate in /etc/squid/certs/myCA.pem
2022/01/06 14:47:36| Using certificate chain in /etc/squid/certs/myCA.pem
2022/01/06 14:47:36| Adding issuer CA: 
/C=BY/ST=Minsk/L=Minsk/O=RUP/OU=COD/CN=proxy.skko.by/emailAddress=v_sed...@skno.by

2022/01/06 14:47:36| Using key in /etc/squid/certs/myCA.pem
2022/01/06 14:47:36| Not requiring any client certificates


in cache.log:

2022/01/06 14:27:14 kid1|

Re: [squid-users] cannot open site

2021-11-18 Thread Majed Zouhairy



On 11/18/21 12:44 PM, Amos Jeffries wrote:

On 18/11/21 20:08, Majed Zouhairy wrote:

Using Squid 5.2, does it support TLS 1.3?



It does.



 Failed to establish a secure connection to [unknown]

The system returned:

 [No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=1)



That is an I/O error. Unable to read or write some bytes.




squid is using ssl bump




TLS/1.3 handshakes are encrypted. It often cannot be bumped, only 
spliced. Check that traffic to this server is not attempting to 
bump/decrypt.



Amos

thanks



[squid-users] cannot open site

2021-11-17 Thread Majed Zouhairy

Using Squid 5.2, does it support TLS 1.3?



Failed to establish a secure connection to [unknown]

The system returned:

[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=1)

Failed to establish a secure connection: [No Error]

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.


the site actually uses: (TLS_AES_128_GCM_SHA_256 128 bit keys, TLS 1.3)

squid is using ssl bump

and I don't have TLS options

#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE 
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


Is there anything to be configured?


Re: [squid-users] problem in squid log

2021-11-09 Thread Majed Zouhairy
hmmm, this started happening after the last Squid update.. I just
noticed it is now version 5.2

I have ufdbGuard but I don't think I have SMP..

the last lines of squid.conf are

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode 
sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l 
/var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64

I think ufdbGuard does not support Squid version 5 yet, which might be
the problem


On 11/8/21 10:42 PM, Alex Rousskov wrote:

On 11/8/21 5:30 AM, Majed Zouhairy wrote:

when I run sarg

SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not
be parsed and is ignored
1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET
https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_


UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT
azscus1-client-s.gateway.messenger.live.com:443 -
HIER_DIRECT/40.74.219.49 -
SARG: 4 consecutive errors found in the input log file
/var/log/squid/access.log

so I think the solution would be to exclude zen.yandex.by from processing?


The correct solution would depend on what you are trying to accomplish
(with sarg), but that solution is unlikely to include disabling logging
of requests to any domains IMHO.

Based on the above output (that could have been changed by multiple mail
agents), it is difficult for me to guess what sarg did not like, but if
you are suffering from Squid SMP workers corrupting each-other
access.log entries, then please see Bug 5173:
https://bugs.squid-cache.org/show_bug.cgi?id=5173


HTH,

Alex.

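Whether the lines sarg rejects are the Bug 5173 symptom (SMP workers writing over each other's access.log entries) can be checked directly: a corrupted record is cut short and the next record is glued onto it, so a line either fails to parse as one complete record or contains a record start somewhere other than column 0. As an added example, not code from this thread, Squid or sarg, this Python scanner applies that check to the default "squid" logformat field layout (time.ms elapsed client result/status bytes method URL user hier/peer type). The sample log is constructed, modelled on the lines posted above.

```python
"""Spot access.log records that were written on top of each other.

Added example; not Squid's or sarg's code. Assumes the default "squid" logformat.
"""
import re

# A complete record in the default "squid" logformat:
#   time.ms elapsed client result/status bytes method URL user hier/peer type
RECORD_RE = re.compile(
    r'^(?P<time>\d{10}\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z_]+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$'
)
# The first four fields of a record. A match anywhere but at column 0 means a
# second record started in the middle of this line.
RECORD_START_RE = re.compile(r'\d{10}\.\d{3}\s+\d+\s+\S+\s+[A-Z_]+/\d{3}\s')

# Constructed sample: line 2 is cut off inside its URL and line 3 starts with the
# tail of that URL ("UPVydoTW") glued to a new record, as in the thread.
SAMPLE_ACCESS_LOG = """\
1636349341.484     12 10.184.0.2 TCP_TUNNEL/200 5321 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1636349341.490      3 10.184.0.3 NONE_NONE/400 20417 GET https://zen.yandex.by/lz5XeGt8f/ir4w02684/p_CMhO
UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT azscus1-client-s.gateway.messenger.live.com:443 - HIER_DIRECT/40.74.219.49 -
1636349700.001    120 10.184.0.2 TCP_MISS/200 1044 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""


def parse_record(line):
    """Return the record's fields as a dict, or None when the line is not one whole record."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def audit_access_log(text):
    """One finding per bad line: {'line': n, 'offset': column or None, 'reason': str}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        starts = [m.start() for m in RECORD_START_RE.finditer(line)]
        if starts and starts[0] != 0:
            findings.append({"line": lineno, "offset": starts[0],
                             "reason": "record begins mid-line; the previous record was cut short"})
        elif len(starts) > 1:
            findings.append({"line": lineno, "offset": starts[1],
                             "reason": "two records share one line"})
        elif parse_record(line) is None:
            findings.append({"line": lineno, "offset": None,
                             "reason": "incomplete or malformed record"})
    return findings


def good_records(text):
    """Records a report tool can still trust: complete lines only."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    # On a real host: audit_access_log(open("/var/log/squid/access.log").read())
    for finding in audit_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {finding['line']} (offset {finding['offset']}): {finding['reason']}")
    print(f"{len(good_records(SAMPLE_ACCESS_LOG))} complete records")
```

If the findings cluster around lines written by different workers within the same millisecond, that matches the Bug 5173 pattern; excluding a domain would only hide the symptom.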



[squid-users] problem in squid log

2021-11-08 Thread Majed Zouhairy

when I run sarg

SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for 
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not 
be parsed and is ignored
1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET 
https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_


UPVydoTW1636349696.714629 10.106.0.2 NONE_NONE/200 0 CONNECT 
azscus1-client-s.gateway.messenger.live.com:443 - HIER_DIRECT/40.74.219.49 -
SARG: 4 consecutive errors found in the input log file 
/var/log/squid/access.log


so I think the solution would be to exclude zen.yandex.by from processing?


Re: [squid-users] certificate issuer not known

2021-08-12 Thread Majed Zouhairy

Solved the issue with this guide:

https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

but it needs different commands for Tumbleweed



On 6/23/21 2:56 PM, Majed Zouhairy wrote:


Health be upon you,
when visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

on squid 4.15

it displays:


ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: 
https://wiki.squid-cache.org/*


     Failed to establish a secure connection to 104.130.201.120

The system returned:

     (71) Protocol error (TLS code: 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)


     SSL Certficate error: certificate issuer (CA) not known: 
/C=US/O=Let's Encrypt/CN=R3


This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.


Your cache administrator is webmaster.

configuration:

http_port 3128 ssl-bump  cert=/etc/squid/certs/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=8MB




acl tls_s1_connect    at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts    ssl::server_name .akamaihd.net
acl tls_allowed_hsts    ssl::server_name .proxy.skko.by
#acl tls_server_is_bank ssl::server_name .abnamro.nl
#acl tls_server_is_bank ssl::server_name .abnamro.com
acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek tls_s1_connect    # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice   # splice some: no active bump
ssl_bump stare all              # stare(peek) at server
                                # properties of the webserver
ssl_bump bump                   # bump if we can (if the stare succeeded)



#ssl_bump peek all
#ssl_bump splice all

##ssl_bump server-first all

#sslproxy_cert_error allow all



cache_dir ufs /var/cache/squid 8000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 960 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .    0    20%    4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode 
sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l 
/var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9

What needs to be done to fix it?



[squid-users] certificate issuer not known

2021-06-23 Thread Majed Zouhairy



Health be upon you,
when visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

on squid 4.15

it displays:


ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: 
https://wiki.squid-cache.org/*


Failed to establish a secure connection to 104.130.201.120

The system returned:

(71) Protocol error (TLS code: 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)


SSL Certficate error: certificate issuer (CA) not known: 
/C=US/O=Let's Encrypt/CN=R3


This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.


Your cache administrator is webmaster.

configuration:

http_port 3128 ssl-bump  cert=/etc/squid/certs/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=8MB




acl tls_s1_connect  at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_allowed_hsts ssl::server_name .proxy.skko.by
#acl tls_server_is_bank ssl::server_name .abnamro.nl
#acl tls_server_is_bank ssl::server_name .abnamro.com
acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek tls_s1_connect    # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice   # splice some: no active bump
ssl_bump stare all              # stare(peek) at server
                                # properties of the webserver
ssl_bump bump                   # bump if we can (if the stare succeeded)



#ssl_bump peek all
#ssl_bump splice all

##ssl_bump server-first all

#sslproxy_cert_error allow all



cache_dir ufs /var/cache/squid 8000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 960 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode 
sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l 
/var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9

What needs to be done to fix it?


Re: [squid-users] compile squid with tumbleweed

2021-04-05 Thread Majed Zouhairy

I solved the problem..

since this was in the Squid status:
FATAL: The /usr/libexec/squid/security_file_certgen -s 
/var/cache/squid/ssl_db -M 4MB helpers


and I was creating a directory in /var/lib/squid/ssl_db

so instead, I ran:

sudo /usr/libexec/squid/security_file_certgen -c -s 
/var/cache/squid/ssl_db -M 8MB


restarted Squid and now it works!

On 4/2/21 2:02 PM, Amos Jeffries wrote:

On 1/04/21 11:41 pm, Majed Zouhairy wrote:


to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der




sudo squid -z

asks for certificate password
then

Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 
violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate 
configured for HTTP_port 0.0.0.0:8080


That says there is no CA certificate found in the file configured for 
that port's tls-cert= option. Squid requires a signing (CA) certificate 
and its private key in order to perform SSL-Bump.


With "squid -k parse" Squid should tell you what it is loading from that 
file.





squid conf:


...


http_port 8080 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem 
key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA






ssl_bump peek all
ssl_bump splice all

sslproxy_cert_error allow all





Amos


Re: [squid-users] compile squid with tumbleweed

2021-04-04 Thread Majed Zouhairy
ss exited, 
code=exited, status=1/FAILURE
Apr 04 21:58:13 proxy systemd[1]: squid.service: Failed with result 
'exit-code'.


On 4.04.21 13:24, Amos Jeffries wrote:

On 4/04/21 5:09 pm, Majed Zouhairy wrote:

the error is:

Прокси-сервер отказывается принимать соединения

translation: the proxy server is refusing to accept connections..



That seems like the meaningless text modern Browsers like replacing the 
real error with.


Can you check the Squid logs to see what is actually going on?



might it be some setting in ufdbGuard now?



If that text is from the Browser it could be anything.

Amos


Re: [squid-users] compile squid with tumbleweed

2021-04-03 Thread Majed Zouhairy

the error is:

Прокси-сервер отказывается принимать соединения

translation: the proxy server is refusing to accept connections..

might it be some setting in ufdbGuard now?

On 4.04.21 04:51, Amos Jeffries wrote:

On 3/04/21 4:13 pm, Majed Zouhairy wrote:
hmm, thank you both.. I regenerated new certificates using Eliezer's 
method and now Squid restarted, but it is refusing connections..


What is the error happening now?


I normally configure port 8080 as the proxy port in the browser, and 
I am thinking there needs to be another port for SSL bumping?




No. SSL-Bump as you have it configured intercepts the CONNECT traffic 
the browser sends to the normal proxy port.




now the configuration is like this:



http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB




ssl_bump peek all
ssl_bump splice all







# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat


NP: the comment above is about the cache_dir line. You can remove it.


Amos


Re: [squid-users] compile squid with tumbleweed

2021-04-02 Thread Majed Zouhairy
hmm, thank you both.. I regenerated new certificates using Eliezer's 
method and now Squid restarted, but it is refusing connections..
I normally configure port 8080 as the proxy port in the browser, and I 
am thinking there needs to be another port for SSL bumping?


now the configuration is like this:




# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

##sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump  cert=/etc/squid/certs/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB




ssl_bump peek all
ssl_bump splice all



#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE 
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
#refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 
129600 reload-into-ims
#refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 
80% 129600 reload-into-ims




range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1



cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .    0    20%    4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode 
sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l 
/var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


On 2.04.21 14:02, Amos Jeffries wrote:

On 1/04/21 11:41 pm, Majed Zouhairy wrote:


to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der




sudo squid -z

asks for certificate password
then

Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 
violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate 
configured for HTTP_port 0.0.0.0:8080


That says there is no CA certificate found in the file configured for 
that port's tls-cert= option. Squid requires a signing (CA) certificate 
and its private key in order to perform SSL-Bump.


With "squid -k parse" Squid should tell you what it is loading from 
that file.





squid conf:


...


http_port 8080 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem 
key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA






ssl_bump peek all
ssl_bump splice all

sslproxy_cert_error allow all





Amos


[squid-users] compile squid with tumbleweed

2021-04-01 Thread Majed Zouhairy

Peace,
As part of self-development, we decided that turning on SSL-Bump + splice 
is a good idea, so how do we install Squid with SSL support on Tumbleweed?


Answer: it is already compiled with SSL support

but now I followed:

https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522

to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der
copied the 3 files to /etc/squid/certs
sudo chown squid:squid -R /etc/squid/certs
sudo /usr/libexec/squid/security_file_certgen -c -s 
/var/lib/squid/ssl_db -M 4MB

sudo chown squid:squid -R /var/lib/squid
sudo chmod 700 /etc/squid/certs/... (newcrt.pem newkey.pem squidTrusted.der)

sudo squid -z

asks for certificate password
then


2021/04/01 13:16:57| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.031 user + 0.016 sys
Maximum Resident Size: 62352 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.032 user + 0.008 sys
Maximum Resident Size: 62272 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.042 seconds = 0.008 user + 0.034 sys
Maximum Resident Size: 63360 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.032 user + 0.016 sys
Maximum Resident Size: 62992 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080

2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.045 seconds = 0.030 user + 0.015 sys
Maximum Resident Size: 62640 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03| Removing PID file (/run/squid.pid)


squid conf:

acl localnet (network/24)

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 8080    # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.example.vx

dns_v4_first on

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

#sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA





#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all

#sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

#sslcrtd_children 5

ssl_bump peek all
ssl_bump splice all

#ssl_bump server-first all

sslproxy_cert_

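The startup log above stops at a FATAL about the signing certificate, right after the repeated passphrase prompt. Before pointing `http_port ... cert= key=` at a pair, a practitioner would verify the two properties Squid needs from it for generate-host-certificates: a CA certificate (Squid signs the generated host certificates with it) and a key that is not passphrase-protected (otherwise startup blocks on "Enter PEM pass phrase:"). The script below is an added example, not code from the thread or from the Squid project; WORKDIR, the file names and the certificate subjects are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build and vet the cert/key pair that
# "http_port ... cert= key=" names for ssl-bump. Squid signs the generated host
# certificates with it, so it must be a CA certificate, and an unencrypted key
# keeps startup from blocking on "Enter PEM pass phrase:".
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory

# Self-signed cert with a passphrase-less key (-nodes). $3 is CA:TRUE for a
# usable signing CA, or CA:FALSE to mimic an end-entity cert used by mistake.
make_cert() {  # make_cert <name> <CN> <CA:TRUE|CA:FALSE>
    if [ "$3" = "CA:TRUE" ]; then ku="keyCertSign, cRLSign"; else ku="digitalSignature"; fi
    cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical, $3
keyUsage = critical, $ku
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/$1.cnf" -keyout "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Passphrase-protected copy of a key, as CA.pl -newreq produces unless told
# otherwise; used here only so the check below has something to catch.
encrypt_key() {  # encrypt_key <in.key> <out.key>
    openssl pkey -in "$1" -aes256 -passout pass:demo-only -out "$2" 2>/dev/null
}

key_is_unencrypted() { [ -r "$1" ] && ! grep -q 'ENCRYPTED' "$1"; }  # PKCS#8 or legacy PEM marker
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
key_matches_cert() {  # same public key on both sides; needs an unencrypted key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# All checks in one call; prints a line per failure, returns 0 only if all pass.
check_signing_pair() {  # check_signing_pair <cert> <key>
    rc=0
    if key_is_unencrypted "$2"; then
        key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    else
        echo "FAIL: $2 is passphrase-protected"; rc=1
    fi
    cert_is_ca "$1" || { echo "FAIL: $1 is not a CA certificate (no CA:TRUE)"; rc=1; }
    return $rc
}

make_cert bumpca "Example Squid Bump CA" CA:TRUE
make_cert leaf "proxy.example.vx" CA:FALSE             # hostname as in the thread
encrypt_key "$WORKDIR/leaf.key" "$WORKDIR/leaf-enc.key"
check_signing_pair "$WORKDIR/bumpca.crt" "$WORKDIR/bumpca.key" && echo "OK: bumpca is usable"
if check_signing_pair "$WORKDIR/leaf.crt" "$WORKDIR/leaf-enc.key"; then echo "unexpected pass"; fi
```

Run the same `check_signing_pair` against the real files under /etc/squid/certs before restarting squid; a passing pair still has to be installed as a trusted root on the clients.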
[squid-users] compile with ssl support

2021-03-25 Thread Majed Zouhairy

Peace,
as part of self developing, we decided that turning on sslbump + splice 
is a good idea, so how to install squid with ssl support on tumbleweed?

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid cache

2021-03-01 Thread Majed Zouhairy

Thanks for, at least, the explanation

On 3/1/21 6:12 PM, Alex Rousskov wrote:

On 3/1/21 2:07 AM, Majed Zouhairy wrote:

i tried this, but neither the https download bandwidth restriction nor
caching seems to be working as expected


Squid cannot cache HTTP responses without bumping HTTPS traffic. This is
a protocol-level limitation, not a bug.

There are known delay pools bugs for not-bumped (i.e. tunneled or
CONNECT) traffic. IIRC, the pools may work for some tunnels, but the
imposed limits may vary significantly from the configured values.


HTH,

Alex.



acl slower src 10.46.10.78
acl localnet src 10.46.10.0/24

acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 8080    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443    # https
acl Safe_ports port 70    # gopher
acl Safe_ports port 210    # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280    # http-mgmt
acl Safe_ports port 488    # gss-http
acl Safe_ports port 591    # filemaker
acl Safe_ports port 777    # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.lk.sk


delay_pools 1
delay_class 1 3
delay_access 1 allow slower
delay_access 1 deny all
delay_parameters 1 51200/51200 -1/-1 51200/25600

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims



range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1

# DONT MODIFY THESE LINES
refresh_pattern \^ftp:   1440    20% 10080
refresh_pattern \^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .   0  20% 43200

cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .    0    20%    4320

url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


any help?


On 2/26/21 10:22 AM, Majed Zouhairy wrote:


Health be Upon you,

i want to cache certain files, let's say exe, msi... above 20MB and
below 300MB, limit the cache directory to 3GB
i have no ssl bump configured
version 4.14
how to do that?





Re: [squid-users] squid cache

2021-02-28 Thread Majed Zouhairy
i tried this, but neither the https download bandwidth restriction nor 
caching seems to be working as expected


acl slower src 10.46.10.78
acl localnet src 10.46.10.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 8080    # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.lk.sk


delay_pools 1
delay_class 1 3
delay_access 1 allow slower
delay_access 1 deny all
delay_parameters 1 51200/51200 -1/-1 51200/25600

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims




range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1

# DONT MODIFY THESE LINES
refresh_pattern \^ftp:   1440    20% 10080
refresh_pattern \^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .   0  20% 43200

cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .    0    20%    4320

url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


any help?


On 2/26/21 10:22 AM, Majed Zouhairy wrote:


Health be Upon you,

i want to cache certain files, let's say exe, msi... above 20MB and 
below 300MB, limit the cache directory to 3GB

i have no ssl bump configured
version 4.14
how to do that?


[squid-users] squid cache

2021-02-25 Thread Majed Zouhairy


Health be Upon you,

i want to cache certain files, let's say exe, msi... above 20MB and 
below 300MB, limit the cache directory to 3GB

i have no ssl bump configured
version 4.14
how to do that?


Re: [squid-users] re-directing through squid using MAC

2021-01-30 Thread Majed Zouhairy
wifi? so you would rather get up at night just so as not to expose them to 
some sites?


On 30.01.21 20:12, Eliezer Croitoru wrote:


Hey,

There are many solutions for this; however, it depends on a couple of things.

The first thing is the parents' and kids'/children's/others' cooperation.

I.e. whether the kids know about and want to use the solution.

I believe that parenting starts from understanding that there is a 
threat out there.


Today it's the same as with fire and other hazard awareness.

If the kids/children/others in the house don't believe that there is 
a threat, it is the obligation of the parents and
the community to teach and educate them about the subject (to my 
belief, a demo is always a last-resort solution).


( I have seen many adults who don't believe even after they have 
been hit..


I.e. they have a virus on their PC or mobile and they still believe that 
there is no issue.


Even after they are given a demo of what is being leaked from 
their PC and mobile they don't care. )


Lately I have seen a couple of new WIFI solutions (the old ones don't work 
anymore..) which offer some parental control
in the house, bundled in the product, with a management and control 
app for the parents.


I don't know if these can be compared to squid.

I can just say that IDS and AV with squid would require some kind of 
customization, and I believe that it's worth
trying some ready-to-use solutions as a part of the kids'/children's and 
adults' education.


It's like riding a bicycle: if you try to build one yourself… it 
depends on your "blacksmith" or "iron man" skills.


To force the PC or the mobile would be a different solution, but they 
both require some application these days.


On your LAN it will also depend on the cooperation.

When you want to capture traffic on the LAN it would probably be by the 
combination of MAC and IP.


These two are both tied to one another…

There are many devices these days that try to dynamically assign MAC 
addresses to avoid what you are trying to achieve.


To overcome this you are probably better off using one of the below (or 
more..):


  * 802x authentication for WIFI
  * Redirect all traffic except the identified devices by their MAC+IP (from DHCP)
  * HotSpot authentication

I have implemented the above solutions on both a Linux device and 
Mikrotik.


Currently I am using a Mikrotik router which does all of the above other 
than the filtering itself, for which I am using
an external service which does better tls/ssl inspection and 
categorizing than I can provide with Squid and a subscription.


(…No hard feelings with the Squid project)

All The Bests,

Eliezer



Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com 

Zoom: Coming soon

*From:* squid-users *On Behalf Of* Wolfgang Paul Rauchholz

*Sent:* Saturday, January 30, 2021 9:19 AM
*To:* squid-users@lists.squid-cache.org
*Subject:* [squid-users] re-directing through squid using MAC

I got two questions actually. I want to re-direct all traffic of certain 
users (parental control...) through squid.


(1) What is the best possibility to do so independently of whether 
they are on the LAN or are outside home?


(2) If I only want to re-direct when they are on the LAN; can I do 
this by capturing the MAC address of their devices?


Thank you!


Wolfgang Rauchholz

+34 627 994 977

https://www.linkedin.com/in/wolfgangrauchholz/




Re: [squid-users] limit bandwidth

2020-09-09 Thread Majed Zouhairy

>>> ...
>>>
>>>> error_directory /usr/share/squid/errors/en
>>> The above is a default value. Remove that line from your config.
>> this? error_directory /usr/share/squid/errors/en
> Yes, that one.
so it's not the email client even
>
>>>> delay_pools 1
>>>> delay_class 1 3
>>>> delay_access 1 allow slower !localnet
>>> All IPs which match "slower" ACL are also matched by "localnet" ACL.
>>>
>>> It is impossible for an IP to be both part of slower and not part of
>>> localnet. So this line never matches and all traffic is not-delayed.
>>>
>>> To fix, remove the "!localnet" requirement from the above line.
>> i already tried that, i was thinking that there would be an option like
>> acl slower src 10.46.0.74 10.46.0.107
>> acl localnet src !10.46.0.74 10.46.0.0/24
>> so as not to type the whole subnet's individual addresses
>>
> It is possible to define an ACL like localnet with holes. But that would
> not do what you are wanting.
still that would be very nice to know
>
>
> "delay_access 1 allow slower"  does what you are asking for in terms of
> only the IPs listed in "slower" having their traffic slowed down.
>
> If that is not working, then you may be hitting a bug or something is
> different from what you have told us about the traffic. eg CONNECT
> tunnels do not always have delay pools applied in Squid-4.
>
>
> Amos

it's only working on http downloads,

might it have any relationship with ufdbguard being used?

the rest of the config

delay_pools 1
delay_class 1 3
delay_access 1 allow slower
delay_access 1 deny all
delay_parameters 1 51200/51200 -1/-1 51200/25600

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 512 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .    0    20%    4320

url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


Re: [squid-users] limit bandwidth

2020-09-01 Thread Majed Zouhairy
On Tue, 2020-09-01 at 05:10 +1200, Amos Jeffries wrote:
> On 31/08/20 8:24 pm, Vacheslav wrote:
> > Peace,
> > 
> > been suffering for many hours so i'd rather ask for aid..
> > 
> > i'm trying to limit the flow mainly for the most maximize people
> > 
> 
> Okay.
> 
> What Squid version are you using?
> 
> 
sudo squid -v
Squid Cache: Version 4.13
Service Name: squid

> > acl slower src 10.46.0.74 10.46.0.107
> 
> One of the reasons this posting got held up for moderation was that
> the
> lines which are supposed to contain ASCII tab characters contained
> Unicode characters "\c3\82".
this is now another email client..so let's confirm that
> 
> If those Unicode characters are actually present in your squid.conf
> file
> then you need to go through and remove them all.

i went ahead and typed those added lines in nano and deleted the
original ones..still not a trump!
> 
> ...
> > acl localnet src 10.46.0.0/24   #  local private
> > network (LAN)
> 
> ...
> > acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"
> > 
> ...
> 
> > error_directory /usr/share/squid/errors/en
> 
> The above is a default value. Remove that line from your config.
this? error_directory /usr/share/squid/errors/en
> 
> > delay_pools 1
> > delay_class 1 3
> > delay_access 1 allow slower !localnet
> 
> All IPs which match "slower" ACL are also matched by "localnet" ACL.
> 
> It is impossible for an IP to be both part of slower and not part of
> localnet. So this line never matches and all traffic is not-delayed.
> 
> To fix, remove the "!localnet" requirement from the above line.
i already tried that, i was thinking that there would be an option like
acl slower src 10.46.0.74 10.46.0.107
acl localnet src !10.46.0.74 10.46.0.0/24
so as not to type the whole subnet's individual addresses


> 
> Amos


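The ACL logic Amos explains in the two "limit bandwidth" posts above (a line matches only if every listed ACL matches, `!` negates one ACL, lines are tried top-down and the first match decides) can be checked by hand with a small model. The script below is an added example, not part of the thread or of Squid: it evaluates the posted `delay_access` rule set, Amos's corrected one, and a "hole" expressed by rule order. It assumes pool 1 and the addresses as posted; the third client address, 10.46.0.50, is constructed.

```python
"""Model of how Squid evaluates delay_access lines (added example, not from the
thread): each line is allow/deny plus ACL names that must ALL match ('!' negates
one); lines are tried top-down, first match decides. Only 'src' ACLs modelled."""
from __future__ import annotations
from ipaddress import ip_address, ip_network

def _words(line: str) -> list[str]:  # tokens, with any trailing '# comment' dropped
    return line.split("#", 1)[0].split()

def parse_src_acls(conf: str) -> dict[str, list]:
    """'acl NAME src VALUE...' lines; hosts or CIDRs, repeated names accumulate."""
    acls: dict[str, list] = {}
    for w in map(_words, conf.splitlines()):
        if len(w) >= 4 and w[0] == "acl" and w[2] == "src":
            acls.setdefault(w[1], []).extend(ip_network(v, strict=False) for v in w[3:])
    return acls

def parse_delay_access(conf: str, pool: int) -> list[tuple[bool, list[str]]]:
    """Ordered (allow?, [terms]) pairs for 'delay_access POOL allow|deny ...'."""
    return [(w[2] == "allow", w[3:]) for w in map(_words, conf.splitlines())
            if len(w) >= 4 and w[0] == "delay_access" and w[1] == str(pool)]

def term_matches(acls: dict[str, list], term: str, client) -> bool:
    """'all' always hits; a src ACL hits if any value contains the client;
    a leading '!' inverts the result."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    if name == "all":
        hit = True
    elif name in acls:
        hit = any(client in net for net in acls[name])
    else:  # Squid also rejects a config that uses an undefined ACL
        raise ValueError(f"ACL {name!r} is not defined")
    return hit != negate

def in_pool(conf: str, pool: int, client_ip: str) -> bool:
    """True if requests from client_ip join the pool, per the first matching line."""
    acls, client = parse_src_acls(conf), ip_address(client_ip)
    for allow, terms in parse_delay_access(conf, pool):
        if all(term_matches(acls, t, client) for t in terms):
            return allow
    return False  # not reached below: every rule set ends with 'deny all'

# Constructed from the fragments posted in the thread (addresses as posted).
ORIGINAL = """
acl slower src 10.46.0.74 10.46.0.107
acl localnet src 10.46.0.0/24   #  local private network (LAN)
delay_pools 1
delay_class 1 3
delay_access 1 allow slower !localnet
delay_access 1 deny all
"""
# Amos's fix: drop the '!localnet' term, which no 'slower' address can satisfy.
FIXED = ORIGINAL.replace("allow slower !localnet", "allow slower")
# A 'hole' comes from rule order, not from '!' inside an acl line; this puts every
# localnet host EXCEPT the slower ones into the pool, the inverse of the goal.
HOLE = ORIGINAL.replace("delay_access 1 allow slower !localnet",
                        "delay_access 1 deny slower\ndelay_access 1 allow localnet")

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("fixed", FIXED), ("hole", HOLE)):
        members = [ip for ip in ("10.46.0.74", "10.46.0.107", "10.46.0.50") if in_pool(conf, 1, ip)]
        print(f"{label:8s} pool 1 members: {members or 'none'}")
```

The model covers rule selection only; it says nothing about the CONNECT-tunnel bug Amos mentions, which affects whether a selected pool is actually enforced.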


Re: [squid-users] Allowing a port only to certain IP/host

2020-03-09 Thread Majed Zouhairy


On Mon, 2020-03-09 at 15:48 +0100, Antony Stone wrote:
> On Monday 09 March 2020 at 15:43:14, Service MV wrote:
> 
> > Hello everyone, I need to enable port 22 in squid but only to a
> > certain
> > server (host.domain.com) in particular, so that the rest of the
> > world
> > cannot be accessed via SSH.
> 
> Squid does not support SSH.
> 
> > I would like to know this is the right way to do it:
> 
> Use iptables or whatever other firewall software you use on your
> gateway router 
> to block all TCP port 22 outbound access except destination
> host.domain.com
> 
> 
> Antony.
> 
yeah he's up to no good again

https://articles.mercola.com/sites/articles/archive/2020/03/10/why-bill-gates-accelerating-toxic-food-system.aspx?cid_source=dnl&cid_medium=email&cid_content=art2ReadMore&cid=20200310Z1&et_cid=DM478066&et_rid=826674687

