[squid-users] HTTP Request method CNT from Windows clients

2018-08-13 Thread Peter Viskup
Has anybody seen this in Squid logs already?
httpRqMethod CNT

There is no destination IP nor request host logged. All clients are
Windows machines. Requests are rejected due to an unsupported HTTP
method.

The complete log entry example:

13/Aug/2018:14:26:18 +0200 10.x.y.z 63740 -> - - responseTime=0
httpXFF=- httpRqProto=1.1 httpRqMethod=CNT httpRqHost=- httpURI=-
httpRef=- httpRsStatus=400 httpRqBytes=283 httpRsBytes=3688 httpUA="-"
httpRqCT="-" httpRsCT="text/html;charset=utf-8" httpRsServer=squid
mime=text/html icapResult=- icapTimeTotal=0 icapTimeRq=- icapTimeRs=-
squidStatus=NONE:HIER_NONE squidError=- squidErrorDetail=-
proxyPort=3128 proxyIP=10.x.c.c proxyNode=10.x.c.a sslBumpMode=-
sslSNI="-" sslClientProto="TLS/1.2" sslServerProto="-"
sslClientCipher="ECDHE-RSA-AES256-GCM-SHA384" sslServerCipher="-"
sslSubject="-" sslIssuer="-" sslCertErrors="-"

-- 
Peter
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid ipcache and DNS TTL smaller than 60 seconds

2018-04-10 Thread Peter Viskup
Squid uses a TTL of 60 seconds for DNS resource records whose TTL is smaller than
that value.

Some sites can have a lower DNS TTL set due to their high availability
design (DNS load balancer).

The RFCs [1][2][3] explain that the received TTL can be lowered to the
upper-bound TTL value of the DNS cache, but must not be increased.

Is it possible to change that 60 seconds default somewhere in the
configuration? Was the 60 seconds default chosen according to some reference?

[1] https://tools.ietf.org/html/rfc2181#section-8
[2] https://tools.ietf.org/html/rfc1035#section-3.2.1
[3] https://tools.ietf.org/html/rfc7719#section-4


Peter


Re: [squid-users] Squid4 ICAP connection handling

2018-04-10 Thread Peter Viskup
On Mon, Apr 9, 2018 at 4:43 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 04/09/2018 06:03 AM, Peter Viskup wrote:
>> Running Squid 4.0.23, the ICAP connections are getting "frozen".
>>
>> proxy:~ $ netstat -ntpa| grep 40620
>> tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
>> tcp   0 2744857 127.0.0.1:1344  127.0.0.1:40620 ESTABLISHED 1211/esets_icap
>>
>> # after ICAP service restart
>> proxy:~ $ netstat -ntpa| grep 40620
>> tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
>> tcp   0 2744858 127.0.0.1:1344  127.0.0.1:40620 FIN_WAIT1   -
>>
>> # later on - squid still keeps the connection open
>> proxy:~ $ netstat -ntpa| grep 40620
>> tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
>
>> How the ICAP connections are handled?
>
> Is there an HTTP transaction associated with (e.g., waiting for) that
> stuck ICAP connection?

I have not found the HTTP transaction associated with it.

> Can you reproduce this problem with a single HTTP transaction? Or does
> it take many transactions to get Squid into this state? If you can
> easily reproduce, I recommend filing a bug report with an ALL,9 trace of
> the problematic transaction attached.

I can easily reproduce it. I will search for the HTTP transaction, but I am not sure
whether I would be able to trace it.

More information in:
https://bugs.squid-cache.org/show_bug.cgi?id=4844


[squid-users] Squid4 ICAP connection handling

2018-04-09 Thread Peter Viskup
Running Squid 4.0.23, the ICAP connections are getting "frozen".

proxy:~ $ netstat -ntpa| grep 40620
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 2744857 127.0.0.1:1344  127.0.0.1:40620 ESTABLISHED 1211/esets_icap

# after ICAP service restart
proxy:~ $ netstat -ntpa| grep 40620
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 2744858 127.0.0.1:1344  127.0.0.1:40620 FIN_WAIT1   -

# later on - squid still keeps the connection open
proxy:~ $ netstat -ntpa| grep 40620
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)

How are the ICAP connections handled?
Was there any change in the code? We didn't experience this with
Squid 3.5 before.

Peter
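One way to catch the state shown in the three netstat listings above programmatically, as an added example that is not code from Squid, the ICAP service or anyone in this thread: parse `netstat -ntpa` rows and flag ESTABLISHED sockets whose Recv-Q keeps growing (our side has stopped reading), or whose loopback peer is already in FIN_WAIT1 or has disappeared. The snapshots, PIDs and the 64 KiB threshold below are constructed assumptions.

```python
"""Spot stuck TCP connections (here: Squid <-> local ICAP server) in netstat output.
Added example; not code from Squid, esets_icap or the mailing-list thread."""

# Constructed snapshots modelled on the three listings in the post
# (PIDs and queue sizes are made up; the pattern is the one described there).
SNAPSHOT_BEFORE = """\
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 2744857 127.0.0.1:1344 127.0.0.1:40620 ESTABLISHED 1211/esets_icap
tcp   0 0 127.0.0.1:40630 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 0 127.0.0.1:1344 127.0.0.1:40630 ESTABLISHED 1211/esets_icap
"""
SNAPSHOT_AFTER_RESTART = """\
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 2744858 127.0.0.1:1344 127.0.0.1:40620 FIN_WAIT1 -
"""
SNAPSHOT_LATER = """\
tcp   920144  0 127.0.0.1:40620 127.0.0.1:1344 ESTABLISHED 1165/(squid-1)
tcp   0 0 10.0.0.4:3128 10.0.0.77:51234 ESTABLISHED 1165/(squid-1)
"""


def parse_netstat(text):
    """Parse `netstat -ntpa` style rows: proto recv-q send-q local foreign state pid/prog."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        conns.append({
            "recvq": int(parts[1]), "sendq": int(parts[2]),
            "local": parts[3], "foreign": parts[4], "state": parts[5],
            "prog": parts[6] if len(parts) > 6 else "-",
        })
    return conns


def host_of(addr):
    """'127.0.0.1:40620' -> '127.0.0.1'"""
    return addr.rsplit(":", 1)[0]


def find_stuck(conns, recvq_threshold=64 * 1024):
    """Return (local, foreign, reasons) for ESTABLISHED sockets that show symptoms.
    The peer-side check only applies when both ends are on this host (loopback),
    because a remote peer's socket never appears in the local table."""
    by_pair = {(c["local"], c["foreign"]): c for c in conns}
    findings = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        reasons = []
        if c["recvq"] >= recvq_threshold:          # data delivered but never read
            reasons.append(f"{c['recvq']} bytes unread by {c['prog']}")
        if host_of(c["local"]) == host_of(c["foreign"]):
            peer = by_pair.get((c["foreign"], c["local"]))
            if peer is None:
                reasons.append("peer socket gone")
            elif peer["state"] != "ESTABLISHED":
                reasons.append(f"peer in {peer['state']}")
        if reasons:
            findings.append((c["local"], c["foreign"], reasons))
    return findings


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE),
                        ("after restart", SNAPSHOT_AFTER_RESTART),
                        ("later", SNAPSHOT_LATER)):
        for local, foreign, reasons in find_stuck(parse_netstat(snap)):
            print(f"{label}: {local} -> {foreign}: {'; '.join(reasons)}")
```

Run it periodically from cron or a monitoring agent; a socket that is reported in consecutive runs with a non-decreasing Recv-Q is the one to attach an ALL,9 trace to, as suggested in the reply.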


Re: [squid-users] Squid4 '%<la' empty sometimes

2018-04-06 Thread Peter Viskup
Amos,
thank you for your helpful reply.

The setup using %note is working. Both servers have the same
configuration from Git. Added one include for the proxyNode note
configuration with a "git ignore" flag on that file.
Realized the note can also be used to track the ACL the transaction passed through.

Proxy node ID:
note proxyNode 10.x.y.a
logformat ... proxyNode=%{proxyNode}note ...

Passed via ACL:
acl sslstep1 at_step SslBump1
acl sslstep3 at_step SslBump3

acl test_s src 
acl test_d dstdomain 
acl test_ssl ssl::server_name 
acl SSH_port port 22

# splice at step1 for SSH connections
note acl test_splice_ssh test_s test_d SSH_port
ssl_bump splice sslstep1 test_s test_d SSH_port

# splice at step3 for other TLS connections
note acl test_splice_http test_s test_ssl
ssl_bump splice sslstep3 test_s test_ssl

logformat ... acl=%{acl}note ...


On Thu, Apr 5, 2018 at 12:31 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 05/04/18 21:39, Peter Viskup wrote:
>> On Wed, Apr 4, 2018 at 5:42 PM, Amos Jeffries wrote:
>>> On 04/04/18 21:15, Peter Viskup wrote:
>>>> On Linux Virtual Server balanced cluster the %<la is empty when errors ERR_ACCESS_DENIED or TCP_MEM_HIT are logged.
>>>>
>>>> This is causing issue when processing logs on remote machine (e.g.
>>>> ELK). The "proxy node" cannot be differentiated.
>>>
>>> It sounds to me like you are misinterpreting what is happening and/or
>>> using the wrong logformat tags/codes.
>>>
>>> The denied or HIT transactions you mention *do not* involve any upstream
>>> server. Thus no upstream server connection. No logformat codes will log
>>> details from a non-existing thing.
>>>
>>> So can you clarify what you mean by "Linux Virtual Server balanced
>>> cluster" ?
>>>
>>> Is that a cluster of LB devices/VM in front (or behind) a Squid proxy?
>>>  or some Squid running on each node of the cluster?
>>>  or something else?
>>
>> Two VMs with heartbeat+ldirectord+LVS. Every server running the Squid
>> proxy. The service IP with LVS configuration (managed by ldirectord)
>> is made highly available.
>>
>
>
> Okay. So..
>
> 0) you could also configure a specific unique value in each Squid's
> logformat definition. So it is explicitly present in all log lines
> generated by that proxy / node.
>
> ... or if you need something more dynamic ...
>
> 1) you could use the "note" directive to algorithmically determine (in
> its ACL matching) a value for %note to record in a shared logformat
> definition on a per-request, per-node basis.
>
> 2) If you have OpenFlows or similar recording of the inbound TCP
> connections you might use the %>a:%>p:%>la tuplet (client IP:port +
> Squid-IP) to match up with other info about the client TCP connection.
> That is the most reliable relationship (as the server connection range
> from none to many).
>
>  [ note that %>la and %la may be different in the presence of NAT,
> TPROXY, or PROXY protocol. ]
>
> 3) If the LVS is managing packet routing using TOS or packet markings
> you could use the %>qos or %>nfmark to explicitly display those in the
> log file.
>
> 4) If the VMs all have unique interface MAC/EUI addresses you could use
> that uniqueness as node IDs with the %>eui code.
>
> 5) you could use all of the codes in #2, #3, and #4 for a 6-tuplet
> identifier.
>
>
> Amos
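The two things the log lines in these threads get used for, flagging the bogus `CNT` method from the first post and telling the cluster nodes apart by the `proxyNode` and `acl` notes configured above, can be checked in one pass over the log. The following is an added example, not code from Squid or from anyone in the thread: the field names follow the posted logformat, the sample lines, addresses and ACL labels are constructed, and the set of accepted HTTP methods is an assumption.

```python
"""Parse Squid key=value logformat lines and run two log-pipeline checks.
Added example; not code from Squid or from the mailing-list thread."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (addresses, counts and ACL labels are made up);
# the layout and field names follow the logformat posted in the CNT thread,
# plus the proxyNode and acl %note fields from the cluster thread.
SAMPLE_LOG = """\
13/Aug/2018:14:26:18 +0200 10.0.0.5 63740 -> - - responseTime=0 httpXFF=- httpRqProto=1.1 httpRqMethod=CNT httpRqHost=- httpURI=- httpRsStatus=400 httpRqBytes=283 httpRsBytes=3688 httpUA="-" squidStatus=NONE:HIER_NONE proxyNode=10.0.0.11 acl=-
13/Aug/2018:14:26:19 +0200 10.0.0.6 51002 -> 93.184.216.34 443 responseTime=120 httpXFF=- httpRqProto=1.1 httpRqMethod=CONNECT httpRqHost=example.com httpURI=example.com:443 httpRsStatus=200 httpRqBytes=300 httpRsBytes=5120 httpUA="Mozilla/5.0 (Windows NT 10.0)" squidStatus=TCP_TUNNEL:HIER_DIRECT proxyNode=10.0.0.11 acl=test_splice_http
13/Aug/2018:14:26:20 +0200 10.0.0.7 40111 -> 203.0.113.9 22 responseTime=80 httpXFF=- httpRqProto=1.1 httpRqMethod=CONNECT httpRqHost=ssh.example.org httpURI=ssh.example.org:22 httpRsStatus=200 httpRqBytes=290 httpRsBytes=4096 httpUA="-" squidStatus=TCP_TUNNEL:HIER_DIRECT proxyNode=10.0.0.12 acl=test_splice_ssh
13/Aug/2018:14:26:21 +0200 10.0.0.5 63741 -> - - responseTime=0 httpXFF=- httpRqProto=1.1 httpRqMethod=CNT httpRqHost=- httpURI=- httpRsStatus=400 httpRqBytes=283 httpRsBytes=3688 httpUA="-" squidStatus=NONE:HIER_NONE proxyNode=10.0.0.12 acl=-
"""

# Assumed list of methods a proxy should see; anything else is worth a look.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                "OPTIONS", "TRACE", "PATCH", "PURGE"}

# Positional prefix: "<date> <tz> <client ip> <client port> -> <dst ip> <dst port>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<cport>\S+) -> (?P<dst>\S+) (?P<dport>\S+)")
# key=value pairs; values are either "quoted (may contain spaces)" or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict with the prefix fields plus every key=value pair (quotes removed)."""
    fields = {}
    m = PREFIX_RE.match(line)
    if m:
        fields.update(m.groupdict())
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def suspicious_methods(lines):
    """Count (client, method) pairs whose method is not a known HTTP method.
    A token like 'CNT' with no host and a 400 reply is what the CNT post describes."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        method = f.get("httpRqMethod", "-")
        if method != "-" and method not in HTTP_METHODS:
            counts[(f.get("client", "-"), method)] += 1
    return counts


def per_node_summary(lines):
    """Group lines by the proxyNode note so each cluster member can be told apart,
    and record which 'note acl ...' label each transaction matched."""
    summary = defaultdict(lambda: {"requests": 0, "status": Counter(), "acl": Counter()})
    for line in lines:
        f = parse_line(line)
        node = summary[f.get("proxyNode", "-")]
        node["requests"] += 1
        node["status"][f.get("httpRsStatus", "-")] += 1
        node["acl"][f.get("acl", "-")] += 1
    return dict(summary)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (client, method), n in suspicious_methods(lines).items():
        print(f"{client} sent {n} request(s) with unknown method {method!r}")
    for node, s in per_node_summary(lines).items():
        print(node, s["requests"], dict(s["status"]), dict(s["acl"]))
```

Because the node identity travels inside the log line as a note, the summary works unchanged whether the lines are read locally or after forwarding to ELK, which is the point of option 1 in the reply above.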


Re: [squid-users] Squid4 '%<la' empty sometimes

2018-04-05 Thread Peter Viskup
On Wed, Apr 4, 2018 at 5:42 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 04/04/18 21:15, Peter Viskup wrote:
>> On Linux Virtual Server balanced cluster the %<la is empty when errors ERR_ACCESS_DENIED or TCP_MEM_HIT are logged.
>>
>> This is causing issue when processing logs on remote machine (e.g.
>> ELK). The "proxy node" cannot be differentiated.
>
> It sounds to me like you are misinterpreting what is happening and/or
> using the wrong logformat tags/codes.
>
> The denied or HIT transactions you mention *do not* involve any upstream
> server. Thus no upstream server connection. No logformat codes will log
> details from a non-existing thing.
>
> So can you clarify what you mean by "Linux Virtual Server balanced
> cluster" ?
>
> Is that a cluster of LB devices/VM in front (or behind) a Squid proxy?
>  or some Squid running on each node of the cluster?
>  or something else?

Two VMs with heartbeat+ldirectord+LVS. Every server running the Squid
proxy. The service IP with LVS configuration (managed by ldirectord)
is made highly available.


[squid-users] Squid4 '%<la' empty sometimes

2018-04-04 Thread Peter Viskup
On Linux Virtual Server balanced cluster the %<la is empty when errors ERR_ACCESS_DENIED or TCP_MEM_HIT are logged.

This is causing an issue when processing logs on a remote machine (e.g. ELK). The "proxy node" cannot be differentiated.


Re: [squid-users] squid client or cache manager under Multi instance squid /SMP

2018-03-28 Thread Peter Viskup
Hello Ahmad,
your instances should have different ports open. Use squidclient's
options -p and -h to request the appropriate instance.

Example from our server:

proxy02:/etc/squid $ squidclient -p 8080 cache_object://localhost/mgr:info|grep "Start Time"
Start Time: Thu, 22 Mar 2018 13:09:24 GMT
proxy02:/etc/squid $ squidclient -p 3128 cache_object://localhost/mgr:info|grep "Start Time"
Start Time: Fri, 23 Mar 2018 13:03:20 GMT

Not sure whether it is possible to get per-thread stats.

It also depends on the Squid version, as stated on the wiki [1]. Only versions
3.5+ can be run as multi-instance with SMP enabled.
More information about how the load is distributed across SMP threads is on
another wiki page [2].

[1] https://wiki.squid-cache.org/MultipleInstances#SMP_enabled_Squid
[2] https://wiki.squid-cache.org/Features/SmpScale#Who_decides_which_worker_gets_the_request.3F

-- 
Peter

On Wed, Mar 28, 2018 at 2:53 PM, --Ahmad--  wrote:

> Hello Guys,
>
> I have no idea how to use squidclient or the cache manager when I have
> multiple instances of squid running.
>
> Say I have 2 instances:
>
> squid -n 1 -f 1.conf
> squid -n 2 -f 2.conf
>
>
> All I need is to see the request rate hitting each instance above.
> How can I use the cache manager?
>
> Is there an option for the squidclient app?
>
>
> More questions:
> if I have both (multi instance with SMP, say 4 workers),
>
> how can I see the request rate on the total instance and the request rate on
> the kids of this instance?
>
>
>
> kind regards


Re: [squid-users] Squid SNMP remote monitoring and IP fragmentation

2018-03-06 Thread Peter Viskup
Communication is OK. The problem was with pcap filtering based on port
number. Only the first fragment of the packet has this information;
all others have empty port fields. More information is in the tcpdump man
page in the IP Fragmentation section.

In the new packet capture the request for 87 OIDs is answered with 87
corresponding values.

The issue with inconsistent data values in Zabbix is related to Zabbix
server post-processing.

On Tue, Mar 6, 2018 at 12:10 PM, Amos Jeffries  wrote:
> On 06/03/18 23:36, Eliezer Croitoru wrote:
>> Is this SNMP value present in the cache-manager pages?
>> If so it would be pretty simple to write a script that will extract the 
>> relevant data via http.
>>
>
> OID *.1.5.2.2 is the mgr:client_list table data, excluding the TCP_*
> code breakdown for responses given.
>
> Amos


[squid-users] Squid SNMP remote monitoring and IP fragmentation

2018-03-02 Thread Peter Viskup
We monitor our Squids via SNMP with Zabbix and use the template
available on the Zabbix share portal [1].
Retrieval of values is not reliable. It seems to be related to IP fragmentation.

The complete answer should be 4325 B long.

~# snmpwalk -m /usr/share/squid3/mib.txt -v2c -CE .1.3.6.1.4.1.3495.1.5.2.2 -Cc -c d8d385baeb54 localhost:3401 .1.3.6.1.4.1.3495.1 2>/dev/null | wc -c
4325

But on the Squid we receive one 1514 B packet (not the complete answer).

What are your experiences in this area?

[1] https://share.zabbix.com/cat-app/squid-proxy-snmp

-- 
Peter
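Why a port-based pcap filter (the cause identified in the follow-up reply of this thread) only shows one packet of a multi-fragment SNMP reply, and how to correlate the remaining fragments by IP ID instead, as an added example that is not code from Squid, tcpdump, Zabbix or the thread. It builds a fragmented IPv4/UDP datagram of roughly the size quoted above, applies the equivalent of a `udp port 3401` filter to each fragment, and reassembles by (src, dst, IP ID, protocol). Addresses, the IP ID and the payload are constructed; IP and UDP checksums are left at zero for brevity.

```python
"""Fragmented IPv4/UDP: what a port filter can see, and reassembly by IP ID.
Added example; not code from Squid, tcpdump or the mailing-list thread."""
import socket
import struct

IPPROTO_UDP = 17
MF_FLAG = 0x2000          # "more fragments" bit of the flags/offset field
OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src, dst, ip_id, more_fragments, offset_bytes, payload_len, proto=IPPROTO_UDP):
    """Minimal IPv4 header (checksum left at 0; constructed example)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ip_id, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_datagram(sport, dport, payload):
    """UDP header (checksum 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ip_id, l4_bytes, mtu=1500):
    """Split one L4 message into IPv4 fragments that fit the MTU.
    Only the first fragment starts with the UDP header, and thus carries the ports."""
    max_chunk = (mtu - 20) // 8 * 8      # 1480 bytes for a 1500-byte MTU
    frags, offset = [], 0
    while offset < len(l4_bytes):
        chunk = l4_bytes[offset:offset + max_chunk]
        more = offset + len(chunk) < len(l4_bytes)
        frags.append(ipv4_header(src, dst, ip_id, more, offset, len(chunk)) + chunk)
        offset += len(chunk)
    return frags


def parse_ipv4(pkt):
    """Decode the fields needed for filtering and reassembly."""
    ver_ihl, _, total_len, ip_id, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "mf": bool(flags_frag & MF_FLAG), "offset": (flags_frag & OFFSET_MASK) * 8,
            "payload": pkt[ihl:total_len]}


def matches_udp_port(pkt, port):
    """What a 'udp port N' capture filter can decide from a single packet: the ports
    live in the UDP header, which only the first fragment (offset 0) contains."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_UDP or f["offset"] != 0 or len(f["payload"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", f["payload"][:4])
    return port in (sport, dport)


def reassemble(pkts):
    """Group fragments by (src, dst, id, proto); return only complete L4 messages."""
    groups = {}
    for p in pkts:
        f = parse_ipv4(p)
        groups.setdefault((f["src"], f["dst"], f["id"], f["proto"]), []).append(f)
    complete = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        data = b""
        for f in frags:
            if f["offset"] != len(data):      # a hole: some fragment is missing
                break
            data += f["payload"]
        else:
            if not frags[-1]["mf"]:           # last piece must have MF cleared
                complete[key] = data
    return complete


def demo():
    """Fragment a ~4.3 KB reply from agent port 3401 and count what a port filter sees."""
    payload = bytes(i % 251 for i in range(4325))   # constructed stand-in for the SNMP PDU
    frags = fragment("10.0.0.2", "10.0.0.1", 0x1234, udp_datagram(3401, 52000, payload))
    seen_by_port_filter = sum(matches_udp_port(p, 3401) for p in frags)
    return len(frags), seen_by_port_filter, reassemble(frags)


if __name__ == "__main__":
    n, seen, whole = demo()
    print(f"{n} fragments on the wire, {seen} matched by a port filter, "
          f"{len(whole)} datagram(s) reassembled")
```

In a capture this means filtering on the host pair (or on `ip[6:2] & 0x1fff != 0` for non-first fragments, as the tcpdump man page describes) rather than on the port, and letting the dissector reassemble before judging whether the SNMP reply was complete.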


[squid-users] Squid4 multi-instance configuration

2018-02-20 Thread Peter Viskup
Feel free to use this systemd (based on the postgresql one) and logrotate
configuration for a multi-instance setup according to the wiki [1].
Might be useful for others.

The instance is "enabled" by the presence of the
/etc/squid/${service_name}.instance file.

There could be includes like these in squid.conf:

pid_filename /var/run/squid/${service_name}.pid # required
include /etc/squid/conf.d/${service_name}-http_port.conf # at least http_port needs to differ
include /etc/squid/conf.d/${service_name}-cache_dir.conf # cache_dir needs to differ as well
include /etc/squid/conf.d/${service_name}-log.conf # log targets need to differ as well

Example of http_port configuration:
~# cat conf.d/test-http_port.conf
http_port 8080 name=${service_name} # see the use of the ${service_name} macro in included files

And services are managed via systemd:
~# systemctl start squid@prod.service
~# systemctl status squid@prod.service

[1] https://wiki.squid-cache.org/MultipleInstances

Peter


Attachments: squid.logrotate, squid.service, squid@.service


Re: [squid-users] squid4 with sslbump not logged server side cert_subject and cert_issuer

2018-02-16 Thread Peter Viskup
On Thu, Feb 15, 2018 at 7:41 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 02/15/2018 07:32 AM, Amos Jeffries wrote:
>> On 16/02/18 01:44, Peter Viskup wrote:
>>> Running squid version 4.0.23 with logformat including
>>>
>>> SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
>>> SSLClientProto="%ssl::>negotiated_version"
>>> SSLServerProto="%ssl::<negotiated_version"
>>> SSLBumpClientCipher="%ssl::>negotiated_cipher"
>>> SSLBumpServerCipher="%ssl::<negotiated_cipher"
>>> SSLBumpSubject="%ssl::<cert_subject"
>>> SSLBumpIssuer="%ssl::<cert_issuer"
>>>
>>> and ssl_bump configured simply with
>>>
>>> ssl_bump bump all
>>> http_access allow all
>>>
>>> the messages are still logged with dashes for Subject and Issuer values
>>>
>>> SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"
>>>
>>> Am I doing something wrong or did I overlook something?
>> You told Squid to "bump all" which, by itself, means bump immediately
>> after client Hello arrives.
>
> In other words, you are doing a rough equivalent of the ancient
> client-first bumping. To tell Squid to look at the client and server TLS
> handshake messages (including the server certificate) before bumping the
> connection, use something like this:
>
>   ssl_bump stare all
>   ssl_bump bump all

I confirm that with these two lines the cert information is logged as expected.
I will read the wiki once more.

> The log message contains a server cipher (%ssl::<negotiated_cipher) so
> Squid ought to know the certificate as well. The missing certificate in
> this context sounds like a bug or a missing feature to me: Either the
> server cipher should not be logged (if Squid did not see the origin
> handshake yet) or both the cipher and the certificate details should be
> logged. The only exception I could think of is a TLS negotiation error
> where the server sends the cipher but not the certificate.
>
> The above problem may not be important if, in fact, you did not actually
> want to use client-first bumping (which usually does not work well),
> _and_ staring at the server (i.e., stare all) logs the information you
> want. However, that does not mean the problem is not there.

I do not want to use client-first bump, and thus the issue is solved by stare.
Thank you.


[squid-users] squid4 with sslbump not logged server side cert_subject and cert_issuer

2018-02-15 Thread Peter Viskup
Running squid version 4.0.23 with logformat including

SSLBumpMode=%ssl::bump_mode SSLSNI="%ssl::>sni"
SSLClientProto="%ssl::>negotiated_version"
SSLServerProto="%ssl::<negotiated_version"
SSLBumpClientCipher="%ssl::>negotiated_cipher"
SSLBumpServerCipher="%ssl::<negotiated_cipher"
SSLBumpSubject="%ssl::<cert_subject"
SSLBumpIssuer="%ssl::<cert_issuer"

and ssl_bump configured simply with

ssl_bump bump all
http_access allow all

the messages are still logged with dashes for Subject and Issuer values

SSLBumpMode=bump SSLSNI="www.google.sk" SSLClientProto="TLS/1.0" SSLServerProto="TLS/1.2" SSLBumpClientCipher="ECDHE-RSA-AES256-SHA" SSLBumpServerCipher="ECDHE-RSA-AES128-GCM-SHA256" SSLBumpSubject="-" SSLBumpIssuer="-"

Am I doing something wrong or did I overlook something?

Re: [squid-users] Squid4 with ssl-bump single_dh_use unknown

2018-02-14 Thread Peter Viskup
Crypto part of the configure log:

checking for nettle_md5_init in -lnettle... yes
checking nettle/md5.h usability... yes
checking nettle/md5.h presence... yes
checking for nettle/md5.h... yes
checking nettle/base64.h usability... yes
checking nettle/base64.h presence... yes
checking for nettle/base64.h... yes
checking for Nettle 3.4 API compatibility... no
configure: Using Nettle cryptographic library: yes
checking for crypt in -lcrypt... yes
checking for MD5Init in -lmd5... no
checking for LIBGNUTLS... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
configure: GnuTLS library support: auto  -lgnutls
checking openssl/bio.h usability... yes
checking openssl/bio.h presence... yes
checking for openssl/bio.h... yes
checking openssl/crypto.h usability... yes
checking openssl/crypto.h presence... yes
checking for openssl/crypto.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes
checking openssl/md5.h usability... yes
checking openssl/md5.h presence... yes
checking for openssl/md5.h... yes
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/x509v3.h usability... yes
checking openssl/x509v3.h presence... yes
checking for openssl/x509v3.h... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking openssl/txt_db.h usability... yes
checking openssl/txt_db.h presence... yes
checking for openssl/txt_db.h... yes
checking for LIBOPENSSL... yes
checking for EVP_PKEY_get0_RSA in -lcrypto... yes
checking for BIO_meth_new in -lcrypto... yes
checking for BIO_get_init in -lcrypto... yes
checking for ASN1_STRING_get0_data in -lcrypto... yes
checking for X509_STORE_CTX_get0_cert in -lcrypto... yes
checking for X509_VERIFY_PARAM_get_depth in -lcrypto... yes
checking for X509_STORE_CTX_get0_untrusted in -lcrypto... yes
checking for X509_STORE_CTX_set0_untrusted in -lcrypto... yes
checking for X509_up_ref in -lcrypto... yes
checking for X509_CRL_up_ref in -lcrypto... yes
checking for DH_up_ref in -lcrypto... yes
checking for X509_get0_signature in -lcrypto... yes
checking for SSL_CIPHER_find in -lssl... yes
checking for SSL_CTX_set_tmp_rsa_callback in -lssl... no
checking for SSL_SESSION_get_id in -lssl... yes
checking for TLS_method in -lssl... yes
checking for TLS_client_method in -lssl... yes
checking for TLS_server_method in -lssl... yes
checking for SSL_CTX_get0_certificate in -lssl... yes
checking whether SSL_CTX_new and similar openSSL API functions require
'const SSL_METHOD *'"... yes
checking whether SSL_get_new_ex_index() dup callback accepts 'const
CRYPTO_EX_DATA *'"... yes
checking whether SSL_CTX_sess_set_get_cb() callback accepts a const ID
argument"... yes
checking "whether X509_get0_signature() accepts const parameters"... yes
checking whether the TXT_DB use OPENSSL_PSTRING data member... yes
checking whether the squid workaround for buggy versions of
sk_OPENSSL_PSTRING_value should used... no
checking whether the workaround for OpenSSL IMPLEMENT_LHASH_  macros
should used... yes
checking whether hello message can be overwritten in SSL struct... no
configure: OpenSSL library support: yes  -lssl -lcrypto


On Wed, Feb 14, 2018 at 2:02 PM, Peter Viskup <skupko...@gmail.com> wrote:
> The build of squid 4.0.23 on current Debian 9 reports single_dh_use as not
> known.
> An older build of squid 3.5.21 on Debian 8 doesn't report it.
> According to the documentation [1] it should be known and supported.
>
> [1] http://www.squid-cache.org/Doc/config/http_port/
>
> Is it a bug?
>
> Peter
>
> $ /usr/sbin/squid -v
> Squid Cache: Version 4.0.23
> Service Name: squid
> Squid built with SSLBump
>
> This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions
> on distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2
> -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
> -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
> -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian
> linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--libex

[squid-users] Squid4 with ssl-bump single_dh_use unknown

2018-02-14 Thread Peter Viskup
The build of squid 4.0.23 on current Debian 9 reports single_dh_use as not known.
An older build of squid 3.5.21 on Debian 8 doesn't report it.
According to the documentation [1] it should be known and supported.

[1] http://www.squid-cache.org/Doc/config/http_port/

Is it a bug?

Peter

$ /usr/sbin/squid -v
Squid Cache: Version 4.0.23
Service Name: squid
Squid built with SSLBump

This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions
on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2
-fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian
linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid'
'--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--disable-loadable-modules' '--enable-storeio=aufs,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-external-acl-helpers=file_userip,session,SQL_session,time_quota,unix_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--disable-esi'
'--enable-icmp' '--enable-zph-qos' '--disable-ecap'
'--disable-translation' '--disable-ident-lookups'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-security-cert-generators=file'
'--enable-ssl-crtd' '--with-openssl' '--without-mit-krb5'
'--without-heimdal-krb5' '--disable-wccp' '--disable-wccpv2'
'--disable-ipv6' '--enable-build-info=Squid built with SSLBump'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g
-O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
-Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro
-Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=.
-fstack-protector-strong -Wformat -Werror=format-security'

$ /usr/sbin/squid -k parse -d 9 -n test
2018/02/14 13:33:41| Startup: Initializing Authentication Schemes ...
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'basic'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'digest'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'negotiate'
2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'ntlm'
2018/02/14 13:33:41| Startup: Initialized Authentication.
2018/02/14 13:33:41| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
2018/02/14 13:33:41| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/02/14 13:33:41| Processing: acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
2018/02/14 13:33:41| Processing: acl SSL_ports port 443 990
2018/02/14 13:33:41| Processing: acl Safe_ports port 80 # http
2018/02/14 13:33:41| Processing: acl Safe_ports port 21 # ftp
2018/02/14 13:33:41| Processing: acl Safe_ports port 443 # https
2018/02/14 13:33:41| Processing: acl Safe_ports port 70 # gopher
2018/02/14 13:33:41| Processing: acl Safe_ports port 210 # wais
2018/02/14 13:33:41| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2018/02/14 13:33:41| Processing: acl Safe_ports port 280 # http-mgmt
2018/02/14 13:33:41| Processing: acl Safe_ports port 488 # gss-http
2018/02/14 13:33:41| Processing: acl Safe_ports port 591 # filemaker
2018/02/14 13:33:41| Processing: acl Safe_ports port 777 # multiling http
2018/02/14 13:33:41| Processing: acl Safe_ports port 990 # ftps
2018/02/14 13:33:41| Processing: acl Safe_ports port 990# ftps
2018/02/14 13:33:41| Processing: acl CONNECT method CONNECT
2018/02/14 13:33:41| Processing: acl purge method PURGE
2018/02/14 13:33:41| Processing: http_access deny !Safe_ports
2018/02/14 13:33:41| Processing: http_access deny CONNECT !SSL_ports
2018/02/14 13:33:41| Processing: http_access allow localhost manager
2018/02/14 13:33:41| Processing: http_access deny manager
2018/02/14 13:33:41| Processing: http_access allow localhost purge
2018/02/14 13:33:41| Processing: http_access deny purge
2018/02/14 13:33:41| Processing: http_access allow localhost
2018/02/14 13:33:41| Processing: http_access deny all
2018/02/14 13:33:41| Processing: include /etc/squid/conf.d/test-http_port.conf
2018/02/14 13:33:41| Processing Configuration File:

Re: [squid-users] Squid service-name macro one config and different ports

2018-02-02 Thread Peter Viskup
On Fri, Feb 2, 2018 at 12:13 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
> On 02/02/18 23:42, Peter Viskup wrote:
> > I want to run multiple instances of Squid4 on the same server with
> > different ports and one configuration file.
> > Not sure whether (and how) the http_port and snmp_port options can be
> > made conditional in squid.conf.
> > At the moment it looks like it is not possible.
>
> "conditional" on what exactly?
>
> When run properly as multi-tenant instances with the -n namespace
> separation the Squid instances know nothing about each other. So there
> is no possible way to configure "I am X not Y" conditions.
>
>
> That said the namespace is provided as a config macro for a reason.
> Which is to make it possible to do this:
>
> squid.conf:
>  ...
>  include /etc/squid/${service_name}.conf
>  ...

This is exactly what I was looking for.

This way I would be able to use one global config with service
specific includes.

Thank you.

Peter


[squid-users] Squid service-name macro one config and different ports

2018-02-02 Thread Peter Viskup
I want to run multiple instances of Squid4 on the same server with different
ports and one configuration file.
Not sure whether (and how) the http_port and snmp_port options can be made
conditional in squid.conf.
At the moment it looks like it is not possible.

The workaround can be to use a separate configuration file for each instance
(inst1.conf, inst2.conf) and include the "global" part of the configuration
in both of them, or separate files with the same global part.

Does any of you have another proposal?

Thank you.

Peter


[squid-users] Log to syslog issues with syslog priority

2017-07-13 Thread Peter Viskup
I tried to configure logging to syslog directly and am experiencing issues
with the syslog priority assigned in the config file not being accepted.

This is the configuration:
~# grep -E '^access_log|^icap_log|logstrmfilter' /etc/squid3/squid.conf
access_log syslog:local7.notice logformat=combined3
acl logstrmfilter http_status 403 500-
acl logstrmfilter2 http_status 200 404 300-304
access_log syslog:local7.err logformat=squidstrm logstrmfilter
access_log syslog:local7.warning logformat=squidstrm !logstrmfilter2
icap_log syslog:local7.info icap_squid

The aim is to log all access entries to local7.notice, some errors to
local7.err and non-retrievable requests to local7.warning, in addition
to logging ICAP to local7.info.

But the syslog receives the access logs at local7.debug, and the ICAP and
error-filtered logs together at local7.info.
Squid version 3.5.21.
I want to forward those messages to a remote syslog server for further
processing. This is the motivation for this setup.

Is there something I misunderstood in the access_log documentation?
It seems there is no ACL filtering effective for the syslog module.

Peter
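To see which facility.severity Squid actually emits, rather than what the config asked for, decode the PRI header of the messages as they arrive at the syslog server and compare it with the configured values; PRI is facility * 8 + severity (RFC 3164 / RFC 5424). This is an added example, not code from Squid or from the thread: the sample messages, the marker substrings used to recognise each log source (`TCP_MISS`, `TCP_DENIED`, `ICAP_`) and the expected mapping are constructed assumptions that mirror the configuration above.

```python
"""Decode syslog PRI values and audit them against the configured access_log/icap_log
facility.severity. Added example; not code from Squid or the mailing-list thread."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed messages as a syslog server would receive them from the proxy.
# <191> = local7.debug, <190> = local7.info; the squid log bodies are made up.
SAMPLE_MESSAGES = [
    '<191>Jul 13 10:00:01 proxy squid[1234]: 10.0.0.5 - - [13/Jul/2017:10:00:01 +0200] '
    '"GET http://example.com/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
    '<190>Jul 13 10:00:02 proxy squid[1234]: 1499932802.123 12 10.0.0.5 ICAP_ECHO/200 345 '
    'RESPMOD icap://127.0.0.1:1344/respmod - -/127.0.0.1 -',
    '<190>Jul 13 10:00:03 proxy squid[1234]: 10.0.0.6 - - [13/Jul/2017:10:00:03 +0200] '
    '"GET http://example.org/x HTTP/1.1" 403 512 "-" "curl/7.52" TCP_DENIED:HIER_NONE',
]

# Assumed markers that identify each configured log target in the message body.
EXPECTED = {"TCP_MISS": "local7.notice", "TCP_DENIED": "local7.err", "ICAP_": "local7.info"}


def encode_pri(spec):
    """'local7.notice' -> 189 (23 * 8 + 5)."""
    facility, severity = spec.split(".")
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(message):
    """Return 'facility.severity' for a raw syslog message, or None without a PRI header."""
    m = PRI_RE.match(message)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    name = FACILITY_NAMES.get(facility, f"facility{facility}")
    return f"{name}.{SEVERITIES[severity]}"


def audit(messages, expected):
    """Return (marker, expected, actual) for every message whose PRI does not match
    the facility.severity configured for the log target the marker identifies."""
    mismatches = []
    for msg in messages:
        actual = decode_pri(msg)
        for marker, want in expected.items():
            if marker in msg and actual != want:
                mismatches.append((marker, want, actual))
    return mismatches


if __name__ == "__main__":
    for marker, want, actual in audit(SAMPLE_MESSAGES, EXPECTED):
        print(f"{marker}: configured {want} (PRI {encode_pri(want)}), received {actual}")
```

Feed it the raw lines from the receiving syslog daemon (most can log the PRI verbatim) and the output tells you whether the priority is lost on Squid's side or rewritten by the forwarding rules on the way to the remote server.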


[squid-users] Meaning of "HTTP I/O number of reads"

2016-08-25 Thread Peter Viskup
Hello all,
we are experiencing some connection issues with SFTP and clear HTTP
clients on Squid version 3.4 built with SSL split.
We occasionally see ERR_CONNECT_FAIL with SYSERR=110.

I just discovered a higher value of "HTTP I/O number of reads" at the time
the issue occurs.
I am not able to understand what this value points to. Sometimes
the value of HTTP I/O number of reads jumps from tens to 6000 or even
higher.

Peter


[squid-users] SSLBump non-HTTPs connections

2016-06-02 Thread Peter Viskup
Hello all,
just wondering whether it is possible to perform SSLBump/SSLSplit for
non-HTTPS connections. At the moment we are interested in FTPS.
We are running Squid version 3.4.2.

With SSLBump configured, in that case we are not able to receive SSL certificates:

proxy:/etc/squid3# grep server-first squid.conf
ssl_bump server-first all
proxy:/etc/squid3# socat TCP-LISTEN:,reuseaddr,fork PROXY:127.0.0.1:www.ftpsservicedomain.net:990,proxyport=8080
proxy:/etc/squid3# openssl s_client -connect localhost: -showcerts
CONNECTED(0003)
140535877478056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

With ssl_bump disabled for the particular destination domain we are
able to receive the SSL certificates:

proxy:/etc/squid3# openssl s_client -connect localhost: -showcerts
CONNECTED(0003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft
Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=www.ftpsservicedomain.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
-----BEGIN CERTIFICATE-----
MIIGQzCCBCugAwIBAgITWgAAuYCRJAQnIMZ1CwABAAC5gDANBgkqhkiG9w0BAQsF


In both cases the only log entry we see is the CONNECT request:
01/Jun/2016:10:16:23 +0200 681 127.0.0.1 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\r\n] [-]

Best regards,
-- 
Peter Viskup