Re: [squid-users] Ubuntu 22.04 LTS repository for Squid 6.9 (rebuilt from sources in Debian)

2024-04-11 Thread Rafael Akchurin
Only 6.9 is in Debian now; once 6.10 is there, I will republish.

Best regards,
Rafael



From: squid-users  On Behalf Of 
Dmitry Melekhov
Sent: Thursday, April 11, 2024 11:42 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Ubuntu 22.04 LTS repository for Squid 6.9 (rebuilt 
from sources in Debian)

11.04.2024 13:30, Rafael Akchurin wrote:
Hello everyone,

Online repository with latest Squid 6.9



why not 6.10?


___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


[squid-users] Ubuntu 22.04 LTS repository for Squid 6.9 (rebuilt from sources in Debian)

2024-04-11 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 6.9 (rebuilt from sources in Debian) for 
Ubuntu 22.04 LTS 64-bit is available at https://squid69.diladele.com/.
Github repo https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu22 
contains all the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid69.diladele.com/ubuntu/ jammy main" \
> /etc/apt/sources.list.d/squid69.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

This version of Squid will now be part of Web Safety 9.2 coming out in summer 
of 2024.  If you have some spare time and are interested in Admin UI for Squid 
and ICAP web filtering, consider downloading an appliance for VMware 
ESXi/vSphere (https://packages.diladele.com/websafety-va/9.0/websafety.zip) or 
Microsoft Hyper-V (https://packages.diladele.com/websafety-va/9.0/websafety-hyperv.zip) 
or even deploy directly on Microsoft Azure 
(https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety) 
and Amazon AWS (https://aws.amazon.com/marketplace/pp/prodview-ixvbzugrltcqq).

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.



[squid-users] Ubuntu 22.04 LTS repository for Squid 6.6 (rebuilt from sources in Debian unstable)

2024-01-19 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 6.6 (rebuilt from sources in Debian 
unstable) for Ubuntu 22.04 LTS 64-bit is available at 
https://squid66.diladele.com/.
Github repo https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu22 
contains all the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid66.diladele.com/ubuntu/ jammy main" \
> /etc/apt/sources.list.d/squid66.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

This version of Squid will now be part of Web Safety 9.0 coming out in March 
2024.  If you have some spare time and are interested in Admin UI for Squid and 
ICAP web filtering, consider downloading an appliance for VMware 
ESXi/vSphere (https://packages.diladele.com/websafety-va/9.0/websafety.zip) or 
Microsoft Hyper-V (https://packages.diladele.com/websafety-va/9.0/websafety-hyperv.zip) 
or even deploy directly on Microsoft Azure 
(https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety) 
and Amazon AWS (https://aws.amazon.com/marketplace/pp/prodview-ixvbzugrltcqq).

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.



[squid-users] Ubuntu 22.04 LTS repository for Squid 6.5 (rebuilt from sources in Debian unstable)

2023-11-11 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 6.5 (rebuilt from sources in Debian 
unstable) for Ubuntu 22.04 LTS 64-bit is available at 
https://squid65.diladele.com/.
Github repo https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu22 
contains all the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid65.diladele.com/ubuntu/ jammy main" \
> /etc/apt/sources.list.d/squid65.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. This version of Squid will now be part of Web Safety 9.0 coming out in 
early 2024. If you have time and are interested in Admin UI for Squid and 
ICAP web filtering, consider using the latest development version at 
https://www.diladele.com/download.html; the preconfigured appliance can be 
easily deployed in VMware ESXi/vSphere, Microsoft Hyper-V, Microsoft Azure and 
Amazon AWS.


Re: [squid-users] TLS passthrough

2023-09-30 Thread Rafael Akchurin
Hello Fernando,

One way to do that is to use policy-based routing on your gateway.

This can be easily done with, for example, Mikrotik (see 
https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html), 
but also with native, say, Debian (we only have a somewhat outdated tutorial with 
Debian 10/Ubuntu 20 at 
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html).

Hope this will help.
Best regards,
Rafael

From: squid-users  On Behalf Of 
Fernando Giorgetti
Sent: Saturday, September 30, 2023 12:07 AM
To: Alex Rousskov 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TLS passthrough

If someone has already done that, with the client running in a different 
machine, I would love to know how.

In case Squid runs on the same machine used as a network gateway to the client 
machine, I suppose the config would be similar, but if it's not running on the 
same machine used as the gateway, then it would be nice to see how.

Thanks

On Fri, 29 Sep 2023 at 18:13, Alex Rousskov <rouss...@measurement-factory.com> wrote:
On 2023-09-29 13:55, Fernando Giorgetti wrote:

> The "intercept" scenario demonstrated here
> https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
> makes sense to me, as we are just redirecting internal traffic into Squid,
> so the original destination IP is preserved.

> I was able to make it work and that TLS app worked just fine. The
> only constraint is that it requires that both the client and Squid
> ran on the same machine, but at least it worked perfectly.

I am very glad you are making progress. FWIW, there are also ways to
intercept traffic from applications that do not run on the same machine
as Squid. This is not my area of expertise, but others on the list can
guide you if you need that kind of setup.


> Here is my squid.conf (just in case someone eventually has a similar
> issue):

Thank you!

Alex.



> acl CONNECT method CONNECT
> acl mytlsserverip dst 10.0.0.10
> http_access allow CONNECT mytlsserverip
>
> http_port 3128
>
> https_port 127.0.0.1:3129 intercept ssl-bump \
>     tls-cert=/tmp/certs/squid.pem \
>     tls-key=/tmp/certs/squid.key \
>     generate-host-certificates=off
>
> ssl_bump splice all
>
>
> And here are the firewall rules I have used:
>
> iptables -t nat -I OUTPUT -p tcp -d 10.0.0.10 --dport 55671 -j DNAT \
>     --to-destination 127.0.0.1:3129
> iptables -t nat -I OUTPUT --match owner --uid-owner squid -p tcp -d 10.0.0.10 \
>     --dport 55671 -j ACCEPT
>
> I appreciate all the guidance and discussion Matus and Alex.
>
> Thank you,
> Fernando
>
> On Fri, Sep 29, 2023 at 12:53 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
> On 2023-09-29 10:55, Fernando Giorgetti wrote:
>  > Do you control the client application? If yes, then perhaps
> it can be
>  > adjusted to support HTTP proxies? In other words, the client
> will send a
>  > plain text HTTP CONNECT request to Squid and, upon receiving
> a 200
>  > (Connection Established) response headers, will start using
> TLS with the
>  > origin server. In this case, you do not need interception.
>
>
>  > Nope, the client application is also used to communicate with
> other apps in
>  > other environments.
>
> FWIW, "used with other apps" does not imply or explain the "nope, we do
> not control the application" answer IMHO.
>
>
>  > The SNI has to be used as the client/server apps perform
>  > mutual TLS authentication.
>
> To avoid a misunderstanding, nothing I have said precludes the use of
> TLS SNI by the client application. Thus, I am not sure why you are
> saying the above.
>
>
>  > In order to evaluate if we can use Squid for this purpose, I have
>  > also created a basic TLS client/server app to validate what is
>  > happening. Basically my TLS client tries to connect directly to Squid
>  > IP/Port and I am indicating the SNI so that the TLS handshake
>  > passes.
>
> FWIW, a scenario where the client application establishes a TLS
> connection with Squid https_port (configured as a reverse HTTPS proxy)
> will not work for your use case AFAICT. I am not sure why you are
> testing this. It has not been suggested on this mailing list.
>
> BTW, you can use ("curl" or even "openssl s_client") and "openssl
> s_server" for basic tests. I recommend using well-known test programs
> (instead of custom apps) because doing so makes it easier for mailing
> list readers to understand what your test clients and servers are doing
> (and to reproduce your setup).
>
>
>  > When I tried to make it work using a forward proxy with intercept and
>  > ssl_bump, I could not make Squid peek at the SNI and tunnel the
>  > request to the 

[squid-users] [icap] rewritten transparent intercept tutorials for squid, mikrotik, ubuntu 20, debian 12 (nftables) and rhel 9 (firewalld)

2023-08-20 Thread Rafael Akchurin
Hello everyone,

The three tutorials on how to configure transparent interception and inspection 
of HTTP and HTTPS traffic using Squid 5 on Ubuntu 20, Debian 12 and RHEL 9 were 
rewritten and re-tested for correct operation with the latest Web Safety 8.6 ICAP 
filter.

The tutorials are:

  *   RHEL 9 - https://docs.diladele.com/tutorials/transparently_filtering_https_centos/index.html
  *   Debian 12 (nftables) - https://docs.diladele.com/tutorials/transparent_proxy_debian/index.html
  *   Mikrotik 7 + Ubuntu 20 (policy based routing) - https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Hope you will find it useful.

Best regards,
Rafael Akchurin
Diladele B.V.




Re: [squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

2023-07-13 Thread Rafael Akchurin
And the configure options are just those from Debian Unstable (I only added 
--disable-optimizations to be able to debug in vscode):


./configure \
--with-build-environment=default \
--disable-optimizations \
--enable-build-info="ubuntu 22" \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--libexecdir=/usr/lib/squid \
--mandir=/usr/share/man \
--enable-inline \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd,rock" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
--enable-auth-digest="file,LDAP" \
--enable-auth-negotiate="kerberos,wrapper" \
--enable-auth-ntlm="fake,SMB_LM" \
--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group" \
--enable-security-cert-validators="fake" \
--enable-storeid-rewrite-helpers="file" \
--enable-url-rewrite-helpers="fake" \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid \
--with-logdir=/var/log/squid \
--with-pidfile=/run/squid.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--enable-linux-netfilter \
--with-systemd



-Original Message-
From: squid-users  On Behalf Of Alex 
Rousskov
Sent: Thursday, July 13, 2023 5:02 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

On 7/13/23 10:29, Francesco Chemolli wrote:
> Hi Rafael,
>    that code was moved to a RegisteredRunner in commit
> 09490bb867d0b3f00a29911a65c715108e95b782 .
> I'm not sure why it is not working for you

That commit broke NTLM support in some environments because the linker in those 
environments does not add src/auth/ntlm/Scheme.cc code to squid executable. 
Linkers are allowed to drop modules that they think are unused. We will need to 
find a solution to that problem.

Alex.


> On Thu, Jul 13, 2023 at 1:38 PM Rafael Akchurin <rafael.akchu...@diladele.com> wrote:
> 
> Good day everyone,
> 
> We are now trying to move the configuration which was valid and
> working in Squid 5.7 to Squid 6.1 and are hitting the following error:
> Unknown authentication scheme 'ntlm'
> 
> The problem seems to be with the following configuration we use
> (output from squid -k parse).
> 
> 023/07/13 13:34:04| Processing: auth_param ntlm program
> /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
> 2023/07/13 13:34:04| ERROR: Failure while parsing Config File:
> Unknown authentication scheme 'ntlm'.
> 2023/07/13 13:34:04| FATAL: Bungled
> /opt/websafety/etc/squid/authentication.conf line 231: auth_param
> ntlm program /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan
> --dc1port=389
> 2023/07/13 13:34:04| Squid Cache (Version 6.1): Terminated abnormally.
> 
> Comparing the contents of squid-5.9/src/AuthReg.cc and
> squid-6.1/src/AuthReg.cc it seems the support for NTLM
> authentication was indeed removed from the codebase (see below).
> 
> May I ask if the NTLM scheme is not needed at all now and we should
> continue using only Negotiate scheme (letting it handle the NTLM as
> usual)?
> 
> Best regards,
> Rafael Akchurin
> Diladele B.V.
> 
> 
> In 5.0 the AuthReg.cc was
> 
> /**
> * Initialize the authentication modules (if any)
> * This is required once, before any configuration actions are taken.
> */
> void
> Auth::Init()
> {
>      debugs(29,DBG_IMPORTANT,"Startup: Initializing Authentication
> Schemes ...");
> #if HAVE_AUTH_MODULE_BASIC
>      static const char *basic_type =
> Auth::Basic::Scheme::GetInstance()->type();
>      debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
> Scheme '" << basic_type << "'");
> #endif
> #if HAVE_AUTH_MODULE_DIGEST
>      static const char *digest_type =
> Auth::Digest::Scheme::GetInstance()->type();
>      debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
> Scheme '" << digest_type << "'");
> #endif
>

[squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

2023-07-13 Thread Rafael Akchurin
Good day everyone,

We are now trying to move the configuration which was valid and working in Squid 
5.7 to Squid 6.1 and are hitting the following error:
Unknown authentication scheme 'ntlm'

The problem seems to be with the following configuration we use (output from 
squid -k parse).

023/07/13 13:34:04| Processing: auth_param ntlm program 
/opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
2023/07/13 13:34:04| ERROR: Failure while parsing Config File: Unknown 
authentication scheme 'ntlm'.
2023/07/13 13:34:04| FATAL: Bungled 
/opt/websafety/etc/squid/authentication.conf line 231: auth_param ntlm program 
/opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
2023/07/13 13:34:04| Squid Cache (Version 6.1): Terminated abnormally.

Comparing the contents of squid-5.9/src/AuthReg.cc and squid-6.1/src/AuthReg.cc 
it seems the support for NTLM authentication was indeed removed from the 
codebase (see below).

May I ask if the NTLM scheme is not needed at all now and we should continue 
using only Negotiate scheme (letting it handle the NTLM as usual)?

Best regards,
Rafael Akchurin
Diladele B.V.


In 5.0 the AuthReg.cc was

/**
 * Initialize the authentication modules (if any)
 * This is required once, before any configuration actions are taken.
 */
void
Auth::Init()
{
    debugs(29,DBG_IMPORTANT,"Startup: Initializing Authentication Schemes ...");
#if HAVE_AUTH_MODULE_BASIC
    static const char *basic_type = Auth::Basic::Scheme::GetInstance()->type();
    debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << basic_type << "'");
#endif
#if HAVE_AUTH_MODULE_DIGEST
    static const char *digest_type = Auth::Digest::Scheme::GetInstance()->type();
    debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << digest_type << "'");
#endif
#if HAVE_AUTH_MODULE_NEGOTIATE
    static const char *negotiate_type = Auth::Negotiate::Scheme::GetInstance()->type();
    debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << negotiate_type << "'");
#endif
#if HAVE_AUTH_MODULE_NTLM
    static const char *ntlm_type = Auth::Ntlm::Scheme::GetInstance()->type();
    debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << ntlm_type << "'");
#endif
    debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication.");
}


In 6.1 it is now



/**
 * Initialize the authentication modules (if any)
 * This is required once, before any configuration actions are taken.
 */
void
Auth::Init()
{
    debugs(29, 2, "Initializing Authentication Schemes ...");
#if HAVE_AUTH_MODULE_BASIC
    static const char *basic_type = Auth::Basic::Scheme::GetInstance()->type();
    debugs(29, 2, "Initialized Authentication Scheme '" << basic_type << "'");
#endif
#if HAVE_AUTH_MODULE_DIGEST
    static const char *digest_type = Auth::Digest::Scheme::GetInstance()->type();
    debugs(29, 2, "Initialized Authentication Scheme '" << digest_type << "'");
#endif
#if HAVE_AUTH_MODULE_NEGOTIATE
    static const char *negotiate_type = Auth::Negotiate::Scheme::GetInstance()->type();
    debugs(29, 2, "Initialized Authentication Scheme '" << negotiate_type << "'");
#endif
}


Re: [squid-users] HSTS in browsers summary, help wanted.

2023-06-28 Thread Rafael Akchurin
Hello Eliezer,

Please be sure to clean up the mimicked cert storage of Squid after changing 
the Root CA for sslbump (if you use one).

Best regards,
Rafael
Diladele B.V.

-Original Message-
From: squid-users  On Behalf Of 
ngtech1...@gmail.com
Sent: Wednesday, June 28, 2023 6:03 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] HSTS in browsers summary, help wanted.

Hey Everyone,

I am testing Squid 5.9 and 6.0.3 now and I am trying to understand what might 
go wrong in the client side with SSL Bump.
I have a nice setup which works with a mysql DB and it can be recreated with 
vagrant in a very simple manner on-top of all EL8 based Distros.
(Alma, Rocky, CentOS, Oracle, RHEL, Fedora).

There are a set of helpers which runs in the background and do the heavy 
lifting to make the setup more dynamic.

Since I am using an existing DESKTOP there is HSTS history in the browsers:
- Edge
- Chrome
- Firefox

I have added the Root CA certificate to both Windows trusted root ca's store 
and into firefox certificates store.

For many sites like bing... the HSTS warning is popping out.
In edge I can disable HSTS but I don't know how to clean the HSTS cache in Edge 
and in other browsers.
Any help would be useful.

Thanks,
Eliezer

* I will post later on the Vagrant sources.



[squid-users] ClamAV crash in eCAP Adapter

2023-03-01 Thread Rafael Akchurin
Hello everyone,

May I ask for your experiences with the latest update of ClamAV with eCAP 
adapter enabled. Running Squid 5.7 on Ubuntu 20.04.
Starting from today (01-March-2023) the following crash stops Squid process.

#0  0x7fab13a44ff0 in cli_bm_scanbuff () from /lib/x86_64-linux-gnu/libclamav.so.9
#1  0x7fab13a4c8da in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#2  0x7fab13a52023 in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#3  0x7fab13a545a9 in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#4  0x7fab13a5a589 in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#5  0x7fab13a5b4cf in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#6  0x7fab13a54251 in ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
#7  0x7fab13a5767a in cl_load () from /lib/x86_64-linux-gnu/libclamav.so.9
#8  0x7fab13c123e5 in Adapter::ClamAv::loadDatabase (this=this@entry=0x56119a5f4290) at ClamAv.cc:137
#9  0x7fab13c12658 in Adapter::ClamAv::configure (this=0x56119a5f4290, cfg=...) at ClamAv.cc:83
#10 0x7fab13c0939d in Adapter::Service::configure (this=0x56119a5ef940, cfg=warning: RTTI symbol not found for class 'Adaptation::Ecap::ConfigRep'
...) at /usr/include/c++/9/tr1/shared_ptr.h:668
#11 0x56119979bd04 in Adaptation::Ecap::ServiceRep::tryConfigureAndStart() ()
#12 0x56119979c38b in Adaptation::Ecap::ServiceRep::finalize() ()
#13 0x561199783126 in Adaptation::Config::Finalize(bool) ()
#14 0x56119951ba3f in SquidMain(int, char**) ()
#15 0x5611993a8ef6 in main ()

Am I correct to think the crash might be related to some definition file update 
issued by ClamAV team?

Already tried re-download of the definition files using freshclam, but without 
any success.
Disabling eCAP adapter solves the problems but I would rather find out why it 
crashes.

Best regards,
Rafael



Re: [squid-users] daily usage email reports for hostnames/users/top URLs/blocked URLs

2022-11-28 Thread Rafael Akchurin
Hello Alex,

We use our own reporter like in 
https://docs.diladele.com/administrator_guide_stable/traffic_monitoring/reports.html
Disclosure – it requires a license key ☹.

Best regards,
Rafael

From: squid-users  On Behalf Of Alex 
Kimble
Sent: Monday, November 28, 2022 2:37 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] daily usage email reports for hostnames/users/top 
URLs/blocked URLs

What is everyone using for generating and emailing daily reports in either 
.csv/.pdf/.html format for which machines/users? Looking for a simple report 
that shows top URLs & blocked URLs.

Thanks,

Alex Kimble
Senior Security Analyst

317.869.6708 pc
317.617.0812 wc
alex.kim...@viewpointe.com

227 West Trade Street, Suite 2000
Charlotte, NC 28202

www.viewpointe.com






Re: [squid-users] ubuntu ecap clamAV adapter

2022-11-24 Thread Rafael Akchurin
Hello Robert,

Maybe this will be of some help: this is how we compile the eCAP for Squid - 
https://github.com/diladele/websafety/blob/master/core.ubuntu20/03_clamav.sh
If you need to compile Squid too, also look at 
https://github.com/diladele/squid-ubuntu

Best regards,
Rafael

From: squid-users  On Behalf Of 
robert k Wild
Sent: Thursday, November 24, 2022 7:23 PM
To: Squid Users 
Subject: [squid-users] ubuntu ecap clamAV adapter

hi all,

so I'm trying to install squid, ecap with the clamAV adapter

I noticed when I install squid it already comes with libecap, so all I need to 
do is install the clamAV adapter

so do I just need to do this

wget https://www.e-cap.org/archive/ecap_clamav_adapter-2.0.0.tar.gz

but when i do

./configure

i get this error

configure: error: in `/root/ecap_clamav_adapter-2.0.0':
configure: error: The pkg-config script could not be found or is too old.  Make 
sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.

Alternatively, you may set the environment variables LIBECAP_CFLAGS
and LIBECAP_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

To get pkg-config, see .
See `config.log' for more details

I've looked at their website but it's for the sample adapter

any help would be great

thanks,
rob

--
Regards,

Robert K Wild.


Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-18 Thread Rafael Akchurin
Also it might have been related to recent Microsoft Updates.

The following article summarizes our issues with Kerberos (note we use a 
special user in AD with keytab, not joining of proxy into the domain).

https://docs.diladele.com/faq/squid/authentication/event_14_kerberos_key_distribution_center.html

Best regards,
Rafael

-Original Message-
From: squid-users  On Behalf Of 
Klaus Brandl
Sent: Friday, November 18, 2022 3:23 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

Which options do you have configured for the auth helper?
Something like:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i

Best regards

Klaus

On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote:
> Hi David,
>  
> Thanks for your advice but it doesn't help me. I use an AD account which 
> doesn't have these parameters set.
>  
> Misha.
>  
> 17.11.2022, 10:07, "David Touzeau" :
> > Hi
> > 
> > perhaps this one
> > https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-can
> > not-decrypt-ticket
> > 
> >  
> > On 16/11/2022 at 05:11, Михаил wrote:
> > > Hi everybody,
> > >  
> > > Could you help me to setup my new squid server? I have a problem 
> > > with keytab authorization.
> > >  
> > > 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating 
> > > user. Result: {result=BH, notes={message:
> > > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor 
> > > code may provide more information. Cannot decrypt ticket for 
> > > HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for 
> > > HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }} Got NTLMSSP 
> > > neg_flags=0xe2088297
> > > 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating 
> > > user. Result: {result=BH, notes={message:
> > > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor 
> > > code may provide more information. Cannot decrypt ticket for 
> > > HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for 
> > > HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> > >  
> > > # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab
> > > HTTP/uisproxy-rop.***.***.corp
> > > Using default cache: /tmp/krb5cc_0 Using principal: 
> > > HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > > Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Authenticated to Kerberos v5
> > >  
> > > # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------
> > >    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
> > >    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >  
> > > # klist -kt
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Timestamp           Principal
> > > ---- ------------------- --------------------------------------------------
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >  
> > > ___
> > > squid-users mailing list
> > > squid-users@lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> >  
> > --
> > David Touzeau - Artica Tech France
> > Development team, level 3 support
> > --
> > P: +33 6 58 44 69 46
> > www: https://wiki.articatech.com
> > www: http://articatech.net
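The keytab listing quoted in this thread is where to look when negotiate_kerberos_auth reports that it cannot decrypt a ticket using the keytab key: the keytab must hold a key for the HTTP/ principal with the key version number (KVNO) and an encryption type that the KDC is actually using for the service ticket. What follows is an added example, not code from the thread or from Diladele: shell helpers that pull one principal's KVNOs and encryption types out of `klist -ke` output and check that an AES key is among them, run here against a constructed listing shaped like the redacted one above (principal and realm names are made up; the function names are this example's own).

```shell
#!/bin/sh
# Added example (not from the thread): read `klist -ke` output and summarise a
# principal's key version numbers and encryption types. "Cannot decrypt ticket
# ... using keytab key" means no key in the keytab matched the ticket, so the
# KVNO and the encryption types are the first things to compare with the KDC.
set -eu

# Constructed listing in the shape of the redacted one in the thread; names are
# made up, and the host/ principal is given two KVNOs on purpose.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/keytab/proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 proxy-t$@EXAMPLE.CORP (arcfour-hmac)
   3 proxy-t$@EXAMPLE.CORP (aes128-cts-hmac-sha1-96)
   3 proxy-t$@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
   2 host/proxy@EXAMPLE.CORP (arcfour-hmac)
   3 host/proxy@EXAMPLE.CORP (arcfour-hmac)'

# Join stdin lines with single spaces, newline-terminated (nothing if empty).
join_words() {
    awk 'BEGIN { ORS = "" } NR > 1 { print " " } { print } END { if (NR > 0) print "\n" }'
}

# Entry lines of `klist -ke` look like "   3 HTTP/host@REALM (enctype)"; the
# header, separator and "Keytab name:" lines have a non-numeric first field.
# Both selectors read the listing on stdin and take the principal as $1.

# keytab_kvnos <principal>: distinct key version numbers, ascending
keytab_kvnos() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { print $1 }' \
        | LC_ALL=C sort -nu | join_words
}

# keytab_enctypes <principal>: distinct encryption types, sorted
keytab_enctypes() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { gsub(/[()]/, "", $3); print $3 }' \
        | LC_ALL=C sort -u | join_words
}

# keytab_has_aes <principal>: succeeds only if an AES key is present; a keytab
# holding only arcfour-hmac (RC4) cannot decrypt a ticket encrypted with AES.
keytab_has_aes() {
    keytab_enctypes "$1" | grep -q aes
}

# keytab_report <keytab file> <principal>: the same checks against a real keytab
keytab_report() {
    listing="$(klist -ke "$1")"
    printf '%s kvno: %s\n' "$2" "$(printf '%s\n' "$listing" | keytab_kvnos "$2")"
    printf '%s enctypes: %s\n' "$2" "$(printf '%s\n' "$listing" | keytab_enctypes "$2")"
    printf '%s\n' "$listing" | keytab_has_aes "$2" \
        || printf 'WARNING: no AES key for %s in %s\n' "$2" "$1"
}
```

On a proxy host, `keytab_report /etc/squid/keytab/proxy.keytab HTTP/proxy.example.corp@EXAMPLE.CORP` prints the three lines; compare the KVNO with what `kvno HTTP/proxy.example.corp@EXAMPLE.CORP` reports on a client holding a valid ticket, since a keytab exported before the account's password was last reset carries an older version and cannot decrypt current tickets.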

Re: [squid-users] How to generate daily usage email reports?

2022-11-17 Thread Rafael Akchurin
Hello Alex,

We have something like what you seem to be in need of: 
https://docs.diladele.com/administrator_guide_stable/traffic_monitoring/reports.html
But these reports are not Squid analyzer :( sorry.

Best regards,
Rafael

From: squid-users  On Behalf Of Alex 
Kimble
Sent: Thursday, November 17, 2022 4:57 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] How to generate daily usage email reports?

Greetings Squid users,

I have 2 questions:


  1.  What are some good ways to generate a daily usage report which I can 
receive in email format? .csv or .html is fine (top users, top URLs, blocked 
URLs).
  2.  Can daily usage reports be created and emailed from Squidanalyzer or is 
that just eye candy?

Thank you!

Alex


Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-19 Thread Rafael Akchurin
The following line set in the Script Address box of the browser proxy 
configuration will help - no need for a PAC file for quick tests. Be sure to 
adjust the proxy name and port.

data:,function FindProxyForURL(u, h){return "HTTPS proxy.example.lan:8443";}

More info at https://webproxy.diladele.com/docs/network/secure_proxy/browsers/

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: squid-users  On Behalf Of 
Grant Taylor
Sent: Thursday, October 20, 2022 2:39 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] FW: Encrypted browser-Squid connection errors

On 10/19/22 8:33 AM, Alex Rousskov wrote:
> I do not know exactly what you mean by "https proxy" in this context, 
> but I suspect that you are using the wrong FireFox setting. The easily 
> accessible "HTTPS proxy" setting in the "Configure Proxy Access to the 
> Internet" dialog is _not_ what you need! That setting configures a 
> plain text HTTP proxy for handling HTTPS traffic. Very misleading, I know.

+10 to the antiquated UI ~> worse UX.

> You need a PAC file that tells FireFox to use an HTTPS proxy.

I believe you can use the FoxyProxy add-on to manage this too.



--
Grant. . . .
unix || die



[squid-users] Ubuntu 20.04 LTS repository for Squid 5.7 (rebuilt from sources in Debian unstable)

2022-10-13 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 5.7 (rebuilt from sources in Debian 
unstable) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid57.diladele.com/.
Github repo https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu20 
contains the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid57.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid57.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 5.7 will be part of upcoming Web Safety 8.3 planned for release 
in winter of 2023.  This version will contain the Microsoft Azure Tenant 
Restrictions and Google App Limitation functionality as well as GEO-IP 
filtering. Download the latest virtual appliance of Web Safety from 
https://www.diladele.com/download.html






Re: [squid-users] Squid 4.8+ intercept

2022-08-10 Thread Rafael Akchurin
Thanks – will do when preparing web safety 8.2 (October/November 2022)  – added 
https://github.com/diladele/websafety/issues/1869

Best regards,
rafael

From: squid-users  On Behalf Of 
ngtech1...@gmail.com
Sent: Wednesday, August 10, 2022 10:10 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.8+ intercept

Hey Rafael,

This document covers the V6 branch of Mikrotik, and the stable release is 7.4.
If you have the resources to publish a V7 document update, it would help 
others.

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Rafael Akchurin
Sent: Tuesday, 9 August 2022 23:54
To: M K <mohammed.khal...@gmail.com>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.8+ intercept

Hello K,

We use https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html
Best regards,
Rafael


On 9 Aug 2022, at 21:29, M K <mohammed.khal...@gmail.com> wrote:

Hello,

I have a setup like this one:

| Client | => | Router | => Internet
 ||
 \/
  | Squid |

...the router is a Mikrotik router capable of all things NAT/Redirect and 
whatnot. Squid server has only one network interface.
Using the router:
- I tried routing traffic to squid server IP.
- I tried destination-NATing from client to server IP, with origin server 
IP-and-port natted to squid IP-and-port, and with origin server IP-only natted 
to squid-IP.

I have been struggling for 2 days to set up a working Squid 4.8 or higher 
interception.
Test server is running Ubuntu 18.4.3 and Squid 4.8.
Documentation is either too trimmed down or extremely outdated.
Any help would be very much appreciated.

All best,
K


Re: [squid-users] Squid 4.8+ intercept

2022-08-09 Thread Rafael Akchurin
Hello K,

We use https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Best regards,
Rafael

On 9 Aug 2022, at 21:29, M K wrote:


Hello,

I have a setup like this one:

| Client | => | Router | => Internet
 ||
 \/
  | Squid |

...the router is a Mikrotik router capable of all things NAT/Redirect and 
whatnot. Squid server has only one network interface.
Using the router:
- I tried routing traffic to squid server IP.
- I tried destination-NATing from client to server IP, with origin server 
IP-and-port natted to squid IP-and-port, and with origin server IP-only natted 
to squid-IP.

I have been struggling for 2 days to set up a working Squid 4.8 or higher 
interception.
Test server is running Ubuntu 18.4.3 and Squid 4.8.
Documentation is either too trimmed down or extremely outdated.
Any help would be very much appreciated.

All best,
K


Re: [squid-users] Windows Server 2019-22 Kerberos transparent Windows client authentication help wanted. Try 2

2022-07-30 Thread Rafael Akchurin
Hello Eliezer,

We use it all the time - 
https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
Not sure if this satisfies your requirements though. But it seems to be very 
stable.

Best regards,
Rafael 



-Original Message-
From: squid-users  On Behalf Of 
ngtech1...@gmail.com
Sent: Saturday, July 30, 2022 9:24 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Windows Server 2019-22 Kerberos transparent Windows 
client authentication help wanted. Try 2

Hey Everybody,

Last time I tried to test transparent Windows client authentication to AD 
with Kerberos, I failed in every test.
The documentation at:
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

is not sufficient: it only describes the idea, and while that is well understood, 
the actual implementation is not well explained in most of the articles I have 
tried to learn from.
Last time I tried CentOS, RHEL, Fedora, Oracle, Debian and Ubuntu, and 
failed.

The latest documents I have seen which seem good to some degree are:
https://support.kaspersky.com/KWTS/6.1/en-US/166440.htm
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/setting-up-squid-as-a-caching-proxy-with-kerberos-authentication


My next try is for:
https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

If someone has knowledge of a specific guide that works for Windows 
Server 2016+, please send me a link.

Thanks,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/




[squid-users] Ubuntu 20.04 LTS repository for Squid 5.5 (rebuilt from sources in Debian unstable)

2022-04-19 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 5.5 (rebuilt from sources in Debian 
unstable) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid55.diladele.com/.
Github repo https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu20 
contains the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid55.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid55.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 5.5 will be part of upcoming Web Safety 8.1 planned for release 
in summer of 2022.
Download the latest virtual appliance of Web Safety from 
https://www.diladele.com/download.html





Re: [squid-users] How to install squid 5 on ubuntu 18.04

2022-01-19 Thread Rafael Akchurin
Hello Hg,

One way we do it is at 
https://docs.diladele.com/howtos/build_squid_on_ubuntu_20/repository.html

Best regards,
Rafael

From: squid-users  On Behalf Of Hg Mi
Sent: Thursday, January 20, 2022 6:40 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How to install squid 5 on ubuntu 18.04


Dear Support,

As mentioned, is there any method to install the squid 53 on ubuntu using apt, 
without compiling it?

Thanks.


Re: [squid-users] Squid upgrade failure support questions

2021-10-25 Thread Rafael Akchurin
Be sure to also check the actual squid.exe is running - not just the service 
wrapper, you might be facing the 
https://github.com/diladele/squid-windows/issues/101 bug (4.14 does not work on 
older processors)

Best regards,
Rafael

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Sunday, 24 October 2021 22:45
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid upgrade failure support questions

On 25/10/21 6:33 am, Yuen, John wrote:
> 
> http_port 3128
> 
> The 'Squid for Windows' service is set to 'Automatic' startup type and 
> shows the 'Running' status. So it can't be that. I can telnet to port
> 3128 on the new working Squid v4.14 server. But I can't telnet to the 
> same port 3128 on the upgraded/non-working Squid server. When I do, it 
> doesn't work and errors out like this:
> 
> C:\>telnet Squid-01 3128
> 
> Connecting To Squid-01...Could not open connection to the host, on 
> port
> 3128: Connect failed
> 

At no point in your post do I see any mention of what the IP addresses are. Can 
you please indicate what "localhost", "Squid-01" resolve to on both the machine 
used as client and the Squid machine. And what IP(s) those firewall rules by 
Local subnet "Any" and Remote address "local subnet".


Amos


[squid-users] Ubuntu 20.04 LTS repository for Squid 5.2 (rebuilt from sources in Debian unstable)

2021-10-11 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 5.2 (rebuilt from sources in Debian 
unstable) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid52.diladele.com/.
Github repo  
https://github.com/diladele/squid-ubuntu/tree/squid-52/src/ubuntu20 contains 
the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid52.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid52.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 5.2 will be part of upcoming Web Safety 7.7 planned for release 
in December, 2021.
Download the latest virtual appliance from 
https://www.diladele.com/download.html




[squid-users] Ubuntu 20.04 LTS repository for Squid 5.1 (rebuilt from sources in Debian unstable)

2021-09-20 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 5.1 (rebuilt from sources in Debian 
unstable) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid51.diladele.com/.
Github repo  
https://github.com/diladele/squid-ubuntu/tree/squid-51/src/ubuntu20 contains 
the scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid51.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid51.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 5.1 will be part of upcoming Web Safety 7.7 planned for release 
in December, 2021.
Download the latest virtual appliance from 
https://www.diladele.com/download.html



[squid-users] Squid for Windows 4.14 is available

2021-05-17 Thread Rafael Akchurin
Hello everyone,

After years of postponing, we were finally able to build and package Squid 4 
for Microsoft Windows.
Sorry it took a lot more time and effort than anticipated. The already 
existing version 4.15 is also being packaged.
I will update once again when it is available.

The MSI can be downloaded from https://squid.diladele.com/ site.

While you are there be sure to check out our other projects - Web Safety ICAP 
web filter and Admin UI for Squid (https://www.diladele.com/) and
DNS Safety filter (something like web safety but on DNS level - 
https://dnssafety.diladele.com/).

Repo for development of Squid for Windows is available at  
https://github.com/diladele/squid-windows.
Please post your question *for MSI problems only* at 
supp...@diladele.com - and for Squid part here.

Best regards,
Rafael






[squid-users] Ubuntu 20.04 LTS repository for Squid 4.13-8 (rebuilt with sslbump support from sources in Debian unstable)

2021-03-21 Thread Rafael Akchurin
Hello everyone,

The online repository with latest Squid 4.13-8 (rebuilt from Debian unstable 
with sslbump support) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid413-ubuntu20.diladele.com/. Github repo  
https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu20 contains the 
scripts we used to make this compilation.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid413-ubuntu20.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid413-ubuntu20.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 4.13 will be part of upcoming Web Safety 7.6 planned for release 
in June, 2021. This version has the ability to use any header value set by 
Squid for selecting of web filtering policies in ICAP server as well as other 
small fixes. Download the latest virtual appliance from 
https://www.diladele.com/download.html




[squid-users] Ubuntu 18 LTS repository for Squid 4.13 (rebuilt with sslbump support from sources in Debian unstable)

2020-08-25 Thread Rafael Akchurin
Hello everyone,

The online repository with latest Squid 4.13 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid413.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.
Scripts for Ubuntu 20 and Ubuntu 16 are also available in that repo.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid413.diladele.com/ubuntu/ bionic main" > 
/etc/apt/sources.list.d/squid413.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient

Hope you will find this useful. Note that older repo of squid412.diladele.com 
will be taken down today (due to sslbump issues with Chrome fixed in Squid 
4.13).

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 4.13 will be part of upcoming Web Safety 7.5 planned for release 
in November, this version has more improvements in the report generation module 
(upload reporting) and other various small fixes. Download the latest virtual 
appliance from https://docs.diladele.com/index.html



Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Rafael Akchurin
Sorry, forgot to add to Amos's answer: use haproxy to handle *tcp* connections 
and let the sslbump/authentication run on the cluster of squids; thus you 
would get working auth on the squid side and use keepalived/haproxy on the client 
side.

I do not see any reason why it cannot work unless you specifically desire to 
use some haproxy's features for l7 loadbalancing.

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: squid-users  On Behalf Of 
Klaus Brandl
Sent: Friday, July 24, 2020 10:45 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication

Hi Brett,

But then you have a single point of failure: if your load balancer is down, 
nothing will work. We need a solution where each system can work by itself. So 
at the moment we merge the keytabs of each system together, and we are able to 
take over the addresses of the other systems. Then we have no load balancing, 
but a fallback solution, which is more important on our systems.

On Friday 24 July 2020 09:53:03 Brett Lymn wrote:
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > But if anyone knows a solution, i will spread my ears :)
> 
> What we do is:
> 
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
> 
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
> 
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA load balancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the load balancer and
> client IP.

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Rafael Akchurin
Hello Klaus, Brett, all list members,

This is the scheme with haproxy and Squid we use all the time in our test lab 
for Web Safety - we need to constantly add/remove test nodes to the cluster 
without breaking/changing anything in Kerberos settings for the constantly 
running client pool - 
https://docs.diladele.com/administrator_guide_stable/active_directory_extra/redundancy/haproxy_proxy_protocol.html

And yes we do *not* use computer account, we use *user* account instead.
See the reasoning  in the tutorial.

Best regards,
Rafael Akchurin
Diladele B.V.

  

-Original Message-
From: squid-users  On Behalf Of 
Brett Lymn
Sent: Friday, July 24, 2020 2:23 AM
To: Klaus Brandl 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication

On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> 
> But if anyone knows a solution, i will spread my ears :)
> 

What we do is:

1) create a user account in AD that will be used for the HA front end, set a 
password and export the keytab for this user
2) Use ktadmin to import the keytab entries for the user created in step
1 into the keytab for squid on the squid servers.
3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user 
created in 1

The SPN (service principal name) tells kerberos to use the user details set up 
in step 1 to authenticate http requests.  This works for us, has been for years.

One thing, if you want to know the IP addresses of your clients in the squid 
logs you will need to do some extra stuff because all accesses will appear to 
come from the HA load balancer.  We have configured our load balancers to insert 
the X-Forwarded-For header into the http traffic and then modified the logging 
to log both the load balancer and client IP.

--
Brett Lymn

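The shared-SPN scheme Brett describes above (one AD user account, its keytab merged into every Squid node's keytab, an SPN for the HA name mapped to that account) is easy to get subtly wrong, and the failure usually surfaces only as a GSS error in cache.log. The script below is an added example, not code from this thread or from Diladele: it runs a few checks over `klist -kte` style output. The keytab listing embedded in it is constructed for the example, and ha.example.lan, node1.example.lan and EXAMPLE.LAN are placeholder names. It checks that the exact SPN clients will ask for is present, lists principals that still carry RC4 or single-DES keys, and counts key versions per principal.

```sh
#!/bin/sh
# Added example (not from the thread or from Diladele): sanity checks on a
# Squid keytab for the shared-SPN setup described above. Input is klist -kte
# style output; the sample below is constructed, and ha.example.lan /
# node1.example.lan / EXAMPLE.LAN are placeholders.
set -eu

SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/20/2020 10:11:12 HTTP/ha.example.lan@EXAMPLE.LAN (arcfour-hmac)
   3 07/20/2020 10:11:12 HTTP/ha.example.lan@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   3 07/20/2020 10:11:12 HTTP/ha.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 06/01/2020 09:00:00 HTTP/ha.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   5 07/20/2020 10:11:12 HTTP/node1.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)'

# Emit "kvno principal enctype" for every key entry, skipping the header and
# separator lines (their first field is not a number).
keytab_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 5 { gsub(/[()]/, "", $NF); print $1, $4, $NF }'
}

# Succeeds only if the principal the clients will ask for is in the keytab.
# Browsers build the SPN from the proxy name they were configured with
# (HTTP/<that name>), so this is the first thing to check when cache.log says
# "No principal in keytab matches desired name".
keytab_has_spn() {
    keytab_entries "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit !found }'
}

# Print principals that still carry RC4 or single-DES keys, the enctypes
# flagged as outdated elsewhere in this archive.
weak_enctypes() {
    keytab_entries "$1" | awk '$3 ~ /^(arcfour-hmac|des-cbc)/ { print $2, $3 }' | sort -u
}

# Number of distinct key versions for one principal. More than one usually
# means an old export was merged in; if the AD account password was reset
# after the export, the KDC's KVNO no longer matches any key here and service
# tickets cannot be decrypted.
kvno_count() {
    keytab_entries "$1" | awk -v spn="$2" '$2 == spn { k[$1] = 1 } END { n = 0; for (v in k) n++; print n }'
}

# Usage against a real host:
#   sh keytab-check.sh --live /etc/squid/HTTP.keytab HTTP/ha.example.lan@EXAMPLE.LAN
if [ "${1:-}" = "--live" ]; then
    LIVE=$(klist -kte "$2")
    keytab_has_spn "$LIVE" "$3" && echo "SPN $3 present" || echo "SPN $3 MISSING" >&2
    echo "weak keys:"; weak_enctypes "$LIVE"
    echo "key versions for $3: $(kvno_count "$LIVE" "$3")"
fi
```

On the constructed sample the SPN check passes for HTTP/ha.example.lan@EXAMPLE.LAN, the RC4 key on that principal is reported, and two key versions (KVNO 2 and 3) are counted for it, which is the situation a merged old export produces.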


[squid-users] [icap] Web Safety 7.4 web filter for Squid proxy is available

2020-05-11 Thread Rafael Akchurin
Greetings everyone,

Web Safety 7.4 - ICAP web filter for Squid proxy and Admin UI for Squid Proxy - 
is now available for production use. The following changes and improvements are 
included in this build.

  *   Added ability to limit bandwidth usage per policy (bandwidth throttling 
is implemented using Squid's delay pool configuration parameters). See this 
documentation article: 
https://docs.diladele.com/administrator_guide_stable/web_filter/policies/bandwidth_limitation.html
  *   Statistics storage optimized, the daily CSV files are packed as GZ files, 
reducing the storage requirements up to 10 times.
  *   Fixed an issue with cluster traffic log uploads from more than two 
cluster nodes.
  *   Fixed issues with rotating of Web Safety logs.
  *   Added support for Squid 4.11 on Ubuntu 18/Debian 10.
  *   Virtual appliance generation infrastructure moved to VMware ESXi 6.7 so 
some unknown issues might occur on older VMware vSphere/ESXi deployments.

Download Links

  *   Virtual appliance for VMware ESXi/vSphere: 
http://packages.diladele.com/websafety-va/7.4/websafety.zip
  *   Virtual appliance for Microsoft Hyper-V: 
http://packages.diladele.com/websafety-va/7.4/websafety-hyperv.zip
  *   The Microsoft Azure and Amazon AWS images are being published now, so 
check the download page (https://www.diladele.com/download.html) later in the week.

If you find bugs or issues with this new build (especially the bandwidth limitation 
code) be sure to create an issue at our GitHub repository: 
https://github.com/diladele/websafety/issues/new

Thanks to all of you for making this possible.
Stay safe.

Best regards,
Rafael Akchurin
Diladele B.V.




[squid-users] Ubuntu 18 LTS repository for Squid 4.11 (rebuilt with sslbump support from sources in Debian unstable)

2020-04-24 Thread Rafael Akchurin
Hello everyone,

The online repository with latest Squid 4.11 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid411.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation. Scripts for Ubuntu 16 are also available in that 
repo.
We plan to add Ubuntu 20 in the near future too.

Here are simple instructions on how to use the repo. For more information see the
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid411.diladele.com/ubuntu/ bionic main" > 
/etc/apt/sources.list.d/squid411.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient

Hope you will find this useful. Note that older repo of squid410.diladele.com 
will be taken down in 1 year.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 4.11 will be part of upcoming Web Safety 7.4 planned for release 
in early June, this version has some improvements in the report generation 
module and support for delay pools per policy. It is now very easy to restrict 
bandwidth usage by Active Directory groups directly from Admin UI. Download the 
latest virtual appliance from https://docs.diladele.com/index.html
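Every repository announcement above enables the repo with `apt-key add`, which makes the publisher's key trusted for all configured repositories and which apt has since deprecated (Debian 11 and Ubuntu 22.04 warn on every use). The script below is an added example, not the diladele/squid-ubuntu project's own instructions: it stores the key in a dedicated keyring referenced by `signed-by`, so the key can only sign this one repository, refuses to fetch the key or the repository over plain http (the 2020 announcements use http:// URLs for both), and compares the downloaded key's fingerprint with a value obtained out of band. The key and repository URLs are the ones from the Squid 4.11 announcement with https assumed; the expected fingerprint is a placeholder, since the page does not state it.

```sh
#!/bin/sh
# Added example, not the diladele/squid-ubuntu project's own instructions:
# enable a third-party apt repository with a dedicated, fingerprint-checked
# keyring instead of the deprecated "apt-key add".
set -eu

# Key and repository URLs from the Squid 4.11 announcement, with https assumed
# (the announcement itself uses http for both).
KEY_URL="https://packages.diladele.com/diladele_pub.asc"
REPO_URL="https://squid411.diladele.com/ubuntu/"
SUITE="bionic"
NAME="squid411"
# Placeholder: the page does not state the publisher's key fingerprint.
# Obtain it out of band and put the 40 hex digits here.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# apt verifies package signatures, but the key itself is only as trustworthy
# as the channel it came over, so insist on TLS for both URLs.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Sources line with signed-by: the key in that keyring is trusted for this
# repository only, whereas apt-key made it trusted for every repository.
render_source_line() {
    # $1 = short name, $2 = repository URL, $3 = suite (bionic, focal, jammy)
    printf 'deb [signed-by=/usr/share/keyrings/%s-archive-keyring.gpg] %s %s main\n' "$1" "$2" "$3"
}

# Write the sources file. $4 is an optional staging root so the function can
# be exercised without touching the real /etc.
write_sources_list() {
    name="$1"; repo_url="$2"; suite="$3"; root="${4:-}"
    url_is_https "$repo_url" || { echo "refusing non-https repository URL: $repo_url" >&2; return 1; }
    mkdir -p "$root/etc/apt/sources.list.d"
    render_source_line "$name" "$repo_url" "$suite" > "$root/etc/apt/sources.list.d/$name.list"
}

# Fetch the publisher key, dearmor it into its own keyring and check the
# fingerprint before apt ever uses it. Needs network, curl and gpg.
install_key() {
    name="$1"; key_url="$2"; expected="$3"; root="${4:-}"
    url_is_https "$key_url" || { echo "refusing non-https key URL: $key_url" >&2; return 1; }
    mkdir -p "$root/usr/share/keyrings"
    keyring="$root/usr/share/keyrings/$name-archive-keyring.gpg"
    curl -fsSL "$key_url" | gpg --dearmor > "$keyring"
    fpr=$(gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$fpr" != "$expected" ]; then
        echo "key fingerprint mismatch: got $fpr" >&2
        rm -f "$keyring"
        return 1
    fi
}

# Run with --apply (as root) to actually enable the repository.
if [ "${1:-}" = "--apply" ]; then
    install_key "$NAME" "$KEY_URL" "$EXPECTED_FPR"
    write_sources_list "$NAME" "$REPO_URL" "$SUITE"
    apt-get update
    apt-get install -y squid-common squid squidclient
fi
```

The same functions apply to any of the squid5x / squid69 repositories announced on this page by changing NAME, REPO_URL and SUITE (focal for 20.04, jammy for 22.04); only the fingerprint check requires a value the announcements do not give.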


[squid-users] [icap] Web Safety 7.3 web filter for Squid proxy is available

2020-03-10 Thread Rafael Akchurin
Greetings everyone,

Web Safety 7.3 - ICAP web filter for Squid proxy and Admin UI for Squid Proxy - 
is now available for production use. The following changes and improvements are 
included in this build.


  *   Optimized all parts of the report generation module - the application now 
requires less time to build the reports and is able to handle reporting of more 
users than before.
  *   Added a setting to allow automatic download of missing intermediate HTTPS 
certificates. Disabled by default.
  *   Fixed some minor issues in report generation, added more debug output to 
the report log allowing for better understanding how much time was spent during 
reporting.
  *   Added support for Squid 4.10 on Ubuntu 18/Debian 10.
  *   Improved cluster configuration sync. The client nodes are able to upload 
the Squid's access logs to the server node. The report building process at 
server node can now create integrated traffic history for the whole cluster.
  *   It is now possible to completely disable traffic monitoring and reporting 
from the Admin UI.

See the version history page for other changes - 
https://docs.diladele.com/version_history/index.html.

Download Links


  *   Virtual appliance for VMware ESXi/vSphere: 
http://packages.diladele.com/websafety-va/7.3/websafety.zip
  *   Virtual appliance for Microsoft Hyper-V: 
http://packages.diladele.com/websafety-va/7.3/websafety-hyperv.zip
  *   Microsoft Azure appliance (both 7.3 PAYG and BYOL instances): 
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety
  *   Amazon AWS appliance (7.3 BYOL instance is being published): 
https://aws.amazon.com/marketplace/pp/B07KJHLHKC

Best regards,
Rafael Akchurin
Diladele B.V.



Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-17 Thread Rafael Akchurin
Thanks, will do!
When you say outdated, do you mean the ciphers? Or the instructions?

Raf

-Original Message-
From: squid-users  On Behalf Of 
L.P.H. van Belle
Sent: Monday, 17 February 2020 11:23
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] please, can someone help me with the negotiate 
kerberos?

Hi Rafael, 

Yes, I agree, this is the other most simple way, but I suggest you 
remove/change on this page:

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

These are really outdated. ;-) 


To ( just the default )

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = true
dns_lookup_realm = false


Keytabs and samba, read: 
https://wiki.samba.org/index.php/Generating_Keytabs

https://wiki.samba.org/index.php/Keytab_Extraction 



Greetz, 

Louis




> -Original Message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Rafael 
> Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with the 
> negotiate kerberos?
> 
> Hello Rafael,
> 
> There is an easier option *without* joining the Squid machine to the 
> domain, See tutorial at 
> https://docs.diladele.com/administrator_guide_stable/active_di
> rectory/index.html (it also applies to vanilla Squid without our UI - 
> just you would need to do more manual steps).
> 
> Raf
> 
> -Original Message-
> From: squid-users 
> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] please, can someone help me with the negotiate 
> kerberos?
> 
> Hello! I think I did almost everything right. Firstly, I made it in a 
> test environment with Debian stretch running Squid 3.5 and a Windows 
> Server 2008 based domain controller, and it worked!
> 
> But when I tried to deploy it in the production environment running 
> Debian stretch, Squid 3.5 and Windows Server 2012 as the domain 
> controller, the authentication never works; the file 
> /var/log/squid/cache.log shows this:
> 
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating 
> user.
> Result: {result=BH, notes={message: gss_acquire_cred()
> failed: Unspecified GSS failure.  Minor code may provide more 
> information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from 
> squid
> (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' 
> (decoded
> length: 1826).
> 
> Obs1:I replaced a big string with letters and numbers by "(LETTERS AND 
> NUMBERS)"
> Obs2: i posted more of the file in this link 
> https://pastebin.com/Z2fe98dB
> 
> well, the results of running: kinit -kt /etc/squid/HTTP.keytab
> HTTP/squid2.domain.local@DOMAIN.LOCAL:
> root@SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL
> 
> Valid starting   Expires  Service principal
> 02/15/2020 10:55:32  02/15/2020 20:55:32 
> krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> renew until 02/16/2020 09:55:32
> 
> 
> 
> The results of running:klist -kte /etc/squid/HTTP.keytab
> 
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp   Principal
>  ---
> --
>1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL
> (arcfour-hmac)
>1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
>1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL
> (aes256-cts-hmac-s

Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-17 Thread Rafael Akchurin
Hello Rafael,

There is an easier option *without* joining the Squid machine to the domain,
See tutorial at 
https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
 (it also applies to vanilla Squid without our UI; you would just need to do 
more manual steps).

Raf

-Original Message-
From: squid-users  On Behalf Of 
Rafael Silva Daniel
Sent: Saturday, 15 February 2020 21:08
To: squid-users@lists.squid-cache.org
Subject: [squid-users] please, can someone help me with the negotiate kerberos?

Hello! I think I did almost everything right. First I made it work in a test 
environment with Debian stretch running Squid 3.5 and a Windows Server 2008 
based domain controller, and it worked!

But when I tried to deploy it in the production environment running Debian 
stretch, Squid 3.5 and Windows Server 2012 as the domain controller, the 
authentication never works; the file /var/log/squid/cache.log shows this:

2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name; }}
negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).

Obs1: I replaced a big string of letters and numbers with "(LETTERS AND NUMBERS)"
Obs2: I posted more of the file at this link: https://pastebin.com/Z2fe98dB

Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL:
root@SERVER:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL

Valid starting   Expires  Service principal
02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 02/16/2020 09:55:32



The results of running: klist -kte /etc/squid/HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)

And the results of running:
root@SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
Token: (Alonglinewithnumbersandletters)

The config in /etc/krb5.conf:

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/HTTP.keytab

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
DOMAIN.LOCAL = {
kdc = dc01.domain.local
admin_server = dc01.domain.local
default_domain = domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

And the /etc/squid/squid.conf:

http_port 3128
dns_nameservers 200.198.5.4 200.198.5.5
visible_hostname PROXY
cache_dir 
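
A small check for a keytab listing like the one above, added here as an example (it is not from the thread, from Squid or from Diladele): it parses `klist -kte` output and reports whether the keytab holds HTTP/<host>@REALM for the host name the clients actually use, the highest KVNO present for that principal, and how many entries still use RC4 or DES. A browser builds the SPN it asks the KDC for from the proxy name it connects to, so a CNAME or a visible_hostname that differs from the keytab entry means gss_acquire_cred() will not find a matching key. The listing embedded below is constructed to mirror the posted one and the host names and realm are the thread's; run against it the check answers OK for squid2.domain.local and MISSING for server.domain.local, the name given to negotiate_kerberos_auth_test above.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check a Squid HTTP keytab
# from `klist -kte` output. Host names and realm follow the thread; the
# listing is constructed for the example, not real output.

# Constructed `klist -kte /etc/squid/HTTP.keytab` output (abridged).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)'

# Lines of a klist listing for one exact principal ($1 = listing, $2 = principal).
# Principal names are case sensitive: squid2$ and SQUID2$ are different keys.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print }'
}

# Highest key version present for a principal. After the account password is
# reset in AD the KDC issues tickets under a new KVNO; a keytab that only
# holds the old KVNO can no longer decrypt them.
keytab_max_kvno() {
    keytab_entries "$1" "$2" \
        | awk 'BEGIN { m = 0 } $1 + 0 > m { m = $1 + 0 } END { print m }'
}

# Entries using RC4 or single/triple DES, which belong neither in the keytab
# nor in krb5.conf's enctype lists any more ($1 = listing).
keytab_weak_entries() {
    printf '%s\n' "$1" | awk '$5 ~ /arcfour|des-cbc|des3/ { print $1, $4, $5 }'
}

# Verdict for the principal clients will request: HTTP/<name clients use>@REALM.
# negotiate_kerberos_auth reports "No principal in keytab matches desired name"
# from gss_acquire_cred() when this entry is absent.
# $1 = listing, $2 = host name the clients use, $3 = realm
keytab_check() {
    _princ="HTTP/$2@$3"
    if [ -z "$(keytab_entries "$1" "$_princ")" ]; then
        printf 'MISSING %s\n' "$_princ"
        return 1
    fi
    printf 'OK %s kvno=%s weak_entries=%s\n' "$_princ" \
        "$(keytab_max_kvno "$1" "$_princ")" \
        "$(keytab_weak_entries "$1" | wc -l | tr -d ' ')"
}

# Stand-alone run against the constructed listing.
keytab_check "$SAMPLE_KLIST" squid2.domain.local DOMAIN.LOCAL
keytab_check "$SAMPLE_KLIST" server.domain.local DOMAIN.LOCAL || true
```

On a real proxy, replace SAMPLE_KLIST with `"$(klist -kte /etc/squid/HTTP.keytab)"` and pass the name the browsers have in their proxy setting, not the machine's own idea of its hostname.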

Re: [squid-users] Squid 4.10 for windows

2020-02-13 Thread Rafael Akchurin
Sorry Chris,

We still cannot find time to finish compilation of Squid 4 for Windows.
The Linux version running within Hyper-V most probably works much better. Why 
not try it?

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users  On Behalf Of 
Latino, Chris
Sent: Thursday, 13 February 2020 17:17
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 4.10 for windows

Hi

Hoping you can help we are using squid for windows 3.5.28

Our vulnerability scanner is saying this isn't the latest version but I can't 
see a 4.10 version for windows and when I go to

https://squid.diladele.com/

It's still showing the 3.5.28 version

Chris Latino
Senior Systems Platform Engineer II

Mastercard
1 Angel Lane | London, EC4R 3AB
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Ubuntu 18 LTS repository for Squid 4.10 (rebuilt with sslbump support from sources in Debian unstable)

2020-02-11 Thread Rafael Akchurin
Hello everyone,

The online repository with the latest Squid 4.10 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid410.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.
Scripts for Ubuntu 16 are also available in that repo.

Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid410.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid410.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient

Hope you will find this useful. Note that the older repo squid49.diladele.com 
will be taken down in 2 years.

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at another project of ours - DNS Safety filtering server. Sort 
of Web Safety implemented as a DNS server. Might be interesting in deployments 
where HTTPS decryption is not possible.
https://dnssafety.diladele.com/


We are now also researching the possibility of an iPhone/iPad built-in DNS 
blocker that will allow you to filter outgoing DNS requests on any connection, 
even 4G.
The application will be built using the Apple Network 
Extension<https://developer.apple.com/documentation/networkextension> 
framework. Stay tuned<https://www.diladele.com/community.html>!


Re: [squid-users] Need help setting up DD-WRT router to use Squid as a transparent proxy

2020-01-16 Thread Rafael Akchurin
You can try policy based routing if DD-WRT supports that – see 
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

From: squid-users  On Behalf Of 
Robert Marshall
Sent: Thursday, 16 January 2020 09:30
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Need help setting up DD-WRT router to use Squid as a 
transparent proxy

Hi all,

I'm trying to set up a transparent proxy on my network so that all devices are 
forced to use Squid/SquidGuard for network traffic, and can filter out 
undesirable destinations.

I have Squid/SquidGuard running on a Raspberry Pi 4, running the latest release 
of Raspbian Buster. The router is a D-Link DIR-860L, flashed with the 01/14/20 
build of DD-WRT. I tried using the instructions at DD-WRT, but am running into 
problems.

Squid/SquidGuard works fine if I enter in a manual proxy in my Firefox browser. 
However, when I go to configure my router's settings I have problems. The error 
message that's coming up says that I'm passing an invalid URL, and the only 
thing that shows in the error message is the /. This is happening on ALL 
webpages I try and go to, not just the ones which SquidGuard is set to filter 
out.

Helpful hints or directions will be greatly appreciated!

Robert


Re: [squid-users] unable to get issuer cert locally protocol error

2020-01-14 Thread Rafael Akchurin
Hello Robert,

See why it happens - 
https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

Best regards,
Rafael Akchurin

On 15 Jan 2020, at 03:59, robert k Wild  wrote:


hi all,

when I'm trying to go to a web page, Squid can't connect and gives me an error 
page -

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's 
Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the remote 
host does not support secure connections, or the proxy is not satisfied with 
the host security credentials.

Does anyone know what the problem is?

cheers,

rob


--
Regards,

Robert K Wild.


Re: [squid-users] squid log analyzer

2019-12-20 Thread Rafael Akchurin
Hello Vacheslav,

We are building something like sarg/squidanalyzer/lightsquid in Web Safety 7.2.
See 
https://docs.diladele.com/administrator_guide_develop/traffic_monitoring/index.html
 

It should be easy to grab the virtual appliance, upload your Squid logs into 
/var/log/squid and see if the results are ok.

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users  On Behalf Of 
Vacheslav
Sent: Friday, 20 December 2019 11:05
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid log analyzer

I searched for a ufdbGuard log analyzer and it was like looking for aliens, so 
I settled for Squid log analyzers. I tried Calamaris, which reminded me that 
squid is translated to kalmar in Russian, but the version on openSUSE does not 
provide which user went where. I read about lots of options; many are no longer 
updated, others require too much setup, and finally I saw SARG! Almost everyone 
was bashing it as slow and saying "try this instead", but it promised to show 
which user visited which URL, so I installed it and tried it from the command 
line. It was fast, but it failed to create the index file in the configured 
folder, so I couldn't see the HTML results. I suffered all day reading this and 
that and experimenting and it was useless, so I tried reaching for help on 
their forum and it is like I visited a ghost town.
So who has tried something similar to do this that is working?




Re: [squid-users] good guide to AntiVirus detection, squid4

2019-12-19 Thread Rafael Akchurin
Hello Robert,

Please see scripts at 
https://github.com/diladele/websafety/tree/release-7.2.0/core.ubuntu18 on how 
we do that (if you do not need web filtering – just ignore that part).

Best regards,
Rafael

From: squid-users  On Behalf Of 
robert k Wild
Sent: Thursday, 19 December 2019 16:03
To: squid-users@lists.squid-cache.org
Subject: [squid-users] good guide to AntiVirus detection, squid4

Hi all, hope you're all well :)

I'm looking for a good guide to set up real-time antivirus on Squid 4 for all 
the traffic.

I have seen numerous tools for this like ClamAV, c-icap, HAVP, and I have read 
that since Squid 3, Squid comes with ICAP.

Can I just use the built-in ICAP, or shall I use something else to go with it?

If anyone has suggestions and can show me a good guide on how to do it, 
that would be great.

thanks,
rob

--
Regards,

Robert K Wild.


[squid-users] Ubuntu 18 LTS repository for Squid 4.9 (rebuilt with sslbump support from sources in Debian unstable)

2019-11-13 Thread Rafael Akchurin
Greetings all,

The online repository with the latest Squid 4.9 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid49.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.
Scripts for Ubuntu 16 are also available in that repo.

Hope you will find this helpful. Note that the older repo squid48.diladele.com 
will be taken down in 1 year.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid49.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid49.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient



--
Please take a look at another project of ours - DNS Safety filtering server. Sort 
of Web Safety implemented as a DNS server. Might be interesting in deployments 
where HTTPS decryption is not possible.
https://dnssafety.io/




Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-11-01 Thread Rafael Akchurin
Hello Sebastian, 

If you decide to go the policy routing way as Amos suggested - please see the 
tutorial at 
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html
or 
https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html
 for WCCP.

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Friday, 1 November 2019 07:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Unsuccessful at using Squid v4 with intercept

On 1/11/19 5:53 am, FOUTREL Sébastien wrote:
> --
> *From:* Antony Stone
> *Sent:* Wednesday 30 October 2019 17:39
>  
> On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:
> 
>> Hello, I would like to use squid as a transparent proxy for my users.
> 
>> "Clients" are behind a Debian "Router" which MASQUERADE them (as they 
>> use RFC 1918 ips).
>> 
>> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
>> server which is outside my network.
>> 
>> I read a lot of tutorials and examples from squid site...
> 
> Did that include the links I've given below?
> 
> Yes I read almost all example configs from wiki.squid-cache.org 
> <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy> and I was 
> misled by the fact that there is a DNAT config and a REDIRECT config.
> DNAT is completely useless if Squid only supports being on the router.
> Wasn't it possible to DNAT to a different server with older versions 
> (my memory is faulty)?
> http://tldp.org/HOWTO/TransparentProxy-6.html for example.


Squid-2 used to ignore all NAT errors and just go where the client HTTP headers 
were claiming to be going. This proved to be a major security vulnerability 
with a pile of nasty related issues and side effects.
CVE-2009-0801 for reference.

DNAT is a tiny amount faster and less CPU cycles on the kernel NAT side of 
interception, and can be used in config tricks to get more than 64K entries in 
the NAT tables. So it is kept around for extremely high-traffic proxies.

REDIRECT is better for zero-conf installations or ones with a dynamic IP 
address on the proxy machine (eg IPv6 auto-conf and privacy addressing).


> 
> I read the "fw mark and route policy" method as an alternative not the 
> only way to go. My mistake.
> 

Easily made if you are reading *every* example config. Policy Routing _is_ an 
alternative ... to WCCP.

There are so many different types of routers with different config 
requirements, and also numerous NAT systems. Our formal Intercept examples are 
laid out as separate router config example and NAT config example. Pick one 
from each category as appropriate to the software your network uses for each 
machine.



Cheers
Amos


Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread Rafael Akchurin
Hello everyone,

Just my two cents too. Note you can map the *user* to the Kerberos SPN - this 
lets you have your Squid proxy live outside of the AD.
Just set up a dedicated user in the AD, map the SPN to it and export the keytab to 
your Squid.

See 
https://docs.diladele.com/administrator_guide_stable/active_directory/index.html

Downside - the password for that designated user needs to be non-expiring or 
you'd be regenerating keytabs every time the password changes. Which is not 
difficult anyway.

Best regards,
Rafael Akchurin
Diladele B.V.



From: squid-users  On Behalf Of 
L.P.H. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem

I also had problems with msktutil, so I suggest you try this, see below.
I'm using it for a few years and it always works (for me, of course).

It should be pretty simple, but the squid-cache site (wiki) is in my opinion a 
bit outdated.
And it's for Amos to adapt it on the site.

Amos or Alex, please review below, you might want to add it.
And add your parts to it, like running this without a correct SPN.

It's tested, in use and working since Squid 3.1 up to 4.8.
Tested on Debian Wheezy (7) up to Buster (10).

Below assumes the server you're setting up does have an A and PTR record.
(Note, these should be added at the domain join of winbind, as of Samba 4.x.)

This is my howto.
Debian based, with Kerberos auth against a Samba Active Directory.
Should be adaptable for any OS, and should also work with MS Active Directory.
But since I don't have any, I'm not testing it.


# Install a minimal OS, at install only choose base + ssh server.
# Setup these variable for a copy/past, might be handy, and then "it just works"

# Obligated to set.  # ADDOM;
# This should match the netbios (NT4) domain name in caps, per example from a 
login: NTDOM\username
ADDOM="NTDOM"

# These should be fine, but if you have multiple ipnumbers and hostnames, you 
might want to adjust these.
FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"

# Requirements before you start installing the software like: squid winbind 
krb5-user

# Login, sudo to root.
# /etc/resolv.conf, set as followed.
#search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC

# Verify it:
grep search /etc/resolv.conf
grep nameserver /etc/resolv.conf

# If ok, then run :
apt update
apt install squid winbind krb5-user -y

# Just hit enter on every question, the defaults are fine. (verified in Debian).

# And now verify /etc/krb5.conf
less /etc/krb5.conf


# It should look like this :
#[libdefaults]
#default_realm = YOUR.Detected_REALM.TLD
#
# The following krb5.conf variables are only for MIT Kerberos.
#   kdc_timesync = 1
#ccache_type = 4
#forwardable = true
#proxiable = true

# ... and more..

#  >>  P.s.  i never touch krb5.conf, never needed, it "just works" <<

# Set REALM Variable now, default should be ok. dont touch it.
REALM="$(grep default_realm /etc/krb5.conf | awk '{ print $NF }')"
# (no trailing space inside the quotes: it would end up in the "realm =" line of smb.conf)
# It's used for smb.conf and the auth part of squid.

# then stop squid and samba and configure it.
systemctl stop squid winbind

# flush the log, so if you start it you start with a clean log.
> /var/log/squid/cache.log

# Configure smb.conf and join the AD domain,  the minimal setting for smb.conf.
cp /etc/samba/smb.conf{,.original}

echo "# Auth-Only setup with winbind. ( no Shares )

workgroup = ${ADDOM}
security = ADS
realm = ${REALM}
netbios name = ${HOSTN^^}

## make sure the numbers below never overlap system ranges, see 
/etc/adduser.conf
## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-

## map ids from the domain and (*) the range may not overlap !
idmap config ${ADDOM} : backend = rid
idmap config ${ADDOM} : range = 1-399

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

# renew the kerberos ticket
winbind refresh tickets = yes
" > /etc/samba/smb.conf

# And verify it.
less /etc/samba/smb.conf

# Next step, join the AD domain.
# Login/auth with kerberos.
kinit Administrator

# and join the domain.
net ads join -k

# Creating the squid keytab file.

export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab ADD HTTP/${FQDN}

#Verify the keytab file :
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab

# destroy your authentication ticket for Administrator.
kdestroy

# set correct rights.
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here.

# and set up your squid auth.
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
--kerberos /usr/lib/squid/negotiate_kerberos_auth \\
  -k etc/sq

Re: [squid-users] AD user Login + Squid Proxy + Automatic Authentication

2019-08-22 Thread Rafael Akchurin
Hello Randi,

You seem to be wishing to setup Single-Sign-On. We have a small guide here that 
might be of some help. It is proven and it definitely works. It involves 
Microsoft AD and Kerberos 
https://docs.diladele.com/administrator_guide_stable/active_directory/index.html

The guide involves our Web Safety product but it should not really matter, the 
pristine Squid will do just fine. You can also use the community version of our 
UI for Squid, it is completely free so may also be helpful if you need browser 
management of your proxy box.

Best regards,
Rafael

From: squid-users  On Behalf Of 
Randi Indrawan
Sent: Thursday, August 22, 2019 6:28 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] AD user Login + Squid Proxy + Automatic Authentication


So I have set up a Squid proxy on a CentOS 7 server and now the authentication 
system uses LDAP and it works; I can set which groups get access through the proxy.

The problem is ... can we set up the proxy to read the domain ID that is 
logged in, so the proxy no longer asks for a username and password? All the 
tutorials I've seen show pop-up messages asking for the username and password. I 
would like this to happen automatically, so when the user logs in they 
automatically authenticate.
Best Regards
Randi Indrawan


Re: [squid-users] HAProxy + Squid

2019-07-22 Thread Rafael Akchurin
Hello Gabriel,

We do exactly that in our lab, see docs at 
https://docs.diladele.com/administrator_guide_7_0/active_directory_extra/redundancy/haproxy_proxy_protocol.html
It works perfectly.

Best regards,
Rafael Akchurin
Diladele B.V.



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Service MV
Sent: Monday, July 22, 2019 4:37 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] HAProxy + Squid

Hello everyone, I would like to know if the configuration I want to do is 
viable:
- 1 HAProxy load balancer configured in TCP mode.
- 2 Squid 4.7.2 servers with negotiate Kerberos authentication and LDAP group 
authorizations.
The idea is that the web clients on my LAN point to the IP/name of the load 
balancer and that this distributes the load between the proxy servers.
Attached is a link to a configuration diagram.
https://cloudcraft.co/view/00ccd7cb-861c-4e70-a38e-980fdd6cfad3?key=iEa-Gyp8R0ZSh-fxDNi58A
Thank you very much in advance for your comments.
Best regards

Gabriel



[squid-users] Ubuntu 18 LTS repository for Squid 4.8 (rebuilt with sslbump support from sources in Debian unstable)

2019-07-19 Thread Rafael Akchurin
Greetings all,

The online repository with the latest Squid 4.8 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid48.diladele.com.
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation (look for feature-squid-4.8-1 branch).
Scripts for Ubuntu 16 will be updated in the near future.

Hope you will find this helpful. Note that the older repo squid46.diladele.com 
will be taken down in two years.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions on how to use the repo. For more information see 
the readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid48.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid48.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient



--
Please take a look at another project of ours - DNS Safety filtering server.
Sort of Web Safety implemented as a DNS server.
Might be interesting in deployments where HTTPS decryption is not possible.
https://dnssafety.io/

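
The three repository announcements on this page (Squid 4.10, 4.9 and 4.8) all import the signing key with `apt-key add`, and all three fetch the key over plain http. apt-key has since been deprecated, and a key added that way is trusted for every APT source on the machine, not just this one; the key download is also the one step apt itself cannot verify, so it is the step that must be authenticated. What follows is an added example, not Diladele's own script, of the same setup with a repository-scoped keyring referenced via `signed-by=`, the key and repository fetched over https, and the key's fingerprint compared with a value obtained out of band before anything is trusted. The URLs and package names are those from the posts (the 4.10 repository, the newest of the three); the keyring path is a conventional choice and the fingerprint is a placeholder, both assumptions.

```shell
#!/bin/sh
# Added example, not code from the posts: install the Diladele Squid repository
# without apt-key. The fingerprint below is a placeholder (assumption); take the
# real value from the vendor over a channel you already trust.

KEY_URL="https://packages.diladele.com/diladele_pub.asc"
REPO_URL="https://squid410.diladele.com/ubuntu/"
SUITE="bionic"
KEYRING="/usr/share/keyrings/diladele-archive-keyring.gpg"   # assumed path
LIST="/etc/apt/sources.list.d/squid410.diladele.com.list"
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_VENDOR"          # placeholder

# True only for https:// URLs. The key file is a trust root, so it must not be
# pulled over a channel an on-path attacker can rewrite.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the sources.list entry, scoped to the repository keyring so the key
# signs nothing but this repository. Refuses non-https repository URLs.
# $1 = keyring path, $2 = repository URL, $3 = suite
apt_source_line() {
    url_is_https "$2" || { printf 'refusing non-https repository URL: %s\n' "$2" >&2; return 1; }
    printf 'deb [signed-by=%s] %s %s main\n' "$1" "$2" "$3"
}

# Fingerprint of the first key in an ASCII-armored key file, read without
# importing it into any keyring. $1 = path to the .asc file
key_fingerprint() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full procedure; needs root and network, so it is not run when this file loads.
install_squid_repo() {
    url_is_https "$KEY_URL" || { echo "key URL must be https" >&2; return 1; }
    _tmp="$(mktemp)" || return 1
    wget -qO "$_tmp" "$KEY_URL" || { rm -f "$_tmp"; return 1; }
    _fpr="$(key_fingerprint "$_tmp")"
    if [ "$_fpr" != "$EXPECTED_FPR" ]; then
        printf 'key fingerprint mismatch: got %s\n' "$_fpr" >&2
        rm -f "$_tmp"
        return 1
    fi
    # Binary keyring in /usr/share/keyrings, world-readable, root-owned.
    gpg --dearmor < "$_tmp" > "$KEYRING" && chmod 0644 "$KEYRING"
    rm -f "$_tmp"
    apt_source_line "$KEYRING" "$REPO_URL" "$SUITE" > "$LIST" || return 1
    apt-get update && apt-get install -y squid-common squid squidclient
}
```

Usage: set EXPECTED_FPR, then run `install_squid_repo` as root. Once the entry is in place, `apt-cache policy squid` shows whether the package now comes from squid410.diladele.com; a key that does not match the expected fingerprint never reaches the keyring.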


Re: [squid-users] Debian Buster, Squid 4.6-1 amd64, "Too few negotiateauthenticator processes are running"

2019-07-15 Thread Rafael Akchurin
Hello James,

Here is to confirm that after applying this patch, rebuilding Squid 4.6 and 
deploying it into production for about 700 proxy-connected clients using mostly 
Kerberos authentication followed by NTLM and Basic LDAP, the mentioned issue 
with the negotiate wrapper went away. No more pop-ups from client browsers.

Best regards,
Rafael Akchurin
Diladele B.V.

--
Need easy to manage DNS filter? See our new project at https://dnssafety.io/

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of James Zuelow
Sent: Monday, July 15, 2019 9:11 PM
To: 'squid-users@lists.squid-cache.org'
Subject: [squid-users] Debian Buster, Squid 4.6-1 amd64, "Too few 
negotiateauthenticator processes are running"

We have a pair of Squid proxies, running as a failover pair with ucarp.

Both of these proxies are domain joined with Samba, and we've been using 
Kerberos authentication for several years.

After Debian Buster was released, we upgraded the failover unit and did some 
basic testing.  Everything seemed to go correctly.  Unfortunately when we 
tested, we didn't put the failover under a serious load - we merely made sure 
each component was working the way we expected it to.

We waited a week, and then updated the primary.

As soon as the primary was updated and assumed a real load, users started 
seeing proxy authentication prompts and the proxy started operating very slowly 
- to the point where sessions would time out.  We quickly rolled to the 
failover, but the problem remained.

Since this was a major version upgrade, everything on the server had changed so 
I had lots of places to look for errors.  I did in fact find that my file 
descriptor settings in limits.conf had reverted back to the default of 1024, 
but even after fixing this the proxy was slow.

I see in the logs many occurrences of "Too few negotiateauthenticator processes 
are running" - the negotiate authenticators look like they're crashing every 
15-45 seconds when the proxy is busy (between 80-100 requests per second at my 
site).

Doing a quick Google, I found this:  
https://github.com/diladele/websafety-issues/issues/1141
Which refers to this:  https://bugs.squid-cache.org/show_bug.cgi?id=4936

The fix referred to in bug 4936 appears to be about a month old.

https://tracker.debian.org/pkg/squid implies that the version of squid in 
Buster is older than that, last merged into testing (now stable) in February.

Before I file a Debian bug report, how could I go about confirming the presence 
of bug 4936 in the current Debian stable version of Squid?  Are the dates good 
enough?

Thank you!

James


Re: [squid-users] ACL inside ClamAV?

2019-03-15 Thread Rafael Akchurin
Hello Felipe,

We have something like this in our ICAP server.
See 
https://docs.diladele.com/administrator_guide_7_0/web_filter/policies/blocking_file_downloads.html

Best regards,
Rafael Akchurin
Diladele B.V.

From: squid-users  On Behalf Of 
Felipe Arturo Polanco
Sent: Friday, 15 March 2019 16:38
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ACL inside ClamAV?

Hi,

Is it possible to use SQUID ACL inside ClamAV or any other ICAP server?

The idea is to have a list of file types to be denied for some users and 
allowed for some others.

Thanks,


Re: [squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Rafael Akchurin
Hello Alex,

Please take a look at how we recompile Squid 4.6 for Ubuntu 18.
It compiles and runs nicely without errors.

See https://docs.diladele.com/howtos/build_squid_4_on_ubuntu/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users  On Behalf Of Alex 
Gutiérrez Martínez
Sent: Wednesday, 27 February 2019 22:48
To: squid-users@lists.squid-cache.org
Subject: [squid-users] problem compiling squid 4 on ubuntu 18.04

Hello community, can someone be so nice to tell me what I'm doing wrong?


I'm compiling squid 4.5 on Ubuntu 18.04.


These are the dependencies I have installed:


apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
  libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
  libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl \
  libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils


These are the options for squid:

./configure --build=x86_64-linux-gnu --enable-delay-pools \
  --enable-cache-digests --enable-icap-client --enable-ssl --enable-ssl-crtd \
  --with-openssl --enable-follow-x-forwarded-for \
  --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
  --enable-auth-digest="file,LDAP" --prefix=/usr --includedir=${prefix}/include \
  --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc \
  --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. \
  --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules \
  --datadir=/usr/share/squid --sysconfdir=/etc/squid --mandir=/usr/share/man \
  --enable-inline --disable-arch-native \
  --enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock \
  --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests \
  --enable-icap-client --enable-follow-x-forwarded-for \
  --enable-auth-negotiate=kerberos,wrapper \
  --enable-auth-ntlm=fake,smb_lm \
  --enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
  --enable-url-rewrite-helpers=fake --enable-eui --enable-esi --enable-zph-qos \
  --enable-ecap --disable-translation --with-swapdir=/var/spool/squid \
  --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid \
  --with-filedescriptors=65536 --with-large-files --with-default-user=proxy \
  --enable-ssl --with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter \
  'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
  'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
  'CPPFLAGS=-D_FORTIFY_SOURCE=2' \
  'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'


I'm getting this error:


error: NTLM auth helper smb_lm ... not found


thanks in advance


--
Kind regards

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327





Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-27 Thread Rafael Akchurin
I would try deploying Squid on a Linux machine running within Hyper-V just to be 
sure the Squid part itself works fine. Then only specifics of it running on 
Cygwin will remain to be uncovered. Should be very easy to set up. Couple of 
hours at most (you have already dedicated much more time to this).

For example here is how we do it 
https://github.com/diladele/websafety-virtual-appliance/blob/master/scripts.ubuntu18/03_squid.sh
It is even easier if you do not need to sslbump. Just

apt-get update && apt-get install -y squid

And voila!

-Original Message-
From: squid-users  On Behalf Of Van 
Order, Drew (US - Hermitage)
Sent: Wednesday, 27 February 2019 16:55
To: elie...@ngtech.co.il
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

Business objective is to enable MSFT Azure MMA's (Microsoft Monitoring Agents) 
blocked from the internet to send agent data to Azure Log Analytics

Simple proxy
No SSL bump
Squid config is attached
I tried disabling caching with Squid, found it crashed more frequently. Squid 
was chosen: this is intended to be a stopgap solution, and it's free. It's a 
battle to win over security in order to have tcp/443 opened everywhere.

I'm not sure Squid is the problem, I have an identically configured Squid that 
bypasses the F5 working beautifully, but it's only 50 clients (MMA's) 
connecting, Each client takes roughly 5 connections. The clients are still 
going through a firewall(s). 

Our network folks say that neither the FW or F5 leading up to Squid report 
congestion. 

It's possible that Squid for Windows + F5 VIP are not intended to work 
together, but it makes sense to just have one proxy IP address.

I'm getting ready to Skype with our F5 guy to compare what I'm seeing with what 
he's seeing. Also trying to get how many clients are going through the F5 to 
compare to my 'good' Squid

-Original Message-
From: elie...@ngtech.co.il 
Sent: Wednesday, February 27, 2019 9:20 AM
To: Van Order, Drew (US - Hermitage) 
Cc: squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The setup itself is not clear to me.
Is it a simple proxy?
With SSL bump?
Can you share or send me the squid configuration?
There might be another solution for your use case that you have yet to try.
Also if the purpose is not caching, why do you try to use squid?
There are lots of other proxies for windows out there (just wondering what and 
why you have chosen Squid).

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: Van Order, Drew (US - Hermitage) 
Sent: Wednesday, February 27, 2019 05:51
To: Eliezer Croitoru ; Rafael Akchurin 

Cc: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid for Windows Repeatedly Crashing

Hello folks, and thanks for keeping interest. Today I spent a bit of time 
learning squidclient, and have determined that the server is not in any way 
resource constrained. I've attached the output from mgr:info, mgr:client_list, 
and mgr:filedescriptors in between crashes. Was wondering if someone could 
explain Tout, which I presume is timeout. Of interest are the ones set to 
86400, which I presume is one day. That seems like a big problem--but where is 
it coming from? I'm using the Cygwin Squid config defaults.

There seems to be a lot of Reading next request going on before Squid recycles. 
I wonder if the F5 VIP is dealing with congestion through the firewall, which, 
in turn, is causing congestion on the pool output side, the
10.26.25.220 address. Our F5 guys have gone silent on me, I have been asking 
questions, in particular why all the F5 traffic is coming over just one IP 
address in the pool.

In case folks wonder what the IP's are in the file descriptor output

1310 Socket  8986044*2806  40.71.12.224:443 593a6510-ebfc-4d6b-a8f0-a0411dfee098.ods.opinsights.azure.com:443 (this is Squid forwarding Windows event/perf data from an agent to Azure Log Analytics)
1311 Socket  8993015*9208  10.26.25.220:61088 Reading next request (10.26.25.220 is the pool IP address of the F5 in use)
1312 Socket  8992690*8826  10.26.25.220:61436 Reading next request
1313 Socket  8999169*2884  104.208.163.218:443 eus2-jobruntimedata-prod-su1.azure-automation.net:443 (Squid to Azure)
1314 Socket  8998787*2508  104.208.163.218:443 eus2-jobruntimedata-prod-su1.azure-automation.net:443
1315 Socket  118 119*3924  10.26.25.220:52153 Idle client: Waiting for next request
1316 Socket  9001382*8697  10.26.25.220:54786 Reading next request

This is from a box that restarts squid every few minutes. Typical cache.log 
snippet

2019/02/26 21:24:22 kid1| storeDirWriteCleanLogs: Starting...
2019/02/26 21:24:22 kid1|   Finished.  Wrote 0 entries.
2019/02/26 21:24:22 kid1|   Took 0.00 seconds

[squid-users] Ubuntu 18 LTS repository for Squid 4.6 (rebuilt with sslbump support from sources in Debian unstable)

2019-02-26 Thread Rafael Akchurin
Greeting all,

The online repository with latest Squid 4.6 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid46.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid44.diladele.com 
will be taken down in one year.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid46.diladele.com/ubuntu/ bionic main" \
  > /etc/apt/sources.list.d/squid46.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient



--
Please take a look at another our project - DNS Safety filtering server.
Sort of Web Safety implemented as DNS Server. Might be interesting in 
deployments where HTTPS decryption is not possible.
https://dnssafety.io/


Re: [squid-users] Squid for Windows Repeatedly Crashing

2019-02-24 Thread Rafael Akchurin
As far as I know the internal FD limit for Windows build is around 3K - might 
be being exceeded and thus unexpected behavior raising its ugly head.

-Original Message-
From: squid-users  On Behalf Of Van 
Order, Drew (US - Hermitage)
Sent: Sunday, 24 February 2019 14:40
To: elie...@ngtech.co.il; 'Amos Jeffries' ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

This is helpful, and I especially appreciate the time given it is the weekend.

The Squids are confusing me, as everything is well behaved at the moment. One 
server was erroring off and on for a few hours earlier today, but stopped after 
a reboot.

It does appear that redirecting roughly 125 servers to no longer use the proxy 
has helped. Unfortunately, our F5 guy can't tell me how many IP addresses 
remain coming into this F5 VIP, which would give me the number of servers, and 
an idea how loaded this thing is. I have good reason to believe it is under 
1,000. He has shown us graphs indicating the VIP isn't stressed, but I will 
keep working on him, b/c I can't imagine not being able to report how many 
distinct IP addresses hit the VIP.

I don't have a Visio, but

Server running the Microsoft Monitoring Agent sends data over 
tcp/443-->Internal facing firewall(s)-->F5 VIP-->one of 4 Squids-->internet 

Each of the 4 VMWare Squids has 4 proc and 8 GB memory, 10 GB NIC.

We're a large enterprise with multiple data centers and many subnets, so there 
are quite a few firewalls, and most of the time a server must go through more 
than one firewall. Can't help but wonder if firewall exhaustion could cause the 
symptoms.

Revision: I typed the above last night. This morning, the server that had been 
erroring is at it again, but stopped. Others are fine. Interesting problem.

-Original Message-
From: elie...@ngtech.co.il 
Sent: Saturday, February 23, 2019 12:16 PM
To: Van Order, Drew (US - Hermitage) ; 'Amos Jeffries' 
; squid-users@lists.squid-cache.org
Subject: [EXT] RE: [squid-users] Squid for Windows Repeatedly Crashing

The next tool might help you to understand the status of the open connections.
If the socket is being closed (I think Windows Server 2016 is a very good 
OS...).
https://secure-web.cisco.com/1gLLf4HP_bwYOteW6x8gJ8EGyBrYzTMzMIi7P6q7aGi136WObNRd7uZQkrv-CKTO7ipHpLgOvHaGbzxLT7RpG6AGtkeTHUn2O8-CIAgcBOCUzn6KyZoPhqsAcpIXokXWcjlWHdUVUwlZVT0WKEhuOuAGvw2washhJEOg1Gcbsf99cy7ofqJfuTc-fS23KxfiE8W-2GLLNuF_J8q5uGJdvUMhm6HN-4CO3c_i8wxOlHrxgX3GjSLbLo8odnA6YctD5A01sjW3dpC4oiioIkGY7gDY-hjSSNYr_xoZzsixScColG-JRDlR3uktjsFF5JCkU1EROfoOfUHsDdeJ0IV2Cpk6yzbSPNNno7jV5BmZSsmR_jRgW7WJa4eVhKUvicMfy8RBespjtbfk17lUf9JamqmxPBtP2eHsiIb4_wk9iJfRr_S-aA1Ve7rPDmCXm9bZ9HRmXphi8o5AeYMWbK9DTrnmPDmFamis922AT6F4KUuBvS3PKqeCkT3EUuGmlwHXxCiJGwYBKXQmOehcFbqgfFQ/https%3A%2F%2Fwww.nirsoft.net%2Futils%2Fcports.html

There is a possibility that some OS TCP limit is being reached and therefore 
the socket closure.
If you are using F5 you can easily find out the load at the crash point.
I assume that if a normal Squid instance can take a load of 900k requests per 
second in somewhat constant rate for more than a minute then the issue might be 
elsewhere than squid.
I am not sure but pretty sure that if you do not have anyone that is 
knowledgeable enough about windows sockets, sessions and FW limitations you 
will either:
- learn it yourself
- find an expert
- use an OS that is more than 20% supported by any of the Squid-Cache team 
members and other developers around the globe.

Just to say a good word about Windows Server 2016, I compared it to a Windows 
10 under load and it seems to take a lot more load.
Also it not just takes the load but balances it well (on an open source windows 
designed software).

Also if you have a specific use case maybe a specific proxy can be customized 
for it.
Let me know if you wish to shed more details on the configuration so I can take 
my time and understand if there is a solution other than Squid.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users  On Behalf Of Van 
Order, Drew (US - Hermitage)
Sent: Friday, February 22, 2019 15:32
To: Amos Jeffries ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid for Windows Repeatedly Crashing

The test box I set up outside the F5 finally started exhibiting these errors, 
once I pointed roughly 60 machines to it. It took a few hours.
Sounds like this narrows it down to either the OS itself (seems unlikely, other 
apps would crash), or the litany of agents our security folks have mandated. It 
may indeed be necessary to move to Linux.

Thank you very much for your time!

-Original Message-
From: Amos Jeffries 
Sent: Thursday, February 21, 2019 11:31 PM
To: Van Order, Drew (US - Hermitage) ; 
squid-users@lists.squid-cache.org
Subject: [EXT] Re: [squid-users] Squid for Windows Repeatedly Crashing

On 22/02/19 

Re: [squid-users] Building Squid 3.5 for Win2k with SSL

2019-02-10 Thread Rafael Akchurin
Hello Amos, Reinhard,

Interestingly enough this error does not pop up when building Squid on 64-bit 
Cygwin.
Might be some 32-bit installation glitch?

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Sunday, 10 February 2019 11:30
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Building Squid 3.5 for Win2k with SSL

On 10/02/19 9:56 pm, Reinhard Zumpf Dipl.-Ing. wrote:
> Hi,
> 
> thanks so much for helping out. I managed to get configure run through 
> now as described from Diladele.
> 
> But, make terminates like that:
> 
> ...
> mv -f $depbase.Tpo $depbase.Po
> depbase=`echo SBuf.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/etc/squid/squid.conf\"
> -DDEFAULT_SQUID_DATA_DIR=\"/usr/share/squid\"
> -DDEFAULT_SQUID_CONFIG_DIR=\"/etc/squid\"   -I.. -I../include -I../lib
> -I../src -I../include-I../src   -I/usr/include/libxml2
> -I/usr/include/libxml2 -Wall -Wpointer-arith -Wwrite-strings 
> -Wcomments -Wshadow -Woverloaded-virtual -pipe -D_REENTRANT -g -O2 
> -march=native -MT SBuf.o -MD -MP -MF $depbase.Tpo -c -o SBuf.o SBuf.cc 
> &&\ mv -f $depbase.Tpo $depbase.Po
> SBuf.cc: In Elementfunktion »SBuf::size_type SBuf::rfind(char,
> SBuf::size_type) const«:
> SBuf.cc:760:21: Fehler: »memrchr« wurde in diesem Gültigkeitsbereich 
> nicht definiert
>  const void *i = memrchr(buf(), (int)c, (size_type)endPos);
>  ^~~
> SBuf.cc:760:21: Anmerkung: empfohlene Alternative: »memchr«
>  const void *i = memrchr(buf(), (int)c, (size_type)endPos);
>  ^~~
>  memchr
> make[3]: *** [Makefile:7173: SBuf.o] Fehler 1
> make[3]: Verzeichnis „/home/synrzu/squid-3.5.28/src“ wird verlassen
> make[2]: *** [Makefile:7296: all-recursive] Fehler 1
> make[2]: Verzeichnis „/home/synrzu/squid-3.5.28/src“ wird verlassen
> make[1]: *** [Makefile:6157: all] Fehler 2
> make[1]: Verzeichnis „/home/synrzu/squid-3.5.28/src“ wird verlassen
> make: *** [Makefile:581: all-recursive] Fehler 1
> 
> It is the latest x86 cygwin with all packages mentioned by Diladele 
> and Squid 3.5.28 sources.
> 
> What can I do?
> 

I'm not familiar enough with Cygwin to be specific, sorry. You will need to 
track down where the memrchr is defined and make sure that file gets included 
properly by the compiler.

Rafael has not mentioned this failing with 3.5 before so I assume it is 
something missing from the ./configure options, or perhaps some extension to 
cygwin that needs installing.

You could try and ask Rafael / Diladele directly since it is their document you 
are following here.

Amos


Re: [squid-users] can't access https://www.finanzamt.bayern.de/ with sslbump (other sites works well)

2019-01-09 Thread Rafael Akchurin
Hello Dieter,

Just for the record, I have no problems accessing that site using SSL bumping 
AD integrated Squid 4.4 (coupled with web safety ICAP filter but that should 
not matter really). Squid conf is more or less default with usual 
peek-and-splice (bump all) directives.

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Wednesday, 9 January 2019 13:25
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] can't access https://www.finanzamt.bayern.de/ with 
sslbump (other sites works well)

On 9/01/19 5:52 am, Dieter Bloms wrote:
> Hello,
> 
> I've compiled squid 4.5 with openssl1.1 as shipped with debian9.
> Sslbump works fine for all sites, but I can't access only one site 
> https://www.finanzamt.bayern.de/ and don't know the reason.
> Ssllabs gives "A".

That means they are using "Good Practice" with their use of TLS. The better 
they use TLS the less likely that SSL-Bump works.


...
> The access.log looks like:
> 
> --snip--
> 1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
> 1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
> --snip--
> 
> no entries in cache.log
> 
> Can anybody try this site to see whether it is my local installation, or the 
> webserver.
> 

Please check your cache.log and the 500-status error page message to find out 
what the problem is. TLS is such a complicated system that it is unlikely 
others will be able to see the reason your system is failing with the very few 
details you have provided.


Amos
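Added example, not code from the thread: a parser for squid's native access.log format that lists hosts where a CONNECT is followed by a request squid answered itself (HIER_NONE) with a 5xx error page, the pattern in the two log lines Dieter quoted, so those hosts can be checked in cache.log as Amos suggests. The sample log is those two lines re-joined plus two constructed lines (host example.org, address 203.0.113.10) for a host that bumps cleanly.

```python
"""Detect bumped-connection failures in squid's native access.log format.

Added example (not from the mailing-list thread). Sample log: the two lines
quoted in the thread, plus two constructed lines for a negative case.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# Native "squid" logformat:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
SAMPLE_ACCESS_LOG = """\
1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
1546962100.000   3120 x.x.x.x NONE/200 0 CONNECT example.org:443 - HIER_DIRECT/203.0.113.10 -
1546962100.050     30 x.x.x.x TCP_MISS/200 5120 GET https://example.org/ - HIER_DIRECT/203.0.113.10 text/html
"""

Entry = namedtuple("Entry", "ts client code status method url hier host")


def parse_line(line):
    """One access.log line -> Entry, or None for lines not in squid format."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")      # e.g. NONE/500
    hier = f[8].partition("/")[0]              # e.g. HIER_NONE
    method, url = f[5], f[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]           # CONNECT targets are host:port
    else:
        host = urlsplit(url).hostname or ""
    return Entry(float(f[0]), f[2], code, int(status), method, url, hier, host)


def bump_failures(log_text, window=5.0):
    """(client, host, status) for every bumped request that failed inside squid.

    A CONNECT answered 200 to the client, followed within `window` seconds by
    an https request to the same host that never reached an origin (HIER_NONE)
    and got a 5xx, is squid serving its own error page on the bumped leg.
    """
    connects = {}
    found = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.client, e.host)
        if e.method == "CONNECT" and e.status == 200:
            connects[key] = e.ts
        elif (e.url.startswith("https://") and e.hier == "HIER_NONE"
              and 500 <= e.status < 600):
            started = connects.get(key)
            if started is not None and e.ts - started <= window:
                found.append((e.client, e.host, e.status))
    return found
```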


[squid-users] [icap] Release Candidate of Web Safety 7.0 web filter for Squid proxy

2018-12-17 Thread Rafael Akchurin
Hello everyone,

The release candidate build of Web Safety ICAP web filter for Squid proxy 
(version 7.0.0.8768 built on December 14, 2018) is now available for download.
This version contains the following breaking changes, fixes and improvements:


  *   Base platform moved to Ubuntu 18 LTS
  *   Required Python version is now 3 instead of 2.
  *   Required Django version is now 2.1.2 instead of 1.11.
  *   Squid proxy is now version 4.4.
  *   FreeBSD 11, pfSense 2.4 and Raspbian 9 builds are available (status is 
still experimental)

Pre-configured virtual appliances for VMware ESXi/vSphere and Microsoft Hyper-V 
are available from https://www.diladele.com/download_next_version.html.
GitHub repo with automation scripts we used to build this virtual appliance 
from stock Ubuntu 18 LTS image is at 
https://github.com/diladele/websafety-virtual-appliance/tree/release-7.0.0/scripts.ubuntu18

Direct links to virtual appliances:


  *   http://packages.diladele.com/websafety/7.0.0.8768/va/ubuntu18/websafety.zip
  *   http://packages.diladele.com/websafety/7.0.0.8768/va/ubuntu18/websafety-hyperv.zip

Virtual appliance for Microsoft Azure is available from Azure Marketplace at 
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety?tab=Overview
Corresponding deployment guide is at 
https://docs.diladele.com/tutorials/proxy_in_microsoft_azure/index.html.

Virtual appliance for Amazon AWS is published at 
https://aws.amazon.com/marketplace/pp/B07KJHLHKC with corresponding deployment 
guide at https://docs.diladele.com/tutorials/web_filter_amazon_aws/index.html

Your questions/issues/bugs are welcome at supp...@diladele.com

The final release is planned at the end of January 2019.
Thanks to all of you for making this possible!

Best regards,
Rafael Akchurin
Diladele B.V.



[squid-users] [tutorial] How to rebuild Squid 4.4 on Ubuntu 16 with SSLBump

2018-11-15 Thread Rafael Akchurin
Hello,

We have written a small tutorial on how to rebuild Squid 4.4 from Debian 
Unstable on Ubuntu 16 LTS.
It is available here - 
https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html

The scripts are stored in github repo at 
https://github.com/diladele/squid-ubuntu/tree/master/src/ubuntu16, hopefully 
might be helpful for someone. Unfortunately no plans to publish online repo for 
the DEBs for now  (use squid44.diladele.com if you are ok with going to Ubuntu 
18).

Best regards,
Rafael Akchurin
Diladele B.V.

--
Web Filter deployed in Microsoft Azure? Surely possible, see 
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety?tab=Overview




Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-11-01 Thread Rafael Akchurin
Hello Jose,

Latest Squid is already available in Debian unstable, no need to use Ubuntu 
recompilation.

Best regards,
Rafael Akchurin

> On 1 Nov 2018, at 21:08, José J. Rodriguez wrote:
> 
> Rafael Akchurin wrote:
>> Greeting all,
>> The online repository with latest Squid 4.4 (rebuilt from Debian unstable 
>> with sslbump support) for Ubuntu 18 LTS 64-bit is available at 
>> squid44.diladele.com. Github repo at 
>> https://github.com/diladele/squid-ubuntu contains the scripts we used to 
>> make this compilation.
> 
> Hi:
> 
> Will this work on Debian 9.X?
> 
> Regards,
> Joe1962


Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-31 Thread Rafael Akchurin
Hello Samuel,

Yes will make the Docker when 7.0 is in beta stage, now we need to polish it a 
little.
Added issue at https://github.com/diladele/websafety-issues/issues/1030

Best regards,
Rafael Akchurin
Diladele B.V.

From: squid-users  On Behalf Of S 
Irlapati
Sent: Wednesday, 31 October 2018 19:54
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with 
sslbump support from sources in Debian unstable)


Is it possible to make a docker image for this?
On 10/31/18 12:23 PM, Rafael Akchurin wrote:
Greeting all,

The online repository with latest Squid 4.4 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid44.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid43.diladele.com 
will be taken down in two weeks.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid44.diladele.com/ubuntu/ bionic main" \
  > /etc/apt/sources.list.d/squid44.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient








[squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-31 Thread Rafael Akchurin
Greeting all,

The online repository with latest Squid 4.4 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid44.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid43.diladele.com 
will be taken down in two weeks.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid44.diladele.com/ubuntu/ bionic main" \
  > /etc/apt/sources.list.d/squid44.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient



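The repo instructions above (and their repeats in the 4.6 and 4.8 announcements) fetch the signing key over plain http and hand it to apt-key, which trusts it for every repository on the machine. Added example, not part of the diladele scripts: check the key's fingerprint against one obtained out of band before writing it to a dedicated keyring, and reference that keyring with signed-by so it vouches for this repository only. The fingerprint constant, the https scheme and the gpg listing are placeholders/constructed values, not taken from the post.

```python
"""Pin an apt repository key to a known fingerprint and scope it with signed-by.

Added example (not from the diladele scripts). Placeholders/assumptions:
  EXPECTED_FPR       - fingerprint the repo operator publishes for their key
  SAMPLE_GPG_COLONS  - constructed `gpg --with-colons` listing for that key
  https://           - scheme assumed; the repos quoted in the post use http
"""
import re
import subprocess
from pathlib import Path

# Placeholder fingerprint: replace with the one obtained from the vendor.
EXPECTED_FPR = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Constructed sample of `gpg --with-colons --import-options show-only --import`
# for a primary key with one subkey; only the record types matter here.
SAMPLE_GPG_COLONS = """\
pub:-:4096:1:0000000000000000:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1500000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Repo <packages@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1500000000::::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
"""


def primary_fingerprints(colons_output: str) -> list[str]:
    """Fingerprints of the primary keys in a gpg --with-colons listing.

    An `fpr` record belongs to the record just before it: after `pub` it is
    the primary key, after `sub` a subkey, which must not be accepted as the
    identity of the key.
    """
    fprs, previous = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub":
            fprs.append(fields[9].upper())
        previous = fields[0]
    return fprs


def key_matches(colons_output: str, expected_fpr: str) -> bool:
    """True only for key material holding exactly one primary key with the
    expected fingerprint; a bundle with extra keys is rejected as a whole."""
    expected = re.sub(r"\s+", "", expected_fpr).upper()
    return primary_fingerprints(colons_output) == [expected]


def sources_entry(host: str, suite: str, keyring) -> str:
    """sources.list line whose signed-by limits this keyring to this repo,
    instead of apt-key's global trust for every repository on the box."""
    return f"deb [signed-by={keyring}] https://{host}/ubuntu/ {suite} main\n"


def install_repo(key_bytes: bytes, host: str, suite: str, expected_fpr: str,
                 keyring: Path, sources: Path) -> bool:
    """Verify the downloaded armored key, then write keyring and sources file.

    Returns False and writes nothing on a fingerprint mismatch. Runs gpg, so
    this function is not part of the offline checks.
    """
    listing = subprocess.run(
        ["gpg", "--with-colons", "--import-options", "show-only", "--import"],
        input=key_bytes, capture_output=True, check=True).stdout.decode()
    if not key_matches(listing, expected_fpr):
        return False
    dearmored = subprocess.run(["gpg", "--dearmor"], input=key_bytes,
                               capture_output=True, check=True).stdout
    keyring.write_bytes(dearmored)
    sources.write_text(sources_entry(host, suite, keyring))
    return True
```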


Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Rafael Akchurin
Yes you can use any ICAP/eCAP server you like, just adjust the docs as required 
and that is it.

From: Uchenna Nebedum 
Sent: Friday, 19 October 2018 20:17
To: Rafael Akchurin 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original 
IPs on local

Thanks a lot Rafael, I've gone through the documentation; it looks to be very 
promising. One reservation I have is I want to use greasyspoon for icap and I 
see ecap is implemented already. I intend to install everything as suggested on 
the link, then after this change squid.conf to remove the ecap connection.
Please, I hope this will work?

Thanks a lot again for the link, it really explained everything well enough for 
a beginner.
Uchenna Nebedum

On Fri, Oct 19, 2018, 18:30 Rafael Akchurin <rafael.akchu...@diladele.com> wrote:
Hello Uchenna,

Maybe this policy-based routing with Mikrotik tutorial will be of some use.
See https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Uchenna Nebedum
Sent: Friday, 19 October 2018 18:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs 
on local

Good Day All,
I'm new to squid and I have configured squid as an http transparent proxy with 
a mikrotik.
The squid server has only a single NIC, so I followed a tutorial and set up a 
dst-nat to squid proxy for traffic on port 80:
Chain: dstnat
Protocol: tcp
Dst-port: 80
Action: dst-nat
To Addresses: 192.168.2.2 (squid proxy)
To ports: 8080
But after setup, only https traffic works correctly;
http traffic client error is "This page isn't working ERR_EMPTY_RESPONSE".
squid access.log is empty, then in squid cache.log these are the errors:

```
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92) Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33
```
Please find below my squid.conf contents:

```
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
icap_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
adaptation_service_set class_req service_req
adaptation_access class_req allow all
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
adaptation_service_set class_resp service_resp
adaptation_access class_resp allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 8080 transparent
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320
```
please any help or correction would be highly appreciated, i am not even sure 
if the approach is correct.

--
Nebedum Uchenna
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Rafael Akchurin
Hello Uchenna,

Maybe this policy-based routing with Mikrotik tutorial will be of some use.
See https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users  On Behalf Of 
Uchenna Nebedum
Sent: Friday, 19 October 2018 18:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs 
on local

Good Day All,
I'm new to Squid and I have configured Squid as an HTTP transparent proxy with 
a Mikrotik.
The Squid server has only a single NIC, so I followed a tutorial and set up a 
dst-nat to the Squid proxy for traffic on port 80:
Chain: dstnat
Protocol: tcp
Dst-port: 80
Action: dst-nat
To Addresses: 192.168.2.2 (squid proxy)
To ports: 8080
But after setup, only HTTPS traffic works correctly; the client error for HTTP 
traffic is "This page isn't working ERR_EMPTY_RESPONSE".
Squid's access.log is empty, and in Squid's cache.log these are the errors:

```
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92) Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33
```
Please find below my squid.conf contents:

```
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
icap_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
adaptation_service_set class_req service_req
adaptation_access class_req allow all
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
adaptation_service_set class_resp service_resp
adaptation_access class_resp allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
# "transparent" is the legacy spelling of the "intercept" port mode
http_port 8080 transparent
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320
```
Any help or correction would be highly appreciated; I am not even sure 
if the approach is correct.

--
Nebedum Uchenna
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
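The two cache.log lines in the post are the symptom of NAT being done on the Mikrotik rather than on the Squid box: Squid's intercept code asks the local kernel for the connection's original destination (SO_ORIGINAL_DST), and errno 92 (ENOPROTOOPT on Linux) means the local kernel has no NAT lookup to offer at all, so the original server address is unrecoverable on this host. That is what the policy-routing tutorial linked above avoids (route the traffic to the Squid box, redirect there). The script below is an added example, not Squid's or Diladele's code: it parses such cache.log lines and turns them into a verdict. The sample is the two lines from the post re-joined onto single lines plus one constructed unrelated line; the intercept port list is an assumption.

```python
"""Triage "NAT/TPROXY lookup failed" errors in a Squid cache.log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two errors from the post, re-joined onto single lines
# and stripped of the link residue the archive added, plus one unrelated line.
SAMPLE_CACHE_LOG = """\
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92) Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33
2018/10/19 17:09:01 kid1| storeLateRelease: released 0 objects
"""

# errno values as defined on Linux, where the log was produced; hard-coded so
# the verdict does not change when this script runs on another OS.
LINUX_ERRNO = {92: "ENOPROTOOPT", 2: "ENOENT"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| ERROR: "
    r"(?P<what>NF getsockopt\(ORIGINAL_DST\) failed"
    r"|NAT/TPROXY lookup failed to locate original IPs) on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=(?P<flags>\d+)"
    r"(?:: \((?P<errno>\d+)\) (?P<errmsg>.*))?$"
)


@dataclass
class NatFailure:
    ts: str
    what: str
    local: str
    remote: str
    fd: int
    flags: int
    err: Optional[int]  # errno from the getsockopt line, if the line had one

    @property
    def local_port(self) -> int:
        # works for "1.2.3.4:8080" and "[::1]:8080" alike
        return int(self.local.rsplit(":", 1)[1])


def parse_cache_log(text: str) -> List[NatFailure]:
    """Keep only the NAT/TPROXY related ERROR lines; everything else is skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m is None:
            continue
        found.append(NatFailure(m["ts"], m["what"], m["local"], m["remote"],
                                int(m["fd"]), int(m["flags"]),
                                int(m["errno"]) if m["errno"] else None))
    return found


def diagnose(events: List[NatFailure], intercept_ports=(8080,)) -> Dict[str, object]:
    """Classify the failures seen on the intercept port(s).

    ENOPROTOOPT from SO_ORIGINAL_DST means the kernel on the Squid host offers
    no NAT lookup for the socket (no netfilter NAT is active here), i.e. the
    destination rewrite happened on another device before the packet arrived.
    """
    on_intercept = [e for e in events if e.local_port in intercept_ports]
    if not on_intercept:
        return {"verdict": "clean", "connections": 0}
    connections = {(e.fd, e.remote) for e in on_intercept}
    enoprotoopt = [e for e in on_intercept if e.err == 92]
    if enoprotoopt:
        verdict = "nat-done-off-box"
        advice = ("The gateway rewrote the destination before the packet reached this "
                  "host. Route port-80 traffic to the Squid box with policy routing "
                  "and do the redirect to the intercept port on the Squid box itself.")
    else:
        verdict = "nat-lookup-failed"
        advice = "Original destination missing from the local NAT table; check the local NAT rules."
    return {
        "verdict": verdict,
        "connections": len(connections),
        "errno": sorted({LINUX_ERRNO.get(e.err, str(e.err)) for e in enoprotoopt}),
        "remotes": sorted({e.remote.rsplit(":", 1)[0] for e in on_intercept}),
        "advice": advice,
    }


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE_CACHE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(diagnose(parse_cache_log(text)), indent=2))
```

Run it as `python3 nat_triage.py < /var/log/squid/cache.log`; with no input it analyses the embedded sample. The remote addresses it lists are worth a look too: if every failing connection appears to come from the gateway's own address, the gateway is also src-natting, which hides the real clients from Squid's ACLs and logs.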


[squid-users] Ubuntu 18 LTS repository for Squid 4.3 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-11 Thread Rafael Akchurin
Greeting all,

The online repository with latest Squid 4.3 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid43.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid42.diladele.com 
will be taken down in two weeks.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid43.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid43.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid 3.5.28 for Microsoft Windows 64-bit is available

2018-09-06 Thread Rafael Akchurin
Greetings everyone,

Sorry, with an even bigger delay, we would like to announce the availability of 
the CygWin-based build of Squid proxy for Microsoft Windows version 3.5.28 
(amd64 only!). The delay was caused by our inability to code-sign the MSI 
under the new "token" requirements.

* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.28-RELEASENOTES.html .
* Ready to use MSI package can be downloaded from http://squid.diladele.com .
* List of open issues for the installer - 
https://github.com/diladele/squid-windows/issues

Thanks a lot to the Squid developers for making this great software!

Please join our humble efforts to provide a ready-to-run MSI installer for Squid 
on Microsoft Windows with all required dependencies at GitHub -
https://github.com/diladele/squid-windows . Report all issues/bugs/feature 
requests at the GitHub project.
Issues about the *MSI installer only* can also be reported to 
supp...@diladele.com .

Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] [icap] Web Safety 6.4 web filter plugin for Squid proxy is available

2018-09-04 Thread Rafael Akchurin
Greetings everyone,

Next version of Web Safety web filter for Squid proxy (version 6.4.0.2517 built 
on July 5, 2108) is now available for download.
This version contains the following fixes and improvements:


* YouTube Guard filtering daemon now runs as a separate process. This allows filtering traffic by both the Google Safe Browsing and YouTube restriction modules at the same time.
* The UI of YouTube filtering rules has been completely rewritten; it is now possible to selectively filter YouTube videos by policies (enable for students, disable for staff).
* Fixed an error in policy filtering exclusions by remote domain IP address.
* Added initial support for Ubuntu 18 LTS and Squid 4 (full support will be added in Web Safety 6.5).
* Added an advanced field to manually manage additions to the NIC management file /etc/network/interfaces on Ubuntu 16 and Debian 9.
* Builds for FreeBSD (pfSense) are not produced any more; please use version 6.3 if you require running Web Safety on FreeBSD (pfSense). We are now trying to build a separate product for the pfSense platform.

Pre-configured virtual appliance is available from 
https://www.diladele.com/virtual_appliance.html (can be run in VMWare 
ESXi/vSphere or Microsoft Hyper-V).
The same virtual appliance can be easily deployed in Microsoft Azure with the 
following link 
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety?tab=Overview

GitHub repo with automation scripts we used to build this virtual appliance 
from stock Ubuntu 16 LTS image is at 
https://github.com/diladele/websafety-virtual-appliance
Your questions/issues/bugs are welcome at supp...@diladele.com

Direct link to virtual appliance:

* http://packages.diladele.com/websafety/6.4.0.2517/va/ubuntu16/websafety.zip

Version 6.5 will include initial implementation of Application Control (like 
allow Spotify, block Facebook Messenger) module as well as support for Ubuntu 
18 LTS and latest Squid 4. See the version history at 
https://docs.diladele.com/version_history/index.html

Thanks to all of you for making this possible!

Best regards,
Rafael Akchurin
Diladele B.V.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid + Squidguard Youtube URL video filtering

2018-08-16 Thread Rafael Akchurin
Hello Roberto,

Another way is to have a dedicated YouTube API rewriter or say ICAP filter (as 
we do in Web Safety version 6.4) and try to allow/block video by parsing out 
the video ID from request URL and looking up its related meta information on 
the fly in YouTube database.

See our rewriter in the Web Safety ICAP filter for Squid, available as part of 
the virtual appliance at https://www.diladele.com/virtual_appliance.html. The 
code is in Python in /opt/websafety/bin/youtube_guard.py and is very easy to 
understand.

Please note our guard assumes the video partials from googlevideo.com are 
allowed. If you need to further prevent access to these partials and allow only 
your video no matter what - then keeping a close eye on the 
https://github.com/rg3/youtube-dl project is a must.

Please note in Web Safety 6.4 (ICAP for Squid) we have rewritten that 
functionality in golang to allow specifying different allow/deny 
videos/categories/channels per different group of proxy users. So be sure to 
get version 6.3.

Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com

 

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Roberto Carna
Sent: Thursday, August 16, 2018 9:51 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid + Squidguard Youtube URL video filtering

Dear Amos, I've tried to sniff the HTTP requests when I ask for:

https://www.youtube.com/embed/ff9sDLGtnK8?rel=0=0

After that I've created a Squidguard exception list as below:

ytimg.com
googlevideo.com
googleapis.com
www.youtube.com/embed/ff9sDLGtnK8?rel=0=0

But I can't see the video yet.

Please, I need to know whether it is just impossible to do this exception 
using Squidguard; in that case I will forget it.

Thanks a lot again!!!


2018-08-16 10:17 GMT-03:00 Amos Jeffries :
> On 17/08/18 00:43, Roberto Carna wrote:
>> Dear, I have Squid + Squidguard working OK.
>>
>> Squidguard is filtering the entire www.youtube.com website.
>>
>> But now I have to permit just one video from Youtube:
>>
>> https://www.youtube.com/embed/ff9sDLGtnK8?rel=0=0
>>
>> I have added the below URL as an exception in Squidguard:
>>
>> www.youtube.com/embed/ff9sDLGtnK8?rel=0=0
>>
>> but after that I can't see it, still blocked.
>>
>> How can I enable just this URL from Squidguard preferently blocking 
>> the rest of Youtube ???
>
> Unfortunately only with a great deal of difficulty.
>
> The "?v=..." and "/embed/..." URLs are just public identifiers to 
> access the YouTube APIs. At the HTTP level they result in a quite long 
> series of sub-requests, redirections and the like bouncing all over 
> the
> youtube.* and googlevideos.* and googleapis.* domains.
>  Yes all of them are involved multiple times. So whitelisting is an 
> all-or-nothing prospect, with other G services being implicitly 
> whitelisted as side effects.
>
>
> Also, whenever the way to decipher the above maze of traffic gets 
> published so we can do things like what you ask, YT shortly afterwards 
> changes how it operates - usually towards even more complexity. This 
> has happened too many times to be coincidence IMO.
>
>
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] splunk 3.5.27-Sec Advisories

2018-08-03 Thread Rafael Akchurin
We are waiting on it. Sorry summer time :)

Best regards,
Rafael Akchurin

> On 3 Aug 2018 at 21:06, Kumpf, Scott wrote:
> 
> Greetings,
> 
> Checking in to see how the new Squid for Windows build is coming along, is 
> there an update?  Is there a tentative release date? 
> 
> *Subject is incorrect---ignore 'splunk'
> 
> Scott Kumpf
> Sr. Network Engineer-EMS (Contractor)
> Orlando Utilities Commission
> Office: (407) 434-4305 / Cell: (386) 547-2698
> Email: sku...@ouc.com
> 
> 
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Rafael Akchurin
> Sent: Saturday, July 28, 2018 1:36 AM
> To: Amos Jeffries 
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] splunk 3.5.27-Sec Advisories
> 
> Hello Amos, Scott,
> 
> Will try building now. Shall be possible by the end of next week I hope.
> 
> Best regards,
> Rafael Akchurin
> 
>>> On 28 Jul 2018 at 07:23, Amos Jeffries wrote:
>>> 
>>> On 28/07/18 08:48, Kumpf, Scott wrote:
>>> Greetings,
>>> 
>>> The organization I work for is running Splunk for Windows version 3.5.27 
>>> which is impacted by 3 security vulnerabilities that were released earlier 
>>> this year.  From what I can tell, our squid implementation was installed 
>>> using an MSI package from Diladele.  It is my understanding per the 
>>> advisories, the first point of contact for support is the 
>>> maintainer/package vendor.  Diladele referred me back to Squid Developers 
>>> and the only version that they have made available is version 3.5.27.  As I 
>>> am not too familiar with source code packaging or compiling, I am in search 
>>> of some guidance on available options to mitigate or remediate these 
>>> vulnerabilities.  I believe 2 of them have workarounds that can be 
>>> implemented by modifying the squid.conf.
>>> As I am not aware of how to determine how this version was configured at 
>>> build time, I am not 100% certain whether my implementation is even 
>>> vulnerable.  Supposing the software is at risk, the advisories indicate 
>>> there are patches available for each issue; however, I'm not clear on what 
>>> to do with the information that the patch link presents.
>>> 
>> 
>> The command line "squid -v" will list the build options used for your 
>> particular binary along with its particular version. The advisory 
>> section titled "Determining if your version is vulnerable:" is a 
>> checklist to compare against your Squid. One statement there should 
>> match your particular Squid installation.
>> 
>> The fixes for all these are in our 3.5.28 bundle from 10 days ago. I 
>> have not made the official announcements yet (thanks for the reminder) 
>> so Diladele may have not been aware.
>> 
>> I've cc'd Rafael on this reply and also opened an issue in the tracker 
>> specifically notifying of the release so they can start on that while 
>> I do the write-up. 
>> <https://github.com/diladele/squid-windows/issues/81>
>> 
>> 
>> HTH
>> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 
> DISCLAIMER:
> Florida has a very broad public records law. As a result, any written 
> communication created or received by Orlando Utilities Commission officials 
> and employees will be made available to the public and media, upon request, 
> unless otherwise exempt. Under Florida law, email addresses are public 
> records. If you do not want your email address released in response to a 
> public records request, do not send electronic mail to this office. Instead, 
> contact our office by phone or in writing.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] splunk 3.5.27-Sec Advisories

2018-07-27 Thread Rafael Akchurin
Hello Amos, Scott,

Will try building now. Shall be possible by the end of next week I hope.

Best regards,
Rafael Akchurin

> On 28 Jul 2018 at 07:23, Amos Jeffries wrote:
> 
>> On 28/07/18 08:48, Kumpf, Scott wrote:
>> Greetings,
>> 
>> The organization I work for is running Splunk for Windows version 3.5.27 
>> which is impacted by 3 security vulnerabilities that were released earlier 
>> this year.  From what I can tell, our squid implementation was installed 
>> using an MSI package from Diladele.  It is my understanding per the 
>> advisories, the first point of contact for support is the maintainer/package 
>> vendor.  Diladele referred me back to Squid Developers and the only version 
>> that they have made available is version 3.5.27.  As I am not too familiar 
>> with source code packaging or compiling, I am in search of some guidance on 
>> available options to mitigate or remediate these vulnerabilities.  I believe 
>> 2 of them have workarounds that can be implemented by modifying the 
>> squid.conf.
>> As I am not aware of how to determine how this version was configured at 
>> build time, I am not 100% certain whether my implementation is even 
>> vulnerable.  Supposing the software is at risk, the advisories indicate 
>> there are patches available for each issue; however, I'm not clear on what 
>> to do with the information that the patch link presents.
>> 
> 
> The command line "squid -v" will list the build options used for your
> particular binary along with its particular version. The advisory
> section titled "Determining if your version is vulnerable:" is a
> checklist to compare against your Squid. One statement there should
> match your particular Squid installation.
> 
> The fixes for all these are in our 3.5.28 bundle from 10 days ago. I
> have not made the official announcements yet (thanks for the reminder)
> so Diladele may have not been aware.
> 
> I've cc'd Rafael on this reply and also opened an issue in the tracker
> specifically notifying of the release so they can start on that while I
> do the write-up. <https://github.com/diladele/squid-windows/issues/81>
> 
> 
> HTH
> Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squidclient and PROXY protocol enabled http_port (solved)

2018-04-17 Thread Rafael Akchurin
Hello Amos, Eliezer and all,

Thanks a lot for your ideas/suggestions. Decided to go the easy way:

- added another "http_port 127.0.0.1:3128" directive to squid.conf 
(without the require-proxy-header option)

- directed the squidclient binary to use it

Hopefully there are no side effects from this configuration.

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at https://www.diladele.com - ICAP web filtering plugin for 
Squid proxy.


From: Rafael Akchurin
Sent: Saturday, April 14, 2018 10:14 AM
To: squid-users (squid-users@lists.squid-cache.org) 
<squid-users@lists.squid-cache.org>
Subject: squidclient and PROXY protocol enabled http_port

Greetings to everyone,

I have the following deployment:

- Several Squid nodes configured with "http_port 3128 
require-proxy-header"

- One haproxy that relays TCP connections to nodes

- squidclient that is run on each node manually

Browsers pointing to haproxy are correctly serviced by Squid nodes. Everything 
works as expected.
But trying to run squidclient to get mgr:idns results in the following.

squidclient -v mgr:idns -h 127.0.0.1 -p 3128
Request:
GET 3128 HTTP/1.0
User-Agent: squidclient/3.5.23
Accept: */*
Connection: close

Cache_log indicates:
2018/04/14 10:04:38 kid1| PROXY client not permitted by ACLs from local=[::1]:3128 remote=[::1]:38854 FD 21 flags=1

That is good and fine; but after adding 127.0.0.1 into the proxy_protocol_access 
directive the error changes into:

2018/04/14 10:10:10 kid1| PROXY protocol error: invalid header from local=127.0.0.1:3128 remote=127.0.0.1:36648 FD 23 flags=1

Question

Is it possible to ask squidclient to prepend the PROXY header to its request?


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] squidclient and PROXY protocol enabled http_port

2018-04-14 Thread Rafael Akchurin
Greetings to everyone,

I have the following deployment:

- Several Squid nodes configured with "http_port 3128 
require-proxy-header"

- One haproxy that relays TCP connections to nodes

- squidclient that is run on each node manually

Browsers pointing to haproxy are correctly serviced by Squid nodes. Everything 
works as expected.
But trying to run squidclient to get mgr:idns results in the following.

squidclient -v mgr:idns -h 127.0.0.1 -p 3128
Request:
GET 3128 HTTP/1.0
User-Agent: squidclient/3.5.23
Accept: */*
Connection: close

Cache_log indicates:
2018/04/14 10:04:38 kid1| PROXY client not permitted by ACLs from local=[::1]:3128 remote=[::1]:38854 FD 21 flags=1

That is good and fine; but after adding 127.0.0.1 into the proxy_protocol_access 
directive the error changes into:

2018/04/14 10:10:10 kid1| PROXY protocol error: invalid header from local=127.0.0.1:3128 remote=127.0.0.1:36648 FD 23 flags=1

Question

Is it possible to ask squidclient to prepend the PROXY header to its request?


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
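squidclient has no option to emit a PROXY protocol header, which is why the second error above reports an invalid header on a `require-proxy-header` port: the first bytes Squid reads are `GET ...` where it expects `PROXY ...`. As an added example (not squidclient's or Squid's code), the Python below builds and parses the PROXY protocol v1 line that a TCP relay such as haproxy sends ahead of the client's bytes, and shows how a cache-manager request would be wrapped in it. `fetch_manager_page`, the `cache_object://` manager URL form (what squidclient 3.x issues, as far as I recall; check with `squidclient -v`) and the host/port defaults are assumptions.

```python
"""PROXY protocol v1 (added example): build the header a relay sends, and parse
it the way a receiver such as a "require-proxy-header" port must."""
import ipaddress
import socket
from typing import Dict, Optional, Tuple

MAX_V1_HEADER = 107  # longest valid v1 line including CRLF (TCP6 worst case)


def build_proxy_v1_header(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Return b"PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n" for the real
    client (src) and the address the client connected to (dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same IP family")
    for p in (sport, dport):
        if not 0 < p <= 65535:
            raise ValueError(f"bad port {p}")
    family = "TCP4" if s.version == 4 else "TCP6"
    line = f"PROXY {family} {s.compressed} {d.compressed} {sport} {dport}\r\n"
    return line.encode("ascii")


def parse_proxy_v1_header(data: bytes) -> Tuple[Optional[Dict[str, object]], bytes]:
    """Split a v1 header off the front of a stream: returns (info, rest), with
    info None for "PROXY UNKNOWN". Anything malformed raises ValueError, which
    a receiver treats as a protocol error and closes (Squid logs "PROXY
    protocol error: invalid header")."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)   # CRLF must fall inside 107 bytes
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 PROXY header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad family or field count")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the declared one")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    info = {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}
    return info, data[end + 2:]


def manager_request(item: str, host: str = "localhost") -> bytes:
    """Cache-manager request in the cache_object:// form squidclient 3.x uses
    (assumption: compare with the "Request:" block of squidclient -v)."""
    return (f"GET cache_object://{host}/{item} HTTP/1.0\r\n"
            f"Host: {host}\r\nAccept: */*\r\nConnection: close\r\n\r\n").encode("ascii")


def fetch_manager_page(item: str, host: str = "127.0.0.1", port: int = 3128) -> bytes:
    """Send PROXY header + manager request over a real socket (hypothetical
    helper, not exercised offline). The PROXY line names the real client,
    which here is this process itself."""
    with socket.create_connection((host, port), timeout=5) as sk:
        local_ip, local_port = sk.getsockname()[:2]
        sk.sendall(build_proxy_v1_header(local_ip, host, local_port, port)
                   + manager_request(item))
        chunks = []
        while True:
            buf = sk.recv(65536)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)
```

Whatever is allowed to send this line can assert any client address for ACL evaluation and logging, so `proxy_protocol_access` should admit only the relay's addresses; the loopback-only second `http_port` without `require-proxy-header` from the (solved) reply keeps that trust boundary intact while still giving squidclient a port to talk to.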


[squid-users] [icap] Web Safety 6.2 web filter plugin for Squid proxy is Release Candidate

2018-04-13 Thread Rafael Akchurin
Greetings all,

Next version of Web Safety web filter for Squid proxy (version 6.2.0.FD48, 
built on April 13, 2018, Release Candidate) is now available for download.
This version contains the following fixes and improvements:


* Added a new dynamic site categorization module. This module works on both requests and responses. When categorizing requests, the URL, Referer and Host headers are scanned. When categorizing responses, the textual contents of pages are scanned. Currently there are dynamic categorizers for the Nudity Pornography, Adult Themes Sexuality, Drugs and Gambling categories, but more and more categorizers will be added with each release. We target to finally have all available categories covered.

* Redesigned and re-implemented deep content inspection engine. The speed of content inspection is a little improved. Detection is now done faster. The amount of RAM used when performing adult language detection is greatly decreased (approximately 10 times).

Pre-configured virtual appliance is available from 
https://www.diladele.com/download_next_version.html (should be run in VMWare 
ESXi/vSphere or Microsoft Hyper-V). GitHub repo with automation scripts we used 
to build this virtual appliance from stock Ubuntu 16 LTS image is at 
https://github.com/diladele/websafety-virtual-appliance/tree/release-6.2.0 .

Direct link to virtual appliance:


* http://packages.diladele.com/websafety/6.2.0.FD48/va/ubuntu16/websafety.zip

Please deploy this version in non-too-critical environments only. Your 
questions/issues/bugs are welcome at supp...@diladele.com
Version 6.3 will include re-implemented Surfing Now page and CTIRU URL 
prevention list (provided by Home Office UK).

You can join our community to get free early access to next development builds 
at https://www.diladele.com/community.html .

Thanks to all of you for making this possible!

Best regards,
Rafael Akchurin
Diladele B.V.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid is very slow after moving to production environment

2018-04-09 Thread Rafael Akchurin
Hello Roberto,

When Squid is "slow", as users complain, the first thing to check is always the 
DNS settings.
Also, sometimes switching to "IPv4 DNS resolve first" helps.

Look for "squidclient mgr:idns" and "dns_v4_first on" on Squid wiki.

Hope others have better answers.

Best regards,
Rafael Akchurin
Diladele B.V.

https://www.diladele.com/


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Roberto Carna
Sent: Monday, April 9, 2018 9:59 PM
To: Antony Stone <antony.st...@squid.open.source.it>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid is very slow after moving to production 
environment

Dear Antony, both proxies are virtual machines in the same DMZ; they use the 
same DNS, the same firewall, the same Internet link, the same IP but different 
MAC Address.

Firewall rules are the same too.

The new proxy is slow because when users try to go to a web page, it is very 
slow in downloading the page content: about 1 minute to do it.

The Dansguardian configuration is the same too.

I've pasted my configuration in the previous mail.

Thanks a lot !!!



2018-04-09 16:36 GMT-03:00 Antony Stone <antony.st...@squid.open.source.it>:
> On Monday 09 April 2018 at 21:00:21, Roberto Carna wrote:
>
>> Dear, I have implemented a server with Dansguardian 10.2.1.1 and 
>> Squid 3.5.23-5.
>>
>> I've tested it with 5 users for along 2 months and always it worked OK.
>>
>> But today when a moved it to production environment, it worked but 
>> very very slow.
>
> 1. What is "very very slow"?  What difference are you noticing:
>
>  - limited bandwidth for downloads?
>
>  - high latency for reaching new URLs?
>
>  - reduced ability to handle new requests?
>
> Basically, how are you measuring the difference between test 
> performance and production performance?
>
> 2. Please explain your networking setups for the test and production
> environments:
>
>  - do they share the same Internet connection?
>
>  - do they both go through the same firewall?
>
>  - do they both use the same DNS server, or have their own DNS 
> servers, or what?
>
>  - are the same traffic rules implemented for each proxy on the firewall/s?
>
>  - do you use any form of user authentication, and if so, please give 
> details
>
> 3. What volume of requests per hour / minute / day / whatever is 
> convenient did you have in the test environment, and what volume do 
> you have now in the production environment?
>
>> I've just changed hostname and IP, in order to match with the old 
>> proxy server and flush the ARP table of the firewall (because this 
>> server has the same IP but different MAC Address), and no more. And 
>> let me say that in the production environment there are 30-40 users 
>> in all; it's not a big number of users at all.
>>
>> Where can I start to see in order to analyze the problem? Any idea to 
>> help me?
>
>
> Regards,
>
>
> Antony.
>
> --
> I thought I had type A blood, but it turned out to be a typo.
>
>Please reply to the list;
>  please *don't* CC me.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] multiple log_file_daemon settings in squid.conf

2018-03-20 Thread Rafael Akchurin
Greetings all,

I am trying to find the best (easiest, least interfering) solution for the 
following problem.

Our custom ICAP server writes various information about ICAP transaction (user 
name, policy ip, detection module, timings, words triggered detection, etc) 
into the record database. This happens at the time when ICAP transaction ends. 
Based on that information we build extensive reports of web filtering activity.

As is known, the end of the ICAP transaction does not mean the end of the 
original transaction in Squid - e.g. after scanning a CONNECT request and 
allowing it to proceed, the actual data transfer from Squid's perspective may 
end much, much later. The piece of information that would be very interesting 
for the reporting module is how many bytes were pumped through that connection. 
This information is only available after the original Squid transaction ends.

So somehow in the record database we must correlate the ICAP transaction(s) 
with original Squid transaction.

Question 1:
Is there any unique transaction ID in the Squid's inner workings that I can see 
in the ICAP server, by passing it as additional X-* ICAP header?
I see some references to so called "master transaction" in the docs but could 
not find any log format like identifier that can be used for ICAP header value.

Question 2:
If there is no such transaction ID, I can use ICAP header to pass the ICAP 
specific transaction ID back to Squid *and* I can get that ID written to 
Squid's access log as "X-WebSafety-IID=%{X-WebSafety-IID}adapt::<last_h". Is it 
a valid approach?

Question 3:
If Q1 or Q2 is answered positively, I still need to somehow get the data from 
Squid's access log into the ICAP record database. Currently the idea is to have 
a custom logfile_daemon setting that would fork the original log_file_daemon to 
have log entries written to access_log *and* parse out the ICAP ID *and* update 
the corresponding ICAP record in the database with the transferred bytes 
information. But this seems complex and fragile.

Is it possible to have *two* daemon log settings in squid.conf? One 
(original) would write access_log as usual and another one would parse out 
pumped bytes and update the ICAP records database.

Hope I could explain it :(

Thanks in advance for everyone taking time to respond.

Best regards,
Rafael Akchurin
Diladele B.V.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
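On Question 2 and Question 3: `logfile_daemon` names a single helper program used by every `daemon:` access_log, but `access_log` itself may be given several times with different modules, so the stock log can stay on `stdio:` while one extra `daemon:` log carries only the fields needed for correlation. The Python below is an added example, not Squid's or Diladele's code, of such a helper: it reads the logfile-daemon protocol on stdin, writes the raw lines to the file Squid passes in argv[1], and folds the byte counts into a record store keyed by the ICAP ID logged with `%{X-WebSafety-IID}adapt::<last_h`. The logformat, paths, the protocol command letters and the sample lines are assumptions or constructed, as marked in the code.

```python
#!/usr/bin/env python3
"""Custom Squid logfile daemon that credits transferred bytes to ICAP
transaction IDs (added example, not Squid's or Diladele's code).

Assumed squid.conf (only the adapt:: token comes from the thread):
    logformat icapcorr %ts.%03tu %>a %>st %<st %rm %ru %{X-WebSafety-IID}adapt::<last_h
    access_log stdio:/var/log/squid/access.log squid
    logfile_daemon /usr/local/bin/icap_corr_daemon.py
    access_log daemon:/var/log/squid/icapcorr.log icapcorr
logfile_daemon names ONE helper for every daemon: log, so the stock access.log
is written by the stdio: module and only the correlation log reaches this
helper. Squid starts it with the log path as argv[1] and feeds it one command
per line on stdin.
"""
import sys
from typing import Dict, List, Optional, Tuple

IID_ABSENT = "-"  # Squid logs "-" when the adapt:: header was not seen


def parse_icapcorr_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (iid, bytes_from_client, bytes_to_client), or None when the line
    carries no ICAP ID to correlate on (e.g. a request that bypassed ICAP)."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _ts, _client, req_bytes, rep_bytes, _method, _url, iid = fields
    if iid == IID_ABSENT:
        return None
    return iid, int(req_bytes), int(rep_bytes)


class RecordStore:
    """Stand-in for the ICAP record database, keyed by ICAP transaction ID."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, int]] = {}

    def add_transfer(self, iid: str, req_bytes: int, rep_bytes: int) -> None:
        row = self.rows.setdefault(iid, {"bytes_in": 0, "bytes_out": 0, "hits": 0})
        row["bytes_in"] += req_bytes   # client -> Squid
        row["bytes_out"] += rep_bytes  # Squid -> client
        row["hits"] += 1               # tolerate an ID that is logged more than once


# Command letters of the logfile-daemon protocol as Squid's own log_file_daemon
# helper implements them, from memory (assumption: check helpers/log_daemon/file
# in your Squid tree): L=log line, R=rotate, T=truncate, O=reopen, F=flush.
def handle_command(raw: str, store: RecordStore, sink: List[str]) -> str:
    """Process one protocol line. Log text is appended to `sink` for writing
    so nothing Squid sent is lost even when a line does not parse."""
    if not raw:
        return "ignored"
    cmd, payload = raw[0], raw[1:].rstrip("\r\n")
    if cmd == "L":
        sink.append(payload)
        parsed = parse_icapcorr_line(payload)
        if parsed is None:
            return "logged"
        store.add_transfer(*parsed)
        return "correlated"
    if cmd in ("R", "T", "O", "F"):
        return "control:" + cmd
    return "unknown"


# Constructed sample of what Squid would pipe in with the logformat above.
SAMPLE_STDIN = [
    "L1521540000.123 192.168.1.20 612 48213 GET http://example.test/ icap-7f3a-001\n",
    "L1521540001.004 192.168.1.21 480 0 CONNECT example.test:443 -\n",
    "L1521540009.871 192.168.1.21 1999 874411 CONNECT example.test:443 icap-7f3a-002\n",
    "R\n",
]


def replay(lines: List[str]) -> Tuple[RecordStore, List[str], List[str]]:
    """Feed protocol lines through the handler; returns store, written lines, results."""
    store, sink, results = RecordStore(), [], []
    for raw in lines:
        results.append(handle_command(raw, store, sink))
    return store, sink, results


if __name__ == "__main__":
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/dev/stdout"
    store, sink = RecordStore(), []
    with open(log_path, "a", buffering=1) as fh:  # line-buffered: flush per entry
        for raw in sys.stdin:
            handle_command(raw, store, sink)
            while sink:
                fh.write(sink.pop(0) + "\n")
```

In a real deployment `RecordStore.add_transfer` becomes the database update; keeping the write to the log file ahead of the database call means a slow or failing database never costs a log line, and Squid itself is unaffected as long as the helper keeps draining stdin.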


Re: [squid-users] Squid Transparent Proxy with Policy Routing in pfSense

2018-03-13 Thread Rafael Akchurin
Hello Antonio,

Sorry, no pfSense tutorials for now, but these two are *proven* to work 
just fine.

https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html
https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Hope it helps.

Best regards,
Rafael Akchurin
Diladele B.V.



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Antonio Emiliano
Sent: Tuesday, March 13, 2018 12:14 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid Transparent Proxy with Policy Routing in pfSense

Hi guys.

This is my last attempt before going to authenticated mode.

I searched all over the internet for a way to set up a "transparent squid" but 
until then the most I can get is an exhausted timeout when I go to an http.

My environment is as follows.

- Box squid 3.5.20
- pfSense as the default network gateway.
- Desktop Windows or linux.
- Only one network /24

I was able to make it work through this documentation: 
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

However this environment requires that the client has configured the gateway ip 
address of the squid itself.

It works. But that's not what I want.

NOTE: NAT configuration will only work when used on the squid box. This is 
required to perform intercept accurately and securely. To intercept from a 
gateway machine and direct traffic at a separate squid box use policy routing.

What I want is to make a rule in pfSense through policy routing, as described 
in the documentation. I've tried several ways, but every time I try to access 
the HTTP page it loads until the timeout expires.

The doc does not directly explain how to do this rule in pfSense.

I tried through NAT port forwarding and through firewall rules setting the 
squid server as gateway. But neither works.

I tried to take these two links as a base:
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
https://wiki.squid-cache.org/ConfigExamples/Intercept/PfPolicyRoute

There is no firewall block.
Some detail is missing either in pfSense or squid.

Please give me a light.

Att,

Antonio Emiliano
LinkedIn: https://www.linkedin.com/in/antonioemiliano

"Run, rabbit.
 Dig a hole, forget the sun,
 And when the work is finally done
 Don't rest, it's time to dig another."


[squid-users] [icap] Web Safety 6.1 web filter plugin for Squid proxy is available

2018-03-07 Thread Rafael Akchurin
Greetings all,

The next version of Web Safety ICAP web filter for Squid proxy (version 6.1.0.1995, 
built on January 15, 2018) is now available for download. This version contains 
the following fixes and improvements:


- Added URL rewriter for Google Safe Browsing (Update API v4). It is 
now possible to check each URL for malware and malicious links. You would need 
to register on Google Cloud Platform and obtain your own API key. More 
information is at https://developers.google.com/safe-browsing/v4/get-started.

- Redesigned exclusions in UI. There is only one list of exclusions 
now. It is possible to further specify what exclusions are needed for each list 
entry. Supported exclusions are "Skip HTTPS decryption (SSL Bump)", "Bypass 
proxy authentication", "Bypass web filter and antivirus scan", "Do not cache 
HTML pages" and "Bypass Google Safe Browsing".

Pre-configured virtual appliance is available from 
https://www.diladele.com/virtual_appliance.html (should be run in VMware 
ESXi/vSphere or Microsoft Hyper-V). GitHub repo with automation scripts we used 
to build this virtual appliance from stock Ubuntu 16 LTS image is at 
https://github.com/diladele/websafety-virtual-appliance/tree/master/scripts.ubuntu16 .

Direct links to virtual appliance:


- http://packages.diladele.com/websafety/6.1.0.1995/va/ubuntu16/websafety.zip

- http://packages.diladele.com/websafety/6.1.0.1995/va/centos7/websafety.zip

- http://packages.diladele.com/websafety/6.1.0.1995/va/ubuntu16/websafety-hyperv.zip

Free time-limited license key can be downloaded from 
http://packages.diladele.com/license/6/trial/2DF0D5CC9827ABD6510DC0A11C9A5A8FF3BE87AA/license.zip .

Your questions/issues/bugs are welcome at supp...@diladele.com. Next version 
will include dynamic real-time page categorization using machine learning 
algorithms. You can join our community to get early access to next development 
builds at https://www.diladele.com/community.html .

Thanks to all of you for making this possible!

Rafael Akchurin
Diladele B.V.


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
That's strange.
How is your network configured? Your rules indicate you have 2 NICs but you 
later say you have one.

Best regards,
Rafael Akchurin

> On 7 Feb 2018 at 23:31, setuid <set...@gmail.com> wrote:
> 
>> On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
>> If you do not mind looking at other tutorials - these are what we have in 
>> the test lab.
> 
>> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> 
> I can confirm that the instructions in this tutorial result in the same
> exact failure scenario as all previous attempts and tests (once I
> removed the unnecessary Apache/Web Safety bits).
> 
> Firewall rules are:
> 
> -A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT
> 
> Squid config is generic, with the exception of:
> 
> http_port 3126 intercept
> 
> There is a single interface on the host, which resides on the LAN _and_
> is Internet-facing (eth0).
> 
> The result is that I get the same as before:
> 
> ==> /var/log/squid3/access.log <==
> 1518042565.613  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html
> 
> If I point the client (curl, browser, perl + LWP) at the proxy directly
> on 3128, it works as expected.
> 
> I am firmly convinced that _transparent_ proxying with squid is 100%
> non-functional. The proxy works fine, but transparent proxying is
> demonstrably broken in anything later than 3.x.
> 


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
No, unfortunately nothing like this is in our lab for FreeBSD, but I have heard 
the default Squid package in pfSense runs transparently without issues (or 
with other issues than you have).

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: setuid [mailto:set...@gmail.com] 
Sent: Wednesday, February 7, 2018 10:45 PM
To: Rafael Akchurin <rafael.akchu...@diladele.com>; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy 
(NOT https)

On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
> in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Thanks for the quick reply. Do you have a version of these that is BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although I was using Linux 
as a means to validate that the functionality to do transparent proxying was 
broken (confirmed on both OSes).

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should be 
decoupled as they're not required to get this working (and are likely 
prohibited in many-to-most enterprises who would deploy a proxy in this 
fashion).




Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
Hello setuid,

If you do not mind looking at other tutorials - these are what we have in the 
test lab.

https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

The first one is for Squid running on the gateway and the second one for a 
separate Squid that intercepts traffic re-routed from the router using 
Policy-Based Routing.
The tutorials are working; I test them with every release of our ICAP web filter.

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of setuid
Sent: Wednesday, February 7, 2018 10:11 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT 
https)

I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf, ipf, 
ipfilter) does not work at all when configured as a transparent proxy. Full 
stop.

I went through hundreds of posts on dozens of forums, blogs and other 
resources, tried dozens and dozens of configurations suggested by those posts, 
tried all 3 firewall options on BSD, tried two versions of Ubuntu and the 
various versions of Squid from the apt repos, as well as those in BSD's ports.

All of them, 100%, fail in _exactly_ the same way, no matter what my 
configuration was set to. That result is that _every single http request I 
make_ when Squid is configured as a transparent proxy results in the following 
response being logged:

==
07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html ("-" "-")
==

When I point a client directly at the proxy, using a browser, curl or anything 
else, I see:

==
07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
==

These were the same exact request against the same exact Squid instance.
If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is 
_identical_ for every single http request I make, regardless of origin.

My Squid configuration is 100% default, identical to the generic config, with 
the exception of the following lines:

==
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
debug_options ALL,9
==

I've tried all of the obvious links, blogs and resources I could Google up, and 
100% of them fail to function as described. Most people I've seen on the forums 
who attempt to get this working, throw their hands up in defeat and end up 
configuring the proxy directly on every client that needs it.

My current environment looks like this:

[ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]

That router has a firewall script on it that says:

==
#!/bin/sh
PROXY_IP=192.168.2.25
PROXY_PORT=3128
LAN_IP=$(nvram get lan_ipaddr)
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT

iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
==

This takes every packet that hits the router on :80, and sends it to my Squid 
server on .25, which mangles it and sends it back to 192.168.1.1 (router), and 
onward back to client who requested it.

When I was using 2.6 (without large_file support), I was using this same exact 
configuration, but http_port was set to 'accel', and I didn't need _any_ 
NAT/routing rules on the squid side at all. It all "Just Worked(tm)".

Now I need to jump through hoops to do pf incantations of rdr/direct-to (but 
direct-to and direct-reply aren't supported on FreeBSD's pf, only OpenBSD's pf 
supports that syntax), and iptables PREROUTING and POSTROUTING mojo (also 
fails).

Here's a list of some of the resources I've tried, with 100% failure in every 
case. There are dozens more that I've lost in my browser history now.

* https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
* https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
* https://www.benzedrine.ch/transquid.html
* https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
* https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
* https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
* https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
* htt

[squid-users] Policy based routing and Squid transparent interception tutorial

2018-01-21 Thread Rafael Akchurin
Greetings all,

I have written a step by step tutorial on how to enable policy based routing of 
HTTP and HTTPS traffic with iptables on the router (default gateway) and Squid 
running on a separate box. It may be of interest for someone, hence posting it 
here.

If anything is not clear or plain wrong please say so.
See https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


Re: [squid-users] persistent connections not being utilized with Chrome

2018-01-15 Thread Rafael Akchurin
Hello Brian,

Sorry not to flame it all out further, but I see the same annoying "waiting 
for proxy tunnel" in Chrome through SSL bumping AD integrated explicit Squid.
*But* the same 200 tabs load just fine from FF and the same Squid on the 
same machine at the same time, so might it be a Chrome issue/architecture?

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Brian J. Murrell
Sent: Monday, January 15, 2018 4:41 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] persistent connections not being utilized with Chrome

On Fri, 2018-01-12 at 21:34 -0700, Alex Rousskov wrote:
> In that case, there are two HTTP
> connections
> in play:
> 
>   1. An HTTP connection from the client to the origin server.

By this do you mean to say there is a connection from the client, through the 
proxy server to the origin server?

>   2. An HTTP connection from the client to the proxy.
> 
> Both HTTP connections use the same TCP client connection/socket

Understood.  So I do believe you are ACKing my question above.

> No, the optimization is still there as far as client-origin traffic is 
> concerned.

Except that it is all bottle-necked through the same open-TCP-socket 
limitations that Chrome has to a single destination.  I think what I want to 
see is those limited number of TCP-sockets better utilized. 
But maybe that cannot happen without pipelining.

> Yes, probably something like that is happening.

So how do I ameliorate it?

> Perhaps they do? How many requests does Chrome send inside a CONNECT 
> tunnel through Squid, on average?

My short investigation using packet sniffing seems to indicate just one.

> If you bump CONNECT tunnels using
> SslBump, then you can use Squid to measure persistency. If you do not 
> bump, then you should still be able to use Chrome developer tools to 
> measure persistency.

Any clues about how do to do that?

> Origin server response delays rather than TCP handshakes may be your 
> primary bottleneck because Chrome probably does not pipeline and, 
> without pipelining, there can be at most one concurrent request per 
> HTTP connection.

I think Chrome disabled pipelining a while back:

https://stackoverflow.com/questions/30477476/why-is-pipelining-disabled-in-modern-browsers

> To improve throughput in your environment (without raising the number 
> of TCP connections that Chrome is allowed to open), you would need to 
> wait for HTTP/2 support. In HTTP/2, a single HTTP connection can carry 
> lots of concurrent transactions.

So are people without proxies suffering this same issue?  I don't think they 
are because their few hundred tabs will all be much more distributed to various 
servers and domains across the Internet allowing their Chrome to open many 
(many!) more parallel TCP connections and wait for them all to respond in 
parallel.

It's the concentration of all of those potential TCP connections through a 
single host -- the proxy server -- that is greatly reducing the parallelism of 
fetching lots of objects at the same time and dragging its wall-clock time out.

Perhaps there is no solution until HTTP/2.

I just find it surprising that every IT person that utilizes a proxy has to 
tell their users, "yeah, that's just how it is here in this network, very slow 
to start up your browser".  :-(

Cheers,
b.


[squid-users] [icap] Web Safety RC 6.0 ICAP web filter plugin for Squid proxy is now Release Candidate

2017-12-12 Thread Rafael Akchurin
Greetings all,

We would like to announce the next version of Web Safety ICAP web filter for 
Squid proxy (version 6.0.0.EF8F, built on December 12, 2017) as Release 
Candidate.

This version contains the following fixes and improvements:


* Added ability to block comments and related videos on YouTube.

* Admin UI updated from Django 1.8.17 to Django 1.11.7 (breaking change!)

* The backup/restore functionality was completely redesigned. It is now 
possible to directly import a configuration backup from an older version of the 
product into the UI.

* Added special community build of the product. This build is based on 
FOSS components and is completely free. Squid proxy, Admin UI to manage it, 
Traffic Monitor and ClamAV eCAP antivirus are included in the preconfigured 
virtual appliance based on Ubuntu 16 
http://packages.diladele.com/websafety/6.0.0.EF8F/va/ubuntu16/websafety.zip .

* Added support for haproxy's PROXY protocol; now it is possible to know 
the user's IP in cluster deployments. Policies can be applied by the IP 
address/range/subnet and not only by Active Directory authenticated user 
name/group.

* Kerberos REALM field is moved to UI/Squid/Auth/Kerberos. Now it is 
possible to use NTLM or LDAP authentication without configuring any Kerberos 
setting at all.

The version is available from 
https://www.diladele.com/download_next_version.html . It is recommended to use 
Ubuntu 16 and CentOS 7 based virtual appliances in production. Direct links to 
virtual appliances are:


* http://packages.diladele.com/websafety/6.0.0.EF8F/va/ubuntu16/websafety.zip

* http://packages.diladele.com/websafety/6.0.0.EF8F/va/centos7/websafety.zip

The final release is expected to take place at the end of January 2018. We are 
now slowly updating our docs site and all integration tutorials and continue 
acceptance tests on all platforms.

Please use this build in non-critical production deployments. Your 
questions/issues/bugs are welcome at 
supp...@diladele.com<mailto:supp...@diladele.com>. Next version will include 
Google Safe Browsing protection as URL rewriter. Join our community to get 
early access to next development builds (see 
https://www.diladele.com/community.html).

Thanks to all of you for making this possible!

Rafael Akchurin
Diladele B.V.


Re: [squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

2017-12-05 Thread Rafael Akchurin
May it be 
https://docs.diladele.com/faq/squid/chrome_ssl_filter/dns_does_not_exist.html ?

Best regards,
Rafael Akchurin

On 5 Dec 2017 at 20:34, erdosain9 <erdosa...@gmail.com> wrote:

Hi, and thanks.

But I don't get it, how is this possible if the bumping is working well? I
mean, all HTTPS is working with my certificate, except for those that I
block (from Chrome). But the bumping is working well in Chrome and Firefox.

This is the log from Chrome with port:

1512501177.181 33 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.182 35 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.186 40 192.168.1.121 TCP_MISS/200 815 POST https://www.google.com.ar/url? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501177.252 59 192.168.1.121 TCP_DENIED/200 0 CONNECT web.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501177.338 80 192.168.1.121 TCP_MISS/204 193 GET http://www.gstatic.com/generate_204 u...@mydomain.lan HIER_DIRECT/www.gstatic.com - 80


This is the log from Firefox with port:

1512501278.321 41 192.168.1.121 TCP_MISS/200 813 GET https://www.google.com.ar/url? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501278.684 185 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501278.875 3 192.168.1.121 TAG_NONE/403 6567 GET https://www.whatsapp.com/? u...@mydomain.lan HIER_NONE/- text/html 443
1512501278.916 35 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501279.160 877 192.168.1.121 TAG_NONE/200 0 CONNECT www.google.com.ar:443 u...@mydomain.lan HIER_DIRECT/www.google.com.ar - 443
1512501279.278 52 192.168.1.121 TCP_MISS/204 459 POST https://www.google.com.ar/gen_204? u...@mydomain.lan HIER_DIRECT/- text/html 443
1512501279.529 608 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501279.746 2 192.168.1.121 TAG_NONE/403 6569 GET http://squid.mydomain.lan:3128/squid-internal-static/icons/SN.png u...@mydomain.lan HIER_NONE/- text/html 3128
1512501279.832 75 192.168.1.121 TCP_DENIED/200 0 CONNECT www.whatsapp.com:443 u...@mydomain.lan HIER_NONE/- - 443
1512501279.838 0 192.168.1.121 TAG_NONE/403 6571 GET https://www.whatsapp.com/favicon.ico u...@mydomain.lan HIER_NONE/- text/html 443

"How do you compare the two certificates?"

I see the certificate and look at the details (both Firefox and Chrome).
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t376870/Captura_de_pantalla_de_2017-12-05_16-25-48.png>

It is the same CN: squid.mydomain.lan

And, again, this error only happens from Chrome when it is time to show a
"web from squid" (no route to host, error, access denied, etc.)

For example, if I see the certificate from Facebook (through squid HTTPS
bumping) I see my certificate... so why, when I block the web, does Chrome give
that problem?

Thanks again
(sorry, I don't speak English very well)





[squid-users] [icap] Web Safety 5.2 ICAP web filter plugin for Squid is now Release Candidate

2017-10-31 Thread Rafael Akchurin
Greetings all,

The version 5.2.0.210A of Web Safety ICAP web filter for Squid proxy is 
announced as Release Candidate.
It is now ready for broad deployment to production systems. The code is 
complete and anything new will only be added to the upcoming 5.3.

This version contains the following fixes and improvements:


* Added management sections for Squid cache (refresh patterns) and 
logging submodules to Admin UI. It is now very easy to enable a different log 
level for a separate Squid module to make troubleshooting simpler.

* New version of definition files database. Some categories were 
combined to make the usage more straightforward, several new categories added.

* Added support for "brotli" transfer encoding, greatly improving 
filtering on YouTube and other Google services.

* Improved correctness of traffic monitoring reports built over the 
Squid access logs.

* Added support for recently released pfSense 2.4. Also dropped support 
for FreeBSD 10 and added FreeBSD 11.

The version is available from 
https://www.diladele.com/download_next_version.html . It is recommended to use 
Ubuntu 16 and CentOS 7 based virtual appliances in production. Direct links to 
virtual appliances are:


* http://packages.diladele.com/websafety/5.2.0.210A/va/ubuntu16/websafety.zip

* http://packages.diladele.com/websafety/5.2.0.210A/va/centos7/websafety.zip

Final release is expected in two weeks (approximately 15 November 2017).

Next version 5.3 will contain the eCAP based ClamAV adapter antivirus from 
Measurement Factory, available from http://www.e-cap.org/downloads (except for 
FreeBSD 11), support for haproxy's PROXY protocol and proxy pseudo 
authentication based on IP to Active Directory mapping from the open source 
project Active Directory Inspector (see 
https://github.com/diladele/active-directory-inspector). Builds of 5.3 are for 
now in beta stage and thus freely available to the Early Adopters community 
(https://www.diladele.com/community.html).

Thanks to all of you for making this possible!

Best regards,
Rafael Akchurin
Diladele B.V.


Re: [squid-users] Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

2017-10-17 Thread Rafael Akchurin
Ok thanks again Amos.

The plan is then: 

- external acl helper gets the SRC and connects to REST server running on AD DC 
with IP <-> user mapping database
- replies with OK user=
- this name gets delivered to access log and ICAP/eCAP
- (optional) we are able to match the user to a security group and apply the 
designated filtering policy in our ICAP server.

The above seems to work in the test lab.

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Tuesday, October 17, 2017 3:54 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Pseudo proxy authentication (mapping of IP address 
to user name) in intercept mode.

On 17/10/17 22:39, Rafael Akchurin wrote:
> Hello everyone,
> 
> I would like to get your opinions on the subject.
> 
> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For 
> non-technical reasons, setup of explicit proxy settings and thus 
> enforcing proxy authentication on Squid is not possible.
> 
> *Solution*:
> 
> 1.Deploy some agent on domain controller that would periodically 
> enumerate workstation IPs and get currently logged on users by WMI or 
> something like this. This is fine and already working in our project 
> at https://github.com/diladele/active-directory-inspector
> 
> 2.Let Squid somehow use the remote running inspector to match the IP 
> address to user names (and expose the user name to ICAP eventually). 
> May be anyone knows the type of helper/acl/annotation that needs to be 
> in running/configured on the Squid box?
> 

That kind of authorization is the purpose of the session and LDAP external ACL 
helpers. Though AFAIK neither of them uses the AD interface (YMMV if the Perl 
DB module can use AD as an SQL-like database).

You might also be able to use the Basic auth LDAP helper from Squid-3.4+ as 
an external ACL helper. It will require some fiddling with the LDAP parameters 
and the ACL input format to make the external ACL input into the Basic-auth 
lookup.

Amos

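The helper side of the plan above (read the %SRC value from Squid, look it up, answer `OK user=...`), written here as an added example; it is not Diladele's Active Directory Inspector nor any Squid-shipped helper. The REST call to the inspector is replaced by a constructed in-memory table, and the `external_acl_type` line in the docstring is an assumed configuration.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map a client IP (%SRC) to a logged-on user.

Constructed example. The inspector's REST lookup is replaced by an in-memory
table so the helper runs offline. Assumed squid.conf wiring (not from the
thread):

    external_acl_type ip2user ttl=60 negative_ttl=10 children-max=5 \\
        concurrency=10 %SRC /usr/local/bin/ip2user.py
    acl known_user external ip2user
    http_access allow known_user
"""
import ipaddress
import sys
from typing import Optional

# Constructed IP -> user table standing in for the inspector's database.
IP_TO_USER = {
    "192.168.1.121": "jdoe",
    "192.168.1.122": "asmith",
}

# Constructed group membership, for the optional "match user to security
# group" step of the plan.
USER_TO_GROUPS = {
    "jdoe": ["Domain Users", "WebFilter-Strict"],
    "asmith": ["Domain Users"],
}


def lookup_user(src: str) -> Optional[str]:
    """Return the user logged on at src, or None when the IP is unknown."""
    return IP_TO_USER.get(src)


def handle_line(line: str) -> str:
    """Turn one request line from Squid into one reply line.

    With concurrency=N Squid prefixes each line with a numeric channel ID
    that must be echoed back unchanged; without it the line is just the
    %SRC value. Replies are 'OK user=<name>' (optionally with group=),
    'ERR' for an unknown client, or 'BH' when the helper cannot process
    the input at all.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"

    channel = ""
    if len(fields) >= 2 and fields[0].isdigit():
        channel, src = fields[0] + " ", fields[1]
    else:
        src = fields[0]

    # Only a literal IP address may reach the backend lookup; anything else
    # is a malformed request line, not a client to authorize.
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return channel + 'BH message="invalid %SRC"'

    user = lookup_user(src)
    if user is None:
        return channel + "ERR"

    reply = f"OK user={user}"
    groups = USER_TO_GROUPS.get(user)
    if groups:
        # Values containing spaces must be quoted in the kv reply format.
        reply += ' group="' + ",".join(groups) + '"'
    return channel + reply


def main() -> None:
    # One reply per request line; flush so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With `icap_send_client_username on` in squid.conf the resolved name is also passed to the ICAP service, which is the "delivered to ICAP" step of the plan.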

Re: [squid-users] Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

2017-10-17 Thread Rafael Akchurin
Hello Amos,

Thanks for your responses.

What I do not understand completely: if we have an intercept style of deployment, 
where browsers know nothing about the proxy, how will basic (or any other type of) 
authenticator work? I always thought browsers would discard proxy-auth 
responses just because they do not know a proxy is in between.

May it be that only session helper is applicable in this case?

Best regards,
Rafael

-Original Message-
> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For 
> non-technical reasons, setup of explicit proxy settings and thus 
> enforcing proxy authentication on Squid is not possible.
> 
> *Solution*:
> 
> 1.Deploy some agent on domain controller that would periodically 
> enumerate workstation IPs and get currently logged on users by WMI or 
> something like this. This is fine and already working in our project 
> at https://github.com/diladele/active-directory-inspector
> 
> 2.Let Squid somehow use the remote running inspector to match the IP 
> address to user names (and expose the user name to ICAP eventually). 
> May be anyone knows the type of helper/acl/annotation that needs to be 
> in running/configured on the Squid box?
> 

That kind of authorization is the purpose of the session and LDAP external ACL 
helpers. Though AFAIK neither of them uses the AD interface (YMMV if the Perl 
DB module can use AD as an SQL-like database).

You might also be able to use the Basic auth LDAP helper from Squid-3.4+ as 
an external ACL helper. It will require some fiddling with the LDAP parameters 
and the ACL input format to make the external ACL input into the Basic-auth 
lookup.
 


[squid-users] Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

2017-10-17 Thread Rafael Akchurin
Hello everyone,

I would like to get your opinions on the subject.

Problem: admin needs to manage squid acls (and icap web filter settings) using 
security groups from Active Directory. For non-technical reasons, setup of 
explicit proxy settings and thus enforcing proxy authentication on Squid is not 
possible.

Solution:


1.  Deploy some agent on domain controller that would periodically 
enumerate workstation IPs and get currently logged on users by WMI or something 
like this. This is fine and already working in our project at 
https://github.com/diladele/active-directory-inspector

2.  Let Squid somehow use the remote running inspector to match the IP 
address to user names (and expose the user name to ICAP eventually). May be 
anyone knows the type of helper/acl/annotation that needs to be in 
running/configured on the Squid box?

Thanks for anyone responding.

Best regards,
Rafael Akchurin
Diladele B.V.






Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-10-05 Thread Rafael Akchurin
Hello Eliezer,

From desktop FF/Chrome go to YouTube. It will be br encoded.

Best regards,
Rafael Akchurin

> On 6 Oct 2017 at 02:43, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> 
> Hey Yuri and Rafael,
> 
> I have tried to find a site which uses brotli compression but yet to find one.
> Also I have not seen any brotli request headers in firefox or chrome, maybe 
> there is a specific browser which uses it?
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Yuri
> Sent: Sunday, October 1, 2017 04:08
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] SSL Bump Failures with Google and Wikipedia
> 
> I guess in HTTP headers. =-O :-D
> 
> 
> On 01.10.2017 7:05, Eliezer Croitoru wrote:
>> Hey Rafael,
>> 
>> Where have you seen the details about brotli being used?
>> 
>> Thanks,
>> Eliezer
>> 
>> 
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: elie...@ngtech.co.il
>> 
>> 
>> 
>> -Original Message-
>> From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
>> Sent: Sunday, October 1, 2017 01:16
>> To: Jeffrey Merkey <jeffmer...@gmail.com>
>> Cc: Eliezer Croitoru <elie...@ngtech.co.il>; squid-users 
>> <squid-users@lists.squid-cache.org>
>> Subject: Re: [squid-users] SSL Bump Failures with Google and Wikipedia
>> 
>> Hello Jeff,
>> 
>> Do not forget Google and YouTube are now using brotli encoding 
>> extensively, not only gzip.
>> 
>> Best regards,
>> Rafael Akchurin
>> 
>>> On 30 Sep 2017 at 23:49, Jeffrey Merkey <jeffmer...@gmail.com> wrote:
>>>> On 9/30/17, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
>>>> Hey Jeffrey,
>>>> 
>>>> What happens when you disable the next icap service this way:
>>>> icap_service service_avi_resp respmod_precache 
>>>> icap://127.0.0.1:1344/cherokee bypass=0 adaptation_access 
>>>> service_avi_resp deny all
>>>> 
>>>> Is it still the same?
>>>> What I suspect is that the requests are defined to accept gzip 
>>>> compressed objects and the ICAP service is not gunzipping them, which 
>>>> results in what you see.
>>>> 
>>>> To make sure that Squid is not at fault here, try to disable both 
>>>> ICAP services and then add them one at a time and see which of this 
>>>> triangle is giving you trouble.
>>>> I enhanced an ICAP library which is written in GoLang at:
>>>> https://github.com/elico/icap
>>>> 
>>>> And I have a couple of examples on how to work with HTTP requests and 
>>>> responses
>>>> at:
>>>> https://github.com/andybalholm/redwood/
>>>> https://github.com/andybalholm/redwood/search?utf8=%E2%9C%93=gzip;
>>>> t
>>>> ype=
>>>> 
>>>> Let me know if you need help finding out the issue.
>>>> 
>>>> All The Bests,
>>>> Eliezer
>>>> 
>>>> 
>>>> Eliezer Croitoru
>>>> Linux System Administrator
>>>> Mobile: +972-5-28704261
>>>> Email: elie...@ngtech.co.il
>>>> 
>>>> 
>>>> 
>>>> -Original Message-
>>>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
>>>> On Behalf Of Jeffrey Merkey
>>>> Sent: Saturday, September 30, 2017 23:28
>>>> To: squid-users <squid-users@lists.squid-cache.org>
>>>> Subject: [squid-users] SSL Bump Failures with Google and Wikipedia
>>>> 
>>>> Hello All,
>>>> 
>>>> I have been working with the squid server and icap and I have been 
>>>> running into problems with content cached from google and wikipedia.
>>>> Some sites using https, such as Centos.org work perfectly with ssl 
>>>> bumping and I get the decrypted content as html and it's readable.
>>>> Other sites, such as google and wikipedia return what looks like 
>>>> encrypted traffic, or perhaps mime encoded data, I am not sure which.
>>>> 
>>>> Are there cases where squid will default to direct mode and not 
>>>> de

Re: [squid-users] SSL Bump Failures with Google and Wikipedia

2017-09-30 Thread Rafael Akchurin
Hello Jeff,

Do not forget Google and YouTube are now using brotli encoding extensively, not 
only gzip.

Best regards,
Rafael Akchurin

> On 30 Sep 2017 at 23:49, Jeffrey Merkey <jeffmer...@gmail.com> wrote:
> 
>> On 9/30/17, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
>> Hey Jeffrey,
>> 
>> What happens when you disable the next icap service this way:
>> icap_service service_avi_resp respmod_precache
>> icap://127.0.0.1:1344/cherokee bypass=0
>> adaptation_access service_avi_resp deny all
>> 
>> Is it still the same?
>> What I suspect is that the requests are defined to accept gzip compressed
>> objects and the ICAP service is not gunzipping them, which results in what you
>> see.
>> 
>> To make sure that Squid is not at fault here, try to disable both ICAP
>> services and then add them one at a time and see which of this triangle is
>> giving you trouble.
>> I enhanced an ICAP library which is written in GoLang at:
>> https://github.com/elico/icap
>> 
>> And I have a couple of examples on how to work with HTTP requests and responses
>> at:
>> https://github.com/andybalholm/redwood/
>> https://github.com/andybalholm/redwood/search?utf8=%E2%9C%93=gzip=
>> 
>> Let me know if you need help finding out the issue.
>> 
>> All The Bests,
>> Eliezer
>> 
>> 
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: elie...@ngtech.co.il
>> 
>> 
>> 
>> -Original Message-
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
>> Behalf Of Jeffrey Merkey
>> Sent: Saturday, September 30, 2017 23:28
>> To: squid-users <squid-users@lists.squid-cache.org>
>> Subject: [squid-users] SSL Bump Failures with Google and Wikipedia
>> 
>> Hello All,
>> 
>> I have been working with the squid server and icap and I have been
>> running into problems with content cached from google and wikipedia.
>> Some sites using https, such as Centos.org work perfectly with ssl
>> bumping and I get the decrypted content as html and it's readable.
>> Other sites, such as google and wikipedia return what looks like
>> encrypted traffic, or perhaps mime encoded data, I am not sure which.
>> 
>> Are there cases where squid will default to direct mode and not
>> decrypt the traffic?  I am using the latest squid server 3.5.27.  I
>> really would like to get this working with google and wikipedia.  I
>> reviewed the page source code from the browser viewer and it looks
>> nothing like the data I am getting via the icap server.
>> 
>> Any assistance would be greatly appreciated.
>> 
>> The config I am using is:
>> 
>> #
>> # Recommended minimum configuration:
>> #
>> 
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> 
>> acl localnet src 127.0.0.1
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7   # RFC 4193 local private network range
>> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
>> 
>> acl SSL_ports port 443
>> acl Safe_ports port 80  # http
>> acl Safe_ports port 21  # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70  # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> 
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>> 
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>> 
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> 
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a loca
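The decoding step Eliezer and Rafael describe in the two "SSL Bump Failures" messages above (a RESPMOD service receiving gzip- or brotli-encoded bodies from Google/YouTube/Wikipedia and seeing what looks like encrypted or MIME-encoded data), as an added example that is not part of the thread and is not Squid's or any ICAP server's own code. It works on constructed response headers and a constructed gzip body; the function names `content_encoding`, `decode_body` and `make_sample` are chosen here. It needs gzip(1); brotli(1) is optional, and its absence is the failure mode being illustrated:

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: decode an HTTP response
# body the way an ICAP RESPMOD service must before it can inspect bumped content.
# The headers and body below are constructed; no network access is needed.
# Requires gzip(1); brotli(1) is optional and its absence is the failure shown.

# content_encoding HDRFILE: print the lower-cased Content-Encoding value
# ("" if absent) from a file holding raw HTTP response headers.
content_encoding() {
    sed -n 's/^[Cc]ontent-[Ee]ncoding:[[:space:]]*//p' "$1" | tr -d '\r' \
        | tr 'A-Z' 'a-z' | head -n 1
}

# decode_body ENCODING INFILE OUTFILE: write the identity-encoded body to OUTFILE.
# Returns 0 on success, 2 when the encoding cannot be decoded on this host; that
# second case is what shows up as "garbage" HTML in an ICAP filter.
decode_body() {
    case "$1" in
        ""|identity) cat "$2" > "$3" ;;
        gzip|x-gzip) gzip -dc "$2" > "$3" ;;
        br)
            if command -v brotli >/dev/null 2>&1; then
                brotli -dc "$2" > "$3"
            else
                echo "decode_body: Content-Encoding br needs brotli(1), or strip Accept-Encoding in squid.conf" >&2
                return 2
            fi ;;
        *)  echo "decode_body: unsupported Content-Encoding '$1'" >&2; return 2 ;;
    esac
}

# make_sample DIR: constructed origin response, gzip-encoded as an origin would
# do for a client that advertised "Accept-Encoding: gzip".
make_sample() {
    printf '<html><body>hello from origin</body></html>' > "$1/plain.html"
    gzip -c "$1/plain.html" > "$1/body.gz"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n' \
        > "$1/hdrs.txt"
}

# Demonstration on the constructed sample.
dir=$(mktemp -d)
make_sample "$dir"
enc=$(content_encoding "$dir/hdrs.txt")
if decode_body "$enc" "$dir/body.gz" "$dir/out.html"; then
    echo "decoded ($enc): $(cat "$dir/out.html")"
fi
# Feeding the same bytes labelled "br" shows the failure mode from the thread.
if ! decode_body br "$dir/body.gz" "$dir/out2.html"; then
    echo "br body left as opaque bytes; an ICAP filter would see garbage, not HTML"
fi
rm -rf "$dir"
```

Squid hands the encapsulated response body to the ICAP service exactly as the origin sent it, so a RESPMOD filter has to read Content-Encoding and decode before it can match on HTML. The other practitioner option, simpler for the filter but costly in bandwidth, is to stop origins from compressing at all by dropping the client's Accept-Encoding in squid.conf (`request_header_access Accept-Encoding deny all`); every bumped body then arrives as identity and the br case above never occurs.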

[squid-users] Squid 3.5.27 for Microsoft Windows 64-bit is available

2017-09-19 Thread Rafael Akchurin
Greetings everyone,

Sorry for the huge delay; we would like to announce the availability of the 
Cygwin-based build of Squid proxy
for Microsoft Windows version 3.5.27 (amd64 only!).

* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27-RELEASENOTES.html .
* Ready to use MSI package can be downloaded from http://squid.diladele.com .
* List of open issues for the installer - 
https://github.com/diladele/squid-windows/issues

Thanks a lot to the Squid developers for making this great software!

Please join our humble efforts to provide a ready-to-run MSI installer for Squid 
on Microsoft Windows with all required dependencies at GitHub -
https://github.com/diladele/squid-windows . Report all issues/bugs/feature 
requests at the GitHub project.
Issues about the *MSI installer only* can also be reported to 
supp...@diladele.com<mailto:supp...@diladele.com> .

Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com



Cloud Guard URL re-writer for Squid proxy

We would also like to introduce our new research project - a cloud based URL 
rewriter for Squid proxy. In short it
is a URL rewriter that gets integrated with Squid. The rewriter calls into
guard.diladele.com/api/* to process URL rewrite requests.

For now it works on Windows only. We plan to add support for Linux (amd64, 
MIPS, ARM based),
FreeBSD and pfSense if there is enough interest for that. The project is in 
the beta stage now so
please use it as much as possible but on non-production systems. Please direct 
your issues
to supp...@diladele.com.

Signup/Login is available at https://guard.diladele.com/login/ . Please note, 
due to early stage
of the project it is only possible to sign up from DE, FR, NL and UK. If you'd 
like to be notified
of when the project is available in your country, please join our community 
forum
(https://groups.google.com/d/forum/web-safety) or MailChimp hosted news
letter (http://eepurl.com/vXDPH ).




Re: [squid-users] [squid for windows] article on how to enable sslbump

2017-09-13 Thread Rafael Akchurin
Hello Yuri,

We tried building it several times, but it was not clear why it failed, so we 
keep postponing :(

Best regards,
Rafael Akchurin


On 13 Sep 2017 at 18:07, Yuri <yvoi...@gmail.com> wrote:



On 13.09.2017 21:32, Rafael Akchurin wrote:

Greetings everyone,

For all those using Squid version for Microsoft Windows – here is the article 
explaining how to enable HTTPS decryption (sslbump) on Windows platforms.

Please see https://docs.diladele.com/faq/squid/sslbump_squid_windows.html

If you find any errors please tell us at supp...@diladele.com

--
Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com

P.S. Build of Squid 3.5.27 for Microsoft Windows is still on the way :( …

BTW, Raf. Why not build 4.0.21 already? It's 2017 now, 3.5.x is so ancient, even 
on Win64. :) I would like to see the cert downloader also on my laptop ;)





[squid-users] [squid for windows] article on how to enable sslbump

2017-09-13 Thread Rafael Akchurin
Greetings everyone,

For all those using Squid version for Microsoft Windows - here is the article 
explaining how to enable HTTPS decryption (sslbump) on Windows platforms.

Please see https://docs.diladele.com/faq/squid/sslbump_squid_windows.html

If you find any errors please tell us at supp...@diladele.com

--
Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com

P.S. Build of Squid 3.5.27 for Microsoft Windows is still on the way :( ...


Re: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

2017-09-07 Thread Rafael Akchurin
Hello LA, Yuri,

The server analysis at 
https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com=52.0.220.87 
shows the certificate chain presented by the remote server is indeed 
incomplete, specifically the following certificate is not presented:

---
Symantec Class 3 Secure Server CA - G4
Fingerprint SHA256: 
eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
RSA 2048 bits (e 65537) / SHA256withRSA
---

Adding it to the intermediate certificate file as indicated on 
https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended
 and reloading Squid 3.5.23 lets the site be seen and bumped successfully.

Our UI generates exactly the same config setting as you have tried:
sslproxy_foreign_intermediate_certs 
/opt/websafety/etc/squid/foreign_intermediate_certs.pem

So it must be working :)

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of L A Walsh
Sent: Thursday, September 7, 2017 11:15 PM
To: squid-us...@squid-cache.org
Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on 
what I'm doing wrong?

Got an error message from squid where I'm doing https-bumping:

--
The following error was encountered while trying to retrieve the URL: 
https://help.ea.com/

*Failed to establish a secure connection to 52.0.220.87*

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the remote 
host does not support secure connections, or the proxy is not satisfied with 
the host security credentials.



Googling found:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Used openssl.com to get the intermediate certs (2 hosts are referenced in 
parallel chains).  The two certs looked like:

-BEGIN CERTIFICATE-
...hexstuff==
-END CERTIFICATE-


Added the certs to a file and that filename to my squid.conf on a line:

sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem

restarted squid, but am still getting same error.

Am I missing some obvious step?

Looking for a clue... ;-)

Thanks!
-l








[squid-users] [icap] Web Safety 5.1 ICAP web filter plugin for Squid is Ready

2017-09-04 Thread Rafael Akchurin
Greetings everyone,

New version of Web Safety (ICAP web filter plugin for Squid 3.5) is ready for 
production. Build number 5.1.0.493A generated on August 9, 2017.

* This version contains the ability to bypass the blocked page (using a bypass 
token). Upon being presented with a blocked page user can click on "Proceed 
Anyway" button and the blocked domain is then added to a temporary white-list. 
Bypass time and policies to allow bypassing can be customized by the 
administrator.

* We have changed a lot in the Admin UI internally, splitting the monstrous 
Django code files into small and manageable classes. In future this will allow 
us to provide a free Admin UI for all Squid users, easily detachable from the 
commercial Web Safety plugin.

Application is packed as virtual appliance to be run in VMWare ESXi (vSphere) 
or Microsoft Hyper-V and is available from 
https://www.diladele.com/virtual_appliance.html. Installation scripts for real 
hardware are hosted on our GitHub repository at 
https://github.com/diladele/websafety-virtual-appliance.

Please direct all support questions to supp...@diladele.com or submit through 
GitHub issue tracker (https://github.com/diladele/websafety-issues/milestones). 
In the next version we are planning to add antivirus engine ClamAV (and 
possibly another commercial antivirus) as another ICAP service chain to Admin 
UI.

Best regards,
Rafael Akchurin
Diladele B.V. 
https://www.diladele.com 

--
P.S. Squid 3.5.27 for Windows is on the way.


[squid-users] shall squid be stopped in order to run "squid -z"

2017-08-05 Thread Rafael Akchurin
Hello all,

Sorry, my google fu failed today. I could not find the answer to the subject.
The thing is we are building the UI for Squid within our ICAP project and now 
need to let the admin "re-initialize" the cache_dir.

Shall the squid daemon be stopped while doing this?
Or ideally, is it possible to pass the *new* directory path to "squid -z" and 
then make a change in the conf followed by "squid -k reconfigure" and erasing 
the old dir later (how later?).


Thanks to all who reply.
Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com



Re: [squid-users] Squid as gateway

2017-07-11 Thread Rafael Akchurin
Maybe this will be of some help - 
https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of erdosain9
Sent: Tuesday, July 11, 2017 5:41 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid as gateway

OK Yuri, I'm re-re-re-reading... :-)

And tried other configs, like this
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

and nothing, I don't get where I fail.

Squid is configured in interception mode.

cache.log

2017/07/11 14:15:43 kid1| Accepting HTTP Socket connections at
local=[::]:3128 remote=[::] FD 14 flags=9
2017/07/11 14:15:43 kid1| Accepting NAT intercepted HTTP Socket connections at 
local=[::]:3129 remote=[::] FD 15 flags=41

So, yes, yes, I keep reading. 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683058.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid and active directory

2017-07-01 Thread Rafael Akchurin
And this as an alternative:
https://docs.diladele.com/administrator_guide_5_1/active_directory/index.html

Raf

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri
Sent: Saturday, July 1, 2017 11:28 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid and active directory


http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group.html

http://lists.squid-cache.org/pipermail/squid-users/2015-October/007445.html

http://www.squid-cache.org/mail-archive/squid-users/200210/0725.html

http://www.squid-cache.org/mail-archive/squid-users/200309/0053.html

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

This, heh?

On 02.07.2017 2:58, Eng Hooda wrote:
Hello Every Body,
I am trying to get squid3 (latest in the Debian 8 repositories) to authenticate 
clients using Active Directory.

I used the tutorial recommended for Debian:
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid

and after a lot of tweaks to several steps the machine joined the domain and now 
what remains is configuring Squid.

I installed negotiate_wrapper as described.

But the file required:

/usr/lib/squid3/squid_ldap_group

is not present in the path specified.

I searched a lot for an updated tutorial without luck.

Any ideas ?

Thanks and BR.

Eng Hooda

 End of forwarded message 






[squid-users] Squid 3.5.26 for Microsoft Windows 64-bit is available

2017-06-26 Thread Rafael Akchurin
Greetings everyone,

The Cygwin-based build of Squid proxy for Microsoft Windows version 3.5.26 is 
now available (amd64 only!).

* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.26-RELEASENOTES.html .
* Ready to use MSI package can be downloaded from http://squid.diladele.com .
* List of open issues for the installer - 
https://github.com/diladele/squid-windows/issues

Thanks a lot to the Squid developers for making this great software!

Please join our humble efforts to provide a ready-to-run MSI installer for Squid 
on Microsoft Windows with all required dependencies at GitHub -
https://github.com/diladele/squid-windows . Report all issues/bugs/feature 
requests at the GitHub project.
Issues about the *MSI installer only* can also be reported to 
supp...@diladele.com<mailto:supp...@diladele.com> .

Best regards,
Rafael Akchurin
Diladele B.V.
https://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy.
The upcoming version 5.1 with "Bypass Blocked Page" functionality is available 
from https://www.diladele.com/download_next_version.html





Re: [squid-users] squid sslbump and certificates

2017-05-29 Thread Rafael Akchurin
Hello Vieri,

This article tries to explain why it happens.
https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#ssl-certificate-test-tool-in-web-safety-5

To fix it - better use what Yuri recommended in 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Raf

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Vieri
Sent: Monday, May 29, 2017 2:36 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid sslbump and certificates

Hi,

When a client browser gets the Squid error page as shown below, what does it 
mean?
Does it mean that Squid doesn't trust the CA mentioned below?
If I wanted to allow the connection anyway, what options would I have?


The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/O=GeoTrust, 
Inc./OU=Domain Validated SSL/CN=Secure Site Starter DV SSL CA - G2


Thanks,

Vieri


Re: [squid-users] Squid custom error page

2017-05-17 Thread Rafael Akchurin
Please note that if you first let the CONNECT tunnel succeed (forcing bump) and 
then block the next request coming through that tunnel, you will get the 
blocked message displayed.

We do it in ICAP 
(https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html) - 
other community members may know better if it is possible to do that in Squid 
directly.

Beware of those using your tunnels to pump non-HTTP traffic though. Blocking 
the CONNECT as it is done now in Squid keeps you on the safe side.

Best regards,
Rafael Akchurin

On 17 May 2017 at 4:04 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

On 17/05/17 23:32, chcs wrote:
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page, instead of the Squid custom error page, when connecting to an HTTPS
site which is blocked by the proxy server.
For example we try to connect to https://www.something.com via a Squid proxy
server which denies this connect with a 403 error and sends a custom error page
with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (actual version squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR using a CA
self-signed issuer, all works fine.

Expected Results:
Display proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display any 
response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this browser 
behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 
511 status code with deny_info and hope that it chooses to display something 
halfway useful.

Amos

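The two approaches discussed above (Amos: keep denying the CONNECT but answer with a 511 via deny_info; Rafael: let the CONNECT through, bump it, then block the request inside the tunnel), as an added squid.conf fragment that is not from the thread, from pfSense or from Squid's own documentation. It assumes the stock Safe_ports/SSL_ports rules and a `localnet` acl are already present, and uses `.something.com` from the report as the blocked domain:

```conf
# Added example: make a blocked HTTPS site show Squid's own error page.
acl blocked_sites dstdomain .something.com
acl step1 at_step SslBump1

# Option A (Amos): keep denying the CONNECT, but deliver the error with status
# 511 instead of 403; some browsers will then render the body. Use these two
# lines instead of option B below.
#deny_info 511:ERR_ACCESS_DENIED blocked_sites
#http_access deny CONNECT blocked_sites

# Option B (Rafael): accept the CONNECT, bump it, and deny the decrypted
# request that follows inside the tunnel. That request is an ordinary GET/POST
# as far as http_access is concerned, so the browser receives a normal 403
# error page and displays it.
http_access allow CONNECT localnet
ssl_bump peek step1
ssl_bump bump all
http_access deny blocked_sites !CONNECT
http_access allow localnet
http_access deny all
```

With option B every CONNECT from localnet is accepted before anything is inspected, which is the caveat Rafael raises: whatever is spliced rather than bumped gets a tunnel that Squid never looks inside. Keep the stock `http_access deny CONNECT !SSL_ports` line ahead of these rules so such tunnels can at least only reach TLS ports.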


Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Rafael Akchurin
And on 3.5 too?

-Original Message-
From: Yuri [mailto:yvoi...@gmail.com] 
Sent: Wednesday, May 3, 2017 12:30 PM
To: Rafael Akchurin <rafael.akchu...@diladele.com>; Flashdown 
<flashd...@data-core.org>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58

Mountain brake, Raf :-)

Fixed yesterday, already running on productions (on my side) ;-)


On 03.05.2017 15:05, Rafael Akchurin wrote:
> Sorry, disregard - should practice my google fu better - see 
> http://bugs.squid-cache.org/show_bug.cgi?id=4711
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
> On Behalf Of Rafael Akchurin
> Sent: Wednesday, May 3, 2017 10:48 AM
> To: Flashdown <flashd...@data-core.org>; Yuri Voinov 
> <yvoi...@gmail.com>
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] ssl bump and chrome 58
>
> Hello all,
>
> The following steps give in Chrome 58 the "Your connection is not private" 
> error with "NET::ERR_CERT_COMMON_NAME_INVALID" and "missing_subjectAltName" 
> error:
>
> (peek-an-splice bumping squid 3.5.23_1 as in 
> https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html)
>
> 1. Open Chrome 58+
> 2. Type some non existing domain name like "https://www.asdlajsdfl.com" (note 
> the httpS:// schema)
> 3. See the missing_subjectAltName error.
>
> Correct behavior would be Squid generating faked certificate for the domain 
> name "www.asdlajsdfl.com" *with* subjectAltName extension set to 
> "www.asdlajsdfl.com".
>
> So question is - does anyone know if this is already existing bug or shall I 
> file one?
> May be it is a feature?
>
> Best regards,
> Rafael
>
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
> On Behalf Of Flashdown
> Sent: Thursday, April 27, 2017 6:42 PM
> To: Yuri Voinov <yvoi...@gmail.com>
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] ssl bump and chrome 58
>
> I've tested the registry setting and it worked out. You can copy the below 
> lines in a .reg file and execute it.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
> "EnableCommonNameFallbackForLocalAnchors"=dword:0001
>
>
> Best regards,
> Flashdown
>
> Am 2017-04-27 18:34, schrieb Flashdown:
>> Hello together,
>>
>> here is a workaround that you could use in the meanwhile.
>>
>> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>
>> Source:
>> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>>>>>> BEGIN
>> EnableCommonNameFallbackForLocalAnchors
>> Whether to allow certificates issued by local trust anchors that are 
>> missing the subjectAlternativeName extension
>>
>> Data type:
>>  Boolean [Windows:REG_DWORD]
>> Windows registry location:
>>
>> Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors
>> Mac/Linux preference name:
>>  EnableCommonNameFallbackForLocalAnchors
>> Android restriction name:
>>  EnableCommonNameFallbackForLocalAnchors
>> Supported on:
>>
>>  Google Chrome (Linux, Mac, Windows) since version 58 until 
>> version 65
>>  Google Chrome OS (Google Chrome OS) since version 58 until 
>> version 65
>>  Google Chrome (Android) since version 58 until version 65
>>
>> Supported features:
>>  Dynamic Policy Refresh: Yes, Per Profile: No
>> Description:
>>
>>  When this setting is enabled, Google Chrome will use the 
>> commonName of a server certificate to match a hostname if the 
>> certificate is missing a subjectAlternativeName extension, as long as 
>> it successfully validates and chains to a locally-installed CA 
>> certificates.
>>
>>  Note that this is not recommended, as this may allow bypassing 
>> the nameConstraints extension that restricts the hostnames that a 
>> given certificate can be authorized for.
>>
>>  If this policy is not set, or is set to false, server 
>> certificates that lack a subjectAlternativeName extension containing 
>> either a DNS name or IP address will not be trusted.
>> Example value:
>>  0x (Wi

Re: [squid-users] ssl bump and chrome 58

2017-05-03 Thread Rafael Akchurin
Sorry, disregard - should practice my google fu better - see 
http://bugs.squid-cache.org/show_bug.cgi?id=4711

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Rafael Akchurin
Sent: Wednesday, May 3, 2017 10:48 AM
To: Flashdown <flashd...@data-core.org>; Yuri Voinov <yvoi...@gmail.com>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58

Hello all,

The following steps give in Chrome 58 the "Your connection is not private" 
error with "NET::ERR_CERT_COMMON_NAME_INVALID" and "missing_subjectAltName" 
error:

(peek-an-splice bumping squid 3.5.23_1 as in 
https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html)

1. Open Chrome 58+
2. Type some non existing domain name like "https://www.asdlajsdfl.com" (note 
the httpS:// schema)
3. See the missing_subjectAltName error.

Correct behavior would be Squid generating faked certificate for the domain 
name "www.asdlajsdfl.com" *with* subjectAltName extension set to 
"www.asdlajsdfl.com".

So question is - does anyone know if this is already existing bug or shall I 
file one?
May be it is a feature?

Best regards,
Rafael


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Flashdown
Sent: Thursday, April 27, 2017 6:42 PM
To: Yuri Voinov <yvoi...@gmail.com>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58

I've tested the registry setting and it worked out. You can copy the lines 
below into a .reg file and run it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"EnableCommonNameFallbackForLocalAnchors"=dword:0001


Best regards,
Flashdown

Am 2017-04-27 18:34, schrieb Flashdown:
> Hello together,
>
> here is a workaround that you could use in the meanwhile.
>
> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>
> Source:
> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>>>>> BEGIN
> EnableCommonNameFallbackForLocalAnchors
> Whether to allow certificates issued by local trust anchors that are 
> missing the subjectAlternativeName extension
>
> Data type:
> Boolean [Windows:REG_DWORD]
> Windows registry location:
>
> Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors
> Mac/Linux preference name:
> EnableCommonNameFallbackForLocalAnchors
> Android restriction name:
> EnableCommonNameFallbackForLocalAnchors
> Supported on:
>
> Google Chrome (Linux, Mac, Windows) since version 58 until 
> version 65
> Google Chrome OS (Google Chrome OS) since version 58 until 
> version 65
> Google Chrome (Android) since version 58 until version 65
>
> Supported features:
> Dynamic Policy Refresh: Yes, Per Profile: No
> Description:
>
> When this setting is enabled, Google Chrome will use the 
> commonName of a server certificate to match a hostname if the 
> certificate is missing a subjectAlternativeName extension, as long as 
> it successfully validates and chains to a locally-installed CA 
> certificate.
>
> Note that this is not recommended, as this may allow bypassing the 
> nameConstraints extension that restricts the hostnames that a given 
> certificate can be authorized for.
>
> If this policy is not set, or is set to false, server certificates 
> that lack a subjectAlternativeName extension containing either a DNS 
> name or IP address will not be trusted.
> Example value:
> 0x (Windows), false (Linux), false (Android), 
> (Mac)
> <<<<<<<<<<<< END
>
>
>
> Am 2017-04-27 18:16, schrieb Flashdown:
>> Hello together,
>>
>> Suddenly I am facing the same issue when users' Chrome has been 
>> updated to V58. I am running Squid 3.5.23.
>>
>> This is the reason:
>> https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>> Short: Common Name support was removed in Chrome 58 and Squid does not 
>> create certs with DNS alternative names in them. Because of that it 
>> fails.
>>
>> Chrome says:
>> 1. Subject Alternative Name Missing - The certificate for this site 
>> does not contain a Subject Alternative Name extension containing a 
>> domain name or IP address.
>> 2. Certificate Error - There are issues with the site's certificate 
>> chain (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Can 
