Re: [squid-users] FTP proxy
Hi Andrea,

> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

We are using the squid ftp_port feature for some customers. So far, we have not experienced any issues. The only downside to using frox (from which we also have migrated) is the missing feature of setting an upstream proxy (proxy-chaining FTP).

> Is there a way to restrict the port range of the additional connections
> (e.g. to 4-5)?

As Alex mentioned, squid forces passive FTP, which is better for firewalled environments anyway. You should activate automatic FTP detection on your firewall (hint: FTP helper for iptables) - this way you don't need to add any extra rules besides the FTP data connection port.

Kind regards,

Jascha Sticher
Fujitsu

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid as reverse proxy for two or more webs
Hi,

> acl ticket_acl dstdomain .MYDOMAIN.lan

This matches *.mydomain.lan - php.mydomain.lan as well as ticket.mydomain.lan. As the configuration is used top-to-bottom, the first of the cache_peers will be used (as only one parent is used). Use more specific ACLs to mitigate this:

acl ticket_acl dstdomain ticket.MYDOMAIN.lan
acl php_acl dstdomain php.MYDOMAIN.lan

Kind regards,

Jascha

-----Original Message-----
From: squid-users On Behalf Of erdosain9
Sent: Friday, 10 August 2018 15:15
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid as reverse proxy for two or more webs

Hi to all.

I was reading several tutorials and I can not find what I'm doing wrong. I want to use squid to redirect to these two sites that are both within my domain. In my internal DNS I have declared both servers, with their corresponding IPs, also squid.

reverse.mydomain.lan 192.168.1.21 (SQUID)
php.mydomain.lan 192.168.1.223
ticket.mydomain.lan 192.168.1.246

In addition to the internal DNS, I have /etc/hosts configured with these values:

[root@squidReverse ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.21 reverse.mydomain.lan
192.168.1.246 ticket.mydomain.lan
192.168.1.223 php.mydomain.lan

This is the configuration of the squid referring to the reverse proxy:

http_port 192.168.1.21:80 accel vhost
cache_peer 192.168.1.246 parent 80 0 proxy-only name=ticket
cache_peer 192.168.1.223 parent 80 0 proxy-only name=php
acl ticket_acl dstdomain .MYDOMAIN.lan
http_access allow ticket_acl
cache_peer_access ticket allow ticket_acl
acl php_acl dstdomain .MYDOMAIN.lan
http_access allow php_acl
cache_peer_access php allow php_acl

With this config, when I go to reverse.mydomain.lan (from a web browser) I get the ticket web, but how can I go to the second web?? The php web?? I don't get it.
If I go to ticket.reverse.mydomain.lan I get nothing, it does not even come to squid, neither with php.reverse.mydomain.lan

Thanks to all.
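The routing problem in this post, as an added example that is not part of the thread or of Squid: a small Python model of Squid's dstdomain ACL matching and of the top-to-bottom evaluation of cache_peer_access lines. It assumes the simplified rule that a leading-dot pattern matches the domain and its subdomains while a plain pattern matches the exact host, and it ignores http_access and the reverse lookup Squid does for IP-literal requests.

```python
# Added example (not from the squid-users post or from Squid itself): a small
# model of Squid's dstdomain ACL matching and of the top-to-bottom evaluation of
# cache_peer_access lines. It shows why the posted config sends every host to the
# "ticket" peer and how host-specific ACLs separate the two backends.
from dataclasses import dataclass


@dataclass
class DstDomainAcl:
    name: str
    patterns: list  # ".example.lan" = domain and subdomains; "host.example.lan" = exact host

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for pattern in self.patterns:
            pattern = pattern.lower()
            if pattern.startswith("."):
                # Leading dot: the bare domain itself or any subdomain of it.
                if host == pattern[1:] or host.endswith(pattern):
                    return True
            elif host == pattern:
                return True
        return False


@dataclass
class PeerRule:
    peer: str          # the cache_peer name=... value
    acl: DstDomainAcl  # cache_peer_access <peer> allow <acl>


def select_peer(rules, host):
    """First peer whose cache_peer_access rule allows the host, or None.
    Squid evaluates these lines top to bottom and uses one parent per request."""
    for rule in rules:
        if rule.acl.matches(host):
            return rule.peer
    return None


def original_config():
    # Both ACLs are the same wildcard, so the first listed peer always wins.
    return [
        PeerRule("ticket", DstDomainAcl("ticket_acl", [".MYDOMAIN.lan"])),
        PeerRule("php", DstDomainAcl("php_acl", [".MYDOMAIN.lan"])),
    ]


def fixed_config():
    # Host-specific ACLs, as suggested in the reply above.
    return [
        PeerRule("ticket", DstDomainAcl("ticket_acl", ["ticket.MYDOMAIN.lan"])),
        PeerRule("php", DstDomainAcl("php_acl", ["php.MYDOMAIN.lan"])),
    ]


HOSTS = ["ticket.mydomain.lan", "php.mydomain.lan", "reverse.mydomain.lan"]


def route_table(rules, hosts=HOSTS):
    """Map each requested Host header to the peer Squid would pick."""
    return {host: select_peer(rules, host) for host in hosts}


if __name__ == "__main__":
    for label, rules in (("original", original_config()), ("fixed", fixed_config())):
        print(label, route_table(rules))
```

With the host-specific ACLs a request for reverse.mydomain.lan matches neither peer, so clients have to use the backend names (ticket.mydomain.lan, php.mydomain.lan) rather than the proxy's own name.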
Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay
Hi,

most times we encountered this error message it had something to do with IPv4 DNS queries being answered too slowly or not at all (as in: only -records in the reply). If this is occurring with some sites only, that could be the case. You could verify this by sniffing your DNS queries from the squid.

We solved >99% of these errors with the following two lines - a couple of sites needed entries in /etc/hosts, because their nameservers were broken.

> dns_timeout 10 seconds
> forward_max_tries 25

Kind regards,

Jascha Sticher

-----Original Message-----
From: squid-users On Behalf Of Ahmad, Sarfaraz
Sent: Tuesday, 7 August 2018 16:15
To: Amos Jeffries; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

I cannot reproduce this. This is intermittent. In Chrome's dev tools, it appeared to take over 20 secs to set up the TCP connection. I am SSL bumping all TLS connections unless they match certain ACLs. So it is safe to assume that the vast majority of the traffic was bumped. I don't see any TLS handshake failure messages in cache.log. I think the access.log messages I posted earlier are fake CONNECT requests created using TCP-level info (the response time logged there is directly proportionate to what I see in Chrome's dev tools). Guessing that Squid would send TCP SYN-ACK only after it receives SYN-ACK from remote/origin server. I don't think ICAP (reqmod) would come into the picture yet either (assuming that even the TCP connections have not been set up yet) so that is safe to rule out. Am I right here?

Also restarting squid service fixed this. I had a python script running in the background that was able to GET a webpage using requests module (timeout set to 30) but Squid apparently couldn't even set up a TCP connection.

- Sarfaraz

-----Original Message-----
From: squid-users On Behalf Of Amos Jeffries
Sent: Tuesday, August 7, 2018 6:04 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

On 07/08/18 21:55, Ahmad, Sarfaraz wrote:
> Hi,
>
> I am using WCCPv2 for redirecting traffic to Squid.

Squid version?

> Intermittently I see these messages in access.log and the internet for
> clients goes away.
>
> 1533612202.312 79102 NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 - HIER_NONE/- -
> 1533612202.312 82632 NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - HIER_NONE/- -
> 1533612202.312 16030 NONE_ABORTED/000 0 CONNECT 172.217.15.67:443 - HIER_NONE/- -
> 1533612202.312 78477 NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - HIER_NONE/- -
>
> But I can access internet on the host running squid itself just fine
> yet Squid reports those messages with high response times (the second column).
> ...
> We use an ICAP service. Could that play a role here ?

A lot of things *might* play a role there.

> Any thoughts ?

Trace the traffic. What did the client actually send to Squid? It's probably not a port-80 style CONNECT request. What does Squid send back to the client? Does Squid complete the TLS handshake? What are your SSL-Bump settings?

Amos
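The triage step Jascha suggests (check DNS for the destinations that show up as slow NONE_ABORTED/000 entries), as an added example that is not part of the thread or of Squid: a Python script that parses Squid native-format access.log lines and groups the slow, hierarchy-less aborts per destination. The sample lines are constructed from the four CONNECT entries posted above, with made-up client addresses (10.0.0.x) filled in where the post omits them; the 10-second threshold is an arbitrary default.

```python
# Added example, not from the thread: a triage script for the NONE_ABORTED/000
# pattern discussed above. It parses Squid native-format access.log lines and
# groups the slow, hierarchy-less aborts per destination, so that DNS resolution
# for those destinations can be checked first (as the reply suggests).
import re
from collections import defaultdict

# Native format: time elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: the four aborted CONNECTs from the thread with made-up
# client addresses (10.0.0.x) filled in, plus one healthy tunnel and one fast abort.
SAMPLE_LOG = """\
1533612202.312  79102 10.0.0.5 NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 - HIER_NONE/- -
1533612202.312  82632 10.0.0.6 NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - HIER_NONE/- -
1533612202.312  16030 10.0.0.5 NONE_ABORTED/000 0 CONNECT 172.217.15.67:443 - HIER_NONE/- -
1533612202.312  78477 10.0.0.7 NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - HIER_NONE/- -
1533612210.001    245 10.0.0.5 TCP_TUNNEL/200 1974 CONNECT www.google.com:443 - HIER_DIRECT/172.217.15.67 -
1533612211.500    120 10.0.0.5 NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 - HIER_NONE/- -
""".splitlines()


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])  # milliseconds spent on the request
    rec["status"] = int(rec["status"])    # "000" -> 0: no HTTP status was ever produced
    return rec


def slow_aborts(lines, min_elapsed_ms=10000):
    """Group NONE_ABORTED/000 entries with no hierarchy decision (HIER_NONE) that
    took at least min_elapsed_ms, keyed by destination host:port."""
    per_dest = defaultdict(lambda: {"count": 0, "max_elapsed_ms": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] != "NONE_ABORTED" or rec["status"] != 0 or rec["hier"] != "HIER_NONE":
            continue
        if rec["elapsed"] < min_elapsed_ms:
            continue  # quick client-side aborts are not the slow-resolution symptom
        entry = per_dest[rec["url"]]
        entry["count"] += 1
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed"])
    return dict(per_dest)


if __name__ == "__main__":
    ranked = sorted(slow_aborts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for dest, stats in ranked:
        print(f"{dest:24s} aborts={stats['count']} max_elapsed={stats['max_elapsed_ms']} ms")
```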
Re: [squid-users] how debug google status codes in log file
Hi Ahmad,

every HTTPS connection is TUNNELED through squid, as long as you do not intercept SSL traffic (SSLbump). You can only get either a 200 return code or error codes connected to failure of the connection, e.g. proxy authentication required, deny (by proxy) or network/DNS issues. You will not see any return codes the likes of 301 (redirect), server authentication or 404 (not found). That's pretty much the point of a tunnel.

Kind regards,

Jascha

-----Original Message-----
From: squid-users On Behalf Of --Ahmad--
Sent: Tuesday, 19 June 2018 07:25
To: Squid Users
Subject: Re: [squid-users] how debug google status codes in log file

Also how about if the tcp was tcp_tunnel like below:

17/Jun/2018:08:18:09 -0400559 6xxx33833 x 2000 TCP_TUNNEL/200 1974 CONNECT www.google.com:443 xxxHIER_DIRECT/ www.google.com 2607:f8b0:4005:809::2004 c9f0:dfde:2da5:c4c0:7148:3646

All my logs from google are TCP_TUNNEL/200 for all types of message. Any way to differentiate the http status code? I'm hitting google https.

Let me know, thanks

> On 19 Jun 2018, at 8:12 AM, --Ahmad-- wrote:
>
> hello folks
> how debug google status codes in log file ?
>
> in wiki i see we have :
>
> 1529368601.307 60038 184.154.133.146 TAG_NONE/503 0 CONNECT www.google.com.et:443 fifoxy HIER_NONE/- -
>
> the question is how can i see the http status code of connection in proxy ?
>
> regards
Re: [squid-users] How to configure a "proxy home" page ?
Hi everyone,

I know this is quite off-topic, but I wanted to clarify a bit.

SSH and TLS both provide the same thing, namely a tunnel between a client and a server. While both use asymmetric crypto for authentication and symmetric crypto for data transfer and therefore the same algorithms (that's why openssh requires openssl/gnutls as crypto library), they are independent protocols. SSH uses its own key format, which does not know such a thing as a CA - each server generates its own server key pair (or at least it should).[1,2]

As to SSH-MiTM, this is indeed possible, in two cases:

a) The server key is unknown to the client and not verified correctly (by the user!). Then a fake server can decrypt SSH and intercept everything.
b) The client validates server certificates incorrectly or is told to ignore changes in the server key (e.g. "-o StrictHostKeyChecking=no" with openssh).

There are some SSH-MITM solutions available on the internet.[3]

To conclude, if crypto is involved _every_ part of the conversation needs to do it _right_. Including the user.

Kind regards,

Jascha

[1] https://security.stackexchange.com/questions/1599/what-is-the-difference-between-ssl-vs-ssh-which-is-more-secure
[2] https://wiki.hetzner.de/index.php/Ed25519 - hetzner shipped the same elliptic-curve host key on each host for a time
[3] e.g. https://github.com/mitmproxy/mitmproxy

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri
Sent: Monday, 26 March 2018 03:13
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How to configure a "proxy home" page ?

26.03.2018 07:08, Amos Jeffries writes:
On 26/03/18 13:44, Yuri wrote:
26.03.2018 06:41, Yuri writes:
26.03.2018 06:30, Amos Jeffries writes:
On 26/03/18 12:34, Yuri wrote:
26.03.2018 05:23, Amos Jeffries writes:
On 26/03/18 12:07, Yuri wrote:
26.03.2018 05:05, Amos Jeffries writes:
On 26/03/18 11:05, Yuri wrote:
On 26/03/18 12:34, Yuri wrote:
> 26.03.2018 05:23, Amos Jeffries writes:

This is what I mean by "TLS used properly" - proper is when it always circles back to the user deciding who they trust. No matter how indirectly, the user installs a (root) CA causing trust or allowed someone else to do so.

Generally speaking, yes. I just mean that in some other protocols you have no possibility to make MiTM by any way, whenever installing something or not. This prevents any improper or malicious use of the protocol. TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise SSH by installing any key/certs to the client. Correct? This is by design?

No. SSH is just TCP/telnet over TLS. So if the SSH software were to trust the cert/key Squid delivers one could use SSL-Bump on that SSH traffic.

You sure?
https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
Quote: "SSH has its own transport protocol independent from SSL, so that means SSH DOES NOT use SSL under the hood."
Because I'm not. Different sources tell the opposite. I'm sure SSH is using openssl under the hood. But not sure it uses the same tunneling implementation as TLS-over-HTTP. And there is still no known method to MiTM SSH, AFAIK.

I'm not 100% sure, but it uses the same message framing as TLS and performs the same handshake sequence and security verifications.

This is not the same as transport, yes? Because transport is the primary target for bumping.

That said *SSL* _is_ different from TLS so the quote is technically correct either way.

It seems to me that the difference is not of principle.
Both SSL and TLS use the same architecture, in which, in principle, it is possible to have an MiTM certificate, which one of the parties trusts.

Amos

--
"C++ seems like a language suitable for firing other people's legs."
* * C++20 : Bug to the future * *
Re: [squid-users] Users Guide --- Dead link
Hi,

you could always try the internet wayback machine at archive.org:
https://web.archive.org/web/20120531141437/http://www.deckle.co.za:80/squid-users-guide/

Kind regards,

Jascha

> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Eliezer Croitoru
> Sent: Friday, 9 March 2018 03:24
> To: 'Laurence Finston'; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Users Guide --- Dead link
>
> Did you mean that this link:
> https://www.deckle.co.za/squid-users-guide/
>
> is dead?
> From what I have seen the whole domain is kind of dead now.
>
> Eliezer
>
>
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Laurence Finston
> Sent: Thursday, March 8, 2018 16:29
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Users Guide --- Dead link
>
> Hello,
>
> I'm just starting out learning about Squid. The link to the Squid Users Guide
> by Oskar Pearson on http://www.squid-cache.org/Doc/ is dead:
>
> 404 Not Found
>
> Code: NoSuchBucket
> Message: The specified bucket does not exist
> BucketName: deckle-redirects
> RequestId: 317BF36686DE608E
> HostId: hE+eXv0FqL0/9aB66vz0NV1YjtNp4Cc/hYplqLRaF+CuiELrShKSoaE8xhe3URcl3+5baEosyM8=
>
> Could somebody repair it or let me know where I could find the document?
>
> Thank you.
>
> Laurence Finston
Re: [squid-users] Proxy hierarchy and FTP access
Hi,

> I'm sorry Jascha but the suggestions you got in your thread went kind of over
> my head, can I ask you if and how you "do allow the front-end Squid to
> re-FTP the traffic to the appropriate server then intercept it independently
> into the backend with its own ftp_port accepting the "native FTP" coming out
> of the frontend"?

Please see https://wiki.squid-cache.org/SquidFaq/InterceptionProxy for an overview of the interception proxy concept. Basically, you need to route the FTP traffic from your client-side proxy to the DMZ proxy. I'm not sure how well this will work with FTP, because of its dual-connection nature. According to the squid FAQ it is not supported, but there are several FTP helpers which could make this work. I haven't tried that solution either, because we can't change our design that way without breaking production traffic. Googling

> If that's a "technically possible only" suggestion, I guess my only
> alternative is to let my FileZilla client connect directly to my DMZ Squid
> machine and do the ACL stuff there, right?

We are currently using the "frox" FTP proxy on our client-side proxy server. This software does support an FTP upstream proxy, but has not been maintained for a few years now. It is not available in the official Debian repositories (since Wheezy, IIRC). If you don't want to use this, you need to allow your users access to the DMZ proxy. On the other hand, FileZilla does support an HTTP proxy (you need to allow CONNECT for the FTP target ports though).

Kind regards,

Jascha
Re: [squid-users] Proxy hierarchy and FTP access
Hi,

> I'm setting up a new infrastructure for my web proxy and I'm having a
> problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
> machines by the way.
>
> I used to have a single Squid machine talking freely to the internet from
> inside the LAN, with clients connecting on port 3128 for HTTP request and 21
> for FTP using FileZilla with "FTP proxy" options enabled.
> The relevant part of my Squid configuration is the following, and everything
> worked like a charm:
>
> ftp_port 21
> acl FTP proto FTP
> acl siti_ftp dstdomain "/etc/squid/ftp_sites"
> http_access allow FTP ftp_sites
>
> Then for security purposes I've set up a second Squid machine, in our DMZ,
> to act as a cache parent for the LAN machine, but now FTP only works through
> a browser; I've tried enabling the ftp_port directive on the parent machine,
> disabling it in the LAN one and a bunch of other stuff but nothing seems to
> be working.

This is exactly my setup right there and I came with the same question to this mailing list. Sadly, there is no support for an explicit FTP-forwarding proxy at the moment and no development to implement this as far as I know.

> For reference, the parent grants access to the child proxy thanks to this
> setting:
> acl child_proxy src 10.9.10.X/32
> http_access allow child_proxy

This is for HTTP packets only. When using FTP via the browser you are actually using FTP over HTTP, which uses the 3128 port on your client-side proxy. When using an FTP client with an FTP proxy you are connecting via native FTP, which does not use the cache_peer settings (as those only support HTTP messages) I'm guessing you use to access the parent proxy.

See http://squid-web-proxy-cache.1019090.n4.nabble.com/FTP-proxy-chain-with-native-ftp-td4684366.html for the suggested workarounds from my thread.

Kind regards,

Jascha

> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Grey
> Sent: Wednesday, 28 February 2018 09:31
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Proxy hierarchy and FTP access
>
> Hi guys,
>
> At this point, I'd like to know if what I'm trying to do is possible at all,
> because I'm starting to think there's something major I've totally
> overlooked.
> Thanks a lot to anyone willing to help :)
Re: [squid-users] 3.5.20 run out of my memory.
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Friday, 9 February 2018 08:37
>
> On 09/02/18 20:30, Sticher, Jascha wrote:
> > Hi,
> >
> >> KiB Mem: 4037016 total, 3729152 used, 307864 free, 120508 buffers
> >> KiB Swap: 8511484 total, 0 used, 8511484 free. 2213580 cached Mem
> >
> > this is normal behaviour in Linux - everything that's once read from disk is
> > cached in RAM, as long as there is free memory.
> > If the RAM is needed in another way, the cache in memory will be reduced.
> > See also: https://www.linuxatemyram.com/
> >
> > Kind regards,
> >
> > Jascha Sticher
> >
>
> Nice way to say it. Do you mind If I quote you for this in the Squid FAQ
> pages?
>
> Amos

I don't mind - go ahead. I'm glad to help!

Kind regards,

Jascha Sticher
Re: [squid-users] 3.5.20 run out of my memory.
Hi,

> KiB Mem: 4037016 total, 3729152 used, 307864 free, 120508 buffers
> KiB Swap: 8511484 total, 0 used, 8511484 free. 2213580 cached Mem

this is normal behaviour in Linux - everything that's once read from disk is cached in RAM, as long as there is free memory. If the RAM is needed in another way, the cache in memory will be reduced.

See also: https://www.linuxatemyram.com/

Kind regards,

Jascha Sticher
[squid-users] FTP proxy chain with native ftp
Hi,

we're currently upgrading our proxy environment to squid 3.5.23 (Debian Stretch) and would like to use the native FTP proxy feature to replace our old FTP proxy solution (frox). Due to some design choices, we have a proxy hierarchy for HTTP as well as FTP traffic.

Is there a way (yet) to tell my first squid instance to use another squid as a forward proxy with native FTP? IIRC, the cache_peer directive always uses HTTP requests, so this seems like a dead end.

Kind regards,

Jascha Sticher