Re: [squid-users] SSLBump and squid process CPU usage

2018-04-27 Thread masterx81
By now I don't see the single squid process taking all the resources anymore; using multiple processes the load is spread and all seems to work really well. I only sometimes see the clamd service hitting 100% for a few instants, but I think that is normal, as it's a single process, and it doesn't cause any slowdown.
The ACLs that I've cut are only big lists of dstdomain (I think those don't require much CPU), and ACLs for some groups of users (time-based ACLs). Nothing really intensive.
The only thing that I think can be intensive is the extension checking for locking some users, but only a few clients hit this ACL.



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] tlsv1 alert unknown ca (1/0)

2018-04-26 Thread masterx81
Maybe I've spotted what it was: Trend Micro Antivirus (cloud version). It was generating a lot of TCP_MISS with status code 200. I added the domain .trendmicro.com to the "not bumped" domains (along with some Microsoft domains used for the update processes) and the cache file is so much cleaner!





Re: [squid-users] SSLBump and squid process CPU usage

2018-04-26 Thread masterx81
For now I've tried with the "workers 3" directive; I can see 3 squid processes, they seem to spread the load quite evenly and the page loading seems better. Hope that fixes the bottleneck...
In any case, I don't know if there is something wrong in the config that can hurt the performance.





Re: [squid-users] tlsv1 alert unknown ca (1/0)

2018-04-26 Thread masterx81
How can I find what the problematic CA is?
In the cache.log I have hundreds of these (around 10 per second), but in the access.log I have really few TCP_DENIED connections, or in general other errors, that could indicate what's causing that problem.

Thanks!!





Re: [squid-users] SSLBump and squid process CPU usage

2018-04-24 Thread masterx81
Wow, a lot to read (and understand, for a newbie like me :-|)
From what I've seen it's sufficient to insert the "workers n" directive in the conf (n = number of workers), with some limitations on the features that support SMP (delay pools, cache, etc. - I don't think I'll use any of them).





[squid-users] SSLBump and squid process CPU usage

2018-04-24 Thread masterx81
Hi!
I've configured squid with ssl_bump and now the squid process (not the helpers) takes quite a lot of load. There aren't too many clients on it (max 50).
This is the config (I ripped out some ACLs to make it readable):

--

cache_mgr x...@xxx.com
visible_hostname proxy.xxx.com
dns_v4_first on

authenticate_ip_ttl 1 hour

forward_max_tries 25

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=xxx --kerberos /usr/local/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=xxx
auth_param ntlm children 50
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via
kerberos/ntlm
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -v 3 -R -b "dc=xxx,dc=local" -D squid@xxx.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h srv-dc1.xxx.local

auth_param basic children 50
auth_param basic realm Proxy xxx

### ldap group authorisation
external_acl_type memberof ttl=30 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b "dc=xxx,dc=local" -D squid@xxx.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU xxx,dc=xxx,dc=local))" -h srv-dc1.xxx.local

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
#   aclname acltype  typename activedirectorygroup
acl InternetBloccato external memberof "/etc/squid/Internet_bloccato.txt"
... etc

acl bypass dstdomain somedomains
... etc

# ACL per Windows Update e microsoft
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain .windowsupdate.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain .delivery.mp.microsoft.com

a lot more ACL

# ACL per bloccare per estensione
acl estensionibloccate urlpath_regex -i "/etc/squid/estensionibloccate.txt"

## Disable ssl interception for dropbox.com and hotmail.com (and localhost)
acl no_ssl_interception dstdomain somedomains

ssl_bump none localhost
ssl_bump none no_ssl_interception

ssl_bump stare
ssl_bump bump all


acl SSL_ports port 443
acl SSL_ports port 7071
acl SSL_ports port 10443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com


# Permetti FTP
acl ftp proto FTP
acl ftp_port port 21

# ACL per limiti utenti Internet_limitato
acl giorni time T W F

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
ftp_epsv off

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow ftp_port CONNECT
http_access allow ftp

http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

 a lot more ACL 

# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all



### logging
logformat useragent  %>a [%tl] "%{User-Agent}>h"

# don't log allowedsites, prioritysites, AnonymousAccess
access_log /var/log/squid/access.log logformat=squid
#!allowedsites !prioritysites !AnonymousAccess
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
logfile_rotate 10

# Squid normally listens to port 3128
#http_port 8080
http_port 8080 ssl-bump cert=/etc/squid/proxy.xxx.local.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_SSLv2 s$

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


#
maximum_object_size 3000 KB


Re: [squid-users] Squid keeps using ipv6 using ssl_bump

2018-04-24 Thread masterx81
I've tried to comment out the "tcp_outgoing_address 0.0.0.0 all" directive as you suggested, and actually everything works as it should. I don't know why in the past I had to add it.
By now, only one site has problems with ssl_bump and ipv6, and it's wiki.squid-cache.org (quite hilarious). If I bump it I get the ipv6 error; if I add it to the ssl_bump none ACL it goes through the ipv4 route normally.
I was afraid that wasn't the only one, but by now I've not had any other complaints from users.
Strange. For now I'll not intercept it and problem solved.
Really, thanks for the support!






[squid-users] Squid 3.5.5, delay pools and external helpers

2015-06-30 Thread masterx81
Hi...
I'm trying to limit download bandwidth for some user groups based on AD using external helpers, with the following configuration:
delay_pools 1
delay_class 1 1
delay_access 1 allow InternetLimitato InternetLibero InternetCentralino !CONNECT
delay_parameters 1 50/50

InternetLimitato, InternetLibero and InternetCentralino are some AD groups, and I want to add their traffic to delay pool 1, but with this configuration it doesn't work. Instead, if I apply the delay pool to all, everything works as expected.

Is it like this by design?

Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-5-5-delay-pools-and-external-helpers-tp4671969.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid and site ryanair.com

2015-02-19 Thread masterx81
After further searching it seems that the web page is now trying to get files from cdnjs.cloudflare.com, but it resolves to an ipv6 address. My network is not ready for ipv6. I've already shut off ipv6 on the interface and used dns_v4_first on and tcp_outgoing_address 0.0.0.0, but still no luck: it always tries to use ipv6.
What can I do?




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-and-site-ryanair-com-tp4669105p4669962.html


Re: [squid-users] Squid and site ryanair.com

2015-01-27 Thread masterx81
I doubt it's a chrome bug, as with a direct connection I don't have any problem...



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-and-site-ryanair-com-tp4669105p4669366.html


Re: [squid-users] Squid and site ryanair.com

2015-01-19 Thread masterx81
I still have problems... I've tried in different ways and I'm unable to get it to work...
This is my config:

#
# Recommended minimum configuration:
#

### cache manager
cache_mgr cache...@domain.com

visible_hostname Serv07.domain.com

authenticate_ip_ttl 1 hour

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/local/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth -d --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 50
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via
kerberos/ntlm
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -v 3 -R -b dc=domain,dc=local -D squid@domain.local -W /etc/squid/ldappass.txt -d -f sAMAccountName=%s -h srv-dc1.domain.local
auth_param basic children 50 
#startup=0 idle=1
auth_param basic realm Proxy Domain
##auth_param basic credentialsttl 1 minute
##auth_param basic casesensitive off

### Kerb authorization
#external_acl_type memberof ttl=30 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g %g -D DOMAIN.LOCAL

### ldap authorisation
external_acl_type memberof ttl=30 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b dc=domain,dc=local -D squid@domain.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU Domain,dc=domain,dc=local))" -h srv-dc1.domain.local

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
#   aclname acltype  typename activedirectorygroup
acl InternetBloccato    external memberof /etc/squid/Internet_bloccato.txt
acl InternetCentralino  external memberof /etc/squid/Internet_centralino.txt
acl InternetLimitato    external memberof /etc/squid/Internet_limitato.txt
acl InternetLibero      external memberof /etc/squid/Internet_libero.txt
acl InternetVIP         external memberof /etc/squid/Internet_VIP.txt

acl consentiti_tutti    dstdomain /etc/squid/block/consentiti_tutti.txt

acl consentiti  dstdomain /etc/squid/block/consentiti.txt
acl nonconsentiti   dstdomain /etc/squid/block/nonconsentiti.txt

acl bypass dstdomain .sistri.it

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com

acl java_jvm browser Java/1.4 Java/1.5 Java/1.6 Java/1.7 Java/1.8


## Disable ssl interception for dropbox.com and hotmail.com (and localhost)
acl no_ssl_interception dstdomain .dropbox.com .hotmail.com .sistri.it .office365.com .officineciola.it .adobe.com .adobelogin.com
ssl_bump none localhost
ssl_bump none no_ssl_interception
## Add the rest of your ssl-bump rules below
## e.g ssl_bump server-first all
## etc

### squid defaults
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl SSL_ports port 7071
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com

http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

http_access allow java_jvm

http_access allow localhost

# Permetti FTP
acl ftp proto FTP
acl ftp_port port 21
http_access allow ftp_port CONNECT
http_access allow ftp

# ACL per limiti utenti Internet_limitato
acl giorni time T W H

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
ftp_epsv off


#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports


# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#


### http_access rules

http_access allow bypass
always_direct 

[squid-users] Squid and site ryanair.com

2015-01-15 Thread masterx81
Hi!
I have squid/3.3.13 on a CentOS 6.5, configured with ntlm and kerberos auth.
I'm having trouble getting the http site ryanair.com to work.
The dynamic content of the page (the find flights button and the calendars, which as far as I can see are js+css) is not working (the calendars don't open and the button doesn't highlight on mouse move). I've also tried to put an exception for the dstdomain ryanair.com before the auth, and I have the same problem.
In access.log I get only DENIED on:

1421337197.667      0 172.16.2.210 TCP_DENIED/407 3944 CONNECT s-static.ak.facebook.com:443 - HIER_NONE/- text/html
1421337195.919      0 172.16.2.210 TCP_DENIED/407 3908 CONNECT apis.google.com:443 - HIER_NONE/- text/html

There was also a DENIED on:
1421337020.420      0 172.16.2.210 TCP_DENIED/407 4354 GET http://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.3.6/slick.css - HIER_NONE/- text/html

I've tried to bypass auth also on dstdomain cloudflare.com; now I get a MISS on that instead of a DENIED, but the page still doesn't work.

If I bypass the proxy totally the site works.

Can someone explain to me how to get around this?
Really, thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-and-site-ryanair-com-tp4669105.html
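The access.log lines quoted in this post, and the TCP_MISS/200 pattern that the 2018-04-26 "tlsv1 alert unknown ca" post on this page traced to .trendmicro.com, are in Squid's native "squid" logformat. As an added example that is not part of any post in this thread and not Squid's own code, here is a small Python parser that splits such lines into their fields and aggregates them by result code and destination host. The first three sample lines are the ones quoted above; the remaining ones are constructed, with invented hosts, paths, users and RFC 5737 peer addresses.

```python
"""Summarise Squid access.log lines (native "squid" logformat) by result and host.

Added example; not code from the squid-users posts. SAMPLE_LOG is partly
constructed: the trendmicro/example.com hosts, paths, users and the
203.0.113.x peer addresses are invented.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Field order of Squid's default "squid" logformat:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

SAMPLE_LOG = """\
1421337197.667      0 172.16.2.210 TCP_DENIED/407 3944 CONNECT s-static.ak.facebook.com:443 - HIER_NONE/- text/html
1421337195.919      0 172.16.2.210 TCP_DENIED/407 3908 CONNECT apis.google.com:443 - HIER_NONE/- text/html
1421337020.420      0 172.16.2.210 TCP_DENIED/407 4354 GET http://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.3.6/slick.css - HIER_NONE/- text/html
1524737001.102    215 172.16.2.44 TCP_MISS/200 1843 GET https://agent-sample.trendmicro.com/check user1 HIER_DIRECT/203.0.113.10 application/octet-stream
1524737001.340    190 172.16.2.44 TCP_MISS/200 1843 GET https://agent-sample.trendmicro.com/check user1 HIER_DIRECT/203.0.113.10 application/octet-stream
1524737002.011    301 172.16.2.45 TCP_MISS/200 9021 GET https://www.example.com/index.html user2 HIER_DIRECT/203.0.113.20 text/html
"""


def dest_host(method, url):
    """CONNECT requests log "host:port"; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname  # already lowercased by urlsplit
    return host if host else url


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["host"] = dest_host(rec["method"], rec["url"])
    return rec


def summarise(lines):
    """Count (result/status, host) pairs across all parseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(f"{rec['result']}/{rec['status']}", rec["host"])] += 1
    return counts


def top_hosts(lines, result_status, n=5):
    """Hosts most often logged with a given result, e.g. "TCP_MISS/200"."""
    per_host = Counter()
    for (key, host), count in summarise(lines).items():
        if key == result_status:
            per_host[host] += count
    return per_host.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, count in sorted(summarise(lines).items()):
        print(f"{count:4d}  {key[0]:<16} {key[1]}")
    print("most frequent TCP_MISS/200 hosts:", top_hosts(lines, "TCP_MISS/200"))
```

Run against a real access.log (for example `summarise(open("/var/log/squid/access.log"))`), the TCP_DENIED/407 bucket shows which destinations are hitting the proxy-auth challenge, and the TCP_MISS/200 bucket shows which hosts dominate the bumped traffic, which is the check that led to excluding .trendmicro.com from ssl_bump in the later post.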


[squid-users] Group check against AD

2014-10-27 Thread masterx81
Hi!
I'm trying to check if a user is present in a Group, and now I'm using the following config:

external_acl_type memberof ttl=30 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b dc=domain,dc=local -D squid@domain.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU domain,dc=domain,dc=local))" -h srv-dc1.domain.local

It works, but has some limits: for example, if a user is only in the group of interest it doesn't pass (while adding a second Group that is the default Group, it works). Also, if a user is in some sub groups it doesn't work.

I've also tried the kerb helper (with kerb configured and keytab working); using shell commands it works, for example:
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g Internet libero -D DOMAIN.LOCAL
which converted into squid must be something like:
external_acl_type memberof ttl=30 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g %g -D DOMAIN.LOCAL
It works (on the shell; I've not tried the second syntax in squid), but with the same limits.

Is there a way to at least have the user in only one Group (that is the default group)?
Thanks!




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Group-check-against-AD-tp4668078.html
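The -f filter in this post (and the same filter in the 2018 ssl_bump config earlier on the page) tests the user's memberOf attribute for one exact group DN, which is why membership through a sub group is not seen. As an added example, not code from the post or from Squid, the Python below expands %v and %g into that filter with RFC 4515 escaping and then evaluates direct versus transitive membership against a constructed stand-in directory (the users, group names and DNs are invented). It goes one step beyond the post: the NESTED_TEMPLATE variant uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), which makes the server follow memberOf transitively; that rule is not mentioned in the thread and is assumed here to be available on the AD being queried.

```python
"""Expand the ext_ldap_group_acl filter and show direct vs nested group membership.

Added example; not code from the squid-users post or from Squid. ACCOUNTS and
DIRECTORY are a constructed stand-in for the AD being queried; the in-chain
matching rule used by NESTED_TEMPLATE is an AD feature not mentioned in the post.
"""

BASE_DN = "ou=SQUID,ou=OU domain,dc=domain,dc=local"   # group container from the post

# The -f filter from the post, with %v (login) and %g (group) still unexpanded.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=cn=%g," + BASE_DN + "))")

# Same filter with AD's LDAP_MATCHING_RULE_IN_CHAIN, so memberOf is followed transitively.
NESTED_TEMPLATE = FILTER_TEMPLATE.replace("(memberof=", "(memberof:1.2.840.113556.1.4.1941:=")


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user, group, template=FILTER_TEMPLATE):
    """Expand %v and %g the way the helper does, escaping both values."""
    return template.replace("%v", ldap_escape(user)).replace("%g", ldap_escape(group))


def group_dn(name):
    return f"cn={name},{BASE_DN}"


# Constructed directory: each DN maps to the DNs it is directly memberOf.
ACCOUNTS = {
    "mario": "cn=mario,ou=Users,dc=domain,dc=local",
    "luigi": "cn=luigi,ou=Users,dc=domain,dc=local",
}
DIRECTORY = {
    ACCOUNTS["mario"]: [group_dn("Internet libero")],
    ACCOUNTS["luigi"]: [group_dn("Reparto Vendite")],   # only via a sub group
    group_dn("Reparto Vendite"): [group_dn("Internet limitato")],
    group_dn("Internet libero"): [],
    group_dn("Internet limitato"): [],
}


def direct_member(user, group):
    """What (memberof=cn=%g,...) evaluates: the group must be a direct memberOf."""
    dn = ACCOUNTS.get(user)
    if dn is None:
        return False
    target = group_dn(group).lower()
    return any(g.lower() == target for g in DIRECTORY.get(dn, []))


def nested_member(user, group):
    """Walk memberOf transitively: the answer the in-chain rule gives server-side."""
    dn = ACCOUNTS.get(user)
    if dn is None:
        return False
    target = group_dn(group).lower()
    seen, todo = set(), [dn]
    while todo:
        for parent in DIRECTORY.get(todo.pop(), []):
            if parent.lower() == target:
                return True
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return False


if __name__ == "__main__":
    print(build_filter("luigi", "Internet limitato"))
    print(build_filter("luigi", "Internet limitato", NESTED_TEMPLATE))
    print("direct:", direct_member("luigi", "Internet limitato"),
          "nested:", nested_member("luigi", "Internet limitato"))
```

The direct test is exactly the semantics of the post's filter: "luigi" is in "Internet limitato" only through "Reparto Vendite", so the plain memberof filter rejects him while the transitive walk accepts him. Escaping the substituted values matters because %v and %g come from the client's login and the ACL's group list; a `*` or `)` in either would otherwise change the filter's meaning.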


Re: [squid-users] 3.3.x - 3.4.x: huge performance regression

2014-10-23 Thread masterx81
Same here; I'm waiting for the right time to go to the customer and try the debugging suggested by Amos Jeffries on the 3.4.x code, to help find where the performance issue is.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/3-3-x-3-4-x-huge-performance-regression-tp4668003p4668036.html


Re: [squid-users] problem with basic_ldap_auth

2014-10-10 Thread masterx81
No luck; it seems that if squid fails one of the negotiate_wrapper methods it doesn't use any other method, asking for that password (which, as you say, isn't a basic auth, as the realm part isn't displayed).
In the logs I get only negotiate_wrapper events. I've also tried to comment out the pure ntlm and basic auth methods, confirming that they aren't actually used.
This same config was working on 3.4.x, so I think that it is a 3.3.13 bug...
Later in the morning (when the users are at lunch) I'll try to disable the negotiate wrapper and leave only basic to see if it works.
If I can't get it to work I'll try previous versions, as on the 3.4.x versions I have too high a CPU usage (most of the time at 100%), while on 3.3 I get only around 5%, with the same config!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-basic-ldap-auth-tp4667736p4667796.html


Re: [squid-users] problem with basic_ldap_auth

2014-10-10 Thread masterx81
Ok, I've tried to comment out and leave only one helper at a time, and I can get only one helper to work.
If I have only the basic helper, and the others commented out, it works (asking for the password with the correct realm text), but if I enable the other helpers, only the one that is first in order in the conf file works; the others don't work, and ask me that strange logon request.

The strange thing is that also with the -d option on all helpers I get in the cache.log file only the negotiate wrapper debug info.

Any help or suggestion before I try to downgrade to a different version?

Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-basic-ldap-auth-tp4667736p4667799.html


Re: [squid-users] problem with basic_ldap_auth

2014-10-10 Thread masterx81
I've noticed that others also had problems on 3.4.x with high CPU usage using ntlm auth, and I would be happy to help and support the project. But I don't know too much about linux (it's only been a few months that I've been playing with it) and I know squid only a bit. I don't know if I can be very useful. And the system belongs to a customer of mine, but I can connect via VPN, so I can access it at any time.
Let me know if and how I can help!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-basic-ldap-auth-tp4667736p4667808.html