Re: [squid-users] 3.5.20 run out of my memory.

2018-02-08 Thread minh hưng đỗ hoàng
Thanks a lot for your help,

> https_port 3130 tproxy ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB
> > cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn
>
> Please add sslflags=NO_DEFAULT_CA to the above config line. That should
> reduce the memory usage a lot.
>
>
I have tried this command, but my Squid still uses a lot of my memory for
cache.

KiB Mem:   4037016 total,  3729152 used,   307864 free,   120508 buffers
KiB Swap:  8511484 total,        0 used,  8511484 free.  2213580 cached Mem

Squid only uses about 1.2 GB of DRAM to run, but uses a lot of memory for cache
(2213580 cached Mem).
What was cached by my Squid with my squid.conf? Can I reduce or set a
lifetime for this cache?

-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] 3.5.20 run out of my memory.

2018-02-06 Thread minh hưng đỗ hoàng
Dear all, I use Squid 3.5.20 on Ubuntu 14 in TPROXY mode.
With a basic config in squid.conf, Squid runs out of my server's memory.
Here are my configure options:

'--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid'
'--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-gnuregex' '--enable-delay-pools' '--enable-cache-digests'
'--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-http-violations'
'--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install'
'--enable-ltdl-convenience' '--enable-x-accelerator-vary'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--disable-translation' '--disable-ipv6'
'--disable-ident-lookups' '--with-swapdir=/var/spool/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-aufs-threads=24' '--with-filedescriptors=65536'
'--with-large-files' '--with-maxfd=65536' '--with-openssl'
'--with-default-user=proxy' '--with-included-ltdl'
--

And I applied this patch before compiling, to disable the host forgery checks:

+diff -ur squid-3.5.20-orig/src/client_side_request.cc
squid-3.5.20/src/client_side_request.cc
+--- squid-3.5.20-orig/src/client_side_request.cc2016-07-01
13:37:50.0 +0200
 squid-3.5.20/src/client_side_request.cc2017-03-10
16:48:08.920084072 +0100
+@@ -530,6 +530,10 @@
+ }
+ debugs(85, 3, HERE << "validate IP " << clientConn->local <<
" non-match from Host: IP " << ia->in_addrs[i]);
+ }
++// disable fogery check. See
https://code.nethesis.it/Nethesis/dev/issues/5088
++http->request->flags.hostVerified = true;
++http->doCallouts();
++return;
+ }
+ debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << "
possible from Host:");
+ hostHeaderVerifyFailed("local IP", "any domain IP");
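Review bot: the three inserted lines force `hostVerified = true`, run `doCallouts()` and return before control can reach `hostHeaderVerifyFailed("local IP", "any domain IP")`, so the `FAIL: validate IP` debugs line and the failure handling after it become unreachable and every mismatch between the Host/SNI name and the intercepted destination IP is accepted silently. That removes the protection described earlier in this thread (a client can make the proxy connect to an arbitrary origin under any Host name, which is "most dangerous when cached"). If the intent is only to keep traffic flowing when the check fails, squid.conf already offers that without a source change: `host_verify_strict off` together with the default `client_dst_passthru on`, both of which appear in the configurations posted later in this thread. If the patch is kept anyway, at least keep the `debugs(85, 3, HERE << "FAIL: validate IP" ...)` line reachable so the bypass is still visible in cache.log, and state the behaviour change in the patch description rather than only in a code comment.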

And here is my squid.conf (I don't post my http_access lines, for a clearer view :()

###
# Squid normally listens to port 3128
###

https_port 3130 tproxy ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
cert=/etc/squid/ssl/e1f19c0494badc8dc14e8c4c56a8b97a.dyn
http_port 3129 tproxy
http_port 3128

###
# squid ssl_bump option
###
acl step1 at_step SslBump1
acl block ssl::server_name "/etc/squid/block_domain.txt"
ssl_bump peek step1
ssl_bump terminate block
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

###
## LOGFILE OPTIONS
###

mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid

include /etc/squid/logging.conf
###
## OPTIONS FOR TROUBLESHOOTING
###

coredump_dir /var/spool/squid
debug_options ALL,1
cache_effective_user squid
cache_effective_group squid
###
## PERSISTENT CONNECTION HANDLING
###

detect_broken_pconn off
client_persistent_connections off
server_persistent_connections on

###
## ERROR PAGE OPTIONS
###
error_directory /usr/share/squid/errors/en
error_log_languages off

###
## DNS OPTIONS
###
check_hostnames off
hosts_file /etc/hosts
connect_retries 2
ipcache_low 90
ipcache_size 5024   # Maximum number of DNS IP cache entries.
fqdncache_size 3024 # Maximum number of FQDN cache entries.
pipeline_prefetch 100

###
##  MISCELLANEOUS
###

[squid-users] How to block a https website with squid 3.5.3

2018-01-11 Thread minh hưng đỗ hoàng
Dear all, I am using Squid as a transparent proxy. But I can't deny an HTTPS
website like
https://remitano.com

My Squid is compiled on Ubuntu 14 with these configure options
Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/usr/include'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-gnuregex'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-http-violations'
'--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install'
'--enable-ltdl-convenience' '--enable-x-accelerator-vary'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--disable-translation' '--disable-ipv6'
'--disable-ident-lookups' '--enable-delay-pools'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24'
'--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536'
'--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'

And here is my squid.conf

acl localnet src 192.168.10.0/24 #LAN
acl localnet src 10.10.10.0/24 #WIFI
acl localnet src 10.10.20.0/24 #WIFI
acl localnet src 172.18.18.0/24 #WIFI
acl localnet src 172.17.0.0/16
acl localnet src 10.10.1.0/24

acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https


acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blockregexurl
ssl_bump terminate domain
ssl_bump terminate block_domain
ssl_bump splice all


sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_flags  DONT_VERIFY_PEER
sslproxy_cafile /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

---
First, I can block Facebook by using these lines:
acl facebook dstdomain .facebook.com
http_access deny CONNECT facebook

But it has no effect on https://remitano.com

I tried to use these lines but they don't work:

acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
http_access deny blockregexurl
http_access deny CONNECT blockregexurl

acl block_domain dstdomain remitano.com
acl domain dstdomain sso.remitano.com socket.remitano.com cdn.remitano.com
http_access deny block_domain
http_access deny CONNECT block_domain
http_access deny domain
http_access deny CONNECT domain


-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115
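The post above tries three ACL types (dstdomain with and without subdomain entries, and a url_regex) against an intercepted HTTPS site. The Python script below is an added example, not code from the post or from Squid, that models how those ACLs evaluate against the name an intercepted TLS connection presents: Squid's dstdomain rule (an entry with a leading dot covers that domain and every subdomain; an entry without a dot matches only that exact name) and a url_regex applied to the host:port form a CONNECT request URL takes (the access.log line elsewhere in this thread shows that form). The ACL names and domains are the ones from the post; the matching model is mine, and treating the ssl::server_name file entries the same way as dstdomain patterns is an assumption.

```python
import re

# ACL definitions copied from the squid.conf posted above, keyed by ACL name.
# dstdomain values are domain patterns; url_regex values are regular expressions.
POSTED_ACLS = {
    "block_domain": ("dstdomain", ["remitano.com"]),
    "domain": ("dstdomain", ["sso.remitano.com", "socket.remitano.com", "cdn.remitano.com"]),
    "blockregexurl": ("url_regex", [r"^http[s]?:\/\/.*\.remitano\.com\/(/vn)"]),
}

# Tightened alternative (added here, not from the post): a single leading-dot
# entry covers the apex name and every subdomain, so new hosts need no new ACL.
TIGHTENED_ACLS = {
    "block_domain": ("dstdomain", [".remitano.com"]),
}


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and any
    name ending in '.example.com'; 'example.com' matches only example.com."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def connect_url(host: str, port: int = 443) -> str:
    """On a CONNECT request (what an intercepted TLS connection becomes once
    peek has read the SNI) the request URL is just host:port: no scheme, no path."""
    return f"{host}:{port}"


def url_regex_match(pattern: str, url: str) -> bool:
    """url_regex -i: case-insensitive regex search over the request URL."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def matching_acls(acls: dict, host: str, port: int = 443) -> list:
    """Names of the ACLs that would match a CONNECT to host:port, i.e. the ACLs
    an 'ssl_bump terminate <acl>' line could fire on for that server name."""
    hits = []
    for name, (kind, values) in acls.items():
        if kind == "dstdomain" and any(dstdomain_match(v, host) for v in values):
            hits.append(name)
        elif kind == "url_regex" and any(
            url_regex_match(v, connect_url(host, port)) for v in values
        ):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Server names as a client would send them in SNI (constructed sample input).
    for sni in ["remitano.com", "sso.remitano.com", "www.remitano.com", "remitano.com.example"]:
        print(f"{sni:22} posted={matching_acls(POSTED_ACLS, sni)!s:18} "
              f"tightened={matching_acls(TIGHTENED_ACLS, sni)}")
```

Running it shows that the posted ACLs catch `remitano.com` and the three explicitly listed subdomains but nothing else (for example `www.remitano.com`), and that the url_regex never fires on a CONNECT URL because there is no `http://` prefix to match; the single `.remitano.com` entry covers all of them while still rejecting look-alikes such as `remitano.com.example`.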


Re: [squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

2017-11-29 Thread minh hưng đỗ hoàng
Dear Amos,
Sorry for concluding hurriedly.
When I tested with 1 user it seemed OK, no more alerts in cache.log.
But when I test with more users, the alerts in cache.log happen again.
And so I can't access some HTTPS pages such as chatwork.com, facebook.com

2017/11/29 18:06:41 kid1| SECURITY ALERT: Host header forgery detected on
local=54.238.137.130:443 remote=172.16.255.10:61831 FD 131 flags=33 (local
IP does not match any domain IP)
2017/11/29 18:06:41 kid1| SECURITY ALERT: on URL: www.chatwork.com:443
2017/11/29 18:06:48 kid1| SECURITY ALERT: Host header forgery detected on
local=31.13.95.8:443 remote=172.16.255.51:54984 FD 173 flags=33 (local IP
does not match any domain IP)
2017/11/29 18:06:48 kid1| SECURITY ALERT: on URL: api.facebook.com:443
2017/11/29 18:08:07 kid1| SECURITY ALERT: Host header forgery detected on
local=31.13.95.12:443 remote=172.16.255.51:54990 FD 51 flags=33 (local IP
does not match any domain IP)
2017/11/29 18:08:07 kid1| SECURITY ALERT: on URL: static.xx.fbcdn.net:443
2017/11/29 18:08:50 kid1| SECURITY ALERT: Host header forgery detected on
local=172.217.24.197:443 remote=172.16.255.10:61866 FD 34 flags=33 (local
IP does not match any domain IP)
2017/11/29 18:08:50 kid1| SECURITY ALERT: on URL: mail.google.com:443
2017/11/29 18:09:43 kid1| SECURITY ALERT: Host header forgery detected on
local=13.113.80.172:443 remote=172.16.255.10:61890 FD 124 flags=33 (local
IP does not match any domain IP)
2017/11/29 18:09:43 kid1| SECURITY ALERT: on URL: ws-chatwork.pusher.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:11:00 kid1| SECURITY ALERT: Host header forgery detected on
local=157.240.15.22:443 remote=172.16.255.51:55032 FD 93 flags=33 (local IP
does not match any domain IP)
2017/11/29 18:11:00 kid1| SECURITY ALERT: on URL: connect.facebook.net:443
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on
local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP
does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/29 18:14:00 kid1| SECURITY ALERT: Host header forgery detected on
local=31.13.95.34:443 remote=172.16.255.59:39526 FD 74 flags=33 (local IP
does not match any domain IP)
2017/11/29 18:14:00 kid1| SECURITY ALERT: on URL: mqtt-mini.facebook.com:443


I have a Mikrotik router (172.16.1.1) and some local LANs. For every LAN,
my DHCP allocates DNS and gateway to that LAN. E.g.: 172.16.255.0/24 with
gateway 172.16.255.254 and DNS 172.16.255.254
- Mikrotik configured as a caching DNS forwarding to 8.8.8.8
- Squid uses DNS 172.16.1.1 (Mikrotik DNS)
- Squid is configured with DNS 172.16.1.1
- Clients use the DNS allocated by DHCP (which is still the Mikrotik router)

Here is my full squid.conf :

#Allow LAN Network

# Allow Network ACL Allow/Deny Section#
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535

acl CONNECT method CONNECT
acl fb dstdomain .facebook.com

#http_access deny CONNECT fb

http_access allow localhost
http_access allow all


# Transparent Proxy Parameters
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=off
cert=/etc/squid/ssl_cert/squid-3.5.27.pem

### SSL config ###
#-Start-#
#ssl_bump none all
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice all
#-End-#

# - Add X-Forwarded-for in headers [0]?
#-Start-#
forwarded_for transparent
#-End-#

debug_options ALL,1

log_fqdn on
emulate_httpd_log on
icap_enable on

global_internal_static on
short_icon_urls on
log_uses_indirect_client on


# - DNS AND IP CACHES [4341]

dns_nameservers 172.16.1.1
dns_v4_first on
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds
-

Could you please help me. Thanks & Best Regards,

2017-11-28 17:32 GMT+07:00 minh hưng đỗ hoàng :

> Dear Amos,
> I solved my problem by doing the following:
> 1 - I used my Mikrotik router as a caching DNS
> 2 - Both the Squid proxy and my clients use the Mikrotik's DNS
>
> => There are no more alerts in cache.log
>
> Thanks a lot :)
> --
> Thanks & Best Regards,
> --
> Đỗ Hoàng Minh Hưng
> Gmail : hoangminh...@gmail.com
> SĐT : 01234454115
>



-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115


Re: [squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

2017-11-28 Thread minh hưng đỗ hoàng
Dear Amos,
I solved my problem by doing the following:
1 - I used my Mikrotik router as a caching DNS
2 - Both the Squid proxy and my clients use the Mikrotik's DNS

=> There are no more alerts in cache.log

Thanks a lot :)
-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115


Re: [squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

2017-11-26 Thread minh hưng đỗ hoàng
>
> Not just the Squid machine but *all* the clients going through your Squid
>> also have to be using the same DNS resolver for that workaround. Any of
>> them using other resolvers (eg 8.8.8.8 or similar services) *will* hit
>> these errors.
>>
>
>
> And this is my dns config in squid.config :
>>
>> # - DNS AND IP CACHES [4341]
>>
>> dns_nameservers 127.0.0.1
>> dns_v4_first on
>> #original_dst off
>> client_dst_passthru off
>>
>
> The above setting is rejecting clients when the host verify fails.
> To let traffic through the proxy when host-verify fails set it back to the
> default "client_dst_passthru on".
>
> The Host verify failure is most dangerous when cached - so that is always
> prohibited. But upstream routing is difficult for Squid to determine - thus
> that config option. It is left up to you whether you risk your clients
> getting infected by that mechanism - Squid just minimizes the damage and
> risk by limiting it to the one client making the suspicious request.
>
>
Thanks a lot for your suggestion; I thought that I had made some mistake in my
DNS. I will try to find out and show you the result.
-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115


Re: [squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

2017-11-24 Thread minh hưng đỗ hoàng
Dear Amos, thank you so much for your quick reply.
I have tried replacing my SSL config with your suggestion. But my Squid
gets errors like this in cache.log:

2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on
local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on
local=172.217.25.3:443 remote=172.18.18.15:55705 FD 17 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: www.google.com.vn:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on
local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on
local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443

So I can't access www.facebook.com. The error in my browser is:
*ERR_SSL_PROTOCOL_ERROR*

I found the same issue in this discussion:
http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html

And then I tried to make my Squid a caching DNS itself using Unbound.
But it looks like it doesn't work. I get the same error as before installing the caching DNS.
Here is my DNS test on my Squid:

[root@localhost ~]# nslookup
> google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.203.46

And this is my DNS config in squid.conf:

# - DNS AND IP CACHES [4341]

dns_nameservers 127.0.0.1
dns_v4_first on
#original_dst off
client_dst_passthru off
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds

Could you help me please :(

2017-11-24 20:27 GMT+07:00 Amos Jeffries :

> On 25/11/17 02:04, minh hưng đỗ hoàng wrote:
>
>>
>>
>> Dear Squid-users,
>> I want to set up a Squid proxy in transparent mode for HTTP/HTTPS traffic
>> without any config on the client side.
>>
>> I use Squid 3.5.20 on CentOS 7. I just installed Squid with the default features
>> via yum install squid.
>>
>> I just did that, but I have some problem with my output logging in
>> access.log.
>> Specifically, my access.log only shows ip_address_server:443 instead of the
>> domain name of the destination server, like this:
>>
>>
>> 1511525732.912206 172.18.18.15 TAG_NONE/200 0 CONNECT
>> 172.217.24.35:443 - ORIGINAL_DST/172.217.24.35 -
>>
>> I know that I made some mistake in my squid.conf. But I can't find out
>> how to fix it. Could you please show me how to improve my squid.conf.
>>
>>
> You configured "ssl_bump none all".
>
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>
> "do not use these with Squid-3.5 and newer"
>
>
> Use this instead:
>
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice all
>
>
> There should be two log entries per HTTPS connection. One before peek
> happens with raw-IP:port details. And a second one after peek which may
> have a _server_ name (*not* domain name) if and only if the client sends
> TLS SNI extension data.
>
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115
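The "SECURITY ALERT: Host header forgery detected" events in the post above, and the same ones in the 2017-11-29 post earlier in this thread, are written to cache.log as two consecutive lines per event: the detection line carrying the intercepted destination (`local=`) and the client (`remote=`), then an "on URL:" line with the server name. The Python script below is an added example, not code from the thread or from Squid, that pairs those lines into one record per alert, totals them per client and per destination name so an operator can see whether one client, or one group of clients using a different resolver, is behind a burst of alerts, and re-runs the comparison Squid makes (is the intercepted destination IP among the addresses the proxy's own resolver returns for that name?) against a small resolver table. The log lines are the ones from the 2017-11-29 post, re-joined after mail wrapping; the resolver table and the `would_verify` helper are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# cache.log excerpt from the 2017-11-29 post in this thread (wrapped lines re-joined).
# The WARNING line is kept to show that unrelated lines are ignored.
SAMPLE_LOG = """\
2017/11/29 18:06:41 kid1| SECURITY ALERT: Host header forgery detected on local=54.238.137.130:443 remote=172.16.255.10:61831 FD 131 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:41 kid1| SECURITY ALERT: on URL: www.chatwork.com:443
2017/11/29 18:06:48 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.8:443 remote=172.16.255.51:54984 FD 173 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:48 kid1| SECURITY ALERT: on URL: api.facebook.com:443
2017/11/29 18:08:07 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.12:443 remote=172.16.255.51:54990 FD 51 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:07 kid1| SECURITY ALERT: on URL: static.xx.fbcdn.net:443
2017/11/29 18:08:50 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.24.197:443 remote=172.16.255.10:61866 FD 34 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:50 kid1| SECURITY ALERT: on URL: mail.google.com:443
2017/11/29 18:09:43 kid1| SECURITY ALERT: Host header forgery detected on local=13.113.80.172:443 remote=172.16.255.10:61890 FD 124 flags=33 (local IP does not match any domain IP)
2017/11/29 18:09:43 kid1| SECURITY ALERT: on URL: ws-chatwork.pusher.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:11:00 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.15.22:443 remote=172.16.255.51:55032 FD 93 flags=33 (local IP does not match any domain IP)
2017/11/29 18:11:00 kid1| SECURITY ALERT: on URL: connect.facebook.net:443
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/29 18:14:00 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.34:443 remote=172.16.255.59:39526 FD 74 flags=33 (local IP does not match any domain IP)
2017/11/29 18:14:00 kid1| SECURITY ALERT: on URL: mqtt-mini.facebook.com:443
"""

DETECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local_ip>[\d.]+):(?P<local_port>\d+) "
    r"remote=(?P<client_ip>[\d.]+):(?P<client_port>\d+) "
    r"FD \d+ flags=\d+ \((?P<reason>[^)]*)\)$"
)
URL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)$"
)


@dataclass
class ForgeryAlert:
    ts: str
    client_ip: str   # the LAN client that opened the intercepted connection
    local_ip: str    # the original destination IP the client had resolved
    host: str        # the name taken from SNI / Host
    reason: str


def parse_alerts(text: str) -> list:
    """Pair each detection line with the 'on URL:' line that follows it."""
    alerts, pending = [], None
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            pending = m          # remember until the matching URL line arrives
            continue
        u = URL_RE.match(line)
        if u and pending is not None:
            alerts.append(ForgeryAlert(pending["ts"], pending["client_ip"],
                                       pending["local_ip"], u["host"], pending["reason"]))
            pending = None
    return alerts


def summarize(alerts: list) -> dict:
    """Totals per client and per destination name: a burst concentrated on a
    few clients points at those clients using a different resolver than Squid."""
    return {
        "total": len(alerts),
        "by_client": Counter(a.client_ip for a in alerts),
        "by_host": Counter(a.host for a in alerts),
    }


# Constructed resolver view for the proxy (not real DNS data): the check passes
# only when the client's destination IP is among the proxy's answers for the name.
CONSTRUCTED_RESOLVER = {
    "www.chatwork.com": {"54.238.137.130"},   # same answer the client used
    "www.facebook.com": {"157.240.13.35"},    # different CDN node than the client's
}


def would_verify(alert: ForgeryAlert, resolver: dict) -> bool:
    """Re-run Squid's comparison: intercepted destination IP vs. proxy-side answers."""
    return alert.local_ip in resolver.get(alert.host, set())


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    print(summarize(found))
    for a in found:
        print(f"{a.ts} {a.client_ip:15} -> {a.host:26} "
              f"verified_with_proxy_resolver={would_verify(a, CONSTRUCTED_RESOLVER)}")
```

Pointing `parse_alerts` at a real cache.log and keying the resolver table from the proxy's own lookups shows directly which alerts are explained by resolver disagreement (the case this thread is about) and which clients are producing them.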


[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

2017-11-24 Thread minh hưng đỗ hoàng
Dear Squid-users,
I want to set up a Squid proxy in transparent mode for HTTP/HTTPS traffic
without any config on the client side.

I use Squid 3.5.20 on CentOS 7. I just installed Squid with the default features via
yum install squid.

I just did that, but I have some problem with my output logging in
access.log.
Specifically, my access.log only shows ip_address_server:443 instead of the domain
name of the destination server, like this:


1511525732.912206 172.18.18.15 TAG_NONE/200 0 CONNECT 172.217.24.35:443 - ORIGINAL_DST/172.217.24.35 -

I know that I made some mistake in my squid.conf. But I can't find out how
to fix it. Could you please show me how to improve my squid.conf.

Here is my squid.conf file as an attachment.

Waiting for your reply.
Thanks a lot!

-- 
Thanks & Best Regards,
--
Đỗ Hoàng Minh Hưng
Gmail : hoangminh...@gmail.com
SĐT : 01234454115




squid.conf
Description: Binary data