[squid-users] a decent way to speed up Facebook?

2018-09-04 Thread turgut kalfaoğlu
Hello there. I have a transparent squid at my home to speed up the 
browsing by caching stuff.  And it works well for HTTP.


For HTTPS, I was only able to get it to "peek" and I'd like to be able to 
bump the connections.


I installed the server certificate on the client, but still, the browser 
(firefox) keeps complaining:


Your connection is not secure
The owner of www.facebook.com has configured their website improperly. 
To protect your information from being stolen, Firefox has not connected 
to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that 
Firefox may only connect to it securely. As a result, it is not possible 
to add an exception for this certificate.


Here is what I have:
#
# serverIsBank is a list of domains that are banks essentially. They seem more picky.
#
ssl_bump splice serverIsBank
ssl_bump peek all
# ssl_bump bump all    # this does not work, it gives the error above..

https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/tk2ca.pem key=/etc/squid/ssl_cert/tk2ca.pem \
    sslflags=NO_SESSION_REUSE
tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
sslproxy_cert_error allow all
sslcrtd_program  /usr/lib64/squid/security_file_certgen  -s /var/lib/ssl_db -M $

sslcrtd_children 50 startup=5 idle=5


Thanks, -turgut


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Unliked SSL cipher

2017-04-19 Thread turgut kalfaoğlu

On 04/19/2017 06:44 PM, dij...@gmail.com wrote:
Do you receive the same error while connecting to 
https://www.wikipedia.org?

Yes I do.

I also tried to connect to the IP address as well; and that gives me the 
same error.

The browser didn't say anything; it was squid that complained.
Regards,
 -turgut




If you connect to https://91.198.174.192/* directly, your browser 
should warn you about ssl issue; that is because of:


CN = *.wikipedia.org

SAN=
*.wikipedia.org
wikipedia.org
*.m.wikipedia.org
*.zero.wikipedia.org
wikimedia.org
*.wikimedia.org
*.m.wikimedia.org
*.planet.wikimedia.org
mediawiki.org

This certificate is not allowed to be used with IP address (which is 
common) and that is the issue I suppose. Certificate is V3 sha256, 
which is... perfectly normal.


On 2017-04-19 08:49, turgut kalfaoğlu wrote:


Hi. Can I ask for assistance solving this problem. Many thanks!

Fedora # rpm -qa|grep squid
squid-4.0.17-1.fc25.x86_64
# uname -a
Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13 
01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux



  ERROR


The requested URL could not be retrieved



The following error was encountered while trying to retrieve the URL: 
https://91.198.174.192/*


*Failed to establish a secure connection to 91.198.174.192*

The system returned:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:140920F8:SSL
routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually 
acceptable security settings for handling your request. It is 
possible that the remote host does not support secure connections, or 
the proxy is not satisfied with the host security credentials.


Your cache administrator is root.





Generated Wed, 19 Apr 2017 06:46:00 GMT by proxy (squid/4.0.17)









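
The point made in the quoted reply above (a certificate whose SAN lists only DNS names cannot validate a connection addressed by IP), as an added example that is not part of the original thread: a minimal RFC 6125-style matcher run over the SAN list quoted in the message. The function names are illustrative, and real TLS stacks apply further rules (IDNA, partial-label wildcards) that are not modelled here.

```python
import ipaddress

# SAN dNSName entries copied from the certificate listing in the message above.
SAN_DNS_NAMES = [
    "*.wikipedia.org", "wikipedia.org", "*.m.wikipedia.org",
    "*.zero.wikipedia.org", "wikimedia.org", "*.wikimedia.org",
    "*.m.wikimedia.org", "*.planet.wikimedia.org", "mediawiki.org",
]

def is_ip_literal(host):
    """True when the reference identity is an IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """RFC 6125 style match: '*' may stand only for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(host, dns_sans, ip_sans=()):
    """Return the SAN entry that covers `host`, or None if nothing does."""
    if is_ip_literal(host):
        # IP literals are compared only against iPAddress SANs, never dNSName.
        wanted = ipaddress.ip_address(host)
        for entry in ip_sans:
            if ipaddress.ip_address(entry) == wanted:
                return entry
        return None
    for pattern in dns_sans:
        if dns_name_matches(pattern, host):
            return pattern
    return None

if __name__ == "__main__":
    # Constructed targets: three host names and the IP used in the thread.
    for target in ("www.wikipedia.org", "en.m.wikipedia.org",
                   "a.b.wikipedia.org", "91.198.174.192"):
        print(f"{target:22} -> {cert_covers(target, SAN_DNS_NAMES)}")
```
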


[squid-users] Unliked SSL cipher

2017-04-18 Thread turgut kalfaoğlu

Hi. Can I ask for assistance solving this problem. Many thanks!

Fedora # rpm -qa|grep squid
squid-4.0.17-1.fc25.x86_64
# uname -a
Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13 
01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux



 ERROR


   The requested URL could not be retrieved



The following error was encountered while trying to retrieve the URL: 
https://91.198.174.192/*


   *Failed to establish a secure connection to 91.198.174.192*

The system returned:

   (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

   Handshake with SSL server failed: error:140920F8:SSL
   routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.


Your cache administrator is root.





Generated Wed, 19 Apr 2017 06:46:00 GMT by proxy (squid/4.0.17)




[squid-users] option to auto-recreate the ssl db ?

2017-04-17 Thread turgut kalfaoğlu

Hi there.. Could we have an option to auto re-create the ssl database?

For some reason, out of nowhere, I start getting these in the cache.log:
security_file_certgen helper database '/var/lib/ssl_db' failed: Failed 
to open file /var/lib/ssl_db/index.txt
security_file_certgen helper database '/var/lib/ssl_db' failed: Failed 
to open file /var/lib/ssl_db/index.txt
security_file_certgen helper database '/var/lib/ssl_db' failed: Failed 
to open file /var/lib/ssl_db/index.txt
security_file_certgen helper database '/var/lib/ssl_db' failed: Failed 
to open file /var/lib/ssl_db/index.txt


# rpm -qa|grep squid
squid-4.0.17-1.fc25.x86_64

Many thanks, -turgut




[squid-users] need an SSL example conf

2017-04-08 Thread turgut kalfaoğlu

Hi there. I need help setting up SSL caching -- just for facebook.

It's a small LAN; and I would like to speed up the internet by caching 
facebook junk.


I tried to cache all SSL connections --- but connecting to bank web 
sites gave us headaches - they are apparently more strict somehow.


Does anyone have anything similar they can share?

Many thanks, -turgut




Re: [squid-users] SSL

2017-03-20 Thread turgut kalfaoğlu

On 03/20/2017 11:28 AM, Eliezer Croitoru wrote:

What mobile devices are you using?


It's an android 7 phone..
-turgut



Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of turgut kalfaoğlu
Sent: Monday, March 20, 2017 8:58 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] SSL

Good morning everyone,

Congratulations on improving the SSL interception in squid; I am now
caching https traffic - especially the beast called facebook.
Likewise google https works well; and I have no issues on the desktop.

The androids are giving a few headaches:
1) WhatsApp videos do not download,
2) Facebook messenger will not connect.

Are these known issues, or shall I collect debugging info on them?
If there are any iptables or squid commands to bypass caching these; I'd
be very glad if someone can share them.
I just want to be able to speed up the traffic without hindering any
communication.

Many thanks,
Turgut Kalfaoglu







[squid-users] SSL

2017-03-19 Thread turgut kalfaoğlu

Good morning everyone,

Congratulations on improving the SSL interception in squid; I am now 
caching https traffic - especially the beast called facebook.

Likewise google https works well; and I have no issues on the desktop.

The androids are giving a few headaches:
1) WhatsApp videos do not download,
2) Facebook messenger will not connect.

Are these known issues, or shall I collect debugging info on them?
If there are any iptables or squid commands to bypass caching these; I'd 
be very glad if someone can share them.
I just want to be able to speed up the traffic without hindering any 
communication.


Many thanks,
Turgut Kalfaoglu



[squid-users] Working SSL configuration for Squid 4.x?

2016-05-31 Thread turgut kalfaoğlu
Hello. Whenever I tried to get squid to transparently cache https 
content (mainly to speed up facebook browsing at my home),  I get all 
kinds of problems.


Is there a cookbook available for the recent squid versions?

Many thanks, -turgut




[squid-users] sahibinden.com fails with https bump

2016-05-10 Thread turgut kalfaoğlu
Hello everyone..

My setup -- this is for speeding up the home ADSL..

https_port 3129 intercept ssl-bump \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 20 startup=3 idle=1
ssl_bump server-first  all

This works well for facebook, gmail, google, and probably others..
But https://sahibinden.com , whatever they are doing fails - the page
appears broken.
I tried  broken_sites acl trick, did not help.

acl broken_sites ssl::server_name .sahibinden.com
acl broken_sites ssl::server_name image5.sahibinden.com
acl broken_sites ssl::server_name .shbdn.com
ssl_bump none broken_sites

Does anyone have any ideas what else I can try?
Many thanks, -tk



Re: [squid-users] whatsapp image download fails

2016-02-21 Thread turgut kalfaoğlu
Thank you for your reply; there is nothing about SSL either in iptables
or in squid settings now.
It only intercepts port 80 requests..

There is nothing visible in squid's access.log nor the firewall logs of
the server when I click on an image to download in Whatsapp.

-turgut



[squid-users] whatsapp image download fails

2016-02-21 Thread turgut kalfaoğlu
Hi.. On my LAN's squid server, I redirect port 80 to local squid,
   iptables -t nat -A PREROUTING -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

and the squid speeds up and anonymizes the requests from the LAN.
This works well for http, unfortunately I could not get https working
transparently so I gave up on that.

Anyway, image downloads from the android application, Whatsapp fail.
It is unable to send or receive images. It gives some generic error like
"download failed"
when an image is clicked.

Is there any solution to this?
Many thanks, -turgut




[squid-users] squid cache

2016-02-09 Thread turgut kalfaoğlu
Hi again.. I have a squid setup with two servers; one acting as "parent"
and only getting requests from the child,
and the other one actually serves people as a transparent accelerator
for the slow internet.

It works well normally, two things I could not get to work well:
1) SSL. I had many problems and gave up eventually. I haven't tried it
lately, now it's at 3.5.9, should I try it again, and is there a working
formula that works well?

2) www.rolex.com. For some reason, this site gives an access denied!  No
big deal, but just interesting.

Regards,
Turgut



Re: [squid-users] when using a search box on a website my whole internet explorer freezes including earlier opened tabs

2015-06-03 Thread turgut kalfaoğlu
On 06/03/2015 02:23 PM, Amos Jeffries wrote:
> On 3/06/2015 10:38 p.m., Jeroen Ruijter wrote:
>> Dear Amos,
>>
>> When we use this website www.rechtspraak.nl and enter a search term in the 
>> search box the internet explorer session freezes.
>> We are unable to close a window with control + w or with the mouse pressing 
>> the cross at the corner.
I believe that's the normal behavior for Internet Explorer..
-turgut



[squid-users] ssl_crtd helpers crashing too rapidly..

2015-06-02 Thread turgut kalfaoğlu
Hello everyone.. I have been a squid user for a very long time.

Currently I set it up as transparent proxy at a small LAN, proxying http
and https as best as I can.

I get the
 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
error.. selinux is disabled, and that ssl_db folder appears normal; all
files having the same size more or less.

I'm running 3.4.12.. I wrote a script to delete the ssl_db folder and
re-create it, and that fixes the issue.
I just wanted you to know that the bug exists at this version.

Regards, -turgut
