Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-24 Thread Yuri Voinov



24.09.15 7:12, Amos Jeffries wrote:
> On 24/09/2015 2:04 a.m., Yuri Voinov wrote:
>>
>> Through an assertion, and then squid restarts:
>>
>> 2015/09/23 20:03:25 kid1|   Validated 35899 Entries
>> 2015/09/23 20:03:25 kid1|   store_swap_size = 1730768.00 KB
>> 2015/09/23 20:03:26 kid1| storeLateRelease: released 0 objects
>> 2015/09/23 20:03:26 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"
>> 2015/09/23 20:03:30 kid1| Set Current Directory to /var/cache/squid
>> 2015/09/23 20:03:30 kid1| Starting Squid Cache version
>> 3.5.7-20150808-r13884 for x86_64-unknown-cygwin...
>> 2015/09/23 20:03:30 kid1| Service Name: squid
>> 2015/09/23 20:03:30 kid1| Process ID 11160
>
> There you go. The peering ACLs are working.
>
> Now you need to fix the ssl_bump rules such that the torproject traffic
> does not require bump/decrypt before sending over the insecure peer
> connection. Squid does not support re-encrypt.
Huh. It works. Thank you, Amos!
>
>
> Please use 3.5.9 for that part.
3.5.9 does support re-encrypt?
>
>
> Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-24 Thread Amos Jeffries
On 25/09/2015 2:13 a.m., Yuri Voinov wrote:
> 
> 24.09.15 7:12, Amos Jeffries wrote:
>> On 24/09/2015 2:04 a.m., Yuri Voinov wrote:
>>>
>>> Through an assertion, and then squid restarts:
>>>
>>> 2015/09/23 20:03:25 kid1|   Validated 35899 Entries
>>> 2015/09/23 20:03:25 kid1|   store_swap_size = 1730768.00 KB
>>> 2015/09/23 20:03:26 kid1| storeLateRelease: released 0 objects
>>> 2015/09/23 20:03:26 kid1| assertion failed: PeerConnector.cc:116:
>>> "peer->use_ssl"
>>> 2015/09/23 20:03:30 kid1| Set Current Directory to /var/cache/squid
>>> 2015/09/23 20:03:30 kid1| Starting Squid Cache version
>>> 3.5.7-20150808-r13884 for x86_64-unknown-cygwin...
>>> 2015/09/23 20:03:30 kid1| Service Name: squid
>>> 2015/09/23 20:03:30 kid1| Process ID 11160
> 
>> There you go. The peering ACLs are working.
> 
>> Now you need to fix the ssl_bump rules such that the torproject traffic
>> does not require bump/decrypt before sending over the insecure peer
>> connection. Squid does not support re-encrypt.
> Huh. It works. Thank you, Amos!
> 
> 
>> Please use 3.5.9 for that part.
> 3.5.9 does support re-encrypt?

No, but it has better ssl_bump processing and more SNI related
functionality that may allow you to avoid having to decrypt in the first
place.

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-24 Thread Yuri Voinov

Aha. Good news. This is something already.

25.09.15 1:57, Amos Jeffries wrote:
> On 25/09/2015 2:13 a.m., Yuri Voinov wrote:
>>
>> 24.09.15 7:12, Amos Jeffries wrote:
>>> On 24/09/2015 2:04 a.m., Yuri Voinov wrote:

 Through an assertion, and then squid restarts:

 2015/09/23 20:03:25 kid1|   Validated 35899 Entries
 2015/09/23 20:03:25 kid1|   store_swap_size = 1730768.00 KB
 2015/09/23 20:03:26 kid1| storeLateRelease: released 0 objects
 2015/09/23 20:03:26 kid1| assertion failed: PeerConnector.cc:116:
 "peer->use_ssl"
 2015/09/23 20:03:30 kid1| Set Current Directory to /var/cache/squid
 2015/09/23 20:03:30 kid1| Starting Squid Cache version
 3.5.7-20150808-r13884 for x86_64-unknown-cygwin...
 2015/09/23 20:03:30 kid1| Service Name: squid
 2015/09/23 20:03:30 kid1| Process ID 11160
>>
>>> There you go. The peering ACLs are working.
>>
>>> Now you need to fix the ssl_bump rules such that the torproject traffic
>>> does not require bump/decrypt before sending over the insecure peer
>>> connection. Squid does not support re-encrypt.
>> Huh. It works. Thank you, Amos!
>>
>>
>>> Please use 3.5.9 for that part.
>> 3.5.9 does support re-encrypt?
>
> No, but it has better ssl_bump processing and more SNI related
> functionality that may allow you to avoid having to decrypt in the first
> place.
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-23 Thread Amos Jeffries
On 23/09/2015 11:01 p.m., Yuri Voinov wrote:
> Look:
> 
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
> 
> url.tor contains:
> ^https?.*torproject.*
> 
> Maybe I'm an idiot, but where is the error?

The URLs on the CONNECT requests ("torproject.org:443") do not start
with the string "http".

Use:
  acl tor_url dstdom_regex torproject

or
  acl tor_url dstdomain .torproject.org

Amos

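The fix Amos describes above, assembled into one squid.conf fragment as an added example; it is not a configuration posted in this thread and not Squid project documentation. It assumes Privoxy listens on 127.0.0.1:8118 (Privoxy's default port) and that the peer name "privoxy" and the ACL names are free to choose; the thread only shows the peer address 127.0.0.1. The ssl_bump ordering follows Amos's later point that Squid cannot re-encrypt towards a plain-HTTP peer, so the tunnel has to be spliced rather than bumped:

```conf
# Parent proxy: Privoxy in front of Tor. The port 8118 is an assumption;
# the thread only shows the peer address 127.0.0.1. The peer speaks plain
# HTTP, so nothing Squid has decrypted can be re-encrypted towards it.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest name=privoxy

# Match the CONNECT target by host, not by URL. The request-URI of a
# CONNECT is "torproject.org:443" with no scheme, so the url_regex
# ^https?.*torproject.* only ever matched the plain-HTTP GETs. dstdomain
# matches both GET http://torproject.org/ and CONNECT torproject.org:443.
acl tor_url dstdomain .torproject.org

# Force these requests through the peer and refuse DIRECT as a fallback.
# Amos suggested both directives: never_direct forces peer selection, and
# nonhierarchical_direct off stops CONNECT (a non-hierarchical request)
# from preferring DIRECT. The peer_select trace showed never_direct =
# DENIED only because the url_regex never matched; with dstdomain it
# should read ALLOWED.
never_direct allow tor_url
nonhierarchical_direct off
cache_peer_access privoxy allow tor_url
cache_peer_access privoxy deny all

# Do not decrypt what is going to the insecure peer. The splice rule for
# tor_url must come before any bump rule; dstdomain is evaluated against
# the CONNECT host at step 1, so the tunnel is relayed as opaque bytes.
# Bumping it first is what Amos attributes the peer->use_ssl assertion to.
acl step1 at_step SslBump1
ssl_bump splice tor_url
ssl_bump peek step1
ssl_bump bump all
```

Check the syntax with "squid -k parse" before reloading. To confirm the routing, raise "debug_options ALL,1 44,3" (section 44 is peer selection), repeat the CONNECT, and look for "never_direct = ALLOWED" in the peerSelectDnsPaths trace; access.log should then show the CONNECT with FIRSTUP_PARENT/127.0.0.1 instead of HIER_DIRECT.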


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-23 Thread Yuri Voinov

Look:

# Tor acl
acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"

url.tor contains:
^https?.*torproject.*

Maybe I'm an idiot, but where is the error?

All other url.tor entries work perfectly. With HTTP only.

23.09.15 7:44, Amos Jeffries wrote:

On 23/09/2015 4:39 a.m., Yuri Voinov wrote:

Oops. After it timed out:

-
CONNECT torproject.org:443 HTTP/1.1
Host: torproject.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36


--
2015/09/22 22:37:55.499 kid1| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: torproject.org:443' via torproject.org
2015/09/22 22:37:55.499 kid1| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'torproject.org:443'
2015/09/22 22:37:55.499 kid1| peer_select.cc(281) peerSelectDnsPaths:
always_direct = DENIED
2015/09/22 22:37:55.499 kid1| peer_select.cc(282) peerSelectDnsPaths:
never_direct = DENIED

I think what this is showing is that your tor_url is not matching what
we think it has been matching.

Or maybe the squid.conf you have been editing is not the one running.

This line:


  never_direct allow tor_url

changes the log to say "never_direct = ALLOWED" when the ACL matches.

Since it is not, I conclude that the cache_peer_access allow tor_url
line is also not matching and that is why the peer is not being used.

Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-23 Thread Yuri Voinov



23.09.15 17:07, Matus UHLAR - fantomas wrote:

Hello,


On 17.09.15 18:47, Yuri Voinov wrote:
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz

ssl_bump splice NoSSLIntercept



# Privoxy+Tor access rules
never_direct allow tor_url



cache_peer_access 127.0.0.1 allow tor_url



18.09.15 21:22, Matus UHLAR - fantomas wrote:
I wonder if the never_direct and cache_peer_access should not use the same
acl as "ssl_bump splice".


On 20.09.15 20:59, Amos Jeffries wrote:

Maybe for values but ssl::server_name ACL may not work outside ssl_bump.

It might, or it might not be usable by the other *_access rules; it
depends on whether the matching decisions for those rule sets are the
same as for the ssl_bump ones. That latter condition is a big 'IF'.


I wonder how this matches. The SNI should only be seen when the HTTPS
connection is received, either by intercepting HTTPS or by the client using
HTTPS to connect to the proxy. On an unintercepted HTTP port that received a
CONNECT request, it would only see the CONNECT string, e.g. "CONNECT
kaspi.kz:443", correct?
About SNI: not a fact. When I completely turn off SSL bump, this looks
the same. Also, the testing server is a non-interception proxy, just
forwarding.




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-23 Thread Amos Jeffries
On 24/09/2015 2:04 a.m., Yuri Voinov wrote:
> 
> Through an assertion, and then squid restarts:
> 
> 2015/09/23 20:03:25 kid1|   Validated 35899 Entries
> 2015/09/23 20:03:25 kid1|   store_swap_size = 1730768.00 KB
> 2015/09/23 20:03:26 kid1| storeLateRelease: released 0 objects
> 2015/09/23 20:03:26 kid1| assertion failed: PeerConnector.cc:116:
> "peer->use_ssl"
> 2015/09/23 20:03:30 kid1| Set Current Directory to /var/cache/squid
> 2015/09/23 20:03:30 kid1| Starting Squid Cache version
> 3.5.7-20150808-r13884 for x86_64-unknown-cygwin...
> 2015/09/23 20:03:30 kid1| Service Name: squid
> 2015/09/23 20:03:30 kid1| Process ID 11160

There you go. The peering ACLs are working.

Now you need to fix the ssl_bump rules such that the torproject traffic
does not require bump/decrypt before sending over the insecure peer
connection. Squid does not support re-encrypt.

Please use 3.5.9 for that part.

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-22 Thread Yuri Voinov

Oops. After it timed out:

-
CONNECT torproject.org:443 HTTP/1.1
Host: torproject.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36


--
2015/09/22 22:37:55.499 kid1| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: torproject.org:443' via torproject.org
2015/09/22 22:37:55.499 kid1| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'torproject.org:443'
2015/09/22 22:37:55.499 kid1| peer_select.cc(281) peerSelectDnsPaths:  
always_direct = DENIED
2015/09/22 22:37:55.499 kid1| peer_select.cc(282) peerSelectDnsPaths:   
never_direct = DENIED
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=38.229.72.16:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=82.195.75.101:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=154.35.132.70:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=93.95.227.222:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=86.59.30.40:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2620:0:6b0:b:1a1a:0:26e5:4810]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:41b8:202:deb:213:21ff:fe20:1426]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:858:2:2:aabb:0:563b:1e28]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(295)
peerSelectDnsPaths:timedout = 0
2015/09/22 22:38:11.323 kid1| client_side.cc(2337) parseHttpRequest:
HTTP Client local=127.0.0.1:3128 remote=127.0.0.1:40083 FD 22 flags=1
2015/09/22 22:38:11.323 kid1| client_side.cc(2338) parseHttpRequest:
HTTP Client REQUEST:
-



22.09.15 22:35, Amos Jeffries wrote:
> nonhierarchical_direct off
>  never_direct allow tor_url




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-22 Thread Yuri Voinov

-
CONNECT torproject.org:443 HTTP/1.1
Host: torproject.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36


--
2015/09/22 22:37:55.499 kid1| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: torproject.org:443' via torproject.org
2015/09/22 22:37:55.499 kid1| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'torproject.org:443'
2015/09/22 22:37:55.499 kid1| peer_select.cc(281) peerSelectDnsPaths:  
always_direct = DENIED
2015/09/22 22:37:55.499 kid1| peer_select.cc(282) peerSelectDnsPaths:   
never_direct = DENIED
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=38.229.72.16:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=82.195.75.101:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=154.35.132.70:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=93.95.227.222:443 flags=1
2015/09/22 22:37:55.499 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=86.59.30.40:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2620:0:6b0:b:1a1a:0:26e5:4810]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:41b8:202:deb:213:21ff:fe20:1426]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:858:2:2:aabb:0:563b:1e28]:443 flags=1
2015/09/22 22:37:55.500 kid1| peer_select.cc(295)
peerSelectDnsPaths:timedout = 0

Here is it.

22.09.15 22:35, Amos Jeffries wrote:
> nonhierarchical_direct off
>  never_direct allow tor_url




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-22 Thread Amos Jeffries
On 23/09/2015 4:39 a.m., Yuri Voinov wrote:
> 
> Oops. After it timed out:
> 
> -
> CONNECT torproject.org:443 HTTP/1.1
> Host: torproject.org
> Proxy-Connection: keep-alive
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
> 
> 
> --
> 2015/09/22 22:37:55.499 kid1| peer_select.cc(258) peerSelectDnsPaths:
> Find IP destination for: torproject.org:443' via torproject.org
> 2015/09/22 22:37:55.499 kid1| peer_select.cc(280) peerSelectDnsPaths:
> Found sources for 'torproject.org:443'
> 2015/09/22 22:37:55.499 kid1| peer_select.cc(281) peerSelectDnsPaths:  
> always_direct = DENIED
> 2015/09/22 22:37:55.499 kid1| peer_select.cc(282) peerSelectDnsPaths:   
> never_direct = DENIED

I think what this is showing is that your tor_url is not matching what
we think it has been matching.

Or maybe the squid.conf you have been editing is not the one running.

This line:

>>  never_direct allow tor_url

changes the log to say "never_direct = ALLOWED" when the ACL matches.

Since it is not, I conclude that the cache_peer_access allow tor_url
line is also not matching and that is why the peer is not being used.

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-22 Thread Yuri Voinov

-
CONNECT www.torproject.org:443 HTTP/1.1
Host: www.torproject.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36


--
2015/09/22 21:54:01.269 kid1| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: www.torproject.org:443' via www.torproject.org
2015/09/22 21:54:01.269 kid1| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'www.torproject.org:443'
2015/09/22 21:54:01.269 kid1| peer_select.cc(281) peerSelectDnsPaths:  
always_direct = DENIED
2015/09/22 21:54:01.269 kid1| peer_select.cc(282) peerSelectDnsPaths:   
never_direct = DENIED
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=86.59.30.40:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=93.95.227.222:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=154.35.132.70:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=82.195.75.101:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:858:2:2:aabb:0:563b:1e28]:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:41b8:202:deb:213:21ff:fe20:1426]:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2620:0:6b0:b:1a1a:0:26e5:4810]:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=38.229.72.16:443 flags=1
2015/09/22 21:54:01.269 kid1| peer_select.cc(295)
peerSelectDnsPaths:timedout = 0
2015/09/22 21:54:02.941 kid1| client_side.cc(2337) parseHttpRequest:
HTTP Client local=127.0.0.1:3128 remote=127.0.0.1:37495 FD 55 flags=1
2015/09/22 21:54:02.941 kid1| client_side.cc(2338) parseHttpRequest:
HTTP Client REQUEST:
-


-
CONNECT www.torproject.org:443 HTTP/1.1
Host: www.torproject.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36


--
2015/09/22 21:54:33.169 kid1| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: www.torproject.org:443' via www.torproject.org
2015/09/22 21:54:33.169 kid1| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'www.torproject.org:443'
2015/09/22 21:54:33.169 kid1| peer_select.cc(281) peerSelectDnsPaths:  
always_direct = DENIED
2015/09/22 21:54:33.169 kid1| peer_select.cc(282) peerSelectDnsPaths:   
never_direct = DENIED
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=82.195.75.101:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:858:2:2:aabb:0:563b:1e28]:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2001:41b8:202:deb:213:21ff:fe20:1426]:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=[::]
remote=[2620:0:6b0:b:1a1a:0:26e5:4810]:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=38.229.72.16:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=86.59.30.40:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=93.95.227.222:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(286)
peerSelectDnsPaths:  DIRECT = local=0.0.0.0
remote=154.35.132.70:443 flags=1
2015/09/22 21:54:33.170 kid1| peer_select.cc(295)
peerSelectDnsPaths:timedout = 0
2015/09/22 21:54:34.377 kid1| client_side.cc(2337) parseHttpRequest:
HTTP Client local=127.0.0.1:3128 remote=127.0.0.1:37507 FD 57 flags=1
2015/09/22 21:54:34.377 kid1| client_side.cc(2338) parseHttpRequest:
HTTP Client REQUEST:
-


22.09.15 3:38, Amos Jeffries wrote:
> On 22/09/2015 7:33 a.m., Yuri Voinov wrote:
>>
>> Here is access log when using IE:
>>
>> 1442863815.068    785 127.0.0.1 TCP_MISS/302 506 GET
>> http://torproject.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
>> 1442863816.542 105231 127.0.0.1 TAG_NONE/200 0 CONNECT
>> www.torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
>> 1442863821.899 105210 127.0.0.1 TAG_NONE/200 0 CONNECT
>> www.torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
>>
>> and then timeout. Sometimes second connect goes to IPv4 address,
>> sometimes IPv6.
>>
>> When using 

Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

Can't understand why it does not work.

Tor Browser works OK by itself.

The similar config via Squid 3.5.7+Privoxy doesn't.

CONNECT to torproject.org:443 goes direct, no matter what config changes.

21.09.15 23:56, Amos Jeffries wrote:
> On 17/09/2015 10:07 p.m., Yuri Voinov wrote:
>> If I disable SSL bump for tunneled sites, I've got an error SSL:
>>
>> ssl_error_rx_record_too_long
>>
>
> If you "disabled" ssl_bump by removing its config, or using "ssl_bump
> none" for that traffic then the error is strictly a problem between the
> client and origin server.
>
> Amos
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Amos Jeffries
On 22/09/2015 6:00 a.m., Yuri Voinov wrote:
> 
> Can't understand why it does not work.
> 
> Tor Browser works OK by itself.
> 
> The similar config via Squid 3.5.7+Privoxy doesn't.
> 
> CONNECT to torproject.org:443 goes direct, no matter what config changes.

I suspect some detail is being removed during the relay.

Which makes me wonder why it is so important to send CONNECT via privoxy
in the first place. The HTTP headers and such on the CONNECT which
privoxy strips away are never sent externally anyway, they stop at the
proxy gateway which receives and enacts the CONNECT. That may be your
Squid or privoxy itself.

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Amos Jeffries
On 17/09/2015 10:07 p.m., Yuri Voinov wrote:
> If I disable SSL bump for tunneled sites, I've got an error SSL:
> 
> ssl_error_rx_record_too_long
> 

If you "disabled" ssl_bump by removing its config, or using "ssl_bump
none" for that traffic then the error is strictly a problem between the
client and origin server.

Amos



Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov



22.09.15 1:23, Antony Stone wrote:
> On Monday 21 September 2015 at 21:20:19, Yuri Voinov wrote:
>
>> 22.09.15 1:15, Amos Jeffries wrote:
>>
>>> HSTS is opt-out. Strip the *response* header on the first contact and it
>>> disappears.
>>
>> I can't, because the first connection can't occur during the ISP ban by IP.
>> First contact never occurs.
>
> If first contact never occurs, HSTS doesn't apply.  Client has no clue
that the
> server requires HTTPS.
>
>
> Antony.
>
I think so.

But in access.log I see only a HIER_DIRECT CONNECT to torproject.org:443
and no answer from the server.

The browser shows ERR_TIME_OUT.

HTTP sites work perfectly via the tunnel. But the HTTPS versions do not.




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Antony Stone
On Monday 21 September 2015 at 21:20:19, Yuri Voinov wrote:

> 22.09.15 1:15, Amos Jeffries wrote:
>
> > HSTS is opt-out. Strip the *response* header on the first contact and it
> > disappears.
> 
> I can't, because the first connection can't occur during the ISP ban by IP.
> First contact never occurs.

If first contact never occurs, HSTS doesn't apply.  Client has no clue that the 
server requires HTTPS.


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

Finally it ends up by this one:

http://i.imgur.com/izWY1cc.png

Antony, how can it be explained? ;)

22.09.15 1:23, Antony Stone wrote:
> On Monday 21 September 2015 at 21:20:19, Yuri Voinov wrote:
>
>> 22.09.15 1:15, Amos Jeffries wrote:
>>
>>> HSTS is opt-out. Strip the *response* header on the first contact and it
>>> disappears.
>>
>> I can't, because the first connection can't occur during the ISP ban by IP.
>> First contact never occurs.
>
> If first contact never occurs, HSTS doesn't apply.  Client has no clue
that the
> server requires HTTPS.
>
>
> Antony.
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Amos Jeffries
On 22/09/2015 6:25 a.m., Yuri Voinov wrote:
> 
> This is dig result:
> 
> ;; ANSWER SECTION:
> torproject.org. 3600IN  A   93.95.227.222
> torproject.org. 3600IN  A   154.35.132.70
> torproject.org. 3600IN  A   86.59.30.40
> torproject.org. 3600IN  A   82.195.75.101
> torproject.org. 3600IN  A   38.229.72.16
> 
> These IPs are banned. Completely. Outgoing packets are dropped by the ISP.
> 
> So it is critical to forward the whole session, starting with the first
> packet, into Privoxy, and then to the Tor tunnel.
> 
> Otherwise the session can't be established.
> 
> The problem is made worse by HSTS on the torproject.org URL. Completely
> HTTPS, from the first GET request.
> 
> This can be solved with Tor Browser itself, but I want to find a common
> solution.
> 
> This is very simple. The complete HTTPS session must be forwarded to the
> parent proxy as a whole, because the possibility of forwarding only HTTP
> is meaningless in an HSTS-enabled world.

HSTS is opt-out. Strip the *response* header on the first contact and it
disappears.

> 
> This is feature request, Amos. Otherwise Squid lacks some critical
> functionality.
> 

Feature request implies something that is not supported being added.
CONNECT relay already is supported and works well for many others, just
apparently not for you.

 ... why?

Amos
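Amos's suggestion to strip the HSTS response header, written out as a squid.conf fragment. This is an added example, not a configuration from the thread or from the Squid project, and the ACL name is an assumption. The comment spells out the limit a practitioner should check before relying on it:

```conf
# Remove the HSTS header from replies for the tunnelled sites only.
# This only reaches replies Squid actually parses: plain HTTP, or HTTPS
# that ssl_bump has bumped. A spliced CONNECT tunnel is opaque to Squid,
# so the header rides through untouched there; and browsers ignore a
# Strict-Transport-Security header received over plain HTTP anyway
# (RFC 6797, section 8.1). So this helps only where the HTTPS leg is
# bumped, which is exactly what the Privoxy peer cannot accept.
acl tor_url dstdomain .torproject.org
reply_header_access Strict-Transport-Security deny tor_url
```

In Yuri's situation, where the tunnel has to be spliced to reach the plain-HTTP peer, the directive never sees the HTTPS reply and so does not change what the browser pins; it is worth keeping only for sites whose traffic Squid does bump.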


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

This is dig result:

;; ANSWER SECTION:
torproject.org. 3600IN  A   93.95.227.222
torproject.org. 3600IN  A   154.35.132.70
torproject.org. 3600IN  A   86.59.30.40
torproject.org. 3600IN  A   82.195.75.101
torproject.org. 3600IN  A   38.229.72.16

These IPs are banned. Completely. Outgoing packets are dropped by the ISP.

So it is critical to forward the whole session, starting with the first
packet, into Privoxy, and then to the Tor tunnel.

Otherwise the session can't be established.

The problem is made worse by HSTS on the torproject.org URL. Completely
HTTPS, from the first GET request.

This can be solved with Tor Browser itself, but I want to find a common
solution.

This is very simple. The complete HTTPS session must be forwarded to the
parent proxy as a whole, because the possibility of forwarding only HTTP
is meaningless in an HSTS-enabled world.

This is a feature request, Amos. Otherwise Squid lacks some critical
functionality.

22.09.15 0:13, Amos Jeffries wrote:
> On 22/09/2015 6:00 a.m., Yuri Voinov wrote:
>>
>> Can't understand why it does not work.
>>
>> Tor Browser works OK by itself.
>>
>> The similar config via Squid 3.5.7+Privoxy doesn't.
>>
>> CONNECT to torproject.org:443 goes direct, no matter what config changes.
>
> I suspect some detail is being removed during the relay.
>
> Which makes me wonder why it is so important to send CONNECT via privoxy
> in the first place. The HTTP headers and such on the CONNECT which
> privoxy strips away are never sent externally anyway, they stop at the
> proxy gateway which receives and enacts the CONNECT. That may be your
> Squid or privoxy itself.
>
> Amos





Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

I'm in a coffin seen all purulent politics.

But when my customers suddenly lose access to their documents on Google
Documents, I pick up my instruments. And I want them to work. At the same
time, I cannot put Tor Browser on everything and everyone.

Apart from the fact that then the proxy has no meaning at all.

I want to give controlled access to the tunnel for specified sites. Not
extremism, not drugs etc.

Simple.

22.09.15 0:13, Amos Jeffries writes:
> On 22/09/2015 6:00 a.m., Yuri Voinov wrote:
>>
>> Can't understand why it does not work.
>>
>> Tor Browser works OK by itself.
>>
>> A similar config via Squid 3.5.7+Privoxy doesn't.
>>
>> CONNECT to torproject.org:443 goes directly, whenever config changes.
>
> I suspect some detail is being removed during the relay.
>
> Which makes me wonder why it is so important to send CONNECT via privoxy
> in the first place. The HTTP headers and such on the CONNECT which
> privoxy strips away are never sent externally anyway, they stop at the
> proxy gateway which receives and enacts the CONNECT. That may be your
> Squid or privoxy itself.
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

The torproject.org is just an example.

This is not as important as, for example, Google Docs, Google Mail,
Google Drive (all web interfaces at minimum), or archive.org.

All of these use HSTS now and, if banned by IP by the ISP (note: DNS is not
spoofed), cannot be reached via Squid+tunneled proxy. Completely.

The first CONNECT gets a timeout, and voila! Destination unreachable.

22.09.15 0:13, Amos Jeffries writes:
> On 22/09/2015 6:00 a.m., Yuri Voinov wrote:
>>
>> Can't understand why it does not work.
>>
>> Tor Browser works OK by itself.
>>
>> A similar config via Squid 3.5.7+Privoxy doesn't.
>>
>> CONNECT to torproject.org:443 goes directly, whenever config changes.
>
> I suspect some detail is being removed during the relay.
>
> Which makes me wonder why it is so important to send CONNECT via privoxy
> in the first place. The HTTP headers and such on the CONNECT which
> privoxy strips away are never sent externally anyway, they stop at the
> proxy gateway which receives and enacts the CONNECT. That may be your
> Squid or privoxy itself.
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Yuri Voinov

22.09.15 1:15, Amos Jeffries writes:
> On 22/09/2015 6:25 a.m., Yuri Voinov wrote:
>>
>> This is the dig result:
>>
>> ;; ANSWER SECTION:
>> torproject.org. 3600 IN A 93.95.227.222
>> torproject.org. 3600 IN A 154.35.132.70
>> torproject.org. 3600 IN A 86.59.30.40
>> torproject.org. 3600 IN A 82.195.75.101
>> torproject.org. 3600 IN A 38.229.72.16
>>
>> These IPs are banned. Completely. Outgoing packets are dropped by the ISP.
>>
>> So it is critical to forward ALL of the session, starting with the first packet,
>> into Privoxy and then to the Tor tunnel.
>>
>> Otherwise the session can't be established.
>>
>> The problem is enforced by HSTS on the torproject.org URL. Completely
>> HTTPS, from the first GET request.
>>
>> This can be solved with Tor Browser itself, but I want to find a common
>> solution.
>>
>> This is very simple. The complete HTTPS session must be forwarded to the parent
>> proxy as a whole, because the ability to forward only HTTP is
>> meaningless in an HSTS-enabled world.
>
> HSTS is opt-out. Strip the *response* header on the first contact and it
> disappears.
I can't, because the first connection can't occur during the ISP ban by IP.
First contact never occurs.
>
>
>>
>> This is feature request, Amos. Otherwise Squid lacks some critical
>> functionality.
>>
>
> Feature request implies something that is not supported being added.
> CONNECT relay already is supported and works well for many others, just
> apparently not for you.
>
>  ... why?
Don't understand.
>
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-21 Thread Amos Jeffries
On 22/09/2015 7:33 a.m., Yuri Voinov wrote:
> 
> Here is access log when using IE:
> 
> 1442863815.068 785 127.0.0.1 TCP_MISS/302 506 GET
> http://torproject.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
> 1442863816.542 105231 127.0.0.1 TAG_NONE/200 0 CONNECT
> www.torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
> 1442863821.899 105210 127.0.0.1 TAG_NONE/200 0 CONNECT
> www.torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
> 
> and then timeout. Sometimes second connect goes to IPv4 address,
> sometimes IPv6.
> 
> When using Chrome/Firefox, session always starts from CONNECT 443 port.

Aha. I see what you mean. The HTTP response contains no HSTS header, but
redirects to https://. The response to the first HTTPS request then
contains HSTS.

The next details to look for are the peer-selection output and HTTP message
details:
 debug_options ALL,0 44,2 11,2


Amos
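A defender's check for the symptom discussed above, written as an added example (not code from the thread, Squid or Privoxy): parse native-format access.log lines and flag requests to the tunnel-only sites that Squid routed HIER_DIRECT (or ORIGINAL_DST) instead of to the parent. The log lines and the TUNNEL_ONLY_PATTERNS list are constructed here; the list stands in for the url.tor ACL file, and the Entry/parse_line/find_leaks names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access.log lines in Squid's native format, modelled on the
# entries quoted in the thread (fields: time elapsed client code/status bytes
# method url ident hierarchy/peer type). Not real captured traffic.
SAMPLE_LOG = """\
1442863815.068    785 127.0.0.1 TCP_MISS/302 506 GET http://torproject.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
1442863816.542 105231 127.0.0.1 TAG_NONE/200 0 CONNECT www.torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/154.35.132.70 -
1442419640.100    120 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442419650.200     95 127.0.0.1 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

# Stand-in for the url.tor ACL file (constructed): url_regex-style patterns that
# must match both the CONNECT form "host:port" and plain "http://host/..." URLs.
TUNNEL_ONLY_PATTERNS = [r"(^|://|\.)torproject\.org(:\d+)?(/|$)"]

# Hierarchy codes meaning Squid connected to the origin itself, not to a peer.
DIRECT_CODES = {"HIER_DIRECT", "ORIGINAL_DST"}


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    method: str
    url: str
    hier_code: str
    peer_host: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    # Field 9 is "HIERARCHY_CODE/peer-or-origin-address"; split on the first
    # slash only, because an IPv6 address follows for some entries.
    hier_code, _, peer_host = fields[8].partition("/")
    try:
        return Entry(float(fields[0]), int(fields[1]), fields[5], fields[6],
                     hier_code, peer_host)
    except ValueError:
        return None


def is_tunnel_only(url: str) -> bool:
    """Unanchored, case-insensitive search, like Squid's regex ACLs."""
    return any(re.search(p, url, re.IGNORECASE) for p in TUNNEL_ONLY_PATTERNS)


def find_leaks(log_text: str) -> List[Entry]:
    """Entries for tunnel-only destinations that Squid routed directly."""
    leaks = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.hier_code in DIRECT_CODES and is_tunnel_only(entry.url):
            leaks.append(entry)
    return leaks


if __name__ == "__main__":
    for e in find_leaks(SAMPLE_LOG):
        print(f"LEAK {e.method} {e.url} via {e.hier_code}/{e.peer_host} "
              f"({e.elapsed_ms / 1000:.0f}s elapsed)")
```

The long elapsed times on the flagged CONNECT entries are the connect timeouts against the ISP-dropped addresses; a tunnel-only site should only ever appear with a *_PARENT hierarchy code.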


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-20 Thread Amos Jeffries
On 19/09/2015 4:48 a.m., Yuri Voinov wrote:
> 
> 18.09.15 21:22, Matus UHLAR - fantomas writes:
>> from earlier e-mail:
> 
>>> acl tor_url url_regex "C:/Squid/etc/squid/url.tor"
> 
>> On 17.09.15 18:47, Yuri Voinov wrote:
>>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>>> ssl_bump splice NoSSLIntercept
> 
>>> # Privoxy+Tor access rules
>>> never_direct allow tor_url
> 
>>> cache_peer_access 127.0.0.1 allow tor_url
> 
>> I wonder if the never_direct and cache_peer_access should not use the same
>> acl as "ssl_bump splice".

Maybe for the values, but the ssl::server_name ACL may not work outside ssl_bump.

It might or might not be usable by the other *_access rules; it
depends on whether the matching decisions for those rule sets are the
same as for the ssl_bump ones. That latter condition is a big 'IF'.


>> Also, the regex \.icq\.* will apparently never match, there should be
>> "\.icq\..*" or simply "\.icq\."
> This matches ICQ.COM HTTP over port 443.

No. "icq.com" does not contain the string ".icq" (note the initial '.').

It will match any SNI, CONNECT URI, or server certificate SubjectAltName
field containing the string ".icq" or ".icq.".

... but not the plain name "icq.com".


To match "icq.com" and all its sub-domain requests (ie. regex equivalent
of "dstdomain .icq.com") the correct regex is:

  (.*\.)?icq\.com$



> 
>> ...regex should match inside the server_name, correct?
>> in such case apparently kaspi\.kz should be "kaspi\.kz$"
> no. This must match kaspi\.ks.*
> And this match.

Correct, assuming the 's'/'z' difference was a typo.

Amos
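The regex patterns discussed above, checked against constructed sample server names; this is an added example, not code from the thread. Squid applies a *_regex ACL as a case-insensitive (-i), unanchored search, which Python's re.search approximates for these patterns, and the fourth pattern with a leading ^ is my own addition to show what the missing start anchor lets through.

```python
import re

# Constructed sample SNI / server names (not from the thread), chosen to cover
# the cases discussed: the bare domain, sub-domains, and two lookalike hosts.
SAMPLE_NAMES = [
    "icq.com",
    "www.icq.com",
    "login.icq.com",
    "kaspi.kz",
    "icq.com.attacker.example",  # icq.com as a prefix of a different host
    "fakeicq.com",               # icq.com as the tail of a different label
]

# The patterns from the thread, plus a start-anchored variant (my addition).
PATTERNS = {
    "original": r"\.icq\.*",           # as used in the ssl::server_name_regex ACL
    "matus":    r"\.icq\.",            # suggested replacement
    "amos":     r"(.*\.)?icq\.com$",   # dstdomain .icq.com equivalent, end-anchored
    "anchored": r"^(.*\.)?icq\.com$",  # also anchored at the start
}


def acl_matches(pattern, name):
    """Approximate Squid's *_regex ACL test: a case-insensitive (-i), unanchored
    substring search (regexec semantics), not a whole-string match."""
    return re.search(pattern, name, re.IGNORECASE) is not None


def evaluate(patterns=PATTERNS, names=SAMPLE_NAMES):
    """For each pattern label, the sample names that the ACL would match."""
    return {label: [n for n in names if acl_matches(pat, n)]
            for label, pat in patterns.items()}


if __name__ == "__main__":
    for label, matched in evaluate().items():
        print(f"{label:9s} {PATTERNS[label]:20s} -> {matched}")
```

Note that the end-anchored pattern still matches "fakeicq.com", so used in a splice (no-bump) ACL it would also exempt a lookalike domain from inspection; the start-anchored form does not.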


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-18 Thread Yuri Voinov

18.09.15 21:22, Matus UHLAR - fantomas writes:
> from earlier e-mail:
>
>> acl tor_url url_regex "C:/Squid/etc/squid/url.tor"
>
> On 17.09.15 18:47, Yuri Voinov wrote:
>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>> ssl_bump splice NoSSLIntercept
>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>
>> cache_peer_access 127.0.0.1 allow tor_url
>
> I wonder if the never_direct and cache_peer_access should not use the same
> acl as "ssl_bump splice".
> Also, the regex \.icq\.* will apparently never match, there should be
> "\.icq\..*" or simply "\.icq\."
This matches ICQ.COM HTTP over port 443.
>
> ...regex should match inside the server_name, correct?
> in such case apparently kaspi\.kz should be "kaspi\.kz$"
No. This must match kaspi\.ks.*
And this matches.



Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-18 Thread Matus UHLAR - fantomas

from earlier e-mail:

> acl tor_url url_regex "C:/Squid/etc/squid/url.tor"

On 17.09.15 18:47, Yuri Voinov wrote:
> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
> ssl_bump splice NoSSLIntercept

> # Privoxy+Tor access rules
> never_direct allow tor_url

> cache_peer_access 127.0.0.1 allow tor_url

I wonder if the never_direct and cache_peer_access should not use the same
acl as "ssl_bump splice".

Also, the regex \.icq\.* will apparently never match, there should be
"\.icq\..*" or simply "\.icq\."

...regex should match inside the server_name, correct?
in such case apparently kaspi\.kz should be "kaspi\.kz$"

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends? 


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-17 Thread Yuri Voinov



17.09.15 10:50, Amos Jeffries writes:
> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>> Hm.
>>
>> If I understand correctly, the right configuration must be:
>>
>> # Privoxy+Tor access rules
>> never_direct allow CONNECT
>> never_direct allow tor_url
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> Right?
>>
>> But:
>>
>> http://i.imgur.com/UMxt2vh.png
>>
>> Does CONNECT always require DIRECT?
>
> In the above yes. If you don't want that remove the never_direct for
> CONNECT as well.
>
>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>
>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>
> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
> upstream. The access controls about how to pass things upstream are
> irrelevant for them.
>
>> Because the IPs are banned by the ISP, direct CONNECT gets a timeout.
>>
>> Also, all tor_url ACL can't connect.
>>
>> Where am I wrong?
>
> Where is the server IP coming from?

The server IP comes from the local DNS cache, which got the right IP via dnscrypt.

In this case I was confused by the fact that the CONNECT does not go
into the tunnel.

I've corrected the configuration a bit, but still no effect:

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

# Privoxy+Tor access rules
never_direct allow tor_url

# And finally deny all other access to this proxy
http_access deny all

# -
# HTTP parameters
# -
# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-17 Thread Yuri Voinov

If I disable SSL bump for tunneled sites, I get an SSL error:

ssl_error_rx_record_too_long

17.09.15 10:50, Amos Jeffries writes:
> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>> Hm.
>>
>> If I understand correctly, the right configuration must be:
>>
>> # Privoxy+Tor access rules
>> never_direct allow CONNECT
>> never_direct allow tor_url
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> Right?
>>
>> But:
>>
>> http://i.imgur.com/UMxt2vh.png
>>
>> Does CONNECT always require DIRECT?
>
> In the above yes. If you don't want that remove the never_direct for
> CONNECT as well.
>
>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>
>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>
> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
> upstream. The access controls about how to pass things upstream are
> irrelevant for them.
>
>> Because the IPs are banned by the ISP, direct CONNECT gets a timeout.
>>
>> Also, all tor_url ACL can't connect.
>>
>> Where am I wrong?
>
> Where is the server IP coming from?
>
> Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-17 Thread Yuri Voinov

On Squid 3.5.7 the same result:

1442420915.874 207879 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
1442493956.863 168528 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -
1442493957.934 168289 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -

Config snippet is:


# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url

# And finally deny all other access to this proxy
http_access deny all

# -
# HTTP parameters
# -

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

Squid configuration options:

http://i.imgur.com/1234E8q.png

17.09.15 16:18, Amos Jeffries writes:
> On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
>>
>>
>> 17.09.15 10:50, Amos Jeffries writes:
>>> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>>>> Hm.
>>>>
>>>> If I understand correctly, the right configuration must be:
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow CONNECT
>>>> never_direct allow tor_url
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> Right?
>>>>
>>>> But:
>>>>
>>>> http://i.imgur.com/UMxt2vh.png
>>>>
>>>> Does CONNECT always require DIRECT?
>>> In the above yes. If you don't want that remove the never_direct for
>>> CONNECT as well.
>>>
>>>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>>>
>>>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>>>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>>>
>>> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
>>> upstream. The access controls about how to pass things upstream are
>>> irrelevant for them.
>>>
>>>> Because the IPs are banned by the ISP, direct CONNECT gets a timeout.
>>>>
>>>> Also, all tor_url ACL can't connect.
>>>>
>>>> Where am I wrong?
>>> Where is the server IP coming from?
>> The server IP comes from the local DNS cache, which got the right IP via dnscrypt.
>>
>> In this case I was confused by the fact that the CONNECT does not go
>> into the tunnel.
>>
>> I've corrected the configuration a bit, but still no effect:
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>>
>
> Ah. Right, I forgot this is 3.4 you are talking about.
>
> server-first bumping requires a SSL/TLS server to get the cert details
> from. Your cache_peer is not one of those servers, and ssl-bump through
> a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
> connection.
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

16.09.15 21:34, Amos Jeffries writes:
> On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
>>
>> This:
>>
>> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
>>
>> does not work.
>
> Do you have always_direct rules that match the request(s)?
I commented out the last always_direct, without effect.
>
>  or "nonhierarchical_direct on" ?
No.
>
>
> The order of invocation is:
>
>  nonhierarchical_direct (on means don't use peers for methods which are
> uncacheable)
>
>  always_direct (allow means don't use peers at all)
>
>  never_direct (allow means don't use DIRECT/ORIGINAL_DST)
>
>  prefer_direct (on means use peers as last resort)
>
>  cache_peer_access (deny means don't use this peer)
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

Sure.

I've tried all possible combinations.
Including this:

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.*
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow CONNECT
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow CONNECT
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

The problem is:

I need to forward to the parent an AND combination of the CONNECT and tor_url ACLs.

Something like this:

# Privoxy+Tor access rules
never_direct allow CONNECT tor_url
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow CONNECT tor_url
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

But this also doesn't work.

I.e., most queries must go out via Squid, with SSL Bump if needed, but
selected URLs must go via cache_peer to Tor, both HTTP/HTTPS, and
HTTPS without bumping.

Can't understand how to achieve this.

16.09.15 21:34, Amos Jeffries writes:
> On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
>>
>> This:
>>
>> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
>>
>> does not work.
>
> Do you have always_direct rules that match the request(s)?
>  or "nonhierarchical_direct on" ?
>
> The order of invocation is:
>
>  nonhierarchical_direct (on means don't use peers for methods which are
> uncacheable)
>
>  always_direct (allow means don't use peers at all)
>
>  never_direct (allow means don't use DIRECT/ORIGINAL_DST)
>
>  prefer_direct (on means use peers as last resort)
>
>  cache_peer_access (deny means don't use this peer)
>
> Amos




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

This:

http://osdir.com/ml/web.squid.general/2003-04/msg00800.html

does not work.

16.09.15 0:15, Matus UHLAR - fantomas writes:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How Squid works as a whole, I am well
>> aware. Before asking a question, I tried everything that seemed right. And
>> I asked, hoping to get a specific answer or intelligible explanation,
>> not common words and sentences to read the manual. I outlined the
>> position quite clearly?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer, it is better to remain silent.
>
> you did not provide enough information, you did not tell what you did, you
> did not mention basic information like using sslbump and now you are telling
> me to not even try to help you?
>
> with this attitude I will just ignore you next time no matter if I can
> help you or not.




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Amos Jeffries
On 17/09/2015 3:18 a.m., Yuri Voinov wrote:
> 
> This:
> 
> http://osdir.com/ml/web.squid.general/2003-04/msg00800.html
> 
> does not work.

Do you have always_direct rules that match the request(s)?
 or "nonhierarchical_direct on" ?

The order of invocation is:

 nonhierarchical_direct (on means don't use peers for methods which are
uncacheable)

 always_direct (allow means don't use peers at all)

 never_direct (allow means don't use DIRECT/ORIGINAL_DST)

 prefer_direct (on means use peers as last resort)

 cache_peer_access (deny means don't use this peer)

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Yuri Voinov

Hm.

If I understand correctly, the right configuration must be:

# Privoxy+Tor access rules
never_direct allow CONNECT
never_direct allow tor_url

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

Right?

But:

http://i.imgur.com/UMxt2vh.png

Does CONNECT always require DIRECT?

I can't see FIRSTUP_PARENT for CONNECT in access log:

1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/154.35.132.70 -
1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -

Because the IPs are banned by the ISP, direct CONNECT gets a timeout.

Also, all tor_url ACL can't connect.

Where am I wrong?

16.09.15 22:03, Amos Jeffries writes:
> never_direct allow CONNECT





Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-16 Thread Amos Jeffries
On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
> 
> Hm.
> 
> If I understand correctly, the right configuration must be:
> 
> # Privoxy+Tor access rules
> never_direct allow CONNECT
> never_direct allow tor_url
> 
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
> 
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
> 
> Right?
> 
> But:
> 
> http://i.imgur.com/UMxt2vh.png
> 
> Does CONNECT always require DIRECT?

In the above yes. If you don't want that remove the never_direct for
CONNECT as well.

> 
> I can't see FIRSTUP_PARENT for CONNECT in access log:
> 
> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
> 

Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
upstream. The access controls about how to pass things upstream are
irrelevant for them.

> Because the IPs are banned by the ISP, direct CONNECT gets a timeout.
> 
> Also, all tor_url ACL can't connect.
> 
> Where am I wrong?

Where is the server IP coming from?

Amos


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Matus UHLAR - fantomas

On 15.09.15 22:45, Yuri Voinov wrote:
> Does anyone know - is it possible to send the connection, starting with
> the CONNECT, to cache-peer?

cache_peer_access with proper ACLs should do that.
note that always_direct can avoid it.

> I need to send, for some sites defined by an ACL, connections that start with
> CONNECT (port 443) to the cache_peer first, rather than connecting directly.
>
> I.e., both HTTP/HTTPS must be forwarded to the cache_peer for the specified
> sites. No direct connections must be established for these sites.
>
> Squid 3.4.14.
>
> Which option set must I use?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average. 


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

There is no answer.

15.09.15 23:31, Matus UHLAR - fantomas пишет:
> On 15.09.15 23:27, Yuri Voinov wrote:
>> Is it possible to specifically - how exactly it is necessary to write
>> the configuration? The fact is that any variations on a similar theme
>> cause assertion.
>
> just combine it with proper acl of type dst or dstdomain...
>
>> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>> Does anyone know - is it possible to send the connection, starting with
>>>> the CONNECT, to cache-peer?
>>>
>>> cache_peer_access with proper ACLs should do that.
>>> note that always_direct can avoid it.
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

Hi Antony,

thank you for the answer.

My problem is a bit specific.

I have some permanently ISP-banned sites. I need to pass them through from
the transparent interception Squid to a cache_peer - both plain HTTP and HTTPS
tunnels, without decryption. The sites are defined in an ACL.

HTTP-only sessions are forwarded correctly, but HTTPS is not. They go
directly.

I can't pass all connections via the tunnel. Just some specific sites.

Example: torproject.org is permanently HTTPS now. The session starts with
the CONNECT method.
If the IPs are banned by the ISP, forwarding into the parent (with Tor) does not work.

I've tried to solve this, but unsuccessfully.

Yes, I can use the Tor browser itself. But via Squid+Privoxy+Tor it doesn't work.

15.09.15 23:49, Antony Stone пишет:
> On Tuesday 15 September 2015 at 19:45:05, Yuri Voinov wrote:
>
>> I want to get the answer from the people who did it. And not from those
>> who suggest that they could do it.
>
> I have a suggestion which I hope may help - show us a configuration you have
> tried, following the documentation, and tell us in what way it fails to work
> as expected - then we may be able to show you where the error is.
>
> It's quite significant that in your original question, you did not mention you
> were using Squid in transparent SSL Bump mode, therefore the answer you
> received did not take this into account.
>
> The more information you give us about what you want to achieve, what you've
> done so far, and what goes wrong, the more we are able to help you debug the
> problem.
>
>
> Regards,
>
>
> Antony.
>
>> 15.09.15 23:42, Matus UHLAR - fantomas пишет:
>>>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>>>> Does anyone know - is it possible to send the connection, starting
>>>>>> with the CONNECT, to cache-peer?
>>>>
>>>> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>>>>> cache_peer_access with proper ACLs should do that.
>>>>> note that always_direct can avoid it.
>>>
>>> On 15.09.15 23:33, Yuri Voinov wrote:
>>>> Squid is working in transparent SSL Bump mode.
>>>>
>>>> AFAIK, SSL is decrypted here. AFAIK, a decrypted tunnel is denied to be
>>>> forwarded to a parent.
>>>>
>>>> I need to forward some URLs without decryption to the peer. The whole
>>>> session starting with CONNECT.
>>>>
>>>> Problem: The peer must accept both HTTP and HTTPS connections. Yes, there
>>>> is Privoxy, which can tunnel CONNECT. How to tell Squid - "Forward this
>>>> URL and this URL into the peer, whether HTTP or HTTPS"?
>>>
>>> disable sslbump (enable "splice") with proper ACLs:
>>> http://www.squid-cache.org/Doc/config/ssl_bump/
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Matus UHLAR - fantomas

>> On 15.09.15 22:45, Yuri Voinov wrote:
>>> Does anyone know - is it possible to send the connection, starting with
>>> the CONNECT, to cache-peer?
>
> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>> cache_peer_access with proper ACLs should do that.
>> note that always_direct can avoid it.

On 15.09.15 23:33, Yuri Voinov wrote:
> Squid is working in transparent SSL Bump mode.
>
> AFAIK, SSL is decrypted here. AFAIK, a decrypted tunnel is denied to be
> forwarded to a parent.
>
> I need to forward some URLs without decryption to the peer. The whole
> session starting with CONNECT.
>
> Problem: The peer must accept both HTTP and HTTPS connections. Yes, there
> is Privoxy, which can tunnel CONNECT. How to tell Squid - "Forward this
> URL and this URL into the peer, whether HTTP or HTTPS"?

disable sslbump (enable "splice") with proper ACLs:
http://www.squid-cache.org/Doc/config/ssl_bump/

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 
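A squid.conf fragment showing what Matus's advice (splice with proper ACLs, combined with cache_peer_access and never_direct) amounts to for Squid 3.5, added here as an example; it is not from anyone in the thread. It assumes Privoxy listens on 127.0.0.1:8118 (its default port) and reuses the tor_url ACL and the NoSSLIntercept ACL from the configuration posted later in the thread.

```conf
# Added example, not the poster's configuration.
# Assumption: Privoxy (in front of Tor) listens on 127.0.0.1:8118.

# Sites that must never be reached directly (ACL file as in the thread)
acl tor_url url_regex "C:/Squid/etc/squid/url.tor"

# A plain-HTTP parent that accepts CONNECT. Deliberately NO 'ssl' option:
# the peer speaks plain HTTP, and Squid cannot re-encrypt a bumped session
# towards such a peer, so the tunnel must reach it undecrypted.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest name=privoxy

# Only the listed sites may use this peer, and they may never go direct.
cache_peer_access privoxy allow tor_url
cache_peer_access privoxy deny all
never_direct allow tor_url

# SSL bump: peek at step 1 to learn the SNI, then splice (do not decrypt)
# the peer-bound hosts BEFORE the catch-all bump. Rule order is what
# decides whether the tunnel is left intact.
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
acl PeerBoundSNI ssl::server_name_regex -i torproject\.org
ssl_bump peek DiscoverSNIHost
ssl_bump splice PeerBoundSNI
ssl_bump splice NoSSLIntercept
ssl_bump bump all
```

The splice rule for the peer-bound hosts has to precede `ssl_bump bump all`; otherwise the session is decrypted first, and Squid does not support re-encrypting it towards a plain peer. When the routing works, access.log shows the CONNECT as TCP_TUNNEL/200 with FIRSTUP_PARENT/127.0.0.1 rather than TAG_NONE/200 with HIER_DIRECT.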


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

I asked a specific question. How Squid works as a whole - I am well
aware. Before asking the question - I tried everything that seemed right to
me. And I asked, hoping to get a specific answer or an intelligible
explanation, not common words and sentences telling me to read the manual.
Did I outline the position clearly enough?

If you do not know the exact answer - it is better to remain silent.

15.09.15 23:39, Matus UHLAR - fantomas пишет:
>>>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>>>> Does anyone know - is it possible to send the connection,
>>>>>> starting with the CONNECT, to cache-peer?
>
>>>> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>>>>> cache_peer_access with proper ACLs should do that.
>>>>> note that always_direct can avoid it.
>
>>> On 15.09.15 23:27, Yuri Voinov wrote:
>>>> Is it possible to be specific - how exactly is it necessary to write
>>>> the configuration? The fact is that any variation on a similar theme
>>>> causes an assertion.
>
>> 15.09.15 23:31, Matus UHLAR - fantomas пишет:
>>> just combine it with proper acl of type dst or dstdomain...
>
> On 15.09.15 23:35, Yuri Voinov wrote:
>> There is no answer.
>
> there is no answer where?
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

I want to get the answer from the people who did it. And not from those
who suggest that they could do it.

15.09.15 23:42, Matus UHLAR - fantomas пишет:
>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>> Does anyone know - is it possible to send the connection, starting with
>>>> the CONNECT, to cache-peer?
>
>> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>>> cache_peer_access with proper ACLs should do that.
>>> note that always_direct can avoid it.
>
> On 15.09.15 23:33, Yuri Voinov wrote:
>> Squid is working in transparent SSL Bump mode.
>>
>> AFAIK, SSL is decrypted here. AFAIK, a decrypted tunnel is denied to be
>> forwarded to a parent.
>>
>> I need to forward some URLs without decryption to the peer. The whole
>> session starting with CONNECT.
>>
>> Problem: The peer must accept both HTTP and HTTPS connections. Yes, there
>> is Privoxy, which can tunnel CONNECT. How to tell Squid - "Forward this
>> URL and this URL into the peer, whether HTTP or HTTPS"?
>
> disable sslbump (enable "splice") with proper ACLs:
> http://www.squid-cache.org/Doc/config/ssl_bump/
>




[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

Does anyone know - is it possible to send the connection, starting with
the CONNECT, to cache-peer?

I'll try to explain.

I need to send connections for some sites, defined by ACL, which start with
CONNECT (port 443), to the cache_peer first, rather than connecting directly.

I.e., both HTTP/HTTPS must be forwarded to cache_peer for specified
sites. No direct connections must be established for these sites.

Squid 3.4.14.

Which option set must I use?



Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Matus UHLAR - fantomas

>>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>>> Does anyone know - is it possible to send the connection, starting with
>>>>> the CONNECT, to cache-peer?

>>> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>>>> cache_peer_access with proper ACLs should do that.
>>>> note that always_direct can avoid it.

>> On 15.09.15 23:27, Yuri Voinov wrote:
>>> Is it possible to be specific - how exactly is it necessary to write
>>> the configuration? The fact is that any variation on a similar theme
>>> causes an assertion.

> 15.09.15 23:31, Matus UHLAR - fantomas пишет:
>> just combine it with proper acl of type dst or dstdomain...

On 15.09.15 23:35, Yuri Voinov wrote:
> There is no answer.

there is no answer where?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

Is it possible to be specific - how exactly is it necessary to write
the configuration? The fact is that any variation on a similar theme
causes an assertion.

15.09.15 23:17, Matus UHLAR - fantomas пишет:
> On 15.09.15 22:45, Yuri Voinov wrote:
>> Does anyone know - is it possible to send the connection, starting with
>> the CONNECT, to cache-peer?
>
> cache_peer_access with proper ACLs should do that.
> note that always_direct can avoid it.
>
>> I need to send connections for some sites, defined by ACL, which start
>> with CONNECT (port 443), to the cache_peer first, rather than connecting
>> directly.
>>
>> I.e., both HTTP/HTTPS must be forwarded to cache_peer for specified
>> sites. No direct connections must be established for these sites.
>>
>> Squid 3.4.14.
>>
>> Which option set must I use?
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Matus UHLAR - fantomas

On 15.09.15 23:27, Yuri Voinov wrote:
> Is it possible to be specific - how exactly is it necessary to write
> the configuration? The fact is that any variation on a similar theme
> causes an assertion.

just combine it with proper acl of type dst or dstdomain...

> 15.09.15 23:17, Matus UHLAR - fantomas пишет:
>> On 15.09.15 22:45, Yuri Voinov wrote:
>>> Does anyone know - is it possible to send the connection, starting with
>>> the CONNECT, to cache-peer?
>>
>> cache_peer_access with proper ACLs should do that.
>> note that always_direct can avoid it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov

Squid is working in transparent SSL Bump mode.

AFAIK, SSL is decrypted here. AFAIK, a decrypted tunnel is denied to be
forwarded to a parent.

I need to forward some URLs without decryption to the peer. The whole
session starting with CONNECT.

Problem: The peer must accept both HTTP and HTTPS connections. Yes, there
is Privoxy, which can tunnel CONNECT. How to tell Squid - "Forward this
URL and this URL into the peer, whether HTTP or HTTPS"?

15.09.15 23:17, Matus UHLAR - fantomas пишет:
> On 15.09.15 22:45, Yuri Voinov wrote:
>> Does anyone know - is it possible to send the connection, starting with
>> the CONNECT, to cache-peer?
>
> cache_peer_access with proper ACLs should do that.
> note that always_direct can avoid it.
>
>> I need to send connections for some sites, defined by ACL, which start
>> with CONNECT (port 443), to the cache_peer first, rather than connecting
>> directly.
>>
>> I.e., both HTTP/HTTPS must be forwarded to cache_peer for specified
>> sites. No direct connections must be established for these sites.
>>
>> Squid 3.4.14.
>>
>> Which option set must I use?
>




Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

2015-09-15 Thread Yuri Voinov
Here is my testing config from the test system. This is the original
configuration, which works well with HTTP but not with HTTPS.

I've tried to permit CONNECT access to the cache_peer, to configure the
cache_peer as ssl, to splice the forwarded URLs... without any result.

When I've turned the URL into the cache_peer, access.log shows this:

1442336013.594   8060 127.0.0.1 TCP_TUNNEL/200 6833 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336013.924  10802 127.0.0.1 TCP_TUNNEL/200 31810 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   9315 127.0.0.1 TCP_TUNNEL/200 29088 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   8664 127.0.0.1 TCP_TUNNEL/200 22643 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.252   8677 127.0.0.1 TCP_TUNNEL/200 10701 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.256   8678 127.0.0.1 TCP_TUNNEL/200 42904 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -

but nothing happens. The IPs for this URL are banned by the ISP. So, CONNECT
gets no answer. And the site is strict HTTPS. Note: Bump can't start because
the server does not answer the CONNECT.

In some variants - whenever HTTP goes into a cache_peer with ssl enabled -
Squid dies:

2015/09/15 23:24:27 kid1| assertion failed: PeerConnector.cc:116:
"peer->use_ssl"

In most cases Squid simply stops working.

The always_direct state has no visible effect and does not matter.
Excluding/including the forwarded URL in the splice directive does not
matter either.

I can't see any other error.

So, it will be interesting - is it possible to forward HTTP/HTTPS for a
specified URL to a cache_peer without decrypting?

And I do not understand how to do this correctly.

16.09.15 0:15, Matus UHLAR - fantomas пишет:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How Squid works as a whole - I am well
>> aware. Before asking the question - I tried everything that seemed right
>> to me. And I asked, hoping to get a specific answer or an intelligible
>> explanation, not common words and sentences telling me to read the manual.
>> Did I outline the position clearly enough?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer - it is better to remain silent.
>
> you did not provide enough information, you did not tell what you did, you
> did not mention basic information like using sslbump and now you are telling
> me not even to try to help you?
>
> with this attitude I will just ignore you next time, no matter if I can
> help you or not.

# -
# ACL's
# -
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# No-cache ACLs
acl dont_cache dstdomain rulesofwargame.com imgur.com

# Privoxy+Tor acl
acl tor_url url_regex "C:/Squid/etc/squid/url.tor"

# -
# Access parameters
# -
# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Cache directives
cache deny dont_cache

# Hide internal networks details outside
forwarded_for delete
via off

# Disable alternate protocols
reply_header_access Alternate-Protocol deny all
# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
# Normalize Vary to reduce duplicates
reply_header_access Vary deny all
reply_header_replace Vary Accept-Encoding

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url