Re: [squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

2019-11-21 Thread Berger J Nicklas
A colleague provided this squid.conf and now HTTPS is working fine with curl as
well!

visible_hostname localhost

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain .google.com
acl allowed_http_sites dstdomain .redhat.com


http_access allow allowed_http_sites

# Handling HTTPS requests
acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name .microsoft.com
acl allowed_https_sites ssl::server_name .google.com
acl allowed_https_sites ssl::server_name .redhat.com

https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate

http_access deny all

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

2019-11-20 Thread Alex Rousskov
On 11/20/19 3:31 AM, Berger J Nicklas wrote:

> squid 4.1

Start by upgrading to the latest Squid v4 available.


> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain

What was Squid trying to tell curl? Was Squid sending an error response?
Tell curl to run --insecure to find out what happened.


> security_file_certgen helper database '/var/spool/squid/ssl_db' failed:
> Failed to open file /var/spool/squid/ssl_db/index.txt

You should fix this. Perhaps you did not initialize the database (see
"man security_file_certgen")? Or perhaps the permissions are wrong
(check them using something like "ls -Rla /var/spool/squid/ssl_db")?

> acl allowed_http_sites dstdomain .microsoft.com
> acl allowed_http_sites dstdomain .google.com
> acl allowed_http_sites dstdomain .redhat.com

> http_access allow allowed_http_sites Safe_ports

This allows CONNECT to port 80, which is probably not what you want. See
squid.conf.default for the recommended layout of https_access rules.


> #SSL Settings
> acl allowed_https_sites dstdomain .microsoft.com

Do not add one site twice.


> http_access allow CONNECT allowed_https_sites

This allows CONNECT to any port of the allowed_https_sites. See
squid.conf.default for the recommended layout of https_access rules.


> options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

A copy-paste typo? There is no "options=..." directive.


> http_access deny all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The last two lines are unreachable. You probably want to review how
http_access (and most other) ACL-driven directives work, including the
"first match ends the search" rule.

> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step2 all
> ssl_bump bump all

To learn how ssl_bump rules work, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice

AFAICT, the above rules are equivalent to:

  ssl_bump peek step1
  ssl_bump peek step2 allowed_https_sites
  ssl_bump terminate step2
  ssl_bump splice all

or, roughly speaking, "splice allowed_https_sites (after peeking at
their server) and terminate everything else (ASAP)"

... which is rather different from what the original rules may have
tried to accomplish (whatever that was).


HTH,

Alex.
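The "first match ends the search" rule Alex refers to, and his two remarks about which CONNECT requests Nick's rule order lets through, can be checked against a small model of http_access evaluation. This is an added example written for this page, not Squid code and not anything posted in the thread: the port sets and ACL names are copied from Nick's squid.conf, dstdomain matching is simplified to a suffix test, and the RECOMMENDED rule order is my own arrangement following the squid.conf.default layout Alex points to (protective denies first, site-specific allows, "deny all" last).

```python
"""Model of Squid's first-match http_access evaluation (constructed example).

Replays the three remarks from the thread: CONNECT to port 80 is allowed,
CONNECT to any port of allowed_https_sites is allowed, and every rule after
"http_access deny all" is unreachable.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Port sets copied from Nick's posted acl lines
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass(frozen=True)
class Request:
    method: str   # "GET", "CONNECT", ...
    host: str     # destination host (URL host, or CONNECT target)
    port: int     # destination port


def dstdomain(*suffixes: str) -> Callable[[Request], bool]:
    """Model of a dstdomain ACL: '.example.com' matches example.com and any subdomain."""
    def acl(r: Request) -> bool:
        host = r.host.lower()
        return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)
    return acl


ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "allowed_http_sites": dstdomain(".microsoft.com", ".google.com", ".redhat.com"),
    "allowed_https_sites": dstdomain(".microsoft.com"),
}

Rule = Tuple[str, List[str]]  # (action, acl names); a leading "!" negates, as in squid.conf


def parse_rules(conf: str) -> List[Rule]:
    """Keep only the http_access lines of a squid.conf fragment, in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(name: str, req: Request) -> bool:
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(rules: List[Rule], req: Request) -> str:
    """First rule whose ACLs all match wins; with no match Squid applies
    the opposite of the last rule's action."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that are never consulted because an earlier rule
    uses only the 'all' ACL and therefore matches every request."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


# Nick's http_access lines, in the order he posted them
POSTED = """
http_access allow allowed_http_sites Safe_ports
http_access allow CONNECT allowed_https_sites
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

# My ordering in the squid.conf.default layout (not from the thread)
RECOMMENDED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports allowed_http_sites
http_access allow allowed_http_sites
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("recommended", RECOMMENDED)):
        rules = parse_rules(conf)
        print(label, "unreachable rule indexes:", unreachable_rules(rules))
        for req in (Request("CONNECT", "www.microsoft.com", 80),
                    Request("CONNECT", "www.microsoft.com", 22),
                    Request("CONNECT", "www.microsoft.com", 443),
                    Request("GET", "www.example.com", 80)):
            print(" ", req.method, f"{req.host}:{req.port}", "->", http_access(rules, req))
```

With the posted order, CONNECT www.microsoft.com:80 and CONNECT www.microsoft.com:22 are both allowed and rules 3 and 4 are dead; with the protective denies moved to the front, only CONNECT to port 443 of a whitelisted name gets through.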


[squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

2019-11-20 Thread Berger J Nicklas
Hello,
I want to start by saying I'm new to working with squid, so bear with me. At my
company we are trying to use squid as an egress solution for our servers running in AWS.
We need to have a whitelisting function in place.

HTTP works fine but not HTTPS.

When trying to run curl from another server using squid to access the internet we
receive this message:
# curl https://microsoft.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When checking the squid cache log file this is showing:

# tail -f /var/log/squid/cache.log
2019/11/20 08:25:01 kid1| HTCP Disabled.
2019/11/20 08:25:01 kid1| Squid plugin modules loaded: 0
2019/11/20 08:25:01 kid1| Adaptation support is off.
2019/11/20 08:25:01 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2019/11/20 08:25:01 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
2019/11/20 08:25:01 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3130 remote=[::] FD 25 flags=41
2019/11/20 08:25:02 kid1| storeLateRelease: released 0 objects
security_file_certgen helper database '/var/spool/squid/ssl_db' failed: Failed to open file /var/spool/squid/ssl_db/index.txt
2019/11/20 08:25:10 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:12 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:14 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:19 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:19 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:20 kid1| Error negotiating SSL connection on FD 12: error:0001:lib(0):func(0):reason(1) (1/0)

The squid.conf looks like this:

#acl localnet src 10.0.0.0/8
visible_hostname centos-squid-4.1

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain .google.com
acl allowed_http_sites dstdomain .redhat.com


http_access allow allowed_http_sites Safe_ports
http_port 3128
http_port 3129 intercept

#SSL Settings
acl allowed_https_sites dstdomain .microsoft.com

http_access allow CONNECT allowed_https_sites
options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/fredrik_cert/squid.pem key=/etc/squid/fredrik_cert/squid.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

# And finally deny all other access to this proxy
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
#refresh_pattern .


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

cache_mem 1024 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump bump all

Please assist me!
Nick



Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-04-13 Thread Amos Jeffries
On 14/04/19 1:40 am, tester100 wrote:
> Hiya
> 
> I am trying to compile squid 4.6 also with the same configure as shown here
> but it's giving me an error on the enable-ssl option..
> 
> 
> I have managed to compile it without the --enable-ssl function, but then
> again
> 

See my response to your earlier post.

> in the ssl_crtd files there are no files generated, therefore it shows the
> following error
> 
> 
> /etc/squid/ssl_certs# /usr/lib/squid/ssl_crtd: No such file or directory
> bash: /usr/lib/squid/ssl_crtd:: No such file or directory
> 
> 

Please see the release notes for Squid-4:




Amos


Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-04-13 Thread tester100
Hiya

I am trying to compile squid 4.6 also with the same configure as shown here
but it's giving me an error on the enable-ssl option..


I have managed to compile it without the --enable-ssl function, but then
again

in the ssl_crtd files there are no files generated, therefore it shows the
following error


/etc/squid/ssl_certs# /usr/lib/squid/ssl_crtd: No such file or directory
bash: /usr/lib/squid/ssl_crtd:: No such file or directory


Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread dkanejs
> if you intercept/redirect http to port 3128, it must be configured as
> "intercept" too.

Spot on cheers!





Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread Matus UHLAR - fantomas
> Thanks for your analysis Amos.
> 
> As you can tell I'm still figuring this stuff out.
> 
> HTTPS is working now but HTTP is not, not sure what I'm doing wrong.
> 
> I tried my best to understand your comments and now have the following
> config:
> 
> http_port 3128
> https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem

if you intercept/redirect http to port 3128, it must be configured as
"intercept" too.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread dkanejs
Thanks for your analysis Amos.

As you can tell I'm still figuring this stuff out.

HTTPS is working now but HTTP is not, not sure what I'm doing wrong.

I tried my best to understand your comments and now have the following
config:


squid.conf


visible_hostname squid

acl localnet src 10.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

http_access deny !Safe_ports

http_access allow localhost manager
http_access deny manager

acl whitelist dstdomain .example.com
http_access allow whitelist

http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem

ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all

coredump_dir /var/cache/squid


Thanks, and let me know if I have misunderstood your amendments.

Thanks again,
David





Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread Amos Jeffries
On 8/03/19 1:35 am, dkanejs wrote:
> Thanks for the reply and apologies my post didn't include the HTML fragments:
> 
> Configuration:
> 
> ./configure \
> --enable-ssl \
> --enable-ssl-crtd \
> --with-openssl \
> --disable-arch-native \
> --prefix=/usr \
> --localstatedir=/var \
> --sysconfdir=/etc/squid \
> --libexecdir=/usr/lib/squid \
> --datadir=/usr/share/squid \
> --with-default-user=proxy \
> --with-logdir=/var/log/squid \
> --with-pidfile=/var/run/squid.pid
> 
> Squid configuration:
> 
> visible_hostname squid
> http_port 3128
> acl whitelist dstdomain .example.com
> http_access allow whitelist

You are missing the default security protections against DoS and some
other attack types. Please leave those Safe_ports and SSL_ports access
lines and place your custom rules after them.


> https_port 3129 cert=/etc/squid/squid.pem
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET 
> cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> ssl-bump intercept

The NAT 'intercept' mode flag needs to be second, right after the port
number.

The 'ssl-bump' flag should go before the cert= option so the right types
of cert are loaded. Without this ordering Squid-4 cannot warn you about
cert type errors (if any).

The "NO_SSLv2" is invalid. As of Squid-4 all options relating to SSLv2
are no longer supported in any way.


> acl SSL_port port 443
> http_access allow SSL_port
> acl CONNECT method CONNECT

"CONNECT" ACL is now a built-in. You do not have to define it.

> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 whitelist
> ssl_bump splice step3 whitelist
> ssl_bump terminate step2 all

The use of "all" ACL in the above lines does nothing but confuse people.

Please also be aware the 'whitelist' ACL will not match reliably in TLS
handshake because TLS does not have HTTP message URLs - thus no URL
domain name.

That means you should expect to see only terminated TLS handshakes with
this config. Anything actually being accepted and responded to would be
the anomaly.

I think what you are needing is probably this:

 ssl_bump peek all
 acl tls_whitelist ssl::server_name .example.com
 ssl_bump splice step3 tls_whitelist
 ssl_bump terminate all



Amos
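Two points in these threads can be checked with a small model of the three-step ssl_bump evaluation: Alex's reduction of Nick's six ssl_bump rules to four (earlier thread), and Amos's point here that a dstdomain whitelist cannot match during a TLS handshake because there is no HTTP URL yet, whereas ssl::server_name can once the ClientHello has been peeked at. This is an added example written for this page, not Squid code and not anything posted in either thread. It assumes what each peek reveals (SNI after step 1, the server certificate after step 2), leaves the step-1 server name unknown for intercepted connections, skips rules whose action is impossible at the current step, and does not model Squid's built-in fallback when no rule matches; the whitelist suffix and the connection names are constructed.

```python
"""Model of Squid's three-step ssl_bump evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class TlsConn:
    """An intercepted TLS connection and what Squid has learned about it so far."""
    dst_ip: str
    sni: Optional[str]              # ClientHello SNI, visible after the step-1 peek
    cert_name: Optional[str]        # server certificate name, visible after the step-2 peek
    step: int = 1
    url_host: Optional[str] = None  # HTTP URL host: a raw TLS handshake carries none


Acl = Callable[[TlsConn], bool]
Rule = Tuple[str, List[Acl]]        # (action, acls); actions: peek, splice, terminate, bump


def _suffix_match(name: str, suffixes) -> bool:
    name = name.lower()
    return any(name == s.lstrip(".") or name.endswith(s) for s in suffixes)


def dstdomain(*suffixes: str) -> Acl:
    """Matches the domain of an HTTP request URL; a TLS handshake has no URL to match."""
    return lambda c: c.url_host is not None and _suffix_match(c.url_host, suffixes)


def server_name(*suffixes: str) -> Acl:
    """Model of ssl::server_name: the peeked SNI from step 2 on, else the peeked
    certificate name at step 3 (simplification: no name is known at step 1)."""
    def acl(c: TlsConn) -> bool:
        name = c.sni if c.step >= 2 else None
        if name is None and c.step >= 3:
            name = c.cert_name
        return name is not None and _suffix_match(name, suffixes)
    return acl


def at_step(n: int) -> Acl:
    return lambda c: c.step == n


ALL: Acl = lambda c: True


def first_match(rules: List[Rule], conn: TlsConn) -> str:
    for action, acls in rules:
        if action == "peek" and conn.step == 3:
            continue  # model assumption: peeking is impossible at step 3, so the rule is skipped
        if all(acl(conn) for acl in acls):
            return action
    return "no-match"  # Squid's built-in fallback is not modelled


def decide(rules: List[Rule], conn: TlsConn) -> Tuple[str, List[Tuple[int, str]]]:
    """Step loop: a peek advances to the next step, any other action is final."""
    trace = []
    while True:
        action = first_match(rules, conn)
        trace.append((conn.step, action))
        if action != "peek":
            return action, trace
        conn.step += 1


def outcome(rules: List[Rule], sni: str):
    """Decide for a fresh connection whose SNI and certificate name agree (constructed data)."""
    return decide(rules, TlsConn("203.0.113.10", sni, sni))


WL_SNI = server_name(".example.com")   # Amos's tls_whitelist
WL_URL = dstdomain(".example.com")     # David's whitelist, a dstdomain ACL

# Nick's six rules, with the whitelist as an SNI-based ACL so that it can match at all
POSTED = [("peek", [at_step(1), ALL]), ("peek", [at_step(2), WL_SNI]),
          ("splice", [at_step(2), WL_SNI]), ("splice", [at_step(3), WL_SNI]),
          ("terminate", [at_step(2), ALL]), ("bump", [ALL])]
# Alex's four-rule equivalent
ALEX = [("peek", [at_step(1)]), ("peek", [at_step(2), WL_SNI]),
        ("terminate", [at_step(2)]), ("splice", [ALL])]
# David's rules as posted: the whitelist is a dstdomain ACL
DAVID = [("peek", [at_step(1), ALL]), ("peek", [at_step(2), WL_URL]),
         ("splice", [at_step(3), WL_URL]), ("terminate", [at_step(2), ALL])]
# Amos's suggested replacement
AMOS = [("peek", [ALL]), ("splice", [at_step(3), WL_SNI]), ("terminate", [ALL])]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("alex", ALEX), ("david", DAVID), ("amos", AMOS)):
        for sni in ("www.example.com", "tracker.example.net"):
            print(f"{label:6} {sni:20} ->", outcome(rules, sni))
```

POSTED and ALEX produce the same step trace for both names (whitelisted: peek, peek, splice; everything else: peek, terminate), so the "bump all" line is never reached. DAVID terminates even the whitelisted name at step 2, which is the "only terminated TLS handshakes" outcome Amos predicts; AMOS splices it at step 3.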


Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread dkanejs
Thanks for the reply and apologies my post didn't include the HTML fragments:

Configuration:

./configure \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-arch-native \
--prefix=/usr \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--libexecdir=/usr/lib/squid \
--datadir=/usr/share/squid \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid

Squid configuration:

visible_hostname squid
http_port 3128
acl whitelist dstdomain .example.com
http_access allow whitelist
https_port 3129 cert=/etc/squid/squid.pem
options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET 
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 whitelist
ssl_bump splice step3 whitelist
ssl_bump terminate step2 all
http_access deny all
coredump_dir /var/cache/squid/

iptables:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3129

Access log:

1551954200.914 54 10.0.1.166 NONE_ABORTED/200 0 CONNECT
93.184.216.34:443 - HIER_NONE/- -
1551954214.370  0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954217.223  0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954256.558  0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954261.638  0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954273.516215 10.0.1.166 NONE_ABORTED/200 0 CONNECT
93.184.216.34:443 - HIER_NONE/- -
1551954391.304  1 185.59.221.44 NONE_ABORTED/200 0 CONNECT
10.0.0.151:443 - HIER_NONE/- -
1551954395.346  0 185.59.221.44 NONE_ABORTED/200 0 CONNECT
10.0.0.151:443 - HIER_NONE/- -
1551954398.938  0 185.59.221.44 NONE_ABORTED/200 0 CONNECT
10.0.0.151:443 - HIER_NONE/- -

Thanks again,
David





[squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

2019-03-07 Thread dkanejs
Foreword

I'm by no means an expert so please bear with me...

I have seen many questions about this but they are all for Squid 3 and none
of the configurations work for Squid 4.

I have also tried using (with adjustment for Squid 4) answers from questions
on here and serverfault, etc but without success.
What I'm trying to do

I'm trying to create a transparent (requires no client configuration) Squid
proxy for HTTP and HTTPS.

In short, I want to whitelist specific domains on both HTTP and HTTPS.
Details

- Building / Running in AWS
- Ubuntu 18.04
- Instance has Source/Destination check disabled
- Private subnets route table points 0.0.0.0/0 to EC2 Instance
- Squid 4.6 compiled with SSL support options: 

Current Configuration


iptables


Results

Using the proxy via a host in the private subnet for HTTP:


Using the proxy via a host in the private subnet for HTTPS:


Happy to share more information / configuration if I've missed something
important.

If anyone can help shed some light on what I'm doing wrong, (or share a
working configuration to put me out of my misery!), it would be much
appreciated thanks!





Re: [squid-users] Squid 4.5 Transparent Proxy, StrongSwan VPN - Working in Browser but not in any android apps

2019-01-22 Thread Amos Jeffries
On 22/01/19 9:19 pm, XploD wrote:
> 
> Can anybody tell me what I have to do so that every android app accepts
> the intercepted connection?
> 

IIRC there is also a phone CA certificate store where it can be added.
Though I do not recall exactly where it is right now.

Even with that setup some apps (e.g. from YouTube and Facebook) use
certificate pinning. They bundle the domain's CA cert hard-coded into the
app itself and only trust that exact CA. Or use a client certificate
similarly bundled with each app to authenticate against the server.

When either of those TLS features is used SSL-Bump cannot do the 'bump'
action - only peek, splice or terminate work. That is still enough
to identify the destination domain, but no deep inspection.


> 
> BTW: If any squid developer is reading this: Squid is awesome work!
> Thank you very much for such beauty!
> 

On behalf of the team: thank you.

Amos


[squid-users] Squid 4.5 Transparent Proxy, StrongSwan VPN - Working in Browser but not in any android apps

2019-01-22 Thread XploD
Hi.

I've got a strange problem, and I don't know if you can help me:

To secure my mobile phone, I have set up a VPN using Strongswan which is used
anytime I use an open WiFi hotspot. This works fine.

But to get rid of all the trackers applied to websites and android apps, I want
to use a proxy to filter any unwanted communication:

So I have set up squid to intercept both port 80 and 443, with SSL_BUMP,
Self-Signed Certificates, ...

In firefox mobile, I had to download the CA-certificate in PEM format, so that
firefox asked if I wanted to install the certificate. After doing so, the proxy
works just fine, and any website shows the Squid Authority as CA.

For Chrome, I had to download the CA-Certificate as .crt file. I installed that
in Android, so that it is displayed in the user section of the Trusted-CA page.
After that, Chrome accessed any website without complaints, stating that every
site was signed by the Squid Authority.

But now my problem:

Any android app I try wants to open an SSL connection to some servers, but none
of them works. Every app either says it has no connection, or shows a
certificate mismatch...

Can anybody tell me what I have to do so that every android app accepts the
intercepted connection?

Best regards,

Dirk

BTW: If any squid developer is reading this: Squid is awesome work! Thank you
very much for such beauty!


Re: [squid-users] Squid as Transparent Proxy

2017-10-10 Thread Amos Jeffries

On 10/10/17 21:19, davide.motti wrote:
> Hi to everybody,
> 
> Last week I've set up Squid as transparent Proxy and everything seems to
> work fine, it caches HTTP and HTTPS connections without any problem.
> 
> The only thing that "worries" me is that if I put the "intercept" flag
> on the http_port and on the https port I'm not able to connect to any
> site, but if I put off the "intercept" flag then I connect to all sites
> in transparent mode (no settings on the client's browser).

The configuration you have is not a "transparent proxy" unless you have
the tproxy or intercept flags in squid.conf port lines. They are what
tell Squid to do the MITM "transparent" things.

Also, you do not have any https_port in this config. So port 443 traffic
cannot be received, no matter how it gets to Squid.

> So I'm running Squid-3.5.27 on Ubuntu Server 16.04 LTS and it was so
> compiled:
> 
> ./configure --build=x86_64-linux-gnu --prefix=/usr --localstatedir=/var
> --libexecdir=${prefix}/lib/squid --datadir=${prefix}/share/squid
> --sysconfdir=/etc/squid --mandir=/usr/share/man
> --with-swapdir=/var/spool/squid --with-default-user=proxy
> --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid
> --with-open-ssl=/etc/ssl/openssl.cnf --with-filedescriptors=65536
> --enable-ssl-crtd --enable-linux-netfilter.
> 
> The main squid.config file:
> 
> http_port 3128
> http_port 192.168.21.111:3129
> http_port 192.168.21.111:13130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myRCA.pem
> 
> acl debian src 192.168.7.112
> acl debian src fe80::a2ce:c8ff:fe1e:bfb8
> acl localhost src 127.0.0.0/32
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 21
> acl Safe_ports port 70
> acl Safe_ports port 3128
> acl Safe_ports port 3129
> acl Safe_ports port 403
> acl Safe_ports port 409
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> # HTTP ACCESS
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access allow debian
> http_access allow localhost
> 
> visible_hostname 20150604-004.intern.modomoto.de
> 
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options ALL
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

The above 5 lines disable *all* security that TLS has to offer. Chances
of your network being "p0wned" are quite high.

This is also possibly why the intercept *appears* to work.

> sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 10
> 
> Squid iptables rules:
> 
> # Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
> *mangle
> :PREROUTING ACCEPT [41705:23328287]
> :INPUT ACCEPT [40269:23242848]
> :FORWARD ACCEPT [6:2262]
> :OUTPUT ACCEPT [32950:6122247]
> :POSTROUTING ACCEPT [33060:6138510]
> COMMIT
> # Completed on Mon Sep 25 09:34:12 2017
> # Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
> *nat
> :PREROUTING ACCEPT [2731:496529]
> :INPUT ACCEPT [1440:370186]
> :OUTPUT ACCEPT [3278:202202]
> :POSTROUTING ACCEPT [41:2041]
> -A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$HTTP_SQUID_PORT
> -A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $HTTP_SQUID_PORT
> -A PREROUTING -s $SQUID_IP -p tcp -m tcp --dport 443 -j DNAT --to-destination $SQUID_IP:$HTTPS_SQUID_PORT
> -A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $HTTP_CLIENT_PORT
> -A POSTROUTING -o $CLIENT_INTERF -j MASQUERADE
> 
> ...

Why are you looping port 443 traffic outbound from Squid back into its
receiving port?

And you have replaced most of the other important details with variable
names. You have three HTTP ports (with various IPs) and zero HTTPS ports
in squid.conf so it's not even clear what these variables are referring
to by name.

Please replace your iptables rules with the ones listed at

> My client acts as his own router and his iptables rules are the following:
> 

REDIRECT/DNAT erases the destination IP Squid is connecting to when in
"transparent" intercept mode. This is why you MUST NOT have any NAT
between the client browser and Squid machine. Packets MUST be routed
instead (possibly through a tunnel, but still routed).

> As I told the intercept mode works without the "intercept flag" on the
> http_port directive: I would like just to 
[squid-users] Squid as Transparent Proxy

2017-10-10 Thread davide.motti
Hi to everybody,

Last week I've set up Squid as transparent Proxy and everything seems to
work fine, it caches HTTP and HTTPS connections without any problem.

The only thing that "worries" me is that if I put the "intercept" flag
on the http_port and on the https port I'm not able to connect to any
site, but if I put off the "intercept" flag then I connect to all sites
in transparent mode (no settings on the client's browser).

So I'm running Squid-3.5.27 on Ubuntu Server 16.04 LTS and it was so
compiled:

./configure --build=x86_64-linux-gnu --prefix=/usr --localstatedir=/var
--libexecdir=${prefix}/lib/squid --datadir=${prefix}/share/squid
--sysconfdir=/etc/squid --mandir=/usr/share/man
--with-swapdir=/var/spool/squid --with-default-user=proxy
--with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid
--with-open-ssl=/etc/ssl/openssl.cnf --with-filedescriptors=65536
--enable-ssl-crtd --enable-linux-netfilter.

The main squid.conf file:

http_port 3128
http_port 192.168.21.111:3129

http_port 192.168.21.111:13130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myRCA.pem

acl debian src 192.168.7.112
acl debian src fe80::a2ce:c8ff:fe1e:bfb8
acl localhost src 127.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 3128
acl Safe_ports port 3129
acl Safe_ports port 403
acl Safe_ports port 409
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# HTTP ACCESS
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access allow debian
http_access allow localhost

visible_hostname 20150604-004.intern.modomoto.de

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all
sslproxy_options ALL
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 10

Squid iptables rules:

# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*mangle
:PREROUTING ACCEPT [41705:23328287]
:INPUT ACCEPT [40269:23242848]
:FORWARD ACCEPT [6:2262]
:OUTPUT ACCEPT [32950:6122247]
:POSTROUTING ACCEPT [33060:6138510]
COMMIT
# Completed on Mon Sep 25 09:34:12 2017
# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*nat
:PREROUTING ACCEPT [2731:496529]
:INPUT ACCEPT [1440:370186]
:OUTPUT ACCEPT [3278:202202]
:POSTROUTING ACCEPT [41:2041]
-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$HTTP_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $HTTP_SQUID_PORT
-A PREROUTING -s $SQUID_IP -p tcp -m tcp --dport 443 -j DNAT --to-destination $SQUID_IP:$HTTPS_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $HTTP_CLIENT_PORT
-A POSTROUTING -o $CLIENT_INTERF -j MASQUERADE
COMMIT
# Completed on Mon Sep 25 09:34:12 2017
# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [6:2262]
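Two of the problems raised in the reply above can be checked mechanically on the Squid box: a PREROUTING rule that takes packets whose source is the Squid box itself and NATs them back into Squid's own listener (the "looping port 443 traffic" question), and a port 443 rule whose target is not an https_port intercept listener. The script below is an added example, not code from this thread or from the Squid project. It reads an iptables-save dump and reports both conditions; the IP address 192.168.21.111, the interface eth1 and the ports 3129/13130 in the embedded dump are made-up stand-ins for the $SQUID_IP, $CLIENT_INTERF and $*_SQUID_PORT variables of the posted rules, and the dump itself is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nat-table PREROUTING rules in
# an iptables-save dump for two interception mistakes.
#   LOOP - a rule that DNATs/REDIRECTs packets whose source is the Squid box
#          back into Squid's own listener (Squid's outbound traffic must be
#          excluded with "! -s SQUID_IP", never matched).
#   PORT - port 80 or 443 handed to a port other than the http_port/https_port
#          intercept listener (e.g. 443 redirected to a plain http_port).
# Usage: audit_intercept_nat DUMP SQUID_IP HTTP_INTERCEPT_PORT HTTPS_INTERCEPT_PORT
# Prints one finding per line; the return value is the number of findings.
audit_intercept_nat() {
    dump=$1; squid_ip=$2; http_port=$3; https_port=$4
    n=0
    rules=$(mktemp)
    # Keep only the "-A PREROUTING" rules between "*nat" and its "COMMIT".
    awk '/^\*nat/ {t=1} /^COMMIT/ {t=0} t && /^-A PREROUTING/' "$dump" > "$rules"
    while IFS= read -r rule; do
        case "$rule" in
            *"! -s $squid_ip"*) ;;   # correct exclusion of Squid's own traffic
            *"-s $squid_ip"*"-j DNAT"*|*"-s $squid_ip"*"-j REDIRECT"*)
                echo "LOOP: packets from the Squid box are NATed back into Squid: $rule"
                n=$((n + 1)) ;;
        esac
        # Local port the rule hands the connection to (empty for non-NAT targets).
        target=$(printf '%s\n' "$rule" \
            | grep -oE -- '(--to-ports [0-9]+|--to-destination [0-9.]+:[0-9]+)' \
            | grep -oE '[0-9]+$' || true)
        [ -n "$target" ] || continue
        case "$rule" in
            *"--dport 80 "*|*"--dport 80")
                [ "$target" = "$http_port" ] || {
                    echo "PORT: port 80 goes to $target, not the http_port intercept listener $http_port: $rule"
                    n=$((n + 1)); } ;;
            *"--dport 443 "*|*"--dport 443")
                [ "$target" = "$https_port" ] || {
                    echo "PORT: port 443 goes to $target, not the https_port intercept listener $https_port: $rule"
                    n=$((n + 1)); } ;;
        esac
    done < "$rules"
    rm -f "$rules"
    return "$n"
}

# Constructed iptables-save excerpt mirroring the rules posted above, with the
# shell variables replaced by made-up values: Squid box 192.168.21.111, client
# interface eth1, "http_port 3129 intercept", "https_port 13130 intercept".
write_sample_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -s 192.168.21.111/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.21.111/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.21.111:13130
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
EOF
}

demo=$(mktemp)
write_sample_dump "$demo"
audit_intercept_nat "$demo" 192.168.21.111 3129 13130 || echo "findings: $?"
rm -f "$demo"
```

Run it against `iptables-save` output from the Squid box with the box's own address and the two intercept ports from squid.conf; a clean ruleset produces no output and exit status 0. The audit says nothing about NAT done on other machines, which the reply above rules out entirely: it can only see the rules on the box it reads. Separately, the posted squid.conf's `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` make Squid accept any upstream certificate on bumped connections, so clients behind it lose the server authentication TLS would otherwise give them.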

Re: [squid-users] Squid 3.5.13 transparent compiling fails with ubuntu 14.04 server

2016-01-29 Thread L . P . H . van Belle
> > ## 2) we added --enable-ssl , --with-open-ssl=/etc/ssl/openssl.cnf,
> 
> Neither of which is a valid ./configure option for Squid.

Not ? works perfect on debian. 
I took my info from : 
http://www.tonmann.com/2015/04/compile-squid-3-5-x-under-debian-jessie/


And these are all the Debian configure options. 

squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Debian linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie 
-Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' 
'--disable-arch-native' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--enable-ssl' 
'--with-open-ssl=/etc/ssl/openssl.cnf' '--enable-build-info=Debian linux' 
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE 
-pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security'


> > ##--enable-linux-netfilter' to the debian/rules in squid.
> >
> 
> Netfilter is a built-in part of Linux and auto-enabled by Squid. No need
> to build specially for it.
Thanks for this one, I'll test that out with 3.5.13 when it's in Debian SID.


Greetz, 

Louis


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Friday 29 January 2016 15:21
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.13 transparent compiling fails with
> ubuntu 14.04 server
> 
> On 30/01/2016 2:26 a.m., L.P.H. van Belle wrote:
> > This works on a debian Jessie, so to adapt this for ubuntu 14.04 should
> be simple.
> >
> > Have a look at what's done here, and change it to Ubuntu.
> >
> >
> >
> > I’ve put : ## CHECK THIS for Ubuntu  where you need to check things for
> Ubuntu.
> >
> >
> >
> > And with the check this, look at the version numbers and change
> accordingly.
> >
> >
> >
> > Greetz,
> >
> >
> >
> > Louis
> >
> >
> >
> >
> >
> > #!/bin/bash
> >
> >
> >
> > ## TEST DATE : 25-01-2016.
> >
> > ## a local (file) repo is setup,
> >
> > ## to make squid 3.5.12 from Debian SID work on Debian Jessie, the
> following ## is needed.
> >
> > ## 1) libecap depends on GCC 5.2, this is changed to 4.9 (Jessie
> version) ## (debian/control)
> >
> > ## 2) we added --enable-ssl , --with-open-ssl=/etc/ssl/openssl.cnf,
> 
> Neither of which is a valid ./configure option for Squid.
> 
> >
> > ##--enable-linux-netfilter' to the debian/rules in squid.
> >
> 
> Netfilter is a built-in part of Linux and auto-enabled by Squid. No need
> to build specially for it.
> 
> 
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] Squid 3.5.13 transparent compiling fails with ubuntu 14.04 server

2016-01-29 Thread Yuri Voinov

'--with-large-files'

is antagonistic to

'build_alias=x86_64-linux-gnu'


If you use a 64-bit native OS, you already have large files.

and

'--enable-async-io=8'

is too low for a real system with

'--with-filedescriptors=65536'

.

And, of course,

'--with-open-ssl=/etc/ssl/openssl.cnf'

is a wrong parameter. It must be:

'--with-openssl'

with the library dir specified if needed.

Are you really sure you understand all of the specified config parameters and
that they satisfy your real needs?

For example,

'--enable-zph-qos'

?

Do you really configure QoS on your active network equipment?


29.01.16 21:26, L.P.H. van Belle wrote:
>>> ## 2) we added --enable-ssl , --with-open-ssl=/etc/ssl/openssl.cnf,
>>
>> Neither of which is a valid ./configure option for Squid.
>
> Not ? works perfect on debian.

Re: [squid-users] Squid 3.5.13 transparent compiling fails with ubuntu 14.04 server

2016-01-29 Thread Amos Jeffries
On 30/01/2016 4:26 a.m., L.P.H. van Belle wrote:
>>> ## 2) we added --enable-ssl , --with-open-ssl=/etc/ssl/openssl.cnf,
>>
>> Neither of which is a valid ./configure option for Squid.
> 
> Not ? works perfect on debian. 

By "works perfect" I assume you mean autoconf doing its usual thing of
ignoring unknown options entirely.

--enable-ssl was replaced a while ago by --with-openssl (note the
single '-').

--with-open-ssl has never existed.


--with-openssl does take a "=PATH" optional component. However it is the
base path under which openssl was installed (/usr/...). Not the path to
a system configuration file (/etc/...).
On Debian if you are using the system OpenSSL *-dev package then you can
omit the PATH part and Squid will find the bits it needs automatically.


> I took my info from : 
> http://www.tonmann.com/2015/04/compile-squid-3-5-x-under-debian-jessie/
> 

The authoritative info on configure options for any given Squid release
is provided by "./configure --help".

Amos

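Because autoconf ignores options it does not know, a misspelled or long-removed option never fails the build; it silently produces a Squid without the feature you asked for. The check below is an added example, not code from this thread or from the Squid project: it compares a planned option list against saved `./configure --help` output and reports every `--enable-*`/`--with-*` option the help does not list, folding `--disable-x` and `--without-y` onto the `--enable-x`/`--with-y` form the help text uses. The embedded help excerpt is a constructed few lines in that format; run the function against the real output of the release you are building.

```shell
#!/bin/sh
# Added example (not from the thread): find the ./configure options in a planned
# build that the release's own "./configure --help" does not list. autoconf
# accepts and silently ignores unknown --enable-*/--with-* options, so a typo
# such as --with-open-ssl or a removed option such as --enable-ssl "works" only
# in the sense that the build completes without the feature you wanted.
# Usage: check_configure_options HELP_FILE [--option[=value] ...]
#   HELP_FILE holds saved output of "./configure --help".
# Prints each unknown option; the return value is the number of unknown options.
check_configure_options() {
    help=$1; shift
    # Option names the help text advertises, one per line, without "--".
    # --disable-x is --enable-x=no and --without-y is --with-y=no, so fold
    # both spellings onto the enable-/with- form the help text lists.
    known=$(grep -oE -- '--(enable|disable|with|without)-[A-Za-z0-9_-]+' "$help" \
            | sed -e 's/^--//' -e 's/^disable-/enable-/' -e 's/^without-/with-/' \
            | sort -u)
    n=0
    for opt in "$@"; do
        name=${opt#--}        # drop the leading dashes
        name=${name%%=*}      # drop any =VALUE
        case $name in
            disable-*) name=enable-${name#disable-} ;;
            without-*) name=with-${name#without-} ;;
        esac
        case $name in
            enable-*|with-*) ;;
            *) continue ;;    # --prefix, --build, CFLAGS=... are generic autoconf inputs
        esac
        if ! printf '%s\n' "$known" | grep -qxF -- "$name"; then
            echo "unknown: $opt"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed excerpt in the format of "./configure --help" (a real tree prints
# several hundred lines); save the real output with: ./configure --help > help.txt
write_sample_help() {
    cat > "$1" <<'EOF'
Optional Features:
  --enable-ssl-crtd       Prevent Squid from directly generating certificates
  --enable-linux-netfilter
                          Enable Transparent Proxy support for Linux
  --enable-async-io[=N_THREADS]
                          Shorthand for --with-aufs-threads=N_THREADS
  --enable-icap-client    Enable ICAP client features

Optional Packages:
  --with-openssl[=PATH]   Compile with the OpenSSL libraries
  --with-large-files      Enable support for large files
  --with-filedescriptors=NUMBER
                          Force squid to support NUMBER filedescriptors
EOF
}

demo=$(mktemp)
write_sample_help "$demo"
# The two options questioned above, next to the spellings the help lists.
check_configure_options "$demo" --prefix=/usr --enable-ssl \
    --with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter --with-openssl \
    || echo "unknown options: $?"
rm -f "$demo"
```

On the constructed help text the demo reports `--enable-ssl` and `--with-open-ssl=/etc/ssl/openssl.cnf` as unknown and exits with status 2, while `--enable-linux-netfilter` and `--with-openssl` pass. Generic autoconf inputs such as `--prefix` and `CFLAGS=...` are skipped on purpose; they are not feature switches and the help lists them in a different section.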


Re: [squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Yuri Voinov

Amos,

independent proxies are also supported by Cisco WCCP. For redundancy it can
group any number of transparent proxies.

WBR, Yuri

10.05.15 12:57, Amos Jeffries wrote:


[squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Ibrahim Lubis
Hi,

Most of us know about the tiered network
topology (access, aggregation/dist, core): from core then to firewall and then
to router. For redundancy there are usually 2 core and 2 firewall. I was
thinking of adding a transparent caching layer between core and firewall, just
adding squid boxes. Is it okay just adding 2 independent squid boxes or do I need
some sync between the squid boxes? What if I add not 2 but 6 and do
active-active on both core and firewall? Can anybody give me insight? Btw my
objective is to save some bandwidth on user internet access.

Thx


Re: [squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Amos Jeffries
On 10/05/2015 6:31 p.m., Ibrahim Lubis wrote:

Go with independent Squid boxes until you are happy that they are
operating properly and you know what's going on. The number of Squids does not
matter much, so long as each can handle the traffic load you put
through. If you are new to this, start with just one and put only a small
amount of the traffic through, then increase gradually until you need 2,
and so on.

Syncing between the Squid caches, and interception proxying, can each
have unwanted side effects. It's best to deal with those separately to
avoid confusion and troubles.


active-active on both core n firewall does not matter. You MUST NOT
perform destination-NAT (or TPROXY) on any machine other than the Squid
box receiving the TCP connection from client(s). The firewalls and core
only perform *routing* (perhaps over a tunnel) to get the TCP packets
to the right Squid box. This has the nice side effect of greatly
reducing the amount of data the firewalls need to sync.


Hints for beginners:

 Caching can make some traffic appear slower - all MISS and some REFRESH
transactions. There is extra packet processing done by the proxy and
latency getting the packets around. This is the tradeoff for bandwidth
saving. Super-fast HITs and traffic optimization can make up for that,
but not always.

Amos



Re: [squid-users] Squid as transparent in 'caching layer'

2015-05-10 Thread Ibrahim Lubis
Thx all for the info
On May 10, 2015 5:35 PM, Yuri Voinov yvoi...@gmail.com wrote:




[squid-users] Squid in transparent

2015-02-26 Thread Monah Baki
Hi all,

I have a client who has his Policy Based Routing as:

interface GigabitEthernet0/0/1.1 (route policy on the LAN interface)
ip policy route-map CFLOW

ip access-list extended REDIRECT (Redirect of my IP www)
deny   tcp host 10.0.0.24 any eq www
permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10  (route map)
match ip address REDIRECT
set ip next-hop 10.0.0.24



The 10.0.0.24 is my FreeBSD 10.1 running squid 3.5, with one interface,
10.0.0.23 is his laptop. The IP address of the Cisco is 10.0.0.9

I configured squid as:
./configure --prefix=/cache/squid --enable-follow-x-forwarded-for
--with-large-files --enable-ssl --disable-ipv6 --enable-esi
--enable-kill-parent-hack --enable-snmp --with-pthreads
--with-filedescriptors=65535 --enable-cachemgr-hostname=hostname
--enable-storeio=ufs,aufs,diskd,rock --enable-ipfw-transparent
--enable-pf-transparent

My squid.conf has the following;
# Squid normally listens to port 3128
http_port 3128 intercept
http_port 80 intercept
snmp_port 3401


If I remove the intercept and point a client browser at the squid, it
works. If I add the intercept, it does not work; I do not see any logs in
my access.log file.


Any help will be highly appreciated


Thanks
Monah


Re: [squid-users] Squid in transparent

2015-02-26 Thread Yuri Voinov
http://wiki.squid-cache.org/ConfigExamples/Intercept

26.02.15 23:12, Monah Baki wrote:


Re: [squid-users] Squid in transparent

2015-02-26 Thread Yuri Voinov
And if you see this:

--enable-ipfw-transparent
--enable-pf-transparent

I think this is xBSD. ;)

27.02.15 0:36, Eliezer Croitoru wrote:


Re: [squid-users] Squid in transparent

2015-02-26 Thread Yuri Voinov
:

Parity Check? ;) You need better RAM with ECC ;)

27.02.15 0:52, Eliezer Croitoru wrote:


Re: [squid-users] Squid in transparent

2015-02-26 Thread Eliezer Croitoru

On 26/02/2015 20:43, Yuri Voinov wrote:

Directly, Eliezer:)

His installation doesn't work. Somebody have forgotten about NAT;)


It happened to me many times and still happens to me here and there when 
the memory is getting old.


Eliezer


Re: [squid-users] Squid in transparent

2015-02-26 Thread Eliezer Croitoru

On 26/02/2015 19:12, Monah Baki wrote:

Hi all,

I have client who has his Policy Based Routing as:

interface GigabitEthernet0/0/1.1 (route policy on the LAN interface)

ip policy route-map CFLOW


Hey Monah,

How is it all related to squid?
What OS are you using for squid?

Eliezer


Re: [squid-users] Squid in transparent

2015-02-26 Thread Eliezer Croitoru

On 26/02/2015 20:53, Yuri Voinov wrote:

Parity Check?;)  You need better RAM with ECC;)


I have used ECC for a couple of months (7-8) but it used too many Watts.

Thanks,
Eliezer



Re: [squid-users] Squid in transparent

2015-02-26 Thread Yuri Voinov

Directly, Eliezer :)

His installation doesn't work. Somebody has forgotten about NAT ;)

27.02.15 0:36, Eliezer Croitoru wrote:


Re: [squid-users] Squid in transparent

2015-02-26 Thread Amos Jeffries
On 27/02/2015 7:44 a.m., Yuri Voinov wrote:
 And if you seen this:
 
 --enable-ipfw-transparent --enable-pf-transparent
 
 I think this is xBSD. ;)


And on FreeBSD also --with-nat-devpf


Amos