Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Sameh Onaissi 
That did it.

Again, Thanks Eliezer! I really appreciate it. 




> On Dec 20, 2016, at 11:20 AM, Eliezer Croitoru  wrote:
> 
> What I wrote is that you will need to put it as the first line in the 
> squid.conf file...
> But in your case you are using squidguard so you will need to add the next 
> lines in this order:
> url_rewrite_access deny localhost
> url_rewrite_access allow all
> 
> Eliezer
> 
> * Anthony thanks for pointing me to the squid.conf paste.
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Sameh Onaissi
> Sent: Tuesday, December 20, 2016 6:16 PM
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squidcliente stopped working!
> 
> Antony is right….
> 
> I have that line in my config file. That is my config that Antony posted 
> (http://pastebin.com/TQ8H6bRp), except I excluded the SMTP port as Amos 
> recommended.
> 
>> On Dec 20, 2016, at 11:11 AM, Antony Stone 
>>  wrote:
>> 
>> On Tuesday 20 December 2016 at 16:59:11, Eliezer Croitoru wrote:
>> 
>>> The issue is with acls and probably squidguard.
>>> You should add to the configuration something like:
>>> http_access allow localhost manager
>> 
>> Er, that line is already in his squid.conf
>> 
>>> and also another line that will deny localhost traffic from being 
>>> inspected. If the above as the first line doesn't sort it out I will 
>>> need squid.conf to understand what is causing it.
>> 
>> I think http://pastebin.com/TQ8H6bRp is what he is working with?
>> 
>> 
>> Antony.
>> 
>> --
>> The truth is rarely pure, and never simple.
>> 
>> - Oscar Wilde
>> 
>>  Please reply to the list;
>>please *don't* CC me.
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Eliezer Croitoru 
What I wrote is that you will need to put it as the first line in the 
squid.conf file...
But in your case you are using squidguard so you will need to add the next 
lines in this order:
url_rewrite_access deny localhost
url_rewrite_access allow all

Eliezer

* Anthony thanks for pointing me to the squid.conf paste.


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Sameh Onaissi
Sent: Tuesday, December 20, 2016 6:16 PM
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squidcliente stopped working!

Antony is right….

I have that line in my config file. That is my config that Antony posted 
(http://pastebin.com/TQ8H6bRp), except I excluded the SMTP port as Amos 
recommended.

> On Dec 20, 2016, at 11:11 AM, Antony Stone 
>  wrote:
> 
> On Tuesday 20 December 2016 at 16:59:11, Eliezer Croitoru wrote:
> 
>> The issue is with acls and probably squidguard.
>> You should add to the configuration something like:
>> http_access allow localhost manager
> 
> Er, that line is already in his squid.conf
> 
>> and also another line that will deny localhost traffic from being 
>> inspected. If the above as the first line doesn't sort it out I will 
>> need squid.conf to understand what is causing it.
> 
> I think http://pastebin.com/TQ8H6bRp is what he is working with?
> 
> 
> Antony.
> 
> --
> The truth is rarely pure, and never simple.
> 
> - Oscar Wilde
> 
>   Please reply to the list;
> please *don't* CC me.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Sameh Onaissi 
Antony is right….

I have that line in my config file. That is my config that Antony posted 
(http://pastebin.com/TQ8H6bRp), except I excluded the SMTP port as Amos 
recommended.

> On Dec 20, 2016, at 11:11 AM, Antony Stone 
>  wrote:
> 
> On Tuesday 20 December 2016 at 16:59:11, Eliezer Croitoru wrote:
> 
>> The issue is with acls and probably squidguard.
>> You should add to the configuration something like:
>> http_access allow localhost manager
> 
> Er, that line is already in his squid.conf
> 
>> and also another line that will deny localhost traffic from being
>> inspected. If the above as the first line doesn't sort it out I will need
>> squid.conf to understand what is causing it.
> 
> I think http://pastebin.com/TQ8H6bRp is what he is working with?
> 
> 
> Antony.
> 
> -- 
> The truth is rarely pure, and never simple.
> 
> - Oscar Wilde
> 
>   Please reply to the list;
> please *don't* CC me.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Antony Stone 
On Tuesday 20 December 2016 at 16:59:11, Eliezer Croitoru wrote:

> The issue is with acls and probably squidguard.
> You should add to the configuration something like:
> http_access allow localhost manager

Er, that line is already in his squid.conf

> and also another line that will deny localhost traffic from being
> inspected. If the above as the first line doesn't sort it out I will need
> squid.conf to understand what is causing it.

I think http://pastebin.com/TQ8H6bRp is what he is working with?


Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Eliezer Croitoru 
The issue is with acls and probably squidguard.
You should add to the configuration something like:
http_access allow localhost manager

and also another line that will deny localhost traffic from being inspected.
If the above as the first line doesn't sort it out I will need squid.conf to
understand what is causing it.
If you want to send the squid.conf privately feel free to do so.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: Sameh Onaissi [mailto:sameh.onai...@solcv.com] 
Sent: Tuesday, December 20, 2016 5:40 PM
To: Eliezer Croitoru 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squidcliente stopped working!

Hi Eliezer, 
Thanks for the reply.

changing /etc/hosts made no difference, the new log just showed the ipv4
localhost:

verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.22
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ... 
done.
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 15:42:07 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 225
X-Cache: HIT from http://squidpxy.domain.com
X-Cache-Lookup: HIT from http://squidpxy.domain.com:3128
Via: 1.1 http://squidpxy.domain.com (squid/3.5.22)
Connection: close






http://www.domain.com/squid/access_denied.jpg"; alt="Acceso
Denegado" style="width:704px;height:428px;">






curl just returns the html code of the access denied page.


On Dec 20, 2016, at 10:26 AM, Eliezer Croitoru <mailto:elie...@ngtech.co.il>
wrote:

curl http://localhost:3128/squid-internal-mgr/info


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Sameh Onaissi 
Hi Eliezer,
Thanks for the reply.

changing /etc/hosts made no difference, the new log just showed the ipv4 
localhost:

verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.22
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ...
done.
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 15:42:07 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 225
X-Cache: HIT from squidpxy.domain.com
X-Cache-Lookup: HIT from squidpxy.domain.com:3128
Via: 1.1 squidpxy.domain.com (squid/3.5.22)
Connection: close






http://www.domain.com/squid/access_denied.jpg"; alt="Acceso 
Denegado" style="width:704px;height:428px;">






curl just returns the html code of the access denied page.


On Dec 20, 2016, at 10:26 AM, Eliezer Croitoru 
mailto:elie...@ngtech.co.il>> wrote:

curl http://localhost:3128/squid-internal-mgr/info

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Eliezer Croitoru 
It looks like your acls are denying access to the localhost because it's trying 
to access the proxy using ipv6.
Try to comment the "::1 localhost" line from /etc/hosts and try to see if it's 
the same.
If it's still not working you will need to write couple rules at the top of the 
squid.conf files to allow manager interface access from localhost.
Also since squid 3.2 you have the option to use curl or any other tool to 
access the info pages without squid client which can help you.
Try the next:
# curl http://localhost:3128/squid-internal-mgr/info

And see what happens.
Also if you have some filtering solution in this squid setup you will need to 
make an exception from this inspection on connections for localhost(both ipv4 
and ipv6) since the admin doesn't need these restrictions.

Let me know about the results.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Sameh Onaissi
Sent: Tuesday, December 20, 2016 4:04 PM
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squidcliente stopped working!


On Dec 19, 2016, at 11:55 PM, Amos Jeffries <mailto:squ...@treenet.co.nz> wrote:

On 20/12/2016 9:52 a.m., Sameh Onaissi wrote:



On Dec 19, 2016, at 1:31 PM, Antony Stone wrote:

On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:


Hello,

I was using squid client to get cache stats, however this morning it
completely stopped working.


http://mydomainname.com/squid/access_denied.jpg";
alt="Acceso Denegado" style="width:704px;height:428px;">


the html code is the code of my redirect page whenever a client tries to
access a blacklisted website.

How big is your blacklist?  Could you show us what's in it?

Have you added the proxy itself to the whitelist?

The blacklist consistes of the ads, porn, socialnet and spyware lists of the BL 
list. 

I added both LAN and WAN IPs of the server to the whitelist but didn’t help.

What URL was being requested that got the above access denied response?

Use -vv parameter to squidclient and "debug_options 11,2" in squid.conf
to have the requests header logged and find that out.

This is what shows now:

verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.22
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
Connected to: localhost ([::1]:3128)
Sending HTTP request ... 
done.
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:03:46 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 103
X-Cache: HIT from http://squidpxy.domain.com
X-Cache-Lookup: HIT from http://squidpxy.domain.com:3128
Via: 1.1 http://squidpxy.domain.com (squid/3.5.22)
Connection: close






http://www.domain.com/squid/access_denied.jpg"; alt="Acceso 
Denegado" style="width:704px;height:428px;">





And in the access log:

1482242596.513  0 ::1 TCP_MEM_HIT/200 598 GET cache_object://localhost/info 
- HIER_NONE/- text/html








So, I changed my default acl setting in squid guard config file to pass all for 
now (I know it is not ideal), just to monitor the cache as I am trying to get 
the HIT ratio up. (currently only at 7.8%)

squid guard config: http://pastebin.com/bbe8CWLE

So your SG config just does basic IP, URL and time based allow or
redirect decisions.

I suggest you drop SG entirely and move that config into your squid.conf:


# Time rules
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time SA 00:00-24:00

# Source addresses
acl exempt src 10.0.0.90 10.0.0.167
acl youtubers src 10.0.0.1-10.0.0.4
acl localnet src 10.0.0.0/24

# Destination classes
acl blah_domains dstdomain "adv/domains"
acl blah_domains dstdomain "deny/domains"
acl blah_domains dstdomain "porn/domains"
acl blah_domains dstdomain "spyware/domains"
acl blah_domains dstdomain "socialnet/domains"

acl blah_urls dstdom_regex "adv/urls"
acl blah_urls dstdom_regex "deny/urls"
acl blah_urls dstdom_regex "porn/urls"
acl blah_urls dstdom_regex "spyware/urls"
acl blah_urls dstdom_regex "socialnet/urls"

acl stuff_always_blocked anyof blah_domains blah_urls

acl whitelist_domains dstdomain "whitelist/domains"
acl whitelist_urls dstdom_regex "whitelist/urls"
acl whitelist anyof whitelist_domains whitelist_urls
deny_info 302:http://example.com/squid/denegado.h

Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Sameh Onaissi 

On Dec 19, 2016, at 11:55 PM, Amos Jeffries 
mailto:squ...@treenet.co.nz>> wrote:

On 20/12/2016 9:52 a.m., Sameh Onaissi wrote:

On Dec 19, 2016, at 1:31 PM, Antony Stone wrote:

On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:

Hello,

I was using squid client to get cache stats, however this morning it
completely stopped working.

http://mydomainname.com/squid/access_denied.jpg";
alt="Acceso Denegado" style="width:704px;height:428px;">

the html code is the code of my redirect page whenever a client tries to
access a blacklisted website.

How big is your blacklist?  Could you show us what's in it?

Have you added the proxy itself to the whitelist?

The blacklist consistes of the ads, porn, socialnet and spyware lists of the BL 
list.

I added both LAN and WAN IPs of the server to the whitelist but didn’t help.


What URL was being requested that got the above access denied response?

Use -vv parameter to squidclient and "debug_options 11,2" in squid.conf
to have the requests header logged and find that out.

This is what shows now:

verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.22
Accept: */*
Connection: close


.
Transport detected: IPv4-mapped  and IPv6
Resolving localhost ...
Connecting... localhost ([::1]:3128)
Connected to: localhost ([::1]:3128)
Sending HTTP request ...
done.
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:03:46 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 103
X-Cache: HIT from squidpxy.domain.com
X-Cache-Lookup: HIT from squidpxy.domain.com:3128
Via: 1.1 squidpxy.domain.com (squid/3.5.22)
Connection: close






http://www.domain.com/squid/access_denied.jpg"; alt="Acceso 
Denegado" style="width:704px;height:428px;">




And in the access log:

1482242596.513  0 ::1 TCP_MEM_HIT/200 598 GET cache_object://localhost/info 
- HIER_NONE/- text/html






So, I changed my default acl setting in squid guard config file to pass all for 
now (I know it is not ideal), just to monitor the cache as I am trying to get 
the HIT ratio up. (currently only at 7.8%)

squid guard config: pastebin.com/bbe8CWLE


So your SG config just does basic IP, URL and time based allow or
redirect decisions.

I suggest you drop SG entirely and move that config into your squid.conf:


# Time rules
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time SA 00:00-24:00

# Source addresses
acl exempt src 10.0.0.90 10.0.0.167
acl youtubers src 10.0.0.1-10.0.0.4
acl localnet src 10.0.0.0/24

# Destination classes
acl blah_domains dstdomain "adv/domains"
acl blah_domains dstdomain "deny/domains"
acl blah_domains dstdomain "porn/domains"
acl blah_domains dstdomain "spyware/domains"
acl blah_domains dstdomain "socialnet/domains"

acl blah_urls dstdom_regex "adv/urls"
acl blah_urls dstdom_regex "deny/urls"
acl blah_urls dstdom_regex "porn/urls"
acl blah_urls dstdom_regex "spyware/urls"
acl blah_urls dstdom_regex "socialnet/urls"

acl stuff_always_blocked anyof blah_domains blah_urls

acl whitelist_domains dstdomain "whitelist/domains"
acl whitelist_urls dstdom_regex "whitelist/urls"
acl whitelist anyof whitelist_domains whitelist_urls
deny_info 302:http://example.com/squid/denegado.html whitelist

acl youtubers_domains dstdomain "socialnet/domains"
acl youtubers_urls dstdom_regex "adv/urls"
acl youtubers anyof youtubers_domains youtubers_urls
deny_info 302:http://example.com/squid/denegado.html youtubers

# Policies
http_access deny !localnet
deny_info 302:http://example.com/squid/denegado.html localnet

http_access allow exempt
http_access allow youtubers !stuff_always_blocked
http_access deny youtubers
http_access allow non-working-hours
http_access allow whitelist !stuff_always_blocked
http_access deny whitelist
http_access allow localnet

deny_info 302:http://example.com/squid/denegado.html all
http_access deny all




squid.conf: http://pastebin.com/TQ8H6bRp

Quote from your config:

acl Safe_ports port 587 #SMTP

Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near
an HTTP proxy.  Preventing what you have allowed to happen is one of the
primary reasons Safe_ports exists in the first place!”


The reason I allow 587 is because the Squid Proxy lives on the same
server as a mail server which needs this port, and several clients have
their mail clientes (Outlook..etc) already configured to use this port.

Bogus. You should know it is possible that two pieces of software can
run on one machine without interferring with each other.

Whether or not a mailserver exists on the same machine

Re: [squid-users] squidcliente stopped working!

2016-12-19 Thread Amos Jeffries 
On 20/12/2016 9:52 a.m., Sameh Onaissi wrote:
> 
>> On Dec 19, 2016, at 1:31 PM, Antony Stone wrote:
>>
>> On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:
>>
>>> Hello,
>>>
>>> I was using squid client to get cache stats, however this morning it
>>> completely stopped working.
>>
>>> http://mydomainname.com/squid/access_denied.jpg";
>>> alt="Acceso Denegado" style="width:704px;height:428px;">
>>
>>> the html code is the code of my redirect page whenever a client tries to
>>> access a blacklisted website.
>>
>> How big is your blacklist?  Could you show us what's in it?
>>
>> Have you added the proxy itself to the whitelist?
> 
> The blacklist consistes of the ads, porn, socialnet and spyware lists of the 
> BL list. 
> 
> I added both LAN and WAN IPs of the server to the whitelist but didn’t help.
> 

What URL was being requested that got the above access denied response?

Use -vv parameter to squidclient and "debug_options 11,2" in squid.conf
to have the requests header logged and find that out.


> So, I changed my default acl setting in squid guard config file to pass all 
> for now (I know it is not ideal), just to monitor the cache as I am trying to 
> get the HIT ratio up. (currently only at 7.8%)
>   
> squid guard config: pastebin.com/bbe8CWLE
> 

So your SG config just does basic IP, URL and time based allow or
redirect decisions.

I suggest you drop SG entirely and move that config into your squid.conf:


# Time rules
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time MTWHF 18:00-24:00 00:00-08:00
acl non-working-hours time SA 00:00-24:00

# Source addresses
acl exempt src 10.0.0.90 10.0.0.167
acl youtubers src 10.0.0.1-10.0.0.4
acl localnet src 10.0.0.0/24

# Destination classes
acl blah_domains dstdomain "adv/domains"
acl blah_domains dstdomain "deny/domains"
acl blah_domains dstdomain "porn/domains"
acl blah_domains dstdomain "spyware/domains"
acl blah_domains dstdomain "socialnet/domains"

acl blah_urls dstdom_regex "adv/urls"
acl blah_urls dstdom_regex "deny/urls"
acl blah_urls dstdom_regex "porn/urls"
acl blah_urls dstdom_regex "spyware/urls"
acl blah_urls dstdom_regex "socialnet/urls"

acl stuff_always_blocked anyof blah_domains blah_urls

acl whitelist_domains dstdomain "whitelist/domains"
acl whitelist_urls dstdom_regex "whitelist/urls"
acl whitelist anyof whitelist_domains whitelist_urls
deny_info 302:http://example.com/squid/denegado.html whitelist

acl youtubers_domains dstdomain "socialnet/domains"
acl youtubers_urls dstdom_regex "adv/urls"
acl youtubers anyof youtubers_domains youtubers_urls
deny_info 302:http://example.com/squid/denegado.html youtubers

# Policies
http_access deny !localnet
deny_info 302:http://example.com/squid/denegado.html localnet

http_access allow exempt
http_access allow youtubers !stuff_always_blocked
http_access deny youtubers
http_access allow non-working-hours
http_access allow whitelist !stuff_always_blocked
http_access deny whitelist
http_access allow localnet

deny_info 302:http://example.com/squid/denegado.html all
http_access deny all


> 
>>
>>> squid.conf: http://pastebin.com/TQ8H6bRp
>>
>> Quote from your config:
>>
>>  acl Safe_ports port 587 #SMTP
>>
>> Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near 
>> an HTTP proxy.  Preventing what you have allowed to happen is one of the 
>> primary reasons Safe_ports exists in the first place!”
> 

> The reason I allow 587 is because the Squid Proxy lives on the same
server as a mail server which needs this port, and several clients have
their mail clientes (Outlook..etc) already configured to use this port.

Bogus. You should know it is possible that two pieces of software can
run on one machine without interferring with each other.

Whether or not a mailserver exists on the same machine has nothing to do
with Squid.

Your mailserver itself should be using that port and controlling what
traffic can use it. *HTTP* traffic should never be allowed to flow from
the proxy software through to the mailserver software.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-19 Thread Sameh Onaissi 

> On Dec 19, 2016, at 1:31 PM, Antony Stone  
> wrote:
> 
> On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:
> 
>> Hello,
>> 
>> I was using squid client to get cache stats, however this morning it
>> completely stopped working.
> 
>> http://mydomainname.com/squid/access_denied.jpg";
>> alt="Acceso Denegado" style="width:704px;height:428px;">
> 
>> the html code is the code of my redirect page whenever a client tries to
>> access a blacklisted website.
> 
> How big is your blacklist?  Could you show us what's in it?
> 
> Have you added the proxy itself to the whitelist?

The blacklist consistes of the ads, porn, socialnet and spyware lists of the BL 
list. 

I added both LAN and WAN IPs of the server to the whitelist but didn’t help.

So, I changed my default acl setting in squid guard config file to pass all for 
now (I know it is not ideal), just to monitor the cache as I am trying to get 
the HIT ratio up. (currently only at 7.8%)

squid guard config: pastebin.com/bbe8CWLE



> 
>> squid.conf: http://pastebin.com/TQ8H6bRp
> 
> Quote from your config:
> 
>   acl Safe_ports port 587 #SMTP
> 
> Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near 
> an HTTP proxy.  Preventing what you have allowed to happen is one of the 
> primary reasons Safe_ports exists in the first place!”

The reason I allow 587 is because the Squid Proxy lives on the same server as a 
mail server which needs this port, and several clients have their mail clientes 
(Outlook..etc) already configured to use this port.

> 
> http://lists.squid-cache.org/pipermail/squid-users/2016-December/013776.html
> 
> By the way, what did you have to fix to prevent those public IP addresses 
> being 
> able to access your Squid proxy?

I basically let them get blocked by squid for a day or two and they stopped. I 
just allowed LAN source IPs.

> 
> http://lists.squid-cache.org/pipermail/squid-users/2016-December/013764.html
> 
> 
> Antony.
> 
> -- 
> Pavlov is in the pub enjoying a pint.
> The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
> forgot to feed the dog!"
> 
>   Please reply to the list;
> please *don't* CC me.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-19 Thread Antony Stone 
On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:

> Hello,
> 
> I was using squid client to get cache stats, however this morning it
> completely stopped working.

> http://mydomainname.com/squid/access_denied.jpg";
> alt="Acceso Denegado" style="width:704px;height:428px;">

> the html code is the code of my redirect page whenever a client tries to
> access a blacklisted website.

How big is your blacklist?  Could you show us what's in it?

Have you added the proxy itself to the whitelist?

> squid.conf: http://pastebin.com/TQ8H6bRp

Quote from your config:

acl Safe_ports port 587 #SMTP

Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near 
an HTTP proxy.  Preventing what you have allowed to happen is one of the 
primary reasons Safe_ports exists in the first place!"

http://lists.squid-cache.org/pipermail/squid-users/2016-December/013776.html

By the way, what did you have to fix to prevent those public IP addresses being 
able to access your Squid proxy?

http://lists.squid-cache.org/pipermail/squid-users/2016-December/013764.html


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squidcliente stopped working!

2016-12-19 Thread Alex Rousskov 
On 12/19/2016 09:44 AM, Sameh Onaissi wrote:
> squid client returns numbers based on traffic on 3128 by default right?

No, the above statement is incorrect. The cache manager interface
reports whole-Squid statistics by default, including all listening ports.

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] squidcliente stopped working!

2016-12-19 Thread Sameh Onaissi 
Hello,

I was using squid client to get cache stats, however this morning it completely 
stopped working.


When I run squidclient mgr:info I get the following

HTTP/1.1 200 OK
Date: Mon, 19 Dec 2016 16:33:44 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 539
X-Cache: HIT from hostname
X-Cache-Lookup: HIT from hostname:3128
Via: 1.1 hostname (squid/3.5.22)
Connection: close






http://mydomainname.com/squid/access_denied.jpg"; alt="Acceso 
Denegado" style="width:704px;height:428px;">





the html code is the code of my redirect page whenever a client tries to access 
a blacklisted website.

squid.conf: http://pastebin.com/TQ8H6bRp

Any idea how to fix this?


ON SIDE NOTE:
squid client returns numbers based on traffic on 3128 by default right? but in 
my intercept, I have https traffic going through 3127 and ssl-bump on port 
3129. How can I account for all traffic being cached?

Thanks you!
Sam
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] squidcliente stopped working!

2016-12-19 Thread Sameh Onaissi 
Hello,

I was using squid client to get cache stats, however this morning it completely 
stopped working.


When I run squidclient mgr:info I get the following

HTTP/1.1 200 OK
Date: Mon, 19 Dec 2016 16:33:44 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 25 Nov 2016 16:55:22 GMT
ETag: "bd-54222fce80317"
Accept-Ranges: bytes
Content-Length: 189
Vary: Accept-Encoding
Content-Type: text/html
Age: 539
X-Cache: HIT from hostname
X-Cache-Lookup: HIT from hostname:3128
Via: 1.1 hostname (squid/3.5.22)
Connection: close






http://mydomainname.com/squid/access_denied.jpg"; alt="Acceso 
Denegado" style="width:704px;height:428px;">





the html code is the code of my redirect page whenever a client tries to access 
a blacklisted website.

squid.conf:
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users