Re: [squid-users] (no subject)

2022-04-20 Thread Alex Rousskov

On 4/20/22 16:05, Zaheer Shaikh wrote:
> let me try setting up https.
> Is a private key needed for tls-cert bundle?


Yes, it is needed, either in the tls-cert bundle or in the tls-key=file. 
See https_port documentation for details.


You are setting up an HTTPS forward proxy (as far as this https_port is 
concerned). For a TLS client to trust such a proxy, the proxy must 
identify itself (and sign traffic) with a trusted (by the client) 
certificate. Doing so naturally requires the proxy to possess the 
matching private certificate key. This aspect is similar to how an HTTPS 
server identifies itself to TLS clients.



HTH,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] (no subject)

2022-04-19 Thread Alex Rousskov

On 4/19/22 16:12, Zaheer Shaikh wrote:
> we are struggling to get it working with cert based authentication.
>
> Certs are in p12 format.


You may need to convert the port certificate and its key to PEM format:
https://stackoverflow.com/a/15144560



> http_port 3128


Client certificate authentication works over TLS. Your Squid must listen 
on https_port and your clients must connect using TLS. For example:


 https_port 3443 \
 tls-cert=/this/port/server/cert/key/and/bundle.pem \
 clientca=/CA/certificates/to/check/clients.pem

The tls-cert bundle should contain the private certificate key for the 
Squid listening port, the public certificate for that port, and any 
necessary intermediate CA certificates that signed that public certificate.



HTH,

Alex.
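A small pre-flight check for the PEM material described in the two replies above (a private key either in the tls-cert bundle or in tls-key=, plus the port certificate and its intermediates). This is an added example, not Squid's own code: it assumes the Squid 4+ option names used here and only inspects PEM block labels, so it does not prove that the key matches the certificate.

```python
"""Check the PEM material for a Squid https_port before starting Squid.

Added illustration, not Squid's own code. It assumes the option names used
in the thread (tls-cert=FILE, optional tls-key=FILE) and only inspects PEM
block labels: it does not validate signatures or confirm that the private
key matches the certificate.
"""
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
# Labels OpenSSL writes for unencrypted private keys in PEM files.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Return the BEGIN labels of all PEM blocks in text, in file order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(text)]


def check_https_port_material(tls_cert_text, tls_key_text=None):
    """Return a list of problems; an empty list means the material looks usable.

    Rules, following the replies above:
      * the bundle must contain the port's own certificate;
      * a private key must be present, either in the bundle or in tls-key=;
      * exactly one private key is expected in total;
      * additional CERTIFICATE blocks are taken to be the intermediate chain.
    """
    problems = []
    bundle = pem_labels(tls_cert_text)
    key_file = pem_labels(tls_key_text) if tls_key_text else []
    keys = [label for label in bundle + key_file if label in KEY_LABELS]
    certs = [label for label in bundle if label == "CERTIFICATE"]
    if not certs:
        problems.append("tls-cert bundle has no CERTIFICATE block (the port's own certificate)")
    if not keys:
        problems.append("no private key found: put it in the tls-cert bundle or in tls-key=")
    elif len(keys) > 1:
        problems.append(f"{len(keys)} private keys supplied; exactly one is expected")
    for label in bundle:
        if label not in KEY_LABELS and label != "CERTIFICATE":
            problems.append(f"unexpected PEM block in bundle: {label}")
    for label in key_file:
        if label not in KEY_LABELS:
            problems.append(f"unexpected PEM block in key file: {label}")
    return problems


def describe_bundle(tls_cert_text):
    """Summarize a bundle as (number of private keys, number of certificates)."""
    labels = pem_labels(tls_cert_text)
    return (sum(1 for label in labels if label in KEY_LABELS),
            sum(1 for label in labels if label == "CERTIFICATE"))


def _pem(label):
    # Constructed placeholder block: the body is not real key or certificate data.
    return f"-----BEGIN {label}-----\nMIIBPLACEHOLDER\n-----END {label}-----\n"


# Constructed samples standing in for files produced by a PKCS#12 conversion such as
# `openssl pkcs12 -in port.p12 -out bundle.pem -nodes` (the conversion the reply links to).
BUNDLE_WITH_KEY = _pem("PRIVATE KEY") + _pem("CERTIFICATE") + _pem("CERTIFICATE")
BUNDLE_CERT_ONLY = _pem("CERTIFICATE") + _pem("CERTIFICATE")
SEPARATE_KEY = _pem("RSA PRIVATE KEY")

if __name__ == "__main__":
    for name, bundle, key in (("bundle with key", BUNDLE_WITH_KEY, None),
                              ("cert-only bundle", BUNDLE_CERT_ONLY, None),
                              ("cert-only bundle + tls-key", BUNDLE_CERT_ONLY, SEPARATE_KEY)):
        print(name, "->", check_https_port_material(bundle, key) or "ok")
```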


Re: [squid-users] (no subject)

2019-10-23 Thread Vieri Di Paola
On Wed, Oct 23, 2019 at 1:06 PM Amos Jeffries  wrote:
>
> First problem with these rules is they depend on an IP address. IP is
> the one detail guaranteed not to match properly when TPROXY spoofing is
> going on.

Thank you for giving me clues.
Actually, my whole setup was OK except for one detail.
Where I specify only "10.215.144.48" for TProxy, I needed to also add
the public IP addresses of my 3 ppp links to Internet, ie. the "inet"
values that are shown with:
# ip a s ppp1
# ip a s ppp2
# ip a s ppp3

I don't know how to avoid that. However, it's not a big deal because
they are static addresses.

Thanks again,

Vieri


Re: [squid-users] (no subject)

2019-10-23 Thread Amos Jeffries
On 23/10/19 1:23 am, Vieri Di Paola wrote:
> On Tue, Oct 22, 2019 at 1:48 PM Amos Jeffries wrote:
>>
>> I do not see any DIVERT rule at all in your firewall config dump. That
>> is at least part of the problem.
> 
> I opened the previous dump and saw the divert rules here below:
> 
> Chain PREROUTING (policy ACCEPT 573K packets, 462M bytes)
>  pkts bytes target prot opt in out source
> destination
>  573K  462M CONNMARK   all  --  *  *   0.0.0.0/0
> 0.0.0.0/0CONNMARK restore mask 0xff
>  1213  181K routemark  all  --  ppp1   *   0.0.0.0/0
> 0.0.0.0/0mark match 0x0/0xff
>  3195  308K routemark  all  --  ppp2   *   0.0.0.0/0
> 0.0.0.0/0mark match 0x0/0xff
>  1320 79360 routemark  all  --  ppp3   *   0.0.0.0/0
> 0.0.0.0/0mark match 0x0/0xff
>  311K  277M tcpre  all  --  *  *   0.0.0.0/0
> 0.0.0.0/0mark match 0x0/0xff
> 0 0 divert tcp  --  ppp1   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
> --transparent
> 0 0 divert tcp  --  ppp2   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
> --transparent
> 0 0 divert tcp  --  ppp3   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
> --transparent
>76  7484 TPROXY tcp  --  enp10s0 *   10.215.144.48
> 0.0.0.0/0tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark
> 0x200/0x200
> 0 0 divert tcp  --  ppp1   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
> --transparent
> 0 0 divert tcp  --  ppp2   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
> --transparent
> 0 0 divert tcp  --  ppp3   *   0.0.0.0/0
> 10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
> --transparent
>10  1060 TPROXY tcp  --  enp10s0 *   10.215.144.48
> 0.0.0.0/0tcp dpt:443 TPROXY redirect 0.0.0.0:3130 mark
> 0x200/0x200
> 
> Aren't these the DIVERT rules you are referring to?
> 


Oh, case sensitivity. I was grep'ing for the upper case chain name.

So you have a 'divert' chain.

First problem with these rules is they depend on an IP address. IP is
the one detail guaranteed not to match properly when TPROXY spoofing is
going on.

Second problem is that they also depend on a source port number of 80 or
443. The traffic needing to be marked comes from both directions, so
this will break half the traffic flow.


Third is that you are using the --transparent option. If I am
understanding it correctly, that will cause the connections out of Squid
(which are marked as transparent) to skip divert action and hit the
TPROXY intercept all over again - infinite loop.

Amos
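As an added example (not code from the thread or from Squid), a small linter that reads an `iptables -t mangle -L PREROUTING -v -n` listing and flags, for every rule jumping to the divert chain, the three problems named above. The first sample listing is reconstructed from the dump quoted in this thread, re-joined onto single lines; the second is a constructed listing in which the divert rule matches on `-m socket` alone, which is an assumption about the intended shape, not something the thread shows.

```python
"""Lint an `iptables -t mangle -L PREROUTING -v -n` listing for the TPROXY
pitfalls named in the reply above. Added illustration, not Squid code.
"""
import re

# Column layout of a counters-on (-v) numeric (-n) listing:
#   pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
ANY = "0.0.0.0/0"


def parse_rules(listing):
    """Return one dict per rule line, skipping the 'Chain' and column-header lines."""
    rules = []
    for line in listing.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Chain") or stripped.startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def lint_divert_rules(listing, divert_chain="divert"):
    """Return (rule_index, message) for each weakness in rules jumping to divert_chain.

    The three checks mirror the reply: TPROXY-spoofed packets carry the client's
    address, so a fixed IP match is exactly what fails; a source-port match only
    catches one direction of the flow; and `-m socket --transparent` lets Squid's
    own outgoing connections bypass the divert action and re-enter the TPROXY rule.
    """
    findings = []
    for i, r in enumerate(parse_rules(listing)):
        if r["target"] != divert_chain:
            continue
        if r["src"] != ANY or r["dst"] != ANY:
            findings.append((i, f"matches a fixed address ({r['src']} -> {r['dst']})"))
        if re.search(r"\bspt:", r["extra"]):
            findings.append((i, "matches a source port; the other direction of the flow is missed"))
        if "--transparent" in r["extra"]:
            findings.append((i, "uses -m socket --transparent; Squid's outgoing connections skip divert"))
    return findings


# Reconstructed from the listing quoted in this thread, re-joined onto single lines.
POSTED_LISTING = """\
Chain PREROUTING (policy ACCEPT 573K packets, 462M bytes)
 pkts bytes target     prot opt in     out     source               destination
 573K  462M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff
 1213  181K routemark  all  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
    0     0 divert     tcp  --  ppp1   *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:80 flags:!0x17/0x02 socket --transparent
   76  7484 TPROXY     tcp  --  enp10s0 *      10.215.144.48        0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x200/0x200
    0     0 divert     tcp  --  ppp1   *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:443 flags:!0x17/0x02 socket --transparent
"""

# Constructed (assumed) listing: the divert rule matches on `-m socket` alone,
# with no address, interface or port condition.
CLEAN_LISTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    0     0 TPROXY     tcp  --  enp10s0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

if __name__ == "__main__":
    for index, message in lint_divert_rules(POSTED_LISTING):
        print(f"rule {index}: {message}")
```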


Re: [squid-users] (no subject)

2019-10-22 Thread Vieri Di Paola
On Tue, Oct 22, 2019 at 1:48 PM Amos Jeffries  wrote:
>
> I do not see any DIVERT rule at all in your firewall config dump. That
> is at least part of the problem.

I opened the previous dump and saw the divert rules here below:

Chain PREROUTING (policy ACCEPT 573K packets, 462M bytes)
 pkts bytes target prot opt in out source
destination
 573K  462M CONNMARK   all  --  *  *   0.0.0.0/0
0.0.0.0/0CONNMARK restore mask 0xff
 1213  181K routemark  all  --  ppp1   *   0.0.0.0/0
0.0.0.0/0mark match 0x0/0xff
 3195  308K routemark  all  --  ppp2   *   0.0.0.0/0
0.0.0.0/0mark match 0x0/0xff
 1320 79360 routemark  all  --  ppp3   *   0.0.0.0/0
0.0.0.0/0mark match 0x0/0xff
 311K  277M tcpre  all  --  *  *   0.0.0.0/0
0.0.0.0/0mark match 0x0/0xff
0 0 divert tcp  --  ppp1   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
--transparent
0 0 divert tcp  --  ppp2   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
--transparent
0 0 divert tcp  --  ppp3   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:80 flags:!0x17/0x02 socket
--transparent
   76  7484 TPROXY tcp  --  enp10s0 *   10.215.144.48
0.0.0.0/0tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark
0x200/0x200
0 0 divert tcp  --  ppp1   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
--transparent
0 0 divert tcp  --  ppp2   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
--transparent
0 0 divert tcp  --  ppp3   *   0.0.0.0/0
10.215.144.48   [goto]  tcp spt:443 flags:!0x17/0x02 socket
--transparent
   10  1060 TPROXY tcp  --  enp10s0 *   10.215.144.48
0.0.0.0/0tcp dpt:443 TPROXY redirect 0.0.0.0:3130 mark
0x200/0x200

Aren't these the DIVERT rules you are referring to?


Re: [squid-users] (no subject)

2019-10-22 Thread Vieri Di Paola
On Tue, Oct 22, 2019 at 1:48 PM Amos Jeffries  wrote:
>
> On 22/10/19 11:22 pm, Vieri Di Paola wrote:
> >
> > I use Shorewall on this system. This program configures iptables and 
> > routing.
> > I dumped all the network information while trying to access port 80 on
> > host with IP addr. 104.113.250.104 from local host with IP addr.
> > 10.215.144.48:
> I do not see any DIVERT rule at all in your firewall config dump. That
> is at least part of the problem.

I don't know why... I must have taken the wrong dump. Here's a new one
I just tested:

https://drive.google.com/file/d/1iqIU8SrvmOfSHs7wv2tjLLx1DXWNrP8h/view?usp=sharing

> Have you run through the notes and troubleshooting checks on the TPROXY
> feature page?
> 

Yes, but I'm obviously overlooking something.
I'll work on it.

Thanks,

Vieri


Re: [squid-users] (no subject)

2019-10-22 Thread Amos Jeffries
On 22/10/19 11:22 pm, Vieri Di Paola wrote:
> 
> I use Shorewall on this system. This program configures iptables and routing.
> I dumped all the network information while trying to access port 80 on
> host with IP addr. 104.113.250.104 from local host with IP addr.
> 10.215.144.48:


I do not see any DIVERT rule at all in your firewall config dump. That
is at least part of the problem.

Have you run through the notes and troubleshooting checks on the TPROXY
feature page?



Amos


Re: [squid-users] (no subject)

2019-10-22 Thread Vieri Di Paola
Hi,

On Fri, Oct 18, 2019 at 10:13 PM Amos Jeffries  wrote:
>
> If you are able to share your config maybe we could help spot something,
> both for that and for the timeout issue.

I prepared and tested a trimmed-down squid conf:

# cat squid.conf
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130

http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem \
    sslflags=NO_DEFAULT_CA
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

cache_dir diskd /var/cache/squid 32 16 256

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

acl good_useragents req_header User-Agent Firefox/
acl good_useragents req_header User-Agent Edge/
acl good_useragents req_header User-Agent Microsoft-CryptoAPI/

http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

http_access allow CONNECT interceptedssl SSL_ports
http_access deny !good_useragents

http_access allow localnet

debug_options rotate=1 ALL,9

reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all

email_err_data on
client_lifetime 480 minutes

httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for transparent

cache_mem 32 MB

max_filedescriptors 65536
icap_service_failure_limit -1
icap_persistent_connections off

http_access allow localhost

http_access deny all

coredump_dir /var/cache/squid

refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320

> You said Squid used TPROXY. The spoofing of packets causes a different
> set of routing tables and rules to be applied than normal server
> outgoing traffic.

I use Shorewall on this system. This program configures iptables and routing.
I dumped all the network information while trying to access port 80 on
host with IP addr. 104.113.250.104 from local host with IP addr.
10.215.144.48:
https://drive.google.com/file/d/13Pr2OCgCInY6E72krCci9BiHrB1lrMce/view?usp=sharing

> Looks like Squid is doing everything right and the issues is somewhere
> between the TCP SYN send and SYN ACK returning.

I suspect there must be something wrong with my routing or marking
(please see dump).

Thanks,

Vieri


Re: [squid-users] (no subject)

2019-10-18 Thread Amos Jeffries
On 19/10/19 1:21 am, Vieri Di Paola wrote:
> On Fri, Oct 11, 2019 at 3:50 PM Amos Jeffries wrote:
>>
>> Note that this last entry is about a connection to port 443, whereas the
>> rest of the log is all about traffic to port 80.
>>>
>>> The Squid machine has no issues if I browse the web from command line,
>>> eg. 'links http://www.linuxheadquarters.com' works fine.
>>>
>>> What should I be looking for?
>>
>> TCP/IP level packet routing. Squid is trying to open a TCP connection to
>> that "remote=" server. TCP SYN is sent, and then ... ... ... nothing.
> 
> I noticed the ":80 to :443" flaw in the log, and I don't know why this
> shows up if it's not a redirection.

If you are able to share your config maybe we could help spot something,
both for that and for the timeout issue.


> So I did another test to another destination, and I tried to connect
> to host with IP addr. 104.113.250.104 on port 80.
> Now the log is consistent, but I'm still getting the same connection
> timeout even though I can connect without any issues with an HTTP
> client from the Squid machine itself. If it were a packet routing
> issue, wouldn't the connection time out also with this HTTP client on
> the server itself?

You said Squid used TPROXY. The spoofing of packets causes a different
set of routing tables and rules to be applied than normal server
outgoing traffic.

> 
> Do you see anything fishy in the squid log I've pasted below?
> 

Looks like Squid is doing everything right and the issue is somewhere
between the TCP SYN send and SYN ACK returning.


Amos


Re: [squid-users] (no subject)

2019-10-18 Thread Vieri Di Paola
On Fri, Oct 11, 2019 at 3:50 PM Amos Jeffries  wrote:
>
> Note that this last entry is about a connection to port 443, whereas the
> rest of the log is all about traffic to port 80.
> >
> > The Squid machine has no issues if I browse the web from command line,
> > eg. 'links http://www.linuxheadquarters.com' works fine.
> >
> > What should I be looking for?
>
> TCP/IP level packet routing. Squid is trying to open a TCP connection to
> that "remote=" server. TCP SYN is sent, and then ... ... ... nothing.

I noticed the ":80 to :443" flaw in the log, and I don't know why this
shows up if it's not a redirection.
So I did another test to another destination, and I tried to connect
to host with IP addr. 104.113.250.104 on port 80.
Now the log is consistent, but I'm still getting the same connection
timeout even though I can connect without any issues with an HTTP
client from the Squid machine itself. If it were a packet routing
issue, wouldn't the connection time out also with this HTTP client on
the server itself?

Do you see anything fishy in the squid log I've pasted below?

https://pastebin.com/yJZYw28A

Thanks again,

Vieri


Re: [squid-users] (no subject)

2019-10-11 Thread Amos Jeffries
On 12/10/19 2:35 am, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to connect from a LAN client with IP addr. 10.215.144.48 to
> a web server through Squid 3 + Tproxy.
> 
> As you can see from the logs here below, there seems to be a timeout:
> 
> https://pastebin.com/2Jka4es1

That log contains only a few lines of actual relevance to the problem:

2019/10/11 15:13:48.003 kid1| 5,5| comm.cc(1574) checkTimeouts:
checkTimeouts: FD 14 Expired
2019/10/11 15:13:48.003 kid1| 5,5| comm.cc(1577) checkTimeouts:
checkTimeouts: FD 14: Call timeout handler
2019/10/11 15:13:48.003 kid1| 5,4| AsyncCall.cc(93) ScheduleCall:
comm.cc(1580) will call Comm::ConnOpener::timeout(local=10.215.144.48
remote=172.217.17.5:443 flags=25, data=0x149ac58) [call7547]
2019/10/11 15:13:48.023 kid1| 5,4| AsyncCallQueue.cc(55) fireNext:
entering Comm::ConnOpener::timeout(local=10.215.144.48
remote=172.217.17.5:443 flags=25, data=0x149ac58)
2019/10/11 15:13:48.023 kid1| 5,4| AsyncCall.cc(38) make: make call
Comm::ConnOpener::timeout [call7547]
2019/10/11 15:13:48.023 kid1| 45,9| cbdata.cc(492) cbdataReferenceValid:
0x149ac58
2019/10/11 15:13:48.023 kid1| 45,9| cbdata.cc(492) cbdataReferenceValid:
0x149ac58
2019/10/11 15:13:48.023 kid1| 45,9| cbdata.cc(492) cbdataReferenceValid:
0x149ac58
2019/10/11 15:13:48.023 kid1| 45,9| cbdata.cc(492) cbdataReferenceValid:
0x149ac58
2019/10/11 15:13:48.023 kid1| 5,4| AsyncJob.cc(123) callStart:
Comm::ConnOpener status in: [ job929]
2019/10/11 15:13:48.023 kid1| 45,9| cbdata.cc(492) cbdataReferenceValid:
0x149ac58
2019/10/11 15:13:48.023 kid1| 5,5| ConnOpener.cc(442) timeout:
local=10.215.144.48 remote=172.217.17.5:443 flags=25: * - ERR took too
long to receive response.


Note that this last entry is about a connection to port 443, whereas the
rest of the log is all about traffic to port 80.


> 
> The Squid machine has no issues if I browse the web from command line,
> eg. 'links http://www.linuxheadquarters.com' works fine.
> 
> What should I be looking for?

TCP/IP level packet routing. Squid is trying to open a TCP connection to
that "remote=" server. TCP SYN is sent, and then ... ... ... nothing.


Amos
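An added example, not part of the thread: a cache.log filter that pulls out the Comm::ConnOpener timeout entries (the lines picked out above) and reports which remote ports appear only on the timeout path, the ":80 log, :443 timeout" mismatch noted in the reply. The port-80 lines in the sample are constructed; the port-443 lines are the excerpt's own entries re-joined onto single lines.

```python
"""Summarize Comm::ConnOpener connect timeouts in a Squid cache.log excerpt.
Added illustration, not Squid code; the regexes follow the line shapes in the
excerpt above and assume one log entry per line (cache.log is not wrapped).
"""
import re
from collections import Counter

# Any line on the connect-timeout path, including the AsyncCall scheduling
# lines that precede the final ConnOpener.cc timeout entry.
TIMEOUT_CONTEXT_RE = re.compile(r"ConnOpener::timeout|ConnOpener\.cc\(\d+\) timeout:")
# The final entry: "ConnOpener.cc(442) timeout: local=A remote=B:443 flags=25: * - ERR took too long ..."
TIMEOUT_ENTRY_RE = re.compile(
    r"ConnOpener\.cc\(\d+\) timeout: local=(?P<local>\S+) remote=(?P<remote>\S+) flags=\d+:"
)
# remote=host:port as printed by Squid, with IPv6 hosts in brackets.
REMOTE_RE = re.compile(r"remote=(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d+)")


def connect_timeouts(lines):
    """Count timed-out connection attempts per (local, remote) pair.

    With TPROXY the local= address is the spoofed LAN client address: the SYN
    leaves with that source and the SYN-ACK must be routed back to the proxy
    host, so a timeout here points at the outbound or return path, not at Squid.
    """
    counts = Counter()
    for line in lines:
        m = TIMEOUT_ENTRY_RE.search(line)
        if m:
            counts[(m.group("local"), m.group("remote"))] += 1
    return counts


def ports_by_kind(lines):
    """Return (remote ports seen on the timeout path, remote ports seen elsewhere)."""
    timeout_ports, other_ports = set(), set()
    for line in lines:
        m = REMOTE_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        if TIMEOUT_CONTEXT_RE.search(line):
            timeout_ports.add(port)
        else:
            other_ports.add(port)
    return timeout_ports, other_ports


def timeout_report(lines):
    """Timeouts per peer, plus remote ports that appear only in timeout entries
    (the observation above: a :443 timeout in a log otherwise about :80)."""
    timeout_ports, other_ports = ports_by_kind(lines)
    return {
        "timeouts": dict(connect_timeouts(lines)),
        "ports_only_in_timeouts": sorted(timeout_ports - other_ports),
    }


SAMPLE_LOG = [
    # Constructed port-80 lines in the shape of the excerpt (not real log output).
    "2019/10/11 15:13:17.900 kid1| 5,4| AsyncCall.cc(93) ScheduleCall: comm.cc(1580) will call "
    "Comm::ConnOpener::connected(local=10.215.144.48 remote=104.113.250.104:80 flags=25, data=0x149a100) [call7501]",
    "2019/10/11 15:13:17.901 kid1| 5,5| ConnOpener.cc(365) start: local=10.215.144.48 remote=104.113.250.104:80 flags=25",
    # The timeout entries from the excerpt above, re-joined onto single lines.
    "2019/10/11 15:13:48.003 kid1| 5,4| AsyncCall.cc(93) ScheduleCall: comm.cc(1580) will call "
    "Comm::ConnOpener::timeout(local=10.215.144.48 remote=172.217.17.5:443 flags=25, data=0x149ac58) [call7547]",
    "2019/10/11 15:13:48.023 kid1| 5,5| ConnOpener.cc(442) timeout: local=10.215.144.48 "
    "remote=172.217.17.5:443 flags=25: * - ERR took too long to receive response.",
]

if __name__ == "__main__":
    print(timeout_report(SAMPLE_LOG))
```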


Re: [squid-users] (no subject)

2019-10-02 Thread Alex Rousskov
On 10/2/19 7:49 AM, Matus UHLAR - fantomas wrote:
> Hello,
> 
> We have recently upgraded debian 9/squid 3.5.23 to debian 10/squid 4.6
> 
> Since then, we see many errors like these:
> 
> 1569967208.535   3651 192.168.aa.bbb TCP_TUNNEL_ABORTED/200 7200 CONNECT
> arc.msn.com:443 - HIER_DIRECT/52.229.207.60 -
> 1569967212.488 170668 192.168.cc.ddd TCP_TUNNEL_ABORTED/200 1979 CONNECT
> play.google.com:443 - HIER_DIRECT/216.58.201.110 -

> Is there anything that could cause high number of these errors?

Yes, bug fixes (e.g., logging transactions that were never logged
before) and/or new bugs (e.g., stuck transactions).

Alex.


Re: [squid-users] (no subject)

2018-08-31 Thread Antony Stone
On Friday 31 August 2018 at 10:59:03, Денис Степанов wrote:

> Good day!
> I have a problem with Squid-3.5.27: after working for 15-20 minutes a
> problem appears with SubjectAlternativeName for any HTTPS website (for
> more details see
> https://forum.netgate.com/topic/134054/squid-3-5-27-ssl-custom-works-few-minutes-mitm-breakdown ).
> P.S. I can attach logs of the last 5 minutes of Squid's working and the config file in
> the next message.
> 
> P.P.S. I was writing such a message a few times with attached files, but I
> think that it was dropped by antispam filters.

Making sure you have a Subject line would be a good start to dealing with that 
problem.


Antony.

-- 
Don't procrastinate - put it off until tomorrow.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] (no subject)

2018-07-13 Thread Amos Jeffries
On 14/07/18 12:34, Krystyna Niesiołowska wrote:
> Hi All,
> 
> In my company, the HR uses an outsourced SaaS (on a unique public IP)
> configured with a commercial SSL certificate (i.e. I have both the
> private and the public key) accessed by our employees via a subdomain of
> our company domain (saas.company.com)  .
> Unfortunately, we cannot control the data being transferred by the HR
> people and because of the GDPR the board wants to be able to get alerts
> if anyone tries to transfer personal data to the cloud + a general
> channel to check against any data exfiltration.
> 
> 
> My idea is to route all traffic going to saas.company.com via a box
> running Squid with SSL interception.
> I would like to install the same cert as the one used with the SaaS.
> This is to avoid the need of installing any additional certs on users'
> machines. Unfortunately, I cannot find an option to set Squid with a
> single commercial cert instead of a CA (commonly used to intercept and
> generate individual certs for all of the SSL traffic).
> 
> Does anybody have any suggestions on the viable setup?
> 

What you are calling a "commercial certificate" is actually a server
certificate. It is solely for use on servers and reverse-proxies.

So you need to set up Squid as a reverse-proxy (aka CDN frontend) to the
SAAS service instead.

To do that, have your network DNS resolver provide the internal clients
with the proxy IP address instead of the remote server's IP, and in
squid.conf:

 https_port 443 accel cert=... key=...
 acl saas dstdomain saas.example.com
 cache_peer saas.example.com 443 0 originserver ssl
 cache_peer_access allow saas
 cache_peer_access deny all


Amos


Re: [squid-users] (no subject)

2018-07-13 Thread login mogin
Hi,

I don't get why you need a squid box for that purpose. If you have the
private key you could end the traffic on something like nginx and just forward it to
the SaaS; while doing that you could log the traffic as you want.

Best
Logan

On Fri, Jul 13, 2018 at 5:34 PM Krystyna Niesiołowska <
krystyna.niesiolow...@interia.pl> wrote:

> Hi All,
>
> In my company, the HR uses an outsourced SaaS (on a unique public IP)
> configured with a commercial SSL certificate (i.e. I have both the private
> and the public key) accessed by our employees via a subdomain of our
> company domain (saas.company.com)  .
> Unfortunately, we cannot control the data being transferred by the HR
> people and because of the GDPR the board wants to be able to get alerts if
> anyone tries to transfer personal data to the cloud + a general channel to
> check against any data exfiltration.
>
> My idea is to route all traffic going to saas.company.com via a
> box running Squid with SSL interception. I would like to install the same
> cert as the one used with the SaaS. This is to avoid the need of installing
> any additional certs on users' machines. Unfortunately, I cannot find an
> option to set Squid with a single commercial cert instead of a CA (commonly
> used to intercept and generate individual certs for all of the SSL traffic).
>
> Does anybody have any suggestions on the viable setup?
>
> Best wishes,
>
> Kristin


Re: [squid-users] (no subject)

2017-12-13 Thread Alex Rousskov
On 12/13/2017 11:35 AM, Amos Jeffries wrote:
> Step 1 can be a peek or stare at your choice.

... and that choice will determine whether Squid bumps or splices the
connections at step 2 in the unlikely event no ssl_bump rules match
during step 2. It is best to avoid such situations, of course.

Alex.


Re: [squid-users] (no subject)

2017-12-13 Thread Amos Jeffries

On 13/12/17 21:19, 赵 俊 wrote:
> When I access SVN, I want to bump the SVN connection.
>
> My squid.conf:
>
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
>
> ssl_bump stare ssl_step1
> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3
>
> May I solve this problem if I go to the official certification
> organization certifying myCA?
>
>> The second problem is that you are bumping at SSL-Bump step #2 before
>> any of the real server details are available to Squid.
>
> I want to know which step to bump and which action at SSL-Bump step #1?

To avoid problems you need mimic to happen. So bump at step 3. Stare at
step 2. Step 1 can be a peek or stare at your choice.


Amos
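The posted ssl_bump rules next to the step ordering recommended above (bump at step 3, stare at step 2, peek or stare at step 1), with the default-action point from Alex's reply in the comments. This is an added example for this thread, not configuration from the poster or from Squid's documentation; the ACL names are the poster's.

```conf
# Added example: the posted rules versus the recommended ordering.
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

# As posted. Bumping at step 2 makes Squid generate a certificate before it
# has connected to the real server, so there is nothing to mimic and the
# generated certificate carries only what the client request offered
# (here a bare host name, which does not match a proper server certificate).
#ssl_bump stare ssl_step1
#ssl_bump bump ssl_step2
#ssl_bump terminate ssl_step3

# Recommended: step 1 reads the client's TLS ClientHello (SNI) without
# deciding yet; step 2 stares, which connects to the server and fetches its
# certificate; step 3 bumps, mimicking the server certificate just received.
# Choice at step 1 matters if no rule matches at step 2: after peek the
# implied action is splice, after stare it is bump.
ssl_bump peek ssl_step1
ssl_bump stare ssl_step2
ssl_bump bump ssl_step3
```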


Re: [squid-users] (no subject)

2017-12-12 Thread Amos Jeffries

On 13/12/17 14:11, 赵 俊 wrote:
> Hi,
>
> When I access SVN, I want to bump the SVN connection.
>
> Error like this:
>
> The following error was encountered while trying to retrieve the URL:
> https://WIN-BEOUENL2N6U/*
>
> Failed to establish a secure connection to 192.168.52.6
>
> The system returned:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /CN=WIN-BEOUENL2N6U
>
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the
> remote host does not support secure connections, or the proxy is not
> satisfied with the host security credentials.
>
> My squid.conf:
>
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
>
> ssl_bump stare ssl_step1
> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3
>
> May I solve this problem if I go to the official certification
> organization certifying myCA?

Not really. There are two problems:

The first problem is that you are using host names instead of a domain name.

The second problem is that you are bumping at SSL-Bump step #2 before
any of the real server details are available to Squid.



Amos


Re: [squid-users] (no subject)

2017-12-08 Thread Matus UHLAR - fantomas

On 07.12.17 14:12, Ing. Pedro Pablo Delgado Martell wrote:
> I have been reading about the difference between a KB and a KiB,

the kilo (1000) uses lowercase 'k' as defined by SI prefixes.

... when learning about computers some 30 years ago, we have used
capital 'K' that was meant to be 1024.

later I was told that some people (apparently mostly at electrical
engineering) used upper case K, M and G to measure multiples, while lower
case m, u and n were meant for fractions.

Ki, Mi and Gi were introduced later in order to provide more precision
in computing environments.

HDD manufacturers still use decimal prefixes - it looks better to have 5000
gigabyte HDDs than 4656 Gigabyte...

> Kilobyte and Kibibyte respectively. According to several websites,
> also Google,  1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
> guys say on /etc/squid/squid.conf this:


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


Re: [squid-users] (no subject)

2017-12-07 Thread Antony Stone
On Thursday 07 December 2017 at 20:50:27, Yuri wrote:

> Antonio, enough.
> 
> I do not believe that no one here has a sense of humor.

I think I agree with that sentence (although it's a little hard to be sure).

> Are you serious about discussing it with animal seriousness?

The question appeared to be asked seriously in the first place.  I apologise if 
it was in fact a joke and I did not realise.

Antony.

> 08.12.2017 1:48, Antony Stone wrote:
> > On Thursday 07 December 2017 at 20:43:52, Ing. Pedro Pablo Delgado
> > Martell wrote:
> >> "In our kilobyte - one thousand twenty-four bytes."
> >> 
> >> Your kilobyte Ok, let's move on, there is no point.
> > 
> > https://en.wikipedia.org/wiki/Kilobyte
> > 
> > "In historical usage in some areas of information technology,
> > particularly in reference to digital memory capacity, kilobyte denotes
> > 1024 (2^10) bytes. This arises from the powers-of-two sizing common to
> > memory circuit design. In this context, the symbols K and KB are often
> > used."
> > 
> > "The kilobyte has traditionally been used to refer to 1024 bytes (2^10
> > B), a usage still common. The usage of the metric prefix kilo for binary
> > multiples arose as a convenience, because 1000 approximates 1024."
> > 
> > "The binary representation of 1024 bytes typically uses the symbol KB,
> > with an uppercase letter K. The B is often omitted in informal use. For
> > example, a processor with 65,536 bytes of cache memory might be said to
> > have "64K" of cache. In this convention, one thousand and twenty-four
> > kilobytes (1024 KB) is equal to one megabyte (1 MB), where 1 MB is
> > 1024^2 bytes."
> > 
> > Hope that helps,
> > 
> > 
> > Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
Antonio, enough.

I do not believe that no one here has a sense of humor. Are you serious
about discussing it with animal seriousness?


08.12.2017 1:48, Antony Stone wrote:
> On Thursday 07 December 2017 at 20:43:52, Ing. Pedro Pablo Delgado Martell 
> wrote:
>
>> "In our kilobyte - one thousand twenty-four bytes."
>>
>> Your kilobyte Ok, let's move on, there is no point.
> https://en.wikipedia.org/wiki/Kilobyte
>
> "In historical usage in some areas of information technology, particularly in 
> reference to digital memory capacity, kilobyte denotes 1024 (2^10) bytes. 
> This 
> arises from the powers-of-two sizing common to memory circuit design. In this 
> context, the symbols K and KB are often used."
>
> "The kilobyte has traditionally been used to refer to 1024 bytes (2^10 B), a 
> usage still common. The usage of the metric prefix kilo for binary multiples 
> arose as a convenience, because 1000 approximates 1024."
>
> "The binary representation of 1024 bytes typically uses the symbol KB, with 
> an 
> uppercase letter K. The B is often omitted in informal use. For example, a 
> processor with 65,536 bytes of cache memory might be said to have "64K" of 
> cache. In this convention, one thousand and twenty-four kilobytes (1024 KB) 
> is 
> equal to one megabyte (1 MB), where 1 MB is 1024^2 bytes."
>
> Hope that helps,
>
>
> Antony.
>

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**






Re: [squid-users] (no subject)

2017-12-07 Thread Antony Stone
On Thursday 07 December 2017 at 20:43:52, Ing. Pedro Pablo Delgado Martell 
wrote:

> "In our kilobyte - one thousand twenty-four bytes."
> 
> Your kilobyte Ok, let's move on, there is no point.

https://en.wikipedia.org/wiki/Kilobyte

"In historical usage in some areas of information technology, particularly in 
reference to digital memory capacity, kilobyte denotes 1024 (2^10) bytes. This 
arises from the powers-of-two sizing common to memory circuit design. In this 
context, the symbols K and KB are often used."

"The kilobyte has traditionally been used to refer to 1024 bytes (2^10 B), a 
usage still common. The usage of the metric prefix kilo for binary multiples 
arose as a convenience, because 1000 approximates 1024."

"The binary representation of 1024 bytes typically uses the symbol KB, with an 
uppercase letter K. The B is often omitted in informal use. For example, a 
processor with 65,536 bytes of cache memory might be said to have "64K" of 
cache. In this convention, one thousand and twenty-four kilobytes (1024 KB) is 
equal to one megabyte (1 MB), where 1 MB is 1024^2 bytes."

Hope that helps,


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
I love powers of 2 :)

And our kilometer is 1024 m ;)


08.12.2017 1:40, Antony Stone wrote:
> On Thursday 07 December 2017 at 20:34:22, Yuri wrote:
>
>> In our kilobyte - one thousand twenty-four bytes. :)
> This has been the definition since the earliest days of computing (or at
> least, as soon as any computer had 1024 of anything...)
>
> This (rather stupid-sounding, in my opinion) kibibyte stuff is a much more 
> recently introduced term, and is basically only needed for marketing people.
>
> 2^10 is a much more natural quantity of anything to have in computer terms 
> (since the whole system is based on binary) than 10^3 is, however 10^3 is a 
> smaller number, therefore the marketing people can tell you that the product 
> contains more of them.
>
>
> Antony.
>
>> 08.12.2017 1:29, Yuri wrote:
>>> https://i.imgur.com/bDw1O2b.png
>>>
>>> 08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
>>>> I have been reading about the difference between a KB and a KiB,
>>>> Kilobyte and Kibibyte respectively. According to several websites,
>>>> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
>>>> guys say on /etc/squid/squid.conf this:
>>>>
>>>> "Units accepted by Squid are:
>>>>
>>>> bytes - byte
>>>>
>>>> KB - Kilobyte (*1024 bytes*)
>>>> "
>>>>
>>>> This email is not to criticize your work, I'm only looking for some
>>>> clearance because right now I'm confused about how Squid is really
>>>> measuring files.

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**






Re: [squid-users] (no subject)

2017-12-07 Thread Antony Stone
On Thursday 07 December 2017 at 20:34:22, Yuri wrote:

> In our kilobyte - one thousand twenty-four bytes. :)

This has been the definition since the earliest days of computing (or at least, 
as soon as any computer had 1024 of anything...)

This (rather stupid-sounding, in my opinion) kibibyte stuff is a much more 
recently introduced term, and is basically only needed for marketing people.

2^10 is a much more natural quantity of anything to have in computer terms 
(since the whole system is based on binary) than 10^3 is, however 10^3 is a 
smaller number, therefore the marketing people can tell you that the product 
contains more of them.


Antony.

> 08.12.2017 1:29, Yuri wrote:
> > https://i.imgur.com/bDw1O2b.png
> > 
> > 08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
> >> I have been reading about the difference between a KB and a KiB,
> >> Kilobyte and Kibibyte respectively. According to several websites,
> >> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
> >> guys say on /etc/squid/squid.conf this:
> >> 
> >> "Units accepted by Squid are:
> >> 
> >> bytes - byte
> >> 
> >> KB - Kilobyte (*1024 bytes*)
> >> "
> >> 
> >> This email is not to criticize your work, I'm only looking for some
> >> clearance because right now I'm confused about how Squid is really
> >> measuring files.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
We are in trouble with bugs that do not close for years, they excite us,
and you're here with units of measurement :)


08.12.2017 1:35, Yuri wrote:
>
> Oooops! zetta-byte :)
>
>
> 08.12.2017 1:34, Yuri wrote:
>>
>> In our kilobyte - one thousand twenty-four bytes. :)
>>
>> PS. And in our zettabyte - ten to the twenty-first power bytes. :)
>>
>>
>> 08.12.2017 1:29, Yuri wrote:
>>>
>>> https://i.imgur.com/bDw1O2b.png
>>>
>>>
>>> 08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
>>>>
>>>> I have been reading about the difference between a KB and a KiB,
>>>> Kilobyte and Kibibyte respectively. According to several websites,
>>>> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
>>>> guys say on /etc/squid/squid.conf this:
>>>>
>>>> "Units accepted by Squid are:
>>>>
>>>>         bytes - byte
>>>>
>>>>         KB - Kilobyte (*1024 bytes*)
>>>>
>>>>         ...
>>>>
>>>>         ...
>>>>
>>>> "
>>>>
>>>> This email is not to criticize your work, I'm only looking for
>>>> some clearance because right now I'm confused about how Squid is
>>>> really measuring files.





-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**





Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
Oooops! zetta-byte :)


08.12.2017 1:34, Yuri wrote:
>
> In our kilobyte - one thousand twenty-four bytes. :)
>
> PS. And in our zettabyte - ten to the twenty-first power bytes. :)
>
>
> 08.12.2017 1:29, Yuri wrote:
>>
>> https://i.imgur.com/bDw1O2b.png
>>
>>
>> 08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
>>>
>>> I have been reading about the difference between a KB and a KiB,
>>> Kilobyte and Kibibyte respectively. According to several websites,
>>> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
>>> guys say on /etc/squid/squid.conf this:
>>>
>>> "Units accepted by Squid are:
>>>
>>>         bytes - byte
>>>
>>>         KB - Kilobyte (*1024 bytes*)
>>>
>>>         ...
>>>
>>>         ...
>>>
>>> "
>>>
>>> This email is not to criticize your work, I'm only looking for some
>>> clearance because right now I'm confused about how Squid is really
>>> measuring files.

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**





Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
In our kilobyte - one thousand twenty-four bytes. :)

PS. And in our zettabyte - ten to the twenty-first power bytes. :)


08.12.2017 1:29, Yuri wrote:
>
> https://i.imgur.com/bDw1O2b.png
>
>
> 08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
>>
>> I have been reading about the difference between a KB and a KiB,
>> Kilobyte and Kibibyte respectively. According to several websites,
>> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
>> guys say on /etc/squid/squid.conf this:
>>
>> "Units accepted by Squid are:
>>
>>         bytes - byte
>>
>>         KB - Kilobyte (*1024 bytes*)
>>
>>         ...
>>
>>         ...
>>
>> "
>>
>> This email is not to criticize your work, I'm only looking for some
>> clearance because right now I'm confused about how Squid is really
>> measuring files.

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**





Re: [squid-users] (no subject)

2017-12-07 Thread Yuri
https://i.imgur.com/bDw1O2b.png


08.12.2017 1:12, Ing. Pedro Pablo Delgado Martell wrote:
>
> I have been reading about the difference between a KB and a KiB,
> Kilobyte and Kibibyte respectively. According to several websites,
> also Google, 1KB = 1000 bytes and 1KiB = 1024 bytes. However, you
> guys say on /etc/squid/squid.conf this:
>
> "Units accepted by Squid are:
>
>         bytes - byte
>
>         KB - Kilobyte (*1024 bytes*)
>
>         ...
>
>         ...
>
> "
>
> This email is not to criticize your work, I'm only looking for some
> clearance because right now I'm confused about how Squid is really
> measuring files.

-- 
"Some people, when confronted with a problem, think «I know, I'll use regular 
expressions.» Now they have two problems."
--Jamie Zawinski

**
* C++: Bug to the future *
**





Re: [squid-users] (no subject)

2017-09-26 Thread Eliezer Croitoru
Hey,

My recommendation about YouTube caching is to use a special server that will 
store the YouTube videos locally.
I have created such a service, which runs on a Linux box, and you can see the 
details at:
http://gogs.ngtech.co.il/elicro/youtube-store

I have not completed every tool that I wanted to publish it with, since I need 
time and funds to make it all work together.

The idea is that Squid will allow every YouTube action such as search and 
browsing, but not YouTube video playback directly from the Internet.
When a video has not been downloaded yet, the user will receive a 
notification\splash page that allows him to request a download of the video, or 
will automatically queue the download.
(maybe with username and password protection..)
And in case the user wants to get back into the original YouTube page, he 
would be able to access the page but not the video, using a special link that 
will be displayed in the "YouTube video splash page".
In the case that the video exists in the local service\server, the user\client 
would be able to watch the video from the local store web-server.

I am using it here locally with a tiny NAS solution and it works great.

Caching YouTube images should be pretty easy\simple using StoreID.

Let me know if you have interest in such a solution.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Sukhbaatar T
Sent: Tuesday, September 26, 2017 11:16
To: squid-users@lists.squid-cache.org
Subject: [squid-users] (no subject)

Hello.
I'm a teacher.
My computer's OS is Windows 7.
Installed SQUID 3.5.27.
We have fifteen computers in our cabinet.
The internet bandwidth is 4mb. We need to cache youtube and fb data of our kids.
The youtube cache needs to be saved for a month, and the facebook to remain for 
a day.
Our configuration is this small.
Can you do the SQUID options for this (squid.conf file)?

Thank you



Re: [squid-users] (no subject)

2017-09-26 Thread Amos Jeffries

On 26/09/17 21:15, Sukhbaatar T wrote:
Hello. I'm a teacher. My computer's OS is Windows 7. Installed SQUID 
3.5.27. We have fifteen computers in our cabinet. The internet bandwidth 
is 4mb. We need to cache youtube and fb data of our kids. The youtube 
cache needs to be saved for a month, and the facebook to remain for a 
day. Our configuration is this small. Can you do the SQUID options for 
this (squid.conf file)? Thank you


It would be best if you learned to do it yourself. Then you would not 
have to ask us.


Did you see the response to your last post where I pasted the links to 
what you need?


Amos


Re: [squid-users] (no subject)

2017-05-12 Thread Alex Rousskov
On 05/12/2017 08:50 AM, chiasa.men wrote:
> On Friday, 12 May 2017, 14:16:45 CEST, Amos Jeffries wrote:
>> The efficient solution is to have long persistence on the connections
>> between your CDN frontend (Squid) and the backend origins (Apache). You
>> can make the timeout much shorter on the Squid client connections.

> I see. So I'll tell Apache to set the KeepAliveTimeout to Squid's default 
> persistent_request_timeout of 2 minutes :)

To avoid race conditions, the Apache timeout should be _larger_ than
Squid timeout. If Apache only talks to Squid, then it does not hurt to
set the Apache timeout to twice the value of Squid timeout. It is the
_smaller_ timeout that will effectively determine the number of idle
persistent connections between the two points in this case.

Alex.

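A small model of the race Alex describes, added here as an example (not code from the thread, Squid or Apache): `squid_idle_timeout` stands for whichever Squid directive governs the idle server-side connection, and the timeouts, idle gaps and 0.2 s latency are constructed values.

```python
"""Model the idle-connection race between a Squid frontend and an Apache origin.

Added example; not from the mailing list thread or from either project. Both
sides hold an idle persistent connection for their own timeout after the last
response. Squid decides locally whether to reuse it; Apache's close only becomes
visible after network latency. A reuse attempt that Squid still considers safe
but that reaches Apache at or after Apache's keep-alive timeout hits a closed
socket: that is the race. All timeouts and gaps below are constructed values.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ReuseStats:
    reused: int = 0      # request rode an idle connection both sides still held open
    reopened: int = 0    # Squid had already dropped the idle connection: new TCP handshake
    raced: int = 0       # Squid reused a connection Apache had closed (or was closing)
    raced_gaps: List[float] = field(default_factory=list)


def simulate(idle_gaps: List[float], squid_idle_timeout: float,
             apache_keepalive_timeout: float, latency: float = 0.0) -> ReuseStats:
    """Classify each reuse attempt. idle_gaps are seconds of idleness before the
    next request on the pooled connection; latency is one-way delay Squid -> Apache."""
    stats = ReuseStats()
    for gap in idle_gaps:
        if gap > squid_idle_timeout:
            # Squid's own timer fired first, so it opens a fresh connection. Safe,
            # but it pays the handshake cost Amos describes elsewhere in the thread.
            stats.reopened += 1
        elif gap + latency >= apache_keepalive_timeout:
            # Squid still trusts the connection, but by the time the request
            # arrives Apache has torn it down.
            stats.raced += 1
            stats.raced_gaps.append(gap)
        else:
            stats.reused += 1
    return stats


def effective_idle_window(squid_idle_timeout: float, apache_keepalive_timeout: float) -> float:
    """Idle time after which the connection is gone from the pool for sure:
    the smaller of the two timeouts governs, as Alex notes."""
    return min(squid_idle_timeout, apache_keepalive_timeout)


def race_free(squid_idle_timeout: float, apache_keepalive_timeout: float,
              latency: float = 0.0) -> bool:
    """True when no gap Squid would still reuse can reach Apache after its timeout."""
    return squid_idle_timeout + latency < apache_keepalive_timeout


if __name__ == "__main__":
    gaps = [0.5, 4.0, 6.0, 30.0, 119.9, 200.0]   # constructed idle gaps, seconds
    for apache in (5, 120, 240):  # Apache default, equal to Squid's 120 s, twice Squid's
        s = simulate(gaps, 120, apache, latency=0.2)
        print(f"KeepAliveTimeout={apache:>3}s: reused={s.reused} reopened={s.reopened} "
              f"raced={s.raced} race_free={race_free(120, apache, 0.2)}")
```

With equal timeouts the last reuse attempt still races because of latency; only an Apache timeout comfortably above Squid's removes every race, at the cost of Apache holding idle connections for longer.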


Re: [squid-users] (no subject)

2017-05-12 Thread chiasa.men
On Friday, 12 May 2017, 14:16:45 CEST, Amos Jeffries wrote:
> On 12/05/17 22:31, chiasa.men wrote:
> > On Sunday, 23 April 2017, 17:57:52 CEST, Amos Jeffries wrote:
> >> On 23/04/17 23:25, chiasa@web.de wrote:
> >>> Hello
> >>> 
> >>> my squid.conf looks like that:
> >>> 
> >>> https_port 3128 accel cert=/cert.pem key=/cert.key
> >>> 
> >>> defaultsite=ww1.example.com vhost
> >>> 
> >>> acl server20_domains dstdomain ww1.example.com ww2.example.com
> >>> 
> >>> http_access allow server20_domains
> >>> 
> >>> cache_peer server20 parent 443 0 no-query originserver name=server20
> >>> 
> >>> login=PASSTHRU ssl sslversion=6
> >>> 
> >>> cache_peer_access server20 allow server20_domains
> >>> 
> >>> cache_peer_access server20 deny all
> >>> 
> >>> The idea was to send ww1 and ww2 to server20 which is hosting an apache
> >>> 
> >>> webservice for both sites.
> >> 
> >> That looks fine.
> >> 
> >>> You can see that approximately after 5s the timeout happens. Is it a
> >>> message
> >>> 
> >>> to worry about? (it is just "info" labelled) Why does it occur?
> >> 
> >> Unknown. This is an Apache problem. The Squid portion of things appears
> >> to be working if I'm reading that weird  access.log correctly.
> >> 
> >> Amos
> > 
> > Actually it's not. The problem seemed to be the
> > server_persistent_connections setting in squid.conf.
> > By default set to on it tries to keep the cache_peer connection. Apache on
> > the other side hit the KeepAliveTimeout which was set to 5 seconds by
> > default. server_persistent_connections off in squid.conf
> 
> So Squid is told (by Apache) that the connection is to be kept open /
> persistent and then Apache closes it very quickly afterward. That is an
> explicit configured problem, but still Apache endpoint is the cause of
> the issues you are having here.
> 
> It is not a bug or error for either software, since that is one of the
> behaviours explicitly allowed by HTTP. But for you its being a problem.
You are absolutely right.
> 
> > I set server_persistent_connections to off and the problem disappeared.
> > Is there any downside of this setting?
> 
> 1) Every single HTTP request sent to any upstream server has to go
> through a full TCP connection handshake process, then a TCP shutdown
> process afterwards.
> 
> 2) TCP socket cannot be used for a second connection until the kernel
> has confirmed both endpoints are not going to send anything on it. Which
> may be up to 15min.
> 
> Between them these can cause a 50ms extra latency on every request, with
> a limit of just over 70 requests per second through the proxy to any
> given server - compared to the several tens of thousands Squid can
> normally handle and under 1ms latency that is quite bad.
> 
> 
> The efficient solution is to have long persistence on the connections
> between your CDN frontend (Squid) and the backend origins (Apache). You
> can make the timeout much shorter on the Squid client connections.
I see. So I'll tell Apache to set the KeepAliveTimeout to Squid's default 
persistent_request_timeout of 2 minutes :)
That sounds reasonable.
Thank you for the explanation.
> 
> Amos
> 




Re: [squid-users] (no subject)

2017-05-12 Thread Amos Jeffries

On 12/05/17 22:31, chiasa.men wrote:
> On Sunday, 23 April 2017, 17:57:52 CEST, Amos Jeffries wrote:
> > On 23/04/17 23:25, chiasa@web.de wrote:
> > > Hello
> > >
> > > my squid.conf looks like that:
> > >
> > > https_port 3128 accel cert=/cert.pem key=/cert.key defaultsite=ww1.example.com vhost
> > > acl server20_domains dstdomain ww1.example.com ww2.example.com
> > > http_access allow server20_domains
> > > cache_peer server20 parent 443 0 no-query originserver name=server20 login=PASSTHRU ssl sslversion=6
> > > cache_peer_access server20 allow server20_domains
> > > cache_peer_access server20 deny all
> > >
> > > The idea was to send ww1 and ww2 to server20 which is hosting an apache
> > > webservice for both sites.
> >
> > That looks fine.
> >
> > > You can see that approximately after 5s the timeout happens. Is it a
> > > message to worry about? (it is just "info" labelled) Why does it occur?
> >
> > Unknown. This is an Apache problem. The Squid portion of things appears
> > to be working if I'm reading that weird access.log correctly.
> >
> > Amos
>
> Actually it's not. The problem seemed to be the
> server_persistent_connections setting in squid.conf.
> By default set to on it tries to keep the cache_peer connection. Apache on the
> other side hit the KeepAliveTimeout which was set to 5 seconds by default.
> server_persistent_connections off in squid.conf


So Squid is told (by Apache) that the connection is to be kept open / 
persistent and then Apache closes it very quickly afterward. That is an 
explicitly configured problem, but still the Apache endpoint is the cause of 
the issues you are having here.


It is not a bug or error for either software, since that is one of the 
behaviours explicitly allowed by HTTP. But for you it's being a problem.


> I set server_persistent_connections to off and the problem disappeared.
> Is there any downside of this setting?


1) Every single HTTP request sent to any upstream server has to go 
through a full TCP connection handshake process, then a TCP shutdown 
process afterwards.


2) TCP socket cannot be used for a second connection until the kernel 
has confirmed both endpoints are not going to send anything on it. Which 
may be up to 15min.


Between them these can cause a 50ms extra latency on every request, with 
a limit of just over 70 requests per second through the proxy to any 
given server - compared to the several tens of thousands Squid can 
normally handle and under 1ms latency that is quite bad.



The efficient solution is to have long persistence on the connections 
between your CDN frontend (Squid) and the backend origins (Apache). You 
can make the timeout much shorter on the Squid client connections.


Amos



Re: [squid-users] (no subject)

2017-05-12 Thread chiasa.men
On Sunday, 23 April 2017, 17:57:52 CEST, Amos Jeffries wrote:
> On 23/04/17 23:25, chiasa@web.de wrote:
> > Hello
> > 
> > my squid.conf looks like that:
> > 
> > https_port 3128 accel cert=/cert.pem key=/cert.key
> > 
> > defaultsite=ww1.example.com vhost
> > 
> > acl server20_domains dstdomain ww1.example.com ww2.example.com
> > 
> > http_access allow server20_domains
> > 
> > cache_peer server20 parent 443 0 no-query originserver name=server20
> > 
> > login=PASSTHRU ssl sslversion=6
> > 
> > cache_peer_access server20 allow server20_domains
> > 
> > cache_peer_access server20 deny all
> > 
> > The idea was to send ww1 and ww2 to server20 which is hosting an apache
> > 
> > webservice for both sites.
> 
> That looks fine.
> 
> > You can see that approximately after 5s the timeout happens. Is it a
> > message
> > 
> > to worry about? (it is just "info" labelled) Why does it occur?
> 
> Unknown. This is an Apache problem. The Squid portion of things appears
> to be working if I'm reading that weird  access.log correctly.
> 
> Amos

Actually it's not. The problem seemed to be the 
server_persistent_connections setting in squid.conf.
By default set to on it tries to keep the cache_peer connection. Apache on the 
other side hit the KeepAliveTimeout which was set to 5 seconds by default.
server_persistent_connections off in squid.conf

I set server_persistent_connections to off and the problem disappeared.
Is there any downside of this setting?

  __
|"""\-=
()
  __
|"""\-=
()
(tanks)

Chia


Re: [squid-users] (no subject)

2017-04-23 Thread Amos Jeffries

On 23/04/17 23:25, chiasa@web.de wrote:
> Hello
>
> my squid.conf looks like that:
>
> https_port 3128 accel cert=/cert.pem key=/cert.key defaultsite=ww1.example.com vhost
> acl server20_domains dstdomain ww1.example.com ww2.example.com
> http_access allow server20_domains
> cache_peer server20 parent 443 0 no-query originserver name=server20 login=PASSTHRU ssl sslversion=6
> cache_peer_access server20 allow server20_domains
> cache_peer_access server20 deny all
>
> The idea was to send ww1 and ww2 to server20 which is hosting an apache
> webservice for both sites.


That looks fine.

> You can see that approximately after 5s the timeout happens. Is it a
> message to worry about? (it is just "info" labelled) Why does it occur?




Unknown. This is an Apache problem. The Squid portion of things appears 
to be working if I'm reading that weird  access.log correctly.


Amos


Re: [squid-users] (no subject)

2015-06-24 Thread Yuri Voinov

Squid 3.5.x?

24.06.15 17:59, Dalmar wrote:
>
> Hi,
> For over two weeks I have been having a real headache configuring squid
> transparent/intercept.
> I have tried different options and configurations but I couldn't get
> it to work.
> I think the problem lies in the iptables / NAT but I really couldn't
> solve it.
> I have tried different iptables rules including the intercept linuxDnat
> - sysctl configuration, but it didn't work.
>
>
> # your proxy IP
> SQUIDIP=X.X.X.X
>
> # your proxy listening port
> SQUIDPORT=
>
>
> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
>
> I have to say that squid works well when I configure it in the client
> browsers.
>
>
> At the Mikrotik side, I am using DST-NAT chain port 80 pro TCP action
> DST-NAT to address squidIP and Port
>
>
> I am using ubuntu server 15.04 using squid 3.3.8 and this is my
> configuration and the errors I get:
>
>
>
>  -- eth0 WAN <- MAIN WAN Public IP Internet
>  MK---|
>  -- eth1 LAN
>   |
>    -- eth2 Proxy
>
>  -- eth0 WAN ---> Public IP --> Internet --> gets internet from
> 24online / another Mikrotik
>
>  Squid---|
>   -- eth1 Proxy
>    |
> -- eth2 webmin --> For server Management
>
>
> -error1: if no intercept/transparent and no iptables is configured
> -Invalid URL - The requested URL could not be retrieved
> -but if the proxy is configured in the user browser - it works!
>
>
> -error2: if intercept and iptables DNAT is configured
> -Access Denied and in the access log TCP-MISS/403
> -no forward proxy port configured
> -security alert : host header forgery detected on local=
> SquidIP:8080 remote:mikrotikIP (local ip does not match any domain name)
> -warning : forwarding loop detected (x-Forwarded-for mikrotik
> lan IP)
>
>
> squid.conf
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 8080
> http_port 8181
> cache_mem 2000 MB
> cache_dir ufs /var/spool/squid3 10 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> cache_effective_user proxy
> cache_effective_group proxy
>
>
> I am really confused, can anyone guide me please.
> Thanks in advance




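To check a pairing like the one quoted above mechanically, an added example (not from the thread, from Squid or from the poster): a small lint that reads the iptables DNAT rule and the http_port lines together. 192.0.2.10 and port 8080 are constructed stand-ins for the poster's SQUIDIP and SQUIDPORT; the checks rest on the error messages quoted above and on Squid's requirement that a port receiving NAT-redirected traffic carry the intercept flag.

```python
"""Lint an iptables DNAT redirect against the http_port lines of squid.conf.

Added example; not code from the thread, Squid or the poster. The sample
inputs are constructed: 192.0.2.10 (RFC 5737 documentation range) and port
8080 stand in for the poster's SQUIDIP and SQUIDPORT.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_IPTABLES = """\
iptables -t nat -A PREROUTING -s 192.0.2.10 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8080
iptables -t nat -A POSTROUTING -j MASQUERADE
"""

# Mirrors the shape of the quoted squid.conf: two plain http_port lines, no intercept flag.
SAMPLE_SQUID_CONF = """\
http_access allow localnet
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
"""

DNAT_RE = re.compile(r"-j\s+DNAT\s+--to-destination\s+(\S+?):(\d+)")
HTTP_PORT_RE = re.compile(r"^\s*http_port\s+(?:\S*:)?(\d+)((?:\s+\S+)*)\s*$")
INTERCEPT_FLAGS = {"intercept", "transparent"}  # 'transparent' is the older spelling


def dnat_targets(rules: str) -> List[Tuple[str, int]]:
    """(ip, port) for every DNAT rule with an explicit --to-destination."""
    return [(m.group(1), int(m.group(2))) for m in DNAT_RE.finditer(rules)]


def http_ports(conf: str) -> List[Dict]:
    """{'port': int, 'flags': [...]} for every http_port line, comments stripped."""
    ports = []
    for line in conf.splitlines():
        m = HTTP_PORT_RE.match(line.split("#", 1)[0])
        if m:
            ports.append({"port": int(m.group(1)), "flags": m.group(2).split()})
    return ports


def proxy_exclusion_precedes_dnat(rules: str, proxy_ip: str) -> bool:
    """True if a nat rule ACCEPTs traffic from the proxy itself before the DNAT rule.
    Without it the proxy's own outbound port-80 requests are redirected back to it."""
    lines = rules.splitlines()
    src = re.compile(rf"-s\s+{re.escape(proxy_ip)}(?:/\d+)?(?:\s|$)")
    accept = next((i for i, l in enumerate(lines)
                   if "-t nat" in l and src.search(l) and "-j ACCEPT" in l), None)
    dnat = next((i for i, l in enumerate(lines) if "-j DNAT" in l), None)
    return accept is not None and dnat is not None and accept < dnat


def lint(rules: str, conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the pairing looks consistent."""
    findings: List[str] = []
    ports = http_ports(conf)
    by_port = {p["port"]: p for p in ports}
    targets = dnat_targets(rules)
    for ip, port in targets:
        p = by_port.get(port)
        if p is None:
            findings.append(f"DNAT redirects to {ip}:{port} but squid.conf has no http_port {port}")
        elif not INTERCEPT_FLAGS & set(p["flags"]):
            findings.append(f"http_port {port} receives DNAT'd traffic but lacks the intercept flag; "
                            "Squid treats it as a forward-proxy port and rejects the requests as Invalid URL")
        if not proxy_exclusion_precedes_dnat(rules, ip):
            findings.append(f"no nat rule excluding the proxy's own traffic (-s {ip} ... -j ACCEPT) "
                            "before the DNAT; Squid's outbound requests would loop back into the proxy")
    if targets and ports and not any(not (INTERCEPT_FLAGS & set(p["flags"])) for p in ports):
        findings.append("every http_port is an intercept port; keep at least one plain http_port "
                        "(Squid otherwise reports that no forward proxy port is configured)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_IPTABLES, SAMPLE_SQUID_CONF) or ["no findings"]:
        print("-", finding)
```

On the sample input the only finding is the missing intercept flag on port 8080; adding `intercept` to that line while leaving 8181 as the plain forward port clears it.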


Re: [squid-users] (no subject)

2015-05-25 Thread Antony Stone
On Monday 25 May 2015 at 21:50:12 (EU time), S Sarath kumar wrote:

> Hi,
> 
> below mentioned rules only applied
> 
> acl Streaming rep_mime_type video/flv video/x-flv
> acl mynetwork src 10.108.20.0/24
> 
> http_reply_access deny mynetwork  Streaming
> http_access allow mynetwork

1. Please reply to the list, not privately.

2. Are you saying that the above is your *entire* squid.conf?

If yes, you have more problems with it than you might realise.

If no, please do post the entire squid.conf, excluding blank lines and 
comments, and obscuring private information if appropriate (but be clear if 
you do this).


Regards,


Antony.

-- 
The lottery is a tax for people who can't do maths.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] (no subject)

2015-05-25 Thread Antony Stone
On Monday 25 May 2015 at 21:20:16 (EU time), S Sarath kumar wrote:

> hi i have been using squid3 on ubuntu 14.04.
> i want to block the stream content in my lan.
> hence i written a acl like below.
> this acl at the top.

Please post the entire squid.conf (excluding blank lines / comments).

That gives us a much better chance of answering your question.


Antony.

-- 
Most people have more than the average number of legs.

   Please reply to the list;
 please *don't* CC me.