Re: [squid-users] Logs to confirm packets dropped/not forwarded by squid

2017-02-06 Thread Antony Stone
On Monday 06 Feb 2017 at 17:26, Anonymous cross wrote:

>  Is there any way to find the connections dropped/not forwarded by Squid? I
> could see HTTP GET is forwarded to squid but it's not initiating a
> connection with webserver

Have you looked in access.log for that connection?


Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Logs to confirm packets dropped/not forwarded by squid

2017-02-06 Thread Antony Stone
On Monday 06 Feb 2017 at 17:34, Anonymous cross wrote:

> I don't find any entry in access.log for that connection.

Okay, maybe you should explain a little more about what you mean by "I could 
see HTTP GET is forwarded to Squid" - does "forwarded" mean you're using 
intercept mode, and if it does, how are you forwarding the packets to Squid?

How did you "see the HTTP GET", and where were you looking for it?


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Two dns record fqdn pointing to different squid servers

2017-02-01 Thread Antony Stone
On Wednesday 01 February 2017 at 20:06:22, erdosain9 wrote:

> Hi.
> I have running two squid servers.
> One with ip access and another with users.

Sorry, what do you mean by "IP access"?

I assume both Squid servers have IP addresses.

Do you mean that only one of them has connectivity to the Internet?

What do you mean by "the other one has users"?

Is it doing some sort of authentication, or do you simply mean that this is 
the one the users have connectivity to, so that your network arrangement is:

users -> Squid box 1 -> Squid box 2 -> router -> Internet

...and that the users cannot connect to Squid box 2, and Squid box 1 cannot 
connect to the Internet.

Is that a reasonable description of your setup?

> (the machine users are configure with "proxy.blabla.lan" (the squid with ip
> access)

I don't think I understand that bit.

> I want to know if it is possible do balance between them.

Please define "balance"?

> The problem, for me it is that the "server with ip access" it is refer with
> a A dns record that point to his ip (proxy.blabla.lan)... and the "squid
> with user access", the dns it is pointing with fqdn (squid.blabla.lan)

Okay, so the two machines have DNS A records for different hostnames.

> So, i cant do a multiple A record, pointing to the two ip, because, one of
> the squid servers wait a fqdn answer...

Why can't you do a multiple A record?

There's nothing wrong with:

proxy.blabla.lan    A   192.168.38.56

squid.blabla.lan    A   192.168.38.73

example.blabla.lan  A   192.168.38.56
                    A   192.168.38.73

So that example.blabla.lan points to both IP addresses.

> I tried to do  CNAME but, its not working... (i tried to do
> "proxy.blabla.com pointing to squid.blabla.com at the same time that the ip
> of the "ip access squid server")

No, you are not allowed to have a CNAME in DNS as well as any other record (A, 
MX, NS, etc).  If something is a CNAME, it cannot also be anything else.

> (hope this understood, i dont speak english)

I think you're doing okay, but please clarify the things requested above :)

Also, please simply tell us: what are you trying to achieve?  It's often the 
case that someone is trying to solve a problem, thinks of a possible solution, 
and asks on a mailing list such as this for help in implementing the 
solutions, when there is actually a far better / simpler solution to the 
problem available.  However, because the problem itself was not stated, nobody 
can propose the better / simpler solution, and everyone just works towards 
making the poorer solution work somehow or other...


Regards,


Antony.


-- 
People who use Microsoft software should be certified.

   Please reply to the list;
 please *don't* CC me.
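The two DNS rules in Antony's reply (several A records on one name are fine; a CNAME may not coexist with any other record), as an added example that is not part of the thread: a small Python checker that flags owner names breaking the CNAME rule and resolves a name to the full set of addresses it would return. The records are constructed to mirror the message; balance.blabla.lan is an assumed name used to show the CNAME-plus-A arrangement the poster tried.

```python
"""Check DNS record sets against the two rules raised in the thread.

Added example, not code from the squid-users thread: a name may carry several
A records (round-robin), but a name that is a CNAME may carry no other data
(RFC 1034 section 3.6.2; RFC 2181 also limits it to a single CNAME).
"""
from collections import defaultdict

# Constructed records as (owner, type, data). The first four mirror the
# message; balance.blabla.lan is an assumed name showing the CNAME-plus-A
# arrangement the poster tried.
RECORDS = [
    ("proxy.blabla.lan", "A", "192.168.38.56"),
    ("squid.blabla.lan", "A", "192.168.38.73"),
    ("example.blabla.lan", "A", "192.168.38.56"),
    ("example.blabla.lan", "A", "192.168.38.73"),
    ("balance.blabla.lan", "CNAME", "squid.blabla.lan"),
    ("balance.blabla.lan", "A", "192.168.38.56"),
]


def _norm(name):
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return name.lower().rstrip(".")


def group_by_owner(records):
    """Map owner name -> {type: [data, ...]}."""
    table = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        table[_norm(owner)][rtype.upper()].append(rdata)
    return table


def cname_conflicts(records):
    """Owner names that hold a CNAME together with any other record.

    Authoritative servers refuse to load such a zone, which is why the
    "CNAME and A at the same time" attempt in the thread could not work.
    """
    bad = []
    for owner, rrsets in group_by_owner(records).items():
        cnames = rrsets.get("CNAME", [])
        if cnames and (len(rrsets) > 1 or len(cnames) > 1):
            bad.append(owner)
    return sorted(bad)


def resolve_a(records, name, max_depth=8):
    """All A addresses for NAME, following CNAME chains.

    The full list is returned so the round-robin set is visible; a resolver
    hands these to the client in rotating order. Unknown names give [].
    """
    table = group_by_owner(records)
    seen = set()
    name = _norm(name)
    for _ in range(max_depth):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrsets = table.get(name, {})
        if rrsets.get("CNAME"):
            name = _norm(rrsets["CNAME"][0])
            continue
        return sorted(rrsets.get("A", []))
    raise ValueError(f"CNAME chain longer than {max_depth}")


if __name__ == "__main__":
    print("owners breaking the CNAME rule:", cname_conflicts(RECORDS))
    for host in ("proxy.blabla.lan", "example.blabla.lan", "balance.blabla.lan"):
        print(host, "->", resolve_a(RECORDS, host))
```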


Re: [squid-users] Native FTP relay: connection closes (?) after 'cannot assign requested address' error

2017-01-26 Thread Antony Stone
On Thursday 26 January 2017 at 17:41:21, Alexander wrote:

> It seems that I have solved the issue by using nf_conntrack_ftp and
> redirecting "NEW,RELATED" traffic to squid:

Excellent news.

> ftp_port 2121 intercept
> 
> modprobe nf_conntrack_ftp ports=2121
> 
> iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-port 2121
> iptables -t nat -A PREROUTING -p tcp -m state --state NEW,RELATED -j
> REDIRECT

Just out of interest, how are you getting the FTP traffic to the Squid box in 
the first place?

I assume you're not routing all Internet-bound traffic via this machine 
(otherwise that second REDIRECT rule would cause problems for SSH, SMTP, IMAP, 
etc), so how are you identifying the FTP traffic to get it from your router to 
the Squid box?


Antony.

-- 
Police have found a cartoonist dead in his house.  They say that details are 
currently sketchy.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] squid on it's own server

2017-01-27 Thread Antony Stone
On Friday 27 January 2017 at 05:17:28, John Pearson wrote:

> hi all, my current setup: laptop(10.0.1.10) and squid-box(10.0.1.11) and
> debian router(10.0.1.1).
> 
> I am doing wget on laptop
> 
> wget squid-cache.org
> 
> I am redirecting packets on the router to squid-box by changing the
> destination MAC address

Well, that's a novel way of doing policy routing...

> and destination IP and port address.

Oh dear.

> I am able to see the packets reaching the squid-box and in squid log I am
> seeing many
> 
> 10.0.1.11 TCP_MISS/503 47502 GET http://squid-cache.org/ - ORIGINAL_DST/
> 10.0.1.11 text/html
> 
> The log stream is really fast. All I see on laptop is “HTTP request sent,
> awaiting response …" Any advice? thanks!

Yes, do NOT change the destination IP address on ANY machine except the one 
which Squid is running on.

See http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and pay 
attention to the part which says "This configuration is given for use *on the 
squid box*."

Get the packets *to* that box however you like, but don't change them along 
the way.


Antony.

-- 
It may not seem obvious, but (6 x 5 + 5) x 5 - 55 equals 5!

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Not all html objects are being cached

2017-01-27 Thread Antony Stone
On Friday 27 January 2017 at 12:58:52, Yuri wrote:

> Again. What is the difference? I open it from different workstations,
> from different browsers - I see the same thing. The code is identical. I
> can is to cache? Yes or no?

You're entitled to do whatever you want to, following standards and 
recommendations or not - just don't complain when choosing not to follow those 
standards and recommendations results in behaviour different from what you 
wanted (or what someone else intended).

Oh, and by the way, what did you mean earlier when you said:

> You either wear pants or remove the cross, as they say.

?


Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Not all html objects are being cached

2017-01-27 Thread Antony Stone
On Friday 27 January 2017 at 13:15:21, Yuri wrote:

> 27.01.2017 18:05, Antony Stone wrote:
> 
> > You're entitled to do whatever you want to, following standards and
> > recommendations or not - just don't complain when choosing not to follow
> > those standards and recommendations results in behaviour different from
> > what you wanted (or what someone else intended).
> 
> All this crazy debate reminds me of Microsoft Windows. Windows is better
> to know why the administrator should not have full access. Windows is
> better to know how to work. Windows is better to know how to tell the
> system administrator so that he called the system administrator.

That should remind you of OS X and Android as well, at the very least (and 
quite possibly systemd as well)

My opinion is that it's your choice whether to run Microsoft Windows (or Apple 
OS X, or Google Android) or not - but you have to accept it as a whole 
package; you can't say "I want some of the neat features, but I want them to 
work *my* way".

If you don't accept all aspects of the package, then don't use it.

> Antonio, you've seen at least once, so I complained about the
> consequences of my own actions?

You seem to continually complain that people are recommending not to try going 
against standards, or trying to defeat the anti-caching directives on websites 
you find.

It's your choice to try doing that; people are saying "but if you do that, bad 
things will happen, or things will break, or it just won't work the way you 
want it to", and then you say "but I don't like having to follow the rules".

That's what I meant about complaining about the consequences of your actions.


Antony.

-- 
"Life is just a lot better if you feel you're having 10 [small] wins a day 
rather than a [big] win every 10 years or so."

 - Chris Hadfield, former skiing (and ski racing) instructor

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Strange behavior - reload service failed, but not start....

2017-01-27 Thread Antony Stone
On Friday 27 January 2017 at 14:13:55, erdosain9 wrote:

> Ok, thanks.
> But something more its wrong look up this:
> 
> [root@squid ips]# squid -k restart
> squid: ERROR: Could not send signal 21 to process 8083: (3) No such process
> 
> [root@squid ips]# squid -k shutdown
> squid: ERROR: Could not send signal 15 to process 8083: (3) No such process
> 
> [root@squid ips]# squid -k kill
> squid: ERROR: Could not send signal 9 to process 8083: (3) No such process
> 
> [root@squid ips]# squid -k debug
> squid: ERROR: Could not send signal 12 to process 8083: (3) No such process
> 
> ..mmm... what's going on here???
> 
> But actually squid is running and working,

What does ps -ax tell you the process ID for it is?

I bet it's not 8083...

> Also, if i do a change in squid.conf... it dosent take it. neither
> systemctl, or like you see any squid -k command

Sounds like a permissions problem to me - what are the ownerships and 
permissions on your squid.conf file, and on the Squid PID file?


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Strange behavior - reload service failed, but not start.... (solved)

2017-01-27 Thread Antony Stone
On Friday 27 January 2017 at 14:36:01, erdosain9 wrote:

> Hi, again.
> Now, i do this
> 
> [root@squid ips]# ps aux | grep squid
> root  2228  0.0  0.0 130900   344 ?        Ss   ene24   0:00
> /usr/sbin/squid -sYC

... snip ...

> [root@squid ips]# systemctl stop squid
> [root@squid ips]# pkill squid
> [root@squid ips]# squid -z
> 
> And now is working, also with the command systemctl but, anyway you
> recommend more the use of squid -k commands no??

Well, if you started it with systemctl / systemd, then it's a good idea to 
stop it with systemctl / systemd.

However:

On Thursday 26 January 2017 at 03:57:48, Amos Jeffries wrote:

> On 26/01/2017 5:38 a.m., erdosain9 wrote:
> 
> > some other approach??
> 
> Not using systemd to control Squid-3. The two are not compatible. As you
> just found out the hard way.
> 
> Squid is not a daemon, it is a Daemon + Manager in one binary/process.
> systemd is based around the naive assumption that everything is a simple
> daemon and gets horribly confuzled when reality bites. It is not alone,
> upstart has the same issues. Basically only start/stop work, and even
> those only most of the time if done very carefully.
> 
> Your choices with systemd are (1) use the 'squid -k' commands, or (2)
> upgrade to Squid-4 and install the tools/systemd/squid.service file we
> provide for that version.

Therefore avoid using systemd with Squid, and you should be able to manage it 
normally.


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it didn't work.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Proxyfy spice protocol behind nat

2017-02-19 Thread Antony Stone
On Sunday 19 February 2017 at 19:05:57, Oscar Segarra wrote:

> Hi,
> 
> In my environment I have deployed two KVM hypervisors. I'd like to deploy
> in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from
> the clients.

Why?  What's the problem with the clients knowing the true values?

> Each virtual machine has a unique port but VMs can run on any hypervisor.

It doesn't sound to me like the VMs are actually part of what you're trying to 
do here?  You're just talking about client connections to hypervisors; the VMs 
are not part of that.

> Is it possible to achieve this with squid?

What protocol do the clients use to communicate with the KVM Hypervisors?

If it's HTTP, HTTPS or FTP, then you can probably configure Squid in 
accelerator mode and use it to do what you want.

However, why are you trying to do this?  What is the risk involved in the 
clients knowing the true IPs and ports of the hypervisors, which would be 
mitigated by having them connect via a proxy instead?

Have you considered using HAproxy or LVS, both of which are far more generic 
network proxies than Squid is?

> Is there any example how to configure this?

Not that I have ever heard of, however if it is a protocol which Squid can 
handle, it really doesn't matter what the specific backend system is; there are 
plenty of examples on how to do HTTP, HTTPS and FTP.



Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Customize squid to make it understand malformed requests

2017-01-16 Thread Antony Stone
On Monday 16 January 2017 at 09:03:52, Oğuz İsmail Uysal wrote:

> For a private reason, I want to customize squid version 3.5.12 the way I
> stated above. For example I have customized it already to make it
> understand \r\n /\r\n instead of \r\n\r\n as request's end

> now I want it to remove the characters after a spesific character in request
> uri, and to remove a spesific character which is placed at the end of all
> headers (before \r\n).

Wouldn't this be easier to achieve using content adaptation?

http://wiki.squid-cache.org/Features/eCAP
http://wiki.squid-cache.org/Features/ICAP

Antony.

-- 
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] SSL Bump

2017-01-20 Thread Antony Stone
On Friday 20 January 2017 at 17:12:04, Mustafa Mohammad wrote:

> What are the steps to setup SSL Bump?

Don't.

Use peek and splice instead.

See http://wiki.squid-cache.org/Features/SslBump for info, then 
http://wiki.squid-cache.org/Features/SslPeekAndSplice for guidance.


Antony.

-- 
If at first you don't succeed, destroy all the evidence that you tried.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] DENIED and ALLOWED at once?

2016-08-19 Thread Antony Stone
On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:

> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin  wrote:
> > /var/log/squid/access.log
> > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
> > 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
> 
> This is unauthenticated (notice the "- -" after the IP)
> 
> > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1;
> > WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
> 
> This one is authenticated (juan.perez). The code 407 in the first request
> means "proxy request authentication". So what happened here is that the
> user browsed, was asked for credentials (and maybe those were provided
> automatically), and then the request was resent with the creds included.

Given the timestamps (both 12:19:45; no time for a human to enter credentials 
at a prompt) the browser did this automatically, and invisibly to the user.

> http_access deny  !kerb_auth
> 
> > http_access allow kerb_auth whitelist_ips
> 
> And here is the config that causes that -- it's totally normal...
> 
> Thanks,

Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams

   Please reply to the list;
 please *don't* CC me.
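The 407-then-200 pairing Antony reads off the identical timestamps, as an added detection script that is not part of the thread: it parses access.log lines in the Apache-style layout quoted above, pairs each 407 challenge with the authenticated retry for the same client and request, and labels retries within one second as automatic (browser-supplied) rather than typed. The log lines are constructed; the first two mirror the ones quoted, the rest (192.168.50.42/.43, maria.lopez, example.net) are assumed.

```python
"""Pair proxy-authentication challenges (407) with the retry that follows.

Added example for the squid-users thread above, not code from Squid or the
list. It reads access.log lines in the Apache-style "common/combined" layout
shown in the message, with Squid's status tags appended at the end.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?: (?P<tags>\S+))?$'
)

# Constructed sample: the first two lines mirror the thread; the others are
# assumed, showing a slow (typed) retry and a challenge that is never answered.
SAMPLE_LOG = [
    '192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT',
    '192.168.50.42 - - [19/Aug/2016:12:20:10 -0300] "GET http://example.net/ HTTP/1.1" 407 4634 "-" "curl/7.47.0" TCP_DENIED:HIER_NONE',
    '192.168.50.42 - maria.lopez [19/Aug/2016:12:20:41 -0300] "GET http://example.net/ HTTP/1.1" 200 1532 "-" "curl/7.47.0" TCP_MISS:HIER_DIRECT',
    '192.168.50.43 - - [19/Aug/2016:12:21:00 -0300] "GET http://example.net/ HTTP/1.1" 407 4634 "-" "curl/7.47.0" TCP_DENIED:HIER_NONE',
    '192.168.50.43 - - [19/Aug/2016:12:21:00 -0300] "GET http://example.net/ HTTP/1.1" 407 4634 "-" "curl/7.47.0" TCP_DENIED:HIER_NONE',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def auth_transitions(lines, auto_threshold=1.0):
    """Walk the log in order and report what happened after each 407.

    kind == "automatic":   authenticated retry within auto_threshold seconds
                           (the client already held credentials, as in the thread)
    kind == "interactive": authenticated retry after a longer pause (typed in)
    kind == "repeated_407": another challenge for the same client/request with
                           no success in between (wrong or missing credentials)
    """
    pending = {}   # (client, request) -> timestamp of the most recent 407
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["request"])
        if rec["status"] == 407:
            if key in pending:
                events.append({"client": rec["client"], "request": rec["request"],
                               "user": None, "delay": None, "kind": "repeated_407"})
            pending[key] = rec["ts"]
        elif key in pending and rec["user"] != "-" and 200 <= rec["status"] < 400:
            delay = (rec["ts"] - pending.pop(key)).total_seconds()
            kind = "automatic" if delay <= auto_threshold else "interactive"
            events.append({"client": rec["client"], "request": rec["request"],
                           "user": rec["user"], "delay": delay, "kind": kind})
    return events


if __name__ == "__main__":
    for event in auth_transitions(SAMPLE_LOG):
        print(event)
```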


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:09:52, Samuraiii wrote:

> Hello,
> I am trying to setup squid as SSL protected proxy for few users without
> any intention to use ssl-bumping or any other MITM technique.
> I just want to have SSL secured connection between browser and proxy.
> Proxy will not be "transparent" and will be using PAC file for
> configuration and PAM for authentication.
> I want to avoid any "other software" alternative as stunnel etc...
> I also have (for server involved) valid "Lets encrypt" certificate which
> I would like to use for this.
> What can I do to achieve this on squid 3.5?

Unfortunately it's not Squid that's the challenge - it's the browser.

If you're using Firefox and/or Chrome, you should be okay.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote:

> On 24.8.2016 13:18, Antony Stone wrote:
> > 
> > See "Encrypted browser-Squid connection" at the bottom of
> > http://wiki.squid-cache.org/Features/HTTPS
> 
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails

Please give more details for "fails".

Is the following your entire squid.conf (except for comments)?

Have you tried getting SSL access to Squid working before introducing 
authentication?

What are you trying, to test this, and what are the results?


Regards,


Antony.

> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> 
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
> 
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
> 
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:     1440    20% 10080
> refresh_pattern ^gopher:  1440    0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] squid and files cache between multiple pc

2016-09-06 Thread Antony Stone
On Tuesday 06 September 2016 at 14:58:40, Marco Calegari wrote:

> hi all
> I've a strange problem with squid v3.1.20

That is over four years old.  You should upgrade.

> Using squid also to cache "big" files (for big I mean >20Mb), happens that
> if a pc download a file, first time file has downloaded from internet.
> Second time from squid cache. Everything ok But: if I try to download same
> file from another pc, same file come downloaded from internet and not via
> squid.
> 
> Why?

Thanks for including your squid.conf - that is useful.

However, we also need to see the access.log lines which are generated by the 
three requests:

1. Original request (which downloads from the Internet) from PC1

2. Second request (which gets cached content) from PC1

3. First request (which download from the Internet again) from PC2

By the way, can you confirm that small files do not have the same problem, and 
the cached copy gets sent to PC2 in request number 3 above?


Thanks,


Antony.

-- 
I bought a book about anti-gravity.  The reviews say you can't put it down.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] subnet forward

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 15:05:25, Pol Hallen wrote:

> I've a small lan:
> 
> dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP
>lan2_192.168.1.0/24 (NIC2)<--->switch+AP
> 
> I've squid server v.3.1.20 on 192.168.1.20
> 
> from 192.168.1.0/24 network squid works perfectly :-))) from
> 192.168.10.0/24 network squid works but: is very very very slow...
> 
> I've check firewall and routing, dns and ping and seem ok

Where's the firewall?

Show us the routing table on 192.168.1.20, and show us the routing table on 
the machine above with three network cards.  Also please tell us the IP 
addresses on its three interfaces.

Show us any NAT rules you have on that machine.

> maximum_object_size 5 Gb
> cache_dir ufs /data/vmware/squid-cache 30720 16 256
> cache_mem 4096 MB
> 
> minimum_object_size 0
> maximum_object_size_in_memory 512 Kb
> cache_replacement_policy heap GDSF
> 
> cache_swap_low 85
> cache_swap_high 90
> 
> half_closed_clients off
> 
> hosts_file /etc/hosts
> memory_pools off
> client_db off
> dns_nameservers 127.0.0.1
> 
> via off
> forwarded_for off
> httpd_suppress_version_string off
> follow_x_forwarded_for deny all
> #visible_hostname sign.bunker.org
> 
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
> 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
> 10080 90% 43200 override-expire ignore-no-cache ignore-no-store
> ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
> 
> refresh_pattern -i movies.com/.* 10080 90% 43200
> refresh_pattern (/cgi-bin/|\?) 0 0% 0

What?  No http_access rules or ACLs?


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent Proxy

2016-09-08 Thread Antony Stone
On Thursday 08 September 2016 at 10:44:12, John Sayce wrote:

> After I wrote this I realised it should be changing the mac not the ip,
> which is not what’s happeneing.  I think it's my firewall configuration
> that's wrong.

In that case your firewall is doing NAT instead of policy routing.

Regards,


Antony.

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Antony Stone Sent: 08 September 2016 09:36
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Transparent Proxy
> 
> On Thursday 08 September 2016 at 10:12:48, John Sayce wrote:
> > For testing purposes I've reduced it to the following:
> > 
> > http_port 3128 intercept
> > #dns_v4_first on
> > dns_nameservers 10.8.2.3 194.168.4.100 10.8.2.2 8.8.8.8 acl wifi src
> > 10.8.14.0/24 acl all src all http_access allow all maximum_object_size
> > 1 GB minimum_object_size 0 KB maximum_object_size_in_memory 4 MB
> > cache_mem 1700 MB cache_dir aufs /var/cache/squid 4 32 512
> > coredump_dir /var/cache/squid access_log /var/log/squid/access.log
> > squid cache_log /var/log/squid/cache.log
> > refresh_pattern ^ftp:     1440    20% 10080
> > refresh_pattern ^gopher:  1440    0%  1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> > refresh_pattern .   0   20% 4320
> > cache_effective_user asd
> > cache_effective_group asd
> > cache_mgr jsa...@asdlighting.com
> > forwarded_for off
> > 
> > The version is 3.5.12
> > 
> > Okay.  Sorry, to clarify with a specific example.
> 
> Don't apologise - specific examples are good, because it makes sure we're
> both talking about the same thing (and sometimes, as below, reveals little
> details about the network arrangement which weren't previously clear).
> 
> > Lets say I'm contacting http://1.1.1.1/ then the ack packet starts off
> > with the client with ip address 10.8.14.9
> 
> So, source IP = 10.8.14.9 : destination IP = 1.1.1.1
> 
> > in subnet 10.8.14.9/24 with default gateway 10.8.14.1.
> > It's routed through my core switch to my my firewall with ip 10.8.1.1.
> 
> So that's a router, not just a switch?  It has one interface 10.8.14.1 on
> subnet 10.8.14.0/24 and another interface on (presumably) 10.8.1.0/24
> pointing at 10.8.1.1 as the next-hop route towards 1.1.1.1
> 
> > My firewall recognises that the packet has a destination port 80 and
> > is in subnet 10.8.14.0/24
> 
> The source address is in that subnet, yes.
> 
> > and changes the destination address to be that of my proxy server
> > 10.8.2.11.
> 
> No - see below.
> 
> > So now the ack packet has source 10.8.14.9 and destination 10.8.2.11.
> 
> No, it doesn't.  When a packet goes via a router, its destination IP
> address is not changed to the address of the next-hop router (otherwise
> things would never work across the Internet).
> 
> It's only the destination MAC address in the encapsulating ethernet frame
> which gets changed to that of the next-hop router.  The source and
> destination IP addresses inside are not touched.
> 
> > How does iptables know to reply to my client 10.8.14.9 with source
> > address 1.1.1.1?  Does iptables know to read the header?
> 
> TCP header, yes.
> 
> HTTP header, no.
> 
> Just think about the very first link between the client and its default
> gateway:
> 
> Packet with source address = 10.8.14.9, destination address = 1.1.1.1
> 
> How does that packet get to the default router 10.8.14.1?  Its destination
> IP is 1.1.1.1, so that doesn't help.
> 
> It's because the destination MAC address in the ethernet frame containing
> that IP packet is the MAC address of 10.8.14.1.
> 
> A few minutes playing around with wireshark on your network could be quite
> enlightening :)
> 
> 
> 
> Regards,
> 
> 
> Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we don't 
know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent Proxy

2016-09-08 Thread Antony Stone
On Thursday 08 September 2016 at 10:12:48, John Sayce wrote:

> For testing purposes I've reduced it to the following:
> 
> http_port 3128 intercept
> #dns_v4_first on
> dns_nameservers 10.8.2.3 194.168.4.100 10.8.2.2 8.8.8.8
> acl wifi src 10.8.14.0/24
> acl all src all
> http_access allow all
> maximum_object_size 1 GB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4 MB
> cache_mem 1700 MB
> cache_dir aufs /var/cache/squid 4 32 512
> coredump_dir /var/cache/squid
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> refresh_pattern ^ftp:     1440    20% 10080
> refresh_pattern ^gopher:  1440    0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
> cache_effective_user asd
> cache_effective_group asd
> cache_mgr jsa...@asdlighting.com
> forwarded_for off
> 
> The version is 3.5.12
> 
> Okay.  Sorry, to clarify with a specific example.

Don't apologise - specific examples are good, because it makes sure we're both 
talking about the same thing (and sometimes, as below, reveals little details 
about the network arrangement which weren't previously clear).

> Lets say I'm contacting http://1.1.1.1/ then the ack packet starts off with
> the client with ip address 10.8.14.9

So, source IP = 10.8.14.9 : destination IP = 1.1.1.1

> in subnet 10.8.14.9/24 with default gateway 10.8.14.1. 
> It's routed through my core switch to my my firewall with ip 10.8.1.1.

So that's a router, not just a switch?  It has one interface 10.8.14.1 on 
subnet 10.8.14.0/24 and another interface on (presumably) 10.8.1.0/24 pointing 
at 10.8.1.1 as the next-hop route towards 1.1.1.1

> My firewall recognises that the packet has a destination port 80 and is in
> subnet 10.8.14.0/24

The source address is in that subnet, yes.

> and changes the destination address to be that of my proxy server 10.8.2.11.

No - see below.

> So now the ack packet has source 10.8.14.9 and destination 10.8.2.11.

No, it doesn't.  When a packet goes via a router, its destination IP address 
is not changed to the address of the next-hop router (otherwise things would 
never work across the Internet).

It's only the destination MAC address in the encapsulating ethernet frame 
which gets changed to that of the next-hop router.  The source and destination 
IP addresses inside are not touched.

> How does iptables know to reply to my client 10.8.14.9 with source address
> 1.1.1.1?  Does iptables know to read the header?

TCP header, yes.

HTTP header, no.

Just think about the very first link between the client and its default 
gateway:

Packet with source address = 10.8.14.9, destination address = 1.1.1.1

How does that packet get to the default router 10.8.14.1?  Its destination IP 
is 1.1.1.1, so that doesn't help.

It's because the destination MAC address in the ethernet frame containing that 
IP packet is the MAC address of 10.8.14.1.

A few minutes playing around with wireshark on your network could be quite 
enlightening :)



Regards,


Antony.

-- 
I think broken pencils are pointless.



Re: [squid-users] TProxy and client_dst_passthru

2016-09-08 Thread Antony Stone
On Thursday 08 September 2016 at 12:27:42, Omid Kosari wrote:

> Hi Fred,
> 
> Same problem here . Do you found any solution or workaround ?

Please clarify which message you are replying / referring to.

Thanks,


Antony.

-- 
Archaeologists have found a previously-unknown dinosaur which seems to have 
had a very large vocabulary.  They've named it Thesaurus.



Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:

> 08.09.2016 2:25, erdosain9 writes:
> > Hi.
> > A query. Sslbump is possible without installing the certificate,
> > machine by machine ???
> 
> Bump impossible. Splice - possible.
> 
> > Is there any way that this certificate Squid SUBMIT ??
> 
> Can't understand question. What do you mean?

I believe he wants a mechanism for squid to be able to provide the fake CA 
certificate to the browser, so that the browser then trusts the fake site 
certificate which is signed with it.

Of course, this is impossible, since any mechanism which allowed this would 
allow the browser to be fooled into trusting any certificate anyone cared to 
wave at it.


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention



Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Antony Stone
On Thursday 08 September 2016 at 00:06:02, Marcus Kool wrote:

> slightly off topic: what is the easiest way to install a cert on a
> smartphone? I looked for an app but did not find one.

On my Android 4.2.2 device:

Settings -> Security -> Trusted credentials: "Display trusted CA certificates"

Settings -> Security -> Install from SD card: "Install certificates from SD 
card"


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.



Re: [squid-users] Transparent Proxy

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:

> I believe so.  The specific command I used was:
> 
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 
> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
> Squid is set to run on 3128.)

That looks okay, then.

> It's fair to say I have almost no experience with iptables.  Is it iptables
> that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 
on any address and send it instead to the local machine (REDIRECT changes the 
destination address to 127.0.0.1, even though that's not obvious) and port 
3128.

> when the packet is sent back to the client?

Correct.  IPtables' address translation rules are automatically symmetrical - 
when a packet gets translated in one direction, a record is kept that it was 
done, and then the reply packet is automatically reverse-translated when it 
comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables 
machine (ie: it's acting as a router), or whether they're being processed *on* 
the IPtables machine (as in this case).

I think we need to know more about your squid setup.

Please tell us which version of squid you are using, and post here your 
squid.conf file without comments or blank lines.


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

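As an added example, not code from either Transparent Proxy message above, here is a Python model of the two points Antony makes: a router rewrites only the Ethernet destination MAC and leaves the IP addresses alone, while the REDIRECT rule rewrites the destination to 127.0.0.1:3128 (as the thread describes it) and remembers the translation so Squid's reply is reverse-translated. The IP addresses and ports follow the thread; the MAC addresses and the client port are constructed.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header without options
TCP_PORTS = struct.Struct("!HH")       # only the TCP port fields are modelled
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

CLIENT_MAC = "02:00:00:00:00:09"   # constructed: the client 10.8.14.9
GATEWAY_MAC = "02:00:00:00:00:01"  # constructed: the default gateway 10.8.14.1
PROXY_MAC = "02:00:00:00:00:11"    # constructed: the host running Squid

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(octet) for octet in s.split("."))

def ip_checksum(hdr):
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    """Ethernet + IPv4 + the first four TCP bytes: both address layers present."""
    hdr = IPV4.pack(0x45, 0, IPV4.size + TCP_PORTS.size, 0, 0x4000, 64,
                    PROTO_TCP, 0, ip(src_ip), ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = ETH.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4)
    return eth + hdr + TCP_PORTS.pack(sport, dport)

def parse_frame(frame):
    """Decode the fields the thread argues about, and verify the IP checksum."""
    dst_mac, src_mac, _ = ETH.unpack_from(frame, 0)
    hdr = frame[ETH.size:ETH.size + IPV4.size]
    fields = IPV4.unpack_from(hdr)
    sport, dport = TCP_PORTS.unpack_from(frame, ETH.size + IPV4.size)
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "proto": fields[6],
        "src_ip": ".".join(map(str, fields[8])),
        "dst_ip": ".".join(map(str, fields[9])),
        "sport": sport, "dport": dport,
        "checksum_ok": fields[7] == ip_checksum(hdr),
    }

def route_to_next_hop(frame, out_mac, next_hop_mac):
    """A router's job: a fresh Ethernet header, the IP packet inside untouched."""
    return ETH.pack(mac(next_hop_mac), mac(out_mac), ETHERTYPE_IPV4) + frame[ETH.size:]

def rewrite(frame, src_ip=None, dst_ip=None, sport=None, dport=None):
    """NAT rewrite of addresses/ports with the IP checksum recomputed (the TCP
    checksum, which the kernel fixes up as well, is not modelled here)."""
    f = parse_frame(frame)
    hdr = bytearray(frame[ETH.size:ETH.size + IPV4.size])
    hdr[12:16] = ip(src_ip or f["src_ip"])
    hdr[16:20] = ip(dst_ip or f["dst_ip"])
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    ports = TCP_PORTS.pack(sport or f["sport"], dport or f["dport"])
    return frame[:ETH.size] + bytes(hdr) + ports

class RedirectNat:
    """iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128,
    as the thread describes it (destination becomes 127.0.0.1:3128), with the
    translation remembered so the reply can be reversed."""

    def __init__(self, match_dport=80, to_port=3128):
        self.match_dport, self.to_port = match_dport, to_port
        self.conntrack = {}  # (client ip, client port) -> (original dst ip, dst port)

    def prerouting(self, frame):
        f = parse_frame(frame)
        if f["proto"] != PROTO_TCP or f["dport"] != self.match_dport:
            return frame  # rule does not match: packet passes untouched
        self.conntrack[(f["src_ip"], f["sport"])] = (f["dst_ip"], f["dport"])
        return rewrite(frame, dst_ip="127.0.0.1", dport=self.to_port)

    def reply(self, frame):
        """Squid's reply gets its source restored to what the client asked for."""
        f = parse_frame(frame)
        original = self.conntrack.get((f["dst_ip"], f["dport"]))
        if original is None or (f["src_ip"], f["sport"]) != ("127.0.0.1", self.to_port):
            return frame
        return rewrite(frame, src_ip=original[0], sport=original[1])

def trace_client_request(client_port=40000):
    """Follow one client packet to Squid and Squid's reply back, hop by hop."""
    nat = RedirectNat()
    frame = build_frame(GATEWAY_MAC, CLIENT_MAC, "10.8.14.9", "1.1.1.1", client_port, 80)
    hops = [("client -> default gateway", parse_frame(frame))]
    frame = route_to_next_hop(frame, GATEWAY_MAC, PROXY_MAC)  # IPs unchanged, MACs new
    hops.append(("gateway -> Squid host", parse_frame(frame)))
    frame = nat.prerouting(frame)  # destination is now 127.0.0.1:3128
    hops.append(("after REDIRECT on Squid host", parse_frame(frame)))
    reply = build_frame(CLIENT_MAC, PROXY_MAC, "127.0.0.1", "10.8.14.9", 3128, client_port)
    hops.append(("Squid reply after reverse NAT", parse_frame(nat.reply(reply))))
    return hops
```

Printing the hops from `trace_client_request()` shows the MAC pair changing at the router while the IP pair stays 10.8.14.9 -> 1.1.1.1 until the REDIRECT step.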


Re: [squid-users] Problem with Squid3 Caches

2016-10-04 Thread Antony Stone
On Tuesday 04 October 2016 at 19:43:21, KR wrote:

> > On Oct 4, 2016, at 11:45 AM, Antony Stone wrote:
> > 
> > On Tuesday 04 October 2016 at 17:00:24, KR wrote:
> >> Hello Anthony, Yuri,
> >> 
> >> It seems every line is commented out in the config?
> > 
> > Impossible - otherwise it couldn't generate the error message "FATAL:
> > Bungled /etc/squid/squid.conf line 3467: cache_dir rock /ssd3 ..."
> > 
> > That is telling you that line 3467 of squid.conf starts with the
> > directive "cache_dir".
> 
> I see, is there an easy way to omit all lines that begin with the # sign?

Well, grep?

eg: grep -v "^[^#]" will show all lines which start with something other than 
a # - in other words, it will omit blank lines and comments.

> The line in question is
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256

Please confirm which file you are showing us the information from.

> > Standard Ubuntu?  Which version?
> 
> Standard and current.

So, 16.04?

> >> Attached are two screenshots that are suspect.
> > 
> > Er, what are those screenshots of?  It's certainly not the output of
> > Squid, or its config file.

An answer to this would be helpful.

> >> Ubuntu is running inside of a vm,
> > 
> > Er, so /ssd3 is not an actual SSD, then?  What is it?
> 
> I suspect it is an SSD drive

"Suspect"?

How have you set up this VM?  Is there an actual device mounted on /ssd3, or 
is it just some directory name in your VM?

> > I'm suspicious that you may have been using webmin, and we've had someone here on
> > the list recently who installed Squid on Ubuntu along with webmin, and
> > we then found out that the package maintainer had put the documentation
> > file for squid.conf in place of the actual squid.conf.
> 
> I tried it both its webadmin

Please specify what you mean by this - what is the "it" which "its" refers to 
above?

> and terminal to install.  Same result.  Squid seems to want a cache folder
> one very partition that exists.

I recommend you stop using any graphical tool to try to manage Squid, remove 
the package, and then simply:

1. Install the Squid (maybe called Squid3?  I can't quite recall for Ubuntu) 
package using apt-get or aptitude.

2. Edit the config file /etc/squid/squid.conf to your needs.

Hope that helps,


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

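As an added example (not from the thread), a small Python helper that lists only the lines Squid will actually parse from a squid.conf, keeping their original line numbers so that a message such as "Bungled squid.conf line 3467" can be matched against the file; the sample config is constructed for the demonstration.

```python
import re

# A line is ignored when it is blank or its first non-blank character is '#'.
IGNORED = re.compile(r"^\s*(#.*)?$")


def active_directives(conf_text):
    """[(line_number, directive)] for the lines Squid actually parses."""
    return [(n, line.strip())
            for n, line in enumerate(conf_text.splitlines(), start=1)
            if not IGNORED.match(line)]


def directive_at(conf_text, lineno):
    """The directive a 'Bungled squid.conf line N' message points at, or None
    when line N is a comment or blank (i.e. the file does not match the error)."""
    return dict(active_directives(conf_text)).get(lineno)


def line_stats(conf_text):
    """Counts that show whether 'every line is commented out' is actually true."""
    lines = conf_text.splitlines()
    active = len(active_directives(conf_text))
    blank = sum(1 for line in lines if not line.strip())
    return {"total": len(lines), "blank": blank,
            "comment": len(lines) - blank - active, "active": active}


# Constructed sample in the style of the documented squid.conf from the thread.
SAMPLE_CONF = """\
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

http_port 3128
cache_dir rock /ssd3 1000
coredump_dir /var/spool/squid
"""
```

Run `active_directives(open("/etc/squid/squid.conf").read())` on a real file to get the same view of it that Squid's parser has.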


Re: [squid-users] Squid - AD kerberos auth and Linux Server proxy access not working

2016-10-04 Thread Antony Stone
On Tuesday 04 October 2016 at 12:08:27, Nilesh Gavali wrote:

> All;
> 
> we have Squid proxy configured with Windows SSO with Kerberos which work
> fine for WIndows AD users.
> we have new requirement where one Linux application server need to access
> Internet via squid proxy, we allowed Linux host access via ACL but getting
> denied access error.

> http_access allow IWCCP01 allowedsite
> http_access allow USER allowedsite
> http_access deny all
> http_access allow ad_auth

That makes no sense.  The last rule can never be triggered.  "deny all" does 
exactly what it says.

However, that doesn't explain your problem, so please show what you get in 
your access log for a request from this Linux machine IWCCP01.

Thanks,

Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams



Re: [squid-users] problem in configuring squid

2016-10-04 Thread Antony Stone
On Tuesday 04 October 2016 at 14:51:13, Mehdi Yeganeh wrote:

> Thanks for quick reply,
> I need to use my server, i configure my ip address in some software like
> antivirus and ...

... and what?

I do not understand what antivirus software has to do with our discussion.  
Please give details, don't just write "...".

> So, I want all of that working

All of what?

> with my server ip address and for this reason I cannot use torproxy or
> torproject. I need a proxy server (squid) on my server

In that case install Squid on your server.  What is the problem?

> More details about 173.161.0.227:
> Its sophos web appliance that use squid on debian and using some other
> proxy software (Astaro HttpProxy) with squid and
> iptables for forwarding ports. but i can`t find the other proxy software
> for download. so, i just have squid alone (although iptables is present)

Okay, so I understand that the machine on that IP address (which appears to be 
serving Pennoyer School in Illinois, with connectivity provided by Comcast) is 
a "Sophos web appliance" - some sort of combined firewall / proxy / port 
forwarder.

What is the relevance of that machine to your question?

> Please tell me that should i use other tools or squid can do it?

Do what?

Please explain exactly what it is you are trying to achieve, and hoping that 
Squid is a solution for.


Regards,


Antony.

-- 
Police have found a cartoonist dead in his house.  They say that details are 
currently sketchy.



Re: [squid-users] Squid - AD kerberos auth and Linux Server proxy access not working

2016-10-04 Thread Antony Stone
On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:

> Hello Antony;
> I have double checked the current working configuration of my squid.conf
> and it has same settings which I posted earlier. somehow it is working for
> us.

I'm not saying the whole thing won't work; I'm saying there is no point in 
having a line "http_access allow ad_auth" following the line "http_access deny 
all".  The ad_auth line can never be invoked.

> below is the error from access.log file.
> 
> 1475518342.279  0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
> vseries-test.bottomline.com:443 - NONE/- text/html

Error 407 is "proxy auth required", so the proxy is expecting authentication 
for some reason.

Can you confirm that the hostname vseries-test.bottomline.com is contained in 
your site file /etc/squid/sitelist/dbs_allowed_site ?

Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to 
"http_access allow IWCCP01" and see whether the machine then gets access?


Antony.

-- 
+++ Divide By Cucumber Error.  Please Reinstall Universe And Reboot +++



Re: [squid-users] Problem with Squid3 Caches

2016-10-04 Thread Antony Stone
On Tuesday 04 October 2016 at 17:00:24, KR wrote:

> Hello Anthony, Yuri,
> 
> It seems every line is commented out in the config?

Impossible - otherwise it couldn't generate the error message "FATAL: Bungled 
/etc/squid/squid.conf line 3467: cache_dir rock /ssd3 ..."

That is telling you that line 3467 of squid.conf starts with the directive 
"cache_dir".

> This is a fresh install.

Standard Ubuntu?  Which version?

> ls -al /ssd3 outputs:
> 
> total 8
> drwxr-xr-x  2 root root 4096 Aug 13 18:20 .
> drwxr-xr-x 30 root root 4096 Oct  3 13:49 ..

Hm, okay, so that really does exist on your machine, then...

> Attached are two screenshots that are suspect.

Er, what are those screenshots of?  It's certainly not the output of Squid, or 
its config file.

> Do I need all of these cache folders on every partition?

You can put your cache directories wherever you like.

> Ubuntu is running inside of a vm,

Er, so /ssd3 is not an actual SSD, then?  What is it?

> default installation method using the setup wizard.

I'm suspicious that you may have been using webmin, and we've had someone here on the 
list recently who installed Squid on Ubuntu along with webmin, and we then 
found out that the package maintainer had put the documentation file for 
squid.conf in place of the actual squid.conf.

It can still work (not everything is commented out) but it's *far* bigger than 
it needs to be, and is somewhat confusing to work with.


Regards,


Antony.

-- 
It may not seem obvious, but (6 x 5 + 5) x 5 - 55 equals 5!



Re: [squid-users] Parameter to define quantity of clients in Proxy Reverse

2016-09-21 Thread Antony Stone
On Wednesday 21 Sep 2016 at 17:03, Roberto Carna wrote:

> Dear, just a brief question:
> 
> I have Squid 3.4.8 on Debian running in reverse proxy mode, and I need
> to know if there is any parameter in squid.conf that I have to adjust
> in order to define the quantity of clients I will accept.

No.

> Or is the same if the squid receives 10 or 1.000.000 petitions at the
> same time??? (My hardware is big enough, this is not my problem).

Squid will handle as many simultaneous connections as your hardware, 
operating system, and network connection can support.

It's just the same as your web server - it'll handle as many connection 
requests as it can; there's nothing to configure to specify how many to 
accept.


Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi



Re: [squid-users] Question about the url rewrite before proxy out

2016-09-22 Thread Antony Stone
On Thursday 22 Sep 2016 at 06:04, squid-us...@filter.luko.org wrote:

> > i am looking for a proxy which can "bounce" the request, which is not a
> > classic proxy.
> > 
> > I want it works in this way.
> > 
> > e.g. a proxy is running a 192.168.1.1
> > and when i want to open http://www.yahoo.com, i just need call
> > http://192.168.1.1/www.yahoo.com the proxy can pickup the the host
> > "http://www.yahoo.com" from the URI, and retrieve the info for me, so
> > it need to get the new $host from $location, and remove the $host from
> > the $location before proxy pass it. it is doable via squid?
> 
> Yes it is doable (but unusual).  First you need to tell Squid which requests
> should be rewritten, then send them to a rewrite program to be transformed. 
> Identify the domains like this:



> If you input http://www.yahoo.com/page.html, this will be transformed to
> http://192.168.1.1/www.google.com/page.html.

I got the impression that the OP wanted the rewrite to work the other way 
around.

Squid sees http://192.168.1.1/www.google.com and  re-writes it to 
http://www.google.com

> The helper just needs to print that out prepended by "OK rewrite-url=xxx". 
> More info at http://www.squid-cache.org/Doc/config/url_rewrite_program/
> 
> Of course, you will need something listening on 192.168.1.1 (Apache, nginx,
> whatever) that can deal with those rewritten requests.

I got the impression that the OP wanted Squid to be listening on this address, 
doing the rewrites, and then fetching from standard origin servers.

> That is an unusual way of getting requests to 192.168.1.1 though, because
> you are effectively putting the hostname component into the URL then sending
> it to a web service and expecting it to deal with that.

Yes, that's what the OP wants Squid to handle, I think.


Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates



Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Antony Stone
On Wednesday 17 August 2016 at 11:01:40, Eliezer Croitoru wrote:

> Hey Omid,
> 
> Just to understand, are you intercepting traffic?

From the original report: "Squid is in tproxy mode with routing"


Antony.

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Omid Kosari Sent: Wednesday, August 17, 2016 8:04 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid cpu usage 100% from few days ago !!
> 
> Even one ip address with less than 5 requests per second can grow squid cpu
> usage up to 30% . And 10 requests per second made 100% cpu usage . While
> there is nothing other than that client goes through squid . The client
> bandwidth is less than 10Kbps .
> 
> Isn't it crazy also ?

-- 
Salad is what food eats.



Re: [squid-users] best way to have randomized outgoing per each new connection

2016-08-22 Thread Antony Stone
On Monday 22 August 2016 at 20:01:14, --Ahmad-- wrote:

> I’m wondering here … what is the best method so that i give randomized tcp
> outgoing address per new session.

How do you define a "session" (in terms that mean something to Squid)?

> say that i have 100 ips  on squid .
> 
> i want each new connection to squid comes to have a specified outgoing
> address from the 100 pool
> 
> say i connected to port xxx on squid  i want to have outgoing ip like ip1
> 
> say i closed my browser or disconnected the session and connected again to
> have ip2 and keep on ip2 until session is closed or dead or timeout .

Please define "session" :)


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:

> 24.08.2016 18:23, Antony Stone writes:
> > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
> >> No one CA do not issue signing CA for subject, which is not CA itself.
> >> 
> >> So, op wants impossible thing.
> > 
> > Why would one need a signING certificate just to create an SSL connection
> > between the browser and Squid?
> > 
> > Surely one merely needs a valid signED certificate, same as you would
> > put on a web server to set up secure connections to it?
> > 
> > OP is not intercepting secure traffic, nor making HTTP sites look to
> > the browser like HTTPS ones.
> 
> Then I do not understand what he wants op.

He wants to configure his browser to connect to the proxy over an SSL 
connection, and then inside this secure connection send standard HTTP and 
HTTPS requests, just as a browser would do over an unsecured connection to the 
proxy on Squid's standard port 3128.

It's nothing to do with whether either the client or the destination server 
believe the web content itself to be secured with SSL/TLS.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Archaeologists have found a previously-unknown dinosaur which seems to have 
had a very large vocabulary.  They've named it Thesaurus.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:

> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.

Have you tried adding the option "generate-host-certificates=off" to your 
https_port line?

I'm not an expert on this bit of Squid, but I'm just looking at
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing 
anything to do with a "signing certificate" (which you do not have, and do not 
want to use).

> And here is my complete squid.conf:
> 
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> 
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
> 
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
> 
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:   1440 20% 10080
> refresh_pattern ^gopher: 1440 0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320

Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote:

> On 24.8.2016 14:18, Yuri Voinov wrote:
> > No one CA do not issue signing CA for subject, which is not CA itself.
> > 
> > So, op wants impossible thing.
> 
> I have tried to drop clientca option, to add generate-host-certificates=off
>  but outcome is still same error...
> 
> even with just this as config:
> https_port 8443 accel \

Why are you using accelerator mode?  Surely this is just a normal forwarding 
proxy?

> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem


Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we don't 
know we don't know."

 - Donald Rumsfeld, US Secretary of Defence



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:

> No one CA do not issue signing CA for subject, which is not CA itself.
> 
> So, op wants impossible thing.

Why would one need a signING certificate just to create an SSL connection 
between the browser and Squid?

Surely one merely needs a valid signED certificate, same as you would put on a 
web server to set up secure connections to it?

OP is not intercepting secure traffic, nor making HTTP sites look to the 
browser like HTTPS ones.


Antony.

> 24.08.2016 18:15, Antony Stone writes:
> > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> >> Squid fails to start for me with:
> >> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> >> 
> >> I have found that this is related to missing self signed certificate,
> >> and since I do not want to use self signed certificate I am asking if I
> >> can do anything about it.
> >> I would like to avoid self signed certificates so my users would not
> >> need to import and replace my own certs.
> > 
> > Have you tried adding the option "generate-host-certificates=off" to your
> > https_port line?
> > 
> > I'm not an expert on this bit of Squid, but I'm just looking at
> > http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> > noticing anything to do with a "signing certificate" (which you do not have,
> > and do not want to use).
> > 
> >> And here is my complete squid.conf:
> >> 
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80  # http
> >> acl Safe_ports port 21  # ftp
> >> acl Safe_ports port 443 # https
> >> acl Safe_ports port 70  # gopher
> >> acl Safe_ports port 210 # wais
> >> acl Safe_ports port 1025-65535  # unregistered ports
> >> acl Safe_ports port 280 # http-mgmt
> >> acl Safe_ports port 488 # gss-http
> >> acl Safe_ports port 591 # filemaker
> >> acl Safe_ports port 777 # multiling http
> >> acl Safe_ports port 901 # SWAT
> >> acl CONNECT method CONNECT
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access allow localhost manager
> >> http_access deny manager
> >> http_access deny to_localhost
> >> 
> >> auth_param basic program /usr/libexec/squid/basic_pam_auth
> >> auth_param basic children 5
> >> auth_param basic realm Proxy Authentication Required
> >> auth_param basic credentialsttl 2 hours
> >> 
> >> acl authenticated proxy_auth REQUIRED
> >> http_access allow authenticated
> >> http_access deny all
> >> 
> >> https_port 8443 \
> >> 
> >> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> >> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> >> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> >> tls-dh=/etc/ssl/certs/dhparam.pem \
> >> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> >> cipher=HIGH
> >> 
> >> cache_dir aufs /var/cache/squid 512 16 256
> >> coredump_dir /var/cache/squid
> >> refresh_pattern ^ftp:   1440 20% 10080
> >> refresh_pattern ^gopher: 1440 0%  1440
> >> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> >> refresh_pattern .   0   20% 4320
> > 
> > Antony.

-- 
I think broken pencils are pointless.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:

> >> Then I do not understand what he wants op.
> 
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
> 
> > Secure connection to squid proxy without need for anything else (on
> > client side) than configuring proxy in browser.
> 
> > Using provided signed certificates.
> > No SSL-bumping or whatever just forwarding.
> 
> Firstly, the concept is not safe. Users will have a secure connection to
> the proxy

Yes, that is all the OP is looking for.

> as well as the next?

Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is 
reduced.

> HTTP? User misled green padlock,

I do not think the browser will show an SSL/TLS padlock for a secured proxy 
connection - it only shows this for a secured connection to the destination 
server.  Therefore no misled users.

> believes all secure connection - as external traffic is not encrypted
> after the fact. Second. You seriously think that the world will sit
> under HTTPS? What, for example, you want to protect on news sites?

I don't understand what you are saying here.

The connection across the local network between browser and proxy is secured.

Beyond that everything works across the Internet just as normal - HTTP sites 
are not secured, HTTPS sites are secured.  The user sees SSL padlock and 
certificate chain for HTTPS sites, nothing for HTTP sites.

So, the design is more secure over the local network than the standard 
arrangement, and exactly the same beyond the local network.

No security is being compromised or downgraded.


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams



Re: [squid-users] connections from particular users sometimes get stuck

2016-09-28 Thread Antony Stone
On Wednesday 28 September 2016 at 17:37:58, Alex Rousskov wrote:

> AFAICT, Squid did not receive a request for www.ru:
> > $ egrep -c '.ru|217.112.35.75' cache.log.debug
> > 0
> > 
> > $ tshark -V -r squid-stuck-reference-client.pcap | egrep -c '.ru|217.112.35.75'
> > 0

Is that a direct copy'n'paste from your terminal?

If so, you tried one too many w's :(


Antony.

-- 
"There has always been an underlying argument that we should open up our 
source code more broadly. The fact is that we are learning from open source 
and we are opening our code more broadly through Shared Source.

Is there value to providing source code? The answer is unequivocally yes."

 - Jason Matusow, head of Microsoft's Shared Source Program, in response to 
leaks of Windows source code on the Internet.



Re: [squid-users] The Squid “Persona”- Squid 3.5.21+4.0.14 Release

2016-09-28 Thread Antony Stone
On Wednesday 28 September 2016 at 13:39:04, Eliezer Croitoru wrote:

> Take a look at the page source to get the full article:
> http://www1.ngtech.co.il/wpe/?p=345

If this is to be used as publicity material or a news item associated with the 
Squid project, I humbly recommend that a native English speaker is engaged to 
proofread and edit it.

Regards,

Antony.

-- 
3 logicians walk into a bar. The bartender asks "Do you all want a drink?"
The first logician says "I don't know."
The second logician says "I don't know."
The third logician says "Yes!"

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Kerberos Ne

2016-09-28 Thread Antony Stone
On Wednesday 28 September 2016 at 16:02:42, erdosain9 wrote:

> Hi.
> Sorry for my ignorance, but, i have squid authentication with kerberos...
> 
> all is working fine...
> 
> but i have some behavior in cache.log that... i dont know if this is the
> expected, or there is some problem
> 
> because the file is going to be huge as put the squid in production ...
> this is appropriate behavior, or is warning of a problem?

Please post here your current squid.conf without comments or blank lines.

Antony.

-- 
All matter in the Universe can be placed into one of two categories:

1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with 
them.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] problem in configuring squid

2016-10-03 Thread Antony Stone
On Monday 03 October 2016 at 17:03:13, Shark wrote:

> I want to config squid to make "open proxy" for both http & https
> I want make anonymous proxy, without decrypting traffic or etc, just change
> ip address, like this:
> 
> i find lot of ip port in internet for example: 173.161.0.227
> when i add some host to /etc/hosts like this:
> 
> 173.161.0.227 www.iplocation.net
> 
> its give me true way without ssl blocking in client and my ip changes to
> 173.161.0.227,

Squid is the wrong tool for this job.

You probably want something like https://www.torproject.org/

Antony.

-- 
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Problem with Squid3 Caches

2016-10-03 Thread Antony Stone
On Monday 03 October 2016 at 20:55:07, Jason Alexander wrote:

> Greetings -
> 
> I’m trying to install squid on an Ubuntu workstation in a VM.  I install
> squid but unable to initialize caches.  I get the following error:
> 
> FATAL: Bungled /etc/squid/squid.conf line 3467: cache_dir rock /ssd3 ...

My guess is:

a) you have an email client which isn't correctly adding a plain text body

b) you do not have a directory /ssd3 on your computer

If either of those is incorrect, please follow Yuri's request to post your 
squid.conf (without comments or blank lines, please), but also add the output 
of:

ls -al /ssd3

from your machine.


Thanks,


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent and non Transparent at the same time

2016-10-27 Thread Antony Stone
On Thursday 27 October 2016 at 20:57:04, Yuri Voinov wrote:

> You know method to do this without NAT? ;)

I know how to do it without DNAT, which is what Eliezer recommended and you 
challenged.

Antony.

-- 
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent and non Transparent at the same time

2016-10-27 Thread Antony Stone
On Thursday 27 October 2016 at 21:04:18, Yuri Voinov wrote:

> (facepalm)
> 
> rdr(REDIRECT) is NAT functionality? Yes or no?

Apologies - I could have answered this better:

Yes, REDIRECT is one NAT functionality.  There are several others.

On Thursday 27 October 2016 at 19:46:53, Eliezer Croitoru wrote:

> You need routing policy not DNAT.

This remains a correct statement.


Antony.

-- 
f u cn rd ths, u cn gt a gd jb n nx prgrmmng

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent and non Transparent at the same time

2016-10-27 Thread Antony Stone
On Thursday 27 October 2016 at 19:51:22, Yuri Voinov wrote:

> You absolutely sure, Eliezier? :)

Yes - you do not use DNAT.

You do use REDIRECT on the machine Squid is running on.


Antony.

> 27.10.2016 23:46, Eliezer Croitoru пишет:
> > You need routing policy not DNAT.
> > 
> > Eliezer
> > 
> > 
> > Eliezer Croitoru
> > Linux System Administrator
> > Mobile: +972-5-28704261
> > Email: elie...@ngtech.co.il
> > 
> > 
> > -Original Message-
> > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> 
> On Behalf Of erdosain9
> 
> > Sent: Thursday, October 27, 2016 19:08
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Transparent and non Transparent at the same
> 
> time
> 
> > Ok... but i have this problem
> > 
> >  ERROR: NAT/TPROXY lookup failed to locate original IPs on
> > 
> > local=192.168.1.15:3130 remote=192.168.1.1:52090 FD 14 flags=33
> > 
> > ...
> > I put some dstnat in Mikrotik (192.168.1.1)
> > 
> > 
> > ip firewall nat add chain=dstnat src-add=192.168.1.121 protocol=tcp
> > dst-port=80  action=dst-nat
> > to-addresses=192.168.1.20 to-ports=3129
> > 
> > ERROR: NAT/TPROXY lookup failed to locate original IPs on
> > local=192.168.1.20:3129 remote=192.168.1.1:52153 FD 14 flags=33
> > 2016/10/27 14:01:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> > local=192.168.1.215:3129 remote=192.168.1.1:52154 FD 14 flags=33: (92)
> 
> Protocol not available
> 
> > I dont have iptables or firewalld... im using Centos... is necessary
> 
> enable firewalld or iptables???
> 
> > im using the PC (192.168.1.121 for test) Thanks
> 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-and-non-Transparent-at-the-same-time-tp4680309p4680330.html
> 
> > Sent from the Squid - Users mailing list archive at Nabble.com.

-- 
#include <stdio.h>

#define SIX 1+5
#define NINE 8+1

int main() {
/* unparenthesised macro bodies: SIX * NINE expands to 1+5*8+1 */
printf("%d\n", SIX * NINE);
return 0;
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent and non Transparent at the same time

2016-10-27 Thread Antony Stone
On Thursday 27 October 2016 at 21:04:18, Yuri Voinov wrote:

> (facepalm)
> 
> rdr(REDIRECT) is NAT functionality? Yes or no?

Yes, DNAT is one NAT functionality.  There are several others.

On Thursday 27 October 2016 at 19:46:53, Eliezer Croitoru wrote:

> You need routing policy not DNAT.

DNAT is definitively not required for this - it needs a different form of NAT.


Antony.

-- 
f u cn rd ths, u cn gt a gd jb n nx prgrmmng

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent and non Transparent at the same time

2016-10-27 Thread Antony Stone
On Thursday 27 October 2016 at 21:09:44, Yuri Voinov wrote:

> OP originally wrote - "I have no IPtables and so on."
> He needs specific guidance, not word games.

Agreed.


Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Is something wrong with the squid list?

2016-11-05 Thread Antony Stone
On Saturday 05 November 2016 at 16:07:09, Stanford Prescott wrote:

> I've received no messages at all on this mail list for several days. Is the
> list still "working"?

Yes.

http://lists.squid-cache.org/pipermail/squid-users/2016-November/date.html

Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid Problem

2016-11-08 Thread Antony Stone
On Tuesday 08 November 2016 at 13:47:25, Jose Joaquin Ruiz Silva wrote:

> Good morning I am Cuban I have mounted squid 2.7 on debian wheezy

Why?

Debian Wheezy contains version 3.1.20 and Wheezy-backports contains the 
version 3.4.8

Installing 2.7 in 2016 (that version is 8 years old and has not been updated 
in 6 years - see http://www.squid-cache.org/Versions/ ) is a dead end.

> and it works fine but I am looking for a page that will allow users to
> change the password

What password?

> see their quota

What quota?

> the user expire after 1 year, the password expire in 2 months

Please tell us what you are talking about - Squid has no password expiry 
mechanism.

> but That an email arrives to him on the last 10 days telling him that he has
> 10 days to change the password.

1. Where does this email come from?

2. What does this password provide access to?

I strongly suspect your question is not to do with Squid (LDAP, perhaps?), but 
give us some more information and we'll see if we can help.


Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid Problem - Google

2016-11-07 Thread Antony Stone
On Monday 07 November 2016 at 10:53:14, Bilal Mohamed wrote:

> Hi,
> 
> I am getting following error while accessing google. Rest all websites are
> ok. There is no ACL to block google.com

Is your machine properly configured for IPv6?

Try the following:

ping www.google.com

ping6 www.google.com

If you get a response to both of those then your machine looks like it is 
correctly working on both IPv4 and IPv6, and we need to investigate further 
what the problem with Squid is, but if you get a response from the first 
command and not from the second, then IPv6 is not working correctly, and 
therefore Squid cannot connect to Google's IPv6 address (as shown below).

If the latter turns out to be the problem, I hope someone else can remind us 
what the configuration command is to tell Squid to use IPv4 and not IPv6.


Antony.

> *ERROR*
> 
> *The requested URL could not be retrieved*
> --
> 
> The following error was encountered while trying to retrieve the URL:
> http://www.google.com/
> 
> *Connection to 2a00:1450:4009:803::2004 failed.*
> 
> The system returned: *(101) Network is unreachable*
> 
> The remote host or network may be down. Please try the request again.
> 
> Your cache administrator is webmaster

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Caching Google Chrome googlechromestandaloneenterprise64.msi

2016-10-22 Thread Antony Stone
Disclaimer: I am not a Squid developer.

On Saturday 22 October 2016 at 14:43:55, gar...@comnet.uz wrote:

> IMO:
> 
> The only reason I believe [explains] why core developers of Squid tend to
> move HTTP violating settings from average users is to prevent possible
> abuse/misuse.

I believe the reason is that one of Squid's goals is to be RFC compliant, 
therefore it does not contain features which violate HTTP.

> Nevertheless, I believe that core developers should publish an
> _official_ explanations regarding the tendency, as it often becomes a
> "center of gravity" of many topics.

Which "tendency"?

What are you asking for an official explanation of?


Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] possible to intercept https traffic in TCP_TUNNEL CONNECT method ?

2016-10-22 Thread Antony Stone
On Saturday 22 October 2016 at 15:42:23, --Ahmad-- wrote:

> Hi guys
> say that i have squid proxy sever
> and i was running  capturing traffic on that server .

You mean using ICAP or ECAP service?

> say that all users were using ip:port —> ((tcp_connect  tunnel))) mode of
> squid

I'm not sure what you mean here - are you saying the clients are configured to 
use the proxy, or that the proxy is operating in intercept mode, and the 
clients don't know?

> the question is being asked here … will i be able to see https traffic like
> Facebook  as normal traffic ? or encrypted ?

You can always see the encrypted traffic - you don't need Squid for that - just 
run tcpdump, wireshark or similar on a router between your clients and the 
Internet.  Encrypted traffic isn't going to tell you much, though.

> the question in other way  …. is it possible to hack https traffic and see
> it as not encrypted ?

Yes - you perform a Man-in-the-Middle attack, which requires configuring the 
clients to accept fake certificates from Squid by trusting its built-in 
Certificate Authority.  In other words, you cannot do it without clients 
knowing that the certificate presented by Squid does not belong to the site 
they're visiting.

Also, all technical possibilities aside, it may well be illegal for you to do 
this, depending on where you are and who your users are.

See http://wiki.squid-cache.org/Features/SslPeekAndSplice and 
http://wiki.squid-cache.org/SquidFaq/ContentAdaptation for more details.


Antony.

-- 
"Life is just a lot better if you feel you're having 10 [small] wins a day 
rather than a [big] win every 10 years or so."

 - Chris Hadfield, former skiing (and ski racing) instructor

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Slowness in Squid [squid-users Digest, Vol 26, Issue 82]

2016-10-23 Thread Antony Stone
On Sunday 23 October 2016 at 14:42:02, Krishna Kulkarni wrote:

> Hi Antony,
> Thanks for the reply. I have made changes in squid.conf as per your
> suggestion and have allocated 20 GB of Hard disk space.

Have you made any measurements at all (either before making the disk cache 
bigger, or since) of what percentage of content Squid is actually caching for 
you?

In other words, how much bandwidth is Squid saving you, compared to simply not 
using Squid at all and getting the content directly?

Also, what made you believe that your disk cache was too small and needed to 
be 20Gbytes instead?

> Squid server at my location handles http/https requests for more than 500
> hosts.

What's more important is the number of requests per second going through Squid 
- it doesn't matter how many hosts are generating them.

> But at peak hours squid usually performs very slow and browser takes
> 1-2 minutes just to serve google home page and more time than that for
> heavy web page.

Have you compared this side-by-side with a browser configured to use Squid and 
a browser configured to go direct?

> I have verified network link utilization & found it consumes not more than
> 15 mb whereas link bandwidth is of 45mb

So, why are you using Squid?

> but still squid serves web pages very slow to client hosts.

What hardware are you running Squid on?

Which operating system / version are you running it under?

What load is Squid generating on the machine?

> Any suggestions in squid configuration to overcome this issue would be
> highly appreciated.

Have you made any measurements of the type of traffic your users are generating 
(for example, HTTP vs. HTTPS) and how much of this is cacheable at all?

Squid won't help you if the content they're fetching can't be cached (either 
encrypted, or dynamically-generated etc.).


Regards,


Antony.


Re: [squid-users] Slowness in Squid

2016-10-23 Thread Antony Stone
On Sunday 23 October 2016 at 05:36:22, Krishna Kulkarni wrote:

> I am new to squid.. I have installed squid 3.5 on CentOS 6.7. As a
> configuration part, I have kept most of the things default. Please advice
> on how to allocate cache memory of 20 GB to squid.

Do you mean cache memory, or disk cache?


If you mean memory (RAM) and you have enough of this in your system (eg: 32 
Gbytes or more), then find the section in squid.conf which starts with:

# MEMORY CACHE OPTIONS

And read about the tag "cache_mem".

To set this value (normally 256 Mbytes) to 20 Gbytes, set:

cache_mem 20 GB


If, on the other hand, you do not mean memory, but you mean disk cache, then 
find the section in squid.conf with starts with:

#  TAG: cache_dir

and read that section.

Pay particular attention to the line which says:

#   cache_dir ufs Directory-Name Mbytes L1 L2 [options]

And then later there is an example:

# cache_dir ufs /var/spool/squid3 100 16 256

Uncomment that line and change the 100 (Megabytes) in that line to 2 (for 
20 Gigabytes) and perhaps also adjust the 16 to something like 64 or even 256 
- for a large cache you don't want a few directories with lots of entries 
each, so it's worthwhile creating lots of directories to keep the number of 
files in each down.

> I got to know that, more cache memory would increase performance of squid..

What do you mean by "performance"?


Antony.

-- 
Just when you think you're done, a cat floats by with buttered toast strapped 
to its back.

 - Steve Krug, "Don't make me think"

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] squid-users Digest, Vol 26, Issue 82

2016-10-23 Thread Antony Stone
On Sunday 23 October 2016 at 15:26:54, Yuri Voinov wrote:

> You can have slow DNS. Consider to use local caching DNS recursor as
> source for proxy & users.

Why would that result in requests via Squid being slower than direct?

@Krishna: You *have* confirmed that Squid requests are slower than direct 
requests, for the same URL, at the same time, haven't you?

Antony.

> 23.10.2016 18:42, Krishna Kulkarni пишет:
> > Hi Antony,
> > Thanks for the reply. I have made changes in squid.conf as per your
> > suggestion and have allocated 20 GB of Hard disk space.
> > Squid server at my location handles http/https requests for more than
> > 500 hosts. But at peak hours squid usually performs very slow and
> > browser takes 1-2 minutes just to serve google home page and more time
> > than that for heavy web page.
> >
> > I have verified network link utilization & found it consumes not more
> > than 15 mb whereas link bandwidth is of 45mb but still squid serves web
> > pages very slow to client hosts.
> >
> > Any suggestions in squid configuration to overcome this issue would be
> > highly appreciated.
> >
> > Thanks,
> > Krishna.

-- 
"If I've told you once, I've told you a million times - stop exaggerating!"

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Issue when connecting to apple APN

2016-10-24 Thread Antony Stone
On Monday 24 October 2016 at 11:27:17, Alaa Hassan Barqawi wrote:

> Dears,
> I am facing issue in connecting with apple APN gateway.push.apple.com :
> 2195 The name cannot be resolved although I am using google DNS servers
> and it throws an error Unable to determine IP address from host name
> gateway.push.apple.com The DNS server returned:
> No DNS records

There is no A (or AAAA) record, but it is a CNAME:

$ dig gateway.push.apple.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway.push.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4722
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gateway.push.apple.com.        IN      A

;; ANSWER SECTION:
gateway.push.apple.com. 193 IN  CNAME   gateway.push-apple.com.akadns.net.
gateway.push-apple.com.akadns.net. 60 IN A  17.188.129.25
gateway.push-apple.com.akadns.net. 60 IN A  17.188.134.21
gateway.push-apple.com.akadns.net. 60 IN A  17.188.135.152
gateway.push-apple.com.akadns.net. 60 IN A  17.188.135.149
gateway.push-apple.com.akadns.net. 60 IN A  17.188.134.150
gateway.push-apple.com.akadns.net. 60 IN A  17.188.136.184
gateway.push-apple.com.akadns.net. 60 IN A  17.188.137.150
gateway.push-apple.com.akadns.net. 60 IN A  17.188.142.26

;; Query time: 19 msec
;; SERVER: 80.68.80.24#53(80.68.80.24)
;; WHEN: Mon Oct 24 10:35:09 2016
;; MSG SIZE  rcvd: 215

Are you using your own DNS server, or someone else's?


Antony.

-- 
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Issue when connecting to apple APN

2016-10-24 Thread Antony Stone
On Monday 24 October 2016 at 11:36:34, Antony Stone wrote:

> On Monday 24 October 2016 at 11:27:17, Alaa Hassan Barqawi wrote:
> > Dears,
> > I am facing issue in connecting with apple APN gateway.push.apple.com :
> > 2195 The name cannot be resolved although I am using google DNS servers
> > and it throws an error Unable to determine IP address from host name
> > gateway.push.apple.com The DNS server returned:
> > No DNS records
> 
> There is no A (or AAAA) record, but it is a CNAME:
> 
> $ dig gateway.push.apple.com
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gateway.push.apple.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4722
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;gateway.push.apple.com.        IN      A
> 
> ;; ANSWER SECTION:
> gateway.push.apple.com. 193 IN  CNAME   gateway.push-apple.com.akadns.net.
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.129.25
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.134.21
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.135.152
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.135.149
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.134.150
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.136.184
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.137.150
> gateway.push-apple.com.akadns.net. 60 IN A  17.188.142.26
> 
> ;; Query time: 19 msec
> ;; SERVER: 80.68.80.24#53(80.68.80.24)
> ;; WHEN: Mon Oct 24 10:35:09 2016
> ;; MSG SIZE  rcvd: 215
> 
> Are you using your own DNS server, or someone else's?

I apologise for not noticing "I am using Google DNS servers".

However, sending the above query to 8.8.8.8 gives me precisely the same 
result.


Antony.

-- 
The Magic Words are Squeamish Ossifrage.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Antony Stone
On Friday 11 November 2016 at 17:51:04, jarrett+squid-us...@jarrettgraham.com 
wrote:

> I'm trying to use ACLs to direct incoming traffic on assigned ports to
> assigned outgoing addresses.  But, squid uses the first IP address
> assigned to the interface not listed in the config instead.

See http://lists.squid-cache.org/pipermail/squid-users/2016-October/013270.html

Specifically "IP addressing on the outgoing connections is an operating system 
choice.  Squid does not have any direct control over outgoing connections 
besides their destination IP:port."


Antony.

-- 
I thought I had type A blood, but it turned out to be a typo.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] remove all squid pages & errors pages footprints

2016-11-20 Thread Antony Stone
On Sunday 20 Nov 2016 at 11:22, --Ahmad-- wrote:

> i want to protect squid from being scanned and flagged as open proxy

So, make sure it isn't an open proxy - restrict who has access, either by IP 
address or by authentication.

If you *do* have an open proxy on the Internet, it doesn't matter whether it 
identifies itself as Squid or not - it *will* get found, it will get (ab)used, 
and you may well find your connectivity provider blocks your IP address.


Antony

-- 
The Magic Words are Squeamish Ossifrage.

   Please reply to the list;
 please *don't* CC me.

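As an added illustration of the two restrictions named in the reply above (this fragment is not from the original post or the Squid project; the internal network range, the helper path and the password file are assumptions), here is a squid.conf fragment showing the open-proxy mistake next to an access-restricted configuration:

```conf
# --- WRONG: an open proxy. Anyone able to reach port 3128 can relay through it.
#     Left commented out only to show the contrast.
# http_port 3128
# http_access allow all

# --- Restricted by source IP address (assumed internal range)
http_port 3128
acl localnet src 192.168.1.0/24
http_access allow localnet

# --- Restricted by authentication (helper path and password file are assumed;
#     basic_ncsa_auth ships with Squid, the passwd file is created with htpasswd)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Everything else is denied. http_access rules are evaluated in order and the
# first match wins, so this line must stay last; it is what stops the proxy
# from being open to the whole Internet.
http_access deny all
```

Run `squid -k parse` after editing to check the syntax, then confirm from an address outside the allowed range that a request through the proxy is refused.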

Re: [squid-users] Squid Problem

2016-11-02 Thread Antony Stone
On Wednesday 02 November 2016 at 12:10:46, Bilal Mohamed wrote:

> This is where the files are pointing to... can i delete the files dm-0 and
> dm-1 ?

NO!

> root@AG-HO-PRXY:/dev/mapper# ls -lrt
> total 0
> crw--- 1 root root 10, 236 2016-11-02 13:21 control
> lrwxrwxrwx 1 root root   7 2016-11-02 13:21 AG--HO--PRXY-swap_1 -> ../dm-1
> lrwxrwxrwx 1 root root   7 2016-11-02 13:21 AG--HO--PRXY-root -> ../dm-0

Those are the raw devices representing your disk storage.

I recommend you consult someone familiar with Linux system administration to 
resolve this problem.

Antony.

> On Wed, Nov 2, 2016 at 2:02 PM, Antony Stone wrote:
> > On Wednesday 02 November 2016 at 11:58:31, Bilal Mohamed wrote:
> > > How do I clear it?
> > 
> > Erm, delete stuff you don't need, or given that it's an LVM logical
> > volume, make it bigger?
> > 
> > I really don't think that is a Squid-specific question...
> > 
> > > On Wed, Nov 2, 2016 at 1:57 PM, Antony Stone wrote:
> > > > On Wednesday 02 November 2016 at 11:39:22, Bilal Mohamed wrote:
> > > > > Please find the disk space status.
> > > > > 
> > > > > /dev/mapper/AG--HO--PRXY-root
> > > > > 
> > > > >  12189696 12189695   1  100% /
> > > > 
> > > > And there's your problem - your root file system is full.
> > > > 
> > > > 
> > > > Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid Problem

2016-11-02 Thread Antony Stone
On Wednesday 02 November 2016 at 11:39:22, Bilal Mohamed wrote:

> Please find the disk space status.

> /dev/mapper/AG--HO--PRXY-root
>  12189696 12189695   1  100% /

And there's your problem - your root file system is full.


Antony.

-- 
I have an excellent memory.
I can't think of a single thing I've forgotten.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid Problem

2016-11-02 Thread Antony Stone
On Wednesday 02 November 2016 at 12:17:30, Bilal Mohamed wrote:

> so what i need to clear now? i am restarting squid every 5-10 mins

You have a root file system which is too small for the data you are trying to 
store on it.

That is not a Squid-specific problem.

My recommendations, in order of preference, are:

1. Consult someone who knows about Linux system administration.

2. Define your Squid cache in squid.conf to be smaller

3. Make your root file system larger by expanding the Logical Volume (see point 
1 above)

4. Delete data you do not need to free up enough space for your cache (see 
also point 1 above)


Antony.

> On Wed, Nov 2, 2016 at 2:16 PM, Antony Stone wrote:
> > On Wednesday 02 November 2016 at 12:10:46, Bilal Mohamed wrote:
> > > This is where the files are pointing to... can i delete the files dm-0
> > > and dm-1 ?
> > 
> > NO!
> > 
> > > root@AG-HO-PRXY:/dev/mapper# ls -lrt
> > > total 0
> > > crw--- 1 root root 10, 236 2016-11-02 13:21 control
> > > lrwxrwxrwx 1 root root   7 2016-11-02 13:21 AG--HO--PRXY-swap_1 -> ../dm-1
> > > lrwxrwxrwx 1 root root   7 2016-11-02 13:21 AG--HO--PRXY-root -> ../dm-0
> > 
> > Those are the raw devices representing your disk storage.
> > 
> > I recommend you consult someone familiar with Linux system administration
> > to resolve this problem.
> > 
> > Antony.
> > 
> > > On Wed, Nov 2, 2016 at 2:02 PM, Antony Stone wrote:
> > > > On Wednesday 02 November 2016 at 11:58:31, Bilal Mohamed wrote:
> > > > > How do I clear it?
> > > > 
> > > > Erm, delete stuff you don't need, or given that it's an LVM logical
> > > > volume, make it bigger?
> > > > 
> > > > I really don't think that is a Squid-specific question...
> > > > 
> > > > > On Wed, Nov 2, 2016 at 1:57 PM, Antony Stone wrote:
> > > > > > On Wednesday 02 November 2016 at 11:39:22, Bilal Mohamed wrote:
> > > > > > > Please find the disk space status.
> > > > > > > 
> > > > > > > /dev/mapper/AG--HO--PRXY-root
> > > > > > > 
> > > > > > >  12189696 12189695   1  100% /
> > > > > > 
> > > > > > And there's your problem - your root file system is full.
> > > > > > 
> > > > > > Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] ERROR: Cannot connect to 127.0.0.1:3128

2016-10-11 Thread Antony Stone
On Tuesday 11 October 2016 at 12:31:03, Jorgeley Junior wrote:

> I think it could be the sequence of the rules, do this command and post the
> results:
> grep . /etc/squid-your-version/squid.conf | grep -v "#"

This can be collapsed down to:

grep "^[^#]" /etc/squid-your-version/squid.conf

That regex matches any character other than # at the start of a line.  Empty 
lines don't count, because there is no character at the start of the line.


Antony.

> 2016-10-11 3:59 GMT-03:00 Amos Jeffries :
> > On 11/10/2016 4:54 p.m., Михаил wrote:
> > > I checked squid version 3.5.21 with my configuration and I faced a
> > > problem. Earlier, in version 3.5.12, I used this line to connect to
> > > localhost, but now it doesn't work.
> > 
> > Order is important. Where you place the rules in squid.conf matters a
> > lot with regards to whether they are actually useful and do what you
> > want, or not.
> > 
> > > # squid.conf
> > > ...
> > > http_access allow localhost manager
> > > http_access deny manager
> > > ...
> > > # squidclient -p 3128 -h localhost mgr:info
> > > HTTP/1.1 403 Forbidden
> > > Server: squid
> > > Mime-Version: 1.0
> > > Date: Tue, 11 Oct 2016 03:42:54 GMT
> > > ...
> > > 
> > > If I set a full access I could connect to localhost.
> > > 
> > > 
> > > # squid.conf
> > > ...
> > > http_access allow all
> > > http_access deny manager
> > > ...
> > 
> > So what IP address(es) does 'localhost' resolve to?
> > 
> > > # squidclient -p 3128 -h localhost mgr:info
> > > stub time| WARNING: BCP 177 violation. IPv6 transport forced OFF by
> > > build parameters.
> > 
> > I know you said in a followup to ignore this. But it may be important.
> > 
> > It shows that squidclient was built with --disable-ipv6, and yet your
> > system is IPv6-enabled.
> > 
> > The name "localhost" for IPv6-enabled systems is ::1.
> > 
> > A squid binary that is built with --disable-ipv6 will not permit ::1
> > since it is non-IPv4. But it will be recognized as part of "all" IP space.
> > 
> > > HTTP/1.1 200 OK
> > > Server: squid
> > > Mime-Version: 1.0
> > > Date: Tue, 11 Oct 2016 03:47:36 GMT
> > > ...
> > > What has happened? And what is the right way to connect to
> > > cache_management from localhost?
> > 
> > squidclient defaults to localhost and port 3128 for management access to
> > Squid. Just use:
> >   squidclient mgr:info
> > 
> > Amos
> > 
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly



Re: [squid-users] Squid 2.7 to Squid 3.5

2016-10-16 Thread Antony Stone
On Sunday 16 October 2016 at 15:20:39, Johnny Lam wrote:

> Dear All,
> 
> I've encountered an issue during the upgrade from 2.7 to 3.5; please find my
> config below. Seems everything changed in version 3.5.

No config to be found :(

Please:

 - post your squid.conf without comments or blank lines

 - tell us which system / distribution / version you are running this on

 - tell us what "issue" means - ie: what problem are you experiencing?

> Hope you guys can help, Thanks!

The more info you give us, the better our chances :)


Antony.

-- 
The Magic Words are Squeamish Ossifrage.



Re: [squid-users] Looking for additional information about securing squid

2016-12-13 Thread Antony Stone
On Tuesday 13 December 2016 at 23:44:12, Steve Becker wrote:

> Hi all,

Hi.

> My background's in networking, I'm very new to unix/linux and server
> administration, I don't know a whole lot about security beyond ACLs and
> setting up crypto for VPNs.
>
> I'm setting up a box at home with CentOS and squid,

> I know web servers are vulnerable to certain kinds of attacks, some of
> which could escalate user privileges or dump data people shouldn't have
> access to. Is squid, as a proxy server, vulnerable to some of these
> kinds of attacks?  I'll be limiting squid to only accept traffic from my
> LAN but you still never know.  A guest might use my network with an
> infected device, etc.

First question - what are you aiming / hoping to achieve by implementing 
Squid?

Second question - do you really give guests full access to your home network, 
rather than just "a gateway to the Internet with no visibility of my private 
machines"?


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.



Re: [squid-users] unknown source IP in access.log

2016-12-14 Thread Antony Stone
On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:

> Thanks for your reply.
> 
> Here’s the config file: http://pastebin.com/DNDacy6M

Where is this file located on your system?  The answer to this question is 
needed further down my reply.

I've skipped some bits to make my reply clearer...

> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA

Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard 
to accept that this really is the squid.conf file you're using:

a) if it allows connections from IPs such as 118.89.21.244

b) if it allows *anything* to CONNECT.


Please do one of the following:

1. Run "squid -k parse" and make sure it returns no errors, then introduce a 
deliberate error to your squid.conf file (such as mis-spelling "deny" or 
similar) and run "squid -k parse" again to make sure it reads the file you 
think it is using, and reports the error (then undo the mistake again).

2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the 
location on your system where your config file lives (as asked above).  
Assuming this returns no errors, again (as in suggestion 1) introduce a 
deliberate error, re-run "squid -f /path/to/your/squid.conf -k parse" and make 
sure it picks up on the error.

I find it hard to believe that the squid.conf you showed can produce the 
results you report.

Please also post the output of "find / -name squid.conf" on your machine.

> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: imaps
> 
> Postfix SMTP 587

Okay, so nothing to do with Squid, then.  I just wondered whether it might 
have a web interface.


Regards,


Antony.

> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
> 
> On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
> 
> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to be originated from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.
> 
> I suggest you show us your squid.conf (without comments or blank lines)
> because you do not seem to have achieved restricting source IPs as
> intended.
> 
> Here is a sample of the log:
> 
> 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ -
> HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461
> 595
> 
> 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ -
> HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993
> 749
> 
> 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ -
> HIER_DIRECT/116.31.99.233 text/html 1481728040.312  0
> 
> I am worried about spam…
> 
> I would not call this spam - I would call it "people trying to abuse your
> proxy".
> 
> is this normal?
> 
> It is normal that they try.  It is not normal that your access control
> rules allow them to get this far.
> 
> if not, how can I know what is accessing squid and stop it.
> 
> You don't care what is accessing it - you only care that it's coming from
> the outside, and that should not be allowed.  Either or both of your Squid
> ACLs and your firewall rules need to be reviewed.
> 
> NOTE: this server has a small iRedMail server installed on it.
> 
> What port/s does that listen on?  It is intended to be externally
> accessible?

-- 
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis



Re: [squid-users] unknown source IP in access.log

2016-12-14 Thread Antony Stone
On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:

> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to be originated from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.

I suggest you show us your squid.conf (without comments or blank lines) 
because you do not seem to have achieved restricting source IPs as intended.

> Here is a sample of the log:
> 
> 1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.461    595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.993    749 123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ - HIER_DIRECT/180.208.65.100 application/multipart-formdata
> 1481728037.538   2307 122.227.189.214 TCP_MISS/200 764 POST http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233 text/html
> 1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728038.773   2528 118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.162   1575 139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.203    612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
> 1481728039.615  51681 172.82.184.19 TCP_MISS/502 3806 GET http://115.231.17.12:9636/ - HIER_DIRECT/115.231.17.12 text/html
> 1481728039.615      0 172.82.184.19 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728040.311  36606 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728040.312      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.477  67001 74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ - HIER_DIRECT/61.155.5.197 text/html
> 1481728041.478      0 74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.856  13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html
> 1481728041.857      0 172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/- text/html
> 
> I am worried about spam…

I would not call this spam - I would call it "people trying to abuse your 
proxy".

> is this normal?

It is normal that they try.  It is not normal that your access control rules 
allow them to get this far.

> if not, how can I know what is accessing squid and stop it.

You don't care what is accessing it - you only care that it's coming from the 
outside, and that should not be allowed.  Either or both of your Squid ACLs 
and your firewall rules need to be reviewed.

> NOTE: this server has a small iRedMail server installed on it.

What port/s does that listen on?  It is intended to be externally accessible?


Regards,


Antony.

-- 
Wanted: telepath.   You know where to apply.

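As an added example (not part of this thread), a small POSIX shell script that does mechanically what the reply above does by eye: it reads log lines in Squid's native format, lists every client address outside the 10.0.0.0/24 localnet from the quoted squid.conf, and separates probes Squid rejected from requests it actually forwarded upstream. The log lines are constructed for the demo; the CIDR default is the thread's localnet.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Squid native-format access.log
# for clients outside the network the squid.conf in this thread intends to
# serve (acl localnet src 10.0.0.0/24).  Needs only POSIX sh, awk and sort.

# Constructed sample in Squid's native log format:
#   time elapsed client code/status bytes method URL user hier/host type
# Two lines are legitimate localnet clients; the rest copy the pattern of the
# external traffic quoted above (probes that Squid rejected with 400, and
# requests it accepted and forwarded upstream).
SAMPLE_LOG='1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728036.100     12 10.0.0.15 TCP_HIT/200 2310 GET http://example.com/ - HIER_NONE/- text/html
1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728039.000     40 10.0.0.22 TCP_MISS/200 1490 GET http://example.com/page - HIER_DIRECT/93.184.216.34 text/html
1481728041.856  13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html'

# awk helpers shared by both checks: IPv4 CIDR membership on dotted quads.
CIDR_AWK='
function ip2int(ip,   o) {
    split(ip, o, ".")
    return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
}
function outside(ip, pfx,   c, block) {
    split(pfx, c, "/")
    block = 2 ^ (32 - c[2])                   # addresses covered by the prefix
    return int(ip2int(ip) / block) != int(ip2int(c[1]) / block)
}
'

# Usage: foreign_clients "$log_text" [cidr]
# Prints "count client" for every client address outside cidr (default
# 10.0.0.0/24), busiest first.  Non-IPv4 client fields (e.g. ::1) are skipped.
foreign_clients() {
    printf '%s\n' "$1" | awk -v cidr="${2:-10.0.0.0/24}" "$CIDR_AWK"'
        $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        outside($3, cidr) { hits[$3]++ }
        END { for (h in hits) print hits[h], h }
    ' | sort -rn
}

# Usage: relayed_foreign "$log_text" [cidr]
# Prints "client code/status URL" for requests from outside cidr that Squid
# forwarded to an origin server (hierarchy field is not HIER_NONE).  A 400
# rejected by the parser is only a probe; every line printed here shows the
# proxy really relayed for an outside client, so ACLs or firewall need fixing.
relayed_foreign() {
    printf '%s\n' "$1" | awk -v cidr="${2:-10.0.0.0/24}" "$CIDR_AWK"'
        $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        outside($3, cidr) && $9 !~ /^HIER_NONE\// { print $3, $4, $7 }
    '
}

# Stand-alone run against the constructed sample.
echo "Clients outside 10.0.0.0/24 (count client):"
foreign_clients "$SAMPLE_LOG"
echo "Outside requests that Squid forwarded upstream:"
relayed_foreign "$SAMPLE_LOG"
```

On a real system feed it the file instead of the sample, e.g. `foreign_clients "$(cat /var/log/squid/access.log)"`, and pass a second argument if your localnet is not 10.0.0.0/24.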


Re: [squid-users] TCP_DENIED/403 on raspberrypi

2016-12-02 Thread Antony Stone
On Friday 02 December 2016 at 21:30:57, domshyra wrote:

> So I have changed the file to a sample conf file. Here is what it looks
> like now

http_access allow all

Looks to me to be your biggest problem.

Standard security practice is "allow what you specifically know you want to 
allow, and deny by default everything else".

So, create your ACLs to allow what you want to allow, and then "deny all" at 
the end.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

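An added example (not from any of these threads) that applies the "allow what you want, then deny all" rule mechanically: a POSIX shell audit of the http_access lines in a squid.conf that flags rules placed after "deny all" (as in the squid.conf quoted in the unknown-source-IP thread above), any "allow all", and a missing explicit "deny all". The squid.conf fragment is constructed for the demo; the semantics it checks are Squid's documented first-match behaviour for http_access.

```shell
#!/bin/sh
# Added example (not from the thread): audit the http_access rules in a
# squid.conf for the "allow what you want, then deny all" pattern and for
# rules placed after "deny all".  POSIX sh + awk only.

# Constructed fragment modelled on the config quoted in the unknown-source-IP
# thread: the last rule sits after "deny all" and can never be reached.
SAMPLE_CONF='acl localnet src 10.0.0.0/24
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
# comments and blank lines are ignored by the audit

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow CONNECT localnet'

# Usage: audit_http_access "$conf_text"
# Prints one finding per line, or "OK".  Checks, in squid.conf order:
#  - any rule after "allow all"/"deny all" is unreachable (Squid stops at the
#    first matching rule, and "all" always matches);
#  - "allow all" anywhere opens the proxy to every client that can reach it;
#  - without a terminating "deny all", a request matching no rule gets the
#    opposite of the last rule (an implicit default worth making explicit).
audit_http_access() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 != "http_access" { next }
        {
            n++
            rule = $2
            for (i = 3; i <= NF; i++) rule = rule " " $i
            if (terminal != "") {
                printf "line %d: \"%s\" is unreachable, it comes after \"%s\"\n", NR, rule, terminal
                f++
            } else if (NF == 3 && $3 == "all" && ($2 == "allow" || $2 == "deny")) {
                terminal = rule
                if ($2 == "allow") {
                    printf "line %d: \"allow all\" opens the proxy to every client that can reach it\n", NR
                    f++
                }
            }
            last = rule
        }
        END {
            if (n == 0) {
                print "no http_access rules found"
                f++
            } else if (terminal == "") {
                printf "last rule is \"%s\", not \"deny all\": a request matching no rule gets the opposite of its action\n", last
                f++
            }
            if (f == 0) print "OK"
        }
    '
}

# Stand-alone run against the constructed sample.
audit_http_access "$SAMPLE_CONF"
```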


Re: [squid-users] Intercept mode failing

2017-01-03 Thread Antony Stone
On Tuesday 03 January 2017 at 11:13:33, Hoggins! wrote:

> Okay, I get that.
> 
> Le 03/01/2017 à 10:33, Antony Stone a écrit :
> > No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
> 
> Well, my Squid server is not on the same network as my clients, so I
> need something else than just a REDIRECT on the Squid itself.

I'm not sure you fully understand what REDIRECT does.  It changes the 
destination address of the packets which *were* going to random web servers 
around the Internet, and have now reached your Squid box, so that they go to 
the local address of your Squid machine instead (and therefore Squid can see 
them and process them).

> > If you need to use policy routing to get the packets to the Squid machine
> > in the first place, that's okay, but this *must* be packet routing, not
> > address translation
> 
> Policy routing was my first choice, but there is one important detail in
> my setup: between my gateway (192.168.22.10) and my Squid
> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
> link-local route to 192.168.55.3 so I can't add the default route to it
> inside a routing table (I get "Network is unreachable", which is expected).

So, if you can't route packets from the gateway to Squid, how was your NAT 
setup getting them there?

You said in your original posting: "192.168.55.3 being the Squid server, 
directly connected to the Internet, on a network my gateway has the routes 
for", suggesting that your gateway *can* route to the Squid server.

> So I guess I'm stuck.

Maybe you need to do policy routing on the gateway to the IPsec endpoint, and 
then further routing from there to Squid?


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens



Re: [squid-users] Intercept mode failing

2017-01-03 Thread Antony Stone
On Tuesday 03 January 2017 at 10:17:54, Hoggins! wrote:

> Hello list,
> 
> I'm trying to do a simple intercept with Squid. Here is my setup:
> 
> I have a LAN with machines on 192.168.22.0/24. Their gateway is
> 192.168.22.10. On this machine, I have set the following iptables rule :
> 
> iptables -t nat -A PREROUTING -i eth0.100 ! -d 192.168.0.0/16 -p tcp
> --dport 80 -j DNAT --to 192.168.55.3:3129
> 
> - 192.168.55.3 being the Squid server

No - you must do the NAT (or REDIRECT) rule *on the Squid server*.

If you need to use policy routing to get the packets to the Squid machine in 
the first place, that's okay, but this *must* be packet routing, not address 
translation.

See http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat 
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and 
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute


Antony.

-- 
In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are 
British, the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the beer is American, the chefs are British, the supermarkets are 
German, the mechanics are French, the lovers are Swiss, the entertainment is 
Belgian, and everything is organised by the Italians.



Re: [squid-users] keep source ip when user connect over squid using ip:port

2017-01-07 Thread Antony Stone
On Saturday 07 January 2017 at 19:23:47, --Ahmad-- wrote:

> Hey mate, I totally understand TPROXY with Cisco/WCCP,
> 
> but I'm asking here about another way, like connecting to ip:port and keeping squid using
> my original IP as source.

So, where do you expect the reply packets from the remote web server to end 
up?

If you're trying to cache content, they have to arrive at your Squid server, 
which means the source of the requests has to be the Squid server's address 
(or at least, some address which gets routed from the Internet via your Squid 
server).

If you're not trying to cache content, and you want the replies to come 
directly back to your browser, what are you using Squid for in this setup?


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.



Re: [squid-users] squid http speed/ ms

2017-01-10 Thread Antony Stone
On Tuesday 10 January 2017 at 10:20:04, --Ahmad-- wrote:

> Hi folks,
> I want to ask:
> when I do an ICMP ping from my squid server itself to a website like aaa.com,
> let's say I have a ping of over 10ms, but when I configured my
> server as squid and visit aaa.com from the squid server
> itself, I have like 200 ms.

How are you measuring that 200ms?

> The question here:
> why is the icmp timeout 10ms,
> but the http timeout 200 ms?

1. "Timeout" is the wrong term here.  It's more accurate to say "response 
time".

"Timeout" means that something failed because it took too long, whereas what 
you're measuring here is the time taken before it succeeded.


2. Why is the HTTP response time higher than the ICMP response time?

Because compared to ping running over ICMP, HTTP is a complicated protocol, 
running over TCP, which is a complicated, multi-stage protocol, and the 
response has to be generated by an application on the remote server, which is 
probably fetching content from a storage device in order to send it to you.

An ICMP ping requires just a single packet from your machine to the target, a 
simple response in the network stack, and a single packet back to you in 
return.

> Is there a way in squid to make it faster, with fewer HTTP ms, like 30 ms?

It's not Squid which is taking the time - it's the remote server - try 
measuring it without Squid in place and see what the response time is.


Antony.

-- 
One tequila, two tequila, three tequila, floor.



Re: [squid-users] squidcliente stopped working!

2016-12-19 Thread Antony Stone
On Monday 19 December 2016 at 17:44:11, Sameh Onaissi wrote:

> Hello,
> 
> I was using squid client to get cache stats, however this morning it
> completely stopped working.

> <img src="http://mydomainname.com/squid/access_denied.jpg"
> alt="Acceso Denegado" style="width:704px;height:428px;">

> the html code is the code of my redirect page whenever a client tries to
> access a blacklisted website.

How big is your blacklist?  Could you show us what's in it?

Have you added the proxy itself to the whitelist?

> squid.conf: http://pastebin.com/TQ8H6bRp

Quote from your config:

acl Safe_ports port 587 #SMTP

Did you read Amos' reply "SMTP is the #1 worst protocol to let anywhere near 
an HTTP proxy.  Preventing what you have allowed to happen is one of the 
primary reasons Safe_ports exists in the first place!"

http://lists.squid-cache.org/pipermail/squid-users/2016-December/013776.html

By the way, what did you have to fix to prevent those public IP addresses being 
able to access your Squid proxy?

http://lists.squid-cache.org/pipermail/squid-users/2016-December/013764.html


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"



Re: [squid-users] ACL and outgoing IP

2016-12-27 Thread Antony Stone
On Tuesday 27 December 2016 at 17:03:52, qdmetro wrote:

> I have a squid connected behind a firewall. On the firewall, only the IP of
> the squid (192.168.1.1) is allowed to go on the Internet.
> 
> Usually, when a user authenticates on the proxy, all the requests use
> the outgoing IP of the squid (192.168.1.1) so they can access the
> website. I want to allow some websites to be reachable without
> authentication (especially for the activation of windows licences). I've
> tried this:
> 
> acl Microsoft dstdomain .microsoft.com
> http_access allow Microsoft
> 
> With this configuration, the requests don't use the outgoing IP of the
> proxy anymore, so they come to my firewall with the source IP of the
> client (which is not allowed to go on the Internet).
> I've tried this to force the outgoing IP for this acl:
> 
> tcp_outgoing_address 192.168.1.1 Microsoft
> 
> but the requests still don't use the IP of the proxy.
> 
> Maybe this kind of configuration isn't possible, or I'm missing something...

Show us your full squid.conf (just post it here in a reply, omitting comments 
and blank lines).

That should give us more useful information to go on.


Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory



Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Antony Stone
On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:

> The user has hotspot shield installed on his PC, which I believe is a
> similar extension to the one you mentioned.

> He is getting by squid with some sort of VPN, I thought squid can be
> configured against such things?

It sounds as though you need to review your firewall (routing) policies.

Anyone who is allowed to use a VPN can effectively bypass all security policies 
on your network.


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.



Re: [squid-users] squidcliente stopped working!

2016-12-20 Thread Antony Stone
On Tuesday 20 December 2016 at 16:59:11, Eliezer Croitoru wrote:

> The issue is with acls and probably squidguard.
> You should add to the configuration something like:
> http_access allow localhost manager

Er, that line is already in his squid.conf

> and also another line that will deny localhost traffic from being
> inspected. If the above as the first line doesn't sort it out I will need
> squid.conf to understand what is causing it.

I think http://pastebin.com/TQ8H6bRp is what he is working with?


Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde



Re: [squid-users] How to bypass Squid proxy in intercept mode using acl/always_direct

2016-12-26 Thread Antony Stone
On Monday 26 December 2016 at 20:07:03, mabi wrote:

> Hello,
> 
> I am using Squid 3.5.20 in intercept mode for HTTP and HTTPS traffic with
> my OpenBSD 6.0 firewall. For some internal servers located on two
> different subdomains I would like to access these directly and as such
> bypass the Squid proxy. Is it possible to achieve that using an acl
> and the always_direct parameter of Squid?

I would recommend doing the bypass in the firewall rule which redirects all 
port 80 traffic to Squid - just allow those internal servers to get to the 
Internet without the redirect.


Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright



Re: [squid-users] Squid stopped working after cache.log and access.log rotation

2017-03-22 Thread Antony Stone
On Wednesday 22 March 2017 at 16:17:32, Chee M Gui wrote:

> Hi All
> 
> We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS.  It
> ran fine at first but stopped working after a while.  "telnet server 3128"
> still works, i.e., opens a blank window, but Squid is just not accepting
> requests.  Then we realized that there is no new access.log file.  The
> access.log file stopped rotating at 6:24AM on 3/17/2017.  It looks like
> Squid wasn't able to create a new access.log?  We could not find any error
> message in syslog or the cache.log.  We haven't rebooted the server
> because we want to know what went wrong.  It isn't the firewall blocking
> Squid because Squid was working fine all the while until recently.  Also
> after it stopped working, we disabled the firewall to see if it would work
> but it still didn't work.
> 
> root@paproxy:/var/log/squid# ls -alt
> total 15536
> drwxr-xr-x 2 proxy proxy      4096 Mar 21 06:25 .
> -rw-r----- 1 proxy proxy        63 Mar 21 06:25 cache.log
> drwxrwxr-x 9 root  syslog     4096 Mar 21 06:25 ..
> -rw-r----- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
> -rw-r----- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
> -rw-r----- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
> -rw-r----- 1 proxy proxy    117223 Mar 17 05:52 netdb.state
> 
> Any ideas what went wrong?

Any chance you've run out of disk space?


Antony.

-- 
I bought a book about anti-gravity.  The reviews say you can't put it down.



Re: [squid-users] Using client certificate for all connection

2017-03-30 Thread Antony Stone
On Thursday 30 March 2017 at 18:55:09, Juande wrote:

> Hi
> 
> I want to configure squid so every request through the proxy get client
> certificate authenticated.
> 
> I need some automatic software audit tools to access a server that uses
> client certificates to access its contents.

Are you saying that you want all client requests, to any server, to be 
authenticated by Squid (or a helper) for the client certificate?

Or are you saying that all requests to a specific server are required to be 
authenticated by client certificate, and Squid is supposed to supply this 
certificate (because the client itself cannot)?


Antony.

-- 
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis



Re: [squid-users] Squid Transparent/intercept Issues

2017-03-21 Thread Antony Stone
On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:

> > Today's Topics:
> >1. Re: Squid Transparent/intercept Issues (Antony Stone)
> >2. Re: SMP and AUFS (Matus UHLAR - fantomas)
> >3. Re: SMP and AUFS (Alex Rousskov)
> >4. Re: squid workers question (Alex Rousskov)
> >5. Re: squid workers question (Matus UHLAR - fantomas)
> >6. Re: SSL Bump issues (Alex Rousskov)
> >7. blocking or allowing specific youtube videos (Sohan Wijetunga)

Please edit your reply when responding to a digest email, deleting everything 
not specific to your question.

> > Date: Mon, 20 Mar 2017 16:56:17 +0100
> > From: Antony Stone
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Squid Transparent/intercept Issues
> > 
> > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
> > > Hello Everyone,
> > > 
> > > Squid Cache: Version 3.5.20
> > > OS: CentOS 7
> > > 
> > > I have used squid for quite some time non-transparently and it works;
> > > the problem kicks in when "http_port 3128 transparent" is enabled.
> > > An access denied error page shows up when transparent is enabled:
> > > ERROR The requested URL could not be retrieved
> > 
> > How are you getting the packets to the Squid server for interception?
> > 
> > Is the Squid server in the default route between your clients and the
> > Internet, or are you redirecting the packets to the Squid server somehow?
> > 
> > Please give *details* of how you are intercepting and sending the packets
> > to Squid (eg: iptables rules, and which machine/s the rules are running
> > on).
> > 
> > 
> > Antony.

> @Antony.Stone
> 1. I am using a mikrotik routerboard to redirect traffic, with this rule:
> add action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy" \
>     dst-port=80 protocol=tcp src-address=10.24.7.100 to-addresses=10.24.7.101 \
>     to-ports=3128

Okay, so there's your problem, then.

You must not use DSTNAT on a separate router to send packets to Squid for 
intercept.

(This used to work in older versions of Squid, but does not work any more and 
is documented on the wiki, for example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )

Note the wording: "NOTE: This configuration is given for use on the squid box." 
 
That means the NAT rules *must* be running on the Squid box itself and not (in 
your case) on the Mikrotik router.

> 3. It is not in the default route; packets are being redirected.

In that case you need to use policy routing to get the packets *unchanged* to 
the Squid box - see the above link, and also
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> 4. There are no iptables rules; the firewall is disabled for this test.

You have to have a REDIRECT rule on the machine running Squid to get it to see 
the packets (once they are no longer being DNATted).

Please try to follow the guidelines at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and 
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and 
then come back to us with details of what you've tried, if there are still 
problems.


Regards,


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it didn't work.



Re: [squid-users] Squid Transparent/intercept Issues

2017-03-20 Thread Antony Stone
On Monday 20 March 2017 at 16:26:40, christian brendan wrote:

> Hello Everyone,
> 
> Squid Cache: Version 3.5.20
> OS: CentOS 7
> 
> I have used squid for quite some time non-transparently and it works;
> the problem kicks in when "http_port 3128 transparent" is enabled.
> An access denied error page shows up when transparent is enabled:
> ERROR The requested URL could not be retrieved

How are you getting the packets to the Squid server for interception?

Is the Squid server in the default route between your clients and the 
Internet, or are you redirecting the packets to the Squid server somehow?

Please give *details* of how you are intercepting and sending the packets to 
Squid (eg: iptables rules, and which machine/s the rules are running on).


Antony.

-- 
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics



Re: [squid-users] Squid Transparent/intercept Issues

2017-03-22 Thread Antony Stone
On Wednesday 22 March 2017 at 11:59:14, christian brendan wrote:

> One more thing,
> Does this imply using two NICs (Network Interface Cards)?

No, this is not necessary.

> And the squid server has to be in-between clients and the internet?

That is the simpler way of doing it (in which case you would want two NICs, 
yes).

Basically your choices are:

1. Put the Squid server in the route between clients and the Internet (so, it 
has two NICs, each with an address on different networks), and an IPtables 
REDIRECT rule to send port 80 & 443 traffic to Squid.

2. Put your Squid server (with one NIC) wherever you like, having just a 
single IP address (and able to route to the Internet), and use policy routing 
on your Mikrotik router to send any packets from clients heading for port 80 & 
443 out on the Internet, to the Squid server instead (without doing DNAT and 
changing the destination address).  You still need the REDIRECT rule on the 
Squid server, and you must ensure that when Squid then makes its own request 
out to the Internet, that goes out, and does not get intercepted by the 
Mikrotik and sent back to Squid again :)


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] squid cache analysis

2017-04-06 Thread Antony Stone
On Thursday 06 April 2017 at 12:27:54, Punyasloka Arya wrote:

> squid version:3.3
> OS:centos

Which version of CentOS?

How was Squid installed?

Precisely which version of 3.3 are you using?

> The squid cache is not functioning properly

You'll have to be more specific than that - what *is* working, what is *not* 
working, what is the problem?

> Please suggest something to analyze or capture the log
> so that the cache service will improve.

Well, start with what you see in access.log

http://wiki.squid-cache.org/SquidFaq/SquidLogs

> Do we need to put some tool which will do it automatic?

Please tell us what "it" is - once we know what you want to do, we might be 
able to suggest ways of achieving it.


Antony.

-- 
Atheism is a non-prophet-making organisation.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Multiple http_access logic at the same time

2017-04-17 Thread Antony Stone
On Monday 17 April 2017 at 08:35:28, Serhat Koroglu wrote:

> Hello,
> I'm trying to manage squid users to access the proxy if they logged in and
> the site url is allowed in my url list. They are running one by one. If
> logged in accesses but not check the url and vice versa.

So, are you saying that the users must be logged in, *and* the URL they are 
accessing is on your list, otherwise the request is denied?

> But I want both of them. Here is my config part.
> 
> auth_param basic program /usr/bin/php /var/www/html/sqauth.php
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 5 hours
> 
> acl AuthenticatedUsers proxy_auth REQUIRED
> 
> acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
> acl all_others dst 0.0.0.0/0.0.0.0
> 
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow AuthenticatedUsers

That last line can never be executed, because the one before "deny all_others" 
simply blocks everything.

I think what you want is simply:

http_access allow AuthenticatedUsers allowed_sites
http_access deny all_others


Antony.

-- 
I just got a new mobile phone, and I called it Titanic.  It's already syncing.

   Please reply to the list;
 please *don't* CC me.
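Added illustration (mine, not from the thread and not Squid's own code): a small shell model of how Squid walks its http_access lines, run against the three lines quoted above and against the two-line version suggested in the reply. It shows the two consequences of the original order: the third line is unreachable, and a request for a listed site is allowed without any login at all. The ACL names are the poster's; the requests are constructed as "the set of ACLs that match them", and the 407 authentication challenge that a proxy_auth ACL normally triggers is not modelled, an unauthenticated request simply does not match AuthenticatedUsers.

```shell
#!/bin/sh
# http_access_eval RULES MATCHED_ACLS
#   RULES        squid.conf text (lines other than http_access are ignored)
#   MATCHED_ACLS space-separated names of the ACLs that match this request
# Prints "allow" or "deny" following Squid's rule: a line fires only if every
# ACL on it matches (a leading "!" negates one ACL); the first firing line
# wins; if no line fires, the result is the opposite of the last line's action.
http_access_eval() {
    _matched=" $2 "
    _last=deny
    _result=""
    while read -r _kw _action _acls; do
        [ "$_kw" = "http_access" ] || continue
        _last=$_action
        [ -z "$_result" ] || continue      # already decided; only tracking _last now
        _fires=1
        for _acl in $_acls; do
            case $_acl in
                "!"*) _name=${_acl#!}
                      case $_matched in *" $_name "*) _fires=0 ;; esac ;;
                *)    case $_matched in *" $_acl "*) ;; *) _fires=0 ;; esac ;;
            esac
        done
        if [ "$_fires" -eq 1 ]; then _result=$_action; fi
    done <<EOF
$1
EOF
    if [ -n "$_result" ]; then printf '%s\n' "$_result"
    elif [ "$_last" = allow ]; then printf 'deny\n'
    else printf 'allow\n'
    fi
}

# The poster's ordering; all_others is dst 0.0.0.0/0, so it matches every request
ORIGINAL_RULES='http_access allow allowed_sites
http_access deny all_others
http_access allow AuthenticatedUsers'

# The ordering suggested in the reply
FIXED_RULES='http_access allow AuthenticatedUsers allowed_sites
http_access deny all_others'

# Constructed requests, expressed as the ACLs that match them
ANON_LISTED="allowed_sites all_others"                     # not logged in, site on the list
AUTH_UNLISTED="AuthenticatedUsers all_others"              # logged in, site not on the list
AUTH_LISTED="AuthenticatedUsers allowed_sites all_others"  # logged in, site on the list

show_case() {
    printf '%-13s original=%-5s fixed=%s\n' "$1" \
        "$(http_access_eval "$ORIGINAL_RULES" "$2")" \
        "$(http_access_eval "$FIXED_RULES" "$2")"
}
show_case anon_listed   "$ANON_LISTED"     # original allows with no login; fixed denies
show_case auth_unlisted "$AUTH_UNLISTED"   # both deny: the third original line never fires
show_case auth_listed   "$AUTH_LISTED"     # both allow
```

The "opposite of the last line" default is why a config ending in "deny all_others" is safe to extend, and why a list ending in an allow line silently becomes deny-by-default when nothing matches.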


Re: [squid-users] Squid Proxy with simple iptable rule ...

2017-04-17 Thread Antony Stone
On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:

> Dear Sir Amos

:)

> I had reconfigured Squid 3.5 and it works fine. but i want to protect WAN
> interface through IPTABLES
> 
> 1- can you help me chain rule of simple iptable which drop all traffic from
> WAN eth0 to secure and allow squid user request from LAN eth1 only.   (my
> WAN send flood by public and it waste my all bandwidth)
> 
> For Example:
> -A INPUT -j LOG

Do you really want to log every packet hitting your machine?

What use is that information?

> -A INPUT -j DROP

That will prevent ALL packets from entering the machine - nothing can work.

You need to allow ESTABLISHED and RELATED packets before DROPping anything.

> Then allow
> -A INPUT -i eth1 -j ACCEPT

There's no point putting a rule like this after "INPUT -j DROP".  Everything 
has been DROPped already, whether it came from eth1 or not...

Remember that IPtables rules work on a "first match wins" basis.

> -A FORWARD -i eth1 -j ACCEPT

Er, wait, is this a forwarding router, or a Squid server accepting requests on 
eth1 and sending them out on eth0?

> but it blocks traffic. Can you please help me with what allow rule will work
> for Squid 3.5 when I secure my WAN.

Please give us more details of your network - I understand that the machine 
running Squid has two interfaces, but is it only acting as a proxy, or is it 
also a forwarding router for other traffic?

Also, have you read any documentation on IPtables, to get some examples of 
standard configurations?


And finally, you numbered the question above with a "1".  Is there a "2"?


Antony.

-- 
Most people have more than the average number of legs.

   Please reply to the list;
 please *don't* CC me.
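As an added example (mine, not posted in either thread and not the Squid project's own configuration), here is a ruleset for the two-NIC layout described as option 1 in the "Squid Transparent/intercept Issues" reply above, with the INPUT chain in the order this reply asks for: ESTABLISHED/RELATED accepted first, the catch-all DROP last, and only the LAN side allowed to reach the proxy. Interface names (eth0 WAN, eth1 LAN), the LAN subnet 192.168.1.0/24 and the listener ports (3128 for explicit proxying, 3129 as "http_port 3129 intercept") are assumptions; adjust them to the box.

```shell
#!/bin/sh
# Firewall for a Squid box that is the gateway between a LAN and the Internet.
# Set IPT=echo to print the rules instead of loading them; set SQUID_FW_APPLY=1
# to load them when the script is run directly.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                        # assumed WAN interface
LAN="${LAN:-eth1}"                        # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed example subnet

squid_fw_rules() {
    # ---- filter/INPUT: order matters, the first matching rule wins ----
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # 1. Replies to connections this box opened (including Squid's own fetches
    #    from origin servers) must be accepted before any DROP, otherwise no
    #    answer from the Internet ever gets in.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. LAN clients may reach the proxy listeners (redirected port-80 packets
    #    arrive here with dport 3129). Nothing is opened on the WAN side, so
    #    unsolicited traffic from the Internet never reaches Squid.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m multiport --dports 3128,3129 -j ACCEPT
    # 3. The poster's "-A INPUT -j DROP" belongs here, at the end, not first.
    $IPT -A INPUT -j DROP

    # ---- nat: intercept LAN port-80 traffic into Squid ----
    $IPT -t nat -F
    # Match on the LAN interface only. PREROUTING never sees packets this box
    # generates itself, so Squid's outbound requests leaving on $WAN are not
    # looped back into the proxy. Port 443 is deliberately not redirected: it
    # needs an "https_port ... intercept ssl-bump" listener and a CA setup.
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports 3129
    # Remaining LAN traffic is routed out normally behind the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # ---- filter/FORWARD: only the LAN may go out; nothing comes in unsolicited ----
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

if [ "${SQUID_FW_APPLY:-0}" = 1 ]; then
    squid_fw_rules
fi
```

Check the result with "iptables -L -nvx" and "iptables -t nat -L -nvx" and watch the packet counters on the REDIRECT and ACCEPT rules while a client browses. For option 2 (one NIC, policy routing on the Mikrotik) the REDIRECT line on the Squid box is the same; the loop Antony warns about is avoided on the router side by excluding the Squid server's own source address from the policy-routing rule, which is RouterOS configuration and not shown here.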


Re: [squid-users] HTTPS woes

2017-04-14 Thread Antony Stone
On Friday 14 April 2017 at 13:52:08, Olly Lennox wrote:

> I've tried building it and it seems to have make install -ed correctly but
> I'm getting "command not found" when I try to execute squid3.

Well, what command are you trying to run (the one which is "not found")?

And what do you get from "whereis squid"?

If that second command shows nothing, what do you get from:
"find / -type f -name squid"?


Antony.

>   From: Rafael Akchurin 
>  To: "squid-users@lists.squid-cache.org"
>  Sent: Friday, 14 April 2017, 12:40
>  Subject: Re: [squid-users] HTTPS woes
> 
> >>> Then my config in Squid is like this, the dhparams file I generated as
> >>> per instructions in the squid wiki:
> >> First of all: what's Squid's version?
> > 
> > And secondly; are you sufficiently capable with Debian to (cross-)build
> > your own Squid package that can run on Raspian? The Debian squid/squid3
> > packages do not have TLS/SSL/HTTPS support. So you will be building your
> > own to get the bumping features.
> 
> When you decide to recompile on Raspbian, please be sure to take a look at
> https://docs.diladele.com/administrator_guide_5_0/install/rpi/squid.html -
> it describes one way of doing this  *on* RPI (without cross compiling).
> But it is slooo.

-- 
"I think both KDE and Gnome suck - I'm quite unbiased in that, because I use a 
Mac."

 - Jason Isitt

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Data usage reported in log files

2017-03-10 Thread Antony Stone
On Friday 10 March 2017 at 20:14:36, Yosi Greenfield wrote:

> Hello all,
> 
> I'm analyzing my squid logs with sarg, and I see that the number of
> bytes reported as used by any particular user are often nowhere
> near the bytes reported by netflow and tcpdump.

Which is larger?

> I'm trying to trace my users' data usage by site, but I'm unable to
> do so from the log files because of this.

Well, what is it you really want to know?

netflow / tcpdump will give you accurate numbers for the quantity of data on 
your Internet link - I assume this is what you're most interested in?

Squid will show you what quantity of data goes to/from the clients, but is 
that really important?

> Can someone please explain to me what I might be missing? Why does
> squid log report one thing and netflow and tcpdump show something
> else?

Data compression?

HTTP responses are often gzipped, so if tcpdump is showing you smaller numbers 
of bytes than Squid reports, that's what I'd look at first.


Antony.

-- 
This sentence contains exacly three erors.

   Please reply to the list;
 please *don't* CC me.
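Added example (mine, not from the thread and not something sarg does for you): before comparing Squid's numbers with netflow it helps to split each user's access.log bytes into plain HTTP and CONNECT tunnels, because with ssl-bump off a tunnel is opaque to Squid and all its bytes can only be attributed to the CONNECT host, not to URLs inside it. The log lines are constructed in Squid's native format; the field positions and the two awk functions are my own.

```shell
#!/bin/sh
# Constructed access.log sample (native format): time, elapsed ms, client,
# code/status, bytes sent to client, method, URL, user, hierarchy, type.
SAMPLE_LOG='1489176876.123 245 192.168.1.10 TCP_MISS/200 51234 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1489176877.456 60012 192.168.1.10 TCP_TUNNEL/200 2048576 CONNECT mail.example.net:443 alice HIER_DIRECT/203.0.113.5 -
1489176878.789 120 192.168.1.11 TCP_HIT/200 8192 GET http://www.example.com/style.css bob NONE/- text/css
1489176880.000 30000 192.168.1.11 TCP_TUNNEL/200 409600 CONNECT video.example.org:443 bob HIER_DIRECT/203.0.113.9 -
1489176881.000 50 192.168.1.12 TCP_DENIED/407 3500 GET http://www.example.com/ - HIER_NONE/- text/html'

# usage_by_user < access.log
# Prints "user http_bytes tunnel_bytes total_bytes", largest total first.
usage_by_user() {
    awk '
        $8 != "-" {                    # skip requests with no authenticated user
            bytes = $5 + 0
            if ($6 == "CONNECT") tunnel[$8] += bytes; else http[$8] += bytes
            total[$8] += bytes
        }
        END {
            for (u in total)
                printf "%s %d %d %d\n", u, http[u], tunnel[u], total[u]
        }' | sort -k4,4nr
}

# usage_by_site USER < access.log
# Prints "host bytes" for one user, largest first. For a CONNECT line the host
# is the tunnel endpoint and carries everything that went through the tunnel.
usage_by_site() {
    awk -v who="$1" '
        $8 == who {
            host = $7
            sub(/^[a-z]+:\/\//, "", host)   # drop scheme
            sub(/[\/:].*$/, "", host)        # drop path and port
            site[host] += $5
        }
        END { for (h in site) printf "%s %d\n", h, site[h] }' | sort -k2,2nr
}

echo "== bytes per user (http tunnel total) =="
printf '%s\n' "$SAMPLE_LOG" | usage_by_user
echo "== alice by site =="
printf '%s\n' "$SAMPLE_LOG" | usage_by_site alice
```

Run it against a real log with "usage_by_user < /var/log/squid/access.log". A large tunnel column with a small http column is the sign that most of a user's volume is HTTPS that Squid only relays, which is exactly the case where the per-site picture from the log stays coarse unless those sites are bumped.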


Re: [squid-users] Data usage reported in log files

2017-03-10 Thread Antony Stone
On Friday 10 March 2017 at 22:22:59, Yuri Voinov wrote:

> Of course, there is no stream video from security cams, no voice IP, no
> SIP, no torrents, no RDP, no other protocol. They simple does not exists
> and we're all believe that's all not above over 1% of overall traffic.
> Yes. Sure. Really.
> 
> Only web-surfing :) Sure :)

Thanks for the standard sarcasm.

Has it occurred to you that Yosi might have been measuring traffic to & from the 
IP of the Squid server, so as to ignore everything else he knows is happening 
on his network, so he can compare like with like?

My "not more than 1%" was for the additional traffic to/from the Squid server, 
other than HTTP/S.


Antony.

> 11.03.2017 3:19, Yuri Voinov wrote:
> > 11.03.2017 2:57, Antony Stone wrote:
> >> On Friday 10 March 2017 at 21:50:19, Yuri Voinov wrote:
> >>> Gentlemen, and it never occurred to you that there are other types of
> >>> traffic besides HTTP / HTTPS, right?
> >>> 
> >>> DNS, ICMP, other protocols?
> >> 
> >> I'm assuming Yosi has been measuring only TCP traffic, but even if he's
> >> been measuring everything, I don't think DNS, ICMP and other protocols
> >> would add more than 1% on top of HTTP/S, unless (as Marcus suggested)
> >> there is also totally-non-Squid traffic on the link being measured.
> > 
> > Come on, sure? Even in L7? Really? Cool story, bro!
> > 
> >> Antony.
> >> 
> >>> 11.03.2017 2:44, Yosi Greenfield wrote:
> >>>> Aha! That could be it. I use sslbump, but not for all users. I'll
> >>>> check that out, although I think that it's a problem even for bumped
> >>>> users. Even for bumped users we don't bump all sites, so that really
> >>>> could be it.
> >>>> 
> >>>> Thanks!
> >>>> 
> >>>> 
> >>>> -Original Message-
> >>>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> >>>> On Behalf Of Marcus Kool
> >>>> Sent: Friday, March 10, 2017 3:38 PM
> >>>> To: squid-users@lists.squid-cache.org
> >>>> Subject: Re: [squid-users] Data usage reported in log files
> >>>> 
> >>>> On 10/03/17 16:27, Yosi Greenfield wrote:
> >>>>> Thanks!
> >>>>> 
> >>>>> Netflow is much larger.
> >>>>> 
> >>>>> I really want to know exactly what site is costing my users data.
> >>>>> Many of our users are on metered connections and are paying for
> >>>>> overage, but I can't tell where that overage is being used. Are they
> >>>>> using youtube, webmail, wetransfer? I see only a fraction of their
> >>>>> actual proxy usage in my squid logs.
> >>>>> 
> >>>>> Data compression would give the opposite result, so that's not what
> >>>>> I'm seeing.
> >>>>> 
> >>>>> Any other ideas?
> >>>> 
> >>>> Is there any traffic that is not directed to Squid?
> >>>> 
> >>>> Do you use ssl-bump in bump mode ?
> >>>> If not, Squid has no idea how many bytes go through the (HTTPS)
> >>>> tunnels.
> >>>> 
> >>>> Marcus
> >>>> 
> >>>>> -Original Message-
> >>>>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> >>>>> On Behalf Of Antony Stone
> >>>>> Sent: Friday, March 10, 2017 2:21 PM
> >>>>> To: squid-users@lists.squid-cache.org
> >>>>> Subject: Re: [squid-users] Data usage reported in log files
> >>>>> 
> >>>>> On Friday 10 March 2017 at 20:14:36, Yosi Greenfield wrote:
> >>>>>> Hello all,
> >>>>>> 
> >>>>>> I'm analyzing my squid logs with sarg, and I see that the number of
> >>>>>> bytes reported as used by any particular user are often nowhere near
> >>>>>> the bytes reported by netflow and tcpdump.
> >>>>> 
> >>>>> Which is larger?
> >>>>> 
> >>>>>> I'm trying to trace my users' data usage by site, but I'm unable to
> >>>>>> do so from the log files because of this.
> >>>>> 
> >>>>> Well, what is it you really want to know?
> >>>>> 
> >>>>> netflow / tcpdump will give you accurate numbers for the quantity of
> >>>>> data on your Internet link - I assume this is what you're most
> >>>>> interested in?
> >>>>> Squid will show you what quantity of data goes to/from the clients,
> >>>>> but is that really important?
> >>>>> 
> >>>>>> Can someone please explain to me what I might be missing? Why does
> >>>>>> squid log report one thing and netflow and tcpdump show something
> >>>>>> else?
> >>>>> 
> >>>>> Data compression?
> >>>>> 
> >>>>> HTTP responses are often gzipped, so if tcpdump is showing you
> >>>>> smaller numbers of bytes than Squid reports, that's what I'd look at
> >>>>> first.
> >>>>> 
> >>>>> 
> >>>>> Antony.

-- 
 yes, but this is #lbw, we don't do normal

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Data usage reported in log files

2017-03-10 Thread Antony Stone
On Friday 10 March 2017 at 22:33:44, Yuri Voinov wrote:

> We have not seen the network topology and the full configuration of
> network devices - what are we arguing about and guessing about?

Nobody is arguing, and we are guessing so that we might be helpful to Yosi who 
asked the question.

Incidentally, please could you consider putting all of your comments (which 
are unrelated to further replies from other people) into a single posting, 
instead of sending, for example, four emails to the list, each replying only 
to your own previous comment?

That would make things far easier to follow in the conversation.


Thanks,


Antony.

-- 
I thought of going into banking, until I lost interest.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Data usage reported in log files

2017-03-10 Thread Antony Stone
On Friday 10 March 2017 at 21:50:19, Yuri Voinov wrote:

> Gentlemen, and it never occurred to you that there are other types of
> traffic besides HTTP / HTTPS, right?
> 
> DNS, ICMP, other protocols?

I'm assuming Yosi has been measuring only TCP traffic, but even if he's been 
measuring everything, I don't think DNS, ICMP and other protocols would add 
more than 1% on top of HTTP/S, unless (as Marcus suggested) there is also 
totally-non-Squid traffic on the link being measured.


Antony.

> 11.03.2017 2:44, Yosi Greenfield wrote:
> > Aha! That could be it. I use sslbump, but not for all users. I'll
> > check that out, although I think that it's a problem even for bumped
> > users. Even for bumped users we don't bump all sites, so that really
> > could be it.
> > 
> > Thanks!
> > 
> > 
> > -Original Message-
> > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> > Behalf Of Marcus Kool
> > Sent: Friday, March 10, 2017 3:38 PM
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Data usage reported in log files
> > 
> > On 10/03/17 16:27, Yosi Greenfield wrote:
> >> Thanks!
> >> 
> >> Netflow is much larger.
> >> 
> >> I really want to know exactly what site is costing my users data. Many
> >> of our users are on metered connections and are paying for overage,
> >> but I can't tell where that overage is being used. Are they using
> >> youtube, webmail, wetransfer? I see only a fraction of their actual
> >> proxy usage in my squid logs.
> >> 
> >> Data compression would give the opposite result, so that's not what
> >> I'm seeing.
> >> 
> >> Any other ideas?
> > 
> > Is there any traffic that is not directed to Squid?
> > 
> > Do you use ssl-bump in bump mode ?
> > If not, Squid has no idea how many bytes go through the (HTTPS) tunnels.
> > 
> > Marcus
> > 
> >> -Original Message-
> >> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> >> On Behalf Of Antony Stone
> >> Sent: Friday, March 10, 2017 2:21 PM
> >> To: squid-users@lists.squid-cache.org
> >> Subject: Re: [squid-users] Data usage reported in log files
> >> 
> >> On Friday 10 March 2017 at 20:14:36, Yosi Greenfield wrote:
> >>> Hello all,
> >>> 
> >>> I'm analyzing my squid logs with sarg, and I see that the number of
> >>> bytes reported as used by any particular user are often nowhere near
> >>> the bytes reported by netflow and tcpdump.
> >> 
> >> Which is larger?
> >> 
> >>> I'm trying to trace my users' data usage by site, but I'm unable to
> >>> do so from the log files because of this.
> >> 
> >> Well, what is it you really want to know?
> >> 
> >> netflow / tcpdump will give you accurate numbers for the quantity of
> >> data on your Internet link - I assume this is what you're most
> >> interested in?
> > 
> >> Squid will show you what quantity of data goes to/from the clients,
> >> but is that really important?
> >> 
> >>> Can someone please explain to me what I might be missing? Why does
> >>> squid log report one thing and netflow and tcpdump show something
> >>> else?
> >> 
> >> Data compression?
> >> 
> >> HTTP responses are often gzipped, so if tcpdump is showing you smaller
> >> numbers of bytes than Squid reports, that's what I'd look at first.
> >> 
> >> 
> >> Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] squid-users Digest, Vol 31, Issue 61

2017-03-21 Thread Antony Stone
On Tuesday 21 March 2017 at 17:29:36, christian brendan wrote:

> Thanks a lot for the information.
> I will try this and give feedback.
> Best Regards

Please note both of the following for when you post your feedback:

1. The request inserted into the email you replied to by the mailing list 
system:

When replying, please edit your Subject line so it is more specific than
"Re: Contents of squid-users digest..."

2. The request I made in my reply to you:


Please edit your reply when responding to a digest email, deleting
everything not specific to your question.


Thanks,


Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Different cache_dir based on object types

2017-08-03 Thread Antony Stone
On Thursday 03 August 2017 at 20:25:59, ♥ NiNJA ♂ wrote:

> Hi friends
> 
> I have a server with Dual Xeon cpu , 64GB ram , [2] 256GB SSD and [4] 2TB
> HDD

Er, congratulations.

> Is there anyway to config Squid to store objects in different
> cache_dir based on object types ?
> 
> For example storing video files (mp4 , mkv ...) into first hard disk
> Storing windows update files into second hard disk
> Storing js , css , html files into third hard disk
> And etc ...

I have no idea how you might achieve this (maybe others have) but... why do 
you want to do this?

What is the benefit?


Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] How do i implement an ACL for longer duration?

2017-08-04 Thread Antony Stone
On Friday 04 August 2017 at 11:44:10, purvar wrote:

> Hello everyone ,
> 
> I have to implement an ACL from 10:00 AM of Tuesday to 11:00 AM of
> Thursday. So, how do I make an acl rule for such a long duration? Please do the
> needful.

You can't do this as a single ACL.  You'll need one for Tuesday, one for 
Wednesday and one for Thursday.


Antony.

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Chaining icap and ecap services - FATAL: Received Segment Violation...dying.

2017-07-12 Thread Antony Stone
On Wednesday 12 July 2017 at 10:55:36, bugreporter wrote:

> Thank you Yuri,
> 
> The least I can say is that the conversation at
> http://bugs.squid-cache.org/show_bug.cgi?id=4597 makes me laugh a lot. My
> opinion is that if you modify the source code of an open source program
> without publishing your modifications you are in contradiction with GPL
> v2.

That depends entirely on whether the modified version has been distributed or 
not.

If whoever has done the modifications uses the modified version only for their 
own use, that is entirely in keeping with the GPL.

The GPL only says that you must make available the source code of your 
modifications for any modified version which you distribute to others.

> Your sponsor may have *serious blame* from the open source community
> (and also *legal problems*). 10 days of hard working is not nothing and I
> can understand your position. But What do you think that we do all of us
> (open source developers) ? My own Open Source project represents 1700 days
> of (very) hard working... But I always respect the GPL.

Please read it more closely, specifically sections 2 and 6, paying attention to 
the word "distribute".

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html


Regards,


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid box for two networks

2017-07-17 Thread Antony Stone
On Monday 17 July 2017 at 21:31:50, Pablo Ruben Maldonado wrote:

> Hello, I have a squid box 3.5 working without problems for the lan
> 192.168.110.0/24 for several months. Now I want setup to another lan
> 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
> squid box. But in Squid's log I do not see anything. Can they give me some
> tip?

How is that new subnet connected to the Squid box?

Is it connected on a second network card in the Squid machine, or is it routed 
via a separate gateway connecting the two networks?


Antony.

-- 
All generalisations are inaccurate.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] This list generates a forward loop ...

2017-07-18 Thread Antony Stone
On Tuesday 18 July 2017 at 14:42:21, Walter H. wrote:

> Hello,
> 
> On every post I get an error mail back

What's the difference between the posts which generate an error, and this one 
which got through?

Are you sending all from the same address, through the same mail server?


Antony.

-- 
"Once you have a panic, things tend to become rather undefined."

 - murble

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid box for two networks

2017-07-18 Thread Antony Stone
On Tuesday 18 July 2017 at 12:11:58, Matus UHLAR - fantomas wrote:

> On 17.07.17 17:31, Pablo Ruben Maldonado wrote:
> >Hello, I have a squid box 3.5 working without problems for the lan
> >192.168.110.0/24 for several months. Now I want setup to another lan
> >192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
> >squid box. But in Squid's log I do not see anything. Can they give me some
> >tip?
> 
> local firewall on the squid box probably?

Can you SSH from a machine on 192.168.115.0/24 to the Squid server?

For that matter, can you ping it?

Does the Squid server have an appropriate route to get back to machines on 
192.168.115.0/24?


Antony.

-- 
This is not a rehearsal.
This is Real Life.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Antony Stone
On Tuesday 18 July 2017 at 13:29:04, Walter H. wrote:

> Hello,
> 
> my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
> 
> this the iptables
> 

Does the output of "iptables -L -nvx" match the ruleset you've quoted here?

I'm just wondering whether the rules have got loaded properly.


Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid box for two networks

2017-07-18 Thread Antony Stone
On Tuesday 18 July 2017 at 13:09:31, Pablo Ruben Maldonado wrote:

> The iptables only follow configuration:
> 
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

Oh, you didn't say this was an intercepting proxy - that sort of thing does 
make a difference...

Maybe you could also answer my questions:

On Monday 17 July 2017 at 22:57:13, Antony Stone wrote:

> How is that new subnet connected to the Squid box?
> 
> Is it connected on a second network card in the Squid machine, or is it
> routed via a separate gateway connecting the two networks?

Given what you've now told us, that this machine is an intercepting proxy, 
please give us a network map - how are the following interconnected with each 
other:

 - the subnet 192.168.110.0/24
 - the subnet 192.168.115.0/24
 - the Squid server
 - the Internet-facing router

On Tuesday 18 July 2017 at 12:15:32, Antony Stone wrote:

> Can you SSH from a machine on 192.168.115.0/24 to the Squid server?
> 
> For that matter, can you ping it?
> 
> Does the Squid server have an appropriate route to get back to machines on
> 192.168.115.0/24?

If you can give us more information about your network and your Squid 
configuration, this may well make it easier for us to guess what is going on.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid box for two networks

2017-07-20 Thread Antony Stone
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
> 
> The Squid Box has setup for Intercept Mode. Iptables rules here:
> 
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
> 
> Thanks
> 
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
> 
> pablo.ruben.maldon...@gmail.com> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > 192.168.110.0/24 for several months. Now I want setup to another lan
> > 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.

   Please reply to the list;
 please *don't* CC me.

