[squid-users] Re: Can squid be configured as SMTP/SMTPS proxy?
I am not sure I understood what Squid is not capable of. You mean that using Squid to hide the client IP sender is not possible? This is the goal; the first message at serverfault is mine:
http://serverfault.com/questions/212333/how-to-hide-the-client-ip-sender-and-show-only-the-smtp-server-ip
Re: [squid-users] maxconn
On 18/12/10 04:35, Jason Greene wrote:
> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
>> On 17/12/10 10:38, Jason Greene wrote:
>>> I'm trying to close a security hole
>>>
>>> I want to use maxconn on ALL IPs
>>>
>>> acl limitusercon maxconn 3
>>> http_access deny all limitusercon
>>
>> Testing the "all" there is not useful. That should be just:
>>
>> http_access deny limitusercon
>>
>> ... making sure it's placed at the top of your access controls so nothing
>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>> should do.
>
> Thanks, I'll try this out.
>
>>> But it doesn't seem to work and the hole still appears on a scan.
>>
>> What hole?
>
> HTTP Proxy CONNECT Loop DoS

If that is what I think it is you are missing the default "deny CONNECT !SSL_Ports" or have opened SSL_Ports too wide.

Due to:
 - the proxy listening ports are not SSL/CONNECT safe ports.
 - port 443 listening is reverse-proxy territory + reverse proxy must not accept CONNECT requests (older squid releases allowed it wrongly).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: [squid-users] maxconn
It doesn't make sense...

I set the limit to 50 and I run my scan and the vulnerability shows...
I drop it back by 5 and run my scan... it shows until I get to 20... the vulnerability goes away.
I increase the limit by 1 until I get to 25 where it shows back up...
I drop back down to 24... still there.

Now, even if I set it to 5, the vulnerability shows.

Anyone know what is going on?

Jason

On Fri, Dec 17, 2010 at 9:35 AM, Jason Greene wrote:
> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
>> On 17/12/10 10:38, Jason Greene wrote:
>>> I'm trying to close a security hole
>>>
>>> I want to use maxconn on ALL IPs
>>>
>>> acl limitusercon maxconn 3
>>> http_access deny all limitusercon
>>
>> Testing the "all" there is not useful. That should be just:
>>
>> http_access deny limitusercon
>>
>> ... making sure it's placed at the top of your access controls so nothing
>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>> should do.
>
> Thanks, I'll try this out.
>
>>> But it doesn't seem to work and the hole still appears on a scan.
>>
>> What hole?
>
> HTTP Proxy CONNECT Loop DoS
>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.9
>>   Beta testers wanted for 3.2.0.3
RE: [squid-users] Cache performance
True, but I recommend it, especially for the OS processing the disk I/O, and authenticators, etc, but it's not really a requirement.

- Chad E. Naugle
Tech Support II, x. 7981
Travel Impressions, Ltd.

>>> "Bradley, Stephen W. Mr." 12/17/2010 11:44 AM >>>
I would normally agree but until Squid fully implements SMP what would havin

From: Chad Naugle [chad.nau...@travimp.com]
Sent: Friday, December 17, 2010 10:12 AM
To: Marcello Romani; squid-users@squid-cache.org
Subject: Re: [squid-users] Cache performance

I would also highly recommend using at least a Dual Core CPU, 1.6GHz + for 200 users. CPU performance is also a very important factor for user volume.

- Chad E. Naugle
Tech Support II, x. 7981
Travel Impressions, Ltd.

>>> Marcello Romani 12/17/2010 10:01 AM >>>
On 17/12/2010 11:09, benjamin fernandis wrote:
> Dear Friends,
>
> I'm going to use squid for cache purposes only. And I heard that for
> squid cache performance I have to use good RAM and HDD. I have 4GB RAM
> and 160 GB SATA HDD. And I have a 200 users' network. So please suggest me
> the same. Means can I go with this H/W specification or is there any
> suggestion? Please friends, suggest me. And in this server I'm
> using only squid for cache gain, so also suggest me for RAM also.
>
> And one more thing, for better disk performance should I have to go
> with raid 0 or any other suggestion.
>
> And what are the main squid configuration parameters for cache gain?
>
> thanks,
> Benjo j.

I'm no expert but what you have to avoid is having the squid process swap.
So following the rough rule of 10MB of RAM for each GB of cache I'd try first with a 100GB cache, which would require 1GB RAM just for managing it.
I'd keep cache_mem low, like 128M. The rest of RAM would be used by the OS for disk cache and buffers.
Mount the cache dir with the noatime option to avoid unnecessary disk accesses.
To increase performance, use multiple cache_dir, each pointing to its own physical disk.
Avoid raid if you need performance.

That said, I don't want to sound rude, but I think your questions show that you should do some research on your own first. Please search the mailing list archives and the squid site. Many general questions about squid performance and configuration can be solved just by reading those docs and following the links.

For a start: http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

HTH

--
Marcello Romani

Travel Impressions made the following annotations - "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."
Re: [squid-users] maxconn
On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries wrote:
> On 17/12/10 10:38, Jason Greene wrote:
>> I'm trying to close a security hole
>>
>> I want to use maxconn on ALL IPs
>>
>> acl limitusercon maxconn 3
>> http_access deny all limitusercon
>
> Testing the "all" there is not useful. That should be just:
>
> http_access deny limitusercon
>
> ... making sure it's placed at the top of your access controls so nothing
> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
> should do.

Thanks, I'll try this out.

>> But it doesn't seem to work and the hole still appears on a scan.
>
> What hole?

HTTP Proxy CONNECT Loop DoS

> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.9
>   Beta testers wanted for 3.2.0.3
Re: [squid-users] Cache performance
I would also highly recommend using at least a Dual Core CPU, 1.6GHz + for 200 users. CPU performance is also a very important factor for user volume.

- Chad E. Naugle
Tech Support II, x. 7981
Travel Impressions, Ltd.

>>> Marcello Romani 12/17/2010 10:01 AM >>>
On 17/12/2010 11:09, benjamin fernandis wrote:
> Dear Friends,
>
> I'm going to use squid for cache purposes only. And I heard that for
> squid cache performance I have to use good RAM and HDD. I have 4GB RAM
> and 160 GB SATA HDD. And I have a 200 users' network. So please suggest me
> the same. Means can I go with this H/W specification or is there any
> suggestion? Please friends, suggest me. And in this server I'm
> using only squid for cache gain, so also suggest me for RAM also.
>
> And one more thing, for better disk performance should I have to go
> with raid 0 or any other suggestion.
>
> And what are the main squid configuration parameters for cache gain?
>
> thanks,
> Benjo j.

I'm no expert but what you have to avoid is having the squid process swap.
So following the rough rule of 10MB of RAM for each GB of cache I'd try first with a 100GB cache, which would require 1GB RAM just for managing it.
I'd keep cache_mem low, like 128M. The rest of RAM would be used by the OS for disk cache and buffers.
Mount the cache dir with the noatime option to avoid unnecessary disk accesses.
To increase performance, use multiple cache_dir, each pointing to its own physical disk.
Avoid raid if you need performance.

That said, I don't want to sound rude, but I think your questions show that you should do some research on your own first. Please search the mailing list archives and the squid site. Many general questions about squid performance and configuration can be solved just by reading those docs and following the links.

For a start: http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

HTH

--
Marcello Romani
Re: [squid-users] Cache performance
On 17/12/2010 11:09, benjamin fernandis wrote:
> Dear Friends,
>
> I'm going to use squid for cache purposes only. And I heard that for
> squid cache performance I have to use good RAM and HDD. I have 4GB RAM
> and 160 GB SATA HDD. And I have a 200 users' network. So please suggest me
> the same. Means can I go with this H/W specification or is there any
> suggestion? Please friends, suggest me. And in this server I'm
> using only squid for cache gain, so also suggest me for RAM also.
>
> And one more thing, for better disk performance should I have to go
> with raid 0 or any other suggestion.
>
> And what are the main squid configuration parameters for cache gain?
>
> thanks,
> Benjo j.

I'm no expert but what you have to avoid is having the squid process swap.
So following the rough rule of 10MB of RAM for each GB of cache I'd try first with a 100GB cache, which would require 1GB RAM just for managing it.
I'd keep cache_mem low, like 128M. The rest of RAM would be used by the OS for disk cache and buffers.
Mount the cache dir with the noatime option to avoid unnecessary disk accesses.
To increase performance, use multiple cache_dir, each pointing to its own physical disk.
Avoid raid if you need performance.

That said, I don't want to sound rude, but I think your questions show that you should do some research on your own first. Please search the mailing list archives and the squid site. Many general questions about squid performance and configuration can be solved just by reading those docs and following the links.

For a start: http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

HTH

--
Marcello Romani
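Marcello's sizing advice, written out as an added squid.conf fragment (this is not part of his message or of the Squid project's shipped configuration): two 50 GB cache_dir entries on separate physical disks, a small cache_mem, and matching noatime mounts. The mount paths and device names are assumed for illustration.

```conf
# Added example, not from the thread. Assumes two dedicated disks mounted
# at /var/spool/squid1 and /var/spool/squid2 (paths are illustrative).

# Keep the in-memory object cache small; the OS page cache uses the rest.
cache_mem 128 MB

# One cache_dir per physical disk. Size is in MB: 2 x 51200 MB = 100 GB,
# which by the rough 10 MB-per-GB rule needs about 1 GB of RAM for the
# index, leaving the rest of a 4 GB box to the OS. 16/256 are the default
# first-level/second-level directory counts.
cache_dir aufs /var/spool/squid1 51200 16 256
cache_dir aufs /var/spool/squid2 51200 16 256

# Matching /etc/fstab lines (device names assumed) so the cache file
# systems are mounted noatime and do not write an access time per read:
#   /dev/sdb1  /var/spool/squid1  ext4  defaults,noatime  0  2
#   /dev/sdc1  /var/spool/squid2  ext4  defaults,noatime  0  2
```

Run squid -z once after adding the directories so the swap directory tree is created, and check the index memory estimate against free RAM before growing the cache beyond what the box can hold without swapping.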
RE: [squid-users] ssl-bump pause for 2 minutes for certain sites
Hi Amos,

The pause happens when ICAP sends about 90% of the payload. The Content-Length header shows the exact size as 106900. I believe by the time squid starts to send the RESPMOD payload, all the DNS should already be finished.

If you look at the tcpdump on port 443, it pauses for 2 minutes and then is RST by the web server. There is no additional data coming in after the pause from the webserver on port 443. So squid must already have the payload in full, but somehow didn't do anything until kicked by the RST from the web server. After squid resumes sending the ICAP payload, it actually sent it in several 600 to 1400 sized packets. So it does not look like the web server was holding back the payload.

Regards,
Ming

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: December-16-10 8:49 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] ssl-bump pause for 2 minutes for certain sites

On 17/12/10 08:45, Ming Fu wrote:
> Hi,
>
> When using squid 3.1.9 and ssl-bump, access to
> https://www.e-secure-it.com/info.html will cause squid RESPMOD to
> pause for about 2 minutes when sending the body payload to the ICAP
> server. The payload will eventually arrive. Just can't explain what
> happens during the 2 minutes.
>
> Tcpdump on port 443 shows that there is a pause during the end of the SSL
> transaction with the e-secure. The time of the port 443 pause
> correlates to the pause of the ICAP body upload. But there is no such
> pause when the browser is directly connected to the e-secure site without
> squid in the middle.
>

You seem to have answered your own question. Sending stuff to that ICAP server is very slow.

Other things to consider:
 * Did the packets actually stop completely at that point? or did something else happen?
 * look at DNS etc as well. Squid may be waiting on the ICAP server name to resolve.
 * take a full packet trace (tcpdump -s 0 ...) and see what is actually being transferred to/from ICAP. It could be non-HTTP, broken syntax, or any kind of secondary encoding inside a HTTPS security channel.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: [squid-users] Delay pool question
On 17/12/10 23:23, Nick Cairncross wrote:
> Hi List,
>
> A quick Delay Pool question.. and a favour..
>
> Currently using basic Delay Pool configuration for users:
>
> delay_class 1 4
> delay_parameters 1 -1/-1 -1/-1 -1/-1 200/200

Careful with those big numbers. They are in *bytes* and only the recent versions of Squid can cope with >32-bit values.

> delay_access 1 allow !SERVERSUBNETS AuthenticatedUsers
> delay_access 1 deny all
>
> Users authenticate via Kerberos, NTLM and then Basic (in that order)
>
> My question is; by using AuthenticatedUsers does that require another authentication or is the original one re-used from my acl (acl AuthenticatedUsers proxy_auth REQUIRED) and http_access rule (http_access allow AuthenticatedUsers).

auth happens only once per request. As long as it's checked in http_access delay pools can use the results.

delay pools is a "fast" category test so does not challenge for credentials on its own, and will not match if they are unknown or missing at the time of pool assignment.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
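The two ordering points Amos makes on this page, in the maxconn thread (deny rules before any allow, with the maxconn test right after the CONNECT restriction) and in this delay pool thread (proxy_auth must be checked in http_access so delay_access can reuse the result), put together in one added squid.conf fragment. This is not from any message on the list and not Squid's shipped default; the localnet, SERVERSUBNETS, Safe_ports and SSL_ports definitions and the address ranges are assumed for illustration.

```conf
# Added example, not from the thread. Address ranges and the Safe_ports /
# SSL_ports / localnet / SERVERSUBNETS names are assumed for illustration.
acl localnet src 10.0.0.0/8
acl SERVERSUBNETS src 192.0.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl AuthenticatedUsers proxy_auth REQUIRED

# Matches once a single client IP has more than 3 established connections.
acl limitusercon maxconn 3

# http_access is evaluated top to bottom and the first match wins, so the
# deny rules come first; an allow placed above them would end evaluation
# before the limit is ever tested.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny limitusercon
# Credentials are challenged here (a "slow" check). delay_access below is
# a "fast" check: it reuses this result and never challenges on its own.
http_access allow localnet AuthenticatedUsers
http_access deny all

# Form from the thread, kept commented out for contrast: "all" adds
# nothing to the test, and below an allow the rule is never reached.
#http_access allow localnet
#http_access deny all limitusercon

# Class 4 pool: four bucket pairs (aggregate / network / host / user),
# each "bytes per second / bucket size in bytes"; -1 means unlimited.
delay_pools 1
delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 200/200
delay_access 1 allow !SERVERSUBNETS AuthenticatedUsers
delay_access 1 deny all
```

squid -k parse checks the syntax before a reconfigure. maxconn counts connections per client IP and relies on client_db being on (the default), and a request arriving without credentials never matches AuthenticatedUsers in delay_access, so it simply falls through to the deny and gets no pool.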
Re: [squid-users] Re: Can squid be configured as SMTP/SMTPS proxy?
On 17/12/10 20:11, Manuel wrote:
> Hello,
>
> How common is it for the client app to work with SMTPS proxies? I have a vBulletin forum in a backend that I want to send e-mails to the users through an SMTP server in a different server. The vBulletin app works fine with SMTP servers through TLS and SSL but I have not tried with Squid yet. I've been told that this solution could be done with a VPN like OpenVPN but since we already have Squid in the frontend as a reverse proxy for the website and in that frontend is also located the SMTP server maybe we can just use the already running Squid. What do you think?

*all* email clients work with SMTP proxies. These are called "mailservers" in the SMTP world.

Squid is not capable of parsing or talking SMTP protocol. Using it as a mail relay server is futile.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
[squid-users] Delay pool question
Hi List,

A quick Delay Pool question.. and a favour..

Currently using basic Delay Pool configuration for users:

delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 200/200
delay_access 1 allow !SERVERSUBNETS AuthenticatedUsers
delay_access 1 deny all

Users authenticate via Kerberos, NTLM and then Basic (in that order)

My question is; by using AuthenticatedUsers does that require another authentication or is the original one re-used from my acl (acl AuthenticatedUsers proxy_auth REQUIRED) and http_access rule (http_access allow AuthenticatedUsers).

The favour.. I'd be keen to see others' examples for production delay pools – only if you don't mind sharing :)

Cheers,
Nick

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, London W1S 1JU
[squid-users] Cache performance
Dear Friends,

I'm going to use squid for cache purposes only. And I heard that for squid cache performance I have to use good RAM and HDD. I have 4GB RAM and 160 GB SATA HDD. And I have a 200 users' network. So please suggest me the same. Means can I go with this H/W specification or is there any suggestion? Please friends, suggest me. And in this server I'm using only squid for cache gain, so also suggest me for RAM also.

And one more thing, for better disk performance should I have to go with raid 0 or any other suggestion.

And what are the main squid configuration parameters for cache gain?

thanks,
Benjo j.