[squid-users] allowing facebook for specific client IPs
Hi,

I'm trying to allow some client IPs to reach Facebook, and I'm generally blocking Facebook successfully. I tried some entries like the ones below (similar ones were working fine for other exceptions), but this doesn't seem to work:

    acl john src 10.x.y.z
    acl jane src 10.x.y.t
    acl facebook dstdomain facebook.com   (or .facebook.com)
    http_access allow john jane facebook

    squid -k reconfigure

Regards
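As an added example (not the poster's configuration), the same exception written the way Squid evaluates it: every ACL named on one http_access line must match at the same time, so a line naming two different source addresses can never match, whereas several values inside one src ACL are alternatives. The addresses below are placeholders for the poster's 10.x.y.z and 10.x.y.t.

```conf
# Added example, not the poster's config. Placeholder addresses stand in
# for the poster's 10.x.y.z and 10.x.y.t.

# Several values on one acl line are OR-ed: the ACL matches either address.
acl fb_allowed src 10.0.0.11 10.0.0.12
# A leading dot matches facebook.com and every subdomain (www., m., static. ...).
acl facebook   dstdomain .facebook.com

# ACLs on one http_access line are AND-ed, so
#   http_access allow john jane facebook
# would require a request to come from BOTH john's and jane's address, which
# no request ever does, and the line silently never matches.
# Order matters too: the exception must come before the rule that blocks Facebook.
http_access allow fb_allowed facebook
http_access deny  facebook
# ... the existing rules for everyone else (allow localnet, deny all, ...) follow here.
```

Check the file with `squid -k parse` before `squid -k reconfigure`, then confirm in access.log that a request from one of the listed addresses gets TCP_MISS rather than TCP_DENIED.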
Re: [squid-users] Site not found with proxy, without proxy it is OK
Hello,

Sorry for my impatience, but this problem is annoying me. Has somebody already read my problem? Could you tell me, please? Has somebody had the same problem as me?

Thanks.
Jan

Jan Papež (mailing lists) wrote on Wed 14. 09. 2011 at 12:25 +0200:
> Hello,
> I submitted this as bug #3343 (http://bugs.squid-cache.org/show_bug.cgi?id=3343), but Amos Jeffries closed it with a redirection to this discussion list. Could somebody help me with this problem, please?
> Thanks.
> Jan
Re: [squid-users] proxy over SSL
Damien,

You may also use Apache with a patched mod_proxy. See here: https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
This is however not officially supported by Apache.

Regards,

On Sep 16, 2011, at 3:59 AM, John Hardin wrote:
> On Thu, 15 Sep 2011, Damien Martins wrote:
>> I'd like to provide a proxy (using Squid) through SSL. I know how to let people access URLs in https://, but I'd like them to connect to the proxy through an SSL connection. Thanks for any tip, link or information regarding my case.
>
> Read up on a program called stunnel. You could use it to set up an SSL tunnel for proxy traffic like this: (I hope my ASCII art doesn't get too mangled...)
>
>   Client_A on Net A
>     Web Browser (proxy = http://Server_A:12345/)
>        |
>       \_/
>   Server_A on Net A
>     stunnel listening on 12345/tcp
>       |||
>       ||| SSL tunnel
>       ||| {untrusted networks}
>       |||
>       \_/
>   Server_B1 on Net B
>     stunnel listening on 23456/tcp
>        |
>       \_/
>   Server_B2 on Net B
>     Squid listening on 3128
>
> I'm assuming this is what you mean by "connect to proxy through SSL". stunnel can use certificates to ensure only Server_A can access the proxy via Server_B1, if that's a concern. Also: Server_A and Client_A could be the same computer, and Server_B1 and Server_B2 could also be the same computer.
>
> --
> John Hardin KA7OHZ  http://www.impsec.org/~jhardin/  jhar...@impsec.org
> pgpk -a jhar...@impsec.org  key: 0xB8732E79
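As an added example (not part of John Hardin's message), here is stunnel configuration for the two tunnel endpoints in the diagram above, with each side verifying the other's certificate so that only Server_A can reach the proxy through Server_B1. The hostnames, file paths and the private CA that issued both endpoint certificates are assumptions.

```conf
; --- /etc/stunnel/proxy-client.conf on Server_A (added example; hostnames,
; --- paths and the private CA are assumed) ---
client = yes
cert   = /etc/stunnel/server_a.pem       ; Server_A's certificate + key, presented to Server_B1
CAfile = /etc/stunnel/proxy-ca.pem       ; private CA that issued both endpoint certificates
verify = 2                               ; accept Server_B1 only if its cert chains to that CA

[squid-tunnel]
accept  = 12345                          ; plaintext side for browsers on Net A (proxy = http://Server_A:12345/)
connect = server-b1.example.net:23456    ; TLS side across the untrusted networks

; --- /etc/stunnel/proxy-server.conf on Server_B1 ---
cert   = /etc/stunnel/server_b1.pem      ; Server_B1's certificate + key
CAfile = /etc/stunnel/proxy-ca.pem
verify = 2                               ; a client cert from the private CA is required: only Server_A gets in

[squid-tunnel]
accept  = 23456                          ; TLS side, reachable from the untrusted networks
connect = server-b2.example.net:3128     ; plaintext hop to Squid on Net B
```

Squid on Server_B2 should still restrict http_access to Server_B1's address: the last hop is plaintext, and anything that can reach port 3128 directly bypasses the tunnel and its certificate check.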
Re: [squid-users] proxy over SSL
Thank you all for your support, I'll try those solutions.

On 16/09/2011 09:02, Cedric Lor wrote:
> Damien,
> You may also use Apache with a patched mod_proxy. See here: https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
> This is however not officially supported by Apache.
> Regards,
>
> On Sep 16, 2011, at 3:59 AM, John Hardin wrote:
>> [...]
Re: [squid-users] Wrong country recognition on websites after Squid configured as transparent proxy
On 12.09.11 22:37, Piotr Pawlowski wrote:
> I've configured Squid as a transparent proxy on my linux-based router. Everything is working fine, but one thing is really bothering me. After entering any website, my public IP is recognized as if it comes from the US. I.e. currency on international shops becomes US dollars; some WordPress statistics applications give our IP a US flag in the graphical access_log presentation. I'm sure that the problem is in Squid, because when I temporarily disable http via Squid, everything is working fine. Does anybody know why this happens? How do I configure Squid to represent all http requests as belonging to the originating country (Poland, to be more specific)?

I'd like to see all your HTTP request headers. Try visiting http://www.ericgiguere.com/tools/http-header-viewer.html with and without squid; that could tell us more.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Re: [squid-users] squid-users@squid-cache.org
On 13.09.11 09:23, spaceman wrote:
> Subject: [squid-users] squid-users@squid-cache.org

Please use a better topic.

> Firstly I would like to apologize for my poor English and

less indentation; too many spaces make your mail hard to read.

> I want to load balance two ISP connections with one linux squid proxy server. Load balancing and failover is OK using the shorewall firewall. My network setup is here
[...]
> eth1 is for the A internet connection. It can only use the Parent-A upstream parent proxy server.
> eth2 is for the B internet connection. It can only use the Parent-B upstream parent proxy server.
[...]
> Now I want to set up the squid proxy server. My problem is that each internet connection has a separate parent proxy. They can only use their corresponding parent proxy server.

Should be no problem - you can just define two parent proxies and disable direct access to the network.

> So I want to route, match or map A internet gateway requests to the Parent-A upstream parent proxy server and B internet gateway requests to the Parent-B upstream parent proxy server.

In fact, you don't have to map anything, just use those two proxies.

> I think I must use cache_peer, cache_peer_access, tcp_outgoing_address

Is squid running on the machine with multiple interfaces? I think that in such a case you don't need to define tcp_outgoing_address, the OS can take care of that. But not sure.

> I have tested so many times but it fails

Fails in what way? What is the problem or error message?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
[squid-users] any problems with sslBump
Hi,

I am using a Squid 3.1.15 server; I have enabled ssl-bump and dynamic ssl cert generation with these lines:

    http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.example.com.pem
    always_direct allow all
    ssl_bump allow all
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 4MB
    sslcrtd_children 5

It works fine but I have two minor problems:

1) Internet Explorer keeps giving me security questions about invalid certificates after I have imported my authority (I can see the authority in the intermediate CA tab inside certs). I have installed the same authority in Firefox and I don't have this problem. How could I fix this?

2) Gmail only works in plain old HTML mode; the standard version keeps loading forever. All other Google apps work great and other ssl sites too; only Gmail fails to load the standard version.

Regards,
Miguel Angel.
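Independently of the IE and Gmail questions, two lines in the configuration above matter to anyone running a bumping proxy: sslproxy_flags DONT_VERIFY_PEER together with sslproxy_cert_error allow all makes Squid accept any certificate from the origin server, so a bad upstream certificate is re-signed by the local CA and reaches browsers looking valid. As an added example (not the poster's configuration), the same bump setup with upstream verification kept on and a list of sites that are not bumped; the CA bundle path and the exempt domain are assumptions.

```conf
# Added example, not the poster's config; the CA bundle path and the
# exempt domain are assumptions.
http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.example.com.pem
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 4MB
sslcrtd_children 5

# Verify origin-server certificates against the system CA bundle instead of
# switching verification off with DONT_VERIFY_PEER. An invalid upstream
# certificate then yields a Squid error page instead of a freshly minted,
# browser-trusted copy of it.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Dropped compared with the original:  sslproxy_flags DONT_VERIFY_PEER
#                                      sslproxy_cert_error allow all
sslproxy_cert_error deny all

# Sites the proxy must not open up (assumed list) are tunnelled untouched;
# everything else is bumped as before.
acl no_bump dstdomain .bank.example.com
ssl_bump deny no_bump
ssl_bump allow all
always_direct allow all
```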
Re: [squid-users] Wrong country recognition on websites after Squid configured as transparent proxy
Dear Matus and all,

Thanks for the URL. Below you can find the headers.

With Squid enabled:

    Name                Value
    host                localhost:8177
    accept              text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    accept-charset      ISO-8859-1,utf-8;q=0.7,*;q=0.7
    accept-encoding     gzip, deflate
    accept-language     en-us,en;q=0.5
    cache-control       max-age=259200
    user-agent          Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
    via                 1.1 goyello.com.pl (squid/3.1.8)
    x-forwarded-for     unknown, 213.192.65.106
    x-forwarded-host    www.ericgiguere.com
    x-forwarded-server  www.ericgiguere.com
    connection          close

With Squid disabled:

    Name                Value
    host                localhost:8177
    accept              text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    accept-charset      ISO-8859-1,utf-8;q=0.7,*;q=0.7
    accept-encoding     gzip, deflate
    accept-language     en-us,en;q=0.5
    cookie              JSESSIONID=28529E110235E301E413AE0CE9E78C54; __utma=135980773.1297309970.1316165254.1316165254.1316165254.1; __utmb=135980773; __utmc=135980773; __utmz=135980773.1316165254.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
    user-agent          Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
    x-forwarded-for     213.192.65.106
    x-forwarded-host    www.ericgiguere.com
    x-forwarded-server  www.ericgiguere.com
    connection          close

Best Regards
--
Piotr Pawlowski
GOYELLO System Administrator
RE: [squid-users] forward and reverse proxy with squid 3.2
-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Friday, September 16, 2011 3:35 AM
To: squid-users@squid-cache.org
Subject: [squid-users] forward and reverse proxy with squid 3.2

> Hi Folks
>
> I need to replace my squid proxy running on Debian Lenny, because the version provided does not handle ssl. I managed, with some tweaks to the makefile (especially for the link phase), to compile 3.2.0.11; the configuration changes though appear to make it impossible to run a normal and a reverse proxy in the same instance. I copied most of the configuration files from the old installation, hoping they would not be too different.
>
> My new installation runs fine as a normal proxy; as soon as I include the reverse proxy configuration, everything is sent to the peer mentioned there.
>
>     ##
>     ##
>     # squid reverse proxy settings
>     # content shamelessly adapted from
>     # http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
>     # Copyleft 2009 erich.t...@think.ch
>     ##
>     ##
>     http_port 80 accel
>     # peer servicedesk
>     cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver name=servicedesk
>     acl sites_server_1 dstdomain servicedesk.ruf.ch
>     cache_peer_access servicedesk allow sites_server_1
>     http_access allow sites_server_1
>     ##
>     ###
>
> It appears that the cache_peer directive now takes precedence.
>
> cheers
> Erich

Erich,

I ran into this when switching to the 3.x branch from 2.x: you need to answer on a second port for the forward proxy requests. This setup works in 3.1.x; I haven't tried it in 3.2.x versions, but I believe this should work in it as well.

    http_port 80 accel
    http_port 3128
    # If using https on reverse proxy as well
    https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Make sure to include the proper access list entries so that you don't open the forward proxy to the world when allowing access to the reverse proxy port.

The server will answer on http and https on ports 80 and 443 and direct those to the parent server; when connected to on port 3128 it will function as a standard forward proxy service for your internal users.

Dean
RE: [squid-users] forward and reverse proxy with squid 3.2
-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Friday, September 16, 2011 8:28 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] forward and reverse proxy with squid 3.2

> Hi Dean
>
> at 16.09.2011 15:12, Dean Weimer wrote:
>> [...]
>> Erich,
>> I ran into this when switching to the 3.x branch from 2.x: you need to answer on a second port for the forward proxy requests. This setup works in 3.1.x; I haven't tried it in 3.2.x versions, but I believe this should work in it as well.
>>
>>     http_port 80 accel
>>     http_port 3128
>>     # If using https on reverse proxy as well
>>     https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> I have a forward proxy defined on 8080 and it works well until I include the reverse proxy configuration. Then everything goes to the cache peer defined for that vhost. What does your cache peer look like?
>
> Thanks
> Erich

Perhaps it's the cache_peer_domain lines that you need. I have sanitized these entries; I am actually using a vhost configuration with multiple peers on port 80, and a single peer on https.

    cache_peer 1.1.1.1 parent 80 0 proxy-only no-query originserver name=HTTPPEER
    cache_peer_domain HTTPPEER www.domain.com
    cache_peer 1.1.1.1 parent 443 0 ssl no-query originserver name=HTTPSPEER
    cache_peer_domain HTTPSPEER www.domain.com

My forward proxy is also using a parent cache, which makes the ACLs and rules likely quite a bit different, but I don't appear to have any allow/deny rules for the parent peers used in the reverse proxy settings, so it looks like the cache_peer_domain is doing all the work in deciding what goes to the parents via the reverse proxy function, and what goes to the forward parent server. The only ACLs and rules I have set up are allowing and denying access to the forward proxy port.
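As an added example (not Dean's or Erich's actual configuration), one instance that answers as a reverse proxy on 80/443 and as a forward proxy on 3128, with access rules that keep the two roles apart, which is the point of Dean's warning about not opening the forward proxy to the world. The published site, origin address, certificate paths and internal network are placeholders.

```conf
# Added example; site name, origin address, cert paths and networks are placeholders.
http_port  80  accel vhost
https_port 443 accel vhost cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key
http_port  3128                      # forward proxy, internal users only

cache_peer 192.0.2.10 parent 80 0 no-query originserver name=webpeer
cache_peer_domain webpeer www.example.com

acl accel_ports myport 80 443        # Squid 3.2 also accepts the newer name "localport"
acl fwd_port    myport 3128
acl published   dstdomain www.example.com
acl localnet    src 10.0.0.0/8

# Reverse side: on the accel ports only the published site may be requested.
# Without the deny, an http_access rule keyed on dstdomain alone (as in the
# original config) lets anyone use the accel port to reach that site, and a
# more permissive rule further down would turn it into an open proxy.
http_access allow accel_ports published
http_access deny  accel_ports

# Forward side: internal clients only; everything else is refused.
http_access allow fwd_port localnet
http_access deny  all

# Only published-site traffic may use the origin peer, and it must never go
# "direct": if the site's DNS name resolves to this proxy, a direct fetch
# would loop back into Squid itself.
cache_peer_access webpeer allow published
cache_peer_access webpeer deny  all
never_direct allow published
```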
Re: [squid-users] Huge Squid
> Hi,
>
> I already tried to find some information in the wiki, but without success. I have an opportunity to configure a squid for 2 users. Can a huge machine handle this? I just wanna block some sites and do caching. Is there some doc to help me with this?

This one should help: http://pt.scribd.com/doc/7358805/Apres-Squid

regards
Lucas Brasilino
[squid-users] SSO NTLM and Likewise Open
Hi!

I'm using Squid 3.1.15 with NTLM auth (SSO) for Active Directory on Windows 2003. NTLM SSO works perfectly with Windows and Linux clients, Linux with Samba and Winbind (security = domain). Now I must work with Likewise. I followed this how-to: http://www.beyondtrust.com/Technical-Support/Downloads/files/pbise/Manuals/likewise-samba-guide.html using Ubuntu 11.04 and Likewise Open 6 (not apt). The system auth is perfect, but when the client opens the browser it asks for user/password. Has anyone integrated Likewise Open and Squid NTLM auth?

Regards,
Rodrigo.

M. Rodrigo Monteiro
Free as in Freedom, not free as in free beer
As we are liberated from our own fear, our presence automatically liberates others
Linux User # 403730
[squid-users] Re: bridge +tproxy
Hi,

Can any of you guys suggest what must be done with the routes in the following case:

    221.222.211.1 (router/gateway) -- switch -- tproxy + bridge -- super natting AAA device -- end users
                                        |
                                        |-- unused
                                        |-- unused

I am using the same config for TPROXY and Bridge as mentioned above. Now the problem arises when we are setting the routes for subnets in the super natting device, as the device does SNAT from the pool of 255, 32, 64 global IPs, but these IPs are on different subnets than the squid server, and also there is a universal gateway for the whole network which has its own subnet (/30). The squid server also has its own subnet (/29) (a big IP pool has been divided into many small IP pools).

I try to set the following rules for each subnet:

    ip route add x.y.z.a/24 dev br0 table 200 proto kernel scope link
    ip route add default via 221.222.211.1 dev br0 table 200
    ip rule add from x.y.z.a/24 lookup 200
    ip rule add to x.y.z.a/24 lookup 200

But I am not able to route the data properly. Kindly help me. Any help on this matter will be highly appreciated. Looking forward to a reply.

Warm Regards.