Re: [squid-users] squid.conf ssl-bump error
On 09.08.2012 07:05, Dieter Bloms wrote:
> Hi Nicolas,
>
> On Wed, Aug 08, Nicolas Michels wrote:
>> I have squid installed with enable-ssl and enable-ssl-crtd
>>
>> sbin/squid -v
>> Squid Cache: Version 3.0.STABLE26
>> configure options: '--enable-ssl' '--enable-ssl-crtd'
>>
>> But when I try to run squid I get this error:
>>
>> cache_cf.cc(346) squid.conf:19 unrecognized: 'ssl_bump'
>> FATAL: Bungled squid.conf line 42: https_port 192.168.1.253:3129 transparent ssl-bump cert=/usr/local/squid/ssl.cert key=/usr/local/squid/ssl.key
>> Squid Cache (Version 3.0.STABLE26): Terminated abnormally.
>> CPU Usage: 0.008 seconds = 0.003 user + 0.005 sys
>> Maximum Resident Size: 14416 KB
>> Page faults with physical i/o: 0
>>
>> When I remove "ssl-bump", squid is able to start, any help?
>
> Your lines look strange to me. When you add the option "ssl-bump" squid tells you about an unknown option 'ssl_bump'?
> For me it looks like you have ssl_bump in the config file instead of ssl-bump.

SSL-bump is a new feature not available in 3.0. It's experimental in squid-3.1 and mostly usable in 3.2. For HTTPS interception use the 3.HEAD packages.

Amos
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 09.08.2012 12:32, Eliezer Croitoru wrote:
> On 8/9/2012 2:16 AM, Amos Jeffries wrote:
>> Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers.
>> Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.
>>
>> BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...
>
> and let's say I want to loosen it a bit more?

How much more? To relay known dangerous traffic to peers as if it were safe? Or just to obey never_direct?

Amos
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 8/9/2012 2:16 AM, Amos Jeffries wrote:
> Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers.
> Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.
>
> BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...

and let's say I want to loosen it a bit more?

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 09.08.2012 08:38, Davide Alberani wrote:
> Hi,
> I'm trying squid 3.2 (since I'll need some of the new features), but I'm having troubles using it in intercept mode, when used along with an upstream proxy.

Which 3.2 release number please? That matters a LOT.

> Requests are forwarded to squid, but never sent to the upstream proxy; using squid directly (setting it into the browser), the requests are forwarded to the upstream.

Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers.
Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.

BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...

> Notice that I'm sure enough that my iptables rules are correct, and that the upstream proxy is correctly configured (simply, there's no traffic to it, when squid is used in transparent mode).
> Using the same configuration with squid 3.1, also the requests handled in intercept mode are forwarded to the upstream.
> Any idea?
> Thanks!
>
> These are the more meaningful parts of the configuration:
> ==
> http_port 172.30.0.16:18080 intercept
> http_port 0.0.0.0:8080
> server_persistent_connections off
> half_closed_clients off
> forwarded_for on
> acl from_all src all

NP: "all" is a built-in ACL with identical definition to your "from_all".

> acl to_all dst all
> acl from_localhost src 127.0.0.1/32
> acl CONNECT method CONNECT
> acl to_http_port port 80
> acl to_proxy_port port 8080
> acl to_internal_network dst 172.30.0.16
> cache deny from_localhost
> cache deny CONNECT

CONNECT requests are never cacheable. You can remove the above line.

> cache allow from_all
> http_access allow from_localhost
> http_access deny to_internal_network to_proxy_port
> http_access deny from_all

"deny from_all" being an alias for "deny all", the FAQ comments about use of "deny all" are relevant here.

FAQ #1: any sequence of deny lines followed by a "deny all" can be collapsed down into a single ACL line "deny all".

What your config actually tells Squid to do:
  http_access allow from_localhost
  http_access deny all

> http_reply_access allow from_localhost
> http_reply_access deny from_all

See above. What your config actually tells Squid to do:
  http_reply_access allow from_localhost
  http_reply_access deny all

Additionally, in order for a request to have been accepted by Squid for processing the http_access rules MUST have accepted it. Meaning these http_reply_access checks are 100% redundant and can be removed.

> visible_hostname off
> # Dansguardian or an upstream proxy.
> cache_peer 127.0.0.1 parent 0 no-query no-digest no-netdb-exchange name=default login=*:password
> cache_peer_access default deny from_localhost
> cache_peer_access default deny from_all

See above at http_access. What your config actually tells Squid to do:
  cache_peer_access default deny all

Now, you were wondering why the peer got no requests? That would be why. Remembering that "from_localhost" is the only traffic which is permitted into Squid. What exactly are you wanting to be passed to the parent?

In 3.2 the default action when no cache_peer_access at all is configured is to attempt to use the peer.

> never_direct deny from_localhost
> never_direct allow from_all

Given that from_localhost is the only traffic permitted through Squid at all, and that "never_direct deny" means "don't restrict", these never_direct lines are as redundant as the http_reply_access ones and can be erased.

> ==
>
> When used in intercept mode, squid handles the request by itself:
>
> ==> /var/log/squid/cache.log <==
> 2012/08/06 13:01:46.477 kid1| forward.cc(273) fwdStart: 'http://www.cnn.com/'
> 2012/08/06 13:01:46.477 kid1| forward.cc(101) FwdState: Forwarding client request local=157.166.255.18:80 remote=172.30.0.252:44700 FD 68 flags=33, url=http://www.cnn.com/
> 2012/08/06 13:01:46.478 kid1| forward.cc(160) selectPeerForIntercepted: opening a new conn: local=0.0.0.0 remote=157.166.255.18:80 flags=1
> 2012/08/06 13:01:46.478 kid1| forward.cc(317) startConnectionOrFail: http://www.cnn.com/
> 2012/08/06 13:01:46.478 kid1| fwdConnectStart: http://www.cnn.com/
> 2012/08/06 13:01:46.478 kid1| fwdConnectStart: got outgoing addr 0.0.0.0, tos 0, netfilter mark 0
> 2012/08/06 13:01:46.478 kid1| The AsyncCall fwdConnectDoneWrapper constructed, this=0xb81354a8 [call5533]
>
> On the other hand, when set in the browser, the upstream is also used:
>
> Aug 6 13:04:25 myname (squid-1): 1344251065.036301 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html

That is very strange. Becau
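Amos's point about the collapsed rules can be checked mechanically. The following Python is an added example written for this page, not code from the thread or from Squid: it models Squid's first-match ACL evaluation over the ACL names in Davide's config and runs constructed requests through http_access and cache_peer_access. The `Request` class and the `decisions` helper are the example's own names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str    # client IP
    dst: str    # original destination IP (ORIGINAL_DST for intercepted traffic)
    port: int   # destination port

def acl_matches(acl, req):
    """One 'acl NAME TYPE VALUE' entry. 'src all' / 'dst all' match like the
    built-in 'all', which is Amos's point about from_all."""
    kind, value = acl
    if kind == "all" or value == "all":
        return True
    if kind == "src":
        return ipaddress.ip_address(req.src) in ipaddress.ip_network(value)
    if kind == "dst":
        return ipaddress.ip_address(req.dst) in ipaddress.ip_network(value)
    if kind == "port":
        return req.port == int(value)
    raise ValueError(f"unsupported acl type {kind}")

def evaluate(rules, acls, req):
    """Squid's first-match semantics: the first line whose ACLs all match
    decides; if no line matches, the result is the opposite of the last line."""
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# ACLs from Davide's squid.conf (only those the rules below reference).
ACLS = {
    "all": ("all", None),
    "from_all": ("src", "all"),
    "from_localhost": ("src", "127.0.0.1/32"),
    "to_internal_network": ("dst", "172.30.0.16"),
    "to_proxy_port": ("port", "8080"),
}
HTTP_ACCESS = [("allow", ["from_localhost"]),
               ("deny", ["to_internal_network", "to_proxy_port"]),
               ("deny", ["from_all"])]
# FAQ #1 collapsed form: deny lines before a 'deny all' change nothing.
HTTP_ACCESS_COLLAPSED = [("allow", ["from_localhost"]), ("deny", ["all"])]
CACHE_PEER_ACCESS = [("deny", ["from_localhost"]), ("deny", ["from_all"])]

def decisions(req):
    """(http_access, collapsed http_access, cache_peer_access) for one request."""
    return (evaluate(HTTP_ACCESS, ACLS, req),
            evaluate(HTTP_ACCESS_COLLAPSED, ACLS, req),
            evaluate(CACHE_PEER_ACCESS, ACLS, req))

if __name__ == "__main__":
    # Constructed samples: an intercepted LAN client and a localhost client.
    for r in (Request("172.30.0.252", "157.166.255.18", 80),
              Request("127.0.0.1", "157.166.255.18", 80)):
        print(r.src, decisions(r))   # cache_peer_access is 'deny' for both
```

Whatever the client, the two cache_peer_access lines evaluate to deny, so the parent can never be selected; the full and collapsed http_access lists agree on every request.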
[squid-users] squid 3.2 intercept and upstream proxy not working
Hi,
I'm trying squid 3.2 (since I'll need some of the new features), but I'm having troubles using it in intercept mode, when used along with an upstream proxy.

Requests are forwarded to squid, but never sent to the upstream proxy; using squid directly (setting it into the browser), the requests are forwarded to the upstream.

Notice that I'm sure enough that my iptables rules are correct, and that the upstream proxy is correctly configured (simply, there's no traffic to it, when squid is used in transparent mode).
Using the same configuration with squid 3.1, also the requests handled in intercept mode are forwarded to the upstream.

Any idea?
Thanks!

These are the more meaningful parts of the configuration:
==
http_port 172.30.0.16:18080 intercept
http_port 0.0.0.0:8080
server_persistent_connections off
half_closed_clients off
forwarded_for on
acl from_all src all
acl to_all dst all
acl from_localhost src 127.0.0.1/32
acl CONNECT method CONNECT
acl to_http_port port 80
acl to_proxy_port port 8080
acl to_internal_network dst 172.30.0.16
cache deny from_localhost
cache deny CONNECT
cache allow from_all
http_access allow from_localhost
http_access deny to_internal_network to_proxy_port
http_access deny from_all
http_reply_access allow from_localhost
http_reply_access deny from_all
visible_hostname off
# Dansguardian or an upstream proxy.
cache_peer 127.0.0.1 parent 0 no-query no-digest no-netdb-exchange name=default login=*:password
cache_peer_access default deny from_localhost
cache_peer_access default deny from_all
never_direct deny from_localhost
never_direct allow from_all
==

When used in intercept mode, squid handles the request by itself:

==> /var/log/squid/cache.log <==
2012/08/06 13:01:46.477 kid1| forward.cc(273) fwdStart: 'http://www.cnn.com/'
2012/08/06 13:01:46.477 kid1| forward.cc(101) FwdState: Forwarding client request local=157.166.255.18:80 remote=172.30.0.252:44700 FD 68 flags=33, url=http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| forward.cc(160) selectPeerForIntercepted: opening a new conn: local=0.0.0.0 remote=157.166.255.18:80 flags=1
2012/08/06 13:01:46.478 kid1| forward.cc(317) startConnectionOrFail: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: got outgoing addr 0.0.0.0, tos 0, netfilter mark 0
2012/08/06 13:01:46.478 kid1| The AsyncCall fwdConnectDoneWrapper constructed, this=0xb81354a8 [call5533]

On the other hand, when set in the browser, the upstream is also used:

Aug 6 13:04:25 myname (squid-1): 1344251065.036301 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html

--
Davide Alberani [PGP KeyID: 0x465BFD47]
http://www.mimante.net/
Re: [squid-users] squid.conf ssl-bump error
Hi Nicolas,

On Wed, Aug 08, Nicolas Michels wrote:
> I have squid installed with enable-ssl and enable-ssl-crtd
>
> sbin/squid -v
> Squid Cache: Version 3.0.STABLE26
> configure options: '--enable-ssl' '--enable-ssl-crtd'
>
> But when I try to run squid I get this error:
>
> cache_cf.cc(346) squid.conf:19 unrecognized: 'ssl_bump'
> FATAL: Bungled squid.conf line 42: https_port 192.168.1.253:3129 transparent ssl-bump cert=/usr/local/squid/ssl.cert key=/usr/local/squid/ssl.key
> Squid Cache (Version 3.0.STABLE26): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.003 user + 0.005 sys
> Maximum Resident Size: 14416 KB
> Page faults with physical i/o: 0
>
> When I remove "ssl-bump", squid is able to start, any help?

Your lines look strange to me. When you add the option "ssl-bump" squid tells you about an unknown option 'ssl_bump'?
For me it looks like you have ssl_bump in the config file instead of ssl-bump.

--
Best regards
Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
Re: [squid-users] Squid memory usage
On 8/8/2012 6:49 PM, Hugo Deprez wrote:
> Hello,
>
> since I changed the configuration memory usage is growing slowly. Now squid is using 17% of 4GB
>
> Eliezer, I am not sure to understand. But I am using two VM, active/passive setup with a corosync VIP.

I remembered someone talking here about a VM that was replicated and caused squid to leak memory, so I asked if it's a VM that was cloned or not to verify it.
For me it's still odd that a cloned VM will cause such a thing, so I will just say it seems like a bogus alarm set by someone on a false assumption.

Just curious about this cluster setup you have there: can you give some more details about it? (email me directly)
I am working on a cluster setup of squid tproxy balanced on a routing level.

Thanks,
Eliezer

> I will consider upgrading one member of the cluster to 3.1.20 (squeeze packages). Do you think this will solve the issue?
>
> Regards,
>
> On 8 August 2012 05:30, Amos Jeffries wrote:
>> On 08.08.2012 02:35, Simon Roscic wrote:
>>
>> I think this is probably: http://bugs.squid-cache.org/show_bug.cgi?id=3605
>>
>> Can you start with the cachemgr memory usage report and confirm whether the same FwdServer excessive memory usage is seen?
>>
>> Amos

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
Re: [squid-users] Squid 3.2.0.19 beta is available
* Amos Jeffries :

> This is the counter of how many "error" responses were generated and logged by Squid.

OK

> Are you using deny_info redirection? (this counter includes the 200/30x responses from that hack)

Yes, massively so:

deny_info http://proxy.charite.de/phishing/ phish1
deny_info http://proxy.charite.de/phishing/ phish2
deny_info http://proxy.charite.de/phishing/ phish3
deny_info http://proxy.charite.de/phishing/ phish4
deny_info http://proxy.charite.de/phishing/ phish5
deny_info http://proxy.charite.de/phishing/ phish6
deny_info http://proxy.charite.de/proxy/ dmz
deny_info http://proxy.charite.de/proxy/ intranet

> or are you logging more 4xx/5xx responses than before?

Nope.

> A scan of your logs should indicate what errors are happening more often now.

So I guess it's that "deny_info" stuff.

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
[squid-users] squid.conf ssl-bump error
I have squid installed with enable-ssl and enable-ssl-crtd

sbin/squid -v
Squid Cache: Version 3.0.STABLE26
configure options: '--enable-ssl' '--enable-ssl-crtd'

But when I try to run squid I get this error:

cache_cf.cc(346) squid.conf:19 unrecognized: 'ssl_bump'
FATAL: Bungled squid.conf line 42: https_port 192.168.1.253:3129 transparent ssl-bump cert=/usr/local/squid/ssl.cert key=/usr/local/squid/ssl.key
Squid Cache (Version 3.0.STABLE26): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.003 user + 0.005 sys
Maximum Resident Size: 14416 KB
Page faults with physical i/o: 0

When I remove "ssl-bump", squid is able to start, any help?

Thanks a lot.
Re: [squid-users] Squid memory usage
Hello,

in my case it does not look like FwdServer memory usage is excessive (if I interpreted it correctly).
I added my findings to the bug 3605, also I attached the output from squidclient mgr:mem and squidclient mgr:info to bug 3605.

kind regards,
Simon

On 2012-08-08 05:30, Amos Jeffries wrote:
> I think this is probably: http://bugs.squid-cache.org/show_bug.cgi?id=3605
>
> Can you start with the cachemgr memory usage report and confirm whether the same FwdServer excessive memory usage is seen?
>
> Amos
Re: [squid-users] Squid memory usage
Hello,

since I changed the configuration memory usage is growing slowly. Now squid is using 17% of 4GB

Eliezer, I am not sure to understand. But I am using two VM, active/passive setup with a corosync VIP.

I will consider upgrading one member of the cluster to 3.1.20 (squeeze packages). Do you think this will solve the issue?

Regards,

On 8 August 2012 05:30, Amos Jeffries wrote:
> On 08.08.2012 02:35, Simon Roscic wrote:
>>
>> Hello,
>>
>> I am experiencing the same Problem as Hugo Deprez reported and I think it is a memory leak.
>>
>> In my case I can confirm this memory leakage for Squid releases 3.2.0.18 and 3.2.0.19.
>> We have a few hundred users using our Squid Proxy VM (4 Cores/4 GB RAM/Ubuntu 12.04/x64) and during work hours memory usage is increasing quite quickly (e.g. in 1 hour 15% increase of RAM usage by Squid).
>> After a few hours my Squid Proxy VM begins to swap:
>>
>> Mem: 4049728k total, 3943484k used, 106244k free, 7836k buffers
>> Swap: 2097148k total, 826108k used, 1271040k free, 117900k cached
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 26177 proxy 20 0 4159m 3.4g 2160 S 3 87.0 29:20.81 squid3
>>
>> also adding:
>>
>>> Can you try tuning these options?
>>> memory_pools off
>>> memory_pools_limit 1 MB
>>
>> as suggested by Drunkard Zhang does not help.
>>
>> ...
>>
>> So, how can we help to track down this problem?
>
> I think this is probably:
> http://bugs.squid-cache.org/show_bug.cgi?id=3605
>
> Can you start with the cachemgr memory usage report and confirm whether the same FwdServer excessive memory usage is seen?
>
> Amos
Re: [squid-users] Custom error page for an acl
Hi.

On 08.08.2012 13:35, a bv wrote:
> I would like to write an acl on squid to block the users' access to the internal domain and LAN from squid. For this I guess acl dst will help me, but I would also like to have a custom error page for this acl. How can I easily do that?

I really think it would be better to block the entire access from the outer world to your squid on your firewall. :)

Eugene.
Re: [squid-users] Squid 3.2.0.19 beta is available
On 8/7/2012 10:59 AM, Amos Jeffries wrote:
> Important changes to note in this release:
>
> * As you should know CVE-2009-0801 security vulnerability protection was added in 3.2 series. Earlier betas attempted to protect peer caches as well as themselves, by blocking relay of untrusted requests until we could implement a safe relay. Due to time constraints this extra layer of peer protection has been REMOVED from 3.2 default builds. Interception cache proxies are themselves well protected against the vulnerability, but can indirectly poison any cache hierarchy they are integrated with.
>
> The -DSTRICT_HOST_VERIFY compile-time flag can be defined in CXXFLAGS to re-enable this peer protection if desired. Its use is encouraged, but will result in problems for some popular configurations, i.e. ISP interception proxy gatewaying through a cache array, matrix of interception proxies as siblings.
>
> Use of the client destination IP (ORIGINAL_DST) is still preferred for untrusted requests, so if your proxy is backed by a firewall denial please ensure that the rules are REJECT rules rather than DROP for best performance. never_direct does not affect this routing preference as it does for DIRECT traffic.

I want to verify because I'm a bit confused.
Can an intercepted request be forwarded to a cache_peer in any way?

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
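To make the routing rule in the release note concrete, here is an added Python model (not Squid's code) of the trusted/untrusted decision for an intercepted request. `host_verified` and `route` are the example's own names, the DNS table and peer name are constructed, and the fallback-to-peers branch follows the 3.2.0.19 behaviour described elsewhere in this thread (peers only when ORIGINAL_DST is non-contactable).

```python
# Constructed resolver answers (name -> set of IPs); stands in for DNS.
DNS = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.7", "198.51.100.8"},
}

def host_verified(host, original_dst):
    """Trusted only if the Host header name resolves to the IP the client
    actually connected to (ORIGINAL_DST). A mismatch is the CVE-2009-0801
    condition: the request names one site while being aimed at another."""
    return original_dst in DNS.get(host, set())

def route(host, original_dst, peers, strict_host_verify,
          original_dst_contactable=True, never_direct=False):
    """Ordered candidate destinations for one intercepted request.

    strict_host_verify=True models a -DSTRICT_HOST_VERIFY build: untrusted
    requests never reach a cache_peer. False models the 3.2.0.19 default
    build described in this thread: ORIGINAL_DST is preferred and peers are
    tried only when it cannot be contacted (hence the advice to REJECT rather
    than DROP at the firewall, so that failure is detected quickly).
    never_direct restricts trusted (DIRECT-eligible) traffic only.
    """
    if host_verified(host, original_dst):
        candidates = list(peers)            # normal peer selection
        if not never_direct:
            candidates.append("DIRECT")
        return candidates
    original = f"ORIGINAL_DST:{original_dst}"
    if strict_host_verify or original_dst_contactable:
        return [original]
    return [original] + list(peers)

if __name__ == "__main__":
    peers = ["parent=127.0.0.1"]            # constructed peer name
    # Trusted: Host resolves to the connected-to IP.
    print(route("www.example.com", "93.184.216.34", peers, True))
    # Untrusted: Host does not resolve to the connected-to IP.
    print(route("www.example.com", "10.0.0.9", peers, True))
    print(route("www.example.com", "10.0.0.9", peers, False,
                original_dst_contactable=False))
```

In this model the answer to Eliezer's question is: a verified intercepted request is routed like any other, an unverified one reaches a peer only in a non-strict build and only after ORIGINAL_DST has failed.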
[squid-users] Re: Re: Character conversion between authentication and authorisation
Hi Amos,

What is the rule for squid regarding rfc1738 escaping/unescaping? Should the auth helpers return a rfc1738_escaped username and expect the same as input for the authorisation helper? I don't do that at the moment in squid_kerb_auth nor in squid_kerb_ldap.

Markus

"Amos Jeffries" wrote in message news:61820e9d911d198441ff3778b6f10...@treenet.co.nz...
> On 01.08.2012 06:37, Markus Moeller wrote:
>> Hi Amos,
>>
>> Does squid have an inverse function? I need UTF-8 encoded strings for ldap matches and squid_kerb_auth gives me that (as far as I recall). Would the ldap_group external helper deal with this case?
>
> The version built with Squid has access to $(top_builddir)/lib/libmiscencoding.la where rfc1738_unescape(char*) is available (might need libmiscutil.la from the same location).
>
> For versions built outside Squid or without decoding the external_acl_type option "protocol=2.5" would probably get them going.
>
> Amos
[squid-users] Custom error page for an acl
Hi,

I would like to write an acl on squid to block the users' access to the internal domain and LAN from squid. For this I guess acl dst will help me, but I would also like to have a custom error page for this acl. How can I easily do that?

Regards