[squid-users] Squid 3.3.8 intercept ssl bumping for mobile apps

2014-05-12 Thread Samir Hasanov
Hello. I'm sorry that I've opened new topic for this problem, maybe I can
give more detailed description here.

I use squid 3.3.8 on Ubuntu 13.10 in transparent (intercept) mode. I cannot
use mobile applications with the squid proxy. 

My squid.conf file:




When I run squid3 -k reconfigure, Squid works without any errors. But in
cache.log I get the following:
http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665915/Capture.png 

Maybe this photo can help. Hope you'll help to solve it. Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-3-8-intercept-ssl-bumping-for-mobile-apps-tp4665915.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Tom Holder
Hi Amos,

Thanks for that. Yes I understand the legalities, this isn't to
'forge' anything. The users are well aware they're not looking at the
real sites.

The CA will be installed on their systems and they will have to agree
to it. The issue is that the browser is complaining that the CN does
not match because my local web server that represents ANY site has a
catch all CN. Therefore I'm trying to determine a way to generate the
correct CN before Squid tries to bump the SSL so that the CN is nearly
correct.

The certificates I generate don't need to look like the original
because I'm not trying to trick anyone, they just need not to error in
the browser.

Thanks,
Tom

On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.

 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.

 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.

 OR ... with a blind individual doing the checking it does not matter.

 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
  ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.

 Amos




-- 
Tom Holder
Systems Architect


Follow me on: [Twitter] [Linked In]

www.Simpleweb.co.uk

Tel: 0117 922 0448

Simpleweb Ltd.
Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

Simpleweb Ltd. is registered in England.
Registration no: 5929003 : V.A.T. registration no: 891600913


Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Jay Jimenez
Tom,

If your proxy users and computers are members of Active Directory
Domain, you might want to use your existing internal AD public key
infrastructure. The reason for this is that domain computers already
trust the CA of your AD. I can explain the setup a little bit if this
is the kind of IT environment you have. The main advantage of this
setup is you don't need to install a self-signed CA by squid in each
computer.

Jay

On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,

 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.

 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.

 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.

 Thanks,
 Tom

 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.

 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.

 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.

 OR ... with a blind individual doing the checking it does not matter.

 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
  ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.

 Amos




 --
 Tom Holder
 Systems Architect


 Follow me on: [Twitter] [Linked In]

 www.Simpleweb.co.uk

 Tel: 0117 922 0448

 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913


[squid-users] 3.4.4 chroot

2014-05-12 Thread Cinaed Simson
Hi - I'm having trouble getting squid 3.4.4 to run in a chroot environment.

Squid runs outside the chroot environment without any problems.

I looked at the example on the wiki but it didn't work for me.

Regardless of what I do, squid complains about not being able to find
the file:

  -rw-r- 1 squid nobody 0 May 11 23:15 access.log

But it can find the cache.log file, which is in the same directory as
access.log.

Enclosed is the error message logged to /var/squid/logs/cache.log, and
the squid.conf file is attached.

Any help would be greatly appreciated.

-- Cinaed

2014/05/11 20:42:37 kid1| Starting Squid Cache version 3.4.4 for x86_64-unknown-linux-gnu...
2014/05/11 20:42:37 kid1| Process ID 22095
2014/05/11 20:42:37 kid1| Process Roles: worker
2014/05/11 20:42:37 kid1| With 1024 file descriptors available
2014/05/11 20:42:37 kid1| Initializing IP Cache...
2014/05/11 20:42:37 kid1| DNS Socket created at [::], FD 6
2014/05/11 20:42:37 kid1| DNS Socket created at 0.0.0.0, FD 7
2014/05/11 20:42:37 kid1| Adding nameserver x.x.x.x from /etc/resolv.conf
2014/05/11 20:42:37 kid1| Adding nameserver x.x.x.x from /etc/resolv.conf
2014/05/11 20:42:37 kid1| Adding domain x.com from /etc/resolv.conf
2014/05/11 20:42:37 kid1| Logfile: opening log daemon:/var/squid/logs/access.log
2014/05/11 20:42:37 kid1| Logfile Daemon: opening log /var/squid/logs/access.log
2014/05/11 20:42:37 kid1| ipcCreate: /opt/squid/libexec/log_file_daemon: (2) No such file or directory

#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#chroot /opt/squid/chroot
#acl localhost src 127.0.0.1 
acl localnet src x.x.x.x/xx      # RFC1918 possible internal network
#acl to_localhost dst 127.0.0.0/8
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
#refresh_pattern ^gopher:       1440    0%      1440
#refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
#refresh_pattern .              0       20%     4320
# local additions
cache deny all
cache_mgr root@localhost
ftp_user root@localhost
ftp_passive on
ftp_sanitycheck on
pconn_timeout 1 minute
request_header_max_size 64 KB
forwarded_for delete 
ignore_unknown_nameservers on
icp_port 0
icp_access deny all
htcp_port 0
htcp_access deny all
snmp_port 0
snmp_access deny all
cache_effective_user squid
cache_effective_group nobody 
# end of configuration


Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Dan Charlesworth
I for one would welcome you explaining this set up a little bit. Definitely 
relevant to my interests.

Thanks!
Dan

On 12 May 2014, at 4:56 pm, Jay Jimenez j...@integralvox.com wrote:

 Tom,
 
 If your proxy users and computers are members of Active Directory
 Domain, you might want to use your existing internal AD public key
 infrastructure. The reason for this is that domain computers already
 trust the CA of your AD. I can explain the setup a little bit if this
 is the kind of IT environment you have. The main advantage of this
 setup is you don't need to install a self-signed CA by squid in each
 computer.
 
 Jay
 
 On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,
 
 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.
 
 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.
 
 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.
 
 Thanks,
 Tom
 
 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.
 
 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.
 
 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.
 
 OR ... with a blind individual doing the checking it does not matter.
 
 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
 ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.
 
 Amos
 
 
 
 
 --
 Tom Holder
 Systems Architect
 
 
 Follow me on: [Twitter] [Linked In]
 
 www.Simpleweb.co.uk
 
 Tel: 0117 922 0448
 
 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
 
 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913



Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Walter H.
Hi,

Change from server-first to client-first, and your issue is gone.

Walter

On Mon, May 12, 2014 08:41, Tom Holder wrote:
 Hi Amos,

 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.

 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.

 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.

 Thanks,
 Tom
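As an added example (not from the thread, and not the Squid project's own
configuration), this is the squid.conf fragment for Squid 3.3.x that Walter's
one-line answer implies, with the two bump modes side by side. The CA file
names, the ssl_crtd helper path and the certificate database location are
assumptions.

```conf
# Squid 3.3.x SSL bump fragment (added example, not from the thread).
# cert=/key= is the CA Squid signs its generated certificates with. The helper
# path follows the Debian/Ubuntu squid3 package layout and is an assumption.
# The certificate database must be created once before Squid starts:
#   /usr/lib/squid3/ssl_crtd -c -s /var/lib/squid3/ssl_db
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid3/bump-ca.pem key=/etc/squid3/bump-ca.key
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5

# server-first: Squid opens the TLS connection to the origin first and mimics
# the certificate it gets back. When every site is redirected to one local web
# server, that certificate carries the local server's catch-all CN, which is
# exactly the name mismatch the browser complains about.
#ssl_bump server-first all

# client-first: Squid answers the client before contacting the origin and
# names the generated certificate after the host the client asked for (the
# CONNECT target), so the CN matches whatever site was requested.
ssl_bump client-first all
```

Two caveats. With client-first the browser has accepted Squid's certificate
before Squid has seen anything from the origin, so nothing about the origin's
real certificate reaches the user; that is acceptable in Tom's setup, where the
"origin" is his own catch-all server. In intercept mode (the first message on
this page) there is no CONNECT request to take the host name from, so Squid
3.3 can only name a client-first certificate after the intercepted destination
address, and mobile apps that pin their server certificate reject a bumped
certificate whatever CA issued it.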




Re: [squid-users] 3.4.4 chroot

2014-05-12 Thread Amos Jeffries
On 12/05/2014 7:02 p.m., Cinaed Simson wrote:
 Hi - I'm having trouble getting squid 3.4.4 to run in a chroot environment.
 
 Squid runs outside the chroot environment without any problems.
 
 I looked at the example on the wiki but it didn't work for me.
 
 Regardless of what I do, squid complains about not being able to find
 the file:
 
   -rw-r- 1 squid nobody 0 May 11 23:15 access.log
 
 But it can find the cache.log file, which is in the same directory as
 access.log.
 
 Enclosed is the error message logged to /var/squid/logs/cache.log, and
 the squid.conf file is attached.
 
 Any help would be greatly appreciated.
 
 -- Cinaed
 
 2014/05/11 20:42:37 kid1| Starting Squid Cache version 3.4.4 for x86_64-unknown-linux-gnu...
 2014/05/11 20:42:37 kid1| Process ID 22095
 2014/05/11 20:42:37 kid1| Process Roles: worker
 2014/05/11 20:42:37 kid1| With 1024 file descriptors available
 2014/05/11 20:42:37 kid1| Initializing IP Cache...
 2014/05/11 20:42:37 kid1| DNS Socket created at [::], FD 6
 2014/05/11 20:42:37 kid1| DNS Socket created at 0.0.0.0, FD 7
 2014/05/11 20:42:37 kid1| Adding nameserver x.x.x.x from /etc/resolv.conf
 2014/05/11 20:42:37 kid1| Adding nameserver x.x.x.x from /etc/resolv.conf
 2014/05/11 20:42:37 kid1| Adding domain x.com from /etc/resolv.conf
 2014/05/11 20:42:37 kid1| Logfile: opening log daemon:/var/squid/logs/access.log
 2014/05/11 20:42:37 kid1| Logfile Daemon: opening log /var/squid/logs/access.log
 2014/05/11 20:42:37 kid1| ipcCreate: /opt/squid/libexec/log_file_daemon: (2) No such file or directory
 

The problem here is the log_file_daemon helper program being unavailable
or missing.

Amos
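The check a practitioner would run before starting Squid inside the chroot,
added here as an example (it is not code from Amos's reply or from the Squid
project): list every helper program squid.conf makes Squid exec and confirm
that each one, with its shared libraries, exists under the chroot prefix.
Squid calls chroot() before it starts its helpers, so the
/opt/squid/libexec/log_file_daemon in the error above has to exist as
/opt/squid/chroot/opt/squid/libexec/log_file_daemon (using the path from the
commented-out chroot line in the posted squid.conf). The default libexec
location and the set of directives scanned are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: audit a Squid chroot
# for missing helper programs before starting Squid, instead of discovering
# them one at a time as "ipcCreate: ... No such file or directory" in cache.log.
# Directory layout and the default libexec path are assumptions.
set -e

# Print the absolute path of every helper Squid will exec for this squid.conf.
# The access.log writer is the log_file_daemon helper (the default "daemon:"
# log module since Squid 3.2), so it is listed even when no access_log line is
# present; cache.log is written by the main process and needs no helper.
# Usage: helper_paths <squid.conf> [libexec_dir]
helper_paths() {
    conf="$1"; libexec="${2:-/opt/squid/libexec}"
    {
        grep -Eq '^[[:space:]]*access_log[[:space:]]+none' "$conf" \
            || echo "$libexec/log_file_daemon"
        # Directives whose first absolute-path token is a program Squid runs.
        awk '/^[ \t]*(sslcrtd_program|url_rewrite_program|store_id_program|external_acl_type|auth_param)[ \t]/ {
                 for (i = 2; i <= NF; i++) if ($i ~ /^\//) { print $i; break }
             }' "$conf"
    } | sort -u
}

# Print one "MISSING <path>" line per helper, or per shared library of a
# helper, that does not exist under the chroot. Returns 0 only when nothing is
# missing. Usage: check_chroot_helpers <chroot_dir> <squid.conf> [libexec_dir]
check_chroot_helpers() {
    root="$1"; conf="$2"; libexec="${3:-/opt/squid/libexec}"
    missing=0
    for helper in $(helper_paths "$conf" "$libexec"); do
        if [ ! -x "$root$helper" ]; then
            echo "MISSING $root$helper"
            missing=1
            continue
        fi
        # The libraries a helper is linked against must be inside the chroot
        # as well; ldd resolves them against the host, so re-check each path
        # under the chroot prefix.
        if command -v ldd >/dev/null 2>&1; then
            for lib in $(ldd "$root$helper" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'); do
                [ -e "$root$lib" ] || { echo "MISSING $root$lib"; missing=1; }
            done
        fi
    done
    return $missing
}

# Stand-alone use: check_chroot.sh <chroot_dir> <squid.conf> [libexec_dir]
if [ $# -ge 2 ]; then
    check_chroot_helpers "$@"
fi
```

Run it as `sh check_chroot.sh /opt/squid/chroot /opt/squid/etc/squid.conf`;
a non-zero exit with MISSING lines is the list of files to copy in before the
chroot directive is uncommented.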



Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Tom Holder
Thanks Jay, it's not the CA I have an issue with, I can easily get
that installed.

On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez j...@integralvox.com wrote:
 Tom,

 If your proxy users and computers are members of Active Directory
 Domain, you might want to use your existing internal AD public key
 infrastructure. The reason for this is that domain computers already
 trust the CA of your AD. I can explain the setup a little bit if this
 is the kind of IT environment you have. The main advantage of this
 setup is you don't need to install a self-signed CA by squid in each
 computer.

 Jay

 On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,

 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.

 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.

 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.

 Thanks,
 Tom

 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.

 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.

 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.

 OR ... with a blind individual doing the checking it does not matter.

 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
  ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.

 Amos




 --
 Tom Holder
 Systems Architect


 Follow me on: [Twitter] [Linked In]

 www.Simpleweb.co.uk

 Tel: 0117 922 0448

 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913



-- 
Tom Holder
Systems Architect


Follow me on: [Twitter] [Linked In]

www.Simpleweb.co.uk

Tel: 0117 922 0448

Simpleweb Ltd.
Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

Simpleweb Ltd. is registered in England.
Registration no: 5929003 : V.A.T. registration no: 891600913


Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Jay Jimenez
Dan,

Our browsers have very few, selected trusted CAs, which are also
stored in our Trusted Root Certification Authorities. Install an
internal root CA with Microsoft Certificate Services and generate the
CA. After generating the CA certificate, make sure that you roll out
the certificate via GPO:

Computer Configuration -> Windows Settings -> Security Settings ->
Public Key Policies -> Trusted Publishers, and add your cert to the
Trusted Root Certification Authorities.

Once you have the root CA certificate installed in each computer, all
subordinate CAs will be trusted automatically. In this case, we plan to
have your squid box hold a SUBORDINATE CA signed by your ROOT CA.
(I hope you see the chain of authority here.)


Go to your squid box and generate your .key file and certificate request .csr:

openssl genrsa -out yourkey.key 1024

openssl req -new -key yourkey.key -out yourkey.csr


Copy the content of your .csr file to your root CA web enrollment
service (make sure web enrollment is installed), choose advanced
certificate request, paste the content of your .csr file and choose
SUBORDINATE Certification Authority.

Click submit and download the Base64 encoded certificate file (NOT the
DER encoded one).


Use the downloaded .cer file and your .key file in your squid SSL bump
configuration.

Your Squid now has the subordinate CA, and any certificate generated by
Squid will be trusted automatically because the issuer of Squid's sub
CA is your domain root CA.


*Our organization has an existing internal PKI that we're currently using
for our Microsoft NPS/802.1x. That saves us the headache of
installing a new self-signed CA on each computer for Squid SSL
bumping.


Regards,
Jay

On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth d...@getbusi.com wrote:
 I for one would welcome you explaining this set up a little bit. Definitely 
 relevant to my interests.

 Thanks!
 Dan

 On 12 May 2014, at 4:56 pm, Jay Jimenez j...@integralvox.com wrote:

 Tom,

 If your proxy users and computers are members of Active Directory
 Domain, you might want to use your existing internal AD public key
 infrastructure. The reason for this is that domain computers already
 trust the CA of your AD. I can explain the setup a little bit if this
 is the kind of IT environment you have. The main advantage of this
 setup is you don't need to install a self-signed CA by squid in each
 computer.

 Jay

 On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,

 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.

 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.

 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.

 Thanks,
 Tom

 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.

 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.

 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.

 OR ... with a blind individual doing the checking it does not matter.

 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
 ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.

 Amos




 --
 Tom Holder
 Systems Architect


 Follow me on: [Twitter] [Linked In]

 www.Simpleweb.co.uk

 Tel: 0117 922 0448

 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913
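The chain Jay describes (domain root CA, subordinate CA on the Squid box,
per-site certificate minted by Squid), built and verified end to end with
openssl so the trust relationship can be checked before the root is pushed
out by GPO. This is an added example, not code from Jay's post or from the
Squid project: the self-signed root created here stands in for the AD
Certificate Services root, and in the real setup the CSR is pasted into AD
web enrollment as a "Subordinate Certification Authority" request instead of
being signed locally. Keys are 2048-bit rather than the 1024-bit in the post;
file names, subjects and the example host name are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Squid project. Builds
# root CA -> Squid sub CA -> bumped-site leaf offline and verifies the leaf the
# way a domain client would (trusting only the root). Also shows what happens
# when the sub CA request is issued from a non-CA template. File names,
# subjects and the host name are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extensions that make a certificate usable as a CA at all. Without CA:TRUE and
# keyCertSign, clients reject every certificate Squid mints with it; pathlen:0
# on the Squid sub CA stops that key from issuing further CAs if it leaks.
# $1 = output file, $2 = extra basicConstraints text (e.g. ", pathlen:0").
write_ca_ext() {
    cat > "$1" <<EOF
basicConstraints = critical, CA:TRUE$2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Stand-in for the domain root CA that domain members already trust.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Corp Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    write_ca_ext "$WORK/rootca.ext" ""
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -sha256 -extfile "$WORK/rootca.ext" -out "$WORK/root.crt" 2>/dev/null
}

# The two commands from the post, run on the Squid box (2048-bit key).
make_squid_csr() {
    openssl genrsa -out "$WORK/squid.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/squid.key" -subj "/CN=Squid SSL-Bump Sub CA" \
        -out "$WORK/squid.csr" 2>/dev/null
}

# Sign the Squid CSR with the root. $1 = output certificate, $2 = extension
# file; the extension file is what decides whether the result is really a CA
# (in AD terms: which template the web enrollment request used).
sign_sub_ca() {
    openssl x509 -req -in "$WORK/squid.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$2" -out "$1" 2>/dev/null
}

# Mint one leaf certificate for a bumped site with the given sub CA ($1) and
# host ($2), then verify it as a client does: trusting only the root, with the
# sub CA supplied as an untrusted intermediate. Returns 0 on "OK".
leaf_verifies() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$WORK/squid.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" 2>/dev/null \
        | grep -q ': OK$'
}

# End to end. Returns 0 only if a leaf under the properly issued sub CA
# validates against the root AND a leaf under a sub CA issued from a non-CA
# ("Web Server"-style) template does not.
build_and_check_chain() {
    make_root_ca
    make_squid_csr
    write_ca_ext "$WORK/subca.ext" ", pathlen:0"
    sign_sub_ca "$WORK/squid.crt" "$WORK/subca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' \
        > "$WORK/notca.ext"
    sign_sub_ca "$WORK/squid-notca.crt" "$WORK/notca.ext"
    leaf_verifies "$WORK/squid.crt" "www.example.com" || return 1
    if leaf_verifies "$WORK/squid-notca.crt" "www.example.com"; then return 1; fi
    return 0
}

if build_and_check_chain; then
    echo "chain OK: root=$WORK/root.crt sub CA=$WORK/squid.crt key=$WORK/squid.key"
else
    echo "chain check FAILED (see files under $WORK)"
fi
```

The same `openssl verify -CAfile root.crt -untrusted squid.crt` check works
against the real AD-issued .cer file once it is downloaded: if the leaf does
not verify, the request was not issued as a subordinate CA, and no client will
accept what Squid generates either. Squid must also be given the sub CA
certificate together with its key (the cert= and key= options on http_port)
so that it sends the intermediate in the handshake.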



Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Jay Jimenez
Tom,

No problem. Make sure you have the latest version of Squid, or at least
version 3.3, to use server-first.

Jay


On Mon, May 12, 2014 at 3:54 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Thanks Jay, it's not the CA I have an issue with, I can easily get
 that installed.

 On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez j...@integralvox.com wrote:
 Tom,

 If your proxy users and computers are members of Active Directory
 Domain, you might want to use your existing internal AD public key
 infrastructure. The reason for this is that domain computers already
 trust the CA of your AD. I can explain the setup a little bit if this
 is the kind of IT environment you have. The main advantage of this
 setup is you don't need to install a self-signed CA by squid in each
 computer.

 Jay

 On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,

 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.

 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.

 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.

 Thanks,
 Tom

 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.

 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.

 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.

 OR ... with a blind individual doing the checking it does not matter.

 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
  ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.

 Amos




 --
 Tom Holder
 Systems Architect


 Follow me on: [Twitter] [Linked In]

 www.Simpleweb.co.uk

 Tel: 0117 922 0448

 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913



 --
 Tom Holder
 Systems Architect


 Follow me on: [Twitter] [Linked In]

 www.Simpleweb.co.uk

 Tel: 0117 922 0448

 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT

 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913


Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Dan Charlesworth
Thanks Jay! Very informative.

Dan

On 12 May 2014, at 6:02 pm, Jay Jimenez j...@integralvox.com wrote:

 Dan,
 
 Our browsers have very few, selected trusted CAs, which are also
 stored in our Trusted Root Certification Authorities. Install an
 internal root CA with Microsoft Certificate Services and generate the
 CA. After generating the CA certificate, make sure that you roll out
 the certificate via GPO:
 
 Computer Configuration -> Windows Settings -> Security Settings ->
 Public Key Policies -> Trusted Publishers, and add your cert to the
 Trusted Root Certification Authorities.
 
 Once you have the root CA certificate installed in each computer, all
 subordinate CAs will be trusted automatically. In this case, we plan to
 have your squid box hold a SUBORDINATE CA signed by your ROOT CA.
 (I hope you see the chain of authority here.)
 
 
 Go to your squid box and generate your .key file and certificate request .csr:
 
 openssl genrsa -out yourkey.key 1024
 
 openssl req -new -key yourkey.key -out yourkey.csr
 
 
 Copy the content of your .csr file to your root CA web enrollment
 service (make sure web enrollment is installed), choose advanced
 certificate request, paste the content of your .csr file and choose
 SUBORDINATE Certification Authority.
 
 Click submit and download the Base64 encoded certificate file (NOT the
 DER encoded one).
 
 
 Use the downloaded .cer file and your .key file in your squid SSL bump
 configuration.
 
 Your Squid now has the subordinate CA, and any certificate generated by
 Squid will be trusted automatically because the issuer of Squid's sub
 CA is your domain root CA.
 
 
 *Our organization has an existing internal PKI that we're currently using
 for our Microsoft NPS/802.1x. That saves us the headache of
 installing a new self-signed CA on each computer for Squid SSL
 bumping.
 
 Regards,
 Jay
 
 
 
 
 
 
 
 
 On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth d...@getbusi.com wrote:
 I for one would welcome you explaining this set up a little bit. Definitely 
 relevant to my interests.
 
 Thanks!
 Dan
 
 On 12 May 2014, at 4:56 pm, Jay Jimenez j...@integralvox.com wrote:
 
 Tom,
 
 If your proxy users and computers are members of Active Directory
 Domain, you might want to use your existing internal AD public key
 infrastructure. The reason for this is that domain computers already
 trust the CA of your AD. I can explain the setup a little bit if this
 is the kind of IT environment you have. The main advantage of this
 setup is you don't need to install a self-signed CA by squid in each
 computer.
 
 Jay
 
 On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
 Hi Amos,
 
 Thanks for that. Yes I understand the legalities, this isn't to
 'forge' anything. The users are well aware they're not looking at the
 real sites.
 
 The CA will be installed on their systems and they will have to agree
 to it. The issue is that the browser is complaining that the CN does
 not match because my local web server that represents ANY site has a
 catch all CN. Therefore I'm trying to determine a way to generate the
 correct CN before Squid tries to bump the SSL so that the CN is nearly
 correct.
 
 The certificates I generate don't need to look like the original
 because I'm not trying to trick anyone, they just need not to error in
 the browser.
 
 Thanks,
 Tom
 
 On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 12/05/2014 9:42 a.m., Tom Holder wrote:
 Thanks for your help Walter, problem is, which I wasn't too clear
 about, site1.com was just an example. It could be any site that I
 don't previously know the address for.
 
 Therefore, the only thing I can think of is to dynamically generate a
 self-signed cert.
 
 One of the built-in problems with forgery is that one must have an
 original to work from in order to get even a vague resemblance of
 correctness. Don't fool yourself into thinking SSL-bump is anything
 other than high-tech forgery of the website owner's security credentials.
 
 OR ... with a blind individual doing the checking it does not matter.
 
 (Un)luckily the system design for SSL and TLS as widely used today
 places a huge blindfold (the trusted CA set) on the client software. So
 all one has to do is install the signing CA for the forged certificates
 as one of those CA and most anything becomes possible.
 ... check carefully the legalities of doing this before doing anything.
 In some places even experimenting is a criminal offence.
 
 Amos
 
 
 
 
 --
 Tom Holder
 Systems Architect
 
 
 Follow me on: [Twitter] [Linked In]
 
 www.Simpleweb.co.uk
 
 Tel: 0117 922 0448
 
 Simpleweb Ltd.
 Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
 
 Simpleweb Ltd. is registered in England.
 Registration no: 5929003 : V.A.T. registration no: 891600913
 



Re: [squid-users] squid cpu problem

2014-05-12 Thread a . afach

Dear Amos
I have 4 squid servers (three with 2 Intel Xeon processors) with no
problem.

The problem only occurs on the fourth, a desktop server with an AMD Phenom II X6
1090T.

All servers have 16G RAM.
Using benchmark testing tools (memory, CPU, disk) I can see that the
desktop server is faster and has faster disks (SSD), although the
problem only occurs on this server.

Could the problem be that I need a faster CPU or RAM bus, or is there any
problem with AMD??!!

I tried EXT2/4 and ReiserFS with the same problem; should I try XFS?

Thanks


On 2014-05-08 04:22, Amos Jeffries wrote:

On 8/05/2014 12:33 a.m., a.afach wrote:

Hi Amos
As I see, the problem is still occurring with other errors in GDB; the CPU
still goes to 100%.

The problem is that very big objects do exist and occasionally need to
be moved from memory to disk.

This is the GDB:

Loaded symbols for /lib64/libnss_db.so.2
0x0050a1c8 in linklistPush (L=0x9fb429e8, p=0x53e0be0) at list.cc:47
47  list.cc: No such file or directory.
in list.cc
(gdb) backtrace
#0  0x0050a1c8 in linklistPush (L=0x9fb429e8, p=0x53e0be0) at list.cc:47
#1  0x00594841 in UFSStoreState::write (this=0xb7775918, buf=0x723b7c70 I\223\324\004\245\201\315\306\354P\276\372e\373\r\235\250\311\033\275P\333\344\323\211\354\275\200\362A, size=4096, aOffset=-1, free_func=0x50f220 memNodeWriteComplete(void*)) at ufs/store_io_ufs.cc:247
#2  0x005436e0 in doPages (anEntry=optimized out) at store_swapout.cc:160

snip

I tried to change config with no success.
The problem occurs in peak times or when there is no load, at random times.
How can I know if the problem is a hardware problem or Squid?

Neither and both.

It is a non-problem in that storing a large object to disk in small
incremental bits is going to take a lot of CPU cycles. The nature of the
task itself causes large CPU usage.

The Squid code doing this store is not great. It walks the linked-list
of memory blocks (N^2)/2 times during the store operation.
Also, the version you are using does not distinguish between objects
stored for future use and objects being discarded immediately. They all
go to disk on their way through Squid. So there is no way to avoid it by
configuring storage of smaller objects.

The hardware is not able to cope with that operation being done on the
size of objects you are proxying.

Amos



thanks


On 2014-04-05 03:37, Amos Jeffries wrote:
This looks like the CPU cycles are being consumed by walking one or more
very long lists of memory pieces and writing them to disk one by one.
Note the UFSStoreState::write parameter size=4096 in the backtrace for
how big those memory pages are.

Which could happen if you cached a very big object in cache_mem and then
a random time later it needed swapping out to disk to free up memory.

It could also happen if Squid needed to suddenly swap out a large number
of smaller items to make memory space available for a large one which is
about to arrive.

So, have you configured Squid to allow very large objects (many MB or
GB) in memory storage?

Note these causes would not show up in the testing you mentioned unless
you had a very wide range of test object sizes being pumped randomly
through the proxy. A tool like web polygraph is best to test that
traffic behaviour accurately.

Amos


On 5/04/2014 1:59 a.m., a.afach wrote:

Dear all
I still have the CPU spikes even when I used
disable-strict-error-checking without using CFLAGS.

This is the gdb backtrace while the CPU spikes:

0x0051b348 in linklistPush (L=0x11853e188, p=0xce6d4300) at list.cc:47
47  while (*L)
(gdb) backtrace
#0  0x0051b348 in linklistPush (L=0x11853e188, p=0xce6d4300) at list.cc:47
#1  0x005a70a1 in UFSStoreState::write (this=0xb3970e28, buf=0x11fe69ca0
!v\253r[/\307\232G\b\375`\237:\213\256^\335\373{\241%\232\363\021\071`\342\033\177a\202G\320{\323%\236K\342\243*\332\316\351\231=\360\370\313Ro=\317\262\243\315\027\351,\221\230\353Z\023\024q\QSC\036\214:M\242{@\351m\020\337Cw_\214\216\304\226\265\a\375\031\211\243V\222T\320\016\227\312-\211Sz\326^\346\230\251\327\222\n\373I\032\341\303==U\214\277\264\244\205\b1\346S=\230\215\204\245\254\312\223\066\336\230PpP\227\271\370\266;\362\226\242\036\225\235w\330\325\061\316{o_\364\021\062\351\376\062|\313\006`\357m\206FQ0\021\030C\224\004]\336\315\371\033h1\361\363\350d\366\066...,
size=4096, aOffset=-1, free_func=0x5203b0 memNodeWriteComplete(void*)) at ufs/store_io_ufs.cc:247
#2  0x00554ca0 in doPages (anEntry=optimized out) at store_swapout.cc:160
#3  StoreEntry::swapOut (this=0x372ca10) at store_swapout.cc:279
#4  0x0054c986 in StoreEntry::invokeHandlers (this=0x372ca10) at store_client.cc:714
#5  0x004dc1a7 in FwdState::complete (this=0xbb502b48) at forward.cc:341
#6  0x005579a5 in ServerStateData::completeForwarding (this=0xf8030588) at Server.cc:239
#7  0x005571bd in 

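To make Amos's "(N^2)/2" remark concrete, here is an added example (my own illustration, not Squid's list.cc or store code): a singly linked list that is appended by walking from the head on every push, the way the `while (*L)` loop in linklistPush at the top of both backtraces does, beside the same list kept with a tail pointer. The node type, function names and the 4096-byte page-count helper are hypothetical stand-ins for Squid's memory-node list; only the traversal pattern is what the thread describes.

```cpp
// Added example, not Squid code. Shows why appending to a singly linked
// list by walking from the head each time costs N(N-1)/2 node visits for
// N pushes, while a tail pointer costs none.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Node {
    Node *next = nullptr;
    std::size_t page = 0;   // hypothetical stand-in for a memory-page pointer
};

struct BuildResult {
    std::size_t visits;     // total next-link traversals while building
    std::size_t length;     // nodes actually reachable from the head
};

// Head-walking push: follow next links until the end, then attach.
// Returns the number of links traversed for this single push.
static std::size_t pushWalking(Node **head, Node *n) {
    std::size_t visits = 0;
    while (*head) {
        head = &(*head)->next;
        ++visits;
    }
    *head = n;
    return visits;
}

// Same list, but the caller also keeps a tail pointer: constant-time append.
static std::size_t pushTail(Node **head, Node **tail, Node *n) {
    if (*tail)
        (*tail)->next = n;
    else
        *head = n;
    *tail = n;
    return 0;   // no traversal needed
}

static std::size_t length(const Node *n) {
    std::size_t c = 0;
    for (; n; n = n->next) ++c;
    return c;
}

// Build a list of `pages` nodes with the head-walking push.
BuildResult buildWalking(std::size_t pages) {
    std::vector<Node> nodes(pages);
    Node *head = nullptr;
    BuildResult r{0, 0};
    for (std::size_t i = 0; i < pages; ++i) {
        nodes[i].page = i;
        r.visits += pushWalking(&head, &nodes[i]);
    }
    r.length = length(head);
    return r;
}

// Build the same list with a tail pointer.
BuildResult buildWithTail(std::size_t pages) {
    std::vector<Node> nodes(pages);
    Node *head = nullptr;
    Node *tail = nullptr;
    BuildResult r{0, 0};
    for (std::size_t i = 0; i < pages; ++i) {
        nodes[i].page = i;
        r.visits += pushTail(&head, &tail, &nodes[i]);
    }
    r.length = length(head);
    return r;
}

// Number of pageSize-byte pages needed to hold an object of `bytes` bytes
// (4096 matches the size=4096 seen in the backtraces).
std::size_t pagesFor(std::uint64_t bytes, std::size_t pageSize = 4096) {
    return static_cast<std::size_t>((bytes + pageSize - 1) / pageSize);
}

// Closed form for the head-walking cost: 0 + 1 + ... + (N-1) = N(N-1)/2.
std::uint64_t expectedWalkingVisits(std::uint64_t n) {
    return n * (n - 1) / 2;
}

int main() {
    BuildResult w = buildWalking(1000);
    BuildResult t = buildWithTail(1000);
    std::printf("1000 pages: head-walking visits %zu nodes, tail pointer %zu\n",
                w.visits, t.visits);
    const std::size_t pages = pagesFor(1ULL << 30);   // a 1 GiB object
    std::printf("1 GiB object = %zu pages; head-walking append would visit %llu nodes\n",
                pages, static_cast<unsigned long long>(expectedWalkingVisits(pages)));
    return 0;
}
```

For a 1 GiB object in 4096-byte pages that is 262144 pushes and roughly 3.4e10 node visits, which is the order of work that shows up as a CPU spike during swap-out; the tail-pointer variant builds the identical list with zero traversals.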
[squid-users] Squid Documentation

2014-05-12 Thread Oskar Pearson
Hi All

This is my first post to the Squid Users list for an incredibly long time ("Hi 
all") :)

New Squid users: did you find the documentation at 
http://www.deckle.co.uk/squid-users-guide/ useful in your process of learning 
Squid?

I wrote the Squid documentation at http://www.deckle.co.uk/squid-users-guide/ 
in 1999 with the aim of getting it published as a book. I then proceeded to get 
incredibly involved in trying to build and run a company, and I never completed 
it. It’s had very little love since, despite attempts to put it on a Wiki 
(which only succeeded in getting me banned from Adsense due to dodgy comments 
in the “Russian translation”) and on GitHub (which has had no commits other 
than by me).

My impression is that the guide is woefully out of date, and should probably be 
binned and visitors redirected somewhere more useful. I was wondering if anyone 
had any ideas about this. Is the content useful? Is anyone else interested in 
trying to assist with bringing it up to date?

I thought I’d check with a larger Squid audience here on squid-users first, and 
then raise it to the Squid dev mailing list based on the response here.

The docs still get quite a few hits, considering their age and lack of 
maintenance. About 2000 unique IPs visited it last week (removing any reference 
to ‘bot’ in the user agent - though that doesn’t guarantee anything).

Thanks!

Oskar Pearson



[squid-users] Squid 24/7 outsourced technical support

2014-05-12 Thread Daniel Niasoff
Hi,

I guess this should be a good place to post this question.

Looking for a company that can provide 24/7 level 3 infrastructure support 
services for a cloud filtering service based on Squid and many other open 
source (+commercial) components.

Essentially an outsourced NOC service.

There are literally 1000s of these companies on the Internet but looking for 
one with good experience with Squid and proxying ideally.

Anyone got any ideas.

Thanks

Daniel




Re: [squid-users] Unhandled exception: c

2014-05-12 Thread Alex Crow

Hi Amos,

New backtrace - I hope this helps!

Core was generated by `(squid-1) -YC -f /etc/squid3/squid.conf'.
Program terminated with signal 6, Aborted.
#0  0x7f2f758a81b5 in raise () from /lib/libc.so.6
(gdb) bt full
#0  0x7f2f758a81b5 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x7f2f758aafc0 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x0054670f in xassert (msg=0x7bb62c c, file=0x7ea5f8 
base/CbcPointer.h, line=147) at debug.cc:565

__FUNCTION__ = xassert
#3  0x005279d1 in CbcPointerConnStateData::operator- 
(this=value optimized out) at base/CbcPointer.h:147

c = value optimized out
#4  0x0057238e in FwdState::initiateSSL (this=0x80f14ba8) at 
forward.cc:827

hostname = 0x80e6d7e8 secure.flashtalking.com
isConnectRequest = value optimized out
peer = value optimized out
fd = 812
__FUNCTION__ = initiateSSL
peeked_cert = value optimized out
ssl = 0x940e87e0
sslContext = value optimized out
#5  0x005725e3 in FwdState::connectDone (this=0x80f14ba8, 
conn=..., status=value optimized out, xerrno=0) at forward.cc:895

__FUNCTION__ = connectDone
#6  0x006a6f69 in AsyncCall::make (this=0x950cf990) at 
AsyncCall.cc:32

__FUNCTION__ = make
#7  0x006aa215 in AsyncCallQueue::fireNext (this=value 
optimized out) at AsyncCallQueue.cc:52

call = {p_ = 0x950cf990}
__FUNCTION__ = fireNext
#8  0x006aa3c0 in AsyncCallQueue::fire (this=0xfb53f0) at 
AsyncCallQueue.cc:38

made = true
#9  0x005633dc in EventLoop::runOnce (this=0x7fffd3a62b20) at 
EventLoop.cc:132

sawActivity = false
waitingEngine = 0x7fffd3a62ba0
__FUNCTION__ = runOnce
#10 0x00563518 in EventLoop::run (this=0x7fffd3a62b20) at 
EventLoop.cc:96

No locals.
#11 0x005d3a25 in SquidMain (argc=value optimized out, 
argv=value optimized out) at main.cc:1520

WIN32_init_err = value optimized out
__FUNCTION__ = SquidMain
signalEngine = {AsyncEngine = {_vptr.AsyncEngine = 0x7cc770}, 
loop = @0x7fffd3a62b20}
store_engine = {AsyncEngine = {_vptr.AsyncEngine = 0x7cc7d0}, 
No data fields}
comm_engine = {AsyncEngine = {_vptr.AsyncEngine = 0xa78f30}, 
No data fields}
mainLoop = {errcount = 0, last_loop = false, engines = 
{capacity = 16, count = 4, items = 0x1426140}, timeService = 
0x7fffd3a62b90, primaryEngine = 0x7fffd3a62ba0, loop_delay = 0, error = 
false, runOnceResult = false}

time_engine = {_vptr.TimeEngine = 0x7dbe90}
#12 0x005d4213 in SquidMainSafe (argc=3051, argv=0xbeb) at 
main.cc:1242

No locals.
#13 main (argc=3051, argv=0xbeb) at main.cc:1234
No locals.

We are also getting a lot of this sort of thing in the logs since I've 
patched that Assert. Not sure If it's related.


2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 13:22:57 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 13:22:57 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 13:22:57 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 13:22:57 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 13:22:57 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 13:22:57 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 13:22:57 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 13:22:57 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 14:21:49 kid1| Starting new ntlmauthenticator helpers...
2014/05/09 14:21:49 kid1| helperOpenServers: Starting 1/75 'ntlm_auth' processes
2014/05/09 14:21:49 kid1| ipcCreate: fork: (12) Cannot allocate memory
2014/05/09 14:21:49 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2014/05/09 14:21:50 kid1| Starting new ntlmauthenticator 

Re: [squid-users] Squid Documentation

2014-05-12 Thread Amos Jeffries
On 13/05/2014 1:38 a.m., Oskar Pearson wrote:
 Hi All
 
 This is my first post to the Squid Users list for an incredibly long
 time ("Hi all") :)
 
 New Squid users: did you find the documentation at
 http://www.deckle.co.uk/squid-users-guide/ useful in your process of
 learning Squid?
 
 I wrote the Squid documentation at
 http://www.deckle.co.uk/squid-users-guide/ in 1999 with the aim of
 getting it published as a book. I then proceeded to get incredibly
 involved in trying to build and run a company, and I never completed
 it. It’s had very little love since, despite attempts to put it on a
 Wiki (which only succeeded in getting me banned from Adsense due to
 dodgy comments in the “Russian translation”) and on GitHub (which has
 had no commits other than by me).
 
 My impression is that the guide is woefully out of date, and should
 probably be binned and visitors redirected somewhere more useful. I
 was wondering if anyone had any ideas about this. Is the content
 useful? Is anyone else interested in trying to assist with bringing
 it up to date?

Hi Oskar,

The Project wiki (http://wiki.squid-cache.org/) welcomes any content you
want to contribute. Taking a brief scan of it now it seems to be quite
well written and only the specific detail in some places is outdated.

Please feel free to contact the admin (Francesco or myself) for editor
access to copy your pages over.


Amos Jeffries
The Squid Software Foundation


Re: [squid-users] Squid 24/7 outsourced technical support

2014-05-12 Thread Amos Jeffries
On 13/05/2014 1:54 a.m., Daniel Niasoff wrote:
 Hi,
 
 I guess this should be a good place to post this question.
 
 Looking for a company that can provide 24/7 level 3 infrastructure support 
 services for a cloud filtering service based on Squid and many other open 
 source (+commercial) components.
 
 Essentially an outsourced NOC service.
 
 There are literally 1000s of these companies on the Internet but looking for 
 one with good experience with Squid and proxying ideally.
 
 Anyone got any ideas.
 
 Thanks
 
 Daniel
 
 

Hi Daniel,

If you dont get any responses from this post.
http://www.squid-cache.org/Support/services.html contains an
alphabetical list of companies which have made the effort to register
their interest in supporting Squid commercially.

Amos



Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Eliezer Croitoru

How exactly client-first helps in that?

Eliezer

On 05/12/2014 10:26 AM, Walter H. wrote:

Hi,

change from server-first to client-first; and your issue is gone;

Walter




Re: [squid-users] SSL Bump and dynamic SSL generation

2014-05-12 Thread Tom Holder
I haven't investigated exactly, however, I'm guessing it's simply not
trying to mimic the original SSL and is just generating one that is
'good-enough'. For my purposes, good enough is erm, good enough.

Tom

On Mon, May 12, 2014 at 6:01 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 How exactly client-first helps in that?

 Eliezer


 On 05/12/2014 10:26 AM, Walter H. wrote:

 Hi,

 change from server-first to client-first; and your issue is gone;

 Walter





-- 
Tom Holder
Systems Architect


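As an added example (not from this thread or the Squid project), a squid.conf fragment for Squid 3.3 that puts the two ssl_bump modes Walter and Eliezer are discussing side by side. The port, CA file, helper and database paths are assumptions; the behaviour comments describe what each mode does with the certificate the client sees.

```conf
# Added example, not from the thread. Port, CA file and paths are assumptions.
# Squid 3.3 syntax.

# Bump explicit CONNECT requests on this port, minting one certificate per
# host from the local CA (myCA.pem must contain the CA key and certificate,
# and the CA certificate must be trusted by the clients).
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem

# Helper that mints and caches the generated certificates.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5

# server-first: Squid connects to the origin server first and mimics the
# certificate it receives. When the "origin" is a local catch-all server,
# the mimicked Subject.CN is the catch-all name, so the browser reports a
# CN mismatch for every site name the client actually asked for.
#ssl_bump server-first all

# client-first: Squid answers the client before talking to the server and
# generates the certificate from the name the client requested (the CONNECT
# host or TLS SNI). The CN then matches the requested site, which is why the
# browser error goes away. Caveat: the client-facing certificate no longer
# reflects anything about the origin certificate, so any origin-side
# validation problem is invisible to the browser unless Squid itself is
# configured to refuse the connection.
ssl_bump client-first all
```

If server-first is needed for other reasons, Squid 3.3 also documents `sslproxy_cert_adapt setCommonName acl` (without a braced value) as setting Subject.CN of the mimicked certificate to the host name from the CONNECT request; check the squid.conf.documented shipped with your build before relying on it.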

RE: [squid-users] Squid 24/7 outsourced technical support

2014-05-12 Thread Daniel Niasoff
Thanks Amos, I should have looked there first :)

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: 12 May 2014 16:45
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 24/7 outsourced technical support

On 13/05/2014 1:54 a.m., Daniel Niasoff wrote:
 Hi,
 
 I guess this should be a good place to post this question.
 
 Looking for a company that can provide 24/7 level 3 infrastructure support 
 services for a cloud filtering service based on Squid and many other open 
 source (+commercial) components.
 
 Essentially an outsourced NOC service.
 
 There are literally 1000s of these companies on the Internet but looking for 
 one with good experience with Squid and proxying ideally.
 
 Anyone got any ideas.
 
 Thanks
 
 Daniel
 
 

Hi Daniel,

If you dont get any responses from this post.
http://www.squid-cache.org/Support/services.html contains an alphabetical list 
of companies which have made the effort to register their interest in 
supporting Squid commercially.

Amos