Re: [squid-users] Fwd: gmail.com certificate name mismatch

2014-06-15 Thread Eliezer Croitoru

This is one of the downsides of using ssl-bump.
It just bumps the IP first, before the client, and this is one of the 
side effects which happens and cannot be prevented for now due to the 
basic nature and structure of SSL.


Eliezer

On 06/13/2014 09:56 PM, Douglas Davenport wrote:

I have squid 3.3.10 set up with sslbump working for all sites except
when a user tries to type in gmail.com. For some reason the browser
complains about a certificate name mismatch. On examination the
generated cert is actually for mail.google.com. Apparently google is
redirecting, but why does this error happen only with sslbump? Anyone
else have this issue, workarounds?

Thanks in advance!





[squid-users] Is squid for OpenBSD 5.5 broken????

2014-06-15 Thread Monah Baki
Hi all,

Using ./configure --prefix=/usr/local/squid --with-filedescriptors=32768
--enable-snmp --with-large-files


I installed OpenBSD 5.4 on a vmware workstation and squid 3.4.5, works fine.


However, OpenBSD 5.5 on both vmware workstation and on a SPARC64
T5220, I get the following error running make,


po -c -o client_side.o client_side.cc  mv -f $depbase.Tpo $depbase.Po
depbase=`echo client_side_reply.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;
g++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\/usr/
local/squid/etc/squid.conf\
-DDEFAULT_SQUID_DATA_DIR=\/usr/local/squid/share\
-DDEFAULT_SQUID_CONFIG_DIR=\/usr/local/squid/etc\  -I.. -I../include
-I../lib  -I../src -I../include   -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I../libltdl  -I../src -I../libltdl
-I/usr/include/kerberosV  -I/usr/include/kerberosV
-I/usr/include/kerberosV  -I/usr/include/kerberosV  -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
-D_REENTRANT -g -O2 -MT client_side_reply.o -MD -MP -MF $depbase.Tpo
-c -o client_side_reply.o client_side_reply.cc  mv -f $depbase.Tpo
$depbase.Po
cc1plus: warnings being treated as errors
client_side_reply.cc: In member function 'void
clientReplyContext::buildReplyHeader()':
client_side_reply.cc:1326: warning: format '%ld' expects type 'long
int', but argument 4 has type 'long long int'
*** Error 1 in src (Makefile:6970 'client_side_reply.o')
*** Error 1 in src (Makefile:7116 'all-recursive')
*** Error 1 in src (Makefile:6036 'all')
*** Error 1 in /home/mbaki/squid-3.4.5 (Makefile:587 'all-recursive')





Thanks


[squid-users] MAPI over HTTP

2014-06-15 Thread Martin Fuchs
Hi !
Does anyone have experience with MAPI over HTTP used in Microsoft Exchange 
Server 2013 SP1 in conjunction with squid (as a reverse proxy)?
Somehow it seems that it does not work with auth = PASS. 
If anyone got it working, please let me know. 

Regards,
Martin

Re: [squid-users] squid 3.3.10 under freeBSD

2014-06-15 Thread Martin Fuchs


 On 12.06.2014 at 12:56, Amos Jeffries squ...@treenet.co.nz wrote:
 
 On 11/06/2014 2:40 a.m., Martin Fuchs wrote:
 perhaps I should also tell you that FreeBSD is a 64-bit version...
 
 
 
 
 From: Martin Fuchs
 
 
 Hi !
 
 
 I maintain a package for the pfSense project and need some help:
 
 
 We're running squid 3.3.10 under FreeBSD 8.3 release p16 and I'm getting
 
 There is a 3.3.11 update AFAIK for FreeBSD.
 
 
 errors when trying to start squid:
 
 2014/06/10 11:02:43 kid1| WARNING: failed to find or read error text file
 error-details.txt
 2014/06/10 11:02:43 kid1| sendto FD 36: (1) Operation not permitted
 2014/06/10 11:02:43 kid1| ipcCreate: CHILD: hello write test failed
 2014/06/10 11:03:06 kid1| Starting Squid Cache version 3.3.10 for
 i386-portbld-freebsd8.3...
 
 Maybe a bug we had way back about Squid parsing of the
 error-details.txt file. Though it is occurring for other common languages
 as well, so maybe you need to update or replace your translation
 template files.
 
 
 http://www.squid-cache.org/Versions/langpack/ has the download and
 instructions for installing the basic languages.
 
 There is also an aliases script that can be run to generate all the
 dialect aliases when doing it manually.
 
 ./aliase-link.sh /usr/sbin/ln /usr/sbin/rm \
/usr/share/squid/errors/ ./aliases
 
 4 arguments:
 - path to symlink creator tool (ln)
 - path to file removal tool (rm)
 - directory where the error languages sub-directories exist
 - file mapping which languages and how to build symlinks
 
 
 Amos

Hi Amos !
Thanks a lot for your answer. 
You do not think it's the language file.
Somehow it seems the squid's child process does not have sufficient rights.
I'll have a try with the new squid version.
Regards,
Martin

Re: [squid-users] Fwd: gmail.com certificate name mismatch

2014-06-15 Thread Douglas Davenport
Interesting, I thought bump server first solved this type of problem.
I wonder how Google is serving different certs for gmail.com vs
mail.google.com at the same IP; is this SNI? Is that something squid is
likely to support one day?

On Sun, Jun 15, 2014 at 6:57 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 This is one of the downsides of using ssl-bump.
 It just bumps the IP first, before the client, and this is one of the side
 effects which happens and cannot be prevented for now due to the basic
 nature and structure of SSL.

 Eliezer


 On 06/13/2014 09:56 PM, Douglas Davenport wrote:

 I have squid 3.3.10 set up with sslbump working for all sites except
 when a user tries to type in gmail.com. For some reason the browser
 complains about a certificate name mismatch. On examination the
 generated cert is actually for mail.google.com. Apparently google is
 redirecting, but why does this error happen only with sslbump? Anyone
 else have this issue, workarounds?

 Thanks in advance!




Re: [squid-users] Fwd: gmail.com certificate name mismatch

2014-06-15 Thread Eliezer Croitoru

On 06/15/2014 09:31 PM, Douglas Davenport wrote:

Interesting, I thought bump server first solved this type of problem.
I wonder how Google is serving different certs for gmail.com vs
mail.google.com at the same IP; is this SNI? Is that something squid is
likely to support one day?


There are a couple of types of certificates out there.
A range of domains using a joker-like asterisk that validates the 
certificate for usage on a whole bunch of subdomains of a specific domain.
There is another way to use one certificate for multiple domains (the 
client must support it).
Maybe there are a couple of other forms of certificates, but these are the 
most commonly used as far as I understand and know.


From a server and client point of view the SNI can be used to allow the 
server to send a valid certificate which matches the request...
for example, if you would use an IP address with https you will get the 
same warning you are getting these days with ssl-bump on gmail.com.
The certificate by itself is a *good* certificate from the issuer's side 
but it's not matching 100% the expectation of the client request and 
intelligence.
Once you have installed the certificate you are good to go on and surf 
the site as you wish (in Firefox).
There is another option, which is to use a reverse proxy for all the 
clients in the LAN that will be a proxy for all *.google.com domains with 
a certificate signed by the local root CA.

You can use the same for *.gmail.com.
Then you just need to use DNS (a bad choice it is, but it's what we have) 
for the whole domain.
I remember that, if I'm not wrong, BlueCoat used this technique to do a 
couple of tricks.
Squid for now doesn't know how to work with SNI, but the project, I think, 
wants, if possible, to allow it later on.


I had an assumption that, if one can verify that a specific IP address was 
meant for gmail or googlemail, a specific certificate can be assigned to it 
by the user, which by that can allow a more flexible way to overcome 
specific issues.

Alex can be asked about this option.

Eliezer
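
The two mechanisms Eliezer describes above, wildcard names and SNI-driven certificate selection, as an added C++ example (not Squid's code and not from anyone in the thread): `nameMatches` applies the RFC 6125 wildcard rules to one certificate name, `selectCert` picks a certificate the way an SNI-aware server does and falls back to a default when no SNI arrives, and `clientAccepts` shows why a client that typed gmail.com rejects the certificate a connection made by IP alone receives. The certificate set, its names and the structs are constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// One server certificate reduced to the DNS names it is valid for.
// Real certificates carry these in the Subject Alternative Name
// extension; this struct is a constructed stand-in for the example.
struct Cert {
    std::string label;               // display name only
    std::vector<std::string> names;  // DNS names, may contain wildcards
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// RFC 6125 style match of one certificate name against a hostname.
// A wildcard is honoured only as the complete left-most label ("*.google.com"),
// it matches exactly one label, and it never matches the bare parent domain.
bool nameMatches(const std::string& pattern, const std::string& host) {
    std::string p = lower(pattern), h = lower(host);
    if (p.compare(0, 2, "*.") != 0)
        return p == h;                    // plain name: exact match only
    std::string suffix = p.substr(1);     // ".google.com"
    if (h.size() <= suffix.size())
        return false;                     // no room for a label before the suffix
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    std::string label = h.substr(0, h.size() - suffix.size());
    return !label.empty() && label.find('.') == std::string::npos;
}

bool certMatchesHost(const Cert& c, const std::string& host) {
    for (const auto& n : c.names)
        if (nameMatches(n, host)) return true;
    return false;
}

// What an SNI-aware server does: pick the certificate whose names cover the
// requested host. With no SNI (a bare IP connection, or a proxy that opened
// the connection by IP) it can only fall back to its default certificate.
const Cert& selectCert(const std::vector<Cert>& certs, const std::string& sni) {
    if (!sni.empty())
        for (const auto& c : certs)
            if (certMatchesHost(c, sni)) return c;
    return certs.front();
}

// Constructed set mimicking one IP address that hosts several names;
// the first entry plays the role of the server's default certificate.
const std::vector<Cert> kCerts = {
    {"mail",  {"mail.google.com", "*.google.com"}},
    {"gmail", {"gmail.com", "*.gmail.com"}},
};

// Would a client that typed `host` accept the certificate the server picked
// for the SNI it actually received (empty string = no SNI was sent)?
bool clientAccepts(const std::string& host, const std::string& sniSent) {
    return certMatchesHost(selectCert(kCerts, sniSent), host);
}
```

With SNI forwarded the check passes; with the connection opened by IP the server hands out its default certificate and the client sees exactly the name mismatch reported in the thread.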


[squid-users] WARNING! Your cache is running out of filedescriptors

2014-06-15 Thread MrErr
Hi Everyone,

I know this has been addressed before, but I am getting this error with just
making one change to the squid.conf file. The system file limit is set at
16384 and squid at 4096.

Here is my squid.conf

acl localnet src 192.168.13.0/24
acl localnet src 127.0.0.1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.13.1:3128
http_port 192.168.13.1:3129 intercept
https_port 192.168.13.1:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/myCA.pem
dns_nameservers 127.0.0.1
acl ip_https_targets dst "/etc/squid/ip_https_targets.conf"
ssl_bump server-first ip_https_targets
sslproxy_cert_error allow all
sslcrtd_children 5
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache 0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache 0 icap://127.0.0.1:1344/respmod
acl icap_exclusions dstdomain "/etc/squid/icap_exclusion_domains.conf"
adaptation_access qlproxy1 deny icap_exclusions
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
max_filedesc 4096
cache deny all
debug_options ALL,1 33,2

The small change I have to make to cause squid to reach the file limit is

ssl_bump server-first all

Does anyone know why this would happen? 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-Your-cache-is-running-out-of-filedescriptors-tp4666357.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] WARNING! Your cache is running out of filedescriptors

2014-06-15 Thread Eliezer Croitoru

On 06/16/2014 01:51 AM, MrErr wrote:

Hi Everyone,

I know this has been addressed before, but I am getting this error with just
making one change to the squid.conf file. The system file limit is set at
16384 and squid at 4096.

Here is my squid.conf

And how is it related to the issue exactly?
The issue is that squid is getting lots of requests and reaches its 
maximum open FD.
In a system with users it happens that each connection, which requires 
from 5 to more open FDs, will eventually reach the limit either from usage 
or leak..
To make sure about the issue try to see the lsof -n|wc -l output and also 
ss -n|wc -l;
it will give you a basic view of the concurrent open sockets on the 
server and will give us a direction about the issue.

By the way, what OS are you using?

Eliezer



[squid-users] Re: WARNING! Your cache is running out of filedescriptors

2014-06-15 Thread MrErr
I guess I should have mentioned something about the load. It is a home
machine for now. There are 4 of us, me, my wife, a 7 year old and a 4 year
old :) So the load could not have been huge. At the most I was
sharing/torrenting Fedora 20 images. The system that squid is running on is
also Fedora 20. 

Before adding the statement ssl_bump server-first all, the output from the
commands is

[root@Router etc]# lsof -n|wc -l; ss -n|wc -l
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
  Output information may be incomplete.
37846
497

When the warnings start appearing in cache.log the output from the commands
is
[root@Router etc]# lsof -n|wc -l; ss -n|wc -l
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
  Output information may be incomplete.
41789
4451

So, I noticed the big increases in those numbers. What do they mean and what
could be causing them?

sam





Re: [squid-users] Re: WARNING! Your cache is running out of filedescriptors

2014-06-15 Thread Eliezer Croitoru
It means that lots of FDs are being used by squid, and the reason, I think, 
is a loop...
Is this the gateway machine? What are the iptables rules you use for 
interception?

iptables-save will give the basic answer to what rules you are using live.

Eliezer

On 06/16/2014 02:36 AM, MrErr wrote:

I guess I should have mentioned something about the load. It is a home
machine for now. There are 4 of us, me, my wife, a 7 year old and a 4 year
old :) So the load could not have been huge. At the most I was
sharing/torrenting Fedora 20 images. The system that squid is running on is
also Fedora 20.

Before adding the statement ssl_bump server-first all, the output from the
commands is

[root@Router etc]# lsof -n|wc -l; ss -n|wc -l
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
   Output information may be incomplete.
37846
497

When the warnings start appearing in cache.log the output from the commands
is
[root@Router etc]# lsof -n|wc -l; ss -n|wc -l
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
   Output information may be incomplete.
41789
4451

So, I noticed the big increases in those numbers. What do they mean and what
could be causing them?

sam



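
Eliezer's `lsof -n|wc -l` / `ss -n|wc -l` counts and his loop hypothesis above, taken one step further as an added C++ example that is neither Squid's code nor from the thread: it parses `ss -tan`-style rows, breaks them down by state and by local port, and flags accepted connections on one of the proxy's own listening ports whose peer is the proxy's own address, which is what a request intercepted back into the proxy looks like. The proxy address and ports (192.168.13.1, 3128/3129/3130) come from the posted squid.conf; the `ss` rows are constructed sample data, not output from the poster's machine.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One data row of `ss -tan`: State Recv-Q Send-Q Local:Port Peer:Port
struct Sock {
    std::string state, localAddr, peerAddr;
    int localPort = 0, peerPort = 0;
};

// Split "192.168.13.1:3130" into address and port (IPv4 only, which is
// all the posted configuration uses).
static bool splitEndpoint(const std::string& ep, std::string& addr, int& port) {
    auto colon = ep.rfind(':');
    if (colon == std::string::npos) return false;
    addr = ep.substr(0, colon);
    try { port = std::stoi(ep.substr(colon + 1)); } catch (...) { return false; }
    return true;
}

std::vector<Sock> parseSs(const std::string& output) {
    std::vector<Sock> rows;
    std::istringstream in(output);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string state, rq, sq, local, peer;
        if (!(ls >> state >> rq >> sq >> local >> peer)) continue;  // short line
        if (state == "State") continue;                              // header row
        Sock s;
        s.state = state;
        if (!splitEndpoint(local, s.localAddr, s.localPort)) continue;
        if (!splitEndpoint(peer, s.peerAddr, s.peerPort)) continue;
        rows.push_back(s);
    }
    return rows;
}

struct Summary {
    std::map<std::string, int> byState;   // ESTAB, TIME-WAIT, ...
    std::map<int, int> byLocalPort;       // which listener the load lands on
    int selfLoops = 0;                    // proxy's own traffic accepted by the proxy
};

// The proxy's identity, taken from the squid.conf posted in this thread.
const std::string kProxyIp = "192.168.13.1";
const std::vector<int> kProxyPorts = {3128, 3129, 3130};

static bool isProxyPort(int p) {
    for (int q : kProxyPorts) if (q == p) return true;
    return false;
}

Summary summarize(const std::vector<Sock>& socks) {
    Summary sum;
    for (const auto& s : socks) {
        ++sum.byState[s.state];
        ++sum.byLocalPort[s.localPort];
        // An accepted connection on a proxy port whose peer is the proxy's
        // own address means the proxy's outbound request was intercepted and
        // delivered back to itself: one iteration of the loop.
        if (isProxyPort(s.localPort) && s.peerAddr == kProxyIp)
            ++sum.selfLoops;
    }
    return sum;
}

// Constructed sample: two LAN clients, two upstream legs, and one request
// the proxy sent to the origin that NAT redirected back into port 3130.
// The outbound socket (40003) still reports the origin as its peer, because
// REDIRECT rewrites packets on the wire, not the socket's peer address.
const std::string kSample =
    "State     Recv-Q Send-Q Local Address:Port   Peer Address:Port\n"
    "ESTAB     0      0      192.168.13.1:3128    192.168.13.5:51234\n"
    "ESTAB     0      0      192.168.13.1:3130    192.168.13.7:49152\n"
    "ESTAB     0      0      192.168.13.1:40001   74.125.1.1:443\n"
    "TIME-WAIT 0      0      192.168.13.1:40002   74.125.1.2:443\n"
    "ESTAB     0      0      192.168.13.1:40003   74.125.1.3:443\n"
    "ESTAB     0      0      192.168.13.1:3130    192.168.13.1:40003\n";
```

The check deliberately sits on the accepting side: under an iptables REDIRECT the connecting socket still reports the original destination as its peer, so the outbound leg looks normal and only the accepted leg reveals the loop. A non-zero `selfLoops` means the interception rules are catching the proxy's own outbound traffic, and each looped request consumes a fresh pair of descriptors until the limit is hit; the rules themselves are what `iptables-save`, as suggested above, will show.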





Re: [squid-users] Is squid for OpenBSD 5.5 broken????

2014-06-15 Thread Amos Jeffries
Speaking to the subject question ... no more than some other OS.

The code assumes a 32-bit time_t value. OpenBSD seems to have migrated
to a 64-bit or larger size.

There is a patch working its way down to the stable branch now. For now
you can change that line's format macro to %lld or cast the time
parameters to (long int).

Amos

On 16/06/2014 2:00 a.m., Monah Baki wrote:
 Hi all,
 
 Using ./configure --prefix=/usr/local/squid --with-filedescriptors=32768
 --enable-snmp --with-large-files
 
 
 I installed OpenBSD 5.4 on a vmware workstation and squid 3.4.5, works fine.
 
 
 However, OpenBSD 5.5 on both vmware workstation and on a SPARC64
 T5220, I get the following error running make,
 
 
 po -c -o client_side.o client_side.cc  mv -f $depbase.Tpo $depbase.Po
 depbase=`echo client_side_reply.o | sed 's|[^/]*$|.deps/|;s|\.o$||'`;
 g++ -DHAVE_CONFIG_H
 -DDEFAULT_CONFIG_FILE=\/usr/
 local/squid/etc/squid.conf\
 -DDEFAULT_SQUID_DATA_DIR=\/usr/local/squid/share\
 -DDEFAULT_SQUID_CONFIG_DIR=\/usr/local/squid/etc\  -I.. -I../include
 -I../lib  -I../src -I../include   -I/usr/include/kerberosV
 -I/usr/include/kerberosV  -I../libltdl  -I../src -I../libltdl
 -I/usr/include/kerberosV  -I/usr/include/kerberosV
 -I/usr/include/kerberosV  -I/usr/include/kerberosV  -Wall
 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe
 -D_REENTRANT -g -O2 -MT client_side_reply.o -MD -MP -MF $depbase.Tpo
 -c -o client_side_reply.o client_side_reply.cc  mv -f $depbase.Tpo
 $depbase.Po
 cc1plus: warnings being treated as errors
 client_side_reply.cc: In member function 'void
 clientReplyContext::buildReplyHeader()':
 client_side_reply.cc:1326: warning: format '%ld' expects type 'long
 int', but argument 4 has type 'long long int'
 *** Error 1 in src (Makefile:6970 'client_side_reply.o')
 *** Error 1 in src (Makefile:7116 'all-recursive')
 *** Error 1 in src (Makefile:6036 'all')
 *** Error 1 in /home/mbaki/squid-3.4.5 (Makefile:587 'all-recursive')
 
 
 
 
 
 Thanks
 



Re: [squid-users] MAPI over HTTP

2014-06-15 Thread Amos Jeffries
On 16/06/2014 2:36 a.m., Martin Fuchs wrote:
 Hi !
 Does anyone have experience with MAPI over HTTP used in Microsoft Exchange 
 Server 2013 SP1 in conjunction with squid (as a reverse proxy)?
 Somehow it seems that it does not work with auth = PASS. 
 If anyone got it working, please let me know. 
 
 Regards,
 Martin
 

This may help you:
http://windowsitpro.com/exchange-server-2013/exchange-server-2013-transition-rpc-http

*apparently* MAPI should work fine over any HTTP software such as Squid.
The long-polling connections it uses are just standard HTTP transactions
that take a very long time.

What do you mean by auth = PASS ?

Amos