[squid-users] squid 3.3.8 kerberos and ldap auth

2014-09-01 Thread Victor Gusev

Hi all!

Please help me.

My problem is: I want to set up squid with two auth methods. The first 
method is Kerberos auth. The second is BASIC LDAP auth as a fallback 
method for users without a Kerberos ticket.


I see that it doesn't work. When a user wants to log in without Kerberos, 
the browser (IE 8/9/10; FF 30/31; Chrome) asks for a BASIC login and 
password; after entering a correct login and password the browser asks 
again for BASIC auth, again and again. In access.log I see only a 407 code 
and nothing else, and an error about NTLM auth. If I disable Kerberos 
auth, I can use BASIC auth without any problem. Why does Windows want to 
use NTLM?


I use samba 4.1.9 as a DC/Kerberos server. Kerberos works fine on 
Windows clients, but not so well on Linux: it gets "proxy refused 
connection" from time to time.



I use squid from ubuntu 14.04 repo:

# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' 
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' 
'--disable-maintainer-mode' '--disable-dependency-tracking' 
'--disable-silent-rules' '--datadir=/usr/share/squid3' 
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' 
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' 
'--enable-removal-policies=lru,heap' '--enable-delay-pools' 
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' 
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' 
'--disable-translation' '--with-swapdir=/var/spool/squid3' 
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' 
'--with-filedescriptors=65536' '--with-large-files' 
'--with-default-user=proxy' '--enable-linux-netfilter' 
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'


# cat krb5.conf
[libdefaults]
default_realm = COMPANY.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac



[realms]
COMPANY.RU = {
kdc = domainctrl.company.ru
admin_server = domainctrl.company.ru
default_domain = COMPANY.RU
}

[domain_realm]
domainctrl.company.ru = COMPANY.RU
.domainctrl.company.ru = COMPANY.RU

# egrep -v '^($|#)' /etc/squid3/squid.conf
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r
auth_param negotiate children  150 startup=20 idle=20
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/basic_pam_auth -n squid -t 300 -o
auth_param basic children 5 startup=5 idle=1
auth_param basic credentialsttl 10800 seconds
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow auth
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0  20%  2880
refresh_pattern .               0       20%     4320

# cat /etc/pam.d/squid
auth sufficient pam_krb5.so alt_auth_map=%s...@company.ru
account required pam_krb5.so

I have played with BASIC ldap auth with the same result. I have played 
with krb5.conf without success.


Best regards,
Victor.


[squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Santosh Bhabal
Hello Experts,

I am getting below error while compiling Squid 3.4.7 :

[root@localhost squid-3.4.7]# make all
Making all in compat
make[1]: Entering directory `/opt/squid-3.4.7/compat'
source='assert.cc' object='assert.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/sh ../cfgaux/depcomp \
/bin/sh ../libtool  --tag=CXX   --mode=compile g++
-DHAVE_CONFIG_H  -I.. -I../include -I../lib -I../src -I../include
-I../libltdl -c -o assert.lo assert.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -I../libltdl -c assert.cc  -o .libs/assert.o
In file included from ../compat/compat.h:51,
 from ../include/squid.h:66,
 from assert.cc:32:
../compat/types.h:134:2: error: #error size_t is not 32-bit or 64-bit
In file included from ../compat/compat.h:81,
 from ../include/squid.h:66,
 from assert.cc:32:
../compat/stdvarargs.h:31:2: error: #error XX **NO VARARGS ** XX
In file included from ../compat/compat.h:80,
 from ../include/squid.h:66,
 from assert.cc:32:
../compat/compat_shared.h:97: error: field 'ru_stime' has incomplete type
../compat/compat_shared.h:98: error: field 'ru_utime' has incomplete type
In file included from ../compat/compat_shared.h:219,
 from ../compat/compat.h:80,
 from ../include/squid.h:66,
 from assert.cc:32:
../compat/strtoll.h:14: error: 'int64_t' does not name a type
assert.cc: In function 'void xassert(char*, char*, int)':
assert.cc:36: error: 'stderr' was not declared in this scope
assert.cc:36: error: 'fprintf' was not declared in this scope
assert.cc:37: error: 'abort' was not declared in this scope
make[1]: *** [assert.lo] Error 1
make[1]: Leaving directory `/opt/squid-3.4.7/compat'
make: *** [all-recursive] Error 1

Please help.

Regards
Santosh


[squid-users] SSL Bump and certificate pinning

2014-09-01 Thread Steve Hill


Mozilla have announced that Firefox 32 does public key pinning:
http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html

Obviously this has the potential to render SSL-bump considerably less 
useful.  At the moment it seems to be restricted to a small number of 
domains, but that's sure to increase.


Whilst I support the idea of ensuring that traffic isn't surreptitiously 
intercepted, there are legitimate instances where interception is 
necessary *and* the user is fully aware that it is happening (and has 
therefore imported the proxy's CA certificate into their key chain).  So 
I'm wondering if there is any kind of workaround to keep SSL-bump 
working with these sites?


1. It seems to me that imported CA certs should have some kind of flag 
associated with them to indicate that they should be trusted even for 
pinned domains.
2. I'm guessing that this is not an issue for devices that *always* go 
through an intercepting proxy, since presumably they would never get to 
see the real cert, so wouldn't pin it?  So this is mainly an issue for 
devices that move between networks?


--
 - Steve Hill
   Technical Director
   Opendium Limited http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:st...@opendium.com
   Email:st...@opendium.com
   Phone:sip:st...@opendium.com

Sales / enquiries contacts:
   Email:sa...@opendium.com
   Phone:+44-844-9791439 / sip:sa...@opendium.com

Support contacts:
   Email:supp...@opendium.com
   Phone:+44-844-4844916 / sip:supp...@opendium.com


Re: [squid-users] SSL Bump and certificate pinning

2014-09-01 Thread Antony Stone
On Monday 01 September 2014 at 12:07:57 (EU time), Steve Hill wrote:

 Mozilla have announced that Firefox 32 does public key pinning:
 http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html
 
 Obviously this has the potential to render SSL-bump considerably less
 useful.  At the moment it seems to be restricted to a small number of
 domains, but that's sure to increase.
 
 Whilst I support the idea of ensuring that traffic isn't surreptitiously
 intercepted, there are legitimate instances where interception is
 necessary *and* the user is fully aware that it is happening (and has
 therefore imported the proxy's CA certificate into their key chain).  So
 I'm wondering if there is any kind of workaround to keep SSL-bump
 working with these sites?

From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The 
pinning level is enforced by a pref, security.cert_pinning.enforcement_level 

 0. Pinning disabled 
 1. Allow User MITM (pinning not enforced if the trust anchor is a user 
inserted CA, default) 
 2. Strict. Pinning is always enforced. 
 3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a user-
added cert, pinning will not be enforced, therefore the user isn't affected?

 1. It seems to me that imported CA certs should have some kind of flag
 associated with them to indicate that they should be trusted even for
 pinned domains.
 2. I'm guessing that this is not an issue for devices that *always* go
 through an intercepting proxy, since presumably they would never get to
 see the real cert, so wouldn't pin it?  So this is mainly an issue for
 devices that move between networks?


Regards,


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.
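
The enforcement levels quoted above, worked through as an added example (not part of the original message and not Firefox's code): a Python model of the decision for a genuine chain, an SSL-bumped chain rooted at an imported proxy CA, and a mis-issued chain from another built-in CA. The function and chain names are hypothetical, the keys are constructed placeholder bytes, and treating level 3 like level 2 is an assumption.

```python
import base64
import hashlib

def spki_pin(spki: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")

def pinning_verdict(level, chain_spkis, anchor_is_builtin, pinset):
    """Return (allowed, reason) for a chain that already passed normal validation.

    level             -- value of security.cert_pinning.enforcement_level
    chain_spkis       -- public keys of every certificate in the chain, leaf to root
    anchor_is_builtin -- False when the root was imported by the user or admin
    pinset            -- set of pins recorded for the host
    """
    if level == 0:
        return True, "pinning disabled"
    if level == 1 and not anchor_is_builtin:
        return True, "user-inserted trust anchor: pins not enforced"
    # Levels 2 and 3 are both treated as strict here; the extra test-mode
    # pin sets that level 3 covers are not modelled (assumption of this example).
    if any(spki_pin(k) in pinset for k in chain_spkis):
        return True, "a key in the chain matches the pin set"
    return False, "no key in the chain matches the pin set"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
SITE_CHAIN = [b"site-leaf-key", b"site-intermediate-key", b"public-root-A-key"]
BUMPED_CHAIN = [b"proxy-minted-leaf-key", b"proxy-CA-key"]
ROGUE_CHAIN = [b"rogue-leaf-key", b"public-root-B-key"]
PINSET = {spki_pin(b"site-intermediate-key")}

def scenarios():
    """Verdicts for the three chains at the default level (1) and at strict (2)."""
    cases = {
        "genuine": (SITE_CHAIN, True),
        "ssl-bump": (BUMPED_CHAIN, False),   # root is the imported proxy CA
        "mis-issued": (ROGUE_CHAIN, True),   # other built-in CA, wrong key
    }
    return {
        (name, level): pinning_verdict(level, chain, builtin, PINSET)[0]
        for name, (chain, builtin) in cases.items()
        for level in (1, 2)
    }

if __name__ == "__main__":
    for key, allowed in scenarios().items():
        print(key, "allowed" if allowed else "blocked")
```

At level 1 the bumped chain is accepted while the mis-issued chain from a built-in CA is still rejected; at level 2 both are rejected.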


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Amos Jeffries

On 1/09/2014 9:34 p.m., Santosh Bhabal wrote:
 Hello Experts,
 
 I am getting below error while compiling Squid 3.4.7 :
 
 [root@localhost squid-3.4.7]# make all Making all in compat 
 make[1]: Entering directory `/opt/squid-3.4.7/compat' 
 source='assert.cc' object='assert.lo' libtool=yes \ DEPDIR=.deps
 depmode=none /bin/sh ../cfgaux/depcomp \ /bin/sh ../libtool
 --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H  -I.. -I../include
 -I../lib -I../src -I../include -I../libltdl -c -o assert.lo
 assert.cc libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include
 -I../lib -I../src -I../include -I../libltdl -c assert.cc  -o
 .libs/assert.o In file included from ../compat/compat.h:51, from
 ../include/squid.h:66, from assert.cc:32: ../compat/types.h:134:2:
 error: #error size_t is not 32-bit or 64-bit In file included from
 ../compat/compat.h:81, from ../include/squid.h:66, from
 assert.cc:32: ../compat/stdvarargs.h:31:2: error: #error XX **NO
 VARARGS ** XX In file included from ../compat/compat.h:80, from
 ../include/squid.h:66, from assert.cc:32: 
 ../compat/compat_shared.h:97: error: field 'ru_stime' has
 incomplete type ../compat/compat_shared.h:98: error: field
 'ru_utime' has incomplete type In file included from
 ../compat/compat_shared.h:219, from ../compat/compat.h:80, from
 ../include/squid.h:66, from assert.cc:32: ../compat/strtoll.h:14:
 error: 'int64_t' does not name a type assert.cc: In function 'void
 xassert(char*, char*, int)': assert.cc:36: error: 'stderr' was not
 declared in this scope assert.cc:36: error: 'fprintf' was not
 declared in this scope assert.cc:37: error: 'abort' was not
 declared in this scope make[1]: *** [assert.lo] Error 1 make[1]:
 Leaving directory `/opt/squid-3.4.7/compat' make: ***
 [all-recursive] Error 1


Interesting errors. What operating system are you building on and are
you cross-building for any particular other system?

Amos



Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Santosh Bhabal
CentOS release 6.3 (Final) x86_64

Regards
Santosh


On Mon, Sep 1, 2014 at 6:20 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 1/09/2014 9:34 p.m., Santosh Bhabal wrote:
 Hello Experts,

 I am getting below error while compiling Squid 3.4.7 :

 [root@localhost squid-3.4.7]# make all Making all in compat
 make[1]: Entering directory `/opt/squid-3.4.7/compat'
 source='assert.cc' object='assert.lo' libtool=yes \ DEPDIR=.deps
 depmode=none /bin/sh ../cfgaux/depcomp \ /bin/sh ../libtool
 --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H  -I.. -I../include
 -I../lib -I../src -I../include -I../libltdl -c -o assert.lo
 assert.cc libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include
 -I../lib -I../src -I../include -I../libltdl -c assert.cc  -o
 .libs/assert.o In file included from ../compat/compat.h:51, from
 ../include/squid.h:66, from assert.cc:32: ../compat/types.h:134:2:
 error: #error size_t is not 32-bit or 64-bit In file included from
 ../compat/compat.h:81, from ../include/squid.h:66, from
 assert.cc:32: ../compat/stdvarargs.h:31:2: error: #error XX **NO
 VARARGS ** XX In file included from ../compat/compat.h:80, from
 ../include/squid.h:66, from assert.cc:32:
 ../compat/compat_shared.h:97: error: field 'ru_stime' has
 incomplete type ../compat/compat_shared.h:98: error: field
 'ru_utime' has incomplete type In file included from
 ../compat/compat_shared.h:219, from ../compat/compat.h:80, from
 ../include/squid.h:66, from assert.cc:32: ../compat/strtoll.h:14:
 error: 'int64_t' does not name a type assert.cc: In function 'void
 xassert(char*, char*, int)': assert.cc:36: error: 'stderr' was not
 declared in this scope assert.cc:36: error: 'fprintf' was not
 declared in this scope assert.cc:37: error: 'abort' was not
 declared in this scope make[1]: *** [assert.lo] Error 1 make[1]:
 Leaving directory `/opt/squid-3.4.7/compat' make: ***
 [all-recursive] Error 1


 Interesting errors. What operating system are you building on and are
 you cross-building for any particular other system?

 Amos



Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Amos Jeffries

On 2/09/2014 12:53 a.m., Santosh Bhabal wrote:
 CentOS release 6.3 (Final) x86_64
 

Did you run ./configure before building?

We built Squid on CentOS 6 and 7 without problems before releasing.

Amos


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Santosh Bhabal
Yes, './configure --prefix=/usr/local/squid' command successfully completed.
Facing issue with 'make all' command.

Regards
Santosh



On Mon, Sep 1, 2014 at 6:33 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 2/09/2014 12:53 a.m., Santosh Bhabal wrote:
 CentOS release 6.3 (Final) x86_64


 Did you run ./configure before building?

 We built Squid on CentOS 6 and 7 without problems before releasing.

 Amos


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Antony Stone
On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:

 Yes, './configure --prefix=/usr/local/squid' command successfully
 completed. Facing issue with 'make all' command.

Have you successfully compiled other software on this machine?


Antony

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Santosh Bhabal
Yes :)

Regards
Santosh



On Mon, Sep 1, 2014 at 6:50 PM, Antony Stone
antony.st...@squid.open.source.it wrote:
 On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:

 Yes, './configure --prefix=/usr/local/squid' command successfully
 completed. Facing issue with 'make all' command.

 Have you successfully compiled other software on this machine?


 Antony

 --
 If you were ploughing a field, which would you rather use - two strong oxen or
 1024 chickens?

  - Seymour Cray, pioneer of supercomputing

Please reply to the list;
  please *don't* CC me.


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Amos Jeffries

On 2/09/2014 1:21 a.m., Santosh Bhabal wrote:
 Yes :)

Can you mail me the config.log and include/autoconf.h files produced
by the Squid ./configure please?

Amos




Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread James Lay
On Mon, 2014-09-01 at 18:51 +0530, Santosh Bhabal wrote:
 Yes :)
 
 Regards
 Santosh
 
 
 
 On Mon, Sep 1, 2014 at 6:50 PM, Antony Stone
 antony.st...@squid.open.source.it wrote:
  On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:
 
  Yes, './configure --prefix=/usr/local/squid' command successfully
  completed. Facing issue with 'make all' command.
 
  Have you successfully compiled other software on this machine?
 
 
  Antony
 
  --
  If you were ploughing a field, which would you rather use - two strong oxen or
  1024 chickens?
 
   - Seymour Cray, pioneer of supercomputing
 
 Please reply to the list;
   please *don't* CC me.

Do a:

file `which squid`

and

ldd `which squid`

and

ls -l --full `which squid`

Just to see what we're looking at here...

James



Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Santosh Bhabal
Please find the attached autoconf.h

Regards
Santosh



On Mon, Sep 1, 2014 at 6:55 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 2/09/2014 1:21 a.m., Santosh Bhabal wrote:
 Yes :)

 Can you mail me the config.log and include/autoconf.h files produced
 by the Squid ./configure please?

 Amos




autoconf.rar
Description: application/rar


Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Amos Jeffries

Your machine is missing a C++ compiler.

Squid is known to build on g++ and usually clang or Intel CC. Others
are a best-effort situation.

Amos



Re: [squid-users] error: #error .... is not 32-bit or 64-bit

2014-09-01 Thread Eliezer Croitoru

On 09/01/2014 12:34 PM, Santosh Bhabal wrote:

Hello Experts,

I am getting below error while compiling Squid 3.4.7 :

To make sure you have everything to build squid try to run this script:
http://www1.ngtech.co.il/squid/basic_data.sh

It will give many details and also one of them is the installed packages 
on the OS.

Take a look at the installed packages on the build node of squid here:
http://wiki.squid-cache.org/BuildFarm/CentosInstall

Eliezer


Re: [squid-users] Forward Proxy Mode HTTPS Connect with invalid server certificate

2014-09-01 Thread Amos Jeffries

On 30/08/2014 6:55 a.m., Eduard Deffner wrote:
 Dear Team!
 
 My problem is about using squid in the forward proxy mode. Squid
 Version 3.3.8 under openSUSE 13.1 in conjunction with squidguard 
 The general function everythings works well. But if any client in
 our LAN try to connect to a https-Site that have a invalid server
 certificate (the URL of the cert is other than the URL of the site)
 the proxy refuse the connection. If the cert is valid everything is
 OK.

If you are using proper forward proxy mode and CONNECT requests then
the proxy has nothing to do with the HTTPS. All the proxy does is open
a TCP connection to the server and pump bytes back and forth between
client and server machines.
Anything related to the connection TLS is strictly between the client
and server software which are communicating over that tunnel.

Amos
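
The CONNECT behaviour described above, as an added example (not part of the original message and not Squid's code): a minimal Python forward-proxy handler that answers CONNECT, then relays bytes in both directions without interpreting them. The function names, the loopback echo server standing in for the origin, and the payload bytes are constructed for the demonstration.

```python
import contextlib
import socket
import threading

def pump(src, dst):
    """Copy bytes from src to dst unchanged until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def handle_connect(client):
    """Serve one CONNECT request; after the 200 reply only bytes are relayed."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = client.recv(4096)
        if not chunk:
            return client.close()
        head += chunk
    head, _, early = head.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return client.close()
    host, _, port = parts[1].rpartition(":")
    try:
        upstream = socket.create_connection((host, int(port)), timeout=5)
    except (OSError, ValueError):
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        return client.close()
    upstream.settimeout(None)  # the connect timeout must not cut an idle tunnel
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if early:  # bytes the client sent right behind the request head
        upstream.sendall(early)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)  # client -> server; the thread does server -> client
    back.join()
    client.close()
    upstream.close()

def listen():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # loopback, any free port
    srv.listen(1)
    return srv, srv.getsockname()[1]

def demo():
    """Tunnel constructed bytes through the proxy to an echo 'origin'."""
    origin, oport = listen()
    proxy, pport = listen()
    def echo_origin():
        conn, _ = origin.accept()
        pump(conn, conn)
        conn.close()
    threading.Thread(target=echo_origin, daemon=True).start()
    threading.Thread(target=lambda: handle_connect(proxy.accept()[0]),
                     daemon=True).start()
    payload = b"\x16\x03\x01\x00\x05opaque"  # constructed, stands in for TLS records
    c = socket.create_connection(("127.0.0.1", pport), timeout=5)
    c.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.1\r\n\r\n" % oport)
    reply = b""
    while b"\r\n\r\n" not in reply and (chunk := c.recv(4096)):
        reply += chunk
    c.sendall(payload)
    c.shutdown(socket.SHUT_WR)
    echoed = b""
    while chunk := c.recv(4096):
        echoed += chunk
    c.close()
    return reply.split(b"\r\n")[0].decode(), payload, echoed

if __name__ == "__main__":
    print(demo())
```

The handler never inspects the relayed bytes, so a certificate name mismatch is only ever seen by the client's TLS stack.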



Re: [squid-users] SSL Bump and certificate pinning

2014-09-01 Thread Eliezer Croitoru

On 09/01/2014 01:19 PM, Antony Stone wrote:

From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The
pinning level is enforced by a pref, security.cert_pinning.enforcement_level

  0. Pinning disabled
  1. Allow User MITM (pinning not enforced if the trust anchor is a user
inserted CA, default)
  2. Strict. Pinning is always enforced.
  3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a user-
added cert, pinning will not be enforced, therefore the user isn't affected?


Hey Antony,

It means that if the user will disable the Pinning check it will work.
I assume they will choose option 2 of the 4, but it's different from 
Chrome, which does not allow you to disable the pinning at all for google.com.


Eliezer


Re: [squid-users] Forward Proxy Mode HTTPS Connect with invalid server certificate

2014-09-01 Thread Eliezer Croitoru

On 08/29/2014 09:55 PM, Eduard Deffner wrote:

Dear Team!

My problem is about using squid in the forward proxy mode.
Squid Version 3.3.8 under openSUSE 13.1 in conjunction with squidguard
The general function everythings works well.
But if any client in our LAN try to connect to a https-Site that have a
invalid server certificate (the URL of the cert is other than the URL of
the site) the proxy refuse the connection. If the cert is valid
everything is OK.


Hey Eduard,

How exactly do you see that the proxy is denying the connection in any way?
What do you see in squid access.log?
Did you try to disable squidguard, which might be the reason for that?
Also do you use any cache_peer directive in your squid.conf?
Can you share the squid.conf file?

Eliezer


[squid-users] I was wondering about htcp and ssl connections.

2014-09-01 Thread Eliezer Croitoru

Hey All,

I am unsure what the result would be and am therefore asking.
In a case where I have a couple of cache_peers and they are htcp enabled, would the 
main ssl_bump server send an htcp query to the cache_peers about any of the 
https urls?

(I want it to do that..)

Thanks,
Eliezer


Re: [squid-users] squid yum install

2014-09-01 Thread Eliezer Croitoru

On 08/29/2014 09:43 PM, Lawrence Pingree wrote:

Awesome! Thank you. Will that roll into their prod repositories?

I am not sure about it, Sorry.

Eliezer