Re: [squid-users] block TOR

2011-12-03 Thread Andreas Müller
The question is which Tor traffic should be blocked: outgoing client
traffic to the Tor network, or incoming httpd requests from Tor exit nodes?

Andreas

-----Original Message-----
From: Jenny Lee [mailto:bodycar...@live.com]
Sent: Sunday, 4 December 2011 00:09
To: charlie@gmail.com; leolis...@solutti.com.br
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] block TOR


I don't understand how you are managing to have anything to do with Tor to
start with.

Tor is speaking SOCKS5. You need Polipo to speak HTTP on the client side and
SOCKS on the server side.

I have actively tried to connect to 2 of our SOCKS5 machines (and Tor) via
my Squid and I could not succeed. I have even tried Amos' custom squid with
SOCKS support and still failed.

Can someone explain to me how you are connecting to Tor with squid
(and consequently have a need to block it)?

Jenny


> Date: Sat, 3 Dec 2011 16:37:05 -0500
> Subject: Re: [squid-users] block TOR
> From: charlie@gmail.com
> To: leolis...@solutti.com.br
> CC: bodycar...@live.com; squid-users@squid-cache.org
> 
> Sorry for reopening an old post, but a few days ago I tried this
> solution, and, like magic, all traffic to the Tor net is
> blocked, just by typing this:
> acl tor dst "/etc/squid3/tor"
> http_access deny tor
> where /etc/squid3/tor is the file that I downloaded from the page you
> people recommended to me!!!
> 
> Thanks a lot, this is something that a lot of admins I know are
> searching for; you should put it somewhere where it is easy to find!!! Thanks
> again!!
> 
> Sorry for my English
> 
> On Fri, Nov 18, 2011 at 4:17 PM, Carlos Manuel Trepeu Pupo 
>  wrote:
> > Thanks a lot, I'm gonna make that script to refresh the list. You've
> > been a lot of help.
> >
> > On Fri, Nov 18, 2011 at 3:39 PM, Leonardo Rodrigues 
> >  wrote:
> >>
> >> I don't know if this is valid for TOR ... but at least Ultrasurf,
> >> which I have analyzed a bit further, encapsulates traffic over
> >> squid always using the CONNECT method and connecting to an IP address.
> >> It's basically different from normal HTTPS traffic, which also uses
> >> the CONNECT method but almost always (I have found 2-3 exceptions in some
> >> years) connects to a FQDN.
> >>
> >> So, at least with Ultrasurf, I could handle it over squid simply by
> >> blocking CONNECT connections which try to connect to an IP
> >> address instead of a FQDN.
> >>
> >> Of course, Ultrasurf (and I suppose TOR) tries to encapsulate
> >> traffic to the browser-configured proxy as a last resort. If it finds
> >> a NAT-opened network, it will always try to go direct instead of
> >> through the proxy. So, it's mandatory that you do NOT have a
> >> NAT-opened network, especially on ports
> >> TCP/80 and TCP/443. If you have those ports opened with your NAT
> >> rules, then I really think you'll never get rid of those services,
> >> like TOR and Ultrasurf.
> >>
> >>
> >>
> >>
> >> On 18/11/11 14:03, Carlos Manuel Trepeu Pupo wrote:
> >>>
> >>> So, as I see it, we (the admins) have no way to block it!!
> >>>
> >>> On Thu, Sep 29, 2011 at 3:30 PM, Jenny Lee wrote:
> 
> > Date: Thu, 29 Sep 2011 11:24:55 -0400
> > From: charlie@gmail.com
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] block TOR
> >
> > Is there any way to block TOR with my Squid?
> 
>  How do you get it working with tor in the first place?
> 
>  I really tried for one of our users. Even used Amos's custom 
>  squid with SOCKS option but no go.
> 
>  Jenny
> >>
> >>
> >> --
> >>
> >>
> >> Sincerely,
> >> Leonardo Rodrigues
> >> Solutti Tecnologia
> >> http://www.solutti.com.br
> >>
> >> My SPAMTRAP, do NOT email gertru...@solutti.com.br
> >>
> >>
> >>
> >>
> >>  
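The two blocking ideas in the thread above (Leonardo's "CONNECT to a bare IP address instead of a FQDN" heuristic for Ultrasurf-style tunnels, and Charlie's file of Tor node addresses matched against the destination) can be combined in one Squid external ACL helper. The following is an added example, not code from the thread or from the Squid project. The squid.conf wiring in the docstring, the helper path, the ACL names and the node list (documentation ranges only, constructed for the example) are all assumptions; a real list would be refreshed from the Tor project's published exit list, as Carlos's refresh script does. Squid's external_acl protocol itself is as described: one lookup per line on stdin, and the helper answers `OK` (the ACL matches) or `ERR` per line.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a Squid external_acl helper that
flags CONNECT requests to bare IP literals and destinations on a Tor node
list, so that a single `http_access deny` line covers both.

Assumed squid.conf wiring (names are this example's, not from the thread):

  external_acl_type tor_check ttl=60 negative_ttl=60 %METHOD %DST /usr/local/bin/tor_acl.py
  acl tor_or_ip_connect external tor_check
  http_access deny tor_or_ip_connect

Squid writes one line per lookup ("METHOD DST") to the helper's stdin and
expects "OK" (ACL matches, so the deny rule fires) or "ERR" per line.
"""
import ipaddress
import sys

# Constructed sample node list in the one-address-per-line format of the
# thread's /etc/squid3/tor file. Documentation ranges only, not real nodes.
SAMPLE_TOR_LIST = """\
# comment lines and blanks are ignored
192.0.2.10
192.0.2.11
203.0.113.0/24
2001:db8:beef::1
"""


def load_node_list(text):
    """Parse a node list into ip_network objects (single hosts become /32 or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_ip_literal(host):
    """Return an ip_address if `host` is a bare IPv4/IPv6 literal, else None.

    Accepts the bracketed form browsers use for IPv6 (CONNECT [2001:db8::1]:443).
    """
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return None


def evaluate(method, dst, nodes):
    """Decide one lookup. Returns "OK" when the ACL should match (deny), else "ERR".

    Matches when the request is a CONNECT to an IP literal (tunnel heuristic)
    or when the destination is an IP literal inside a listed Tor network.
    FQDN destinations are left to Squid's own `dst` ACL, which resolves them;
    this helper deliberately does no DNS so it stays fast and deterministic.
    """
    ip = parse_ip_literal(dst)
    if ip is None:
        return "ERR"  # a hostname: normal HTTPS, nothing to flag here
    if method.upper() == "CONNECT":
        return "OK"
    if any(ip in net for net in nodes):
        return "OK"
    return "ERR"


def main():
    # Node list file as argv[1]; falls back to the constructed sample list.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            nodes = load_node_list(fh.read())
    else:
        nodes = load_node_list(SAMPLE_TOR_LIST)
    for line in sys.stdin:
        parts = line.split()
        if len(parts) < 2:
            print("ERR")  # malformed lookup line: report "no match"
        else:
            print(evaluate(parts[0], parts[1], nodes))
        sys.stdout.flush()  # Squid waits for each answer; never leave it buffered


if __name__ == "__main__":
    main()
```

The CONNECT-to-IP heuristic also denies legitimate clients that tunnel to a bare address (some update agents and IPv6 literals do), so run the ACL in log-only form first (`http_access deny` replaced by a plain `acl` match you grep for in access.log) before enforcing it. The helper only ever sees what Squid sees; as Leonardo notes, a NAT path that lets TCP/80 and TCP/443 out directly bypasses all of this.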




[squid-users] Problem using different ports

2010-01-14 Thread Andreas Müller
Hello,

I have a little problem using 2 ports for an accel.

Port 80   should be sent to the cache peer on port 80 (originserver)
Port 8080 should be sent to the cache peer on port 8080 (originserver)

Here's the config I used:

--
visible_hostname www.domain.tld

http_port   1.1.1.1:80   accel defaultsite=www.domain.tld
http_port   1.1.1.1:8080 accel defaultsite=www.domain.tld

cache_peer  2.2.2.2 parent 80   0 no-query originserver name=myAccel1
cache_peer  2.2.2.2 parent 8080 0 no-query originserver name=myAccel2

acl our_sites dstdomain www.domain.tld
acl our_sites dstdomain images.domain.tld
acl port80    port 80
acl port8080  port 8080

http_access allow our_sites
http_access deny  all

cache_peer_access myAccel1 allow port80
cache_peer_access myAccel1 deny  all

cache_peer_access myAccel2 allow port8080
cache_peer_access myAccel2 deny  all
--

At the moment all requests to port 8080 are sent to the cache peer on port 80.

Any idea?

Kind regards,

Andreas Müller





[squid-users] Problem understanding ACL

2010-01-24 Thread Andreas Müller
Hello,

I'm trying to set up squid as a reverse proxy for the following situation:

1. www.domain.tld:80      -> server:80
2. www.domain.tld:8080    -> server:8080
3. www.domain.tld/dir/:80 -> server:8080

1. and 2. I've solved:

http_port   1.1.1.1:80   accel defaultsite=www.domain.tld
http_port   1.1.1.1:8080 accel defaultsite=www.domain.tld

cache_peer  2.2.2.2 parent 80   0 no-query originserver name=cpa80
cache_peer  2.2.2.2 parent 8080 0 no-query originserver name=cpa8080

acl our_sites dstdomain www.domain.tld

http_access allow our_sites
http_access deny  all

acl port80   myport 80
acl port8080 myport 8080

cache_peer_access cpa80   allow port80
cache_peer_access cpa80   deny  all

cache_peer_access cpa8080 allow port8080
cache_peer_access cpa8080 deny  all

But I've no idea how to set up number 3. I think I need an "and" for the ACL,
but I can't find one. If I had an "and" I could make 2 ACLs for port
80:

acl port80_dir urlpath_regex ^/dir "AND" myport 80
acl port80 myport 80

Kind regards,

Andreas Müller





[squid-users] Problem with name based virtual hosts

2010-04-07 Thread Andreas Müller
Hello,

I have a problem with Squid as an accelerator in front of one Apache with different
name-based virtual hosts.

It seems that Squid doesn't send the request to Apache with the right HTTP Host as
sent by the client. I can check this on a second IP address which is bound
directly to Apache. Using the bypass works; going via the Squid accelerator calls the
"main" vhost.

See the config below. When I call one of the "dstdomain" hosts I always get
a request to www.domain.de on Apache.

Does anybody know what I'm doing wrong? Is there a switch missing somewhere to
pass the original hostname?

squid.conf
----------
logformat   combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log  /var/log/squid/access.log combined

cache_dir   ufs /var/cache/squid 1024 16 256

visible_hostname www.domain.de

http_port   123.123.123.123:80   accel defaultsite=www.domain.de
http_port   123.123.123.123:8080 accel defaultsite=www.domain.de
https_port  123.123.123.123:443  accel defaultsite=www.domain.de cert=/home/httpd/vhosts/domain.de/ssl/www.domain.de.crt key=/home/httpd/vhosts/domain.de/ssl/www.domain.de.key

cache_peer  127.0.0.1 parent 80   0 no-query originserver name=myAccel1 login=PROXYPASS
cache_peer  127.0.0.1 parent 8080 0 no-query originserver name=myAccel2
cache_peer  127.0.0.1 parent 443  0 no-query originserver name=myAccel3 ssl sslflags=DONT_VERIFY_PEER

acl our_sites dstdomain www.domain.de
acl our_sites dstdomain sbwc.domain.de
acl our_sites dstdomain dereferer.domain.de
acl our_sites dstdomain images.domain.de
acl our_sites dstdomain .home.domain.de
acl our_sites dstdomain .domain-home.de
acl our_sites dstdomain shop.domain.de
acl out_sites dstdomain stats.domain.de

http_access allow our_sites
http_access deny  all

acl port80   myport 80
acl port443  myport 443
acl port8080 myport 8080
acl dir      urlpath_regex ^/web

cache_peer_access myAccel1 deny  dir
cache_peer_access myAccel1 deny  port8080
cache_peer_access myAccel1 deny  port443

cache_peer_access myAccel3 deny  port8080

cache_peer_access myAccel2 allow port8080
cache_peer_access myAccel2 allow dir
cache_peer_access myAccel2 deny  all
---------

Kind regards,

Andreas Müller





[squid-users] Getting Source-IP

2010-04-22 Thread Andreas Müller
Hello,

I'm using Squid as an accel proxy. Is there a possibility to inject the source
IP into the HTTP header sent to the webserver?

I know that there is "HTTP_X_FORWARDED_FOR", but it seems that the content of
this parameter is not clear if the parameter is already present in the request
header (e.g. the request already comes from a proxy). Sometimes I get a
comma-separated list, sometimes not.

So I'm searching for an option to inject a custom parameter with the source
IP into the HTTP header. Or is there a secure rule to extract the correct source
IP of the request, such as just taking the "last" IP in the list?

Kind regards,

Andreas





Re: [squid-users] Getting Source-IP

2010-04-23 Thread Andreas Müller
Hello,

I know that I can't trust XFF. What is new to me is that the comma is optional,
which makes it more difficult to parse the value.

In my case I have control of the accel proxy and can trust it. So my idea
was to inject an additional field with the IP of the incoming call to the proxy,
the same IP I would get if my webserver got this call directly as
remote_addr. The reason is just to restore the behaviour after putting the
webserver behind the proxy.


Kind regards,

Andreas Müller

-- 
Only two things are infinite: the universe and human stupidity.
But I'm not quite sure about the universe.
~Albert Einstein~
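The rule Andreas is asking about, written out as an added example (not code from the thread or from Squid): with `forwarded_for on` (Squid's default) the accelerator appends the address of the TCP connection it accepted to X-Forwarded-For, creating the header if the client sent none, and with `forwarded_for off` it appends the literal token `unknown` instead. Everything to the left of what your own proxy appended is client-controlled input. So the web server should check that the connection really comes from its own proxy, then walk the list from the right, skipping its own proxies' addresses, and take the first foreign entry; it must never read further left. The trusted proxy address (Squid talking to Apache from 127.0.0.1, as in the earlier config) and the sample requests below are this example's assumptions.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread: recover the client address on a
web server behind a trusted Squid accelerator, from REMOTE_ADDR plus the
X-Forwarded-For hops that only our own proxy is trusted to have appended.

Assumption (this example's, matching the thread's config): Squid connects to
Apache from 127.0.0.1. Put your accelerator's outbound address(es) here.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def parse_xff(header_values):
    """Split one or more X-Forwarded-For values into tokens, left to right.

    Tolerates comma- or whitespace-separated entries (the thread notes the
    comma is not always present) and keeps Squid's "unknown" marker so the
    caller can see where the trusted part of the chain was cut off.
    """
    tokens = []
    for value in header_values:
        tokens.extend(t for t in value.replace(",", " ").split() if t)
    return tokens


def _as_address(text):
    """ip_address for a token, accepting bracketed IPv6; None if not an address."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _is_trusted(text):
    addr = _as_address(text)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_values):
    """Return the client address as a string, or None if it cannot be established.

    remote_addr: peer address of the TCP connection the web server accepted.
    xff_values:  all X-Forwarded-For header values on the request (a list,
                 because the header may be repeated).
    """
    if not _is_trusted(remote_addr):
        # Direct connection, or a proxy we do not trust: XFF is attacker-controlled.
        return remote_addr
    for tok in reversed(parse_xff(xff_values)):
        if _is_trusted(tok):
            continue  # one of our own hops (e.g. two accelerators in a row)
        if tok.lower() == "unknown":
            return None  # our proxy hid the address (forwarded_for off): do not guess
        addr = _as_address(tok)
        return str(addr) if addr is not None else None
    return None  # nothing beyond our own hops


# Constructed requests as Apache sees them behind Squid on 127.0.0.1.
SAMPLE_REQUESTS = [
    ("127.0.0.1", ["203.0.113.9"]),                # Squid appended the client
    ("127.0.0.1", ["10.0.0.1, 203.0.113.9"]),      # client forged a hop first
    ("127.0.0.1", ["198.51.100.4 203.0.113.9"]),   # no comma between entries
    ("127.0.0.1", ["10.0.0.1, unknown"]),          # forwarded_for off on Squid
    ("203.0.113.9", ["1.2.3.4"]),                  # bypassed Squid; header ignored
]

if __name__ == "__main__":
    for remote, xff in SAMPLE_REQUESTS:
        print(f"{remote:<12} {xff!s:<32} -> {client_ip(remote, xff)}")
```

The design point is that "the last IP in the list" is only safe when combined with the REMOTE_ADDR check: on the second IP address that is bound directly to Apache, the same header is pure client input and the function falls back to the connecting address. If a second trusted proxy sits in front of Squid, add its address to TRUSTED_PROXIES and the walk skips one more hop.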






[squid-users] X-Cache Header

2010-10-04 Thread Andreas Müller
Hello,

I'm using Squid 3 as an accel proxy in front of a web application. Caching is turned off,
but in the response header to the client Squid inserts 2 lines:

X-Cache:
X-Cache-Lookup:

I'm looking for an option to disable this but I can't find anything. I
don't want the client to know that the response comes from a proxy. The response
should look like a normal webserver response.

Kind regards,
Andreas