Re: [squid-users] Ubuntu 22.04 LTS repository for Squid 6.9 (rebuilt from sources in Debian)
11.04.2024 13:30, Rafael Akchurin wrote:
> Hello everyone, Online repository with latest Squid 6.9

why not 6.10?
Re: [squid-users] Compilation error for v6.8
14.03.2024 16:21, Miha Miha wrote:
> Hello Squid team, I get following error while compiling v6.8 ... In file included from basic_nis_auth.cc:15: ../../../../src/auth/basic/NIS/nis_support.h:8: error: unterminated #ifndef #ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H basic_nis_auth.cc: In function 'int main(int, char**)': basic_nis_auth.cc:71:21: error: 'get_nis_password' was not declared in this scope nispasswd = get_nis_password(user, nisdomain, nismap); ^~~~ ... Build environment: CentOS7.9; gcc version 8.3.1 20190311 (Red Hat 8.3.1-3) (GCC) Note: I'm able to compile successfully v6.7 in same build environment. Regards, Mihail Mihaylov

Do you really need NIS auth? I just disabled it when got the same problem on ubuntu 20.04 :-)
Re: [squid-users] squid 6.1 esi compile error, ubuntu 22.04
07.08.2023 17:27, Alex Rousskov wrote: On 8/7/23 04:00, Dmitry Melekhov wrote: Built using --disable-esi without problems. First of all, if you do not need ESI, I recommend building with --disable-esi to avoid accidental exposure to dangerous ESI bugs in deployments that should not be using ESI features. Thank you! Really, I know nothing about it, so most probably I don't need it. FWIW, in Project CI environment that also uses GCC on Ubuntu 22.04, Squid v6.1 ESI build[1] succeeds, including the Libxml2Parser.cc compilation step that fails in your environment. [1] https://github.com/squid-cache/squid/actions/runs/5471818575 $ grep -A6 LIBEXPAT configure.log checking for LIBEXPAT... yes checking for expat.h... yes checking for LIBXML2... yes checking for libxml/parser.h... yes checking for libxml/HTMLparser.h... yes checking for libxml/HTMLtree.h... yes configure: Enabling ESI processor: -lexpat -lm -lxml2 $ grep HAVE_LIBXML include/autoconf.h #define HAVE_LIBXML2 1 #define HAVE_LIBXML_HTMLPARSER_H 1 #define HAVE_LIBXML_HTMLTREE_H 1 #define HAVE_LIBXML_PARSER_H 1 Can you share the corresponding ./configure output and include/autoconf.h lines from your build environment? Could you tell me what can cause this? I suspect your system lacks libxml/HTMLparser.h or Squid ./configure was unable to find that header. I cannot find relevant libxml2 documentation, but if libxml promises to declare xmlParserCtxtPtr in libxml/HTMLparser.h, then this is a Squid bug: When that bug (if it is a Squid bug) is fixed, your build will fail at ./configure time instead of "make" time. Next steps: * If your system lacks libxml/HTMLparser.h, then install the missing libxml2 headers. Check the output sampled above to confirm that the installation led to header discovery by ./configure. * If your system has libxml/HTMLparser.h, set/adjust CPPFLAGS given to ./configure. Check the output sampled above to confirm that your adjustments led to header discovery by ./configure.
It is in place, the same as in Ubuntu 20.04, where I compiled squid 6.1 without problems, but configure can't find it: configure:28616: checking for libxml/parser.h configure:28616: g++ -std=c++17 -c -g -O2 conftest.cpp >&5 conftest.cpp:120:10: fatal error: libxml/parser.h: No such file or directory 120 | #include | ^ compilation terminated. export CPPFLAGS=-I/usr/include/libxml2/ helps now : configure:28616: checking for libxml/parser.h configure:28616: g++ -std=c++17 -c -g -O2 -I/usr/include/libxml2/ conftest.cpp >&5 configure:28616: $? = 0 configure:28616: result: yes and squid is compiled. This is new install of ubuntu 22.04, just about a month ago, so I don't think I break something in it... Thank you!
[squid-users] squid 6.1 esi compile error, ubuntu 22.04
Hello! Built using --disable-esi without problems. Could you tell me what can cause this? /bin/bash ../../libtool --tag=CXX --mode=compile g++ -std=c++17 -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/etc/squid/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/share/squid\" -DDEFAULT_SQUID_CONFIG_DIR=\"/etc/squid\" -I../.. -I../../include -I../../lib -I../../src -I../../include -isystem /usr/include/mit-krb5 -isystem /usr/include/mit-krb5 -I../../libltdl -Wall -Wextra -Wimplicit-fallthrough=5 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Wmissing-declarations -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -MT Libxml2Parser.lo -MD -MP -MF $depbase.Tpo -c -o Libxml2Parser.lo Libxml2Parser.cc &&\ mv -f $depbase.Tpo $depbase.Plo libtool: compile: g++ -std=c++17 -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/etc/squid/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/share/squid\" -DDEFAULT_SQUID_CONFIG_DIR=\"/etc/squid\" -I../.. -I../../include -I../../lib -I../../src -I../../include -isystem /usr/include/mit-krb5 -isystem /usr/include/mit-krb5 -I../../libltdl -Wall -Wextra -Wimplicit-fallthrough=5 -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Wmissing-declarations -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -MT Libxml2Parser.lo -MD -MP -MF .deps/Libxml2Parser.Tpo -c Libxml2Parser.cc -fPIC -DPIC -o .libs/Libxml2Parser.o In file included from Libxml2Parser.cc:20: ../../src/esi/Libxml2Parser.h:66:13: error: 'xmlParserCtxtPtr' does not name a type 66 | mutable xmlParserCtxtPtr parser; /* our parser */ | ^~~~ Libxml2Parser.cc:45:8: error: 'htmlDocPtr' does not name a type 45 | static htmlDocPtr entity_doc = nullptr; | ^~ Libxml2Parser.cc:51:43: error: 'xmlChar' does not name a type 51 | esi_startElementSAXFunc(void * ctx, const xmlChar * name, const xmlChar ** atts) | ^~~ Libxml2Parser.cc:51:65: error: 'xmlChar' does not name a type 51 | esi_startElementSAXFunc(void * ctx, const xmlChar * name, const xmlChar ** atts) | ^~~ Libxml2Parser.cc: In function 
'void esi_startElementSAXFunc(void*, const int*, const int**)': Libxml2Parser.cc:54:5: error: 'xmlChar' was not declared in this scope 54 | xmlChar **tmp = (xmlChar **)atts; | ^~~ Libxml2Parser.cc:54:15: error: 'tmp' was not declared in this scope; did you mean 'tm'? 54 | xmlChar **tmp = (xmlChar **)atts; | ^~~ | tm Libxml2Parser.cc:54:32: error: expected primary-expression before ')' token 54 | xmlChar **tmp = (xmlChar **)atts; | ^ Libxml2Parser.cc: At global scope: Libxml2Parser.cc:70:40: error: 'xmlChar' does not name a type 70 | esi_endElementSAXFunc(void *ctx, const xmlChar *name) | ^~~ Libxml2Parser.cc:77:37: error: 'xmlChar' does not name a type 77 | esi_commentSAXFunc(void *ctx, const xmlChar *value) | ^~~ Libxml2Parser.cc:84:40: error: 'xmlChar' does not name a type 84 | esi_charactersSAXFunc(void *ctx, const xmlChar *ch, int len) | ^~~ Libxml2Parser.cc:90:8: error: 'xmlEntityPtr' does not name a type 90 | static xmlEntityPtr | ^~~~ Libxml2Parser.cc: In constructor 'ESILibxml2Parser::ESILibxml2Parser(ESIParserClient*)': Libxml2Parser.cc:110:5: error: 'xmlSAXHandler' was not declared in this scope 110 | xmlSAXHandler sax; | ^ Libxml2Parser.cc:111:5: error: 'xmlInitParser' was not declared in this scope 111 | xmlInitParser(); | ^ Libxml2Parser.cc:112:13: error: 'sax' was not declared in this scope; did you mean 'max'? 112 | memset(, 0, sizeof(sax)); | ^~~ | max Libxml2Parser.cc:117:21: error: 'esi_getEntitySAXFunc' was not declared in this scope 117 | sax.getEntity = esi_getEntitySAXFunc; | ^~~~ Libxml2Parser.cc:120:5: error: 'parser' was not declared in this scope; did you mean 'Parser'? 
120 | parser = xmlCreatePushParserCtxt(, static_cast*>(this), nullptr, 0, nullptr); | ^~ | Parser Libxml2Parser.cc:120:14: error: 'xmlCreatePushParserCtxt' was not declared in this scope 120 | parser = xmlCreatePushParserCtxt(, static_cast*>(this), nullptr, 0, nullptr); | ^~~ Libxml2Parser.cc:122:9: error: 'entity_doc' was not declared in this scope 122 | if (entity_doc == nullptr) | ^~ Libxml2Parser.cc:123:22: error: 'htmlNewDoc' was not declared in this scope 123 | entity_doc = htmlNewDoc(nullptr, nullptr); | ^~ Libxml2Parser.cc: In destructor 'virtual ESILibxml2Parser::~ESILibxml2Parser()':
[squid-users] squid 5.3 crash
Hello! Testing squid 5.3 on Ubuntu 20.04. Looks good for several weeks, but just got this: 2021/12/28 09:58:01 kid1| assertion failed: Read.cc:61: "Comm::IsConnOpen(conn)" current master transaction: master28713185 After this squid ate almost 100% of cpu, then crashed, unfortunately gdb says core dump is truncated: /var/crash/squid-dump/CoreDump is truncated: expected core file size >= 303022080, found: 177070080 Is this assertion fail known problem? Thank you!
Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing
19.04.2020 13:53, Antony Stone wrote:
> What's misleading?

Sorry, I read it wrong. Thank you!
Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing
19.04.2020 12:37, Amos Jeffries wrote: On 19/04/20 8:22 pm, Dmitry Melekhov wrote: 19.04.2020 12:18, TarotApprentice wrote: I am not sure if you have any contact with the Debian maintainers. I raised a bug with Debian in March asking for 4.10 to get promoted to buster-backports on the grounds of security fixes. If we’re on the stable release (buster) we are stuck with 4.6 until the next stable release (up to 2 years), use the testing release which has other changes or we have to compile our own. Link to bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954488 4.10 does not contain fix :-) Which fix are you talking about? The bug TarotApprentice referenced is a publishing issue within Debian. Requesting an event which has not happened yet. The bug this advisory is talking about definitely is fixed in Squid 4.10 code. The patch was added way back in 4.8 release. Affected versions: Squid 3.5.18 -> 3.5.28 Squid 4.0.10 -> 4.7 Well, this announcement is extremely misleading then...
Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing
19.04.2020 12:18, TarotApprentice wrote: I am not sure if you have any contact with the Debian maintainers. I raised a bug with Debian in March asking for 4.10 to get promoted to buster-backports on the grounds of security fixes. If we’re on the stable release (buster) we are stuck with 4.6 until the next stable release (up to 2 years), use the testing release which has other changes or we have to compile our own. Link to bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954488 4.10 does not contain fix :-)
[squid-users] 4.10 crash
Hello! see this in log, after this squid dies. 2020/02/26 11:17:47 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.23.54/ABDRASHITOV-RR.p98a3.belkam.com abdrashitovrr CONNECT myip=192.168.22.254 myport=8090'. Future Squid will treat this as part of the URL. 2020/02/26 11:17:48 kid1| assertion failed: MemBuf.cc:354: "new_cap > (size_t) capacity" from systemctl status: фев 26 11:17:48 inetgw2 squid[1167]: Squid Parent: squid-1 process 11576 exited due to signal 6 with фев 26 11:17:48 inetgw2 squid[1167]: Squid Parent: squid-1 process 11576 will not be restarted for 3 фев 26 11:17:48 inetgw2 squid[1167]: Exiting due to repeated, frequent failures I see this several times, have no idea what caused this, even if this is redirector error, squid should not crash... Is there any way to fix this? Thank you!
Re: [squid-users] Is Squid 4.9 gone?
20.12.2019 12:35, Amos Jeffries wrote: On 20/12/19 9:03 pm, netadmin wrote: At the address: http://www.squid-cache.org/Versions/ the latest version appears as 4.8 although I am running 4.9! What happened to version 4.9? I'm not entirely certain what happened there. I suspect it was just an oversight on my part not copying the files from the release directory to the web server. That has now been corrected. As to why you could be running a version not available on the www site; Vendors pull their release code from any one (or several) different sources we provide them - our public git repository, FTP servers, or rsync servers. No, 4.9 was available on squid-cache.org some time ago :-)
[squid-users] https://web.whatsapp.com/ , no qr code
Hello! Users complain that they do not get qr code while using squid on https://web.whatsapp.com/ I checked this and got the same result with or without ssl-bump: 1576573551.547 0 192.168.22.229 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - is all I see in logs. squid --version Squid Cache: Version 4.9 Firefox 71.0 Direct connection works. Is there any way to solve this? Thank you!
Re: [squid-users] squid 4.5, can't download certificate?
23.01.2019 8:53, Amos Jeffries wrote: On 23/01/19 5:40 pm, Dmitry Melekhov wrote: Thank you for explanation, it is easier for me to contact rejik developer and ask him to pass traffic if client address is "-" as he already did for fff...fff. So, I'll inform him that such change is planned and he will be ready :-) Um, to be more prescriptive ... The (%>a) part *before* the '/' is the actual "client IP address". If that is '-' (like your logs show it already is) then the reverse-DNS FQDN part *after* the '/' cannot be relied upon at all so should generally be ignored. Thank you! Looks like it's better to wait until it will be fixed, because rejik developer is very responsive and, I guess, will provide fix very soon. Whether or not we change the FQDN parts display, it could still have an IPv6 address when a real IPv6 client arrives - and the IP part before the '/' would then also still have an IPv6 address too. So IPv6 support is needed regardless. Yes, sure, but, really, here we have no ISP which provides ipv6, so it is not problem for next several years. Thank you!
Re: [squid-users] squid 4.5, can't download certificate?
22.01.2019 19:51, Alex Rousskov wrote: It sounds like you misunderstood my questions. I will detail them below. I suspect that fff...fff comes from %>A (whether that %code comes from the default url_rewrite_extras in your configuration is unimportant). %>A is documented to be a client FQDN. I am not sure, and this is not documented, but perhaps when the client IP address does not point back to a domain name, %>A should be a client IP address. For intermediate certificate downloading transactions, Squid does not have a client address because those transactions are not initiated by a client connection to Squid. They are generated internally by Squid. In such cases, Squid should be sending a dash (-), not 127.0.0.1, not fff...fff, not localhost, and not anything else that might be misinterpreted as a client IP address or domain name. I have not investigated why Squid does not send a dash, or what it would take to fix Squid, but it is likely that this will be eventually fixed because lying about client address is a bug. To plan the deployment of that future fix, it may be useful to know whether the redirector you use handles a dash value for %>A correctly. You may be able to test that by configuring url_rewrite_extras explicitly and replacing %>A with a dash. Thank you for explanation, it is easier for me to contact rejik developer and ask him to pass traffic if client address is "-" as he already did for fff...fff. So, I'll inform him that such change is planned and he will be ready :-) Thank you!
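Added example (not part of the original thread, and not rejik's or Squid's own code): a small URL-rewrite helper in Python that answers in the current key=value helper syntax and treats a "-" or unparsable client address as "no client", which is the case discussed above for Squid's internally generated certificate fetches. The field order follows the "client/fqdn user method myip= myport=" layout visible in the logs in these threads; BLOCKED_HOSTS, BLOCK_PAGE and the request lines used to exercise it are constructed for illustration.

```python
"""Sketch of a Squid url_rewrite helper that tolerates '-' and IPv6 client addresses."""
import ipaddress
import sys
from urllib.parse import urlsplit

# Hypothetical policy data, constructed for this example.
BLOCKED_HOSTS = {"blocked.example"}
BLOCK_PAGE = "http://proxy.example/blocked.html"


def parse_client_ip(text):
    """Return an ip_address object, or None when Squid reports no client."""
    if text in ("", "-"):
        return None
    try:
        return ipaddress.ip_address(text)  # accepts IPv4 and IPv6 alike
    except ValueError:
        return None  # placeholder or garbage: never guess an address


def parse_request(line):
    """Split one helper request: [channel-ID] URL client/fqdn user method k=v..."""
    fields = line.split()
    if not fields:
        raise ValueError("empty helper request")
    channel = None
    if len(fields) > 1 and fields[0].isdigit():  # present when concurrency is on
        channel = fields.pop(0)
    req = {"channel": channel, "url": fields.pop(0), "client_ip": None,
           "client_fqdn": None, "user": None, "method": None, "extras": {}}
    if fields:
        addr, _, fqdn = fields.pop(0).partition("/")
        req["client_ip"] = parse_client_ip(addr)
        # Without a usable IP, the FQDN part cannot be relied upon either.
        if req["client_ip"] is not None and fqdn not in ("", "-"):
            req["client_fqdn"] = fqdn
    if fields:
        user = fields.pop(0)
        req["user"] = None if user == "-" else user
    if fields:
        req["method"] = fields.pop(0)
    for item in fields:  # remaining extras such as myip=... myport=...
        key, sep, value = item.partition("=")
        if sep:
            req["extras"][key] = value
    return req


def decide(req):
    """Return the reply body: ERR leaves the URL unchanged, OK redirects."""
    if req["client_ip"] is None:
        return "ERR"  # internal Squid transaction: pass it through untouched
    url = req["url"]
    target = url if "://" in url else "//" + url  # CONNECT sends host:port
    host = (urlsplit(target).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return "OK status=302 url=" + BLOCK_PAGE
    return "ERR"


def handle(line):
    """Build the full reply line; BH tells Squid the helper could not answer."""
    try:
        req = parse_request(line)
        verdict = decide(req)
    except ValueError:
        return "BH"
    if req["channel"] is not None:
        return req["channel"] + " " + verdict
    return verdict


def main():
    for line in sys.stdin:
        sys.stdout.write(handle(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

Because every reply starts with OK, ERR or BH and never echoes the request fields, Squid has no trailing text to mistake for part of the URL.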
Re: [squid-users] squid 4.5, can't download certificate?
21.01.2019 22:29, Alex Rousskov wrote: On 1/21/19 9:08 AM, Dmitry Melekhov wrote: Your Squid (or some helper) appears to be adding an "-/...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. Is there any reasons squid sends ::::::: to redirector? What Squid logformat %code or url_rewrite_extras %code does that address come from? default on my case Should the corresponding request have that address? For example, internally-generated requests do not have HTTP client addresses. Will the redirector work if that address is sent as a "-" instead of "ff...fff"? rejik redirector developer thinks its better to use 127.0.0.1 as squid address, but said that this is squid preference... if can read discussion here https://rejik.ru/bb_rus/viewtopic.php?f=1=1979 in russian. Thank you!
Re: [squid-users] squid 4.5, can't download certificate?
21.01.2019 14:30, Dmitry Melekhov wrote: Your Squid (or some helper) appears to be adding an "-/...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. Yes, I suspected this, there is no helper which can add this, as far as I know These mangled URLs are the expected result of a URL-rewrite/redirector helper written to use the long ago deprecated Squid-1.x version of helper protocol. Being used in a Squid configured to allow whitespace in URLs. When those two features are combined there is no way for Squid to identify garbage after the end of URL in helper 1.0 syntax response, from a v2.x syntax response with whitespace in the URL. Squid-3.5 and later are only backward compatible to the Squid-2.0 helper protocol. The older syntax is no longer supported at all. Details of the Squid helper protocol can be found at <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>. Thank you! You are absolutely right. This is redirector, if I disable it, everything works. Will contact redirector developer. There is new rejik (rejik.ru) version, if somebody uses it, you can solve this problem by upgrade. btw, according to redirector developer problem is in lack of ipv6 support. Is there any reasons squid sends ::::::: to redirector? Thank you!
Re: [squid-users] squid 4.5, can't download certificate?
21.01.2019 8:39, Dmitry Melekhov wrote: 18.01.2019 21:08, Amos Jeffries wrote: On 19/01/19 4:31 am, Alex Rousskov wrote: On 1/18/19 4:35 AM, Dmitry Melekhov wrote: 17.01.2019 21:02, Alex Rousskov wrote: On 1/16/19 10:30 PM, Dmitry Melekhov wrote: 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) In access log: 1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html 1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/:::::::-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html Your Squid (or some helper) appears to be adding an "-/...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. Yes, I suspected this, there is no helper which can add this, as far as I know These mangled URLs are the expected result of a URL-rewrite/redirector helper written to use the long ago deprecated Squid-1.x version of helper protocol. Being used in a Squid configured to allow whitespace in URLs. When those two features are combined there is no way for Squid to identify garbage after the end of URL in helper 1.0 syntax response, from a v2.x syntax response with whitespace in the URL. Squid-3.5 and later are only backward compatible to the Squid-2.0 helper protocol. The older syntax is no longer supported at all. Details of the Squid helper protocol can be found at <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>. Thank you! You are absolutely right. This is redirector, if I disable it, everything works. Will contact redirector developer. There is new rejik (rejik.ru) version, if somebody uses it, you can solve this problem by upgrade. Thank you!
Re: [squid-users] squid 4.5, can't download certificate?
18.01.2019 21:08, Amos Jeffries wrote: On 19/01/19 4:31 am, Alex Rousskov wrote: On 1/18/19 4:35 AM, Dmitry Melekhov wrote: 17.01.2019 21:02, Alex Rousskov wrote: On 1/16/19 10:30 PM, Dmitry Melekhov wrote: 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) In access log: 1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html 1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/:::::::-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html Your Squid (or some helper) appears to be adding an "-/...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. Yes, I suspected this, there is no helper which can add this, as far as I know These mangled URLs are the expected result of a URL-rewrite/redirector helper written to use the long ago deprecated Squid-1.x version of helper protocol. Being used in a Squid configured to allow whitespace in URLs. When those two features are combined there is no way for Squid to identify garbage after the end of URL in helper 1.0 syntax response, from a v2.x syntax response with whitespace in the URL. Squid-3.5 and later are only backward compatible to the Squid-2.0 helper protocol. The older syntax is no longer supported at all. Details of the Squid helper protocol can be found at <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>. Thank you! You are absolutely right. This is redirector, if I disable it, everything works. Will contact redirector developer. Amos
Re: [squid-users] squid 4.5, can't download certificate?
17.01.2019 21:02, Alex Rousskov wrote: On 1/16/19 10:30 PM, Dmitry Melekhov wrote: 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) In access log: 1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html 1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/:::::::-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html Your Squid (or some helper) appears to be adding an "-/...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. That suffix is not present in the lkk-udm.esplus.ru certificate AFAICT: Yes, I suspected this, there is no helper which can add this, as far as I know, I'm out of office till Monday, I'll turn everything possible off on Monday, and retest, but I don't think it is helper... Could you tell me - can squid add this and, if yes, how can I turn this off? Thank you! $ openssl x509 -in cert.pem -noout -text | fgrep http: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com
[squid-users] squid 4.5, can't download certificate?
Hello! While accessing site I can't access it through ssl bump. See in cache log: 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) In access log: 1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html 1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/:::::::-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html I can access site directly from browser. Could you tell me why it doesn't work and how can I fix this? Thank you!
Re: [squid-users] ssl bump, CA certificate renewal, how to?
15.01.2019 20:52, elie...@ngtech.co.il wrote: With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at-least for a period of 5 years to allow this dynamicity you probably need. Eliezer 5 years, really, not very long period of time, if I'll be sure to not work here in 5 years then I'll use this ;-) , unfortunately I'm not :-( I don't need to replace certificate every year or so, but I need to have minimal service interruption for every user during certificate replacement, and I'm sure that certificate will need replacement for some reason. * I have seen security companies( AV ) that updates their root ca certificate using the AV or agent, if running an update file/service every startup is an option we can try to find a nice solution. Download certificate at every boot or user login This is good idea, thank you! * Eliezer Croitoru <http://ngtech.co.il/main-en/> Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il <mailto:elie...@ngtech.co.il> *From:*squid-users *On Behalf Of *Dmitry Melekhov *Sent:* Tuesday, January 15, 2019 07:02 *To:* squid-us...@squid-cache.org *Subject:* [squid-users] ssl bump, CA certificate renewal, how to? Hello! According to https://wiki.squid-cache.org/Features/DynamicSslCert recommended way to create certificate openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem we can create certificate for longer time. But sooner or later we'll have to renew it. In this case, once we replaced certificate, it should be immediately replaced on user's computers, not easy task, I don't sure it can be achieved in our environment.
We had the same issue with openvpn, fortunately it can check certificates from several ca's places in the same file, so we had old and new certificates for some time. I don't know is it possible to do something similar with squid and dynamic certificate generation, I know it does not work now. Could you share your experience? How do you replace certificates? Thank you!
[squid-users] ssl bump, CA certificate renewal, how to?
Hello! According to https://wiki.squid-cache.org/Features/DynamicSslCert recommended way to create certificate openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem we can create certificate for longer time. But sooner or later we'll have to renew it. In this case, once we replaced certificate, it should be immediately replaced on user's computers, not easy task, I don't sure it can be achieved in our environment. We had the same issue with openvpn, fortunately it can check certificates from several ca's places in the same file, so we had old and new certificates for some time. I don't know is it possible to do something similar with squid and dynamic certificate generation, I know it does not work now. Could you share your experience? How do you replace certificates? Thank you!
Re: [squid-users] squid 4.5 , ssl bump and c-icap on google sites
Hello! Problem was on c-icap side, my build had no br support. Thank you!

10.01.2019 14:44, Dmitry Melekhov wrote:
> Hello! We are testing ssl-bump with squid 4.5. Also we run c-icap with squid. What is strange here - ssl-bump works for google domains if icap is disabled, but if it is on, then we get an error from c-icap: You tried to upload/download a file that contains the virus: *uncompress: Uncompression Failure* The Http location is: *https://www.youtube.com/* Although it works on most other sites. Could you tell me why it does not work and is it possible to fix it? Thank you!
[squid-users] squid 4.5 , ssl bump and c-icap on google sites
Hello! We are testing ssl-bump with squid 4.5. Also we run c-icap with squid. What is strange here - ssl-bump works for google domains if icap is disabled, but if it is on, then we get an error from c-icap: You tried to upload/download a file that contains the virus: *uncompress: Uncompression Failure* The Http location is: *https://www.youtube.com/* Although it works on most other sites. Could you tell me why it does not work and is it possible to fix it? Thank you!
[squid-users] ssl , TAG_NONE/503 0 CONNECT
Hello! User complained that he can't access https://es.ciur.ru/auth/login-page over squid. I tried, and all I see in log is: 1479206688.068 59865 192.168.22.229 TAG_NONE/503 0 CONNECT es.ciur.ru:443 - HIER_NONE/- - Direct connection from browser works OK. Squid 3.5.22, compiled from sources, on Ubuntu 12.04... Any ideas how to solve this? Thank you!
Re: [squid-users] [squid-announce] Squid 3.5.15 is available
Hello! After installing 3.5.15 on ubuntu 12.04 I get squid crash: 2016/02/24 10:07:23 kid1| assertion failed: FwdState.cc:447: "serverConnection() == conn" 3.5.14 had no such problem. Thank you! 24.02.2016 08:46, Amos Jeffries wrote: The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.15 release! This release is a security release resolving several major vulnerabilities found in the prior Squid releases. The major changes to be aware of: * SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response processing http://www.squid-cache.org/Advisories/SQUID-2016_2.txt The visible symptoms of these are various assertions about: "String.cc:*: 'len_ + len <65536'" "store.cc:*: 'isEmpty()'" There are a number of known attacks involved for both of these assertions. Almost all are now fully fixed or rendered harmless to other transactions. However some hard to trigger ones are not yet resolved. Normally we would not release this advisory and packages until a full fix or workaround was confirmed. However these assertions have recently become the topic of a lot of public discussion and a trivial PoC is now available. We have chosen to release the existing fixes now as work continues towards a final resolution. All Squid-3 and Squid-4 releases to date are affected. See the advisory for further details. Upgrade or patching should be considered a high priority. All users of Squid-3 or older are urged to upgrade to this release as soon as possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html when you are ready to make the switch to Squid-3.5 Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v3/3.5/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/3.5/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries ___ squid-announce mailing list squid-annou...@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-announce ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] https://www.waterfoxproject.org/, squid
27.11.2015 16:28, Dmitry Melekhov wrote:
> Hello!
>
> User just complained he can't open https://www.waterfoxproject.org/ I tried to reproduce this and I can't too:
>
> 1448627177.123 79 192.168.22.229 TCP_TUNNEL/200 0 CONNECT www.waterfoxproject.org:443 dm HIER_DIRECT/104.28.27.103 -
>
> squid 3.5.11 on ubuntu 12.04, compiled by me. Although directly site is accessible..
>
> Any ideas?

Oops, sorry, this is provider problem, when I tried direct connection I used backup one by mistake.

Sorry!
[squid-users] https://www.waterfoxproject.org/, squid
Hello!

User just complained he can't open https://www.waterfoxproject.org/ I tried to reproduce this and I can't too:

1448627177.123 79 192.168.22.229 TCP_TUNNEL/200 0 CONNECT www.waterfoxproject.org:443 dm HIER_DIRECT/104.28.27.103 -

squid 3.5.11 on ubuntu 12.04, compiled by me. Although directly site is accessible..

Any ideas?
[squid-users] 3.5.5 https problem
Hello!

Just tried to install 3.5.5 on production proxy, users complained about slow https connections, I see errors in cache.log like

2015/06/03 09:00:34 kid1| local=192.168.42.130:32922 remote=213.180.193.119:443 FD 964 flags=1: read/write failure: (32) Broken pipe
2015/06/03 09:00:46 kid1| local=192.168.42.130:52239 remote=178.154.131.216:443 FD flags=1: read/write failure: (32) Broken pipe
2015/06/03 09:01:56 kid1| local=192.168.42.130:34841 remote=213.180.193.119:443 FD 467 flags=1: read/write failure: (32) Broken pipe

Switching back to 3.4.13 solved problem, but..

Any ideas what can cause this ?

Thank you!
Re: [squid-users] Squid crashes with 3.5.1
08.05.2015 11:29, Prashanth Prabhu wrote:
> As I pointed out in my earlier email, the crash occurs with c-icap connections

I guess this is why my 3.5.4 crashes too, although had no chance to debug yet, I found info in log that there are not enough redirectors, which never happened with 3.4.
[squid-users] 3.4.9 and tls 1.2
Hello!

I just found that I have problems with using google maps, i.e. https://maps.google.com with firefox 33.0 over squid 3.4.9 - it works extremely slow, sometimes street view can't be loaded and showed black screen.

This is with default security.tls.version.max=3, i.e. tls 1.2, but if I change this to 2, i.e. tls 1.1 all works fine.

Direct, i.e. without squid, connection always works OK, so, I guess this is squid problem.

Any ideas how to solve this?

Thank you!
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
On 29.08.2014 18:46, Dmitry Melekhov wrote:
> On 29.08.2014 18:17, babajaga wrote:
>> I remember a bug, I detected in my favourite squid2.7, also in a sandwiched config, with another proxy inbetween: It was not possible to have both squids listen on 127.0.0.1:a/b; had to use 127.0.0.1:a; 127.0.0.2:b
>
> That's what I have- one listens on 8090 another one on 8092. So this is not problem.
>
> What I can't understand now what is difference between firefox request - which works, and squid request- on which squid says that it is missed, I have to look into traffic :-)

OK, I see correct requests from squid to parent squid. But looks like they are http 1.1. But, as I said before, havp works, and it use 1.0, as I see too.

Looks like bug, so I'll report one asap :-)
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
29.08.2014 15:34, Dmitry Melekhov wrote:
> 29.08.2014 10:45, babajaga wrote:
>> I suspect, you might have some statement like never_direct / always_direct in the squid.conf of first squid with some ACL, which does not match any more. To get a clear picture, pls publish both of actual squid.conf, anonymized.
>
> Well, in this case there will be just no requests to parent, right? Anyway, configs are attached.

Sorry, configs are too large... :-( I can't attach them here :-(

So main question is- if I see request on external squid- then never_direct or always_direct are not responsible, right?
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
29.08.2014 16:21, babajaga wrote:
> Yes. You might also try on inner squid.conf:
>
> cache_peer 127.0.0.1 parent 8092 0 no-digest no-query no-net-db-exchange

I get the same TCP_MISS/403 on parent with this :-(

> assuming, you only have one upstream proxy. Outer squid.conf should have NO intercept/transparent in http_port.

Yes, sure, as I wrote it works if I connect to outer squid from browser, it just doesn't want to process request from another squid.

I tried to reverse havp config- and it process requests from havp, really from internal squid+havp.

Looks very strange- it somehow know that these requests are from squid and don't want to forward them...
Re: [squid-users] Re: parent problem - TCP_MISS/403 from parent
On 29.08.2014 18:17, babajaga wrote:
> I remember a bug, I detected in my favourite squid2.7, also in a sandwiched config, with another proxy inbetween: It was not possible to have both squids listen on 127.0.0.1:a/b; had to use 127.0.0.1:a; 127.0.0.2:b

That's what I have- one listens on 8090 another one on 8092. So this is not problem.

What I can't understand now what is difference between firefox request - which works, and squid request- on which squid says that it is missed, I have to look into traffic :-)

> To be pragmatic: Whats the purpose of having two squids directly coupled ?

At least three :-)

first, afaik, icap doesn't check cached content, so first squid can cache, second checks for viruses.

second, authentication- first squid is for users, so it requires auth, second don't, it's practical from logging reason.

third, first squid has redirector, so user's can be banned from pron ;-) , second not.

> Why not to use just one ?
[squid-users] parent problem - TCP_MISS/403 from parent
Hello!

I used havp with squid for several years, but now decided to drop havp to c-icap.

So I had squid-havp-squid scheme. first squid listens on port 8090, havp on 8091, external squid on 8092. All of them are on the same host.

Now I don't need havp, but I can't get external squid work as parent, I always get TCP_MISS/403 from it.

1409286793.325 0 127.0.0.1 TCP_MISS/403 5150 GET http://www.gismeteo.ru/city/daily/4508/ - HIER_NONE/- text/html

If I connect to it directly- it works:

1409287034.615 72 192.168.22.229 TCP_MISS/200 16605 GET http://www.gismeteo.ru/city/daily/4508/ - HIER_DIRECT/212.24.42.230 text/html

for havp I had :

cache_peer 127.0.0.1 parent 8091 0 no-query no-digest no-netdb-exchange default

now I wrote

cache_peer 127.0.0.1 parent 8092 0 no-digest no-query default

and it doesn't work. I can't understand what is wrong here :-(

I currently run squid 3.4.7.

Thank you!
[squid-users] https for one site doesn't work over squid
Hello!

I run squid 3.4.3. Users complained they can't connect to following url: https://kz.grfc.ru/portal/faces/app/materials/active.jspx

I tried to reproduce this and it is always reproducible. I get - connection was terminated ( back translation from russian ) in firefox 27.0.

This is what I see in squid log:

1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -

If I connect site directly (i.e. just over nat, no proxy) - it works with the same firefox version.

Surprisingly ( I tried this on windows) it works with IE:

1392371835.532130 192.168.22.111 TCP_MISS/200 26597 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.645102 192.168.22.111 TCP_MISS/200 10543 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.724 78 192.168.22.111 TCP_MISS/200 3354 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.752129 192.168.22.111 TCP_MISS/200 17145 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.805 78 192.168.22.111 TCP_MISS/200 655 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -

Just because it works on firefox 27.0 directly I guess this is some incompatibility between squid and firefox.

Could you tell what can I do to solve this?

Thank you!
[squid-users] Re: https for one site doesn't work over squid
14.02.2014 14:00, Dmitry Melekhov wrote:
> Hello!
>
> I run squid 3.4.3. Users complained they can't connect to following url: https://kz.grfc.ru/portal/faces/app/materials/active.jspx
>
> I tried to reproduce this and it is always reproducible. I get - connection was terminated ( back translation from russian ) in firefox 27.0.
>
> This is what I see in squid log:
>
> 1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>
> If I connect site directly (i.e. just over nat, no proxy) - it works with the same firefox version.
>
> Surprisingly ( I tried this on windows) it works with IE:
>
> 1392371835.532130 192.168.22.111 TCP_MISS/200 26597 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
> 1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
> 1392371835.645102 192.168.22.111 TCP_MISS/200 10543 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
> 1392371835.724 78 192.168.22.111 TCP_MISS/200 3354 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
> 1392371835.752129 192.168.22.111 TCP_MISS/200 17145 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
> 1392371835.805 78 192.168.22.111 TCP_MISS/200 655 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>
> Just because it works on firefox 27.0 directly I guess this is some incompatibility between squid and firefox.
>
> Could you tell what can I do to solve this?
>
> Thank you!

btw, just tested firefox 24.3.0. It works.

Just curious, what can prevent 27.0 to work over proxy

Thank you!
[squid-users] Re: https for one site doesn't work over squid
OK, finally, I found that problem is in tls.

As I see in firefox 27.0 tls 1.1 and 1.2 are enabled by default. So if I change security.tls.version.max from default 3 ( I guess this means 1.2 ) to 1 ( 1.0 ? ) site works. 2 (1.1? ) doesn't work too.

Just because firefox 27.0 works without proxy, I guess there is problem with tls 1.1/1.2 in squid. I'm right? :-)

If yes- is there any way to fix squid?

Thank you!

14.02.2014 14:15, Dmitry Melekhov wrote:
> 14.02.2014 14:00, Dmitry Melekhov wrote:
>> Hello!
>>
>> I run squid 3.4.3. Users complained they can't connect to following url: https://kz.grfc.ru/portal/faces/app/materials/active.jspx
>>
>> I tried to reproduce this and it is always reproducible. I get - connection was terminated ( back translation from russian ) in firefox 27.0.
>>
>> This is what I see in squid log:
>>
>> 1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>>
>> If I connect site directly (i.e. just over nat, no proxy) - it works with the same firefox version.
>>
>> Surprisingly ( I tried this on windows) it works with IE:
>>
>> 1392371835.532130 192.168.22.111 TCP_MISS/200 26597 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.645102 192.168.22.111 TCP_MISS/200 10543 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.724 78 192.168.22.111 TCP_MISS/200 3354 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.752129 192.168.22.111 TCP_MISS/200 17145 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.805 78 192.168.22.111 TCP_MISS/200 655 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>>
>> Just because it works on firefox 27.0 directly I guess this is some incompatibility between squid and firefox.
>>
>> Could you tell what can I do to solve this?
>>
>> Thank you!
>
> btw, just tested firefox 24.3.0. It works.
>
> Just curious, what can prevent 27.0 to work over proxy
>
> Thank you!
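Added example (not part of any post in this thread): a Python reader for the native access.log lines quoted above that groups CONNECT entries by client and target and marks tunnels that closed almost immediately, which is what separates the Firefox 27.0 line (7 bytes) from the IE lines. It assumes the size column counts bytes relayed to the client, uses 7 bytes (the length of a plaintext TLS alert record) as a heuristic threshold, and treats a first token such as 1392371835.532130 as a timestamp fused with the elapsed time; `verdict` and `summarise` are names made up here.

```python
import re
from collections import Counter, namedtuple

Entry = namedtuple(
    "Entry",
    "ts elapsed_ms client result status size method url user hier peer ctype")

# Sample input: access.log lines copied from posts on this page. The last
# line comes from the separate es.ciur.ru post, to show a proxy-side error.
SAMPLE = """\
1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.532130 192.168.22.111 TCP_MISS/200 26597 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.645102 192.168.22.111 TCP_MISS/200 10543 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1479206688.068 59865 192.168.22.229 TAG_NONE/503 0 CONNECT es.ciur.ru:443 - HIER_NONE/- -
"""

# A plaintext TLS alert is a 5-byte record header plus a 2-byte alert body.
# Heuristic (assumption): a "200" tunnel that relayed no more than this never
# got past the handshake.
TLS_ALERT_RECORD_LEN = 7

# Native format timestamps always carry exactly three millisecond digits, so
# any digits after them are taken to be the elapsed-time field run together
# with the timestamp (assumption about how the archive mangled the spacing).
_FIRST = re.compile(r"(\d+\.\d{3})(\d*)")


def parse_line(line):
    """Parse one native-format access.log line into an Entry."""
    fields = line.split()
    m = _FIRST.fullmatch(fields[0]) if fields else None
    if m is None:
        raise ValueError("no timestamp in %r" % line)
    if m.group(2):
        fields[0:1] = [m.group(1), m.group(2)]
    if len(fields) != 10:
        raise ValueError("expected 10 fields, got %d" % len(fields))
    ts, elapsed, client, code, size, method, url, user, hier, ctype = fields
    result, _, status = code.rpartition("/")
    hier_code, _, peer = hier.partition("/")
    return Entry(float(ts), int(elapsed), client, result, int(status),
                 int(size), method, url, user, hier_code, peer, ctype)


def verdict(entry):
    """Classify a CONNECT entry; the labels are this example's own."""
    if entry.method != "CONNECT":
        return "not-a-tunnel"
    if entry.status != 200:
        return "proxy-error"      # Squid answered the CONNECT with an error
    if entry.size <= TLS_ALERT_RECORD_LEN:
        return "closed-early"     # tunnel opened, then ended in the handshake
    return "ok"


def summarise(text):
    """Count verdicts per (client, target) pair."""
    summary = {}
    for line in text.splitlines():
        if line.strip():
            e = parse_line(line)
            summary.setdefault((e.client, e.url), Counter())[verdict(e)] += 1
    return summary


if __name__ == "__main__":
    for key, counts in summarise(SAMPLE).items():
        print(key, dict(counts))
```

A "closed-early" verdict for one client next to "ok" for another client on the same target points at the client/server TLS negotiation rather than at reachability through the proxy.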
Re: [squid-users] squid 3.4.1 , basic auth and timeout
12.12.2013 07:08, Amos Jeffries wrote:
> Try setting grace period to a value larger than 0.
>
> The grace period is a short time before the credentials TTL expires when they can be looked up at the helper for validity without needing to block the client request or send an immediate pass/fail result to the access control.
>
> ** there was a bug in this for some 3.2-3.3 releases.
>
> If you are using the auth check in a fast-type access control the TTL expiry will cause a fail result after the credentials have expired even if the helper lookup will some time later produce a valid/success result. Grace allows that lookup to be started before the TTL is over and hopefully the credentials next TTL can be assigned before the old one expires.
>
> Amos

Hello!

Thank you! Looks like problem is solved :-)
[squid-users] squid 3.4.1 , basic auth and timeout
Hello!

Just tried to install 3.4.1 to production. Users complain that need to do reauth after some timeout.

Parts of config:

external_acl_type LdapGroup children-max=30 children-startup=10 concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b o=company,c=RU -B org=company,ou=People,o=company,c=RU -f ((cn=%g)(memberUid=%u)) -F ((objectClass=account)(uid=%s)) -s sub

and

auth_param basic program /usr/sbin/squid_ldapauth
auth_param basic credentialsttl 600 seconds
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
#auth_param basic casesensitive on
auth_param basic casesensitive off

I see following in my logs, firefox doesn't ask me for auth info though:

1386754087.151 2 192.168.22.229 TCP_DENIED/407 6701 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
1386754810.393 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
1386755534.579 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html

as far as I remember, there was such problem in 3.2, or something like this, so I installed 3.3 before it was released- this was acl problem.

Some changes were introduced in 3.4 ? Or I need to reconfigure something?

Thank you!
Re: [squid-users] squid 3.4.1 and basic auth
11.12.2013 10:31, Dmitry Melekhov wrote:
> Will contact rejik developer.

btw, there is already updated version... http://rejik.ru/bb_rus/viewtopic.php?f=1t=1196
[squid-users] 3.4 and external_acl_type
Hello!

Just tried to start 3.4 instead of 3.3.8 just to check does it work or not ( sooner or later 3.3 will be deprecated ;-) ) and got:

2013/08/06 15:10:13| Macros are not supported here: %g)(memberUid=%u)) -F ((objectClass=account)(uid=%s)) -s sub
FATAL: Bungled /etc/squid3/squid.conf line 1929: external_acl_type LdapGroup children-max=30 children-startup=10 concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b o=Aspec,c=RU -B org=belkam,ou=People,o=Aspec,c=RU -f ((cn=%g)(memberUid=%u)) -F ((objectClass=account)(uid=%s)) -s sub
Squid Cache (Version 3.4.0.1): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.000 user + 0.008 sys
Maximum Resident Size: 19744 KB
Page faults with physical i/o: 0

Yes, I use old squid_ldap_group which can't be compiled even with 3.3, just because it is patched for our needs, but I guess, may be it can still be usable, just some changes in config for 3.4.

Here is line from config:

external_acl_type LdapGroup children-max=30 children-startup=10 concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b o=Aspec,c=RU -B org=belkam,ou=People,o=Aspec,c=RU -f ((cn=%g)(memberUid=%u)) -F ((objectClass=account)(uid=%s)) -s sub

could you tell me, is it possible to change it to 3.4 compatibility?

Thank you!
Re: [squid-users] 3.4 and external_acl_type
06.08.2013 16:10, Pavel Kazlenka wrote:
> Hi Dmitry,
>
> This is known problem with configuration file parsing in 3.4.0.1. Just wait for stable version. Details in this thread: http://www.squid-cache.org/mail-archive/squid-users/201308/0016.html

Hello!

Thank you!
Re: [squid-users] Squid 3.2.5 wants to use IPv6 address?
19.12.2012 16:19, Ralf Hildebrandt wrote:
> When trying to access http://www.vkontakte.ru/, I'm getting an error:
>
> Connection to 2a00:bdc0:3:103:1:0:403:900 failed. (101) Network is unreachable

to solve this problem I just compiled squid without ipv6 support :-)
Re: [squid-users] Squid 3.2.5 wants to use IPv6 address?
19.12.2012 16:29, Ralf Hildebrandt wrote:
> * Dmitry Melekhov d...@belkam.com:
>> 19.12.2012 16:19, Ralf Hildebrandt wrote:
>>> When trying to access http://www.vkontakte.ru/, I'm getting an error:
>>>
>>> Connection to 2a00:bdc0:3:103:1:0:403:900 failed. (101) Network is unreachable
>>
>> to solve this problem I just compiled squid without ipv6 support :-)
>
> dns_v4_first on also solves the issue at hand, but I wonder why that particular hostname will not be contacted using v4..

Well, as I wrote- I don't have ipv6, so I just disabled it :-)

If you want better answer- may be someone have it, I'm interested too ;-)
Re: [squid-users] Squid 3.2.5 wants to use IPv6 address?
20.12.2012 00:05, Eliezer Croitoru wrote:
> Just a nice suggestion to get started on IPV6 if you can and not just disable it.

tell this to my internet provider please :-) there is no ipv6 connections available here.

> Sometime soon IPV6 will be here and you will need to work with it.

will be here- will use ;-)
[squid-users] squid 3.3, https download problem on bad link
Hello! I run squid 3.3.0.2 (just installed, previous version had the same problem too) on ubuntu 12.04 and have problem with files download over https- connection becomes closed after about 50 Mb of download from 4Gb or so files. Looks like there are some link quality problems at this time, but direct (over nat) download or http download over squid works OK. What can I do to improve squid performance in such situations? Thank you!
[squid-users] Going into hit-only-mode for 5 minutes... and wrong urls
Hello!

I switched to 3.HEAD-20120627-r12185 from 2.6 two days ago and now I see in log something like:

2012/08/01 08:25:48 kid1| Failed to select source for 'http://izavia.su/favicon.ico'
2012/08/01 08:25:48 kid1| always_direct = DENIED
2012/08/01 08:25:48 kid1|never_direct = DENIED
2012/08/01 08:25:48 kid1|timedout = 0
2012/08/01 08:28:47 kid1| Failure Ratio at 1.017
2012/08/01 08:28:47 kid1| Going into hit-only-mode for 5 minutes...

Yes, this is situation described in FAQ, but this is just wrong url- user mistake, not DNS or connectivity problem.

Is there any way to avoid this?

Thank you!
[squid-users] acl dstdomain, bypass authorization
Hello!

I need to allow users access some sites without authorization. If I write acl:

acl 1sk dstdomain 1sk.ru
http_access allow our_nets 1sk

it doesn't work but if

acl 1sk dst 194.186.36.214
http_access allow our_nets 1sk

it works. our_nets is

acl our_nets src 192.168.21.0/24 192.168.22.0/24

It is not very good to have acls based on dst ip address, because it can be changed ;-)

Is it possible to use acl dstdomain in my situation?
Re: [squid-users] SQUINT
nonama wrote:
> Hi All,
>
> Has anyone got any experience with configuring SQUINT ? I manage to get it up and out on the browser. It creates directories and html files but all empty and I cannot see any report. Where should I configure for it to grab data from the access log. Kindly help.

you have to start it with parameter :-)

/usr/local/bin/squint.cron.sh weekly
/usr/local/bin/squint.cron.sh daily
...

And as I see in squint.cron.sh it looks for logs in:

for DIR in \
    /var/squid/logs \
    /var/log/squid ; do
    if [ -d $DIR ] ; then LOGDIR=$DIR; fi
done
Re: [squid-users] Squid antivirus
> How to check incoming http traffic for viruses?

We use snort with inline capability and clamav preprocessor. Looks good for things like .js viruses, etc :-)
[squid-users] authorization, number of retries
Hello! Is it possible to not allow users retry authorisation on squid? I.e. can squid show error page just after first failed authorisation attempt? Thank you!
Re: [squid-users] authorization, number of retries
Henrik Nordstrom wrote:
> On Tue, 5 Apr 2005, Dmitry Melekhov wrote:
>> Is it possible to not allow users retry authorisation on squid? I.e. can squid show error page just after first failed authorisation attempt?
>
> Depends. For failed authentication (bad password) you can not. But for failed authorization (account not authorized to use the proxy, or access the requested resource) you can.

Thank you! I moved my checks from one script to another and all is OK now :-)
[squid-users] users authorisation- ip
Hello!

Sorry, I know almost nothing about squid, so my question can be not asked correctly.

We need to use one proxy server for several firms. Each firm will pay to ISP, every firm have block of ip addresses, but one connection to ISP.

What we want- We need to assign several ip addresses from each firm block to proxy server. User authorises on proxy, now proxy knows from which firm user is. And proxy need to send request from ip, belonged to firm's block.

Is it possible with squid? Or, may be, with another proxy?