Re: [squid-users] Searching squid logs for pornographic sites

2008-06-12 Thread Jancs

Quoting Rob Asher <[EMAIL PROTECTED]>:

blocking egress traffic for everything except known services (our own proxies) so anonymous proxies and VPNs won't be able to connect UNLESS they can get to them through the proxies somehow. Things like PHProxy and all the anonymizing sites make it tougher. There are ways around anything I know, but we adapt and keep plugging away.


but there still exists the possibility to connect to an outside service sitting on, for example, port 80 or 443 (actually very easily achievable with average skills and working like a charm), and then what? The only thing which can help in that case is packet analysis (I assume).


J.


This message was sent using IMP, the Internet Messaging Program.




Re: [squid-users] Configuring cache_peer to use ssl

2008-05-15 Thread Jancs

Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:


A workaround is to forward CONNECT requests over http as usual instead of wrapping them in yet another ssl layer. Another workaround, if you really MUST wrap the CONNECT requests in SSL between the proxy servers, is to offload the SSL wrapper from Squid by using stunnel. Or the better solution is to fix Squid to behave properly and establish the SSL wrapper on CONNECT requests forwarded to ssl peers just as it does for normally forwarded http requests...


it's clear regarding stunnel, but the second option is not for me - I only know what C is and what it is used for, not more.


btw - do you know how to start stunnel at the system's start (from a start-up script)? I am able to fire it up only manually from a root shell.


Janis






Re: [squid-users] Configuring cache_peer to use ssl

2008-05-15 Thread Jancs

Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:


On Thu, 2008-05-15 at 11:27 +0300, Jancs wrote:


2008/05/15 11:20:04| clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)


This means a proxy client contacted a https_port when it should have
talked to a http_port.


didn't get it:

I am on my machine trying to contact https://sourceforge.net/my/; my browser contacts the "slave" cache, which in its turn connects to the parent cache using ssl, and the parent is supposed to connect to the site I want. Nowhere is the use of http_port intended.


actually, the broken session in the log shows like this:

-BEGIN SSL SESSION PARAMETERS-
...
-END SSL SESSION PARAMETERS-
followed by 10 of

2008/05/15 18:58:40| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

normally (when not connecting to explicit https sites), only
-BEGIN SSL SESSION PARAMETERS-
...
-END SSL SESSION PARAMETERS-
are observed, and I hope the communications between the proxies are going on over a secure channel


Janis






Re: [squid-users] Configuring cache_peer to use ssl

2008-05-15 Thread Jancs

Quoting Amos Jeffries <[EMAIL PROTECTED]>:


in access.log
192.168.0.1 TCP_MISS/000 0 CONNECT sourceforge.net:443 - FIRST_UP_PARENT/__ip__ -



What does cache.log have to say about those failed requests?
What version is the parent cache? Same details from them if possible.


it says nothing


And finally, does the patch for the bug change things?
http://www.squid-cache.org/bugs/show_bug.cgi?id=2332


after applying the patch on STABLE5, on the parent proxy side I see such messages:

2008/05/15 11:20:04| clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)


or:

2008/05/15 11:25:54| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)


BUT - only in case I am trying to connect to https:// sites. For the normal ones everything works.


Both ends are identical - Slackware 12.1, squid 3.0STABLE5 with the patch, running now with log level 1


Janis




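The "packet analysis" Janis assumes is the only option in the egress-filtering thread above, and the "https proxy request" error in this cache_peer thread, come down to the same question: are the first bytes a client sent on a port actually a TLS ClientHello? The block below is an added example, not code from the squid-users thread, from Squid or from OpenSSL. It classifies the opening bytes of a connection, extracts the SNI from a ClientHello so an egress allow-list can be applied by name, and reports a plaintext CONNECT request line, which is the condition OpenSSL is reporting when SSL23_GET_CLIENT_HELLO fails with "https proxy request" (the SSL socket received an HTTP CONNECT instead of a hello). build_client_hello, the sample inputs, the allow-list and the verdict strings are all constructed for this example; a real deployment would feed it the first TCP segment of each new flow from a capture or a span port.

```python
"""Classify the first bytes a client sent on a TCP port (added example)."""
import struct

# Constructed sample: what an upstream Squid sees on an ssl cache_peer port
# when the child forwards a CONNECT in plaintext instead of inside TLS.
CONNECT_REQUEST = (b"CONNECT sourceforge.net:443 HTTP/1.1\r\n"
                   b"Host: sourceforge.net:443\r\n\r\n")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ",
                b"OPTIONS ", b"DELETE ")


def parse_client_hello_sni(data: bytes):
    """Return the server_name (SNI) from a TLS ClientHello, or None when
    the bytes are not a ClientHello or carry no SNI extension."""
    if len(data) < 5 or data[0] != 0x16:          # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # hello without extensions
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(ext) >= 5:        # extension 0 = server_name
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_type, name_len = ext[2], struct.unpack("!H", ext[3:5])[0]
            if name_type == 0 and len(ext) >= 5 + name_len:
                return ext[5:5 + name_len].decode("ascii", "replace")
    return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (constructed test input for this example, not a captured hello)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32           # client_version, random
            + b"\x00"                             # session_id length 0
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify(data: bytes):
    """Return (kind, detail) for the first bytes a client sent."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return ("tls", parse_client_hello_sni(data))
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2-hello", None)              # SSLv2-format CLIENT-HELLO
    first_line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    if data.startswith(b"SSH-"):
        return ("ssh", first_line.decode("ascii", "replace"))
    if data.startswith(HTTP_METHODS):
        return ("http-plaintext", first_line.decode("ascii", "replace"))
    return ("unknown", None)


def egress_verdict(data: bytes, allowed_sni) -> str:
    """Illustrative policy for a network that only permits known services
    on 443: anything that is not TLS to an allowed name gets flagged."""
    kind, detail = classify(data)
    if kind == "tls":
        if detail is None:
            return "review: TLS ClientHello without SNI"
        return "allow" if detail in allowed_sni else \
            "block: SNI %s not in allow-list" % detail
    if kind == "http-plaintext":
        return "review: plaintext HTTP on a TLS port (%s)" % detail
    return "block: %s traffic on a TLS port" % kind


if __name__ == "__main__":
    allowed = {"sourceforge.net"}                 # assumed allow-list
    for sample in (build_client_hello("sourceforge.net"),
                   build_client_hello("evil.example"),
                   CONNECT_REQUEST,
                   b"SSH-2.0-OpenSSH_4.7\r\n"):
        print(classify(sample), "->", egress_verdict(sample, allowed))
```

Run against the first segment of each new flow to port 443, this is the minimal form of the packet analysis the egress thread mentions: an SSH or VPN endpoint that merely listens on 443 comes back as ssh or unknown rather than tls, a TLS session to a name outside the allow-list is reported by its SNI, and a client that was pointed at an https_port instead of an http_port shows up as http-plaintext with its CONNECT line, which is the same mismatch behind the clientNegotiateSSL error in the cache.log lines above. The parser only reads the first record, so a ClientHello split across TCP segments needs reassembly before the check.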




Re: [squid-users] Configuring cache_peer to use ssl

2008-05-08 Thread Jancs

Quoting Amos Jeffries <[EMAIL PROTECTED]>:


Janis wrote:


I succeeded in setting up a chain of proxies using ssl for inter-communication, but - I lost the possibility to tunnel https requests - instead of it I get an empty page without any messages.


Where should I look to correct this?


Could be TCP issues with window scaling, or ECN, or HTTP server issues with chunked encoding. Google has the answers to both.


in the cache.log I am getting such messages:

192.168.0.1 TCP_MISS/000 0 CONNECT sourceforge.net:443 - FIRST_UP_PARENT/__ip__ -


(Squid 3.0.ST5)

