Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-22 Thread Jatin Bhasin
Hi Alex,

That will be awesome if that works. I will try this option. 

Thanks,
Jatin

> On 23 Aug 2014, at 10:24, Alex Rousskov  
> wrote:
> 
>> On 08/21/2014 07:06 PM, Jatin Bhasin wrote:
>> 
>> So, can somebody suggest whether there is a way to pass a flag to squid
>> from the ecap adapter to decrypt a site regardless of what the ACL says?
>> For example, if I have an acl as below which says do not decrypt
>> www.888.com, could my ecap adapter pass a message to squid asking it to
>> decrypt www.888.com (for that session only) and ignore the acl below?
>> Is it possible?
> 
> 
> Given a recent-enough Squid version, an adaptation service can control
> Squid behavior via the annotations mechanism and the "note" ACL
> associated with it. For example, your eCAP adapter can return an
> X-Bump:yes annotation(**) that Squid can then match using the note ACL.
> Something along these untested lines:
> 
>  acl toBump note X-Bump yes
>  ssl_bump server-first toBump
>  ssl_bump server-first ...
>  ssl_bump none all
> 
> This mechanism should be supported for ssl_bump ACLs but I have not
> tested that claim myself.
> 
> 
> HTH,
> 
> Alex.
> (**) In eCAP terminology, an X-Bump:yes annotation is an adapter
> transaction option named X-Bump with a "yes" value. See
> libecap::Options, which is a parent of libecap::adapter::Xaction.
> 
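As an added example that is not part of the messages above, the lines below put Alex's note ACL next to the no_ssl_interception exemption from the original question. ssl_bump rules are evaluated first-match, so the annotation-driven rule has to come before the exemption; otherwise the "none" rule wins for .888.com whatever the adapter annotated. Alex's caveat stands: whether ssl_bump honours the note ACL in a given Squid version is untested here.

```conf
# Added example: Alex's note ACL combined with the exemption from the
# original question.  The eCAP adapter is assumed to set the
# "X-Bump: yes" transaction option only for sessions it wants decrypted.
acl no_ssl_interception dstdomain .888.com
acl toBump note X-Bump yes

# First match wins: the adapter's request to bump is checked before the
# domain exemption, so .888.com is decrypted only when X-Bump is "yes".
ssl_bump server-first toBump
ssl_bump none no_ssl_interception
ssl_bump client-first all
```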


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

I wanted to block a particular website based on the CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody suggest whether there is a way to pass a flag to squid
from the ecap adapter to decrypt a site regardless of what the ACL says?
For example, if I have an acl as below which says do not decrypt
www.888.com, could my ecap adapter pass a message to squid asking it to
decrypt www.888.com (for that session only) and ignore the acl below?
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin


On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin  wrote:
> Hello,
>
> Yes, that is the same scenario that I have been experiencing, but when
> I call the function (x->blockVirgin()) from my ecap adapter then
> squid does print the "access denied page", which is one of my squid
> error pages. So as I see it, squid does complete the SSL handshake
> and then paints the "access denied page", which works fine.
>
> But if I try to paint a custom message then squid does not complete
> the handshake and just continues to paint the block page, which is then
> rejected by the browser (as the browser is expecting a proper handshake
> before receiving any response data).
>
> Maybe this is a bug in squid or I am not doing it right, but it would
> be great if somebody can suggest if I am doing something wrong.
>
>
> Thanks,
> Jatin
>
> On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
>  wrote:
>> Hello Jatin,
>>
>> Maybe this (for ICAP, not for eCAP) describes your issue -
>> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>>
>> Raf
>> 
>> From: Jatin Bhasin 
>> Sent: Thursday, August 21, 2014 12:47 PM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response 
>> does not work
>>
>> When I see a CONNECT request in my eCap adapter, if I call the
>> function blockVirgin then I see a squid ACCESS DENIED page, which is
>> good.
>>
>> But if, instead of calling blockVirgin, I generate a CUSTOM response
>> message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the
>> response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
>> then it fails.
>>
>> Although the same code (request satisfaction) works if I build a
>> custom response for a GET request.
>>
>> Please suggest how I can achieve a CUSTOM response for a CONNECT.


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

Yes, that is the same scenario that I have been experiencing, but when
I call the function (x->blockVirgin()) from my ecap adapter then
squid does print the "access denied page", which is one of my squid
error pages. So as I see it, squid does complete the SSL handshake
and then paints the "access denied page", which works fine.

But if I try to paint a custom message then squid does not complete
the handshake and just continues to paint the block page, which is then
rejected by the browser (as the browser is expecting a proper handshake
before receiving any response data).

Maybe this is a bug in squid or I am not doing it right, but it would
be great if somebody can suggest if I am doing something wrong.


Thanks,
Jatin

On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
 wrote:
> Hello Jatin,
>
> Maybe this (for ICAP, not for eCAP) describes your issue -
> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>
> Raf
> ________
> From: Jatin Bhasin 
> Sent: Thursday, August 21, 2014 12:47 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does 
> not work
>
> When I see a CONNECT request in my eCap adapter, if I call the
> function blockVirgin then I see a squid ACCESS DENIED page, which is
> good.
>
> But if, instead of calling blockVirgin, I generate a CUSTOM response
> message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the
> response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
> then it fails.
>
> Although the same code (request satisfaction) works if I build a
> custom response for a GET request.
>
> Please suggest how I can achieve a CUSTOM response for a CONNECT.


[squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

When I see a CONNECT request in my eCap adapter, if I call the
function blockVirgin then I see a squid ACCESS DENIED page, which is
good.

But if, instead of calling blockVirgin, I generate a CUSTOM response
message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the
response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
then it fails.

Although the same code (request satisfaction) works if I build a
custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.

I had asked this question on ecap but I was advised to raise this query here.


Thanks,
Jatin


Re: [squid-users] https://weather.yahoo.com redirect loop

2014-08-20 Thread Jatin Bhasin
Hi,

Thanks for that. It solved it for me as well. But does anyone know why this loop
happens and how these squid directives resolve the issue?


Thanks,
Jatin

> On 20 Aug 2014, at 16:16, Amm  wrote:
> 
> 
>> On 08/20/2014 10:52 AM, Jatin Bhasin wrote:
>> And when I browse to https://weather.yahoo.com then it goes in
>> redirect loop. I am using Chrome browser and I get a message at
>> the end saying 'This webpage has a redirect loop'.
> 
> Happens in 3.4 series too.
> 
> I added these in squid.conf as a solution:
> 
> via off
> forwarded_for delete
> 
> Amm


[squid-users] https://weather.yahoo.com redirect loop

2014-08-19 Thread Jatin Bhasin
Hello All,

I am using SSL Bump in transparent mode in squid 3.3.12. And when I
browse to https://weather.yahoo.com then it goes into a redirect loop.
I am using the Chrome browser and I get a message at the end saying 'This
webpage has a redirect loop'.

On checking the developer console I found that response code received
for the GET is 301 Moved Permanently.

But when I go to the same site directly (without squid in the middle)
then it works normally and I see 200 OK for the same GET.


Thanks,
Jatin


Re: [squid-users] Passing Information up to the eCap adapter

2014-07-10 Thread Jatin Bhasin
Hi Antony,

Yes, I need the source and destination MAC address of the packet which
is received by squid (I am happy with that).
Also, I did think at first that squid would not have access to the
source and destination MAC of the packet, as you said that it would
have been stripped off by the networking stack, but then I saw that
squid has acls based on MAC addresses.

Please visit the link below:
http://wiki.squid-cache.org/SquidFaq/SquidAcl

* ACL TYPES AVAILABLE *
arp: Ethernet (MAC) address matching


Seeing this, I hope that we have the MAC address of the packet so that
I can push that information up to the eCap adapter.

Thanks,
Jatin

On Thu, Jul 10, 2014 at 8:46 PM, Antony Stone
 wrote:
> On Thursday 10 July 2014 at 12:34:37, Jatin Bhasin wrote:
>
>> Hello,
>>
>> As I understand currently squid can send client IP address up to the eCap
>> adapter using squid configuration directive *adaptation_send_client_ip.*
>>
>> I needed more information in my eCap adapter so I changed the squid source
>> code to be able to send *Client Port, Destination Address and Destination
>> port* to the eCap adapter.
>>
>> But now my requirement is to be able to pass *source MAC address and
>> destination MAC address* as well to the eCap adapter. But I am not able to
>> understand how I can do it.
>
> What do you mean by destination MAC address?
>
> So long as you're aware that this will be the MAC address of the Squid proxy,
> and not the MAC address of the server with the destination IP address, okay,
> but there's no way for a machine to find out the MAC address of another machine
> which is not on its own local subnet.
>
> That said, I'd be slightly surprised if Squid even knows the MAC addresses
> (they're likely to be stripped off by the networking stack shortly before it
> passes the IP packet to Squid), however I'm happy to be corrected on this by
> someone more familiar with its internals than I am.
>
>
> Regards,
>
>
> Antony.
>
> --
> Normal people think "If it ain't broke, don't fix it".
> Engineers think "If it ain't broke, it doesn't have enough features yet".
>
>  Please reply to the list;
>  please *don't* CC me.


[squid-users] Passing Information up to the eCap adapter

2014-07-10 Thread Jatin Bhasin
Hello,

As I understand currently squid can send client IP address up to the eCap
adapter using squid configuration directive *adaptation_send_client_ip.*

I needed more information in my eCap adapter so I changed the squid source
code to be able to send *Client Port, Destination Address and Destination
port* to the eCap adapter.

But now my requirement is to be able to pass *source MAC address and
destination MAC address* as well to the eCap adapter. But I am not able to
understand how I can do it.

Can someone please guide me on where I should start looking in the squid source
code so that the MAC address can be passed up to the eCap adapter?


Thanks,
Jatin


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-10 Thread Jatin Bhasin
Hello,

1) But because of the firewall rule settings, the only way we can connect
to the internet is through PROXY2. PROXY1 will not be allowed to connect
to the internet. So I cannot go to the internet via PROXY1 and still need to
bump the connection to see the decrypted traffic.
So what are my options? Should I be looking towards changing the squid
code to handle this scenario?


Thanks,
Jatin

On Sun, Jun 8, 2014 at 12:20 PM, Amos Jeffries  wrote:
> On 8/06/2014 10:03 a.m., Jatin Bhasin wrote:
>> Hello,
>>
>> 1) I have to bump the SSL request because I want to pass the decrypted
>> traffic to the eCap adapter so that I can look for viruses in the
>> traffic and block them if found.
>>
>> 2) I cannot introduce Proxy1 in the client browser. The only option I
>> have is PROXY1 sitting in the middle of Client and PROXY2 and then
>> PROXY1 should decrypt the traffic and send it to the ecap adapter for
>> virus checking and block them.
>
> Okay so far so good.
>
> Use intercept rules in the PROXY1 machine's networking stack *without*
> the intercept flag in squid.conf. PROXY1 does not have to do any network
> level un-NAT hacks to process requests destined explicitly to itself or
> any other HTTP proxy.
>
> You may encounter problems getting the decoded traffic back to PROXY2
> though. The released Squid versions do not yet generate CONNECT requests
> for upstream unless one is intercepting port 443 traffic and *bypassing*
> the ssl-bump. PROXY1 will try to use port 443 HTTPS itself.
>
> Amos


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

1) I have to bump the SSL request because I want to pass the decrypted
traffic to the eCap adapter so that I can look for viruses in the
traffic and block them if found.

2) I cannot introduce Proxy1 in the client browser. The only option I
have is PROXY1 sitting in the middle of Client and PROXY2 and then
PROXY1 should decrypt the traffic and send it to the ecap adapter for
virus checking and block them.

> So, client is connecting to Proxy2 with a proxy request - Proxy2 should then
> make the request and return the content.  What's the problem?

Yes, PROXY2 is returning the content but that's encrypted and I want to
see the decrypted traffic to look for viruses in it.


Thanks,
Jatin

On Sun, Jun 8, 2014 at 1:46 AM, Antony Stone
 wrote:
> On Saturday 07 June 2014 at 14:33, Jatin Bhasin wrote:
>
>> Hello,
>>
>> 1) PROXY2 is not configured to bump the traffic and I cannot remove it
>> from the set up.
>
> You don't need a bump if the client is configured to use Proxy2 as a proxy.
>
>> 2) PROXY2 is listening on port 3128. I have to intercept proxy port
>> because all the requests are going to PROXY2  on port 3128 and I have
>> to bump it.
>
> Why do you "have to bump it"?
>
>> Currently Client is connecting to PROXY2 and I cannot change the
>> configuration on PROXY2 to bump the traffic, nor can I remove it
>> from the network setup.
>
> So, client is connecting to Proxy2 with a proxy request - Proxy2 should then
> make the request and return the content.  What's the problem?
>
>> So is this all possible?
>
> Sorry, I'm still trying to work out not whether it's possible, but why it's
> necessary.
>
> A client configured to use a proxy has been able to make SSL/HTTPS requests
> for years - way before Squid's bump feature became available.
>
> It's only when the proxy (Proxy2 in this case) is configured to intercept
> traffic in transparent mode that you can't proxy HTTPS requests and have to
> handle that traffic some other way, but that doesn't appear to be the
> situation in your case:
>
>  - the client is configured to use a proxy
>  - Proxy2 is not running in transparent intercept mode
>
> so again, what doesn't work, which means you need to introduce Proxy1?
>
>
> Antony.
>
> --
> Tinned food was developed for the British Navy in 1813.
>
> The tin opener was not invented until 1858.
>
>  Please reply to the list;
>  please don't CC me.


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

1) PROXY2 is not configured to bump the traffic and I cannot remove it
from the set up.
2) PROXY2 is listening on port 3128. I have to intercept the proxy port
because all the requests are going to PROXY2 on port 3128 and I have
to bump it.

Currently Client is connecting to PROXY2 and I cannot change the
configuration on PROXY2 to bump the traffic, nor can I remove it
from the network setup.

So is this all possible?


Thanks,
Jatin

On Sat, Jun 7, 2014 at 11:24 PM, Antony Stone
 wrote:
> On Saturday 07 June 2014 at 14:16, Jatin Bhasin wrote:
>
>> Hello,
>>
>> We have a test set up as below:
>>
>> Client   <->   SQUID(PROXY1)  <->  PROXY2   <->  SERVER
>>
>> In the above set up Client browser is configured to point to PROXY2.
>> So client sends the CONNECT request to PROXY2.
>>
>> PROXY1 which is running SQUID is transparently detecting this CONNECTION.
>
> 1. Why are you using transparent intercept when the client is configured to
> connect to Proxy2?  Why not just let the client connect, and have Proxy1
> ignore it?
>
> 2. What port number/s are you intercepting?  You would normally use
> transparent intercept on ports 80/443, for example, whereas a client-proxy
> connection would be on 3128.  Why intercept the proxy port, instead of just
> the HTTP port?
>
>> The goal is that PROXY1 should bump the SSL connection between client
>> and the PROXY2.
>
> What's the purpose of this?  Why not just connect from the client to proxy2?
>
>> Hence, I believe that PROXY1 should send the CONNECT request to PROXY2
>> and then all the data transfers occur between PROXY1 and PROXY2.
>> PROXY1 should then bump the traffic and send it to the client.
>>
>> Is this possible? Please suggest the SQUID(PROXY1) configuration
>> settings to achieve this.
>
> Regards,
>
>
> Antony.
>
> --
> "Black holes are where God divided by zero."
>
>  - Steven Wright
>
>  Please reply to the list;
>  please don't CC me.


[squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

We have a test set up as below:

Client   <->   SQUID(PROXY1)  <->  PROXY2   <->  SERVER

In the above set up Client browser is configured to point to PROXY2.
So client sends the CONNECT request to PROXY2.

PROXY1 which is running SQUID is transparently detecting this CONNECTION.

The goal is that PROXY1 should bump the SSL connection between client
and the PROXY2.

Hence, I believe that PROXY1 should send the CONNECT request to PROXY2
and then all the data transfers occur between PROXY1 and PROXY2.
PROXY1 should then bump the traffic and send it to the client.

Is this possible? Please suggest the SQUID(PROXY1) configuration
settings to achieve this.

Thanks,
Jatin


Re: [squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Thanks, I was able to solve this issue by setting up the effective user permissions.

On Tue, May 6, 2014 at 9:22 PM, Amos Jeffries  wrote:
> On 6/05/2014 11:16 p.m., Jatin Bhasin wrote:
>> Hello,
>>
>> icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
>>
>> The above command works fine in squid. But if I run the same command
>> in my eCap adapter I get an error.
>> EPERM (Operation not permitted).
>>
>> Can you please help? Is this related to the way DLLs are handled in Linux?
>
> It is related to the application "effective user" permissions.
>
> The Squid helper program which that code is in needs to be run with
> root user privileges solely in order to do that, whereas the main Squid
> binary running your eCAP library is operating under a protected /
> unprivileged user account when it processes HTTP traffic.
>
> Why are you trying to do ICMP from an eCAP adaptor?
>
> Amos
>


Re: [squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Hello,

Thanks for the response. I have to write an application where I have
to send icmp pings when I receive certain data in my eCap adapter. But
I am stuck at this issue and not able to move forward.

I am running squid with cache_effective_user root. What else would I
have to do to be able to open the socket in my eCap adapter?


Thanks,
Jatin

On Tue, May 6, 2014 at 9:22 PM, Amos Jeffries  wrote:
> On 6/05/2014 11:16 p.m., Jatin Bhasin wrote:
>> Hello,
>>
>> icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
>>
>> The above command works fine in squid. But if I run the same command
>> in my eCap adapter I get an error.
>> EPERM (Operation not permitted).
>>
>> Can you please help? Is this related to the way DLLs are handled in Linux?
>
> It is related to the application "effective user" permissions.
>
> The Squid helper program which that code is in needs to be run with
> root user privileges solely in order to do that, whereas the main Squid
> binary running your eCAP library is operating under a protected /
> unprivileged user account when it processes HTTP traffic.
>
> Why are you trying to do ICMP from an eCAP adaptor?
>
> Amos
>
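As an added example that is not code from the thread, the C below shows how an eCAP adapter (or a small test program built around these functions) can find out whether the process it runs in actually holds CAP_NET_RAW, and fall back to Linux's unprivileged ICMP datagram socket instead of requiring cache_effective_user root. The function names are mine; it assumes Linux with /proc mounted and, for the fallback, the caller's group listed in net.ipv4.ping_group_range.

```c
/* Added example, not from the thread: find out whether the process hosting the
 * eCAP adapter may open an ICMP socket, and why, instead of running Squid as
 * root.  Linux-specific (/proc capability mask, ICMP datagram "ping" sockets). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13  /* bit index of CAP_NET_RAW, see linux/capability.h */

/* Parse the hex mask of a /proc/<pid>/status "CapEff:" line: 1 if capability
 * bit `cap` is set, 0 if clear, -1 on malformed input or out-of-range bit. */
int capmask_has(const char *hexmask, int cap)
{
    char *end;
    unsigned long long mask;
    if (hexmask == NULL || cap < 0 || cap > 63) return -1;
    errno = 0;
    mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || (*end != '\0' && *end != '\n')) return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Same check against the calling process's effective set; -1 without /proc. */
int self_has_cap(int cap)
{
    char line[256];
    int result = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = capmask_has(line + 7 + strspn(line + 7, " \t"), cap);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try the raw socket from the thread; if refused for lack of privilege, fall
 * back to the unprivileged ICMP datagram socket (caller's GID must be inside
 * net.ipv4.ping_group_range).  Returns fd or -1; *kind is raw, dgram or none. */
int open_icmp_socket(const char **kind)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { *kind = "raw"; return fd; }
    if (errno != EPERM && errno != EACCES) { *kind = "none"; return -1; }
    fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    *kind = fd >= 0 ? "dgram" : "none";
    return fd;
}
```

Calling open_icmp_socket() once from the adapter's initialisation and logging the result next to self_has_cap(CAP_NET_RAW_BIT) shows immediately whether the EPERM from the thread is a missing capability rather than a loader issue, and a "dgram" result means the pings work without giving Squid root.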


[squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Hello,

icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);

The above command works fine in squid. But if I run the same command
in my eCap adapter I get an error.
EPERM (Operation not permitted).

Can you please help? Is this related to the way DLLs are handled in Linux?


Thanks,
Jatin