RE: [squid-users] Google SSL searches
Instead of dstdomain, you could use a regular expression. You could use a pattern like:

^(www\.)?(google\.com?(\...)?)

Which would catch:

google.co
google.com
google.co.XX where XX is any two characters
google.com.XX
(with and without www.)

That would probably catch most of them without blocking too many legitimate sites. However, I think Google uses encrypted.google.com for HTTPS.

-Dan

-Original Message-
From: Marcus Kool [mailto:marcus.k...@urlfilterdb.com]
Sent: Monday, July 26, 2010 8:37 AM
To: Henrik Nordström
Cc: Dave Burkholder; squid-users@squid-cache.org
Subject: Re: [squid-users] Google SSL searches

If you want to block HTTPS for Google you need to block it for all domains including google.co.uk, google.com.br, google.co.nz, google.com.au and 130 more.

Henrik Nordström wrote:

Thu 2010-05-27 at 15:35 -0400, Dave Burkholder wrote:

Is there some way to specify via a Squid ACL that requests via port 443 to google.com are blocked, but requests to google.com via port 80 are allowed?

acl https port 443
acl google dstdomain google.com
http_access deny https google

Regards
Henrik
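Added example, not part of the original messages: a check of the posted pattern against constructed host names, beside an end-anchored variant. It assumes the pattern is applied to the request host name (as Squid's dstdom_regex ACL type does) and uses Python's `re` as a stand-in for the POSIX extended syntax; the `ANCHORED` pattern and the host list are assumptions made for this example.

```python
import re

# Pattern exactly as posted in the reply above; it has no end anchor.
POSTED = r"^(www\.)?(google\.com?(\...)?)"
# Assumed tightening, not from the thread: two letters after a literal dot,
# and "$" so nothing may follow the matched name.
ANCHORED = r"^(www\.)?google\.com?(\.[a-z][a-z])?$"

# Constructed host names for the check, not taken from real traffic.
HOSTS = [
    "google.com",
    "www.google.co.uk",
    "google.com.br",
    "encrypted.google.com",
    "google.community.example",
    "google.com.example.net",
]

def matches(pattern, host):
    """True if the pattern matches the host name, ignoring case (like -i)."""
    return re.search(pattern, host, re.IGNORECASE) is not None

def compare(hosts):
    """Map each host to (matched by POSTED, matched by ANCHORED)."""
    return {h: (matches(POSTED, h), matches(ANCHORED, h)) for h in hosts}

if __name__ == "__main__":
    for host, (posted, anchored) in compare(HOSTS).items():
        print(f"{host:28} posted={posted!s:5} anchored={anchored}")
```

Neither pattern covers encrypted.google.com, so that host needs its own ACL entry.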
RE: [squid-users] File Descriptors
Did you set the limit before you compiled it? The upper limit is set at compile time. I ran into this problem myself.

-Dan

-Original Message-
From: Superted666 [mailto:ruckafe...@gmail.com]
Sent: Mon 7/5/2010 3:33 PM
To: squid-users@squid-cache.org
Cc:
Subject: [squid-users] File Descriptors

Hello,

Got an odd problem with file descriptors I'm hoping you guys could help me out with?

Background

I'm running CentOS 5.5 and squid 3.0 Stable 5. The system is configured with 4096 file descriptors with the following:

/etc/security/limits.conf
*- nofile 4096

/etc/sysctl.conf
fs.file-max = 4096

Also /etc/init.d/squid has ulimit -HSn 4096 at the start.

Problem

Running a ulimit -n on the box does indeed show 4096 connectors but squid states it is using 1024 despite what is said above. I noticed this because I'm starting to get warnings in the logs about file descriptors...

Any help greatly appreciated.

Thanks
Ed

Ed
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/File-Descriptors-tp2278923p2278923.html
Sent from the Squid - Users mailing list archive at Nabble.com.
RE: [squid-users] SQUID 3.1 + sslBump https interception and decryption
From: Franz Angeli [mailto:franz.ang...@gmail.com]

I configured one Debian box with squid 3.1 (compiling it with ssl support) enabling sslBump feature with a self signed certificate, obviously browser and applications warn about the certificate but all seems to work.

Is there a way to use trusted certificate for removing that warning (sorry for this dumb question but some applications don't permit certificate exception list like Firefox for example)?

If you have the signed certificate for the URL you're developing for, then yes, you can use the certificate. For example, if your app is going to app.squid-cache.org and you have the signed certificate for app.squid-cache.org or *.squid-cache.org, then everything will be happy.

But, if you're trying to intercept the traffic for a third-party domain, no, you can't. The best you can do is to create your own CA and add the public certificate to the browser/application, if it even allows you to.

-Dan
RE: [squid-users] Logging failed authentication requests
-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 10:56 PM

Mellem, Dan wrote:

Hi, Thanks for your response. Please see below.

From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 7:33 PM

On Wed, 07 Apr 2010 19:12:53 -0700, Mellem, Dan

I do a:

tail -f access.log | fgrep 'my IP address'

and only get responses for allowed traffic. I also don't have any 407s at all in the log. You said the logging is on by default. Is there a way to turn it off or to turn on debugging that would show where it's getting dropped?

[...]

If I type the wrong password, I get re-prompted for authentication again. I get the normal:

GET
407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (wrong password)
407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (right password)
200 OK

Okay that's good then. Those 407 _should_ be in the access.log. If you grep the log for 407 (note the spaces) or the date and minute when the tests were done instead of your IP you may see them. It should have been visible with an IP though.

The only ways to get things not logged are to add ACL after the specific access_log line, or to add log_access lines preventing things being logged globally.

Amos

Hi, Amos,

I searched the logs for 407 results and didn't find any at all (I searched for ' 407 ' since I was getting some file sizes of 407 bytes [the pattern ' 404 ' did find matches]). The access log is the default, and has no ACL associated.

access_log /usr/local/squid/var/logs/access.log

There are no log_access entries in the configuration, either.

Update: OK, I found the problem. The accessLogLog() function in access_log.c had been altered to only log successful requests. It was left over from an old Smartfilter installation. I commented out the lines and I'm now getting the 407 entries in the log.

Thanks for your help.

-Dan
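Added example, not part of the original messages: once 407 responses reach access.log, this counts them per client address, which is the goal stated in this thread of tracing password guessers by source IP. It assumes the Common Log Format written with emulate_httpd_log on; the sample lines are constructed, and the threshold of 3 is an assumed value. Matching on the status field rather than grepping for ' 407 ' avoids the 407-byte file-size collision mentioned above.

```python
import re
from collections import Counter

# Fields of an access.log line written with emulate_httpd_log on
# (Common Log Format): client ident user [time] "request" status bytes ...
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = """\
192.0.2.10 - - [07/Apr/2010:19:40:01 -0700] "GET http://example.com/ HTTP/1.1" 407 1789 TCP_DENIED:NONE
192.0.2.10 - - [07/Apr/2010:19:40:03 -0700] "GET http://example.com/ HTTP/1.1" 407 1789 TCP_DENIED:NONE
192.0.2.10 - - [07/Apr/2010:19:40:05 -0700] "GET http://example.com/ HTTP/1.1" 407 1789 TCP_DENIED:NONE
192.0.2.10 - - [07/Apr/2010:19:40:07 -0700] "GET http://example.com/ HTTP/1.1" 407 1789 TCP_DENIED:NONE
192.0.2.20 - - [07/Apr/2010:19:41:00 -0700] "GET http://example.org/ HTTP/1.1" 407 1789 TCP_DENIED:NONE
192.0.2.20 - alice [07/Apr/2010:19:41:02 -0700] "GET http://example.org/ HTTP/1.1" 200 5120 TCP_MISS:DIRECT
192.0.2.30 - bob [07/Apr/2010:19:42:00 -0700] "GET http://example.net/x.gif HTTP/1.1" 200 407 TCP_MISS:DIRECT
""".splitlines()

def count_407(lines):
    """Count responses whose status field is 407, per client address."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if m and m.group("status") == "407":
            hits[m.group("client")] += 1
    return hits

def suspects(lines, threshold=3):
    """Clients with at least `threshold` 407s; the threshold is an assumption."""
    return sorted((c, n) for c, n in count_407(lines).items() if n >= threshold)

if __name__ == "__main__":
    for client, n in suspects(SAMPLE):
        print(client, n)
```

A single 407 followed by a 200 is the normal challenge sequence shown in the thread, so only repeated 407s from one address are reported.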
RE: [squid-users] url_regex file format
-Original Message-
From: Jean-Luc Wasmer [mailto:sq...@2010.jl.wasmer.ca]
Sent: Thursday, April 08, 2010 1:02 PM

Hi,

What is the format of the regex file when defining an ACL based on regexes?

Just a list of matches. E.g.:

^http://www\.google\.com #Allow access to Google
# News sites
^http://news\.yahoo\.com
^http://news\.google\.com

Can I have comments in there?

Yes.

What is the -i option for?

Not case sensitive. It's like the -i flag for grep.

Also, what RE are supported?

The same as egrep / grep -E.

Thanks,
Jean-Luc

-Dan
[squid-users] Logging failed authentication requests
Hi,

We're running Squid version 2.6. In our configuration, some URLs require proxy authentication so we use the squid_ldap_auth helper with basic auth. Everything works fine.

We would like to log any password failures, including the source IP address, to track down password guessers. The failure could be logged to access.log or to another log. Only successful requests are logged currently. Is there any way to log authentication failures?

I've been digging through acl.c, authenticate.c, and client_side.c to see if there's something in there, but I'm not familiar with the source. I could log from the helper but only the username and password are available to it.

Just in case any of this is helpful, here are a few lines from the config:

emulate_httpd_log on
auth_param basic program /usr/local/squid/libexec/multi_auth
access_log /usr/local/squid/var/logs/access.log
acl authenticated proxy_auth REQUIRED
(other ACLs)
http_access allow no_auth
http_access allow no_auth_dst
http_access allow no_auth_regex
http_access deny wireless
http_access allow authenticated
http_access deny all

Thank you,
-Dan
RE: [squid-users] Logging failed authentication requests
Hi, Thanks for your response. Please see below.

From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, April 07, 2010 7:33 PM

On Wed, 07 Apr 2010 19:12:53 -0700, Mellem, Dan

access.log or to another log. Only successful requests are logged currently. Is there any way to log authentication failures?

They _are_ logged by default. Reply status codes 401 and 407 in access.log are failed www-server and proxy authentication attempts respectively which were re-challenged. Other denials will be logged with other 4xx codes.

I do a:

tail -f access.log | fgrep 'my IP address'

and only get responses for allowed traffic. I also don't have any 407s at all in the log. You said the logging is on by default. Is there a way to turn it off or to turn on debugging that would show where it's getting dropped?

Just in case any of this is helpful, here are a few lines from the config:

emulate_httpd_log on
auth_param basic program /usr/local/squid/libexec/multi_auth
access_log /usr/local/squid/var/logs/access.log
acl authenticated proxy_auth REQUIRED
(other ACLs)
http_access allow no_auth
http_access allow no_auth_dst
http_access allow no_auth_regex
http_access deny wireless
http_access allow authenticated
http_access deny all

Problem: None of your ACL involve denial based on auth credentials. Therefore bad auth credentials will never be challenged, only the general access denied will ever happen.

So ... non-working credentials may show up in the access.log as a 404/403 status with NONE/- for the source information.

If I type the wrong password, I get re-prompted for authentication again. I get the normal:

GET
407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (wrong password)
407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (right password)
200 OK

I'm not sure what I'd need to specifically deny if authentication fails. Do you have an example?

The Squid FAQ http://wiki.squid-cache.org/Features/Authentication suggests something like:

auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all

and that's what I have. It also talks about adding a deny with a negated group if there's some point where they need to change authentication, but, the way I'm reading the FAQ, it doesn't look like the deny is usually needed.

Thanks again,
-Dan