Re: [squid-users] deny_info TCP_RESET all for hiding squid
On 6/08/2013 12:57 a.m., Alfredo Rezinovsky wrote:
> I need a squid in tproxy mode to work in stealth mode

Please outline the requirements of your stealth mode and we might be able to offer suggestions.

Hint: You *will* come down to the choice of whether to advertise the proxy existence in HTTP protocol things or break clients' connectivity.

Hint #2: no matter what choice you select from the above the proxy becomes visible. Even by its action of breaking the connectivity it reveals itself.

... There is *no* stealth mode.

> I tried deny_info TCP_RESET all

Well. That tells me you will choose to break clients' connectivity.

deny_info outlines the response action Squid is to deliver to the client if an *access control* has explicitly resulted in deny all. It has no effect on:

* default access permission policies (ie denial due to an access control setting being completely absent from squid.conf)
* HTTP protocol parsing or processing error responses (including timeouts). These are *mandatory* in most cases.
* HTTP protocol auto-negotiation features. Such as rejecting unsupported Expect: functionality. These are *mandatory* in some circumstances.

> but when squid times out or the destination server rejects the connection squid returns an error. I want squid to just reset the connection with no messages.

Note that some of the responses I qualified with "most cases" and "some circumstances". At present Squid has a blanket sending out of those responses in all such occurrences. This can be improved upon, but simply does not exist yet in Squid.

Amos
[squid-users] deny_info TCP_RESET all for hiding squid
I need a squid in tproxy mode to work in stealth mode.

I tried deny_info TCP_RESET all but when squid times out or the destination server rejects the connection squid returns an error. I want squid to just reset the connection with no messages.

--
Alfrenovsky
Re: [squid-users] deny_info TCP_RESET all ?
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page. Can somebody help me troubleshoot this problem .. thks in advance.
>
> What that config statement means is: When user is blocked by the 'all' ACL, reset their TCP connection immediately.
>
> okay .. I see what you mean ...
>
> To use: add 'all' at the end of each *_access line you want clients to receive no error page from.
>
> now ... let us take an example ... let's imagine somebody connects on this squid and types something completely wrong ...
>
> $ telnet localhost 80
> ..
> Escape character is '^]'.
> hsjhdqksdkqshdkjqshkd
>
> .. this is the config ..
>
> acl PROTO proto HTTP
> acl METHOD method GET
> ..
> http_access deny !PROTO
> deny_info TCP_RESET PROTO
> ..
> http_access deny !METHOD
> deny_info TCP_RESET METHOD
>
> below lines I received in cache.log files ( with debug activated so I get the internal parsing ). You see squid really complains due to invalid method, so he considers this as a bad request ..
>
> 2008/08/25 16:26:18| parseHttpRequest: Unsupported method 'hsjhdqksdkqshdkjqshkd
> 2008/08/25 16:26:18| clientReadRequest: FD 13 (x.x.x.x:50535) Invalid Request
>
> but as you can see I still get a text/html response ..
>
> $ telnet localhost 80
> ..
> Escape character is '^]'.
> hsjhdqksdkqshdkjqshkd
> HTTP/1.0 400 Bad Request
> Server: squid/2.6.STABLE16
> Date: Mon, 25 Aug 2008 14:26:18 GMT
> Content-Type: text/html
> Content-Length: 1200
> Expires: Mon, 25 Aug 2008 14:26:18 GMT
> ..
>
> So I tested some other things with success and I see your explanation is completely right ... but what did I do wrong in this case ?? thks for your help.
>
> Amos

(NP: to general readers, only half of the text above attributed to me is by me, the rest is by VB.)

In my experience Squid has some weirdness where the deny_info needs to be created before any http_access lines that are expected to use it. Moving it up a line or two might show different results.

Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE8
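An added example, not part of the original posts and not Squid's own tooling: a small Python check that applies the two pieces of advice in this thread to a squid.conf, namely that deny_info is tied to the last ACL on a deny line and that, in the reply's experience, it should be declared before the http_access lines that use it. The function name, status labels and both sample configs are constructed for illustration, and treating `!NAME` as `NAME` is an assumption.

```python
import re

# Constructed sample: rule order as posted in the thread (deny_info after its deny line).
THREAD_CONF = """\
acl PROTO proto HTTP
acl METHOD method GET
http_access deny !PROTO
deny_info TCP_RESET PROTO
http_access deny !METHOD
deny_info TCP_RESET METHOD
"""

# Constructed sample: same rules with every deny_info moved above the deny lines.
REORDERED_CONF = """\
acl PROTO proto HTTP
acl METHOD method GET
deny_info TCP_RESET PROTO
deny_info TCP_RESET METHOD
http_access deny !PROTO
http_access deny !METHOD
"""

def audit_deny_rules(conf_text):
    """Return [(line_no, acl, status)] for each '*_access deny' line.
    status: 'reset' if 'deny_info TCP_RESET <acl>' for the last ACL on the line
    appears earlier in the file, 'reset-declared-late' if only after it,
    'error-page' if there is none."""
    reset_at, denies = {}, []  # ACL -> first deny_info line; (line, last ACL)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) < 3:
            continue
        if tokens[0] == "deny_info" and tokens[1] == "TCP_RESET":
            for name in tokens[2:]:
                reset_at.setdefault(name, no)
        elif re.fullmatch(r"\w+_access", tokens[0]) and tokens[1] == "deny":
            # Assumption of this example: '!NAME' is looked up as NAME.
            denies.append((no, tokens[-1].lstrip("!")))
    report = []
    for no, name in denies:
        if name not in reset_at:
            status = "error-page"
        else:
            status = "reset" if reset_at[name] < no else "reset-declared-late"
        report.append((no, name, status))
    return report

if __name__ == "__main__":
    print(audit_deny_rules(THREAD_CONF), audit_deny_rules(REORDERED_CONF))
```

A `reset` result only covers ACL denials; the 400 Bad Request shown in the thread comes from request parsing, which the 2013 reply lists as outside deny_info's reach.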
[squid-users] deny_info TCP_RESET all ?
just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page.

Can somebody help me troubleshoot this problem .. thks in advance.

-
ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
-
Re: [squid-users] deny_info TCP_RESET all ?
[EMAIL PROTECTED] wrote:
> just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page.
>
> Can somebody help me troubleshoot this problem .. thks in advance.

What that config statement means is: When user is blocked by the 'all' ACL, reset their TCP connection immediately.

To use: add 'all' at the end of each *_access line you want clients to receive no error page from.

Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE8
RE: [squid-users] deny_info TCP_RESET all ?
[EMAIL PROTECTED] wrote:
> just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page. Can somebody help me troubleshoot this problem .. thks in advance.
>
> What that config statement means is: When user is blocked by the 'all' ACL, reset their TCP connection immediately.

okay .. I see what you mean ...

> To use: add 'all' at the end of each *_access line you want clients to receive no error page from.

now ... let us take an example ... let's imagine somebody connects on this squid and types something completely wrong ...

$ telnet localhost 80
..
Escape character is '^]'.
hsjhdqksdkqshdkjqshkd

.. this is the config ..

acl PROTO proto HTTP
acl METHOD method GET
..
http_access deny !PROTO
deny_info TCP_RESET PROTO
..
http_access deny !METHOD
deny_info TCP_RESET METHOD

below lines I received in cache.log files ( with debug activated so I get the internal parsing ). You see squid really complains due to invalid method, so he considers this as a bad request ..

2008/08/25 16:26:18| parseHttpRequest: Unsupported method 'hsjhdqksdkqshdkjqshkd
2008/08/25 16:26:18| clientReadRequest: FD 13 (x.x.x.x:50535) Invalid Request

but as you can see I still get a text/html response ..

$ telnet localhost 80
..
Escape character is '^]'.
hsjhdqksdkqshdkjqshkd
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE16
Date: Mon, 25 Aug 2008 14:26:18 GMT
Content-Type: text/html
Content-Length: 1200
Expires: Mon, 25 Aug 2008 14:26:18 GMT
..

So I tested some other things with success and I see your explanation is completely right ... but what did I do wrong in this case ?? thks for your help.

> Amos
> --
> Please use Squid 2.7.STABLE4 or 3.0.STABLE8