Wouldn't it be better to have a pipe option (a helper with persistence -
I'm thinking of postfix options here) and a totally separate project to
handle encryption and mitm? If you had something independent to help, you
might be able to detect other protocols and handle them properly vs
different
Sounds good,
but server world is not end on Linux. ;)
Now exists another *NIX systems. And will exists further.
Also. I have an idea, gents.
Do we can easy and quickly detect SSL Pinned destinations? And remember
it, for example, in database?
On 01/01/15 00:11, James Harper wrote:
The helper connects to the IP:port and tries to obtain the certificate, and
then caches the result (in an sqlite database). If it can't do so within a
fairly
short time it returns failure (but keeps trying a bit longer and caches it for
next time).
Don't think so.
AFAIK, the firewall-based/external router solution will be
OS/infrastructure-specific. Also, separate subsystem also will be heavy
and KISS-aware. I.e crutch. :)
So, I think all we need - good fast and scalable helper for external
Much of the discussion so far has been about bumping traffic on port 443,
bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
other traffic. Since port 443 is used for many protocols, it is in many
cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
are common,
Yuri,
Do not worry, I need more to be offended
Yes regexp is great but this is not clear for all, I mean they have to
understand regexp and speak Perl...
Nice to see you reach 70% with your rules, I really doubt about the 70% with
those simple rules but I'm ready to believe you.
Maybe you could
May be.
Now on my production server hit ratio is:
http://i.imgur.com/7E6RXq7.png
Yes, regular expressions takes long time to debug for me. :) Also, this
is not at all - I also use very custom refresh_pattern rules. Which is
violates HTTP. ;)
On 01/05/2015 11:11 AM, Yuri Voinov wrote:
And also:
don't forget about bogus homebrew internet-bankings. Which is uses bogus
SSL-certs with bogus GOST realisations. And bogus Java-based clients. All of
them also uses 443 port. And often HTTPS
Hi All,
Advanced Caching Add-On for Linux Squid Proxy Cache for Videos, Music,
Images, Libraries and CDNs.
By default your existing Squid Proxy Cache cannot properly cache most
popular multi-media websites like YouTube, Netflix, Facebook, DailyMotion,
Vimeo, Vevo, Google Maps Apps, Apple,
Sure :)
do not be offended. :)
But regexp is great, is it? ;)
05.01.2015 19:47, Stakres wrote:
Hi Yuri,
Does the we don't need means you don't need or do you speak for all
users of Squid ?
We have done tons of tests with the
I think,
non-HTTP/HTTPS security issues is never ever Squid function.
Squid is not all-in-one-security-solution. It's only HTTP proxy.
For others security breaches (i.e SSH tunnels, various browser
tunnel-related plugins, Tor etc., ) we have
Hi Yuri,
Does the we don't need means you don't need or do you speak for all
users of Squid ?
We have done tons of tests with the storeid_file_rewrite, sorry to tell
you it does not achieve 70% because:
- The prog you provide is nude, I mean there is 1 example only
- Admins have to check hundred
Hi.
I am Priya. I want to modify the squid code only in places where it is
actually communicating with the hardware to send or receive packets. I do
not intend to change its functionality or how it works.
I am facing some difficulty in understanding the full code. If I could get
some hints on
This is not right.
We HAVE good cache solution in our current Squid proxy.
It named storeid_file_rewrite. And it built in Squid by default.
All we need - right config for it.
We have it. It's quick and easy solution with half-dozen regular
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.
Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or
do you just mean that
Wait a minute, gents.
What about ICAP? What I skipped?
05.01.2015 20:38, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being discussed
here but I have to
question your last line:
i.e. there is not yet an
On 6/01/2015 2:27 a.m., Priya Agarwal wrote:
Hi.
I am Priya. I want to modify the squid code only in places where it
is actually communicating with the hardware to send or receive
packets. I do not intend to change its functionality or how it
On 01/05/2015 05:18 PM, Yuri Voinov wrote:
We haven't filtering non_HTTP over port-443. Just recognize and
pass.
So let's separate security which is one of the goals of squid and
which some like and other don't.
For now squid 3.4 is stable and 3.5
On 10.12.14 17:09, Amos Jeffries wrote:
I'm looking for advice on figuring out what is causing intermittent
high CPU usage.
It appears that the connections gradually gain more and more notes with
the key token (and values containing Kerberos tokens). I haven't been
able to reproduce the
Hey Steve,
Can you share the squid -v output and the OS you are using?
Eliezer
On 01/05/2015 06:29 PM, Steve Hill wrote:
On 10.12.14 17:09, Amos Jeffries wrote:
I'm looking for advice on figuring out what is causing
intermittent high CPU
Agreed.
I'm expert on shell, not Perl/Python. :)
But will try to make some useful with it.
05.01.2015 22:28, Eliezer Croitoru wrote:
On 01/05/2015 05:18 PM, Yuri Voinov wrote:
We haven't filtering non_HTTP over port-443. Just recognize and
On 05.01.15 16:35, Eliezer Croitoru wrote:
Can you share the squid -v output and the OS you are using?
Scientific Linux 6.6, see below for the squid -v output.
I've now more or less confirmed that this is the cause of my performance
problems - every so often I see Squid using all the CPU
Did you have the chance to take a look at bug 3997:
http://bugs.squid-cache.org/show_bug.cgi?id=3997
The issue is being tested and there is something that causing it and
from my understanding squid does something wrong but I cannot confirm
it as the
On 6/01/2015 6:01 a.m., Priya Agarwal wrote:
Thank you for the reply.
I do not intend to change its functionality. I just want to make it
run on a processor (Freescale's T4240). For that it has to use some
new architectural features (Data Path
On 01/05/2015 12:38 PM, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.
Is that not the whole point of Squid's ICAP
We haven't filtering non_HTTP over port-443. Just recognize and pass.
05.01.2015 21:15, Marcus Kool wrote:
On 01/05/2015 12:38 PM, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being
discussed here but I