Re: [squid-users] Squid and systemd

2018-06-14 Thread James Lay
le and in squid.conf are the same. > Marcus > On 13/06/18 09:27, James Lay wrote: > Well...I'll just say up front that systemd is not my friend. When > running squid via cli: sudo /opt/squid/sbin/squid it runs like a > champ. But using the service file at: > https://raw.githubu

[squid-users] Squid and systemd

2018-06-13 Thread James Lay
Well...I'll just say up front that systemd is not my friend. When running squid via cli: sudo /opt/squid/sbin/squid it runs like a champ. But using the service file at: https://raw.githubusercontent.com/squid-cache/squid/master/tools/systemd/squid.service it times out after a few: 06:20:11 gat

Re: [squid-users] About to upgrade from 3 to 4

2018-06-10 Thread James Lay
On Sun, 2018-06-10 at 19:55 +1200, Amos Jeffries wrote: > On 10/06/18 02:23, James Lay wrote: > On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote: > On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote: > On 10/06/18 01:02, James Lay wrote: > So in my config file I have: > ss

Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote: > On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote: > > On 10/06/18 01:02, James Lay wrote: > > > > So in my config file I have: > > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB > >

Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote: > On 10/06/18 01:02, James Lay wrote: > > So in my config file I have: > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB > However I do not see this after compiling and installing. Has this > goneaway in 4?

Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Fri, 2018-06-08 at 09:36 -0600, James Lay wrote: > On Sat, 2018-06-09 at 03:04 +1200, Amos Jeffries wrote: > > On 09/06/18 02:33, James Lay wrote: > > Hey all! > > Topic says it...I'm starting to look at doing an upgrade from 3 to > > 4. Any glaring surprises? D

Re: [squid-users] About to upgrade from 3 to 4

2018-06-08 Thread James Lay
On Sat, 2018-06-09 at 03:04 +1200, Amos Jeffries wrote: > On 09/06/18 02:33, James Lay wrote: > Hey all! > Topic says it...I'm starting to look at doing an upgrade from 3 to > 4. Any glaring surprises? Doing a transparent forward proxy with > some peek/splice for conten

[squid-users] About to upgrade from 3 to 4

2018-06-08 Thread James Lay
Hey all! Topic says it...I'm starting to look at doing an upgrade from 3 to 4. Any glaring surprises? Doing a transparent forward proxy with some peek/splice for content filtering only (no decryption). Has anyone gone through an upgrade, and how painful was it, if at all? Thank you. James___

Re: [squid-users] Working peek/splice no longer functioning on some sites

2017-12-03 Thread James Lay
On 2017-11-29 07:29, Amos Jeffries wrote: On 28/11/17 03:50, James Lay wrote: On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote: Perhaps an alternative is to peek only on step1: acl step1 at_step SslBump1 ssl_bump peek step1 acl allowed_https_sites ssl::server_name_regex "/opt/etc/

Re: [squid-users] Working peek/splice no longer functioning on some sites

2017-11-27 Thread James Lay
d_https_sites > ssl_bump terminate all Hrmm...wouldn't that negate the ability to read the cert on step2? In layman's terms I'm thinking: "peek at step1" "splice acl allow matched sni's" "peek at step2" "splice acl allow'd matched certs"

Re: [squid-users] Working peek/splice no longer functioning on some sites

2017-11-25 Thread James Lay
On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote: > On 26/11/17 00:52, James Lay wrote: > > > > On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote: > > > > > > On 25/11/17 08:30, James Lay wrote: > > > > > > > > Topic says it..

Re: [squid-users] Working peek/splice no longer functioning on some sites

2017-11-25 Thread James Lay
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote: > On 25/11/17 08:30, James Lay wrote: > > > > Topic says it...this setup has been working well for a long time, > > but  > > now there are some sites that are failing the TLS handshake. > >  Here's my

Re: [squid-users] Working peek/splice no longer functioning on some sites

2017-11-24 Thread James Lay
I should add this is squid-3.5.27.  Thank you. On Fri, 2017-11-24 at 12:30 -0700, James wrote: > Topic says it...this setup has been working well for a long time, but > now there are some sites that are failing the TLS handshake.  Here's > my setup: > > acl localnet src 192.168.1.0/24 > acl SSL_po

[squid-users] Working peek/splice no longer functioning on some sites

2017-11-24 Thread James Lay
Topic says it...this setup has been working well for a long time, but now there are some sites that are failing the TLS handshake.  Here's my setup: acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT acl allowed_http_sit

Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

2017-01-23 Thread James Lay
On Mon, 2017-01-23 at 19:54 -0700, Alex Rousskov wrote: > On 01/23/2017 04:28 PM, David Touzeau wrote: > > > > ssl_bump peek ssl_step1 > > ssl_bump splice all > > > > sslproxy_flags DONT_VERIFY_PEER > > sslproxy_cert_error allow all > > > > > When connecting to mozilla.org using transparent, we

Re: [squid-users] Peeking on TLS traffic: unknown cipher returned

2016-10-22 Thread James Lay
with a tiny amount of sites, > but I suppose its because of server-side misconfigurations that > LibreSSL simply don't like. > > > On 21 October 2016 at 13:01, James Lay > wrote: > > > > On 2016-10-21 09:58, Leandro Barragan wrote: > > > > > >

Re: [squid-users] Peeking on TLS traffic: unknown cipher returned

2016-10-21 Thread James Lay
se of some obscure error. Do you remember what version of squid and libressl you used? BTW I tried with OpenSSL 1.0.2g applying the CloudFare ChaCha20 patch, but it doesn't work either, same error (unknown cipher) Thanks! On 21 October 2016 at 10:55, James Lay wrote: On 2016-10-20 20:15, L

Re: [squid-users] Peeking on TLS traffic: unknown cipher returned

2016-10-21 Thread James Lay
On 2016-10-20 20:15, Leandro Barragan wrote: Thanks for your time Alex! I modified my original config based on Amos recommendations, so I think now I have a more consistent peek & splice config: acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit ssl_bump peek all ssl_bump terminat

Re: [squid-users] Additional ecap/icap questions

2016-10-19 Thread James Lay
On 2016-10-17 15:01, Alex Rousskov wrote: On 10/17/2016 11:51 AM, James Lay wrote: Here's what I'm wanting to accomplish and it's been proving a challenge: Detect keywords (think DLP maybe) in http/https flows. I've got ecap and icap compiled in and working. My challeng

[squid-users] Additional ecap/icap questions

2016-10-17 Thread James Lay
Well this has been a pretty amazing bit of learning that's for sure. Here's what I'm wanting to accomplish and it's been proving a challenge: Detect keywords (think DLP maybe) in http/https flows. I've got ecap and icap compiled in and working. My challenges: a)with icap, it appears that t

Re: [squid-users] Squid 2.5.20 fails to compile with ecap

2016-10-11 Thread James Lay
On 2016-10-11 10:52, Alex Rousskov wrote: On 10/11/2016 08:45 AM, James Lay wrote: Can you point me in the right direction on where to tell squid that libecap lives in /opt/ecap? This is not my area of expertise, but if ./configure --enable-ecap does not work "as is", then you may n

Re: [squid-users] Squid 2.5.20 fails to compile with ecap

2016-10-11 Thread James Lay
On 2016-10-11 08:42, Alex Rousskov wrote: On 10/11/2016 06:54 AM, James Lay wrote: EXT_LIBECAP_CFLAGS="-I/opt/ecap/include" EXT_LIBECAP_LIBS="-L/opt/ecap/lib" ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl --enable-ssl-crtd --enable-linux-netfilt

[squid-users] Squid 2.5.20 fails to compile with ecap

2016-10-11 Thread James Lay
Pretty much topic..sorry for the wall of text here.  Config'd with: EXT_LIBECAP_CFLAGS="-I/opt/ecap/include" EXT_LIBECAP_LIBS="-L/opt/ecap/lib" ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-la

Re: [squid-users] ICAP question

2016-10-10 Thread James Lay
@ngtech.co.il I am not sure...I am going by the below: http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP James > > > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > ] On > Behalf Of James Lay > Sent: Sunday, October 9, 2016 8:03 PM > To

Re: [squid-users] ICAP question

2016-10-09 Thread James Lay
On Sun, 2016-10-09 at 12:43 -0600, Alex Rousskov wrote: > On 10/09/2016 11:02 AM, James Lay wrote: > > > > > WARNING: Squid is configured to use ICAP method REQMOD for service > > icap://localhost:1344/srv_cfg_filter but OPTIONS response declares > > the >

[squid-users] ICAP question

2016-10-09 Thread James Lay
Trying to just get some content filtering working and I'm running into the below: WARNING: Squid is configured to use ICAP method REQMOD for service icap://localhost:1344/srv_cfg_filter but OPTIONS response declares the methods are RESPMOD  Here's the icap snippet from squid.conf: icap_enable on

Re: [squid-users] Clarification on icap

2016-09-26 Thread James Lay
On 2016-09-26 10:40, Alex Rousskov wrote: On 09/26/2016 08:55 AM, James Lay wrote: any recommended open source ICAP/eCAP services that squid works well with? You do not need an ICAP/eCAP service that Squid works well with. You need an ICAP/eCAP service that integrates with your IDS. All

Re: [squid-users] Clarification on icap

2016-09-26 Thread James Lay
On 2016-09-26 08:52, Alex Rousskov wrote: On 09/26/2016 08:43 AM, James Lay wrote: So, from what I've read, it appears that squid sends the data to a listening ICAP/eCAP service, which in turn the IDS can access, depending on the IDS...is that about right? Not exactly. Yes, Squid send

Re: [squid-users] Clarification on icap

2016-09-26 Thread James Lay
On 2016-09-26 08:30, Alex Rousskov wrote: On 09/26/2016 05:41 AM, James Lay wrote: So I'm going to try and get some visibility into tls traffic. Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it's decrypt

Re: [squid-users] Clarification on icap

2016-09-26 Thread James Lay
On 2016-09-26 06:50, Amos Jeffries wrote: On 27/09/2016 12:41 a.m., James Lay wrote: Hey all, So I'm going to try and get some visibility into tls traffic. Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it'

[squid-users] Clarification on icap

2016-09-26 Thread James Lay
Hey all, So I'm going to try and get some visibility into tls traffic.  Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it's decrypted.  This squid machine runs IDS software as well, so my hope was to have the IDS software list

Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 11:05 +0930, LYMN wrote: > On Mon, Sep 19, 2016 at 07:20:14PM -0600, James Lay wrote: > > > > > > Well last word on this...squid starts but dies with: > > /squid: symbol lookup error: ./squid: undefined symbol: > > SSL_set_alpn_protos >

Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Mon, 2016-09-19 at 18:44 -0600, James Lay wrote: > On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote: > > On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote: > > > > > > On 09/19/2016 06:22 PM, James Lay wrote: > > > > > > >

Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 10:26 +0930, LYMN wrote: > On Mon, Sep 19, 2016 at 06:44:38PM -0600, James Lay wrote: > > > > > > > > > > > > > > > > At a guess add this to the libraries list after openssl: -ldl > > > > > Thank

Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote: > On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote: > > > > On 09/19/2016 06:22 PM, James Lay wrote: > > > > > > Ok so this is with the 1.0.2 branch of openssl: > > > > > > dso_d

Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
Thanks...off to git cloning the 1.0.1 branch...all this work for chacha and poly...yugh 8-| James On Mon, 2016-09-19 at 18:37 -0600, Alex Rousskov wrote: > On 09/19/2016 06:22 PM, James Lay wrote: > > > > Ok so this is with the 1.0.2 branch of openssl: > > > > dso_dlfc

[squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
Ok so this is with the 1.0.2 branch of openssl: make[3]: Entering directory `/home//nobackup/build/squid-3.5.20/src/ssl' /bin/bash ../../libtool  --tag=CXX   --mode=link g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64   -g -O2 -m

Re: [squid-users] Squid 3.5.20 fails to compile with openssl

2016-09-19 Thread James Lay
On 2016-09-19 16:05, Alex Rousskov wrote: On 09/19/2016 04:01 PM, James Lay wrote: Openssl git latest commit version commit e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae. Please see http://bugs.squid-cache.org/show_bug.cgi?id=4599 Thank you, Alex. And there you go...thanks Alex. James

[squid-users] Squid 3.5.20 fails to compile with openssl

2016-09-19 Thread James Lay
So I know I posted this a while ago...thought I'd give it a shot today, but still no luck: make[3]: Entering directory `/home/nobackup/build/squid-3.5.20/src/anyp' depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\ /bin/bash ../../libtool --tag=CXX --mode=compile g++ -DH

Re: [squid-users] Yet another new cipher?

2016-06-30 Thread James Lay
On 2016-06-30 07:18, James Lay wrote: On Fri, 2016-07-01 at 01:04 +1200, Amos Jeffries wrote: On 1/07/2016 12:43 a.m., James Lay wrote: On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote: Yugh...starting around 10:00 facebook no longer works via peek/splice. pcap contents show: 1QTV01...CHLO

Re: [squid-users] Yet another new cipher?

2016-06-30 Thread James Lay
On Fri, 2016-07-01 at 01:04 +1200, Amos Jeffries wrote: > On 1/07/2016 12:43 a.m., James Lay wrote: > > > > On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote: > > > > > > Yugh...starting around 10:00 facebook no longer works via > > > peek/splice.  pcap

Re: [squid-users] Yet another new cipher?

2016-06-30 Thread James Lay
On Wed, 2016-06-29 at 19:33 -0600, James Lay wrote: > Yugh...starting around 10:00 facebook no longer works via > peek/splice.  pcap contents show: > > 1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1 > > after the threeway handshake and an instant reset.  Anyone k

[squid-users] Yet another new cipher?

2016-06-29 Thread James Lay
Yugh...starting around 10:00 facebook no longer works via peek/splice.  pcap contents show: 1QTV01...CHLOSNI.VERSscontent.xx.fbcdn.netQTV1 after the threeway handshake and an instant reset.  Anyone know what this is?  Cause I haven't a clue...screenshot of success after bypassing inc

Re: [squid-users] Latest ssl and Squid stable compile issue

2016-06-23 Thread James Lay
On Thu, 2016-06-23 at 17:47 +1200, Amos Jeffries wrote: > Yay that you got it going with LibreSSL. > > But I'm still interested in why you got the errors in the first place > with OpenSSL. It is supposed to be the better supported one :-P > > So if you have the time to assist my edufication; > >

Re: [squid-users] Latest ssl and Squid stable compile issue

2016-06-22 Thread James Lay
hoo! James On 2016-06-22 15:17, Yuri Voinov wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I suggest this will not solve your unknown cipher issue. :) 23.06.2016 3:12, James Lay пишет: Had zero issues when compiling against libressl-2.4.1. I now have ChaCha Poly cipher support...happ

Re: [squid-users] Latest ssl and Squid stable compile issue

2016-06-22 Thread James Lay
Had zero issues when compiling against libressl-2.4.1. I now have ChaCha Poly cipher support...happy days! James On 2016-06-22 13:29, James Lay wrote: So yea...git pulled latest ssl, here's my results: make[3]: Entering directory `/home/nobackup/build/squid-3.5.19/src/anyp' dep

[squid-users] Latest ssl and Squid stable compile issue

2016-06-22 Thread James Lay
So yea...git pulled latest ssl, here's my results: make[3]: Entering directory `/home/nobackup/build/squid-3.5.19/src/anyp' depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\ /bin/bash ../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H   -I../.. -I../../include -I.

Re: [squid-users] Unknown Cipher Suite

2016-06-22 Thread James Lay
; supported. > > This time only exists unsupported patch from CloudFlare. And, as > alternative, LibreSSL. Which is not available for all platforms. > > 22.06.2016 22:48, Amos Jeffries пишет: > > > > On 23/06/2016 4:12 a.m., James Lay wrote: > > > > > &

[squid-users] Unknown Cipher Suite

2016-06-22 Thread James Lay
Well this is new...started seeing this on Instagram.  Message I get when debugging: 2016/06/22 09:43:26| Error negotiating SSL on FD 14: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0) And sure enough...even Wireshark doesn't know what this is: Any hints on h

Re: [squid-users] Transparent Mode w/ Peek and Splice trouble

2016-05-18 Thread James Lay
On 2016-05-18 08:14, s...@kpa.gr wrote: Hello! I am currently setting up a squid server, which should serve as a transparent proxy in our network. We mainly need it to do the following: Allow and Block Domains on HTTP and HTTPS protocol (withOUT bumping the traffic). We only want to allow domai

Re: [squid-users] Logging of https

2016-04-07 Thread James Lay
Box 1328, Lancaster, PA 17608-1328 -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of James Lay Sent: Thursday, March 24, 2016 4:14 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Logging of https On 2016-03-24 13:41, Mark

Re: [squid-users] filtering http(s) sites, transparently

2016-04-04 Thread James Lay
On Sun, 2016-04-03 at 21:18 -0700, Jok Thuau wrote: > I'm attempting to build a transparent proxy (policy based routing on > firewall to squid proxy) with the following behavior: > > > > 1) proxies http traffic for a given set of domains, provide an message > otherwise such "domain not allowed"

Re: [squid-users] Logging of https

2016-03-24 Thread James Lay
On 2016-03-24 13:41, Markey, Bruce wrote: I'm hoping this is a simple question, I've gotten/seen differing answers and I'd just like a final answer. With squid setup as a transparent proxy via wccp will there be any log entries for https sites, even just the ip? Just the initial get request is

Re: [squid-users] HTTPS interception and filtering?

2016-03-13 Thread James Lay
That's the one. James On Mon, 2016-03-14 at 00:42 +0200, Eliezer Croitoru wrote: > Are you referring to: > http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389 > > Eliezer > > On 12/03/2016 15:58, James Lay wrote: > > On Sun, 2016-03-13 at

Re: [squid-users] HTTPS interception and filtering?

2016-03-12 Thread James Lay
On Sun, 2016-03-13 at 00:09 +1100, Tim Bates wrote: > Is it possible to do this: > > * Intercept HTTPS and send it via Squid? > * Apply ACLs to the intercepted HTTPS traffic based on host/domain name? > * Not change any configuration on clients? > > Should I keep researching how this peeking and

Re: [squid-users] HTTPS Content Filtering without de-crypting traffic?

2016-01-27 Thread James Lay
On 2016-01-26 15:59, Panda Admin wrote: > Hello, > > I attempting to terminate https traffic based on ACLs using ssl_bumping > WITHOUT de-crypting the traffic in intercept/transparent mode. Has anyone > got this to work before? I have copied my configuration and what my iptables > nat ru

Re: [squid-users] Fwd: Re: Squid Log messages Database

2016-01-18 Thread James Lay
On 2016-01-18 14:59, Antony Stone wrote: Forwarding private reply back to the list... -- Forwarded Message Starts -- Thanks for your answer. Sorry for my poor english, I'll try to reword because I'm not looking for a log analyzer. In fact, I don't even need Squid itself inst

Re: [squid-users] squid http & https intercept based on DNS server

2015-11-12 Thread James Lay
On Thu, 2015-11-12 at 09:37 +0300, Ahmad Alzaeem wrote: > Sorry , didn’t understand , could you explain more ?? > > cheers > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of James Lay > Sent: Thursday, No

Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread James Lay
On 2015-11-11 12:23, Ahmad Alzaeem wrote: Hi guys I want to ask a question Assume I have a dns server that resolve all the names to the ip of squid So we will have all websites go to squid The question is being asked here is : If I used squid in intercept mode Will I be able to handle http

Re: [squid-users] Fwd: Problems with the List

2015-10-27 Thread James Lay
On 2015-10-27 09:06 AM, Amos Jeffries wrote: On 28/10/2015 2:29 a.m., Elvis Altherr wrote: Hello Admins of the List Seems there some problems with the list.. i receive strange Mails from different users watch example below Thanks. We had a spam run that looks like it was from one of the sub

Re: [squid-users] SSL Peek and Splice

2015-10-01 Thread James Lay
On Thu, 2015-10-01 at 13:26 +0200, Job wrote: > Hello, > > by reading the 3.5 Squid verson "Peek and splice" features: > http://wiki.squid-cache.org/Features/SslPeekAndSplice > > i would like to ask you two questions, please: > > 1. in this implementations, i have to install the selfmade Certif

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-13 Thread James Lay
On Fri, 2015-09-11 at 11:25 -0600, James Lay wrote: > On 2015-09-11 09:39 AM, Alex Rousskov wrote: > > On 09/11/2015 09:21 AM, James Lay wrote: > >> On 2015-09-09 08:29 PM, Alex Rousskov wrote: > >>> Please see http://bugs.squid-cache.org/show_bug.cgi?id=4303 >

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-11 Thread James Lay
On 2015-09-11 09:39 AM, Alex Rousskov wrote: On 09/11/2015 09:21 AM, James Lay wrote: On 2015-09-09 08:29 PM, Alex Rousskov wrote: Please see http://bugs.squid-cache.org/show_bug.cgi?id=4303 Confirming that this now works: ssl_bump peek all ssl_bump splice step3 allowed_https_sites

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-11 Thread James Lay
On 2015-09-09 08:29 PM, Alex Rousskov wrote: On 09/09/2015 07:06 PM, Dan Charlesworth wrote: if I change ssl_bump peek step1 to ssl_bump peek all, I get this assertion failure: PeerConnector.cc:747: "!callback" Please see http://bugs.squid-cache.org/show_bug.cgi?id=4303 Alex. Confirmi

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-08 Thread James Lay
On 2015-09-08 02:32 PM, Alex Rousskov wrote: On 09/08/2015 02:18 PM, James Lay wrote: I'm currently having great success with 3.5.8 and this peek/splice only method using transparent intercept: ### acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-08 Thread James Lay
On 2015-09-08 01:54 PM, Alex Rousskov wrote: On 09/07/2015 11:36 PM, Dan Charlesworth wrote: First, here’s my config (shout out to James Lay): acl client_hello_peeked at_step SslBump2 ssl_bump splice client_hello_peeked bump_bypass_domains ssl_bump bump client_hello_peeked Just in case

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread James Lay
On Fri, 2015-08-21 at 05:26 -0600, James Lay wrote: > On Fri, 2015-08-21 at 19:28 +1200, Amos Jeffries wrote: > > > Hi all, > > > > Christos has managed (we think) to resolve a fairly major design issue > > that has been plaguing the 3.5 series peek-and-spli

Re: [squid-users] ssl_bump updates coming in 3.5.8

2015-08-21 Thread James Lay
On Fri, 2015-08-21 at 19:28 +1200, Amos Jeffries wrote: > Hi all, > > Christos has managed (we think) to resolve a fairly major design issue > that has been plaguing the 3.5 series peek-and-splice feature so far. > () > > The problem was t

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread James Lay
On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote: > Thanks for that. Any ideas why I am experiencing that? > > > > Stan > > > > > On Fri, Jul 24, 2015 at 7:07 PM, James Lay > wrote: > > On Fri, 2015-07-24 at 17:25 -0500, Stanford Pr

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread James Lay
On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote: > I have a working implementation of Squid 3.5.5 with ssl-bump. When > 3.5.5 is started with ssl-bump enabled all the squid and ssl_crtd > processes start and Squid functions as intended when bumping ssl > sites. However, when I bump Squid

Re: [squid-users] RE Peek and Splice error SSL_accept failed

2015-07-24 Thread James Lay
On Fri, 2015-07-24 at 12:09 +, Sebastian Kirschner wrote: > Hi , > > I minimized the configuration a little bit(you could see it at the bottom of > these message). > > Also I still try to understand why these error happen , I increased the Debug > level and saw that squid tried 48 times to

Re: [squid-users] Transparent Proxy Configuration

2015-06-30 Thread James Lay
On 2015-06-30 12:21 PM, Chris Greene wrote: I’ve had Squid running on Ubuntu for a few weeks. I’d configured the proxy settings in the browsers. Everything has been working well and I've been pleased with the results. But now I need to make this a transparent proxy and I’m running into trouble

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-25 Thread James Lay
--- > > Tom Mowbray > > tmowb...@dalabs.com > 703-829-6694 > > > > On Wed, Jun 24, 2015 at 2:05 PM, James Lay > wrote: > > On 2015-06-24 11:46 AM, Tom Mowbray wrote: > > James, &

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-25 Thread James Lay
On Thu, 2015-06-25 at 13:57 +1200, Jason Haar wrote: > On 25/06/15 06:05, James Lay wrote: > > openssl s_client -connect x.x.x.x:443 > Just a FYI but you can make openssl do SNI which helps debugging (ie > doing it your way and then doing it with SNI) > > openssl s_client

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-24 Thread James Lay
;s (as you have it), it seems to simply allow ALL https without doing any filtering whatsoever. Thanks for the response. -Tom Mowbray _tmowbray@dalabs.com_ _703-829-6694_ On Wed, Jun 24, 2015 at 1:31 PM, James Lay wrote: On 2015-06-24 09:41 AM, Tom Mowbray wrote

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-24 Thread James Lay
On 2015-06-24 09:41 AM, Tom Mowbray wrote: Squid 3.5.5 I seem to have some confusion about how acl lists are processed in squid.conf regarding the handling of SSL (HTTPS) traffic, attempting to use ssl_bump directives with transparent proxy. Based on available documentation, I believe my squid.

Re: [squid-users] Quick peek-splice clarification

2015-06-23 Thread James Lay
On Tue, 2015-06-23 at 09:11 +0200, Klavs Klavsen wrote: > Hi James, > > Did you ever find an answer for this? > > James Lay wrote on 06/11/2015 02:16 AM: > > All, > > > > From the docs at: > > > > http://wiki.squid-cache.org/Features/SslPeekAndSplic

[squid-users] Properly filtering http and https traffic in a transparent proxy environment

2015-06-11 Thread James Lay
Resending this with photobucket links instead of including images: http://i290.photobucket.com/albums/ll269/DigiDemon/allowed.png http://i290.photobucket.com/albums/ll269/DigiDemon/terminate.png Hey All, So...here's what I have for filtering http and https in the same instance. This is using

[squid-users] Quick peek-splice clarification

2015-06-10 Thread James Lay
All, >From the docs at: http://wiki.squid-cache.org/Features/SslPeekAndSplice peek step1, step2 Receive SNI and client certificate (step1), or server certificate (step2) while preserving the possibility of splicing the connection. Peeking at the server certificate usually precludes future bu

Re: [squid-users] Installing certificate on Andriod to use with SSL-bump

2015-06-10 Thread James Lay
On 2015-06-10 10:22 AM, Amos Jeffries wrote: On 10/06/2015 4:46 p.m., dkandle wrote: I would like to be able to inspect traffic from my android device. I have a transparent squid proxy working with SSL bump (using WiFi to get traffic through my proxy server). Everything works fine as long as I

Re: [squid-users] ssl_crtd breaks after short time

2015-06-10 Thread James Lay
On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote: > Amos Jeffries wrote on 2015-06-09 17:10: > [CUT] > > You have to first configure ssl_bump in a way that lets Squid receive > > the clientHello message (step1 -> peek) AND the serverHello message > > (step2 -> peek). Then you can use those c

Re: [squid-users] Utilities for testing question

2015-06-06 Thread James Lay
On Sat, 2015-06-06 at 13:49 +1200, Amos Jeffries wrote: > On 6/06/2015 12:35 p.m., James Lay wrote: > > All, > > > > I'm looking for a command line app like wget or curl that I can use to > > test TLS. I'm trying to find out how to send a get request witho

[squid-users] Utilities for testing question

2015-06-05 Thread James Lay
All, I'm looking for a command line app like wget or curl that I can use to test TLS. I'm trying to find out how to send a get request without sending the SNI. Any pointers would be appreciated. Thank you. James ___ squid-users mailing list squid-use
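The "peek step1 receives the SNI" note from the Quick peek-splice clarification thread and the question above about sending a request with no SNI both come down to the same bytes: the raw ClientHello that Squid looks at before deciding to splice or terminate. As an added example (not code from this list or from the Squid project), here is a small Python parser that builds a minimal ClientHello, pulls the server_name out of it, and applies a regex allow-list the way an ssl::server_name_regex ACL with splice/terminate would at SslBump1. The sample hellos are constructed here, the cipher suite and client random are placeholders, and the choice to terminate a hello that carries no SNI is an assumption made for illustration, not Squid's own fallback behaviour.

```python
import re
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None, client_random=b"\x00" * 32):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input,
    not a capture): one cipher suite, null compression, and either a single
    server_name extension or no extensions block at all."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name
        sni_body = struct.pack("!H", len(name_entry)) + name_entry   # ServerNameList
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + client_random             # 32-byte random (placeholder)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # cipher_suites: one entry, ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"               # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record layer: ContentType handshake, legacy record version 3.1, length
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None when the hello has no SNI. Raises ValueError when the bytes are not a
    ClientHello record at all (plain HTTP sent to port 443, for example)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                             # skip version and random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos >= len(body):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                             # skip ServerNameList length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0:                               # host_name
                    return name.decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def is_client_hello(record):
    """True when the bytes parse as a ClientHello record (with or without SNI)."""
    try:
        extract_sni(record)
        return True
    except ValueError:
        return False


def step1_decision(record, allowed_patterns):
    """Emulate a name-based allow-list at SslBump1: splice when the SNI matches
    one of the regexes, terminate otherwise. A hello without SNI can never match
    a name rule, so this toy policy terminates it (assumption for illustration)."""
    sni = extract_sni(record)
    if sni is not None and any(re.search(p, sni, re.IGNORECASE) for p in allowed_patterns):
        return "splice", sni
    return "terminate", sni
```

For the testing question itself: older OpenSSL releases of `openssl s_client -connect host:443` omit SNI unless `-servername` is given and so produce a hello like `build_client_hello(None)`, for which the parser returns None; OpenSSL 1.1.1 and later send SNI by default and need `-noservername` to suppress it. Either way, capturing the first record on the wire and feeding it to `extract_sni` shows exactly what a step1 peek has to work with.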

Re: [squid-users] Looking for a recomendation for tutorial for transparent proxy under Ubuntu

2015-06-01 Thread James Lay
On 2015-06-01 10:40 AM, dkandle wrote: I am using Ubuntu 14.04 on a server with multiple NICs. I would like to set it up as a transparent proxy. I have the router working and I had squid working as an explicit proxy (where I set the IP address of the server as the proxy in my client's browser)

Re: [squid-users] ssl_bump and SNI

2015-06-01 Thread James Lay
y_id, sni = line.split() > > if sni == 'wellsfargo.com': > sys.stdout.write('%s OK\n' % concurrency_id) > else: > sys.stdout.write('%s ERR\n' % concurrency_id) > > line = sys.stdin.read() > > Hope that helps, &g

Re: [squid-users] Ssl-bump deep dive (intercept last post and final thoughts)

2015-05-31 Thread James Lay
On Mon, 2015-06-01 at 13:00 +1200, Amos Jeffries wrote: > On 1/06/2015 11:56 a.m., James Lay wrote: > > So this has been REALLY good! The tl;dr: ssl-bumping is pretty easy > > even with intercept, ssl-bumping with access control is a little more > > difficult...jump to t

[squid-users] Ssl-bump deep dive (intercept last post and final thoughts)

2015-05-31 Thread James Lay
So this has been REALLY good! The tl;dr: ssl-bumping is pretty easy even with intercept, ssl-bumping with access control is a little more difficult...jump to the config to skip the chit chat. My goal has always been to a content filter based on url regex. This works just fine for http traffic,

Re: [squid-users] Conditional question

2015-05-30 Thread James Lay
On Sat, 2015-05-30 at 16:24 -0600, James Lay wrote: > On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote: > > > On 31/05/2015 4:48 a.m., James Lay wrote: > > > Per the docs: > > > > > > # Conditional configuration > > > # > > >

Re: [squid-users] Conditional question

2015-05-30 Thread James Lay
On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote: > On 31/05/2015 4:48 a.m., James Lay wrote: > > Per the docs: > > > > # Conditional configuration > > # > > # If-statements can be used to make configuration directives > > # depend

Re: [squid-users] Conditional question

2015-05-30 Thread James Lay
On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote: > On 31/05/2015 4:48 a.m., James Lay wrote: > > Per the docs: > > > > # Conditional configuration > > # > > # If-statements can be used to make configuration directives > > # depend

[squid-users] Conditional question

2015-05-30 Thread James Lay
Per the docs: # Conditional configuration # # If-statements can be used to make configuration directives # depend on conditions: # # if # ... regular configuration directives ... # [else # ... regular configuration directives ...] #

[squid-users] Ssl-bump deep dive (sni and access control) some success

2015-05-30 Thread James Lay
Config first: acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT acl step1 at_step SslBump1 acl step2 at_step SslBump2 ssl_bump peek step1 all #https_server_names.

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread James Lay
On 2015-05-29 08:57 AM, Nathan Hoad wrote: Yes, I have it working on about a dozen deployments so far, using an external ACL to make bumping decisions based on the SNI server name and a few other things. No complaints from me, it Just Works. On 29/05/2015 5:50 pm, "sp_" wrote: Hello, does any
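The external ACL approach Nathan describes here, and the helper fragment quoted in the "ssl_bump and SNI" reply further up the page (read a line, split off the concurrency ID and the SNI, answer OK or ERR), is a small protocol that is easy to get subtly wrong. As an added example, and not code from this list or from the Squid project, here is a complete helper in the same style that handles both the concurrency channel-ID prefix and the case where no SNI arrived. The allow-list and the helper path are constructed for illustration; the assumption that Squid substitutes "-" for an empty %ssl::>sni token is marked in the code.

```python
import fnmatch
import sys

# Constructed allow-list for illustration; a real deployment would load this
# from a file. Patterns are case-insensitive shell globs.
ALLOWED_SNI = ("wellsfargo.com", "*.wellsfargo.com", "*.fbcdn.net")


def sni_allowed(sni, allowed=ALLOWED_SNI):
    """True when the SNI matches an allowed pattern. A hello without SNI must
    not match a name-based allow-list, so an empty token and the "-" that
    Squid is assumed to send for a missing format value both return False."""
    if not sni or sni == "-":
        return False
    host = sni.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in allowed)


def handle_line(line, concurrent=True):
    """Translate one request line from Squid into one reply line.
    With 'external_acl_type ... concurrency=N' the first token is a channel ID
    that must be echoed back unchanged; without concurrency the line holds
    only the format tokens and the reply is a bare OK/ERR."""
    tokens = line.strip().split()
    if not tokens:
        return None
    if concurrent:
        channel, rest = tokens[0], tokens[1:]
    else:
        channel, rest = None, tokens
    sni = rest[0] if rest else "-"
    verdict = "OK" if sni_allowed(sni) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main():
    # One request per line on stdin, one reply per line on stdout. Flush after
    # every reply: Squid waits for the answer, so a buffered reply stalls
    # the client's TLS handshake until the buffer happens to fill.
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wiring it up in squid.conf would look like `external_acl_type sni_check concurrency=10 %ssl::>sni /usr/local/bin/sni_acl.py` followed by `acl allowed_sni external sni_check`, with the ACL used on a splice or bump rule after a `peek step1` line; the helper path is an assumed location.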

[squid-users] Ssl-bump deep dive (testing)

2015-05-28 Thread James Lay
So I took the advice of those here to get explicit working first, so here's my first attempt. My test environment is Ubuntu 15.04 Server as the squid server with virtualbox running on it with Kali linux as the client. Here's my Squid 3.5.4 configure line: /configure --prefix=/opt --enable-icap-c

Re: [squid-users] Ssl-bump deep dive (self-signed certs in chain)

2015-05-28 Thread James Lay
Thanks for this Amos...I will try and do more experimenting this week with more results. James On Tue, 2015-05-26 at 19:46 +1200, Amos Jeffries wrote: > On 26/05/2015 4:26 a.m., James Lay wrote: > > So following advice and instructions on this page: > > > > http:/

Re: [squid-users] ipf transparent enabled, but squid says not supported

2015-05-27 Thread James Lay
On 2015-05-27 09:45 AM, Stephen Borrill wrote: I have: Squid Cache: Version 3.5.4 Service Name: squid configure options: '--sysconfdir=/usr/pkg/etc/squid' '--localstatedir=/var/squid' '--datarootdir=/usr/pkg/share/squid' '--disable-strict-error-checking' '--enable-auth' '--enable-cachemgr-hostna

[squid-users] Ssl-bump deep dive (self-signed certs in chain)

2015-05-25 Thread James Lay
So following advice and instructions on this page: http://wiki.squid-cache.org/Features/DynamicSslCert I have set up my lab with explicit proxy by exporting http_proxy and https_proxy. After creating the self-signed root CA certificate above and creating the .der file for the client, here are my

Re: [squid-users] Ssl-bump deep dive (properly creating certs)

2015-05-24 Thread James Lay
On Mon, 2015-05-25 at 08:48 +1200, Jason Haar wrote: > On 25/05/15 04:25, James Lay wrote: > > > > > My first question is about properly creating the certs. Looking at: > > > > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit > > &g

[squid-users] Ssl-bump deep dive (properly creating certs)

2015-05-24 Thread James Lay
Hey all, So...I'm sure those on the list have seen my posts a number of times, usually all questions (sorry I'm not very helpful). That being said, whenever there is something I can't get to work right, or don't understand as well as I think I should, I do kind of a deep dive into it for about a

Re: [squid-users] Config audit for 3.5.3

2015-04-25 Thread James Lay
On Sat, 2015-04-25 at 14:25 +1200, Amos Jeffries wrote: > On 25/04/2015 12:50 a.m., James Lay wrote: > > Hey all. > > > > Topic says it...I'm running squid-3.5.3-20150420-r13802 and wanted to > > see if there's anything glaring that I'm missing/hav
