[squid-users] Introduction & Squid ports

2018-03-10 Thread Nicolas Kovacs
Hi, I'm new to this list, so let me introduce myself. I'm a 50-year-old Austrian living in Montpezat (South France), and I'm the manager of a small IT company with a focus on Linux and free software. I've been using Squid for a few years, but only as a transparent HTTP proxy. Here's my blog artic

[squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
Hi, I have Squid set up as a transparent HTTP+HTTPS proxy in my local network, using SSL-Bump. The configuration works quite nicely, according to /var/log/squid/cache.log and /var/log/squid/access.log. This being said, I am having trouble with a handful of domains like Github, or my OwnCloud inst

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 09:24, Amos Jeffries wrote: > What you need to start with is switch your thinking from "domains" to > considering things in terms of connections and individual servers. Since > "domain" is a URL concept, and URLs are all hidden inside the encrypted > part of the traffic there is

Re: [squid-users] Introduction & Squid ports

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 10:17, Amos Jeffries wrote: > In your config you changed your 3128 to receiving port-80 (origin-form) > syntax with "intercept". So port 3130 was necessary to take over > receiving of the normal proxy traffic. > > The TLS wrappers on HTTPS need special handling to decrypt so that

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 09:24, Amos Jeffries wrote: > What you need to start with is switch your thinking from "domains" to > considering things in terms of connections and individual servers. Since > "domain" is a URL concept, and URLs are all hidden inside the encrypted > part of the traffic there is

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 11:17, Amos Jeffries wrote: > The process is not getting anywhere close to caching being relevant. The > error you mentioned earlier is in the TLS handshake part of the process. I've experimented some more, and I have a partial success. Here, I'm redirecting all HTTPS traffic *e

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 12:31, Amos Jeffries wrote: > The whois system can provide info on the IP ranges owned by the > companies like Google which own their own ranges. > > > The alternative for ssl-bump is the splice action. For that you only > need to know the server names each company uses. OK, I

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 12:31, Amos Jeffries wrote: > The whois system can provide info on the IP ranges owned by the > companies like Google which own their own ranges. > > > The alternative for ssl-bump is the splice action. For that you only > need to know the server names each company uses. I'd s

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 16:48, Alex Crow wrote: > > It would be a lot easier to just create exceptions on the squid device > for sites where bumping doesn't work which cause them to be tunnelled or > spliced rather than bumped. You can then at least use dstdomain or > ssl:servername rules. dstdomain wi

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Nicolas Kovacs
On 11/03/2018 at 19:44, Yuri wrote: > It's trivial to implement. Here is my config snippet: > > # SSL bump rules > acl DiscoverSNIHost at_step SslBump1 > acl NoSSLIntercept ssl::server_name_regex > "/usr/local/squid/etc/acl.url.nobump" > ssl_bump peek DiscoverSNIHost > ssl_bump splice NoSSLInter

[squid-users] Distribute root certificate to clients

2018-03-12 Thread Nicolas Kovacs
Hi, I have a few prospective clients who want/need to log and monitor all their web traffic and asked me to find a viable solution for this. After a couple of weeks of fiddling, I decided to opt for the Squid+SquidAnalyzer setup, which works quite well. I have a sandbox installation here in my of

[squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Nicolas Kovacs
Hi, I've been working with Squid + SquidGuard for a few years, though only on Slackware. I'm currently transferring my proxy expertise to CentOS 7, and right now I'm having a little problem with that. Squid works perfectly so far as a transparent HTTP + HTTPS cache proxy. The next step is to add

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Nicolas Kovacs
On 14/03/2018 at 13:33, Amos Jeffries wrote: > You do not need SG or any fancy redirector helpers at all for that. Yes, I do. Because this is part of a step-by-step course about SquidGuard, which worked perfectly under Slackware Linux. And my filtering rules are becoming increasingly complex. N

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Nicolas Kovacs
On 14/03/2018 at 13:39, Nicolas Kovacs wrote: > Yes, I do. Because this is part of a step-by-step course about > SquidGuard, which worked perfectly under Slackware Linux. And my > filtering rules are becoming increasingly complex. FYI, this is the course. It's a HOWTO in simp

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Nicolas Kovacs
On 14/03/2018 at 14:06, Amos Jeffries wrote: > Then the first thing you and your readers need to be clear on is that > SquidGuard was end-of-life'd many years ago. It is long overdue for > removal or replacement. This has impact such as the one you saw on HTTPS > traffic support which was only ad

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Nicolas Kovacs
On 14/03/2018 at 14:46, Marcus Kool wrote: > ufdbGuard is the tool that you need. > It is an old fork of ufdbGuard with many new features, very good > performance and it has regular maintenance. > If you have a question, you can ask the support desk at > www.urlfilterdb.com. > You will get an ans

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-15 Thread Nicolas Kovacs
On 14/03/2018 at 15:02, Yuri wrote: > I can confirm - ufdbguard is up-to-date and very good customizable > replacement for SquidGuard. Using ufdbguard last three years gives > perfect results and bring functionality which is absent in > SquidGuard. > > ufdbguard has good support of https (incl

[squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Nicolas Kovacs
Hi, I have Squid + SquidGuard + SquidAnalyzer running on my LAN server as a transparent cache + filtering proxy, and it's working real nicely. When a client in my company wants to connect to the wifi, all he or she has to do is this: 1. Connect to http://nestor.microlinux.lan 2. Download the ne

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Nicolas Kovacs
On 16/03/2018 at 13:43, Yuri wrote: > I guess better way to do this is create special ACL to catch exactly > certificate error and then redirect by 302 using deny_info to proxy > page with explanation and certificate. This sounds like the way to go. I just removed the root certificate from one

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Nicolas Kovacs
On 25/03/2018 at 13:08, Yuri wrote: > The problem is not install proxy CA. The problem is identify client > has no proxy CA and redirect, and do it only one time. That is exactly the problem. And I have yet to find a solution for that. Current method is instruct everyone - with a printed paper

[squid-users] Replace SquidGuard with ufdbguard : configuration examples ?

2019-03-18 Thread Nicolas Kovacs
Hi, I've been running the Squid + SquidGuard combination for quite some time in our local school. I'm also filtering HTTPS connections using the Squid SSL Bump functionality. I'd like to test ufdbguard, since SquidGuard doesn't seem to be maintained anymore, and it's also quite RAM-consuming. I'

Re: [squid-users] How to catch a big spender ?

2019-03-25 Thread Nicolas Kovacs
On 25/03/2019 at 20:15, Heiler Bemerguy wrote: > We've seen some high upload bandwidth usage on our router graphs and > we'd like to know what was happening at that time... > > Any tools or tricks to know that? I bet most of you have had this > "curiosity" already too lol Here's what I use to c