On Saturday 14 April 2018 at 13:22:32, MK2018 wrote:
> I had used squid effectively and perfectly for more than a year before I
> could understand (on my own) how to craft an 'allow' or 'deny' line that
> contains all of: source acl, dst acl, connection method, HTTP command, TCP
> port, excluded d
Amos Jeffries wrote
> Which parts (if any in the current text) are you getting confused or
> lost by?
It is not about confusion as much as it is about syntax. Since I'm always
bumping to fight unwanted user traffic / analyze traffic consumption, I
would need to use 'stare' verb. But, I had only tr
On 14/04/18 20:51, MK2018 wrote:
> Amos Jeffries wrote
>> FYI this is "server-first all". peek and splice before "bump all" is
>> similar but also different in ways that allow it to handle more problems
>> in better ways.
>
> I never really got to understand how to implement peek and splice verbs.
Amos Jeffries wrote
> FYI this is "server-first all". peek and splice before "bump all" is
> similar but also different in ways that allow it to handle more problems
> in better ways.
I never really got to understand how to implement peek and splice verbs. I
was glad I could get away with server-f
On 14/04/18 10:05, MK2018 wrote:
> Aaron Turner wrote
>> Thanks Yuri. That helps. As for the "sslproxy_flags
>> DONT_VERIFY_PEER", yes I understand the risks. In my specific case,
>> where my "users" are actually a bunch of automated web clients doing
>> some web crawling it's the right thing to
Aaron Turner wrote
> Thanks Yuri. That helps. As for the "sslproxy_flags
> DONT_VERIFY_PEER", yes I understand the risks. In my specific case,
> where my "users" are actually a bunch of automated web clients doing
> some web crawling it's the right thing to do.
> --
> Aaron Turner
I tried using
squid-users On Behalf Of
Danilo V
Sent: Tuesday, March 13, 2018 15:45
To: squid-users@lists.squid-cache.org
Subject: [squid-users] SSL intercept in explicit mode
Is it possible/feasible to configure squid in explicit mode with ssl intercept?
Due to architecture of my network it is not possib
I guess you're using the wrong approach.
You're trying to find a ready-to-use solution for a /custom/ configuration.
At maximum, you can find some bricks for this. And anyway you should
build your custom solution yourself.
Bricks are here: https://wiki.squid-cache.org :-)
14.03.2018 20:28, Danilo V wrote:
>
Thanks for the explanation.
Do you have any guide?
On Wed, 14 Mar 2018 at 10:26, Matus UHLAR - fantomas <
uh...@fantomas.sk> wrote:
> On 13.03.18 14:44, Danilo V wrote:
> >I mean SSL bump in explicit mode.
> >So intercept is an essential requirement for running SSL bump?
>
> No, you asked
On 13.03.18 14:44, Danilo V wrote:
I mean SSL bump in explicit mode.
So intercept is an essential requirement for running SSL bump?
No, you asked for "explicit mode with ssl intercept" which I pointed out is
illogical.
On Tue, 13 Mar 2018 at 11:10, Matus UHLAR - fantomas <
uh...@fantoma
Behalf
Of Yuri
Sent: Tuesday, March 13, 2018 19:45
To: Aaron Turner
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SSL intercept in explicit mode
AFAIK,
SSL bump subsystem uses OpenSSL memory routines. So, first of all, most
probably leaks (if any) can be OpenSSL-related, but not
As practical experience shows, it is counterproductive to swear. :)
Especially when you need to solve the problem;)
It's just that sometimes a bad character wins :)
14.03.2018 03:30, Alex Rousskov wrote:
> Yuri,
>
> The quality of many of your recent mailing list posts was
> exceptionally hig
Yuri,
The quality of many of your recent mailing list posts was
exceptionally high: to-the-point, with a healthy level of technical
detail, cool triage, actionable advice, and no distractions (up to the
footer:-). Your new approach resulted in a much more enjoyable
experience for me personally
Thanks Yuri. That helps. As for the "sslproxy_flags
DONT_VERIFY_PEER", yes I understand the risks. In my specific case,
where my "users" are actually a bunch of automated web clients doing
some web crawling it's the right thing to do.
--
Aaron Turner
https://synfin.net/ Twitter: @synfina
Finally,
just take a look:
This is SSL Bump-aware setup. Seems no memory leaks, yes? Normal memory
distribution.
Let's see on overall OS memory:
No leaks.
13.03.2018 23:44, Yuri wrote:
>
> AFAIK,
>
> SSL bump subsystem uses OpenSSL memory routines. So, first of all,
> most probably leaks (if a
AFAIK,
SSL bump subsystem uses OpenSSL memory routines. So, first of all, most
probably leaks (if any) can be OpenSSL-related, but not squid itself.
Now let's see your config snippets.
13.03.2018 23:00, Aaron Turner wrote:
> "Usually misconfiguration leads to memory overhead."
>
> This may be tr
"Usually misconfiguration leads to memory overhead."
This may be true, but if you look in the list archives a few months
ago I basically chased my tail in circles and nobody could tell me
what I was doing wrong and so many of the docs are so old that they're
worse than useless, they seem to sugges
I've used it on all versions starting from 3.4.
Now I'm using Squid 5.0.0.
I'm afraid my config is completely useless, because it contains tons
of optimizations/tweaks/tricks and designed for customized Squid 5.0.0,
with different memory allocator for custom infrastructure.
You can't just ta
What version are you using Yuri? Can you share your config?
Every time I use ssl bump, I have massive memory leaks. It's been
effectively unusable for me.
--
Aaron Turner
https://synfin.net/ Twitter: @synfinatic
My father once told me that respect for the truth comes close to being
the bas
Moreover,
SSL Bump combines with interception/explicit proxy in one setup.
And works perfectly.
13.03.2018 21:14, Marcus Kool wrote:
> "SSL bump" is the name of a complex Squid feature.
> With ssl_bump ACLs one can decide which domains can be 'spliced' (go
> through the proxy untouched) or can
"SSL bump" is the name of a complex Squid feature.
With ssl_bump ACLs one can decide which domains can be 'spliced' (go through
the proxy untouched) or can be 'bumped' (decrypted).
Interception is not a requirement for SSL bump.
Marcus
On 13/03/18 11:44, Danilo V wrote:
I mean SSL bump in exp
I mean SSL bump in explicit mode.
So intercept is an essential requirement for running SSL bump?
On Tue, 13 Mar 2018 at 11:10, Matus UHLAR - fantomas <
uh...@fantomas.sk> wrote:
> On 13.03.18 13:44, Danilo V wrote:
> >Is it possible/feasible to configure squid in explicit mode with ssl
>
On 13.03.18 13:44, Danilo V wrote:
Is it possible/feasible to configure squid in explicit mode with ssl
intercept?
explicit is not intercept, intercept is not explicit.
explicit is where browser is configured (manually or automatically via WPAD)
to use the proxy.
intercept is where network de
Is it possible/feasible to configure squid in explicit mode with ssl
intercept?
Due to architecture of my network it is not possible to implement
transparent proxy.
What would be the behavior of applications that don't support proxy - i.e.
don't forward requests to proxy?
Any guides?
Danilo
24 matches