Re: [squid-users] squid "make check" error

2024-07-22 Thread Amos Jeffries
On 20/07/24 03:19, Alex Rousskov wrote: On 2024-07-19 09:20, Rafał Stanilewicz wrote: Thank you. It worked. Glad to hear that! Seconded. I incorrectly assumed all dependencies would be captured by aptitude build-dep squid and ./configure. AFAIK that is a correct assumption for

Re: [squid-users] Squid Version squid-5.7-150400.3.6.1.x86_64 -- Squid is crashing continusly

2024-07-18 Thread Amos Jeffries
On 19/07/24 04:23, M, Anitha (CSS) wrote: Hi Team, We are seeing squid is continuously crashing with signal 6. "signal 6" in system log means there should be an "assertion" error message in the cache.log. Please look for that. Any known issues with this version? Many. It is not clear

Re: [squid-users] Prefer or force ipv6 usage on dual stack interface

2024-07-16 Thread Amos Jeffries
On 17/07/24 01:31, Rasmus Horndrup wrote: Hi, On a dual stack network interface I’m interested in using squid as a ipv6 only forward proxy. My general understanding was that squid will prefer to use ipv6 whenever available, but I’m having issues with squid seemingly preferring ipv4 in some

Re: [squid-users] Rewriting HTTP to HTTPS for generic package proxy

2024-07-15 Thread Amos Jeffries
On 12/07/24 10:10, Alex Rousskov wrote: On 2024-07-11 17:03, Amos Jeffries wrote: On 11/07/24 00:49, Alex Rousskov wrote: On 2024-07-09 18:25, Fiehe, Christoph wrote: I hope that somebody has an idea, what I am doing wrong. AFAICT from the debugging log, it is your parent proxy

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-12 Thread Amos Jeffries
On 13/07/24 04:16, Jonathan Lee wrote: tested with removal of IP and port failed If I leave port I get this 2024/07/12 09:15:17| Processing: http_port :3128 intercept No ":" before the port number. Amos ___ squid-users mailing list

Re: [squid-users] cachemgr.cgi isn't mgr:info ?

2024-07-12 Thread Amos Jeffries
Per your subject question "cachemgr.cgi isn't mgr:info ?" Correct. cachemgr.cgi is an old tool to access multiple proxies manager reports. "mgr:info" is a command line parameter for the squidclient tool to access a proxies "info" manager report. Also, commonly used shorthand in Squid

Re: [squid-users] TCP_MISS_ABORTED/502

2024-07-12 Thread Amos Jeffries
On 13/07/24 01:52, Alex Rousskov wrote: On 2024-07-12 08:06, Ben Toms wrote: Seems that my issue is similar to - https://serverfault.com/questions/1104330/squid-cache-items-behind-basic-authentication You are facing up to two problems: 1. Some authenticated responses are not cachable by

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-12 Thread Amos Jeffries
On 12/07/24 11:50, Jonathan Lee wrote: I recommend changing your main port to this:   http_port 3128 ssl-bump This is set to this when it processes http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-11 Thread Amos Jeffries
Oh, I see the problem: http_port 127.0.0.1:3128 intercept ... (which also means you lack a firewall rule preventing external software like squidclient from sending traffic directly to your intercept port.) Please **do not** use port 3128 to receive intercepted traffic. I recommend

Re: [squid-users] TCP_MISS_ABORTED/502

2024-07-11 Thread Amos Jeffries
On 12/07/24 03:37, Ben Toms wrote: Hi folks, We’re looking to leverage squid-cache as an accelerator, but for large content. For example, a local cache of macOS installers so that the internet line isn’t swamped when updating Photoshop etc across devices. Below is an example of the conf

Re: [squid-users] Rewriting HTTP to HTTPS for generic package proxy

2024-07-11 Thread Amos Jeffries
On 11/07/24 00:49, Alex Rousskov wrote: On 2024-07-09 18:25, Fiehe, Christoph wrote: I hope that somebody has an idea, what I am doing wrong. AFAICT from the debugging log, it is your parent proxy that returns an ERR_SECURE_CONNECT_FAIL error page in response to a seemingly valid "HEAD

Re: [squid-users] Squid 6.6 error clientProcessHit: Vary object loop!

2024-07-11 Thread Amos Jeffries
On 12/07/24 06:43, Jonathan Lee wrote: What is Vary Object loop?? In HTTP URLs can point at a set or "variants" of a resource. Squid "Vary Object" is an entry in the cache that is used to represent these types of resource. When the URL-only is looked up, the "Vary Object" is found and

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-11 Thread Amos Jeffries
Lets see ... >>> On Jul 11, 2024, at 11:02, Jonathan Lee wrote: >>> Shell Output - squidclient -h 127.0.0.1 -v -U admin -W redacted >>> mgr:info >>> >>> Request: >>> GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0 >>> Host: 127.0.0.1:3128 >>> User-Agent: squidclient/6.6 >>>

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-11 Thread Amos Jeffries
On 12/07/24 05:27, Jonathan Lee wrote: Thanks what about the password is it set with@ or -p where would I place that? Neither. It is set with -W . Amos Sent from my iPhone On Jul 11, 2024, at 10:17, Amos Jeffries wrote: It is very relevant. As Matus already mentioned, both -U and -W

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-07-11 Thread Amos Jeffries
On 11/07/24 06:08, Alex Rousskov wrote: On 2024-07-10 12:55, Jonathan Lee wrote: Embedding a password in a cache manager command requires providing a username with -U squidclient -w /squid-internal-mgr/info -u admin squidclient -w /squid-internal-mgr/info@redacted -u admin squidclient -w

Re: [squid-users] Rewriting HTTP to HTTPS for generic package proxy

2024-07-10 Thread Amos Jeffries
On 10/07/24 22:57, Fiehe, Christoph wrote: The idea behind was to find a way to cache packages from a repository that only provides HTTPS-based connections. It would work, when the HTTPS connection terminates at the Squid Proxy and not at the client, so that the proxy can forward the message

Re: [squid-users] Unable to explain 407 Proxy Authentication Required

2024-07-10 Thread Amos Jeffries
On 9/07/24 02:39, Random Dude wrote: Hey everyone. I'm trying to get a minimal forward proxy with authentication set up. I have the following config (purposely kept as minimal as possible) and have followed these steps - https://wiki.squid-cache.org/ConfigExamples/Authenticate/

Re: [squid-users] Rewriting HTTP to HTTPS for generic package proxy

2024-07-10 Thread Amos Jeffries
On 10/07/24 10:25, Fiehe, Christoph wrote: Hallo, I hope that somebody has an idea, what I am doing wrong. I try to build a generic package proxy with Squid and need the feature to rewrite (not redirect) a HTTP request to a package repository transparently to a HTTPS-based package source.

Re: [squid-users] ICMP and QUIC

2024-07-08 Thread Amos Jeffries
On 8/07/24 16:42, Jonathan Lee wrote: Does anyone use this directive for QUIC in the mean time… what’s weird is that IP address is Apple when Facebook is running on_unsupported_protocol This directive is only relevant to protocols Squid receives over TCP connections. For SSL-Bumped CONNECT

Re: [squid-users] Upgrade path from squid 4.15 to 6.x

2024-06-14 Thread Amos Jeffries
On 14/06/24 20:43, NgTech LTD wrote: Hey Amis, Ok, so with the tools we have available, can we take this case and maybe write a brief summary of changes between the squid features versions? That what the Release Notes are. Cheers Amos

Re: [squid-users] Information Request: "Accept-Ranges" with use of SSL intercept and dynamic update caching

2024-06-14 Thread Amos Jeffries
On 11/06/24 16:47, Jonathan Lee wrote: The reason I ask is sometimes Facebook when I am using it locks up and my fan goes crazy I close Safari and restart the browser and it works fine again. It acts like it is restarting a download over and over again. Because it is. Those websites use

Re: [squid-users] Upgrade path from squid 4.15 to 6.x

2024-06-14 Thread Amos Jeffries
Regarding the OP question: Upgrade for all Squid-3 is to: * read release notes of N thru M versions (as-needed) about existing feature changes * install the new version * run "squid -k parse" to identify mandatory changes * fix all "FATAL" and "ERROR" identified * run with new version

Re: [squid-users] Samba DNS Invalid zone operation IsSigned

2024-06-09 Thread Amos Jeffries
Hi Ronny, This is the Squid users mailing list. You would be better served contacting the Samba help channels for this problem. Cheers Amos On 8/06/24 23:05, Ronny Preiss wrote: Hi Everybody, Does someone know where this comes from and how to solve it? I've changed nothing for weeks.

Re: [squid-users] can't explain 403 denied for authenticated

2024-06-07 Thread Amos Jeffries
On 7/06/24 07:08, Kevin wrote: > >> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com >> http_access deny trellix_phone_cloud >> external_acl_type host_based_filter children-max=15 ttl=0 0X0P+0CL >> acl HostBasedRules external host_based_filter >> http_access allow

Re: [squid-users] can't explain 403 denied for authenticated

2024-06-05 Thread Amos Jeffries
Free config audit inline ... On 6/06/24 05:24, Kevin wrote: Understood.   Here it is: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Re: [squid-users] can't explain 403 denied for authenticated user

2024-05-30 Thread Amos Jeffries
On 25/05/24 07:28, Kevin wrote: Hi, We have 2 external ACLs that take a request's data (IP, authenticated username, URL, user-agent, etc) and uses that information to determine whether a user or host should be permitted to access that URL.   It almost always works well, but we have a

Re: [squid-users] Validation of IP address for SSL spliced connections

2024-05-30 Thread Amos Jeffries
On 30/05/24 18:30, Rik Theys wrote: Hi, On 5/29/24 11:31 PM, Alex Rousskov wrote: On 2024-05-29 17:06, Rik Theys wrote: On 5/29/24 5:29 PM, Alex Rousskov wrote: On 2024-05-29 05:01, Rik Theys wrote: squid doesn't seem to validate that the IP address we're connecting to is valid for the

Re: [squid-users] log_referrer question

2024-05-22 Thread Amos Jeffries
On 22/05/24 07:51, Alex Rousskov wrote: On 2024-05-21 13:50, Bobby Matznick wrote: I have been trying to use a combined log format for squid. The below line in the squid config is my current attempt. logformat combined %>a %[ui %[un [%tl "%rm %ru HTTP/%rv" %>Hs %"%{Referer}>h"

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-16 Thread Amos Jeffries
On 17/05/24 02:23, Bolinhas André wrote: Hi Alex Has I explain, by default I set those directives to off to avoid high cpu consumption. Ah, actually with NTLM auth you are using *more* CPU per transaction with those turned off. The thing is that auth takes a relatively long time to

Re: [squid-users] deny_info URL not working

2024-05-12 Thread Amos Jeffries
On 12/05/24 17:48, Dieter Bloms wrote: Hello, On Sat, May 11, Vilmondes Queiroz wrote: deny_info http://example.com !authorized_ips does it works, if you add the http status code like: deny_info 307:http://example.com !authorized_ips Also the "!" is not valid here. The ACL on deny_info

Re: [squid-users] Dynamic ACL with local auth

2024-05-08 Thread Amos Jeffries
On 8/05/24 19:55, Albert Shih wrote: Le 06/05/2024 à 12:21:10+0300, ngtech1ltda écrit Hi, The right way to do it is to use an external acl helper that will use some kind of database for the settings. Ok. I will check that. The other option is to use a reloadable ACLs file. But those

Re: [squid-users] Linux Noob - Squid Config

2024-05-07 Thread Amos Jeffries
your attention, but they are not related to Squid. Cheers Amos - Josh -Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Monday, May 6, 2024 12:59 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Linux Noob - Squid Config Caution: This email

Re: [squid-users] Linux Noob - Squid Config

2024-05-06 Thread Amos Jeffries
FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-05 Thread Amos Jeffries
On 4/05/24 11:17, Emre Oksum wrote: >In this case, all your tcp_outgoing_addr lines being tested. Most of >them will not match. Sorry I'm not really a Squid guy I was working on it due to a job that I took but I cannot figure this out. What do you mean most of them do not match? Does it mean

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries
On 4/05/24 09:48, Emre Oksum wrote: Hi Amos, >FTR, "debug_options ALL" alone is invalid syntax and will not change >from the default cache.log output Yes, you were right! I was surely missing on that one. I changed debug_options ALL to debug_options ALL 5 and now, I found these warnings in

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries
On 4/05/24 08:33, Emre Oksum wrote: Hi Jonathan, >> Have you attempted to enable debugging ?? Yes, debugging was enabled but as I have pointed out, unfortunately it didn't give any information about the issue. Maybe I was missing something? I don't know. debug_options was ALL in my

Re: [squid-users] Linux Noob - Squid Config

2024-05-03 Thread Amos Jeffries
On 4/05/24 07:59, Piana, Josh wrote: Hey Everyone. I apologize in advance for any lack of formality normally shared on mailing lists such as these, it’s my first time seeking product support in this manner. NO need to apologize. Help and questions is most of what we do here :-) I want

Re: [squid-users] Squid TCP_TUNNEL_ABORTED/200

2024-05-03 Thread Amos Jeffries
On 4/05/24 02:29, Emre Oksum wrote: Hi everyone, I'm having a issue with Squid Cache 4.10 which I cannot fix for weeks now and kinda lost at the moment. I will be appreciated if someone can guide me through the issue I'm having. I need to create a IPv6 HTTP proxy which should match the entry

Re: [squid-users] Best way to utilize time constraints with squid?

2024-05-01 Thread Amos Jeffries
onnections don’t work during the timeframe so that is a plus. Sent from my iPhone On Apr 27, 2024, at 00:41, Amos Jeffries wrote: On 26/04/24 17:15, Jonathan Lee wrote: acl block_hours time 01:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours Is this a good way to time

Re: [squid-users] Container Based Issues Lock Down Password and Terminate SSL

2024-04-27 Thread Amos Jeffries
On 24/04/24 17:27, Jonathan Lee wrote: Hello fellow Squid users I wanted to ask a quick question for use with termination would http access for cache still work with this type of setup and custom refresh patterns? I think it would terminate all but the clients and if they use the cache it

Re: [squid-users] enctype aes256-cts found in keytab but cannot decrypt ticket

2024-04-27 Thread Amos Jeffries
On 24/04/24 17:31, ivc chgaki wrote: hello. i have Samba DC and squid. i created user, then SPN, and then exported keytab and imported him to squid. im using kerberos negotiate helper but when i try go to internet i have popup window with login/password and in cache.log log error 2024/04/21

Re: [squid-users] tls_key_log

2024-04-27 Thread Amos Jeffries
On 25/04/24 19:57, Andrey K wrote: Hello, Does squid 6.9 allow you to log TLS 1.3 keys so that you can then decrypt traffic using Wireshark? I found that there was an issue earlier with using tls_key_log to decrypt TLS 1.3:

Re: [squid-users] Best way to utilize time constraints with squid?

2024-04-27 Thread Amos Jeffries
On 26/04/24 17:15, Jonathan Lee wrote: acl block_hours time 01:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours Is this a good way to time lock squid with times lock down? That depends on your criteria/definition of "good". Be aware that http_access only checks *new*

Re: [squid-users] Container Based Issues Lock Down Password and Terminate SSL

2024-04-23 Thread Amos Jeffries
On 23/04/24 11:52, Jonathan Lee wrote: Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users I think this might resolve any container based issues/fears if they happened to get into the cache. Ie a Docker Proxy got installed and tried to data marshal the network card

Re: [squid-users] Warm cold times

2024-04-23 Thread Amos Jeffries
On 22/04/24 17:42, Jonathan Lee wrote: Has anyone else taken up the fun challenge of doing windows update caching. It is amazing when it works right. It is a complex configuration, but it is worth it to see a warm download come down that originally took 30 mins instantly to a second client. I

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-11 Thread Amos Jeffries
On 11/04/24 08:22, Jonathan Lee wrote: Could it be related to this ?? "WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'. error:1E08010C:DECODER routines::unsupported” That would certainly make Squid unable to use EC (Elliptic Curve) ciphers. Unfortunately OpenSSL is not

Re: [squid-users] Squid as a http/https transparent web proxy in 2024.... do I still have to build from source?

2024-04-11 Thread Amos Jeffries
On 11/04/24 21:55, PinPin Poola wrote: I don't care which Linux distro tbh; but would prefer Ubuntu as I have most familiarity with it. Latest Ubuntu provide the "squid-openssl" package, which contains the SSL-Bump and other OpenSSL-exclusive features. Just install that package as you

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-04-06 Thread Amos Jeffries
On 6/04/24 18:48, Jonathan Lee wrote: Correction I can’t access it from the loop back From the config in the other "Squid cache questions" thread you are only intercepting traffic on the loopback 127.0.0.1:3128 port. You cannot access it directly on "localhost". You do have direct proxy

Re: [squid-users] Squid cache questions

2024-04-06 Thread Amos Jeffries
On 6/04/24 11:34, Jonathan Lee wrote: if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) { // Modern cipher suites $sslproxy_cipher =

Re: [squid-users] Squid cache questions

2024-04-06 Thread Amos Jeffries
On 5/04/24 17:25, Jonathan Lee wrote: ssl_bump splice https_login ssl_bump splice splice_only ssl_bump splice NoSSLIntercept ssl_bump bump bump_only markBumped ssl_bump stare all acl markedBumped note bumped true url_rewrite_access deny markedBumped for good hits should the url_rewrite_access

Re: [squid-users] Squid cache questions

2024-04-04 Thread Amos Jeffries
On 4/04/24 17:48, Jonathan Lee wrote: Is there any particular order to squid configuration?? Yes. Does this look correct? Best way to find out is to run "squid -k parse", which should be done after upgrades as well to identify

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-03 Thread Amos Jeffries
There is no way to configure around this. The error produced by Squid is a hard-coded reaction to TLS level errors in the SSL-Bump process. Squid needs some significant code redesign to do a better job of handling the situation. Which I understand is already underway, but still some way off

Re: [squid-users] BWS after chunk-size

2024-04-03 Thread Amos Jeffries
On 2/04/24 16:03, root wrote: Hi Team, after an upgrade from squid 5.4.1 to squid 5.9, unable to parse HTTP chunked response containing whitespace after chunk size. > I think the following bugs were fixed and worked fine in squid 5.9 and earlier.

Re: [squid-users] GCC optimizer is provably junk. Here is the evidence.

2024-03-24 Thread Amos Jeffries
This inflammatory post is not relevant to Squid. Please do not followup to this thread. Cheers Amos Jeffries The Squid Software Foundation ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid

Re: [squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-13 Thread Amos Jeffries
On 12/03/24 04:31, Dieter Bloms wrote: Hello, after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot of messages from type: ICAP_ERR_GONE/000 ICAP_ERR_OTHER/200 ICAP_ERR_OTHER/408 ICAP_ERR_OTHER/204 and some of our users claim about bad performance and some get "empty

Re: [squid-users] Manipulating request headers

2024-03-11 Thread Amos Jeffries
On 12/03/24 04:00, Ben Goz wrote: By the help of God. Hi all, I'm using squid with ssl-bump I want to remove br encoding for request header Accept-Encoding currently I'm doing it using the following configuration: request_header_access Accept-Encoding deny all request_header_add

Re: [squid-users] Squid Proxy timing out 500/503 errors

2024-03-05 Thread Amos Jeffries
On 6/03/24 07:23, M, Anitha (CSS) wrote: Hi team, We are using squid service deployed as a KVM VM on SLES 15 Sp5 os image. We are using squid. Rpm: *squid-5.7-150400.3.20.1.x86_64* ** We are seeing too many 503 errors with this version of squid. This is the squid configuration file. Pls

[squid-users] [squid-announce] [ADVISORY] SQUID-2024:1 Denial of Service in HTTP Chunked Decoding

2024-03-04 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2024:1 __ Advisory ID: | SQUID-2024:1 Date: | Mar 4, 2024 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2024:2 Denial of Service in HTTP Header parser

2024-03-04 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2024:2 __ Advisory ID: | SQUID-2024:2 Date: | Feb 15, 2024 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:11 Denial of Service in Cache Manager

2024-03-04 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:11 __ Advisory ID: | SQUID-2023:11 Date: | Jan 24, 2024 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:10 Denial of Service in HTTP Request parsing

2024-03-04 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:10 __ Advisory ID: | SQUID-2023:10 Date: | Dec 10, 2023 Summary: | Denial of

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Amos Jeffries
On 5/03/24 08:03, Dragos Pacher wrote: Hello, I am a Squid beginner and we would like to use Squid inside our organization only as a HTTPS traffic inspection/logging tool for some 3rd party apps that we bought, something close to what a "MITM proxy" is called but we will not do that, instead

Re: [squid-users] ICAP response to avoid backend

2024-02-26 Thread Amos Jeffries
On 26/02/24 06:52, Ed wrote: On 2024-02-24 17:26+, Ed wrote: In varnish land this is doable in the vcl_miss hook, but I don't know how to do that in squid. I think I found a way, but maybe there's a better method - I'd like to the cache_peer_access to apply to all backends, but this does

Re: [squid-users] Can't verify the signature of squid-6.7.tar.gz

2024-02-26 Thread Amos Jeffries
, I still get an issue, although a slightly different one: #gpg --verify squid-6.7.tar.gz.asc squid-6.7.tar.gz gpg: Signature made Tue 06 Feb 2024 10:51:28 PM EET using ? key ID FEF6E865 gpg: Can't check signature: Invalid public key algorithm On Thu, Feb 8, 2024 at 7:58 AM Amos Jeffries wrote

Re: [squid-users] Squid Segment Violation with authorization

2024-02-15 Thread Amos Jeffries
On 16/02/24 15:30, Eternal Dreamer wrote: Hi! When I'm trying to send curl request with provided basic proxy-authorization credentials through my proxy I see Segment Violation error in my logs and empty reply from server. Command is: curl -v --proxy-basic --proxy-user login:password --proxy

Re: [squid-users] Error files removed from 6.7

2024-02-14 Thread Amos Jeffries
On 15/02/24 05:01, Stephen Borrill wrote: I see the translations of error messages have been removed from 6.7 compared to 6.6 (and earlier), but I see no mention of this in the changelog: https://github.com/squid-cache/squid/blob/552c2ceef220f3bbcdbedf194eae419fc791098e/ChangeLog Was this

Re: [squid-users] Anyone build Squid for on multiarch ie arm and arm64?

2024-02-13 Thread Amos Jeffries
On 13/02/24 07:22, ngtech1ltd wrote: I have couple RouterOS devices which supports containers with the next CPU arches: • x86_64 • arm64 • armv6 • armv7 And I was wondering if someone bothered compiling squid containers for these arches? I know that there are packages for Debian and Ubuntu

Re: [squid-users] Can't verify the signature of squid-6.7.tar.gz

2024-02-07 Thread Amos Jeffries
licate signature removed gpg: key B268E706FF5CF463: 4 signatures not checked due to missing keys gpg: /tmp/squid/trustdb.gpg: trustdb created gpg: key B268E706FF5CF463: public key "Amos Jeffries " imported gpg: key 4250AB432402F2F8: 1 signature not checked due to a missing key gpg: key

Re: [squid-users] stale-if-error returning a 502

2024-02-07 Thread Amos Jeffries
On 8/02/24 07:45, Robin Carlisle wrote: Hi, I have just started my enhanced logging journey and have a small snippet below that might illuminate the issue ... /2024/02/07 17:06:39.212 kid1| 88,3| client_side_reply.cc(507) handleIMSReply: origin replied with error 502, forwarding to client

Re: [squid-users] Is Squid 6 production ready?

2024-01-31 Thread Amos Jeffries
On 1/02/24 11:22, Miha Miha wrote: On 10/01/24 12:18, Miha Miha wrote: Release note of latest Squid 6.6 says: "...not deemed ready for production use..." For comparison Squid 5.1 was 'ready'. When v6 is expected to be ready for prod systems? On Fri, Jan 12, 2024 at 3:37 PM Amo

Re: [squid-users] Security advisories are not accessible

2024-01-29 Thread Amos Jeffries
Thanks for the notice. This appears to be a github issue that has been occurring to many other projects for at least 5hrs now. For now we can only hope that it gets resolved soon Cheers Amos On 30/01/24 01:50, Adam Majer wrote: Hi, http://www.squid-cache.org/Versions/v6/ lists security

Re: [squid-users] offline mode not working for me

2024-01-20 Thread Amos Jeffries
On 20/01/24 02:05, Robin Carlisle wrote: I do have 1 followup question which I think is unrelated, let me know if etiquette demands I create a new post for this. When I test using chromium browser, chromium sends OPTION requests- which I think is something to do with CORS.   These always

Re: [squid-users] offline mode not working for me

2024-01-18 Thread Amos Jeffries
On 19/01/24 03:53, Robin Carlisle wrote: Hi, Hoping someone can help me with this issue that I have been struggling with for days now.   I am setting up squid on an ubuntu PC to forward HTTPS requests to an API and an s3 bucket under my control on amazon AWS.  The reason I am setting up the

Re: [squid-users] Is Squid 6 production ready?

2024-01-12 Thread Amos Jeffries
On 10/01/24 12:18, Miha Miha wrote: Release note of latest Squid 6.6 says: "...not deemed ready for production use..." For comparison Squid 5.1 was 'ready'. When v6 is expected to be ready for prod systems? Sorry, that is an oversight in the release notes text. Removing it now. Squid 6 is

Re: [squid-users] squid hangs and dies and can not be killed - needs system reboot

2023-12-19 Thread Amos Jeffries
On 19/12/23 16:29, Amish wrote: Hi Alex, Thank you for replying. On 19/12/23 01:14, Alex Rousskov wrote: On 2023-12-18 09:35, Amish wrote: I use Arch Linux and today I updated squid from squid 5.7 to squid 6.6. > Dec 18 13:01:24 mumbai squid[604]: kick abandoning conn199 I do not know

Re: [squid-users] IP based user identification/authentication

2023-12-07 Thread Amos Jeffries
On 7/12/23 15:34, Andrey K wrote: Hello, I was interested if I can configure some custom external helper that will be called before any authentication helpers and can perform user identification/authentication based on the client src-IP address. Well, yes and no. The order of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:9 __ Advisory ID: | SQUID-2023:9 Date: | December 1, 2023 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:8 Denial of Service in Helper Process management

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:8 __ Advisory ID: | SQUID-2023:8 Date: | December 1, 2023 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:7 Denial of Service in HTTP Message Processing

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:7 __ Advisory ID: | SQUID-2023:7 Date: | December 1, 2023 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:4 Denial of Service in SSL Certificate validation

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:4 __ Advisory ID: | SQUID-2023:4 Date: | November 2, 2023 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:5 Denial of Service in FTP

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:5 __ Advisory ID: | SQUID-2023:5 Date: | October 22, 2023 Summary: | Denial of

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:1 Request/Response smuggling in HTTP(S) and ICAP

2023-12-01 Thread Amos Jeffries
fidence until the impact has been established. __ Credits: This vulnerability was discovered by Keran Mu and Jianjun Chen, from Tsinghua University and Zhongguancun Laboratory. Fixed by Amos Jeffries of Treehouse Networks Ltd. ___

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:2 Multiple issues in HTTP response caching

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:2 __ Advisory ID: | SQUID-2023:2 Date: | October 22, 2023 Summary: | Multiple

[squid-users] [squid-announce] [ADVISORY] SQUID-2023:3 Denial of Service in HTTP Digest Authentication

2023-12-01 Thread Amos Jeffries
__ Squid Proxy Cache Security Update Advisory SQUID-2023:3 __ Advisory ID: | SQUID-2023:3 Date: | October 22, 2023 Summary: | Denial of

Re: [squid-users] SSL Virtual Hosting Problem

2023-12-01 Thread Amos Jeffries
On 1/12/23 04:55, Mario Theodoridis wrote: I do have one more problem at this point. Using openssl i can work with what i have below, but i cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \     tls-cert=/etc/ssl/certs/regify.com.pem \    

Re: [squid-users] Module c-icap help

2023-11-30 Thread Amos Jeffries
On 30/11/23 22:22, MIKA wrote: Hello everyone, Thank you again for all the work you were able to do on this project. I try to control the cookies with squid but it's impossible. the c-icap module in the squid.conf file does not seem to work because the c-icap server does not seem to work. Can

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Amos Jeffries
On 28/11/23 23:29, Mario Theodoridis wrote: Hello everyone, i'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers

Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread Amos Jeffries
On 27/11/23 23:05, David Komanek wrote: On 11/27/23 10:40, Amos Jeffries wrote: On 27/11/23 22:21, David Komanek wrote: here are the debug logs (IP addresses redacted) after connection attempt to https://samba.org/ : ... 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274

Re: [squid-users] Https from sibling peers does not work

2023-11-27 Thread Amos Jeffries
On 27/11/23 22:38, Mihkel Tammepuu wrote: Hello! I am trying to set up a sibling cluster of 4 Squid instances. The purpose of the cluster is redundancy AND sharing cache disk space. FWIW, if these are running on the same machine you may find SMP workers with rock type cache_dir easier to

Re: [squid-users] Intercepted connections are not bumped

2023-11-27 Thread Amos Jeffries
On 23/11/23 23:05, Andrea Venturoli wrote: Hello. I've got the following config:

...
http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem

Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread Amos Jeffries
On 27/11/23 22:21, David Komanek wrote: here are the debug logs (IP addresses redacted) after connection attempt to https://samba.org/ : ... 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY: - HTTP/1.1 400 Bad Request Server: squid/6.5

Re: [squid-users] What's this 'errorno=104' error?

2023-11-22 Thread Amos Jeffries
On 22/11/23 07:01, Wen Yue wrote: I configured Squid6.3 as a MITM proxy and used Chrome to browse web pages through this Squid proxy, such as twitter.com. However, I noticed these error messages in the cache.log: ... 2023/11/22 01:33:38 kid1| ERROR: system call failure while accepting a TLS

Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-22 Thread Amos Jeffries
On 22/11/23 23:03, David Komanek wrote: Hello, I have a strange problem (definitely some kind of my own ignorance): If I try to access anything on the site https://www.samba.org WITHOUT proxy, my browser negotiates happily for http/2 protocol and receives all the data. For

Re: [squid-users] mime.conf path

2023-11-12 Thread Amos Jeffries
On 13/11/23 09:35, Sai Eshwar wrote: Hello, I am trying to install squid on CentOS without root privilege following the information present at https://stackoverflow.com/questions/36651091/how-to-install-packages-in-linux-centos-without-root-user-with-automatic-depen

Re: [squid-users] access.log - POST requests

2023-11-04 Thread Amos Jeffries
On 4/11/23 20:53, Stefan Meurer wrote: Hello, is there a way to remove out all POST requests from access.log file?

acl POST method POST
access_log stdio:/var/log/squid/access.log format=squid !POST

Cheers Amos

Re: [squid-users] [DMARC] log_db_daemon errors

2023-11-03 Thread Amos Jeffries
On 3/11/23 08:14, jose.rodriguez wrote: On 2023-11-02 13:46, Brendan Kearney wrote: list members, i am trying to log to a mariadb database, and cannot get the log_db_daemon script working.  i think i have everything setup, but an error is being thrown when i try to run the script manually.

Re: [squid-users] Cache NTLM Authenticaion

2023-10-27 Thread Amos Jeffries
On 27/10/23 14:08, Andre Bolinhas wrote: Hi It's possible squid cache NTLM authentication from users? NTLM tokens are unique per TCP connection. So no, caching is a pointless waste of CPU and memory. The best that can be done already is. My goal is to store the credentials in cache in

Re: [squid-users] [ext] Re: Squid 6.4 assertion errors: FATAL: assertion failed: stmem.cc:98: "lowestOffset () <= target_offset" current master transaction: master655 (backtrace)]

2023-10-24 Thread Amos Jeffries
On 24/10/23 22:26, Ralf Hildebrandt wrote: I'll add a "me too" to this. 6.3 reliable, 6.4 crashes and this is under _very_ low load. NetBSD 9.3_STABLE. You can check the debugging recommendation in https://bugs.squid-cache.org/show_bug.cgi?id=5309 I'll try 6.4 on my test proxy now (with very

Re: [squid-users] Spliced domains tunnel connect is very slow

2023-10-19 Thread Amos Jeffries
On 19/10/23 01:21, Ben Goz wrote: By the help of God. Hi, I saw in my access log traces that show that spliced URLs tunneling is very slow: Please clarify what you mean by "slow"? How have you determined speed? What speed are you expecting / would you call non-slow? FYI,

Re: [squid-users] How to configure a transparent, pass-all, Squid proxy?

2023-10-19 Thread Amos Jeffries
On 20/10/23 07:17, Bud Miljkovic wrote:

Chain EXTERNAL_RULES (2 references)
 pkts bytes target prot opt in out source    destination
83158   15M DROP   all  --  *  *   0.0.0.0/0 0.0.0.0/0

FYI, All of the traffic leaving the machine is being dropped by your iptables
