Re: [squid-users] Recommended squid settings when using IPS-based domain blocking

2024-03-13 Thread Jason Marshall
I would certainly be willing to give it a shot, yes! Thank you! Jason

[squid-users] Recommended squid settings when using IPS-based domain blocking

2024-03-06 Thread Jason Marshall
1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 debug_options rotate=1 ALL,2 negative_dns_ttl 0 seconds dns_timeout 5 seconds Thank you for any help that you can provi

Re: [squid-users] A few things about Squid-cache

2023-09-24 Thread Jason Long
Hello, Thank you so much for your reply. 1- Regarding security, what parameters should be changed or added in the configuration file? 2- How to configure Squid-cache service for 1000 clients? On Sat, Sep 23, 2023 at 12:26 AM, Francesco Chemolli wrote: Hi Jason! Squid is a complex piece

[squid-users] A few things about Squid-cache

2023-09-21 Thread Jason Long
Hello, I have some questions: 1- What tips should be considered to keep Squid-cache safe? 2- How strong is Squid-cache? How many users can use it at the same time? 3- Can Squid-cache also play the role of a firewall? Something like the Microsoft ForeFront TMG Replacement or the Kemp LoadMaster.

Re: [squid-users] Does Squid-cache support SOCKS5 protocol?

2023-09-12 Thread Jason Long
Hello, Thank you so much for your reply. Dante (https://www.inet.no/dante/)? How does it perform? Can it also act as an HTTP server? On Tuesday, September 12, 2023 at 10:08:01 AM GMT+3:30, Matus UHLAR - fantomas wrote: >On 9/11/23 4:23 AM, Jason Long wrote: >>Does the Sq

Re: [squid-users] Does Squid-cache support SOCKS5 protocol?

2023-09-11 Thread Jason Long
 PM Jason Long wrote: > Hello, > Can I use Squid-cache to set up a SOCKS5 proxy server? > > Thank you > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-user

[squid-users] Does Squid-cache support SOCKS5 protocol?

2023-09-10 Thread Jason Long
Hello, Can I use Squid-cache to set up a SOCKS5 proxy server? Thank you

Re: [squid-users] Squid-cache authentication is not working

2023-09-09 Thread Jason Long
Hello, Thanks again. You're right, I must move the following lines after the authentication lines: http_access allow localnet http_access allow localhost http_access deny all It worked. On Sunday, September 10, 2023 at 01:57:32 AM GMT+3:30, Alex Rousskov wrote: On 2023-09-09 15:09, Jason

Re: [squid-users] Squid-cache authentication is not working

2023-09-09 Thread Jason Long
ote: On 2023-09-09 09:09, Jason Long wrote: > Hello, > I installed the Squid-cache on Debian 12, then I installed the Apache utils: > > $ sudo apt install apache2-utils > > After it, I did the following steps: > > $ sudo touch /etc/squid/passwd > $ sudo chown proxy /e

[squid-users] Squid-cache authentication is not working

2023-09-09 Thread Jason Long
Hello, I installed the Squid-cache on Debian 12, then I installed the Apache utils: $ sudo apt install apache2-utils After it, I did the following steps: $ sudo touch /etc/squid/passwd $ sudo chown proxy /etc/squid/passwd Then: $ sudo htpasswd /etc/squid/passwd jason After it, I opened

[squid-users] ACL evaluation from ICAP response header

2022-04-01 Thread Jason Spashett
, but it doesn't seem a good option in any case. - Jason

[squid-users] Domain fronting detection

2022-03-15 Thread Jason Spashett
examine each and every Host header and compare it to the TLS SNI to see if there is a discrepancy. Looking at the code at the moment I can only see absolute URL vs host header checks, which do not appear to look at the CONNECT TLS SNI, which I think to be found in the master xaction. Regards, Jason

Re: [squid-users] squid-5.4 blocking on ipv6 outage

2022-02-21 Thread Jason Haar
again (I have never seen this before) I'll be sure to do the debugging thang. On Tue, Feb 22, 2022 at 3:16 AM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2/20/22 20:43, Jason Haar wrote: > > > I've noticed that the Internet ipv6 is not quite as reliable as ipv

[squid-users] squid-5.4 blocking on ipv6 outage

2022-02-20 Thread Jason Haar
what's going on there? thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squi

Re: [squid-users] security_file_certgen I/O

2021-12-01 Thread Jason Spashett
On Wed, 1 Dec 2021 at 18:29, Alex Rousskov wrote: > > On 12/1/21 12:06 PM, David Touzeau wrote: > > > > Hi > > > > We used Squid 5.2 and we see that security_file_certgen consume I/O > > Is there any way to put the ssldb in memory without need to mount a tmpfs ? > > Yes, there are at least two

Re: [squid-users] squid5: assert with IPv6 address

2021-11-30 Thread Jason Spashett
Hello Alex, Thanks I did not see that one. ... > AFAICT, this assertion is tracked as Bug 5154: > https://bugs.squid-cache.org/show_bug.cgi?id=5154 ... ___ squid-users mailing list squid-users@lists.squid-cache.org

[squid-users] squid5: assert with IPv6 address

2021-11-30 Thread Jason Spashett
a07056701e in SquidMain (argc=, argv=) at main.cc:1716 #16 0x55a07040fac1 in SquidMainSafe (argv=0x7ffc00c111b8, argc=6) at main.cc:1403 #17 main (argc=6, argv=0x7ffc00c111b8) at main.cc:1391 Regards, Jason ___ squid-users mailing list squid-users@l

Re: [squid-users] acl / format code evaluation

2021-11-05 Thread Jason Spashett
hat %master_xaction is a counter which resets when you restart squid, and is not unique among squids (or restarts), is there not a case to be made for making one available? Regards, Jason

Re: [squid-users] acl / format code evaluation

2021-11-05 Thread Jason Spashett
est may dematerialise, but by this time is there not a note on the client connection with conn_id="some already-evaluated thing" which persists until the client connection closes? What perhaps you mean is that the client connection object does change on account of the connect being intercep

[squid-users] acl / format code evaluation

2021-11-04 Thread Jason Spashett
Hello, I am using squid 5, and after reading the following I have attempted to link the connect requests to the other requests within a TLS tunnel. http://lists.squid-cache.org/pipermail/squid-users/2021-April/023526.html I added an extra log format code to squid 5, called %random, which always

Re: [squid-users] ICAP latency information, Bench-marking

2021-07-27 Thread Jason Spashett
If you look at the squid logformat page you can find various additional logging options available to start with, such as ICAP processing time. This is a good place to start if you are not using a custom format already: http://www.squid-cache.org/Doc/config/logformat/ .e.g.

Re: [squid-users] SNMP mib data a subset of that available via cache:// ?

2021-07-05 Thread Jason Spashett
On Mon, 5 Jul 2021 at 17:02, Alex Rousskov wrote: > > On 7/5/21 11:19 AM, Jason Spashett wrote: > > > I saw some anecdotal information on the web that said the SNMP data > > available from squid was a restricted subset of that available via the > > cache-manager inter

[squid-users] SNMP mib data a subset of that available via cache:// ?

2021-07-05 Thread Jason Spashett
Hello, I saw some anecdotal information on the web that said the SNMP data available from squid was a restricted subset of that available via the cache-manager interface. Is this still largely the case? Looking to use squid4, and 5, shortly. Regards, Jason

[squid-users] More detail for access logs on error

2021-06-29 Thread Jason Spashett
they do play a role in the causal chain of events. Does anyone have any suggestions on extracting further details in the case of failed requests? Regards, Jason ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org

Re: [squid-users] Proxy auth exception

2020-09-15 Thread Jason Loel
Got it! Just add the following line before: acl vip dst 192.168.1.10 http_access allow vip Sorry for the noise. On 2020-09-15 11:08, Jason Loel wrote: Hi, I use Squid 4.6 with Debian 10 (Buster). I use Kerberos Authentication and it works: auth_param negotiate program /usr/lib

[squid-users] Proxy auth exception

2020-09-15 Thread Jason Loel
Hi, I use Squid 4.6 with Debian 10 (Buster). I use Kerberos Authentication and it works : auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.lab@lab.lan auth_param negotiate children 10 auth_param negotiate keep_alive on acl lan proxy_auth REQUIRED

[squid-users] XSS issue only affects bump doesn't it?

2018-10-28 Thread Jason Haar
ability? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squi

[squid-users] unsubscribe

2018-03-21 Thread Jason Zions
unsubscribe

Re: [squid-users] Secure basic authentication on Squid

2017-12-05 Thread Jason Haar
please *don't* > CC me. > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > > > __

Re: [squid-users] dumb question: how to get http server IP into logs?

2017-08-09 Thread Jason Haar
f Of Amos Jeffries > Sent: Monday, July 31, 2017 13:22 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] dumb question: how to get http server IP into > logs? > > On 30/07/17 22:02, Jason Haar wrote: > > Hi there > > > > We're running squid-3.5.2

[squid-users] dumb question: how to get http server IP into logs?

2017-07-30 Thread Jason Haar
that by default? (DIRECT/1.2.3.4?). All our logs are now "HIER_DIRECT" Thanks -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-use

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-11 Thread Jason Chiu
I reconfigured add " --with-nat-devpf " (squid-3.5.24 on FreeBSD 9.1) This issue *has been resolved* thanks to Amos Jeffries The follow is my squid version and configure. Squid Cache: Version 3.5.24-20170331-r14150 Service Name: squid configure options: '--prefix=/usr/local/squid'

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
test case 1 : - I changed my squid setting (don't use intercept mode) http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB thab client Web Browser set proxy to 192.168.95.81:3129

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
I also tested the following cases test case 1: add the following settings in squid.conf acl bumpedPorts myportname 3129 http_access allow CONNECT bumpedPorts test results: ssl bump is failed 1. access.log no record 2. web browser has been waiting , no response

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I also tested the following cases test case 1: add the following settings in squid.conf acl bumpedPorts myportname 3129 http_access allow CONNECT bumpedPorts test results: ssl bump is failed 1. access.log no record 2. web browser has been waiting , no response

[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I had a FreeBSD 9.1 bridge (em0, em1) environment, Use "pf rdr to" redirect HTTPS (port 443) packets to squid (squid 127.0.0.1: 3129) Squid *3.3.11* ssl bump is OK. The following is the setting of squid 3.3.11 Squid Cache: Version 3.3.11-20140220-r12672 Configure options: '--prefix = / usr /

Re: [squid-users] Squid stopped working after cache.log and access.log rotation

2017-03-22 Thread Jason B. Nance
If you do "lsof /var/log | grep -i delete" does it show squid writing to a deleted access.log / cache.log? j From: "Chee M Gui" To: squid-users@lists.squid-cache.org Sent: Wednesday, March 22, 2017 10:17:32 AM Subject: [squid-users] Squid stopped working after

Re: [squid-users] URL list from a URL

2017-03-22 Thread Jason B. Nance
--- Original Message - From: "Alex Rousskov" <rouss...@measurement-factory.com> To: squid-users@lists.squid-cache.org Cc: "Jason Nance" <ja...@tresgeek.net> Sent: Tuesday, March 21, 2017 4:42:33 PM Subject: Re: [squid-users] URL list from a URL On 03/21/2017 02:30

Re: [squid-users] URL list from a URL

2017-03-21 Thread Jason B. Nance
, March 21, 2017 1:19:43 PM Subject: Re: [squid-users] URL list from a URL Yes. Functionality you required is: http://wiki.squid-cache.org/Features/StoreID 21.03.2017 21:52, Jason B. Nance wrote: > Hello, > > I'm using Squid 3.5.20 and wonder if it is possible to define an ACL wh

Re: [squid-users] URL list from a URL

2017-03-21 Thread Jason B. Nance
oinov" <yvoi...@gmail.com> To: squid-users@lists.squid-cache.org Sent: Tuesday, March 21, 2017 1:19:43 PM Subject: Re: [squid-users] URL list from a URL Yes. Functionality you required is: http://wiki.squid-cache.org/Features/StoreID 21.03.2017 21:52, Jason B. Nance wrote: > Hello,

[squid-users] URL list from a URL

2017-03-21 Thread Jason B. Nance
Hello, I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which retrieves the list of URLs from another URL (similar to pointing to a file). In this specific use case it is to allow a Foreman server to sync Yum content from the CentOS mirrors. I tell Foreman to use the

Re: [squid-users] Peeking on TLS traffic: unknown cipher returned

2016-10-19 Thread Jason Haar
t to avoid as I believe it has no future due to pinning. Off to upgrade to 3.5.22 :-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 _

[squid-users] Problem with Squid3 Caches

2016-10-03 Thread Jason Alexander
Greetings - I'm trying to install squid on an Ubuntu workstation in a VM. I install squid but unable to initialize caches. I get the following error: Initializing the Squid cache with the command squid3 -f /etc/squid/squid.conf -z ..FATAL: Bungled /etc/squid/squid.conf line 3467: cache_dir rock

Re: [squid-users] SSO and Squid, SAML 2.0 ?

2016-09-22 Thread Jason Haar
is more secure over cleartext - but it's also noticeably slower than Basic over latency links, so you can choose your poison there If you're really keen, you can actually do proxy-over-TLS via WPAD with Firefox/Chrome - at which point I'd definitely recommend Basic for the performance reasons ;-)

Re: [squid-users] Cannot get ACL to work

2016-09-15 Thread Jason Leshchyshyn
It's version 3.3.8 Sent from my Bell Samsung device over Canada's largest network. Original message From: erdosain9 Date: 2016-09-14 8:05 PM (GMT-07:00) To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Cannot get ACL to work Hi.

[squid-users] Cannot get ACL to work

2016-09-13 Thread Jason Leshchyshyn
Ugh, I am trying to get Squid to deny access to a particular AD group, but when I enable the rule, then it denies everyone. This is what I have in squid.conf # NTLM auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 15 auth_param

Re: [squid-users] Browser circunvents acl's blocking https (intercept mode)

2016-04-23 Thread Jason Haar
lls block it so as to force it to tcp/443 - but you're implying there are yet more alternatives? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

[squid-users] Need help with Squid on Windows

2016-04-22 Thread Jason Spegal
not seeing this when squid tried to execute it, so I'm fairly certain it has something to do with the execution of the script rather than a problem with the script itself. I've also examined the permissions, and those should be good. Thanks in advance for the help. --Jason squid.conf

Re: [squid-users] grove.microsoft.com

2016-04-14 Thread Jason Haar
sponse to a public > records request, do not send electronic mail to this entity. Instead, > contact this office by phone or in writing. > > > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid

Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
5 acl SSL_https port 443 ssl_bump splice SSL_https On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino < vitoantonio.smald...@istruzione.it> wrote: > Hi all, > great, i'm just searching for this. Jason can you kindly post the whole > squid.conf? > Thanks > V > >

Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
to this simplest case for the moment and avoid the "peek" call Thanks! Jason On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries <squ...@treenet.co.nz> wrote: > On 21/03/2016 10:29 a.m., Jason Haar wrote: > > Hi there > > > > I'm wanting to use tls intercept to just log (well

[squid-users] intercepting tcp/443 purely for logging purposes

2016-03-20 Thread Jason Haar
intercept basically ditches the tcp/443 connection - which is as good as it gets without getting into the wonderful world of real "bump" -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE

Re: [squid-users] SSL Peek and Splice with SIP over TCP

2016-03-09 Thread Jason Haar
Or use socat. I have used it to allow ancient SSLv3-only clients to communicate with TLS-only servers. Jason On Thu, Mar 10, 2016 at 12:28 AM, Amos Jeffries <squ...@treenet.co.nz> wrote: > On 9/03/2016 6:53 p.m., Howard Kranther wrote: > > Hello, I am investigating the use of sq

Re: [squid-users] host header forgery false positives

2016-02-15 Thread Jason Haar
On Tue, Feb 16, 2016 at 2:48 AM, Amos Jeffries <squ...@treenet.co.nz> wrote: > Thanks for the reminder. I don't recall seeing a bug report being made. > Though Jason has sent me a more detailed cache.log trace to work with. > Yeah - I actually got half-way through putting in a b

[squid-users] any way to get squid-4 compiled on CentOS-6?

2016-02-12 Thread Jason Haar
anyone figured out how to get squid-4 working on such older systems? Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [squid-users] https full url

2016-01-17 Thread Jason Haar
y like content filtering proxies find it hard to keep up as they have become the enemy (because they can be used for evil as well as good). -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9

[squid-users] host header forgery false positives

2016-01-11 Thread Jason Haar
navailable really isn't an option (in the case of "peek-and-splice" over intercepted they seem to hang forever when this error occurs). Perhaps an option to change its behaviour would be better? eg enable/disable and maybe "ignore client and use the IP addresses squid thinks are

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
e scraping are you also filtering for duplicates and reducing > multiple URLs in one doman down to fewer entries? Yeah - no dupes - but no manually reading to figure out patterns either. That would take a human eye - and I want set-and-forget automation -- Cheers Jason Haar Corporate Informa

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
acl type - so regex it is (can't use dstdomain because we want to block "http://good.site/bad.url" - not all of "good.site") -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-06 Thread Jason Haar
1sec). I'd say "outsourcing" this kind of function to another process (such as url_rewriter or ICAP) still has its advantages ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7

Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-05 Thread Jason Haar
files that allowed for rapid searching for matches - is this done within squid now? (presumably it wasn't some time ago?). If so, is that done in memory or via the acl files? (ala SG) - the former means a much slower squid startup? Thanks -- Cheers Jason Haar Corporate Information Security Manager, T

Re: [squid-users] confused over ipv6 failing on ipv4-only network

2016-01-05 Thread Jason Haar
On 06/01/16 17:39, Amos Jeffries wrote: > On 6/01/2016 5:04 p.m., Jason Haar wrote: >> Hi there >> >> Weird - several times in the past couple of months I have found I cannot >> get to http://wiki.squid-cache.org/ - I get the error below from my >> squid-3.5.11 se

[squid-users] confused over ipv6 failing on ipv4-only network

2016-01-05 Thread Jason Haar
request again. Your cache administrator is webmaster. -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing lis

Re: [squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
at what cache.log says about > the state of the request that is being checked and failing. I think we know what the problem is: TOR is making TLS connections (I don't know if they're HTTPS) on port 443 and uses SNI names that aren't real? -- Cheers Jason Haar Corporate Information Security Manager

Re: [squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
acl SSL_https port 443 ssl_bump splice SSL_https -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 signature.asc Description: OpenPGP digital signat

[squid-users] Host header forgery affects pure splice environment too?

2015-12-27 Thread Jason Haar
ssfully used TOR, it must have cached a bunch of things because I then re-enabled intercept and it's no longer making any tcp/443 connections - it goes straight out on other "native" TOR ports. So it may be this can only be tested on a fresh install (or after some cache timeout period) --

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Jason Haar
ient browser. Could that be DNS? Is the server configured to use valid DNS servers? Check each of them yourself to see what their response times are like, eg time nslookup some.valid.site.that.isn't.in.cache maybe you'll see 2sec show up on one of them... -- Cheers Jason Haar Corporate Informat

Re: [squid-users] debug skype ssl_bump numeric ips to be spliced

2015-10-15 Thread Jason Haar
On 15/10/15 14:25, Amos Jeffries wrote: > All those lines imply is a certificate verify problem inside the SSL > library. Would it be possible to put the ip:port in those error messages? Would certainly help answer those questions... -- Cheers Jason Haar Corporate Information Security M

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
this can't have anything to do with Elliptic Curves or pinning Jason On 15/10/15 12:19, Alex Rousskov wrote: > On 10/14/2015 05:00 PM, Dan Charlesworth wrote: > >> I feel like if server-first is working there must be *some* >> combination of peek/stare/bump that’ll

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
On 16/10/15 13:08, Dan Charlesworth wrote: > ORLY > > I seem to recall this happening on 10.10 as well, but it could be an El > Capitan thing. Do you mind reminding me of your squid config Jason? With my config I trying to "aggressively" figure out if the transaction is s

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-15 Thread Jason Haar
t; k=/System/Library/Keychains/X509Anchors > /dev/null 2>&1 || true The "ipsec/smime" stuff is actually not needed - but I don't care ;-) I went for the carpet bombing approach for the Mac (which I don't know well) -- Cheers Jason Haar Corporate Information Security Manager, Tr

Re: [squid-users] Safari 9 vs. SSL Bump

2015-10-13 Thread Jason Haar
the CAs used by those sites - thus causing the problem you see? Certainly matches the symptoms -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 84

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
ly (ie I'm making sure revoked certs are never bumped) But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Jason Haar
ally got anything to do with the CA itself) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing l

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
. -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
and there's no obvious signs of a cert error - so I can't figure out what is going wrong. I've manually downloaded the server cert using "openssl s_client" and the cert chain validates just fine - so what is squid doing to it? Weird... -- Cheers Jason Haar Corporate Information Securi

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
.v.x.+!..n..J@9.[.J.C.1.L5.(.%%..9.. Signature Algorithm: sha256WithRSAEncryption Fake: X509v3 Basic Constraints: CA:FALSE Signature Algorithm: sha256WithRSAEncryption -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd

Re: [squid-users] Problems with wpad in Squid3

2015-09-10 Thread Jason Haar
browsers Jason PS: also note WPAD is about browsers - so don't expect miracles for non-browser applications. Some apps can use it - but most can't On 10/09/15 08:39, Marcio Demetrio Bacci wrote: > Hi, > > I'm having the following problem with my squid3: > > When I set the browser: &qu

Re: [squid-users] 3.5.8 — SSL Bump questions

2015-09-09 Thread Jason Haar
g format, log parsers would skip all PEEKED/CONNECT lines as redundant (although they're useful for us humans) Yeah, it would break existing logging tools - but so does the "GET https://..." stuff anyway - so they need updating too ;-) -- Cheers Jason Haar Corporate Information Security Manager,

[squid-users] trying to recompile with maxtcplistenports squid version 3.5.7 CentOS6

2015-09-07 Thread Jason Enzer
running ./configure CXXFLAGS="-DMAXTCPLISTENPORTS=200" when i make install squid is not showing me the increased listen ports. squid -v shows Squid Cache: Version 3.5.7 Service Name: squid configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'

Re: [squid-users] recompiling squid 3.5.7

2015-09-07 Thread Jason Enzer
Amos Got the build working finally and the cxx Maxtcp flag shows in my -v but still getting the 128 port limit! What a let down Thought I had it for a moment. On Monday, September 7, 2015, Amos Jeffries <squ...@treenet.co.nz> wrote: > On 8/09/2015 2:11 p.m., Jason Enzer wrote: &

[squid-users] recompiling squid 3.5.7

2015-09-07 Thread Jason Enzer
trying to build in larger maxtcplistenports into 3.5.7 for centos 6 what would i need out of here to get a build working? i mean like it does from elizers repo? ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix=

[squid-users] best practices for setting up large proxy server

2015-09-03 Thread Jason Enzer
a quad core i5 3.1ghz with 16GB ram running centos 6.6 any points in the right direction are greatly appreciated! jason

Re: [squid-users] best practices for setting up large proxy server

2015-09-03 Thread Jason Enzer
not a popular topic i guess. can anyone point in the right direction for setting up multiple squid instances on centos 6.6? thanks, jason On Thu, Sep 3, 2015 at 3:43 PM, Jason Enzer <enz...@gmail.com> wrote: > if i had 250+ ip addresses and wanted to run a large anonymous proxy >

[squid-users] doing user/pass auth and src acl on same instance

2015-09-02 Thread Jason Enzer
connect to 172.5:3172 it asks for password once authed ( which i don't want to auth ) then shows outgoing address of 172.4. i realize it's acl related and the acl logic isn't correct. can someone point me in the right direction? thanks, jason ___ squid-users

Re: [squid-users] Dropbox and GoogleDrive apps won't connect with SSLBump enabled

2015-08-31 Thread Jason Haar
ept is bleak -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-ca

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-22 Thread Jason Haar
) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-20 Thread Jason Haar
On 20/08/15 12:42, Jason Haar wrote: So now I can: 1. ###dynamically whitelist/splice non-SNI traffic via its existence (commented because it didn't work - ended up splicing everything) Figured that one out: .* is a file - .* is a regex :-) -- Cheers Jason Haar Corporate Information

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-19 Thread Jason Haar
who bash their way through multiple layers of browser warning popups/etc in order to get infected are out of scope ;-) Thanks again for your help Alex. Hopefully this conversation will be useful for others. TLS intercept is a bit of a step up in complexity over standard TCP ;-) -- Cheers Jason

Re: [squid-users] can't get bump to work anymore on 3.5.7?

2015-08-19 Thread Jason Haar
is useful) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http

Re: [squid-users] issue with multiple outgoing addresses for same source address

2015-07-12 Thread Jason Enzer
any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_effective_user squid cache_effective_group squid thanks! -jason

Re: [squid-users] issue with multiple outgoing addresses for same source address

2015-07-12 Thread Jason Enzer
outgoing address from first acl statement... if i comment out the first acl the 2nd acl works and the outgoing address is what is expected. stumped! -jason On Sun, Jul 12, 2015 at 11:29 AM, Dan Purgert d...@djph.net wrote: On Sun, 12 Jul 2015 11:13:02 -0700, Jason Enzer wrote: [...] Looks like

[squid-users] issue with multiple outgoing addresses for same source address

2015-07-12 Thread Jason Enzer
! -Jason

Re: [squid-users] SSL-bump and Public Key Piinning (HPKP)

2015-07-05 Thread Jason Haar
commercial CAs to create fake server certs (let's be honest - all of this is about stopping government snooping - not about normal criminal behavior) Jason ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org

Re: [squid-users] Force LDAP groups to de-authenticate?

2015-07-03 Thread Jason Haar
to mind -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http

Re: [squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

2015-06-24 Thread Jason Haar
www.site.name as the SNI) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org

Re: [squid-users] confused about ICAP and who's downloading what

2015-06-22 Thread Jason Haar
On 21/06/15 10:45, Antony Stone wrote: The former - squid does the download and passes the content to ICAP. Great. So squid does all the network calls and ICAP simply gets to review the content (request and/or response) and potentially change it. Perfect :-) Thanks! -- Cheers Jason Haar

[squid-users] confused about ICAP and who's downloading what

2015-06-20 Thread Jason Haar
, ipv6 support,etc) Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users

Re: [squid-users] problem with some ssl services

2015-06-17 Thread Jason Haar
optional) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ squid-users mailing list squid-users@lists.squid-cache.org http

Re: [squid-users] Fw: 3.5.5 Win x64 SquidTray crash

2015-06-07 Thread Jason Haar
. Yeah - windows firewall is a major pain. Better to turn the darn thing off and rely on something else -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
