Re: [squid-users] Squid problem, one client for one user

2015-01-29 Thread Amos Jeffries
On 29/01/2015 8:53 p.m., 456mb wrote:
> Hi i try disable multilogin of the same user (avoid share accounts), but not
> luck, i used that config
> 
> auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users
> auth_param basic casesensitive off
> 
> authenticate_ip_ttl 0 seconds
> acl max_user max_user_ip -s 1
> http_access deny max_user
> 
> thanks for you time, all response is important  for me ;)
> 

The idea of limiting "users" based on IP in the modern Internet does not
work in most networks.
* NAT can be (and is) used to share IP addresses as well as accounts -
this is in fact the default of Windows machines sharing network access.
* The existence of IPv6 also means that any given machine has a minimum
of 4 IP addresses it can use for any connection, some of which change
unpredictably.

Your config is correct. So we will need more details about why it's not
working to provide any more help than this.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131)

2015-01-29 Thread Yuri Voinov

Not yet. Works on it.

29.01.2015 4:54, HackXBack wrote:
> You solve It ?
>
>
>
> --
> View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Error-negotiating-SSL-connection-on-FD-20-error--lib-0-func-0-reason-0-5-1-131-tp4669338p4669397.html
> Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

Amos,

btw.

Which type of hits cachemgr collects and shows? TCP_HIT only?

What about other HIT-types?

WBR, Yuri


Re: [squid-users] How to force squid to ask for client certificate during tls handshake on https_port?

2015-01-29 Thread Pavel Kazlenka

Answering my own question:

Adding clientca= and cafile= options of https_port is enough to trigger 
client certificate request.


On 01/28/2015 03:44 PM, Pavel Kazlenka wrote:

Hi gentlemen,

I have https_port configured as follows:
https_port 3128 cert=/home/tester/certificates/server.crt 
key=/home/tester/certificates/server.key


and would like to force squid to retrieve client's certificate. 
According to 
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif 
, client certificate request is optional and looks like squid doesn't 
request the one by default.

Squid version is 3.5.1.

Is that possible at all and if so, how to do this?

TIA,
Pavel


Re: [squid-users] How to force squid to ask for client certificate during tls handshake on https_port?

2015-01-29 Thread Yuri Voinov

 Just read squid.conf.documented, is it? ;)

29.01.2015 16:26, Pavel Kazlenka wrote:
> Answering my own question:
>
> Adding clientca= and cafile= options of https_port is enough to
trigger client certificate request.
>
> On 01/28/2015 03:44 PM, Pavel Kazlenka wrote:
>> Hi gentlemen,
>>
> I have https_port configured as follows:
>> https_port 3128 cert=/home/tester/certificates/server.crt
key=/home/tester/certificates/server.key
>>
>> and would like to force squid to retrieve client's certificate.
According to
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif
, client certificate request is optional and looks like squid doesn't
request the one by default.
>> Squid version is 3.5.1.
>>
>> Is that possible at all and if so, how to do this?
>>
>> TIA,
>> Pavel



[squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Hi,

Having a problem with a new Squid installation, 3.3.8 in Ubuntu 14.04.

When trying to load certain webpages: twitter.com, reddit.com,
ubuntugeek.com and experts-exchange.com the pages just sit there loading and
eventually in the case of Twitter some text will load but not in the correct
order, no images or advanced features etc. With the other two the pages just
don't load in the slightest.

My config is attached squid.conf
  

Any help would be great as I'm completely stumped! Obviously bypassing Squid
makes these websites load and using an older version of Squid 2.7 for
Windows works fine too.

Thanks,

Rich





[squid-users] Compile error with Squid-3.5.1 under OpenBSD 5.5

2015-01-29 Thread Theron ZORBAS
Hi, 

I'm trying to compile squid-3.5.1 under OpenBSD 5.5 amd64. 


I use gnutls as a depency package: 
# pkg_info |grep gnutls 
gnutls-3.2.15 GNU Transport Layer Security library 


My configure parameters are: 
./configure --enable-arp-acl --disable-auth-basic --disable-auth-digest 
--enable-delay-pools --enable-external-acl-helpers="SQL_session file_userip 
session time_quota" --enable-forw-via-db --enable-negotiate-auth-helpers="no" 
--enable-removal-policies="lru heap" --enable-ssl --enable-ssl-crtd 
--enable-storeio="aufs ufs diskd" --with-pthreads --with-default-user=_squid 
--enable-follow-x-forwarded-for --mandir='/usr/local/man' 
--infodir='/usr/local/info' --enable-ipfw-transparent --disable-devpoll 
--disable-epoll --disable-ident-lookups --disable-loadable-modules 
--enable-forw-via-db --enable-http-violations --enable-icap-client 
--enable-ipv6 --with-filedescriptors=32768 --enable-stacktraces 
--enable-log-daemon-helpers="DB file" --enable-url-rewrite-helpers="fake" 
--enable-pf-transparent --with-openssl --disable-strict-error-checking 
--disable-arch-native 

And compile faults with these error messages: 
depbase=`echo squidclient.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ 
-DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include 
-Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -pipe -D_REENTRANT 
-I/usr/include -I/usr/local/include -I/usr/local/include/p11-kit-1 
-I/usr/include -O0 -g -fno-strict-overflow -Wno-error -MT squidclient.o -MD -MP 
-MF $depbase.Tpo -c -o squidclient.o squidclient.cc && mv -f $depbase.Tpo 
$depbase.Po 
In file included from squidclient.cc:17: 
../../tools/squidclient/Transport.h:81: error: 
'gnutls_anon_client_credentials_t' does not name a type 
../../tools/squidclient/Transport.h:84: error: 
'gnutls_certificate_credentials_t' does not name a type 
../../tools/squidclient/Transport.h:87: error: 'gnutls_session_t' does not name 
a type 
squidclient.cc: In function 'int main(int, char**)': 
squidclient.cc:538: error: 'gnutls_error_is_fatal' was not declared in this 
scope 
squidclient.cc:539: error: 'gnutls_strerror' was not declared in this scope 
squidclient.cc:541: error: 'gnutls_strerror' was not declared in this scope 
*** Error 1 in tools/squidclient (Makefile:892 'squidclient.o') 
*** Error 1 in tools/squidclient (Makefile:994 'all-recursive') 
*** Error 1 in tools (Makefile:1067 'all-recursive') 
*** Error 1 in /opt/squid-3.5.1 (Makefile:592 'all-recursive') 


How can I fix this? Thanks. 


--
Theron


Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Yuri Voinov

This one:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

is deprecated.

And your Squid is ancient. :)

Why don't you build the latest version from sources?

29.01.2015 17:24, Rich549 wrote:
> Hi,
>
> Having a problem with a new Squid installation, 3.3.8 in Ubuntu 14.04.
>
> When trying to load certain webpages: twitter.com, reddit.com,
> ubuntugeek.com and experts-exchange.com the pages just sit there
loading and
> eventually in the case of Twitter some text will load but not in the
correct
> order, no images or advanced features etc. With the other two the
pages just
> don't load in the slightest.
>
> My config is attached squid.conf
>
 

>
> Any help would be great as I'm completely stumped! Obviously bypassing
Squid
> makes these websites load and using an older version of Squid 2.7 for
> Windows works fine too.
>
> Thanks,
>
> Rich
>
>
>



Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Yuri Voinov

And your access rules look skewed:

http_access deny BlacklistedSites StoresAllow
http_access allow OK_Unauthenticated
http_access allow StaticIPWhitelist
http_access allow InetAllow
http_access allow StoresAllow


http_access allow ftp
http_access allow CONNECT Safe_ports
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all

Where is allow rule for internal networks?

Something like:

http_access allow localnet

?

29.01.2015 17:24, Rich549 wrote:
> Hi,
>
> Having a problem with a new Squid installation, 3.3.8 in Ubuntu 14.04.
>
> When trying to load certain webpages: twitter.com, reddit.com,
> ubuntugeek.com and experts-exchange.com the pages just sit there
loading and
> eventually in the case of Twitter some text will load but not in the
correct
> order, no images or advanced features etc. With the other two the
pages just
> don't load in the slightest.
>
> My config is attached squid.conf
>
 

>
> Any help would be great as I'm completely stumped! Obviously bypassing
Squid
> makes these websites load and using an older version of Squid 2.7 for
> Windows works fine too.
>
> Thanks,
>
> Rich
>
>
>



Re: [squid-users] testttttt

2015-01-29 Thread Ahmad
Lol... it seems a good joke :)

Thanks for all guys @ this nice mailing list .



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of HackXBack
Sent: Wednesday, January 28, 2015 2:53 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] testt

Ping request could not find host testt. Please check the name and try again.





Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Yuri Voinov wrote
> This one:
> 
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> 
> is deprecated.
> 
> And your Squid is ancient. :)
> 
> Why don't you build the latest version from sources?

I'll have a look at removing those from the config then, I'm surprised it
doesn't moan when I run 'squid3 -k reconfigure'.

The reason I have an older version is because this was the latest one
available in Aptitude and I don't like to stray outside of that normally as
it makes updating a (more or less) simple process. Plus I don't know how to
compile Squid from source for Ubuntu.

- Rich






Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Yuri Voinov wrote
> And your access rules look skewed:
> 
> http_access deny BlacklistedSites StoresAllow
> http_access allow OK_Unauthenticated
> http_access allow StaticIPWhitelist
> http_access allow InetAllow
> http_access allow StoresAllow
> 
> 
> http_access allow ftp
> http_access allow CONNECT Safe_ports
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> http_reply_access allow all
> 
> Where is allow rule for internal networks?
> 
> Something like:
> 
> http_access allow localnet
> 
> ?

We can access all of our local sites ok, is this required?
Any ideas about my original problem too? Or would updating to the latest
version be the fix for that?

Thanks,
- Rich





Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Amos Jeffries
On 29/01/2015 11:24 p.m., Yuri Voinov wrote:
> 
> Amos,
> 
> btw.
> 
> Which type of hits cachemgr collects and shows? TCP_HIT only?
> 
> What about other HIT-types?

All of them, broken down into cache-HITs and near-HITs categories.

As you can see in the info report, like this:

"
Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):            0.05331  0.04519
Cache Misses:                   0.03622  0.04519
Cache Hits:                     0.00000  0.01387
Near Hits:                      0.09219  0.23230
"

Amos


Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Amos Jeffries
On 30/01/2015 2:49 a.m., Rich549 wrote:
> Yuri Voinov wrote
>> And your access rules looks skew:
>>
>> http_access deny BlacklistedSites StoresAllow
>> http_access allow OK_Unauthenticated
>> http_access allow StaticIPWhitelist
>> http_access allow InetAllow
>> http_access allow StoresAllow
>>

NP: He has the above rules instead of a localnet access permission.

The worst part though is that since the above does not deny invalid user
credentials the following two lines...

>>
>> http_access allow ftp
>> http_access allow CONNECT Safe_ports

... effectively make the proxy an open relay for any type of abuse
anybody on the Internet wants to spew through it.


>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports

The above basic security checks are shuffled down here almost to the
end, which makes them almost ineffective...

>> http_access deny all

... then a "deny all" which makes the security checks not only
ineffective but do nothing that would not have happened anyway. ie useless.


>> http_reply_access allow all
>>
>> Where is allow rule for internal networks?
>>
>> Something like:
>>
>> http_access allow localnet
>>
>> ?
> 
> We can access all of our local sites ok, is this required?

I reckon it's a close call as to whether I could as well, using your
proxy. Just hinges on whether a TCP connection can be made from outside
your network to your Squid listening port.


To avoid that risk, order your http_access rules like this:


 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 http_access deny BlacklistedSites StoresAllow

 http_access allow OK_Unauthenticated
 http_access allow StaticIPWhitelist

 acl login proxy_auth REQUIRED
 http_access deny !login

 http_access allow InetAllow
 http_access allow StoresAllow

 http_access allow localhost manager
 http_access deny all


Notice particularly how I moved the basic security checks up top again,
and erased the "allow ftp" and "allow CONNECT" lines.

The extra auth check is to catch and reject invalid login attempts
quickly without involving the external ACL helpers. It also helps with
some external ACL bugs we have seen in some of the older versions.


If you encounter problems with people making legitimate CONNECT requests
to services with ports other than 443, please fix that by just adding
the ports to SSL_Ports ACL instead of moving the CONNECT security rule
around.
 That way they are still controlled by your auth, whitelist, and
blacklist policies.


> Any ideas about my original problem too? Or would updating to the latest
> version be the fix for that?

The current releases are faster, they also have fixed a bug in the
handling of CONNECT requests which is triggered by modern web protocols
like HTTP/2, SPDY, and Websockets. Any one of which those websites you
listed may be attempting to use and failing on a timeout before getting
through with HTTP/1.

Amos


Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Looks like I have some work to do then, thanks for your help!

With regards to compiling Squid 3.5 for Ubuntu, would this guide be the
correct thing to follow: http://wiki.squid-cache.org/SquidFaq/CompilingSquid

- Rich





Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Amos Jeffries
On 30/01/2015 3:23 a.m., Rich549 wrote:
> Looks like I have some work to do then, thanks for your help!
> 
> With regards to compiling Squid 3.5 for Ubuntu, would this guide be the
> correct thing to follow: http://wiki.squid-cache.org/SquidFaq/CompilingSquid
> 

Specifically this part of it:


Amos


Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Cool, that's the bit I was looking at so I'll follow that, thanks.

I've made the suggested changes to my security but I'm getting the following
error when I run reconfigure:

2015/01/29 14:50:37| aclParseAclList: ACL name '%LOGIN' not found.
FATAL: Bungled /etc/squid3/squid.conf line 312: http_access deny %LOGIN
Squid Cache (Version 3.3.8): Terminated abnormally.
CPU Usage: 0.014 seconds = 0.014 user + 0.000 sys
Maximum Resident Size: 21984 KB
Page faults with physical i/o: 0

My security now looks like this:

# 
# -- Permit/Deny access as appropriate ---
# 

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
shutdown_lifetime 10 seconds
acl SSL_ports port 443 563 21
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 22  # sftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 4004# Radii website download site uses this port
acl Safe_ports port 1   # Webmin
acl Safe_ports port 900 # Swat
acl Safe_ports port 82  # Pacejet request - test site hosted on HTTP 82
acl Safe_ports port 81  # Image plus test server (hepplewhite)

acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny BlacklistedSites StoresAllow

http_access allow OK_Unauthenticated
http_access allow StaticIPWhitelist

acl auth proxy_auth REQUIRED
http_access deny %LOGIN

http_access allow InetAllow
http_access allow StoresAllow

http_access allow localhost manager
http_access deny all

acl ftp proto FTP
#http_access allow ftp
#http_access allow CONNECT Safe_ports
http_access deny manager
http_reply_access allow all
icp_access allow all
cache_mgr o...@hammonds-uk.com
forwarded_for off


Sorry for all of the questions...





Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Rich549
Oh...ignore the %LOGIN, that should be !LOGIN in both the error and my
config, I was fiddling with it to see if I could make it work.





Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

Yep. Can we sum near hits with hits to determine real cache hit ratio?
Or this is not correct?

29.01.2015 19:57, Amos Jeffries wrote:
> On 29/01/2015 11:24 p.m., Yuri Voinov wrote:
>
> > Amos,
>
> > btw.
>
> > Which type of hits cachemgr collects and shows? TCP_HIT only?
>
> > What about other HIT-types?
>
> All of them, broken down into cache-HITs and near-HITs categories.
>
> As you can see in the info report, like this:
>
> "
> Median Service Times (seconds)  5 min    60 min:
> HTTP Requests (All):            0.05331  0.04519
> Cache Misses:                   0.03622  0.04519
> Cache Hits:                     0.00000  0.01387
> Near Hits:                      0.09219  0.23230
> "
>
> Amos


Re: [squid-users] How to force squid to ask for client certificate during tls handshake on https_port?

2015-01-29 Thread Pavel Kazlenka
Not really. There's no place in the documentation where it is said which 
directives trigger user certificate retrieval. This makes sense and could 
be assumed, but, e.g., acl user_cert doesn't trigger acquiring the user 
certificate though this directive works with the user certificate too.


On 01/29/2015 01:27 PM, Yuri Voinov wrote:

 Just read squid.conf.documented, is it? ;)


29.01.2015 16:26, Pavel Kazlenka wrote:

Answering my own question:

Adding clientca= and cafile= options of https_port is enough to

trigger client certificate request.

On 01/28/2015 03:44 PM, Pavel Kazlenka wrote:

Hi gentlemen,

I have https_port configured as follows:
https_port 3128 cert=/home/tester/certificates/server.crt

key=/home/tester/certificates/server.key

and would like to force squid to retrieve client's certificate.

According to
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif
, client certificate request is optional and looks like squid doesn't
request the one by default.

Squid version is 3.5.1.

Is that possible at all and if so, how to do this?

TIA,
Pavel


Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Amos Jeffries
On 30/01/2015 4:03 a.m., Yuri Voinov wrote:
> 
> Yep. Can we sum near hits with hits to determine real cache hit
> ratio? Or this is not correct?

You want to sum an average time/duration ?!

Lets take a step back...

 What are you trying to get out of all this?

Amos


Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

No. I want to count all hits :) Not only TCP_HIT/MEMORY_HIT. But also
complementary - TCP_UNMODIFIED_REFRESH, for example. AFAIK, this is also
HIT, no?

29.01.2015 21:18, Amos Jeffries wrote:
> On 30/01/2015 4:03 a.m., Yuri Voinov wrote:
>
> > Yep. Can we sum near hits with hits to determine real cache hit
> > ratio? Or this is not correct?
>
> You want to sum an average time/duration ?!
>
> Lets take a step back...
>
>  What are you trying to get out of all this?
>
> Amos
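An added example for Yuri's question about counting hits beyond TCP_HIT (written for this page, not taken from the thread or from Squid itself). It buckets access.log result codes into hits, near hits (a cached body served after a revalidation round trip to the origin), misses and never-cacheable traffic, then reports the request and byte hit ratios both without and with near hits, so the effect of summing the two is visible rather than argued about. The code-to-category mapping is this example's own reading of the Squid log documentation and the log lines are constructed; check the mapping against the SquidFaq/SquidLogs page for your release before trusting the numbers.

```python
"""Added example: bucket Squid access.log result codes into hit categories.
The mapping below is an assumption based on the documented TCP_* codes;
Squid's own cachemgr counters may group them differently."""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Native log format: time elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

HIT, NEAR_HIT, MISS, OTHER = "hit", "near_hit", "miss", "other"

CATEGORY = {
    # body served from cache with no origin round trip
    "TCP_HIT": HIT, "TCP_MEM_HIT": HIT, "TCP_IMS_HIT": HIT, "TCP_NEGATIVE_HIT": HIT,
    "TCP_OFFLINE_HIT": HIT, "TCP_STALE_HIT": HIT,
    # cached body served after a conditional request to the origin (304, or refresh failed)
    "TCP_REFRESH_UNMODIFIED": NEAR_HIT, "TCP_REFRESH_FAIL_OLD": NEAR_HIT,
    # body fetched from the origin
    "TCP_MISS": MISS, "TCP_REFRESH_MODIFIED": MISS, "TCP_CLIENT_REFRESH_MISS": MISS,
    "TCP_SWAPFAIL_MISS": MISS, "TCP_REFRESH_FAIL_ERR": MISS,
    # can never be a hit: tunnels, denied or unanswered requests
    "TCP_TUNNEL": OTHER, "TCP_DENIED": OTHER, "NONE": OTHER,
}


def classify(code: str, method: str) -> str:
    """Map one result code to a category.  CONNECT tunnels are excluded outright
    because older releases log them as TCP_MISS even though they cannot hit."""
    if method == "CONNECT":
        return OTHER
    return CATEGORY.get(code, MISS if code.endswith("MISS") else OTHER)


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (code, method, bytes) for each well-formed access.log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("code"), m.group("method"), int(m.group("bytes"))


def tally(lines: Iterable[str]) -> Dict[str, Counter]:
    """Per-category request and byte counts."""
    reqs, size = Counter(), Counter()
    for code, method, nbytes in parse(lines):
        cat = classify(code, method)
        reqs[cat] += 1
        size[cat] += nbytes
    return {"requests": reqs, "bytes": size}


def hit_ratio(counts: Counter, include_near: bool) -> float:
    """Hits over cacheable traffic only; OTHER stays out of the denominator."""
    served = counts[HIT] + counts[NEAR_HIT] + counts[MISS]
    if not served:
        return 0.0
    return (counts[HIT] + (counts[NEAR_HIT] if include_near else 0)) / served


def summarize(lines: Iterable[str]) -> Dict[str, float]:
    t = tally(lines)
    return {
        "req_hit_ratio": hit_ratio(t["requests"], False),
        "req_hit_plus_near": hit_ratio(t["requests"], True),
        "byte_hit_ratio": hit_ratio(t["bytes"], False),
        "byte_hit_plus_near": hit_ratio(t["bytes"], True),
    }


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
1422536400.100     2 10.0.0.5 TCP_HIT/200 5120 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1422536400.200     1 10.0.0.5 TCP_MEM_HIT/200 2048 GET http://www.example.com/style.css - HIER_NONE/- text/css
1422536400.300    90 10.0.0.6 TCP_REFRESH_UNMODIFIED/200 8192 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1422536400.400   120 10.0.0.6 TCP_MISS/200 65536 GET http://cdn.example.net/app.js - HIER_DIRECT/203.0.113.9 application/javascript
1422536400.500   110 10.0.0.7 TCP_REFRESH_MODIFIED/200 4096 GET http://www.example.com/news.html - HIER_DIRECT/93.184.216.34 text/html
1422536400.600  3000 10.0.0.7 TCP_MISS/200 1048576 CONNECT twitter.com:443 - HIER_DIRECT/199.59.150.7 -
1422536400.700     0 198.51.100.7 TCP_DENIED/407 3500 GET http://www.example.org/ - HIER_NONE/- text/html
1422536400.800     3 10.0.0.5 TCP_IMS_HIT/304 300 GET http://www.example.com/logo.png - HIER_NONE/- -
1422536400.900    85 10.0.0.8 TCP_REFRESH_FAIL_OLD/200 8192 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1422536401.000     5 10.0.0.8 TCP_MISS/200 1500 GET http://www.example.com/search?q=squid - HIER_DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key:20} {value:.3f}")
```

On the sample above the request hit ratio is 3/8 without near hits and 5/8 with them, while the byte ratio moves far less (the near hits are small revalidated pages, the misses are the big JavaScript bundle), which is why a single "hit ratio" number says little until you state which codes it counts and whether it weights by requests or bytes. The CONNECT tunnel and the 407 denial are kept out of the denominator entirely.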


Re: [squid-users] Webpages won't load or load slowly

2015-01-29 Thread Amos Jeffries
On 30/01/2015 3:50 a.m., Rich549 wrote:
> Oh...ignore the %LOGIN, that should be !LOGIN in both the error and my
> config, I was fiddling with it to see if I could make it work.
> 

Should have been "!auth" by the last snippet you posted. It's a '!'
(invert match results) in front of the name of the ACL you define on the
line above.

Amos



Re: [squid-users] Compile error with Squid-3.5.1 under OpenBSD 5.5

2015-01-29 Thread Amos Jeffries
On 30/01/2015 12:56 a.m., Theron ZORBAS wrote:
> Hi, 
> 
> I'm trying to compile squid-3.5.1 under OpenBSD 5.5 amd64. 
> 
> 
> I use gnutls as a dependency package: 
> # pkg_info |grep gnutls 
> gnutls-3.2.15 GNU Transport Layer Security library 
> 
> 
> My configure parameters are: 
> ./configure --enable-arp-acl --disable-auth-basic --disable-auth-digest 
> --enable-delay-pools --enable-external-acl-helpers="SQL_session file_userip 
> session time_quota" --enable-forw-via-db --enable-negotiate-auth-helpers="no" 
> --enable-removal-policies="lru heap" --enable-ssl --enable-ssl-crtd 
> --enable-storeio="aufs ufs diskd" --with-pthreads --with-default-user=_squid 
> --enable-follow-x-forwarded-for --mandir='/usr/local/man' 
> --infodir='/usr/local/info' --enable-ipfw-transparent --disable-devpoll 
> --disable-epoll --disable-ident-lookups --disable-loadable-modules 
> --enable-forw-via-db --enable-http-violations --enable-icap-client 
> --enable-ipv6 --with-filedescriptors=32768 --enable-stacktraces 
> --enable-log-daemon-helpers="DB file" --enable-url-rewrite-helpers="fake" 
> --enable-pf-transparent --with-openssl --disable-strict-error-checking 
> --disable-arch-native 
> 
> And compile faults with these error messages: 
> depbase=`echo squidclient.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ 
> -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src 
> -I../../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow 
> -pipe -D_REENTRANT -I/usr/include -I/usr/local/include 
> -I/usr/local/include/p11-kit-1 -I/usr/include -O0 -g -fno-strict-overflow 
> -Wno-error -MT squidclient.o -MD -MP -MF $depbase.Tpo -c -o squidclient.o 
> squidclient.cc && mv -f $depbase.Tpo $depbase.Po 
> In file included from squidclient.cc:17: 
> ../../tools/squidclient/Transport.h:81: error: 
> 'gnutls_anon_client_credentials_t' does not name a type 
> ../../tools/squidclient/Transport.h:84: error: 
> 'gnutls_certificate_credentials_t' does not name a type 
> ../../tools/squidclient/Transport.h:87: error: 'gnutls_session_t' does not 
> name a type 
> squidclient.cc: In function 'int main(int, char**)': 
> squidclient.cc:538: error: 'gnutls_error_is_fatal' was not declared in this 
> scope 
> squidclient.cc:539: error: 'gnutls_strerror' was not declared in this scope 
> squidclient.cc:541: error: 'gnutls_strerror' was not declared in this scope 
> *** Error 1 in tools/squidclient (Makefile:892 'squidclient.o') 
> *** Error 1 in tools/squidclient (Makefile:994 'all-recursive') 
> *** Error 1 in tools (Makefile:1067 'all-recursive') 
> *** Error 1 in /opt/squid-3.5.1 (Makefile:592 'all-recursive') 
> 
> 
> How can I fix this? Thanks. 
> 

NP: If you don't specifically want HTTPS support in that command-line tool
then the quick way is to use --without-gnutls. That will get past this
without affecting the HTTPS abilities in other parts of Squid.


Can you please provide the output of the command:
   pkg-config gnutls

(that is what Squid uses to find the GnuTLS location).

If GnuTLS is installed at an unusual location you may need to add to the
./configure options:
  --with-gnutls=/path


Also, unrelated but the clang compiler is generally better to use than
GCC on recent BSD systems. You should only need to add these to your
./configure parameters:   CC="clang" CXX="clang++"


Amos


Re: [squid-users] Squid problem, one client for one user

2015-01-29 Thread 456mb
With the current config, only the pop-up login message appears, but it doesn't
limit the connection.

I'm new to Squid; doesn't an easier method exist?

I only want one user per session, but currently I can log in 999 times with
the same user and password.







Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

Also, how do I count files obtained via Store ID?

29.01.2015 21:18, Amos Jeffries wrote:
> On 30/01/2015 4:03 a.m., Yuri Voinov wrote:
>
> > Yep. Can we sum near hits with hits to determine the real cache hit
> > ratio? Or is this not correct?
>
> You want to sum an average time/duration ?!
>
> Let's take a step back...
>
>  What are you trying to get out of all this?
>
> Amos


Re: [squid-users] Squid problem, one client for one user

2015-01-29 Thread Yuri Voinov

I think this is not a Squid issue, but an external auth system issue.

29.01.2015 21:34, 456mb wrote:
> With the current config, only the pop-up login message appears, but it doesn't
> limit the connection.
>
> I'm new to Squid; doesn't an easier method exist?
>
> I only want one user per session, but currently I can log in 999 times with
> the same user and password.



Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Amos Jeffries
On 30/01/2015 4:20 a.m., Yuri Voinov wrote:
> 
> No. I want to count all hits :) Not only TCP_HIT/MEMORY_HIT, but
> also the complementary ones, TCP_UNMODIFIED_REFRESH for example. AFAIK,
> this is also a HIT, no?

Yes. Straight from the code, here is what is counted as a hit and added
into the relevant HIT statistics (hit count, bandwidth used, ratios, etc.):

 HIT
 IMS_HIT
 REFRESH_FAIL
 REFRESH_UNMODIFIED
 NEGATIVE_HIT
 MEM_HIT
 OFFLINE_HIT

The rest are accounted as MISS events.

Amos
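As an added example (not from this thread and not Squid project code), the following Python script applies the list above to a handful of constructed native-format access.log lines and computes the request and byte hit ratios the same way Squid's accounting does, so that a "TCP_HIT only" count can be compared against the full set. The log-file spelling of the tags is an assumption on my part: each appears with a TCP_ prefix, and REFRESH_FAIL is logged as TCP_REFRESH_FAIL_OLD; adjust HIT_TAGS if your Squid version logs them differently.

```python
"""Classify Squid access.log entries as cache HIT or MISS the way Squid's
own statistics do, following the list of hit tags given in the reply above.
Illustration written for this page; not Squid's code."""
import re
from collections import Counter

# Result codes that Squid's accounting treats as HITs (per the list above).
# Assumed log-file spelling: TCP_ prefix, REFRESH_FAIL logged as
# TCP_REFRESH_FAIL_OLD.
HIT_TAGS = {
    "TCP_HIT",
    "TCP_IMS_HIT",
    "TCP_REFRESH_FAIL_OLD",
    "TCP_REFRESH_UNMODIFIED",
    "TCP_NEGATIVE_HIT",
    "TCP_MEM_HIT",
    "TCP_OFFLINE_HIT",
}

# Squid native access.log layout (whitespace separated):
# time duration client code/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)"
)


def parse_line(line):
    """Return the fields of one native-format log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(tag):
    """Map a result tag (e.g. TCP_IMS_HIT) to 'HIT' or 'MISS' as Squid counts it."""
    return "HIT" if tag in HIT_TAGS else "MISS"


def hit_stats(lines):
    """Count requests and bytes by HIT/MISS and by individual tag.

    Returns the request hit ratio, the byte hit ratio and a per-tag
    breakdown so the contribution of each result code is visible.
    """
    per_tag, req, byt = Counter(), Counter(), Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip blank or malformed lines
        kind = classify(rec["tag"])
        per_tag[rec["tag"]] += 1
        req[kind] += 1
        byt[kind] += int(rec["bytes"])
    total = req["HIT"] + req["MISS"]
    total_bytes = byt["HIT"] + byt["MISS"]
    return {
        "requests": total,
        "hits": req["HIT"],
        "request_hit_ratio": req["HIT"] / total if total else 0.0,
        "byte_hit_ratio": byt["HIT"] / total_bytes if total_bytes else 0.0,
        "per_tag": dict(per_tag),
    }


# Constructed sample log lines (not from a real proxy) covering several of
# the tags Squid counts as hits and a few that it counts as misses.
SAMPLE_LOG = """\
1422556800.101    120 192.168.1.10 TCP_HIT/200 5120 GET http://example.test/a.js - HIER_NONE/- application/javascript
1422556801.202     90 192.168.1.10 TCP_MEM_HIT/200 2048 GET http://example.test/b.css - HIER_NONE/- text/css
1422556802.303    310 192.168.1.11 TCP_MISS/200 40960 GET http://example.test/c.png - HIER_DIRECT/203.0.113.5 image/png
1422556803.404     45 192.168.1.11 TCP_IMS_HIT/304 250 GET http://example.test/a.js - HIER_NONE/- -
1422556804.505    210 192.168.1.12 TCP_REFRESH_UNMODIFIED/200 8192 GET http://example.test/d.html - HIER_DIRECT/203.0.113.5 text/html
1422556805.606    400 192.168.1.12 TCP_REFRESH_MODIFIED/200 8300 GET http://example.test/e.html - HIER_DIRECT/203.0.113.5 text/html
1422556806.707     10 192.168.1.13 TCP_NEGATIVE_HIT/404 300 GET http://example.test/missing - HIER_NONE/- text/html
1422556807.808    500 192.168.1.13 TCP_DENIED/403 1200 CONNECT blocked.test:443 - HIER_NONE/- text/html
"""


if __name__ == "__main__":
    stats = hit_stats(SAMPLE_LOG.splitlines())
    print(f"requests={stats['requests']} hits={stats['hits']} "
          f"request_hit_ratio={stats['request_hit_ratio']:.3f} "
          f"byte_hit_ratio={stats['byte_hit_ratio']:.3f}")
    for tag, n in sorted(stats["per_tag"].items()):
        print(f"  {tag:24s} {classify(tag):4s} {n}")
```

On the sample, 5 of 8 requests are hits (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_REFRESH_UNMODIFIED, TCP_NEGATIVE_HIT) while only one of them is a literal TCP_HIT; the byte hit ratio is much lower because the one large object was a miss, which is why cachemgr reports both figures separately.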


Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Amos Jeffries
On 30/01/2015 4:39 a.m., Yuri Voinov wrote:
> 
> Also, how do I count files obtained via Store ID?
> 

All StoreID is doing is modifying a hash key. It's not even part of the
index lookups, nor in any resulting network activity from those lookups.

You can count how many times the helper was used etc. But not what
happened afterwards.

Amos


Re: [squid-users] Squid problem, one client for one user

2015-01-29 Thread Amos Jeffries
On 30/01/2015 4:40 a.m., Yuri Voinov wrote:
> 
> I think this is not a Squid issue, but an external auth system issue.
> 
> 29.01.2015 21:34, 456mb wrote:
>> With the current config, only the pop-up login message appears, but
>> it doesn't limit the connection.
> 
>> I'm new to Squid; doesn't an easier method exist?
> 
>> I only want one user per session, but currently I can log in 999
>> times with the same user and password.
> 

I spy:

 authenticate_ip_ttl 0 seconds

... instructing Squid *not* to remember what IPs a user is logged in with.

The default value is "1 second", so Squid at least has a chance to
remember IPs between consecutive requests if not for very long.

Amos
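To make the effect of `authenticate_ip_ttl 0` concrete, here is a small Python model of the max_user_ip check, added as an illustration for this page; it is not Squid's own code, it ignores the `-s` (strict) option from the original config, and the per-user IP bookkeeping is a simplification of what Squid actually keeps. The request sequence is constructed: one account used from two machines within a second or two, then again much later.

```python
"""Simplified model of Squid's max_user_ip ACL and authenticate_ip_ttl.
Illustration for this page only; Squid's real implementation differs in detail."""
from dataclasses import dataclass, field


@dataclass
class UserIpTracker:
    """Remembers which client IPs each authenticated user was recently seen from."""
    max_ips: int            # the max_user_ip limit (1 in the config under discussion)
    ip_ttl: float           # authenticate_ip_ttl in seconds
    seen: dict = field(default_factory=dict)  # user -> {ip: last_seen_time}

    def _live_ips(self, user, now):
        """Drop IPs not seen within ip_ttl; with ip_ttl 0 every entry expires at once."""
        ips = self.seen.setdefault(user, {})
        for ip, last in list(ips.items()):
            if now - last >= self.ip_ttl:
                del ips[ip]
        return ips

    def check(self, user, ip, now):
        """Return 'allow' or 'deny' for one request, recording the IP on allow.

        The ACL matches (so `http_access deny` refuses the request) when the
        user would exceed max_ips distinct addresses within ip_ttl seconds.
        """
        ips = self._live_ips(user, now)
        if ip not in ips and len(ips) >= self.max_ips:
            return "deny"
        ips[ip] = now
        return "allow"


def run_scenario(ip_ttl, max_ips=1):
    """Replay a constructed request sequence and return the per-request decisions."""
    requests = [  # (seconds, user, client IP); constructed sample data
        (0.0, "alice", "192.0.2.10"),
        (0.5, "alice", "192.0.2.10"),
        (1.0, "alice", "192.0.2.20"),    # second machine, same credentials
        (2.0, "alice", "192.0.2.20"),
        (3.0, "bob", "192.0.2.30"),
        (120.0, "alice", "192.0.2.40"),  # much later: earlier IPs have expired
    ]
    tracker = UserIpTracker(max_ips=max_ips, ip_ttl=ip_ttl)
    return [tracker.check(user, ip, t) for t, user, ip in requests]


if __name__ == "__main__":
    for ttl in (0, 1, 60):
        print(f"authenticate_ip_ttl {ttl:>3}: {run_scenario(ttl)}")
```

With a TTL of 0 every IP is forgotten before the next request arrives, so the second machine is never noticed and everything is allowed, which matches the "I can log in 999 times" symptom; with the default of 1 second the overlapping requests from the second machine are refused, and a longer TTL keeps the first address pinned until it goes quiet. As Amos notes above, on NAT or IPv6 networks the same legitimate user will also show up from several addresses, so a longer TTL trades false negatives for false positives rather than solving account sharing outright.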


Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

Understood. As I thought.

Finally, just for clarity, is this refresh_pattern meaningful with the
store id helper:

refresh_pattern -i (video-srv|ytimg).*SQUIDINTERNAL 14400 99% 518400 override-expire override-lastmod refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private ignore-auth ignore-must-revalidate store-stale

?

29.01.2015 21:51, Amos Jeffries wrote:
> On 30/01/2015 4:39 a.m., Yuri Voinov wrote:
>
> > Also, how do I count files obtained via Store ID?
>
>
> All StoreID is doing is modifying a hash key. It's not even part of the
> index lookups, nor in any resulting network activity from those lookups.
>
> You can count how many times the helper was used etc. But not what
> happened afterwards.
>
> Amos


Re: [squid-users] squid3

2015-01-29 Thread FredB

 
> 
> It is but it’s the latest version available through apt-get on Debian
> 7 without adding backports which I may end up doing anyway. However
> I don’t think that is my problem, I think I may have missed
> something in my config and was wondering if anyone had seen this
> before with the usernames not seeming to be passed to dansguardian.
> 
> 
> 


Which version of DG, anonymizelogs set to on ?
There is no authentication problem ?



Regards,

Fred

http://numsys.eu
http://e2guardian.org




Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Amos Jeffries
On 30/01/2015 5:19 a.m., Yuri Voinov wrote:
> 
> Understood. As I thought.
> 
> Finally, just for clarity, is this refresh_pattern meaningful
> with the store id helper:
> 
> refresh_pattern -i (video-srv|ytimg).*SQUIDINTERNAL 14400 99% 518400
> override-expire override-lastmod refresh-ims reload-into-ims
> ignore-reload ignore-no-store ignore-private ignore-auth
> ignore-must-revalidate store-stale
> 

Possibly, depending on whether the helper is providing IDs that match
that pattern or clients are fetching URLs that match it (also very
possible given what the pattern will match).

Amos



Re: [squid-users] Which hits cachemgr shows?

2015-01-29 Thread Yuri Voinov

Thank you, Amos.

You broke it down. :)

I think this removes most of the questions.

29.01.2015 22:38, Amos Jeffries wrote:
> Possibly, depending on whether the helper is providing IDs that match
> that pattern or clients are fetching URLs that match it (also very
> possible given what the pattern will match).



[squid-users] SSL Bump, CA Cert

2015-01-29 Thread Christian Kundela

Dear all,

I have problems setting up an explicit proxy. (intercept tcp 80: no problem)

If I do a self-signed cert, and I install it in Firefox or IE, no problem.

But if I use a CA cert (I am using a signed cert from cacert.org), the SSL
site only loads the TXT and no pictures ... this, I know, is when something is
wrong with the key or else?

(Installed also all certs from cacert.org (also Firefox addons))

Key and CSR are generated with:
openssl genrsa -out /etc/squid/squid.key 2048
openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr

Signed on the site cacert.org. TXT put into /etc/squid/squid.crt

My question: what CA cert does Squid expect? Wildcard *? As common name I
chose www.mydomain.net (this is an example; for the CSR I used my real domain name).


How can I trace this problem (debug), or is the cert wrong? I'm stuck here ...


Best regards

Many thanks in advance



Here is the squid.conf (changes done in config: added SquidGuard, C-Icap 
and MS update (from squid-cache.org); all works perfectly)

IP of server is 192.168.1.1/24

## squid.conf begin
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7        # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# MS Update
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain ctldl.windowsupdate.com

acl CONNECT method CONNECT

# MS Update
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# MS Update
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# SSL Stuff
always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

# Squid normally listens to port 3128
http_port localhost:3128
http_port 192.168.1.1:3130 ssl-bump cert=/etc/squid/server.crt key=/etc/squid/server.key # TEST

http_port localhost:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 4 16 256

# Added
cache_mem 2 GB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# MS Update
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims


#
# Add any of your own refresh_pattern entries 

Re: [squid-users] SSL Bump, CA Cert

2015-01-29 Thread Amos Jeffries
On 30/01/2015 1:43 p.m., Christian Kundela wrote:
> Dear all,
> 
> I have problems setting up an explicit proxy. (intercept tcp 80: no problem)
> 
> If I do a self-signed cert, and I install it in Firefox or IE, no problem.
> 
> But if I use a CA cert (I am using a signed cert from cacert.org), the SSL
> site only loads the TXT and no pictures ... this, I know, is when something is
> wrong with the key or else?
> (Installed also all certs from cacert.org (also Firefox addons))

Something is definitely wrong with your understanding of TLS/SSL.

You are not alone in this, we get people every few weeks asking about
this same "problem".

> 
> Key and CSR are generated with:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
> 
> Signed on the site cacert.org. TXT put into /etc/squid/squid.crt
> 
> My question: what CA cert does Squid expect? Wildcard *? As common name I
> chose www.mydomain.net (this is an example; for the CSR I used my real domain
> name).

The SSL-Bump cert generator requires both the public and the *private* key
of a CA which is eligible to generate signed certificates.

To do what you are trying with a cacert.org signed certificate chain you
would need to have a copy of the private key belonging to cacert.org.
Or, to somehow convince them to grant *you* the same worldwide powers
and responsibilities that the global Trusted CA organisations have.

I hope you can see why that is not possible?


> 
> How can I trace this problem (debug), or is the cert wrong? I'm stuck here ...
> 

Use the self-signed cert in the way that you found works.

There are two situations where certificate generation is potentially
legitimately used:
 1) if you have legal authority to install your self-signed CA into the
client browser,
  - cacert.org and other Trusted CA organisations are unnecessary.

 2) if you own the domain being visited and are only delivering the cert
cacert.org verified as belonging to you.
  - interception of the traffic is unnecessary.

In neither situation do a Trusted CA signed certificate and interception
happen together.


Definitely do check your local laws. In some countries it's outright
illegal to use that Squid feature; others require a government licence, etc.

Amos