[squid-users] Unsubscribe me please

2022-08-11 Thread Wade Gibson

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] SQL DB squid.conf backend, who was it that asked about it?

2022-08-11 Thread Leonardo Rodrigues


    Hi Marcelo,

    Is this going to be released as free and open-source software, or 
is it a closed project? If the first, then I might be able to help! 
While I wouldn't call myself a squid expert, I have to admit I have 
some knowledge of it. And I'm also from Brazil; I noticed your .com.br 
email address!



On 10/08/2022 13:25, marcelorodr...@graminsta.com.br wrote:

Hi Amos,

It was me indeed.
We have developed a Squid-based PHP application to create VPSs and 
deliver proxies via a web panel.
It is still in development, but phase 1 is already working, running SQL 
user management, VPS creation and squid.conf auto-configuration.
We are heading to phase 2 to use cache peers and IPv4/IPv6 routing 
depending on source.


Squid.conf got so complex at this point that it's getting very hard to 
implement phase 2.


Lack of deep squid knowledge is still our weak spot.


--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br



[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

2022-08-11 Thread Joel Howard
Hi all,

I'm trying to use Squid (3.5.27, in a docker container) as a non-caching
reverse proxy with http inbound and https outbound, to support an
application that requires a proxy for internet access but does not allow
proxy configuration (and I do not have access to the application's host
machine). Ideally the squid proxy itself would not have a tls cert, since
inbound traffic would be http, and I would like to add headers.

What keeps stopping me is that I also need to support a parent forward
proxy, which itself may support http or https inbound.

I've tried the various examples here, but I'm struggling to
"flip" the proxy direction - receive the request as a reverse proxy,
configure the outbound request appropriately, and then send it on *via* the
parent proxy. I'm not sure if cache_peers can be "chained" like this, or if
they can't, how I can configure the single cache_peer so that proxied https
works correctly.

This is my first foray into complex proxy configuration, so I'm not sure
whether I'm close or completely off base. Can provide more details or try
any suggestions.

Thanks!

-- 

*Joel Howard*
Software Technical Lead
jhow...@tetrascience.com | (330) 209-5779



Re: [squid-users] Squid 4.8+ intercept

2022-08-11 Thread ngtech1ltd
Hey Grant,

The issue is very simple: if Squid and the clients sit on the same subnet (not 
the same network segment),
then Squid will send the traffic back directly to the client.
WCCP is not related to the network level of things and will not resolve this 
exact same issue in most similar use cases.
(There are cases which can, but this is not the use case.)

You should never SNAT traffic from the local network to the proxy since you will 
cause some issues with this.
What you might want to do is to give the proxy a special subnet against the 
Mikrotik and to use policy-based routing
to forward the clients' traffic to the proxy.

If you can plug the proxy into another port on the Mikrotik device and give it a 
special subnet, it is much more preferable.

I believe that WCCP is not an option for Mikrotik so unless you have a specific 
device that supports WCCP, don't bother thinking about it.
Also, in the same breath I can tell you that most commercial services that 
implement MITM have not been using and are not using WCCP.
There are much smarter ways these days than basic WCCP to make sure that the 
traffic will be passed to the right proxy.

Also just take a minute and think: what WCCP gives exactly that a Mikrotik 
admin cannot do?
A Mikrotik can be automated in such a way that WCCP would be inferior to what 
Mikrotik can offer.
(To my knowledge)

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-Original Message-
From: squid-users  On Behalf Of 
Grant Taylor
Sent: Thursday, 11 August 2022 6:48
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.8+ intercept

On 8/10/22 3:47 AM, ngtech1...@gmail.com wrote:
> If the proxy sits in the same network that the clients sit it won’t work.

Why not?

Is this because of -- what I call -- the TCP triangle problem?  - 
Meaning that Squid sees the source as the client and replies directly?

If that's the case, you can cheat by SNATing the traffic that's going to 
Squid such that Squid sees the router as the source of the traffic. 
Thus Squid replies to the router which unDNATs it and sends it back to 
the original / real client.

Aside:  Isn't this what WCCP was originally meant to address?  Is WCCP a 
non-starter any more?  Even with TLS bump / monkey in the middle?



-- 
Grant. . . .
unix || die




Re: [squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

2022-08-11 Thread Alex Rousskov

On 8/11/22 16:00, Joel Howard wrote:

> I'm trying to use Squid (3.5.27, in a docker container) 


My response below should cover Squid v3 in principle, but there may be 
important caveats that I am forgetting about that apply to that 
unsupported and ancient version. You should not use that version.



> as a non-caching 
> reverse proxy with http inbound and https outbound, to support an 
> application that requires a proxy for internet access but does not allow 
> proxy configuration (and I do not have access to the application's host 
> machine). Ideally the squid proxy itself would not have a tls cert, 
> since inbound traffic would be http, and I would like to add headers.


Are you trying to configure Squid to convert a received "GET 
http://example.com/" request into a "GET https://example.com" request 
sent from Squid (to the parent proxy)?



> What keeps stopping me is that I also need to support a parent forward 
> proxy, which itself may support http or https inbound.


Does the parent forward proxy accept plain text TCP connections or TLS 
connections? What port does the parent proxy listen on? Can you telnet 
or otherwise probe it to figure out whether it expects TLS? Most proxies 
expect plain text TCP connections, but there are HTTPS proxies that 
expect TLS.



> I've tried the various examples here, but I'm struggling 
> to "flip" the proxy direction - receive the request as a reverse proxy, 
> configure the outbound request appropriately, and then send it on *via* 
> the parent proxy. I'm not sure if cache_peers can be "chained" like 
> this, or if they can't, how I can configure the single cache_peer so 
> that proxied https works correctly.


I have not tested this, but I would expect the reverse/forward "flip" 
itself to work more-or-less automatically -- Squid should do what is 
necessary on its own IIRC. I suspect your problem is elsewhere.


Perhaps you should try to make everything work for plain text HTTP 
traffic first? Outside of a docker?


Please share your http_port and cache_peer configuration and the 
errors/problems they currently cause.



Cheers,

Alex.
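The probe Alex suggests above, as an added example (this is not code from the thread or from the Squid project): it connects to the parent proxy port, sends a plaintext absolute-form request of the kind a forward proxy expects, and classifies the first bytes that come back. A plaintext proxy answers with an HTTP status line; a TLS listener sees garbage where a ClientHello should be and replies with a TLS alert record (content type 0x15) or simply closes, in which case a real handshake attempt settles it. The host, port and URL values are placeholders.

```python
"""Added example: tell whether a parent proxy port expects plain TCP or TLS."""
import socket
import ssl
from urllib.parse import urlsplit

TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a proxy sends back to a plaintext request."""
    if not data:
        return "closed"                 # dropped without a word: inconclusive on its own
    if data[0] in (TLS_ALERT, TLS_HANDSHAKE) and len(data) >= 3 and data[1] == 0x03:
        return "tls"                    # TLS record header (version 3.x): the port speaks TLS
    if data.startswith(b"HTTP/"):
        return "plaintext-http"         # HTTP status line: an ordinary forward proxy
    return "unknown"


def build_probe_request(target: str = "http://example.com/") -> bytes:
    """Absolute-form GET, i.e. what a forward proxy is expected to understand."""
    host = urlsplit(target).netloc
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def tls_handshake_ok(host: str, port: int, timeout: float) -> bool:
    """Confirm by handshaking. Verification is disabled on purpose: the question
    here is only whether the port speaks TLS, not whether its cert is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_proxy(host: str, port: int, timeout: float = 5.0) -> str:
    """Return "plaintext-http", "tls", "closed" or "unknown" for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe_request())
        try:
            data = s.recv(64)
        except socket.timeout:
            data = b""
    verdict = classify_reply(data)
    if verdict in ("closed", "unknown") and tls_handshake_ok(host, port, timeout):
        verdict = "tls"                 # silent close on garbage is typical of TLS listeners
    return verdict


if __name__ == "__main__":
    import sys
    # e.g.  python3 probe_proxy.py 10.60.4.178 3128   (placeholder address)
    print(probe_proxy(sys.argv[1], int(sys.argv[2])))
```

Once the answer is known, the cache_peer line follows from it: a plaintext parent is declared as-is, a TLS parent needs the cache_peer TLS option (ssl in Squid 3.5, tls in Squid 4 and later) together with a CA file so that, unlike this probe, Squid actually verifies the parent's certificate.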


Re: [squid-users] Squid and Epic Games HCapctca

2022-08-11 Thread Adam Barnett
I have finally managed to get hold of someone from Epic Games and they took
a look over their secret logs and said that it looks like squid is
dropping/closing the connection too soon

Any suggestions on what I can change to keep the connection open or from
dropping?

Thanks

On Fri, 5 Aug 2022 at 15:57, Alex Rousskov 
wrote:

> On 8/5/22 05:10, Adam Barnett wrote:
> > maybe i am doing something wrong, here is my config
>
> > ssl_bump splice ...
> > ssl_bump bump dst_quixel
> > ssl_bump peek dst_quixel
> > ssl_bump stare dst_quixel
>
>
> The combination of the last three ssl_bump rules does not make sense
> because Squid will never reach those peek and stare rules. The bump rule
> can be applied during any SslBump step, so Squid will not see any
> same-ACL ssl_bump directives below it -- the first matching rule (that
> can be applied during the current step) wins.
>
> I do not know what logic you are trying to express with those rules, but
> the above configuration does not express that (or any) logic well. I
> hope Eliezer can guide you towards a reasonable solution here.
>
>
> HTH,
>
> Alex.
>
>
>
> >
> > On Thu, 4 Aug 2022 at 22:58, Eliezer Croitoru wrote:
> >
> > Please don't bang your head... everybody is here for you.
> > Sometimes it takes time to respond but you will get your answers.
> >
> > https://www.ngtech.co.il/squid/support-save/support-save-2022-08-05_00-51-47.tar.gz
> >
> > It's not the fastest connection and it has a blacklist in the DB dump,
> > so for now it's a production system but works good enough for me.
> > I hope it's not too much information in the support save file.
> >
> > Let me know if it makes more sense for you.
> > Also I am happy that you have asked this question since now others
> > can enjoy the answer 😊
> >
> > Eliezer
> >
> > Eliezer Croitoru
> > NgTech, Tech Support
> > Mobile: +972-5-28704261
> > Email: ngtech1...@gmail.com
> > Web: https://ngtech.co.il/
> > My-Tube: https://tube.ngtech.co.il/
> >
> > *From:* Adam Barnett <abarn...@belofx.com>
> > *Sent:* Friday, 5 August 2022 0:44
> > *To:* ngtech1...@gmail.com
> > *Cc:* squid-users@lists.squid-cache.org
> > *Subject:* Re: [squid-users] Squid and Epic Games HCapctca
> >
> > Sure, the more the better, I've been banging my head against the wall
> > for a while on this
> >
> > Adam
> >
> > On Thu, 4 Aug 2022 at 22:41, Eliezer Croitoru wrote:
> >
> > You are welcome.
> >
> > I wrote an app that does everything for me so I just need to
> > dump the database into a:
> >
> > ssl::server_name directive
> >
> > it's basically:
> >
> > ## START
> > acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
> >
> > acl tls_to_splice any-of inspect_only NoBump_src NoBump_server_name NoBump_server_regex_by_urls_domain NoBump_server_regex
> >
> > ssl_bump peek app_matcher_helper
> > ssl_bump peek tls_s1_connect
> >
> > ssl_bump bump app_matcher_helper
> > ssl_bump bump app_reader_helper
> > ssl_bump bump deny_note
> >
> > ssl_bump splice app_matcher_helper
> > ssl_bump splice tls_to_splice
> >
> > ssl_bump stare app_matcher_helper
> > ssl_bump stare tls_s2_client_hello
> >
> > ssl_bump bump app_matcher_helper
> > ssl_bump bump tls_to_bump
> > ## END
> >
> > If you want I can upload a snippet of the whole setup dump with
> > hope you could make use of it.
> >
> > Eliezer
> >
> > Eliezer Croitoru
> > NgTech, Tech Support
> > Mobile: +972-5-28704261
> > Email: ngtech1...@gmail.com
> > Web: https://ngtech.co.il/
> > My-Tube: https://tube.ngtech.co.il/
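The rule-selection behaviour Alex describes in the quoted reply (first matching rule that is usable at the current step wins, and bump is usable at every step), as an added example that is not code from the thread or from Squid: a small Python model of the ssl_bump walk across the three SslBump steps. It follows the squid.conf ssl_bump documentation for which actions are usable at which step (peek and stare only at steps 1 and 2; bump, splice and terminate at any step). The leading "ssl_bump splice ..." line from the thread is left out because its ACL is not shown; the ACL names other than dst_quixel, the at_step-style step1 ACL, the hosts and the addresses are assumptions for the demo. The shadowed_rules check at the end is the static test a practitioner would run over a configuration before loading it: it flags rules that literally reuse an earlier rule's ACL with no step at which they could win.

```python
"""Added example: model Squid's ssl_bump rule selection per SslBump step."""
from typing import Callable, Dict, List, Optional, Tuple

# Per the squid.conf documentation: peek and stare are only usable at steps 1
# and 2; bump, splice and terminate may be selected at any step.
APPLICABLE: Dict[str, set] = {
    "peek": {1, 2},
    "stare": {1, 2},
    "bump": {1, 2, 3},
    "splice": {1, 2, 3},
    "terminate": {1, 2, 3},
}
FINAL = {"bump", "splice", "terminate"}   # a final action ends the decision process


class Conn:
    """What Squid knows about one TLS connection as the steps progress."""

    def __init__(self, dst_ip: str, sni: str) -> None:
        self.dst_ip = dst_ip          # known at step 1 (CONNECT target / intercepted dst)
        self.sni = sni                # carried in the client hello
        self.sni_known = False        # only revealed by peek/stare at step 1


Acl = Callable[[Conn, int], bool]     # (connection, current step) -> matches?
Rule = Tuple[str, str]                # ("bump", "dst_quixel") == "ssl_bump bump dst_quixel"

# Constructed ACLs standing in for squid.conf definitions such as
#   acl dst_quixel dst 203.0.113.0/24
#   acl quixel_sni ssl::server_name .quixel.example
#   acl step1 at_step SslBump1
ACLS: Dict[str, Acl] = {
    "dst_quixel": lambda c, step: c.dst_ip.startswith("203.0.113."),
    "quixel_sni": lambda c, step: c.sni_known and c.sni.endswith("quixel.example"),
    "step1": lambda c, step: step == 1,
    "all": lambda c, step: True,
}


def choose_action(rules: List[Rule], acls: Dict[str, Acl], step: int, conn: Conn) -> Optional[str]:
    """First rule that is usable at this step and whose ACL matches wins."""
    for action, acl_name in rules:
        if step not in APPLICABLE[action]:
            continue                  # e.g. peek/stare are ignored at step 3
        if acls[acl_name](conn, step):
            return action
    return None                       # nothing matched: Squid falls back to its default


def run(rules: List[Rule], acls: Dict[str, Acl], conn: Conn) -> List[Tuple[int, Optional[str]]]:
    """Walk steps 1..3 and return the (step, action) trace."""
    trace: List[Tuple[int, Optional[str]]] = []
    for step in (1, 2, 3):
        action = choose_action(rules, acls, step, conn)
        trace.append((step, action))
        if action in FINAL or action is None:
            break                     # later steps never happen
        if step == 1:
            conn.sni_known = True     # peek/stare at step 1 exposes the client SNI
    return trace


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never win: an earlier rule uses the same ACL and is
    usable at every step where this one is."""
    dead: List[Rule] = []
    for i, (action, acl) in enumerate(rules):
        for prev_action, prev_acl in rules[:i]:
            if prev_acl == acl and APPLICABLE[action] <= APPLICABLE[prev_action]:
                dead.append((action, acl))
                break
    return dead


# Ordering from the thread (its leading "ssl_bump splice ..." line omitted).
THREAD_RULES: List[Rule] = [("bump", "dst_quixel"), ("peek", "dst_quixel"), ("stare", "dst_quixel")]

# An alternative ordering (assumed, not from the thread): peek at step 1 to
# learn the SNI, stare then bump the interesting names, splice everything else.
PEEK_FIRST_RULES: List[Rule] = [("peek", "step1"), ("stare", "quixel_sni"),
                                ("bump", "quixel_sni"), ("splice", "all")]

QUIXEL = ("203.0.113.5", "cdn.quixel.example")    # constructed sample connections
OTHER = ("198.51.100.7", "www.example.org")


def evaluate(rules: List[Rule], conn_args: Tuple[str, str]) -> List[Tuple[int, Optional[str]]]:
    return run(rules, ACLS, Conn(*conn_args))


if __name__ == "__main__":
    print("thread order, quixel:", evaluate(THREAD_RULES, QUIXEL))   # bump at step 1, SNI never seen
    print("unreachable rules:  ", shadowed_rules(THREAD_RULES))
    print("peek-first, quixel: ", evaluate(PEEK_FIRST_RULES, QUIXEL))
    print("peek-first, other:  ", evaluate(PEEK_FIRST_RULES, OTHER))
```

With the thread's ordering the connection is bumped at step 1 on the destination address alone, before the client hello has been looked at, so the peek and stare lines that follow are dead. The check only detects rules that repeat an earlier rule's ACL verbatim; an ACL that merely overlaps another is not flagged.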

Re: [squid-users] Squid and Epic Games HCapctca

2022-08-11 Thread Adam Barnett
Sorry to bombard, but the plot thickens. It all works fine on Linux Chrome
(CentOS 7) but on Windows 10/2022 Server Chrome you get the error.

I did not think anything in squid is OS specific.




Re: [squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

2022-08-11 Thread Joel Howard
Hey Alex,

Thanks for the quick and detailed response! I inherited this service
recently - would you recommend upgrading to 5? My configs are fairly
simple, so upgrade should be easy.

Here's my desired flow - let "reverse" and "parent" represent the IPs of
those proxies, and "target" represent the target API hostname.

Application sends GET (POST, PUT, etc) http://reverse/some/path
(Note: Application doesn't know target, and couldn't reach it if it did.)

Reverse adds headers to the request
Reverse sends the request to https://target/some/path, using parent as a
forward proxy.

The parent proxy in my test case accepts TCP, although if possible I would
like to support parent TLS proxies as well - this reverse proxy is deployed
in different environments where the parent proxy may differ.

I set this up outside of a docker and without trying to force ssl. The
config below was my first attempt - it works *if* the reverse proxy has
direct internet access, but just hangs otherwise; my understanding is that
requests that use the first cache_peer do not use the second to proxy.

# Reverse proxy to google.com
http_port 80 accel vhost defaultsite=www.google.com
# origin-server peer: requests go to google.com:80 with Host forced to www.google.com
cache_peer google.com parent 80 0 no-query originserver forceddomain=www.google.com name=target
request_header_add Joel Joel

# Simplified acl
http_access allow all
cache_peer_access target allow all

# Parent proxy
cache_peer 10.60.4.178 parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

This was my second attempt, using forceddomain to replace the host header
but sending the request directly to the parent proxy. This results in the
parent receiving GET /, which it does not understand (it expects GET
target/somepath).

# Reverse proxy directly to forward proxy google.com
http_port 80 accel vhost defaultsite=www.google.com
# the forward proxy itself declared as the origin-server peer
cache_peer 10.60.4.178 parent 3128 0 no-query originserver forceddomain=www.google.com name=parent
request_header_add Joel Joel

# Misc
cache deny all
shutdown_lifetime 1 seconds

I suspect this would need a url rewriter to force the url to target - I'm
failing to get any of the example rewriters working (maybe due to the old
squid version?) so I haven't been able to test that yet. But I suspect it
will fail for HTTPS, because the rewritten URL will be sent as GET
target/something to the parent proxy, instead of CONNECT target/something -
I still think I'm missing something to get my squid to use the forward *as
a proxy* while itself functioning in reverse.

I'll rewrite these for squid 5 and try to get URL rewriting working. In the
meantime, could you let me know if either of these two general approaches
is remotely correct and if so, what I can do to get further with them?

Thanks so much! If you happen to be on StackOverflow, I've asked the
question with a bounty there as well (although less squid-specific).