Re: [squid-users] Squid Reverse Proxy to Exchange 2010 OWA

2015-03-10 Thread Alex Samad
This is mine against 2008. Haven't had any issues with attachments up to 10M. cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/o.crt sslkey=/etc/httpd/conf.d/o.key name=webServer cache_peer 10.32.69.11 p

[squid-users] Squid Reverse Proxy to Exchange 2010 OWA

2015-03-10 Thread dweimer
We have set up Squid as a reverse proxy to Exchange 2010 OWA server. We thought everything was working OK, but found out that any file attachments over 2MB cause a timeout after 5 minutes. I remembered having this issue a while back with HTTPS, and it just went away after some updates. Some searc

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome [SOLVED]

2015-03-10 Thread Roel van Meer
Roel van Meer writes: >> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. >> > Traffic is redirected from port 443 to 3130 with iptables. >> >> ... and with an older version of OpenSSL missing many of the last few >> years worth of TLS crypto features. IIRC the library rele

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Amos Jeffries
On 11/03/2015 4:08 a.m., Klavs Klavsen wrote: > hmm.. > > I've read the config examples.. > > I would very much like to understand how/why it works, if I've setup a > client to route package to squid (instead of trying to send directly).. I suggest diagramming your network traffic flow, writing

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Antony Stone
On Tuesday 10 March 2015 at 15:32:25 (EU time), Amos Jeffries wrote: > On 11/03/2015 3:18 a.m., Antony Stone wrote: > > On Tuesday 10 March 2015 at 15:09:14 (EU time), Klavs Klavsen wrote: > >> so intercept mode is only used, if you actually do the nat'ing on the > >> same server as squid is runni

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Klavs Klavsen
hmm.. I've read the config examples.. I would very much like to understand how/why it works, if I've setup a client to route package to squid (instead of trying to send directly).. I'm trying to follow this on a test client (haven't gotten it working yet): http://wiki.squid-cache.org/ConfigEx

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: see Nathan Hoads thread just the other day about a setup same as yours NOT working. There are two patches that need applying. One already in the 3.5 series snapshots to fix SNI on some traffic cases, one still in QA review for adding an ACL "server_name" that can match SNI

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Amos Jeffries
On 11/03/2015 3:28 a.m., Roel van Meer wrote: > Amos Jeffries writes: > >> > The relevant portions of squid.conf: >> > >> > https_port 192.168.13.1:3130 intercept ssl-bump options=ALL >> > cert=/etc/ssl/certs/server.pem >> >> With "options=ALL" you have enabled all features in the OpenSSL library

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Amos Jeffries
On 11/03/2015 3:18 a.m., Antony Stone wrote: > On Tuesday 10 March 2015 at 15:09:14 (EU time), Klavs Klavsen wrote: > >> so intercept mode is only used, if you actually do the nat'ing on the >> same server as squid is running.. > > You can do the NATting somewhere else; the important point is tha

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: > The relevant portions of squid.conf: > > https_port 192.168.13.1:3130 intercept ssl-bump options=ALL > cert=/etc/ssl/certs/server.pem With "options=ALL" you have enabled all features in the OpenSSL library including features which can cause the popular modern browsers t

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Amos Jeffries
On 11/03/2015 3:09 a.m., Klavs Klavsen wrote: > Amos Jeffries wrote on 03/10/2015 02:48 PM: > [CUT] >>> ahh.. I was hoping to have a loadbalancer in front of squid (haproxy) - >>> to have failover, if squid server should fail.. >> >> In which case you would NOT be intercepting by Squid. The LB devi

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Antony Stone
On Tuesday 10 March 2015 at 15:09:14 (EU time), Klavs Klavsen wrote: > so intercept mode is only used, if you actually do the nat'ing on the > same server as squid is running.. You can do the NATting somewhere else; the important point is that the traffic must be NATted, not direct. > ie. I sho

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Amos Jeffries
On 11/03/2015 2:46 a.m., Roel van Meer wrote: > Hi list! > > I'm trying to get peek/splice working with intercepted https > connections. The final goal is to accept or reject connections based on > the SNI info that we get from the first peek. So first, I would like to > be able to do peek/splice

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Klavs Klavsen
Amos Jeffries wrote on 03/10/2015 02:48 PM: [CUT] ahh.. I was hoping to have a loadbalancer in front of squid (haproxy) - to have failover, if squid server should fail.. In which case you would NOT be intercepting by Squid. The LB device would be doing that. The haproxy would be configured to p

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Amos Jeffries
On 11/03/2015 2:19 a.m., Klavs Klavsen wrote: > Amos Jeffries wrote on 03/10/2015 01:50 PM: >> On 11/03/2015 1:29 a.m., Klavs Klavsen wrote: >>> Hi, >>> >>> I just setup a squid trying to get it to work in intercept mode.. >>> >>> I seem to hit some squid internal loop where it goes haywire interna

[squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Hi list! I'm trying to get peek/splice working with intercepted https connections. The final goal is to accept or reject connections based on the SNI info that we get from the first peek. So first, I would like to be able to do peek/splice on all requests, and then later I can use an extern

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Klavs Klavsen
Amos Jeffries wrote on 03/10/2015 01:50 PM: On 11/03/2015 1:29 a.m., Klavs Klavsen wrote: Hi, I just setup a squid trying to get it to work in intercept mode.. I seem to hit some squid internal loop where it goes haywire internally somehow? You have explicitly configured Squid instructing it

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Amos Jeffries
On 11/03/2015 1:29 a.m., Klavs Klavsen wrote: > Hi, > > I just setup a squid trying to get it to work in intercept mode.. > > I seem to hit some squid internal loop where it goes haywire internally > somehow? You have explicitly configured Squid instructing it that traffic arriving on port 3129

Re: [squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Antony Stone
On Tuesday 10 March 2015 at 13:29:15 (EU time), Klavs Klavsen wrote: > Hi, > > I just setup a squid trying to get it to work in intercept mode. Is it working correctly in non-intercept mode? It can be helpful to check the simple setup first, and then try something more complex... > When I acc

Re: [squid-users] Whether squid 3.5.2 can support rock at wccp tproxy environment really ?

2015-03-10 Thread Amos Jeffries
On 10/03/2015 1:43 a.m., johnzeng wrote: > Hello Amos: > > --- > > > For starters, > WCCP is a network protocol Squid uses to inform remote routers that it > is active and what tr

Re: [squid-users] Fast acl for ip-based url

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: > is there a fast acl to match ip-based urls? > > I would have thought to use dstdom_regex, but the docs say that a > reverse lookup is done if no match is found, which means (I think) that > it will become a slow acl for all regular urls. dstdom* will only do a lookup if

[squid-users] squid "internal?" loop - with no firewall nat going on..?

2015-03-10 Thread Klavs Klavsen
Hi, I just setup a squid trying to get it to work in intercept mode.. I seem to hit some squid internal loop where it goes haywire internally somehow? When I access it via port 3129 (tried from both localhost and from another host - same problem) - using curl -H "Host: www.bt.dk" http://ip

Re: [squid-users] Fast acl for ip-based url

2015-03-10 Thread Amos Jeffries
On 11/03/2015 12:17 a.m., Roel van Meer wrote: > Hi list, > > is there a fast acl to match ip-based urls? > > I would have thought to use dstdom_regex, but the docs say that a > reverse lookup is done if no match is found, which means (I think) that > it will become a slow acl for all regular url

[squid-users] Fast acl for ip-based url

2015-03-10 Thread Roel van Meer
Hi list, is there a fast acl to match ip-based urls? I would have thought to use dstdom_regex, but the docs say that a reverse lookup is done if no match is found, which means (I think) that it will become a slow acl for all regular urls. Thanks, Roel

Re: [squid-users] FATAL: xcalloc: Unable to allocate 18446744073487757627 blocks of 1 bytes!

2015-03-10 Thread HackXBack
This is my configure option, what may cause the problem ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datadir=/usr/share/squid --infodir=/usr/share/info --mandi

Re: [squid-users] FATAL: xcalloc: Unable to allocate 18446744073487757627 blocks of 1 bytes!

2015-03-10 Thread Amos Jeffries
On 10/03/2015 8:44 a.m., HackXBack wrote: > root@debian:/etc/squid# gdb /usr/sbin/squid /var/spool/squid/cache/squid/core > GNU gdb (GDB) 7.4.1-debian > Copyright (C) 2012 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later > > This is free