Re: [squid-users] ACL and http_access

2015-11-12 Thread Magic Link
What I want if it's possible is: Users can't access Internet, except during two periods each day I'll define. During these two periods, they can access only a few sites I define in the file (basic url http or https per line). I have to know if it's possible with Squid? Or Squidguard? Or not at

Re: [squid-users] Watchguard firewall behind SQUID and the internet

2015-11-12 Thread Matus UHLAR - fantomas
On 12.11.15 18:59, christian.bufac...@kemone.com wrote: We have implemented a SQUID proxy between our clients and a Watchguard firewall, the which contains user access rules based on our MS Active Directory. So we currently have the following flow : Client => SQUID proxy => Watchguard => Internet

Re: [squid-users] Help, long response time(2 seconds) in squid!

2015-11-12 Thread Eliezer Croitoru
On 10/11/2015 10:49, 徐永健 wrote: http_load -parallel 1 -seconds 20 url.txt Hey, Can you run a simple test and share something from the cache manager interface? - Start or restart squid. - make sure there are no running requests - dump the cache manager info page - run one single run of the ht

Re: [squid-users] Multicast WCCPv2 + Squid 3.3.8

2015-11-12 Thread Amos Jeffries
On 11/11/2015 5:25 p.m., Fatah Mumtaz wrote: > Hi everyone, > Currently i'm building lab for my thesis on the topic Multicast WCCPv2 with > Squid. I'm trying to config WCCPv2 to work with single proxy server (Squid > 3.3.8) and multiple Cisco 2821 routers. WCCPv2 works well with one proxy > server

Re: [squid-users] Help, long response time(2 seconds) in squid!

2015-11-12 Thread Amos Jeffries
On 10/11/2015 9:49 p.m., 徐永健 wrote: > Hi, All: > I tried to use squid as a web cache server today, but when I test it with > http_load, I found squid may have a latency of 2 seconds in some cases. > Someone help me? Thanks! > The test is > --- > http_load -parallel 1 -seconds 20 url.txt > # th

Re: [squid-users] File rotation problem

2015-11-12 Thread Amos Jeffries
On 13/11/2015 12:30 a.m., Verónica Ovando wrote: > Thanks for your answer, Amos. > > Yes, squid 3.5 is running over Debian8. > > What do you refer with "All the squid3 things you are checking may not > actually exists anymore"? If you are running the official Debian 3.5 package, it went through

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Amos Jeffries
On 13/11/2015 1:04 a.m., Steve Hill wrote: > On 12/11/15 09:04, Eugene M. Zheganin wrote: > >> I decided to intercept the HTTPS traffic on my production squids from >> proxy-unaware clients to be able to tell them there's a proxy and they >> should configure one. >> So I'm doing it like (the proces

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Amos Jeffries
On 13/11/2015 3:00 a.m., Yuri Voinov wrote: > > Read carefully - this is not complete fix. Just dirty hack. And will not > guarantee fixed on _all_ platforms. That bug is only relevant to Solaris. It is a hack, but a hack that all non-Solaris OS have been using for several decades without issues

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Amos Jeffries
On 13/11/2015 1:02 a.m., Edouard Gaulué wrote: > > In the https case I observe just 1 stream: > CONNECT ad.doubleclick.net:443 HTTP/1.1 > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) > Gecko/20100101 Firefox/42.0 > Proxy-Connection: keep-alive > Connection: keep-alive > Host:

Re: [squid-users] disable/enable user accounts--please help

2015-11-12 Thread Amos Jeffries
On 13/11/2015 12:22 p.m., Ramos-Estevez, Abraham wrote: > Squid beginner seeking help with disabling users in Squid for testing > purposes. > > Basically testing on a client that uses a squid http proxy and > requires users to submit proxy credentials. I would like to know if > test proxy credent

Re: [squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Alex Rousskov
On 11/12/2015 04:47 PM, Amos Jeffries wrote: > On 13/11/2015 8:12 a.m., Alex Rousskov wrote: >> On 11/12/2015 11:31 AM, Tom Mowbray wrote: >>> acl sslallow ssl::server_name "/path/to/file" >>> ssl_bump peek all >>> ssl_bump splice sslallow >>> ssl_bump terminate all > I am wondering if this is al

Re: [squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Amos Jeffries
On 13/11/2015 8:12 a.m., Alex Rousskov wrote: > On 11/12/2015 11:31 AM, Tom Mowbray wrote: >> Here is the significant portion of our squid.conf: >> >> acl sslallow ssl::server_name "/path/to/file" >> ssl_bump peek all >> ssl_bump splice sslallow >> ssl_bump terminate all >> >> Most of the sites in

[squid-users] disable/enable user accounts--please help

2015-11-12 Thread Ramos-Estevez, Abraham
Squid beginner seeking help with disabling users in Squid for testing purposes. Basically testing on a client that uses a squid http proxy and requires users to submit proxy credentials. I would like to know if test proxy credentials can be disabled to validate the error message from the client

Re: [squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Tom Mowbray
For what it's worth, I was able to "fix" issue by adding "generate-host-certificates=off" to the end of my https_port configuration. It's not ideal (because I'm not sure why these sites don't splice correctly after being peeked on certain browsers), but it does cause the pages to time out rather t

Re: [squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Tom Mowbray
Thanks for your response. I don't see anything strange in the access log, just the initial CONNECT request, but nothing follows because of the error at the client. We have squid set to "deny all" on certificate error. While your suggestions would surely solve the problem, they don't work for our

Re: [squid-users] Watchguard firewall behind SQUID and the internet

2015-11-12 Thread Amos Jeffries
On 13/11/2015 6:59 a.m., christian.bufacchi wrote: > Hello. > > We have implemented a SQUID proxy between our clients and a Watchguard > firewall, the which contains user access rules based on our MS Active > Directory. > So we currently have the following flow : Client => SQUID proxy => > Watc

Re: [squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Alex Rousskov
On 11/12/2015 11:31 AM, Tom Mowbray wrote: > We're seeing some strange behavior where certain sites, especially those > hosted by Google, including youtube.com, where the > HTTPS traffic is being "bumped" and users are getting certificate errors > with our self-signed certifica

[squid-users] Squid "bumping" traffic despite using "splice" directive

2015-11-12 Thread Tom Mowbray
We're seeing some strange behavior where certain sites, especially those hosted by Google, including youtube.com, where the HTTPS traffic is being "bumped" and users are getting certificate errors with our self-signed certificate and CA appearing in the certificate details. What is strange is that

Re: [squid-users] Watchguard firewall behind SQUID and the internet

2015-11-12 Thread Yuri Voinov
We know nothing meaningful about your infrastructure. Ergo, we can't get any meaningful advice. 12.11.15 23:59, christian.bufac...@kemone.com wrote: > Hello. > > We have implemented a SQUID proxy between our clients and a Watchguard > firewall,

[squid-users] Watchguard firewall behind SQUID and the internet

2015-11-12 Thread christian . bufacchi
Hello. We have implemented a SQUID proxy between our clients and a Watchguard firewall, the which contains user access rules based on our MS Active Directory. So we currently have the following flow : Client => SQUID proxy => Watchguard => Internet. At the moment, the Watchguard only receives

Re: [squid-users] Large Files Not Caching

2015-11-12 Thread Benjamin Reed
On 11/12/15 12:35 PM, Antony Stone wrote: >>> I'm trying to set up a CDN-like frontend to our (bandwidth-constrained) >>> >>> master package repository. Everything seems to be working (including >>> memory cache hits) except for some reason it does not seem to be >>> caching/keeping large files.

Re: [squid-users] Large Files Not Caching

2015-11-12 Thread Antony Stone
On Thursday 12 November 2015 at 18:31:10, Benjamin Reed wrote: > I'm trying to set up a CDN-like frontend to our (bandwidth-constrained) > master package repository. Everything seems to be working (including > memory cache hits) except for some reason it does not seem to be > caching/keeping larg

[squid-users] Large Files Not Caching

2015-11-12 Thread Benjamin Reed
I'm trying to set up a CDN-like frontend to our (bandwidth-constrained) master package repository. Everything seems to be working (including memory cache hits) except for some reason it does not seem to be caching/keeping large files. Attached is my configuration. Is there something obvious that

Re: [squid-users] ACL and http_access

2015-11-12 Thread Antony Stone
On Thursday 12 November 2015 at 15:55:10, Magic Link wrote: > Hi, > I want people don't have access to Internet, except one hour twice a day > with only some urls listed in a file. I use the ACL type "time" and > "url_regex" but it doesn't work. Please elaborate on "it doesn't work". Do you mean

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Walter H.
On 05.11.2015 04:26, Amos Jeffries wrote: There was a bug about the wrong SNI being sent to servers on bumped traffic that got re-written. That got fixed in Squid-3.5.7 and re-writers should have been fully working since then. This seems to be a bug in 3.5.x only with 3.4.10 this works fine ..

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Edouard Gaulué
On 12/11/2015 13:28, Marcus Kool wrote: I cannot make much of the logs and expect that information is missing. But using just logic, it seems that Squid has a problem with the redirect to a CONNECT. I suggest to set debug all,9 and to look closely at what happens with the redirection. Marc

[squid-users] ACL and http_access

2015-11-12 Thread Magic Link
Hi, I want people don't have access to Internet, except one hour twice a day with only some urls listed in a file. I use the ACL type "time" and "url_regex" but it doesn't work. I think I don't do well with the order of http_access too. Is it possible with squid only to do what I want? Here is my

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Yuri Voinov
Read carefully - this is not complete fix. Just dirty hack. And will not guarantee fixed on _all_ platforms. 12.11.15 19:44, Eugene M. Zheganin wrote: > Hi, > > On 12.11.2015 17:48, Yuri Voinov wrote: > >> More probably this is bug >> http://bugs.

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi, On 12.11.2015 17:48, Yuri Voinov wrote: > More probably this is bug > http://bugs.squid-cache.org/show_bug.cgi?id=4188. > Page said it's fixed, and applied to 3.5. If it's already in 3.5.11, then it's not it - I just tested 3.5.11, and the behavior is the same. Thanks. Eugene.

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi. On 12.11.2015 17:04, Steve Hill wrote: > > proxy_auth won't work on intercepted traffic and will therefore always > return false, so as far as I can see you're always going to peek and > then splice. i.e. you're never going to bump, so squid should never > be generating a forged certificate.

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Yuri Voinov
More probably this is bug http://bugs.squid-cache.org/show_bug.cgi?id=4188. 12.11.15 18:04, Steve Hill wrote: > On 12/11/15 09:04, Eugene M. Zheganin wrote: > >> I decided to intercept the HTTPS traffic on my production squids from >> proxy-unaware

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Marcus Kool
I cannot make much of the logs and expect that information is missing. But using just logic, it seems that Squid has a problem with the redirect to a CONNECT. I suggest to set debug all,9 and to look closely at what happens with the redirection. Marcus On 11/12/2015 10:02 AM, Edouard Gaulué w

Re: [squid-users] squid http & https intercept based on DNS server

2015-11-12 Thread Steve Hill
On 12/11/15 12:08, James Lay wrote: Some applications (I'm thinking mobile apps) may or may not use a hostname...some may simply connect to an IP address, which makes control over DNS irrelevant at that point. Hope that helps. Also, redirecting all the DNS records to Squid will break everythi

Re: [squid-users] squid http & https intercept based on DNS server

2015-11-12 Thread James Lay
On Thu, 2015-11-12 at 09:37 +0300, Ahmad Alzaeem wrote: > Sorry , didn’t understand , could you explain more ?? > > cheers > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of James Lay > Sent: Thursday, November 12, 2015 12:29 AM

Re: [squid-users] sslBump and intercept

2015-11-12 Thread Steve Hill
On 12/11/15 09:04, Eugene M. Zheganin wrote: I decided to intercept the HTTPS traffic on my production squids from proxy-unaware clients to be able to tell them there's a proxy and they should configure one. So I'm doing it like (the process of forwarding using FreeBSD pf is not shown here): ===

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Edouard Gaulué
Hi Marcus and all, I have option_debug ALL,2 61,9. Logs don't tell me a lot, the squidguard answer is exactly the same with or without ssl. === 2015/11/12 11:51:13.320 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=192.168.0.233:3128 remote=192.168

Re: [squid-users] Dansguardian Squid and HTTPS

2015-11-12 Thread Amos Jeffries
On 12/11/2015 9:54 p.m., FredB wrote: > > This is not the right place to speak about DansGuardian > >> OK, but in squid log i saw only the IP of listen >> dansguardian > > Take a look at forwarder = on (dg) and forwarder_for on (squid) No, follow_x_forwarded_for in Squid. It needs to allow for

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Edouard Gaulué
Hi again, Just forget what I said about REDIRECT answers, they are the same with or without SSL (it was a side effect of "-C5" on my logs grep). But, why are browsers handling that in a different way? Without SSL, it's all right. With SSL it's getting to the conclusion it should try to conn

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Marcus Kool
On 11/12/2015 07:03 AM, Edouard Gaulué wrote: Hi Marcus, Amos and maybe others, Here were I am. I've looked in the log. Let me describe what I observe. It's maybe linked with some other posts I've read. Imagine I try to connect to http://ad.doubleclick.net/ad.jpg. I observe the request in w

[squid-users] sslBump and intercept

2015-11-12 Thread Eugene M. Zheganin
Hi. This question is unrelated directly to my yesterday's one. I decided to intercept the HTTPS traffic on my production squids from proxy-unaware clients to be able to tell them there's a proxy and they should configure one. So I'm doing it like (the process of forwarding using FreeBSD pf is not

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Edouard Gaulué
Hi Marcus, Amos and maybe others, Here were I am. I've looked in the log. Let me describe what I observe. It's maybe linked with some other posts I've read. Imagine I try to connect to http://ad.doubleclick.net/ad.jpg. I observe the request in wireshark. It goes to the squid process: there is

Re: [squid-users] Dansguardian Squid and HTTPS

2015-11-12 Thread FredB
This is not the right place to speak about DansGuardian > OK, but in squid log i saw only the IP of listen > dansguardian Take a look at forwarder = on (dg) and forwarder_for on (squid) > First, there is a way to dansguardian pass username to > squid ? Second, in sites https If I understand