Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-11-24 Thread Dan Charlesworth
They’re probably matching about 40% of the time on twitter.com, though 😒 > On 25 Nov 2015, at 11:40 AM, Dan Charlesworth wrote: > > Alright, thanks for the hint. > > My proxy and clients definitely have the same DNS server (I removed the > secondary and tertiary ones to make totally sure) but

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-11-24 Thread Dan Charlesworth
Alright, thanks for the hint. My proxy and clients definitely have the same DNS server (I removed the secondary and tertiary ones to make totally sure) but the results definitely aren’t matching 99% of the time. Probably more like 90%. Perhaps it’s 'cause my clients are caching records locally

Re: [squid-users] 2 way SSL on a non standard SSL Port

2015-11-24 Thread Eliezer Croitoru
Hey Bart, What OS are you using? I have just pushed the latest(3.5.11) CentOS RPMs, details at: http://wiki.squid-cache.org/KnowledgeBase/CentOS . Eliezer On 25/11/2015 02:11, Amos Jeffries wrote: That said, there are a few major bugs in CONNECT handling that have been uncovered and fixed si

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-11-24 Thread Amos Jeffries
On 25/11/2015 12:20 p.m., Dan Charlesworth wrote: > Thanks for the perspective on this, folks. > > Going back to the technical stuff—and this isn’t really a squid thing—but is > there any way I can minimise this using my DNS server? > > Can I force my local DNS to only ever return 1 address fro

Re: [squid-users] 2 way SSL on a non standard SSL Port

2015-11-24 Thread Amos Jeffries
On 25/11/2015 11:41 a.m., Bart Spedden wrote: > Hello, > > I have a java application that is successfully making REST calls to a 3rd > party vendor that requires 2 way SSL on port 8184 for some calls and 1 way > SSL on port 8185 for other calls. However, when I start proxying the calls > with squi

Re: [squid-users] Problems with NTLM authentication

2015-11-24 Thread Amos Jeffries
On 25/11/2015 4:44 a.m., Brendan Kearney wrote: > On 11/24/2015 10:08 AM, Verónica Ovando wrote: >> My Squid Version: Squid 3.4.8 >> >> OS Version: Debian 8 >> >> I have installed Squid on a server using Debian 8 and seem to have the >> basics operating, at least when I start the squid service, I

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-11-24 Thread Dan Charlesworth
Thanks for the perspective on this, folks. Going back to the technical stuff—and this isn’t really a squid thing—but is there any way I can minimise this using my DNS server? Can I force my local DNS to only ever return 1 address from the pool on a hostname I’m having trouble with? > On 30 Oc

Re: [squid-users] Duplicate Headers

2015-11-24 Thread Amos Jeffries
On 25/11/2015 6:58 a.m., Benjamin Reed wrote: > Any idea how my X-Cache, X-Cache-Lookup, and Via: headers are getting > messed up on my accelerator configuration? > > Here's the output from a sample HEAD request: > > http://paste.opennms.eu/?26c282e7abba631e#oqU/8pAmAUXHhMXPHhr9vWjJAA1FVcgn49W5BWO1

[squid-users] 2 way SSL on a non standard SSL Port

2015-11-24 Thread Bart Spedden
Hello, I have a java application that is successfully making REST calls to a 3rd party vendor that requires 2 way SSL on port 8184 for some calls and 1 way SSL on port 8185 for other calls. However, when I start proxying the calls with squid all 1 and 2 way SSL calls fail. I added ports 8184 and

Re: [squid-users] [SOLVED] Transparent HTTPS Squid proxy with upstream parent

2015-11-24 Thread Michael Ludvig
On 24/11/15 18:26, Amos Jeffries wrote: That is two separate and entirely different traffic types: A) [client] -> HTTP--(NAT)--> [my_proxy] B) [client] -> TLS--(NAT)--> [my_proxy] (A) requires "http_port ... intercept ssl-bump cert=/path/to/cert" (B) requires "https_port ... intercept ssl-bu

Re: [squid-users] [Squid 3.5.10] - Unable to cache objects from Cloudflare

2015-11-24 Thread Eliezer Croitoru
Have you tried clearing the local cache of the browser before you run your test each time? Eliezer On 20/11/2015 01:59, David Touzeau wrote: Hi It seems that squid is not able to save in cache objects from CloudFlare websites. Here it is the header information: Connecting to 127.0.0.1:8182.

Re: [squid-users] Duplicate Headers

2015-11-24 Thread Benjamin Reed
On 11/24/15 1:09 PM, Antony Stone wrote: > squid.conf, minus blank lines and comments, please? Here you go. Each system is identical but with itself commented out of the "cache_peer" and "cache_peer_access" lines. acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port

Re: [squid-users] Duplicate Headers

2015-11-24 Thread Antony Stone
On Tuesday 24 November 2015 at 18:58:01, Benjamin Reed wrote: > Any idea how my X-Cache, X-Cache-Lookup, and Via: headers are getting > messed up on my accelerator configuration? > > Here's the output from a sample HEAD request: > > http://paste.opennms.eu/?26c282e7abba631e#oqU/8pAmAUXHhMXPHhr9v

[squid-users] Duplicate Headers

2015-11-24 Thread Benjamin Reed
Any idea how my X-Cache, X-Cache-Lookup, and Via: headers are getting messed up on my accelerator configuration? Here's the output from a sample HEAD request: http://paste.opennms.eu/?26c282e7abba631e#oqU/8pAmAUXHhMXPHhr9vWjJAA1FVcgn49W5BWO1vIs= Th

Re: [squid-users] Problems with NTLM authentication

2015-11-24 Thread Brendan Kearney
On 11/24/2015 10:08 AM, Verónica Ovando wrote: My Squid Version: Squid 3.4.8 OS Version: Debian 8 I have installed Squid on a server using Debian 8 and seem to have the basics operating, at least when I start the squid service, I am no longer getting any error messages. At this time,

[squid-users] Problems with NTLM authentication

2015-11-24 Thread Verónica Ovando
My Squid Version: Squid 3.4.8 OS Version: Debian 8 I have installed Squid on a server using Debian 8 and seem to have the basics operating, at least when I start the squid service, I am no longer getting any error messages. At this time, the goal is to authenticate users from Active D

Re: [squid-users] routing to parent using carp

2015-11-24 Thread Sreenath BH
Thanks. I should have read the documentation completely before posting. carp-key=key-specification rgds, Sreenath On 11/24/15, Amos Jeffries wrote: > On 24/11/2015 11:11 p.m., Sreenath BH wrote: >> Hi all, >> >> We are planning to use carp to route requests based on request URL. >> A part of

Re: [squid-users] [Squid 3.5.10] - Unable to cache objects from Cloudflare

2015-11-24 Thread Eliezer Croitoru
Hey, I do not see any issue. I analyzed the logs and they seem to work as expected. The logs all personal details removed at: http://paste.ngtech.co.il/p8ncwgnlg What issue do you see in the logs? What would you expect? Does the site load slower in any form? What would expect to be "fixed" in

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Antony Stone
On Tuesday 24 November 2015 at 14:31:15, Ahmad Alzaeem wrote: > The DNS is not broken, it will resolve some websites to ip address of > squid and other websites will resolve to other ip That sounds pretty broken to me (unless the Squid machine really is the web server for those sites whose hostna

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Yuri Voinov
24.11.15 19:31, Ahmad Alzaeem wrote: > Ok > > > 1. Have you fixed DNS so that clients are now resolving the correct addresses for destination servers? > No , the issues will not be solved and will always dns resolve the ip of websites to the ip

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Ok 1. Have you fixed DNS so that clients are now resolving the correct addresses for destination servers? No, the issues will not be solved and will always dns resolve the ip of websites to the ip address of squid (http & https requests with the wrong dst ip will hit squid) Again, I want

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Antony Stone
On Tuesday 24 November 2015 at 13:34:51, Ahmad Alzaeem wrote: > Well , what I have done is : > > I configured squid http_port xx and http_port xxy intercept > > And uses iptables to redirect http & https to squid ports 1. Have you fixed DNS so that clients are now resolving the correct addresse

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Well, what I have done is: I configured squid http_port xx and http_port xxy intercept And uses iptables to redirect http & https to squid ports But it doesn’t work and I have logs: 1448121527.423 10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html 1448

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Antony Stone
On Tuesday 24 November 2015 at 13:13:17, Ahmad Alzaeem wrote: > Guys I understand that > > The question is being asked , can squid fix this issue or not? Yes, provided you use it in configured-proxy mode, instead of intercept mode. Antony. > -Original Message- > From: squid-users [mai

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Guys I understand that The question is being asked , can squid fix this issue or not ? -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Antony Stone Sent: Tuesday, November 24, 2015 2:42 PM To: squid-users@lists.squid-cache.org Subj

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Antony Stone
On Tuesday 24 November 2015 at 12:22:40, Ahmad Alzaeem wrote: > Hi Devs , > > I have a server that send to squid http/https with wrong destination ips It has already been recommended that you fix your DNS so that it works correctly / normally. > So assume I want to open google > > The reques

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Yuri Voinov
In the case of obviously faulty DNS you can, for example, set up your own caching DNS (for example, Unbound), which takes data from a known clean source - for example, by using DNSCrypt and, possibly, with DNSSEC validation. And specifying it as a source of information for Squid's name resolvin

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Yuri Voinov
The reason may be, for example, in the DNS cache poisoning. Or the transparent interception of DNS requests. In either case, the need to solve various actions and they are not connected with the SQUID. 24.11.15 17:22, Ahmad Alzaeem wrote: Hi Devs , I have a server that send to squid http/htt

Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Yuri Voinov
We do not know and can not know why the server sends such a request. There are only assumptions of varying degrees of reliability. SQUID configuration in this case is absolutely not enough to give a reasonable answer. If the problem is DNS - then what's the Squid? 24.11.15 17:22, Ahmad Alzaee

[squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Hi Devs, I have a server that sends to squid http/https with wrong destination ips So assume I want to open google The request hit the squid with https/http packet with payload www.google.com with dst ip 10.0.0.1 not the real dst ip of google like 74.125.x.x

Re: [squid-users] routing to parent using carp

2015-11-24 Thread Amos Jeffries
On 24/11/2015 11:11 p.m., Sreenath BH wrote: > Hi all, > > We are planning to use carp to route requests based on request URL. > A part of the URL refers to a part of the file that is being requested > in the GET request(say a part of a video file) > > However, to make the back-end more efficient

[squid-users] routing to parent using carp

2015-11-24 Thread Sreenath BH
Hi all, We are planning to use carp to route requests based on request URL. A part of the URL refers to a part of the file that is being requested in the GET request(say a part of a video file) However, to make the back-end more efficient, it would be great if all requests for a particular file

Re: [squid-users] Fwd: LDAP group authorisation not supported

2015-11-24 Thread Amos Jeffries
On 24/11/2015 10:18 p.m., Serge Tarik wrote: > it's in cache.log when I'm enabling it in squid conf, and in command line > when I'm testing ext_kerberos_ldap_group_acl -a -i -g DenyInternet -m 64 -D >> EXAMPLE.ORG -u squid -p passWD > Aha. That happens when the helper was built

Re: [squid-users] Fwd: LDAP group authorisation not supported

2015-11-24 Thread Amos Jeffries
On 24/11/2015 10:06 p.m., Serge Tarik wrote: > Hello, I'm getting this error while trying to configure > integration of squid 3.3.8 with Active Directory and by > ext_kerberos_ldap_group_acl helper, I'm getting this error, LDAP group > authorisation not supported? Where is that message seen?

Re: [squid-users] [Squid 3.5.10] - Unable to cache objects from Cloudflare

2015-11-24 Thread Eliezer Croitoru
What version of squid are you using? what squid.conf? CloudFlare in general is cache friendly but squid may have a bug here and there. To test a theory I would like you to try the next log format: logformat cache_headers %ts.%03tu %6tr %>a %Ss/%03>Hs %%Sh/%h" "%{Cache-Control}>ha" "%{Pragma}>h

[squid-users] Fwd: LDAP group authorisation not supported

2015-11-24 Thread Serge Tarik
Hello, I'm getting this error while trying to configure integration of squid 3.3.8 with Active Directory and by ext_kerberos_ldap_group_acl helper, I'm getting this error, LDAP group authorisation not supported? Can't find the solution on web, any help will do. I've configured keytab, and get helper

Re: [squid-users] Squid3.x have issue with some sites, squid2.x not.

2015-11-24 Thread Amos Jeffries
On 24/11/2015 8:53 p.m., Matus UHLAR - fantomas wrote: > On 24.11.15 15:27, Amos Jeffries wrote: >> 3.4 has about 12 years of code development difference to 2.7. >> It is no surprise when they act different (good or bad). > > how do you compare this? 2.7 versions were produced in 2008 to 2010, whe