Dear all,
I have a strange problem with my squid 3.5.19 and authentication NTLM.
On my configuration I have 2 auth methods:
NTLM negotiated with ntlm_auth from samba 3
auth_param ntlm program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm chil
You clowns are overcomplicating this.
Simply add a firewall rule allowing the ip of the squid box to bypass
your redirect rule.
( squid has to be able to bypass your port 80 redirect rule to fetch
http data from the web, hence, forward loop error )
--
Signed,
Benjamin E. Nichols
http://ww
On 2016-06-28 08:57, Antony Stone wrote:
On Monday 27 June 2016 at 22:45:19, Ataro wrote:
Hi there,
I've set up a FreeBSD machine inside a VirtualBox machine and used
IPFW to
forward all the requests to the internet through a squid server
running on
the same machine in port 3128 in intercep
On 2016-06-28 04:23, Ozgur Batur wrote:
Hi,
ICAP handles plain HTTP very well but it is not possible to
filter/change or even log content of websocket communication after
websocket upgrade over HTTP as far as I know. Is there any plan or
interest in developing some capability for Squid to contro
On Monday 27 June 2016 at 22:45:19, Ataro wrote:
> Hi there,
>
> I've set up a FreeBSD machine inside a VirtualBox machine and used IPFW to
> forward all the requests to the internet through a squid server running on
> the same machine in port 3128 in intercept mode.
Please show us your IPFW rul
Did you add a firewall rule to allow your squid box/ip to go direct?
You need to, otherwise you'll be sending your traffic in a loop.
On 6/27/2016 3:45 PM, Ataro wrote:
Hi there,
I've set up a FreeBSD machine inside a VirtualBox machine and used
IPFW to forward all the requests to the inter
Hi there,
I've set up a FreeBSD machine inside a VirtualBox machine and used IPFW to
forward all the requests to the internet through a squid server running on the
same machine in port 3128 in intercept mode.
The problem is that I get 403 http responses on every site I try to access to,
even
My question is what is the purpose of this? What are you trying to
accomplish? There may be a different (read easier) way to accomplish
your end goal.
On 6/27/2016 1:27 PM, Benjamin E. Nichols wrote:
It would also be trivial to gather up all known IP ranges issued to
consumer cable ISPs and
It would also be trivial to gather up all known IP ranges issued to
consumer cable ISPs and convert them to a domain name ACL compatible format.
I will put it on the whiteboard.
On 6/27/2016 12:21 PM, Antony Stone wrote:
On Monday 27 June 2016 at 19:06:17, Michael Pelletier wrote:
Does anyo
On Monday 27 June 2016 at 19:06:17, Michael Pelletier wrote:
> Does anyone know of a good blacklist of home cable modems?
I don't think you'll get any list of *home* cable modems, which excludes small
business connections as well.
Also, with a lot of ISPs, I don't think you'll get a list of *ca
Hello,
Does anyone know of a good blacklist of home cable modems?
--
*Disclaimer: *Under Florida law, e-mail addresses are public records. If
you do not want your e-mail address released in response to a public
records request, do not send electronic mail to this entity. Instead,
contact thi
On 06/27/2016 10:23 AM, Ozgur Batur wrote:
> ICAP handles plain HTTP very well but it is not possible to
> filter/change or even log content of websocket communication after
> websocket upgrade over HTTP as far as I know. Is there any plan or
> interest in developing some capability for Squid to c
Hi,
ICAP handles plain HTTP very well but it is not possible to filter/change
or even log content of websocket communication after websocket upgrade over
HTTP as far as I know. Is there any plan or interest in developing some
capability for Squid to control websocket communication content?
There
Is there a way to verify that the SSL library doesn't support SSLv3?
Renato Jop
On Mon, Jun 27, 2016 at 8:43 AM, Yuri wrote:
> Looks like your SSL library does not contain SSLv3 protocol support
> already, but site announces it.
>
> 27.06.2016 20:42, Renato Jop wrote:
>
> I removed the NO_SSLv2,
Thanks Yuri.
On Mon 27.Jun'16 at 19:39:20 +0600, Yuri wrote:
> These are GOST-based ciphers included in LibreSSL. Don't worry about it.
>
>
> 27.06.2016 19:30, C. L. Martinez wrote:
> > Hi all,
> >
> > After some tuning to configure my squid's host with ssl_bump and
> > intermediate CA (many
Browser I used to test runs on same machine with squid, I changed it to
explicit mode (no intercept - I set proxy IP in browser) during my attempts
for ssl interception. Sorry I forgot to mention that in my last post of
logs. So xff localhost is normal I guess. Here is the request log with
port in
Thanks so much for your help on this. So I'm changing it up a little bit.
Disregard the backend server certificates. I'm using 3 frontend servers
but I want to use LetsEncrypt to create the SAN certificate for them. Is
the concept the same with how you described this? Just as I mentioned, one
of
And finally:
root @ cthulhu / # ping s.yimg.com
s.yimg.com is alive
root @ cthulhu / # telnet s.yimg.com 443
Trying 66.196.65.111...
Connected to s.gycs.b.yahoodns.net.
Escape character is '^]'.
^]
telnet> quit
Connection to s.gycs.b.yahoodns.net closed.
root @ cthulhu / # wget -S s.yimg.com
--2
Looks like your SSL library does not contain SSLv3 protocol support
already, but site announces it.
27.06.2016 20:42, Renato Jop wrote:
I removed the NO_SSLv2, NO_SSLv3 however, right before the
SSL3_GET_RECORD:wrong version number the SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol is sh
I removed the NO_SSLv2, NO_SSLv3 however, right before the
SSL3_GET_RECORD:wrong version number the SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
Renato Jop
On Mon, Jun 27, 2016 at 8:29 AM, Yuri wrote:
> Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not supported
Forgot about it: during testing reddit connectivity via squid squid
itself got errors in cache.log:
2016/06/27 20:37:21 kid1| Error negotiating SSL on FD 7:
error::lib(0):func(0):reason(0) (5/0/0)
2016/06/27 20:37:22 kid1| Error negotiating SSL on FD 10:
error::lib(0):func(0):r
Yet another non-porn site: reddit.com
Let's check.
root @ cthulhu / # dig reddit.com
; <<>> DiG 9.6-ESV-R11-P6 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21722
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
[ Please reply to the mailing list. I don't do private support except for
paying customers. And you have not arranged for that in advance. ]
On 28/06/2016 2:06 a.m., Adam Wright wrote:
> - Ok, ISP will see my http traffic, but will the ISP see which websites I'm
> surfing?
If anyone can see HTTP tr
Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 is already not
supported everywhere, RC4/3DES are SSLv3 ciphers, so it can confuse
software. I.e., you use custom ciphers/protocols combinations, which can
lead to issues.
27.06.2016 20:25, Renato Jop wrote:
Thank you both for your valuable help
Thank you both for your valuable help.
I've configured the tls-dh param with a strong Diffie-Hellman group (2048
bits) and configured the cipher as Yuri specified and I was able to get
past the unknown cipher, however now I get a "SSL
routines:SSL3_GET_RECORD:wrong version number". Here's the confi
On 28/06/2016 1:43 a.m., Adam Wright wrote:
> I always thought for years, using a proxy server hides me from my isp to
> see which websites I'm using etc... Because I'm only connecting to my vps
> server with the help of squid.
You need a VPN or similar encrypted tunnel for that use case. Use of
i
On 27/06/2016 12:35, Silamael wrote:
> On 27.06.2016 13:19, Amos Jeffries wrote:
>> On 27/06/2016 9:16 p.m., Silamael wrote:
>>> Hi,
>>>
>>> I'm playing around with the SMP feature on OpenBSD 5.9 and noticed that
>>> Squid does not run due to hard coded limits for the receive and send
>>> buffer si
These are GOST-based ciphers included in LibreSSL. Don't worry about it.
27.06.2016 19:30, C. L. Martinez wrote:
Hi all,
After some tuning to configure my squid's host with ssl_bump and
intermediate CA (many thanks Yuri), I have tested my setup against
https://www.ssllabs.com and https://ho
One note:
I have the same issue with *supportforums.cisco.com*.
Is it also blocked/filtered by ISP? Every time via Squid I have this issue.
Directly connected browser still works.
27.06.2016 19:30, Amos Jeffries wrote:
On 28/06/2016 1:13 a.m., Adam Wright wrote:
Nothing changed, I'm still tryin
On 28/06/2016 1:13 a.m., Adam Wright wrote:
> Nothing changed, I'm still trying to understand what's going on. I'm trying
> different scenarios. I ended up something very interesting.
>
> When I use the 4g internet of my mobile phone with squid, those websites
> work! But with my adsl connection,
Hi all,
After some tuning to configure my squid's host with ssl_bump and intermediate
CA (many thanks Yuri), I have tested my setup against https://www.ssllabs.com
and https://howsmyssl.com and both sites return me the following error:
Some unknown cipher suite: 0xff85 (SSLLabs says UNKNOWN
On 27.06.2016 13:19, Amos Jeffries wrote:
> On 27/06/2016 9:16 p.m., Silamael wrote:
>> Hi,
>>
>> I'm playing around with the SMP feature on OpenBSD 5.9 and noticed that
>> Squid does not run due to hard coded limits for the receive and send
>> buffer sizes of Unix Domain Sockets. In contrary to ot
On 27/06/2016 11:01 p.m., Ozgur Batur wrote:
> Yes that is much easier, thank you.
>
> Rafael's line is response header, I received the same. Here is the related
> cachelog:
>
What is the content of the line above this one. With the IP:port details ?
> 2016/06/27 13:52:49.194 kid1| 11,2| http.cc
On 27/06/2016 9:16 p.m., Silamael wrote:
> Hi,
>
> I'm playing around with the SMP feature on OpenBSD 5.9 and noticed that
> Squid does not run due to hard coded limits for the receive and send
> buffer sizes of Unix Domain Sockets. In contrary to other OSes these
> limits cannot be adjusted by a
Yes that is much easier, thank you.
Rafael's line is response header, I received the same. Here is the related
cachelog:
2016/06/27 13:52:49.194 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server
REQUEST:
GET / HTTP/1.1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q
On 27/06/2016 9:04 p.m., Ozgur Batur wrote:
> Hello Amos,
>
> This is the via header sent by my local proxy as part of the request.
> *Via: 1.1 ubuntuozgen (squid/3.5.19)*
>
> It is not fqdn but ubuntu concatenated with a Turkish name so it is highly
> unlikely that yahoo have such named reverse
Hi,
I'm playing around with the SMP feature on OpenBSD 5.9 and noticed that
Squid does not run due to hard coded limits for the receive and send
buffer sizes of Unix Domain Sockets. In contrary to other OSes these
limits cannot be adjusted by a sysctl.
The attached patch adds some setsockopt() cal
Hello Amos,
This is the via header sent by my local proxy as part of the request.
*Via: 1.1 ubuntuozgen (squid/3.5.19)*
It is not fqdn but ubuntu concatenated with a Turkish name so it is highly
unlikely that yahoo have such named reverse proxy. I could not decrypt the
squid <--> flicker traffic