Re: [squid-users] Unable to open youtube.com

2018-10-16 Thread Timur Lagutenko
I will try a fresh installation of FreeBSD 11.2-RELEASE and see how it works. Maybe something was corrupted during the upgrade. Just FYI, please look at my pf.conf and squid.conf: *# cat /etc/pf.conf* outif=re0 #outer interface inif=re1 #inner interface outip

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Amos Jeffries
On 17/10/18 3:15 PM, Amish wrote: > > My proposal would be to add "-n" (nobump) option to deny_info. > > If -n is specified then squid will send 307 directly instead of 200. > > Case 1) > deny_info http://192.168.1.1/blocked.html denyit > > Return with 200 and bump it (existing behaviour) >

Re: [squid-users] Unable to open youtube.com

2018-10-16 Thread Amos Jeffries
On 17/10/18 5:17 PM, Timur Lagutenko wrote: > I'm sure that the issue is not related to firewall rules. > because if I pass traffic from client IP (using NAT, browser is not > configured to use proxy) it works. Ah, you said earlier that you did not have SSL-Bump features enabled. How are you inte

Re: [squid-users] Unable to open youtube.com

2018-10-16 Thread Timur Lagutenko
I'm sure that the issue is not related to firewall rules, because if I pass traffic from client IP (using NAT, browser is not configured to use proxy) it works. I think it is related to some SSL/TLS lib in the system. Because today I've tried CLI browser - links. Launching it directly from gateway

Re: [squid-users] Unable to open youtube.com

2018-10-16 Thread Amos Jeffries
On 17/10/18 6:22 AM, Bruno de Paula Larini wrote: > > On 16/10/2018 02:46, Timur Lagutenko wrote: >> Hello friends, >> >> recently I've updated my freebsd gateway. >> from 11.1 to 11.2. >> also I've updated squid from 3.5 to 4.1 >> I have no transparency, no ssl-bump/splice etc.. >> simple inst

Re: [squid-users] Delay pools and external acl

2018-10-16 Thread Amos Jeffries
On 16/10/18 11:09 AM, Danilo V wrote: > Hi all, > > Has anyone succeeded applying delay pools on groups from AD? > > I'm using squid 3.5.23 with basic_ldap_auth. > I initially tried to combine mapping groups with external acl type > (ext_ldap_group_acl) to delay pools. It's a trap :-( > A trap?

Re: [squid-users] acl "clientside_mark" problem

2018-10-16 Thread Amos Jeffries
On 16/10/18 11:13 PM, Antony Stone wrote: > On Tuesday 16 October 2018 at 11:38:53, morteza omidian wrote: > >> Hi >> why doesn't anybody answer me? > > Maybe we don't have experience with precisely what you're trying to do. > > Maybe we're busy with our day jobs. > > Maybe we're confused by the

Re: [squid-users] squid clientside_mark problem

2018-10-16 Thread Amos Jeffries
On 16/10/18 8:06 PM, morteza omidian wrote: > Hi > Which options do I have to compile with to enable "clientside_mark"?? > Let me copy and paste the text from the ACL documentation page I referenced you to read right at the beginning of these many splintered discussion multi-thread(s). Note the

Re: [squid-users] How to create a simple whitelist using regexes?

2018-10-16 Thread Amos Jeffries
In addition to what Matus and Alex have already said about your problem, you do not appear to understand regex patterns properly. On 16/10/18 4:11 AM, RB wrote: > Hi Matus, > > Thanks for responding so quickly. I uploaded my configurations here if > that is more helpful: https://bit.ly/2NF4zNb >

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Amish
On 16/10/18 10:07 PM, Alex Rousskov wrote: On 10/16/2018 10:01 AM, Amish wrote: Thing is that squid behaves differently for 2 exactly same CONNECT request with only difference being ssl-bump Yes, Squid behaves differently when configured differently. * My original response was specific to Ssl

Re: [squid-users] Unable to open youtube.com

2018-10-16 Thread Bruno de Paula Larini
On 16/10/2018 02:46, Timur Lagutenko wrote: Hello friends, recently I've updated my freebsd gateway. from 11.1 to 11.2. also I've updated squid from 3.5 to 4.1 I have no transparency, no ssl-bump/splice etc.. simple installation. browser is configured to use proxy. squid configuration is def

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Alex Rousskov
On 10/16/2018 10:01 AM, Amish wrote: > On 16/10/18 9:05 PM, Alex Rousskov wrote: >> On 10/16/2018 06:29 AM, Amish wrote: >>> In my opinion correct flow should be like this: >>> >>> 1) Browser sends CONNECT request >>> 2) Check ACL >>> 3) If denied, return with 307 (or 302) >>> 4) If allowed, go ahe

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Amish
On 16/10/18 9:05 PM, Alex Rousskov wrote: On 10/16/2018 06:29 AM, Amish wrote: In my opinion correct flow should be like this: 1) Browser sends CONNECT request 2) Check ACL 3) If denied, return with 307 (or 302) 4) If allowed, go ahead with tunneling / bumping as applicable Unfortunately, t

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Alex Rousskov
On 10/16/2018 06:29 AM, Amish wrote: > It seems that current algorithm for ssl-bump is: > > 1) Browser sends CONNECT request > 2) Squid sends status 200 Connection Established > 3) Check ACL > 4) If denied, bump the connection with squid certificate > 5) If allowed, go ahead with tunneling / bump

Re: [squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Amish
Further to this: I have ssl-bump setup on port 8080. If I remove ssl-bump squid works just like I mentioned in my earlier e-mail. > curl -ix 192.168.1.1:8080 https://google.com HTTP/1.1 307 Temporary Redirect Server: squid/4.3 Mime-Version: 1.0 Date: Tue, 16 Oct 2018 12:01:41 GMT Content-Type:

[squid-users] deny_info and CONNECT for https request gives SSL error

2018-10-16 Thread Amish
Hello I have this simplified ACL in squid.conf acl denyit src all deny_info http://192.168.1.1/blocked.html denyit http_access deny denyit The purpose is to block everything and redirect to http://192.168.1.1/blocked.html It works fine with http (non-secure) CONNECT request ... > curl -ix 1

Re: [squid-users] acl "clientside_mark" problem

2018-10-16 Thread Antony Stone
On Tuesday 16 October 2018 at 11:38:53, morteza omidian wrote: > Hi > why doesn't anybody answer me? Maybe we don't have experience with precisely what you're trying to do. Maybe we're busy with our day jobs. Maybe we're confused by the multiple messages you send about approximately the same top

[squid-users] acl "clientside_mark" problem

2018-10-16 Thread morteza omidian
Hi why doesn't anybody answer me? Please help! I compiled Squid 4.3 with these options on a Linux server: ./configure --enable-linux-netfilter --enable-zph-qos When I change my squid configuration file and add this line "acl MY_CLIENTs clientside_mark 0x1" I got error messages

Re: [squid-users] squid clientside_mark problem

2018-10-16 Thread morteza omidian
Hi Which options do I have to compile with to enable "clientside_mark"?? Thanks On Sunday, October 14, 2018, 6:48:00 PM GMT+3:30, morteza omidian wrote: Hi I installed squid4.3 in my linux OS, when I configure squid with clientside_mark I get an error that tells me this is not possible!! I