Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-12 Thread Eliezer Croitoru
Can you share this solution of yours? These days it’s good to know about any piece of IPv4 vs/with IPv6 stack solutions. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon From: squid-

Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-12 Thread Walter H.
Hello, I did something different, that prevents using the IPv6 of the tunnel device as source address; (a general solution not just squid) Walter On 11.01.2021 21:29, Eliezer Croitoru wrote: The detection of an IPV6 available DST can be determined by DNS and external ACL helper. It will

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Alex Rousskov
On 1/12/21 10:46 AM, Eliezer Croitoru wrote: > I am using the next stare rule: > acl tls_s1_connect at_step SslBump1 > acl tls_s2_client_hello at_step SslBump2 > acl tls_s3_server_hello at_step SslBump3 > ssl_bump stare tls_s2_client_hello I do not know what you are trying to achieve, but if the

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Eliezer Croitoru
Alex, I am using the next stare rule: acl tls_s1_connect at_step SslBump1 acl tls_s2_client_hello at_step SslBump2 acl tls_s3_server_hello at_step SslBump3 ssl_bump stare tls_s2_client_hello Which I am not sure about. For now this issue seems to be gone. I don't know why or how but it seems that

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Alex Rousskov
On 1/12/21 3:33 AM, Eliezer Croitoru wrote: > The Windows 10 MS Store tries to connect the domains: > storeedgefd.dsx.mp.microsoft.com > which is bypassed from SSL BUMP with a regex and server-name. > * Squid 5.0.4 on Fedora 33. It sounds like you have tried to configure Squid to splice traff

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Alex Rousskov
On 1/12/21 7:42 AM, Amos Jeffries wrote: > IIRC latest Squid force the client to TLS/1.2 when > preparing to bump, but may not for splice and stare. So YMMV. FTR: Bugs notwithstanding, modern Squid changes nothing on TLS level when peeking, splicing, and/or terminating. Squid changes TLS bytes when

Re: [squid-users] How do I rotate access.log?

2021-01-12 Thread Matus UHLAR - fantomas
On 12.01.21 15:09, roee klinger wrote: Thanks, everyone for making it clear, I will investigate how to do it using logrotated. do you have squid installed from raspbian? squid 4.6 is in debian 10 thus should be in raspbian too. it comes with /etc/logrotate.d/squid and if you have logrotate pac

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Eliezer Croitoru
-Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Tuesday, January 12, 2021 2:42 PM To: Squid Users Subject: Re: [squid-users] Microsoft store issues with ssl-bump On 12/01/21 11:32 pm, NgTech LTD wrote: > I'm saying that my config might be wrong and I will send you a

Re: [squid-users] How do I rotate access.log?

2021-01-12 Thread roee klinger
Thanks, everyone for making it clear, I will investigate how to do it using logrotated. Roee. On Tue, Jan 12, 2021 at 3:26 AM Amos Jeffries wrote: > On 11/01/21 8:53 am, Matus UHLAR - fantomas wrote: > > On 10.01.21 17:24, roee klinger wrote: > >> I just wanted to give an update in case anyone

Re: [squid-users] cache_peer selection based on username

2021-01-12 Thread roee klinger
Hey Amos, Thanks, I fixed the keys with the proper "_" character. Seems like I was in a hurry and did some config mistakes, "proxy0.2" and "proxy0.3" are supposed to be "proxy1" and "proxy2". Regarding the helper, I also forgot to mention, I am using 2 helpers, one for IP whitelisting and one for u

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Lorenzo Marcantonio
On Tue, Jan 12, 2021 at 10:33:00AM +0200, Eliezer Croitoru wrote: > > Any hints might help to find and resolve this issue From my experience MS Update and probably the store too use custom root certificates; check if that's the case. It's also possible that that connection is so hardwired that it

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Amos Jeffries
On 12/01/21 11:32 pm, NgTech LTD wrote: I'm saying that my config might be wrong and I will send you a full config save which can show you the whole setup like most vendors have. I have upgraded squid in production. Let me verify first before shouting "bug". Eliezer Okay. I see a few things t

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread NgTech LTD
I'm saying that my config might be wrong and I will send you a full config save which can show you the whole setup like most vendors have. I have upgraded squid in production. Let me verify first before shouting "bug". Eliezer On Tue, Jan 12, 2021, 12:15 Amos Jeffries wrote: > On 12/01/21 10:15

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Amos Jeffries
On 12/01/21 10:15 pm, Eliezer Croitoru wrote: This works in another proxy which looks at the SNI only without any bump involved. So you are saying you find a bug with Squid? or .. ?? Amos

Re: [squid-users] cache_peer selection based on username

2021-01-12 Thread Amos Jeffries
On 12/01/21 9:17 pm, Eliezer Croitoru wrote: Hey Amos, One thing that the auth helper cannot do with this note is the ttl. The auth ttl is different than the request IP binding/routing. That can be added in via the key_extras detail. Though I am still worried that the OP *only* asked abou

Re: [squid-users] ERROR connecting to squid proxy server

2021-01-12 Thread Amos Jeffries
On 12/01/21 6:30 pm, Reshma V Kumar wrote: Hi ! This is the error from cache.log file 2021/01/11 23:21:07 kid1| idnsSendQuery FD -1: sendto: (0) No error. "-1" is a closed socket. It looks like there is no UDP port open for sending traffic to your DNS server(s). You are starting Squid with

Re: [squid-users] Change cipher suite ordering

2021-01-12 Thread Amos Jeffries
On 12/01/21 5:44 pm, vinod mg wrote: Hello Team, I need some help in configuring cipher suite ordering. I am using squid with SSL configs and trying to configure the cipher order but not able to do so, I am using below sites to check my cipher ordering and it's showing different ordering than

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Eliezer Croitoru
This works in another proxy which looks at the SNI only without any bump involved. Remember that Squid should splice the connection based on regex and server-name dst. On the other proxy this is what I have: Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64632 - 104.79.

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Eliezer Croitoru
Even with splice??? This is a weird way of MS Store of handling things I was sure that when I am using SPLICE it is expected to work. Maybe there is a way to handle these IP addresses before even peeking, which should work. I think that there is some level of a BUMP happening when it shouldn't. I

[squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread Eliezer Croitoru
I am trying to implement a full SSL-BUMP and I am having trouble with MS Store. The Windows 10 MS Store tries to connect the domains: storeedgefd.dsx.mp.microsoft.com which is bypassed from SSL BUMP with a regex and server-name. For some reason the store claims that there is an issue with th

Re: [squid-users] cache_peer selection based on username

2021-01-12 Thread Eliezer Croitoru
Hey Amos, One thing that the auth helper cannot do with this note is the ttl. The auth ttl is different than the request IP binding/routing. With separated auth and external_acl helper you can change/apply a note/rule/acl in a lower ttl ie 3 seconds which can be critical to some applications. If