Thanks for all the pointers :) I figured it out. Seamless.com's PTR lookups are
slow and end up in SERVFAIL.
And that was causing the delay here. I purged that ACL and it's all good.
-Original Message-
From: Amos Jeffries
Sent: Friday, February 15, 2019 9:24 AM
To: Ahmad
Regards,
Ahmad
-Original Message-
From: squid-users On Behalf Of Amos
Jeffries
Sent: Saturday, February 9, 2019 10:20 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] High response times with Squid
On 8/02/19 7:30 pm, Ahmad, Sarfaraz wrote:
> Hi,
>
Did you add them to the "safe_ports" acl? (assuming you have one)
Look here for some more inputs,
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-conf-blocking-live-video-stream-td4680866.html
From: squid-users On Behalf Of
? ??
Sent: Wednesday, February 13, 2019
Hi,
I am using Squid 4.5 with WCCP. Intercepting SSL by peeking at step1 and then
deciding to either splice or bump upon the SNI.
I am noticing a weird behavior for some of my TCP connections. Squid is taking
over 20s to decide what to do with the ClientHello sent by the browser. It is only
after
I think almost every time Squid opens a TCP connection, it also tries to open a
raw socket of type AF_NETLINK. Syscall pasted below.
All I can make of this is that Squid is trying to engage with the
iptables subsystem somehow?
I have SELinux enforcing and would like to know what Squid is
Tested with Squid-4.2 and ended up with the same results.
How do we proceed here?
-Original Message-
From: Alex Rousskov
Sent: Tuesday, September 4, 2018 9:14 PM
To: Ahmad, Sarfaraz ;
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid fails to bump where there are too many
Forgot to mention, this is with Squid-4.0.24.
-Original Message-
From: Ahmad, Sarfaraz
Sent: Tuesday, September 4, 2018 1:04 PM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Cc: 'rouss...@measurement-factory.com'
Subject: RE: [squid-users] Squid fails to
/03/2018 01:34 AM, Ahmad, Sarfaraz wrote:
>
>> interception/MITM appears to fail where remote certificates from
>> origin servers have way too many dnsnames in the SAN field.
>>
>> I have noticed this behavior with at least these 2 websites. In both
>> the cases, my s
Hi,
I am using Squid in an interception role with WCCP.
I am peeking at Step1 to read the SNI and determining whether to splice or bump.
That interception/MITM appears to fail where remote certificates from origin
servers have way too many dnsnames in the SAN field.
I have noticed this behavior
gone far enough
>> into the processing of that message to identify that detail.
What would usually be the next step here? Could DNS be involved ?
-Original Message-
From: Amos Jeffries
Sent: Tuesday, August 7, 2018 11:14 PM
To: Ahmad, Sarfaraz ;
squid-users@lists.squid-cache.org
Su
az
-Original Message-
From: Amos Jeffries
Sent: Tuesday, August 7, 2018 9:04 PM
To: Ahmad, Sarfaraz ;
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response
time but the internet access itself looks okay
On 08/08/18 02:14, Ahmad, Sa
4 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response
time but the internet access itself looks okay
On 07/08/18 21:55, Ahmad, Sarfaraz wrote:
> Hi,
>
> I am using WCCPv2 for redirecting traffic to Squid.
>
Squid
Hi,
I am using WCCPv2 for redirecting traffic to Squid.
Intermittently I see these messages in access.log and the internet for clients
goes away.
1533612202.312 79102 NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 -
HIER_NONE/- -
1533612202.312 82632 NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 -
using SMP workers.
Regards,
Sarfaraz
-Original Message-
From: squid-users On Behalf Of Amos
Jeffries
Sent: Wednesday, July 18, 2018 9:23 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Cache ran out of descriptors due to ICAP service/TCP
SYNs ?
On 18/07/18 18:30, A
nal Message-
From: squid-users On Behalf Of Amos
Jeffries
Sent: Tuesday, July 17, 2018 6:22 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Cache ran out of descriptors due to ICAP service/TCP
SYNs ?
On 17/07/18 19:17, Ahmad, Sarfaraz wrote:
> Can somebody please ex
Can somebody please explain what could have happened here?
First Squid (4.0.25) encountered a URL > 8K bytes. I think this caused it to
crash.
Jul 13 11:04:13 squid[9102]: parse URL too large (9697 bytes)
Jul 13 11:04:13 squid[29254]: Squid Parent: squid-1 process 9102
exited due to signal 11
Hi,
I have disabled weak ciphers through tls_outgoing_options. Is there a way to
allow weak ciphers for selected websites, say, using an ACL and without
splicing the connections?
Regards,
Sarfaraz
___
squid-users mailing list
squid-users@lists.squid
s work without splicing TLS connections
On 04/07/18 00:19, Ahmad, Sarfaraz wrote:
> Guys,
>
> Can you think of a way to make websockets work without splicing TLS
> connections ?
>
Squid does not understand WebSocket protocol (yet). So splicing is the only
option
Guys,
Can you think of a way to make websockets work without splicing TLS
connections?
I don't think on_unsupported_protocol would work here. Also, would
on_unsupported_protocol work where the remote server abuses 443 for something
other than TLS?
Regards,
Sarfaraz
I need to provide access to my clients to a service on the internet that is
using a private CA.
I do not want to trust that CA outside the scope of that destination domain.
(The thought is to not just blindly trust a random CA, rather if we have to, we
limit it to the particular domain.)
Can so
I realize that unlike other proprietary MITM appliances, Squid doesn't fiddle
with the original client hello.
I think this magnifies into the fact that we cannot look at the SubjectCN/SAN
in the remote server certificate and then decide whether we want to splice or
bump. (peeking at step 2 reall
I was wrong. There is no way to read the remote certificate and then decide
whether to bump/splice the connection.
-Original Message-
From: Ahmad, Sarfaraz
Sent: Wednesday, June 20, 2018 7:35 PM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Subject: RE: [squid-use
error and splice by ssl::server_name at
the same time
On 21/06/18 00:25, Ahmad, Sarfaraz wrote:
> I found the answer to my problem. The SNI and Subject CN were
> different in my case and I was not peeking at step2 (meaning not
> looking at the server certificate) that is why my
I found the answer to my problem. The SNI and Subject CN were different in my
case and I was not peeking at step2 (meaning not looking at the server
certificate) that is why my ACLs were ineffective.
Regards,
Sarfaraz
From: Ahmad, Sarfaraz
Sent: Wednesday, June 20, 2018 3:25 PM
To: '
Forgot to add. Remote IP addresses are not expected to remain constant. So I
cannot build ACLs that way. So ssl::server_name is the only other hope.
From: Ahmad, Sarfaraz
Sent: Wednesday, June 20, 2018 2:34 PM
To: 'squid-users@lists.squid-cache.org'
Subject: Ignore SSL error and spl
Hi,
I need to provide access to an API service exposed on the internet to my
clients. That API uses a certificate signed by a private CA.
I don't want to trust that private CA in my proxies (lest it gets abused and I
end up trusting certificates in the proxy that I shouldn't be. My clients
woul
Hi,
Can I leverage other information available in a server certificate's SAN field
to build my ACLs?
Here's a sample from the SAN field,
DNS Name=abc.example.com
IP Address=10.0.97.72
I haven't tried it, but would using ssl::server_name_regex work to match
IP=10.0.97.*?
Also I couldn't f
Unavailable
Post splicing the webpage opens just fine. That website (www.pcmag.com) has
over 750 DNS names added to SAN field. The RFC does not set an upper bound on
the number of DNS names you can have in there.
Regards,
Sarfaraz
-Original Message-
From: Ahmad, Sarfaraz
Sent: Thursday, May
Hi,
I am using Squid as an explicit proxy (configured in the browsers) and have
configured it to authenticate all users with Kerberos.
Here are the relevant bits from squid.conf
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s
HTTP/proxytest1.mydomain@mydomain.com
Hi,
I have set up Squid as an SSL MITM proxy.
I am also using the cert download feature with these configurations in my
squid.conf
acl cert_fetch transaction_initiator certificate-fetching
http_access allow cert_fetch
Websites where certificates just share AIA information using CA-issuer method,
Guys,
Any thoughts?
Regards,
Sarfaraz
-Original Message-
From: Ahmad, Sarfaraz
Sent: Wednesday, May 16, 2018 10:36 AM
To: 'Marcus Kool' ;
squid-users@lists.squid-cache.org
Subject: RE: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com
I see a message similar
I see a message similar to Marcus' in cache.log.
2018/05/16 00:20:10 kid1| ERROR: negotiating TLS on FD 77: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
And I am running squid-4.0.24.
Sarfaraz
-Original Message-
From: squid-users On Behalf
Hi Folks,
I am using Squid as an HTTPS interception proxy. When I try to access
https://www.pcmag.com (which is supposed to be bumped in my environment), I
get
"unable to forward request at this time" even though the website is perfectly
accessible outside of the proxy.
A packet capture sugg
Thanks Amos.
Turns out it had nothing to do with the proxy but different MTU on the
networks. I now have a little better understanding of this amazing piece of
software.
Sarfaraz
Hi Folks,
I am using WCCP and redirecting traffic to Squid for both HTTP/HTTPS
interception.
In this setup, I have spliced most of the Windows updates' services using SNI
in Squid's ACLs. Yet even with the TCP tunnel, I am getting failures with these
messages in the access.log.
Why could that respo