Re: [squid-users] Error during build of version 7.1 from sources

Good afternoon! Installed version 1.1.1w on OpenSSL and the compiler successfully assembled the problem package. Thank you! пн, 15 сент. 2025 г. в 17:44, Alex Rousskov : > > On 2025-09-15 09:47, alex ' wrote: > > error: invalid conversion from 'const ASN1_STRING*

Re: [squid-users] Which versions of squid Support ident ?

On 2025-09-15 10:09, Ohms, Jannis wrote: Ist the ident protocoll still supported by squid? YMMV, but Squid have not supported Ident properly for many years (if ever). Buggy Ident code was removed in Squid v7. I have quoted a variation of the corresponding release note below. HTH, Alex

Re: [squid-users] Error during build of version 7.1 from sources

On 2025-09-15 09:47, alex ' wrote: error: invalid conversion from 'const ASN1_STRING*' [-fpermissive] error: invalid conversion from 'const char*' to 'char*' [-fpermissive] These errors are caused by an outdated OpenSSL declaration of ASN1_STRING_to_UTF8()

Re: [squid-users] Error during build of version 7.1 from sources

nter to another place, or how to declare the type of the variable? сб, 13 сент. 2025 г. в 14:41, Francesco Chemolli : > > Do you need snmp? If you don't, maybe it's enough to disable that > functionality by replacing --enable-snmp with --disable-snmp. > > > > On Fri,

Re: [squid-users] Forward Squid work with AWS ALB

em as well. You should also plan to upgrade: Squid v3 is very buggy and unsupported by Squid Project. However, the basics described about apply to any Squid version. HTH, Alex. My questions are: 1. Is there any Squid configuration that can make it compatible with AWS ALB (which handles

Re: [squid-users] Error during build of version 7.1 from sources

On Thu, Sep 11, 2025 at 10:07 AM alex ' wrote: > > > > Good afternoon! To build version 7.1, the gcc compiler version 9.1.1 > > is used. The compiler returned an error during the build process: > > > > gadgets.cc: In function 'std::optional ParseAsUtf8(con

[squid-users] Error during build of version 7.1 from sources

Good afternoon! To build version 7.1, the gcc compiler version 9.1.1 is used. The compiler returned an error during the build process: gadgets.cc: In function 'std::optional ParseAsUtf8(const ASN1_STRING&)': gadgets.cc:483:67: error: invalid conversion from 'const ASN1_STRING*' {aka 'const asn1_st

Re: [squid-users] Old style - detailed Release notes

found in the source code repository. That should change when we switch from SGML to Markdown (and require some automated post-processing/indexing at commit time). When that happens, we could easily add the corresponding link to our release descriptions at [1] AFAICT. HTH, Alex. [1] https

Re: [squid-users] Squid 7.1 workers options without kernel SO_REUSEPORT param

t clear (to me) what prevents you from upgrading Squid while keeping your squid.conf the same. Thank you, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] is tls_outgoing_options cipher ignored in squid 7.1?

that feature for the affected connections). Cheers, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] server-side FTP support

anges (e.g., net.ipv4.ip_local_port_range and friends on Linux). HTH, Alex. Native FTP commands accepted at ftp_port are internally converted or wrapped into HTTP-like messages. The same happens to Native FTP responses received from FTP origin servers. Those HTTP-like

Re: [squid-users] DNS round-robin behaviour

ng. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] WCCP: duplicate security definition

WCCP code has many problems. AFAICT, no Squid developer is currently focusing on addressing them. HTH, Alex. - ASA logs show that Squid is visible but marked as “NOT Usable” and gets 0% hash allocation. - I’m running Squid version 5.9 on Linux Ubuntu. Questions: 1. Is there a known issue when

Re: [squid-users] HTTP support

On 2025-06-26 20:10, Angela Yu wrote: I was wondering if Squid support or intend to support HTTP3? Squid does not support HTTP/3 today. We are working on adding HTTP/2 support and intend to support HTTP/3 after that work is completed. Cheers, Alex

Re: [squid-users] How to do transparent rewrite with https requests?

from the subsequent GET request (if any). However, the primary error generation activity happens at error discovery time, before that GET. In a sense, Squid has a response before it has a request, which creates various problems/complications!.. HTH, Alex. 2025/05/28 1:19、Alex Rouss

Re: [squid-users] How to do transparent rewrite with https requests?

ecked, but speculate that rewriting request target does not trigger opening a new Squid-to-server TLS connection and re-pinning. IIRC, a Squid that is configured to bump during SslBump step1 does not pin. Such a configuration is rarely usable on a modern internet, but YMMV.

Re: [squid-users] SSL_Bump: Unexpected decryption of non-whitelisted domains

error to the client. This behavior was implemented because most browsers refuse to show CONNECT errors to users; they only show GET errors. If you do not like this behavior, you may, for example, configure your Squid to allow CONNECTs to servers that should be spliced. HTH, Alex. Squid first re

Re: [squid-users] connect with http and https protocols

at tunnel starts with a TLS handshake, then you may be able to recover the underlying protocol from ALPN extension in %>handshake. See logformat directive for the above %code documentation: https://www.squid-cache.org/Doc/config/logformat/ HTH, Alex. _

Re: [squid-users] ACL with the same name

are ORed. For more information, see the following wiki page, especially its Notes section: https://wiki.squid-cache.org/SquidFaq/SquidAcl HTH, Alex. On Wed, Apr 16, 2025 at 5:48 PM Renzo Marengo wrote: I don't understand what happens if I have multiple acl with same name, e.g.

Re: [squid-users] Status page error

proxy listening port is configured with the https_port directive. ... and as long as you are not using SMP Squid: SMP Squids do not yet support responding to certain(*) cache manager requests received on TLS connections. Alex. (*) Affected (i.e. TLS-incompatible) cache manager reports are t

Re: [squid-users] Fwd: Issue with proxy-protocol in http_port on Squid 6.13 via Docker

rt is not "proxy-protocol" but "require-proxy-header". See http_port directive description in your generated squid.conf.documented or at https://www.squid-cache.org/Doc/config/http_port/ HTH, Alex. However, on startup I consistently get this error: |2025/04/08 13:14:44|

Re: [squid-users] cacheNumbObject unreasonably small with rock cache

On 2025-04-02 13:05, Dave Dykstra wrote: Yes that helps a lot, Alex. I do see at the end of mgr:info: Internal Data Structures: 576 StoreEntries 576 StoreEntries with MemObjects 557676 Hot Object Cache Items 584657 on-disk objects We'll work on a

Re: [squid-users] cacheNumbObject unreasonably small with rock cache

on-disk objects" line in "Internal Data Structures" section of mgr:info cache manager report. I hope that mgr:storedir statistics that you have mentioned also reflects the actual disk cache usage, at least for rock caches. HTH, Alex. ___

Re: [squid-users] squid 6.3: client internal ip address PTR DNS query

wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction If you would like to proceed with the above analysis, please email me a link to the corresponding compressed cache.log. HTH, Alex. ___ squid-users mailing list squid-users@l

Re: [squid-users] assertion failed: Queue.cc:388: "EX"

On 2025-03-13 07:49, Andrey K wrote: I implemented the A-example functionality and made PR: https://github.com/squid-cache/squid/pull/2023 Thank you. ButthemodifiedSquid projectis notbeingbuilt ongithub,althoughthere are noproblemsduringthe localbuilds. Alex, Amos and Francesco, could

Re: [squid-users] assertion failed: Queue.cc:388: "EX"

On 2025-03-10 23:56, Andrey K wrote: > Alex: FWIW, related future Squid improvements may include: >  * Detecting such shared memory segments clashes; refusing to start. >  * Disabling shared memory use when caching is completely disabled. But ... segments may remain from the

Re: [squid-users] assertion failed: Queue.cc:388: "EX"

ments may include: * Detecting such shared memory segments clashes; refusing to start. * Disabling shared memory use when caching is completely disabled. Quality pull requests welcome. Cheers, Alex. чт, 6 мар. 2025 г. в 17:11, Alex Rousskov: On 2025-03-06 08:59, Amos Jeffries wrote:

Re: [squid-users] assertion failed: Queue.cc:388: "EX"

r Squids name their shared memory segment "files"? For example, on some Linux OSes, those segments could be in /var/run/shm/ with names like squid-tr_map_anchors.shm and squid-tr_spaces.shm. Thank you, Alex. ___ squid-users mailing list

Re: [squid-users] assertion failed: Queue.cc:388: "EX"

supported version, I would start by turning on shared_memory_locking in hope that the problem lies in a problematic OS configuration. BTW, that bogus exception text "EX" is a bug. It was fixed in Squid v6. Squid v5.10 has a backport of that fix (commit 31f20fda). Alex. We have recent

Re: [squid-users] Need clarifications on custom log timestamps

_exclude_) and * excludes the time spent waiting for client I/O (which Benjamin may want to _include_). Alex. However, the calculations for that are still apparently inaccurate. So you would be best also logging these for comparison measures:  %dt = DNS latency  %     .. also excluding

Re: [squid-users] Need clarifications on custom log timestamps

feature-enhance-of-fix-something HTH, Alex. On Wed, Feb 19, 2025 at 5:39 PM Alex Rousskov wrote: On 2025-02-19 06:26, BENJAMIN DELANNOY wrote: > For % next hop and stops when the last response byte is received."  Are we > talking of last request / last response of a

Re: [squid-users] disable/block ipv6 requests

info*&, int) Your old Squid is suffering from Bug 5154 (at least): https://bugs.squid-cache.org/show_bug.cgi?id=5154 I have squid 5.7 on Debian 12 Consider upgrading to a modern Squid[1]. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 6 with ssl-bump doesn't cache binary content over 100 kb

On 2025-02-25 09:56, Alex Rousskov wrote: On 2025-02-25 09:47, Thomas PALFRAY wrote: we tried version 6.13 as recommended, but the behavior is the same. Thank you for testing v6.13. That test eliminates many suspects. What additional information would you need to understand the the problem

Re: [squid-users] Squid 6 with ssl-bump doesn't cache binary content over 100 kb

-transaction If you would like to proceed with the above analysis, please email me a link to the corresponding compressed cache.log. Thank you, Alex. *De :*squid-users *De la part de* Thomas PALFRAY *Envoyé :* lundi 3 février 2025 17:08 *À :* squid-users@lists.squid-cache.org *Objet :* [squid

Re: [squid-users] Need clarifications on custom log timestamps

traffic with SSL Bump) Based on this, I would be able to check if a squid server is taking too much time making a decision. Is this something feasible? Please detail what you mean by "choice" or "decision". For example, do you want to stop the timer when Squid makes its fin

Re: [squid-users] Need clarifications on custom log timestamps

e server side (e.g., awaiting the next response body byte), complicating things. If existing %codes are not enough, please detail your needs in terms of events that Squid can recognize (e.g., receiving the first response header byte or sending the last request body byte). HTH, Alex. We

Re: [squid-users] To Do List (smart pointer examples)

recommendation alone is probably enough to avoid the pitfalls often present in such conversions! HTH, Alex. On Squid's easy to do list it states... 1. update a /HttpRequest/ raw pointer to a |HttpRequest::Pointer|. Including all code performing locking on it 2. update a |HttpReply

Re: [squid-users] test ICAP server

s://c-icap.sourceforge.net/ HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] bypassing the domains

. HTH, Alex. http_port 3128 http_port 3129 tproxy https_port 3127 tproxy ssl-bump cert=/etc/squid_av/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRS

Re: [squid-users] Squid 6 with ssl-bump doesn't cache binary content over 100 kb

inspection that your Squid does not use. If you have not tested v6.13, please do. HTH, Alex. When content sizes are smaller, the expected behaviour occurs and data is returned from the cache. On the client side, for content larger than 100kb : * squid 5 returns x-cache = “MISS” and x-ca

Re: [squid-users] squid_icap to icap to system_2

, and if so, how to do it. It is possible to write an ICAP proxy program that does what you want, but Squid is not such a program, and I doubt such a program exists today. HTH, Alex. Current version of squid is 6.6 P.S. It is not possible to filter icap traffic directly on the main proxy

Re: [squid-users] Squid workers on non cache dir rock system

the authors of that other software can help you enable rock cache_dir? N.B. Modern Squids do not support COSS cache_dirs. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Resource management, backend application

r scenario unless you configure it specially). HTH, Alex. But can squid handle this scenario in a way that only the site with the misbehaving application goes offline without pulling the other sites down with it? I understand that the way squid and apache works is different, but that&#x

Re: [squid-users] File descriptor usage for squid statistics

at 1 at times however it shows failed to parse headers or something also. Those events are probably unrelated, but I cannot be sure without seeing the exact failure messages. HTH, Alex. File descriptor usage for squid: Maximum number of file descriptors: 97578 La

Re: [squid-users] Optimization

ome cases, but that difference in memory consumption is unlikely to have a measurable effect on performance in most cases. HTH, Alex. acl AorBorC any-of A B C acl DE all-of D E acl AorBorCorDE any-of AorBorC DE acl FG all-of F G Parsed—— acl splice_group any-of h

Re: [squid-users] SQUID problem with unavailability of Google services

rison documented a few lines above can be used as an excuse to categorize dstdomain as a fast ACL, but "you should not rely on that behavior" advice is correct, and configurations that are not using that trick consistently/correctly (while using dstdomain with directives that do not

Re: [squid-users] Squid-internal-mgr/forward help

how-to-add-a-new-squid-feature-enhance-of-fix-something [2]: https://github.com/measurement-factory/squid/commit/ec91885e04aeab5597c8792a14854ef653cb5cbf.patch HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] SQUID problem with unavailability of Google services

2023-April/025784.html HTH, Alex. вс, 22 дек. 2024 г. в 22:47, Alex Rousskov <mailto:rouss...@measurement-factory.com>>: On 2024-12-22 08:13, A. Pechenin wrote: > The reason and solution were not simple and obvious at first glance. > I have two providers access

Re: [squid-users] SQUID problem with unavailability of Google services

ng_address check time. For a somewhat related example, look for "markSpecial" in squid.conf.documented or search this mailing list archives for annotate_transaction discussions. HTH, Alex. сб, 21 дек. 2024 г. в 20:26, A. Pechenin : This week, when connecting users through a proxy

Re: [squid-users] SQUID problem with unavailability of Google services

een client-side problems and these timeout errors in cache.log? Thank you, Alex. When clicking on the services section in the browser on the Google portal, the page does not open and then a connection error is displayed. When directly going to the calendar section, the connection also hangs

Re: [squid-users] Proxy-Protocol inside cache_peer

On 2024-12-08 09:26, David Touzeau wrote: Is there any way or development plan to include “proxy-protocol” in cache_peer? I am not aware of any specific current development plans, but there is interest in adding that feature, and I expect it to be added eventually. Alex. Squid is able to

Re: [squid-users] squid-6.10-150600.3.6.1.src.rpm and ident

he error is not related to any identd answer because there is none, it will even not be requested. Is this behavior known, any idea? Filed also a bug request, but no answer yet. Unfortunately, Squid Bugzilla notifications are unreliable. AFAIK, I have not seen your bug report[2] until now. Sorry

Re: [squid-users] memory_pools_limit question

t;use". N.B. Some Squid memory allocations do not go through memory pools. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] ACL dstdomain and use of -n

meaningful answer. If the above discussion does not let you answer this question, consider asking a more specific question: Name the directive and the ACL while describing what you are trying to optimize (i.e. defining "better"). HTH, Alex. ___

Re: [squid-users] messages when "squid -k rotate" is run

stdout. I can imply redirect the "squid -k rotate" stderr to /dev/null but I would like to avoid it when possible - if any error happens, I't like to know about that. On 21.11.24 16:16, Alex Rousskov wrote: If you are OK with not seeing these particular messages in cache.log

Re: [squid-users] Can I force certain destinations to ipv4?

t use IPv4 addresses. In other words, tcp_outgoing_address rules select an outgoing address _within_ the already determined address family. HTH, Alex. Using: == # squid --version Squid Cache: Version 6.12-VCS more precisely: squid-6.12-20241031-r

Re: [squid-users] messages when "squid -k rotate" is run

ging of all stderr messages: squid -k rotate |& \ tee squid-last-rotate.log | \ grep -E "FATAL:|ERROR:" However, the above sketches need more work/adjustments to preserve "squid -k rotate" exit status code! HTH, Alex. ___

Re: [squid-users] squid crash: ERROR: system call failure while accepting a TLS connection

limitations, you can use stdio module instead of "daemon" module. Such a workaround may have performance implications so proceed with care. HTH, Alex.    connection: conn17735104 local=[redacted]:3128 remote=[redacted]:445

Re: [squid-users] assertion failed: Controller.cc:930: "EX"

nderstand the problem? I cannot help with understanding why undefined Squid behavior in an unsupported configuration manifests itself this particular way, but I hope that switching to a supported version and configuration helps avoid this problem. Good luck, Alex. _

Re: [squid-users] [SQUID] Some Web Page never complete download

analysis. You will find some relevant hints at https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction HTH, Alex. I have downgraded till version 6.7, and it works a older version, even if the same kind of request ends by a NONE_NONE_ABORTED/000. The request does not stay

Re: [squid-users] v6.12 build error from release tarball

ents for my patch within Yocto. I am very glad to hear that you are making progress. Good luck, Alex. -----Original Message- From: Alex Rousskov Sent: Friday, November 8, 2024 5:27 To: squid-users@lists.squid-cache.org Cc: Marko, Peter (FT D EU SK BFS1) Subject: Re: [squid-users] v6.12 bu

Re: [squid-users] v6.12 build error from release tarball

ownloading _bootstrapped_ sources?! Clarifying this contradiction may help identify and address the underlying problem. Thank you, Alex. | autoreconf: configure.ac: not using Gettext | autoreconf: running: aclocal --system-acdir=WORKDIR/recipe-sysroot/usr/share/aclocal/ -I WORKDIR/squid-6.12

Re: [squid-users] Redmine Bug #14390: Squid: SECURITY ALERT: Host header forgery detected

son like a PHP issue that causes configuration issues. AFAICT, Redmine Bug #14390 is not specific to PHP clients, and there are no good configuration-only solutions for the problem that bug identifies. HTH, Alex. Bug #14390: Squid: SECURITY ALERT: Host header forgery detected - pfSens

Re: [squid-users] proxy_auth_regex

xed, you will not be able to use authentication ACLs reliably or at all, as detailed at https://lists.squid-cache.org/pipermail/squid-users/2024-October/027224.html Alex. Here's an example of one of our rules: # block certain user IDs from using proxy server acl block_user proxy_

Re: [squid-users] FW: proxy_auth_regex

desired name; }} Yes, I have already responded to email with that information. Please continue that thread: https://lists.squid-cache.org/pipermail/squid-users/2024-October/027224.html Alex. -Original Message- From: Alex Rousskov Sent: Thursday, October 24, 2024 4:46 PM To: Piana

Re: [squid-users] Help regarding access controls for TLS connections

t does not make prohibited DNS queries. And whenever that resolver receives a prohibited DNS query, investigate what triggered it -- there may be more bugs in Squid that result in unwanted DNS queries. Belt and suspenders... HTH, Alex. # deny if not authenticated auth_para

Re: [squid-users] Help regarding access controls for TLS connections

s probably missing an "dst_is_ip" or similar ACL(s) to make such checks reliable. And, only perform validation against the CONNECT request URI. See above regarding using "dstdomain -n" for this. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Square Bracket in LogFormat

acter specifies a particular encoding algorithm for that %code values. To find documentation for that encoding, search for the words "Custom Squid encoding where percent" in recent squid.conf.documented or at http://www.squid-cache.org/Doc/config/logformat HTH, Alex. For example:

Re: [squid-users] proxy_auth_regex

not be specific to any HTTP(S) transaction that Squid is handling. If you can test your authentication helper in isolation by starting it from the command line and feeding it helper commands, do that. Alex. -Original Message- From: Alex Rousskov Sent: Thursday, October 24, 2024 4:46

Re: [squid-users] proxy_auth_regex

ain things. > How would you recommend I test plain http traffic? I would start with curl --verbose ... http://example.com/ or a similar request (add proxy/other options instead of "..." as needed). Alex. However, I think some of my log information may be missing. I believe

Re: [squid-users] proxy_auth_regex

uses to authenticate its requests because Squid intercepts TLS client connections rather than receiving HTTP CONNECT requests from the client? Have you tested this with plain text traffic? Alex. we would like to use these ACL’s but for right now I have these rules commented out. Here&#x

Re: [squid-users] Squid 6.10 SSL-Bump Woes

On 2024-10-10 20:48, Jonathan Lee wrote: miss means it stored items Just to correct a misunderstanding: A cache miss does _not_ imply that Squid stored the response. Alex. On Oct 10, 2024, at 15:27, Bryan Seitz wrote:  I removed the header mods and changed the refresh pattern to

Re: [squid-users] Squid 6.10 SSL-Bump Woes

terminology is post-cache RESPMOD. To allow Squid to violate HTTP caching rules when deciding whether to a cache a response, see refresh_pattern options (e.g., "ignore-private"). http://www.squid-cache.org/Doc/config/refresh_pattern/ HTH, Alex. I have the following configurat

Re: [squid-users] Questions about Squid configuration

S connections. Thus, TLS clients will be able to request/do anything (if their intercepted TCP connections are allowed using TCP-level information). Whether that effect is a "disadvantage" is your call. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid + c-icap + SquidClamav + ClamAV

two problematic cases. Please make sure to patch your Squid with 6567eac.patch you reference below before collecting those logs -- we do not want to analyze a known/fixed bug. HTH, Alex. [1]: You can share that sample with me or anybody you trust (who can analyze Squid debugging logs and i

Re: [squid-users] Squid + ecap + clamav

On 2024-10-03 10:12, Andrea Venturoli wrote: On 10/2/24 23:30, Alex Rousskov wrote: Disadvantages of using eCAP+ClamAV adapter include being dependent on a relatively old libecap and ClamAV eCAP adapter implementation. I got it all wrong then... I thought ICAP was older and eCAP was meant to

Re: [squid-users] Squid + ecap + clamav

. Nothing more, nothing less. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Could we have variables in squid conf file ?

value like string , number and call it in another place in squid.conf file ? No, squid.conf does not support such variables (yet?). Needless to say, you can emulate that functionality using a custom preprocessor. HTH, Alex. ___ squid-users mailing

Re: [squid-users] Issues with Squid Listening on 254 IP Addresses

./configure failure was missed in your build sequence? Or perhaps you are building one Squid binary but testing another? HTH, Alex. I’ve tested with various versions of Squid, ranging from 4.8 to 5.9, but none of them seem to apply the custom flag for increasing the number of listening

Re: [squid-users] Squid appears to be ignoring url_rewrite_program

On 2024-09-17 10:43, Martin A. Brooks wrote: On 2024-09-17 15:13, Alex Rousskov wrote: What makes you think that CONNECT requests are not sent to the rewriter? In my quick-and-dirty tests, Squid does send CONNECT request targets to the URL rewriter program and honors rewriter's rewrit

Re: [squid-users] Squid appears to be ignoring url_rewrite_program

it; if you cannot bump in your environment, then you cannot redirect https using an HTTP proxy. (*) See ssl_bump directive and the following URL, but keep in mind that bumping is naturally full of bad side effects and corner cases: https://wiki.squid-cache.org/Features/SslPeekAndSplice

Re: [squid-users] Looking for a solution to identify "unauthenticated" squid proxy users.

On 2024-09-17 08:07, Xavier Lecluse wrote: Hello, with the advice from Alex, we managed to add a custom field to the access.log, using an always matching "annotate_transaction" ACL. We had to add the ACL on each line of our rulesets and the value inserted was the rule_name. Then,

Re: [squid-users] Unable to access internal resources via hostname

he explicit rules matched. That implicit default is "ever-changing" because it depends on the last explicit http_access rule action (which, naturally, may change as folks update their rules). FWIW, the following FAQ entry covers the same concepts: https://wiki.squid-cache.org/SquidFaq/Sq

Re: [squid-users] Unable to access internal resources via hostname

" means in terms of the test transaction outcome) and share debugging log of that test transaction again. HTH, Alex. So there's something wrong with either the order of the squid.conf or I'm missing some "allow" vari

Re: [squid-users] Problem with 'delay_access' using acl external

refully, but this could be a bug fixed in v6. The corresponding commit says "delay_pool_access lacked ... details beyond src/dst addresses". Upgrade to v6+. If you are still getting a similar runtime WARNING, then there is another Squid bug that needs to be fixed. HTH, Alex.

Re: [squid-users] Questions about Squid configuration

o broad and is seemingly unnecessary. I also recommend deleting a similar rule that allows all port-80 requests, for similar reasons: acl http_port port 80 http_access allow http_port If you think you do need those two broad rules, please clarify what you think you need them for.

Re: [squid-users] squid5.5 restart failure due to domain list duplication

ng such cases during reconfiguration; if our changes are officially accepted, Squid v7 should be significantly better in this regard. Please see Matus's earlier response on this thread for ways to avoid such deaths. HTH, Alex. ___ squid-users

Re: [squid-users] Unable to access internal resources via hostname

the user has not authenticated itself -- Squid sends HTTP 407 response to request authentication. If you are still having problems after changing the test proxy and its configuration (as you discussed in your recent posts), please restate the primary problem and share debugging log of a test transac

Re: [squid-users] Unable to access internal resources via hostname

e" name to an unknown to me set of names inside "etc/squid/local_dst_dom" file. I wonder whether that file path is correct: Did you mean that path to be relative (i.e. "etc...") rather than absolute (i.e. "/etc...")? Try using an absolute path and double c

Re: [squid-users] negotiate_kerberos_auth not working anymore

at the actual spelling is "auth_param". Disclaimer: I do not know much about kerberos and negotiate_kerberos_auth. HTH, Alex. I can call a kerberos ticket when using kinit root@sv-asa-proxy:/var/log/squid# kinit -kt /etc/squid/sv-asa-proxy.keytab HTTP/sv-asa-proxy@ASA.LOCAL r

Re: [squid-users] Squid traffic paths

ant to force traffic other than HTTP and FTP through Squid. In other words, Squid is not a "universal" proxy that can proxy everything. HTH, Alex. On 2024-08-28 09:14, Alex Rousskov wrote: On 2024-08-28 08:52, Scott Bates wrote: Alex: What protocol do those external services use in

Re: [squid-users] Looking for a solution to identify "unauthenticated" squid proxy users.

%note logformat code is documented at http://www.squid-cache.org/Doc/config/logformat/ HTH, Alex. Actually, this is the log from an authenticated user : Sep 2 17:08:32 FPVPXI2 squid[312387]: 02/Sep/2024:17:08:32 +0200 test TCP_TUNNEL 200 10.x.x.250:51994 6765 CONNECT www.google.com:443 -

Re: [squid-users] Unable to access internal resources via hostname

directory. 3. Start Squid. If the problem persists, share the command you use to start Squid and any console output you get from that command. In general, avoid using "squid -k reconfigure" when possible, especially when using Squid v5 and earlier. HTH, Alex. -Original Message

Re: [squid-users] Questions about Squid configuration

requests are allowed, and all invalid requests are rejected. If necessary, ask questions, file bug reports, patch Squid, and/or adjust your configuration to pass this test. HTH, Alex. 2024年8月8日(木) 21:33 Alex Rousskov : On 2024-08-06 20:59, にば wrote: When using Squid transparently, is it po

Re: [squid-users] Unable to access internal resources via hostname

Squid before. And you will learn a few new tricks... I'll update those logs and wait for your response to this before sending them or sending you a personal drop link. A link usually works best. Thank you, Alex. -Original Message- From: squid-users On Behalf Of Alex Rousskov S

Re: [squid-users] Unable to access internal resources via hostname

g noise can be challenging! ALL,9 debugging is for Squid developers to study. My recommendation for the next step remains the same. Look for "The best option" in my previous response. HTH, Alex. I've also cleaned up our ACL's to better reflect what is going on: #

Re: [squid-users] Unable to access internal resources via hostname

expected authentication" mystery may not be directly related to the "HTTP 500 error responses" mystery we discussed earlier, but it may help to fix authentication first. HTH,

Re: [squid-users] Unable to access internal resources via hostname

On 2024-08-28 14:18, Alex Rousskov wrote: On 2024-08-28 11:24, Piana, Josh wrote: Here's the log and (I think) relevant ACL's? According to your access.log, Squid denies problematic CONNECT requests with HTTP 407 errors responses. Usually, that means those requests match an &q

Re: [squid-users] Unable to access internal resources via hostname

so, does mgr:ipcache cache manager query confirm that Squid has read your /etc/hosts file and cached the record you expect it to use? Alex. --- # /var/log/squid/access.log results for

Re: [squid-users] Squid traffic paths

On 2024-08-28 08:52, Scott Bates wrote: Alex: What protocol do those external services use in problematic use cases?>> Does Squid see the corresponding requests from VMs? Squid can only proxy HTTP and FTP... http and https only Does Squid log the corresponding problematic transacti

  1   2   3   4   5   6   7   8   9   10   >