Re: [squid-users] c-icap documentation getting stuck

2019-12-21 Thread Alex Crow
I don't get any errors but when I run the below I get warnings /usr/local/bin/c-icap WARNING Bad configuration keyword: enable_libarchive 0 WARNING Bad configuration keyword: banmaxsize 2M thanks, rob You should be asking these questions on whatever resources c-icap provide for that purpose

Re: [squid-users] c-icap documentation getting stuck

2019-12-21 Thread Alex Crow
robert, I'd go the ecap way if I was you - no daemons to set up, just a library. c-icap has always been an issue as distros packages have never really acknowledged it exists in terms of permissions. The ecap way avoids all of that mess entirely. http://www.e-cap.org/docs/ http://www.e-cap.o

Re: [squid-users] cant download microsoft cert file

2019-12-16 Thread Alex Crow
On 16/12/2019 09:10, robert k Wild wrote: Would this work as well refresh_pattern -i /etc/squid/wu.txt/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)  4320 80% 43200 reload-into-ims And

Re: [squid-users] cant download microsoft cert file

2019-12-16 Thread Alex Crow
On 16/12/2019 08:06, robert k Wild wrote: How can I make a pattern that matches multiple domains please Amos? > > refresh_pattern -i .microsoft.com .windows.com > .windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)

Re: [squid-users] Digicert replacing couple root CA, why it wasn't mentioned here?

2019-01-17 Thread Alex Crow
It was all over the IT news sites I read (Register, Slashdot, etc). Changed all our Thawte certs from Symantec to Digicert a few months ago. Pretty painless actually. Alex On 17/01/2019 17:03, Eliezer Croitoru wrote: I noticed that there was a change in the RootCA world: https://www.digicer

Re: [squid-users] Fwd: Encrypted browser-squid connection

2018-11-11 Thread Alex Crow
On 12/11/2018 02:45, supraja sridhar wrote: Hi, When I try out the encrypted browser-squid connection, no URL loads. I get the following error message in the squid access log. 1541989360.999     0 XXX.XX.XXX.XX NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - I h

Re: [squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

2018-10-19 Thread Alex Crow
... until the browser starts using DNS over HTTPS (with a pinned certificate of the "resolving" HTTPS server)?   Alex. It is relatively easy to block DNS over HTTPS and I think there will be demand for that. And I predict that Squid will have a feature to selectively block connections with E

Re: [squid-users] want to change squid name

2018-10-03 Thread Alex Crow
Hi Ahmad, I still don't understand properly. Do you want to run Squid as your own nonprivileged user, "ahmad" or "stinger", instead of the "squid" or "webproxy" user that is the usual in distros? That is easy, but trying to sed squid to in the codebase is likely to fail, imagine trying to do

Re: [squid-users] want to change squid name

2018-10-01 Thread Alex Crow
What about this? http://www.squid-cache.org/Doc/config/via/ we just don't understand the reason you are asking for this. As was already mentioned (iirc), technically  you can change the name "squid" to something else, but it is not supported (which means, there's no standard way to do that)

Re: [squid-users] Using CA signed certificate for SSL bump

2018-09-05 Thread Alex Crow
You can set up your own internal CA. You then have the CA key (so can generate certificates for any domain) and install the CA public certificate on all client machines. That CA can be anything from a local CA on the squid box, using a central VM with something like XCA installed, all the way

Re: [squid-users] simple question Installed squid right now all internet access is blocked

2018-08-16 Thread Alex Crow
If it's an internal/RFC1918  IP then it makes no difference to your security in telling the list. If it's a public IP address then I hope you have your squid firewalled off from the internet. If you at least paste your access.log and cache.log it will help. Alex On 16/08/18 12:29, Oldman wro

Re: [squid-users] NgTech repo new service: fastest.ngtech.co.il/repo/

2018-07-17 Thread Alex Crow
On 16/07/18 00:17, Eliezer Croitoru wrote: Hey Squid-Users, I am running a trial period to see how it works for those who need it. The RPM’s repository is sitting at: http://fastest.ngtech.co.il/repo/ and will give faster speed ie 10Mbps++ compared to the local server which has only 1Mbps

Re: [squid-users] Question about traffic calculate

2018-06-08 Thread Alex Crow
On 08/06/18 17:29, Amos Jeffries wrote: On 09/06/18 02:56, Tiraen wrote: Small clarification If the normal behavior of the proxy server described above is correct, then maybe there are other methods of gathering information on traffic in online mode? What is "online mode" ? SNMP is built i

[squid-users] Sibling cache with ssl peek/splice/bump?

2018-05-15 Thread Alex Crow
Hi list, Is it currently possible in v4 with bumping to have a cache_peer setup so that https:// resources can be fetched from a peer if they are available there? Many thanks Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are tha

Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread Alex Crow
Unless the protocol design changes to expose full URLs and/or MIME types, nothing will replace Squid Bumping. That being said, we are headed to the vortex by 2018.05.01. Let's drown together, while we yell and curse at Google! MK Erm, can someone elucidate the issue here? Can't see anythi

Re: [squid-users] Assertion failed on Squid 4 when peer restarted.

2018-03-28 Thread Alex Crow
On 28/03/18 02:22, Amos Jeffries wrote: On 28/03/18 03:24, Alex Crow wrote: I have a squid 4.0.22 running peered with a 3.5.24 proxy. The latter machine stopped responding and I had to reboot it, and then the 4.0.22 one crashed. Here's a log snippet: 2018/03/27 15:01:48 kid1| WARNING: f

[squid-users] Assertion failed on Squid 4 when peer restarted.

2018-03-27 Thread Alex Crow
I have a squid 4.0.22 running peered with a 3.5.24 proxy. The latter machine stopped responding and I had to reboot it, and then the 4.0.22 one crashed. Here's a log snippet: 2018/03/27 15:01:48 kid1| WARNING: failed to unpack metadata because store entry metadata is too big 2018/03/27 15:04:

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Alex Crow
. The alternative for ssl-bump is the splice action. For that you only need to know the server names each company uses. OP, It would be a lot easier to just create exceptions on the squid device for sites where bumping doesn't work which cause them to be tunnelled or spliced rather than

Re: [squid-users] I can't understand the SSL connectios interception concept in explicit mode

2018-02-02 Thread Alex Crow
On 02/02/18 15:12, Roberto Carna wrote: OK Matus, now I understand but let me ask one more question: In explicit mode, is it possible that a given person with Squid advanced knowledge can see the plain text of the traffic? Because if this person is the admin of the proxy server, I think it ma

Re: [squid-users] Squid 4 and missing intermediate certs

2018-01-29 Thread Alex Crow
On 26/01/18 17:50, Alex Rousskov wrote: On 01/26/2018 02:30 AM, Alex Crow wrote: I've just set up a new SSL interception proxy using peek/splice/bump using squid 4.0.22 and I'm getting SSL errors on some site indicating missing intermediate certs as described here: https://blog.di

[squid-users] Squid 4 and missing intermediate certs

2018-01-26 Thread Alex Crow
Hi List, I've just set up a new SSL interception proxy using peek/splice/bump using squid 4.0.22 and I'm getting SSL errors on some site indicating missing intermediate certs as described here: https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bum

Re: [squid-users] squid asking for authentication repeatedly

2017-12-11 Thread Alex Crow
Firefox is not great at Auth. Chrome works better imho. FF seems ok with digest, ie AD. Sent from TypeApp On 11 Dec 2017, 22:05, at 22:05, Paul Hackmann wrote: >Has anyone had the instance where the proxy will ask the user to >authenticate several times as they are browsing the web? I have

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Alex Crow
On 18/11/17 12:56, Walter H. wrote: On 18.11.2017 13:51, Walter H. wrote: Hello, still certificate issues: missing intermediate certificate Greetings, Walter @Amos:  There is  *no* chain. Our cert is directly signed by the LetsEncrypt CA.  Amos that's wrong;  LetsEncrypt is only an inte

Re: [squid-users] Website pointed to 127.0.0.1

2017-09-15 Thread Alex Crow
On 15/09/17 13:58, Matheus Fernandes wrote: Hello! I have a fqdn that points to 127.0.0.1, when I try to access it through squid, I get an error. I need to make it process on the same machine that made the request, and not on squid server. I tried using always_direct directive, but squid alwa

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-17 Thread Alex Crow
On 17/11/16 18:11, Patrick Chemla wrote: > > Hi Alex, sorry for disturbing, but it works with > > https_port 5.39.105.241:443 accel defaultsite=www.sempli.com > cert=/etc/squid/ssl/sempli.com.crt > key=/etc/squid/ssl/sempli.com.key > > Many, many, many Thanks for valuable help. > > Pa

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
On 16/11/16 17:33, Patrick Chemla wrote: > Thanks for your answers, I am not doing anything illegal, I am trying to > build a performant platform. > > I have a big server running about 10 different websites. > > I have on this server virtual machines, each specialized for one-some > websites, a

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
I'm not sure what you are trying to do. It sounds like you're running a reverse proxy, which has nothing to do with SSL bump or peek/splice. -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- This message is intended only for the addressee and may contain confidential info

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
That's why you gain their consent when they sign their employment contract. -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its cont

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 16:22, Yuri Voinov wrote: You can if you have control over the clients, ie install your CA into the browser/OS. ... and this can be illegal ;) YMMV (depending on where you live/work)! -- This message is intended only for the addressee and may contain confidential information. Un

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 14:28, Yuri Voinov wrote: So, you can't do SSL bump without users notification. You can if you have control over the clients, ie install your CA into the browser/OS. Alex -- This message is intended only for the addressee and may contain confidential information. Unless you a

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 14:22, Sergio Belkin wrote: Hi, When using something like that: http_port 8080 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert key=/home/proxy/ssl_cert/example.com.private Is it possible to use a certific

Re: [squid-users] Caching Google Chrome googlechromestandaloneenterprise64.msi

2016-10-24 Thread Alex Crow
On 24/10/16 11:26, Yuri wrote: No, Amos, I'm not trolling your or another developers. I just really do not understand why there is a caching proxy, which is almost nothing can cache in the modern world. And that in vanilla version gives a maximum of 10-30% byte hit. From me personally, it ne

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
On 30/06/16 19:40, brendan kearney wrote: > > Nscd or name server caching daemon may be of help. I believe you can > run your own bind instance and point it at the roots, instead of using > your isp's broken implementation > > On Jun 30, 2016 2:21 PM, "Chris Horry" > wr

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
Packt Publishing has a book about FreeSWAN (don't use that) which is almost all applicable to LibreSWAN (do use this, it's a newer fork). Easiest is to set up a tunnel with PSKs, more secure is with RSA keys or X509 certs. Alex On 30/06/16 19:20, Chris Horry wrote: > > On 06/30/

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
I'd suggest changing IP as this practice is a) a violation of trust, forcing you to use a potentially compromised resource you have no control over b) a clear violation of net-neutrality c) a violation of standards (as it's probably one of those that instead of returning NXDOMAIN as required sends

Re: [squid-users] SSL Bump with valid CA

2016-06-16 Thread Alex Crow
> > Now i need to try to configurate squid with a non self-signed certificate > This is impossible, as you don't have access to the CA's signing key, for very good reason (you could create certs for any site in the world and it would be trusted by any browser that trusts StartSSL's CA). You

Re: [squid-users] SSL certificate on android device not working

2016-05-06 Thread Alex Crow
On 06/05/16 14:09, Reet Vyas wrote: Hi I have squid ssl bump working but when I added squid.crt to my android , it not working but working with Iphone cause they have certificate installer app , I don't know exact issue cause my apps are on working . I have installed squid.crt on mobile brows

Re: [squid-users] Squid 3.5.5 CentOS RPMs release

2015-06-30 Thread Alex Crow
ed in the RPMs you would have seen that I changed\removed a helper or two from the build. I didn't have time to inspect the issue yet. How do you rebuild from SRPM?(important) Eliezer On 30/06/2015 21:48, Alex Crow wrote: Thanks for this Eliezer - however I can't rebuild the SRPM o

Re: [squid-users] Squid 3.5.5 CentOS RPMs release

2015-06-30 Thread Alex Crow
Thanks for this Eliezer - however I can't rebuild the SRPM on latest CentOS: configure: Authentication support enabled: yes checking for ldap.h... (cached) no checking winldap.h usability... no checking winldap.h presence... no checking for winldap.h... no configure: error: Basic auth helper LDAP

[squid-users] Centos7 rpms?

2015-06-11 Thread Alex Crow
On 11/06/15 20:25, Eliezer Croitoru wrote: What is the issue?? Did you try the latest RPM's ?? http://wiki.squid-cache.org/KnowledgeBase/CentOS Eliezer Hi, Are there any plans to build centos/rhev7 packages? Native LVM caching on SSD is something that may well benefit Squid performance.

Re: [squid-users] Tracking user connection times

2015-04-20 Thread Alex Crow
On 20/04/15 15:34, Dan Berry wrote: I have setup a squid proxy as a POC for user tracking. I am looking for a way to track for close events, most of the customer sites that are accessed are HTTPS so I can’t track activity. I might be able to get by with tracking total connect time, so I know

Re: [squid-users] 100Mbps Connection Issues

2015-01-09 Thread Alex Crow
Speed tests will always enforce "nocache" so you will always see overhead from a speed test site. That's just the way proxies work. You can't make a single, "new" download any quicker than it would be, and since it has a flag telling Squid not to cache it, Squid has to go to the trouble of bo

Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Alex Crow
Hi, That is how NTLM works. It doesn't (normally) indicate anything is wrong. You do seem to have a /lot/ of DENIED though. NTLM Auth will slow down browsing somewhat because authentication is performed for every object retrieved. Google Maps can be a real nasty because it loads lots of smal