On 2025-07-25 05:13, Dieter Bloms wrote:
Hello,
I'm running squid on debian bookworm with all patches.
I configured the following ciphers:
tls_outgoing_options
cipher=TLSv1.2:!CBC:!kRSA:!DSS:!PSK:!aNULL:!ARIA:!CAMELLIA:!AESCCM:!SHA256:!SHA384@SECLEVEL=2
With squid 6.13 I get the following ci
On 2025-07-25 08:43, Matus UHLAR - fantomas wrote:
I see that squid has FTP support for some time:
# TAG: ftp_port ...
But I can't see any options related to PASV and PORT session setup.
From what I saw in sources (with my limited knowledge of C++) it seems
that squid tries to pass
Squ
On 2025-07-11 05:54, paolo.pr...@gmail.com wrote:
how does Squid behave when it receives a DNS
response containing multiple IP addresses? Does it pick a random one in
the list, or does it stick to a certain order?
Modern Squids usually use the first received IPv4 address for all
transactions
On 2025-07-10 06:39, MAB IT System wrote:
Dear Squid team,
I’m currently working on deploying Squid as a transparent proxy using
WCCPv2 with a Cisco ASA firewall.
The ASA selects a router ID x.x.x.x automatically and uses GRE
encapsulation. However, in my Squid configuration, I’m using
wccp
On 2025-06-26 20:10, Angela Yu wrote:
I was wondering if Squid supports or intends to support HTTP3?
Squid does not support HTTP/3 today. We are working on adding HTTP/2
support and intend to support HTTP/3 after that work is completed.
Cheers,
Alex.
from the
subsequent GET request (if any). However, the primary error generation
activity happens at error discovery time, before that GET. In a sense,
Squid has a response before it has a request, which creates various
problems/complications!..
HTH,
Alex.
2025/05/28 1:19, Alex Rouss
On 2025-05-27 10:37, Yves MARTIN wrote:
My team expects to transparently rewrite requests through squid,
replacing original URL/hostname by another target URL/host.
Main objective is to redirect original HTTPS requests triggered by
“docker pull alpine” to a local mirrored registry without obv
On 2025-05-27 08:47, 中山稀斗 wrote:
Dear Squid-Users,
I’m configuring SSL_Bump to decrypt only a specific list of domains and
to splice (pass through encrypted) all others, but I’m seeing
non-whitelisted domains still being decrypted.
### Observed behavior (access log excerpt):
26.56.128.144 -
On 2025-04-29 02:54, Renzo Marengo wrote:
When client uses CONNECT directive I understand that proxy establishes
tunnel to destination host on specified port
Yes, the proxy establishes a TCP tunnel with the destination.
1. I don't understand if this occurs both in presence of http and https
On April 16, 2025 23:19:13 Francesco Chemolli wrote:
acl SSL_ports port 82
acl SSL_ports port 443
acl SSL_ports port 563
is exactly the same as:
acl SSL_ports port 82 443 563
ACLs with the same name need to be of the same type, and they get appended
To be more precise, their conditions a
On 2025-04-11 01:08, Amos Jeffries wrote:
On 11/04/25 03:47, Jonathan Lee wrote:
Hello fellow Squid users,
Does anyone use pfSense squid package that knows a possible solution
to this issue? I have gone as far as to remove all custom config and
go to complete splice all and it still occurs w
On 2025-04-08 08:24, Michael Tint wrote:
I'm running into a blocking issue while deploying Squid 6.13 ... My goal is
to enable the PROXY protocol support via the following config line:
http_port 3128 proxy-protocol
The correct http_port option name for enabling PROXY protocol support is
no
, Apr 02, 2025 at 11:21:15AM -0400, Alex Rousskov wrote:
On 2025-04-02 10:45, Dave Dykstra wrote:
We're trying rock cache for the first time, on squid 6.13. The
machine is quite large and heavily used, with 10 workers configured,
140G of shared memory cache, and 500G of rock cache configure
On 2025-04-02 10:45, Dave Dykstra wrote:
We're trying rock cache for the first time, on squid 6.13. The
machine is quite large and heavily used, with 10 workers configured,
140G of shared memory cache, and 500G of rock cache configured.
However, the cacheNumObject SNMP counter is staying quite
On 2025-03-18 06:25, David Touzeau wrote:
We note that Squid performs a client DNS PTR query each time client
sends query.
We have taken care to ensure that
* that the log model does not use machine names
* No acls concerning workstation hostnames are added.
FWIW, the phrase "workstati
regards,
Ankor.
Tue, 11 Mar 2025 at 17:12, Alex Rousskov
<rouss...@measurement-factory.com>:
On 2025-03-10 23:56, Andrey K wrote:
> > Alex: FWIW, related future Squid improvements may include:
> > * Detecting such shar
0,23 136
1212704040 /dev/shm/squiduser-cf__readers.shm
squid.use 3685356 root 9u REG 0,23 2093368
1212704041 /dev/shm/squiduser-tls_session_cache.shm
Kind regards,
Ankor.
Fri, 7 Mar 2025 at 17:48, Alex Rousskov
mailto:rouss.
ments may include:
* Detecting such shared memory segments clashes; refusing to start.
* Disabling shared memory use when caching is completely disabled.
Quality pull requests welcome.
Cheers,
Alex.
Thu, 6 Mar 2025 at 17:11, Alex Rousskov:
On 2025-03-06 08:59, Amos Jeffries wrote:
On 2025-03-06 08:59, Amos Jeffries wrote:
On 6/03/25 19:17, Andrey K wrote:
Hello,
I have a similar configuration: two SMP squids running on the same OEL
host.
They were built with different configurations: with different
installation path prefixes and different names of binary files: squid
On 2025-03-02 15:47, Lubos Uhliarik wrote:
2024/10/16 17:52:44 kid10| Adaptation support is off.
2024/10/16 17:52:44 kid10| assertion failed: Queue.cc:388: "EX"
Squid v6 has a few changes that affect SMP startup and shutdown
sequences. Since you have ruled out upgrading to a supported versio
On 2025-02-26 01:58, Amos Jeffries wrote:
On 26/02/25 00:33, BENJAMIN DELANNOY wrote:
> Please detail what you mean by "choice" or "decision". For example, do
you want to stop the timer when Squid makes its final http_access
decision?
I mean I want to monitor the latency on what I could mana
feature-enhance-of-fix-something
HTH,
Alex.
On Wed, Feb 19, 2025 at 5:39 PM Alex Rousskov wrote:
On 2025-02-19 06:26, BENJAMIN DELANNOY wrote:
> For % next hop and stops when the last response byte is received." Are we
> talking of last request / last response of a
On 2025-02-26 07:05, Matus UHLAR - fantomas wrote:
I'd like squid to avoid considering using ipv6,
because even if any ipv6 attempt failed, there still were some being made
... at least I assume so from squid logs:
1740062747.503 0 192.0.2.1 NONE_NONE/503 0 CONNECT ad.turn.com:443
- HIER
On 2025-02-25 09:56, Alex Rousskov wrote:
On 2025-02-25 09:47, Thomas PALFRAY wrote:
we tried version 6.13 as recommended, but the behavior is the same.
Thank you for testing v6.13. That test eliminates many suspects.
What additional information would you need to understand the problem
On 2025-02-25 09:47, Thomas PALFRAY wrote:
we tried version 6.13 as recommended, but the behavior is the same.
Thank you for testing v6.13. That test eliminates many suspects.
What additional information would you need to understand the problem
For the next step in triage, I can offer
traffic with SSL Bump)
Based on this, I would be able to check if a squid server is taking too
much time making a decision.
Is this something feasible?
Please detail what you mean by "choice" or "decision". For example, do
you want to stop the timer when Squid makes its fin
On 2025-02-17 10:02, BENJAMIN DELANNOY wrote:
I try to figure out what is exactly measured with the I don't get what are the difference between them, what is the difference
between "peer response time" & "time spent forwarding to origin
servers",
Have you seen %updated in August 2024, and sq
On 2025-02-07 18:41, Jonathan Lee wrote:
Can someone show me an example of doing one of these requests on the to
do list?
Please direct future development questions and followups to squid-dev
mailing list! This squid-users mailing list is meant for Squid operators
or administrators rather th
On 2025-02-07 05:15, Robin Wood wrote:
I want to write my own ICAP server
FWIW, nearly all attempts to quickly write a production-quality ICAP
server (that I have seen) have failed. The protocol is much more complex
than it seems. In most cases, folks looking for a free ICAP server
should b
On 2025-02-05 05:54, udhayakumar wrote:
if i put whitelist_regex in below config which domains i was try
browse in browser it says *SSL_ERROR_RX_RECORD_TOO_LONG*
IIRC, that usually happens when Squid responds with a plain text error
page while the browser expects TLS. You may be able to conf
On 2025-02-03 09:07, Thomas PALFRAY wrote:
My team and I are working on setting up *a squid with ssl-bump* to cache
binary content (jpeg, png, pdf and json) on a remote site over HTTPS.
The size of the binary content can vary from a few dozen KB to several
hundred MB.
We had a working HTTP
On 2025-01-21 05:41, Илья Щелоков wrote:
I have a squid proxy, it sends data to the system via icap. I need to
install another squid between the proxy and the system so that it
receives icap from the proxy
Squid is an ICAP client: it sends ICAP requests and receives ICAP responses.
Squid is
On 2025-01-13 13:29, Jonathan Lee wrote:
Is there anyway to use more workers on a non rock system, without
disabling the cache? I can use them when cache is disabled. Without
it I get assertion failed: controller:cc:930: EX"
I will try to clarify in hope to reduce misunderstanding, especially
On 2025-01-07 04:49, Tony Albers wrote:
Is it possible in squid to ensure that a badly behaving backend
application doesn't eat up all squid resources?
Yes, especially if you know about that application behavior in advance.
You can configure Squid to start denying requests for the problematic
On 2025-01-06 00:37, Jonathan Lee wrote:
Can you please help I have noticed for a long time under information
page that Store Disk Files Open is a lot of the times showing 0
Is this of concern?
If your Squid is not configured to use a cache_dir, then seeing zero
Store Disk files open is OK.
On 2024-12-30 11:55, Jonathan Lee wrote:
what is faster or better for performance? The parsed ssl_bump lists
or the singular list?
To remove very distracting noise, I am posting an abridged version of
your "before" and "after" configurations:
# before
ssl_bump splice A
ssl_bump s
ical
application of the techniques used in the topics you have provided.
I would be grateful for practice specifically in my case for a
better understanding of the work.
Mon, 23 Dec 2024 at 00:42, Alex Rousskov
<rouss...@measurement-factory.com>:
O
On 2024-12-23 00:27, Eternal Dreamer wrote:
I need some help with my squid-6.7 installation. I need to see
forwarding status codes for my monitoring system, but squidclient -h
3128 mgr:forward is empty. Another stats from mgr:* works fine.
You are suffering from a Squid bug: In many cases, Sq
2023-April/025784.html
HTH,
Alex.
Sun, 22 Dec 2024 at 22:47, Alex Rousskov
<rouss...@measurement-factory.com>:
On 2024-12-22 08:13, A. Pechenin wrote:
> The reason and solution were not simple and obvious at first glance.
> I have two providers access
On 2024-12-22 08:13, A. Pechenin wrote:
The reason and solution were not simple and obvious at first glance.
I have two providers accessing the gateway, the main and backup
channels, and automatic switching is configured when the connection on
the main channel is lost.
To check, I switched the
On 2024-12-21 12:26, A. Pechenin wrote:
This week, when connecting users through a proxy server, some Google
services became inaccessible, such as Calendar, Translator, user profile.
Do you use any ssl_bump directives? You have mentioned a test with
"default configuration file" below. That con
On 2024-12-08 09:26, David Touzeau wrote:
Is there any way or development plan to include “proxy-protocol” in
cache_peer?
I am not aware of any specific current development plans, but there is
interest in adding that feature, and I expect it to be added eventually.
Alex.
Squid is able to
On 2024-12-15 13:32, Hering, Uwe wrote:
We are using squid (version see above) on SLES15, rebuild with
“--enable-ident-lookups".
This works great up to SP5, but is broken with this squid version above
belonging to SP6.
2024/12/12 10:16:06 kid1| FATAL: assertion failed: FilledChecklist.cc:2
On 2024-12-02 03:56, Masanari Iida wrote:
Hi,
I would like to understand memory_pools and memory_pools_limits setting.
In case memory_pools_limit is set to none (as default),
all squid process memory that can be seen by ps(1) is being used by squid?
Yes, for some definition of "being used". So
On 2024-11-26 00:53, Jonathan Lee wrote:
-n Disable lookups and address type conversions. If lookup or
conversion is required because the parameter type (IP or
domain name) does not match the message address type (domain
name or IP), then the ACL would immediately declare a mism
stdout. I can simply redirect
the "squid -k rotate" stderr to /dev/null
but I would like to avoid it when possible - if any error happens,
I'd like to know about that.
On 21.11.24 16:16, Alex Rousskov wrote:
If you are OK with not seeing these particular messages in cache.log
On 2024-11-21 08:44, Ralf Hildebrandt wrote:
Can I force certain destinations to be reached using ipv4 only?
Not reliably. IMHO, it is a missing feature (or two).
Various tricks exist, but none of them work well in general, for various
reasons. See other responses on this thread for some spe
On 2024-11-21 07:29, Matus UHLAR - fantomas wrote:
I run squid 6 (currently 6.10) on some debian hosts.
when rotating logs in the night, I get mail about cron output:
2024/11/21 00:00:41| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2024/11/21 00:00:41| Processing Configurati
On 2024-11-18 09:59, Martin A. Brooks wrote:
I am running 3 squid instances behind a load balancer. It was running
fine for a couple of weeks but there were suddenly tens of thousands
of this sort of message in the log:
squid[507015]: ERROR: system call failure while accepting a TLS
con
On 2024-11-17 18:41, Gaetano wrote:
We are running three squid proxy 5.5,
Please note that Squid Project does not support Squid v5. I recommend
upgrading to Squid v6+ (regardless of what your Linux distribution
currently ships).
on three different VMs, same
number of CPUs (4), same memor
On 2024-11-14 13:15, slagaute...@hotmail.com wrote:
Recently I have updated
my version from version 6.0 (early age) to the latest version 6.12.
I have some web sites like www.google.com for which my browser never
complete the download of the page. There is a pending request to URIs
like https
ents for my patch within Yocto.
I am very glad to hear that you are making progress.
Good luck,
Alex.
-----Original Message-
From: Alex Rousskov
Sent: Friday, November 8, 2024 5:27
To: squid-users@lists.squid-cache.org
Cc: Marko, Peter (FT D EU SK BFS1)
Subject: Re: [squid-users] v6.12 bu
On 2024-11-07 16:48, Marko, Peter wrote:
Commit [1] removed directory libltdl/m4 from release tarball by merging
all those files into libltdl/aclocal.m4,
Clarification: While commit b4addc22 itself did not remove any
directories or merge any files, bootstrapping Squid after that commit
may
On 2024-10-30 20:46, Jonathan Lee wrote:
Hello, thank you for the update Francesco, there is also some chatter
about bugs within the Netgate community. Is this also related to the
fixes in V7 (please see Redmine attached)?
AFAICT, Redmine Bug #14390 is pretty much unrelated to "Joshua 55"
vul
on where the
issue is. Authentication seems to be working, but it's like this term either
doesn't pass the credentials along, or it's expecting some other response. Is
there anyone that could help me figure out what the issue is with this?
Thank you,
Josh
-Original Message
desired name; }}
Yes, I have already responded to email with that information. Please
continue that thread:
https://lists.squid-cache.org/pipermail/squid-users/2024-October/027224.html
Alex.
-Original Message-
From: Alex Rousskov
Sent: Thursday, October 24, 2024 4:46 PM
To: Piana
data in the DNS request itself.
- DNS data egress attacks are potent because they exploit a
foundational internet protocol for covert data transmission. Solutions
demand vigilant DNS traffic analysis and strict egress filtering
policies.
---
On Mon, Oct 28, 2024 at 12:14 AM Alex Rousskov
wrote:
On 2024-10-25 18:18, Erik Schulz wrote:
I would like to use squid as an egress proxy, to prevent unauthorized egress.
Let's say that the only allowed egress is 'example.com'.
I can define acl along the lines of:
```
acl allowed_domains ssl::server_name .example.com
http_access allow allowed_dom
On 2024-10-25 14:28, GM Test wrote:
I'm not sure if this is the right place to ask this question
Yes, it is.
but in the
*logformat* command, I cannot seem to work out what the square bracket
is for?
When used at the beginning of a logformat %code name, a single square
bracket character s
not be specific to any HTTP(S) transaction that
Squid is handling. If you can test your authentication helper in
isolation by starting it from the command line and feeding it helper
commands, do that.
Alex.
-Original Message-
From: Alex Rousskov
Sent: Thursday, October 24, 2024 4:46
On 2024-10-24 16:23, Piana, Josh wrote:
From what I can tell, squid does not receive a good username. When I check the
access logs, I receive something like this:
24/Oct/2024:16:01:08 -0400.334 10.46.49.190 TCP_DENIED/407 7821 CONNECT
www.google.com:443 - \ HIER_NONE/- text/html ERR_CACHE_A
On 2024-10-24 15:53, Piana, Josh wrote:
Hey Squid users,
Running into an issue I’m trying to figure out.
We have a few acl directives using “proxy_auth_regex -i” and when I have
these active, it blocks any proxy connection with an HTTP 407 error,
according to the logs.
Here’s an example:
#
:
refresh_pattern . 15 20% 1800
override-expire ignore-no-cache ignore-no-store ignore-private
And I always get TCP_MISS. Any other thoughts?
Thanks!
On Thu, Oct 10, 2024 at 12:35 PM Alex Rousskov
<rouss...@measurement-factory.com> wrote:
On 2024-10
On 2024-10-09 15:40, Bryan Seitz wrote:
> SSL-Bump Woes
AFAICT, the problem you are trying to solve is not caused by SslBump.
> reply_header_access Cache-Control deny all
> reply_header_add Cache-Control "public, max-age=1800"
The above directives are applied to responses that Squid sends to
On 2024-09-25 01:57, にば wrote:
We then added the following settings that were in the existing Squid proxy
# SSL_BUMP
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
acl allowed_https_sites ssl::server_na
On 2024-10-03 11:10, Andrea Venturoli wrote:
> Out of 10 installations, ... on one it's very frequent.
> Any idea on what to check or try? ... Any way to get better logs?
Since the problem is frequent on that one host, I recommend privately
sharing[1] a pointer to compressed debugging cache.lo
On 2024-10-03 10:12, Andrea Venturoli wrote:
On 10/2/24 23:30, Alex Rousskov wrote:
Disadvantages of using eCAP+ClamAV adapter include being dependent on
a relatively old libecap and ClamAV eCAP adapter implementation.
I got it all wrong then... I thought ICAP was older and eCAP was meant
to
On 2024-09-29 12:40, Andrea Venturoli wrote:
I've been using Squid + C-icap + SquidClamAV + ClamAV for a long time in
order to filter web content.
However this has lately been troublesome, leading to occasional
hard-to-diagnose temporary failures ("ICAP protocol error").
So I'm pondering mov
On 2024-10-01 11:49, Dr.X wrote:
Just wondering if I can have in squid.conf like :
export FRONTEND='1.2.3.4'
http_port {FRONTEND}:3128
But the way above did not work and seems not recognized by squid.
My question is, is it possible that I identify a variable and give it a
value like string
On 2024-09-30 09:08, Alexis DAVEAU wrote:
wget http://www.squid-cache.org/Versions/v5/squid-5.2.tar.gz
tar -xzf squid-5.2.tar.gz
cd squid-5.2
export CXXFLAGS="-DMAXTCPLISTENPORTS=254"
./configure --prefix=/usr --localstatedir=/var
--libexecdir=/usr/lib/squid --datadir=/usr/share/squid \
--sysc
On 2024-09-17 10:43, Martin A. Brooks wrote:
On 2024-09-17 15:13, Alex Rousskov wrote:
What makes you think that CONNECT requests are not sent to the
rewriter? In my quick-and-dirty tests, Squid does send CONNECT request
targets to the URL rewriter program and honors rewriter's
rewrit
On 2024-09-17 09:34, Martin A. Brooks wrote:
Proxied HTTPS requests use
CONNECT and, for whatever reason, this appears to bypass the url
rewriter.
What makes you think that CONNECT requests are not sent to the rewriter?
In my quick-and-dirty tests, Squid does send CONNECT request targets to
tate all their rules.
(*) Similar breadcrumbs will be collected for other directives as well.
Alex.
- Original Message -
From: "Alex Rousskov"
To: squid-users@lists.squid-cache.org
Sent: Monday 2 September 2024 22:38:44
Subject: Re: [squid-users] Looking for a solution to identify
he explicit rules
matched. That implicit default is "ever-changing" because it depends on
the last explicit http_access rule action (which, naturally, may change
as folks update their rules).
FWIW, the following FAQ entry covers the same concepts:
https://wiki.squid-cache.org/SquidFaq/Sq
On 2024-09-16 09:58, Piana, Josh wrote:
I removed all of the special, custom ACL's and we still don't have internal to
internal browsing via hostname.
FWIW, these first two http_access rules make all subsequent http_access
rules irrelevant/unused because these two rules match all traffic:
On 2024-09-10 13:54, Carlos André wrote:
My "delay_class" simple DON'T with if I use a acl external (helper -
LDAP or winbind [ext_wbinfo_group_acl], same problem), delay_class work
ok using a acl proxy_auth or acl src but nothing with a external.
I believe your configuration is suffering
to confirm that all valid requests to banned sites are
denied, all other valid requests are allowed, and all invalid requests
are rejected. If necessary, ask questions, file bug reports, patch
Squid, and/or adjust your configuration to pass this test.
HTH,
Alex.
Thu, 8 Aug 2024 at 21:33 Alex Rousskov
On 2024-09-05 01:52, YAMAGUCHI NOZOMI (JIT ICC) wrote:
If there were duplicate domains in the list of domains used, restarting
the squid would cause the process to stop.
Below is the error statement.
ERROR: 'a.example.com' is a subdomain of 'example.com
FATAL: /etc/squid/squid.conf
Hi Nichol
ork. This whole config
that we have has been pieced together and I'd like to get it to the way it's
supposed to be.
What do you recommend? I can send the whole config again, exactly as we have it
now, and see what we can fix/remove/replace.
Appreciate you helping,
Josh
-Original Messag
- HIER_NONE/- text/html
29/Aug/2024:10:27:17 -0400.514 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443
JPIANA@AD..COM HIER_NONE/- -
I'm not sure the debugging and extra log details were added correctly, because
these look the same.
Thanks,
Josh
-Original Message-
From: squid
On 2024-08-30 08:35, Michael Egert wrote:
I have a little problem with this helper, it worked fine for a while and
then suddenly stopped working.
It may help others if you detail "stopped working" based on a test case
involving Squid. AFAICT, your email contains an attempt to manually feed
th
ant to force traffic other
than HTTP and FTP through Squid. In other words, Squid is not a
"universal" proxy that can proxy everything.
HTH,
Alex.
On 2024-08-28 09:14, Alex Rousskov wrote:
On 2024-08-28 08:52, Scott Bates wrote:
Alex: What protocol do those external services use in
On 2024-09-02 15:00, Xavier Lecluse wrote:
I am facing a problem with my actual access.log configuration.
I use this logformat for the access.log :
"logformat timereadable %tl %un %Ss %>Hs %>a:%>p %st %rm %ru %mt %.
But I have some users which are not authenticated (because of incompatibility with
directory.
3. Start Squid.
If the problem persists, share the command you use to start Squid and
any console output you get from that command.
In general, avoid using "squid -k reconfigure" when possible, especially
when using Squid v5 and earlier.
HTH,
Alex.
-Original Message
requests are allowed, and all invalid requests
are rejected. If necessary, ask questions, file bug reports, patch
Squid, and/or adjust your configuration to pass this test.
HTH,
Alex.
Thu, 8 Aug 2024 at 21:33 Alex Rousskov:
On 2024-08-06 20:59, にば wrote:
When using Squid transparently, is it po
Squid before. And you will learn a few new tricks...
I'll update those logs and wait for your response to this before
sending them or sending you a personal drop link.
A link usually works best.
Thank you,
Alex.
-Original Message-
From: squid-users On Behalf Of Alex
Rousskov
S
HIER_NONE/- text/html
29/Aug/2024:10:27:17 -0400.514 10.46.49.190 NONE_NONE/500 0 CONNECT hexcelssp:443
JPIANA@AD..COM HIER_NONE/- -
I'm not sure the debugging and extra log details were added correctly, because
these look the same.
Thanks,
Josh
-Original Message-
From: squi
all.
I apologize for the wall of text, looking forward to what you guys have to say
about this.
Thanks,
Josh
-Original Message-
From: squid-users On Behalf Of Alex
Rousskov
Sent: Wednesday, August 28, 2024 2:31 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-user
On 2024-08-28 14:18, Alex Rousskov wrote:
On 2024-08-28 11:24, Piana, Josh wrote:
Here's the log and (I think) relevant ACL's?
According to your access.log, Squid denies problematic CONNECT requests
with HTTP 407 errors responses. Usually, that means those requests match
an "
On 2024-08-28 11:24, Piana, Josh wrote:
Here's the log and (I think) relevant ACL's?
According to your access.log, Squid denies problematic CONNECT requests
with HTTP 407 errors responses. Usually, that means those requests match
an "http_access deny" rule. Clearly, you expect an "allow" out
On 2024-08-28 08:52, Scott Bates wrote:
Alex: What protocol do those external services use in problematic
use cases?>> Does Squid see the corresponding requests from VMs?
Squid can only proxy HTTP and FTP...
http and https only
Does Squid log the corresponding problematic transactions to i
On 2024-08-27 14:07, Scott Bates wrote:
My lab is setup as such:
Hypervisor host
Squid VM
Test VM 1 (windows)
Test VM 2 (windows)
Test VM 3 (windows)
I have my proxies setup in the squid config. On the test vms I have the
windows proxy settings pointing to the squid IP and port. If I check the
On 2024-08-26 02:23, Alexandru Mateescu wrote:
In October 2023 the free vulnerabilities scanner of Greenbone (Openvas)
has started reporting high vulnerabilities on squid for all versions.
When I questioned them about it they indicated
https://megamansec.github.io/Squid-Security-Audit/ as the
On 2024-08-23 12:07, Piana, Josh wrote:
The problem we’re having now is that we’re unable to access local
resources on different subnets. For instance, our “main” networks are
10.46.x.x and 10.47.x.x, but the proxy is blocking us when we try to get
to 172.26.x.x as well as 10.96.x.x.
Blocki
On 2024-08-23 06:29, ngtech1...@gmail.com wrote:
OK so the issue was that:
The http_port was used for ssl bump with intercept
I would not phrase it that way because "bump" is a red herring here. I
would instead say that the issue was that "http_port was used for
intercepted TLS traffic" or "
accurately to become valid.
HTH,
Alex.
-Original Message-
From: squid-users On Behalf Of Alex
Rousskov
Sent: Thursday, August 22, 2024 9:21 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 6.10 on Fedora 40 cannot intercept and bump
SSL Traffic
On 2024-08-20
On 2024-08-20 15:57, Alex Rousskov wrote:
On 2024-08-19 19:32, NgTech LTD wrote:
> curl -v -k https://www.youtube.com/
1724109013.783 0 192.168.78.252 NONE_NONE/000 0 -
error:invalid-request - HIER_NONE/- - -
OK, let's focus on this curl interception test. It feels like your S
On 2024-08-21 09:37, David Touzeau wrote:
Configure:
./configure --prefix=/usr --build=x86_64-linux-gnu --includedir=/include
--mandir=/share/man --infodir=/share/info --localstatedir=/var
--libexecdir=/lib/squid3 --disable-maintainer-mode
--disable-dependency-tracking --datadir=/usr/share/squ
ata]
* schannel: failed to decrypt data, need more data
{ [2756 bytes data]
* schannel: failed to decrypt data, need more data
{ [9336 bytes data]
* schannel: failed to decrypt data, need more data
{ [2756 bytes data]
* schannel: failed to decrypt data, need more data
{ [13803 bytes data]
* sch
On 2024-08-20 06:35, ngtech1...@gmail.com wrote:
Attached a link for the pcap file that might shed some light on the
issue from a technical perspective
That link does not work for me: Nothing is shown but a page with generic
background and a "get your own free account" signature at the bottom
1 - 100 of 1071 matches