Hello Martin,
On Tue, Sep 17, Martin A. Brooks wrote:
> On 2024-09-17 13:39, Martin A. Brooks wrote:
> > I am trying to use a URL rewriter program to redirect client requests
> > for certain URLs elsewhere. I found this on github which seems to do
> > what I need:
> >
> > https://github.com/rch
Hello Rasmus,
squid has implemented the happy eyeballs algorithm, so squid uses the
best protocol to reach the server.
More information about happy eyeballs can be found here:
https://datatracker.ietf.org/doc/html/rfc8305
On Tue, Jul 16, Rasmus Horndrup wrote:
> Hi,
> On a dual stack network interfac
Hello Alex,
thank you for your answer!
On Mon, Jun 10, Alex Rousskov wrote:
> On 2024-06-10 08:10, Dieter Bloms wrote:
>
> > I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION
> > option to enable access to https://cisco.com.
> > The web server
option
ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
How can I activate secure renegotiation for squid?
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it
Hello,
On Sat, May 11, Vilmondes Queiroz wrote:
> deny_info http://example.com !authorized_ips
does it work if you add the http status code like:
deny_info 307:http://example.com !authorized_ips
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outl
Hello Amos,
thank you for your answer!
I opened a bugreport https://bugs.squid-cache.org/show_bug.cgi?id=5353
with some debug infos attached.
On Thu, Mar 14, Amos Jeffries wrote:
>
> On 12/03/24 04:31, Dieter Bloms wrote:
> > Hello,
> >
> > after an upgrade from s
Hello,
after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot
of messages of type:
ICAP_ERR_GONE/000
ICAP_ERR_OTHER/200
ICAP_ERR_OTHER/408
ICAP_ERR_OTHER/204
and some of our users complain about bad performance and some get "empty
pages".
Unfortunately it is not determinis
Hello Rob,
On Mon, Feb 05, Rob van der Putten wrote:
> After upgrading Squid from 3 to 5 the percentage of IPv6 reduced from 61% to
> less than 1%.
> Any ideas?
yes, since squid5 the happy eyeball algorithm as described in rfc 8305
is used.
If your ipv4 connectivity is better than ipv6 then ipv4
Hello,
I would like to run the squid in a Kubernetes environment.
I can simply send the access.log outside the container with the syslog module.
I have tried it with the cache.log, but unfortunately I don't see any log
entries from the cache.log. The access.log lines are transmitted:
--snip--
#
Hello,
I stumbled across this page
https://joshua.hu/squid-security-audit-35-0days-45-exploits and wonder
if all these security holes are really still there.
Can someone from the developers give a status?
Thank you very much.
--
Regards
Dieter
--
I do not get viruses because I do not use M
Hello,
we are currently using the Squid with an ICAP virus scanner, which is capable
of trickling.
There are many manufacturers who support the ICAP protocol but not trickling.
Therefore, in my opinion, it would make sense if squid supported trickling as
ICAP client.
Then you could use any IC
Hello,
is it possible to restrict the use of websockets for security reasons like
prevent long-lived Websocket communication or define a limit for total size
of transferred payload?
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not
Hello,
I've enabled sslbump and configured the following outgoing tls options:
tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1
cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA
so for me it looks like squid must not use TLS1.1 or TLS
Hello,
does squid 5.7 support the HTTP/2.0 protocol?
From https://wiki.squid-cache.org/Features/HTTP2 it seems some work has been
done, but not all.
But sometimes the docu is outdated, so I hope it is outdated and squid
does support HTTP/2
--
Regards
Dieter
--
I do not get viruses becaus
Hello Amos,
On Sat, Nov 12, Amos Jeffries wrote:
> On 12/11/2022 2:49 am, Dieter Bloms wrote:
> > Hello,
> >
> > I'm using squid 5.7 with enabled sslbump and can't reach the website
> > https://www.ilo.org/global/lang--en/index.htm
> > I get an
Hello,
I'm using squid 5.7 with enabled sslbump and can't reach the website
https://www.ilo.org/global/lang--en/index.htm
I get an error of type ERR_INVALID_RESP, but when I disable sslbump the
webcontent is shown in the browser.
Can anybody confirm this and can tell me what causes this problem
Hello Alex,
thank you for the quick answer!
On Mon, Oct 10, Alex Rousskov wrote:
> On 10/10/22 04:05, Dieter Bloms wrote:
>
> > since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
> > label can not be resolved (for example https://dnslabeldoesnotexist.c
Hello,
since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
label can not be resolved (for example https://dnslabeldoesnotexist.com/).
I expect the error page of type ERR_DNS_FAIL instead of ERR_READ_ERROR.
Can somebody confirm this behavior ?
--
Regards
Dieter Bloms
Hello,
I did an upgrade from squid 4.16 and got many messages like: assertion failed:
Transients.cc:221: "old == e"
and it seems that the children crash and restart:
--snip--
2021/09/20 04:37:47 kid2| assertion failed: Transients.cc:221: "old == e"
current master transaction: master368193
202
Hello,
I want to implement user authentication (kerberos) on an already existing
proxysystem without user authentication.
But I know that there are clients, which can't do any authentication.
So is it possible to configure squid, that it ask for proxy
authentication credentials, but if the client
Hello,
I use squid 4.15 and want to configure it to connect to some destinations
via IPv4.
I know about the tcp_outgoing_address option, but my outgoing ipv4 and
ipv6 addresses change every day.
So is there an option like:
acl myipv4onlydest dstdomain .example1.com .example2.com
tcp_outgoing_p
Hello Alex,
thank you for the fast response.
On Thu, May 20, Alex Rousskov wrote:
> On 5/20/21 8:12 AM, Dieter Bloms wrote:
>
> > I've a working setup with squid 4.14 and enabled sslbump under debian
> > buster.
> > But when I try destinations like ht
Hello,
I've a working setup with squid 4.14 and enabled sslbump under debian buster.
But when I try destinations like https://1.1.1.1/ I get an error
ERR_CERT_COMMON_NAME_INVALID
The alternate DNS Names in the certificate of the original webserver is:
X509v3 Subject Alternative Name:
DNS:c
ile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
>
>
> -Original Message-----
> From: squid-users On Behalf Of
> Dieter Bloms
> Sent: Wednesday, January 20, 2021 1:26 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] chromium based
Hello,
I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.
When I disable sslbumping for this destinat
Hello Amos,
On Thu, Jan 14, Amos Jeffries wrote:
> On 13/01/21 11:27 pm, Dieter Bloms wrote:
> > Hello,
> >
> > the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
> > certificate chain.
> > I can't access the website with enabled ss
ite should add the intermediate
certificate.
More information can be seen here:
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid%2dcache.org
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in yo
Hello Matus,
thank you for your answer.
On Tue, Jul 21, Matus UHLAR - fantomas wrote:
> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
.cloudapps.cisco.com ?
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
__
Hello,
more and more clients aren't browser but are programs, which call a
restapi through our squid proxy.
Those clients aren't able to show the errorpage (ERR_*) from proxy in
case the request wasn't successful for any reason.
I added %err_code and %err_detail, but %err_detail is filled with "
--
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-
t-
> > From: squid-users
> > [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Dieter Bloms
> > Sent: Wednesday, 8 April 2020 13:37
> > To: squid-users@lists.squid-cache.org
> > Subject: [squid-users] sometimes intermediate certificates
> > wer
ain.badssl.com/
But squid doesn't fetch the intermediate certificates for the site
https://www.formulare-bfinv.de/
and I don't know why.
I checked all AiA entries in the certificates and it looks good to me.
Can anybody try the site http
Hello,
I have a working setup with openssl, which use softhsm as pkcs11
backend.
I can sign csr requests with openssl command line tool.
Now I want to use this mechanism for squid ssl-bump.
Is it possible to use the pkcs11 mechanism with squid and openssl ?
I tried something like:
http_port MYIP
Hello,
I use squid 4.9 with enabled sslbump and it works great for the most
websites.
There are some websites, which use websockets like web.whatsapp.com
and can not be reached with enabled sslbump.
When I exclude this destination from sslbump, I get the qrcode, which
can be scanned with the smar
Hello,
On Wed, Feb 06, Yann Girardin wrote:
> I am using ssl bump and it works fine for a lot of SSL sites, but some of
> those are misconfigured and squid won't succeed to get the correct
> certificate, and give me the following error :
> SEC_ERROR_UNKNOWN_ISSUER
>
> Looking on the internet I unde
Hello,
I've compiled squid 4.5 with openssl1.1 as shipped with debian9.
Sslbump works fine for all sites, but I can't access only one site
https://www.finanzamt.bayern.de/
and don't know the reason.
Ssllabs gives "A".
Here are the squid compile options:
--snip--
Squid Cache: Version 4.5
Service N
Hello,
we use the sslbump feature of squid, and it works very well.
One of our http clients expect a CRL distribution point in the dynamic
generated certificate.
I've setup a http server, which delivers this crl list, but don't know
how to configure squid to set this distribution point in every
dy
Hi,
I run squid4.1 for several days in production and have to say it works
pretty good.
It is stable and it downloads the missing intermediate certificates
automatically.
Great work!
Thank you very much for this version.
--
Regards
Dieter
--
I do not get viruses because I do not use MS so
Hello,
On Tue, Jun 26, Gordon Hsiao wrote:
> checked the manual it seems I can only set dnsserver with a new IP, is it
> possible to make squid support non-standard DNS port, e.g. 5353?
maybe you can use a dns resolver like unbound, dnscache, dnsmasq,
which can be configured to listen on loc
Hello Alex,
thank you for your answer!
On Fri, Dec 15, Alex Rousskov wrote:
> On 12/15/2017 03:53 AM, Dieter Bloms wrote:
>
> > I use the native ftp support of squid-4.0.22 and it works well without proxy
> > authentication.
>
> > I want to enable the proxy authent
Hello,
I use the native ftp support of squid-4.0.22 and it works well without proxy
authentication.
I want to enable the proxy authentication, but don't know how to login
to the proxy with the native ftp client.
Without proxy authentication the string ftpuser@ftpserver works fine.
When I enable p
Hello Amos,
thank you for your answer!
On Thu, Sep 14, Amos Jeffries wrote:
> On 14/09/17 18:08, Dieter Bloms wrote:
> >
> > As I said before, squid works fine and checks the acls, but I get many
> > warnings in the cache.log and don't know the cause of it.
>
>
Hello,
I used external helper with squid 3.5.xx several years without any
problem.
Now I tried to upgrade to squid 4.0.21 and squid seems to work fine, but
I get many logentries like:
--snip--
2017/09/14 07:43:12 kid3| WARNING: blockhostsdomain ACL is used in context
without an ALE state. Assumi
Hello,
I want to customize the time format for %t in my error pages.
For the logfiles it is in strftime format like %{%d.%m:%Y %H:%M:%S}tl,
but when I put it in my error page templates like %{%d.%m:%Y %H:%M:%S}t,
squid doesn't consider it.
Is there any way to define the timeformat for %t in the er
Hi Ivan,
On Tue, Jun 06, Ivan Larionov wrote:
> We recently updated from squid v2 to v3 and now see huge increase in
> connections in TIME_WAIT state on our squid servers (verified that this is
> clients connections).
I can confirm that since 3.5.22 to our ICAP scanners.
with 3.5.21 we had no pr
Hello Amos,
On Sat, May 20, Amos Jeffries wrote:
> On 19/05/17 20:10, Dieter Bloms wrote:
> >Hello Alex,
> >
> >On Thu, May 18, Alex Rousskov wrote:
> >
> >>On 05/18/2017 03:17 AM, Dieter Bloms wrote:
> >>
> >>>I wrote some custom error pa
Hello Alex,
On Thu, May 18, Alex Rousskov wrote:
> On 05/18/2017 03:17 AM, Dieter Bloms wrote:
>
> > I wrote some custom error pages and activated style sheets in the header of
> > the error pages like:
> >
> >
> > %l
> >
> >
> >
Hello,
I use squid 3.5.25 compiled with following options:
Squid Cache: Version 3.5.25
Service Name: squid
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--man
Hello,
I did an upgrade from 3.5.8 to 3.5.11 and now sometimes I get the
message:
assertion failed: client_side.cc:819: "areAllContextsForThisConnection()"
in cache.log and squid dies.
Is this a known problem or shall I create a bugreport ?
--
Regards
Dieter
--
I do not get viruses becau
Hello,
I want to write a little script for an external_acl_type to block access
to many ip addresses.
As far as I can see %DST contains the fqdn of the destination and not
the ip address.
I know that I can do dns lookups in my script, but I think squid does it
anyway, so it may be faster to pass t
Hi,
On Fri, Nov 06, Fullyrealized LLC wrote:
> I have been trying to bolster my pfsense systems and found one
> difficulty with squid3. I can't figure out how to allow for support of
> tls 1.1 and 1.2. It supports tls 1 of course but the new reports from
> qualys give a "C" for such. I am wonderin
Hello Marcus,
On Thu, Sep 17, Marcus Kool wrote:
> I just tried accessing https://banking.postbank.de/
> using Squid 3.5.8 and Chrome.
> I also got the ERR_CONNECTION_CLOSED error.
thank you for testing, so I think the fault is not my config.
May it be a bug in squid or openssl, or maybe the web
Hello Amos,
thank you for your hints.
On Thu, Sep 17, Amos Jeffries wrote:
> > the relevant part is:
> >
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key
> > generate-host-certificates=
Hello Antony,
On Wed, Sep 16, Antony Stone wrote:
> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS and sslbump enable.
> > But I can't get
abled sslbump can confirm that this destination is
not accessible.
Thank you very much.
--
Regards
Dieter Bloms
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won
:
sslproxy_flags No_Compression
but squid claims "FATAL: Unknown ssl flag 'No_Compression'".
Is it possible to disable TLS compression for the connection from squid
to the webserver when sslbump is used ?
Thank you very much.
--
Regards
Dieter Bloms
--
I do not get viruses bec
Hello Amos,
On Sat, Dec 20, Amos Jeffries wrote:
> > When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6
> > to ipv4 works fine, but when I do a
> > https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't
> > do a fallback to ipv4.
> >
> > It would be nice, if you can tr
Hello Amos,
thank you for the reply.
On Thu, Dec 11, Amos Jeffries wrote:
> > we use squid 3.4.9 as proxy for our company with ipv4 and ipv6
> > dual stack. It works good, but if a destination has an A and
> > record and the webserver isn't reachable via ipv6, squid generates
> > an error p
Hello,
we use squid 3.4.9 as proxy for our company with ipv4 and ipv6 dual
stack.
It works good, but if a destination has an A and record and the
webserver isn't reachable via ipv6, squid generates an error page
instead of trying a connection via ipv4.
One example is the url:
https://ssl.ra
Hi Steve,
On Fri, Oct 31, Steve Hill wrote:
> This is probably not a problem with Squid, but I'm posting here in the
> hope that someone may have more clue than me when it comes to SSL :)
...
> If I force openssl into TLS1 mode (with the -tls1 argument) then it
> works fine. TLS 1.1 and 1.2 bo