Re: Contents of squid-users digest...
>
>
> Today's Topics:
>
> 1. block visit 80/443 browsing via IP(no domain name) (Gordon Hsiao)
> 2. Re: block visit 80/443 browsing via IP(no domain name)
>    (Amos Jeffries)
>
>
> -
Is there a way to block any attempt to visit http/https by _any_ IP
directly, i.e.
http://my-IP or https://my-IP (yes, this will most likely give a warning
for SSL). Here my-IP could be any IPv4 address, for example.
Basically I want Squid to enforce that all 80/443 access be done
via a
I'm running Squid 4.1 in interception peek+splice mode.
Some sites with HSTS (max-age=0) will not work whenever Squid is on. HSTS
max-age=0 is supposed to turn off HSTS, but Chrome/Firefox will keep
redirecting https<-->http until it fails (too many redirects). Once Squid
is removed all is good.
I als
http://www.squid-cache.org/Versions/v4/cfgman/host_verify_strict.html
looks like squid did handle this already.
On Sat, Jul 21, 2018 at 4:10 PM Gordon Hsiao wrote:
> I just read "RFC 2616 compliant proxy will rewrite the Host header making
> it impossible to do domain fronting o
I just read "RFC 2616 compliant proxy will rewrite the Host header making
it impossible to do domain fronting over HTTP or where SSL/TLS interception
is taking place", also checked the RFC 2616 page at the Squid site; it is unclear
to me whether Squid can enforce Host-header consistency with SNI to avoid
d
uss...@measurement-factory.com> wrote:
> On 07/16/2018 05:08 PM, Gordon Hsiao wrote:
> > On a x86/64bit ubuntu machine if I set 'workers 4' and run:
>
> > squid --foreground -f /etc/squid.conf 2>&1 |grep mlock
> > mlock(0x7f2e5bfb2000, 8)= 0
>
y question is that, is this mlock file-backed-up or
is it anonymous mmapped (in this case on Linux it will use /dev/shm by
default)?
Thanks a lot,
Gordon
On Mon, Jul 16, 2018 at 11:58 AM Alex Rousskov <
rouss...@measurement-factory.com> wrote:
> On 07/15/2018 08:47 PM, Gordon Hsiao wrote:
After increasing shared memory (/dev/shm on Linux), it does not help; I still
don't know why mlock fails, or how much memory it needs to mlock to avoid
failing.
On Sun, Jul 15, 2018 at 9:47 PM Gordon Hsiao wrote:
> Just upgraded squid to 4.1, however if I enabled shared_memory_locking I
>
Just upgraded squid to 4.1, however if I enabled shared_memory_locking I
failed to start squid:
"FATAL: shared_memory_locking on but failed to
mlock(/squid-tls_session_cache.shm, 2101212): (12) Out of memory"
How do I know how much memory it is trying to mlock? Is 2101212 (~2MB) the
shm size of no
>
>Em 09/07/18 20:45, Gordon Hsiao escreveu:
>>
>> Assuming I need _absolutely_ no cache what-so-ever(to the point to
>> change compile flags to disable that,
I noticed my Squid doubles its memory usage even though I had:
cache deny all
cache_mem 0 MB
access_log none
Assuming I need _absolutely_ no cache whatsoever (to the point of changing
compile flags to disable that, if needed), no store-to-disk either, i.e.
no objects need to be cached at all. I j
>
> Date: Wed, 27 Jun 2018 11:55:29 -0500
> From: Gordon Hsiao
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] http_port vs https_port
> Message-ID:
> <
> cak0ifyxx6_jyme1hdsdsvoof5_pbmevoatavnbzh56uljni...@mail.gmail.com>
> Content
Still reading all the options, noticed dns_packet_max is off by default. My
squid uses dnsmasq, that has EDNS on by default and it "defaults to 4096,
which is the RFC5625-recommended size"
In this case what will happen then? dnsmasq may receive EDNS up to 4K,
which squid by default only takes 512B
>
> On 27/06/18 16:29, Dieter Bloms wrote:
> > Hello,
> >
> > On Tue, Jun 26, Gordon Hsiao wrote:
> >
> >> checked the manual it seems I can only set dnsserver with a new IP, is
> it
> >> possible to make squid support non-st
Reading all the cfg options in Squid 3.5 I noticed http_port has lots of
SSL-related options (which it should not), plus https_port is referring to
http_port for those options, should http_port have nothing to do with
ssl-specific options and those ssl-options could be better moved to
https_port sec
Does it exist somewhere? I just noticed this option in 3.5, but Google does not
show any location I can fetch it from the way a typical ca-bundle is.
Gordon
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squi
Checked the manual; it seems I can only set dnsserver with a new IP. Is it
possible to make Squid support a non-standard DNS port, e.g. 5353?
Thanks,
Gordon
Assuming I allow a domain to pass in ACL, but deny it in my redirector,
which one will work?
Also, assuming I deny a domain in squid.conf, but allow it in the
redirector, which one will take precedence?
Will there be a difference for the above when peek+splice / peek+bump is
used?
Thanks,
Gordo
Squid 4 has been released for quite a while; when will it be production
ready, or is there any rough timeline on the horizon?
Some little features are attractive, such as automatic intermediate CA
download.
On another note, it would be great if someone can update the Squid book on
3.5/4.x, especially on ssl-bum
>
> On 25/06/18 14:59, Gordon Hsiao wrote:
> > On 25/06/18 05:15, Gordon Hsiao wrote:
> > > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I
> noticed
> > > redirectors are way ahead of ssl-bump in the callout order, in a
> > >
>
> On 25/06/18 05:15, Gordon Hsiao wrote:
> > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> > redirectors are way ahead of ssl-bump in the callout order, in a
> > https-ssl-bump case
>
> There is not really any "https-ssl-bump" c
At https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
redirectors are way ahead of ssl-bump in the callout order, in a
https-ssl-bump case you will need ssl-bump to run (so you can get full URL
for example), then you can run redirector based on the result of ssl-bump,
correct? why is