[squid-users] R: Problem with Squid 3.4.4 and NTLM authentication

2016-01-06 Thread Job
Hello Amos and thank you! >> since i upgraded two Squid proxy servers to the Squid-3.4.4 versions, we >> have some huge bottleneck with authenticated ntlm (old style!) users. >> If i disable authentication and enable per-ip surf, it works fine. >From what earlier version? I did upgrade from the

[squid-users] Problem with Squid 3.4.4 and NTLM authentication

2016-01-05 Thread Job
Hello, since i upgraded two Squid proxy servers to the Squid-3.4.4 versions, we have some huge bottleneck with authenticated ntlm (old style!) users. If i disable authentication and enable per-ip surf, it works fine. Please note that squid process raise up to 100%. Here is my auth ntlm configur

[squid-users] Strange problem with italian educational website

2015-11-30 Thread Job
Hello, i am writing because, with Squid 3.4.4 (i use it in production), i cannot use a website (used in Schools!): http://bandidgstudente.it/it/home-page/ I have lots of server-side errors, and i thought it was a problem with remote webserver. If i disable transparent proxy and i nat connectio

[squid-users] R: Squid 100% CPU and possible attack

2015-10-28 Thread Job
cesco From: Job Sent: Monday, 26 October 2015 13.49 To: Amos Jeffries; squid-users@lists.squid-cache.org Subject: R: [squid-users] Squid 100% CPU and possible attack Hello Amos! >Something that would cause a machine to make lots of HTTP requests. >You have provide

[squid-users] R: Squid 100% CPU and possible attack

2015-10-26 Thread Job
Hello Amos! >Something that would cause a machine to make lots of HTTP requests. >You have provided almost no information about the network, it >configuration, or uses etc. Having eliminated the usual problem(s) it is >a waste of time to guess. I have investigated better about the problem that bri

[squid-users] R: Squid 100% CPU and possible attack

2015-10-23 Thread Job
>>That looks like the side effects of a forwarding loop DoS. Look for the >>following line in your squid.conf and remove it: >> via off Hello Amos! I do not have via off in my squid.conf, so i think it is set to on, default value. Otherwise, i redirect outbound http/80 to the internal 8080 on

[squid-users] R: Squid 100% CPU and possible attack

2015-10-23 Thread Job
xy to this destination IP and address. 100% CPU in many cases is not something odd but you can try fail2ban with a special rule to block this client in the iptables of the machine (if this is a linux..) Eliezer On 23/10/2015 00:43, Job wrote: > Hello, > > sometimes, for about half an ho

[squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Job
Hello, sometimes, for about half an hour, our Squid becomes unstable and, by typing "top -s", Squid is taking the 100% of the CPU. In Squid's access.log, i see lots of entries like this: "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:808

[squid-users] SSL Bump and error 14090086

2015-10-08 Thread Job
Hello, i have only this problem actually, finally interception works. But in logs, when i access a Https website, i see: fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0) WARNING: ssl_crtd #Hlp

[squid-users] R: R: SSL Bump and NF getsockopt failed

2015-10-07 Thread Job
Hi Amos! Resolved: in squid.conf i have to write ip:port instead of :port. As example, 192.168.10.254:3129 works with interception. Only with :3129 it does not work! Francesco From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Job

[squid-users] Error on negotiating SSL connection

2015-10-07 Thread Job
Hello, i can intercept SSL Bumped connection actually. But in squid logs i have this error, and clients display a squid error page. These are the logs: fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest al

[squid-users] R: SSL Bump and NF getsockopt failed

2015-10-05 Thread Job
Hello Amos! >The connection arriving at Squid does not have any NAT records in the >Squid machine kernel. >It is mandatory that NAT be done on the Squid machine. Not on some >remote router (aka CPE "port-forwarding"). The iptables gateway is in the same machine where Squid+SSL bump run. Our tr

[squid-users] R: Cache_dir NULL

2015-10-05 Thread Job
Hello Amos! >> i was trying the "null" storage module in Squid 3.4.x. >It does not exist. excuse me for my misunderstanding: i was referring to this for the "null module". Is it right? Can I make Squid proxy only, without caching anything? Sure, there are few things you can do. You can use the ca

[squid-users] SSL Bump and NF getsockopt failed

2015-10-02 Thread Job
Hello, i have enabled SSL Bump with certificates, i redirect the 443 on the 3129 port of my Squid server but https sites are not accessible anymore and i can see these errors in logs: ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx The section regarding SSL Bump in squid.con

[squid-users] Cache_dir NULL

2015-10-02 Thread Job
Hello, i was trying the "null" storage module in Squid 3.4.x. I have some systems with huge users and with high traffic peaks especially during the morning. We use Squid to filter internet traffic. Do you think that enabling the cache_dir null will give us better performances and less system u

[squid-users] R: SSL Peek and Splice

2015-10-01 Thread Job
...@gmail.com] Sent: Thursday, 1 October 2015 13.29 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL Peek and Splice 01.10.15 17:26, Job wrote: > Hello, > > by reading the 3.5 Squid version "Peek and splice" features: > http://wiki.squid-cache.org/Features/SslPee

[squid-users] SSL Peek and Splice

2015-10-01 Thread Job
Hello, by reading the 3.5 Squid version "Peek and splice" features: http://wiki.squid-cache.org/Features/SslPeekAndSplice i would like to ask you two questions, please: 1. in this implementation, i have to install the selfmade Certification Authority as for SSL Bump? 2. how can i block domain (

[squid-users] R: Blocking hotshield vpn

2015-02-06 Thread Job
Hello Yuri! >>Only before Squid - using Cisco or something like. >>Either Cisco acl's, or NBAR protocol discovery. is there a way to implement a sort of layer 7 for hotshield vpn (or ultrasurf) working on Linux? Thank you again! Francesco ___ squid-us

[squid-users] Blocking hotshield vpn

2015-02-05 Thread Job
Hello, is there a way to block Hot Shield VPN with Squid, maybe in conjunction with something else? I made some tries but it seems very difficult to block with Squid+Iptables. Thank you, best best regards! Francesco ___ squid-users mailing list squid-u

[squid-users] R: R: R: Problem with Squid 3.4 and transparent SSL proxy

2014-11-13 Thread Job
exist with interception and ssl bump? Or i have to duplicate configurations of host and ports in squid.conf? Thank you again, Francesco From: Amos Jeffries [squ...@treenet.co.nz] Sent: Thursday, 13 November 2014 5.51 To: Job; squid-users@lists.squid-cach

[squid-users] R: R: Problem with Squid 3.4 and transparent SSL proxy

2014-11-12 Thread Job
iptables rule is wrong? Thank you! Francesco From: Amos Jeffries [squ...@treenet.co.nz] Sent: Wednesday, 12 November 2014 4.25 To: Job; squid-users@lists.squid-cache.org Subject: Re: R: [squid-users] Problem with Squid 3.4 and transparent SSL proxy -BEGIN

[squid-users] R: Problem with Squid 3.4 and transparent SSL proxy

2014-11-11 Thread Job
>That means in your case avoid directly connecting to the intercepting >port. Connect to port 80/443 on some Internet server instead and see if >the packets are properly delivered through Squid. >Also, avoid telnet for the 443 tests. Use an HTTPS client. Hello Amos and thank you, first of all. I

[squid-users] Problem with Squid 3.4 and transparent SSL proxy

2014-11-11 Thread Job
details? Eliezer On 11/11/2014 04:20 PM, Job wrote: > Hello, > > i initialize correctly SSL Bump with Squid 3.4.4, following some > guides. In iptables i redirect 80 and 443 ports to squid ports. > > Squid starts with no error, lines involving SSL bump are the > followin

[squid-users] Problem with Squid 3.4 and transparent SSL proxy

2014-11-11 Thread Job
Hello, i initialize correctly SSL Bump with Squid 3.4.4, following some guides. In iptables i redirect 80 and 443 ports to squid ports. Squid starts with no error, lines involving SSL bump are the following: http_port 3128 intercept https_port 3129 intercept ssl-bump generate-host-certificates=o

[squid-users] Filtering keywords on google search

2014-10-25 Thread Job
Hello, since Google switched definitely on SSL connection it seems there is no way to filter semantic (with dansguardian, squidguard or squid). SSL Bump can help in this case, both on explicit or transparent proxying? Is there another way to filter searches (and image searches!)? Thank you! France

[squid-users] Squid in captive portal and reconfigure

2014-10-21 Thread Job
Hello, integrating squid in a captive portal environment, i have to setup different profiles in order to apply restrictions dynamically. The squid -k reconfigure kill active sessions/connections? I tried when downloading a file, it stops for one/two seconds and then continues download, but i