Re: [squid-users] Authentication of Domain PC

2025-02-18 Thread Marcus Kool
ufdbGuard supports filtering based on a dynamically updated list of hostnames (with the execdomainlist feature). See the Reference Manual at https://www.urlfilterdb.com for more information. Marcus On 18/02/2025 08:12, Cursed Boss wrote: thanks for the response any idea which helper could do

Re: [squid-users] urlfilterdb.com

2024-06-01 Thread Marcus Kool
I am not :-) On 01/06/2024 06:24, Jonathan Lee wrote: Marcus are you the same guy that does the pfSense Squid GUI package interference code?? Sent from my iPhone On May 30, 2024, at 01:38, Marcus Kool wrote: Not sure if this message was meant for the Squid mailing list but for those who

Re: [squid-users] urlfilterdb.com

2024-05-30 Thread Marcus Kool
Not sure if this message was meant for the Squid mailing list but for those who are interested, the DNS provider had an issue with DNSSEC resigning and all is well now. Marcus On 28/05/2024 15:23, Anton Kornexl wrote: Hello, since two days the domain urlfilterdb.com is not resolved to an IP

Re: [squid-users] Squid as an education tool

2024-02-09 Thread Marcus Kool
Hi Eliezer, I am not aware of a tool that has all functionality that you seek so you probably have to make it yourself. I know that you are already familiar with ufdbGuard for Squid to block access, but you can also use ufdbGuard for temporary access by including a time-restricted whitelist in t

Re: [squid-users] Counting unique devices connected to squid proxy

2023-01-19 Thread Marcus Kool
The squid log file contains the IP address of clients and could be a good field to use for counting users.  But a NAT shows 1 IP for all users behind the NAT... Marcus On 19/01/2023 15:48, Ben Goz wrote: By the help of God. Hello, I have a certain task to count the number of unique devices c

Re: [squid-users] Squid performance recommendation

2022-09-21 Thread Marcus Kool
On 20/09/2022 20:52, Pintér Szabolcs wrote: Hi squid community, I need to find most best and sustainable way to build a stable High Availability squid cluster/solution for about 40k user. Parameters: I need HA, caching(little objects only not like big windows updates), scaling(It is just sec

Re: [squid-users] The status of AIA ie: TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ?

2022-02-05 Thread Marcus Kool
I would have expected that the remote host ip:port and sni would be logged as well in the above mentioned line. SNI is one of the details TLS/1.3 encrypts now  :( To prevent misunderstandings, TLS 1.3 does not encrypt the SNI. See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni :

Re: [squid-users] problem in squid log

2021-11-09 Thread Marcus Kool
Hi, I am the author of ufdbGuard and ufdbGuard supports Squid 5.x The SARG error in access.log has nothing to do with ufdbGuard. On 09/11/2021 08:45, Majed Zouhairy wrote: hmmm, this started happening after the last squid update.. i just noticed it is now version 5.2 i have ufdbguard but i do

Re: [squid-users] How to pass TeamViewer traffic

2021-10-23 Thread Marcus Kool
sslbump can be used in peek+splice and peek+bump modes. Depending on what Squid finds in the peek (e.g. a teamviewer FQDN) Squid can decide to splice (not interfere) the connection. Below is an example. Marcus # TLS/SSL bumping definitions acl tls_s1_connect at_step SslBump1 # define acl

Re: [squid-users] Squid domain block feature is at DNS level ?

2021-07-20 Thread Marcus Kool
DNS over HTTPS is used for privacy and also to circumvent filters. If one wants to filter websites, one must block /all/ filter circumvention techniques as well (or the filter is useless). shameless plug: the URL database of URLfilterDB has a category dnsoverhttps which can be used to block DN

Re: [squid-users] ACL matches when it shouldn't

2020-10-02 Thread Marcus Kool
Of course this script is sluggish since it reads many category files and forks at least 3-6 times. If you *really* want to implement this with a perl script, it should read all files at startup and the script does a lookup using perl data structures. But I suggest to look at ufdbGuard which is

Re: [squid-users] filter NONE/000 NONE error:transaction-end-before-headers

2020-07-28 Thread Marcus Kool
bugs.squid-cache.org is not working now, but I think this is bug 4906. Marcus On 2020-07-28 15:01, Alex Rousskov wrote: On 7/28/20 5:38 AM, ama...@tin.it wrote: thank for your suggestion. That specific suggestion was not mine :-) For free Squid support, please keep the conversation on squi

Re: [squid-users] Squid and cross-signed certificates

2020-05-31 Thread Marcus Kool
yes, I have seen this with Squid _with_ ssl_bump.  In trying to resolve the issue I also upgraded to Squid 4.11, removed the certificate cache and still had messages that the certificate expired on May 30 2020.  Doublechecked all certificates but none has this expiry date. We have a wildcard cer

Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-18 Thread Marcus Kool
Amos, The latest version of Squid is 4.10.  Do you mean "fixed in 4.10" instead of "fixed in 4.8" ? Thanks, Marcus On 18/04/2020 14:10, Amos Jeffries wrote: __ Squid Proxy Cache Security Update Advisory SQUID-2019:4

Re: [squid-users] [ext] Re: Squid and DoH

2020-03-02 Thread Marcus Kool
On 02/03/2020 08:46, Ralf Hildebrandt wrote: * Andrea Venturoli : On 2020-02-29 14:17, Matus UHLAR - fantomas wrote: I guess DoH means dns over https and thus needs sslbump enabled.  the easy but limited way would be to disable connections to publicly available DoH servers. Thanks. Is someone

Re: [squid-users] Unable to limit bandwidth (squid 4.7.2 )

2019-07-31 Thread Marcus Kool
On Linux you can use iptables to do qos and make sure that a single connection does not consume all bandwidth. Marcus On 30/07/2019 10:22, Service MV wrote: Just to explain clearly, my goal is that no user of my LAN can download more than 15 megabits/s, because some downloads consume me 100

Re: [squid-users] Replace SquidGuard with ufdbguard : configuration examples ?

2019-03-18 Thread Marcus Kool
The ufdbGuard source files and packages have an example config file. If you have a ufdbGuard-specific issue I suggest to use the list of ufdbGuard or go directly to the support desk of URLfilterDB. Marcus On 18/03/2019 06:39, Nicolas Kovacs wrote: Hi, I've been running the Squid + SquidGuar

Re: [squid-users] attempting to disable (or mute) logs

2019-03-13 Thread Marcus Kool
I think you are suffering from this bug: https://bugs.squid-cache.org/show_bug.cgi?id=4906 Marcus On 13/03/2019 10:09, Joey Officer wrote: I’m running a squid instance in AWS behind a network load balancer.  As part of the health checks, at least that’s what I believe, we’re seeing this log

Re: [squid-users] icap not answering

2019-03-03 Thread Marcus Kool
Squid is an ICAP client, not an ICAP server!, and does not respond on port 1344. Marcus On 02/03/2019 22:29, steven wrote: Hi, i would like to do modifications on https connections and therefore enabled ssl bump in squid 4.4, now i would like to see the real traffic and icap looks like a way

Re: [squid-users] Sslbump with multiple users and multiple ACLs for each

2019-01-03 Thread Marcus Kool
ufdbGuard supports blacklists, whitelists, large numbers of whitelists, users and acls. The configuration file is intuitive and if the Reference Manual does not explain everything, one can also write to the support desk of URLfilterDB or the ufdbguard mailing list. Just for the record, I am b

Re: [squid-users] Sslbump with multiple users and multiple ACLs for each

2019-01-03 Thread Marcus Kool
For those who do not know it yet: ufdbGuard is free. ufdbGuard supports user-defined URL databases, 3rd party plain-text URL databases, and a commercial database from www.urlfilterdb.com. Marcus On 03/01/2019 13:45, Benjamin E. Nichols wrote: Why are you asking support questions about a comm

Re: [squid-users] Whitelisting youtube

2018-12-29 Thread Marcus Kool
*From:* squid-users *On Behalf Of* Marcus Kool *Sent:* Friday, December 28, 2018 12:14 *To:* squid-users@lists.squid-cache.org *Subject:* Re: [squid-users] Whitelisting youtube Wolfgang, why don't you stop using squidguard which has

Re: [squid-users] Whitelisting youtube

2018-12-28 Thread Marcus Kool
Wolfgang, why don't you stop using squidguard which has no support for 5+ years and switch to ufdbGuard? ufdbGuard is regularly maintained and has a Reference Manual that explains what and how to whitelist domains. Marcus On 28/12/2018 07:18, Wolfgang Paul Rauchholz wrote: Problem staqtemen

Re: [squid-users] access_log acls

2018-11-28 Thread Marcus Kool
On Wed, Nov 28, 2018 at 12:24:30PM +0100, Matus UHLAR - fantomas wrote: > On 27.11.18 15:04, Marcus Kool wrote: > > 4.5 would be nice.  4.6 would also be nice. > > OK, I will rephrase my question: which squid version do you find this in? This issue was found in Squid 4.3 > &g

Re: [squid-users] access_log acls

2018-11-27 Thread Marcus Kool
4.5 would be nice.  4.6 would also be nice. On 27/11/2018 14:47, Matus UHLAR - fantomas wrote: On 11/27/18 5:21 AM, Marcus Kool wrote: logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %ha acl src_lb src 10.2.2.254/32 acl src_lb src 10.2.2.107/32 access_log stdio:/l

Re: [squid-users] access_log acls

2018-11-27 Thread Marcus Kool
On 27/11/2018 13:58, Alex Rousskov wrote: On 11/27/18 5:21 AM, Marcus Kool wrote: logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %ha acl src_lb src 10.2.2.254/32 acl src_lb src 10.2.2.107/32 access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb access_

[squid-users] access_log acls

2018-11-27 Thread Marcus Kool
I have an issue with access_log acls when a load balancer sends a TCP probe. The goal is to not log errors caused by the TCP probes of the load balancer.  All other errors must be logged. I did a test with the following acls on one of our test systems to illustrate the issue: logformat combha

Re: [squid-users] bank blocked

2018-10-31 Thread Marcus Kool
When there is an issue with a certificate, it is good practice to go to ssllabs to verify what is going on. https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest shows that there is an incomplete certificate chain issue (in orange) which means that the server

Re: [squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

2018-10-19 Thread Marcus Kool
On 19/10/18 14:09, Alex Rousskov wrote: On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote: On 10/19/2018 02:01 AM, Amish wrote: Looks like ssl_bump is going to break once ESNI and Encrypted DNS are universal. (Of course it may be few years away) Probably only way out to detect the domain n

Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-24 Thread Marcus Kool
The sub-thread starts with "do not use the url rewriter helper because of complexity" and ends with that the (not less complex) external acl helpers are fine to use. And in between there is an attempt to kill the URL rewriter interface. It would be a lot less confusing if you started with someth

Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-20 Thread Marcus Kool
On 20/09/18 08:46, Amos Jeffries wrote: On 19/09/18 11:49 PM, Marcus Kool wrote: On 18/09/18 23:03, Amos Jeffries wrote: On 19/09/18 1:54 AM, neok wrote: Thank you very much Amos for putting me in the right direction. I successfully carried out the modifications you indicated to me

Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-19 Thread Marcus Kool
On 18/09/18 23:03, Amos Jeffries wrote: On 19/09/18 1:54 AM, neok wrote: Thank you very much Amos for putting me in the right direction. I successfully carried out the modifications you indicated to me. Regarding ufdbGuard, if I understood correctly, what you recommend is to use the ufdbConver

Re: [squid-users] Squid fails to bump where there are too many DNS names in SAN field

2018-09-04 Thread Marcus Kool
On 04/09/18 11:20, Amos Jeffries wrote: On 4/09/18 7:33 PM, Ahmad, Sarfaraz wrote: With debug_options ALL,9 and retrieving just this page, I found the following relevant loglines (this is with an explicit CONNECT request) , ... skip TLS/1.2 clientHello arriving Later on after about 10 s

Re: [squid-users] Squid + Squidguard Youtube URL video filtering

2018-08-17 Thread Marcus Kool
URL video "https://www.youtube.com/embed/ff9sDLGtnK8?rel=0&showinfo=0". How should I set the DNS entries please? Regards, 2018-08-17 9:51 GMT-03:00 Marcus Kool : OP asked about blocking Youtube but allowing a single Youtube video. How would you do that with a couple of DNS entries ?

Re: [squid-users] Squid + Squidguard Youtube URL video filtering

2018-08-17 Thread Marcus Kool
lot less effort by simply adding a couple dns entries for Googles safesearch servers. #justsayin Signed, Benjamin E. Nichols Founder &  Chief Architect http://www.squidblacklist.org 1-405-301-9516 Original message From: Marcus Kool Date: 8/16/18 7:53 PM (GMT-06:00) To: s

Re: [squid-users] Squid + Squidguard Youtube URL video filtering

2018-08-16 Thread Marcus Kool
yes, with ufdbguard you put youtube.com/watch?v=VIDEOID in a urls file and create a URL table with ufdbGenTable. ufdbGenTable adds many URLs automagically, i.e. youtube.com/embed/VIDEOID youtube.com/get_video_info?video_id=VIDEOID ytimg.googleusercontent.com/vi/VIDEOID and many more.

Re: [squid-users] squid 4.1 default queue-size should consider concurrency

2018-07-03 Thread Marcus Kool
-size may need adjustment Thanks Marcus On 03/07/18 17:50, Alex Rousskov wrote: On 07/03/2018 10:52 AM, Marcus Kool wrote: I do like to see better documentation for the new queue-size option. Including your one-liner in squid.conf.documented is enough for me. I wish it were that simple! For

Re: [squid-users] squid 4.1 default queue-size should consider concurrency

2018-07-03 Thread Marcus Kool
On 03/07/18 12:54, Alex Rousskov wrote: On 07/03/2018 08:19 AM, Marcus Kool wrote: If you think Squid should use a different default for all or some helper categories, please post a proposal that documents pros and cons and justifies the change. The URL above can be used as your guide to

Re: [squid-users] squid 4.1 default queue-size should consider concurrency

2018-07-03 Thread Marcus Kool
Thanks for the clarification. The squid.conf.documented file says The queue-size=N option sets the maximum number of queued requests to N. which, for me at least, is hard to translate into maximum number of requests buffered because no helper can accept it. On 03/07/18 13:09, Alex Roussko

Re: [squid-users] squid 4.1 default queue-size should consider concurrency

2018-07-03 Thread Marcus Kool
. My proposal of higher of (2*NCONC) and (2*NCHILD) would mean that load is now regularly high enough that at least 2 more children are needed. We can start with that and then find a better formula. Amish On Tuesday 03 July 2018 07:49 PM, Marcus Kool wrote: The original intention of this default

Re: [squid-users] squid 4.1 default queue-size should consider concurrency

2018-07-03 Thread Marcus Kool
The original intention of this default value is have a queue that is twice the size of the messages being processed, so for helpers with concurrency=NCONC and num_children=NCHILD it makes a lot of sense to set the default queue length to 2*NCONC*NCHILD. I do not understand that "compatibility" wi

Re: [squid-users] Squid and systemd

2018-06-13 Thread Marcus Kool
I have seen systemd killing daemons when it times out waiting for the pid file to appear. I suggest to doublecheck that the pid filename in the service file and in squid.conf are the same. Marcus On 13/06/18 09:27, James Lay wrote: WellI'll just say up front that systemd is not my friend.

Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Marcus Kool
I do not block my Kaspersky AV. Do you want the Kaspersky software contact the servers of Kaspersky ? On 17/05/18 09:30, Vacheslav wrote: Yeah all that I know, The million dollar question is should I continue blocking it? -Original Message- From: squid-users On Behalf Of Marcus Kool

Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Marcus Kool
195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165). ufdbguardd blocks this IP address since it is configured to do so which is indicated by 'https-option', most likely because the config has option enforce-https-with-hostname on # default is off. Marcus On 17/05/18 08

Re: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

2018-05-15 Thread Marcus Kool
The proxies that I used for the test have Squid 4.0.22 and Squid 4.0.23. Marcus On 15/05/18 15:40, Amos Jeffries wrote: On 16/05/18 01:32, Marcus Kool wrote: pcmag.com also does not load here, although my config parameters are slightly different. The certificate is indeed huge... Do you have

Re: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

2018-05-15 Thread Marcus Kool
pcmag.com also does not load here, although my config parameters are slightly different. The certificate is indeed huge... Do you have ERROR: negotiating TLS on FD NNN: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0) or other errors in cache.log ? M

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Marcus Kool
On 14/03/18 10:55, Nicolas Kovacs wrote: On 14/03/2018 at 14:46, Marcus Kool wrote: ufdbGuard is the tool that you need. It is an old fork of ufdbGuard with many new features, very good performance and it has regular maintenance. If you have a question, you can ask the support desk at

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Marcus Kool
ufdbGuard is the tool that you need. It is an old fork of ufdbGuard with many new features, very good performance and it has regular maintenance. If you have a question, you can ask the support desk at www.urlfilterdb.com. You will get an answer from me or a colleague. Marcus On 14/03/18 09:39

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Marcus Kool
"SSL bump" is the name of a complex Squid feature. With ssl_bump ACLs one can decide which domains can be 'spliced' (go through the proxy untouched) or can be 'bumped' (decrypted). Interception is not a requirement for SSL bump. Marcus On 13/03/18 11:44, Danilo V wrote: I mean SSL bump in exp

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-13 Thread Marcus Kool
On 13/11/17 10:46, Bike dernikov1 wrote: On Mon, Nov 13, 2017 at 12:15 PM, Marcus Kool wrote: On 13/11/17 07:46, Bike dernikov1 wrote: are you saying that you have cache_mem 14G If yes, you should read the memory FAQ and reduce this. 'cache_mem 14G' explains that Squid sta

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-13 Thread Marcus Kool
On 13/11/17 07:46, Bike dernikov1 wrote: are you saying that you have cache_mem 14G If yes, you should read the memory FAQ and reduce this. 'cache_mem 14G' explains that Squid starts 'small' and grows over time. For our case, what do you recommend. 10GB or even lower ? Plan reading today

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-10 Thread Marcus Kool
On 10/11/17 12:11, Bike dernikov1 wrote: On Thu, Nov 9, 2017 at 5:13 PM, Marcus Kool wrote: On 09/11/17 11:04, Bike dernikov1 wrote: [snip] Memory consumption: squid use largest part of memory (12GB now, second proces use 300MB memory), 14GB used by all process. So squid use over 80% of

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-09 Thread Marcus Kool
disk caching. Thanks for help, Marcus Thanks for help, On Wed, Nov 8, 2017 at 10:53 AM, Marcus Kool wrote: There is definitely a problem with available memory because Squid cannot fork. So start with looking at how much memory Squid and its helpers use. Do you have other processes on this s

Re: [squid-users] squid and squidGuard redirect

2017-11-08 Thread Marcus Kool
Hi Vieri, I suggest to replace squidGuard with ufdbGuard. Then you can set ufdb-debug-filter 1 or ufdb-debug-filter 2 # very verbose in ufdbGuard.conf and see exactly what happens. Note that squidguard has no maintenance for over 5 years and ufdbGuard has regular maintenance. Marcus O

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-08 Thread Marcus Kool
ly this is not the issue. When Squid cannot fork the helpers, helper settings do not matter much. For 2500 users you probably need 32-64 squidguard helpers. Marcus Thanks for help, On Wed, Nov 8, 2017 at 10:53 AM, Marcus Kool wrote: There is definitely a problem with available memory bec

Re: [squid-users] SQUID memory error after vm.swappines changed from 60 to 10

2017-11-08 Thread Marcus Kool
There is definitely a problem with available memory because Squid cannot fork. So start with looking at how much memory Squid and its helpers use. Do you have other processes on this system that consume a lot of memory ? Also note that ufdbGuard uses less memory than squidGuard. If there are 30 he

Re: [squid-users] can't block streaming

2017-11-03 Thread Marcus Kool
It is not clear what exactly you want to achieve. Block everything from youtube ? Amos told you that squidGuard is not maintained for many years but forgot to mention that ufdbGuard does the same thing and has regular updates. ufdbGuard has a feature to block a set of Youtube videos identified b

Re: [squid-users] Compiling with OpenSSL Support

2017-10-15 Thread Marcus Kool
wrote: I installed this package to resolve this: libssl1.0-dev why not libssl-dev? On 13.10.17 15:16, Marcus Kool wrote: Debian 9 has openssl 1.1.x while most platforms have older versions. that means, you should use libssl-dev unless you know squid can't compile with openssl-1.1 Opens

Re: [squid-users] Compiling with OpenSSL Support

2017-10-13 Thread Marcus Kool
Debian 9 has openssl 1.1.x while most platforms have older versions. I noticed myself when I ported ufdbGuard to Debian 9 that openssl 1.1.x has many changes in the API. Marcus On 13/10/17 13:19, Sérgio Abrantes Junior wrote: Hello, I installed this package to resolve this: libssl1.0-dev 20

Re: [squid-users] Upper limit on the number of regular expressions in url_regex?

2017-08-09 Thread Marcus Kool
On 09/08/17 05:15, Ralf Hildebrandt wrote: * Marcus Kool : I have only seen regex failing with such short RE on AIX. what is your OS, distro, CPU and lib version ? Ubuntu Linux LTS 16.04 (xenial) x86_64 (amd64) I guess you mean libc: ii libc6:amd642.23-0ubuntu9

[squid-users] debugging ssl-bump

2017-07-18 Thread Marcus Kool
I am trying to debug ssl-bump and am looking specifically for decisions that Squid takes with regard to bumping, splicing and unsupported protocol. The config file for Squid 4.0.21 has debug_options ALL,1 33,9 83,9 http_port 10.10.10.1:3230 ssl-bump ... acl tls_is_skype ssl::server_na

Re: [squid-users] YouTube Videos rating lists

2017-07-08 Thread Marcus Kool
Hi Eliezer, what is the analyzer looking at? Does it detect gambling and support other languages than English ? Thanks Marcus On 08/07/17 18:47, Eliezer Croitoru wrote: Hey All, I have been working for quite some time on a basic YouTube videos filtering integration into SquidBlocker. I have a v

Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

2017-05-25 Thread Marcus Kool
If you use foxyproxy for firefox, you can use switchysharp for Chrome. Marcus On 25/05/17 09:00, j m wrote: Thought I'd try getting this to work in Chrome too. NOTHING I try makes it work in Chrome. Isn't running this from the Windows command line supposed to work? chrome --proxy-server=h

Re: [squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

2017-05-18 Thread Marcus Kool
You have not stated which version of Squid you are using but my guess is that it is 3.5.x. facebook app and other apps use port 443 but do not use HTTPS and therefore Squid does not know how to bump it and consequently the app does not work. What you need is the not yet stable Squid 4.0 and use the

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2017-05-04 Thread Marcus Kool
Hi Edouard, To block GET https://www.example.com/foo.html and to pass CONNECT www.example.com you need a) squid with ssl-bump in peek+bump mode b) ufdbGuard ufdbGuard can skip the CONNECT and waits for the GET request which can be blocked without browser errors. Since ssl-bump is not easy it i

Re: [squid-users] URL sometimes reurns empty response

2017-05-02 Thread Marcus Kool
Looks like MS uses multiple servers for msftconnecttest.com and that they send different content. On 02/05/17 08:59, Ralf Hildebrandt wrote: In some cases, our proxies (got 4 of them) return a empty result when querying "http://www.msftconnecttest.com/ncsi.txt" (which is used by Microsoft Brwo

Re: [squid-users] blocking or allowing specific youtube videos

2017-03-21 Thread Marcus Kool
ufdbGuard is a URL filter which given the input www.youtube.com/watch?v=XX blocks the following URLs: www.youtube.com/watch?v=XX www.youtube.com/embed/XX www.youtube.com/get_video_info?video_id=XX ytimg.googleusercontent.com/vi/XX/ i.ytimg.

Re: [squid-users] SMP and AUFS

2017-03-19 Thread Marcus Kool
The root cause of why admins configure SMP + [A]UFS is the lack of good documentation. A few lines in the wiki and squid.conf.documented should be enough. Marcus On 19/03/17 06:11, Eliezer Croitoru wrote: I think that some warning message like "WARNING: be sure you know that UFS\AUFS doesn'

[squid-users] ufdbGuard 1.33.1 is released

2017-03-17 Thread Marcus Kool
maintained, uses less resources and has more features than squidGuard. ufdbGuard can be downloaded from https://sourceforge.net and https://www.urlfilterdb.com Marcus Kool author of ufdbGuard ___ squid-users mailing list squid-users@lists.squid

Re: [squid-users] Data usage reported in log files

2017-03-10 Thread Marcus Kool
On 10/03/17 16:27, Yosi Greenfield wrote: Thanks! Netflow is much larger. I really want to know exactly what site is costing my users data. Many of our users are on metered connections and are paying for overage, but I can't tell where that overage is being used. Are they using youtube, webma

Re: [squid-users] URL encoding in squid

2017-02-21 Thread Marcus Kool
On 21/02/17 17:17, Amos Jeffries wrote: Is it possible to path %-encoded URL to squidGuard ? Not with Squid-3.4. The 3.5 releases have a url_rewrite_extras directive which takes logformat codes. You could use that to send an extra %-encoded copy of the URL to the helper in addition to the no

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Marcus Kool
The terminology may be confusing: ssl_bump means more or less "looking at HTTPS traffic" ssl_bump splice means "do not bump/intercept HTTPS traffic. No fake CA certificates are used" ssl_bump bump means "bump/intercept HTTPS traffic and use a fake CA certificate" So the question is

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Marcus Kool
On 23/01/17 17:23, Yuri Voinov wrote: [snip] I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659 a week ago but there has not been any activity. Is there someone who has sslproxy_foreign_intermediate_certs working in Squid 4.0.17 ? Seems works as by as in 3.5.x. As I can see

Re: [squid-users] Squid 4.x: Intermediate certificates downloader

2017-01-23 Thread Marcus Kool
On 23/01/17 15:31, Alex Rousskov wrote: On 01/23/2017 04:28 AM, Yuri wrote: 1. How does it work? My response below and the following commit message might answer some of your questions: http://bazaar.launchpad.net/~squid/squid/5/revision/14769 This seems that the feature only goes to

Re: [squid-users] Ubiquiti: Anyone interested in instructions how to route traffic to a squid box?

2016-11-20 Thread Marcus Kool
Is it an EdgeRouter ? I am interested since Ubiquiti has poor documentation. Marcus On 11/20/2016 05:31 PM, Eliezer Croitoru wrote: I have a tiny Ubiquiti edge router here and I can publish the rules for routing ports 80 and 443 and 53 into the squid\dns box. Any interest in such a guide in th

Re: [squid-users] Web Whatsapp, Dropbox... problem

2016-09-12 Thread Marcus Kool
Because ssl :: server_name_regex works reliably. As shown by my personal practice. But in general it is by op's choice. 12.09.2016 20:38, Marcus Kool wrote: > > > On 09/12/2016 11:14 AM, Yuri Voinov wrote: >>

Re: [squid-users] Web Whatsapp, Dropbox... problem

2016-09-12 Thread Marcus Kool
On 09/12/2016 11:14 AM, Yuri Voinov wrote: Oooops, acl must be: acl excludeSSL ssl::server_name_regex web\.whatsapp\.com why a regex? why not the following ? acl excludeSSL ssl::server_name web.whatsapp.com Marcus ___

Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Marcus Kool
On 09/07/2016 05:58 PM, Antony Stone wrote: On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote: 08.09.2016 2:25, erdosain9 wrote: Hi. A query. Sslbump is possible without installing the certificate, machine by machine ??? Bump impossible. Splice - possible. Is there any way th

Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Marcus Kool
On 09/07/2016 05:58 PM, Antony Stone wrote: On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote: 08.09.2016 2:25, erdosain9 wrote: Hi. A query. Sslbump is possible without installing the certificate, machine by machine ??? Bump impossible. Splice - possible. Is there any way th

Re: [squid-users] subnet forward

2016-09-07 Thread Marcus Kool
to be sure that the link speed and duplex is OK, you need to look at both sides. Marcus On 09/07/2016 01:01 PM, Pol Hallen wrote: Since you have an ancient version of Squid I am assuming that you also have ancient hardware. :-) NIC are not so ancient :-) hw also.. Settings for eth0: Sup

Re: [squid-users] subnet forward

2016-09-07 Thread Marcus Kool
On 09/07/2016 10:05 AM, Pol Hallen wrote: Hello all :-) I'm sorry if this couldn't squid problem.. honestly I don't know.. I've a small lan: dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP lan2_192.168.1.0/24 (NIC2)<--->switch+AP I've squi

Re: [squid-users] More host header forgery pain with peek/splice

2016-09-04 Thread Marcus Kool
about the implications. Thanks Marcus On 09/04/2016 01:12 PM, Amos Jeffries wrote: On 31/08/2016 5:25 a.m., Marcus Kool wrote: Do I understand it correctly that Squid in normal proxy mode allows malware to do a CONNECT to any destination, while in transparent proxy mode does extra security ch

Re: [squid-users] Skype+intercept+ssl_bump

2016-09-01 Thread Marcus Kool
On 08/27/2016 02:20 PM, Marcus Kool wrote: On 07/30/2016 04:21 PM, Alex Rousskov wrote: *snip* Update: The question still stands, but we now know more about what happens if the on_unsupported_protocol bug (in code and/or documentation, depending on how you look at it) discussed above is

Re: [squid-users] More host header forgery pain with peek/splice

2016-08-30 Thread Marcus Kool
Do I understand it correctly that Squid in normal proxy mode allows malware to do a CONNECT to any destination, while in transparent proxy mode does extra security checks which causes some regular (non-malware) clients to fail? And philosophical questions: is Squid the right tool to stop malware?

Re: [squid-users] Skype+intercept+ssl_bump

2016-08-27 Thread Marcus Kool
On 07/30/2016 04:21 PM, Alex Rousskov wrote: *snip* Update: The question still stands, but we now know more about what happens if the on_unsupported_protocol bug (in code and/or documentation, depending on how you look at it) discussed above is fixed: Squid then starts tunneling traffic as it

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Marcus Kool
On 08/24/2016 02:43 AM, Alex Rousskov wrote: On 08/23/2016 08:34 AM, Marcus Kool wrote: ok, I suggest that you review what is done already. I have made a few corrections and improvements, trying to document every change (and some suggestions for future work) in the commit messages. The

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-23 Thread Marcus Kool
On 08/23/2016 11:26 AM, Alex Rousskov wrote: On 08/23/2016 07:59 AM, Marcus Kool wrote: On 08/23/2016 12:44 AM, Alex Rousskov wrote: On 08/22/2016 08:14 PM, Marcus Kool wrote: When I think I am done, I will let you know for a review. It is best to commit all your intended changes at once

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-23 Thread Marcus Kool
On 08/23/2016 12:44 AM, Alex Rousskov wrote: On 08/22/2016 08:14 PM, Marcus Kool wrote: Thanks for your reply. I will start changing the wiki page. When I think I am done, I will let you know for a review. It is best to commit all your intended changes at once (if at all) rather than to use

Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-22 Thread Marcus Kool
Thanks for your reply. I will start changing the wiki page. When I think I am done, I will let you know for a review. What is left is my desire to get a fake CONNECT with FQDN (see below). Marcus On 08/22/2016 04:20 PM, Alex Rousskov wrote: On 08/21/2016 06:46 AM, Marcus Kool wrote: there

[squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-21 Thread Marcus Kool
The ssl-bump peek/splice/bump feature is now maturing and many are using it but there are still some issues with the wiki page that I would like to clarify. wiki: http://wiki.squid-cache.org/Features/SslPeekAndSplice section "processing steps" Can action "none" be removed from step 1? Step 1. what i

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-13 Thread Marcus Kool
It seems that squid is doing a lot of calls to vfprintf. The first thing that comes to mind is that you have debugging on. What is the setting for debug_options ? Marcus On 08/13/2016 04:18 AM, Omid Kosari wrote: Hello, Recently 2 different squid boxes grows from ~40% cpu usage to 100% without

Re: [squid-users] Squid performance not able to drive a 1Gbps internet link

2016-08-04 Thread Marcus Kool
On 08/04/2016 10:08 AM, Heiler Bemerguy wrote: Sorry Amos, but I've tested with modifying JUST these two sysctl parameters and the difference is huge. Without maximum tcp buffers set to 8MB, I got a 110KB/s download speed, and with an 8MB kernel buffer I got a 9.5MB/s download speed (via squ

Re: [squid-users] Squid performance not able to drive a 1Gbps internet link

2016-08-03 Thread Marcus Kool
On 08/03/2016 10:27 AM, Amos Jeffries wrote: On 3/08/2016 9:45 p.m., Marcus Kool wrote: On 08/03/2016 12:30 AM, Amos Jeffries wrote: If that's not fast enough, you may also wish to patch in a larger value for HTTP_REQBUF_SZ in src/defines.h to 64KB with a matching increase to

Re: [squid-users] Squid performance not able to drive a 1Gbps internet link

2016-08-03 Thread Marcus Kool
On 08/03/2016 12:30 AM, Amos Jeffries wrote: If that's not fast enough, you may also wish to patch in a larger value for HTTP_REQBUF_SZ in src/defines.h to 64KB with a matching increase to read_ahead_gap in squid.conf. That has had some mixed results though, faster traffic, but also some assert

Re: [squid-users] Recommended Multi-CPU Configuration

2016-08-02 Thread Marcus Kool
Hi Michael, Can you share with us what you ended up with? Thanks Marcus On 06/18/2015 12:28 AM, Michael Pelletier wrote: Which one would be good for capacity\load? I have a very, very large environment. I have 220,000 users on 8 Gig to the INTERNET. I am running a load balancer, ipvsadm (Dir

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 10:49 AM, Yuri wrote: A similar question can be asked about SNI names containing unusual characters. At some point, it would be too dangerous to include SNI information in the fake CONNECT request because it will interfere with HTTP rules, but it is not clear where that point is

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 09:23 AM, Amos Jeffries wrote: On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Marcus Kool
On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with the SNI. The app is making an

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Marcus Kool
On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with the SNI. The app is making an HTTPS connection to a server and presenting an SNI with a wildcard in it - i.e. "*.example.com
