Re: [squid-users] correct regular expression to use to capture all

2023-07-09 Thread Walter H.
On 08.07.2023 14:07, robert k Wild wrote: True but I don't want to create two ACL lists, one for "ssl name" and one for "ssl name regex" If I were you, I would create two ACL lists, because the one without regex as already mentioned needs less resources - CPU, memory - and can have more rule

[squid-users] Squid 4.11, Almalinux 8.4 (RHEL 8.4 based) - user defined directory for certificate cache?

2021-10-10 Thread Walter H.
Hello, this sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/local/squid/ssl_db -M 4MB gives the error /usr/lib64/squid/security_file_certgen: Cannot create /var/local/squid/ssl_db but this sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -

Re: [squid-users] a specific host generates a 503 ...

2021-03-15 Thread Walter H.
On 15.03.2021 10:14, Matus UHLAR - fantomas wrote: On 12/03/21 1:14 am, Eliezer Croitoru wrote: It's sitting behind:  DDoS protection by Cloudflare So it makes sense that you would not be able to download it using wget. The only option probably is using a web browser. I would suggest contactin

Re: [squid-users] a specific host generates a 503 ...

2021-03-13 Thread Walter H.
On 11.03.2021 15:33, Amos Jeffries wrote: On 12/03/21 1:14 am, Eliezer Croitoru wrote: Hey Walter, It's sitting behind:  DDoS protection by Cloudflare So it makes sense that you would not be able to download it using wget. The only option probably is using a web browser. I would suggest contact

[squid-users] a specific host generates a 503 ...

2021-03-09 Thread Walter H.
Hello, can someone test the following URL http://db.local.clamav.net/daily-26102.cdiff e.g.   wget http://db.local.clamav.net/daily-26102.cdiff I have an older squid (v3.1) there this works, but with the newer ones (v3.4 and v3.5) this doesn't; is there an explanation why? the log shows this

Re: [squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-23 Thread Walter H.
On 23.01.2021 13:07, Matus UHLAR - fantomas wrote: On 22.01.21 15:32, Alex Rousskov wrote: On 1/22/21 3:10 PM, Walter H. wrote: https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org there is an invalid certificate as the intermediate FWIW, I see nothing marked as "invali

[squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-22 Thread Walter H.
Hello, look here https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org there is an invalid certificate as the intermediate Walter

Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-12 Thread Walter H.
f required. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com> Zoom: Coming soon *From:* squid-users *On Behalf Of *?Amos Jeffries? *Sent:* Monday, January 11, 2021 10:10 PM *To:* Walter H. ; squid-u

[squid-users] distinguish between IPv4 and IPv6

2021-01-11 Thread Walter H.
Hello, is there a way, that I can do something like if ( dst is IPv4 ) go direct if ( dst is IPv6 ) use parent proxy xxx The reason for my question, I'm using an IPv6-in-IPv4 tunnel, and it would make sense to forward all traffic going to IPv6 to squid running on tunnel end; Thanks, Walter

Re: [squid-users] Cannot access web servers with a specific browser

2020-09-14 Thread Walter H.
On 14.09.2020 14:50, Vieri wrote: Hi, Before digging into the whole squid configuration, I'd like to know what the following line means: NONE_ABORTED/200 0 CONNECT 216.58.211.36:443 - HIER_NONE/- - I get this when trying to access a web page with a specific browser (Google Chrome). However,

Re: [squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.
rowser and squid is different from the one between squid and server; how can there be a SSL handshake problem between squid and server when using an old browser? On 29.04.2020 19:26, Walter H. wrote: I have two squids, one does SSL bump (3.5latest CentOS 6) the other doesn't SSL bump (3

[squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.
I have two squids, one does SSL bump (3.5latest CentOS 6) the other doesn't SSL bump (3.4latest CentOS 6) everything works, I have a site that uses SSL/TLS, and two different browsers (one in a VM with old windows), when I use the squid without SSL bump, the site works with both browsers, b

Re: [squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-25 Thread Walter H.
On Tue, February 25, 2020 06:30, Amos Jeffries wrote: > On 25/02/20 5:00 am, Walter H. wrote: >> Hello, >> >> can someone explain, why >> sites as https://dnslytics.com/ >> do not work any more if 'server-first', >> they only work with 'clie

[squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-24 Thread Walter H.
Hello, can someone explain, why sites as https://dnslytics.com/ do not work any more if 'server-first', they only work with 'client-first' why? Thanks, Walter

[squid-users] difference of settings doing the same as it seems

2019-11-14 Thread Walter H.
Hello, I found out something strange acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid" # I had these 3 settings - most worked, but only a few hosted at cloudflare worked: problems with SNI the

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.
On 30.10.2019 05:59, Marek Greško wrote: Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek the ssl-bump certificate is either a root certifi

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.
Hello Amos, On 29.06.2019 14:13, Amos Jeffries wrote: That is a good sign. That exact combo is in the set supported by the breaking server so it is unlikely your Squid or its OpenSSL is contributing to this particular problem. quite strange only a few sites don't work, https://www.3bg.at is an

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.
On 29.06.2019 10:17, Amos Jeffries wrote: On 29/06/19 3:03 am, Walter H. wrote: sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.
ong ago i seen a site good configured for ones with its TLS settings. So most probably, you're downgrading the connection within the proxy settings to sslv3 And sharing your config might help to see that. Greetz, Louis *Van:* squid-users [mailto:squid-users-boun...@lists.squid-ca

[squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.
Hello, at some specific hosts this is shown in cache.log 2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0) and this is the error page I get Failed to establish a secure connection to .../ (71) Protocol error (T

Re: [squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread Walter H.
On 15.06.2019 10:57, --Ahmad-- wrote: Hello Folks, I'm trying to disable user agent info to be leaked out of squid using : request_header_access User-Agent deny all reply _header_access User-Agent deny all squid very 3.5.x the reply_header_access is senseless, remove it and add the following

[squid-users] strange thing in the squid logs ...

2019-02-05 Thread Walter H.
Hello, in iptables I have this: *nat ... -A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT --to-destination 192.168.1.1:3129 192.168.1.100 is my PC and 192.168.1.1 is my NAT-Router, that has squid, ... running here the log 192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CO

[squid-users] Message with SSL-bump with a specific site ...

2018-11-05 Thread Walter H.
Hello, can someone explain what is causing this message While trying to retrieve the URL: https://www.3bg.at/* The following error was encountered: * *Failed to establish a secure connection to 193.138.123.75 * The system returned: /(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)/

[squid-users] Error Message alert handshake failure

2018-08-29 Thread Walter H.
Hello, what does this message 2018/08/29 16:11:28 kid1| Error negotiating SSL on FD 22: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0) in cache.log mean? Thanks, Walter

Re: [squid-users] [squid-announce] Squid 4.2 is available

2018-08-11 Thread Walter H.
On 10.08.2018 07:41, Amos Jeffries wrote: The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.2 release! will there be a RPM for latest CentOS 6 available? Walter

Re: [squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-29 Thread Walter H.
On 29.07.2018 06:11, Gordon Hsiao wrote: is there a way to block any attempt to visit http/https by _any_ IP directly, i.e. http://my-IP or https://my-IP (yes this will give a warning for SSL most likely). here my-IP could be any IPv4 address, for example. Basically I want to have Squid to e

Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread Walter H.
On 26.07.2018 17:32, erdosain9 wrote: Hi, thanks I try Explorer 8.0 and Chrome 68.0... this can be deactivated on browser side; then wpad is for the cats ... Walter

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 19:03, Amit pasari wrote: Dear Walter I have tried with both SHA1 and SHA256 cert . Sent from my iPhone On Jun 26, 2018, at 9:43 PM, Walter H. <mailto:walte...@mathemainzel.info>> wrote: On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am using

Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.
On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote: I am using squid in transparent mode . Everything working fine in Firefox and IE after i have imported the certificate in both the browser , but in Chrome 67 version on Windows 10 i am facing the below issue NET::ERR_CERT_WEAK_S

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.
On 10.06.2018 08:49, Amos Jeffries wrote: Interesting. The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely dis

Re: [squid-users] Google analytics screwing up a lot of sites?

2018-03-26 Thread Walter H.
Hello On 26.03.2018 21:27, Bob Cochran wrote: We use squid 3.5.20 and a custom content filter to block undesirable (tracking) sites (e.g., google-analytics.com). get 3.5.27 ... It seems that Google's JavaScript ( or missing scripts ) is rendering various modal / dialog boxes useless (typically

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
On 18.11.2017 13:51, Walter H. wrote: Hello, still certificate issues: missing intermediate certificate Greetings, Walter @Amos: There is *no* chain. Our cert is directly signed by the LetsEncrypt CA. Amos that's wrong; LetsEncrypt is only an intermediate, and MUST be given b

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.
Hello, still certificate issues: missing intermediate certificate Greetings, Walter On 17.11.2017 13:39, Walter H. wrote: for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable

[squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-17 Thread Walter H.
for more information see https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org - missing intermediate certificate - ssl3 active, poodle vulnerable ... Greetings, Walter

Re: [squid-users] IPv6 and TPROXY

2017-08-21 Thread Walter H.
ail: elie...@ngtech.co.il -Original Message- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Saturday, August 19, 2017 23:23 To: Eliezer Croitoru Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] IPv6 and TPROXY Hello, not really, I must live with the fact, that I can'

Re: [squid-users] IPv6 and TPROXY

2017-08-19 Thread Walter H.
mail: elie...@ngtech.co.il -Original Message----- From: Walter H. [mailto:walte...@mathemainzel.info] Sent: Sunday, August 13, 2017 21:31 To: Eliezer Croitoru Cc: squid-users@lists.squid-cache.org Subject: Re: [squid-users] IPv6 and TPROXY Hello Eliezer yes, because all my Linux systems ar

Re: [squid-users] Squid IPv4:port to IPv6

2017-08-18 Thread Walter H.
On 19.08.2017 04:03, davidjesse...@aol.com wrote: I'm trying to connect to Squid with one IPv4 IP and based on the port I'm connecting with, I want Squid to use a different IPv6 IP for the connection. Below is my config file |acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 2

Re: [squid-users] IPv6 and TPROXY

2017-08-13 Thread Walter H.
ng connections, would it be possible? Would the usage of: http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ override the tproxy function? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message-----

Re: [squid-users] IPv6 and TPROXY

2017-08-12 Thread Walter H.
ork-scripts ... Thanks, Walter On 12.08.2017 20:23, Eliezer Croitoru wrote: Any progress with this issue? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -----Original Message- From: Walter H. [mailto:walte...@mathemainzel.info

Re: [squid-users] IPv6 and TPROXY

2017-08-09 Thread Walter H.
level issue and maybe > sysctl will help to reveal couple things about the subject. > > All The Bests, > Eliezer > > ---- > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > > -Original Message

Re: [squid-users] IPv6 and TPROXY

2017-08-09 Thread Walter H.
liezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, August 8, 2017 17:15 To: squid-users@lists.squid-cache

[squid-users] wiki.squid-cache.org SSL configuration problem ...

2017-08-08 Thread Walter H.
Hello, the intermediate certificate which is provided doesn't go with the end entity certificate ... the intermediate that is provided: Let's Encrypt Authority X1 the intermediate that should be provided: Let's Encrypt Authority X3 for more see: https://www.ssllabs.com/ssltest/analyze.html

[squid-users] IPv6 and TPROXY

2017-08-08 Thread Walter H.
Hello, I did at the ip6tables like this: https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIV

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 20.07.2017 05:35, Walter H. wrote: On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: (expanded from ): mail forwarding loop for squid-us...@squid-cache.org Why? You sent a mail to the address squid-users@squid-cache.* The mailing list address is

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.
On 19.07.2017 08:54, Amos Jeffries wrote: On 19/07/17 01:42, Walter H. wrote: (expanded from ): mail forwarding loop for squid-us...@squid-cache.org Why? You sent a mail to the address squid-users@squid-cache.* The mailing list address is squid-users@lists.* No, see the log of my

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Tuesday, July 18, 2017 15:29 To: squid-users@lists.squid-cache.org Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) a

Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-19 Thread Walter H.
Hello, this seems not to be the problem, as the error messages are in cache.log, which is not a browser problem ... the question: are the SSL bumped sites in intranet, which use a self signed CA cert itself, which squid doesn't know? On 19.07.2017 17:36, Yuri wrote: http://wiki.squid-cach

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote: > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote: > >> I added these rules, and will see which packets are caught >> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: >> "

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote: > On 19/07/17 01:37, Walter H. wrote: >> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: >>> On 18.07.17 14:29, Walter H. wrote: >>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT >>

[squid-users] This list generates a forward loop ...

2017-07-18 Thread Walter H.
Hello, On every post I get an error mail back: Subject:Undelivered Mail Returned to Sender From: "Mail Delivery System" Date: Tue, July 18, 2017 15:36 To: ... Priority: Normal This is the mail system at host lists.squid-cache.org. I'm sorry to hav

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote: > On 18.07.17 14:29, Walter H. wrote: >>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT > >>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT > >>-A INPUT -j LOG --log-pref

[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
Hello, my Router Box runs a CentOS 6, with the EPEL squid34 RPM package this the iptables *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # Allow multicast -A INPUT -d 224.0.0.0/4 -j ACCEPT -A OUTPUT -d 224.0.0.0/4 -j ACCEPT # Allow anything on the local link -A INPUT -i lo -j

Re: [squid-users] Squid and SSLBump

2017-06-09 Thread Walter H.
On 09.06.2017 09:33, FredB wrote: Hi all, There is way to approximately estimate the "cost" of CPU/Memory usage of SSLbump ? be careful, if there is a "cost" value now, this will be very probably wrong when SSL gets more common ...

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
On 5/25/2017 14:07 PM, Walter H. wrote: On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; th

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.
On 25.05.2017 21:51, Mike wrote: Walter, what I've found is when compiling to squid 3.5.x and higher, the compile options change. Also remember that many of the options that were available with 3.1.x are depreciated and likely will not work with 3.4.x and higher. the compile options are not

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
On 25.05.2017 12:50, Amos Jeffries wrote: On 25/05/17 20:19, Walter H. wrote: Hello what is the essential difference between the default squid package and this squid34 package, Run "squid -v" to find out if there are any build options different. Usually its just two alternativ

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 11:25, Amos Jeffries wrote: On 25/05/17 19:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could expect

Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.
On 25.05.2017 09:51, Miguel Barbero wrote: Good morning, We have a special requirement and we are not sure whether it's possible to accomplish. We have defined a whitelist and a blacklist on our Squid. Its behaviour is as usual and how it could expect. All the traffic less blacklist is pas

[squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.
Hello what is the essential difference between the default squid package and this squid34 package, as I have problems using this squid34 package for FTP connections; there are no shown icons, when going to e.g. ftp://ftp.adobe.com/ when I tell the browser to show the image then I get this squid

Re: [squid-users] Squid custom error page

2017-05-18 Thread Walter H.
On 18.05.2017 19:40, chcs wrote: One more question: With 2 CA differents certificates to block twitter.com>> differents results Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html Result: no problem, it's show me squid custom error page Is

[squid-users] list generates error messages ...

2017-05-17 Thread Walter H.
whenever I send a mail to the list, I get such an error message back from mailer-dae...@squid-cache.org This is the mail system at host lists.squid-cache.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further ass

Re: [squid-users] Squid custom error page

2017-05-17 Thread Walter H.
On 17.05.2017 16:04, Amos Jeffries wrote: On 17/05/17 23:32, chcs wrote: Expected Results: Display proxy server error page with deny info. This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.

Re: [squid-users] Squid + IPv6

2017-05-16 Thread Walter H.
On 16.05.2017 21:21, IAPS Security Services, Ltd. wrote: How can I compile squid for windows to get around the 128 ip limit imposed? have you ever tried to give each network interface more than 128 IP addresses at a time?

[squid-users] Object Size?

2017-02-08 Thread Walter H.
Hello, the setting maximum_object_size 4 MB is the default; would the following setting maximum_object_size 2 MB also mean, that there would be stored much more objects on disk? Thanks Walter

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
On Tue, November 29, 2016 03:59, Amos Jeffries wrote: > On 29/11/2016 7:49 a.m., Walter H. wrote: >> Hey, >> >> On 28.11.2016 14:51, Eliezer Croitoru wrote: >>> Now to me the picture is much clear technically. >>> As Amos suggested fix the first proxy(and

Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
Hello, On Mon, November 28, 2016 22:45, Eliezer Croitoru wrote: > So much clear now to a solution. > If you don’t know what Policy Based Routing and you have a bunch of VM's and you are configuring the proxy in the browser manually you just need to install on the first proxy 3.5.22 that allows yo

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
Hey, On 28.11.2016 14:51, Eliezer Croitoru wrote: Now to me the picture is much clear technically. As Amos suggested fix the first proxy(and I am adding choose how to approach) and then move on to the next ones. why fix the first proxy, I wouldn't need it, if ssl-bump plus parent proxy (the re

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
SSL BUMP missing? > What iptables rules are you using on the client machine(3.1.X)? > > All the above matters to understand how to offer the right solution. > > Eliezer > > > Eliezer Croitoru > Linux System Administrator > Mobile: +972-5-28704261 > Email: e

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote: > OK so the next step is: > Routing over tunnel to the other proxy and on it(which has ssl-bump) > intercept. by now only the 3.5.20 squid on the local VM does SSL-bump > If you have a public on the remote proxies which can use ssl-bump the

Re: [squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Walter H. Sent: Sunday, November 27, 2016 19:17 To: squid-users@lists.squid-cache.org Subject: [squid-users] Hint for howto wanted ... Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks -

[squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.
Hello, I've got a special problem ... I have several devices in my LAN: - PCs, Notebooks - a Tablet-PC - a Smartphone - a Television on my LAN I've two squids as VMs on my PC (both are CentOS 6) I also have a virtual server (a CentOS 6, too) at a webhoster in a different country, which I hav

[squid-users] CentOS 6, Squid 3.5.20, Error message in /var/log/squid/cache.log

2016-11-23 Thread Walter H.
Hello, can someone tell me, especially the maintainer of the binary packages for CentOS what this message 2016/11/23 19:08:58 kid1| Error negotiating SSL on FD 39: error::lib(0):func(0):reason(0) (5/0/0) should say to me ... Thanks, Walter

Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote: > On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote: >> Hello, >> >> just in case anybody wants to run Squid 3.5.x on CentOS >> with SELinux enforcing, >> >> here is the semodule >>

[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
Hello, just in case anybody wants to run Squid 3.5.x on CentOS with SELinux enforcing, here is the semodule module squid_update 1.0; require { type squid_conf_t; type squid_t; type var_t; class file { append open read write getattr lock execute_no_trans }; } #=

[squid-users] Ciphersuites with SSL bump [squid 3.5.19]

2016-05-20 Thread Walter H.
Hello, I'd like to disable some ciphersuites when connecting with web servers; when I go there: https://cc.dcsec.uni-hannover.de/ I'm shown this (only the column with ciphersuite names): ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384

[squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Walter H.
Hello, I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the generated certificates are now SHA2 and not SHA1, can I influence somewhere to generate still SHA1 certificates? (I have devices which use this proxy and are not able to handle SHA2) Thanks, Walter

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-13 Thread Walter H.
On Fri, May 13, 2016 07:32, Amos Jeffries wrote: > On 13/05/2016 3:44 p.m., Walter H. wrote: >> p.s. >> the sample here >> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype >> doesn't work, too >> > > The skype pattern is matching the port Skype u

Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
On 12.05.2016 22:20, Walter H. wrote: Hello, can someone please tell me how I can achieve this? the result should be that any URL like this http(s)://ip-address/ should be blocked by the specified error page Thanks and Greetings from Austria, Walter p.s. the sample here http://wiki.squid

[squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.
Hello, can someone please tell me which regular expression(s) would really block domains which are IP hosts for IPv4 this is my regexp: ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$ and this works as expected acl block_domains_iphost dstdom_regex ^[12]?[0-9]{1,2}\.[12]?[

[squid-users] DNS-Errors ... squid-cache.org

2016-05-10 Thread Walter H.
Hello, has anybody an idea where this errors come from, or what is causing them? May 10 11:21:00 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/MX/IN': 173.255.241.90#53 May 10 11:21:01 lxwaldivm-001 named[30098]: error (connection refused) resolving

Re: [squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

2016-03-26 Thread Walter H.
On 26.03.2016 11:53, Yuri Voinov wrote: Look at this, gents. http://i.imgur.com/kxrOEVd.png can you give me the complete URL just for testing purpose; https://download.microsoft.com/ does a forward to https://www.microsoft.com/en-us/download which squid version is in use?

Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello Amos, On Mon, January 11, 2016 11:13, Amos Jeffries wrote: > On 11/01/2016 10:50 p.m., Walter H. wrote: >> Hello, >> >> I'd restrict the client by using a less resource consuming TLS >> encryption; >> >> I though doing just this >> >

[squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello, I'd restrict the client by using a less resource consuming TLS encryption; I thought doing just this e.g. http_port 3128 ... cipher=3DES ... (for restricting clients connecting to 3DES) or what would be less resource consuming? AES128? but where can I see, which ciphersuite is really use

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 17.12.2015 18:01, Alex Rousskov wrote: On 12/17/2015 03:12 AM, Yuri Voinov wrote: This looks like. Root CA doesn't send. Subordinate CA uses as signer for mimicked. All and any clients got security alert. There may still be some terminology misunderstanding here because not sending the root

Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.
On 14.12.2015 22:26, Yuri Voinov wrote: Hi all. Does anybody can tell me - is it possible to use subordinate secondary CA in squid for SSL Bumping purpose? this is possible; I had this for several months this way; I.e., we have self-signed primary CA for issue subordinate CA, subordinate CA

Re: [squid-users] http request header must use hostname

2015-12-07 Thread Walter H.
On 07.12.2015 08:49, Amos Jeffries wrote: On 7/12/2015 5:41 p.m., Walter H. wrote: On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname ... the

Re: [squid-users] http request header must use hostname

2015-12-06 Thread Walter H.
On 07.12.2015 00:21, Amos Jeffries wrote: Getting complicated... So xxiao8, why does one want to censor these requests anyway? Amos try to connect natively with the IP-Address instead of the hostname ... the SSL certificate of the host itself prevents the connection without message in the use

Re: [squid-users] http request header must use hostname

2015-12-06 Thread Walter H.
On 06.12.2015 11:07, Yuri Voinov wrote: # Numeric IP's acl acl numeric_IPs dstdom_regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ # Deny access to numeric IP's http_access deny CONNECT numeric_IPs deny_info TCP_RESET numeric_IPs and not to forget IPv6 ... acl numeric_IPs_ipv4 dstdom_regex [0-9]+\.[0-9]+

Re: [squid-users] Block google pictures

2015-11-26 Thread Walter H.
use SSL bump and block URLs and/or URL-paths On 26.11.2015 15:27, Funke, Martin wrote: I'm using squid + squid guard in a primary school and sometimes the primary-school pupil search for penis and things like that :). That’s why I need a way to stop them doing these things.

Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Walter H.
On 13.11.2015 14:53, Yuri Voinov wrote: There is no solution for ICQ with Squid now. You can only bypass proxying for ICQ clients. from where do the ICQ clients get the trusted root certificates? maybe this is the problem, that e.g. the squid CA cert is only installed in FF and nowhere else .

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Walter H.
On 05.11.2015 04:26, Amos Jeffries wrote: There was a bug about the wrong SNI being sent to servers on bumped traffic that got re-written. That got fixed in Squid-3.5.7 and re-writers should have been fully working since then. This seems to be a bug in 3.5.x only with 3.4.10 this works fine ..

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
it was just the solution I did for myself, and brought it to the "public" AS IS. On 21.10.2015 00:53, Brett Lymn wrote: On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote: The style guide-line is not compatible with mine (space - tab); which can be fixed mostly by indent

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
On 19.10.2015 01:01, Amos Jeffries wrote: If you are interested in getting this helper bundled with Squid No; the details on how to prepare and submit a patch to squid-dev mailing list are at: The style guide-line is not compatible with mine (spa

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 16:48, Amos Jeffries wrote: or sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1 can I have a working sample of valid_cert.pl that results in an "access denied" or any other error page of squid? An

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 11:05, Amos Jeffries wrote: On 7/10/2015 4:27 a.m., Alex Rousskov wrote: On 10/06/2015 01:27 AM, Jason Haar wrote: Good catch - I don't think squid does CRL/OCSP checks But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look IIRC, Squid

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Walter H.
Hello, can you please provide an example of how to use this in squid.conf by the way how would I use these sslcrtvalidator_program and sslcrtvalidator_children Thanks, Walter On Tue, October 6, 2015 09:27, Jason Haar wrote: > Good catch - I don't think squid does CRL/OCSP checks > > I'm using

[squid-users] Possible Bug in squid? [Fwd: Re: [openssl-users] Problem checking certificate with OCSP]

2015-10-05 Thread Walter H.
r. Stephen Henson" Date:Mon, October 5, 2015 17:11 To: openssl-us...@openssl.org -- On Mon, Oct 05, 2015, Walter H. wrote: > Hello, > > attached is the certificate and its chain of https://revoked

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the

[squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with squid, the page is shown ... Thanks,
