Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread Amos Jeffries
*To:* squid-users@lists.squid-cache.org *Subject:* [squid-users] ssl-bump with url_regex Hello, I am using Squid 5.7 on a Debian 12 system. I would like to grant only some given URL path for a site using HTTPS. For example, in the following configuration: ... http_port 3128 ssl-bump tcpkeep

Re: [squid-users] ssl-bump with url_regex [SOLVED]

2025-02-24 Thread BOISIAUD Jean-Yves
too large) From: squid-users on behalf of BOISIAUD Jean-Yves Sent: Monday 24 February 2025 16:38 To: squid-users@lists.squid-cache.org Subject: [squid-users] ssl-bump with url_regex Hello, I am using Squid 5.7 on a Debian 12 system. I would like to grant only some given URL path

[squid-users] ssl-bump with url_regex

2025-02-24 Thread BOISIAUD Jean-Yves
Hello, I am using Squid 5.7 on a Debian 12 system. I would like to grant only some given URL path for a site using HTTPS. For example, in the following configuration: ... http_port 3128 ssl-bump tcpkeepalive=60,30,3 \ cert=/etc/squid/certs/signingCA.crt \ key=/etc/squid/certs/signin

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-16 Thread Amon Ott
Am 14.12.24 um 17:26 schrieb R: My current goal is to set up a caching instance for https static content with squid 6.12. ssl-bump is set up according to https://wiki.squid-cache.org/Features/SslBump and it works fine, at least from the clients' perspectives and without any noticeable issues

Re: [squid-users] ssl-bump works, but leads to many client errors being logged (NONE_NONE/200)

2024-12-15 Thread slagauterie
Hello Rod, Not an expert, but from my understanding it seems that your NONE_NONE/200 are all related to a CONNECT. That means it is a SSL Tunnel, which is the initial log of a HTTPS connection when doing ssl_bumping. It is normally followed by another "regular" log, where you can get more informat

Re: [squid-users] SSL Virtual Hosting Problem

2023-12-04 Thread Mario Theodoridis
On 01/12/23 21:34, Amos Jeffries wrote: On 1/12/23 04:55, Mario Theodoridis wrote: I do have one more problem at this point. Using openssl i can work with what i have below, but i cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \ tls-cert=/etc/ssl/certs/

Re: [squid-users] SSL Virtual Hosting Problem

2023-12-01 Thread Amos Jeffries
On 1/12/23 04:55, Mario Theodoridis wrote: I do have one more problem at this point. Using openssl i can work with what i have below, but i cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \     tls-cert=/etc/ssl/certs/regify.com.pem \     tls-cert=/etc/ssl/c

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-30 Thread Mario Theodoridis
I do have one more problem at this point. Using openssl i can work with what i have below, but i cannot add a 2nd certificate https_port 0.0.0.0:443 accel defaultsite=regify.com \     tls-cert=/etc/ssl/certs/regify.com.pem \     tls-cert=/etc/ssl/certs/foo.com.pem gives me ERROR: OpenSSL doe

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Mario Theodoridis
Thank you Amos and Alex, this is a config i managed to get working for http and https acl SSL_ports port 443 acl Safe_ports port 80  # http acl Safe_ports port 443 # https # listeners https_port 0.0.0.0:443 accel defaultsite=regify.com \     tls-cert=/etc/ssl/certs/regify.com.p

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Alex Rousskov
On 2023-11-28 05:29, Mario Theodoridis wrote: Hello everyone, i'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers ba

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Amos Jeffries
On 28/11/23 23:29, Mario Theodoridis wrote: Hello everyone, i'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers base

[squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Mario Theodoridis
Hello everyone, i'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers based on the hostname using SNI. I'm using the

[squid-users] Re: ssl-bump peek and select pinned destination failed

2023-09-22 Thread linfengfeiye
Thank you for your detailed answer. As you said, Squid does not support rewrite-url after ssl-bumped. but I don't understand why it is designed this way. If I want to modify the ssl-bumped returned content, not through 302,307 http redirect url? can I use ecap or other methods to achieve it?

Re: [squid-users] ssl-bump peek and select pinned destination failed

2023-09-20 Thread Alex Rousskov
On 2023-09-20 04:17, linfengfeiye wrote: Hi, what does "PeerSelector186 found pinned, destination" that appears in the Squid log mean? Please note that Squid debugging logs (cache.log at level 3 and above) are for developer use. This mailing list is not. In triage, I recommend focusing on acc

[squid-users] ssl-bump peek and select pinned destination failed

2023-09-20 Thread linfengfeiye
Hi, what does "PeerSelector186 found pinned, destination" that appears in the Squid log mean? The log is as follows: 2023/09/20 15:49:57.086 kid1| 28,3| Checklist.cc(62) markFinished: 0x30798c8 answer ALLOWED for match 2023/09/20 15:49:57.086 kid1| 28,3| Ch

Re: [squid-users] ssl-bump strange behaviour with incomplete config

2023-09-13 Thread Alex Rousskov
On 2023-09-13 12:47, sq...@iotti.biz wrote: I'm only peeking as long as possible, and then splice at step3. I got the regular Squid access denied screen (and this is right, since the CONNECT is not allowed) but in access.log I find: 2023-09-13T17:12:52.855+0200 12 192.168.1.179 TCP_DENIED/

[squid-users] ssl-bump strange behaviour with incomplete config

2023-09-13 Thread squid
Hi all I was trying to configure the ssl-bump feature. I forgot to allow the initial CONNECT (or the fake CONNECT, in case of intercepting proxy). This led me to some strange results which I'd like to point out. I am using CentOS 8 with squid 6.13 recompiled from the Fedora RPM. First case, forwar

Re: [squid-users] ssl-bump connect issues

2022-05-24 Thread Jernej Porenta
Hey, thank you for your response. >> The logs show that clients did issue a CONNECT, however the connections are >> stuck (and eventually timeout) and netstat is showing exactly 10 connections >> in SYN_SENT state towards npm registry. I am kinda puzzled, where this >> number comes from. > >

Re: [squid-users] ssl-bump connect issues

2022-05-23 Thread Amos Jeffries
On 23/05/22 17:41, Jernej Porenta wrote: The logs show that clients did issue a CONNECT, however the connections are stuck (and eventually timeout) and netstat is showing exactly 10 connections in SYN_SENT state towards npm registry. I am kinda puzzled, where this number comes from. This

[squid-users] ssl-bump connect issues

2022-05-22 Thread Jernej Porenta
Hey, I am trying to establish a caching squid proxy - 5.5 openssl - ( to be used with our CI/CD system and cache npm modules (we configure http_proxy in our npm configuration). I've created a configuration with ssl bump-ing and aggressive npm module caching. When a client starts fetching the

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-15 Thread Amos Jeffries
On 15/09/21 1:21 pm, Grant Taylor wrote: On 9/14/21 6:09 PM, Amos Jeffries wrote: b) If those upstream servers are embedding URLs for clients to directly contact the XaaS services. Then your desire is not possible without redesigning the upstream service(s) such that they stop exposing their u

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/14/21 6:09 PM, Amos Jeffries wrote: b) If those upstream servers are embedding URLs for clients to directly contact the XaaS services. Then your desire is not possible without redesigning the upstream service(s) such that they stop exposing their use of the XaaS. Which often also means red

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/14/21 7:12 PM, Grant Taylor wrote: I have concerns about "SSL terminating".  It sounds to me like you are decidedly outside of the typical enterprise or home network scenario where you are wanting to terminate / intercept / bump-in-the-wire TLS connections.  As such, I have *SERIOUS* /conc

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Grant Taylor
On 9/12/21 10:16 PM, Mehrdad Fatemi wrote: Hi Everyone, Hi, TL;DR: Proxy Auto Configuration I'm looking for an elegant technology option to have telcos zero-rate all of the traffic to a set of online destinations. I assume that "zero rating" means that specific destinations, e.g. the pro

Re: [squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-14 Thread Amos Jeffries
On 13/09/21 4:16 pm, Mehrdad Fatemi wrote: Hi Everyone, I'm looking for an elegant technology option to have telcos zero-rate all of the traffic to a set of online destinations. Can you clarify what you mean exactly by "zero rate" ? What does it have to do with actions the proxy is performing

[squid-users] SSL Terminating Reverse Proxy with Referral Tracking

2021-09-12 Thread Mehrdad Fatemi
Hi Everyone, I'm looking for an elegant technology option to have telcos zero-rate all of the traffic to a set of online destinations. Using an SSL terminating reverse proxy could be a potential answer to this as we can focus on zero-rating the proxy's downstream traffic with each ISP/Telco without

Re: [squid-users] SSL handshake

2021-08-10 Thread senor
@lists.squid-cache.org Subject: Re: [squid-users] SSL handshake On 8/8/21 1:48 AM, senor wrote: > Can you point to a patch under test or other changes that we can use > to alleviate this pain? I will probably regret sharing this unfinished work, but our current changes can be found at [1]. A F

Re: [squid-users] SSL handshake

2021-08-10 Thread Alex Rousskov
ix for the official review ASAP. My current ballpark ETA for that is ~6 weeks. HTH, Alex. > From: squid-users on behalf of > Alex Rousskov > Sent: Tuesday, August 3, 2021 1:04 PM > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] SSL handshake > >

Re: [squid-users] SSL handshake

2021-08-07 Thread senor
1:04 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL handshake FWIW, Factory can reproduce this (popular origin server) problem with and without Squid. We are adding a Squid enhancement that will work around the problem (and improve TLS support in general). Alex. > c

Re: [squid-users] SSL handshake

2021-08-03 Thread Alex Rousskov
FWIW, Factory can reproduce this (popular origin server) problem with and without Squid. We are adding a Squid enhancement that will work around the problem (and improve TLS support in general). Alex. > curl: (35) error:1423506E:SSL routines:ssl_next_proto_validate:bad extension

Re: [squid-users] SSL handshake

2021-07-28 Thread Vieri
Hi, I don't know if my situation is like Nishant's, but today my issues have gone away without intervention on my behalf. I'm guessing the cause was on the remote server's side or some in-between SSL inspection... Thanks, Vieri

[squid-users] SSL handshake

2021-07-27 Thread Vieri
Hi, Just recently I've noticed that LAN clients going through Squid with sslbump are all of a sudden unable to access certain HTTPS sites such as login.yahoo.com. The squid log has lines like: kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1

Re: [squid-users] SSL handshake

2021-07-27 Thread Nishant Sharma
On 27/07/21 9:15 pm, Vieri wrote: > > I have not changed anything in the OS so it might be because of change in the > remote web service. > It might be that my openssl version is already too old (1.1.1g), and that the > web site forces the use of an unsupported cypher? I have also observed it o

Re: [squid-users] SSL handshake

2021-07-27 Thread Alex Rousskov
On 7/27/21 11:45 AM, Vieri wrote: > Just recently I've noticed that LAN clients going through Squid with sslbump > are all of a sudden unable to access certain HTTPS sites such as > login.yahoo.com. > The squid log has lines like: > > kid1| 4,3| Error.cc(22) update: recent: > ERR_SECURE_CONNEC

Re: [squid-users] SSL BUMP

2021-05-12 Thread squid3
On 2021-05-10 22:26, Stephane Simon wrote: Hello, I try to configure https with ssl bump. I use redhat 8. i follow https://blog.microlinux.fr/squid-https-centos-7/ when i restart squid, he doesn't cooperate and say: "FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M

[squid-users] SSL BUMP

2021-05-10 Thread Stephane Simon
Hello, I try to configure https with ssl bump. I use redhat 8. i follow https://blog.microlinux.fr/squid-https-centos-7/ when i restart squid, he doesn't cooperate and say: "FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need he

[squid-users] ssl bump Cannot create /var/lib/squid/ssl_db

2021-04-15 Thread Stephane Simon
Hello, I'm trying to configure Intercept HTTPS CONNECT messages with SSL-Bump in redhat 8 with help of: https://blog.microlinux.fr/squid-https-centos-7/ https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Intercept_HTTPS_CONNECT_messages_with_SSL-Bump https://support.kaspersky.

Re: [squid-users] SSL Squid 5 Cipher suite ordering issue

2021-02-04 Thread Alex Rousskov
On 2/4/21 10:32 AM, Prem Chand wrote: > I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order > changes when I access the below website through Squid and without using > squid I'm getting correct order. > > https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html > > I wan

[squid-users] SSL Squid 5 Cipher suite ordering issue

2021-02-04 Thread Prem Chand
Hi Team, I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order changes when I access the below website through Squid and without using squid I'm getting correct order. https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html I want to know why and how Squid is changing the

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread Alex Rousskov
On 1/2/21 3:08 PM, ngtech1...@gmail.com wrote: > I am trying to configure 5.0.4 with sslbump to bump only a set of domains. > * Should I bump all connections with exceptions? > * Should I bump non else then the exceptions? > * Based on server_name regex and/or server_name domains Policy-wis

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread ngtech1ltd
Comments bellow -Original Message- From: squid-users On Behalf Of Amos Jeffries Sent: Sunday, January 3, 2021 9:12 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected On 3/01/21 9:08 am, ngtech1ltd wrote: > I am trying to config

[squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-03 Thread ngtech1ltd
ect: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected On 3/01/21 9:08 am, ngtech1ltd wrote: > I am trying to configure 5.0.4 with sslbump to bump only a set of domains. > > I am unsure about the right way it should be done. > > The basic constrains are POLICY vs a set of rul

Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-02 Thread Amos Jeffries
On 3/01/21 9:08 am, ngtech1ltd wrote: I am trying to configure 5.0.4 with sslbump to bump only a set of domains. I am unsure about the right way it should be done. The basic constrains are POLICY vs a set of rules. * Should I bump all connections with exceptions? * Should I bump non else t

[squid-users] SSL-BUMP 5.0.4 not working as expected

2021-01-02 Thread ngtech1ltd
I am trying to configure 5.0.4 with sslbump to bump only a set of domains. I am unsure about the right way it should be done. The basic constrains are POLICY vs a set of rules. * Should I bump all connections with exceptions? * Should I bump non else then the exceptions? * Bas

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-27 Thread Eliezer Croitor
https://bugs.squid-cache.org/createaccount.cgi Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com From: DIXIT Ankit Sent: Tuesday, October 20, 2020 8:02 PM To: Eliezer Croitor Cc: 'Squid Users' Subject: RE: SSL issue

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-19 Thread Alex Rousskov
On 10/19/20 1:16 PM, Eliezer Croitor wrote: > To get a response you would need to respond in the Bugzilla. > Maybe Alex might be able to answer some of your questions about the subject. FWIW, the October 19 email from Ankit Dixit (quoted below) did not reach me. It probably did not reach others o

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-19 Thread Eliezer Croitor
Hey Dixit, To get a response you would need to respond in the Bugzilla. Maybe Alex might be able to answer some of your questions about the subject. All The Bests, Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-10-12 Thread Eliezer Croitor
Hey Dixit, Have you seen the next bug report: https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4 Alex/Amos: I assume that this specific issue deserve a DEBUG which will describe and relate to this BUG:5067 report. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-2870

Re: [squid-users] SSL on different ports

2020-10-07 Thread Ronan Lucio
Hi Amos, > You are referring to the SSL_ports ACL ? Yes. Got your point. Thanks for the clarification Ronan On Wed, Oct 7, 2020 at 4:55 PM Amos Jeffries wrote: > > On 7/10/20 2:16 pm, Ronan Lucio wrote: > > Hi, > > > > By default, Squid accepts SSL connection only to port 443. > > You are ref

Re: [squid-users] SSL on different ports

2020-10-06 Thread Amos Jeffries
On 7/10/20 2:16 pm, Ronan Lucio wrote: > Hi, > > By default, Squid accepts SSL connection only to port 443. You are referring to the SSL_ports ACL ? That does not mean accepting SSL connections. Only that the port is known to be used primarily for SSL. So that opening opaque CONNECT tunnels ther

[squid-users] SSL on different ports

2020-10-06 Thread Ronan Lucio
Hi, By default, Squid accepts SSL connection only to port 443. Are there any security concerns when need to accept HTTPS connections on other ports? Thank you, Ronan

Re: [squid-users] SSL issue on Squid version 4 after blacklisting

2020-09-26 Thread Eliezer Croitor
Hey, First of all you need to know who is contacting and what is the other end of the connection. It’s possible that the certificate is invalid. If you do have the remote service/server name and ip address you can try to resolve this issue by “creating” a set of certificates your service ca

Re: [squid-users] SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

2020-08-28 Thread Amos Jeffries
On 28/08/20 8:12 pm, i...@schroeffu.ch wrote: > > Hi Squid Community, > > the last weeks it felt that more and more websites are going to be > "incompatible" with Squid SSL bump. "feelings" aside, that is exactly the situation. SSL-Bump is literally a security attack on clients traffic. Exactly

[squid-users] SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

2020-08-28 Thread info
Hi Squid Community, the last weeks it felt that more and more websites are going to be "incompatible" with Squid SSL bump. Some Websites are not displayed at all and a "403 Forbidden" from their proxy is displayed, others are displayed very ugly because some CSS is missing due to HTTP Error 403

[squid-users] SSL certificate not working for windows update

2020-05-27 Thread saiyan_gc
Hi, I have proxy server that use self signed certificate/basic username/password authentication for the http port 2128. Some how the windows update is not working for my proxy box. The proxy server is working fine with wget in powershell. Below are my error log, not sure why it's failing at 503.

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Alex Rousskov
w a similar old squid-users thread: http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html HTH, Alex. > - Original Message - > From: "Alex Rousskov" > To: "Sam Castellano" , "squid-users" > > Sent: Friday, April 17, 2

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Sam Castellano
;Alex Rousskov" To: "Sam Castellano" , "squid-users" Sent: Friday, April 17, 2020 11:49:13 AM Subject: Re: [squid-users] ssl proxy and decrypted forwarding On 4/17/20 11:22 AM, Sam Castellano wrote: > My question relates to ssl bumping and potentially Icap/Ecap >

Re: [squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Alex Rousskov
On 4/17/20 11:22 AM, Sam Castellano wrote: > My question relates to ssl bumping and potentially Icap/Ecap > functionality. I currently have ssl bump/ interception working and > communicating with a local ICAP server. Im trying to understand the > process of how the decrypted data gets sent to the

[squid-users] ssl proxy and decrypted forwarding

2020-04-17 Thread Sam Castellano
Good morning, My question relates to ssl bumping and potentially Icap/Ecap functionality. I currently have ssl bump/ interception working and communicating with a local ICAP server. Im trying to understand the process of how the decrypted data gets sent to the ICAP server for analysis in things

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi, Sorry for the noise. In fact, it works. It's just squid couldn't connect to the local cgi page (while it could for squidclamav), and then did its best that was rather strange. I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid redirection during connection establishm

Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2020-03-10 Thread Edouard Gaulué
Hi all, I know it's an old subject but I come back on it as I moved my old proxy server to Debian Buster. I now have a 4.10 version from git. Here are my last tests regarding this subject :  * Using c-icap for virus detection works well. I mean if I download a virus from an HTTPS server like

[squid-users] ssl::server_name matches non-TLS Host: header

2020-02-14 Thread Scott
Hi, I just noticed that ssl::server_name matches against the Host: header of non-TLS connections, which is handy, but it's not documented thusly in http://www.squid-cache.org/Doc/config/acl/ Is that behaviour expected? I'm running 4.9 btw. Thanks, Scott

Re: [squid-users] ssl::server_name_regex with multiple domains

2020-01-14 Thread robert k Wild
done #allow SSL cert acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/pubkey.txt" ssl_bump splice NoSSLIntercept ssl_bump peek DiscoverSNIHost ssl_bump bump all in my pubkey.txt .microsoft.com .adobe.com On Wed, 15 Jan 2020 at 00:12, robert

[squid-users] ssl::server_name_regex with multiple domains

2020-01-14 Thread robert k Wild
hi all, will this work ie multiple domains on one line? # SSL bump rules acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex -i .adobe.com .microsoft.com ssl_bump peek DiscoverSNIHost ssl_bump splice NoSSLIntercept ssl_bump bump all ie acl NoSSLIntercept ssl::server_name_r

Re: [squid-users] ssl negotiation error

2019-12-02 Thread Amos Jeffries
On 3/12/19 12:19 am, robert k Wild wrote: > hi all, > > managed to get squid to work at last and i can browse all website when > my browser is going through the proxy but when i run squid i see a bunch > of errors and i havnt got a clue what its about - > You will need a packet trace on the Squi

[squid-users] ssl negotiation error

2019-12-02 Thread robert k Wild
hi all, managed to get squid to work at last and i can browse all website when my browser is going through the proxy but when i run squid i see a bunch of errors and i havnt got a clue what its about - Error negotiating SSL connection on FD 46: error:0001:lib(0):func(0):reason(1) (1/0) its w

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Amos Jeffries
All of the "CA" entries in that purposes list say "No". So this is not a CA certificate, it is an origin server certificate. It can only be used to receive explicit TLS proxy or HTTPS origin server traffic. Amos Sent from my alcatel U5

Re: [squid-users] ssl bump intermediate certificate

2019-11-03 Thread Marek Greško
Hello, I already tried adding root ca to the pem file int the cert= option. But it had no effect. the squid -k parse seems good point. I got: Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt If I add the root ca, that one is reported to be added, but still ignoring the bump ca. Why is

Re: [squid-users] ssl bump intermediate certificate

2019-10-31 Thread Amos Jeffries
On 31/10/19 9:49 am, Marek Greško wrote: > Hello, > > Matus, I also found the document. It should be sending the chain, but > is not. When I specify cafile option it responds I shoud use > tls-cafile. But in either case it is not sending. > > Walter, if squid has such requirement, then it is unfi

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Marek Greško
Hello, Matus, I also found the document. It should be sending the chain, but is not. When I specify cafile option it responds I shoud use tls-cafile. But in either case it is not sending. Walter, if squid has such requirement, then it is unfinished. Every other proxy is able to run its CA as an i

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Matus UHLAR - fantomas
On 30.10.2019 05:59, Marek Greško wrote: I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? On 30.10.19 10:11, Walter H. wrote: the ssl-bum certificate is either

Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.
On 30.10.2019 05:59, Marek Greško wrote: Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek the ssl-bum certificate is either a root certifi

[squid-users] ssl bump intermediate certificate

2019-10-29 Thread Marek Greško
Hello, I am trying to configure ssl bumping on squid 4.8 but my browser is not able to validate the certificate due to intermediate certificate missing. How could I convince squid to send it? Thanks Marek

Re: [squid-users] SSL negotiation errors on https_port

2019-10-17 Thread Alex Rousskov
On 10/17/19 4:52 PM, Robert wrote: > I see many lines like these in the cache.log file: > 2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: > error:0001:lib(0):func(0):reason(1) (1/-1) OpenSSL refused to accept a TLS client connection with a generic SSL_ERROR_SSL:

[squid-users] SSL negotiation errors on https_port

2019-10-17 Thread Robert
Hi there, I have configured squid's https_port for client certificate authorization: https_port [2001:XXX:XX:XXX::2]:8008 cert=/etc/ssl/private/mydomain_de/mydomain_de.crt key=/etc/ssl/private/mydomain_de/mydomain_de.key clientca=/etc/squid/ssl-proxy/ca.crt tls-dh=/etc/squid/ssl/dh_2048.pem T

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-18 Thread Sam Holden
On Wed, Sep 18, 2019 at 7:11 AM Amos Jeffries wrote: > > > All these *_port things are a red herring. The initial problem was > connections to the origin server using HTTPS. > > Connections to originserver peer do not send URL scheme, and use the > settings on the cache_peer directive as the proto

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-18 Thread Amos Jeffries
On 18/09/19 10:22 am, Alex Rousskov wrote: > On 9/17/19 5:02 PM, Sam Holden wrote: > >> When I have protocol=http is reports: >> 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections > >> When I don't set the protocol is reports: >> 2019/09/17 20:17:38| Accepting reverse-proxy HTTP

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Alex Rousskov
On 9/17/19 5:02 PM, Sam Holden wrote: > When I have protocol=http is reports: > 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections > When I don't set the protocol is reports: > 2019/09/17 20:17:38| Accepting reverse-proxy HTTPS Socket connections > So it seems to be following t

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Sam Holden
On Tue, Sep 17, 2019 at 4:07 PM Alex Rousskov wrote: > > On 9/17/19 2:07 PM, Sam Holden wrote: > > > https_port 4277 accel ... protocol=http > > > sees port 4227 act as an http port (no ssl) > > Assuming you meant "4277" when you said "4227" (or vice versa), your > statement sounds like an indicat

Re: [squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Alex Rousskov
On 9/17/19 2:07 PM, Sam Holden wrote: > https_port 4277 accel ... protocol=http > sees port 4227 act as an http port (no ssl) Assuming you meant "4277" when you said "4227" (or vice versa), your statement sounds like an indication of a Squid bug to me: The "protocol" option is documented to affe

[squid-users] SSL termination problem - squid's requests using https

2019-09-17 Thread Sam Holden
I'm converting a reasonably large configuration from squid v3 to squid v4 and I'm having a problem with SSL termination. I'm clearly missing something but I haven't been able to work out what. I'm using openssl not gnutls. Using the following: https_port 4277 accel defaultsite= cert=/etc/pki/tls/

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-15 Thread mikio . kishi
Alex, >The feature has already been rejected from the official v4 inclusion >because the underlying changes are too big/risky for that branch. I see. I understood that the v4 won't be able to support it. Anyway, when will you release v5 officially ? Regards, -- Mikio Kishi On Mon, Jul 15, 2019

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 10:51 AM, mikio.ki...@gmail.com wrote: >>In addition to what Amos has said, you may be interested in the v4 patch >>described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 > Do you have plan to support above officially ? The feature has already been rejected from the officia

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread mikio . kishi
Alex, Thank you for your reply. >In addition to what Amos has said, you may be interested in the v4 patch >described at https://bugs.squid-cache.org/show_bug.cgi?id=4968#c1 Do you have plan to support above officially ? Regards, -- Mikio Kishi On Sun, Jul 14, 2019 at 9:58 PM Alex Rousskov < ro

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Alex Rousskov
On 7/14/19 3:35 AM, Amos Jeffries wrote: > On 14/07/19 5:33 pm, mikio.kishi wrote: >> Hi all, >> >>  https://www.spinics.net/lists/squid/msg90523.html >> >> As mentioned in the above URL, I would like to use "SSL Bump with HTTP >> Cache Peer Parent" as well. >> However, still seems not be supported

Re: [squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-14 Thread Amos Jeffries
On 14/07/19 5:33 pm, mikio.kishi wrote: > Hi all, > >  https://www.spinics.net/lists/squid/msg90523.html > > As mentioned in the above URL, I would like to use "SSL Bump with HTTP > Cache Peer Parent" as well. > However, still seems not be supported like the following. > ... > > Do you have any

[squid-users] SSL Bump with HTTP Cache Peer Parent

2019-07-13 Thread mikio . kishi
Hi all, https://www.spinics.net/lists/squid/msg90523.html As mentioned in the above URL, I would like to use "SSL Bump with HTTP Cache Peer Parent" as well. However, still seems not be supported like the following. - FwdState.cc (in squid-4.8 which is currect stable version) 825 FwdState::c

Re: [squid-users] SSL Accel Connection Reset

2019-03-04 Thread chia123
Hi Robert, How did you resolve this issue? From what I read curl doesn't support https proxy till version 7.52.0 I'm running into similar problem where my machine is sending plaintext CONNECT to the https proxy instead of starting a TLS handshake. I'm using python urlib2 but I also used curl pre 7.

[squid-users] ssl bump

2019-02-28 Thread leomessi...@yahoo.com
Hi again tax for your reply Amos. My problem is when i disable generate-host-certificates sslcrtd_program I cant redirect HTTPS requests to block err page!! I don't really understand what this configuration do! What does actually this configurations "generate-host-certificates and dynamic-cert-m

Re: [squid-users] ssl bump

2019-02-27 Thread Amos Jeffries
On 28/02/19 2:31 am, leomessi983 wrote: > Hi all > Can i use this conf only for blocking purpose?! You could. I suggest you keep the default security Safe_ports and SSL_ports ACL and http_access rules though. They exist to protect your proxy against malicious attacks and Dos situations. Your cus

[squid-users] ssl-bump

2019-02-27 Thread leomessi...@yahoo.com
Hi all Can i use this conf only for blocking purpose?! Is set dynamic_cert_mem_cache_size=0MB wrong? I have more than 1000 clients and i only want to block http and https pages and show err page for both of those. My configurations is like this:

[squid-users] ssl bump

2019-02-27 Thread leomessi...@yahoo.com
Hi all Can i use this conf only for blocking purpose?! Is set dynamic_cert_mem_cache_size=0MB wrong? I have more than 1000 clients and i only want to block http and https pages. My configurations is like this: https_port 3130 tproxy ssl-bump \ cert

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Alex Rousskov
On 2/12/19 11:22 PM, leomessi...@yahoo.com wrote: > Actually i don't understand if it could be done or not!! And I do not know what you mean by "it" here. * Can Squid send a blocking error page to an HTTPS client? Yes. * Will the browser show that error page to the user without any additional w

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread Amos Jeffries
On 14/02/19 1:10 am, leomessi983 wrote: > I use this configuration to solve my problem. > Whit this configuration at first step I use bump action for sites that i > want to block and show ACCESS_DENIED page then splice all other requests!! > My problem in this config is when my clients want to see

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-13 Thread leomessi...@yahoo.com
ousskov)   6. Re: ssl-bump does not redirect to block page       (leomessi...@yahoo.com) -- Message: 1 Date: Tue, 12 Feb 2019 14:21:34 + (UTC) From: "leomessi...@yahoo.com" To: squid-users@lists.squid-cache.org Subject

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread leomessi...@yahoo.com
>> aka the 'bump' action. > This part is misleading: Modern Squids _automatically_ bump connections > to report [access denied] errors -- no explicit bump action is required > (or even desirable). I do not know whether> * that bumping does not happen > for leo (e.g., due to Squid bugs), or > * i

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread Alex Rousskov
On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote: > Do i have to use CA and Certificate configuration if i want to block > only HTTPS requests with splice action?! IIRC, you currently need a CA certificate if you want to use SslBump, regardless of the SslBump actions in use. In some ways, this is

[squid-users] ssl-bump does not redirect to block page

2019-02-12 Thread leomessi...@yahoo.com
Hi again Do i have to use CA and Certificate configuration if i want to block only HTTPS requests with splice action?! https_port 3130 tproxy ssl-bump \ cert=/etc/squid/ssl_cert/myCA.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslcrtd_program /usr/lib64/squid/securi

Re: [squid-users] ssl-bump does not redirect to block page

2019-02-10 Thread Alex Rousskov
On 2/6/19 12:57 PM, Amos Jeffries wrote: > On 7/02/19 3:52 am, leo messi wrote: >> My squid config is something like this: >> acl blk ssl::server_name .google.com >> http_access deny blk >> http_access allow all >> ssl_bump peek step1 >> ssl_bump splice all >> My problem is when i block some page
