25.01.2017 5:25, Alex Rousskov wrote:
> On 01/24/2017 02:11 PM, Yuri Voinov wrote:
>> 25.01.2017 2:50, Alex Rousskov wrote:
>>> A short-term hack: I have seen folks successfully solving somewhat
>>> similar problems using a localport ACL with an "impossible" value of
>>> zero. Please try this hac
On 01/24/2017 02:11 PM, Yuri Voinov wrote:
> 25.01.2017 2:50, Alex Rousskov wrote:
>> A short-term hack: I have seen folks successfully solving somewhat
>> similar problems using a localport ACL with an "impossible" value of
>> zero. Please try this hack and update this thread if it works for you:
25.01.2017 2:50, Alex Rousskov wrote:
> On 01/24/2017 12:20 PM, Yuri Voinov wrote:
>> 25.01.2017 1:10, Alex Rousskov wrote:
>>> On 01/24/2017 11:33 AM, Yuri Voinov wrote:
http_access deny to_localhost
>>> Does not match. The destination is not localhost.
>> Yes, destination is squid itself.
On 01/24/2017 12:20 PM, Yuri Voinov wrote:
> 25.01.2017 1:10, Alex Rousskov wrote:
>> On 01/24/2017 11:33 AM, Yuri Voinov wrote:
>>> http_access deny to_localhost
>> Does not match. The destination is not localhost.
> Yes, destination is squid itself. From squid to squid.
No, not "to squid": Th
On my setup it is easy to reproduce.
It is enough to execute with wget:
wget -S https://yandex.com/company/
access.log immediately shows
0 - TCP_DENIED/403 3574 GET http://repository.certum.pl/ca.cer -
HIER_NONE/- text/html;charset=utf-8
before request to Yandex destination.
However it execut
Under detailed ACL debug got this transaction:
2017/01/25 01:36:35.772 kid1| 28,3| DomainData.cc(110) match:
aclMatchDomainList: checking 'repository.certum.pl'
2017/01/25 01:36:35.772 kid1| 28,3| DomainData.cc(115) match:
aclMatchDomainList: 'repository.certum.pl' NOT found
2017/01/25 01:36:35.77
25.01.2017 1:10, Alex Rousskov wrote:
> On 01/24/2017 11:33 AM, Yuri Voinov wrote:
>
>>> 1485279884.648 0 - TCP_DENIED/403 3574 GET
>>> http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
>
>> http_access deny !Safe_ports
> Probably does not match -- 80 is a safe port.
>
On 01/24/2017 11:33 AM, Yuri Voinov wrote:
>> 1485279884.648 0 - TCP_DENIED/403 3574 GET
>> http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
> http_access deny !Safe_ports
Probably does not match -- 80 is a safe port.
> # Instant messengers include
> include "/usr
This is working production server. I've checked configuration twice. See
no problem.
Here:
# -
# Access parameters
# -
# Deny requests to unsafe ports
http_access deny !Safe_ports
# Instant messengers include
include "/usr/
On 01/24/2017 11:19 AM, Yuri Voinov wrote:
> It is downloads directly via proxy from localhost:
> As I understand, downloader also access via localhost, right?
This is incorrect. Downloader does not have a concept of an HTTP client
which sends the request to Squid so "via localhost" or "via any
Maybe this feature is mutually exclusive with
sslproxy_foreign_intermediate_certs option?
25.01.2017 0:19, Yuri Voinov wrote:
> Mm, hardly.
>
> It is downloads directly via proxy from localhost:
>
> root @ khorne /patch # http_proxy=localhost:3128 curl
> http://repository.certum.pl/ca.cer
>
Mm, hardly.
It is downloads directly via proxy from localhost:
root @ khorne /patch # http_proxy=localhost:3128 curl
http://repository.certum.pl/ca.cer
On 01/24/2017 10:48 AM, Yuri Voinov wrote:
> It seems 4.0.17 tries to download certs but gives deny somewhere.
> However, same URL with wget via same proxy works
> Why?
Most likely, your http_access or similar rules deny internal download
transactions but allow external ones. This is possible, fo
Hm. Another question.
It seems 4.0.17 tries to download certs:
1485279884.648 0 - TCP_DENIED/403 3574 GET
http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
but gives deny somewhere.
However, same URL with wget via same proxy works:
root @ khorne /patch # wget -S htt
On 01/23/2017 03:59 PM, Amos Jeffries wrote:
> On 24/01/2017 8:22 a.m., Yuri Voinov wrote:
>> 24.01.2017 0:06, Alex Rousskov wrote:
>>> FWIW, IMO, storing the generated fake certificates in the regular Squid
>>> cache would also be better than using an OpenSSL-administered database.
>> Exactly.
>
On 24/01/2017 7:06 a.m., Marcus Kool wrote:
>
>
> On 23/01/17 15:31, Alex Rousskov wrote:
>> On 01/23/2017 04:28 AM, Yuri wrote:
>>
>>> 1. How does it work?
>>
>> My response below and the following commit message might answer some of
>> your questions:
>>
>> http://bazaar.launchpad.net/~squi
On 24/01/2017 8:22 a.m., Yuri Voinov wrote:
>
>
> 24.01.2017 0:06, Alex Rousskov wrote:
>> On 01/23/2017 10:41 AM, Yuri Voinov wrote:
>>> 23.01.2017 23:31, Alex Rousskov wrote:
On 01/23/2017 04:28 AM, Yuri wrote:
>>
> 2. How this feature is related to sslproxy_foreign_intermediate_certs,
24.01.2017 2:25, Marcus Kool wrote:
>
>
> On 23/01/17 17:23, Yuri Voinov wrote:
> [snip]
>
>>> I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659
>>> a week ago but there has not been any activity.
>>> Is there someone who has sslproxy_foreign_intermediate_certs
>>> working in
On 23/01/17 17:23, Yuri Voinov wrote:
[snip]
I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659
a week ago but there has not been any activity.
Is there someone who has sslproxy_foreign_intermediate_certs
working in Squid 4.0.17 ?
Seems works as by as in 3.5.x. As I can see
24.01.2017 0:06, Marcus Kool wrote:
>
>
> On 23/01/17 15:31, Alex Rousskov wrote:
>> On 01/23/2017 04:28 AM, Yuri wrote:
>>
>>> 1. How does it work?
>>
>> My response below and the following commit message might answer some of
>> your questions:
>>
>> http://bazaar.launchpad.net/~squid/squid/
24.01.2017 0:06, Alex Rousskov wrote:
> On 01/23/2017 10:41 AM, Yuri Voinov wrote:
>> 23.01.2017 23:31, Alex Rousskov wrote:
>>> On 01/23/2017 04:28 AM, Yuri wrote:
I.e., where downloaded certs stored, how it
handles, does it saves anywhere to disk?
>>> Missing certificates are fetched
On 01/23/2017 10:41 AM, Yuri Voinov wrote:
> 23.01.2017 23:31, Alex Rousskov wrote:
>> On 01/23/2017 04:28 AM, Yuri wrote:
>>> I.e., where downloaded certs stored, how it
>>> handles, does it saves anywhere to disk?
>> Missing certificates are fetched using HTTP[S]. Certificate responses
>> should
On 23/01/17 15:31, Alex Rousskov wrote:
On 01/23/2017 04:28 AM, Yuri wrote:
1. How does it work?
My response below and the following commit message might answer some of
your questions:
http://bazaar.launchpad.net/~squid/squid/5/revision/14769
This seems that the feature only goes to
23.01.2017 23:31, Alex Rousskov wrote:
> On 01/23/2017 04:28 AM, Yuri wrote:
>
>> 1. How does it work?
> My response below and the following commit message might answer some of
> your questions:
>
> http://bazaar.launchpad.net/~squid/squid/5/revision/14769
>
>> I.e., where downloaded certs s
On 01/23/2017 04:28 AM, Yuri wrote:
> 1. How does it work?
My response below and the following commit message might answer some of
your questions:
http://bazaar.launchpad.net/~squid/squid/5/revision/14769
> I.e., where downloaded certs stored, how it
> handles, does it saves anywhere to di
Hi, gents.
I have some stupid questions about subject.
1. How does it work? I.e., where downloaded certs stored, how it
handles, does it saves anywhere to disk? Because of this feature is
completely undocumented and it did not follow from the source code.
2. How this feature is related to ss