Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-31 Thread Vieri
From: Alex Rousskov
>
> You need to figure out why. Two common reasons are SSL-level errors and
> http_access denials. Both should be reflected in access.log and
> debugging cache.log.

I finally found out it was an http_access deny on an ACL match with url_regex

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-28 Thread Alex Rousskov
On 05/28/2017 05:40 AM, Vieri wrote:
> Please keep in mind that I'm basically an end-user, a sys-admin. I
> wish I had the time to study Squid's source code.

Nobody (certainly not me) has suggested anything that requires studying Squid source code. If you think that I have, you have misinterprete

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-28 Thread Vieri
Hi Alex et al., Thank you very much for your analysis and help. I really appreciate it. Please keep in mind that I'm basically an end-user, a sys-admin. I wish I had the time to study Squid's source code. All I can do for now is read the docs that so many people have kindly published. In 99% o

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Alex Rousskov
On 05/26/2017 05:22 PM, Vieri wrote:
> If I have this:
>
> ssl_bump peek all
> ssl_bump splice AllowTroublesome
> ssl_bump bump all

... then you have a configuration that does not make sense because one cannot bump after peeking at step2. Your configuration is equivalent to * if the current s

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Vieri
I forgot to put the emphasis on one thing. I did not change my squid.conf or my ACLs. The only difference is in the ssl_bump configuration directives. If I have this: acl AllowTroublesome ssl::server_name .google.com .gmail.com acl DenyTroublesome ssl::server_name mail.google.com http_access den

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Amos Jeffries
On 27/05/17 03:44, Vieri wrote: Hi, I'd like to block access to Google Mail but allow it to Google Drive. I also need to intercept Google Drive traffic (https) and scan its content via c-icap modules for threats (with clamav and other tools which would block potentially harmful files). I've

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Alex Rousskov
On 05/26/2017 09:44 AM, Vieri wrote:
> I know that in TLS traffic there are only IP addresses

This is a gross exaggeration. The reality is much more nuanced.

> I added mail.google.com to a custom file named "denied.domains" and loaded as
> denied_domains ACL in Squid.
> [...]
> acl denied_do

Re: [squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Benjamin E. Nichols
Here is a list of google domains that may help you, http://www.squidblacklist.org/downloads/whitelists/google.domains On 5/26/2017 10:44 AM, Vieri wrote: Hi, I'd like to block access to Google Mail but allow it to Google Drive. I also need to intercept Google Drive traffic (https) and scan i

[squid-users] Squid TPROXY issues with Google sites

2017-05-26 Thread Vieri
Hi, I'd like to block access to Google Mail but allow it to Google Drive. I also need to intercept Google Drive traffic (https) and scan its content via c-icap modules for threats (with clamav and other tools which would block potentially harmful files). I've failed so far. I added mail.googl

Re: [squid-users] Squid tproxy net unreachable

2017-05-16 Thread Abi Askushi
Thank you Amos. I have the following at squidguard: default { pass !porn !adv !drugs !custom any redirect http://localhost:10080/error.php } Which when squid in intercept mode the user is "redirected" to error page. I'm not sure if squidguard is rewriting or redirecti

Re: [squid-users] Squid tproxy net unreachable

2017-05-14 Thread Amos Jeffries
On 14/05/17 01:59, Abi Askushi wrote: Hi, I have setup squid (v 3.1.20) with tproxy and relevant iptables and policy routes. It is functioning ok except one thing, squid is not able to redirect to deny page (located on same device) and it gives error "101 network unreachable". I have squidgua

[squid-users] Squid tproxy net unreachable

2017-05-13 Thread Abi Askushi
Hi, I have setup squid (v 3.1.20) with tproxy and relevant iptables and policy routes. It is functioning ok except one thing, squid is not able to redirect to deny page (located on same device) and it gives error "101 network unreachable". I have squidguard in the setup as a helper program and squ

Re: [squid-users] squid tproxy connection time out

2017-01-03 Thread Eliezer Croitoru
...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of mr ghorbani Sent: Monday, January 2, 2017 8:16 PM To: squid-users@lists.squid-cache.org Subject: [squid-users] squid tproxy connection time out hello masters I have a problem on the

Re: [squid-users] squid tproxy connection time out

2017-01-03 Thread Omid Kosari
No it is not what i mentioned. Your mikrotik router should be for example ether1 -> Internet ether2 -> Clients ether3 -> Squid So the mikrotik is between clients and squid .

Re: [squid-users] squid tproxy connection time out

2017-01-03 Thread mrghorbani
also what about this topology?

Re: [squid-users] squid tproxy connection time out

2017-01-03 Thread mrghorbani
hello, i had created the topology diagram as i get from your idea, does it that you mentioned? but, according to that my bgp and wireless points are connected to mikrotik router, i can not move squid to the end point...in this network, now and in exists network, i routed the client to the mikrotik

Re: [squid-users] squid tproxy connection time out

2017-01-03 Thread Omid Kosari
Hello, I think your problem is topology . I suggest change the position of squid so the mikrotik router stands between clients and squid box . Also assign a private ip address to your squid and also one ip from same range to your mikrotik router . Then try to mangle and route to that private ip .

[squid-users] squid tproxy connection time out

2017-01-02 Thread mr ghorbani
hello masters I have a problem on the squid in tproxy mode and it is that squid return Error "110 connection the timeout." for all Requests on port 3129, which is related to tproxy Of course, by eliminating the code ip route add local 0.0.0.0/0 dev lo table 100 Problem solved, but in this case, Sq

[squid-users] squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2016-09-29 Thread Vieri
Hi, I'm running a Squid proxy like so: http_port 3129 tproxy https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem The squid server certificate was self-generated: openssl req -new -newkey rsa:2048 -sha256 -days 7300 -

Re: [squid-users] squid tproxy

2015-08-29 Thread Amos Jeffries
On 29/08/2015 5:27 a.m., Vieri wrote:
> Hi,
>
>
> [reposting a trimmed-down message]
>
> My goal is to allow lan users to access a greater number of sites if they explicitly configure the squid proxy server in their browsers and authenticate. If they don't then traffic to port 80 and 443 will b

[squid-users] squid tproxy

2015-08-28 Thread Vieri
Hi, [reposting a trimmed-down message] My goal is to allow lan users to access a greater number of sites if they explicitly configure the squid proxy server in their browsers and authenticate. If they don't then traffic to port 80 and 443 will be transparently redirected to a squid proxy serv