Re: [squid-users] ssl_crtd initialization SSL db error

2015-10-14 Thread Amos Jeffries
On 15/10/2015 9:51 a.m., Ian Silvester wrote: > Hi all, > > I'm following the instructions on this page > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit > to set up Squid as an end-point for HTTPS communications, and am hitting > an error when attempting to create and initial

[squid-users] ssl_crtd initialization SSL db error

2015-10-14 Thread Ian Silvester
Hi all, I'm following the instructions on this page http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to set up Squid as an end-point for HTTPS communications, and am hitting an error when attempting to create and initialize an SSL certificates cache directory. Having take

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-27 Thread Stanford Prescott
Thanks for the props about Smoothwall. For SOHO environments, it's one of the best, IMHO. But then, I am not prejudiced at all. ;-) On Mon, Jul 27, 2015 at 7:33 AM, Eliezer Croitoru wrote: > It's pretty famous. > I have even used it for sometime in the past and from many firewall > distros it wa

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-27 Thread Eliezer Croitoru
It's pretty famous. I have even used it for sometime in the past and from many firewall distros it was one of the good ones. Eliezer On 26/07/2015 18:26, Stanford Prescott wrote: The OS is Smoothwall Express v3.1. A linux firewall distro not really based on any other of the major distros.

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-26 Thread Stanford Prescott
The OS is Smoothwall Express v3.1. A linux firewall distro not really based on any other of the major distros. On Sun, Jul 26, 2015 at 10:15 AM, Eliezer Croitoru wrote: > On 26/07/2015 03:33, Stanford Prescott wrote: > >> I did a new install of Squid 3.5.6 and it seems to be working now. >> > On

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-26 Thread Eliezer Croitoru
On 26/07/2015 03:33, Stanford Prescott wrote: I did a new install of Squid 3.5.6 and it seems to be working now. On what OS? Eliezer

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-25 Thread Stanford Prescott
I did a new install of Squid 3.5.6 and it seems to be working now. On Fri, Jul 24, 2015 at 7:24 PM, James Lay wrote: > On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote: > > Thanks for that. Any ideas why I am experiencing that? > > > Stan > > > > On Fri, Jul 24, 2015 at 7:07 PM, Jam

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread James Lay
On Fri, 2015-07-24 at 19:15 -0500, Stanford Prescott wrote: > Thanks for that. Any ideas why I am experiencing that? > > > > Stan > > > > > On Fri, Jul 24, 2015 at 7:07 PM, James Lay > wrote: > > On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote: > > > I

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread Stanford Prescott
Thanks for that. Any ideas why I am experiencing that? Stan On Fri, Jul 24, 2015 at 7:07 PM, James Lay wrote: > On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote: > > I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 > is started with ssl-bump enabled all the s

Re: [squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread James Lay
On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote: > I have a working implementation of Squid 3.5.5 with ssl-bump. When > 3.5.5 is started with ssl-bump enabled all the squid and ssl_crtd > processes start and Squid functions as intended when bumping ssl > sites. However, when I bump Squid

[squid-users] ssl_crtd process doesn't start with Squid 3.5.6

2015-07-24 Thread Stanford Prescott
I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 is started with ssl-bump enabled all the squid and ssl_crtd processes start and Squid functions as intended when bumping ssl sites. However, when I bump Squid to 3.5.6 squid seems to start but ssl_crtd does not and Squid 3.5.6

Re: [squid-users] ssl_crtd breaks after short time

2015-06-11 Thread Klavs Klavsen
James Lay wrote on 06/10/2015 03:18 PM: [CUT] I'm going to spin this off into a new thread..."Filtering http and https traffic" sometime later today. I have some questions, and maybe solutions. Much appreciated and much looked forward to.. hoping I can get what I had working with 3.4.12 - work

Re: [squid-users] ssl_crtd breaks after short time

2015-06-10 Thread James Lay
On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote: > Amos Jeffries wrote on 2015-06-09 17:10: > [CUT] > > You have to first configure ssl_bump in a way that lets Squid receive > > the clientHello message (step1 -> peek) AND the serverHello message > > (step2 -> peek). Then you can use those c

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Klavs Klavsen
Amos Jeffries wrote on 2015-06-09 17:10: [CUT] > You have to first configure ssl_bump in a way that lets Squid receive > the clientHello message (step1 -> peek) AND the serverHello message > (step2 -> peek). Then you can use those cert details to bump (step3 -> > bump). > The config is quite simple

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Amos Jeffries
On 10/06/2015 2:51 a.m., Klavs Klavsen wrote: > Amos Jeffries wrote on 06/09/2015 03:06 PM: >> >> The HTTP message log (access.log) is only logging the HTTP(S) messages. >> The non-HTTP protocols are not logged. >> >>> >>> 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT >>> 64.233.184.94:443

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Klavs Klavsen
Amos Jeffries wrote on 06/09/2015 03:06 PM: The HTTP message log (access.log) is only logging the HTTP(S) messages. The non-HTTP protocols are not logged. 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Amos Jeffries
On 9/06/2015 6:44 p.m., Klavs Klavsen wrote: > Hi, > > James Lay just replied to me with his current config.. (pretty much like > what he posted), and it seems he does not even try to use http_access > rules to filter on urls from https requests.. > > @Amos: are you certain that there's not an er

Re: [squid-users] ssl_crtd breaks after short time

2015-06-08 Thread Klavs Klavsen
Hi, James Lay just replied to me with his current config.. (pretty much like what he posted), and it seems he does not even try to use http_access rules to filter on urls from https requests.. @Amos: are you certain that there's not an error in how http_access rules are applied to bumped con

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 2:50 a.m., Klavs Klavsen wrote: > Amos Jeffries wrote on 06/04/2015 04:19 PM: >> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote: >>> after moving it here: >>> >>> http_access allow okweb-urls testsrv1 >>> http_access allow CONNECT bumpedPorts >>> http_access deny all >>> >>> it still allo

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 3:34 a.m., Klavs Klavsen wrote: > I would be perfectly fine with allowing the SSL bumping to finish for > ALL https sites - and then only block when the http request comes.. > > I'm hoping someone can tell me what I've done wrong in my config.. I'm > obviously not understanding how it

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
I would be perfectly fine with allowing the SSL bumping to finish for ALL https sites - and then only block when the http request comes.. I'm hoping someone can tell me what I've done wrong in my config.. I'm obviously not understanding how it works when https is involved.. it works as intended wi

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Amos Jeffries wrote on 06/04/2015 04:19 PM: On 5/06/2015 1:45 a.m., Klavs Klavsen wrote: after moving it here: http_access allow okweb-urls testsrv1 http_access allow CONNECT bumpedPorts http_access deny all it still allows everything.. Sigh. Sorry I must be half asleep right now. Your rules

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 1:45 a.m., Klavs Klavsen wrote: > after moving it here: > > http_access allow okweb-urls testsrv1 > http_access allow CONNECT bumpedPorts > http_access deny all > > it still allows everything.. Sigh. Sorry I must be half asleep right now. Your rules say: allow ... allow ... a

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
after moving it here: http_access allow okweb-urls testsrv1 http_access allow CONNECT bumpedPorts http_access deny all it still allows everything.. Amos Jeffries wrote on 06/04/2015 03:42 PM: On 5/06/2015 1:20 a.m., Klavs Klavsen wrote: Hi, I added the bumpedports - and now traffic works and

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 1:20 a.m., Klavs Klavsen wrote: > Hi, > > I added the bumpedports - and now traffic works and is allowed.. but it > allows everything on https.. :( > > Log says: > 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CONNECT 72.51.34.34:443 > HTTP/1.1" lwn.net - 200 28189 TCP_TUNNEL:ORIGIN

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
I tried this: http_access allow CONNECT testurls testsrv1 But that doesn't work. Klavs Klavsen wrote on 06/04/2015 03:20 PM: Hi, I added the bumpedports - and now traffic works and is allowed.. but it allows everything on https.. :( Log says: 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CON

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Hi, I added the bumpedports - and now traffic works and is allowed.. but it allows everything on https.. :( Log says: 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28189 TCP_TUNNEL:ORIGINAL_DST peek so it doesn't seem to check the http_access

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
oops.. forget it.. I missed I had two access logs.. the format from James Lay - works perfectly.. sorry :) Klavs Klavsen wrote on 06/04/2015 03:06 PM: One thing.. now when access a site.. f.ex. https://www.dr.dk the access log says: 1433423013.540196 10.47.171.244 TCP_TUNNEL/200 187877 CON

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
One thing.. now when access a site.. f.ex. https://www.dr.dk the access log says: 1433423013.540196 10.47.171.244 TCP_TUNNEL/200 187877 CONNECT 159.20.6.6:443 - ORIGINAL_DST/159.20.6.6 - instead of logging the url that was accessed.. How can I make it log the url as it did in 3.4.12? A

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Amos Jeffries wrote on 06/04/2015 01:24 PM: acl bumpedPorts myportname 3129 acl bumpedPorts myportname 3130 http_access allow CONNECT bumpedPorts Adding that worked.. I did not have any of that ssl_stuff in my 3.4 config (and it worked without). Thank you very much. -- Regards, Klavs

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 4/06/2015 7:55 p.m., Klavs Klavsen wrote: > Hi Amos, > > I tried taking the config from James.. but I have the exact same issue > as described below :( > > After adding the extra logging from James config - I get this in > access_log: > 1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONN

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Hi Amos, I tried taking the config from James.. but I have the exact same issue as described below :( After adding the extra logging from James config - I get this in access_log: 1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT 216.58.209.106:443 - HIER_NONE/- - which makes it s

Re: [squid-users] ssl_crtd helpers crashing too rapidly..

2015-06-02 Thread Klavs Klavsen
I just wrote with the same issue.. According to Amos this is fixed in later version, and you should run latest (currently 3.5.5) if you want transparent proxy'ing with https to work. I haven't gotten 3.5.5 to work yet in my end. turgut kalfaoğlu wrote on 06/02/2015 05:58 PM: Hello everyone..

[squid-users] ssl_crtd helpers crashing too rapidly..

2015-06-02 Thread turgut kalfaoğlu
Hello everyone.. I have been a squid user for a very long time. Currently I set it up as transparent proxy at a small LAN, proxying http and https as best as I can. I get the (squid-1): The ssl_crtd helpers are crashing too rapidly, need help! error.. selinux is disabled, and that ssl_db folder

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Amos Jeffries
On 3/06/2015 2:46 a.m., Klavs Klavsen wrote: > Amos Jeffries wrote on 06/02/2015 04:10 PM: >> On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: >>> Thank you Amos. >>> >>> I'll build 3.5.5 then.. >>> >>> any config changes I need to be aware of? >> >> --with-openssl instead of --enable-ssl is the only o

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Klavs Klavsen
Amos Jeffries wrote on 06/02/2015 04:10 PM: On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: Thank you Amos. I'll build 3.5.5 then.. any config changes I need to be aware of? --with-openssl instead of --enable-ssl is the only one that comes to mind right now. The release notes for 3.4 and 3.5 ha

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Amos Jeffries
On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: > Thank you Amos. > > I'll build 3.5.5 then.. > > any config changes I need to be aware of? --with-openssl instead of --enable-ssl is the only one that comes to mind right now. The release notes for 3.4 and 3.5 have the lists. Amos > > Amos Jeffrie

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Klavs Klavsen
Thank you Amos. I'll build 3.5.5 then.. any config changes I need to be aware of? Amos Jeffries wrote on 06/02/2015 03:38 PM: On 2/06/2015 8:33 p.m., Klavs Klavsen wrote: I've got squid 3.4.12 on centos 7, running with ssl bumping. options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Amos Jeffries
On 2/06/2015 8:33 p.m., Klavs Klavsen wrote: > I've got squid 3.4.12 on centos 7, running with ssl bumping. > options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/ -M 4MB -b 4096 > > After a while ssl stops working. This would be one (or two) of the bugs fixed in the 3.4.13 release. NOTE:

[squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Klavs Klavsen
I've got squid 3.4.12 on centos 7, running with ssl bumping. options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/ -M 4MB -b 4096 After a while ssl stops working. How can I make squid or ssl_crtd actually log errors? Any hints as to what I can investigate to figure out what is happening h

[squid-users] ssl_crtd

2015-01-20 Thread Steve Hill
At the moment I'm running Squid 3.4 with bump-server-first using the internal certificate generation stuff (i.e. not ssl_crtd). I can't find a lot of information about using/not using ssl_crtd so I was wondering if anyone can give me a run-down of the pros and cons of using it instead of the inte