Hello,
I have a Squid proxy server (proxy A) and I redirect all its traffic to
another proxy (proxy B) using a parent cache peer.
However, proxy B requires an SSL certificate to be used so it can intercept
the HTTPS requests and read them.
I want to specify the path of the CA certificate to Squid
On 3/05/20 12:58 am, Akshay Hegde wrote:
> Dear Amos,
>
> Can you please elaborate, I didn't understand. If possible can you
> explain with one example ? I mean behaviour of security and privacy
> flaws when
> strip_query_terms is on and when strip_query_terms is off.
>
That directive only affec
On 5/05/20 9:04 pm, mariolatif741 wrote:
> Hello,
>
> I have a Squid proxy server (proxy A) and I redirect all its traffic to
> another proxy (proxy B) using a parent cache peer.
>
> However, proxy B requires an SSL certificate to be used so it can intercept
> the HTTPS requests and read them.
>
On 5/05/20 4:31 am, Alex Rousskov wrote:
> On 5/3/20 10:41 PM, Scott wrote:
>
>> acl tcp_open_connect_sslbump at_step SslBump1
>> acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
>> acl guest_net_src src x.y.z.0/24
>>
>> ssl_bump peek tcp_open_connect_sslbump
>> ssl_bump
Since you said "If the client is participating in the TLS handshake it
*always* requires
the CA to be installed.", then I guess what I want to do is not possible.
Can I make Squid send the requests received from the client to the cache
peer? (so the cache peer would see the requests coming from t
On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote:
> Since you said "If the client is participating in the TLS handshake it
> *always* requires the CA to be installed.", then I guess what I want to do
> is not possible.
>
> Can I make Squid send the requests received from the client to the
On 5/05/20 9:48 pm, mariolatif741 wrote:
> Since you said "If the client is participating in the TLS handshake it
> *always* requires
> the CA to be installed.", then I guess what I want to do is not possible.
>
> Can I make Squid send the requests received from the client to the cache
> peer? (s
The purpose of proxy A is that it's the proxy that will be given to my
clients. The purpose of all that I am doing is to let my clients use proxy B
indirectly through proxy A (so they can use proxy B without installing the
CA certificate)
Antony Stone wrote
> On Tuesday 05 May 2020 at 11:48:12, ma
On Tuesday 05 May 2020 at 12:21:19, mariolatif741 wrote:
> The purpose of proxy A is that it's the proxy that will be given to my
> clients. The purpose of all that I am doing is to let my clients use proxy
> B indirectly through proxy A (so they can use proxy B without installing
> the CA certific
On 5/05/20 10:21 pm, mariolatif741 wrote:
> The purpose of proxy A is that it's the proxy that will be given to my
> clients. The purpose of all that I am doing is to let my clients use proxy B
> indirectly through proxy A (so they can use proxy B without installing the
> CA certificate)
>
It soun
hi all,
I want to allow only zip files via a specific url regex
atm I'm allowing all attachments
^https://attachments.office.net/owa/.*
could I do this to lock it down to only zips
^https://attachments.office.net/owa/.zip
thanks,
rob
--
Regards,
Robert K Wild.
On 5/05/20 11:38 pm, robert k Wild wrote:
> hi all,
>
> I want to allow only zip files via a specific url regex
>
> atm I'm allowing all attachments
>
> ^https://attachments.office.net/owa/.*
>
> could I do this to lock it down to only zips
>
> ^https://attachments.office.net/owa/.zip
>
That
cool thanks Amos :)
if you're interested these are my lines in my config
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access allow special_url
http_reply_access de
On 5/5/20 5:38 AM, Amos Jeffries wrote:
> On 5/05/20 4:31 am, Alex Rousskov wrote:
>> On 5/3/20 10:41 PM, Scott wrote:
>>> https://wiki.squid-cache.org/Features/SslPeekAndSplice says "At no point
>>> during ssl_bump processing will dstdomain ACL work".
>> I have not tested this, but I would expec
On 6/05/20 12:42 am, robert k Wild wrote:
> cool thanks Amos :)
>
> if you're interested these are my lines in my config
>
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.t
On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
>
> Can anyone help on the below issue.
> I tried changing the order of deny and allow acl but it did not yield
> any result.
>
What are the contents of the denylist.txt file?
This usually happens when things in there are not the right dstdomain
synt
Thanks Amos,
so how would I allow these URLs with a wildcard then
Http://domain.com/path/1/to/any/where
Http://domain.com/path/2/to/any/where
Would I do this
Http://domain.com/path/*
Thanks,
Rob
On Tue, 5 May 2020, 14:04 Amos Jeffries, wrote:
> On 6/05/20 12:42 am, robert k Wild wrote:
>
On 6/05/20 1:39 am, robert k Wild wrote:
> Thanks Amos,
>
> so how would I allow these URLs with a wildcard then
>
> Http://domain.com/path/1/to/any/where
>
> Http://domain.com/path/2/to/any/where
>
> Would I do this
>
> Http://domain.com/path/*
>
No. As the url_regex ACL name says, these
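As an added example (not code from the thread, from Amos, or from Squid itself), the script below replays the two url_regex patterns quoted in this thread (the `.*` attachment pattern and the proposed `.zip` one) and the `/path/*` wildcard against constructed URLs, next to a hardened pattern of my own. Squid compiles url_regex patterns as POSIX extended regular expressions; the assumption here is that Python's `re` module behaves identically for these simple patterns. All sample URLs, the `hardened_zip` pattern and the helper function names are this example's, and the `ignore_case` flag only stands in for Squid's `-i` ACL option.

```python
import re

# Constructed sample URLs for the demonstration (not taken from the thread).
SAMPLE_URLS = [
    "https://attachments.office.net/owa/report.zip",
    "https://attachments.office.net/owa/report.zip?download=1",
    "https://attachments.office.net/owa/xzipper.exe",
    "https://attachments.office.net/owa/payload.zip.exe",
    "https://attachments-office.net/owa/report.zip",   # lookalike host
    "https://attachments.office.net/owa/REPORT.ZIP",
]

PATTERNS = {
    # Pattern quoted in the thread: allows everything under /owa/.
    "posted_all": r"^https://attachments.office.net/owa/.*",
    # Pattern proposed in the thread for "only zips": the unescaped '.' is
    # "any one character" and nothing anchors the end of the URL.
    "posted_zip": r"^https://attachments.office.net/owa/.zip",
    # Hardened form (this example's own): dots escaped, the path must end in
    # ".zip", an optional query string is tolerated, nothing may follow.
    "hardened_zip": r"^https://attachments\.office\.net/owa/[^?]*\.zip(\?[^#]*)?$",
}


def url_regex_match(pattern: str, url: str, ignore_case: bool = False) -> bool:
    """Emulate one url_regex line. ignore_case plays the role of Squid's -i flag."""
    flags = re.IGNORECASE if ignore_case else 0
    # Regex ACLs are unanchored searches, so ^ and $ in the pattern do the anchoring.
    return re.search(pattern, url, flags) is not None


def evaluate(patterns=PATTERNS, urls=SAMPLE_URLS, ignore_case: bool = False):
    """Return {pattern_name: {url: matched}} for every pattern/URL pair."""
    return {name: {u: url_regex_match(p, u, ignore_case) for u in urls}
            for name, p in patterns.items()}


def wildcard_vs_regex(url: str):
    """Contrast the glob-style '/path/*' asked about in the thread with a real
    regex prefix. In a regex '*' quantifies only the preceding '/', so the
    first pattern also matches '/path' and '/pathological...'."""
    glob_as_regex = r"^http://domain.com/path/*"
    prefix_regex = r"^http://domain\.com/path/"
    return url_regex_match(glob_as_regex, url), url_regex_match(prefix_regex, url)


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for url, ok in results.items():
            print(f"  {'MATCH' if ok else '     '} {url}")
    for u in ("http://domain.com/path/1/to/any/where",
              "http://domain.com/pathological",
              "http://domain.com/path"):
        print(u, wildcard_vs_regex(u))
```

Two practitioner caveats go with this. url_regex is case-sensitive unless the ACL is declared with `-i`, so `REPORT.ZIP` slips past a lowercase allow rule. And the full path of an https:// URL is only visible to Squid when the request is plain HTTP or the TLS session is bumped; for an un-bumped CONNECT tunnel the "URL" Squid evaluates is just `host:port`, and a path-based url_regex can never match it.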
Are there plans to support explicit forward proxy over HTTPS to the proxy
with ssl-bump? We would like to use https_port ssl-bump without using the
intercept or tproxy option. Clients will use PAC with a HTTPS directive
rather than a PROXY directive. The goal is also to encrypt the CONNECT
header
Alex, thank you for the quick reply.
They are not actually passing a url to the squid server. The nginx config
allowed me to have a line as such:
proxy_pass https://calcconnect.vertexsmb.com/vertex-ws/services/CalculateTax
The xml just got passed straight through to the url in the config
I may be mistaken but I believe you don't need to use ssl-bump with
explicit https proxy.
In your browser settings, use an HTTPS proxy instead of HTTP.
On Tue, May 5, 2020 at 10:19 AM Ryan Le wrote:
> Are there plans to support explicit forward proxy over HTTPS to the proxy
> with
> ssl-bump? We
Thanks a lot Amos, as always you have been very helpful
Much appreciated mate
Rob
On Tue, 5 May 2020, 14:55 Amos Jeffries, wrote:
> On 6/05/20 1:39 am, robert k Wild wrote:
> > Thanks Amos,
> >
> > so how would I allow these URLs with a wildcard then
> >
> > Http://domain.com/path/1/to/any/wh
Hello,
we are using Squid 3.5.21 and trying to implement negotiate
authentication, based on Kerberos and NTLM.
Browsing the internet works fine, even with ACLs based on Active Directory
groups.
Unfortunately we can't call java web start applications:
java.io.IOException: Unable to
On 05.05.20 10:24, Felipe Polanco wrote:
> I may be mistaken but I believe you don't need to use ssl-bump with
> explicit https proxy.
> In your browser settings, use an HTTPS proxy instead of HTTP.
and squid needs https_port to accept https traffic.
> On Tue, May 5, 2020 at 10:19 AM Ryan Le wrote:
On 5/5/20 10:22 AM, Cindy Yoho wrote:
> They are not actually passing a url to the squid server. The nginx config
> allowed me to have a line as such:
>
> proxy_pass https://calcconnect.vertexsmb.com/vertex-ws/services/CalculateTax
> The xml just got passed straight through to the url in the co
On 5/5/20 10:18 AM, Ryan Le wrote:
> Are there plans to support explicit forward proxy over HTTPS to the proxy
> with ssl-bump?
There have been a few requests for TLS-inside-TLS support, but I am not
aware of any actual sponsors or features on the road map. It is a
complicated project, even though
Hi All
Can anyone help on the below issue.
I tried changing the order of deny and allow acl but it did not yield any
result.
Regards
Arjun K
On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K wrote:
Hi All
The below is the configuration defined in the proxy server.The issue is that
the
Hi Amos
Thanks for your response and suggestions and I will incorporate your inputs in
the configuration. Please find the below contents of the denylist, as I am
unable to attach it as a document due to restrictions.
.hotmail.com
*.appex-rf.msn.com
*.itunes.apple.com
auth.gfx.ms
broadcast.skype.com
c.bing.c
Hi All,
Thanks for providing the information.
The issue is not related to the server certificate SNI. It's related to
exposing a few other sensitive data points such as the domain which is
clearly exposed in the CONNECT header. This would be exposed regardless of
TLS 1.3. Also, there are other head
On 6/05/20 4:47 am, Arjun K wrote:
> Hi Amos
>
> Thanks for your response and suggestions and I will incorporate your
> inputs in the configuration.
> Please find the below contents of denylist as I am unable to attach as a
> document due to restrictions.
>
> .hotmail.com
The above is dstdomain
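As an added example (not from the thread, from Amos, or from Squid's own code), here is a small Python checker for a dstdomain list in the shape of the one pasted above. It encodes the dstdomain matching rule: an entry with a leading dot matches that domain and every subdomain, an entry without one matches only that exact host, comparison is case-insensitive, and `*` has no wildcard meaning in this ACL type, so a `*.` entry silently never matches anything. The sample list, the host names in it and the helper function names are constructed for the example.

```python
import re

# Constructed denylist text (not the one pasted in the thread) with the kinds
# of entries that trip up dstdomain: a glob-style "*." prefix and a full URL.
SAMPLE_DENYLIST = """\
# hosts that must not be reached through the proxy
.hotmail.com
*.example-cdn.net
auth.example.org
https://tracker.example.com/collect

broadcast.example.com
"""

# Bare host name: optional leading dot, then dot-separated labels of
# letters, digits and hyphens. Enough to spot entries that are not host names.
_HOSTNAME_RE = re.compile(r"^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def dstdomain_matches(entry: str, host: str) -> bool:
    """Apply Squid's dstdomain rule for one list entry against one host.

    A leading dot means "this domain and every subdomain"; without it the
    entry matches only that exact host. Matching is case-insensitive and
    '*' is an ordinary character that no real host name contains.
    """
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    if entry.startswith("."):
        bare = entry[1:]
        return host == bare or host.endswith("." + bare)
    return host == entry


def lint_dstdomain_list(text: str):
    """Return [(lineno, entry, problem)] for entries that dstdomain cannot
    match the way the list's author most likely intended."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments are skipped in ACL files
        if "://" in entry or "/" in entry:
            problems.append((lineno, entry,
                             "URL or path: dstdomain takes bare host names only"))
        elif entry.startswith("*"):
            problems.append((lineno, entry,
                             "'*' is literal here; use a leading '.' for subdomains"))
        elif not _HOSTNAME_RE.match(entry):
            problems.append((lineno, entry, "not a valid host name"))
    return problems


def denylist_blocks(text: str, host: str) -> bool:
    """True if any entry, read the way dstdomain reads it, matches host."""
    entries = [line.strip() for line in text.splitlines()
               if line.strip() and not line.strip().startswith("#")]
    return any(dstdomain_matches(e, host) for e in entries)


if __name__ == "__main__":
    for lineno, entry, problem in lint_dstdomain_list(SAMPLE_DENYLIST):
        print(f"line {lineno}: {entry!r}: {problem}")
    for host in ("mail.hotmail.com", "img.example-cdn.net", "www.auth.example.org"):
        verdict = "blocked" if denylist_blocks(SAMPLE_DENYLIST, host) else "NOT blocked"
        print(f"{host}: {verdict}")
```

Running the linter before reloading Squid is the cheap check: an allow/deny ordering change (as tried in the thread) cannot help when the entries themselves never match, and a `*.` entry in a denylist fails open rather than closed.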