[squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Andrea Venturoli
Hello. I'm having trouble accessing cachemgr with squidclient. As a test, I've added the following to my squid.conf as the first http_access line: http_access manager (I know this is dangerous and I've removed it after the test). Opening "http://10.1.2.39:8080/squid-internal-mgr/info" fro

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Andrea Venturoli
On 2/27/24 18:02, Alex Rousskov wrote: Hello and thanks for answering. You are suffering from one or several known problems[1,2] related to cache manager changes in v6+ code. Without going into complicated details, I recommend that you replace deprecated squidclient with curl, wget, or anot

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Andrea Venturoli
On 2/28/24 12:51, Francesco Chemolli wrote: Hi Andrea,   there's https://wiki.squid-cache.org/Features/CacheManager/Index , although it could probably be more explicit Hello and thanks. I had seen that document before posting, but,

Re: [squid-users] Tproxy or intercept

2024-07-13 Thread Andrea Venturoli
On 7/13/24 00:28, Jonathan Lee wrote: For the HTTP and https derivative is it better to use tproxy or intercept on FreeBSD? AFAIK TProxy does not work on FreeBSD, but I'd be glad to be proven wrong. bye av. ___ squid-users mailing list squ

Re: [squid-users] Tproxy or intercept

2024-07-13 Thread Andrea Venturoli
On 7/13/24 17:04, Jonathan David Lee FreeBSD Alpine wrote: Do you consider pfsense freebsd or openbsd based I know nothing about pfsense. because it does work, Good to know. What kind of firewall do you use? ipfw? pf? other? it does not in squid 6.6 requires a different ./ command in squi

Re: [squid-users] Tproxy or intercept

2024-07-14 Thread Andrea Venturoli
On 7/13/24 20:48, Jonathan Lee wrote: It works 6.6 it just have a different requirement to enable it. I am using a Netgate 2100 with pfSense. The difference is that it spoofs the IP of the client so the host doesn’t see the IP of the firewall when using intercept I am told. So transparent with

Re: [squid-users] RFC: Removal of ESI Support from Squid

2024-09-08 Thread Andrea Venturoli
On 9/7/24 17:43, Amos Jeffries wrote: Hi all, Hello.   DO you need ESI in Squid?  Yes or No.    Speak Now, or face regrets at upgrade time. I'd gladly answer, but my ignorance forbids me. Supposing I don't use ESI myself, would that me "No". Or can my users access (via Squid) a p

Re: [squid-users] RFC: Removal of ESI Support from Squid

2024-09-08 Thread Andrea Venturoli
On 9/8/24 18:49, Francesco Chemolli wrote: Hi,   ESI websites are not public; they are meant to be used in a reverse proxy environment. The ESI directives are interpreted by the reverse proxy and replaced with other content Thanks a lot. So I guess the answer is "NO: I don't need ESI in Squi

[squid-users] (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

2020-06-23 Thread Andrea Venturoli
Hello. Running Squid 4.11 on FreeBSD 11.3 with SSLBump, since a few days, I've got several sites (e.g. https://www.kawsaki.it/) failing with: The following error was encountered while trying to retrieve the URL: https://www.kawasaki.it/* Failed to establish a secure connection to 54.39.

[squid-users] FTP proxy

2020-12-06 Thread Andrea Venturoli
Hello. I'm trying to evaluate FTP proxying with squid and I have a couple of questions. To be clear, I'm not talking about FTP through HTTP, but about the ftp_port option. I've used frox (http://frox.sourceforge.net/) in the past for this. I see this feature was introduced in 3.5 as an expe

Re: [squid-users] FTP proxy

2020-12-06 Thread Andrea Venturoli
On 12/6/20 4:44 PM, Antony Stone wrote: Where is the firewall, compared to your Squid proxy, in the network? Squid runs on the firewall itself. I'm just wondering how you plan to use Squid's native FTP mode to bypass a firewall, which is therefore presumably blocking FTP...? It's not blo

Re: [squid-users] FTP proxy

2020-12-06 Thread Andrea Venturoli
On 12/6/20 5:01 PM, Antony Stone wrote: Oh, so you're in charge of both? Yes. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] FTP proxy

2020-12-07 Thread Andrea Venturoli
On 12/6/20 8:41 PM, Alex Rousskov wrote: AFAIK, FTP proxy is successfully used in some production environments, but I bet that most Squid deployments do not use this feature. YMMV. Thanks. Is there a way to restrict the port range of the additional connections (e.g. to 4-5)? I do

Re: [squid-users] FTP proxy

2020-12-07 Thread Andrea Venturoli
On 12/7/20 4:08 PM, Alex Rousskov wrote: On 12/7/20 5:03 AM, Andrea Venturoli wrote: I'm talking about the ports used by the clients to connect to Squid (besides 21), using passive FTP (i.e. those returned by PASV command). Just to avoid misunderstanding, "those returned by PA

[squid-users] Squid "suspending ICAP service for too many failures"

2021-01-27 Thread Andrea Venturoli
Hello. On a box I manage, Squid occasionally stops for a few minutes, blaming a communication error with C-ICAP (running SquidClamAV). In cache.log I see: 2021/01/04 14:24:24 kid1| suspending ICAP service for too many failures 2021/01/04 14:24:24 kid1| essential ICAP service is suspended: i

Re: [squid-users] Squid "suspending ICAP service for too many failures"

2021-01-29 Thread Andrea Venturoli
On 1/27/21 6:11 PM, Alex Rousskov wrote: Enable ICAP debugging and study cache.log for relevant messages, especially just before the "suspending ICAP service" message shown above. debug_options ALL,1 93,7 Thanks a lot. As expected, I see Squid connections to C-ICAP starting to time out:

Re: [squid-users] Squid "suspending ICAP service for too many failures"

2021-01-30 Thread Andrea Venturoli
On 1/29/21 8:38 PM, Alex Rousskov wrote: IIRC, you did not disclose timeout suspicions before. This explanation is news to me, and it eliminates several suspects. Sorry, I didn't say much in fact. I gave for granted that it was C-ICAP who stopped answering; I didn't suspect a Squid bug and ha

Re: [squid-users] Squid "suspending ICAP service for too many failures"

2021-01-31 Thread Andrea Venturoli
On 1/31/21 1:11 AM, Amos Jeffries wrote: As I said, they live on the same host, so it can't be a network problem. FYI, that conclusion does not follow. Even on the same host there is a full TCP/IP networking stack between Squid and ICAP server doing things to the packets. All localhost remo

Re: [squid-users] Squid "suspending ICAP service for too many failures"

2021-02-01 Thread Andrea Venturoli
On 2/1/21 8:56 AM, Andrea Venturoli wrote: It could be a network problem. However, I think that's unlikely (also given the host is monitored and I don't see alerts or other signs of such troubles). While I cannot exclude that completely, I think I should first investigate in other

Re: [squid-users] Squid caching webpages now days?

2021-08-01 Thread Andrea Venturoli
On 8/1/21 3:48 AM, Periko Support wrote: with most of the web sites running under https. SSL Bumping might help here. Whether it's worth the hassle, legal, etc... depends on your situation. Does caching still a good option with squid? Generally speaking, I find caching is nowadays mostly

[squid-users] ftp_port and squidclamav

2021-08-28 Thread Andrea Venturoli
Hello. I've got Squid (4.15) configured as an HTTP[s] server, with squidclamav: icap_enable on icap_send_client_ip on icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav adaptation_access service_req allow all icap_s

Re: [squid-users] ftp_port and squidclamav

2021-10-12 Thread Andrea Venturoli
On 8/28/21 17:10, Alex Rousskov wrote: Sorry for taking so long. Meanwhile I upgraded to Squid 5.0.6, but the problem was not solved. Reproduce the problem using a single transaction on an otherwise idle Squid with full debugging enabled and share the corresponding cache.log: https://wiki.s

Re: [squid-users] ftp_port and squidclamav

2021-10-12 Thread Andrea Venturoli
On 10/12/21 16:51, Alex Rousskov wrote: I am not sure, but I suspect that you are suffering from your ICAP service inability to handle REQMOD transactions with HTTP 100-Continue semantics, including (but not limited to) FTP STOR requests (translated into HTTP by Squid). Squid has a configurati

Re: [squid-users] How to pass TeamViewer traffic

2021-10-23 Thread Andrea Venturoli
On 10/22/21 17:24, Alex Rousskov wrote: I do not know much about TeamViewer, ... You do not need SslBump and https_port for this. AFAIK you *cannot* use SslBump, as TeamViewer pinpoints certificates. If someone can prove me wrong, I'd be curious to know how they manage this. bye av.

Re: [squid-users] How to pass TeamViewer traffic

2021-10-23 Thread Andrea Venturoli
On 10/23/21 18:56, Marcus Kool wrote: sslbump can be used in peek+splice and peek+bump modes. Sure. Depending on what Squid finds in the peek (e.g. a teamviewer FQDN) Squid can decide to splice (not interfere) the connection. I know. Perhaps I wasn't clear. What I was saying is that

Re: [squid-users] ftp_port and squidclamav

2021-11-02 Thread Andrea Venturoli
On 10/12/21 16:51, Alex Rousskov wrote: Squid has a configuration option to work around such adaptation service deficiencies: force_request_body_continuation. Please see if enabling that workaround helps in your environment: http://www.squid-cache.org/Doc/config/force_request_body_continuation

[squid-users] Intercepted connections are not bumped

2023-11-23 Thread Andrea Venturoli
Hello. I've got the following config: ... http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_s

Re: [squid-users] Intercepted connections are not bumped

2023-11-27 Thread Andrea Venturoli
On 11/27/23 11:11, Amos Jeffries wrote: First off, thanks for answering. For further assistance please also show your http_access and ACL config lines. They will be needed for a better analysis of what is going on. I'll start from here. It's quite long, but a reduced example is: acl local

Re: [squid-users] Intercepted connections are not bumped [SOLVED]

2023-12-15 Thread Andrea Venturoli
On 11/27/23 16:59, Andrea Venturoli wrote: That behaviour is why we typically recommend doing "peek" first Well, I thought this was what I was doing. As I said I had: acl step1 at_step SslBump1 ssl_bump splice !bumphosts !jails ssl_bump splice splicedom ssl_bump peek step1 ssl_bum

[squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-22 Thread Andrea Venturoli
Hello. I'm maintaining several installations on FreeBSD and I've been notified a specific web application is not working anymore after the upgrade. Accessing this app with FireFox and Squid 3.5.27, it works correctly. Doing the same after the upgrade to 4.1 lets the user arrive up to a poi

Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-23 Thread Andrea Venturoli
On 7/23/18 2:59 AM, Amos Jeffries wrote: FYI: The template delivered has inline javascript for hiding the messages that are irrelevant to this particular request. Sorry, I'm not sure I understand: template = squid's error page? If you open the URL in the browser (not debugging) it should r

Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-25 Thread Andrea Venturoli
On 7/22/18 3:29 PM, Andrea Venturoli wrote: http://xxx.xxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=X%20-%20Xxx%20xxx%20xxx%2030/12/2014%20-%20&x_=0&params={idDoc:%27C0002019%27,clasDoc:%27XX%27,nomeDoc:%27XXX

Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-25 Thread Andrea Venturoli
On 7/25/18 4:54 PM, Alex Rousskov wrote: On 07/25/2018 01:12 AM, Andrea Venturoli wrote: On 7/22/18 3:29 PM, Andrea Venturoli wrote: http://xxx.xxx.xx/rest?method=navi_path.add&opera=I029&tipo=0&descr=X%20-%20Xxx%20xxx%20xxx%2030/12/201

Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-25 Thread Andrea Venturoli
On 7/25/18 6:46 PM, Amos Jeffries wrote: What is your "squid -v" output? If --disable-http-violations is used then relaxed parser will not include those "must never be transmitted in un-escaped form" (RFC 2396) characters. It's there!!! Thanks for pointing me in the correct direction. I'm of

Re: [squid-users] Regression after upgrading 3.5.27 -> 4.1

2018-07-26 Thread Andrea Venturoli
On 7/25/18 7:07 PM, Andrea Venturoli wrote: On 7/25/18 6:46 PM, Amos Jeffries wrote: What is your "squid -v" output? If --disable-http-violations is used then relaxed parser will not include those "must never be transmitted in un-escaped form" (RFC 2396) characters. I

Re: [squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?

2019-01-21 Thread Andrea Venturoli
On 1/20/19 11:02 PM, Eliezer Croitoru wrote: The issue is that these sites are encrypted but do not offer any way of assuring real ISO and couple other compatibilities of the ORG. For a simple home user it’s fine most of the time but for some it’s not. Just out of curiosity, could you better

[squid-users] SqStat [was How to catch a big spender ?]

2019-04-05 Thread Andrea Venturoli
On 3/25/19 9:03 PM, Bruno de Paula Larini wrote: Search for "sqstat". The tool is very simple, but it works for me. Hello. I got curious about this and decided to try sqstat. I'm on FreeBSD and used the version in the port, which is 1.20; this seems to be the last available. It doesn't even

[squid-users] Squid won't download intermediate certificates

2020-01-29 Thread Andrea Venturoli
Hello. I'm experimenting SSLBump and I've got a problem: when a client visits a site which won't provide intermediate SSL certificates, the connection will fail. I read Squid 4 should download such certificates itself, however this does not succeed. I see in the logs something like: 15803343

Re: [squid-users] Squid won't download intermediate certificates

2020-01-30 Thread Andrea Venturoli
On 2020-01-30 09:15, i...@schroeffu.ch wrote: acl fetched_certificate transaction_initiator certificate-fetching cache allow fetched_certificate http_access allow fetched_certificate Thanks! This is exactly it. bye av.

[squid-users] Squid and DoH

2020-02-28 Thread Andrea Venturoli
Hello. In some corporate environment it might be desirable to have all clients use the internal DNS. This is easily done with firewalls until DNS-over-HTTP comes into play. How does Squid deal with this? How to block it? bye & Thanks av.

Re: [squid-users] Squid and DoH

2020-03-01 Thread Andrea Venturoli
On 2020-02-29 14:17, Matus UHLAR - fantomas wrote: I guess DoH means dns over https and thus needs sslbump enabled.  the easy but limited way would be to disable connections to publicly available DoH servers. Thanks. Is someone maintaining such a list? bye av.

Re: [squid-users] Squid and DoH

2020-03-01 Thread Andrea Venturoli
On 2020-02-29 10:19, Amos Jeffries wrote: With ACL that identify the relevant messages: acl dns-query-url urlpath_regex ^/dns-query\?? acl dns-req-message req_header Content-Type ^application/dns-message$ acl doh_request any-of dns-query-url dns-req-message acl doh_reply rep_heade

[squid-users] Squid + ClamAV

2020-03-06 Thread Andrea Venturoli
Hello. Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV? Normally I'd look for a specific mailing list, but it seems SquidClamAV has none. If this isn't the right place, can someone give a pointer on where to go? I setup the whole thing and it's working. However I oft

Re: [squid-users] [ext] Squid + ClamAV

2020-03-08 Thread Andrea Venturoli
On 2020-03-06 16:24, Ralf Hildebrandt wrote: * Andrea Venturoli : Hello. Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV? What do you need SquidClamAV for? Interesting question. I find information on the web scarce, but here (*) it states "In pra

Re: [squid-users] [ext] Squid + ClamAV

2020-03-09 Thread Andrea Venturoli
On 2020-03-09 16:01, Ralf Hildebrandt wrote: Actually, I don't know :) Thanks anyway. In my setung I'm using squid & c-icap with CLAMD. I'm scanning a few types only: virus_scan.ScanFileTypes EXECUTABLE ARCHIVE FWS CWS DOCUMENT DATA TEXT That was an idea I had too, i.e. limiting scanned

[squid-users] X-Forwarded-For breaks a site

2017-01-30 Thread Andrea Venturoli
Hello. I've been invited to visit a web site and I couldn't see it. Bypassing squid would solve the problem, so I made some researches and saw that adding "forwarded_for transparent" to my config would do. I'm wondering what the reason might be... tcpdump showed that: 1) initial connecti

Re: [squid-users] skype connection problem

2016-10-25 Thread Andrea Venturoli
On 10/25/16 16:26, Yuri Voinov wrote: You LAN settings is too restrictive. AFAIK you require to permit traffic to skype servers directly from your clients. Without proxy. Any hint on how to identify those servers? Any IP list? bye & Thanks av.

Re: [squid-users] skype connection problem

2016-10-25 Thread Andrea Venturoli
On 10/25/16 16:43, Yuri Voinov wrote: Wireshark? :) No good: I don't trust MS not to change them the next day. In my environment this not required. Neither in mine, but some customer insists on using this Skype crap and while the Windows

[squid-users] Getting "browser history" from squid logs

2016-11-01 Thread Andrea Venturoli
Hello. I'd think this question would have appeared so many times, still searching the web did not help... I'm familiar with Squid logs and even with some of the several software that produces reports out of that. However I've been asked to provide something close to a browser history, i.e. g

[squid-users] Squid + ecap + clamav

2024-09-29 Thread Andrea Venturoli
Hello. I've been using Squid + C-icap + SquidClamAV + ClamAV for a long time in order to filter web content. However this has lately been troublesome, leading to occasional hard-to-diagnose temporary failures ("ICAP protocol error"). So I'm pondering moving from ICAP to eCAP, like described

Re: [squid-users] Squid + ecap + clamav

2024-10-03 Thread Andrea Venturoli
On 10/2/24 23:30, Alex Rousskov wrote: Disadvantages of using eCAP+ClamAV adapter include being dependent on a relatively old libecap and ClamAV eCAP adapter implementation. Ah! I got it all wrong then... I thought ICAP was older and eCAP was meant to replace it. Thanks for clarifying. I

[squid-users] Squid + c-icap + SquidClamav + ClamAV

2024-10-03 Thread Andrea Venturoli
Hello. I've got several machines with the following software: FreeBSD 13.3, 13.4 or 14.1 Squid 6.10 c-icap 0.5.12 SquidClamav 7.3 ClamAV 1.3.2 This combination usually works pretty well, but it occasionally chokes, with the client seeing: ICAP protocol error The system returned: [No Error] O

Re: [squid-users] Squid + c-icap + SquidClamav + ClamAV

2024-10-03 Thread Andrea Venturoli
On 10/3/24 18:29, Alex Rousskov wrote: Since the problem is frequent on that one host, I recommend privately sharing[1] a pointer to compressed debugging cache.log collected while > ... I'll try ASAP. It is enough to record one or two problematic cases. If only it was so easy to know in