On 3/6/24 08:48, Jason Marshall wrote:
We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
simple pass-through proxy without issue for the past month or so.
Recently our security team implemented an IPS product that intercepts
domain names known to be associated with malware
On 4/18/24 2:46 PM, Albert Shih wrote:
So what I'm trying to do is to use ACL according to the user who makes
the ssh connection, I don't want «another» authentication.
About the only thing that comes to mind is RFC 931 (?) ident (might be
okay on the same system) or something that matches the
On 9/4/21 1:58 PM, Alex Rousskov wrote:
the best way is to name your ports and use the myportname ACL instead
of trying to match one of the many port numbers associated with
transparent connections, especially when Squid has a tendency to
"swap" source and destination addresses in that context.
On 9/6/21 1:28 PM, Alex Rousskov wrote:
http_port ... name=PortGettingGreenTraffic
acl greenTraffic myportname PortGettingGreenTraffic
whatever_directive ... greenTraffic
Interesting. I'll have to do some reading ~> learning to understand
better. But I believe you have given
On 9/12/21 10:16 PM, Mehrdad Fatemi wrote:
Hi Everyone,
Hi,
TL;DR: Proxy Auto Configuration
I'm looking for an elegant technology option to have telcos zero-rate
all of the traffic to a set of online destinations.
I assume that "zero rating" means that specific destinations, e.g. the
pro
On 9/14/21 7:12 PM, Grant Taylor wrote:
I have concerns about "SSL terminating". It sounds to me like you are
decidedly outside of the typical enterprise or home network scenario
where you are wanting to terminate / intercept / bump-in-the-wire TLS
connections. As such, I hav
On 9/14/21 6:09 PM, Amos Jeffries wrote:
b) If those upstream servers are embedding URLs for clients to directly
contact the XaaS services. Then your desire is not possible without
redesigning the upstream service(s) such that they stop exposing their
use of the XaaS. Which often also means red
On 9/22/21 6:44 AM, roee klinger wrote:
Hello,
Hi,
I have an internal network in our office where we want to redirect every
google search to a Duckduckgo search instead, I already have a script
written that knows how to take the Google URL and convert it to Duckduckgo.
I am reading about h
On 9/24/21 3:18 PM, Alex Rousskov wrote:
If it is correct, then it is not clear how the change of an IP address
would affect those making API requests using the domain name, and
what role Squid is playing here.
To build on Alex's good question, are the API client's sending the API
calls /thro
On 9/24/21 3:26 PM, Mike Yates wrote:
Ok so let's say the new server outside the dmz has a different name.
Are you going to re-configure the clients to use the new / different
name? Or do you need to re-configure either the intermediate Squid or
the target; Fred, also running squid, to trans
On 9/27/21 7:32 AM, Mike Yates wrote:
Let me ask this then
I just want squid to redirect any requests (http for instance) to
a specific external url so for instance http://mysuidserver:80 to
http://externalserver:80 ...
What does "redirect" mean in this context?
Is it an HTTP 301 / 302
On 9/27/21 6:52 AM, Mike Yates wrote:
So my idea is to install a single squid server and redirect the internal
servers to that url instead of the original one.
Your use of "redirect" sounds like you will be re-configuring the
clients to connect to the squid server.
Will you be configuring th
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the auth
On 10/16/21 1:31 PM, Markus Moeller wrote:
I think you talk about a kdc proxy, which is for another case.
I don't think so. I'm not talking about using a proxy to access the KDC.
I'm talking about using a component of the following scenario:
1) Client uses traditional username and password
On 10/17/21 10:46 AM, Markus Moeller wrote:
I see, I think this would mean using Basic Auth to proxy1 which then
gets a Kerberos ticket for the user to authenticate to proxy2. This is
possible, but I would not think it is a good secure option.
I think that we're now talking about the same fu
On 10/17/21 10:57 AM, Grant Taylor wrote:
My understanding is that you can use Kerberos from client0 to proxy1 and
that proxy1 can use the same mechanism to get a special ticket to
communicate from proxy1 to proxy2 as the original user.
I looked at my copy of Kerberos - The Definitive Guide
Hi,
I ran across the following statement referring to Squid in an ancient
Sys Admin article talking about Linux Transparent Proxy.
Source Quench Introduced Delay (SQuID) is a popular freeware proxy
server for UNIX machines (see "Software Resources" sidebar for more
information).
Where the
On 10/3/22 1:35 PM, Alex Rousskov wrote:
There is no relationship between the SQuID concept (RFC 1016) and our
Squid Cache. I double-checked with Duane, the Squid creator. I bet the
author of that article thought that Squid is an acronym and found a
matching acronym in RFC 1016 :-).
Thank you
On 10/19/22 8:33 AM, Alex Rousskov wrote:
I do not know exactly what you mean by "https proxy" in this context,
but I suspect that you are using the wrong FireFox setting. The easily
accessible "HTTPS proxy" setting in the "Configure Proxy Access to the
Internet" dialog is _not_ what you need!
On 10/19/22 11:33 PM, Rafael Akchurin wrote:
The following line set in the Script Address box of the browser proxy
configuration will help - no need for a PAC file for quick tests. Be
sure to adjust the proxy name and port.
data:,function FindProxyForURL(u, h){return "HTTPS proxy.example.lan:8
On 10/20/22 9:49 AM, Matus UHLAR - fantomas wrote:
proxy autoconfig is javascript-based but uses very limited javascript.
My comment was more directed at why is $LANGUAGE_DOESNT_MATTER used /in/
/the/ /location/ /field/?
while I agree javascript is not ideal, it's very hard to configure
pro
On 10/20/22 11:58 PM, Adam Majer wrote:
It's basically by convention now.
Sure.
Conventions change over time.
Long enough ago 3128 wasn't the conventional port for Squid.
It used to be a convention to allow smoking in public / government
offices. Now the convention is the exact opposite.
On 10/21/22 2:25 AM, Matus UHLAR - fantomas wrote:
apparently this is a hack to be able to define proxy autoconfig in the
location field.
Since it has very restricted capabilities, it's apparently non-issue.
I guess that you can only define FindProxyForURL() this way.
ACK
Thank you for the
On 10/21/22 11:25 AM, Grant Taylor wrote:
I remember reading things years ago where people would use a bog
standard FTP client to connect to an /FTP/ server acting as an /FTP/
proxy.
I knew that I had seen something about using an FTP proxy that wasn't
HTTP related.
I encourage you to
On 10/21/22 2:51 AM, Matus UHLAR - fantomas wrote:
I should have added, that squid does support FTP proxying using one of
hacks I mentioned (I haven't tested it yet).
I think I used Squid's FTP protocol support years ago.
And, since this requires other (FTP) protocol than the default (HTTP) at
On 10/21/22 11:30 PM, Amos Jeffries wrote:
Not just convention. AFAICT was formally registered with W3C, before
everyone went to using IETF for registrations.
Please elaborate on what was formally registered. I've only seen 3128 /
3129 be the default for Squid (and a few things emulating squi
On 10/24/22 9:48 AM, LEMRAZZEQ, Wadie wrote:
But anyway, my next step is to use a PAC file, since it is the legacy
method, if this doesn't work either I'm gonna use stunnels
I have (a superset of) the following in my PAC file.
It is working perfectly fine for me across multiple browsers and
m
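The data: URL trick quoted above and the PAC file mentioned here both come down to one function, FindProxyForURL(). The following is an added example, not the PAC file from this thread or anything shipped by the Squid project: it sends local names and RFC 1918 addresses DIRECT, returns "HTTPS host:port" so the browser wraps its connection to the proxy in TLS (falling back to a plain "PROXY" entry), and only hands the schemes Squid proxies to it. The proxy name proxy.example.lan, the ports 3128/3129 and the .example.lan domain are assumptions; the helper functions at the top are small shims for routines every browser's PAC runtime provides natively, included only so the file runs offline under Node.

```javascript
// --- shims for the PAC runtime (browsers supply these; assumed re-implementations) ---
function isPlainHostName(host) {
  // A host with no dots is a bare intranet name.
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate a shell glob into an anchored regex: escape specials, then * -> .* and ? -> .
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isInNet(host, pattern, mask) {
  // Only literal dotted-quad hosts are handled here; a browser would resolve names first.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (a) => a.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// --- the PAC logic itself (assumed names: proxy.example.lan, .example.lan) ---
function FindProxyForURL(url, host) {
  // Bare names, our own domain and private address space never touch the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.lan") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Squid handles http, https (via CONNECT) and ftp-over-http; anything else goes direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*") && !shExpMatch(url, "ftp:*")) {
    return "DIRECT";
  }
  // "HTTPS host:port" means: speak TLS to the proxy itself on 3129 (an https_port in
  // Squid terms). This is the TLS-secured-proxy setting, not the browser dialog's
  // "HTTPS proxy" box for https:// URLs. If that fails, fall back to the plain proxy.
  return "HTTPS proxy.example.lan:3129; PROXY proxy.example.lan:3128";
}
```

To try it without serving a file, paste the FindProxyForURL() function after data:, in the browser's automatic proxy configuration URL field, exactly as the message above suggests; only Firefox-family browsers accept data: PAC URLs, so serve the file over plain http for anything else and keep the TLS leg on the proxy side. Note the fallback list is evaluated in order, so a proxy that cannot be reached over TLS silently degrades to cleartext; drop the PROXY entry if that is not acceptable.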
On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:
if by "transparent" you mean "intercepting" proxy, that is incorrect
By "transparent" I mean using network techniques to force clients to use
a proxy that aren't themselves aware that they are using a proxy.
CONNECT is an HTTP command designed
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote:
I prefer to explicitly state what one means by transparent because
RFC2616 has defined transparent proxy differently:
I do too. I /thought/ that I was explicitly stating. At least that was
my intention.
Aside: That's why I included my wor
On 10/25/22 11:03 AM, Matus UHLAR - fantomas wrote:
I think intercepting is better, more precise.
I think that Squid can be an interception proxy as it can filter / alter
content.
I also think that Squid (as an interception proxy) can be used
transparently.
those two are completely separ
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote:
term "interception proxy" better defines what happens here:
Instead, an interception proxy filters or redirects outgoing TCP port
80 packets (and occasionally other common port traffic).
Where did you pull that quote from? I don't see "inte
On 10/25/22 12:57 PM, Matus UHLAR - fantomas wrote:
That is why I prefer using "intercepting proxy" for case where
connections between clients and servers intercepted by proxy, without it
being configured in browsers.
Fair enough.
precisely, so what exactly aren't you convinced about? :-)
On 10/25/22 1:01 PM, Matus UHLAR - fantomas wrote:
sorry, this one is from 7230, section 2.3
Thank you for the reference.
If we don't use "data" and "network" in addition to "transparent",
result is ambiguous. "intercepting proxy" is not.
Agreed.
It seems as if "transparent" in the contex
On 10/25/22 1:09 PM, Grant Taylor wrote:
It seems as if "transparent" in the context of proxies is as ambiguous
as "secure" in the context of VPNs.
The former can be "data transparent" and / or "network transparent". The
latter can be "privacy se
On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:
These are the FTP protocol "hacks" I mentioned before.
FYI RFC 1919: Classical versus Transparent IP Proxies § 4.1 --
Transparent proxy connection example -- describes the operation of an
intercepting / (network) transparent FTP proxy that do
On 10/26/22 10:43 AM, mingheng wang wrote:
Hello all,
Hi,
Since ssl_bump can generate self signed certificates on the fly, I
wonder if this setup is possible, or even just in theory:
clients with necessary root CA installed connect to a local Squid. With
ssl_bump and self signed certs,
On 10/25/22 7:27 PM, Sneaker Space LTD wrote:
Hello,
Hi,
Is there a way to use specific DNS servers based on the user or
connecting IP address that is making the connection by using acls or any
other method? If so, can someone send an example.
"Any other method" covers a LOT of things. In
On 10/30/22 6:59 AM, squ...@treenet.co.nz wrote:
Duane W. would be the best one to ask about the details.
What I know is that some 10-12 years ago I discovered an message by
Duane mentioning that W3C had (given or accepted) port 3128 for Squid
use. I've checked the squid-cache archives and not
On 10/31/22 7:32 PM, mingheng wang wrote:
Sorry about that, don't know why it only went to you.
Things happen. That's why I let people know, in case unwanted things
did happen.
I delved into the configuration the last few days, and found that
Squid doesn't officially support cache_peer whe
o the configuration the last few days, and found that
Squid doesn't officially support cache_peer when ssl_bump is in use.
But you may be addressing my statement (...):
On 11/1/22 10:44 AM, Grant Taylor wrote:
That surprises me. I wonder if it's a technical limitation or an
oversight.
On 1
On 11/1/22 1:24 PM, squ...@treenet.co.nz wrote:
No I meant W3C. Back in the before times things were a bit messy.
Hum. I have more questions than answers. I'm not aware of W3C ever
assigning ports. I thought it was /always/ IANA.
Indeed, thus we cannot register it with IETF/IANA now. The
On 11/1/22 6:27 PM, squ...@treenet.co.nz wrote:
No, you cropped my use-case description. It specified a client which was
*unaware* that it was talking to a forward-proxy.
Sorry, that was unintentional.
Such a client will send requests that only a reverse-proxy or origin
server can handle prop
On 11/2/22 4:03 AM, David Touzeau wrote:
It should be a good feature request that the Squid DNS client supports eDNS
eDNS can be used to send the source client IP address received by Squid
to a remote DNS.
Does Squid even have its own DNS "" / lookup mechanism?
I naively assumed that Squid s
On 11/1/22 4:17 PM, squ...@treenet.co.nz wrote:
Yes I was addressing mingheng's statement.
Thank you for clarifying.
The first thing you need to do is avoid that "HTTPS" term. It has
multiple meanings and they cause confusion. Instead decompose it into
its TLS and HTTP layers.
Largely okay
On 11/4/22 7:05 AM, Amos Jeffries wrote:
Aye, that is the terminology definitions of them. Which does not clearly
convey the recursive layer/nesting properties. The way I suggested to
think of TLS and HTTP as transfer layers helps clarify that property.
I will concede "differentiate", but I d
On 11/14/22 10:08 AM, Alex Rousskov wrote:
AFAICT, "Web Isolation" requires rewriting HTTP responses. Yes, Squid
can use an ICAP/eCAP content adaptation service to rewrite HTTP
responses.
I feel like just saying Web Isolation rewrites HTTP responses is about
like saying you're going to experi
On 3/10/23 7:19 PM, Peter Hucker wrote:
Somebody mentioned if Boinc accesses the internet through a proxy
(and I already have it going through squid to cache data) I can get
the proxy to disable this. Is this possible and how?
As Amos said, it depends.
I would assume that you could use somet
Pre-script: The following is in response to one specific statement from
Antony and not really Squid related.
On 7/1/23 5:08 PM, Antony Stone wrote:
There is no such thing as an ICMP proxy.
I'm not aware of an ICMP proxy. But my ignorance of one doesn't
preclude one (or more) from existing.
On 7/10/23 2:36 PM, Francesco Chemolli wrote:
Hi Robert,
Hi Francesco,
in my understanding that configuration turns Squid into a Socks
client. Outbound squid connections will then be proxied through a socks
proxy.
According to "this page" [1] linked from the "How to enable SOCKS5 for
Squ
On 9/11/23 4:23 AM, Jason Long wrote:
Does the Squid-cache team have any plans to add this feature?
Is there a particular reason that you want to see Squid add support as a
SOCKS server versus using a different existing SOCKS server? E.g. Dante
SOCKS server?
Dante is quite capable and can