Hi Eliezer,
I am not aware of a tool that has all functionality that you seek so you
probably have to make it yourself.
I know that you are already familiar with ufdbGuard for Squid to block access, but you can also use ufdbGuard for temporary access by including a time-restricted whitelist in t
Not sure if this message was meant for the Squid mailing list but for those who
are interested, the DNS provider had an issue with DNSSEC resigning and all is
well now.
Marcus
On 28/05/2024 15:23, Anton Kornexl wrote:
Hello,
since two days the domain urlfilterdb.com is not resolved to an IP
I am not :-)
On 01/06/2024 06:24, Jonathan Lee wrote:
Marcus are you the same guy that does the pfSense Squid GUI package
interference code??
Sent from my iPhone
On May 30, 2024, at 01:38, Marcus Kool wrote:
Not sure if this message was meant for the Squid mailing list but for those
who
bugs.squid-cache.org is not working now, but I think this is bug 4906.
Marcus
On 2020-07-28 15:01, Alex Rousskov wrote:
On 7/28/20 5:38 AM, ama...@tin.it wrote:
thanks for your suggestion.
That specific suggestion was not mine :-)
For free Squid support, please keep the conversation on squi
Of course this script is sluggish since it reads many category files and forks
at least 3-6 times.
If you *really* want to implement this with a perl script, it should read all
files at startup and the script does a lookup using perl data structures.
But I suggest to look at ufdbGuard which is
DNS over HTTPS is used for privacy and also to circumvent filters.
If one wants to filter websites, one must block /all/ filter circumvention
techniques as well (or the filter is useless).
shameless plug: the URL database of URLfilterDB has a category dnsoverhttps
which can be used to block DN
sslbump can be used in peek+splice and peek+bump modes.
Depending on what Squid finds in the peek (e.g. a teamviewer FQDN) Squid can
decide to splice (not interfere) the connection.
Below is an example.
Marcus
# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
# define acl
Hi, I am the author of ufdbGuard and ufdbGuard supports Squid 5.x
The SARG error in access.log has nothing to do with ufdbGuard.
On 09/11/2021 08:45, Majed Zouhairy wrote:
hmmm, this started happening after the last squid update.. i just noticed it is
now version 5.2
i have ufdbguard but i do
I would have expected that the remote host ip:port and sni would be logged
as well in the above mentioned line.
SNI is one of the details TLS/1.3 encrypts now :(
To prevent misunderstandings, TLS 1.3 does not encrypt the SNI.
See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni :
On 20/09/2022 20:52, Pintér Szabolcs wrote:
Hi squid community,
I need to find most best and sustainable way to build a stable High
Availability squid cluster/solution for about 40k users.
Parameters: I need HA, caching(little objects only not like big windows
updates), scaling(It is just sec
The squid log file contains the IP address of clients and could be a good field
to use for counting users. But a NAT shows 1 IP for all users behind the NAT...
Marcus
On 19/01/2023 15:48, Ben Goz wrote:
By the help of God.
Hello,
I have a certain task to count the number of unique devices c
"SSL bump" is the name of a complex Squid feature.
With ssl_bump ACLs one can decide which domains can be 'spliced' (go through
the proxy untouched) or can be 'bumped' (decrypted).
Interception is not a requirement for SSL bump.
Marcus
On 13/03/18 11:44, Danilo V wrote:
I mean SSL bump in exp
ufdbGuard is the tool that you need.
It is an old fork of ufdbGuard with many new features, very good performance
and it has regular maintenance.
If you have a question, you can ask the support desk at www.urlfilterdb.com.
You will get an answer from me or a colleague.
Marcus
On 14/03/18 09:39
On 14/03/18 10:55, Nicolas Kovacs wrote:
On 14/03/2018 at 14:46, Marcus Kool wrote:
ufdbGuard is the tool that you need.
It is an old fork of ufdbGuard with many new features, very good
performance and it has regular maintenance.
If you have a question, you can ask the support desk at
pcmag.com also does not load here, although my config parameters are slightly
different.
The certificate is indeed huge...
Do you have
ERROR: negotiating TLS on FD NNN: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
or other errors in cache.log ?
M
The proxies that I used for the test have Squid 4.0.22 and Squid 4.0.23.
Marcus
On 15/05/18 15:40, Amos Jeffries wrote:
On 16/05/18 01:32, Marcus Kool wrote:
pcmag.com also does not load here, although my config parameters are
slightly different.
The certificate is indeed huge...
Do you have
195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165).
ufdbguardd blocks this IP address since it is configured to do so which is
indicated by 'https-option', most likely because the config has
option enforce-https-with-hostname on # default is off.
Marcus
On 17/05/18 08
I do not block my Kaspersky AV.
Do you want the Kaspersky software to contact the servers of Kaspersky ?
On 17/05/18 09:30, Vacheslav wrote:
Yeah all that I know, The million dollar question is should I continue blocking
it?
-Original Message-
From: squid-users On Behalf Of
Marcus Kool
I have seen systemd killing daemons when it times out waiting for the pid file
to appear.
I suggest to doublecheck that the pid filename in the service file and in
squid.conf are the same.
Marcus
On 13/06/18 09:27, James Lay wrote:
Well I'll just say up front that systemd is not my friend.
The original intention of this default value is have a queue that is twice the size of the messages being processed, so for helpers with concurrency=NCONC and num_children=NCHILD it makes a lot of
sense to set the default queue length to 2*NCONC*NCHILD.
I do not understand that "compatibility" wi
.
My proposal of higher of (2*NCONC) and (2*NCHILD) would mean that load is now
regularly high enough that at least 2 more children are needed.
We can start with that and then find a better formula.
Amish
On Tuesday 03 July 2018 07:49 PM, Marcus Kool wrote:
The original intention of this default
Thanks for the clarification. The squid.conf.documented file says
The queue-size=N option sets the maximum number of queued requests to N.
which, for me at least, is hard to translate into
maximum number of requests buffered because no helper can accept it.
On 03/07/18 13:09, Alex Roussko
On 03/07/18 12:54, Alex Rousskov wrote:
On 07/03/2018 08:19 AM, Marcus Kool wrote:
If you think Squid should use a different default for all or some helper
categories, please post a proposal that documents pros and cons and
justifies the change. The URL above can be used as your guide to
-size may need adjustment
Thanks
Marcus
On 03/07/18 17:50, Alex Rousskov wrote:
On 07/03/2018 10:52 AM, Marcus Kool wrote:
I do like to see better documentation for the new queue-size option.
Including your one-liner in squid.conf.documented is enough for me.
I wish it were that simple! For
yes, with ufdbguard you put
youtube.com/watch?v=VIDEOID
in a urls file and create a URL table with ufdbGenTable.
ufdbGenTable adds many URLs automagically, i.e.
youtube.com/embed/VIDEOID
youtube.com/get_video_info?video_id=VIDEOID
ytimg.googleusercontent.com/vi/VIDEOID
and many more.
lot less effort by simply adding a
couple dns entries for Google's safesearch servers.
#justsayin
Signed,
Benjamin E. Nichols
Founder & Chief Architect
http://www.squidblacklist.org
1-405-301-9516
Original message
From: Marcus Kool
Date: 8/16/18 7:53 PM (GMT-06:00)
To: s
URL video
"https://www.youtube.com/embed/ff9sDLGtnK8?rel=0&showinfo=0".
How should I set the DNS entries please?
Regards,
2018-08-17 9:51 GMT-03:00 Marcus Kool :
OP asked about blocking Youtube but allowing a single Youtube video.
How would you do that with a couple of DNS entries ?
On 04/09/18 11:20, Amos Jeffries wrote:
On 4/09/18 7:33 PM, Ahmad, Sarfaraz wrote:
With debug_options ALL,9 and retrieving just this page, I found the following
relevant loglines (this is with an explicit CONNECT request) ,
... skip TLS/1.2 clientHello arriving
Later on after about 10 s
On 18/09/18 23:03, Amos Jeffries wrote:
On 19/09/18 1:54 AM, neok wrote:
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me.
Regarding ufdbGuard, if I understood correctly, what you recommend is to use
the ufdbConver
On 20/09/18 08:46, Amos Jeffries wrote:
On 19/09/18 11:49 PM, Marcus Kool wrote:
On 18/09/18 23:03, Amos Jeffries wrote:
On 19/09/18 1:54 AM, neok wrote:
Thank you very much Amos for putting me in the right direction.
I successfully carried out the modifications you indicated to me
The sub-thread starts with "do not use the url rewriter helper because of
complexity"
and ends with that the (not less complex) external acl helpers are fine to use.
And in between there is an attempt to kill the URL rewriter interface.
It would be a lot less confusing if you started with someth
On 19/10/18 14:09, Alex Rousskov wrote:
On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote:
On 10/19/2018 02:01 AM, Amish wrote:
Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
universal. (Of course it may be few years away)
Probably only way out to detect the domain n
When there is an issue with a certificate, it is good practice to go to ssllabs
to verify what is going on.
https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which
means that the server
I have an issue with access_log acls when a load balancer sends a TCP probe.
The goal is to not log errors caused by the TCP probes of the load balancer.
All other errors must be logged.
I did a test with the following acls on one of our test systems to illustrate
the issue:
logformat combha
On 27/11/2018 13:58, Alex Rousskov wrote:
On 11/27/18 5:21 AM, Marcus Kool wrote:
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
access_
4.5 would be nice. 4.6 would also be nice.
On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:
On 11/27/18 5:21 AM, Marcus Kool wrote:
logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %ha
acl src_lb src 10.2.2.254/32
acl src_lb src 10.2.2.107/32
access_log stdio:/l
On Wed, Nov 28, 2018 at 12:24:30PM +0100, Matus UHLAR - fantomas wrote:
> On 27.11.18 15:04, Marcus Kool wrote:
> > 4.5 would be nice. 4.6 would also be nice.
>
> OK, I will rephrase my question: which squid version do you find this in?
This issue was found in Squid 4.3
>
Wolfgang, why don't you stop using squidguard which has no support for 5+ years
and switch to ufdbGuard?
ufdbGuard is regularly maintained and has a Reference Manual that explains what
and how to whitelist domains.
Marcus
On 28/12/2018 07:18, Wolfgang Paul Rauchholz wrote:
Problem staqtemen
*From:* squid-users *On Behalf Of
*Marcus Kool
*Sent:* Friday, December 28, 2018 12:14
*To:* squid-users@lists.squid-cache.org
*Subject:* Re: [squid-users] Whitelisting youtube
Wolfgang, why don't you stop using squidguard which has
For those who do not know it yet: ufdbGuard is free.
ufdbGuard supports user-defined URL databases, 3rd party plain-text URL
databases, and a commercial database from www.urlfilterdb.com.
Marcus
On 03/01/2019 13:45, Benjamin E. Nichols wrote:
Why are you asking support questions about a comm
ufdbGuard supports blacklists, whitelists, large numbers of whitelists, users
and acls.
The configuration file is intuitive and if the Reference Manual does not
explain everything, one can also write to the support desk of URLfilterDB or
the ufdbguard mailing list.
Just for the record, I am b
Squid is an ICAP client, not an ICAP server!, and does not respond on port 1344.
Marcus
On 02/03/2019 22:29, steven wrote:
Hi,
i would like to do modifications on https connections and therefore enabled ssl
bump in squid 4.4, now i would like to see the real traffic and icap looks like
a way
I think you are suffering from this bug:
https://bugs.squid-cache.org/show_bug.cgi?id=4906
Marcus
On 13/03/2019 10:09, Joey Officer wrote:
I’m running a squid instance in AWS behind a network load balancer. As part of the health checks, at least that’s what I believe, we’re seeing this log
The ufdbGuard source files and packages have an example config file.
If you have a ufdbGuard-specific issue I suggest to use the list of ufdbGuard
or go directly to the support desk of URLfilterDB.
Marcus
On 18/03/2019 06:39, Nicolas Kovacs wrote:
Hi,
I've been running the Squid + SquidGuar
On Linux you can use iptables to do qos and make sure that a single connection
does not consume all bandwidth.
Marcus
On 30/07/2019 10:22, Service MV wrote:
Just to explain clearly, my goal is that no user of my LAN can download more
than 15 megabits/s, because some downloads consume me 100
On 02/03/2020 08:46, Ralf Hildebrandt wrote:
* Andrea Venturoli :
On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:
I guess DoH means dns over https and thus needs sslbump enabled. the easy
but limited way would be to disable connections to publicly available DoH
servers.
Thanks.
Is someone
Amos,
The latest version of Squid is 4.10. Do you mean "fixed in 4.10" instead of "fixed
in 4.8" ?
Thanks,
Marcus
On 18/04/2020 14:10, Amos Jeffries wrote:
__
Squid Proxy Cache Security Update Advisory SQUID-2019:4
yes, I have seen this with Squid _with_ ssl_bump. In trying to resolve the issue I also upgraded to Squid 4.11, removed the certificate cache and still had messages that the certificate expired on
May 30 2020. Doublechecked all certificates but none has this expiry date.
We have a wildcard cer
Is it an EdgeRouter ?
I am interested since Ubiquiti has poor documentation.
Marcus
On 11/20/2016 05:31 PM, Eliezer Croitoru wrote:
I have a tiny Ubiquiti edge router here and I can publish the rules for
routing ports 80 and 443 and 53 into the squid\dns box.
Any interest in such a guide in th
On 23/01/17 15:31, Alex Rousskov wrote:
On 01/23/2017 04:28 AM, Yuri wrote:
1. How does it work?
My response below and the following commit message might answer some of
your questions:
http://bazaar.launchpad.net/~squid/squid/5/revision/14769
This seems that the feature only goes to
On 23/01/17 17:23, Yuri Voinov wrote:
[snip]
I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659
a week ago but there has not been any activity.
Is there someone who has sslproxy_foreign_intermediate_certs
working in Squid 4.0.17 ?
Seems works as by as in 3.5.x. As I can see
The terminology may be confusing:
ssl_bump means more or less "looking at HTTPS traffic"
ssl_bump splice means "do not bump/intercept HTTPS traffic. No fake CA certificates
are used"
ssl_bump bump means "bump/intercept HTTPS traffic and use a fake CA
certificate"
So the question is
On 21/02/17 17:17, Amos Jeffries wrote:
Is it possible to path %-encoded URL to squidGuard ?
Not with Squid-3.4. The 3.5 releases have a url_rewrite_extras directive
which takes logformat codes. You could use that to send an extra
%-encoded copy of the URL to the helper in addition to the no
On 10/03/17 16:27, Yosi Greenfield wrote:
Thanks!
Netflow is much larger.
I really want to know exactly what site is costing my users data. Many of
our users are on metered connections and are paying for overage, but I can't
tell where that overage is being used. Are they using youtube, webma
maintained,
uses less resources and has more features than squidGuard.
ufdbGuard can be downloaded from https://sourceforge.net and
https://www.urlfilterdb.com
Marcus Kool
author of ufdbGuard
___
squid-users mailing list
squid-users@lists.squid
The root cause of why admins configure SMP + [A]UFS is the lack of good
documentation.
A few lines in the wiki and squid.conf.documented should be enough.
Marcus
On 19/03/17 06:11, Eliezer Croitoru wrote:
I think that some warning message like "WARNING: be sure you know that UFS\AUFS
doesn'
ufdbGuard is a URL filter which given the input
www.youtube.com/watch?v=XX
blocks the following URLs:
www.youtube.com/watch?v=XX
www.youtube.com/embed/XX
www.youtube.com/get_video_info?video_id=XX
ytimg.googleusercontent.com/vi/XX/
i.ytimg.
Looks like MS uses multiple servers for msftconnecttest.com and that they send
different content.
On 02/05/17 08:59, Ralf Hildebrandt wrote:
In some cases, our proxies (got 4 of them) return an empty result when
querying "http://www.msftconnecttest.com/ncsi.txt" (which is used by
Microsoft Brwo
Hi Edouard,
To block GET https://www.example.com/foo.html and to pass CONNECT
www.example.com you need
a) squid with ssl-bump in peek+bump mode
b) ufdbGuard
ufdbGuard can skip the CONNECT and waits for the GET request
which can be blocked without browser errors.
Since ssl-bump is not easy it i
You have not stated which version of Squid you are using but my guess is that
it is 3.5.x.
facebook app and other apps use port 443 but do not use HTTPS and therefore
Squid does not know how to bump it and consequently the app does not work.
What you need is the not yet stable Squid 4.0 and use the
If you use foxyproxy for firefox, you can use switchysharp for Chrome.
Marcus
On 25/05/17 09:00, j m wrote:
Thought I'd try getting this to work in Chrome too. NOTHING I try makes it
work in Chrome. Isn't running this from the Windows command line supposed to
work?
chrome --proxy-server=h
Hi Eliezer,
what is the analyzer looking at?
Does it detect gambling and support other languages than English ?
Thanks
Marcus
On 08/07/17 18:47, Eliezer Croitoru wrote:
Hey All,
I have been working for quite some time on a basic YouTube videos filtering
integration into SquidBlocker.
I have a v
I am trying to debug ssl-bump and am looking specifically for decisions that
Squid takes with regard to bumping, splicing and unsupported protocol.
The config file for Squid 4.0.21 has
debug_options ALL,1 33,9 83,9
http_port 10.10.10.1:3230 ssl-bump ...
acl tls_is_skype ssl::server_na
On 09/08/17 05:15, Ralf Hildebrandt wrote:
* Marcus Kool :
I have only seen regex failing with such short RE on AIX.
what is your OS, distro, CPU and lib version ?
Ubuntu Linux LTS 16.04 (xenial)
x86_64 (amd64)
I guess you mean libc:
ii  libc6:amd64  2.23-0ubuntu9
Debian 9 has openssl 1.1.x while most platforms have older versions.
I noticed myself when I ported ufdbGuard to Debian 9 that openssl 1.1.x has
many changes in the API.
Marcus
On 13/10/17 13:19, Sérgio Abrantes Junior wrote:
Hello,
I installed this package to resolve this: libssl1.0-dev
20
wrote:
I installed this package to resolve this: libssl1.0-dev
why not libssl-dev?
On 13.10.17 15:16, Marcus Kool wrote:
Debian 9 has openssl 1.1.x while most platforms have older versions.
that means, you should use libssl-dev unless you know squid can't compile
with openssl-1.1
Opens
It is not clear what exactly you want to achieve.
Block everything from youtube ?
Amos told you that squidGuard is not maintained for many years but forgot to
mention that ufdbGuard does the same thing and has regular updates.
ufdbGuard has a feature to block a set of Youtube videos identified b
There is definitely a problem with available memory because Squid cannot fork.
So start with looking at how much memory Squid and its helpers use.
Do you have other processes on this system that consume a lot of memory ?
Also note that ufdbGuard uses less memory than squidGuard.
If there are 30 he
ly this is not the issue.
When Squid cannot fork the helpers, helper settings do not matter much.
For 2500 users you probably need 32-64 squidguard helpers.
Marcus
Thanks for help,
On Wed, Nov 8, 2017 at 10:53 AM, Marcus Kool
wrote:
There is definitely a problem with available memory bec
Hi Vieri,
I suggest to replace squidGuard with ufdbGuard.
Then you can set
ufdb-debug-filter 1
or
ufdb-debug-filter 2 # very verbose
in ufdbGuard.conf and see exactly what happens.
Note that squidguard has no maintenance for over 5 years and ufdbGuard has
regular maintenance.
Marcus
O
disk caching.
Thanks for help,
Marcus
Thanks for help,
On Wed, Nov 8, 2017 at 10:53 AM, Marcus Kool
wrote:
There is definitely a problem with available memory because Squid cannot
fork.
So start with looking at how much memory Squid and its helpers use.
Do you have other processes on this s
On 10/11/17 12:11, Bike dernikov1 wrote:
On Thu, Nov 9, 2017 at 5:13 PM, Marcus Kool wrote:
On 09/11/17 11:04, Bike dernikov1 wrote:
[snip]
Memory consumption: squid use largest part of memory (12GB now,
second process use 300MB memory), 14GB used by all process. So squid
use over 80% of
On 13/11/17 07:46, Bike dernikov1 wrote:
are you saying that you have
cache_mem 14G
If yes, you should read the memory FAQ and reduce this.
'cache_mem 14G' explains that Squid starts 'small' and grows over time.
For our case, what do you recommend. 10GB or even lower ?
Plan reading today
On 13/11/17 10:46, Bike dernikov1 wrote:
On Mon, Nov 13, 2017 at 12:15 PM, Marcus Kool
wrote:
On 13/11/17 07:46, Bike dernikov1 wrote:
are you saying that you have
cache_mem 14G
If yes, you should read the memory FAQ and reduce this.
'cache_mem 14G' explains that Squid sta
* Choices.
Overall, there are three options for handling an impossible situation:
1. Quit Squid process. This is what Squid does today in most cases.
When the impossible happens, you get a crash. Very predictable.
No malformed/corrupted/misleading HTTP messages (some are truncated).
This is not really #4. It is an enhancement for any of the three
options. IIRC, Squid even supported gdb stack tracing natively on some
platforms (but a script would arguably be better, except for busy
proxies that cannot be blocked for 2-4 seconds it takes to run that script).
This already
On 04/29/2016 07:17 PM, joe wrote:
hi i have 2 cpu 4 core each
i need to leave alone first processor and use the second one for squid and
its helper
is that will do ??? taskset 0x00f0 squid -YC -f /etc/squid/squid.conf
or other way around ??
so i can keep the kernel and other program ru
On 06/06/2016 04:27 AM, FredB wrote:
Hello all,
I'm trying to use a server with 64 Go of ram, but I'm faced with a problem,
squid can't work with more than 50% of memory
What is cache_mem ?
See also http://wiki.squid-cache.org/SquidFaq/SquidMemory
After that the swap is totally full and
On 06/06/2016 07:27 AM, FredB wrote:
Thanks for your answer
What is cache_mem ?
See also http://wiki.squid-cache.org/SquidFaq/SquidMemory
Actually 25 Gb
I tried different values, but I guess no matter, the problem is that the squid
limit is only 50% of ram
After that the swap is totally
On 06/08/2016 05:05 PM, Sergio Belkin wrote:
Hi,
I've been using a few years ago squid+dansguardian. But nowadays, DG is not
maintained anymore. I know that exists squidGuard, ufdbGuard, and e2guardian.
Features should be:
- Blocking https url's
Blocking HTTPS URLs is easy.
However, provi
On 06/08/2016 05:54 PM, Sergio Belkin wrote:
- Not need of interception. is that possible?
It depends. If you support smartphones, you most likely need interception
since not all apps can be configured to use a proxy.
With only desktops, interception is not required but
On 06/08/2016 07:53 PM, Sergio Belkin wrote:
Thanks Eliezer, good summary. I've changed the subject to reflect better the
issue. As far I understand from documentation one can bump https only by
interception.
No. ssl-bump works very well with regular proxy mode, i.e. the browsers
configure
On 06/09/2016 11:26 PM, Sergio Belkin wrote:
2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.k...@urlfilterdb.com>:
On 06/08/2016 07:53 PM, Sergio Belkin wrote:
Thanks Eliezer, good summary. I've changed the subject to reflect
better the issue. As far I und
On 06/12/2016 12:34 PM, Eng Hooda wrote:
Hello Squid Users,
I have searched for this but I could not find an answer.
After I peek for media streaming sites using sslbump , I terminate the
connection on match , which produces secure connection failed on the client
browser .
Is there a way to r
On 06/15/2016 04:30 AM, FredB wrote:
Maybe I'm wrong, but the server is also using many memories for TCP
cat /proc/net/sockstat
sockets: used 13523
TCP: inuse 8612 orphan 49 tw 31196 alloc 8728 mem 18237
UDP: inuse 14 mem 6
UDPLITE: inuse 0
RAW: inuse 0
FRAG: inuse 0 memory 0
netstat -lataupe
On 06/15/2016 04:22 AM, reqman wrote:
Hello all,
I have been running squid 2.7.X alongside squidguard 1.4 on a FreeBSD
8.x box for years. Started out some 10 years ago, with a much older
squid/squidguard/FreeBSD combination.
Having to upgrade to FreeBSD 10.3, I examined my option regarding
sq
On 06/15/2016 08:24 AM, reqman wrote:
I have been using squidGuard for 10+ years. Not the best one could
have, but I am accustomed to its use and idiosyncrasies. Furthermore,
it is package well supported on FreeBSD.
You are mentioning ufdbGuard. Are its lists free for government use?
If not,
On 06/16/2016 02:19 AM, reqman wrote:
Seems nice. But I did not find any concrete documentation howto.
There is a Reference Manual at the download section of ufdbGuard:
https://www.urlfilterdb.com/downloads/software_doc.html
There is also a mailing list for ufdbGuard at sourceforge and
you c
On 06/16/2016 10:21 PM, Eliezer Croitoru wrote:
I have a non-public question but if you can share it will be nice.
What is the users size\capacity of the system?
I am asking since I have seen that many squidGuard based systems have acted
slower than with ICAP.
By slower I mean that the initial
On 06/22/2016 11:10 AM, hans.mey...@fn.de wrote:
Do you think it's necessary to have an additional https antivir proxy to normal
client antivirus? We are using Avast Business that already offers a web
protection. Can an additional antivir proxy
significant higher the level of protection? In g
On 06/30/2016 09:10 AM, Amos Jeffries wrote:
...
The on_unsupported_protocol directive is about what its name says *any*
unsupported protocol. Not ICQ specific.
I think the issue here is that Skype looks at the binary level like TLS.
TLS being a supported protocol if it looks close enough th
On 07/06/2016 11:36 AM, Steve Hill wrote:
I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS
app which seems to be doing broken things with the SNI.
The app is making an HTTPS connection to a server and presenting an SNI with a wildcard
in it - i.e. "*.example.com
On 07/06/2016 10:07 PM, Alex Rousskov wrote:
On 07/06/2016 05:01 PM, Marcus Kool wrote:
On 07/06/2016 11:36 AM, Steve Hill wrote:
I'm using a transparent proxy and SSL-peek and have hit a problem with
an iOS app which seems to be doing broken things with the SNI.
The app is making an
On 07/07/2016 07:15 AM, Amos Jeffries wrote:
On 7/07/2016 1:55 p.m., Marcus Kool wrote:
On 07/06/2016 10:07 PM, Alex Rousskov wrote:
On 07/06/2016 05:01 PM, Marcus Kool wrote:
On 07/06/2016 11:36 AM, Steve Hill wrote:
I'm using a transparent proxy and SSL-peek and have hit a problem
On 07/07/2016 09:23 AM, Amos Jeffries wrote:
On 7/07/2016 11:30 p.m., Marcus Kool wrote:
On 07/07/2016 07:15 AM, Amos Jeffries wrote:
On 7/07/2016 1:55 p.m., Marcus Kool wrote:
On 07/06/2016 10:07 PM, Alex Rousskov wrote:
On 07/06/2016 05:01 PM, Marcus Kool wrote:
On 07/06/2016 11:36
On 07/07/2016 10:49 AM, Yuri wrote:
A similar question can be asked about SNI names containing unusual
characters. At some point, it would be too dangerous to include SNI
information in the fake CONNECT request because it will interfere with
HTTP rules, but it is not clear where that point is
Hi Michael,
Can you share with us what you ended up with?
Thanks
Marcus
On 06/18/2015 12:28 AM, Michael Pelletier wrote:
Which one would be good for capacity\load? I have a very, very large
environment. I have 220,000 users on 8 Gig to the INTERNET. I am running a load
balancer, ipvsadm (Dir
On 08/03/2016 12:30 AM, Amos Jeffries wrote:
If that's not fast enough, you may also wish to patch in a larger value
for HTTP_REQBUF_SZ in src/defines.h to 64KB with a matching increase to
read_ahead_gap in squid.conf. That has had some mixed results though,
faster traffic, but also some assert
On 08/03/2016 10:27 AM, Amos Jeffries wrote:
On 3/08/2016 9:45 p.m., Marcus Kool wrote:
On 08/03/2016 12:30 AM, Amos Jeffries wrote:
If that's not fast enough, you may also wish to patch in a larger value
for HTTP_REQBUF_SZ in src/defines.h to 64KB with a matching increase to
On 08/04/2016 10:08 AM, Heiler Bemerguy wrote:
Sorry Amos, but I've tested with modifying JUST these two sysctl parameters and
the difference is huge.
Without maximum tcp buffers set to 8MB, I got a 110KB/s download speed, and
with a 8MB kernel buffer I got a 9.5MB/s download speed (via squ