Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-02-12 Thread NgTech LTD
What distro are you using? On Mon, 12 Feb 2024, 13:47, Stephen Borrill < sq...@borrill.org.uk> wrote: > On 16/01/2024 14:37, Alex Rousskov wrote: > > On 2024-01-16 06:01, Stephen Borrill wrote: > >> The problem is no different with 6.6. Is there any more debugging I > >> can provide, Alex

Re: [squid-users] Upgrade path from squid 4.15 to 6.x

2024-06-05 Thread NgTech LTD
Depends on the config structure. If you can send me a private email with the config reduced sensitive details it will help to understand the scenario. Eliezer On Wed, 5 Jun 2024, 17:31, Akash Karki (CONT) < akash.ka...@capitalone.com> wrote: > Hi Team, > > We are running on squid ver 4.15 and

Re: [squid-users] Upgrade path from squid 4.15 to 6.x

2024-06-14 Thread NgTech LTD
Hey Amis, Ok, so with the tools we have available, can we take this case and maybe write a brief summary of changes between the squid features versions? I can't guarantee time limit but it would be very helpful from the community to get feedback in such cases. If anyone has done this kind of ta

Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid

2024-07-30 Thread NgTech LTD
Hey, The dnat rule should be done on the squid itself. You will need to re-route the relevant traffic over the ipsec tunnel to the squid ip. It's possible to do that over ipip or gre tunnels. Eliezer On Tue, 30 Jul 2024, 15:41, Bolinhas André < andre.bolin...@articatech.com> wrote: > I h

Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid

2024-07-30 Thread NgTech LTD
also need some kind of > > -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT > > ? > > Best regards > Sent from Nine <http://www.9folders.com/> > -- > *From:* NgTech LTD > *Sent:* Tuesday, 30 July 2024 14:44 > *To:* B

[squid-users] Threat feed like utility

2024-08-17 Thread NgTech LTD
te devices they have Threat feeds which can be either wildcard which is dstdomain like and also full urls and ip addresses, couple types of feeds. In squid world I would call it an ACL feed which can be used in the context of a real ACL or an external software. An example feed can be seen at:

[squid-users] Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

2024-08-19 Thread NgTech LTD
I am testing Squid 6.10 on Fedora 40 (their package). And it seems that Squid is unable to bump clients (ESNI/ECH)? I had couple iterations of peek stare and bump and I am not sure what is the reason for that: shutdown_lifetime 3 seconds external_acl_type whitelist-lookup-helper ipv4 ttl=10 childre

Re: [squid-users] squid5.5 restart failure due to domain list duplication

2024-09-10 Thread NgTech LTD
If you need a helper that will resolve this issue ie cleanup it's pretty simple to write one for you. Eliezer On Thu, 5 Sep 2024, 8:53, YAMAGUCHI NOZOMI (JIT ICC) < nozomi.yamaguchi...@jalinfotec.co.jp> wrote: > To whom it may concern, > > If there were duplicate domains in the list of do

Re: [squid-users] Trusted first verification regarding cross root cert

2020-06-29 Thread NgTech LTD
Upgrading to 1.1 on a running os is a challenge for any sysadmin. Eliezer On Mon, Jun 29, 2020, 13:30 wrote: > Hi Amos, > > >Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has > >had the feature *partially* backported to it. > >I suggest you upgrade to Squid-4 and build aga

Re: [squid-users] High memory usage under load with caching disabled, memory is not being freed even with no load

2020-08-05 Thread NgTech LTD
I think that the mgr:info or another page there contains the amount of requests per second etc. also netstat or ss -ntp might give some basic understanding about this server size. are you using dynamic memory on the hyper-v hypervisor? Eliezer On Wed, Aug 5, 2020, 19:59 Ivan Bulatovic wrote: >

Re: [squid-users] High memory usage under load with caching disabled, memory is not being freed even with no load

2020-08-05 Thread NgTech LTD
n Hyper-V 2019 server), > with 8 virtual processors and 12GB of RAM (although I can increase > that if that is the problem, but I thought that without caching this > would be more than enough). > > I am not using dynamic memory on Hyper-V (it is turned off for this VM). > > B

[squid-users] NgTech REPO is up for now.

2020-12-23 Thread NgTech LTD
Hey, The ngtech repo is up and running. I cannot guarantee that network bursts will not interrupt the service from time to time. However The repo now is at: http://ngtech.co.il/repo/ There is no HTTPS at all on this service so.. if the browser forces you to use HTTPS I recommend curl or wget. If

Re: [squid-users] How do I rotate access.log?

2020-12-29 Thread NgTech LTD
Hey Roee, On what version of OS can it be tested, also is the package from the distribution or self compiler? Eliezer On Tue, Dec 29, 2020 at 5:36 PM roee klinger wrote: > > Hey, > > I know there is plenty of information on this online but for some reason, > this feature is simply not working

[squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-29 Thread NgTech LTD
I have seen this issue on Windows clients over the past. Windows nslookup shows that the query has timed out after 2 seconds. On Linux and xBSD I have researched this issue and have seen that: the DNS server is doing a recursive lookup and it takes from 7 to 10++ seconds sometimes. When I pre-warn

Re: [squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-30 Thread NgTech LTD
DNS (4096bytes) big packages allowed > > > And is the firewall allowing UDP and TCP packages on port 53 > > > > > > I run 3 samba-AD dns servers with Bind9_DLZ > > > My proxy runs a Bind9 caching and forwarding setup. > > > The primay DNS domain is for

Re: [squid-users] Connection occasionally not ending after adapting response with ICAP

2020-12-30 Thread NgTech LTD
An icap tcpdump pcap file might help to understand something. Eliezer On Wed, Dec 30, 2020, 16:10 Moti Berger wrote: > I have a setup with squid 5.0.4 with ICAP server handling responses. The > ICAP server redirects based on some parameters of the response. > > To test this setup, I use cURL li

[squid-users] Youtube and other search engines strict enfrocment in Squid?

2020-12-30 Thread NgTech LTD
I have seen this article at: https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing Which offers a solution in the DNS resolution level from one domain to another using CNAME records. The basic example would be: www.youtube.com TO restrict.youtu

Re: [squid-users] PCI Certification compliance lists

2021-01-03 Thread NgTech LTD
I'm trying to figure out what can be done with 5.0.4. I believe there is either a bug or misunderstanding by me what and how things should be done or configured. The first thing is to be able to bump all and add exceptions. The second would be to bump specific sites. As i noticed in the past it se

Re: [squid-users] cache_peer selection based on username

2021-01-10 Thread NgTech LTD
Squid provides the acl login or username. http://www.squid-cache.org/Doc/config/acl/ should have maybe ident. you will need to include a usernames file which contains them. I believe a note in a helper should do that better. Eliezer On Sun, Jan 10, 2021, 17:33 roee klinger wrote: > Hey, > > I

Re: [squid-users] Microsoft store issues with ssl-bump

2021-01-12 Thread NgTech LTD
I'm saying that my config might be wrong and I will send you a full config save which can show you the whole setup like most vendors have. I have upgraded squid in production. Let me verify first before shouting "bug". Eliezer On Tue, Jan 12, 2021, 12:15 Amos Jeffries wrote: > On 12/01/21 10:15

Re: [squid-users] Making destination IP available in ICAP REQMOD request

2021-01-17 Thread NgTech LTD
Hey Moti, It is a good assumption that the same caching dns server (not 8.8.8.8 or 1.1.1.1) that the client uses will return the relevant destination ip for the domain. It's possible to do such a query in the icap service with low timeout(2-3) seconds. can this be good enough for your use case? Eli

Re: [squid-users] Adding headers in ICAP server with no preview

2021-01-18 Thread NgTech LTD
I assume that a null body is based on the logic that the icap client knows the progress and the icap details enough to only modify the headers. it should be tested. I tried to test it but im busy to test it right now. Eliezer On Mon, Jan 18, 2021, 13:46 Moti Berger wrote: > Hi > > If the ICAP s

Re: [squid-users] Originserver load balancing and health checks in Squid reverse proxy mode

2021-02-09 Thread NgTech LTD
Maybe it's apparmor. pinger needs to have a setuid permission as root. it's a pinger and needs root privileges as far as i remember. Eliezer On Tue, Feb 9, 2021, 17:03 Chris wrote: > Hi, > > thank you Amos, this is bringing me into the right direction. > > Now I know what I'll have to debug: the

Re: [squid-users] squid ssl-bump with icap returns 503

2021-03-04 Thread NgTech LTD
Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all? Eliezer On Thu, 4 Mar 2021, 12:36, Niels Hofmans wrote: > Hi guys, > > I’m asking here but since I’m not too comfortable with a mailing list, > it’s also on serverfault

Re: [squid-users] Squid full request logging

2021-03-04 Thread NgTech LTD
Hey Niels, Take a peek at: https://github.com/andybalholm/redwood I am using it in production and it was written because of squid limitations. squid is great but take a peek and see how it works for you. I have 2 servers in ha cluster which works great. An example I wrote to filter youtube traff

Re: [squid-users] [SPAM] Squid stops serving requests after squid -k reconfigure

2021-03-30 Thread NgTech LTD
Hey Acid, First you should try 4.x latest. a reload of 50 domains every 10 seconds doesn't make sense. I don't understand the config and the setup. for 50 sites you just need a basic script and even one in bash will work for you with grep. I wrote an example in ruby a while ago, I will try to find

Re: [squid-users] Cache Peers and traffic handling

2021-04-14 Thread NgTech LTD
It's not clear what is the factor for a specific cache peer selection. This will affect any advice. Is it only based on username? Eliezer On Wed, 14 Apr 2021, 9:29, koshik moshik < koshikmos...@gmail.com> wrote: > Thank you! Yes, it works fine with 5 peers. So, what would be the best > so

Re: [squid-users] Problems with whatsapp

2021-05-30 Thread NgTech LTD
Hey, can you please share your squid.conf (Excluded sensitive details) so we can try to recommend a solution? On Mon, 31 May 2021, 4:03, Alex Irmel Oviedo Solis < alleinerw...@gmail.com> wrote: > Good night, I'm having problems with a transparent squid proxy (with > squidGuard enabled). W

[squid-users] Fwd: Squid domain block feature is at DNS level ?

2021-07-19 Thread NgTech LTD
Hey, Squid can Intercept both http(port 80) and https(port 443) traffic. When Squid does these it can enforce on both dns and url level. Specifically on https there are technical limitations in some cases. Depends on the setup you can try to test it and make sure it does what you would expect. El

[squid-users] Fwd: Getting a squid clients list

2021-08-30 Thread NgTech LTD
Hey Uzee, You can use squidclient from another machine to access this machine. I do not remember how by heart but Amos might know if I am guessing right. Eliezer On Mon, 30 Aug 2021, 14:44, U Zee wrote: > I know and sadly installing it is not possible either. Without > going into the

Re: [squid-users] Squid performance issues

2021-08-31 Thread NgTech LTD
Hey Marcio, You will need to add a systemd service file that extends the current one with more FileDescriptors. I cannot guide now I do hope to be able to write later. If anyone is able to help faster go ahead. Eliezer On Tue, 31 Aug 2021, 18:05, Marcio B. wrote: > Hi, > > I impleme

Re: [squid-users] Multi-clients VPS - Authentication been shared.

2021-11-19 Thread NgTech LTD
I have created an example how to use and match usernames to tcp_outgoing_ports https://github.com/elico/vagrant-squid-outgoing-addresses it's better to use a single port with different user names (if possible). Let me know what do you think about the solution I am offering and if the example is u

Re: [squid-users] squid url_rewrite_program how to return a kind of TCP reset

2022-01-30 Thread NgTech LTD
You can try to use deny_info with a customized error page template or an icap service that will respond with a different page. I think that redirecting to an external website is a good choice. Many commercial products use this technique. If you want the traffic of this website to be bypassed from s

Re: [squid-users] Getting SSL Connection Reset Randomly but rarely

2022-01-30 Thread NgTech LTD
What version of amazon linux are you using? 1 or 2? 2 has support for squid 4.17. There are couple options regarding these resets and not all of them are squid side. Eliezer On Thu, 27 Jan 2022, 5:59, Usama Mehboob < musamamehb...@gmail.com> wrote: > Hi I have squid 3.5 running on amazon

Re: [squid-users] Tune Squid proxy to handle 90k connection

2022-01-30 Thread NgTech LTD
I would recommend you to start with 0 caching. However, for choosing the right solution you must give more details. For example there is an IBM research that proved that for about 90k connections you can use vm's on top of such hardware with apache web server. If you do have the set of the other r

Re: [squid-users] [ext] Re: Absolute upper limit for filedescriptors in squid-6?

2022-02-02 Thread NgTech LTD
Hey Ralph, Did you try to configure the squid proxy systemd service and squid conf with the mentioned max fd? Thanks, Eliezer On Wed, 2 Feb 2022, 16:17, Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > > I hope somebody will change/fix the related ./configure functionality > a

Re: [squid-users] Vulnerabilities with squid 4.15

2022-02-10 Thread NgTech LTD
Hey Robert, First: your question is not silly. The answer will differ based on the complexity of the upgrade process. What OS are you using and also, did you compile squid from sources or installed from a specific package? Also, what is your squid setup purpose? Eliezer On Thu, 10 Feb 2

Re: [squid-users] Dynamic delay pools in squid?

2022-03-16 Thread NgTech LTD
Hey, Have you tried qos on the os/routing level? Eliezer On Wed, 16 Mar 2022, 16:36, Alberto Montes de Oca < snip3...@gmail.com> wrote: > Hi guys, I´d like to implement some bandwidth management using squid delay > pools, but so far I can´t find any solution/example to do it dynamically,

Re: [squid-users] Is Squid 5.5 considered stable?

2022-04-25 Thread NgTech LTD
Hey, I have been using 5.5 in production since it's out but yet to find a specific issue with it. My setup is small so I cannot say too much. If some admins can share their cache manager with the project we can try to identify specific abnormal memory leaks. I have been working on a script that wil

Re: [squid-users] how to put the destination ip to an external acl helper ?

2022-07-19 Thread NgTech LTD
But which one of them? On Wed, 20 Jul 2022, 0:59, Amos Jeffries wrote: > On 20/07/22 00:05, Dieter Bloms wrote: > > Hello, > > > > I wrote a little external acl helper and want squid to put the > > destination fqdn _and_ the destination ip to it. > > > > I found the parameter %DST and th

Re: [squid-users] logfileHandleWrite: daemon:/var/log/squid/access.log: error writing ((32) Broken pipe)

2022-09-07 Thread NgTech LTD
Good one, Alex. For this specific use case you need a special rotate script which will know the confs file and will loop over them. Later on I will try to see if I have one of these on my servers. Basically you will need an array of config files and loop on them. The pid shouldn't be relevant for

[squid-users] maintenance period for ngtech www services

2023-05-23 Thread NgTech LTD
Hey List, I have started working on couple things in my web services. The services will be reachable only locally (IL) and later on this week will be available again for the rest of the world. Sorry for the inconvenience (it's a surprise for me too). If you need something just email me. Eliezer _

Re: [squid-users] Squid: blocking all requests to plain ip addresses

2023-11-06 Thread NgTech LTD
Do you need to block access to all plain ip addresses or specific ones? What if you will want to allow specific ones but deny all the others? Eliezer On Mon, 6 Nov 2023, 12:45, Christian Metzger wrote: > Hello, > is the above feature available, if yes how to configure it? > This feature

Re: [squid-users] squid hangs and dies and can not be killed - needs system reboot

2023-12-18 Thread NgTech LTD
Hey Amish, I want to replicate this issue on a local vm. Can you give us some details on the version of arch and the relevant settings for recreating the issue? How did you install arch and also squid? Thanks, Eliezer On Mon, 18 Dec 2023, 16:36, Amish wrote: > Hello, > > I use Arch L

Re: [squid-users] SMP + Ssl-Bump squid-tls_session_cache.shm

2020-05-23 Thread NgTech LTD
can you send the output of: squid -v Eliezer On Sun, May 24, 2020, 06:31 Joshua Bazgrim wrote: > Squid 4.9 > Ubuntu 18.04.03 > > I'm trying to implement ssl-bumping into the frontend of a squid smp > setup, but I keep getting the following error: > FATAL: Ipc::Mem::Segment::open failed to > shm

Re: [squid-users] reflecting on Squid Project Status with regard to "Joshua 55" vulnerabilities

2024-10-31 Thread NgTech LTD
Hey Jonathan, I cannot speak for the whole squid community, however if someone in the pfsense community doesn't want to maintain and or use squid it's his own choice. If there is an issue it can be researched and there so much information about this specific "issue" that it's weird nobody bothered

Re: [squid-users] [External Sender] Re: Squid service not restarting properly

2024-09-25 Thread NgTech LTD
Hey Vivek, I am maintaining the CentOS and other RPM based distribution RPM's. The page you are looking for is: Squid on CentOS | Squid Web Cache wiki (squid-cache.org) if you need a rpm specifically For RHEL I will need to spin my VM for that l

Re: [squid-users] Upcoming changes on the methods used to distribute Squid

2025-01-06 Thread NgTech LTD
ool (https://cli.github.com/) . Its 'release' subcommand is very > powerful. See https://cli.github.com/manual/gh_release > > On Mon, Jan 6, 2025 at 3:07 PM NgTech LTD wrote: > >> Hey Francesco, >> >> Thank you for the big effort. >> I had the next git worki

Re: [squid-users] Upcoming changes on the methods used to distribute Squid

2025-01-06 Thread NgTech LTD
Hey Francesco, Thank you for the big effort. I had the next git working for the past 2 years now: https://github.com/elico/squid-latest I have been using it to release my binary builds. I hope that the new releases github format will help to automate squid builds in the long run. Will it be ready

Re: [squid-users] 2FA with Google Authenticator and squid login

2025-02-02 Thread NgTech LTD
7:10, Amos Jeffries wrote: > On 3/02/25 00:43, NgTech LTD wrote: > > What would make a 2fa in squid case? > > > > > When receiving a new login attempt the authentication (auth_param) > helper should initiate whatever side-channel token delivery is needed. >

Re: [squid-users] Can SQUID change the destination address from ip to hostname?

2025-02-05 Thread NgTech LTD
Hey, Unless you have access to the dns resolver resolved domain and ip addresses. With these you can try(not 100%) to find the relevant domain if it's not a multi tenant vps or cdn or waf provider. Eliezer On Wed, 5 Feb 2025, 12:01, Matus UHLAR - fantomas < uh...@fantomas.sk> wrote: > O

Re: [squid-users] 2FA with Google Authenticator and squid login

2025-02-02 Thread NgTech LTD
What would make a 2fa in squid case? Thanks, Eliezer On Sun, 2 Feb 2025, 13:22, Amos Jeffries wrote: > On 2/02/25 07:43, ngtech1ltd wrote: > > Hey, > > > > I was wondering if anyone has implemented any 2FA with squid. > > > > IE a simple forward proxy that implements an external ACL h

Re: [squid-users] windows updates

2025-03-16 Thread NgTech LTD
one responded. > > Doug Tucker > Sr. Director of Networking and Linux Operations > doug.tuc...@navigaglobal.com > ------ > *From:* NgTech LTD > *Sent:* Sunday, March 16, 2025 2:38:35 AM > *To:* Doug Tucker > *Cc:* squid-users@lists.squid-cache.

Re: [squid-users] Kids control and time limit function

2025-03-16 Thread NgTech LTD
; > Squid’s time directive is what you need. > > Sent from my iPhone > > On Mar 16, 2025, at 01:52, NgTech LTD wrote: > >  > I was wondering if there is a ready to use solution with web-ui for kid > time limit. > I am using mikrotik kid-control which is very nice and I w

Re: [squid-users] windows updates

2025-03-16 Thread NgTech LTD
Mar 2025, 16:34, Doug Tucker < doug.tuc...@navigaglobal.com> wrote: > No, no one responded. > > Doug Tucker > Sr. Director of Networking and Linux Operations > doug.tuc...@navigaglobal.com > ---------- > *From:* NgTech LTD > *Sent:* Sunday, March

Re: [squid-users] Kids control and time limit function

2025-03-17 Thread NgTech LTD
7;re looking for? > > On Mar 16, 2025, at 08:41, Jonathan Lee wrote: > > This would block everything during a time frame > > acl block_hours time 00:30-05:00 > ssl_bump terminate all block_hours > http_access deny all block_hours > > Squid’s time directive is what you nee

[squid-users] Kids control and time limit function

2025-03-16 Thread NgTech LTD
I was wondering if there is a ready to use solution with web-ui for kid time limit. I am using mikrotik kid-control which is very nice and I was wondering if anyone have implemented a similar function for squid with an external-acl helper. The src options are by: * username * src ip address * src m

Re: [squid-users] windows updates

2025-03-16 Thread NgTech LTD
Hey, Did you manage to find a solution for your use case? Let me know if you need assistance with this issue. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com On Tue, Mar 4, 2025 at 1:57 AM Doug Tucker wrote: > I have read through everything I can