Re: [squid-users] Question with ACL and UrlRewrite ?

2018-01-16 Thread Yuri
May be, because of FB is some years ago under HTTPS? 17.01.2018 03:17, Aismel wrote: > > Hi, > > > > I need allow all my users navigate through internet but starting at > 14:00pm to 20:00pm to X pages only so before no one can access to that > X pages. > > > > I need redirect when a user ask

Re: [squid-users] squid office 365

2018-01-17 Thread Yuri
Squid no, sysadmins - yes. 17.01.2018 22:20, Mohammed Rahmatellah wrote: > hello guys, squid have problems with office 365 (outlook2016 exactly)??

Re: [squid-users] ACL question ?

2018-01-17 Thread Yuri
#    acl aclname time [day-abbrevs] [h1:m1-h2:m2] #      # [fast] #      #  day-abbrevs: #      #    S - Sunday #      #    M - Monday #      #    T - Tuesday #      #    W - Wednesday #      #    H - Thursday #      #    F - Friday #      #    A - Saturday #      #  h1:m1 must be less than h2:m2 #

Re: [squid-users] log problem

2018-01-24 Thread Yuri
Everything is a little worse. If you need a password to access the cachemanager - it will shown in the logs. I believe that this is a bug and a hole in security. Preventing by ACL can be workaround, but hardly this is feature. 24.01.2018 20:44,

Re: [squid-users] log problem

2018-01-24 Thread Yuri
Then access to cachemgr from any tool like sqstat - with password (basic auth) - and see what will in access.log. Congrats, you just show your proxy manager password to all stats tool and anybody who watch your statistics reports. 25.01.2018 07:25, Yuri wrote: > > Everything is a little worse. If

Re: [squid-users] log problem

2018-01-24 Thread Yuri
Amos, this is good news. Is this clear documented anywhere to write good article in wiki about it? 25.01.2018 07:55, Amos Jeffries wrote: > On 25/01/18 14:25, Yuri wrote: >> Everything is a little worse. If you need a password to access the >> cachemanager - it will shown in the

Re: [squid-users] a host can not access web browsing

2018-01-26 Thread Yuri
(somebody's have too much unlimited personal time :-)) 27.01.2018 03:06, Antony Stone wrote: > On Friday 26 January 2018 at 21:54:48, Bladimir Almeida wrote: > >> Hi, I'm a network administrator of my company, > I wonder how you react to emails from your users which contain so little > specific

Re: [squid-users] TCP out of memory

2018-01-27 Thread Yuri
He's just disabled icap-based service without disabling icap itself. So - yes - this is as expected. Vieri, bypass=1 is different thing. This permit squid to bypass adaptation in case of overloading icap service. And irrelevant thing you done. 27

Re: [squid-users] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Yuri
Mobile devices, depending "OS", often uses CAs different. From system store, from browser's store (I mean FF), and something apps will __never use user's CA__. This is (IMHO useless) security theatre in mobile devices manufacturers. 06.02.2018 19:30, Roberto Carna wrote: > People, I've setup a

Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread Yuri
This irrelevant to host_verify_strict. This is effect of server side CDN IP changes. Squid treats it as security alert. 08.02.2018 00:03, steveno wrote: > I was using squid 3.5.20 I encountered an issue running out of File > Descriptors on Centos7, the scenario was that sockets would be abandoned

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
One stupid idiotic question. Did you build your squid with transparent NAT support? This is mandatory prerequisite for transparent squid. I'm not seen your configuration options for squid. Not squid.conf. Just ./configure options. 08.02.2018 03:11, setuid wrote: > I'll start with the pointedly

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
If you configured squid with '--enable-ipfw-transparent' you should use manual for ipfw configuration. Did you used ipfw NAT configuration on same box with squid? 08.02.2018 05:14, setuid wrote: > On 2/7/18 4:31 PM, Yuri wrote: >> I'm not seen your configuratio

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Squid is relatively difficult to run with transparent mode on virtual platforms due to NAT limitations on virtual platforms (this is not squid's issue, this is issue if virtual platforms). I'm using squid only in transparent mode (only in transparent mode) several years on Solaris (bare metal) wit

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Where ipfw runs? In virtual machine, or on hypervisor? 08.02.2018 05:44, setuid wrote: > On 2/7/18 6:36 PM, Yuri wrote: >> Did you used ipfw NAT configuration on same box with squid? > Yes, my ipfw configuration is: > > $cmd 00700 deny ip from any to any dst-port 3128 via em

Re: [squid-users] Certificate Authority with SSLBump

2018-02-08 Thread Yuri
1. Using mozilla CA bundle instead of system (if exists) for squid. 2. Update mozilla CA bundle by script by cron on regular basis. 3. Have own manually maintained custom add_certs.pem list which combines with step 2 during updates. Thats all, folks. 08.02.2018 23:33, FredB wrote: > Hi All, >

Re: [squid-users] Macros

2018-02-08 Thread Yuri
This is OpenSource :) There is no documentation :) (As they say - read the code to get documentation ;)) 09.02.2018 01:26, Alfredo Daniel Rezinovsky wrote: > I know there is a macro ${service_name} > > I like to know if there are other or there's a way to parse > environment variables in squid.co

Re: [squid-users] Macros

2018-02-08 Thread Yuri
lenge accepted. > > > On 08/02/18 16:28, Yuri wrote: >> This is OpenSource :) There is no documentation :) (As they say - read >> the code to get documentation ;)) >> >> >> 09.02.2018 01:26, Alfredo Daniel Rezinovsky wrote: >>> I know there is a macr

Re: [squid-users] Facebook Messenger (Not Internet Connection->Connecting)

2018-02-09 Thread Yuri
Works like charm on 3.5.27. 09.02.2018 23:54, Hery Martin wrote: > Hello guys! > > I'm having this weird issue since 2 month ago. Don't know why when > somebody try to use Facebook Messenger (https://www.messenger.com) > after login, you can see all your contacts and messages, but > immediately

Re: [squid-users] Facebook Messenger (Not Internet Connection->Connecting)

2018-02-09 Thread Yuri
Hard to say. Require to troubleshoot deeper. May be, configuration. May be network. May be ISP. 10.02.2018 01:58, Hery Martin wrote: > Hello Yuri > > Right now I compiled 3.5.27, and still have the same issue, so maybe > its something related with my environment??? But...

[squid-users] Squid SSL db on ramdisk

2018-02-09 Thread Yuri
Amos, how do you think - if I'll put SSL db (usually places in /var/lib/ssl_db) on ramdisk, does this give some gain for bump performance? How reasonable to do that? Also, I think, doing that,  I can reduce in memory cache size for security_file_certgen helper. How do you think? -- **

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
10.02.2018 13:30, Amos Jeffries wrote: > On 10/02/18 12:55, Yuri wrote: >> Amos, >> >> how do you think - if I'll put SSL db (usually places in >> /var/lib/ssl_db) on ramdisk, does this give some gain for bump performance? >> > I expect so, but do not use

Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
Opening squid.conf.documented: #  TAG: forwarded_for    on|off|transparent|truncate|delete #    If set to "on", Squid will append your client's IP address #    in the HTTP requests it forwards. By default it looks like: # #        X-Forwarded-For: 192.1.2.3 # #    If set to "off", it will appear a

Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
; "Accept-Encoding": "identity", > "Connection": "close", > "Host": "httpbin.org", > "User-Agent": "Wget/1.16.3 (darwin13.4.0)" > }, > "origin": "", > "url": "ht

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
10.02.2018 22:18, Alex Rousskov wrote: > On 02/10/2018 06:43 AM, Yuri wrote: > >> security_file_certgen uses memory cache to buffer slow >> disk IO for certificates DB. > It does not. Ahhaaa, I just misunderstanding options > > >> If we're put ce

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
10.02.2018 22:36, Alex Rousskov wrote: > On 02/10/2018 09:23 AM, Yuri wrote: > >> I can set -M in according FS size, using for store SSL DB, correct? > Yes, -M limits the sum of sizes of all (serialized) certificates stored > in the helper database. The helper tries to account

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
when parsing -M options value root @ lemanruss /patch/tmp # /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1024 MB ^C How to correctly specify -M with 2 Gb size? 10.02.2018 22:39, Yuri wrote: > > 10.02.2018 22:36, Alex Rousskov wrote: >> On 02/10/2018 09:23 AM, Yur

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
11.02.2018 00:59, Alex Rousskov wrote: > On 02/10/2018 10:03 AM, Yuri wrote: > >> What is correct syntax for -M option? > The correct syntax is, roughly, > > -M [bytes|KB|MB|GB] Exactly with space between integer and units? > > with "bytes" as the default

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
int m; declaration inside static bool parseBytesOptionValue(size_t * bptr, char const * value) ? If I set it long, as by as int d, seems ok. 11.02.2018 01:04, Alex Rousskov wrote: > On 02/10/2018 12:02 PM, Yuri wrote: >> >> 11.02.2018 00:59, Alex Rousskov wrote: >>> On 0

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
Yes, confirmed. When I've replaced int m; and int d; to long m; and long d; - works like charm. 11.02.2018 01:08, Yuri wrote: > int m; declaration inside static bool parseBytesOptionValue(size_t * > bptr, char const * value) ? > > If I set it long, as by as int d, seems ok.

Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
No. This reason is obviously not strong enough. As by as requirement configure firewalls also on servers - whenever they placed. Security in depth - did you hear this term? 11.02.2018 02:26, Peng Yu wrote: >> What is your reason for wanting "no restrictions"? > The proxied servers are behind a fi

Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
Ah. My bad. Correctly Defence in depth: https://en.wikipedia.org/wiki/Defense_in_depth_(computing) 11.02.2018 02:29, Yuri wrote: > No. This reason is obviously not strong enough. As by as requirement > configure firewalls also on servers - whenever they placed. Security in > depth

Re: [squid-users] Squid SSL db on ramdisk

2018-02-12 Thread Yuri
e problem is gone and replaced with numerous others, like sick > relatives? > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On > Behalf Of Yuri > Sent: Saturday, February 10, 2018 10:57 PM > To: Alex Rousskov ; > squid-user

Re: [squid-users] All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

2018-02-16 Thread Yuri
#  TAG: sslcrtd_children #    The maximum number of processes spawn to service ssl server. #    The maximum this may be safely set to is 32. #    #    The startup= and idle= options allow some measure of skew in your #    tuning. #    #        startup=N #    #    Sets the minimum number of processe

Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri
17.02.2018 21:44, ninadmnaik wrote: > Hello, > We need to communicate with a xmpp server over TLS connections. Now, we know > that our app can open a TLS connection to Squid. But can Squid initiate a > TLS connection to the xmpp server? Only if it goes over HTTP/HTTPS port. With some difficulties

Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri
IM, which is uses HTTP-similar sessions bootstrap, requires special investigation and custom configuration in case of goes via forwarding proxy. 17.02.2018 22:58, ninadmnaik wrote: > Thanks for the quick reply Yuri. > > "Note that these are not 'https' requests. Just

Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri
May be, assumed to forwarding to parent proxy(-es)? 17.02.2018 23:22, Matus UHLAR - fantomas wrote: >>> client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat >>> forever. > > On 17.02.18 10:45, Peng Yu wrote: >> Is there a way to configure squid so that anything goes to 3128 will >>

Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri
18.02.2018 01:13, Matus UHLAR - fantomas wrote: > On 18.02.18 00:05, Yuri wrote: >> May be, assumed to forwarding to parent proxy(-es)? > > according to original post, it's different port configured on the same > squid > instance. Ewww. it seems like looping.

Re: [squid-users] Where squid deamon is stored?

2018-02-18 Thread Yuri
man find, no? :-) 18.02.2018 23:38, Peng Yu wrote: > I don't find squid3 in /etc/init.d. Does anybody know where the daemon > script is stored? > -- * * C++20 : Bug to the future * *

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri
Check LDAP port availability on LDAP server. On firewall it should be open. If your LDAP is Windows server, AFAIK, it has closed firewall by default. I.e. all incoming connections are blocked. 20.02.2018 19:35, erdosain9 wrote: > Hi. Im having this problem. Im running squid on a Centos 7 contain

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri
Of course, you, as sysadmin, should knows basics of troubleshooting, isn't it? If port is open, try to connect with it from proxy box via ldap client. If it will successfully, next step is turn on squid's debug and investigate detailed logs. 20.02.2018 20:00, erdosain9 wrote: > Hi. > The port is

Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri
20.02.2018 22:15, erdosain9 wrote: > sorry, yuri, yes is working. > i can connect via ldap and also turn on debug for investigate, and is no > error know... > but time to time, this error is happening... so... is strange. No. Check your network first in this case (generally speaki

Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
We're never use SMP. Just regular SMP-unaware configuration. 21.02.2018 05:28, Alex Rousskov wrote: > On 02/20/2018 04:22 PM, joseph wrote: >> using squid-5.0.0-20180218-r3b65960 release kill my cache dir some how >> swap.state is empty and the size of the cached dir has 30 geg >> if i run for c

Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
# - # Store parameters # - minimum_object_size 10 bytes maximum_object_size 4 GB cache_dir aufs /data/cache/d1 48000 64 512 cache_dir aufs /data/cache/d2 48000 64 512 cache_dir aufs /data/cache/d3 48000 64 512 cache_dir aufs /

Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
It's immediately lost swap.state contents after any restart and starts up with empty swap.state. After removal of swap.state with stopped squid, it's correctly re-indexing cache contents and then run normally. 21.02.2018 05:50, Yuri wrote: > # --

Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
Yes, after re-indexing, every next restart cleans up swap.state again and again. 21.02.2018 05:57, Yuri wrote: > It's immediately lost swap.state contents after any restart and starts > up with empty swap.state. > > After removal of swap.state with stopped squid, it's c

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread Yuri
Users complains? 23.02.2018 23:29, erdosain9 wrote: > Hi to all. > I dont know why i have this bad values. My network is woking fine. How i can > do to fix this. I think is a high value. > > HTTP/1.1 200 OK > Server: squid/3.5.27 > Mime-Version: 1.0 > Date: Fri, 23 Feb 2018 17:16:25 GMT > Content

Re: [squid-users] help with the error TCP_MISS_ABORTED/000

2018-02-26 Thread Yuri
1519672183.376  3 192.168.201.10 TCP_MEM_HIT/200 99641 GET http://www.rionegro.gov.ar/download/images/00033494.jpg - HIER_NONE/- image/jpeg Request size = 99,641 No problem on 3.5.27 and 5.0.0. Try to upgrade proxy first. 27.02.2018 00:57, Juan Manuel P wrote: > I am using Squid Cache: Ve

Re: [squid-users] TCP_MISS_ABORTED/000|

2018-02-28 Thread Yuri
Let's look on your server:  # wget -S http://rionegro.gov.ar/download/images/00033636.jpg --2018-03-01 02:37:38--  http://rionegro.gov.ar/download/images/00033636.jpg Connecting to 127.0.0.1:3128... connected. Proxy request sent, awaiting response...   HTTP/1.1 200 OK   Date: Wed, 28 Feb 2018 19:3

Re: [squid-users] TCP_MISS_ABORTED/000|

2018-02-28 Thread Yuri
Seems so. May be, ever ISP. Misconfigured MPLS can lead this errors. 01.03.2018 02:55, Juan Manuel P wrote: > Hello Yuri today on access.log a get a lot of TCP_MISS_ABORTED/000 on > many different sites: > > 28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 || > TCP_MISS_AB

Re: [squid-users] TCP_MISS_ABORTED/000|

2018-02-28 Thread Yuri
igrating from a old proxy server kerio-win-route on windows to > a squid proxy server. > The old proxy server no have problems. > > regards. > > > > 2018-02-28 17:56 GMT-03:00 Yuri <mailto:yvoi...@gmail.com>>: > > Seems so. May be, ever ISP. Misconfigured

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri
Alex would like to say, splice, when implemented, more easy to maintenance than iptables/firewall rules. It's trivial to implement. Here is my config snippet: # SSL bump rules acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump" ssl_

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri
Also, feel free to read our config examples here: https://wiki.squid-cache.org/ConfigExamples 12.03.2018 00:39, Nicolas Kovacs wrote: > On 11/03/2018 at 16:48, Alex Crow wrote: >> It would be a lot easier to just create exceptions on the squid device >> for sites where bumping doesn't work wh

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri
You're welcome ;) This config works several years on my servers :) 12.03.2018 02:17, Nicolas Kovacs wrote: > On 11/03/2018 at 19:44, Yuri wrote: >> It's trivial to implement. Here is my config snippet: >> >> # SSL bump rules >> acl DiscoverSNIHost at_st

Re: [squid-users] Distribute root certificate to clients

2018-03-12 Thread Yuri
I guess, there is no easy solution for this job. The more difficult tasks is also mobile clients. In my case, I use just a bit simple JS-trick solution found on serverfault once upon a time. It is point-and-click based, but not works for each and every browser. Just for Chrome-based/Firefox and

Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
3.4.8 is too ancient to correctly work with SSL. At least upgrade to 3.5.27 first. 12.03.2018 20:03, Danilo V wrote: > Hello, I'm having trouble accessing *http://outlook.com* through Squid. > The browser returns: Unable to connect (ERR_TUNNEL_CONNECTION_FAILED). > This problem is intermittent,

Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
But your client do. 12.03.2018 20:19, Danilo V wrote: > 1520862206.757      0 10.32.12.250 TCP_MISS/503 0 CONNECT > www.outlook.com:443 - HIER_NONE/- - -- "C++ seems like a language suitable for firing other people's legs." * * C++20 : B

Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
plice both domains on step 2, they are tunnels and, finally, I've passed to outlook web interface. 12.03.2018 20:21, Yuri wrote: > > But your client do. > > > 12.03.2018 20:19, Danilo V wrote: >> 1520862206.757      0 10.32.12.250 TCP_MISS/503 0 CONNECT >> www.o

Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
You are welcome ;) Always consider upgrade first :) 13.03.2018 01:08, Danilo V wrote: > I've tested on 3.5.23 and everything is ok. The issue is in the squid > version. > Thank you Yuri! > > Best, > Danilo > > Thanks. I will test on  > Em seg, 12 de mar de 2

Re: [squid-users] TCP_MISS_ABORTED/000|

2018-03-12 Thread Yuri
balance router tplinkand the problem disappear , later I > will investigate the balance router to found a final solution, and > tell us. > > regards > > 2018-02-28 18:01 GMT-03:00 Yuri <mailto:yvoi...@gmail.com>>: > > Windows often spit on RFC due to do not dist

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
Moreover, SSL Bump combines with interception/explicit proxy in one setup. And works perfectly. 13.03.2018 21:14, Marcus Kool wrote: > "SSL bump" is the name of a complex Squid feature. > With ssl_bump ACLs one can decide which domains can be 'spliced' (go > through the proxy untouched) or can

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
require to have enough memory in your system. 13.03.2018 22:25, Aaron Turner wrote: > What version are you using Yuri? Can you share your config? > Everytime I use ssl bump, I have massive memory leaks. It's been > effectively unusable for me. > -- > Aaron Turner >

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
ter: @synfinatic > My father once told me that respect for the truth comes close to being > the basis for all morality. "Something cannot emerge from nothing," > he said. This is profound thinking if you understand how unstable > "the truth" can be. -- Frank Herbert, Dun

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
Finally, just take a look: This is SSL Bump-aware setup. Seems no memory leaks, yes? Normal memory distribution. Let's see on overall OS memory: No leaks. 13.03.2018 23:44, Yuri wrote: > > AFAIK, > > SSL bump subsystem uses OpenSSL memory routines. So, first of all, > mos

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
As practical experience shows, it is counterproductive to swear. :) Especially when you need to solve the problem;) It's just that sometimes a bad character wins :) 14.03.2018 03:30, Alex Rousskov wrote: > Yuri, > > The quality of many of your recent mailing list posts was

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Yuri
14.03.2018 19:06, Amos Jeffries wrote: > On 15/03/18 01:43, Nicolas Kovacs wrote: >> On 14/03/2018 at 13:39, Nicolas Kovacs wrote: >>> Yes, I do. Because this is part of a step-by-step course about >>> SquidGuard, which worked perfectly under Slackware Linux. And my >>> filtering rules are becom

Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Yuri
14.03.2018 19:55, Nicolas Kovacs wrote: > On 14/03/2018 at 14:46, Marcus Kool wrote: >> ufdbGuard is the tool that you need. >> It is an old fork of ufdbGuard with many new features, very good >> performance and it has regular maintenance. >> If you have a question, you can ask the support desk

Re: [squid-users] SSL intercept in explicit mode

2018-03-14 Thread Yuri
I guess, your using wrong approach. You trying to find ready-to-use solution for /custom/ configuration. At maximum, you can find some bricks for this. And anyway you should build your custom solution yourself. Bricks is here: https://wiki.squid-cache.org :-) 14.03.2018 20:28, Danilo V wrote: >

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Yuri
I guess better way to do this is create special ACL to catch exactly certificate error and then redirect by 302 using deny_info to proxy page with explanation and certificate. Sadly, however I have no full solution for this logic (we're simple install proxy certificate manually), but idea exists ;

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Yuri
    to an IP address or an intercepted SSL connection), Squid cannot detect #    the domain mismatch at certificate generation time when #    bump-server-first is used. #Default: # none 16.03.2018 19:09, Nicolas Kovacs wrote: > On 16/03/2018 at 13:43, Yuri wrote: >> I guess better

Re: [squid-users] Intercepting proxy creates forwading loop

2018-03-16 Thread Yuri
http://www.squid-cache.org/mail-archive/squid-users/201105/0264.html http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-5-1-intercept-Forwarding-loop-detected-for-td4669756.html https://www.google.com/search?q=Squid+forwarding-loop This can helps? 16.03.2018 23:57, Patrick Nick wrote:

Re: [squid-users] http get request with body

2018-03-18 Thread Yuri
Hm, George. In what direction your request trespasses Squid? Because of by default: #  TAG: request_body_max_size    (bytes) #    This specifies the maximum size for an HTTP request body. #    In other words, the maximum size of a PUT/POST request. #    A user who attempts to send a request

Re: [squid-users] http get request with body

2018-03-18 Thread Yuri
What else goes into head. Hmmm.. May be timeout during long body downloading/uploading session. Anyway, require additional info to make advice. 19.03.2018 05:36, Yuri wrote: > > Hm, George. > > In what direction your request trespasses Squid? > > Bec

Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri
20.03.2018 21:30, FredB wrote: > Hi all, > > I'm testing SSLBump and Squid eats up all my CPU, maybe I made something > wrong or maybe some updates are required ? Any advice would be greatly > appreciated. > > Debian 8.10 64 bits, Squid 3.5.27 + 64 Go ram + SSD + 15 Cores Xeon(R) CPU > E5-2637

Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri
20.03.2018 23:03, FredB wrote: > Hi Yuri, > > 200 mbits, more or less 1000/2000 simultaneous users > > I increase children value, because the limit is reached very quickly Because of SSL processing too slow. Investigate, why. Simple increasing number of children exhausting you

Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri
20.03.2018 23:10, Yuri wrote: > > 20.03.2018 23:03, FredB wrote: >> Hi Yuri, >> >> 200 mbits, more or less 1000/2000 simultaneous users >> >> I increase children value, because the limit is reached very quickly > Because of SSL processing too slow. Inves

Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri
Forgot about: My server is relatively modest (more resources just do not need :)) Just 8 cores (Xeon 2.3 GHz), 16 Gb RAM, SAS HDD's 10k RPM (~300 Gb in RAID-10)  :) Overall CPU usage is ~3% (with SSL Bump). And half of RAM is free :) 20.03.2018 23:14, Yuri wrote: > > 20.03.2018

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
21.03.2018 14:55, FredB wrote: >>> Perhaps I should retry SMP but unfortunately in the past I had many >>> issues with, and some features I'm using still SMP-unaware >> Squid's SMP itself does not solves SSL Bump issues. It's about >> different >> things, and, IMHO, irrelevant your load profile.

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
21.03.2018 14:55, FredB wrote: >>> Perhaps I should retry SMP but unfortunately in the past I had many >>> issues with, and some features I'm using still SMP-unaware >> Squid's SMP itself does not solves SSL Bump issues. It's about >> different >> things, and, IMHO, irrelevant your load profile.

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
AM is. It's important how you use it. Scaling is also done differently. 21.03.2018 19:08, Yuri wrote: > > > > 21.03.2018 14:55, FredB wrote: >>>> Perhaps I should retry SMP but unfortunately in the past I had many >>>> issues with, and some features I

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
Aha, this is better. So, next step should be detailed performance statistics to identify bottleneck. As I've said - check wait events first. 21.03.2018 19:23, FredB wrote: > Sorry, it was just a wrong cut/paste cache_size=50MB the previous result > still the same > About children I tried with

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
Use OS performance tools. Require to identify bottleneck. Pay attention on wait events. 21.03.2018 20:05, FredB wrote: > I agree, to be honest I started with low values updated again and again, I > should have post my previous tests rather than the latest :) > > > _

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
22.03.2018 23:10, Keith Hartley wrote: > > I am using squid 3.5 for windows as a transparent proxy to provide > internet access to 7 servers in a secure environment that otherwise > does not have internet access. I have two squids running behind a load > balancer, each one is running server 2016

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
And also: your configuration is not transparent proxy. a) Squid 3.5 for windows does not built as transparent proxy (i.e. with NAT support). b) You do not have keyword *intercept* in your configuration. This is simple forwarding proxy. 23.03.2018 04:38, Yuri wrote: > > > > 22.0

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
r II/ > > khart...@geocent.com <mailto:khart...@geocent.com> > > www.geocent.com <http://www.geocent.com> > >   > > *From:*squid-users [mailto:squid-users-boun...@lists.squid-cache.org] > *On Behalf Of *Yuri > *Sent:* Thursday, March 22, 2018 5:39 PM > *To:

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
checking, advanced caching, content compression - am I right yet? So, firewall is enough. 23.03.2018 05:11, Yuri wrote: > > > > 23.03.2018 05:08, Keith Hartley wrote: >> >> I don’t need it to cache anything – the goal of it is not performance >> optimization, it is to pr

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
And, if you still insist that you need a proxy, consider Privoxy. Lightweight primitive HTTP proxy with basic access control, has Windows implementation, works as service. It will be good enough. https://www.privoxy.org/ 23.03.2018 05:27, Yuri wrote: > > Your task is simple - you need a

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-23 Thread Yuri
23.03.2018 21:25, Keith Hartley wrote: > I had not thought to test that. I will do that today. > > In regards to Yuri's comments on firewall vs squid - I don’t agree that a > firewall would be a direct replacement in this case. > > The 30-40 URIs I need to access resolve to a potential pool of s

Re: [squid-users] delay-pool based on authentication

2018-03-24 Thread Yuri
https://wiki.squid-cache.org/Features/DelayPools 24.03.2018 21:15, vv...@gmx.net wrote: > Dear Comunity, > > I have the following question: > Is it possible with squid to select delay pool depending on whether > the user is authenticated or not? > > Background: > I want to set up a slow delay poo

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
Hey Eliezer, PC browsers non-required automated installers for CA. In it all simple do by JS directly from page. Can you do automated installer for mobile clients? iPhones, Android? For both - mobile browsers and apps as well? The problem is not install proxy CA. The problem is identify client h

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
25.03.2018 17:46, Nicolas Kovacs wrote: > On 25/03/2018 at 13:08, Yuri wrote: >> The problem is not install proxy CA. The problem is identify client >> has no proxy CA and redirect, and do it only one time. > That is exactly the problem. And I have yet to find a solution for

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
25.03.2018 18:42, Matus UHLAR - fantomas wrote: >> On 25/03/2018 at 13:08, Yuri wrote: >>> The problem is not install proxy CA. The problem is identify client >>> has no proxy CA and redirect, and do it only one time. > > On 25.03.18 13:46, Nicolas Kovacs wrote:

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
25.03.2018 20:32, Matus UHLAR - fantomas wrote: >>>> On 25/03/2018 at 13:08, Yuri wrote: >>>>> The problem is not install proxy CA. The problem is identify client >>>>> has no proxy CA and redirect, and do it only one time. >>> >>> O

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
users. But I provide it somewhat differently, carefully protecting the proxy itself, its infrastructure and its cache. 25.03.2018 21:41, Yuri wrote: > > > > 25.03.2018 20:32, Matus UHLAR - fantomas wrote: >>>>> On 25/03/2018 at 13:08, Yuri wrote: >>>>>

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
Therefore, please, PLEASE, never mention SSL Bump and security/privacy in one letter. O:-) These are mutually exclusive concepts. Just like HTTPS and security. 25.03.2018 22:00, Yuri wrote: > > In principle, I do not consider as secure the technology that allows > MiTM (even in theory)

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
26.03.2018 02:45, Amos Jeffries wrote: > On 26/03/18 04:41, Yuri wrote: >> >> 25.03.2018 20:32, Matus UHLAR - fantomas wrote: >>>>>> On 25/03/2018 at 13:08, Yuri wrote: >>>>>>> The problem is not install proxy CA. The problem is identify

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
26.03.2018 03:02, Amos Jeffries wrote: > On 26/03/18 09:49, Yuri wrote: >> >> 26.03.2018 02:45, Amos Jeffries wrote: >>> On 26/03/18 04:41, Yuri wrote: >>>> 25.03.2018 20:32, Matus UHLAR - fantomas wrote: >>>>>>>> Le 25/03/2018 à 13:0

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
26.03.2018 03:55, Amos Jeffries wrote: > On 26/03/18 10:16, Yuri wrote: >> >> 26.03.2018 03:02, Amos Jeffries wrote: >>> On 26/03/18 09:49, Yuri wrote: >>>> 26.03.2018 02:45, Amos Jeffries wrote: >>>>> On 26/03/18 04:41, Yuri wrote:

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
And yes, HTTPS is insecure by design and all our actions does not it less insecure :-D 26.03.2018 04:03, Yuri wrote: > > 26.03.2018 03:55, Amos Jeffries wrote: >> On 26/03/18 10:16, Yuri wrote: >>> 26.03.2018 03:02, Amos Jeffries wrote: >>>> On 26/03/18 09:49, Y

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
're can, in this case, just use deny_info to redirect client to proxy page. ;-) 26.03.2018 04:05, Yuri wrote: > And yes, HTTPS is insecure by design and all our actions does not it > less insecure :-D > > > 26.03.2018 04:03, Yuri wrote: >> 26.03.2018 03:55, Amos Jeffries пи

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
SUES error - it is external or internal issue. 26.03.2018 04:11, Yuri wrote: > > By the way, Amos. I have an idea spinning around. Is it possible to > specify the SSL error of the unknown certificate issuer for the > correct processing of the situation when the client does not have a
