Here is my squid.conf and followed by cache.log.

http_port 8000 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/ssl_cert/myCA.pem
auth_param basic program /cygdrive/c/Squid/lib/squid/basic_ldap_auth.exe -v 3 -P -R -b "DC=CONDUIRA,DC=LOCAL" -D "CN=administrator,CN=Users,DC=CONDUIRA,DC=LOCAL" -w anar_2017 -f sAMAccountName=%s -h 192.168.100.1
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl localnet src 192.168.100.0/24 fc00::/7 fe80::/10
acl SSL_ports port 443
acl Safe_ports port 21 70 80 210 280 443 488 591 777 1025-65535
acl CONNECT method CONNECT
acl CONNECT method CONNECT
cache_dir ufs c:/squid/var/cache/squid/cache 100 16 256
access_log stdio:/cygdrive/c/Squid/var/log/squid/access.log squid
coredump_dir /cygdrive/c/Squid/var/cache/squid
pid_filename /cygdrive/c/Squid/var/run/squid/run/squid/squidsrv.pid
acl denyext url_regex -i \.exe$ \.mp3$ \.mpeg$ \.mpg$ \.rar$ \.asx$ \.wma$ \.wmv$ \.avi$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.wmf$ \.mov$
http_access deny denyext all
request_body_max_size 1024 KB
acl fileupload req_mime_type -i ^multipart/form-data$
http_access deny fileupload
## Full Access Users
acl active_directory_authenticated proxy_auth REQUIRED
acl user_previleged proxy_auth raju.masina
http_access allow active_directory_authenticated user_previleged
## Allowed Domains for ALL_Users
acl domains_all dstdomain "c:/Squid/etc/allowed_domains.txt"
http_access allow active_directory_authenticated domains_all
refresh_pattern -i .*\.(m4f|mp4|txt) 5259487 99% 5259487 override-expire ignore-reload reload-into-ims ignore-no-cache ignore-private refresh-ims
acl storeid-helper url_regex -i ^https?:\/\/.*\.s3-ap-southeast-1\.amazonaws\.com(.*\.(m4f|mp4))
store_id_access deny all
acl loop_302 http_status 302
acl getmethod method GET
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny localhost manager
http_access deny manager
http_access deny all
always_direct allow all
#ssl_bump splice bypast
#ssl_bump peek bypast
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s /cygdrive/c/squid/var/run/squid/run/squid/ssl_db/certs -M 4MB
sslcrtd_children 8 startup=1 idle=1
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 8 MB
minimum_object_size 0 KB
maximum_object_size 1 GB
maximum_object_size_in_memory 512 KB
cache_swap_low 90
cache_swap_high 95
store_id_access deny !getmethod
store_id_access allow storeid-helper
dns_nameservers 192.168.100.1
hosts_file /cygdrive/c/windows/system32/drivers/etc/hosts

CACHE.LOG

2016/11/04 17:26:39 kid1| Adding nameserver 192.168.100.1 from squid.conf
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:26:39 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:39 kid1| helperOpenServers: No 'basic_ldap_auth.exe' processes needed.
2016/11/04 17:26:39 kid1| HTCP Disabled.
2016/11/04 17:26:39 kid1| Finished loading MIME types and icons.
2016/11/04 17:26:39 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:8000 remote=[::] FD 13 flags=9
2016/11/04 17:26:44 kid1| Starting new basicauthenticator helpers...
2016/11/04 17:26:44 kid1| helperOpenServers: Starting 1/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:44 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:39 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'

Regards.

On Fri, Nov 4, 2016 at 8:13 PM, <squid-users-requ...@lists.squid-cache.org> wrote:
> Today's Topics:
>
>    1. Re: squid warning (Yuri)
>    2. Re: squid warning (Matus UHLAR - fantomas)
>    3. Squid doesn't use domain name as a request URL in access.log
>       when splice at step 3 occurs (Garri Djavadyan)
>    4. Squid doesn't use domain name as a request URL in access.log
>       when splice at step 3 occurs (Garri Djavadyan)
>    5. Re: squid warning (Yuri Voinov)
>    6. Re: Squid doesn't use domain name as a request URL in
>       access.log when splice at step 3 occurs (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Nov 2016 18:23:05 +0600
> From: Yuri <yvoi...@gmail.com>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <5e2eaab8-71fb-1908-f93a-acea6e451...@gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> This warning is irrelevant to your google issue.
>
> Show your config.
>
>
> On 04.11.2016 10:34, Raju M K wrote:
> > Hi,
> > I installed squid v3.5.22 on windows and enabled with ssl_bump.
> > Now my issue is.
> > Web page is opening very slowly. For ex. www.google.com
> > <http://www.google.com/> it's taking more than 30 seconds.
> > In cache log showing below warning
> > 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd'
> > processes
> > 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
> > argument
> >
> > Please help me..
> > --
> > Regards,
> > M K Raju.
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Nov 2016 13:39:20 +0100
> From: Matus UHLAR - fantomas <uh...@fantomas.sk>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <20161104123920.ga5...@fantomas.sk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 04.11.16 18:23, Yuri wrote:
> >This warning is irrelevant to your google issue.
>
> are you sure that creating fake google certificate is not the reason of
> delay?
> >
> >On 04.11.2016 10:34, Raju M K wrote:
> >>I installed squid v3.5.22 on windows and enabled with ssl_bump.
> >>Now my issue is.
> >>Web page is opening very slowly. For ex. www.google.com
> >><http://www.google.com/> it's taking more than 30 seconds.
> >>In cache log showing below warning
> >>2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8
> >>'ssl_crtd' processes
> >>2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> M$ Win's are shit, do not use it !
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 04 Nov 2016 17:43:33 +0500
> From: Garri Djavadyan <gar...@comnet.uz>
> To: squid-us...@squid-cache.org
> Subject: [squid-users] Squid doesn't use domain name as a request URL
>         in access.log when splice at step 3 occurs
> Message-ID: <1478263413.30442.5.ca...@comnet.uz>
> Content-Type: text/plain; charset="UTF-8"
>
> I noticed that Squid doesn't use gathered domain name information for
> %ru in access.log when splice action is performed at step 3 for
> intercepted traffic. The format code ssl::>sni is available at both
> steps. Below are examples used to verify the behavior using Squid
> 3.5.22, but the results are same for Squid 4.0.16.
>
> The request used on client:
>
> $ curl https://www.openssl.org/ > /dev/null
>
>
> The configuration for splice at step 2:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump2
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
>
> 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT
> 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT
> www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> -----
> The configuration for splice at step 3:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
> 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> Is it a bug or intended behavior? Thanks.
>
> Garri
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 04 Nov 2016 19:06:22 +0500
> From: Garri Djavadyan <gar...@comnet.uz>
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid doesn't use domain name as a request URL
>         in access.log when splice at step 3 occurs
> Message-ID: <1478268382.30442.11.ca...@comnet.uz>
> Content-Type: text/plain; charset="UTF-8"
>
> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
> > I noticed that Squid doesn't use gathered domain name information for
> > %ru in access.log when splice action is performed at step 3 for
> > intercepted traffic. The format code ssl::>sni is available at both
> > steps. Below are examples used to verify the behavior using Squid
> > 3.5.22, but the results are same for Squid 4.0.16.
> >
> > The request used on client:
> >
> > $ curl https://www.openssl.org/ > /dev/null
> >
> >
> > The configuration for splice at step 2:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> > > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> > > acl StepSplice at_step SslBump2
> > > ssl_bump splice StepSplice
> > > ssl_bump peek all
> > > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> >
> > 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT
> > 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> > 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT
> > www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > -----
> > The configuration for splice at step 3:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> > > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> > > acl StepSplice at_step SslBump3
> > > ssl_bump splice StepSplice
> > > ssl_bump peek all
> > > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> > 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > Is it a bug or intended behavior? Thanks.
> >
> > Garri
>
> It prevents domain name identification when SNI is not provided by a
> client.
> For example:
>
> Request:
> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> s_client -quiet -no_ign_eof -connect www.openssl.org:443
>
> Config:
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
> Result:
> 1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT
> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 4 Nov 2016 20:07:25 +0600
> From: Yuri Voinov <yvoi...@gmail.com>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <0840e0bf-597d-5493-3562-bb69390c5...@gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On 04.11.2016 18:39, Matus UHLAR - fantomas wrote:
> > On 04.11.16 18:23, Yuri wrote:
> >> This warning is irrelevant to your google issue.
> >
> > are you sure that creating fake google certificate is not the reason of
> > delay?
> I'm talking about this warning: WARNING: no_suid: setuid(0): (22) Invalid
>
> Did you see Diladele Win64 Squid by your own eyes? If yes, you
> understand me.
>
> However, I suggest (only, because I have not seen squid.conf) that the
> real problem is here:
>
> helperOpenServers: Starting 1/8 'ssl_crtd' processes
>
> It seems to be so few ssl_crtd helper processes.
>
> >> On 04.11.2016 10:34, Raju M K wrote:
> >>> I installed squid v3.5.22 on windows and enabled with ssl_bump.
> >>> Now my issue is.
> >>> Web page is opening very slowly. For ex. www.google.com
> <http://www.google.com/> it's taking more than 30 seconds.
> >>> In cache log showing below warning
> >>> 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd'
> processes
> >>> 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
>
> - --
> Cats - delicious. You just do not know how to cook them.
>
> ------------------------------
>
> Message: 6
> Date: Sat, 5 Nov 2016 03:42:45 +1300
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid doesn't use domain name as a request
>         URL in access.log when splice at step 3 occurs
> Message-ID: <5e50526c-5945-8038-d09e-3c7d56ac2...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 5/11/2016 1:43 a.m., Garri Djavadyan wrote:
> > The configuration for splice at step 3:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> >> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> >> acl StepSplice at_step SslBump3
> >> ssl_bump splice StepSplice
> >> ssl_bump peek all
> >> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> > 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > Is it a bug or intended behavior? Thanks.
> >
>
> The person (Christos) who designed that behaviour is not reading this
> mailing list very often.
>
> AFAIK, it depends on what the SubjectAltName field in the certificate
> provided by 104.124.119.14 contains.
>
> Amos
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 27, Issue 9
> ******************************************

--
Regards,
M K Raju.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
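As an added example (not code from this thread or from the Squid project), a small Python checker for cache.log text like the excerpt above: it counts how often Squid restarts each helper, flags a helper restarted several times within one second (a crash loop, as opposed to the normal on-demand spawning that the "Starting 1/8" lines show), and collects lines that a helper wrote straight to stderr, such as the basic_ldap_auth bind failure. The sample log is constructed from the lines quoted in this thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the cache.log excerpt quoted in the thread; not the full log.
SAMPLE_LOG = """\
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:26:39 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:26:44 kid1| Starting new basicauthenticator helpers...
2016/11/04 17:26:44 kid1| helperOpenServers: Starting 1/5 'basic_ldap_auth.exe' processes
2016/11/04 17:55:39 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
"""

# Squid's own cache.log lines carry a timestamp and a "kidN|" prefix; text that a
# helper writes to stderr (like the basic_ldap_auth warning above) has neither.
SQUID_LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| (.*)$")
RESTART = re.compile(r"Starting new (\S+) helpers\.\.\.")
START = re.compile(r"helperOpenServers: Starting (\d+)/(\d+) '([^']+)' processes")

def analyse_cache_log(text, burst_threshold=3):
    """Return restart totals per helper, helpers restarted >= burst_threshold times
    within one second (crash loop), the last started/wanted count per helper pool,
    and raw error lines emitted by helper programs themselves."""
    restarts = Counter()
    per_second = defaultdict(Counter)   # helper -> {timestamp: restarts in that second}
    pool = {}                           # helper program -> (started, configured)
    helper_errors = []
    for raw in text.splitlines():
        m = SQUID_LINE.match(raw)
        if not m:
            if raw.strip():
                helper_errors.append(raw.strip())
            continue
        ts, msg = m.groups()
        r = RESTART.search(msg)
        if r:
            restarts[r.group(1)] += 1
            per_second[r.group(1)][ts] += 1
            continue
        s = START.search(msg)
        if s:
            pool[s.group(3)] = (int(s.group(1)), int(s.group(2)))
    crash_loops = {h: max(c.values()) for h, c in per_second.items()
                   if max(c.values()) >= burst_threshold}
    return {"restarts": dict(restarts), "crash_loops": crash_loops,
            "pool": pool, "helper_errors": helper_errors}
```

On the sample, ssl_crtd is restarted three times in the same second and the only helper-side error is the LDAP bind failure, which is the evidence to chase before tuning helper counts.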