Eliezer Croitoru | 13 Jun 2013 01:18

I was wondering about SSL\socks support from squid side?

I have seen the wiki:
http://wiki.squid-cache.org/Features/Socks

and was wondering about it very much!
I have a situation where I have access to SSL ports only, which are being 
detected by NDPI (Deep Inspection) or a similar mechanism.
I want to access my local network resources such as files and other data 
on a secure channel that is not:
1. SSH port forwarding\tunneling.
2. VPN
3. Layer 2 secure channels.

I first want to ask for the existing working options that you might know of.
The main issue about it is that most of the NATted (super multi-NATted, like 
a government) complex networks don't allow the usage of any tunneling 
protocol that can allow network level routing.
Indeed we can always exploit the TCP stack but for this specific case it's 
better to use a common proxy protocol that just works.

The situation is a school which has a filtering solution and we want to 
"exploit" in order to give them transparent support.
This school has a lot of sensitive data which we don't want the third 
party, which is reliable for filtering but not security, to be aware of.

Thanks,
Eliezer

Tsantilas Christos | 11 Jun 2013 12:16

[PATCH] Deprecate log_icap and log_access configuration directives


The log_icap and log_access are not really needed.
The users have acls control for access and icap logging using the
access_log and icap_log configuration directives.

This patch removes these options from configuration file.

This is a Measurement Factory project

noc | 11 Jun 2013 00:22

Build failed in Jenkins: 3.HEAD-amd64-opensuse #522

See <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/522/>

------------------------------------------
Started by upstream project "3.HEAD-amd64-CentOS-5.3" build number 2464
originally caused by:
 Started by an SCM change
Building remotely on opensuse-x64 in workspace <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/ws/>
$ bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/ws/>
info result: bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/ws/>
returned 0. Command output: "12903 kinkie <at> squid-cache.org-20130609203558-3u1r8742gqjs9tmg
" stderr: ""
[3.HEAD-amd64-opensuse] $ bzr pull --overwrite http://bzr.squid-cache.org/bzr/squid3/trunk/
bzr: ERROR: Connection error: while sending GET /bzr/squid3/trunk: [Errno 110] Connection timed out
ERROR: Failed to pull
Since BZR itself isn't crash safe, we'll clean the workspace so that on the next try we'll do a clean pull...
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/ws/>
bzr: ERROR: Connection error: while sending POST /bzr/squid3/trunk/.bzr/smart: [Errno 110]
Connection timed out
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-amd64-opensuse/ws/>
bzr: ERROR: Connection error: while sending POST /bzr/squid3/trunk/.bzr/smart: [Errno 110]
Connection timed out
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/

noc | 11 Jun 2013 00:24

Build failed in Jenkins: 3.HEAD-amd64-FreeBSD-7.2 #1887

See <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/1887/>

------------------------------------------
Started by upstream project "3.HEAD-amd64-CentOS-5.3" build number 2464
originally caused by:
 Started by an SCM change
Building remotely on east in workspace <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/ws/>
$ bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/ws/>
info result: bzr revision-info -d
<http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/ws/> returned 0. Command output:
"12903 kinkie <at> squid-cache.org-20130609203558-3u1r8742gqjs9tmg
" stderr: ""
[3.HEAD-amd64-FreeBSD-7.2] $ bzr pull --overwrite http://bzr.squid-cache.org/bzr/squid3/trunk/
bzr: ERROR: Connection error: while sending GET /bzr/squid3/trunk: (60, 'Operation timed out')
ERROR: Failed to pull
Since BZR itself isn't crash safe, we'll clean the workspace so that on the next try we'll do a clean pull...
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/ws/>
bzr: ERROR: Connection error: while sending POST /bzr/squid3/trunk/.bzr/smart: (60, 'Operation timed out')
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/ws/>
bzr: ERROR: Connection error: while sending POST /bzr/squid3/trunk/.bzr/smart: (60, 'Operation timed out')
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/

Alex Rousskov | 10 Jun 2013 18:00

Re: /bzr/squid3/trunk/ r12903: Instruct clang not to treat unused command line arguments as errors

On 06/10/2013 03:27 AM, Amos Jeffries wrote:
> On 10/06/2013 8:35 a.m., Francesco Chemolli wrote:
>> ------------------------------------------------------------
>> revno: 12903
>> committer: Francesco Chemolli <kinkie <at> squid-cache.org>
>> branch nick: trunk
>> timestamp: Sun 2013-06-09 22:35:58 +0200
>> message:
>>    Instruct clang not to treat unused command line arguments as errors
>> modified:
>>    acinclude/compiler-flags.m4
> 
> Anyone know why we have the "-Wno-error=parentheses-equality" option in
> the first place?
>  It would seem to me to be one of the warnings highlighting a coding
> guideline violation we need to fix in the sources. Not something to be
> suppressed.

I cannot find the description of that clang warning option, but if it
focuses on extra parentheses in benign ((a == b)) cases, then it is a
very minor problem, not an important violation. And, as Kinkie pointed
out, if it prevents us from writing (bool a = b), it should stay
disabled even if it finds true problems like (a = b). We can rely on GCC
to spot those true problems.

Cheers,

Alex.


Kinkie | 10 Jun 2013 14:59

Re: /bzr/squid3/trunk/ r12903: Instruct clang not to treat unused command line arguments as errors

On Mon, Jun 10, 2013 at 11:27 AM, Amos Jeffries <squid3 <at> treenet.co.nz> wrote:
> On 10/06/2013 8:35 a.m., Francesco Chemolli wrote:
>>
>> ------------------------------------------------------------
>> revno: 12903
>> committer: Francesco Chemolli <kinkie <at> squid-cache.org>
>> branch nick: trunk
>> timestamp: Sun 2013-06-09 22:35:58 +0200
>> message:
>>    Instruct clang not to treat unused command line arguments as errors
>> modified:
>>    acinclude/compiler-flags.m4
>
>
> Anyone know why we have the "-Wno-error=parentheses-equality" option in the
> first place?
>  It would seem to me to be one of the warnings highlighting a coding
> guideline violation we need to fix in the sources. Not something to be
> suppressed.

I do, as I added it:

in case of
if (bool foo = somefunction()) {
}

gcc -Werror barfs unless it's expressed as:
if ((bool foo = somefunction())) {
}


Amos Jeffries | 10 Jun 2013 09:15

SSL-bump wiki entry outdated

Alex, Christos - anybody else with good SSL-bump knowledge

Can somebody please update http://wiki.squid-cache.org/Features/SslBump 
to document the options for bumping in 3.3 and recommend the safest 
possible bumping configuration?
It is currently still stuck on the 3.1 config examples and leading 
people to both warnings in 3.3 and unsafe configurations.

Cheers
Amos

Kinkie | 9 Jun 2013 22:40

Should we integrate libTrie into our build system?

Hi all,
  while attempting to increase portability to recent clang releases, I
noticed that libTrie hasn't benefited from the portability work that
was done in the past few years.

I can see three ways to move forward:
1- replicate these changes into libTrie
2- change libTrie to piggyback squid's configuration variables
3- fully integrate libTrie into squid's build system. Unless Robert
knows otherwise, squid is the only user of this library..

Comments?

--
    /kinkie

noc | 9 Jun 2013 07:53

Build failed in Jenkins: 3.HEAD-amd64-CentOS-5.3 #2461

See <http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/2461/changes>

Changes:

[Alex Rousskov] Fix detection of concurrent ACLChecklist checks, avoiding !accessList asserts.

Concurrent checks are not supported, but it is possible for the same
ACLChecklist to be used for a sequence of checks, alternating fastCheck(void)
and fastCheck(list) calls. We needed a different/dedicated mechanism to detect
check concurrency (added ACLChecklist::occupied_), and we needed to preserve
(and then restore) pre-set accessList during fastCheck(list) checks.

------------------------------------------
[...truncated 58231 lines...]
make[4]: Leaving directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/file_userip'>
Making uninstall in kerberos_ldap_group
make[4]: Entering directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/kerberos_ldap_group'>
make[5]: Entering directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/kerberos_ldap_group'>
 ( cd
'/tmp/am-dc-26578/<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_inst/libexec'>
&& rm -f ext_kerberos_ldap_group_acl )
 ( cd
'/tmp/am-dc-26578/<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_inst/libexec'>
&& rm -f cert_tool )
make[5]: Leaving directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/kerberos_ldap_group'>
make[4]: Leaving directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/kerberos_ldap_group'>
Making uninstall in session
make[4]: Entering directory `<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_build/helpers/external_acl/session'>
 ( cd
'/tmp/am-dc-26578/<http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/ws/btlayer-05-nodeps-esi/squid-3.HEAD-BZR/_inst/libexec'>

Alex Rousskov | 7 Jun 2013 19:02

[PATCH] Fix detection of concurrent ACLChecklist checks, avoiding !accessList asserts

Hello,

    The attached patch prevents asserts when Squid reuses the same
Checklist object for multiple ACL checks. I missed one use case when
adding Checklist reuse controls for trunk r12859 (Boolean ACLs). The bug
can be triggered by a combination of log_access and access_log ACLs, for
example.

Concurrent checks are not supported, but it is possible for the same
ACLChecklist to be used for a sequence of checks, alternating
fastCheck(void) and fastCheck(list) calls. We needed a
different/dedicated mechanism to detect check concurrency (added
ACLChecklist::occupied_), and we needed to preserve (and then restore)
pre-set accessList during fastCheck(list) checks.

HTH,

Alex.
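
A simplified C++ model of the fix this message describes, added here as an illustration and not taken from the patch or from Squid's source. Only `occupied_`, `accessList` and the two `fastCheck` forms come from the message; `AccessList`, `Occupy`, `Restore`, `onMatch` and `current()` are hypothetical, and a thrown exception stands in for the assert.

```cpp
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>
// Toy ACL list (constructed): a request is allowed if it equals an entry.
struct AccessList { std::vector<std::string> allow; };
// Simplified model of the checklist described above, not Squid's class.
class Checklist {
public:
    Checklist(const AccessList *preset, std::string req)
        : accessList(preset), request(std::move(req)) {}
    std::function<void()> onMatch; // hypothetical hook: runs mid-check
    // fastCheck(void): evaluate the pre-set accessList.
    bool fastCheck() { Occupy busy(occupied_); return matches(); }
    // fastCheck(list): evaluate another list, then restore the pre-set one.
    bool fastCheck(const AccessList *list) {
        Occupy busy(occupied_);
        Restore keep(accessList); // saved here, put back on scope exit
        accessList = list;
        return matches();
    }
    const AccessList *current() const { return accessList; }
private:
    struct Occupy { // dedicated detector, independent of accessList
        bool &flag;
        explicit Occupy(bool &f) : flag(f) {
            if (flag) throw std::logic_error("concurrent check");
            flag = true;
        }
        ~Occupy() { flag = false; }
    };
    struct Restore {
        const AccessList *&slot; const AccessList *saved;
        explicit Restore(const AccessList *&s) : slot(s), saved(s) {}
        ~Restore() { slot = saved; }
    };
    bool matches() {
        if (onMatch) onMatch();
        if (!accessList) return false;
        for (const auto &a : accessList->allow) if (a == request) return true;
        return false;
    }
    const AccessList *accessList;
    std::string request;
    bool occupied_ = false;
};
int main() { AccessList a{{"GET /a"}}; Checklist c(&a, "GET /a"); return c.fastCheck() ? 0 : 1; }
```

Because concurrency is tracked by the flag rather than by whether `accessList` is set, a checklist with a pre-set list can alternate between the two call forms, and only a check started while another is still running is rejected.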

Tsantilas Christos | 7 Jun 2013 18:20

[PATCH] Sending root certificate for validation


This patch modifies the squid cert validation subsystem to send to the cert
validator helper the complete certificate chain, not only the
certificates sent by the web server. This may not be possible in all
cases, for example in cases where the root certificate is not stored
locally.

This is a Measurement Factory project

