agent_js03 | 23 Jan 18:20 2015

Squid ssl-bumping: how does squid verify certificates?

Hi,

I am kind of a newbie to SSL, and have been tinkering with squid SSL bumping
for https, so bear with me if this question has already been discussed. So
here is my understanding of how HTTPS works: a browser has a sort of local
repository of trusted certificates, correct? And when you access an HTTPS
website it searches through these certificates and determines whether one is
to be trusted or not. So I've set up squid for SSL bumping and have added my
squid certificate to my browser's list of trusted certificates. However, the
way SSL now works is that squid intercepts my HTTPS request and I never
actually see the certificate sent from the original server, correct? So what
I want to know is how does squid know whether the certificate is valid or
not? I am afraid of getting a man-in-the-middle attack since it is squid
that verifies certificates and not my client. Or is my understanding
incorrect? Does squid have this same list of trusted sources and if not can
I set it up myself?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ssl-bumping-how-does-squid-verify-certificates-tp4669296.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Odhiambo Washington | 23 Jan 12:37 2015

Squid versions and FreeBSD-10.1 headache

So for the past few days I have been struggling with Squid in intercept mode on FreeBSD-10.1.

Using the same squid.conf for Squid-3.4.10 and Squid-3.5.1 and the same Firewall rules (I have tested with IPFilter and PF and these rules work with Squid-2.7.9 on several FreeBSD boxes that I have):

1. Squid-3.5.1 has completely refused to play along - always complaining about "loop detected" and hence denying all requests
2. Squid-3.4.10 plays along, BUT has so many complaints in cache.log as below:

2015/01/23 13:26:43| Set Current Directory to /usr/local/squid/logs
2015/01/23 13:26:43| Set Current Directory to /usr/local/squid/logs
2015/01/23 13:26:43| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
2015/01/23 13:26:43| Process ID 15770
2015/01/23 13:26:43| Process Roles: master worker
2015/01/23 13:26:43| With 114417 file descriptors available
2015/01/23 13:26:43| Initializing IP Cache...
2015/01/23 13:26:43| DNS Socket created at [::], FD 5
2015/01/23 13:26:43| DNS Socket created at 0.0.0.0, FD 6
2015/01/23 13:26:43| Adding domain ili.or.ug from /etc/resolv.conf
2015/01/23 13:26:43| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2015/01/23 13:26:43| helperOpenServers: Starting 5/15 'ssl_crtd' processes
2015/01/23 13:26:43| helperOpenServers: Starting 10/15 'ut-squidbooster' processes
2015/01/23 13:26:43| Logfile: opening log stdio:/usr/local/squid/logs/access.log
2015/01/23 13:26:43| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/01/23 13:26:43| Store logging disabled
2015/01/23 13:26:43| Swap maxSize 104857600 + 131072 KB, estimated 8076051 objects
2015/01/23 13:26:43| Target number of buckets: 403802
2015/01/23 13:26:43| Using 524288 Store buckets
2015/01/23 13:26:43| Max Mem  size: 131072 KB
2015/01/23 13:26:43| Max Swap size: 104857600 KB
2015/01/23 13:26:43| Rebuilding storage in /usr/local/squid/cache (dirty log)
2015/01/23 13:26:43| Using Least Load store dir selection
2015/01/23 13:26:43| Set Current Directory to /usr/local/squid/logs
2015/01/23 13:26:43| Finished loading MIME types and icons.
2015/01/23 13:26:43| HTCP Disabled.
2015/01/23 13:26:43| Pinger socket opened on FD 45
2015/01/23 13:26:43| Squid plugin modules loaded: 0
2015/01/23 13:26:43| Adaptation support is off.
2015/01/23 13:26:43| Accepting NAT intercepted HTTP Socket connections at local=[::]:13128 remote=[::] FD 40 flags=41
2015/01/23 13:26:43| Accepting HTTP Socket connections at local=[::]:13127 remote=[::] FD 41 flags=9
2015/01/23 13:26:43| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:13129 remote=[::] FD 42 flags=41
2015/01/23 13:26:43| Accepting ICP messages on [::]:3130
2015/01/23 13:26:43| Sending ICP messages from [::]:3130
2015/01/23 13:26:43| pinger: Initialising ICMP pinger ...
2015/01/23 13:26:43| pinger: ICMP socket opened.
2015/01/23 13:26:43| pinger: ICMPv6 socket opened
2015/01/23 13:26:43| Store rebuilding is 50.88% complete
2015/01/23 13:26:43| Done reading /usr/local/squid/cache swaplog (7861 entries)
2015/01/23 13:26:43| Finished rebuilding storage from disk.
2015/01/23 13:26:43|      7845 Entries scanned
2015/01/23 13:26:43|         0 Invalid entries.
2015/01/23 13:26:43|         0 With invalid flags.
2015/01/23 13:26:43|      7829 Objects loaded.
2015/01/23 13:26:43|         0 Objects expired.
2015/01/23 13:26:43|        16 Objects cancelled.
2015/01/23 13:26:43|         0 Duplicate URLs purged.
2015/01/23 13:26:43|         0 Swapfile clashes avoided.
2015/01/23 13:26:43|   Took 0.05 seconds (168735.72 objects/sec).
2015/01/23 13:26:43| Beginning Validation Procedure
2015/01/23 13:26:43|   Completed Validation Procedure
2015/01/23 13:26:43|   Validated 7829 Entries
2015/01/23 13:26:43|   store_swap_size = 457188.00 KB
2015/01/23 13:26:44| storeLateRelease: released 0 objects
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x804ce9b78 dns_internal.cc:1131
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x804b1d7d8 ipcache.cc:353
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x8048b2698 Checklist.cc:45
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x804b1d7d8 Checklist.cc:160
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x804b1b618 helper.cc:856
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x804b1d7d8 redirect.cc:176
2015/01/23 13:26:47| CBDATA memory leak. cbdata=0x8049e9498 store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x804ce9b78 ipcache.cc:353
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8048b27d8 Checklist.cc:45
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8094c8058 store_client.cc:154
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8049e9498 store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8049e9498 store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8094c6058 CommCalls.cc:21
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8094c8058 store_client.cc:154
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8049e9498 store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x804ab8458 CommCalls.cc:21
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8094c8058 store_client.cc:154
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8049e9498 store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x804b1d718 clientStream.cc:235
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8048b2558 Checklist.cc:320

I am running squid like:
/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf -N

I do not see any coredumps with this scenario even when I run with -NCd1

For the time being I have opted to run squid with cache_log set to /dev/null. Not elegant at all.

So my questions:

Is anyone else here successfully running squid (3.4.10 or 3.5.x) in intercept mode on FreeBSD 10.x using either PF or IPFilter?

I'd really love to compare notes. Maybe that will help clear my current brain-lock!

Technically, I have reached my /etc on this one.

My squid.conf is available at http://pastebin.com/L16cDmRp





--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
Frank Reppin | 22 Jan 16:32 2015

squid-3.5.x / Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (38) Function not implemented

Hi all,

We're following 3.4.x (currently 3.4.11) closely and decided
to upgrade to 3.5.1 in a test environment today:

Environment (test+production) is linux vserver based:

   host system:     Debian Wheezy 7.8 x64
   guest system:    Debian Wheezy 7.8 x64
   kernel+vs patch: 3.14.27-vs2.3.6.14

and squid (all 3.3.x and all 3.4.x) worked without
any flaws so far (without any special tricks)...
... except 3.5.x which now dies after emitting:

   Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (38) Function not implemented

straight after starting up.

We've read through

   http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.1-RELEASENOTES.html

but cannot spot any fundamental change there (which might
cause the aforementioned issue).
We also tend not to think that this is caused by running
squid within a linux vserver context (because it has
worked this way for years).

The squid in question is compiled like:

frank <at> testbed:~# /usr/local/squid-3.5.1/sbin/squid -v
Squid Cache: Version 3.5.1
Service Name: squid
configure options:  '--prefix=/usr/local/squid-3.5.1' 
'--localstatedir=/var' '--with-pidfile=/var/run/squid3.pid' 
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' 
'--with-filedescriptors=65536' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-translation' '--enable-auth' 
'--enable-auth-basic' '--enable-auth-digest' '--enable-auth-negotiate' 
'--enable-auth-ntlm' '--enable-cache-digests' '--enable-delay-pools' 
'--enable-esi' '--enable-external-acl-helpers' 
'--enable-follow-x-forwarded-for' '--enable-icmp' '--enable-inline' 
'--enable-linux-netfilter' '--enable-log-daemon-helpers' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--with-openssl' 
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' 
'--enable-url-rewrite-helpers' '--enable-zph-qos' '--with-large-files' 
'--with-default-user=proxy'

We'd appreciate any hints! :)

TIA and cheers,
frank\

--

-- 
43rd Law of Computing:
         Anything that can go wr
fortune: Segmentation violation -- Core dumped
HackXBack | 22 Jan 13:17 2015

FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Hello,
Every day I find this error and my cache stops.

Then I remove the SSL database and restart squid.

The next day the problem happens again.
I am using squid 3.4.11.

What may cause this problem?

thanks.

John Gardner | 21 Jan 22:41 2015

Issues with CMS Redirects and Squid as Reverse Proxy

We have a Squid 3.4 server configured as a Reverse Proxy on Oracle
Linux 6.  It is working correctly for most sites, those which are HTTP
all the way through to the peer, Those which are HTTPS all the way
through to the peer and those which have SSL offloaded at the external
interface on Squid.  We have however come across a problem when using
a proprietary Content Management System.  In this CMS, you set each
page to show how it should be served i.e. HTTP or HTTPS.  If traffic
comes into the CMS with HTTP and it's set for HTTPS, the CMS tries to
re-write/force the URL so that it comes back with https:// at the
start.

The problem is that, this appears to come through Squid as an
indefinite loop and the page fails.  When connecting a Browser
directly to the CMS server, and using the same site and page settings,
it works, but when going through squid, it doesn't.  Now, I'm willing
to believe that the CMS is affecting the HTTP traffic so that it is
not strict and that Squid then fails as it doesn't know how to
handle it, but I thought I would post here and see if anyone could
help.

Our config is the following (with obfuscation);

http_port 10.x.x.42:80 accel defaultsite=server_2.bl.co.uk
https_port 10.x.x.42:443 accel cert=/usr/newrprgate/CertAuth/www/s.crt
key=/usr/newrprgate/CertAuth/www/southtynesidehomes_key.pem
cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
options=NO_SSLv2,NO_SSLv3 defaultsite=server_2.bl.co.uk
cache_peer 10.x.x.202 parent 80 0 no-query originserver name=server_2_http
cache_peer 10.x.x.202 parent 443 0 no-query originserver login=PASS
connection-auth=on ssl
sslcert=/usr/newrprgate/CertAuth/www/peer_keys/www.pem sslversion=1
sslflags=DONT_VERIFY_PEER front-end-https name=server_2_https
acl sites_server_2 dstdomain www.s.org.uk
cache_peer_access server_2_http allow sites_server_2
cache_peer_access server_2_https allow sites_server_2
cache_peer_access server_2_http deny all
cache_peer_access server_2_https deny all

I have switched full logging on and the output is shown below;

----------
2015/01/13 20:54:38.697 kid1| http.cc(2219) sendRequest: HTTP Server
local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.697 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b
Via: 1.1 servername.bl.co.uk (squid)
Surrogate-Capability: servername.bl.co.uk="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 92.237.143.136
Cache-Control: max-age=259200
Connection: keep-alive

----------
2015/01/13 20:54:38.732 kid1| ctx: enter level  0:
'https://www.s.org.uk/article/9842/About-us'
2015/01/13 20:54:38.732 kid1| http.cc(749) processReplyHeader: HTTP
Server local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.732 kid1| http.cc(750) processReplyHeader: HTTP
Server REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href="https://www.s.org.uk/article/9842/About-us">here</a>.</h2>
</body></html>

----------
2015/01/13 20:54:38.732 kid1| ctx: exit level  0
2015/01/13 20:54:38.732 kid1| client_side.cc(1459) sendStartOfMessage:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54310 FD 30
flags=1
2015/01/13 20:54:38.732 kid1| client_side.cc(1460) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT
X-Cache: MISS from servername.bl.co.uk
X-Cache-Lookup: MISS from servername.bl.co.uk:80
Via: 1.1 servername.bl.co.uk (squid)
Connection: keep-alive

----------
2015/01/13 20:54:38.773 kid1| client_side.cc(2407) parseHttpRequest:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54307 FD 28
flags=1
2015/01/13 20:54:38.773 kid1| client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b

----------
2015/01/13 20:54:38.774 kid1| http.cc(2219) sendRequest: HTTP Server
local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.774 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b
Via: 1.1 servername.bl.co.uk (squid)
Surrogate-Capability: servername.bl.co.uk="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 92.237.143.136
Cache-Control: max-age=259200
Connection: keep-alive

----------
2015/01/13 20:54:38.806 kid1| ctx: enter level  0:
'https://www.s.org.uk/article/9842/About-us'
2015/01/13 20:54:38.806 kid1| http.cc(749) processReplyHeader: HTTP
Server local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.806 kid1| http.cc(750) processReplyHeader: HTTP
Server REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href="https://www.s.org.uk/article/9842/About-us">here</a>.</h2>
</body></html>

----------
2015/01/13 20:54:38.806 kid1| ctx: exit level  0
2015/01/13 20:54:38.806 kid1| client_side.cc(1459) sendStartOfMessage:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54307 FD 28
flags=1
2015/01/13 20:54:38.806 kid1| client_side.cc(1460) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT
X-Cache: MISS from servername.bl.co.uk
X-Cache-Lookup: MISS from servername.bl.co.uk:80
Via: 1.1 servername.bl.co.uk (squid)
Connection: keep-alive

----------
2015/01/13 20:54:38.850 kid1| client_side.cc(2407) parseHttpRequest:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54306 FD 32
flags=1
2015/01/13 20:54:38.850 kid1| client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b

----------
2015/01/13 20:54:38.850 kid1| http.cc(2219) sendRequest: HTTP Server
local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.850 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b
Via: 1.1 servername.bl.co.uk (squid)
Surrogate-Capability: servername.bl.co.uk="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 92.237.143.136
Cache-Control: max-age=259200
Connection: keep-alive

----------
2015/01/13 20:54:38.881 kid1| ctx: enter level  0:
'https://www.s.org.uk/article/9842/About-us'
2015/01/13 20:54:38.881 kid1| http.cc(749) processReplyHeader: HTTP
Server local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1
2015/01/13 20:54:38.881 kid1| http.cc(750) processReplyHeader: HTTP
Server REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href="https://www.s.org.uk/article/9842/About-us">here</a>.</h2>
</body></html>

----------
2015/01/13 20:54:38.881 kid1| ctx: exit level  0
2015/01/13 20:54:38.881 kid1| client_side.cc(1459) sendStartOfMessage:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54306 FD 32
flags=1
2015/01/13 20:54:38.881 kid1| client_side.cc(1460) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 176
Content-Type: text/html; charset=utf-8
Location: https://www.s.org.uk/article/9842/About-us
Server: Microsoft-IIS/7.5
Set-Cookie: clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b;
expires=Thu, 15-Jan-2015 21:03:45 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 13 Jan 2015 21:03:44 GMT
X-Cache: MISS from servername.bl.co.uk
X-Cache-Lookup: MISS from servername.bl.co.uk:80
Via: 1.1 servername.bl.co.uk (squid)
Connection: keep-alive

----------
2015/01/13 20:54:38.930 kid1| client_side.cc(2407) parseHttpRequest:
HTTP Client local=10.x.x.42:443 remote=92.237.143.136:54308 FD 25
flags=1
2015/01/13 20:54:38.930 kid1| client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
GET /article/9842/About-us HTTP/1.1
Host: www.s.org.uk
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://www.s.org.uk/article/11445/Publications
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=krnzwqana4w3gz452ogmtki4; mode=0;
clientvars=dca8813b-feb8-4398-ab5f-11fa4cf5bc1b

I'd greatly appreciate it if someone could cast their eyes over the
logs and see if anything pops out as to why this infinite loop is
displayed by Squid.

Thanks very much in advance.

John
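One way to check a debug log for the pattern visible above, as an added example that is not code from the thread or from the Squid project: it pairs each request Squid sends to the peer with the peer's reply and flags replies that redirect to the https:// form of the very URL Squid just fetched over plain port 80, counting repeats per Location. The sample lines are constructed in the shape of the quoted cache.log, unwrapped as the real log is.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the Squid 3.4 debug output quoted in the thread:
# a client request received on the https_port (443), Squid's request to the origin
# over port 80, the origin's 302 to the https:// form of the same URL, and the reply
# relayed to the client. Three such cycles make the loop.
def _bounce_cycle(client_src_port: int) -> str:
    client = f"HTTP Client local=10.x.x.42:443 remote=92.237.143.136:{client_src_port} FD 28 flags=1"
    peer = "HTTP Server local=10.x.x.40:35186 remote=10.x.x.202:80 FD 34 flags=1"
    return (
        f"2015/01/13 20:54:38.773 kid1| client_side.cc(2407) parseHttpRequest: {client}\n"
        "2015/01/13 20:54:38.773 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:\n"
        "---------\nGET /article/9842/About-us HTTP/1.1\nHost: www.s.org.uk\nConnection: keep-alive\n\n----------\n"
        f"2015/01/13 20:54:38.774 kid1| http.cc(2219) sendRequest: {peer}\n"
        "2015/01/13 20:54:38.774 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:\n"
        "---------\nGET /article/9842/About-us HTTP/1.1\nHost: www.s.org.uk\nVia: 1.1 servername.bl.co.uk (squid)\n\n----------\n"
        f"2015/01/13 20:54:38.806 kid1| http.cc(749) processReplyHeader: {peer}\n"
        "2015/01/13 20:54:38.806 kid1| http.cc(750) processReplyHeader: HTTP Server REPLY:\n"
        "---------\nHTTP/1.1 302 Found\nLocation: https://www.s.org.uk/article/9842/About-us\nServer: Microsoft-IIS/7.5\n\n----------\n"
        f"2015/01/13 20:54:38.806 kid1| client_side.cc(1459) sendStartOfMessage: {client}\n"
        "2015/01/13 20:54:38.806 kid1| client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY:\n"
        "---------\nHTTP/1.1 302 Found\nLocation: https://www.s.org.uk/article/9842/About-us\n\n----------\n"
    )

SAMPLE_LOG = "".join(_bounce_cycle(p) for p in (54310, 54307, 54306))

PEER_RE = re.compile(r"HTTP Server local=\S+ remote=\S+?:(\d+) FD")  # port Squid connected to on the peer
CLIENT_RE = re.compile(r"HTTP Client local=\S+?:(\d+) remote=")      # Squid port the client connected to

@dataclass
class Bounce:
    requested: str              # URL Squid fetched from the peer (scheme taken from the peer port)
    location: str               # where the origin redirected instead
    client_port: Optional[int]  # Squid port the client arrived on (443 = https_port), if seen

def _read_message(lines: List[str], start: int) -> List[str]:
    """Collect the HTTP message printed after a REQUEST:/REPLY: line, up to the blank line."""
    j = start
    if j < len(lines) and set(lines[j]) == {"-"}:   # skip the '---------' separator
        j += 1
    msg = []
    while j < len(lines) and lines[j].strip() and not set(lines[j]) <= {"-"}:
        msg.append(lines[j])
        j += 1
    return msg

def _header(msg: List[str], name: str) -> Optional[str]:
    for line in msg[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def scheme_bounces(log: str) -> List[Bounce]:
    """Every peer reply that redirects to the https:// form of the URL Squid just fetched over plain HTTP."""
    lines = log.splitlines()
    client_port = peer_port = None
    pending = None      # (scheme, host, path) of the last request sent to the peer
    found: List[Bounce] = []
    for i, line in enumerate(lines):
        if m := CLIENT_RE.search(line):
            client_port = int(m.group(1))
        if m := PEER_RE.search(line):
            peer_port = int(m.group(1))
        if line.endswith("HTTP Server REQUEST:"):
            msg = _read_message(lines, i + 1)
            scheme = "https" if peer_port == 443 else "http"
            pending = (scheme, _header(msg, "Host"), msg[0].split()[1])
        elif line.endswith("HTTP Server REPLY:") and pending:
            msg = _read_message(lines, i + 1)
            status = int(msg[0].split()[1])
            scheme, host, path = pending
            location = _header(msg, "Location")
            if 300 <= status < 400 and scheme == "http" and location == f"https://{host}{path}":
                found.append(Bounce(f"{scheme}://{host}{path}", location, client_port))
            pending = None
    return found

def redirect_loops(log: str, threshold: int = 2) -> dict:
    """Locations bounced to at least `threshold` times: Squid keeps fetching over HTTP a URL the origin insists is HTTPS."""
    counts = Counter(b.location for b in scheme_bounces(log))
    return {loc: n for loc, n in counts.items() if n >= threshold}
```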
Marcus Kool | 21 Jan 22:11 2015

tcp_outgoing_address and ICAP server

I am using Squid 3.4.9 and have an issue with tcp_outgoing_address.

The Squid server is connected to the internet with multiple NICs and uses
    tcp_outgoing_address a.public.IP.address

and also want to use an ICAP server on the same host using

icap_service  reqmod_urlfilterdb   reqmod_precache   icap://a.local.ip.address:1344/reqmod_icapd bypass=off  routing=on  on-overload=wait ipv6=off

It seems that Squid binds the connection to the ICAP server the same way it binds
connections to webservers using the rule with tcp_outgoing_address,
and that is neither desired nor workable.

I tried

acl myicaphost dst a.local.ip.address
tcp_outgoing_address a.public.IP.address !myicaphost

but Squid issues the following errors:
2015/01/21 21:58:32 kid1| WARNING: myicaphost ACL is used in context without an HTTP request. Assuming mismatch.
2015/01/21 21:58:32 kid1| commBind: Cannot bind socket FD 10 to XX.XX.XX.XX: (99) Cannot assign requested address
2015/01/21 21:58:32 kid1| essential ICAP service is down after an options fetch failure: icap://XX.XX.XX.XX:1344/reqmod_icapd [down,!opt]

So the question is how to send web traffic over a specific NIC and traffic to the ICAP server over another
(default?) NIC?

From the comments in squid.conf.documented it seems that tcp_outgoing_address is used for traffic to
websites, so it seems that
the socket to the ICAP server should not be subject to the logic of tcp_outgoing_address. Is this correct?

Marcus

Carl-Daniel Hailfinger | 21 Jan 19:00 2015

Local port number logging woes

Hi,

I'm using cascaded/hierarchical Squid instances, one per machine. To get
the ability to correlate access.log entries between instances, I have
extended the default squid log format by %>p and %<lp .
For correlation, I use the following two sets of information:
The parent proxy uses "URL", "timestamp", "client source port".
The child proxy uses "URL", "timestamp", "local port number of the last
server or peer connection".
Even with some slight timing variations due to caching/lookups/network,
the child proxy local port number of the last peer connection and the
parent proxy client source port help tremendously matching those entries
against each other.

This works great except for one oddity: Quite a few Squid log entries of
the child proxy have "0" as local port number of the last server or peer
connection. I have absolutely no idea why that would be the case. AFAICS
cached entries have "-" as local port number and that's fine because it
means there was no associated parent proxy connection.

Am I doing something wrong? Are there any cases where the log format
code %<lp would legitimately yield 0?

Regards,
Carl-Daniel
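For the correlation scheme described above, an added example (not the poster's own tooling) that joins a child proxy's access.log, logged with `%>p %<lp` appended, against the parent's, logged with `%>p` appended, on URL, time window and child `%<lp` equal to parent `%>p`; entries whose `%<lp` is `-` or `0` are reported as uncorrelatable rather than silently dropped. Both logs are constructed samples in the stock squid logformat, keyed by URL only because the sample URLs are unique.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed access.log samples (not from the post). Both proxies use the stock
# "squid" logformat; the child appends "%>p %<lp" and the parent appends "%>p".
# In the child log %<lp is "-" for a cache hit (no peer connection was made) and,
# as the post observes, occasionally "0".
CHILD_LOG = """\
1421855467.158    120 10.0.0.20 TCP_MISS/200 4062 GET http://example.org/a - FIRSTUP_PARENT/10.0.0.3 text/html 51234 40022
1421855467.300      0 10.0.0.20 TCP_MEM_HIT/200 1200 GET http://example.org/b - HIER_NONE/- text/html 51235 -
1421855467.420    210 10.0.0.20 TCP_MISS/200 8800 GET http://example.org/c - FIRSTUP_PARENT/10.0.0.3 text/html 51236 0
1421855468.010     95 10.0.0.20 TCP_MISS/404 512 GET http://example.org/d - FIRSTUP_PARENT/10.0.0.3 text/html 51237 40024
"""
PARENT_LOG = """\
1421855467.200    100 10.0.0.2 TCP_MISS/200 4062 GET http://example.org/a - HIER_DIRECT/203.0.113.9 text/html 40022
1421855467.500    180 10.0.0.2 TCP_MISS/200 8800 GET http://example.org/c - HIER_DIRECT/203.0.113.9 text/html 40023
1421855468.090     70 10.0.0.2 TCP_MISS/404 512 GET http://example.org/d - HIER_DIRECT/203.0.113.9 text/html 40024
"""

@dataclass
class Entry:
    ts: float                       # request start time (%ts.%tu), as logged
    url: str                        # %ru
    client_port: int                # %>p: source port of the TCP connection from the client
    peer_local_port: Optional[int]  # %<lp (child only): local port of the last peer connection; None for "-"

def parse_entry(line: str, has_lp: bool) -> Entry:
    """Parse one stock-format line; the appended port fields are the last one or two columns."""
    f = line.split()
    if has_lp:
        lp = None if f[-1] == "-" else int(f[-1])
        port_field = f[-2]
    else:
        lp, port_field = None, f[-1]
    return Entry(ts=float(f[0]), url=f[6], client_port=int(port_field), peer_local_port=lp)

def correlate(child_log: str, parent_log: str, window: float = 2.0) -> Tuple[Dict[str, Entry], Dict[str, str]]:
    """Match each child entry to the parent entry whose client source port equals the child's
    %<lp, for the same URL within `window` seconds. Returns (matched, unmatched-with-reason)."""
    parents = [parse_entry(l, has_lp=False) for l in parent_log.splitlines() if l.strip()]
    matched: Dict[str, Entry] = {}
    unmatched: Dict[str, str] = {}
    for line in child_log.splitlines():
        if not line.strip():
            continue
        c = parse_entry(line, has_lp=True)
        if c.peer_local_port is None:
            unmatched[c.url] = "served from cache: no peer connection to correlate"
            continue
        if c.peer_local_port == 0:
            # The oddity from the post: a 0 here means the port cannot be used as a join key.
            unmatched[c.url] = "local port logged as 0: cannot correlate by port"
            continue
        cands = [p for p in parents
                 if p.url == c.url and p.client_port == c.peer_local_port and abs(p.ts - c.ts) <= window]
        if len(cands) == 1:
            matched[c.url] = cands[0]
        else:
            unmatched[c.url] = f"{len(cands)} parent candidates for port {c.peer_local_port}"
    return matched, unmatched
```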
thane | 21 Jan 18:11 2015

Squid as reverse proxy and image theft protection

Dear all,

we configured Squid 3.4.9 as a Reverse Proxy/Accelerator in front of some
virtual machines located geographically in different countries, integrating
it with a Geo DNS solution to route the various user requests to the
Squid Reverse Proxy nearest to them. These virtual machines host a J2EE
Web Portal.

This Reverse Proxy provides the users with a huge amount of images and
greatly reduces the download time for those countries far from the primary
data center (China, India, etc.). These images are at the moment
freely accessible without authentication.

The portal behind squid uses a custom authentication form where the user
inserts his "Username" and "Password" in an HTTP form, and these credentials
are routed to a J2EE Servlet (through an HTTP POST) that performs various
authentication checks and releases a cookie to grant the session access to the
other dynamic contents.

We would like to understand if there are possible solutions to protect the
images on the Squid Reverse Proxy and make them available only after the
user is authenticated.

Another possible workaround is to perform some random scrambling of the image
URLs while still permitting caching of the same.

Thanks and best regards,
Guido M.

Nuno Fernandes | 21 Jan 17:05 2015

Internal error on squid_peer_access configuration

Hello,

I have a squid 3.3.10-20131120-r12658 with the following configuration 
(redacted):

acl localnet src 10.10.5.0/24
acl serverbox src 10.10.5.2/32

# squid.out
cache_peer 127.0.0.1 parent 8081 0 no-query no-digest default name=out
cache_peer_access out deny all

# Dansguardian
cache_peer 127.0.0.2 parent 8080 0 no-query no-digest default 
login=*:nopassword name=dansguardian
cache_peer_access dansguardian allow all

http_access allow localnet

I would like serverbox to go to the squid.out parent and all other users
through dansguardian.
If I add to the configuration:

cache_peer_access out allow serverbox
cache_peer_access dansguardian deny serverbox

I get an internal error in the logs:

1421855467.158      0 10.10.5.2 TCP_MISS/500 4062 GET http://ftp.cixug.es/CentOS/5.11/addons/i386/repodata/primary.sqlite.bz2 - HIER_NONE/- text/html

Any ideas on how I can achieve this?

Thanks,
Nuno Fernandes
Jason Haar | 21 Jan 09:40 2015

ssl-bump doesn't like valid web server

Hi there

I'm running squid-3.4.10 on CentOS-6 and just got hit with ssl-bump
blocking/warning on access to a website, and I can't figure out why.

It's https://myaccount.snap.net.nz/. Signed by a couple of layers of
intermediary certs, but seems fine (works direct with FF/Chrome/MSIE).
curl on the squid server has no trouble accessing it (using default
/etc/pki/tls/certs/ca-bundle.crt), but ssl_crtd creates a fake cert for
it as follows.

Any ideas what's up?

Thanks!

Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NZ, ST=...., CN=Not trusted by "Squid CA"
        Validity
            Not Before: Sep 22 08:36:12 2014 GMT
            Not After : Nov 22 22:46:24 2017 GMT
        Subject: serialNumber=TDtNUZuQo4Ts9hs8qd1ksekvefvr7hdo,
OU=GT11048499, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain
Control Validated - RapidSSL(R), CN=*.snap.net.nz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

--

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Yuri Voinov | 21 Jan 09:35 2015

Squid project site not available



http://i.imgur.com/j7oeNyV.png
