Alejandro Cabrera Obed | 23 Jun 01:08 2016

Squid3: icmp_sock: (97) Address family not supported by protocol / pinger: Unable to start ICMPv6 pinger

Hi people, when I start the squid3 service, I get these lines in the /var/log/squid3/cache.log file:

2016/06/22 19:56:35 kid1| Pinger socket opened on FD 12
2016/06/22 19:56:35| pinger: Initialising ICMP pinger ...
2016/06/22 19:56:35| pinger: ICMP socket opened.
2016/06/22 19:56:35|  icmp_sock: (97) Address family not supported by protocol
2016/06/22 19:56:35| pinger: Unable to start ICMPv6 pinger.

But after that the squid3 daemon runs OK.

My pinger file is:

-rwsr-xr-x 1 root root 18224 March 22 10:50 /usr/lib/squid3/pinger

I use Debian 8 and squid3 3.4.8-6+deb8u2 (amd64), and I haven't disabled the IPv6 protocol: there are no references to it in /etc/default/grub nor in the associated sysctl file.

What do the pinger-related lines mean? Do I have to pay attention to them, or can I just ignore them?

Thanks a lot

--
 //  Alejandro   //



_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
James Lay | 22 Jun 21:29 2016

Latest ssl and Squid stable compile issue

So yeah... I git-pulled the latest ssl; here are my results:

make[3]: Entering directory `/home/nobackup/build/squid-3.5.19/src/anyp'
depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/bash ../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H   -I../.. -I../../include -I../../lib -I../../src -I../../include    -I/opt/openssl/include  -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64   -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF $depbase.Tpo -c -o PortCfg.lo PortCfg.cc &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I/opt/openssl/include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF .deps/PortCfg.Tpo -c PortCfg.cc  -fPIC -DPIC -o .libs/PortCfg.o
In file included from ../../src/anyp/PortCfg.h:18:0,
                 from PortCfg.cc:10:
../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
 typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
                                             ^
../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
 typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
                                                             ^
../../src/ssl/gadgets.h:83:75: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
                                                                           ^
../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
 typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
                                                     ^
../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
 typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
                                                                         ^
../../src/ssl/gadgets.h:89:91: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
                                                                                           ^
../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
 typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
                                           ^
../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
 typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
                                                          ^
../../src/ssl/gadgets.h:116:71: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
                                                                       ^
make[3]: *** [PortCfg.lo] Error 1
make[3]: Leaving directory `/home/jlay/nobackup/build/squid-3.5.19/src/anyp'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/jlay/nobackup/build/squid-3.5.19/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/jlay/nobackup/build/squid-3.5.19/src'
make: *** [all-recursive] Error 1

This is to hopefully compile in ChaCha support... should I go with the dev 4.0.11 squid instead? Thank you.

James
Sebastien.Boulianne | 22 Jun 21:07 2016

WTF ? SSL Certficate error: certificate issuer (CA) not known

Huuuuuuuuuuuuu ?


My CA is known… Where is the issue ? :(

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2

Sebastien

James Lay | 22 Jun 18:12 2016

Unknown Cipher Suite

Well, this is new... I started seeing this on Instagram. The message I get when debugging:

2016/06/22 09:43:26| Error negotiating SSL on FD 14: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)

And sure enough...even Wireshark doesn't know what this is:



Any hints on what this is / how to fix it? Thanks all.

James
Sergio Belkin | 22 Jun 17:09 2016

Somewhat-OT: e2guardian

Hi,

I wonder if anyone is using e2guardian. If so, I'd like to hear experiences.

I used DansGuardian some years ago.

Thanks in advance!

--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
Pavel Lint | 22 Jun 16:21 2016

Squid won't listen to ipv4

Good evening, dear sirs. Please kindly assist me in resolving this issue.

After compiling and launching squid 3.5.12 on my Red Hat Linux (3.10.0-327.13.1.el7.x86_64), I face the problem of Squid listening on IPv6 only.

Here's a related (I think) squid log entry:
2016/06/21 09:52:44.608 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 9 flags=9, err=0, HTTP Socket port=0x18c3a80)

I see no errors in the log. 
Is there something I’ve missed?

Cheers,
Pavel Lint.
hans.meyer0 | 22 Jun 16:10 2016

https antivirus proxy necessary?

Do you think it's necessary to have an additional HTTPS antivirus proxy on top of the normal client antivirus? We are using Avast Business, which already offers web protection. Can an additional antivirus proxy significantly raise the level of protection? In general I think two different antivirus programs see more than one. But on the other hand, an HTTP/HTTPS antivirus proxy is an additional attack surface, especially because it's costly to build the latest squid version with HTTPS support from source on Debian Jessie. So the proxy will not be up a proxy or not?

Roberto Carna | 22 Jun 14:53 2016

Squid3 error: CHILD: hello write test failed logrotate

Dear all, I've implemented Squid3 in reverse mode, and when I tested it
with some web accesses from my PC, everything was OK. But when I put it
in production, there were a lot of web accesses and everything was OK
until /var/log/squid3/access.log rotated to access.log.1. From that
moment, the access.log file is not present, and the squid3 daemon
doesn't respond... I'm not sure of the cause.

I had to create the access.log by hand and set up the owners. After
that I rebooted the server and the squid3 daemon runs OK.

I have this error in /var/log/squid3/cache.log:

2016/06/22 06:25:06 kid1| logfileRotate: daemon:/var/log/squid3/access.log
2016/06/22 06:25:06 kid1| logfileRotate: daemon:/var/log/squid3/access.log
2016/06/22 06:25:06 kid1| sendto FD 14: (1) Operation not permitted
2016/06/22 06:25:06 kid1| ipcCreate: CHILD: hello write test failed

My OS is Debian 8 64-bit, with Squid 3.4.8-6+deb8u2 compiled by hand.

Can you help me? Thanks a lot.

R.
reqman | 22 Jun 13:58 2016

"unknown request" when configured to display custom logo

squid 3.5.19 on FreeBSD 10.3. The system has a LAN and WAN interface,
both in private address spaces. System's name is my.host.local,
listening on LAN at 192.168.0.1:3128. The system is not configured to
listen on localhost.

I am trying to replace the squid logo (SN.png) with the logo of my
agency. To do so:
1) I've copied mylogo.png to /usr/local/etc/squid/icons, alongside
SN.png. Same permissions for both files, same ownership:

 # ls -laF /usr/local/etc/squid/icons/
total 36
drwxr-xr-x  3 root  wheel    512 Jun 22 12:53 ./
drwxr-xr-x  4 root  squid    512 Jun 22 12:54 ../
-rw-r--r--  1 root  wheel  12716 May 19 16:15 SN.png
-rw-r--r--  1 root  wheel   7863 Jun 22 12:08 mylogo.png
drwxr-xr-x  2 root  wheel   1536 May 27 14:17 silk/

2) I've edited /usr/local/etc/squid/errorpage.css and replaced
/squid-internal-static/icons/SN.png with
/squid-internal-static/icons/mylogo.png

Details (filesize etc) of mylogo.png:

# file mylogo.png
mylogo.png: PNG image data, 82 x 72, 8-bit/color RGBA, non-interlaced

I've made both a squid -k reconfigure as well as a service squid
restart to make sure that the change propagates through. The problem
is that even though SN.png shows up just fine everywhere, the logo I
have created does not. The following errors appear when browsing FTP
sites (whereas the logo always appears) or when an HTTP error page has
to be displayed:

2016/06/22 12:57:38 kid1| internalStart: unknown request:
GET /squid-internal-static/icons/mylogo.png HTTP/1.1
Accept: */*
Referer: http://moystakas.gr/
Accept-Language: el
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: moystakas.gr

On access.log:

1466589376.848      1 192.168.0.209 TCP_MISS/404 5632 GET
http://my.host.local:3128/squid-internal-static/icons/mylogo.png -
HIER_NONE/- text/html

BR,

Michael.-
jblank | 22 Jun 13:13 2016

Forward loop when intercepting mode to proxy traffic to local VM

Hey all,

Thanks to a bizarre client requirement (don't ask, it's head-hurty), I am 
required to maintain a legacy server which only supports obsolete SHA-1 
encryption. To keep things relatively safe, I'm attempting to contain the 
problem within a VM and use Squid on the VM's host to "re-encrypt" 
incoming traffic.

That is:
Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the VM; 
Squid gets the response from the VM and passes it along (re-encrypting it 
to SHA2).

At least, that's the idea. But forget about SSL/encryption for the moment; 
I can't even get this concept working with plain old unencrypted HTTP.

The VM is running locally, and accessible via host-only networking on 
192.168.1.101. I set up a local /etc/hosts alternative JUST for 
Squid's use, which tells Squid that "myhost.mydomain.com" is actually 
192.168.1.101. Yet Squid seems to be ignoring this. Incoming requests for 
http://myhost.mydomain.com/ throw a standard Squid "Access Denied." 
page. cache.log reveals the presence of a forward loop:

-------
2016/06/22 06:48:47 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: myhost.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: */*
Referer: http://myhost.mydomain.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Via: 1.1 myhost (squid/3.4.8)
X-Forwarded-For: 1.2.3.4
Cache-Control: no-cache
Connection: keep-alive

2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
-------

access.log, meanwhile, reports:

1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET 
http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET 
http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html

(Here, "5.6.7.8" is the EXTERNAL IP address of the VM host-- i.e., the 
actual "outside world" IP of myhost.mydomain.com, as opposed to the 
internal-only 192.168.1.101 which it should be translated into. "1.2.3.4" 
is the IP of my workstation running my Web browser.)

Below is the ENTIRE text of my /etc/squid3/squid.conf; at one point in 
this process, I got so frustrated that I pared it down to the absolute 
minimum.

---
hosts_file /etc/squid3/squid_hosts
always_direct allow all
cache deny all
acl FROM_ALL src all
acl TO_LOCAL dst 127.0.0.1
acl TO_LOCAL dst 192.168.1.101
http_access allow FROM_ALL
http_access allow TO_LOCAL
http_access deny all
http_port 80 intercept
---

I've been bashing my head against this problem all evening to no effect. I
am fairly sure I could simply solve my problem by writing a minuscule
proxy script in PHP, Perl or Python, and using Apache's mod_rewrite rules
to point all incoming Web requests through said proxy script. But I'd
really rather not "re-invent the wheel"; I'd really rather use Squid.

Any help would be very much appreciated!

Best,

Jessica
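The two access.log lines in this post carry the loop signature on their own: the request is forwarded to ORIGINAL_DST/5.6.7.8, the proxy host's own address, and then arrives again from that same address. The following is an added example, not part of Jessica's post or of Squid; it assumes Squid's native access.log field layout and a constructed set of the proxy host's own addresses (the post's placeholder 5.6.7.8 and the host-only 192.168.1.101).

```python
"""Flag Squid forwarding loops from native-format access.log lines.

Added example (not from the original post).  Assumes the standard Squid
native access.log layout:
  time elapsed client code/status bytes method url ident hier/peer type
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed: addresses that belong to the Squid host itself (the post's
# placeholder external IP and the host-only VM address from the config).
PROXY_OWN_ADDRS = {"5.6.7.8", "192.168.1.101", "127.0.0.1"}

# Constructed sample: the two access.log lines quoted in the post, each
# rejoined onto a single line (the mail client had wrapped them).
SAMPLE_LOG = """\
1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
"""

@dataclass
class Entry:
    ts: float
    client: str
    status: int
    url: str
    hier: str   # hierarchy code, e.g. ORIGINAL_DST, HIER_NONE
    peer: str   # next-hop address, or "-" when nothing was contacted

def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    hier, _, peer = f[8].partition("/")
    return Entry(float(f[0]), f[2], int(f[3].split("/")[1]), f[6], hier, peer)

def find_loops(lines: Iterable[str]) -> List[str]:
    """Return one reason per entry that shows a forwarding loop.

    Two signals: the proxy chose itself as the next hop (peer is one of
    its own addresses), or a request arrived *from* one of its own
    addresses, which is the looped-back second pass of the same request.
    """
    reasons = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.peer in PROXY_OWN_ADDRS:
            reasons.append(f"{e.url}: next hop {e.hier}/{e.peer} is the proxy itself")
        elif e.client in PROXY_OWN_ADDRS:
            reasons.append(f"{e.url}: request from proxy's own address {e.client} (looped-back pass)")
    return reasons
```

Run over the constructed sample, both lines are flagged, which matches the cache.log WARNING quoted in the post; a normal HIER_DIRECT entry to a foreign address produces nothing.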
Kristopher Lalletti | 22 Jun 05:14 2016

cache_peer directive with SNI

Hi All,

I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've hit a small snag.  

Basically, I need to tell squid to pass the proper SSL SNI name to the backend webserver which is accessed via
SSL, and naturally, the SSL SNI service-name (service.foo.com) is not the server-hostname
(webserver1.foo.com), because I've got 3 servers providing for that service-name.

Valid Request to my backend server:
curl --verbose --resolve service.foo.com:10.10.10.10 https://service.foo.com/

Bad requests to my backend server:
curl --verbose --header 'Host: service.foo.com' https://webserver1.foo.com/
curl --verbose https://webserver1.foo.com/
curl --verbose https://10.10.10.10/

I've looked at the configuration that was generated for the cache_peer, and it came to this:

cache_peer webserver1.foo.com parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1

Unfortunately, cache_peer doesn't seem to have any directives about this, which leads me to believe
there may be a magic SSL Squid ACL that would tell the cache_peer to transpose the requested hostname as
part of the SSL SNI hello message, or something like this...

Any advice/orientation to approach the problem would be much appreciated.

Cheers
Kris