Nathan Hoad | 13 Apr 04:37 2015

Re: squid 3.5.3 can't get peek and splice to not bump certain sites

Hi Stan,

So one of the things that peek and splice added was support for the
Server Name Indication SSL extension, which lets Squid make bumping
decisions more accurately based on the hostname, rather than the IP
address. Prior to this, bumping on only the IP address caused issues
for virtual hosting and such.

As for a good write-up, this is about the best you can get, which
covers the protocol itself:
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

Essentially external ACLs are processes that Squid will write
"requests" to, which are line-based and configured according to the
format specifiers in your external_acl_type directive. The helper
process should read the request and decide if it's a "match", then
write back to Squid, which Squid will take action on. All
communication is over standard input/output.

Writing external ACLs is usually quite specialised to the situation,
so it's difficult to find concrete examples that will do what you
want. Using the configuration I mentioned earlier, you could write a
simple helper like so (this one is in Python):

import sys

# Requests arrive one per line; readline() returns each as it comes,
# whereas read() would block until Squid closes the pipe.
line = sys.stdin.readline()

# run loop until an empty read, which indicates the process should shut down.
while line:
(Continue reading)
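The helper protocol described above, worked through as a complete example. This is an added illustration, not Nathan's code or anything shipped with Squid: it assumes the helper is wired in with a single %DST field (for instance `external_acl_type nobump %DST /path/to/helper` and `acl nobump_hosts external nobump`, path to be filled in), the domain list is constructed, and the optional channel-ID handling follows what Squid does when `concurrency=N` is set on the helper.

```python
import re
import sys
from urllib.parse import unquote

# Constructed example list of hostnames whose TLS sessions should be
# left alone (matched by the ACL, so an "ssl_bump splice" rule can use it).
NO_BUMP_DOMAINS = {"wellsfargo.com", "bank.example"}


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    A plain suffix test would let evil-wellsfargo.com through, so the
    comparison is anchored on the dot boundary.
    """
    host = host.lower().rstrip(".")
    host = re.sub(r":\d+$", "", host)  # drop a trailing :port if one was passed
    return any(host == d or host.endswith("." + d) for d in domains)


def handle_request(line, domains=NO_BUMP_DOMAINS, concurrency=False):
    """Turn one request line Squid wrote into the reply line to write back.

    Squid sends the fields of the external_acl_type format, URL-encoded and
    space separated (here assumed to be just %DST). With concurrency=N the
    first token is a channel ID that must be echoed back in the reply.
    Replies are OK (match), ERR (no match) or BH (helper could not decide).
    """
    tokens = line.strip().split()
    if not tokens:
        return "BH"
    channel = ""
    if concurrency:
        channel = tokens.pop(0) + " "
        if not tokens:
            return channel + "BH"
    host = unquote(tokens[0])  # undo Squid's URL-encoding of the field
    verdict = "OK" if domain_matches(host, domains) else "ERR"
    return channel + verdict


def main():
    # Loop until an empty read (EOF), which is how Squid tells the helper
    # to shut down. All traffic is over stdin/stdout, one line each way.
    line = sys.stdin.readline()
    while line:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()  # Squid waits for this reply; unflushed output hangs the lookup
        line = sys.stdin.readline()


if __name__ == "__main__":
    main()
```

The flush after every reply matters: Squid blocks the request on the helper's answer, and a fully buffered stdout means the answer never arrives. Squid also caches helper verdicts (see the `ttl=` and `negative_ttl=` options of external_acl_type), so a change to the domain list only takes effect once cached entries expire or the helper is restarted.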

Stanford Prescott | 12 Apr 20:12 2015

squid 3.5.3 can't get peek and splice to not bump certain sites

I would like to give my users the ability to "not bump" certain sites. I tried to use the examples given on the SSLPeekandSplice wiki page but can't get it to work.

This is a snippet of my squid.conf file.

https_port 192.168.10.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem

http_port 192.168.20.1:800 intercept
https_port 192.168.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem

http_port 127.0.0.1:800 intercept

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB

acl serverIsBank dstdomain wellsfargo.com

ssl_bump server-first all

ssl_bump none localhostgreen
ssl_bump none localhostpurple

ssl_bump splice serverIsBank
ssl_bump peek all
ssl_bump bump all
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

When I start squid I don't get any error messages and all pages, http and https, load properly. The problem is, using the example above, the https://www.wellsfargo.com website is still getting bumped, evidenced by the appearance of the ssl website in the web proxy access logs. When I don't have ssl_bump enabled then no https websites appear in the access logs, as it should be. But, enabling ssl_bump and peek and splice, web sites that I am trying not to bump still seem to be getting bumped.

Any suggestions on how to properly "not bump" certain websites?

Thanks,

Stan
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
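Stan checks whether a site was bumped by looking for it in access.log. The following is an added example (not from the thread or from Squid) of that check done programmatically: it parses native-format access.log lines and separates the CONNECT entries Squid logs for the intercepted TLS handshake from GET/POST entries carrying an https:// URL, which only exist when Squid decrypted the session. The CONNECT lines are taken from the log output quoted elsewhere in this thread; the two GET lines and their hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample log. The CONNECT lines are the shape Squid logs for a
# peeked/intercepted TLS connection; the https:// GET line is what a bumped
# (decrypted) request looks like, since Squid then sees the inner request.
SAMPLE_ACCESS_LOG = """\
1428674512.706      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674515.883      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674520.000    120 192.168.3.31 TCP_MISS/200 5120 GET https://www.example-bank.test/login - ORIGINAL_DST/203.0.113.10 text/html
1428674521.000     90 192.168.3.31 TCP_MISS/200 2048 GET http://www.example.test/ - ORIGINAL_DST/203.0.113.11 text/html
"""


def parse_line(line):
    """Split one native-format access.log line into the fields used here.

    Native format: time elapsed client code/status bytes method URL user
    hierarchy/peer type. Returns None for lines that do not fit.
    """
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code, "status": status,
            "method": f[5], "url": f[6], "peer": f[8]}


def classify(entry):
    """'tunnel' for the CONNECT Squid logs for the TLS handshake step (on its
    own this does not prove bumping); 'bumped' for an https:// request, which
    Squid can only log after decrypting the session; 'plain' otherwise."""
    if entry["method"] == "CONNECT":
        return "tunnel"
    if entry["url"].startswith("https://"):
        return "bumped"
    return "plain"


def bumped_hosts(log_text):
    """Hostnames whose TLS traffic was decrypted. An admin verifying a
    'do not bump' rule wants the protected sites absent from this list."""
    hosts = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry) == "bumped":
            hosts.add(urlsplit(entry["url"]).hostname)
    return sorted(hosts)


def tunnel_targets(log_text):
    """host:port targets of the logged CONNECT entries."""
    targets = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry) == "tunnel":
            targets.add(entry["url"])
    return sorted(targets)


if __name__ == "__main__":
    print("decrypted hosts:", bumped_hosts(SAMPLE_ACCESS_LOG))
    print("CONNECT targets:", tunnel_targets(SAMPLE_ACCESS_LOG))
```

Note that the CONNECT targets in the sample are bare IP addresses: with interception, the only destination Squid knows before peeking is the IP, which is also why a `dstdomain` ACL evaluated before the peek step cannot see the SNI hostname.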
Monah Baki | 12 Apr 16:55 2015

BUG 3279: HTTP reply without Date:

Hi all,

Compiled squid 3.5.2 on CentOS 6.6 as follows:
$ ./configure --prefix=/home/cache --enable-follow-x-forwarded-for --with-large-files --enable-ssl --disable-ipv6 --enable-esi --enable-kill-parent-hack --enable-snmp --with-pthreads --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname --enable-storeio=ufs,aufs,diskd,rock

After approx 24 hours I am seeing this error on my squid 3.5.2 with one user connected for testing:

2015/04/11 15:02:58| Logfile: closing log daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Logfile Daemon: closing log daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Open FD UNSTARTED     0 stdin
2015/04/11 15:02:58| Open FD UNSTARTED     1 stdout
2015/04/11 15:02:58| Open FD UNSTARTED     2 stderr
2015/04/11 15:02:58| Open FD UNSTARTED     8 DNS Socket IPv4
2015/04/11 15:02:58| Open FD UNSTARTED     9 IPC UNIX STREAM Parent
2015/04/11 15:02:58| Squid Cache (Version 3.5.2): Exiting normally.
2015/04/11 15:06:52| Set Current Directory to /usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Starting Squid Cache version 3.5.2 for x86_64-unknown-linux-gnu...
2015/04/11 15:06:52| Service Name: squid
2015/04/11 15:06:52| Process ID 2005
2015/04/11 15:06:52| Process Roles: master worker
2015/04/11 15:06:52| With 65536 file descriptors available
2015/04/11 15:06:52| Initializing IP Cache...
2015/04/11 15:06:52| DNS Socket created at 0.0.0.0, FD 8
2015/04/11 15:06:52| Adding nameserver 8.8.8.8 from squid.conf
2015/04/11 15:06:52| Adding nameserver 41.78.211.30 from squid.conf
2015/04/11 15:06:52| Logfile: opening log daemon:/home/cache/var/logs/access.log
2015/04/11 15:06:52| Logfile Daemon: opening log /home/cache/var/logs/access.log
2015/04/11 15:06:52| Store logging disabled
2015/04/11 15:06:52| Swap maxSize 358400000 + 9437184 KB, estimated 28295168 objects
2015/04/11 15:06:52| Target number of buckets: 1414758
2015/04/11 15:06:52| Using 2097152 Store buckets
2015/04/11 15:06:52| Max Mem  size: 9437184 KB
2015/04/11 15:06:52| Max Swap size: 358400000 KB
2015/04/11 15:06:52| Rebuilding storage in /home/cache/var/cache/squid (clean log)
2015/04/11 15:06:52| Using Least Load store dir selection
2015/04/11 15:06:52| Set Current Directory to /usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Finished loading MIME types and icons.
2015/04/11 15:06:52| HTCP Disabled.
2015/04/11 15:06:52| Sending SNMP messages from 0.0.0.0:3401
2015/04/11 15:06:52| Squid plugin modules loaded: 0
2015/04/11 15:06:52| Adaptation support is off.
2015/04/11 15:06:52| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 13 flags=9
2015/04/11 15:06:52| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 14 flags=41
2015/04/11 15:06:52| Accepting SNMP messages on 0.0.0.0:3401
2015/04/11 15:06:52| Done reading /home/cache/var/cache/squid swaplog (94 entries)
2015/04/11 15:06:52| Finished rebuilding storage from disk.
2015/04/11 15:06:52|        94 Entries scanned
2015/04/11 15:06:52|         0 Invalid entries.
2015/04/11 15:06:52|         0 With invalid flags.
2015/04/11 15:06:52|        94 Objects loaded.
2015/04/11 15:06:52|         0 Objects expired.
2015/04/11 15:06:52|         0 Objects cancelled.
2015/04/11 15:06:52|         0 Duplicate URLs purged.
2015/04/11 15:06:52|         0 Swapfile clashes avoided.
2015/04/11 15:06:52|   Took 0.05 seconds (2036.97 objects/sec).
2015/04/11 15:06:52| Beginning Validation Procedure
2015/04/11 15:06:52|   Completed Validation Procedure
2015/04/11 15:06:52|   Validated 94 Entries
2015/04/11 15:06:52|   store_swap_size = 2000.00 KB
2015/04/11 15:06:53| storeLateRelease: released 0 objects
2015/04/11 15:48:51| WARNING: 1 swapin MD5 mismatches
2015/04/11 15:48:51| Could not parse headers from on disk object
2015/04/11 15:48:51| BUG 3279: HTTP reply without Date:
2015/04/11 15:48:51| StoreEntry->key: 039CA6C6725D0A9F31B498354995DE50
2015/04/11 15:48:51| StoreEntry->next: 0
2015/04/11 15:48:51| StoreEntry->mem_obj: 0x21ecd40
2015/04/11 15:48:51| StoreEntry->timestamp: -1
2015/04/11 15:48:51| StoreEntry->lastref: 1428763731
2015/04/11 15:48:51| StoreEntry->expires: -1
2015/04/11 15:48:51| StoreEntry->lastmod: -1
2015/04/11 15:48:51| StoreEntry->swap_file_sz: 0
2015/04/11 15:48:51| StoreEntry->refcount: 1
2015/04/11 15:48:51| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/04/11 15:48:51| StoreEntry->swap_dirn: -1
2015/04/11 15:48:51| StoreEntry->swap_filen: -1
2015/04/11 15:48:51| StoreEntry->lock_count: 2
2015/04/11 15:48:51| StoreEntry->mem_status: 0
2015/04/11 15:48:51| StoreEntry->ping_status: 2
2015/04/11 15:48:51| StoreEntry->store_status: 1
2015/04/11 15:48:51| StoreEntry->swap_status: 0
2015/04/11 15:49:55| Could not parse headers from on disk object
2015/04/11 20:10:06| BUG 3279: HTTP reply without Date:
2015/04/11 20:10:06| StoreEntry->key: 8749EF6C14DB515AA7E09A4ED2019298
2015/04/11 20:10:06| StoreEntry->next: 0
2015/04/11 20:10:06| StoreEntry->mem_obj: 0x224f3f0
2015/04/11 20:10:06| StoreEntry->timestamp: -1
2015/04/11 20:10:06| StoreEntry->lastref: 1428779406
2015/04/11 20:10:06| StoreEntry->expires: -1
2015/04/11 20:10:06| StoreEntry->lastmod: -1
2015/04/11 20:10:06| StoreEntry->swap_file_sz: 0
2015/04/11 20:10:06| StoreEntry->refcount: 1
2015/04/11 20:10:06| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/04/11 20:10:06| StoreEntry->swap_dirn: -1
2015/04/11 20:10:06| StoreEntry->swap_filen: -1
2015/04/11 20:10:06| StoreEntry->lock_count: 2
2015/04/11 20:10:06| StoreEntry->mem_status: 0
2015/04/11 20:10:06| StoreEntry->ping_status: 2
2015/04/11 20:10:06| StoreEntry->store_status: 1
2015/04/11 20:10:06| StoreEntry->swap_status: 0
2015/04/12 03:54:21| Could not parse headers from on disk object
2015/04/12 03:54:21| BUG 3279: HTTP reply without Date:
2015/04/12 03:54:21| StoreEntry->key: 2664F79F89A842E097DCD721C4417644
2015/04/12 03:54:21| StoreEntry->next: 0
2015/04/12 03:54:21| StoreEntry->mem_obj: 0x23686e0
2015/04/12 03:54:21| StoreEntry->timestamp: -1
2015/04/12 03:54:21| StoreEntry->lastref: 1428807261
2015/04/12 03:54:21| StoreEntry->expires: -1
2015/04/12 03:54:21| StoreEntry->lastmod: -1
2015/04/12 03:54:21| StoreEntry->swap_file_sz: 0
2015/04/12 03:54:21| StoreEntry->refcount: 1
2015/04/12 03:54:21| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/04/12 03:54:21| StoreEntry->swap_dirn: -1
2015/04/12 03:54:21| StoreEntry->swap_filen: -1
2015/04/12 03:54:21| StoreEntry->lock_count: 2
2015/04/12 03:54:21| StoreEntry->mem_status: 0
2015/04/12 03:54:21| StoreEntry->ping_status: 2
2015/04/12 03:54:21| StoreEntry->store_status: 1
2015/04/12 03:54:21| StoreEntry->swap_status: 0
2015/04/12 03:55:24| Could not parse headers from on disk object
2015/04/12 03:56:24| StoreEntry->swap_status: 0
2015/04/12 03:56:24| assertion failed: store.cc:1885: "isEmpty()"

Thank you
Monah
Farci, Anatole V | 12 Apr 06:41 2015

T3/T3S Protocol

Hi,

I have a JavaClient that uses T3S:443 to connect to Oracle's WLS application server. WLS is in DMZ and I have
Squid proxy between the DMZ and our Intranet (in its own DMZ) to fwd all requests to WLS. The ports (443) is
open since the browsers can talk to the WLS but it appears that the T3S is not going thru the proxy. I have
searched to see what I can add to allow this T3 (RMI protocol) to go thru and our Squid configuration is very
simple and have a whitelist and allows all traffic on port 80 and 443 to go thru.

On the client side, I get this error:
javax.naming.CommunicationException [Root exception is java.net.ConnectException:
t3s://xxxx.yyy.intel.com:443: Destination xxx.yyy.zzz.www, 443 unreachable; nested exception is:
        java.net.ConnectException: Connection timed out: connect; No available router to destination]

In the Squid access.log, where <dns> and <fqdn> are the correct values (using a browser, I can reach
the WLS with either of them using HTTPS:443):
1428776399.835  27238 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776414.999  15117 10.254.98.83 TCP_MISS/200 2199 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776430.068  27768 10.254.98.83 TCP_MISS/200 9658 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776445.200  15085 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776460.396  15118 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776480.270  15211 10.254.98.83 TCP_MISS/200 9722 CONNECT <FQDN>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776495.293  27207 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -

Store.log has this one entry only:
1428773672.888 RELEASE -1 FFFFFFFF 93F32BC091B147DF27B4355731396BC9  200 1428770072 1428770072 1428773672 application/cache-digest 144/144 GET internal://proxy..intel.com/squid-internal-periodic/store_digest

and the squid config looks like this:
visible_hostname proxy.intel.com
http_port 912

logfile_rotate 30
cache_access_log C:/squid/var/logs/access.log

acl all src 0.0.0.0/0.0.0.0
acl whitelist dstdomain .intel.com
acl http proto http t3
acl port_80 port 80
acl port_443 port 443
acl port_23791 port 23791
acl CONNECT method CONNECT

# rules allowing non-authenticated users
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
http_access allow CONNECT port_23791 whitelist

I've tested that the ACL is open from the squid DMZ to WLS DMZ but running the JavaClient on the Squid server.

Any help is appreciated.

Thanks

Anatole

Anatole V. Farci
Product Development IT (PDIT) - Integrated Lifecycle Solutions (ILS)
503-696-2917
Mobile # available on outlook

jimdo x | 12 Apr 06:02 2015

Problem with squid3

Hi,

I'm using squid3 on Ubuntu.
It's very good and stable.

But one question: when using WeChat on Windows Phone, it connects to mmsns.qpic.cn to retrieve pictures, and that works. On iOS, it tries to connect to the IP address 203.213.33.75 to retrieve pictures; squid returns a 400 error, and on the iOS client side nothing comes up.

I tried to tune squid, but still no luck.

Any help will be appreciated.

Thank you very much!!!
mattatrmc | 12 Apr 00:11 2015

Specify sslproxy_cipher for one site

I've been troubleshooting a site that I haven't been able to load using the
squid proxy.  Based on the information provided I was able to determine it
was an issue with the cipher that the proxy was trying to use.

When I add sslproxy_cipher RCA-MD5 it allows the site to open.  

Now my concern is that since this isn't a secure encryption option I would
only like to make it available for the one site, however I can't seem to
figure out how to do it with acl rules.  Is it possible to do, or do I have
to leave it open for everyone?

Thanks

Matt

Ashish Patil | 10 Apr 16:22 2015

Peek and Splice for websites using HSTS

Hello,

I am trying to set up Peek and Splice using Squid 3.5.3. I'm facing issues setting it up for websites that have HSTS enabled, like google.com and twitter.com.

My squid.conf is:
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl/myCA.pem
acl step3 at_step SslBump3
acl sslBumpAllowedDstDomain dstdomain google.co.in
ssl_bump peek step3 all
ssl_bump splice sslBumpAllowedDstDomain
ssl_bump bump all


The output of access.log is:
1428674512.281    511 192.168.3.31 TCP_MISS/301 634 GET http://google.co.in/ - ORIGINAL_DST/173.194.117.23 text/html
1428674512.703    348 192.168.3.31 TCP_MISS/302 1106 GET http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24 text/html
1428674512.706      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674512.711      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674515.883      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.956      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.965      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674516.006      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.310      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.327      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.335      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.411      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -


Any input would be welcome.

Fiorenza Meini | 10 Apr 15:51 2015

Client delay pools ...doesn't work

Hi,
I'm testing the client_delay_pool functionality on a 3.4 squid release.
It seems that it isn't working: in my browser I receive the error that the
proxy isn't reachable, and in the log file I can't see anything useful.

Has anyone configured this functionality successfully ?

Regards

Fiorenza Meini
--

-- 
Spazio Web S.r.l.
V. Dante, 10
13900 Biella
Tel.: +39 015 2431982
Fax.: +39 015 2522600
Numero d'Iscrizione al Registro Imprese presso CCIAA Biella, Cod.Fisc.e 
P.Iva: 02414430021
Iscriz. REA: BI - 188936 Cap. Soc.: €. 30.000 i.v.
Tom Tom | 10 Apr 11:06 2015

Stats about used acl/http_access-directives?

Hi

Is there a way to get stats about matching http_access/acl-directives
in recent squid-versions?

In a way like "http_access allow localhost" matched 1 time, 2 times,
n times. It would be interesting to see which
acl/http_access directives are used and which ones are configured but
not used.

I searched within squidclient, but didn't find something like this.

Kind regards,
Tom
Fiorenza Meini | 10 Apr 10:48 2015

ACL to block installation program

Hi,
is there a way to filter and block update programs which come from the
Internet, for example Java update or Windows update, without using the
URL of the web site, but working with header/MIME types?

Thanks and regards

Fiorenza Meini
--

-- 
Spazio Web S.r.l.
V. Dante, 10
13900 Biella
Tel.: +39 015 2431982
Fax.: +39 015 2522600
Numero d'Iscrizione al Registro Imprese presso CCIAA Biella, Cod.Fisc.e 
P.Iva: 02414430021
Iscriz. REA: BI - 188936 Cap. Soc.: €. 30.000 i.v.
Henri Wahl | 9 Apr 08:47 2015

State of www1.ngtech.co.il


Hi list,
does anybody know what is the matter with www1.ngtech.co.il? This is
the source for RPM packages of squid but it seems to be dried up for
some days now.
Regards

-- 
Henri Wahl

IT Department
Leibniz-Institut fuer Festkoerper- u.
Werkstoffforschung Dresden

tel: +49 (3 51) 46 59 - 797
email: h.wahl <at> ifw-dresden.de
https://www.ifw-dresden.de

Nagios status monitor Nagstamon: https://nagstamon.ifw-dresden.de

DHCPv6 server dhcpy6d: https://dhcpy6d.ifw-dresden.de

S/MIME: https://nagstamon.ifw-dresden.de/pubkeys/smime.pem
PGP: https://nagstamon.ifw-dresden.de/pubkeys/pgp.asc

IFW Dresden e.V., Helmholtzstrasse 20, D-01069 Dresden
VR Dresden Nr. 1369
Vorstand: Prof. Dr. Manfred Hennecke, Kaufmännische Direktorin i. V.
Dipl.-Kffr. Friederike Jaeger
