Gilles Bardouillet | 28 Jan 17:46 2016

Re: ICAP and Allow 204 Header

Sorry for the response form, but I didn't receive Alex's email, so I 
tried below to recompose the thread discussion
> On 01/25/2016 10:28 AM, Gilles Bardouillet wrote:
>
> > I'm using SQUID with CAS ICAP Server but I have one issue :
> > * for some images, squid receive icap error as ICAP_ERR_OTHER
> It may be useful to know more details about that ICAP error. What ICAP
> response, if any, does Squid receive when it generates ICAP_ERR_OTHER?
Here are some details from debug mode :

2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(653) parseMore: have 182 
bytes to parse [FD 32;Rr/w job924]
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(654) parseMore:
ICAP/1.0 200 OK
X-Apparent-Data-Types: JPG
Service: CAS 1.3.1.1(170722)
Service-ID: avscanner
ISTag: "56680096"
Encapsulated: req-body=0
Date: Wed, 09 Dec 2015 10:32:19 GMT

2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(749) parseHeaders: parse 
ICAP headers
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(1079) parseHead: have 182 
head bytes to parse; state: 0
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(1094) parseHead: parse 
success, consume 182 bytes, return true
2015/12/09 11:32:11.786 kid3| 93,3| 
../../../src/base/AsyncJobCalls.h(177) dial: 
Adaptation::Icap::Xaction::noteCommRead threw exception: Invalid ICAP 

L.P.H. van Belle | 28 Jan 14:38 2016

forwarded_for problems log client ip apache 2.4

Hai,

I'm having some trouble getting my client IP (and/or hostname) logged in my Apache webserver.

I do think this is something in my squid setup, but I can find it..

So if anyone can help me out a bit, that would be great.

I've tested with the forwarded_for options and tried all options here.

http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html

I'm using Debian Jessie, Apache 2.4 with mod_remoteip

http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader

My settings for remoteip (and yes, the module is enabled)

a2query -m | grep remote

remoteip (enabled by site administrator)


<IfModule mod_remoteip>
    # for remote proxy setup
    RemoteIPHeader X-Forwarded-For
    # for cluster setup
    #RemoteIPHeader X-Real-IP

    RemoteIPTrustedProxy 127.0.0.1/8
    RemoteIPTrustedProxy 192.168.x.x/24
    RemoteIPTrustedProxy 192.168.x.x/24
    RemoteIPTrustedProxy prxy1.internal.domain.tld
    RemoteIPTrustedProxy prxy2.internal.domain.tld

#original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

</IfModule>

 

 

Any tips on how to debug this? I did find lots of things with Google, but none worked for me.

This is my (sanitized) squid config, default values are not shown.

Any improvement tips are welcome ;-) but my biggest problem now is getting the IP of the client in my webserver logs.

Greetz,

Louis

 

 

# squid 3.5.12 config

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \

    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@REALM \

    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

auth_param negotiate children 50 startup=10 idle=1

auth_param negotiate keep_alive on

 

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \

    -b "ou=domain,dc=internal,dc=domain,dc=tld" \

    -D changed_to_protect_myself@internal.domain.tld -W /etc/squid/private/ldap-bind \

    -f (sAMAccountName=%s) \

    -h dc2.internal.domain.tld \

    -h dc1.internal.domain.tld

auth_param basic children 5 startup=5 idle=1

auth_param basic realm Internet Proxy Autorisation

auth_param basic credentialsttl 2 hours

 

authenticate_cache_garbage_interval 2 hour

authenticate_ttl 2 hour

authenticate_ip_ttl 2 hour

 

# ACCESS CONTROLS

# -----------------------------------------------------------------------------

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

 

## PC Networks

acl localnet src 192.168.XXX.0/24

acl localnet src 10.XXX.0.0/24

acl localnet src 10.XXX.1.0/24

acl localnet src 10.XXX.2.0/24

acl localnet src 10.XXX.3.0/24

acl localnet src 10.XXX.4.0/24

 

## Per location/function networks

acl localnet-funct1 src 192.168.XXX.0/24

acl localnet-funct2 src 10.XXX.0.0/24

acl localnet-funct3 src 10.XXX.1.0/24

acl localnet-funct4 src 10.XXX.2.0/24

acl localnet-funct5 src 10.XXX.3.0/24

acl localnet-funct6 src 10.XXX.4.0/24

acl localnet-funct7 src 10.XXX.210.0/24

acl localnet-funct8 src 172.20.XXX.0/24

 

acl localnet-funct1-server-range src 192.168.XXX.XXX-192.168.XXX.XXX

acl localnet-funct1-mailhopper src 192.168.XXX.XXX

acl localnet-funct1-antivirus src 192.168.XXX.XXX

acl localnet-funct1-xen1 src 192.168.XXX.XXX

acl localnet-funct1-gateway src 192.168.XXX.XXX

acl localnet-funct1-mail1 src 192.168.XXX.XXX

acl localnet-funct1-lin-228 src 192.168.XXX.XXX

acl localnet-funct1-lin-009 src 192.168.XXX.XXX

acl localnet-funct1-monitoring src 192.168.XXX.XXX

acl localnet-funct1-lin-003 src 192.168.XXX.XXX

 

## acl time frames.

acl work-ochtend time MTWHF 08:15-11:59

acl work-pauze time MTWHF 12:00-13:30

acl work-middag time MTWHF 13:31-17:00

acl after-work-hours time MTWHF 17:01-23:59

acl before-work-hours time MTWHF 00:00-08:14

 

######Block Video Streaming##############

acl media rep_mime_type video/flv video/x-flv

acl media rep_mime_type -i ^video/

acl media rep_mime_type -i ^video\/

acl media rep_mime_type ^application/x-shockwave-flash

acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1

acl media rep_mime_type ^application/x-fcs

acl media rep_mime_type ^application/x-mms-framed

acl media rep_mime_type ^video/x-ms-asf

acl media rep_mime_type ^audio/mpeg

acl media rep_mime_type ^audio/x-scpls

acl media rep_mime_type ^video/x-flv

acl media rep_mime_type ^video/mp2t

acl media rep_mime_type ^video/mpeg4

acl media rep_mime_type ms-hdr

acl media rep_mime_type x-fcs

 

acl mediapr urlpath_regex \.flv(\?.*)?$

acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$

acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb|ts|)(\?.*)?$

 

acl whitelistsites url_regex -i "/etc/squid/acl/domain-customer-sites.txt"

acl whitelistsites url_regex -i "/etc/squid/acl/allowed-sites.txt"

acl whitelistdirect url_regex -i "/etc/squid/acl/allowed-direct-sites.txt"

 

acl ads dstdom_regex "/etc/squid/acl/blocked-ads-company.txt"

acl blockedsites dstdom_regex -i "/etc/squid/acl/blocked-sites.txt"

 

acl allow_client_mac arp "/etc/squid/acl/allow-arp-client.txt"

 

acl downloaders rep_mime_type -i ^application/x-nzb$

 

acl lan-domainname dstdomain .internal.domain.tld

acl lan-domainname dstdomain .internal2.domain.tld

acl lan-domainname dstdomain .internal3.domain.tld

acl lan-domainname dstdomain .internal4.domain.tld

acl lan-domainname dstdomain .internal5.domain.tld

acl lan-domainname dstdomain .internal6.domain.tld

acl wan-domainname dstdomain .domain.tld

 

acl windowsupdate dstdomain windowsupdate.microsoft.com

acl windowsupdate dstdomain .update.microsoft.com

acl windowsupdate dstdomain download.windowsupdate.com

acl windowsupdate dstdomain redir.metaservices.microsoft.com

acl windowsupdate dstdomain images.metaservices.microsoft.com

acl windowsupdate dstdomain c.microsoft.com

acl windowsupdate dstdomain www.download.windowsupdate.com

acl windowsupdate dstdomain wustat.windows.com

acl windowsupdate dstdomain crl.microsoft.com

acl windowsupdate dstdomain sls.microsoft.com

acl windowsupdate dstdomain productactivation.one.microsoft.com

acl windowsupdate dstdomain ntservicepack.microsoft.com

acl windowsupdate dstdomain au.download.windowsupdate.com

acl windowsupdate dstdomain ds.download.windowsupdate.com

acl windowsupdate dstdomain ctldl.windowsupdate.com

acl windowsupdate dstdomain .data.microsoft.com

 

acl antivirusupdate dstdomain .trendmicro.com

acl antivirusupdate dstdomain safebrowsing.google.com

acl antivirusupdate dstdomain safebrowsing-cache.google.com

 

acl wuCONNECT dstdomain www.update.microsoft.com

acl wuCONNECT dstdomain sls.microsoft.com

 

## SSL PORTS ( you need to define ssl ports also at Safe_ports )

acl SSL_ports port 443          # https

acl SSL_ports port 631          # cups

acl SSL_ports port 888          # 3dm raid manager

acl SSL_ports port 2812         # Monit

acl SSL_ports port 5225         # HP Toolbox

acl SSL_ports port 8000         # ?

acl SSL_ports port 8080         # ?

acl SSL_ports port 16384-16403  # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)

 

acl Safe_ports port 21          # ftp

acl Safe_ports port 80          # http

acl Safe_ports port 70          # gopher

acl Safe_ports port 443         # https

acl Safe_ports port 210         # wais

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 631         # cups

acl Safe_ports port 667         # darkstat

acl Safe_ports port 777         # multiling http

acl Safe_ports port 888         # 3dm raid manager

acl Safe_ports port 8000        # ?

acl Safe_ports port 8080        # ?

acl Safe_ports port 16384-16403 # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)

#acl Safe_ports port 1025-65535  # unregistered ports

 

acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

 

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

 

http_access deny to_localhost

 

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

 

## BEFORE AUTH : bypass autorisation ( windows updates/antivirus )

http_access allow CONNECT wuCONNECT localnet

http_access allow windowsupdate localnet

http_access allow antivirusupdate localnet

 

## Deny blocked sites first.

http_access deny blockedsites

 

## Deny Ads servers

http_access deny ads

deny_info TCP_RESET ads

 

#### Override rules for internal use

http_access allow localnet-funct1-server-range

http_access allow localnet-funct2

http_access allow lan-domainname localnet

http_access allow wan-domainname localnet

http_access allow whitelistdirect localnet

 

 

###############################################################################

## AUTH HERE

http_access allow authenticated

###############################################################################

 

##########Access Lists VIDEO STREAMS #########

http_access allow mediapr allow_client_mac

http_reply_access allow media allow_client_mac

http_access deny mediapr

http_reply_access deny media

 

################################## other rules.

# whitelisted sites

http_access allow whitelistsites

 

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

 

# And finally deny all other access to this proxy

http_access deny all

 

## iptables port 80 redirect to 3128

http_port 192.168.XXX.XXX:3128 intercept connection-auth=off

## company default port set by GPO (must use hostname.internal.domain.tld for kerberos auth )

http_port 192.168.XXX.XXX:8080

 

cache_mem 65536 MB

maximum_object_size_in_memory 5 MB

 

coredump_dir /var/spool/squid

 

# disable cache_log

cache_log /dev/null

## obligated setting for disableing cache_log

logfile_rotate 0

 

ftp_user anonymousftp@domain.tld

pinger_enable off

 

# OPTIONS FOR TUNING THE CACHE

# -----------------------------------------------------------------------------

#cache deny localnet-funct3

#cache deny localnet-funct2

 

## order is important, first one hit is used.

## windows cache

refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims

refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims

refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims

 

# debian cache

refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0

 

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

 

# range-offset

range_offset_limit 800 MB windowsupdate

range_offset_limit 100 MB antivirusupdate

 

quick_abort_min -1

forward_timeout 1 minutes

connect_timeout 5 seconds

 

cache_mgr webmaster@domain.tld

mail_from prxy1@internal.domain.tld

visible_hostname prxy1.internal.domain.tld

hostname_aliases prxy1.internal.domain.tld

httpd_suppress_version_string on

 

snmp_port 3401

snmp_access allow localnet-funct1-monitoring

snmp_access deny all

snmp_incoming_address 192.168.XXX.XXX

icp_port 3130

htcp_port 4827

udp_incoming_address 192.168.XXX.XXX

error_default_language nl

err_page_stylesheet /etc/squid/errorpage.css

 

always_direct allow CONNECT

 

# ICAP OPTIONS

# -----------------------------------------------------------------------------

## Tested with Squid 3.5.10/3.5.12 squidclamav 6.14

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_persistent_connections on

icap_preview_enable on

icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

adaptation_access service_resp allow all

 

dns_v4_first on

fqdncache_size 2048

memory_pools on

memory_pools_limit 512 MB

 

forwarded_for on

 

refresh_all_ims on

reload_into_ims on

 

workers 8

 

 

_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
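
The mod_remoteip documentation linked in the post above treats RemoteIPTrustedProxy and RemoteIPInternalProxy differently: a private address reported by a trusted proxy is not accepted as the client IP, and a header arriving from a peer on neither list is ignored. The Python model below is an added example (not part of the original post and not Apache's code); it is simplified to CIDR entries, and every address in it is constructed.

```python
"""Simplified model of how mod_remoteip walks X-Forwarded-For (added example)."""
import ipaddress

# Blocks the mod_remoteip documentation names as not accepted from a
# RemoteIPTrustedProxy (a RemoteIPInternalProxy may report them).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
# Assumption of this model: "public" IPv6 means global unicast 2000::/3.
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def _non_public(addr):
    """True for addresses a merely 'trusted' proxy may not vouch for."""
    if addr.version == 4:
        return _in_any(addr, PRIVATE_V4)
    return addr not in PUBLIC_V6


def effective_client_ip(peer_ip, xff, trusted=(), internal=()):
    """Return (client_ip, leftover_hops).

    peer_ip  -- address of the TCP peer (what %h logs without mod_remoteip)
    xff      -- raw X-Forwarded-For value, or None
    trusted  -- CIDRs that would be listed with RemoteIPTrustedProxy
    internal -- CIDRs that would be listed with RemoteIPInternalProxy
    """
    # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted]
    internal = [ipaddress.ip_network(n, strict=False) for n in internal]
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    current = ipaddress.ip_address(peer_ip)

    # Walk the header right to left: each hop is believed only if the
    # address that reported it is itself on one of the proxy lists.
    while hops:
        from_internal = _in_any(current, internal)
        if not from_internal and not _in_any(current, trusted):
            break  # reporter is not a known proxy: ignore what it claims
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        if not from_internal and _non_public(candidate):
            break  # private address vouched for by a non-internal proxy
        hops.pop()
        current = candidate
    return str(current), hops


# Constructed sample values (not taken from the post).
PROXY = "192.168.10.2"
PROXY_NET = ["192.168.10.0/24"]
LAN_CLIENT = "10.1.2.3"


def demo():
    """Run the four cases a proxy/webserver operator would want to compare."""
    return {
        "trusted_proxy_private_client":
            effective_client_ip(PROXY, LAN_CLIENT, trusted=PROXY_NET),
        "internal_proxy_private_client":
            effective_client_ip(PROXY, LAN_CLIENT, internal=PROXY_NET),
        "header_from_unknown_peer":
            effective_client_ip("203.0.113.7", LAN_CLIENT, internal=PROXY_NET),
        "client_supplied_extra_hop":
            effective_client_ip(PROXY, "198.51.100.9, " + LAN_CLIENT,
                                internal=PROXY_NET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the first case the logged address stays the proxy's own, and in the last case the extra hop supplied by the client is left unused because the LAN client is not itself a listed proxy.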
mathew abraham | 27 Jan 17:58 2016

Help - Squid for windows - Configuring upstream proxy with Active Directory authentication details

Hi All,

I am a newbie to squid. I have installed squid 3.5 for Windows on a Windows Server 2012 R2 machine. The idea for this is to act as a proxy which takes requests from Windows clients and forwards them to the Cisco ScanSafe proxy, where the ScanSafe proxies will look at the request and, based on the user's AD group membership, will allow or deny the request.

I managed to configure the upstream but it's not forwarding any AD info, hence every page is allowed.

Could someone help?

We are on Windows Server 2012 R2 environment.

TIA 
Keat Sophea | 27 Jan 09:08 2016

Cache video facebook & content

Dear Sir,

I want to know configuration file on squid proxy & requirement.

Thanks,

Best Regards,

Keat Sophea

Tory M Blue | 27 Jan 01:03 2016

http://bugs.squid-cache.org/show_bug.cgi?id=4223

Can we get an update on the bug mentioned here "http://bugs.squid-cache.org/show_bug.cgi?id=4223"

With this unfixed one can't use siblings with HTCP or anything actually. I should be able to have my origin and a sibling, I should be able to make a request to my sibling for a document and if that fails the request goes to the origin, and not pass back the failure from the sibling.

Just wondered why this bug is allowed to persist?

Thanks
Tory
Panda Admin | 26 Jan 23:59 2016

HTTPS Content Filtering without de-crypting traffic?

Hello,

I am attempting to terminate https traffic based on ACLs using ssl_bumping WITHOUT de-crypting the traffic in intercept/transparent mode. Has anyone got this to work before? I have copied my configuration and what my iptables nat rules look like.

 I am using squid 3.5.13 with the following compile options:
Squid Cache: Version 3.5.12
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--datadir=/share/squid3' '--sysconfdir=/etc/squid3' '--with-default-user=proxy' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-openssl' '-enable-ssl-crtd' '--enable-icap-client' '--with-large-files' --enable-ltdl-convenience

squid.conf:
acl social dstdomain .google.com .facebook.com .reddit.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump stare step2 all
ssl_bump terminate social
acl localnet src 192.168.50.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 transparent
https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
cache_dir ufs /cache/squid3/spool 100 16 256
access_log syslog:local5.info squid
coredump_dir /var/spool/squid3
url_rewrite_program /usr/bin/squidGuard -c /cache/config/daemons/squidguard/squidGuard.conf
url_rewrite_children 15
url_rewrite_access allow all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

iptables -L -v -t nat (only relevant rules):
Chain PREROUTING (policy ACCEPT 1083 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination             
  157  9420 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:https to:192.168.11.1:3129


Chain PREROUTING-daemon-tcp (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  443 26580 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http /* 7:PFD::CF-3128 */ to:192.168.11.1:3128
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere             tcp dpt:http /* 8:PFD::CF-3128 */ to:172.17.0.1:3128


Right now I can't get it to terminate ANY https traffic. All it does is allow it through.  
Any and all help would be greatly appreciated!

~ Extremely Confused Squid User ~
Sebastien.Boulianne | 26 Jan 15:20 2016

Configuring and monitoring Squid using SNMP

Hi all,

I just want to know if there are people who monitor Squid using SNMP.

Does it work fine?

Do you have any issues?

Thanks in advance for your feedback.

Sébastien

 

L.P.H. van Belle | 26 Jan 11:22 2016

Re: How to setup a secure(!) squid proxy

Hai,

OK, good that it's working now, I was pulling my hair out for you ;-)

This : sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control

is not any problem, because squid is reconfigured and recompiled with G++ 4.9.

If you want a more secure set, you can change this to :

sed -i 's/g++ (>= 4:5.2)/g++ (>= 4:4.9)/g' libecap-1.0.1/debian/control

This way it's "locked" to minimal g++ 4.9.

And I can't think of any other restriction.

Maybe Amos knows, but I don't know that.

Greetz.

 

 

 

 

From: startrekfan [mailto:startrekfan75 <at> freenet.de]
Sent: Tuesday, 26 January 2016 10:14
To: L.P.H. van Belle; squid-users <at> lists.squid-cache.org
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Hi,

the script is working and I have a running squid 3.5. Thank you.

But I still think things like this:

echo "change GCC 5.2 to Jessie G++ 4.9 in libecap-1.0.1/debian/control"

sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control

isn't a good practice. I'm pretty sure that the >=5.2 restriction has a purpose and is not only there to annoy admins.

In this case everything seems to work. But modifications like this can always lead to unforeseen situations.

But thank you again. It's working atm :)

L.P.H. van Belle <belle <at> bazuin.nl> wrote on Mon, 25 Jan 2016 at 17:14:


Hai,

OK, I missed a few of the modifications I did; they aren't big changes.
Sorry about that.

This script is tested on a clean Debian jessie, with only ssh installed.
Have a look at the script.

The files with modifications get the extension custom1 so they won't mix up
or mess up original Debian files.
Like :
libecap3_1.0.1-2-custom1_amd64.deb
libecap3-dev_1.0.1-2-custom1_amd64.deb

Files without modifications keep the original Debian name; when updating to a newer Debian dist, it's automatically upgraded.

And again this should work fine, I've been doing this already as of Debian squeeze.
And Debian wheezy was running 3.4.8 for me, my jessie now is running 3.5.12.


Greetz,

Louis




________________________________________
From: startrekfan [mailto:startrekfan75 <at> freenet.de]
Sent: Friday, 22 January 2016 16:15
To: squid-users <at> lists.squid-cache.org; L.P.H. van Belle
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Found the problem:

The dependencies have changed: https://packages.debian.org/sid/squid (not sure why there is also a https://packages.debian.org/sid/squid3 entry)

That's exactly the problem with unstable sources. squid3 3.5 requires libecap3 instead of libecap2 (squid3 version 3.4). I can't install libecap3 because it has further dependencies.
I also can't even compile libecap3 without installing n more dependencies.

So I have to use squid 3.4 with the unsafe sha1 furthermore.

startrekfan <startrekfan75 <at> freenet.de> wrote on Fri, 22 Jan 2016 at 15:45:
I tried to compile squid from sid repo. It fails, but I'm not sure why.

When I only add the src-deb, apt-get build-dep squid3 says libecap3-dev was not found and fails. (I'm not sure why it's needed. libecap3-dev is not listed in the dependencies. https://packages.debian.org/sid/squid3)

When I add deb and deb-src, apt-get build-dep squid3 wants to update/install adwaita-icon that is not compatible with gnome.

So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?
L.P.H. van Belle <belle at bazuin.nl> wrote on Mon, 18 Jan 2016 at 09:07:

> Really this is an easy thing to do.
>
> In your sources.list.d/sid.list, add the sid repo. ( only src-deb )
>
> Run apt-get update.
>
> apt-get source squid
>
> apt-get build-dep squid
>
> Make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it
>
> apt-get source squid -b
>
> It errors, that's OK, get the 2 or 3 extra packages the same way; after
> installing them you can build squid again.
>
> Put the debs in a repo you can access and you're done.
>
> Did it here, works fine.
>
> Greetz,
>
> Louis

Gilles Bardouillet | 26 Jan 10:46 2016

ICAP and Allow 204 Header

Hi,

I'm using SQUID with CAS ICAP Server but I have one issue :

  * for some images, squid receives icap error as ICAP_ERR_OTHER
  * I noticed that for all these errors, Squid doesn't send the HTTP header
    Allows 204
  * I read the code and found the Allow 204 header _is only set when
    preview is enabled_.

My icap conf activated preview and preview size as follows :
icap_preview_enable on
icap_preview_size 1024

I read that the preview size value can be overwritten by OPTIONS 
requests, so can you give me some details in order to find why some pictures 
don't offer preview and then fail ?

Thanks,
Gilles.
startrekfan | 26 Jan 10:13 2016

Re: How to setup a secure(!) squid proxy

Hi,

the script is working and I have a running squid 3.5. Thank you.

But I still think things like this:

echo "change GCC 5.2 to Jessie G++ 4.9 in libecap-1.0.1/debian/control"
sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control

isn't a good practice. I'm pretty sure that the >=5.2 restriction has a purpose and is not only there to annoy admins. In this case everything seems to work. But modifications like this can always lead to unforeseen situations.

But thank you again. It's working atm :)

L.P.H. van Belle <belle <at> bazuin.nl> wrote on Mon, 25 Jan 2016 at 17:14:

Hai,

OK, I missed a few of the modifications I did; they aren't big changes.
Sorry about that.

This script is tested on a clean Debian jessie, with only ssh installed.
Have a look at the script.

The files with modifications get the extension custom1 so they won't mix up
or mess up original Debian files.
Like :
libecap3_1.0.1-2-custom1_amd64.deb
libecap3-dev_1.0.1-2-custom1_amd64.deb

Files without modifications keep the original Debian name; when updating to a newer Debian dist, it's automatically upgraded.

And again this should work fine, I've been doing this already as of Debian squeeze.
And Debian wheezy was running 3.4.8 for me, my jessie now is running 3.5.12.


Greetz,

Louis




________________________________________
From: startrekfan [mailto:startrekfan75 <at> freenet.de]
Sent: Friday, 22 January 2016 16:15
To: squid-users <at> lists.squid-cache.org; L.P.H. van Belle
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Found the problem:

The dependencies have changed: https://packages.debian.org/sid/squid (not sure why there is also a https://packages.debian.org/sid/squid3 entry)

That's exactly the problem with unstable sources. squid3 3.5 requires libecap3 instead of libecap2 (squid3 version 3.4). I can't install libecap3 because it has further dependencies.
I also can't even compile libecap3 without installing n more dependencies.

So I have to use squid 3.4 with the unsafe sha1 furthermore.

startrekfan <startrekfan75 <at> freenet.de> wrote on Fri, 22 Jan 2016 at 15:45:
I tried to compile squid from sid repo. It fails, but I'm not sure why.

When I only add the src-deb, apt-get build-dep squid3 says libecap3-dev was not found and fails. (I'm not sure why it's needed. libecap3-dev is not listed in the dependencies. https://packages.debian.org/sid/squid3)

When I add deb and deb-src, apt-get build-dep squid3 wants to update/install adwaita-icon that is not compatible with gnome.

So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?
L.P.H. van Belle <belle at bazuin.nl> wrote on Mon, 18 Jan 2016 at 09:07:

> Really this is an easy thing to do.
>
> In your sources.list.d/sid.list, add the sid repo. ( only src-deb )
>
> Run apt-get update.
>
> apt-get source squid
>
> apt-get build-dep squid
>
> Make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it
>
> apt-get source squid -b
>
> It errors, that's OK, get the 2 or 3 extra packages the same way; after
> installing them you can build squid again.
>
> Put the debs in a repo you can access and you're done.
>
> Did it here, works fine.
>
> Greetz,
>
> Louis
Gilles Bardouillet | 25 Jan 18:28 2016

ICAP and Allow 204 Header

Hi,

I'm using SQUID with CAS ICAP Server but I have one issue :

  * for some images, squid receives icap error as ICAP_ERR_OTHER
  * I noticed that for all these errors, Squid doesn't send the HTTP header
    Allows 204
  * I read the code and found the Allow 204 header _is only set when
    preview is enabled_.

My icap conf activated preview and preview size as follows :
icap_preview_enable on
icap_preview_size 1024

I read that the preview size value can be overwritten by OPTIONS 
requests, so can you give me some details, hints in order to find why some 
pictures don't offer preview and then fail ?

Thanks,
Gilles.