Jake | 1 Oct 21:15 2015

Transparent proxy with Ubuntu 15.04 and Squid3

I have a Squid/Dansguardian proxy server that successfully works when
the client web browser is manually configured to use the proxy address:port.

What I want to do is configure a transparent proxy server, presuming I
wouldn't have to manually configure browsers.

My LAN environment diagram:

This is a home network environment with a cable modem, wifi router,
client web browsers, and I have added the proxy server as a virtualized
VMware server.

For the proxy server I have two virtual network cards on the same subnet:
eth0 (gateway and the proxy address)

Is it possible the proxy server can intercept traffic from the clients,
when the clients have direct access to the internet router? I don't
understand how traffic is "intercepted" in this diagram.

Do I need to change something on the router?

How do I configure for proxy transparency?

I've read some configurations, but they were confusing, or out of date,
or specialized without much explanation.


Steve Hill | 1 Oct 15:43 2015

ICAP response header ACL

The latest adaptation response headers are available through the 
%adapt::<last_h logformat string, but is there any way to access these 
headers through an ACL?

The documentation says that adaptation headers are available in the 
notes, but this only appears to be headers set with adaptation_meta, not 
the ICAP response headers.  I had also considered using the "note" 
directive to explicitly stuff the headers into the notes, but it looks 
like the note directive doesn't allow you to use format strings (i.e. 
"note icap_headers %adapt::<last_h all" just sets the "icap_headers" 
note to "%adapt::<last_h" rather than substituting the headers.)


  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com


Eliezer Croitoru | 1 Oct 15:21 2015

Basic example for store.log analyzer

I already had a plan to write something like that in the past and I had 
some time so I wrote this store.log tool:

The tool is written in ruby and what it does is "estimating" what is in 
the cache_dir now based on reading the store.log.

Since I have not spent too much time on understanding the store.log but 
I had a basic idea of what's in it, that seems to give some results for now.

The tool gets only one argument, the location of the squid store.log, 
and reads it like the store "journal", which takes the view from nothing to 
what should exist now.
Each line in the store.log represents one operation and it is expected 
to be logged in the order of execution.
Due to this expectation we can predict that if a certain file was 
written to the disk (using SWAPOUT) and until the end of the log (which 
should represent now) it was not reported to be removed (RELEASE) from 
the cache, it is still there, but there is no guarantee that it will be 
used as a cache HIT.

The tool needs more functionality to be more accurate and to display the 
estimated cache_dir size.
For now running the script piping it with "wc -l" (reduce 1 line) will 
give you the result of how many objects you have in all your cache_dir 
on the server from the start time of the store.log.

Any suggestions and requests regarding the tool are welcome.
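
The journal replay described in this post, as an added example that is not Eliezer's tool or part of the original message: it keys each object on its dir-number/file-number slot and also sums the logged body sizes. The store.log field positions it relies on (sizes, method and key as the last three fields) and the sample lines are assumptions constructed for illustration.

```ruby
require "stringio"

# Added example: replay store.log as a journal, from an empty cache to "now".
# Assumed layout: time action dir-number file-number ... sizes method key
# where sizes is "expected-len/real-len" and key is normally the URL.

# Constructed sample lines, in execution order (not taken from a real server).
SAMPLE_STORE_LOG = <<~LOG
  1443700000.101 SWAPOUT 00 00000001 AAAA0000000000000000000000000001 200 1443700000 1443600000 -1 text/html 1200/1200 GET http://example.test/index.html
  1443700001.202 SWAPOUT 00 00000002 AAAA0000000000000000000000000002 200 1443700001 1443600000 -1 image/png 5000/5000 GET http://example.test/logo.png
  1443700002.303 RELEASE -1 FFFFFFFF AAAA0000000000000000000000000003 200 1443700002 -1 -1 text/html 300/300 GET http://example.test/search?q=1
  1443700003.404 RELEASE 00 00000001 AAAA0000000000000000000000000001 200 1443700000 1443600000 -1 text/html 1200/1200 GET http://example.test/index.html
  1443700004.505 SWAPOUT 00 00000001 AAAA0000000000000000000000000004 200 1443700004 1443600000 -1 text/css 800/800 GET http://example.test/site.css
  1443700005.606 SO_FAIL -1 FFFFFFFF AAAA0000000000000000000000000005 200 1443700005 -1 -1 video/mp4 -1/900000 GET http://example.test/big.mp4
  truncated line
LOG

Entry = Struct.new(:time, :bytes, :key)

# Returns { "dir/fileno" => Entry } for objects written and not released since.
def replay_store_log(io)
  on_disk = {}
  io.each_line do |line|
    f = line.split
    next if f.size < 7                      # skip blank or truncated lines
    time, action, dir, fileno = f[0, 4]
    next if dir == "-1"                     # memory-only object, no disk slot
    slot = "#{dir}/#{fileno}"
    case action
    when "SWAPOUT"
      real_len = f[-3].split("/").last.to_i # sizes field: expected/real
      on_disk[slot] = Entry.new(time.to_f, real_len, f[-1])
    when "RELEASE"
      on_disk.delete(slot)                  # slot freed; object gone from disk
    end
  end
  on_disk
end

# Summarises the replay: object count, summed body bytes, surviving keys.
def estimate(io)
  objects = replay_store_log(io)
  { count: objects.size, bytes: objects.values.sum(&:bytes), keys: objects.values.map(&:key).sort }
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.open(ARGV[0]) : StringIO.new(SAMPLE_STORE_LOG)
  puts estimate(source)
end
```

The byte total counts logged body lengths only, so it undercounts real cache_dir usage (swap metadata and filesystem block rounding are not included).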


S.Kirschner | 1 Oct 13:25 2015

Re: Install squid problems

I think the easiest way for you is to install squid3 via apt-get install.

It isn't version 3.5.9 but 3.5.8.

Best Regards

Job | 1 Oct 13:26 2015

SSL Peek and Splice


By reading the 3.5 Squid version "Peek and splice" features:

I would like to ask you two questions, please:

1. In this implementation, do I have to install the self-made Certification Authority as for SSL Bump?
2. How can I block a domain (dstdomain with squid) with Peek and Splice? It seems not possible by reading the document.

Thank you for your patience and many thanks!

Sebastian Kirschner | 1 Oct 12:54 2015

Squid ignores crlfile options


I'm using squid (3.5.9) as a transparent https proxy with build options (see below) and config (see below; I
removed some uninteresting things from the config, like caching).

To make the system more secure I would like to add crl checking (static at the moment, later maybe dynamic if
it's possible with my skills :-) ) and ocsp (later).
I'm using the site https://revoked.grc.com/ to test my config.
To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl.
I converted the format of the crl from DER to pem and inserted it into my squid.conf: "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".

I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.

But why does squid seem to ignore the crlfile option / file?
I also tested using the crl in DER format but it still wouldn't work; I didn't even see an error in the log
when the file isn't available.

2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1684) doCallouts: Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1691) doCallouts: Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.017 kid1| 83,3| client_side_request.cc(1712) doCallouts: Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1720) doCallouts: Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1739) doCallouts: Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1748) doCallouts: Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1528) sslBumpNeed: sslBump required: peek
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1830) doCallouts: calling processRequest()
2015/10/01 12:40:45.025 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 104(6000, 0x7fffffffe51c)
2015/10/01 12:40:45.026 kid1| 83,5| client_side.cc(4267) clientPeekAndSpliceSSL: Start peek and splice on FD 10

birbird | 1 Oct 11:41 2015

Can not pass Squid basic authentication

Hi All,

I have set up basic authentication for Squid, but I cannot get past it from the browser; I am just asked to input user/password time and time again.

I was stuck at the command
/usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
which does not give any output. I think it means squid cannot get the authentication info. But I have no idea what to do next.

I create my password by
htpasswd -d /etc/squid/squid_passwd dan

My squid config is
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Could anyone please tell me what's wrong with this?
Any help will be highly appreciated!

Magic Link | 30 Sep 21:35 2015

squid cache


I configured squid to use cache. It seems to work because when I tried a software download, the second download is TCP_HIT in the access.log.
The question I have is: why can't the majority of requests be cached (I have a lot of tcp_miss/200)? I found that dynamic content is not cached but I don't understand very well.

So finally what does this configuration do?
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Do I have to increase "refresh_pattern -i (/cgi-bin/|\?) 0 0% 0" to take effect?

Thank you very much.

HackXBack | 30 Sep 12:09 2015

remove old data manually

By default squid removes old data by this directive
cache_swap_low 90
cache_swap_high 95

The question now: how can I remove this data manually?

Marcio Demetrio Bacci | 30 Sep 01:35 2015

Problems with Squid3 Authentication

I have configured a Squid 3 proxy server on Debian 7, integrated with a Samba 4 domain.

For Windows machines integrated in the domain, Squid uses the network user credential to allow navigation.

On Linux stations, even in the domain, when the browser is opened, the user's password is requested. When the user types the correct password the first time, access is allowed. However, if the user gets the password wrong, a new authentication is required. That is where the problem starts. Even if the user enters the correct password, a box asking for the username and password appears again. At this point it is no longer possible to authenticate to the proxy. It is as if the user had entered the wrong password. For it to work, the user needs to log out and log on again and enter the correct password the first time in the browser.

Does anyone have an idea what it can be?

This is my squid.conf

### Basic settings
http_port 3128

#hierarchy_stoplist cgi-bin ?

### Block caching of CGIs
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
cache_mem 60 MB

#So as not to block downloads
quick_abort_min -1 KB

detect_broken_pconn on

pipeline_prefetch on

fqdncache_size 1024

### Cache refresh parameters
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
refresh_pattern .        0    20%    4320

### Cache parameters for RAM and disk
cache_swap_low 90
cache_swap_high 95

### Log locations
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log

### sets the disk cache location, size, and number of parent directories and subdirectories
cache_dir aufs /var/spool/squid3 600 16 256

#Log file control
logfile_rotate 10

hosts_file /etc/hosts

#Allow access to the Caixa site
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa

### Authenticate against AD via Winbind

# for users logged in on Windows machines, reuse the logon password
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

#auth_param ntlm keep_alive on

# for non-Windows clients, the user/password must be requested
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm "Acesso Monitorado"
auth_param basic credentialsttl 2 hours

external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl

### ACLs

#acl manager proto cache_object
acl localhost src
acl SSL_ports port 22 443 563     # https, snews
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 3001        # Imprensa Nacional

acl purge method PURGE

### Initial Squid rules

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#acl manager proto cache_object

acl connect_abertas maxconn 8

# ACLs tied to authentication
acl grupo_admins external ad_group gg_webadmins
acl grupo_liberado external ad_group gg_webliberados
acl grupo_restrito external ad_group gg_webcontrolados

### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"

### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"

### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"

### Block by keyword
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"

### Require authentication
acl autenticados proxy_auth REQUIRED

#allow the internet group
http_access allow grupo_admins

http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas

##### Allow access for the managers group
http_access allow grupo_liberado

### Allow social media and music during lunch hours
acl almoco time 11:30-13:30
http_access allow almoco

#block social media during working hours
acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
http_access deny social_proibido

# Rule to block online radio extensions / streaming files:
acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"

#acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
http_access deny proibir_musica
http_reply_access deny streaming

### Bandwidth control
### There is only one pool (1)
delay_pools 1
### pool number (1) and class type (2): total available bandwidth and total bandwidth per user
delay_class 1 2

### approx. 32 Mbps for everyone and 500 Kbps for each user
delay_parameters 1 4194304/4194304 64000/64000
delay_access 1 allow grupo_restrito

http_access allow grupo_restrito

#allow access for all authenticated users
#http_access deny !autenticados
http_access allow autenticados

### Local network #####
acl rede_local src

### Deny access to anyone not on the local network
http_access deny !rede_local

#deny access to everyone not matched by the previous rules
http_access deny all

visible_hostname proxy.empresa.com.br

### Errors in Portuguese
error_directory /usr/share/squid3/errors/Portuguese

#cache_effective_user proxy
coredump_dir /var/spool/squid3

N V | 29 Sep 16:31 2015

warning store.cc

I'm using squid 3.4.8 and I'm seeing many warnings in the cache.log like this:

kid1| WARNING: store.cc:601: found KEY_PRIVATE

I can't find anything similar on the web. Any ideas?

Thanks in advance!
