Alberto Klocker | 13 Nov 04:11 2014

mgr:info question

Looking at the squidclient mgr:info command output I was wondering what the difference between these two entries is?

Cache information for squid:
        Hits as % of all requests:      5min: 0.7%, 60min: 0.3%
        Hits as % of bytes sent:        5min: 51.3%, 60min: 25.5%


I can guess the first one means all requests but I'm stumped on the wording of the second entry.
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
andrew williams | 13 Nov 02:07 2014

Squid not using all cache_mem/ Increase TCP_MEM_HIT squid 2.6

Hi,
I'm getting what I think is too low of a MEM_HIT ratio. I would like squid to use all of the cache_mem, thus increasing MEM_HIT?

Cache information for squid:
Request Hit Ratios: 5min: 83.2%, 60min: 81.7%
Byte Hit Ratios: 5min: 85.6%, 60min: 69.4%
Request Memory Hit Ratios: 5min: 31.0%, 60min: 33.5%
Request Disk Hit Ratios: 5min: 41.9%, 60min: 40.5%
Storage Swap size: 13824000 KB
Storage Mem size: 401884 KB
Mean Object Size: 61.24 KB
Requests given to unlinkd: 0

Memory usage for squid via mallinfo():
Total space in arena:  583740 KB
Ordinary blocks:       580311 KB  51632 blks
Small blocks:               0 KB      0 blks
Holding blocks:          4588 KB      3 blks
Free Small blocks:          0 KB
Free Ordinary blocks:    3428 KB
Total in use:          584899 KB 99%
Total free:              3428 KB 1%
Total size:            588328 KB
Memory accounted for:
Total accounted:       517938 KB
memPoolAlloc calls: 604503322
memPoolFree calls: 602248266

Config:
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 15000 16 256
cache_mem 4096 MB



Why is squid not using all 4096 MB allocated? It's only using 590MB according to mgr:info.
Is there something extra I need to do?  To me the HIT rate is reasonable... the hits are just not coming from memory

Thanks!




Jason Haar | 12 Nov 23:55 2014

https://www.bnz.co.nz/?

Hi there

I just found I cannot connect to https://www.bnz.co.nz/ using curl on
Ubuntu (7.35 compiled against openssl-1.0.1f), whereas
https://www.kiwibank.co.nz/ works fine. I first thought it was due to my
messing around with ssl-bump, but it happens when I don't go through
squid too

I have a CentOS-6 server with curl-7.19 (compiled against 1.0.1e) and it
works fine. The same happens with "openssl s_client": it works on CentOS
but not on Ubuntu - so I think it's the root cause (unless I call it
with either "-ssl3" or "-tls1" - explicitly asking for protocols seems
to get around the issue with 1.0.1f). It looks like www.bnz.co.nz
doesn't negotiate SSL/TLS correctly?

Any SSL guru out there willing to explain why newer command line tools
don't like www.bnz.co.nz (whereas browsers do - but I hear it's because
they "double try" in certain error conditions and basically work around
this kind of issue)?

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

santosh | 12 Nov 20:27 2014

Forceful Reauthentication

Hello Team,

I'm trying to reauthenticate the user once he visits google as per this url
https://workaround.org/squid-acls but it doesn't seem to reprompt the
credentials when I access google. Below are my rules, let me know where
I'm going wrong.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# contains acl to block sites
acl bad_url url_regex "/etc/squid3/badsites.conf"

auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h example.com
acl ldapauth proxy_auth REQUIRED
acl reauth dstdomain .google.co.in
http_access deny bad_url
http_access allow ldapauth
http_access deny  reauth ldapauth
http_access deny all
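
How top-to-bottom, first-match evaluation of http_access treats the rules posted above, as an added example: a simplified Python model, not Squid code and not part of the original message. The REORDERED list, the sample requests and the bad_url pattern are assumptions made for the illustration.

```python
import re

# Simplified model of http_access evaluation (added example, not Squid code).
# Assumed semantics: rules are tried top to bottom, ACLs on a line left to
# right, the first fully matching rule decides, and a proxy_auth ACL that is
# reached without credentials (or that ends a matching deny rule) yields 407.

# ACL definitions from the posted config. The bad_url pattern is constructed,
# because the contents of badsites.conf are not shown in the post.
ACLS = {
    "bad_url": ("url_regex", [r"badsite\.example"]),
    "ldapauth": ("proxy_auth", None),
    "reauth": ("dstdomain", [".google.co.in"]),
    "all": ("all", None),
}

POSTED = [
    ("deny", ["bad_url"]),
    ("allow", ["ldapauth"]),
    ("deny", ["reauth", "ldapauth"]),
    ("deny", ["all"]),
]
# Hypothetical variant for comparison: the reauth rule moved above the allow.
REORDERED = [POSTED[0], POSTED[2], POSTED[1], POSTED[3]]


def dstdomain_match(pattern, host):
    """A leading dot matches the domain itself and every subdomain."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "url_regex":
        return any(re.search(p, req["url"]) for p in arg)
    if kind == "dstdomain":
        return any(dstdomain_match(p, req["host"]) for p in arg)
    if kind == "proxy_auth":
        return req["user"] is not None
    return True  # "all"


def evaluate(rules, req):
    """Return (verdict, 1-based index of the deciding rule)."""
    for idx, (action, names) in enumerate(rules, 1):
        for name in names:
            if ACLS[name][0] == "proxy_auth" and req["user"] is None:
                return ("407", idx)  # credentials needed to test this ACL
            if not acl_matches(name, req):
                break
        else:  # every ACL on the line matched
            if action == "allow":
                return ("allow", idx)
            ends_in_auth = ACLS[names[-1]][0] == "proxy_auth"
            return ("407" if ends_in_auth else "403", idx)
    return ("403", None)


def deciding_rules(rules, requests):
    """Indices of rules that decide at least one of the sample requests."""
    return {evaluate(rules, r)[1] for r in requests}


# Constructed sample requests.
SAMPLES = [
    {"user": "alice", "host": "www.google.co.in", "url": "http://www.google.co.in/"},
    {"user": None, "host": "www.google.co.in", "url": "http://www.google.co.in/"},
    {"user": "alice", "host": "example.org", "url": "http://example.org/"},
    {"user": "alice", "host": "badsite.example", "url": "http://badsite.example/"},
]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for req in SAMPLES:
            print(name, req["host"], req["user"], evaluate(rules, req))
```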

Lorenzo Gollinelli | 12 Nov 17:47 2014

Squid 3.4.6 POST upload problem

Hello, 

we have squid 3.4.6 talking to websense over icap. 
We have problems in uploading files larger than 55 kB.

this is the icap.log when file is correctly uploaded (<55kB):

1415810436.490      0 192.168.x.x TAG_NONE/000 0 POST http://www.csm-testcenter.org/test DOMAIN/user HIER_NONE/- -

this is the icap.log when file upload hangs:

1415810513.657      0 192.168.x.x TCP_MISS/000 0 POST http://www.csm-testcenter.org/test DOMAIN/user HIER_DIRECT/85.214.28.69 -

It looks like there is something somewhere that behaves differently according to the uploaded file size.
We only use cache_mem (no disk), 5 workers, and kerberos/ntlm authentication (bypassed without luck).

Any idea?

Thanks

Ahmed Allzaeem | 12 Nov 23:55 2014

cache peer problem with two squid one Tproxy --->normal Proxy

Hi all

I have two proxies

1(tproxy) and configured it to get from another normal proxy

So, my topology is as below

Tproxy- listen on 6000----------------->normal proxy listen 3127

The problem is done on the normal proxy, I don't see hit or access logs but I can see logs as below:

2014/11/12 15:17:25 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: 108.61.172.74
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Via: 1.1 localhost.localdomain (squid/3.4.3)
X-Forwarded-For: 176.58.67.238
Cache-Control: max-age=259200
Connection: keep-alive

2014/11/12 15:17:25 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: 108.61.172.74
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Via: 1.1 localhost.localdomain (squid/3.4.3)
X-Forwarded-For: 176.58.67.238
Cache-Control: max-age=259200
Connection: keep-alive

As we see, the request reaches from the tproxy to the normal proxy, but is not processed well @ the normal proxy.

Here is the config file for the tproxy for the cache peer:

cache_peer xxxxxx  parent 3127 0 default

On the normal proxy, I have allowed the IP of the tproxy there, and here is the squid.conf file:

[root@localhost ~]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 77.221.96.0/19 176.58.67.238/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3127

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
[root@localhost ~]#

 

 

 

 

Squid is 3.4.3 on both squid machines and here are the compilation options:

# squid -v
Squid Cache: Version 3.4.3

configure options:  '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--enable-cachemgr-hostname=drx' '--localstatedir=/var' '--libexecdir=/lib/squid' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072' '--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' '--enable-ltdl-convenience'

 

 

 

wish to help

regards

Hussam Al-Tayeb | 12 Nov 12:17 2014

Cannot purge items that are not upstream anymore

Hello. I have a problem with 'squidclient -m PURGE' and also the purge 
command.
They won't purge urls from disk that are not available online anymore or 
redirect to other links.

For example, 
http://static.firedrive.com/dynamic/previews/75/27577be2d6d86af20265734b64e8d563.jpg
which corresponds to /home/squid/00/BB/0000BBC0

Even "purge -e "static.firedrive.com" -c /etc/squid/squid.conf -P  0x01" reads 
it but will not really remove it from disk.
Are such files stuck on disk forever?
What would be the correct way to clear them?

Rafael Akchurin | 12 Nov 10:36 2014

Troubles compiling latest Squid 3.5 on Windows 7 with Cygwin

Hello all,

I am struggling to compile Squid 3.5 on windows 7 x64 using latest Cygwin. 

During configuration (./configure --disable-wccp --disable-wccpv2)
The following error occurs:

checking for ldap.h... (cached) yes
checking winldap.h usability... no
checking winldap.h presence... yes
configure: WARNING: winldap.h: present but cannot be compiled
configure: WARNING: winldap.h: check for missing prerequisite headers?
configure: WARNING: winldap.h: see the Autoconf documentation
configure: WARNING: winldap.h: section "Present But Cannot Be Compiled"
configure: WARNING: winldap.h: proceeding with the compiler's result
configure: WARNING: ## ------------------------------------------- ##
configure: WARNING: ## Report this to http://bugs.squid-cache.org/ ##
configure: WARNING: ## ------------------------------------------- ##
checking for winldap.h... no
checking w32api/windows.h usability... yes

Similar with mswsock:

checking mswsock.h usability... no
checking mswsock.h presence... yes
configure: WARNING: mswsock.h: present but cannot be compiled
configure: WARNING: mswsock.h: check for missing prerequisite headers?
configure: WARNING: mswsock.h: see the Autoconf documentation
configure: WARNING: mswsock.h: section "Present But Cannot Be Compiled"
configure: WARNING: mswsock.h: proceeding with the compiler's result
configure: WARNING: ## ------------------------------------------- ##
configure: WARNING: ## Report this to http://bugs.squid-cache.org/ ##
configure: WARNING: ## ------------------------------------------- ##
checking for mswsock.h... no

If I run "make" after that it fails at start:

Making all in compat
make[1]: Entering directory '/usr/src/squid-3.5.0.1/compat'
/bin/sh ../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H   -I.. -I../include
-I../lib -I../src -I../include     -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow
-Werror -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT assert.lo -MD -MP -MF .deps/assert.Tpo
-c -o assert.lo assert.cc
libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -g -O2
-march=native -std=c++11 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -DDLL_EXPORT
-DPIC -o .libs/assert.o
In file included from /usr/include/w32api/winsock2.h:56:0,
                 from /usr/include/w32api/ws2spi.h:13,
                 from ../compat/os/mswindows.h:306,
                 from ../compat/compat.h:73,
                 from ../include/squid.h:43,
                 from assert.cc:9:
/usr/include/w32api/psdk_inc/_fd_types.h:100:2: error: #warning "fd_set and associated macros
have been defined in sys/types.      This can cause runtime problems with W32 sockets" [-Werror=cpp]
 #warning "fd_set and associated macros have been defined in sys/types.  \
  ^
In file included from ../compat/compat.h:73:0,
                 from ../include/squid.h:43,
                 from assert.cc:9:
../compat/os/mswindows.h:417:0: error: "FOPEN" redefined [-Werror]
 #define FOPEN           0x01    /* file handle open */
 ^
In file included from /usr/include/sys/fcntl.h:3:0,
                 from /usr/include/fcntl.h:14,
                 from ../compat/os/mswindows.h:41,
                 from ../compat/compat.h:73,
                 from ../include/squid.h:43,
                 from assert.cc:9:
/usr/include/sys/_default_fcntl.h:98:0: note: this is the location of the previous definition
 #define FOPEN  _FOPEN
 ^
In file included from /usr/include/w32api/ws2spi.h:13:0,
                 from ../compat/os/mswindows.h:306,
                 from ../compat/compat.h:73,
                 from ../include/squid.h:43,
                 from assert.cc:9:
/usr/include/w32api/winsock2.h:995:123: error: declaration of C function 'int select(int,
_types_fd_set*, _types_fd_set*, _types_fd_set*, PTIMEVAL)' conflicts with
   WINSOCK_API_LINKAGE int WSAAPI select(int nfds,fd_set *readfds,fd_set *writefds,fd_set
*exceptfds,const PTIMEVAL
timeout);
                                                                                                                           ^
In file included from ../compat/types.h:41:0,
                 from ../compat/compat.h:59,
                 from ../include/squid.h:43,
                 from assert.cc:9:
/usr/include/sys/select.h:31:5: error: previous declaration 'int select(int, _types_fd_set*,
_types_fd_set*, _types_fd_set*, timeval*)' here
 int select __P ((int __n, fd_set *__readfds, fd_set *__writefds,
     ^
In file included from ../compat/compat.h:73:0,
                 from ../include/squid.h:43,
                 from assert.cc:9:

Is this a known issue or am I doing something wrong?
Please note the same commands compile Squid 3.3.8 (from Cygwin) without any problems.

Thank you very much!
Rafael Akchurin
Diladele B.V.

Jason Haar | 12 Nov 05:49 2014

connecting directly to ssl-bump intercept port causes runaway CPU

Hi there

I was reading this list about the issue with google.com and was playing
around - and I used telnet to connect directly to the intercept ssl-bump
port. End result was squid immediately went to 99% CPU, and the
cache.log started reporting

WARNING! Your cache is running out of filedescriptors
WARNING! Your cache is running out of filedescriptors
WARNING! Your cache is running out of filedescriptors

The box staggered to its knees, so I had to kill squid. Restarted it
and everything is fine - until I do that again. If I let the network
redirecting work (ie make outbound port 443 connections), this doesn't
happen - it's only if I directly connect to the intercept port

I have my "http_port intercept" and "https_port intercept" set
identically (except for the ssl stuff of course), and yet if I telnet to
the http_port set to intercept, this does NOT happen - it works fine...

Any ideas where I should look to see what's causing the grief? This is
squid-3.4.9. "127.0.0.1" is in /etc/squid/SSL_noIntercept_sites.txt, but
not the ethernet IP nor hostname of the proxy if that matters.

#egrep '^(https?_port|ssl)|SSL_nonHTTPS|SSL_noInter' /etc/squid/squid.conf
http_port 3128
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert 
capath=/etc/ssl/certs/ generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 intercept
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert 
capath=/etc/ssl/certs/ generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex
"/etc/squid/SSL_noIntercept_sites.txt"
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all
sslproxy_cert_error allow SSL_nonHTTPS_sites
sslproxy_cert_error allow all

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Peter Gross | 11 Nov 19:47 2014

https://www.google.com and squid interception

Hi,
I am a new user of Squid and would first like to thank the developers 
for this excellent software. This is my first post to the mailing list 
... I have been tasked with setting up quite restrictive web access 
control at work. I plan to use an intercepting squid proxy with SSL 
bump. There will also be WCCPv2 to/from a Cisco IOS router. Since this 
is quite a bit of complexity, I thought it prudent to start slowly, in 
steps. So first -- to get my feet wet -- I set up squid (version 3.4.8, 
built using rpmbuild from the src rpm from ngtech) on a home linux 
server (Centos 5.11 -- no Cisco at home) which is also the firewall 
router for my home network. I also decided to start out with plain 
vanilla proxying (no interception -- use browser setting). This worked 
fine. I then tested HTTP interception by changing squid.conf from:
http_port 3128
   -to-
http_port 3128 intercept

and adding the following rule to my shorewall firewall:
REDIRECT:info   loc:192.168.101.9       3128    tcp     http

I wanted to test intercepting just one host before turning it on for all 
hosts and wireless devices in my network.

192.168.101.9 is another Centos PC on my network. Squid is running on 
192.168.101.253.

The interception seemed to work fine ... access.log showed lots of 
successful proxy activity. Then came the problem: going to 
https://www.google.com failed (not every time, but frequently). If I 
turned off the REDIRECT line in the shorewall rules file and restarted 
shorewall, no problem. This seemed very peculiar because no HTTPS 
traffic should be redirected to the proxy. Here are the errors that 
showed up in cache.log when redirection (NAT-ing) was on:

2014/11/11 11:03:42 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on 
local=192.168.101.253:3128 remote=192.168.101.9:34165 FD 11 flags=33: 
(92) Protocol not available

Note that other HTTPS sites worked fine! It appears to be confined to a 
google specific issue.

Thanks for any comments/suggestions you might have,
--peter

Job | 11 Nov 16:06 2014

Problem with Squid 3.4 and transparent SSL proxy

Hello Eliezer,

first of all thank you for your patience and help!
I use these directives in iptables:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128   # for http
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3129  # for https

In a normal http-only transparent proxy everything works fine, but I would like to implement ssl bump for
proxying transparently https connections.

When telnetting 3128 or 3129 mode, from Linux machine shell, it seems that connection fails.
When telnetting 3128 port not in interception mode (for standard http transparent proxying), the socket
opens and stays connected!

The squid.conf section regarding SSL:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all

Thank you again,
Francesco

________________________________________
From: squid-users [squid-users-bounces <at> lists.squid-cache.org] on behalf of Eliezer Croitoru [eliezer <at> ngtech.co.il]
Sent: Tuesday, 11 November 2014 15:31
To: squid-users <at> lists.squid-cache.org
Subject: Re: [squid-users] Problem with Squid 3.4 and transparent SSL proxy


Hey,

Your configuration seems to not include any iptables and other
relevant details.
What are this machine's details?

Eliezer

On 11/11/2014 04:20 PM, Job wrote:
> Hello,
>
> I initialize correctly SSL Bump with Squid 3.4.4, following some
> guides. In iptables I redirect 80 and 443 ports to squid ports.
>
> Squid starts with no error, lines involving SSL bump are the
> following:
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>
> But no request arrives to squid.
>
> If I telnet, from Linux machine, this:
>
> telnet localhost 3128 or telnet localhost 3129, even though the
> socket is open (netstat -avn | grep 3128 and 3129), connection
> closes immediately.
>
> I see no errors in cache.log, access.log and messages.
>
> Thank you
> Francesco
