James Harper | 11 Jul 13:43 2014

transparent HTTPS interception without MITM

Is it possible for Squid to intercept and apply ACLs to HTTPS without actually decrypting and generating
certificates, etc.? The conversation would go something like:

. Client makes connection to IP 1.2.3.4
. Squid intercepts the connection (but doesn't respond yet)
. Squid connects to 1.2.3.4 to obtain the hostname (CN or other identifier) of the certificate [1]
. Squid applies ACL rules to the hostname [2]
. If the ACL results in a deny then the client connection is dropped [3]
. If the ACL results in an allow then a new connection is made to 1.2.3.4 and squid just blindly proxies the
TCP connection

[1] I believe certificates can be valid for multiple hostnames, and wildcards, so this would have to be
taken into account
[2] the stream is encrypted, so obviously there is no access to the URL etc.
[3] dropped, because there isn't much else you can do with it, although maybe at this point a fake cert could
be used to supply an "access denied" page?

The main thing I would find this useful for is simply for logging.

I've checked the docs but https_port appears to require a certificate, which isn't what I want.

Thanks

James

masterx81 | 11 Jul 12:53 2014

Basic LDAP on 2008 R2, groups and refresh time

Hi!
I've configured squid version 3.HEAD-20140127-r13248 on CentOS (precompiled
packages from http://ngtech.co.il/rpm/centos/6/$basearch) and I've
successfully configured it with basic LDAP authentication and group
management.
It works as it should: if I add a user to a group they can browse, otherwise they are not
allowed.
The problem is that if I remove a user from the group, browsing isn't
blocked until I do a -k reconfigure on the squid server (and vice versa, if I
add someone, I need to do a reconfigure on the server to get it
working).
I can work around this with a cron job every hour, but I think there is a
more elegant way to do this...
The strange thing is that if I call the helpers manually from the command line,
they work as they should, and as soon as I remove the user from the group
the ext_ldap_group_acl helper gives me the error that the user isn't in the
group. It seems that squid caches the group membership and doesn't update it until
a new reconfigure.
I've found others with the same problem on the net (with different versions of
squid) but they also haven't solved the problem (or they haven't posted a
solution).

What can I try to do?

Any help is much appreciated!
Thanks!


shawn wilson | 11 Jul 08:54 2014

svn support

How do I get svn+http working through squid? I've already got the svn
prerequisite of ~/.subversion/servers http-proxy-host/port.

But I haven't been able to find a modern doc describing how to make
squid handle the requests. I tried:
acl CONNECT method GET POST HEAD CONNECT PROFIND PROPATCH PATCH

But that caused a warning when reloading the config and didn't have
the desired effect.

johnzeng | 11 Jul 06:09 2014

Sorry, I updated my email mode, and I have a question about wccp

Hello Dear Everyone:
>
> I configured wccp mode recently, but I found HTTP requests don't succeed
> in being sent via the GRE tunnel in wccp mode.
>
> This is my config; if possible, give me some advice. Thanks again.
>
>
>
> 19:36:58.728514 IP 192.168.5.66.37225 > 180.149.132.165.http: Flags
> [F.], seq 0, ack 1, win 108, length 0
> 19:37:00.304327 IP 192.168.5.66.41485 >
> rev.opentransfer.com.28.147.130.98.in-addr.arpa.http: Flags [S], seq
> 2204475760, win 5840, options [mss 1460,sackOK,TS val 3757970 ecr
> 0,nop,wscale 6], length 0
> 19:37:00.976403 IP 192.168.5.66.40789 > 202.104.237.103.http: Flags
> [S], seq 2214840108, win 5840, options [mss 1460,sackOK,TS val 3758139
> ecr 0,nop,wscale 6], length 0
> 19:37:03.597139 IP 192.168.5.66.58461 > 101.226.142.33.http: Flags
> [.], ack 2180972149, win 227, options [nop,nop,TS val 3758794 ecr
> 2556809136], length 0
> 19:37:03.806973 IP 192.168.5.66.58461 > 101.226.142.33.http: Flags
> [.], ack 1, win 227, options [nop,nop,TS val 3758846 ecr
> 2556809198,nop,nop,sack 1 {0:1}], length 0
> 19:37:03.976184 IP 192.168.5.66.40789 > 202.104.237.103.http: Flags
> [S], seq 2214840108, win 5840, options [mss 1460,sackOK,TS val 3758889
> ecr 0,nop,wscale 6],
>
>
> 19:06:33.356333 IP 192.168.5.1 > 192.168.2.2: GREv0, length 48:

freefall12 | 11 Jul 04:34 2014

how to implement access control using connecting hostname and port

Some HTTP proxy service providers here just assign a unique proxy address
and port to a user, and the user just needs to enter the necessary proxy
address and port to get access. I think this method is superior to username
and password authentication, and also, this makes it possible to proxy a lot
of mobile apps on iOS and Android devices which don't support traditional
proxy authentication. I found they are using squid for caching and proxying.
Can squid alone achieve this? Thank you


fernando | 10 Jul 21:18 2014

access log request size x google drive

Hi there,

I configured my squid.conf to generate a second access log but using 
the client request size  (%>st) in place of the response size (%<st):

logformat upload %ts.%03tu %6tr %>a %Ss/%03>Hs %>st %rm %ru %[un %Sh/%<a %mt
access_log stdio:/var/log/squid/upload.log logformat=upload
access_log stdio:/var/log/squid/access.log

My goal was to use sarg to generate a report for upload sizes alongside
the standard report which contains only download sizes.

The reports look OK for regular web browsing (download sizes much
larger than upload sizes) but after I uploaded some big files to Google
Drive the reports still don't show a significant increase in upload
sizes.

I also run darkstat on the server and it shows the expected increase
for "Out" traffic.

So, why isn't my upload.log showing uploads to Google Drive? Is this
supposed to work at all, or do I need some trick for squid?

[]s, Fernando Lozano

Vadim Rogoziansky | 10 Jul 17:27 2014

fallback to TLS1.0 if server closes TLS1.2?

Hello All.

Do you have any ideas how we can resolve it? I have the same issue.

Peter Smith | 10 Jul 14:53 2014

Transparent proxying and forwarding loop detected

Hi list,

I'm running Squid 3.3 on Linux as part of a wireless hotspot solution.

The box has two network interfaces: one to the outside world, the
other a private LAN with IP 10.0.0.1. On the LAN I'm using CoovaChilli
as an active portal.

I'd like to transparently intercept and cache web traffic from wifi
clients. Coova has a configuration option for the IP and port of an
optional proxy - all web traffic from wireless clients will be routed
through this. I've set it to 10.0.0.1:3128

Here's my squid config:

acl localnet src 10.0.0.0/255.0.0.0   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localnet
http_access deny all

Jatin Bhasin | 10 Jul 12:34 2014

Passing Information up to the eCap adapter

Hello,

As I understand currently squid can send client IP address up to the eCap
adapter using squid configuration directive *adaptation_send_client_ip.*

I needed more information in my eCap adapter so I changed the squid source
code to be able to send *Client Port, Destination Address and Destination
port* to the eCap adapter.

But now my requirement is to be able to pass *source MAC address and
destination MAC address* as well to the eCap adapter. But I am not able to
understand how I can do it.

Can someone please point me to where I should start looking in the squid source
code so that the MAC addresses can be passed up to the eCap adapter.

Thanks,
Jatin

Andreas Westvik | 10 Jul 09:21 2014

Blocking specific url

So this is driving me crazy. Some of my users are playing Battlefield 4, and Battlefield has this server
browsing page that has a webm background.
Turns out this video downloads every few seconds and that adds up to about 8Gb every day.
Here is the URL: http://eaassets-a.akamaihd.net/battlelog/background-videos/naval-mov.webm

Now, I don't want to block http://eaassets-a.akamaihd.net/ since updates and such come from this CDN, and
I don't want to block webm files.
And I can't for the life of me figure out how to block this specific URL. Google gives me only what I don't want to do.

Any pointers?

-Andreas

babajaga | 9 Jul 23:24 2014

Re: Waiting for www...

Have a look here for a correct solution:
http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource

(Example: replace SQUIDIP with the public IP which squid may use for its
listening port and outbound connections.)

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129

