[squid-users] Squid v4.45

L.P.H. van Belle belle at bazuin.nl
Mon Aug 23 06:55:23 UTC 2021


In your Windows config,
remove the IP address from the gateway and configure your proxy settings.
Without proxy and gateway, no internet.

Or set up an SSL proxy.
Add something like this in your firewall and you catch all.

# Redirect HTTP on eth0 from LAN_CIDR to locally installed Squid instance using REDIRECT for intercept mode
# (the REDIRECT target is only valid in the nat table)
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 6080 -m comment --comment "Squid-Intercept 80->6080"

# Redirect HTTPS on eth0 from CIDR to locally installed Squid instance using REDIRECT for intercept mode
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 6433 -m comment --comment "Squid-Intercept 443->6433"

And read:
https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol


> The NIC status simply says that *somehow* the Internet is available.
No, Windows 10 does a DNS query to an MS server; block that and you see "no internet"
even if you have internet.

Maybe PiHole is something for you that does most of what you want. 


Greetz, 

Louis


> -----Original message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Periko Support
> Sent: Monday, 23 August 2021 7:55
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid v4.45
> 
> On Thu, Aug 19, 2021 at 7:40 PM Amos Jeffries 
> <squid3 at treenet.co.nz> wrote:
> >
> >
> > FYI, there is no such version as Squid 4.45.
> 
> Amos, sorry, it is 4.15, my mistake.
> >
> > What is the output when you run "squid -v" ?
> >
>  squid -v
> Squid Cache: Version 4.15
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1k-freebsd  25 Mar 2021. For legal
> restrictions on distribution see
> https://www.openssl.org/source/license.html
> 
> configure options:  '--with-default-user=squid'
> '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin'
> '--datadir=/usr/local/etc/squid'
> '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
> '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache' '--without-gnutls'
> '--with-included-ltdl' '--enable-auth' '--enable-zph-qos'
> '--enable-build-info' '--enable-loadable-modules'
> '--enable-removal-policies=lru heap' '--disable-epoll'
> '--disable-linux-netfilter' '--disable-linux-tproxy'
> '--disable-translation' '--disable-arch-native'
> '--disable-strict-error-checking' '--enable-eui'
> '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
> '--disable-esi' '--enable-follow-x-forwarded-for'
> '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe
> -I/usr/local/include -I/usr/local/include -fstack-protector-strong
> -DLDAP_DEPRECATED -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib
> -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib
> -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib
> -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 '
> 'KRB5CONFIG=/usr/local/bin/krb5-config'
> 'krb5_config=/usr/local/bin/krb5-config' '--enable-htcp'
> '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
> '--enable-ipv6' '--enable-kqueue' '--with-large-files'
> '--enable-http-violations' '--without-nettle' '--enable-snmp'
> '--enable-ssl' '--with-openssl=/usr'
> '--enable-security-cert-generators=file'
> 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl'
> '--enable-ssl-crtd' '--disable-stacktraces'
> '--disable-ipf-transparent' '--disable-ipfw-transparent'
> '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db'
> '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=LDAP SASL DB
> SMB_LM NCSA PAM POP3 RADIUS fake getpwnam NIS'
> '--enable-auth-digest=eDirectory LDAP file'
> '--enable-external-acl-helpers=LDAP_group eDirectory_userip
> file_userip unix_group delayer kerberos_ldap_group'
> '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake
> SMB_LM' '--enable-storeio=aufs diskd ufs'
> '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
> '--enable-log-daemon-helpers=file DB'
> '--enable-url-rewrite-helpers=fake LFS'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-security-cert-validators=fake' '--prefix=/usr/local'
> '--mandir=/usr/local/man' '--disable-silent-rules'
> '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2'
> 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc'
> 'CPPFLAGS=-I/usr/local/include -I/usr/local/include' 'CXX=c++'
> 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include
> -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing  '
> 'CPP=cpp' --enable-ltdl-convenience
> > On 19/08/21 4:12 am, Periko Support wrote:
> > > Hello guys.
> > >
> > > I have been searching the issue I have with Windows 10 and the ugly
> > > job it does to put the NIC "Internet access" and when we have squid
> > > behind "no internet".
> > >
> >
> > The NIC status simply says that *somehow* the Internet is available.
> > That means DNS resolution, TCP connectivity, HTTP transactions and HTTPS
> > transactions are all fully working and producing responses.
> 
> Windows 10, if for some reason it cannot reach the internet, will
> say "no internet".
> 
> I have sniffed the communication and I just found those 2 sites that look
> like what Windows uses to check connectivity.
> 
> >
> > Break any one and you will get "no internet". Even when the rest
> > continue working fine. So it can tell you when some sort of failure
> > occurs, but is not reliable when it claims success.
> >
> >
> > Please be aware that using your Squid proxy properly is one way Windows
> > can receive all those services and claim "Internet Access".
> >
> >
> > > I have sniffed logs and I just found these sites when I turn on the computer:
> > >
> > > .msftconnecttest.com
> > > .windows.com
> > >
> > > Has someone won over this annoying thing with Windows 10?
> > >
> > > No-Transparent Proxy WPAD.
> > >
> >
> > Check that your firewall does not permit HTTP(S) connections directly
> > from clients to the Internet.
> 
> I don't allow direct connection to the Internet, all 80/443 must cross
> under squid.
> 
> > When;
> >   * your network gateway firewall(s) block direct connections (other
> > than from Squid) to HTTP(S), and
> >   * your proxy logs show those Win10 connection URLs happening, and
> >   * Win10 NIC says "Internet Access"
> >
> > Then you know that the proxy usage is how "Internet Access" happens,
> > that is what you want so no problem.
> >
> >
> 
> I still haven't found the solution to this little issue.
> 
> Regards!!!
> 
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> 
> 
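
Added example, not part of the thread or of Squid itself: one way to do the "proxy logs show those Win10 connection URLs" check from the quoted checklist, by summarising requests to the two domains named in the thread per client and counting denied ones. It assumes Squid's default native access.log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the default native logformat:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
PROBE_SUFFIXES='msftconnecttest.com windows.com'   # the two domains from the thread

# Constructed sample access.log lines (addresses and hosts are made up).
sample_log() {
    cat <<'EOF'
1629701723.101    45 192.168.0.21 TCP_MISS/200 412 GET http://www.msftconnecttest.com/connecttest.txt - HIER_DIRECT/203.0.113.10 text/plain
1629701724.310     0 192.168.0.22 TCP_DENIED/403 3980 GET http://www.msftconnecttest.com/connecttest.txt - HIER_NONE/- text/html
1629701725.000   120 192.168.0.21 TCP_TUNNEL/200 5120 CONNECT host.windows.com:443 - HIER_DIRECT/203.0.113.11 -
1629701726.500    30 192.168.0.22 TCP_MISS/200 900 GET http://notwindows.com/ - HIER_DIRECT/203.0.113.12 text/html
EOF
}

# Reads access.log on stdin; prints "client host allowed=N denied=M" per pair.
probe_summary() {
    awk -v suffixes="$PROBE_SUFFIXES" '
    BEGIN { n = split(suffixes, suf, " ") }
    {
        host = tolower($7)
        sub(/^[a-z]+:\/\//, "", host)   # drop the scheme of plain HTTP URLs
        sub(/[\/:].*$/, "", host)       # drop path, or :port on CONNECT lines
        for (i = 1; i <= n; i++) {
            s = suf[i]
            # Match the domain or a subdomain only, so notwindows.com is skipped.
            if (host == s || (length(host) > length(s) &&
                substr(host, length(host) - length(s)) == ("." s))) {
                key = $3 " " host
                seen[key] = 1
                if ($4 ~ /^TCP_DENIED/) denied[key]++; else allowed[key]++
                break
            }
        }
    }
    END {
        for (k in seen)
            printf "%s allowed=%d denied=%d\n", k, allowed[k], denied[k]
    }' | LC_ALL=C sort
}

sample_log | probe_summary
```

To run it on a live proxy, feed the real log to probe_summary on stdin (the build quoted above logs under /var/log/squid). A client with denied=N and no allowed entries for the probe host is one that will report "no internet".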


