<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Do you control the client application? If yes, then perhaps it can be<br>adjusted to support HTTP proxies? In other words, the client will send a<br>plain text HTTP CONNECT request to Squid and, upon receiving a 200<br>(Connection Established) response headers, will start using TLS with the<br>origin server. In this case, you do not need interception.</blockquote><div><br></div><div>Nope, the client application is also used to communicate with other apps in</div><div>other environments. The SNI has to be used as the client/server apps perform</div><div>mutual TLS authentication.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In other words, the client will send a<br>plain text HTTP CONNECT request to Squid and, upon receiving a 200<br>(Connection Established) response headers, will start using TLS with the<br>origin server. In this case, you do not need interception.</blockquote><div><br></div><div>In order to evaluate if we can use Squid for this purpose, I have also created a</div><div>basic TLS client/server app to validate what is happening. Basically my TLS client</div><div>tries to connect directly to Squid IP/Port and I am indicating the SNI so that the </div><div>TLS handshake passes.<br></div><div><br></div><div>Using a reverse I was able to make it reach the TLS server after faking a CONNECT</div><div>request. But without a fake CONNECT or a valid HTTP request it failed.</div><div><br></div><div>When I tried to make it work using a forward proxy with intercept and ssl_bump, I</div><div>could not make Squid peek at the SNI and tunnel the request to the correct destination.</div><div><br></div><div>Fernando</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 29, 2023 at 11:35 AM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-29 09:17, Fernando Giorgetti wrote:<br>
<br>
> Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS<br>
> data, as we have a restricted environment where Squid is currently the<br>
> only way to get out to the internet.<br>
<br>
Yes, Squid can tunnel non-HTTP data, including TLS data.<br>
<br>
<br>
> The idea is that the client application will open a connection to a given<br>
> hostname and port (setting the SNI in the TLS options), considering that<br>
> the given hostname/port is the actual backend they're trying to reach.<br>
<br>
Do you control the client application? If yes, then perhaps it can be <br>
adjusted to support HTTP proxies? In other words, the client will send a <br>
plain text HTTP CONNECT request to Squid and, upon receiving a 200 <br>
(Connection Established) response headers, will start using TLS with the <br>
origin server. In this case, you do not need interception.<br>
<br>
<br>
> We can either try to use a fake hostname (defined in the /etc/hosts of the<br>
> tls client machine) which would actually point to Squid's IP <br>
<br>
AFAICT, faking the IP address will not work without Squid source code <br>
modifications because a non-intercepting Squid https_port will want to <br>
terminate TLS -- such a port does not support blindly tunneling traffic.<br>
<br>
<br>
> or eventually<br>
> redirect traffic to the real destination into Squid using a DNAT rule.<br>
<br>
I am not a DNAT expert, but this sounds like interception to me. Bugs <br>
notwithstanding, Squid supports blind tunneling of intercepted TCP <br>
connections (to their intended destination):<br>
<br>
https_port X intercept ssl-bump ...<br>
ssl_bump splice all<br>
<br>
On a successful tunneling path, the above configuration does not care <br>
whether the intercepted traffic is TLS and will not peek at TLS SNI, but <br>
nothing in your requirements necessitates SNI knowledge AFAICT.<br>
<br>
If Squid fails to establish a TCP connection to the intended destination <br>
of the intercepted connection, then the situation becomes more complex: <br>
Squid (with the above configuration) assumes that the client is speaking <br>
TLS. Squid will attempt to bump the TLS client connection and send a <br>
Squid-generated HTTP error response to the client. AFAIK, this bumping <br>
and error sending attempt cannot be prevented in this case without Squid <br>
source code modifications: Squid used to be able to terminate a <br>
client-Squid connection instead of sending a Squid-generated HTTP error <br>
response (by replacing the corresponding Squid error page contents with <br>
a word "reset"). However, that feature was accidentally(?) dropped in <br>
2002 commit 76cdc28 AFAICT.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
> But overall, it will be a 1:1 relationship, meaning, the https_port on Squid<br>
> would be used exclusively to this purpose of proxying from a given source<br>
> to a given destination.<br>
> <br>
> That is why I was considering a reverse-proxy, but I had no luck with it <br>
> (actually<br>
> I was able to proxy HTTP/HTTPS, but not non-http).<br>
> <br>
> Thank you again,<br>
> Fernando<br>
> <br>
> On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov <br>
> <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a> <br>
> <mailto:<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>>> wrote:<br>
> <br>
> On 2023-09-28 20:35, Fernando Giorgetti wrote:<br>
> <br>
> > Do you have any recommendations on how I could have it done?<br>
> <br>
> I am unable to confirm whether Squid can do what you want or provide<br>
> configuration recommendations because I do not yet know how your Squid<br>
> will receive traffic (e.g., an intercepting proxy or an explicit<br>
> forward<br>
> HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP,<br>
> something else), and what you want Squid to do with that traffic.<br>
> <br>
> To make progress, I recommend describing the above details (for one<br>
> typical use case?) and then answering any followup questions.<br>
> <br>
> <br>
> Cheers,<br>
> <br>
> Alex.<br>
> <br>
> <br>
> > When my tls client tries to reach the target through Squid, using<br>
> > a "ssl_bump splice", it seems like squid is trying to reach<br>
> itself in a<br>
> > loop.<br>
> ><br>
> > I have also tried including a peek first, but no luck.<br>
> ><br>
> > Thanks again for all suggestions.<br>
> ><br>
> > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:<br>
> ><br>
> > On 2023-09-28 15:23, Fernando Giorgetti wrote:<br>
> ><br>
> > > Actually with the suggested blind passthrough, Squid would not<br>
> > handle<br>
> > > the TLS termination.<br>
> ><br>
> > Correct.<br>
> ><br>
> ><br>
> > > how will Squid know what the target is?<br>
> ><br>
> > In many cases, Squid can learn SNI by peeking at TLS ClientHello,<br>
> > without terminating TLS. Bugs notwithstanding, none of the<br>
> > configuration<br>
> > sketches I shared previously will do that though.<br>
> ><br>
> ><br>
> > HTH,<br>
> ><br>
> > Alex.<br>
> ><br>
> ><br>
> ><br>
> > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:<br>
> > ><br>
> > > On 2023-09-28 11:31, Fernando Giorgetti wrote:<br>
> > ><br>
> > > > And what should I do to let Squid use the SNI<br>
> defined by<br>
> > the TLS<br>
> > > client?<br>
> > ><br>
> > > What do you want Squid to use that SNI for?<br>
> > ><br>
> > > Alex.<br>
> > ><br>
> > ><br>
> > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:<br>
> > > ><br>
> > > > On 2023-09-28 09:06, Fernando Giorgetti wrote:<br>
> > > > > Hi Matus, do you mean something like a DNAT<br>
> > (iptables) rule?<br>
> > > > > If so, I would say, it should work as well.<br>
> > > > ><br>
> > > > > But this is an environment I do not control,<br>
> and I have<br>
> > > been told<br>
> > > > to try<br>
> > > > > using an existing squid installation to proxy<br>
> > non-http/TLS<br>
> > > data<br>
> > > > through.<br>
> > > > ><br>
> > > > > I appreciate any guidance or recommendation.<br>
> > > ><br>
> > > ><br>
> > > > Bugs notwithstanding, Squid can blindly tunnel<br>
> intercepted<br>
> > > (at TCP port<br>
> > > > X) TCP traffic to its intended destination:<br>
> > > ><br>
> > > > https_port X intercept ssl-bump ...<br>
> > > > ssl_bump splice all<br>
> > > ><br>
> > > ><br>
> > > > Without interception, then Squid can only<br>
> tunnel stuff<br>
> > inside<br>
> > > HTTP<br>
> > > > CONNECT tunnels (for HTTP CONNECT requests<br>
> received at TCP<br>
> > > port Y):<br>
> > > ><br>
> > > > http_port Y ssl-bump ...<br>
> > > > ssl_bump splice all<br>
> > > ><br>
> > > ><br>
> > > > In both cases, Squid does not care about the<br>
> protocols<br>
> > that<br>
> > > tunneled<br>
> > > > traffic is using. It could be HTTP, HTTPS, TLS, or<br>
> > anything<br>
> > > else on top<br>
> > > > of TCP.<br>
> > > ><br>
> > > > Your ACLs may differ from "all" in the above<br>
> sketches,<br>
> > of course,<br>
> > > > but if<br>
> > > > traffic is not TLS, then you want an "ssl_bump<br>
> splice"<br>
> > rule that<br>
> > > > matches<br>
> > > > during SslBump step1. A rule with an "all" ACLs<br>
> is the<br>
> > > simplest example<br>
> > > > of that.<br>
> > > ><br>
> > > ><br>
> > > > HTH,<br>
> > > ><br>
> > > > Alex.<br>
> > > > P.S. I am getting an "Internal Server Error" when<br>
> > following<br>
> > > the haproxy<br>
> > > > link in the original question, so I cannot map what<br>
> > that page<br>
> > > says to<br>
> > > > the configurations above.<br>
> > > ><br>
> > > ><br>
> > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR -<br>
> > fantomas wrote:<br>
> > > > ><br>
> > > > > On 27.09.23 16:48, Fernando Giorgetti wrote:<br>
> > > > > >I would like to know if it is possible<br>
> to set up<br>
> > > Squid to<br>
> > > > perform<br>
> > > > > >TLS passthrough to a given backend,<br>
> relaying TLS<br>
> > > encrypted<br>
> > > > > >traffic to the backend, similarly to<br>
> what HAProxy<br>
> > > does below?<br>
> > > > > ><br>
> > > > ><br>
> > > ><br>
> > ><br>
> > <br>
> ><a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a> <<a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a>>>>>><br>
> > > > > ><br>
> > > > > >I have tried a few different<br>
> configurations using<br>
> > > reverse<br>
> > > > proxy,<br>
> > > > > >or peek and splice, but I could not<br>
> make it<br>
> > work without<br>
> > > > providing<br>
> > > > > >a valid HTTP request or a CONNECT request.<br>
> > > > ><br>
> > > > > what's the difference between TCP<br>
> redirect and<br>
> > this?<br>
> > > > ><br>
> > > > > --<br>
> > > > > Matus UHLAR - fantomas,<br>
> <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>><br>
> > > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>>><br>
> > > > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>><br>
> > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>>>><br>
> > > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>><br>
> > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>>><br>
> > > > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>><br>
> > <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> <mailto:<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>>>>>><br>
> > > > > ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>>><br>
> > > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>><br>
> > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>>>><br>
> > > > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>><br>
> > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>>><br>
> > > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>><br>
> > <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>><br>
> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a> <<a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a>>>>>><br>
> > > > > Warning: I wish NOT to receive e-mail<br>
> > advertising to this<br>
> > > > address.<br>
> > > > > Varovanie: na tuto adresu chcem NEDOSTAVAT<br>
> > akukolvek<br>
> > > reklamnu<br>
> > > > postu.<br>
> > > > > Depression is merely anger without<br>
> enthusiasm.<br>
> > > > > <br>
> _______________________________________________<br>
> <br>
> <br>
<br>
</blockquote></div>