[squid-users] squid-users Digest, Vol 27, Issue 9

Raju M K mkraju123 at gmail.com
Sat Nov 5 04:18:46 UTC 2016


Here is my squid.conf, followed by cache.log.

http_port 8000 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/ssl_cert/myCA.pem

auth_param basic program /cygdrive/c/Squid/lib/squid/basic_ldap_auth.exe -v 3 -P -R -b "DC=CONDUIRA,DC=LOCAL" -D "CN=administrator,CN=Users,DC=CONDUIRA,DC=LOCAL" -w anar_2017 -f sAMAccountName=%s -h 192.168.100.1
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl localnet src 192.168.100.0/24 fc00::/7 fe80::/10

acl SSL_ports port 443
acl Safe_ports port 21 70 80 210 280 443 488 591 777 1025-65535

acl CONNECT method CONNECT
acl CONNECT method CONNECT

cache_dir ufs c:/squid/var/cache/squid/cache 100 16 256
access_log stdio:/cygdrive/c/Squid/var/log/squid/access.log squid

coredump_dir /cygdrive/c/Squid/var/cache/squid
pid_filename /cygdrive/c/Squid/var/run/squid/run/squid/squidsrv.pid

acl denyext url_regex -i \.exe$ \.mp3$ \.mpeg$ \.mpg$ \.rar$ \.asx$ \.wma$ \.wmv$ \.avi$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.wmf$ \.mov$
http_access deny denyext all

request_body_max_size 1024 KB

acl fileupload req_mime_type -i ^multipart/form-data$
http_access deny fileupload


## Full Access Users
acl active_directory_authenticated proxy_auth REQUIRED
acl user_previleged proxy_auth raju.masina
http_access allow active_directory_authenticated user_previleged

## Allowed Domains for ALL_Users
acl domains_all dstdomain "c:/Squid/etc/allowed_domains.txt"
http_access allow active_directory_authenticated domains_all

refresh_pattern -i .*\.(m4f|mp4|txt) 5259487 99% 5259487 override-expire ignore-reload reload-into-ims ignore-no-cache ignore-private refresh-ims
acl storeid-helper url_regex -i ^https?:\/\/.*\.s3-ap-southeast-1\.amazonaws\.com(.*\.(m4f|mp4))
store_id_access deny all

acl loop_302 http_status 302
acl getmethod method GET

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny localhost manager
http_access deny manager
http_access deny all

always_direct allow all
#ssl_bump splice bypast
#ssl_bump peek bypast
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s /cygdrive/c/squid/var/run/squid/run/squid/ssl_db/certs -M 4MB
sslcrtd_children 8 startup=1 idle=1

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 8 MB
minimum_object_size 0 KB
maximum_object_size 1 GB
maximum_object_size_in_memory 512 KB
cache_swap_low 90
cache_swap_high 95

store_id_access deny !getmethod
store_id_access allow storeid-helper

dns_nameservers 192.168.100.1
hosts_file /cygdrive/c/windows/system32/drivers/etc/hosts

CACHE.LOG

2016/11/04 17:26:39 kid1| Adding nameserver 192.168.100.1 from squid.conf
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:26:39 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:39 kid1| helperOpenServers: No 'basic_ldap_auth.exe' processes needed.
2016/11/04 17:26:39 kid1| HTCP Disabled.
2016/11/04 17:26:39 kid1| Finished loading MIME types and icons.
2016/11/04 17:26:39 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:8000 remote=[::] FD 13 flags=9
2016/11/04 17:26:44 kid1| Starting new basicauthenticator helpers...
2016/11/04 17:26:44 kid1| helperOpenServers: Starting 1/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:44 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:39 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'

Regards.

On Fri, Nov 4, 2016 at 8:13 PM, <squid-users-request at lists.squid-cache.org>
wrote:

> Today's Topics:
>
>    1. Re: squid warning (Yuri)
>    2. Re: squid warning (Matus UHLAR - fantomas)
>    3. Squid doesn't use domain name as a request URL in access.log
>       when splice at step 3 occurs (Garri Djavadyan)
>    4. Squid doesn't use domain name as a request URL in access.log
>       when splice at step 3 occurs (Garri Djavadyan)
>    5. Re: squid warning (Yuri Voinov)
>    6. Re: Squid doesn't use domain name as a request URL in
>       access.log when splice at step 3 occurs (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Nov 2016 18:23:05 +0600
> From: Yuri <yvoinov at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <5e2eaab8-71fb-1908-f93a-acea6e451727 at gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> This warning is irrelevant to your google issue.
>
> Show your config.
>
>
> 04.11.2016 10:34, Raju M K wrote:
> > Hi,
> > I installed squid v3.5.22 on windows and enabled with ssl_bump.
> > Now my issue is.
> > Web page is opening very slowly. For ex. www.google.com
> > <http://www.google.com/> its taking more than 30 seconds.
> > In cache log showing below warning
> > 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd'
> > processes
> > 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
> > argument
> >
> > Please help me..
> > --
> > Regards,
> > M K Raju.
> >
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Nov 2016 13:39:20 +0100
> From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <20161104123920.GA5216 at fantomas.sk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 04.11.16 18:23, Yuri wrote:
> >This warning is irrelevant to your google issue.
>
> are you sure that creating a fake google certificate is not the reason for
> the delay?
>
> >04.11.2016 10:34, Raju M K wrote:
> >>I installed squid v3.5.22 on windows and enabled with ssl_bump.
> >>Now my issue is.
> >>Web page is opening very slowly. For ex. www.google.com
> >><http://www.google.com/> its taking more than 30 seconds.
> >>In cache log showing below warning
> >>2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8
> >>'ssl_crtd' processes
> >>2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> M$ Win's are shit, do not use it !
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 04 Nov 2016 17:43:33 +0500
> From: Garri Djavadyan <garryd at comnet.uz>
> To: squid-users at squid-cache.org
> Subject: [squid-users] Squid doesn't use domain name as a request URL
>         in access.log when splice at step 3 occurs
> Message-ID: <1478263413.30442.5.camel at comnet.uz>
> Content-Type: text/plain; charset="UTF-8"
>
> I noticed that Squid doesn't use gathered domain name information for
> %ru in access.log when splice action is performed at step 3 for
> intercepted traffic. The format code ssl::>sni is available at both
> steps. Below are examples used to verify the behavior using Squid
> 3.5.22, but the results are the same for Squid 4.0.16.
>
> The request used on client:
>
> $ curl https://www.openssl.org/ > /dev/null
>
>
> The configuration for splice at step 2:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump2
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
>
> 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT
> 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.opens
> sl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> -----
> The configuration for splice at step 3:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
> 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> Is it a bug or intended behavior? Thanks.
>
> Garri
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 04 Nov 2016 19:06:22 +0500
> From: Garri Djavadyan <garryd at comnet.uz>
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid doesn't use domain name as a request URL
>         in access.log when splice at step 3 occurs
> Message-ID: <1478268382.30442.11.camel at comnet.uz>
> Content-Type: text/plain; charset="UTF-8"
>
> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
> > I noticed that Squid doesn't use gathered domain name information for
> > %ru in access.log when splice action is performed at step 3 for
> > intercepted traffic. The format code ssl::>sni is available at both
> > steps. Below are examples used to verify the behavior using Squid
> > 3.5.22, but the results are the same for Squid 4.0.16.
> >
> > The request used on client:
> >
> > $ curl https://www.openssl.org/ > /dev/null
> >
> >
> > The configuration for splice at step 2:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> > >
> > > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> > >
> > > acl StepSplice at_step SslBump2
> > > ssl_bump splice StepSplice
> > > ssl_bump peek all
> > > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > > %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> >
> > 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT
> > 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> > 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.ope
> > ns
> > sl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > -----
> > The configuration for splice at step 3:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> > >
> > > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> > >
> > > acl StepSplice at_step SslBump3
> > > ssl_bump splice StepSplice
> > > ssl_bump peek all
> > > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > > %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> > 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > Is it a bug or intended behavior? Thanks.
> >
> > Garri
>
> It prevents domain name identification when SNI is not provided by a
> client. For example:
>
> Request:
> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> s_client -quiet -no_ign_eof -connect www.openssl.org:443
>
> Config:
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
> Result:
> 1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT
> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 4 Nov 2016 20:07:25 +0600
> From: Yuri Voinov <yvoinov at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid warning
> Message-ID: <0840e0bf-597d-5493-3562-bb69390c5f20 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>
> 04.11.2016 18:39, Matus UHLAR - fantomas wrote:
> > On 04.11.16 18:23, Yuri wrote:
> >> This warning is irrelevant to your google issue.
> >
> > are you sure that creating a fake google certificate is not the reason for
> > the delay?
> I'm talking about this warning:  WARNING: no_suid: setuid(0): (22) Invalid
>
> Did you see Diladele Win64 Squid with your own eyes? If yes, you
> understand me.
>
> However, I suggest (only because I have not seen squid.conf) that the
> real problem is here:
>
> helperOpenServers: Starting 1/8 'ssl_crtd' processes
>
> It seems to be due to so few ssl_crtd helper processes.
> >
> >> 04.11.2016 10:34, Raju M K wrote:
> >>> I installed squid v3.5.22 on windows and enabled with ssl_bump.
> >>> Now my issue is.
> >>> Web page is opening very slowly. For ex. www.google.com
> <http://www.google.com/> its taking more than 30 seconds.
> >>> In cache log showing below warning
> >>> 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd'
> processes
> >>> 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
> >
> >
>
> - --
> Cats - delicious. You just do not know how to cook them.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJYHJYcAAoJENNXIZxhPexGJ9oIAJZLwy9Tb3SOkmdLPdrGoi12
> NvkLOBhCVBGWAIuRD/6WO1edhZ7h12v87mvZ10CKVldNe70ZDFNZcpkzfUrx91Lm
> Qk1fA0Of830nNoDp+pQMksByUZKcCvgEQnBLgzenUxcFi7qqVaDzXjbcdoAN51tg
> R6RLftQGomdHcvvLmacZO8B4NG5BBDyl2psA/bXjwbq17dlHvhzYdUxc+OfInwrS
> pRAyPKolo+QnT3euW+2nw0+AjccRiZgQiVHNRu05jhTkAsXaIQEOmgfnIWnIFbM2
> HsJD4M9D2awP8gRyus5Pv7O0uv3F0Wx64mebLOcNjJe9xu6vU47SUa96jGseuHY=
> =PKW2
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 6
> Date: Sat, 5 Nov 2016 03:42:45 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid doesn't use domain name as a request
>         URL in access.log when splice at step 3 occurs
> Message-ID: <5e50526c-5945-8038-d09e-3c7d56ac2512 at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 5/11/2016 1:43 a.m., Garri Djavadyan wrote:
> > The configuration for splice at step 3:
> >
> > # diff etc/squid.conf.default etc/squid.conf
> > 73a74,78
> >> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> > generate-host-certificates
> >> acl StepSplice at_step SslBump3
> >> ssl_bump splice StepSplice
> >> ssl_bump peek all
> >> logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> > %Sh/%<a %mt %ssl::>sni
> >
> >
> > The result:
> > 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
> > 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> >
> >
> > Is it a bug or intended behavior? Thanks.
> >
>
> The person (Christos) who designed that behaviour is not reading this
> mailing list very often.
>
> AFAIK, it depends on what the SubjectAltName field in the certificate
> provided by 104.124.119.14 contains.
>
> Amos
>
>
>
> ------------------------------
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 27, Issue 9
> ******************************************
>



-- 
Regards,
M K Raju.
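The cache.log posted at the top of this message shows three things worth checking mechanically: ssl_crtd helpers being restarted several times within one second, the basic_ldap_auth helper failing to bind ("Can't contact LDAP server", which means proxy_auth cannot succeed until the LDAP server given with -h is reachable), and the no_suid setuid warning repeated once per helper spawn (Yuri treats that one as noise on the Windows build). The script below is an added example, not code from the thread or from the Squid project: it parses the cache.log lines quoted above (re-joined where the mail client wrapped them) and produces findings. The 60-second window and 3-restart threshold for flagging helper churn are arbitrary choices made here.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Message shapes seen in the cache.log quoted in this thread.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| (.*)$")
START_RE = re.compile(r"helperOpenServers: Starting (\d+)/(\d+) '([^']+)' processes")
RESTART_RE = re.compile(r"Starting new (\S+) helpers")
SETUID_RE = re.compile(r"WARNING: no_suid: setuid\(")
# Greedy so the apostrophe inside "Can't" does not end the capture early.
LDAP_RE = re.compile(r"basic_ldap_auth: WARNING, could not bind to binddn '(.*)'")


@dataclass
class HelperStats:
    configured: int = 0        # M in "Starting N/M 'name' processes"
    last_started: int = 0      # N in the most recent such line
    start_events: int = 0      # number of helperOpenServers lines for this helper
    restarts: List[datetime] = field(default_factory=list)  # "Starting new X helpers..."


@dataclass
class Report:
    helpers: Dict[str, HelperStats] = field(default_factory=dict)
    setuid_warnings: int = 0
    ldap_bind_failures: List[str] = field(default_factory=list)


def parse_cache_log(text: str) -> Report:
    """Collect helper start/restart events and the warnings that matter."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Helper stderr is passed through without the kid1| timestamp prefix.
            lm = LDAP_RE.search(line)
            if lm:
                rep.ldap_bind_failures.append(lm.group(1))
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        sm = START_RE.search(msg)
        rm = RESTART_RE.search(msg)
        if sm:
            st = rep.helpers.setdefault(sm.group(3), HelperStats())
            st.last_started = int(sm.group(1))
            st.configured = int(sm.group(2))
            st.start_events += 1
        elif rm:
            rep.helpers.setdefault(rm.group(1), HelperStats()).restarts.append(ts)
        elif SETUID_RE.search(msg):
            rep.setuid_warnings += 1
    return rep


def findings(rep: Report, window_s: int = 60, burst: int = 3) -> List[str]:
    """Turn the counts into short, actionable findings."""
    out = []
    for name, st in rep.helpers.items():
        ts = sorted(st.restarts)
        # Largest number of restarts that fall inside any window_s-second span.
        peak = max((sum(1 for t in ts if 0 <= (t - t0).total_seconds() <= window_s)
                    for t0 in ts), default=0)
        if peak >= burst:
            out.append(f"{name}: {peak} helper restarts within {window_s}s; "
                       "helpers are exiting and being respawned, check helper stderr")
        if st.configured and st.last_started < st.configured:
            out.append(f"{name}: {st.last_started}/{st.configured} configured helpers "
                       "running after the last start; the rest are spawned on demand "
                       "(children startup=/idle=), so bursts pay helper startup latency")
    for reason in rep.ldap_bind_failures:
        out.append(f"basic_ldap_auth cannot bind ({reason}); proxy_auth cannot succeed "
                   "until the LDAP server given with -h is reachable from the proxy")
    if rep.setuid_warnings:
        out.append(f"no_suid setuid warning logged {rep.setuid_warnings} times, once per "
                   "helper spawn; treated as harmless noise on the Windows build in this thread")
    return out


# Sample input: the cache.log lines quoted above in this message, re-joined.
SAMPLE_LOG = """
2016/11/04 17:26:39 kid1| Adding nameserver 192.168.100.1 from squid.conf
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:26:39 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:39 kid1| helperOpenServers: No 'basic_ldap_auth.exe' processes needed.
2016/11/04 17:26:39 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:8000 remote=[::] FD 13 flags=9
2016/11/04 17:26:44 kid1| Starting new basicauthenticator helpers...
2016/11/04 17:26:44 kid1| helperOpenServers: Starting 1/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:44 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:39 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
"""

if __name__ == "__main__":
    for f in findings(parse_cache_log(SAMPLE_LOG)):
        print("-", f)
```

Run it against a live cache.log with `parse_cache_log(open("cache.log").read())`; the LDAP finding is the one to act on first, since a helper that cannot bind makes every authenticated http_access rule fail regardless of how many ssl_crtd children are configured.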
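Garri's messages 3 and 4 in the quoted digest show why the %ssl::>sni format code matters for visibility: with splice at step 3, %ru still holds the original-destination IP (104.124.119.14:443) while the SNI column carries www.openssl.org, and when the client sends no SNI at all the record is IP-only. The parser below is an added example, not code from the thread or from the Squid project. It assumes the 11-field logformat Garri used (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni) and picks the best available server name per record: the %ru host when it is a domain name, otherwise the SNI, otherwise none. The sample lines are the four records quoted in the digest, re-joined where wrapped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field order of the logformat used in the thread:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
FIELDS = ("ts", "tr", "client", "status", "bytes", "method", "url",
          "user", "hier", "mime", "sni")


@dataclass
class Record:
    ts: float               # %ts.%03tu  request time, epoch seconds
    tr_ms: int              # %tr        response time in milliseconds
    client: str             # %>a
    tag: str                # %Ss        e.g. TCP_TUNNEL, TAG_NONE
    http_status: int        # %>Hs
    size: int               # %<st
    method: str             # %rm
    url: str                # %ru        host:port for CONNECT
    user: Optional[str]     # %[un
    hier_code: str          # %Sh        e.g. ORIGINAL_DST, HIER_NONE
    server: Optional[str]   # %<a
    mime: Optional[str]     # %mt
    sni: Optional[str]      # %ssl::>sni


def _dash(v: str) -> Optional[str]:
    return None if v == "-" else v


def parse_line(line: str) -> Record:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    tag, _, code = f["status"].partition("/")
    hier, _, server = f["hier"].partition("/")
    return Record(ts=float(f["ts"]), tr_ms=int(f["tr"]), client=f["client"],
                  tag=tag, http_status=int(code), size=int(f["bytes"]),
                  method=f["method"], url=f["url"], user=_dash(f["user"]),
                  hier_code=hier, server=_dash(server), mime=_dash(f["mime"]),
                  sni=_dash(f["sni"]))


def url_host(url: str) -> str:
    """Host part of %ru: 'host:port' (CONNECT) or scheme://host[:port]/path."""
    if "://" in url:
        url = url.split("://", 1)[1].split("/", 1)[0]
    if url.startswith("["):                      # bracketed IPv6 literal
        return url[1:url.index("]")]
    return url.rsplit(":", 1)[0] if ":" in url else url


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def effective_host(rec: Record) -> Tuple[Optional[str], str]:
    """Best server name for the record and where it came from: url, sni or none."""
    host = url_host(rec.url)
    if host and not is_ip_literal(host):
        return host, "url"
    if rec.sni:
        return rec.sni, "sni"
    return None, "none"          # IP-only record: no domain in %ru and no SNI


def classify(lines: List[str]) -> List[dict]:
    out = []
    for line in lines:
        rec = parse_line(line)
        host, source = effective_host(rec)
        out.append({"tag": rec.tag, "url": rec.url, "sni": rec.sni,
                    "host": host, "source": source})
    return out


# Sample input: the four access.log records quoted in the digest (splice at step 2,
# splice at step 3, and the no-SNI case), re-joined onto single lines.
SAMPLE = [
    "1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org",
    "1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org",
    "1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org",
    "1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -",
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(f"{row['tag']:<11} {row['url']:<24} sni={row['sni'] or '-':<18} "
              f"host={row['host'] or '(ip only)'} [{row['source']}]")
```

The practical point for anyone building detection or reporting on top of these logs: a domain allow/deny list or per-site report keyed only on %ru silently degrades to IP addresses for step-3 splices, and the "none" bucket is exactly the traffic (no SNI, no domain) that needs a separate policy decision; as Amos notes, what Squid can recover there depends on what the server certificate's SubjectAltName contains.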