[squid-users] squid-users Digest, Vol 56, Issue 32

Wegner Michaël m.wegner at hopitaldugier.fr
Fri Apr 19 06:32:00 UTC 2019


Hi,

Please find below access.log, cache.log and syslog.
Do you want another log?

Thanks


root at srv-squid-i2:/var/log/squid# more access.log
1555648138.455  73091 10.5.27.200 TCP_TUNNEL/200 4085 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555648580.052  73447 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555649036.566    160 10.5.27.200 TCP_TUNNEL/200 7558 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/40.112.75.175 -
1555649119.277 125693 10.5.27.200 TCP_TUNNEL/200 4087 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555649138.798 109989 10.5.27.200 TCP_TUNNEL/200 20881 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/152.199.19.161 -
1555649464.161 109997 10.5.27.200 TCP_TUNNEL/200 1712 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.215.46 -
1555649464.161 108037 10.5.27.200 TCP_TUNNEL/200 1197 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/172.217.19.226 -
1555649505.784  31964 10.5.27.200 TCP_TUNNEL_ABORTED/200 3877 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.21 -
1555649509.173    380 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.21 -
1555649680.077  90863 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555649850.998    473 10.5.27.200 TCP_TUNNEL/200 4318 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/52.138.216.83 -
1555650083.397 122117 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555650103.666  64195 10.5.27.200 TCP_TUNNEL/200 7202 CONNECT config.edge.skype.com:443 - HIER_DIRECT/13.107.3.128 -
1555650272.369  60315 10.5.27.200 TCP_TUNNEL_ABORTED/200 8347 CONNECT www.bing.com:443 - HIER_DIRECT/13.107.21.200 -
1555650780.077  92598 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555650836.825    170 10.5.27.200 TCP_TUNNEL/200 7412 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/40.127.128.174 -
1555651108.433  80243 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555651265.123 109984 10.5.27.200 TCP_TUNNEL/200 1716 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.204.142 -
1555651265.123 107990 10.5.27.200 TCP_TUNNEL/200 1315 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/216.58.209.226 -
1555651274.348    486 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.23 -
1555651880.093 109899 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555652318.162 124789 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555652637.037    168 10.5.27.200 TCP_TUNNEL/200 7558 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/137.117.142.136 -
1555652738.982 110004 10.5.27.200 TCP_TUNNEL/200 20880 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/152.199.19.161 -
1555652949.663 125870 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555653066.135 109979 10.5.27.200 TCP_TUNNEL/200 1705 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.209.238 -
1555653066.135 107992 10.5.27.200 TCP_TUNNEL/200 1337 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/216.58.213.162 -
1555653074.079    215 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.75.78 -
1555653418.457  62776 10.5.27.200 TCP_TUNNEL/200 4087 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555653648.118  68460 10.5.27.200 TCP_TUNNEL/200 7202 CONNECT config.edge.skype.com:443 - HIER_DIRECT/13.107.3.128 -
1555654080.060 104160 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555654437.259    166 10.5.27.200 TCP_TUNNEL/200 7412 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/137.117.142.136 -
1555654475.378   2134 10.5.27.200 TCP_TUNNEL_ABORTED/200 7466 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.378   2136 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.379   2135 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.379   2138 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654508.826    840 10.5.27.200 TCP_TUNNEL_ABORTED/200 6667 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654589.774    132 10.5.27.200 TCP_TUNNEL/200 4607 CONNECT disc601-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/95.101.16.117 -
1555654640.134  98179 10.5.27.200 TCP_TUNNEL/200 3561 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555654867.118 109979 10.5.27.200 TCP_TUNNEL/200 1703 CONNECT www.youtube.com:443 - HIER_DIRECT/172.217.18.206 -
1555654867.118 107994 10.5.27.200 TCP_TUNNEL/200 1282 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/172.217.19.226 -
1555654874.900   1004 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.32.7 -
1555654944.756     62 10.5.27.200 TCP_MISS/200 4680 GET http://tile-service.weather.microsoft.com/fr-FR/livetile/preinstall? - HIER_DIRECT/23.36.210.35 text/xml

root at srv-squid-i2:/var/log/squid# more cache.log
2019/04/19 06:25:02| Set Current Directory to /var/spool/squid
2019/04/19 06:25:02 kid1| storeDirWriteCleanLogs: Starting...
2019/04/19 06:25:02 kid1|   Finished.  Wrote 0 entries.
2019/04/19 06:25:02 kid1|   Took 0.00 seconds (  0.00 entries/sec).
2019/04/19 06:25:02 kid1| logfileRotate: daemon:/var/log/squid/access.log
2019/04/19 06:25:02 kid1| logfileRotate: daemon:/var/log/squid/access.log
2019/04/19 06:25:02 kid1| assertion failed: comm.cc:428: "!isOpen(conn->fd)"
2019/04/19 06:25:06 kid1| Set Current Directory to /var/spool/squid
2019/04/19 06:25:06 kid1| Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
2019/04/19 06:25:06 kid1| Service Name: squid
2019/04/19 06:25:06 kid1| Process ID 26758
2019/04/19 06:25:06 kid1| Process Roles: worker
2019/04/19 06:25:06 kid1| With 1024 file descriptors available
2019/04/19 06:25:06 kid1| Initializing IP Cache...
2019/04/19 06:25:06 kid1| DNS Socket created at [::], FD 5
2019/04/19 06:25:06 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/04/19 06:25:06 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2019/04/19 06:25:06 kid1| Adding domain ifsi.chdupaysdegier.fr from /etc/resolv.conf
2019/04/19 06:25:06 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2019/04/19 06:25:06 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2019/04/19 06:25:06 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2019/04/19 06:25:06 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/04/19 06:25:06 kid1| Store logging disabled
2019/04/19 06:25:06 kid1| Swap maxSize 0 + 524288 KB, estimated 40329 objects
2019/04/19 06:25:06 kid1| Target number of buckets: 2016
2019/04/19 06:25:06 kid1| Using 8192 Store buckets
2019/04/19 06:25:06 kid1| Max Mem  size: 524288 KB
2019/04/19 06:25:06 kid1| Max Swap size: 0 KB
2019/04/19 06:25:06 kid1| Using Least Load store dir selection
2019/04/19 06:25:06 kid1| Set Current Directory to /var/spool/squid
2019/04/19 06:25:06 kid1| Finished loading MIME types and icons.
2019/04/19 06:25:06 kid1| HTCP Disabled.
2019/04/19 06:25:06 kid1| Pinger socket opened on FD 26
2019/04/19 06:25:06 kid1| Squid plugin modules loaded: 0
2019/04/19 06:25:06 kid1| Adaptation support is off.
2019/04/19 06:25:06 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2019/04/19 06:25:06 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
2019/04/19 06:25:06| pinger: Initialising ICMP pinger ...
2019/04/19 06:25:06| pinger: ICMP socket opened.
2019/04/19 06:25:06| pinger: ICMPv6 socket opened
2019/04/19 06:25:07 kid1| storeLateRelease: released 0 objects
2019/04/19 06:43:48| SendEcho ERROR: sending to ICMPv6 packet to [2606:2800:133:206e:1315:22a5:2006:24fd]: (101) Network is unreachable
2019/04/19 06:49:14| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:809::200e]: (101) Network is unreachable
2019/04/19 06:49:16| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 07:03:32| SendEcho ERROR: sending to ICMPv6 packet to [2620:1ec:c11::200]: (101) Network is unreachable
2019/04/19 07:10:31 kid1| Logfile: opening log stdio:/var/spool/squid/netdb.state
2019/04/19 07:10:31 kid1| Logfile: closing log stdio:/var/spool/squid/netdb.state
2019/04/19 07:10:31 kid1| NETDB state saved; 1 entries, 0 msec
2019/04/19 07:19:15| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:817::200e]: (101) Network is unreachable
2019/04/19 07:19:17| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:812::2002]: (101) Network is unreachable
2019/04/19 07:43:48| SendEcho ERROR: sending to ICMPv6 packet to [2606:2800:133:206e:1315:22a5:2006:24fd]: (101) Network is unreachable
2019/04/19 07:49:16| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:808::200e]: (101) Network is unreachable
2019/04/19 07:49:18| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 08:19:17| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:816::200e]: (101) Network is unreachable
2019/04/19 08:19:19| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 08:22:24| SendEcho ERROR: sending to ICMPv6 packet to [2a02:26f0:d4:183::611]: (101) Network is unreachable
2019/04/19 08:22:33| SendEcho ERROR: sending to ICMPv6 packet to [2620:1ec:c11::200]: (101) Network is unreachable
2019/04/19 08:22:36| SendEcho ERROR: sending to ICMPv6 packet to [2a03:9180:1:64::e]: (101) Network is unreachable


root at srv-squid-i2:/var/log# more syslog
Apr 19 06:25:02 srv-squid-i2 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="850" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr 19 06:25:02 srv-squid-i2 squid[23529]: Closing Pinger socket on FD 26
Apr 19 06:25:02 srv-squid-i2 squid[23529]: storeDirWriteCleanLogs: Starting...
Apr 19 06:25:02 srv-squid-i2 squid[23529]:   Finished.  Wrote 0 entries.
Apr 19 06:25:02 srv-squid-i2 squid[23529]:   Took 0.00 seconds (  0.00 entries/sec).
Apr 19 06:25:02 srv-squid-i2 squid[23529]: logfileRotate: daemon:/var/log/squid/access.log
Apr 19 06:25:02 srv-squid-i2 squid[23529]: logfileRotate: daemon:/var/log/squid/access.log
Apr 19 06:25:02 srv-squid-i2 squid[23529]: assertion failed: comm.cc:428: "!isOpen(conn->fd)"
Apr 19 06:25:06 srv-squid-i2 squid[23527]: Squid Parent: squid-1 process 23529 exited due to signal 6 with status 0
Apr 19 06:25:06 srv-squid-i2 squid[23527]: Squid Parent: (squid-1) process 26758 started
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Set Current Directory to /var/spool/squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Service Name: squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Process ID 26758
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Process Roles: worker
Apr 19 06:25:06 srv-squid-i2 squid[26758]: With 1024 file descriptors available
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Initializing IP Cache...
Apr 19 06:25:06 srv-squid-i2 squid[26758]: DNS Socket created at [::], FD 5
Apr 19 06:25:06 srv-squid-i2 squid[26758]: DNS Socket created at 0.0.0.0, FD 10
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adding nameserver 127.0.0.53 from /etc/resolv.conf
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adding domain ifsi.chdupaysdegier.fr from /etc/resolv.conf
Apr 19 06:25:06 srv-squid-i2 squid[26758]: helperOpenServers: Starting 5/32 'security_file_certgen' processes
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Logfile: opening log daemon:/var/log/squid/access.log
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Logfile Daemon: opening log /var/log/squid/access.log
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Store logging disabled
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Swap maxSize 0 + 524288 KB, estimated 40329 objects
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Target number of buckets: 2016
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Using 8192 Store buckets
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Max Mem  size: 524288 KB
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Max Swap size: 0 KB
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Using Least Load store dir selection
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Set Current Directory to /var/spool/squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Finished loading MIME types and icons.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: HTCP Disabled.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Pinger socket opened on FD 26
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Squid plugin modules loaded: 0
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adaptation support is off.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
Apr 19 06:25:07 srv-squid-i2 squid[26758]: storeLateRelease: released 0 objects
Apr 19 06:36:14 srv-squid-i2 snapd[14282]: storehelpers.go:441: cannot refresh snap "core": snap has no updates available
Apr 19 06:36:14 srv-squid-i2 snapd[14282]: autorefresh.go:379: auto-refresh: all snaps are up-to-date
Apr 19 07:10:31 srv-squid-i2 squid[26758]: Logfile: opening log stdio:/var/spool/squid/netdb.state
Apr 19 07:10:31 srv-squid-i2 squid[26758]: Logfile: closing log stdio:/var/spool/squid/netdb.state
Apr 19 07:10:31 srv-squid-i2 squid[26758]: NETDB state saved; 1 entries, 0 msec
Apr 19 07:17:01 srv-squid-i2 CRON[27013]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Apr 19 08:05:05 srv-squid-i2 systemd[1]: Started ntp-systemd-netif.service.
Apr 19 08:17:01 srv-squid-i2 CRON[27257]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of squid-users-request at lists.squid-cache.org
Sent: Friday, 19 April 2019 06:00
To: squid-users at lists.squid-cache.org
Subject: squid-users Digest, Vol 56, Issue 32

Send squid-users mailing list submissions to
	squid-users at lists.squid-cache.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
	squid-users-request at lists.squid-cache.org

You can reach the person managing the list at
	squid-users-owner at lists.squid-cache.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: squid-users Digest, Vol 56, Issue 12 (Wegner Michaël)
   2. Re: Squid 3.5 https facebook caching (Eliezer Croitoru)
   3. Re: Squid 3.5 https facebook caching (Amos Jeffries)
   4. Re: squid-users Digest, Vol 56, Issue 12 (Amos Jeffries)


----------------------------------------------------------------------

Message: 1
Date: Thu, 18 Apr 2019 15:34:00 +0200
From: Wegner Michaël <m.wegner at hopitaldugier.fr>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid-users Digest, Vol 56, Issue 12
Message-ID: <8984823b.1d4f5eb.6cc6cb3c.3b71 at hopitaldugier.fr>
Content-Type: text/plain; charset=utf-8

Hi,

The SSL is OK. I still can't play some YouTube videos.
Squid is version 4.6.
In access.log : TCP_TUNNEL/200 2083 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.206.238
I think the problem comes from heading.

My squid.conf for test is :
visible_hostname squid

acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/etc/ssl_cert/myCA.pem

ssl_bump splice localhost
acl 9 at_step SslBump1
acl 10 at_step SslBump2
acl 11 at_step SslBump3
ssl_bump peek 9 all
ssl_bump bump 10 all
ssl_bump bump 11 all

coredump_dir /var/spool/squid


Kind regards,

-----Original Message-----
From: Wegner Michaël [mailto:m.wegner at hopitaldugier.fr]
Sent: Tuesday, 9 April 2019 11:18
To: squid-users at lists.squid-cache.org
Subject: RE: squid-users Digest, Vol 56, Issue 12



-----Original Message-----
From: Wegner Michaël [mailto:m.wegner at hopitaldugier.fr]
Sent: Monday, 8 April 2019 11:15
To: squid-users at lists.squid-cache.org
Subject: RE: squid-users Digest, Vol 56, Issue 12

Hi Antony,

The video is OK if I do not use squid v3.5.
If I disable redirection to squidGuard in the squid.conf file, the problem is the same.
If squid is activated, some videos are blocked (the videos in restricted mode). With an old version of squid (2.6) there are no problems.

Regards,

Hi,

I installed a new squid server, version 4.6, without squidGuard and with access allow all.
I set up SSL and imported the certificate on the client, but without success.

My squid.conf is : 

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*

#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all


http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /opt/squid/log/squid/ssl_db -M 4MB
coredump_dir /opt/squid/var/cache/squid
cache_dir ufs /opt/squid/var/cache/squid 1000 16 256 # 1GB as Cache


# Squid normally listens to port 3128

#http_port 3128

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid



refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


regards

Michaël


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of squid-users-request at lists.squid-cache.org
Sent: Saturday, 6 April 2019 14:00
To: squid-users at lists.squid-cache.org
Subject: squid-users Digest, Vol 56, Issue 12


Today's Topics:

   1. youtube restriction. (Wegner Michaël)
   2. Re: youtube restriction. (Vacheslav Zouhairy)
   3. Re: youtube restriction. (Antony Stone)


----------------------------------------------------------------------

Message: 1
Date: Fri, 05 Apr 2019 15:06:00 +0200
From: Wegner Michaël <m.wegner at hopitaldugier.fr>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] youtube restriction.
Message-ID: <527bfee2.1d4ebb0.29b980e7.db3 at hopitaldugier.fr>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
 
I install squid + squidguard, and I can't play youtube video.
For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ; https://m.youtube.com/watch?v=jbBUQ-uvlRU
 
Error : video not available access to this video is limited
 
I have Ubuntu server 18.04 and squid v 3.5.27
 
Can you help me, please?
 
Thanks,
 
Kind Regards
 

------------------------------

Message: 2
Date: Fri, 05 Apr 2019 16:21:28 +0300
From: Vacheslav Zouhairy <m_zouhairy at skno.by>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] youtube restriction.
Message-ID: <edde432e1f0745413ed6d35d157a6abc025b7d3d.camel at skno.by>
Content-Type: text/plain; charset="utf-8"

time to try ufdbguard, it is very flexible and relatively easy to configure.
On Fri, 2019-04-05 at 15:06 +0200, Wegner Michaël wrote:
> Hi,
>  
> I install squid + squidguard, and I can’t play youtube video.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ; 
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
>  
> Error : video not available
> access to this video is limited
>
> I have Ubuntu server 18.04 and squid v 3.5.27
>
> Can you help me please
>
> Thanks,
> Kind Regards
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

------------------------------

Message: 3
Date: Fri, 5 Apr 2019 15:39:08 +0200
From: Antony Stone <Antony.Stone at squid.open.source.it>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] youtube restriction.
Message-ID: <201904051539.08777.Antony.Stone at squid.open.source.it>
Content-Type: Text/Plain;  charset="iso-8859-15"

On Friday 05 April 2019 at 15:06:00, Wegner Michaël wrote:

> Hi,
> 
> I install squid + squidguard, and I can't play youtube video.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ; 
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
> 
> Error : video not available access to this video is limited

1. Does it work if you do not go via Squid and SquidGuard?

2. Can you play any other Youtube videos?

3. Given that this is an HTTPS connection, how are you restricting HTTPS content with SquidGuard?

> I have Ubuntu server 18.04 and squid v 3.5.27
> 
> Can you help me please

Regards,


Antony.

--
"Measuring average network latency is about as useful as measuring the mean temperature of patients in a hospital."

 - Stéphane Bortzmeyer

                                                   Please reply to the list;
                                                         please *don't* CC me.


------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 56, Issue 12
*******************************************



------------------------------

Message: 2
Date: Fri, 19 Apr 2019 00:17:32 +0300
From: Eliezer Croitoru <ngtech1ltd at gmail.com>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.5 https facebook caching
Message-ID: <6f81e912-2c71-b25e-818b-7c16df7298e7 at gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed

Just to add:

Facebook has these headers for many of their videos:

    Cache-Control: max-age=1209600, no-transform


So what happens is that the client browser will save these URLs for a 
very long time and it's good.

It takes burden off the intermediate proxy.

I wrote some code that works for most of the facebook public videos at:

http://gogs.ngtech.co.il/NgTech-LTD/storeid-helpers/raw/master/facebook--video-2019.rb


Hope it helps.

Eliezer


On 4/18/2019 1:45 PM, Amos Jeffries wrote:
> On 18/04/19 12:03 pm, tester100 wrote:
>> Amos
>>
>> big thxs for all your input
>>
>> it just shows me that i know nothing about squid that i am complete newbie,
>> and that i need to spend my time reading all the manual and config examples.
>>
> I did not mean to imply a lot of reading was needed. Just some in
> relation to the items I mentioned as probably leading to your issue. The
> rest can be long-term goals to fix up.
>
> FYI: The Squid wiki <http://wiki.squid-cache.org/> and config manual
> <http://www.squid-cache.org/Doc/config/> (the v3.5 pages for your Squid
> version) are the most accurate information sources behind reading the
> code itself. But keep in mind that Squid-3 is also outdated nowadays,
> Squid-4 and later have changed some significant feature behaviours.
>
>
> Most of the things I pointed out were useful at some point (eg Squid-2),
> and may still be for some use-cases. But for which Squid behaviour has
> changed since how-tos and tutorials advising them were written.
>
>
>> big thanks i will have some guidance on reading and research for the next
>> couple of days now.
>>
> You are welcome. Any further questions or advice wanted please feel free
> to ask. Helping each other use Squid is what this mailing list is
> about - for experts and newbies alike.
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-- 

----

Eliezer Croitoru <http://ngtech.co.il/main-en/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il <mailto:eliezer at ngtech.co.il>



------------------------------

Message: 3
Date: Fri, 19 Apr 2019 15:35:49 +1200
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.5 https facebook caching
Message-ID: <67347320-3125-f3c4-d706-46820eea5718 at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 19/04/19 9:17 am, Eliezer Croitoru wrote:
> Just to add:
> 
> Facebook has these headers for many of their videos:
> 
>    Cache-Control: max-age=1209600, no-transform
> 
> 
> So what happens is that the client browser will save these URLs for a
> very long time and it's good.


As will Squid unless the admin has configured refresh_pattern options
that force expiry earlier.

Amos


------------------------------

Message: 4
Date: Fri, 19 Apr 2019 15:59:23 +1200
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid-users Digest, Vol 56, Issue 12
Message-ID: <a018e0cd-8dc7-02b2-d474-82a202472bfa at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

> -----Original Message-----
...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."

When you are trying to message the list about issues please change your
subscription settings to deliver you the individual posts so you can
reply to threads instead of digests.


On 19/04/19 1:34 am, Wegner Michaël wrote:
> Hi,
> 
> The SSL is OK. I still can't play some YouTube videos.
> Squid in version 4.6
> In access.log : TCP_TUNNEL/200 2083 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.206.238
> I think the problem comes from heading.
> 

What are you calling "heading"?


The (incomplete) access.log entry you show has;

 * an unknown client requesting a tunnel to www.youtube.com.

 * Squid is opening a tunnel to the server 216.58.206.238.

 * Squid is informing the client that it was 200/success. The tunnel can
be used.

 * 2083 bytes are sent to the client. Some of those were for the 200
response.

 * the tunnel is closed without any errors having occurred.


This line means multiple different things depending on which port your
proxy received it on (if received) or whether Squid generated the
CONNECT pieces for SSL-Bump internal use.


> My squid.conf for test is :
> visible_hostname squid
> 
> acl localnet src 10.0.0.0/8
> 
> acl SSL_ports port 443
> 
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> 
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> http_port 3128

Traffic arriving on above port never has SSL-Bump applied to it. Tunnels
are always directly client<->origin with no Squid interaction to the
HTTPS portion.


> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/etc/ssl_cert/myCA.pem
> 
> ssl_bump splice localhost

Traffic NAT intercepted from localhost is always spliced. The TLS and
wrapped HTTPS are always directly client<->origin with no Squid interaction.

> acl 9 at_step SslBump1
> acl 10 at_step SslBump2
> acl 11 at_step SslBump3
> ssl_bump peek 9 all
> ssl_bump bump 10 all

All traffic which is from non-localhost is always bumped at step-2 by
SSL-Bump.

Step-2 has zero details about the actual origin server TLS capabilities
or properties. Bumping at this step is what we call "client-first". It
has *many* problems and should be avoided unless absolutely necessary.


YouTube is a Google domain. Google are particularly strict about their
TLS usage and security. They do a lot of things to absolutely prohibit
things like client-first being possible at all.

Bump not being possible at all is the normal state for Google domains.
It is more surprising that you are reporting "works fine" for parts of
YT than the failure.

More details will be needed to see what is going on. Please start by
providing the whole of that access.log line and the other log entries
from your test transaction. If bumping is happening at all there *will*
be multiple log entries.


> ssl_bump bump 11 all
> 

Above should never happen because everything was already spliced at
step-1 or bumped at step-2.


Amos
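
The rule-by-rule analysis in the reply above can be reproduced with a small model. This is an added example, not code from the thread or from Squid; it assumes that at each step the first ssl_bump rule whose ACLs all match decides the action, and it does not model Squid's handling of actions that are impossible at a given step.

```python
# Added illustration: simplified model of ssl_bump rule evaluation.
# Assumption: per step, the first rule whose ACLs all match wins.

STEPS = ("SslBump1", "SslBump2", "SslBump3")
FINAL_ACTIONS = {"splice", "bump", "terminate"}

# at_step ACLs exactly as named in the quoted squid.conf.
AT_STEP_ACLS = {"9": "SslBump1", "10": "SslBump2", "11": "SslBump3"}

# ssl_bump lines from the quoted squid.conf, in file order:
# (action, ACL names that must all match).
RULES = (
    ("splice", ("localhost",)),
    ("peek", ("9", "all")),
    ("bump", ("10", "all")),
    ("bump", ("11", "all")),
)


def acl_matches(acl, step, from_localhost):
    """Evaluate one ACL name for a connection at the given SSL-Bump step."""
    if acl == "all":
        return True
    if acl == "localhost":
        return from_localhost
    return AT_STEP_ACLS[acl] == step


def evaluate(rules, from_localhost):
    """Return the (step, rule_index, action) decisions for one connection."""
    trace = []
    for step in STEPS:
        hit = next(
            ((i, action) for i, (action, acls) in enumerate(rules)
             if all(acl_matches(a, step, from_localhost) for a in acls)),
            None,
        )
        if hit is None:
            break  # no rule matched; this model stops here
        trace.append((step, hit[0], hit[1]))
        if hit[1] in FINAL_ACTIONS:
            break  # splice/bump/terminate end the decision process
    return trace


def unreachable_rules(rules):
    """Indexes of rules that no connection (localhost or not) ever reaches."""
    used = set()
    for from_localhost in (True, False):
        used.update(i for _, i, _ in evaluate(rules, from_localhost))
    return [i for i in range(len(rules)) if i not in used]


if __name__ == "__main__":
    for label, flag in (("localhost", True), ("other client", False)):
        print(label, evaluate(RULES, flag))
    print("rules never reached:", unreachable_rules(RULES))
```

Index 3 is the `ssl_bump bump 11 all` line, which matches the remark that it should never happen.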


------------------------------

End of squid-users Digest, Vol 56, Issue 32
*******************************************
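
The remark in Message 4 that a bumped connection leaves multiple access.log entries can be checked against a log like the one at the top of this message. The following is an added example, not code from the thread: the first three sample lines are copied from that access.log, and the last two (host `bumped.example.test`, documentation-range addresses) are constructed to show what a decrypted transaction adds.

```python
# Added illustration: separate tunnelled from decrypted traffic in a Squid
# native-format access.log.
from collections import defaultdict
from urllib.parse import urlsplit

# Lines 1-3 come from the access.log in this message. Lines 4-5 are
# constructed (hypothetical host and addresses) for comparison.
SAMPLE_LOG = """\
1555649464.161 109997 10.5.27.200 TCP_TUNNEL/200 1712 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.215.46 -
1555654475.378   2134 10.5.27.200 TCP_TUNNEL_ABORTED/200 7466 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654944.756     62 10.5.27.200 TCP_MISS/200 4680 GET http://tile-service.weather.microsoft.com/fr-FR/livetile/preinstall? - HIER_DIRECT/23.36.210.35 text/xml
1555655000.100     15 192.0.2.10 NONE/200 0 CONNECT bumped.example.test:443 - HIER_NONE/- -
1555655000.450    310 192.0.2.10 TCP_MISS/200 5120 GET https://bumped.example.test/index.html - HIER_DIRECT/198.51.100.7 text/html
"""


def parse_line(line):
    """Split one native-format line; return None if it is incomplete."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {"client": fields[2], "code": code, "status": status,
            "method": fields[5], "url": fields[6]}


def destination(entry):
    """Host the entry refers to: CONNECT target or URL hostname."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname or entry["url"]


def classify(log_text):
    """Count tunnel, aborted-tunnel, decrypted and plain-HTTP entries per host."""
    stats = defaultdict(
        lambda: {"tunnel": 0, "aborted": 0, "decrypted": 0, "plain": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = stats[destination(entry)]
        if entry["method"] == "CONNECT":
            # Only TCP_TUNNEL* means bytes were relayed without inspection.
            if entry["code"].startswith("TCP_TUNNEL"):
                host["tunnel"] += 1
                if entry["code"].endswith("_ABORTED"):
                    host["aborted"] += 1
        elif entry["url"].lower().startswith("https://"):
            # An https:// URL with a real method is only visible after a bump.
            host["decrypted"] += 1
        else:
            host["plain"] += 1
    return dict(stats)


def tunnel_only_hosts(stats):
    """Hosts seen only as opaque tunnels (no evidence of bumping)."""
    return sorted(h for h, s in stats.items()
                  if s["tunnel"] and not s["decrypted"])


def bumped_hosts(stats):
    """Hosts for which decrypted HTTPS requests were logged."""
    return sorted(h for h, s in stats.items() if s["decrypted"])


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print("tunnel only:", tunnel_only_hosts(result))
    print("bumped:", bumped_hosts(result))
```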


