Here is my squid.conf and, following it, the cache.log.
--
http_port 8000 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/ssl_cert/myCA.pem
auth_param basic program /cygdrive/c/Squid/lib/squid/basic_ldap_auth.exe -v 3 -P -R -b "DC=CONDUIRA,DC=LOCAL" -D "CN=administrator,CN=Users,DC=CONDUIRA,DC=LOCAL" -w anar_2017 -f sAMAccountName=%s -h 192.168.100.1
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl localnet src 192.168.100.0/24 fc00::/7 fe80::/10
acl SSL_ports port 443
acl Safe_ports port 21 70 80 210 280 443 488 591 777 1025-65535
acl CONNECT method CONNECT
acl CONNECT method CONNECT
cache_dir ufs c:/squid/var/cache/squid/cache 100 16 256
access_log stdio:/cygdrive/c/Squid/var/log/squid/access.log squid
coredump_dir /cygdrive/c/Squid/var/cache/squid
pid_filename /cygdrive/c/Squid/var/run/squid/run/squid/squidsrv.pid
acl denyext url_regex -i \.exe$ \.mp3$ \.mpeg$ \.mpg$ \.rar$ \.asx$ \.wma$ \.wmv$ \.avi$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.wmf$ \.mov$
http_access deny denyext all
request_body_max_size 1024 KB
acl fileupload req_mime_type -i ^multipart/form-data$
http_access deny fileupload
## Full Access Users
acl active_directory_authenticated proxy_auth REQUIRED
acl user_previleged proxy_auth raju.masina
http_access allow active_directory_authenticated user_previleged
## Allowed Domains for ALL_Users
acl domains_all dstdomain "c:/Squid/etc/allowed_domains.txt"
http_access allow active_directory_authenticated domains_all
refresh_pattern -i .*\.(m4f|mp4|txt) 5259487 99% 5259487 override-expire ignore-reload reload-into-ims ignore-no-cache ignore-private refresh-ims
acl storeid-helper url_regex -i ^https?:\/\/.*\.s3-ap-southeast-1\.amazonaws\.com(.*\.(m4f|mp4))
store_id_access deny all
acl loop_302 http_status 302
acl getmethod method GET
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny localhost manager
http_access deny manager
http_access deny all
always_direct allow all
#ssl_bump splice bypast
#ssl_bump peek bypast
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s /cygdrive/c/squid/var/run/squid/run/squid/ssl_db/certs -M 4MB
sslcrtd_children 8 startup=1 idle=1
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 8 MB
minimum_object_size 0 KB
maximum_object_size 1 GB
maximum_object_size_in_memory 512 KB
cache_swap_low 90
cache_swap_high 95
store_id_access deny !getmethod
store_id_access allow storeid-helper
dns_nameservers 192.168.100.1
hosts_file /cygdrive/c/windows/system32/drivers/etc/hosts
CACHE.LOG
2016/11/04 17:26:39 kid1| Adding nameserver 192.168.100.1 from squid.conf
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:26:39 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:26:39 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:39 kid1| helperOpenServers: No 'basic_ldap_auth.exe' processes needed.
2016/11/04 17:26:39 kid1| HTCP Disabled.
2016/11/04 17:26:39 kid1| Finished loading MIME types and icons.
2016/11/04 17:26:39 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:8000 remote=[::] FD 13 flags=9
2016/11/04 17:26:44 kid1| Starting new basicauthenticator helpers...
2016/11/04 17:26:44 kid1| helperOpenServers: Starting 1/5 'basic_ldap_auth.exe' processes
2016/11/04 17:26:44 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:39 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:39 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2016/11/04 17:55:40 kid1| Starting new ssl_crtd helpers...
2016/11/04 17:55:40 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/11/04 17:55:40 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
Regards.
On Fri, Nov 4, 2016 at 8:13 PM, <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Today's Topics:
1. Re: squid warning (Yuri)
2. Re: squid warning (Matus UHLAR - fantomas)
3. Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs (Garri Djavadyan)
4. Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs (Garri Djavadyan)
5. Re: squid warning (Yuri Voinov)
6. Re: Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs (Amos Jeffries)
----------------------------------------------------------------------
Message: 1
Date: Fri, 4 Nov 2016 18:23:05 +0600
From: Yuri <yvoinov@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: squid warning
Message-ID: <5e2eaab8-71fb-1908-f93a-acea6e451727@xxxxxxxxx>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
This warning is irrelevant to your google issue.
Show your config.
On 04.11.2016 10:34, Raju M K wrote:
> Hi,
> I installed squid v3.5.22 on Windows and enabled ssl_bump.
> Now my issue is:
> The web page is opening very slowly. For example, www.google.com
> <http://www.google.com/> is taking more than 30 seconds.
> The cache log is showing the warning below:
> 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
>
> Please help me.
> --
> Regards,
> M K Raju.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
------------------------------
Message: 2
Date: Fri, 4 Nov 2016 13:39:20 +0100
From: Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: squid warning
Message-ID: <20161104123920.GA5216@fantomas.sk>
Content-Type: text/plain; charset=utf-8; format=flowed
On 04.11.16 18:23, Yuri wrote:
>This warning is irrelevant to your google issue.
Are you sure that creating a fake google certificate is not the reason for the
delay?
>On 04.11.2016 10:34, Raju M K wrote:
>>I installed squid v3.5.22 on Windows and enabled ssl_bump.
>>Now my issue is:
>>The web page is opening very slowly. For example, www.google.com
>><http://www.google.com/> is taking more than 30 seconds.
>>The cache log is showing the warning below:
>>2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
>>2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
------------------------------
Message: 3
Date: Fri, 04 Nov 2016 17:43:33 +0500
From: Garri Djavadyan <garryd@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Subject: Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs
Message-ID: <1478263413.30442.5.camel@comnet.uz>
Content-Type: text/plain; charset="UTF-8"
I noticed that Squid doesn't use the gathered domain name information for
%ru in access.log when the splice action is performed at step 3 for
intercepted traffic. The format code ssl::>sni is available at both
steps. Below are the examples used to verify the behavior using Squid
3.5.22, but the results are the same for Squid 4.0.16.
The request used on client:
$ curl https://www.openssl.org/ > /dev/null
The configuration for splice at step 2:
# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates
> acl StepSplice at_step SslBump2
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::>sni
The result:
1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
-----
The configuration for splice at step 3:
# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates
> acl StepSplice at_step SslBump3
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::>sni
The result:
1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
Is it a bug or intended behavior? Thanks.
Garri
------------------------------
Message: 4
Date: Fri, 04 Nov 2016 19:06:22 +0500
From: Garri Djavadyan <garryd@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs
Message-ID: <1478268382.30442.11.camel@comnet.uz>
Content-Type: text/plain; charset="UTF-8"
On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
> I noticed that Squid doesn't use gathered domain name information for
> %ru in access.log when splice action is performed at step 3 for
> intercepted traffic. The format code ssl::>sni is available at both
> steps. Below are examples used to verify the behavior using Squid
> 3.5.22, but the results are same for Squid 4.0.16.
>
> The request used on client:
>
> $ curl https://www.openssl.org/ > /dev/null
>
>
> The configuration for splice at step 2:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> >
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> >
> > acl StepSplice at_step SslBump2
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
>
> 1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> 1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> -----
> The configuration for splice at step 3:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> >
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> >
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
> 1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> Is it a bug or intended behavior? Thanks.
>
> Garri
It prevents domain name identification when SNI is not provided by a
client. For example:
Request:
$ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl s_client -quiet -no_ign_eof -connect www.openssl.org:443
Config:
# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates
> acl StepSplice at_step SslBump3
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::>sni
Result:
1478267428.070 347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
------------------------------
Message: 5
Date: Fri, 4 Nov 2016 20:07:25 +0600
From: Yuri Voinov <yvoinov@xxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: squid warning
Message-ID: <0840e0bf-597d-5493-3562-bb69390c5f20@xxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
On 04.11.2016 18:39, Matus UHLAR - fantomas wrote:
> On 04.11.16 18:23, Yuri wrote:
>> This warning is irrelevant to your google issue.
>
> Are you sure that creating a fake google certificate is not the reason for the
> delay?
I'm talking about this warning: WARNING: no_suid: setuid(0): (22) Invalid
Have you seen Diladele Win64 Squid with your own eyes? If yes, you
understand me.
However, I suggest (only a guess, because I have not seen squid.conf) that the
real problem is here:
helperOpenServers: Starting 1/8 'ssl_crtd' processes
It seems there are too few ssl_crtd helper processes.
>
>> On 04.11.2016 10:34, Raju M K wrote:
>>> I installed squid v3.5.22 on Windows and enabled ssl_bump.
>>> Now my issue is:
>>> The web page is opening very slowly. For example, www.google.com
>>> <http://www.google.com/> is taking more than 30 seconds.
>>> The cache log is showing the warning below:
>>> 2016/11/03 17:45:16 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
>>> 2016/11/03 17:45:16 kid1| WARNING: no_suid: setuid(0): (22) Invalid
>
>
--
Cats - delicious. You just do not know how to cook them.
------------------------------
Message: 6
Date: Sat, 5 Nov 2016 03:42:45 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@lists.squid-cache.org
Subject: Re: Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs
Message-ID: <5e50526c-5945-8038-d09e-3c7d56ac2512@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8
On 5/11/2016 1:43 a.m., Garri Djavadyan wrote:
> The configuration for splice at step 3:
>
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
>> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
>> acl StepSplice at_step SslBump3
>> ssl_bump splice StepSplice
>> ssl_bump peek all
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
> %Sh/%<a %mt %ssl::>sni
>
>
> The result:
> 1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
>
>
> Is it a bug or intended behavior? Thanks.
>
The person (Christos) who designed that behaviour is not reading this
mailing list very often.
AFAIK, it depends on what the SubjectAltName field in the certificate
provided by 104.124.119.14 contains.
Amos
------------------------------
End of squid-users Digest, Vol 27, Issue 9
Regards,
M K Raju.