Hi,

Please find below access.log, cache.log and syslog.
Do you want another log?

Thanks

root@srv-squid-i2:/var/log/squid# more access.log
1555648138.455 73091 10.5.27.200 TCP_TUNNEL/200 4085 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555648580.052 73447 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555649036.566 160 10.5.27.200 TCP_TUNNEL/200 7558 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/40.112.75.175 -
1555649119.277 125693 10.5.27.200 TCP_TUNNEL/200 4087 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555649138.798 109989 10.5.27.200 TCP_TUNNEL/200 20881 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/152.199.19.161 -
1555649464.161 109997 10.5.27.200 TCP_TUNNEL/200 1712 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.215.46 -
1555649464.161 108037 10.5.27.200 TCP_TUNNEL/200 1197 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/172.217.19.226 -
1555649505.784 31964 10.5.27.200 TCP_TUNNEL_ABORTED/200 3877 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.21 -
1555649509.173 380 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.21 -
1555649680.077 90863 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555649850.998 473 10.5.27.200 TCP_TUNNEL/200 4318 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/52.138.216.83 -
1555650083.397 122117 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555650103.666 64195 10.5.27.200 TCP_TUNNEL/200 7202 CONNECT config.edge.skype.com:443 - HIER_DIRECT/13.107.3.128 -
1555650272.369 60315 10.5.27.200 TCP_TUNNEL_ABORTED/200 8347 CONNECT www.bing.com:443 - HIER_DIRECT/13.107.21.200 -
1555650780.077 92598 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555650836.825 170 10.5.27.200 TCP_TUNNEL/200 7412 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/40.127.128.174 -
1555651108.433 80243 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555651265.123 109984 10.5.27.200 TCP_TUNNEL/200 1716 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.204.142 -
1555651265.123 107990 10.5.27.200 TCP_TUNNEL/200 1315 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/216.58.209.226 -
1555651274.348 486 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.132.23 -
1555651880.093 109899 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555652318.162 124789 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555652637.037 168 10.5.27.200 TCP_TUNNEL/200 7558 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/137.117.142.136 -
1555652738.982 110004 10.5.27.200 TCP_TUNNEL/200 20880 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/152.199.19.161 -
1555652949.663 125870 10.5.27.200 TCP_TUNNEL/200 4088 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555653066.135 109979 10.5.27.200 TCP_TUNNEL/200 1705 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.209.238 -
1555653066.135 107992 10.5.27.200 TCP_TUNNEL/200 1337 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/216.58.213.162 -
1555653074.079 215 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.75.78 -
1555653418.457 62776 10.5.27.200 TCP_TUNNEL/200 4087 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555653648.118 68460 10.5.27.200 TCP_TUNNEL/200 7202 CONNECT config.edge.skype.com:443 - HIER_DIRECT/13.107.3.128 -
1555654080.060 104160 10.5.27.200 TCP_TUNNEL/200 4086 CONNECT array608-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.221.239 -
1555654437.259 166 10.5.27.200 TCP_TUNNEL/200 7412 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/137.117.142.136 -
1555654475.378 2134 10.5.27.200 TCP_TUNNEL_ABORTED/200 7466 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.378 2136 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.379 2135 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654475.379 2138 10.5.27.200 TCP_TUNNEL_ABORTED/200 5902 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654508.826 840 10.5.27.200 TCP_TUNNEL_ABORTED/200 6667 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -
1555654589.774 132 10.5.27.200 TCP_TUNNEL/200 4607 CONNECT disc601-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/95.101.16.117 -
1555654640.134 98179 10.5.27.200 TCP_TUNNEL/200 3561 CONNECT array615-prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/40.69.219.197 -
1555654867.118 109979 10.5.27.200 TCP_TUNNEL/200 1703 CONNECT www.youtube.com:443 - HIER_DIRECT/172.217.18.206 -
1555654867.118 107994 10.5.27.200 TCP_TUNNEL/200 1282 CONNECT googleads.g.doubleclick.net:443 - HIER_DIRECT/172.217.19.226 -
1555654874.900 1004 10.5.27.200 TCP_TUNNEL/200 4237 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.32.7 -
1555654944.756 62 10.5.27.200 TCP_MISS/200 4680 GET http://tile-service.weather.microsoft.com/fr-FR/livetile/preinstall? - HIER_DIRECT/23.36.210.35 text/xml

root@srv-squid-i2:/var/log/squid# more cache.log
2019/04/19 06:25:02| Set Current Directory to /var/spool/squid
2019/04/19 06:25:02 kid1| storeDirWriteCleanLogs: Starting...
2019/04/19 06:25:02 kid1| Finished. Wrote 0 entries.
2019/04/19 06:25:02 kid1| Took 0.00 seconds ( 0.00 entries/sec).
2019/04/19 06:25:02 kid1| logfileRotate: daemon:/var/log/squid/access.log
2019/04/19 06:25:02 kid1| logfileRotate: daemon:/var/log/squid/access.log
2019/04/19 06:25:02 kid1| assertion failed: comm.cc:428: "!isOpen(conn->fd)"
2019/04/19 06:25:06 kid1| Set Current Directory to /var/spool/squid
2019/04/19 06:25:06 kid1| Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
2019/04/19 06:25:06 kid1| Service Name: squid
2019/04/19 06:25:06 kid1| Process ID 26758
2019/04/19 06:25:06 kid1| Process Roles: worker
2019/04/19 06:25:06 kid1| With 1024 file descriptors available
2019/04/19 06:25:06 kid1| Initializing IP Cache...
2019/04/19 06:25:06 kid1| DNS Socket created at [::], FD 5
2019/04/19 06:25:06 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/04/19 06:25:06 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2019/04/19 06:25:06 kid1| Adding domain ifsi.chdupaysdegier.fr from /etc/resolv.conf
2019/04/19 06:25:06 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2019/04/19 06:25:06 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2019/04/19 06:25:06 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2019/04/19 06:25:06 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/04/19 06:25:06 kid1| Store logging disabled
2019/04/19 06:25:06 kid1| Swap maxSize 0 + 524288 KB, estimated 40329 objects
2019/04/19 06:25:06 kid1| Target number of buckets: 2016
2019/04/19 06:25:06 kid1| Using 8192 Store buckets
2019/04/19 06:25:06 kid1| Max Mem size: 524288 KB
2019/04/19 06:25:06 kid1| Max Swap size: 0 KB
2019/04/19 06:25:06 kid1| Using Least Load store dir selection
2019/04/19 06:25:06 kid1| Set Current Directory to /var/spool/squid
2019/04/19 06:25:06 kid1| Finished loading MIME types and icons.
2019/04/19 06:25:06 kid1| HTCP Disabled.
2019/04/19 06:25:06 kid1| Pinger socket opened on FD 26
2019/04/19 06:25:06 kid1| Squid plugin modules loaded: 0
2019/04/19 06:25:06 kid1| Adaptation support is off.
2019/04/19 06:25:06 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2019/04/19 06:25:06 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
2019/04/19 06:25:06| pinger: Initialising ICMP pinger ...
2019/04/19 06:25:06| pinger: ICMP socket opened.
2019/04/19 06:25:06| pinger: ICMPv6 socket opened
2019/04/19 06:25:07 kid1| storeLateRelease: released 0 objects
2019/04/19 06:43:48| SendEcho ERROR: sending to ICMPv6 packet to [2606:2800:133:206e:1315:22a5:2006:24fd]: (101) Network is unreachable
2019/04/19 06:49:14| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:809::200e]: (101) Network is unreachable
2019/04/19 06:49:16| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 07:03:32| SendEcho ERROR: sending to ICMPv6 packet to [2620:1ec:c11::200]: (101) Network is unreachable
2019/04/19 07:10:31 kid1| Logfile: opening log stdio:/var/spool/squid/netdb.state
2019/04/19 07:10:31 kid1| Logfile: closing log stdio:/var/spool/squid/netdb.state
2019/04/19 07:10:31 kid1| NETDB state saved; 1 entries, 0 msec
2019/04/19 07:19:15| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:817::200e]: (101) Network is unreachable
2019/04/19 07:19:17| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:812::2002]: (101) Network is unreachable
2019/04/19 07:43:48| SendEcho ERROR: sending to ICMPv6 packet to [2606:2800:133:206e:1315:22a5:2006:24fd]: (101) Network is unreachable
2019/04/19 07:49:16| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:808::200e]: (101) Network is unreachable
2019/04/19 07:49:18| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 08:19:17| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:816::200e]: (101) Network is unreachable
2019/04/19 08:19:19| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4007:805::2002]: (101) Network is unreachable
2019/04/19 08:22:24| SendEcho ERROR: sending to ICMPv6 packet to [2a02:26f0:d4:183::611]: (101) Network is unreachable
2019/04/19 08:22:33| SendEcho ERROR: sending to ICMPv6 packet to [2620:1ec:c11::200]: (101) Network is unreachable
2019/04/19 08:22:36| SendEcho ERROR: sending to ICMPv6 packet to [2a03:9180:1:64::e]: (101) Network is unreachable

root@srv-squid-i2:/var/log# more syslog
Apr 19 06:25:02 srv-squid-i2 rsyslogd: [origin software="rsyslogd" swVersion="8.32.0" x-pid="850" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr 19 06:25:02 srv-squid-i2 squid[23529]: Closing Pinger socket on FD 26
Apr 19 06:25:02 srv-squid-i2 squid[23529]: storeDirWriteCleanLogs: Starting...
Apr 19 06:25:02 srv-squid-i2 squid[23529]: Finished. Wrote 0 entries.
Apr 19 06:25:02 srv-squid-i2 squid[23529]: Took 0.00 seconds ( 0.00 entries/sec).
Apr 19 06:25:02 srv-squid-i2 squid[23529]: logfileRotate: daemon:/var/log/squid/access.log
Apr 19 06:25:02 srv-squid-i2 squid[23529]: logfileRotate: daemon:/var/log/squid/access.log
Apr 19 06:25:02 srv-squid-i2 squid[23529]: assertion failed: comm.cc:428: "!isOpen(conn->fd)"
Apr 19 06:25:06 srv-squid-i2 squid[23527]: Squid Parent: squid-1 process 23529 exited due to signal 6 with status 0
Apr 19 06:25:06 srv-squid-i2 squid[23527]: Squid Parent: (squid-1) process 26758 started
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Set Current Directory to /var/spool/squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Service Name: squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Process ID 26758
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Process Roles: worker
Apr 19 06:25:06 srv-squid-i2 squid[26758]: With 1024 file descriptors available
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Initializing IP Cache...
Apr 19 06:25:06 srv-squid-i2 squid[26758]: DNS Socket created at [::], FD 5
Apr 19 06:25:06 srv-squid-i2 squid[26758]: DNS Socket created at 0.0.0.0, FD 10
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adding nameserver 127.0.0.53 from /etc/resolv.conf
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adding domain ifsi.chdupaysdegier.fr from /etc/resolv.conf
Apr 19 06:25:06 srv-squid-i2 squid[26758]: helperOpenServers: Starting 5/32 'security_file_certgen' processes
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Logfile: opening log daemon:/var/log/squid/access.log
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Logfile Daemon: opening log /var/log/squid/access.log
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Store logging disabled
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Swap maxSize 0 + 524288 KB, estimated 40329 objects
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Target number of buckets: 2016
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Using 8192 Store buckets
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Max Mem size: 524288 KB
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Max Swap size: 0 KB
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Using Least Load store dir selection
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Set Current Directory to /var/spool/squid
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Finished loading MIME types and icons.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: HTCP Disabled.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Pinger socket opened on FD 26
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Squid plugin modules loaded: 0
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Adaptation support is off.
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
Apr 19 06:25:06 srv-squid-i2 squid[26758]: Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
Apr 19 06:25:07 srv-squid-i2 squid[26758]: storeLateRelease: released 0 objects
Apr 19 06:36:14 srv-squid-i2 snapd[14282]: storehelpers.go:441: cannot refresh snap "core": snap has no updates available
Apr 19 06:36:14 srv-squid-i2 snapd[14282]: autorefresh.go:379: auto-refresh: all snaps are up-to-date
Apr 19 07:10:31 srv-squid-i2 squid[26758]: Logfile: opening log stdio:/var/spool/squid/netdb.state
Apr 19 07:10:31 srv-squid-i2 squid[26758]: Logfile: closing log stdio:/var/spool/squid/netdb.state
Apr 19 07:10:31 srv-squid-i2 squid[26758]: NETDB state saved; 1 entries, 0 msec
Apr 19 07:17:01 srv-squid-i2 CRON[27013]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Apr 19 08:05:05 srv-squid-i2 systemd[1]: Started ntp-systemd-netif.service.
Apr 19 08:17:01 srv-squid-i2 CRON[27257]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of squid-users-request@xxxxxxxxxxxxxxxxxxxxx
Sent: Friday 19 April 2019 06:00
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: squid-users Digest, Vol 56, Issue 32

Send squid-users mailing list submissions to
    squid-users@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
    squid-users-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
    squid-users-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of squid-users digest..."

Today's Topics:

   1. Re: squid-users Digest, Vol 56, Issue 12 (Wegner Michaël)
   2. Re: Squid 3.5 https facebook caching (Eliezer Croitoru)
   3. Re: Squid 3.5 https facebook caching (Amos Jeffries)
   4. Re: squid-users Digest, Vol 56, Issue 12 (Amos Jeffries)

----------------------------------------------------------------------

Message: 1
Date: Thu, 18 Apr 2019 15:34:00 +0200
From: Wegner Michaël <m.wegner@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: squid-users Digest, Vol 56, Issue 12
Message-ID: <8984823b.1d4f5eb.6cc6cb3c.3b71@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

Hi,

The SSL is OK I always can't play some YouTube video.
Squid in version 4.6
In access.log : TCP_TUNNEL/200 2083 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.206.238
I think the problem comes from heading.

My squid.conf for test is :
visible_hostname squid

acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/etc/ssl_cert/myCA.pem

ssl_bump splice localhost
acl 9 at_step SslBump1
acl 10 at_step SslBump2
acl 11 at_step SslBump3
ssl_bump peek 9 all
ssl_bump bump 10 all
ssl_bump bump 11 all

coredump_dir /var/spool/squid

Kind regards,

-----Original Message-----
From: Wegner Michaël [mailto:m.wegner@xxxxxxxxxxxxxxxx]
Sent: Tuesday 9 April 2019 11:18
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: squid-users Digest, Vol 56, Issue 12

-----Original Message-----
From: Wegner Michaël [mailto:m.wegner@xxxxxxxxxxxxxxxx]
Sent: Monday 8 April 2019 11:15
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: squid-users Digest, Vol 56, Issue 12

Hi Antony,

The video is OK, if I not used squid v3.5.
If on the squid.conf file I disabled redirection on squidguard the problem is the same.
If squid is activated, some videos are blocked, (the videos in restricted mode)
With an old version of squid (2.6) there are no problems

Regards,

Hi,

I install a new server squid version 4.6 without squidguard and access allow all.
I set the ssl and I import certificate on the client but without success.

My squid.conf is :
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*
#http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all
http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /opt/squid/log/squid/ssl_db -M 4MB
coredump_dir /opt/squid/var/cache/squid
cache_dir ufs /opt/squid/var/cache/squid 1000 16 256 # 1GB as Cache
# Squid normally listens to port 3128
#http_port 3128
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

regards
Michaël

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of squid-users-request@xxxxxxxxxxxxxxxxxxxxx
Sent: Saturday 6 April 2019 14:00
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: squid-users Digest, Vol 56, Issue 12

Today's Topics:

   1. youtube restriction. (Wegner Michaël)
   2. Re: youtube restriction. (Vacheslav Zouhairy)
   3. Re: youtube restriction. (Antony Stone)

----------------------------------------------------------------------

Message: 1
Date: Fri, 05 Apr 2019 15:06:00 +0200
From: Wegner Michaël <m.wegner@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: youtube restriction.
Message-ID: <527bfee2.1d4ebb0.29b980e7.db3@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I install squid + squidguard, and I can't play youtube video.
For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ; https://m.youtube.com/watch?v=jbBUQ-uvlRU

Error : video not available
access to this video is limited

I have Ubuntu server 18.04 and squid v 3.5.27

Can you help me please

Thanks,
Kind Regards

------------------------------

Message: 2
Date: Fri, 05 Apr 2019 16:21:28 +0300
From: Vacheslav Zouhairy <m_zouhairy@xxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: youtube restriction.
Message-ID: <edde432e1f0745413ed6d35d157a6abc025b7d3d.camel@xxxxxxx>
Content-Type: text/plain; charset="utf-8"

time to try ufdbguard, it is very flexible and relatively easy to configure.

On Fri, 2019-04-05 at 15:06 +0200, Wegner Michaël wrote:
> Hi,
>
> I install squid + squidguard, and I can’t play youtube video.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ;
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
>
> Error : video not available
> access to this video is limited I have Ubuntu server 18.04 and squid v
> 3.5.27 Can you help me please Thanks, Kind Regards
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

------------------------------

Message: 3
Date: Fri, 5 Apr 2019 15:39:08 +0200
From: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: youtube restriction.
Message-ID: <201904051539.08777.Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
Content-Type: Text/Plain; charset="iso-8859-15"

On Friday 05 April 2019 at 15:06:00, Wegner Michaël wrote:

> Hi,
>
> I install squid + squidguard, and I can't play youtube video.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ;
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
>
> Error : video not available access to this video is limited

1. Does it work if you do not go via Squid and SquidGuard?

2. Can you play any other Youtube videos?

3. Given that this is an HTTPS connection, how are you restricting HTTPS content with SquidGuard?

> I have Ubuntu server 18.04 and squid v 3.5.27
>
> Can you help me please

Regards,

Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean temperature of patients in a hospital."

 - Stéphane Bortzmeyer

Please reply to the list; please *don't* CC me.

------------------------------

End of squid-users Digest, Vol 56, Issue 12
*******************************************

------------------------------

Message: 2
Date: Fri, 19 Apr 2019 00:17:32 +0300
From: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid 3.5 https facebook caching
Message-ID: <6f81e912-2c71-b25e-818b-7c16df7298e7@xxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

Just to add:

Facebook has these headers for many of their videos:

 1. Cache-Control: max-age=1209600, no-transform

So what happens is that the client browser will save these URLs for a very long time and it's good. It takes off burden from the intermediate proxy.

I wrote some code that works for most of the facebook public videos at:
http://gogs.ngtech.co.il/NgTech-LTD/storeid-helpers/raw/master/facebook--video-2019.rb

Hope it helps.
Eliezer

On 4/18/2019 1:45 PM, Amos Jeffries wrote:
> On 18/04/19 12:03 pm, tester100 wrote:
>> Amos
>>
>> big thxs for all your input
>>
>> it just shows me that i know nothing about squid that i am complete newbie,
>> and that i need to spend my time reading all the manual and config examples.
>>
> I did not mean to imply a lot of reading was needed. Just some in
> relation to the items I mentioned as probably leading to your issue. The
> rest can be long-term goals to fix up.
>
> FYI: The Squid wiki <http://wiki.squid-cache.org/> and config manual
> <http://www.squid-cache.org/Doc/config/> (the v3.5 pages for your Squid
> version) are the most accurate information sources behind reading the
> code itself. But keep in mind that Squid-3 is also outdated nowadays,
> Squid-4 and later have changed some significant feature behaviours.
>
>
> Most of the things I pointed out were useful at some point (eg Squid-2),
> and may still be for some use-cases. But for which Squid behaviour has
> changed since how-tos and tutorials advising them were written.
>
>
>> big thanks i will have some guidance on reading and research for the next
>> couple of days now.
>>
> You are welcome. Any further questions or advice wanted please feel free
> to ask. Helping each other use Squid is what this mailing list is
> about - for experts and newbies alike.
>
> Cheers
> Amos

-- 
----
Eliezer Croitoru <http://ngtech.co.il/main-en/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx <mailto:eliezer@xxxxxxxxxxxx>

------------------------------

Message: 3
Date: Fri, 19 Apr 2019 15:35:49 +1200
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid 3.5 https facebook caching
Message-ID: <67347320-3125-f3c4-d706-46820eea5718@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 19/04/19 9:17 am, Eliezer Croitoru wrote:
> Just to add:
>
> Facebook has these headers for many of their videos:
>
> 1.
> Cache-Control:
> max-age=1209600, no-transform
>
>
> So what happens is that the client browser will save these URLs for a
> very long time and it's good.

As will Squid unless the admin has configured refresh_pattern options that force expiry earlier.

Amos

------------------------------

Message: 4
Date: Fri, 19 Apr 2019 15:59:23 +1200
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: squid-users Digest, Vol 56, Issue 12
Message-ID: <a018e0cd-8dc7-02b2-d474-82a202472bfa@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

> -----Original Message-----
...
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of squid-users digest..."

When you are trying to message the list about issues please change your subscription settings to deliver you the individual posts so you can reply to threads instead of digests.

On 19/04/19 1:34 am, Wegner Michaël wrote:
> Hi,
>
> The SSL is OK I always can't play some YouTube video.
> Squid in version 4.6
> In access.log : TCP_TUNNEL/200 2083 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.206.238
> I think the problem comes from heading.
>

What are you calling "heading"?
The (incomplete) access.log entry you show has;

 * an unknown client requesting a tunnel to www.youtube.com.

 * Squid is opening a tunnel to the server 216.58.206.238.

 * Squid is informing the client that it was 200/success. The tunnel can be used.

 * 2083 bytes are sent to the client. Some of those were for the 200 response.

 * the tunnel is closed without any errors having occurred.

This line means multiple different things depending on which port your proxy received it on (if received) or whether Squid generated the CONNECT pieces for SSL-Bump internal use.

> My squid.conf for test is :
> visible_hostname squid
>
> acl localnet src 10.0.0.0/8
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> http_port 3128

Traffic arriving on above port never has SSL-Bump applied to it. Tunnels are always directly client<->origin with no Squid interaction to the HTTPS portion.

> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/etc/ssl_cert/myCA.pem
>
> ssl_bump splice localhost

Traffic NAT intercepted from localhost is always spliced. The TLS and wrapped HTTPS are always directly client<->origin with no Squid interaction.

> acl 9 at_step SslBump1
> acl 10 at_step SslBump2
> acl 11 at_step SslBump3
> ssl_bump peek 9 all
> ssl_bump bump 10 all

All traffic which is from non-localhost is always bumped at step-2 by SSL-Bump. Step-2 has zero details about the actual origin server TLS capabilities or properties. Bumping at this step is what we call "client-first". It has *many* problems and should be avoided unless absolutely necessary.

YouTube is a Google domain. Google are particularly strict about their TLS usage and security. They do a lot of things to absolutely prohibit things like client-first being possible at all. Bump not being possible at all is the normal state for Google domains. It is more surprising that you are reporting "works fine" for parts of YT than the failure.

More details will be needed to see what is going on. Please start by providing the whole of that access.log line and the other log entries from your test transaction. If bumping is happening at all there *will* be multiple log entries.

> ssl_bump bump 11 all
>

Above should never happen because everything was already spliced at step-1 or bumped at step-2.

Amos

------------------------------

End of squid-users Digest, Vol 56, Issue 32
*******************************************
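
Amos's remark that a bumped connection always leaves more than one access.log entry can be checked mechanically. The Python below is an added example, not code from anyone in this thread: it assumes Squid's default native log format (ten whitespace-separated fields), the two bumped.example.test lines are constructed and their shape is an assumption, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# The first three lines are copied from the access.log posted in this thread.
# The last two are CONSTRUCTED to show how a bumped transaction is assumed to
# look: a CONNECT entry followed by a decrypted https:// request.
SAMPLE_LINES = [
    "1555649464.161 109997 10.5.27.200 TCP_TUNNEL/200 1712 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.215.46 -",
    "1555654475.378 2134 10.5.27.200 TCP_TUNNEL_ABORTED/200 7466 CONNECT arc.msn.com:443 - HIER_DIRECT/40.112.91.29 -",
    "1555654944.756 62 10.5.27.200 TCP_MISS/200 4680 GET http://tile-service.weather.microsoft.com/fr-FR/livetile/preinstall? - HIER_DIRECT/23.36.210.35 text/xml",
    "1555655000.100 5 10.5.27.200 NONE/200 0 CONNECT bumped.example.test:443 - HIER_NONE/- -",
    "1555655000.450 340 10.5.27.200 TCP_MISS/200 5120 GET https://bumped.example.test/index.html - HIER_DIRECT/192.0.2.10 text/html",
]

# The entry quoted in the e-mail body, which the reply calls incomplete.
TRUNCATED = "TCP_TUNNEL/200 2083 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.206.238"


def parse_line(line):
    """Parse one native-format entry into a dict; return None if incomplete."""
    f = line.split()
    if len(f) < 10:  # timestamp, elapsed, client ... content type
        return None
    tag, _, status = f[3].partition("/")
    try:
        return {
            "ts": float(f[0]),
            "elapsed_ms": int(f[1]),
            "client": f[2],
            "tag": tag,
            "status": int(status),
            "bytes": int(f[4]),
            "method": f[5],
            "url": f[6],
            "peer": f[8].partition("/")[2] or "-",
        }
    except ValueError:
        return None


def host_of(entry):
    """Destination host: 'host:port' for CONNECT, URL hostname otherwise."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["url"]).hostname or "").lower()


def classify(lines):
    """Return {(client, host): verdict} for every CONNECT target seen."""
    connects = defaultdict(list)   # result tags of CONNECT entries
    decrypted = defaultdict(int)   # count of https:// requests logged
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e["client"], host_of(e))
        if e["method"] == "CONNECT":
            connects[key].append(e["tag"])
        elif e["url"].lower().startswith("https://"):
            decrypted[key] += 1
    verdicts = {}
    for key, tags in connects.items():
        if decrypted.get(key):
            verdicts[key] = "bumped"            # Squid saw requests inside TLS
        elif all(t.startswith("TCP_TUNNEL") for t in tags):
            verdicts[key] = "tunnel-only"       # bytes relayed, nothing decrypted
        else:
            verdicts[key] = "connect-without-requests"
    return verdicts


if __name__ == "__main__":
    for (client, host), verdict in sorted(classify(SAMPLE_LINES).items()):
        print(f"{client} -> {host}: {verdict}")
    print("truncated entry parsed:", parse_line(TRUNCATED))
```

Matching CONNECT and https:// entries by hostname is a simplification; an intercepted connection may be logged by destination IP rather than by name, in which case the pairing needs the peer address as well.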