2026-03-03

Author: squidadm

squid-users/2026-March.txt

@@ -63,3 +63,87 @@ Ankor.
 An HTML attachment was scrubbed...
 URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20260303/783ffa48/attachment.htm>
 
+From squid3 at treenet.co.nz  Tue Mar  3 13:02:08 2026
+From: squid3 at treenet.co.nz (Amos Jeffries)
+Date: Wed, 4 Mar 2026 02:02:08 +1300
+Subject: [squid-users] Using AD groups from negotiate_kerberos_auth in
+ ssl-bumped connections.
+In-Reply-To: <CADJd0Y0U=9XsygAn0kjkt5OLnAozabqtAfd_nVr-RxXUqVee7g@mail.gmail.com>
+References: <CADJd0Y0U=9XsygAn0kjkt5OLnAozabqtAfd_nVr-RxXUqVee7g@mail.gmail.com>
+Message-ID: <755a6fef-5ca4-495a-a947-e0a2cc085197@treenet.co.nz>
+
+On 04/03/2026 01:06, Andrey K wrote:
+> Hello,
+> 
+> I use?negotiate_kerberos_auth helper and it sets the AD groups list in a 
+> group annotation attribute.
+> It works well, but thisattributeis not availableinthe 
+> subsequentrequestsinan ssl-bumpedconnection (it is available only in the 
+> first CONNECT request).
+> Is it possible to make this attribute persistent in the current SSL 
+> connection? I would like to use groups from this attribute to authorize 
+> users using only "note"-type ACLs, no external helpers involved.
+
+Unfortunately Squid does not yet support ACLs using details directly 
+from the tunnel's "parent" CONNECT transaction.
+
+You can use the annotate_client ACL type to mark the from-client TCP 
+connection instead of the HTTP request. Just be aware these need to be 
+manually configured and thus does not scale to large number of groups.
+
+HTH
+Amos
+
+
+From anthony.pankov at yahoo.com  Tue Mar  3 13:56:34 2026
+From: anthony.pankov at yahoo.com (Anthony Pankov)
+Date: Tue, 3 Mar 2026 16:56:34 +0300
+Subject: [squid-users] peek vs stare on step1
+References: <1286220651.20260303165634.ref@yahoo.com>
+Message-ID: <1286220651.20260303165634@yahoo.com>
+
+Hello,
+
+I wander what action to choose for sslbump on step1.
+
+A documentation (https://wiki.squid-cache.org/Features/SslPeekAndSplice) said the same for both:
+
+"When a stare/peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI (if any)."
+
+
+
+
+-- 
+Best regards,
+ Anthony Pankov                         mailto:anthony.pankov at yahoo.com
+
+
+From uhlar at fantomas.sk  Tue Mar  3 14:02:30 2026
+From: uhlar at fantomas.sk (Matus UHLAR - fantomas)
+Date: Tue, 3 Mar 2026 15:02:30 +0100
+Subject: [squid-users] peek vs stare on step1
+In-Reply-To: <1286220651.20260303165634@yahoo.com>
+References: <1286220651.20260303165634.ref@yahoo.com>
+ <1286220651.20260303165634@yahoo.com>
+Message-ID: <aabp9k27Z2gGJxnY@fantomas.sk>
+
+On 03.03.26 16:56, Anthony Pankov wrote:
+>I wander what action to choose for sslbump on step1.
+>
+>A documentation (https://wiki.squid-cache.org/Features/SslPeekAndSplice) said the same for both:
+>
+>"When a stare/peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI (if any)."
+
+Alex answered my questions about peek/splice 4 years ago, here's link:
+https://ml-archives.squid-cache.org/squid-users/2022-February/024589.html
+
+I hope it helps you at least a bit.
+
+
+-- 
+Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
+Warning: I wish NOT to receive e-mail advertising to this address.
+Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
+There's a long-standing bug relating to the x86 architecture that
+allows you to install Windows.   -- Matthew D. Fuller
+

squid-users/2026-March/027824.html

@@ -13,7 +13,7 @@
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
    <LINK REL="Previous"  HREF="027823.html">
-   
+   <LINK REL="Next"  HREF="027825.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
    <H1>[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.</H1>
@@ -25,7 +25,8 @@ <H1>[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped con
     <P><UL>
         <LI>Previous message (by thread): <A HREF="027823.html">[squid-users] passing request body in GET requests
 </A></li>
-        
+        <LI>Next message (by thread): <A HREF="027825.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#27824">[ date ]</a>
               <a href="thread.html#27824">[ thread ]</a>
@@ -52,13 +53,15 @@ <H1>[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped con
 URL: &lt;<A HREF="http://lists.squid-cache.org/pipermail/squid-users/attachments/20260303/783ffa48/attachment.htm">http://lists.squid-cache.org/pipermail/squid-users/attachments/20260303/783ffa48/attachment.htm</A>&gt;
 </PRE>
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
 	<LI>Previous message (by thread): <A HREF="027823.html">[squid-users] passing request body in GET requests
 </A></li>
-	
+	<LI>Next message (by thread): <A HREF="027825.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#27824">[ date ]</a>
               <a href="thread.html#27824">[ thread ]</a>

squid-users/2026-March/027825.html

@@ -0,0 +1,83 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20Using%20AD%20groups%20from%20negotiate_kerberos_auth%20in%0A%20ssl-bumped%20connections.&In-Reply-To=%3C755a6fef-5ca4-495a-a947-e0a2cc085197%40treenet.co.nz%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="027824.html">
+   <LINK REL="Next"  HREF="027826.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.</H1>
+    <B>Amos Jeffries</B> 
+    <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20Using%20AD%20groups%20from%20negotiate_kerberos_auth%20in%0A%20ssl-bumped%20connections.&In-Reply-To=%3C755a6fef-5ca4-495a-a947-e0a2cc085197%40treenet.co.nz%3E"
+       TITLE="[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.">squid3 at treenet.co.nz
+       </A><BR>
+    <I>Tue Mar  3 13:02:08 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="027824.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
+        <LI>Next message (by thread): <A HREF="027826.html">[squid-users] peek vs stare on step1
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27825">[ date ]</a>
+              <a href="thread.html#27825">[ thread ]</a>
+              <a href="subject.html#27825">[ subject ]</a>
+              <a href="author.html#27825">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 04/03/2026 01:06, Andrey K wrote:
+&gt;<i> Hello,
+</I>&gt;<i> 
+</I>&gt;<i> I use&#160;negotiate_kerberos_auth helper and it sets the AD groups list in a 
+</I>&gt;<i> group annotation attribute.
+</I>&gt;<i> It works well, but thisattributeis not availableinthe 
+</I>&gt;<i> subsequentrequestsinan ssl-bumpedconnection (it is available only in the 
+</I>&gt;<i> first CONNECT request).
+</I>&gt;<i> Is it possible to make this attribute persistent in the current SSL 
+</I>&gt;<i> connection? I would like to use groups from this attribute to authorize 
+</I>&gt;<i> users using only &quot;note&quot;-type ACLs, no external helpers involved.
+</I>
+Unfortunately Squid does not yet support ACLs using details directly 
+from the tunnel's &quot;parent&quot; CONNECT transaction.
+
+You can use the annotate_client ACL type to mark the from-client TCP 
+connection instead of the HTTP request. Just be aware these need to be 
+manually configured and thus does not scale to large number of groups.
+
+HTH
+Amos
+
+</PRE>
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="027824.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
+	<LI>Next message (by thread): <A HREF="027826.html">[squid-users] peek vs stare on step1
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27825">[ date ]</a>
+              <a href="thread.html#27825">[ thread ]</a>
+              <a href="subject.html#27825">[ subject ]</a>
+              <a href="author.html#27825">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users
+mailing list</a><br>
+</body></html>

squid-users/2026-March/027826.html

@@ -0,0 +1,76 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-users] peek vs stare on step1
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20peek%20vs%20stare%20on%20step1&In-Reply-To=%3C1286220651.20260303165634%40yahoo.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="027825.html">
+   <LINK REL="Next"  HREF="027827.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-users] peek vs stare on step1</H1>
+    <B>Anthony Pankov</B> 
+    <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20peek%20vs%20stare%20on%20step1&In-Reply-To=%3C1286220651.20260303165634%40yahoo.com%3E"
+       TITLE="[squid-users] peek vs stare on step1">anthony.pankov at yahoo.com
+       </A><BR>
+    <I>Tue Mar  3 13:56:34 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="027825.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
+        <LI>Next message (by thread): <A HREF="027827.html">[squid-users] peek vs stare on step1
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27826">[ date ]</a>
+              <a href="thread.html#27826">[ thread ]</a>
+              <a href="subject.html#27826">[ subject ]</a>
+              <a href="author.html#27826">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>Hello,
+
+I wander what action to choose for sslbump on step1.
+
+A documentation (<A HREF="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</A>) said the same for both:
+
+&quot;When a stare/peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI (if any).&quot;
+
+
+
+
+-- 
+Best regards,
+ Anthony Pankov                         mailto:<A HREF="https://lists.squid-cache.org/listinfo/squid-users">anthony.pankov at yahoo.com</A>
+
+</PRE>
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="027825.html">[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
+</A></li>
+	<LI>Next message (by thread): <A HREF="027827.html">[squid-users] peek vs stare on step1
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27826">[ date ]</a>
+              <a href="thread.html#27826">[ thread ]</a>
+              <a href="subject.html#27826">[ subject ]</a>
+              <a href="author.html#27826">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users
+mailing list</a><br>
+</body></html>

squid-users/2026-March/027827.html

@@ -0,0 +1,77 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-users] peek vs stare on step1
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20peek%20vs%20stare%20on%20step1&In-Reply-To=%3Caabp9k27Z2gGJxnY%40fantomas.sk%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="027826.html">
+   
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-users] peek vs stare on step1</H1>
+    <B>Matus UHLAR - fantomas</B> 
+    <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20peek%20vs%20stare%20on%20step1&In-Reply-To=%3Caabp9k27Z2gGJxnY%40fantomas.sk%3E"
+       TITLE="[squid-users] peek vs stare on step1">uhlar at fantomas.sk
+       </A><BR>
+    <I>Tue Mar  3 14:02:30 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="027826.html">[squid-users] peek vs stare on step1
+</A></li>
+        
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27827">[ date ]</a>
+              <a href="thread.html#27827">[ thread ]</a>
+              <a href="subject.html#27827">[ subject ]</a>
+              <a href="author.html#27827">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 03.03.26 16:56, Anthony Pankov wrote:
+&gt;<i>I wander what action to choose for sslbump on step1.
+</I>&gt;<i>
+</I>&gt;<i>A documentation (<A HREF="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</A>) said the same for both:
+</I>&gt;<i>
+</I>&gt;<i>&quot;When a stare/peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI (if any).&quot;
+</I>
+Alex answered my questions about peek/splice 4 years ago, here's link:
+<A HREF="https://ml-archives.squid-cache.org/squid-users/2022-February/024589.html">https://ml-archives.squid-cache.org/squid-users/2022-February/024589.html</A>
+
+I hope it helps you at least a bit.
+
+
+-- 
+Matus UHLAR - fantomas, <A HREF="https://lists.squid-cache.org/listinfo/squid-users">uhlar at fantomas.sk</A> ; <A HREF="http://www.fantomas.sk/">http://www.fantomas.sk/</A>
+Warning: I wish NOT to receive e-mail advertising to this address.
+Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
+There's a long-standing bug relating to the x86 architecture that
+allows you to install Windows.   -- Matthew D. Fuller
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="027826.html">[squid-users] peek vs stare on step1
+</A></li>
+	
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27827">[ date ]</a>
+              <a href="thread.html#27827">[ thread ]</a>
+              <a href="subject.html#27827">[ subject ]</a>
+              <a href="author.html#27827">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users
+mailing list</a><br>
+</body></html>