[squid-users] Non respect fo Proxy chain
Hello, It's not the first time I ask for this, but I didn't see any answer. I have two proxies. They have Ips 10.105.x.y and 10.105.x.y+1 The outgoing is an upstream proxy. My problem is: They try to reach by themselves URL with: 192.168.*.* instead of forward them to the Upstream proxy. 1139206331.003 179161 10.104.x.* TCP_MISS/504 1490 GET http://192.168.37.10/icons/parent.gif - NONE/- text/html 1139206331.003 179123 10.104.x.* TCP_MISS/504 1492 GET http://192.168.37.10/icons/archive.gif - NONE/- text/html 1139206331.003 179119 10.104.x.* TCP_MISS/504 1486 GET http://192.168.37.10/icons/text.gif - NONE/- text/html 1139206331.003 179119 10.104.x.* TCP_MISS/504 1492 GET http://192.168.37.10/icons/unknown.gif - NONE/- text/html I really need a solution. Thanks. Gix Lilian
Re: [squid-users] Non respect fo Proxy chain
> > Hello, > > It's not the first time I ask for this, but I didn't see any answer. > > I have two proxies. They have Ips 10.105.x.y and 10.105.x.y+1 > The outgoing is an upstream proxy. > > My problem is: They try to reach by themselves URL with: 192.168.*.* > instead of forward them to the Upstream proxy. > > > 1139206331.003 179161 10.104.x.* TCP_MISS/504 1490 GET > http://192.168.37.10/icons/parent.gif - NONE/- text/html > 1139206331.003 179123 10.104.x.* TCP_MISS/504 1492 GET > http://192.168.37.10/icons/archive.gif - NONE/- text/html > 1139206331.003 179119 10.104.x.* TCP_MISS/504 1486 GET > http://192.168.37.10/icons/text.gif - NONE/- text/html > 1139206331.003 179119 10.104.x.* TCP_MISS/504 1492 GET > http://192.168.37.10/icons/unknown.gif - NONE/- text/html > > http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.8 M.
RE: [squid-users] Non respect fo Proxy chain
Thanks for your help: Here is my Configuration regarding direct access: always_direct deny Firm1_Sites_Internet always_direct deny Firm2_Sites_Internet always_direct allow Firm1_Sites_Intranet always_direct allow Firm2_Sites_Intranet always_direct allow Intern always_direct deny all never_direct allow all Gix Lilian -Original Message- From: Mark Elsen [mailto:[EMAIL PROTECTED] Sent: Montag, 6. Februar 2006 10:07 To: Gix, Lilian (CI/OSR) * Cc: squid-users@squid-cache.org Subject: Re: [squid-users] Non respect fo Proxy chain > > Hello, > > It's not the first time I ask for this, but I didn't see any answer. > > I have two proxies. They have Ips 10.105.x.y and 10.105.x.y+1 > The outgoing is an upstream proxy. > > My problem is: They try to reach by themselves URL with: 192.168.*.* > instead of forward them to the Upstream proxy. > > > 1139206331.003 179161 10.104.x.* TCP_MISS/504 1490 GET > http://192.168.37.10/icons/parent.gif - NONE/- text/html > 1139206331.003 179123 10.104.x.* TCP_MISS/504 1492 GET > http://192.168.37.10/icons/archive.gif - NONE/- text/html > 1139206331.003 179119 10.104.x.* TCP_MISS/504 1486 GET > http://192.168.37.10/icons/text.gif - NONE/- text/html > 1139206331.003 179119 10.104.x.* TCP_MISS/504 1492 GET > http://192.168.37.10/icons/unknown.gif - NONE/- text/html > > http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.8 M.
[squid-users] Non-blocking redirectors
It's really weird that squid, with all its non-blocking nature, still 'blocks' on redirectors I/O. This effectively prevents us from writing non-blocking or multi-threaded redirectors (well, not without some hardcore apache- style non-portable mess with file descriptors). Is it so hard to send a sernum with each request and have the redirector return it to match against pending redirections?
Re: [squid-users] Non respect fo Proxy chain
> > Here is my Configuration regarding direct access: > > always_direct deny Firm1_Sites_Internet > always_direct deny Firm2_Sites_Internet > always_direct allow Firm1_Sites_Intranet > always_direct allow Firm2_Sites_Intranet > always_direct allow Intern > always_direct deny all > > never_direct allow all > > Try removing : always_direct deny all M.
RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy.
-Original Message- From: Chris Robertson [mailto:[EMAIL PROTECTED] Sent: 01 February 2006 20:19 To: squid-users@squid-cache.org Subject: RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy. > -Original Message- > From: squid user [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 01, 2006 7:27 AM > To: [EMAIL PROTECTED] > Cc: squid-users@squid-cache.org > Subject: Re: [squid-users] HTTPS traffic not being forwarded > to upstream > proxy. > > >On 2/1/06, squid user <[EMAIL PROTECTED]> wrote: > > > Hi, > > > > > > I have a Squid 2.5 stable 11 proxy forwarding traffic to > > > an upstream proxy > > > based on domain. This works fine for HTTP traffic, but > > > HTTPS traffic is > > > flowing directly from the downstream proxy to the internet. > > > > > > Would anyone give me any pointers as to an access list or > > > other strategy I > > > can use to ensure that HTTPS traffic flows to the > > > upstream proxy? Here's > > > what I have at the moment... > > > > > > acl forwardTraffic dstdomain .co.uk > > > cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query > > > cache_peer_access 172.21.118.118 allow forwardTraffic > > > > > >Try changing the above line into : > > > > never_direct allow forwardTraffic > > > > > cache_peer_access 172.21.118.118 deny all > > > Not such a good idea. Now you are saying that .co.uk can't go direct (fine) but that no requests can use the cache_peer (whoops). Hence the problem seen below... > > > > M. > > > Hi Mark, > > Thanks for getting back to me, but unfortunately that didn't work. > > On the browser I see: > > "The following error was encountered: > > * Unable to forward this request at this time. > > This request could not be forwarded to the origin server or > to any parent > caches. The most likely cause for this error is that: > > * The cache administrator does not allow this cache to > make direct > connections to origin servers, and > * All configured parent caches are currently unreachable." > > And in the squid log I see, using ebay.co.uk for example... > > Failed to select source for 'http://www.ebay.co.uk' > always_direct = 0 > never_direct = 1 > timed_out = 0 > > Cheers > > SU > > >I'd say either add the never_direct line to what you have >(cache_peer_access) or get rid of the cache_peer_access lines, and ONLY >have the never_direct. Otherwise, if you want to direct ALL ssl traffic >through your parent cache, "cache_peer_access 172.21.118.118 allow CONNECT" >will do it. >Chris Hi all, Sorry about starting this up again, but I wasn't around my computer for the latter part of last week. Anyway, I tried adding the 'never_direct' line alongside my cache_peer_access configuration and it still failed to work. HTTPS traffic went direct from the first proxy to the outside world. I installed squid STABLE12 and it happened with that release also. As directing all ssl traffic to the upstream proxy isn't an option, any other ideas would be greatly appreciated! Cheers SU smime.p7s Description: S/MIME cryptographic signature
[squid-users] access.log with user from ntlm?
Hi List I have installed the squid with ntlm authentication and everything is working fine. But how can I see the authenticated user in the access.log file. I only see his IP-Address? Best regards Gunnar
RE: [squid-users] Squid and iptables - need help
Hi... > -Original Message- > From: Gregori Parker [mailto:[EMAIL PROTECTED] > Sent: Friday, February 03, 2006 10:25 AM > To: squid-users@squid-cache.org > Subject: [squid-users] Squid and iptables - need help > > > I have just deployed a cluster of squid caching servers in > reverse proxy > mode, and am having trouble with iptables. When iptables is > turned on, > I can hit the caching servers, but squid times out trying to pull from > the origin servers (in our other datacenters). > > I'm thinking that if I add outgoing rules for our other datacenters, > everything should be fine, but they are now in production and I cant > simply test at will...I'm planning on adding these lines, can anyone > tell me if this will fix my timeout problem when squid tries to pull > from the origin servers? I'm green on iptables configuration, so any > advice in general is welcome! Sorry for the long email, and > thank you! > > Lines I plan to add: > > # Allow anything *to* our various datacenters > $IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT > $IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT > $IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT > Replace. Don't add... > > Or maybe I can just add this instead: > > $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT > This would be the same thing as "$IPTABLES --policy OUTPUT ALLOW". > > Here's the current iptables script: > -- > -- > - > #!/bin/sh > > LAN="eth1" > INTERNET="eth0" > IPTABLES="/sbin/iptables" > > # Drop ICMP echo-request messages sent to broadcast or multicast > addresses > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts > > # Drop source routed packets > echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route > > # Enable TCP SYN cookie protection from SYN floods > echo 1 > /proc/sys/net/ipv4/tcp_syncookies > > # Don't accept ICMP redirect messages > echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects > > # Don't send ICMP redirect messages > echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects > > # Enable source address spoofing protection > echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter > > # Log packets with impossible source addresses > echo 1 > /proc/sys/net/ipv4/conf/all/log_martians > > # Flush all chains > $IPTABLES --flush > > # Allow unlimited traffic on the loopback interface > $IPTABLES -A INPUT -i lo -j ACCEPT > $IPTABLES -A OUTPUT -o lo -j ACCEPT > > # Set default policies > $IPTABLES --policy INPUT DROP > $IPTABLES --policy OUTPUT DROP > $IPTABLES --policy FORWARD DROP > > # Previously initiated and accepted exchanges bypass rule checking > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > Change these lines... > # Allow anything from our various datacenters > $IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT > $IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT > $IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT > ...to... # Allow anything from our various datacenters $IPTABLES -A OUPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT $IPTABLES -A OUPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT $IPTABLES -A OUPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT ... and Squid will be able to query your datacenters. Responses will be allowed by the "--state ESTABLISHED,RELATED" rule. It would probably be a good idea to make this rule a bit more stringent (only allow TCP on port 80, or what-have-you). But it's a good start. > # Allow incoming port 22 (ssh) connections on external interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 > -m state \ > --state NEW -j ACCEPT > I'd REALLY strongly recommend you limit which hosts can connect to port 22. There are no shortage of SSH scanners in the wild. > # Allow incoming port 4827 (squid-htcp) connections on external > interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port > 4827 -m state > \ > --state NEW -j ACCEPT > > # Allow incoming port 80 (http) connections on external interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 > -m state \ > --state NEW -j ACCEPT > > # Allow ICMP ECHO REQUESTS > $IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j > ACCEPT > $IPTABLES -A INPUT -p icmp -j ACCEPT > $IPTABLES -A OUTPUT -p icmp -j ACCEPT > > > # Allow DNS resolution > $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 > -m state \ > --state NEW -j ACCEPT > $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 > -m state \ > --state NEW -j ACCEPT > > # Allow ntp synchronization > $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port > 123 -m state > \ > --state NEW -j ACCEPT > > # allow anything on the trusted interface > $IPTABLES -A INPUT -i $LAN -p all -j ACCEPT > $IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT > > # Have these rules take effect when iptables is
Re: [squid-users] access.log with user from ntlm?
On Mon, 2006-02-06 at 17:09 +0100, Gunnar Groetschel wrote: > Hi List > > I have installed the squid with ntlm authentication and everything is > working fine. > > But how can I see the authenticated user in the access.log file. I only > see his IP-Address? You're probably not really authenticating users then, usernames would get logged there otherwise. Can you double-check your acl lines? Kinkie
RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy.
> -Original Message- > From: Paul Murphy [mailto:[EMAIL PROTECTED] > Sent: Monday, February 06, 2006 6:55 AM > To: Chris Robertson; squid-users@squid-cache.org > Subject: RE: [squid-users] HTTPS traffic not being forwarded > to upstream > proxy. > > > Hi all, > > Sorry about starting this up again, but I wasn't around my > computer for > the latter part of last week. > > Anyway, I tried adding the 'never_direct' line alongside my > cache_peer_access configuration and it still failed to work. > HTTPS traffic > went direct from the first proxy to the outside world. I > installed squid > STABLE12 and it happened with that release also. > Then there has to be something wrong with the never_direct line. You might try modifying your debug options (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug) to see if that gives any hints. > As directing all ssl traffic to the upstream proxy isn't an > option, any > other ideas would be greatly appreciated! > > Cheers > > SU > Chris
RE: [squid-users] Squid and iptables - need help
Thanks Chris, I got rid of a lot of redundancy and replaced general rules much more specific ones (e.g. SSH et al have source/destination ip space constraints)...everything seems to be working fine now! -Original Message- From: Chris Robertson [mailto:[EMAIL PROTECTED] Sent: Monday, February 06, 2006 10:59 AM To: squid-users@squid-cache.org Subject: RE: [squid-users] Squid and iptables - need help Hi... > -Original Message- > From: Gregori Parker [mailto:[EMAIL PROTECTED] > Sent: Friday, February 03, 2006 10:25 AM > To: squid-users@squid-cache.org > Subject: [squid-users] Squid and iptables - need help > > > I have just deployed a cluster of squid caching servers in > reverse proxy > mode, and am having trouble with iptables. When iptables is > turned on, > I can hit the caching servers, but squid times out trying to pull from > the origin servers (in our other datacenters). > > I'm thinking that if I add outgoing rules for our other datacenters, > everything should be fine, but they are now in production and I cant > simply test at will...I'm planning on adding these lines, can anyone > tell me if this will fix my timeout problem when squid tries to pull > from the origin servers? I'm green on iptables configuration, so any > advice in general is welcome! Sorry for the long email, and > thank you! > > Lines I plan to add: > > # Allow anything *to* our various datacenters > $IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT > $IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT > $IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT > Replace. Don't add... > > Or maybe I can just add this instead: > > $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT > This would be the same thing as "$IPTABLES --policy OUTPUT ALLOW". > > Here's the current iptables script: > -- > -- > - > #!/bin/sh > > LAN="eth1" > INTERNET="eth0" > IPTABLES="/sbin/iptables" > > # Drop ICMP echo-request messages sent to broadcast or multicast > addresses > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts > > # Drop source routed packets > echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route > > # Enable TCP SYN cookie protection from SYN floods > echo 1 > /proc/sys/net/ipv4/tcp_syncookies > > # Don't accept ICMP redirect messages > echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects > > # Don't send ICMP redirect messages > echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects > > # Enable source address spoofing protection > echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter > > # Log packets with impossible source addresses > echo 1 > /proc/sys/net/ipv4/conf/all/log_martians > > # Flush all chains > $IPTABLES --flush > > # Allow unlimited traffic on the loopback interface > $IPTABLES -A INPUT -i lo -j ACCEPT > $IPTABLES -A OUTPUT -o lo -j ACCEPT > > # Set default policies > $IPTABLES --policy INPUT DROP > $IPTABLES --policy OUTPUT DROP > $IPTABLES --policy FORWARD DROP > > # Previously initiated and accepted exchanges bypass rule checking > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > Change these lines... > # Allow anything from our various datacenters > $IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT > $IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT > $IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT > ...to... # Allow anything from our various datacenters $IPTABLES -A OUPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT $IPTABLES -A OUPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT $IPTABLES -A OUPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT ... and Squid will be able to query your datacenters. Responses will be allowed by the "--state ESTABLISHED,RELATED" rule. It would probably be a good idea to make this rule a bit more stringent (only allow TCP on port 80, or what-have-you). But it's a good start. > # Allow incoming port 22 (ssh) connections on external interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 > -m state \ > --state NEW -j ACCEPT > I'd REALLY strongly recommend you limit which hosts can connect to port 22. There are no shortage of SSH scanners in the wild. > # Allow incoming port 4827 (squid-htcp) connections on external > interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port > 4827 -m state > \ > --state NEW -j ACCEPT > > # Allow incoming port 80 (http) connections on external interface > $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 > -m state \ > --state NEW -j ACCEPT > > # Allow ICMP ECHO REQUESTS > $IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j > ACCEPT > $IPTABLES -A INPUT -p icmp -j ACCEPT > $IPTABLES -A OUTPUT -p icmp -j ACCEPT > > > # Allow DNS resolution > $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 > -m state \ > --state NEW -j ACCEPT > $IPTABLES -A OUTPUT -
[squid-users] Custom error to display login name of authenticated user?
Hi all, Is there a way to display the login name of the authenticated user in a custom error? I am using Squid 2.9.17 with Samba authentication. Regards, Steve.
[squid-users] error accessing ftp site
Hi, I have recently installed & configured squid proxy on suse 10. rest all is working fine but whenever i try to open any ftp site, it shows me this error: - "An error occured while opening that folder on the ftp server. make sure you have permission to access that folder. details: 200 switching to ASCII mode 500 illegal port command 500 unknown command" Please guide me and thanks in advance. Amit Ash
Re: [squid-users] error accessing ftp site
> > Hi, > > I have recently installed & configured squid proxy on suse 10. > rest all is working fine but whenever i try to open any ftp site, > it shows me this error: - "An error occured while opening that > folder on the ftp server. make sure you have permission to access > that folder. > details: > 200 switching to ASCII mode > 500 illegal port command > 500 unknown command" > Please guide me and thanks in advance. > - How did you open the ftp site ? M.
