Squid Icons screw-up

2011-04-10 Thread Amos Jeffries

I have to hang my head in shame right now.

It has come to light that I was working out of an obsolete version of 
the Unix Filesystem Hierarchy Standard (FHS) when making the directory 
updates to the squid-3.2 installed files.


Most of the changes are still correct in compliance with FHS version 2.3 
(if anyone knows of an even newer version please let me know ASAP). 
However the icons/ location should not have been changed. I have now 
reverted that alteration.



There will be some problems for people who have installed with 3.HEAD or 
3.2 code published between 2011-03-30 and 2011-04-12. This includes the 
3.2.0.6 package, repository and daily snapshots through that period.


Those of you affected will have to manually move the icons folder as a 
whole from /var/www/squid/icons to /usr/share/squid/icons (or your OS 
equivalent) when moving on to future releases.



I am deeply sorry for this mixup and hope that this has not caused too 
much trouble.



Amos Jeffries


Build failed in Jenkins: 3.2-matrix » rio.treenet #120

2011-04-10 Thread noc
See 

--
Started by upstream project "3.2-matrix" build number 120
Building remotely on rio.treenet
$ bzr revision-info -d 

info result: bzr revision-info -d 
 returned 
0. Command output: "11075 squ...@treenet.co.nz-20110406073338-dmdy25pm73qjqccq
" stderr: ""
[rio.treenet] $ bzr pull --overwrite 
http://bzr.squid-cache.org/bzr/squid3/branches/SQUID_3_2/
http://bzr.squid-cache.org/bzr/squid3/branches/SQUID_3_2 is permanently 
redirected to http://bzr.squid-cache.org/bzr/squid3/branches/SQUID_3_2/
bzr: ERROR: Invalid http response for 
http://bzr.squid-cache.org/bzr/squid3/branches/SQUID_3_2/.bzr/branch-format: 
Unable to handle http code 504: Gateway Time-out
ERROR: Failed to pull
Getting local revision...
$ bzr revision-info -d 

info result: bzr revision-info -d 
 returned 
0. Command output: "11075 squ...@treenet.co.nz-20110406073338-dmdy25pm73qjqccq
" stderr: ""
RevisionState revno:11075 
revid:squ...@treenet.co.nz-20110406073338-dmdy25pm73qjqccq



Build failed in Jenkins: 3.2-matrix » vobsd #120

2011-04-10 Thread noc
See 

--
Started by upstream project "3.2-matrix" build number 120
Building remotely on vobsd
java.io.IOException: Failed to mkdirs: 

at hudson.FilePath.mkdirs(FilePath.java:816)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1172)
at 
hudson.model.AbstractBuild$AbstractRunner.checkout(AbstractBuild.java:523)
at hudson.model.AbstractBuild$AbstractRunner.run(AbstractBuild.java:418)
at hudson.model.Run.run(Run.java:1362)
at hudson.matrix.MatrixRun.run(MatrixRun.java:137)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:145)



Re: broken link on webpage

2011-04-10 Thread Amos Jeffries

On Wed, 06 Apr 2011 16:25:37 +0200, Christian wrote:

Hi
link to (Copyright)
http://www.squid-cache.org/Versions/v3/3.HEAD/COPYRIGHT.txt

is broken.


Thank you. This is fixed now.

Amos


Re: Problem authenticating with Negotiate-NTLM

2011-04-10 Thread Markus Moeller

Hi Amos,

Where in the 3.2 squid code will the Proxy-Authorization: line be added? 
I can see that the negotiate-wrapper correctly returns the TT and I see in 
the logs:


2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(272) 
HandleReply: helper: '0x84886f0' sent us 'TT 
TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='

2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb4d0
2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(325) 
HandleReply: Need to challenge the client with a server blob 
'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='
2011/04/10 01:07:43.849 kid1| UserRequest.cc(80) valid: Validating 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| UserRequest.cc(100) valid: Validated. 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| ACLChecklist::asyncInProgress: 0x84cb4d0 async 
set to 0

2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb3e0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x8457df8
2011/04/10 01:07:43.849 kid1| ACLChecklist::preCheck: 0x84cb4d0 checking 
'http_access allow authenticate'

2011/04/10 01:07:43.850 kid1| ACLList::matches: checking authenticate
2011/04/10 01:07:43.850 kid1| ACL::checklistMatches: checking 'authenticate'
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) 
authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(345) authenticate: header 
Negotiate TlRMTVNTUAABBoIIAAA=.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. 
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) 
authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(201) 
authenticate: need to challenge client 
'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!




but the client never receives the Proxy-Authorization: line. It gets lost 
somewhere in the squid code. It works for pure NTLM.




Thank you
Markus

"Markus Moeller"  wrote in message 
news:inn1ro$qnh$2...@dough.gmane.org...


"Markus Moeller"  wrote in message 
news:im5hrq$vbr$1...@dough.gmane.org...

I did some further tests and noticed the following:

1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or
pure ntlm) ( See   polygraph-4.3.1-3.0.tgz


I can get 3.0 to work by adding Connection: Keep-Alive to Polygraphs 
client code.



3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See
polygraph-4.3.1-3.2.tgz)



3.2 still needs further analysis.



Markus


"Markus Moeller"  wrote in message
news:im4v3n$374$1...@dough.gmane.org...

Hi,

 I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see
that the helper returns TT ... and squid logs

2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201)
authenticate: need to challenge client
'TlRMTVNTUAACEgASADAFgomivxsqHXpxr1kAAHQAdABCVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!

but in the wireshark log I don't see a proxy-authenticate header line to
challenge the client.  What could be the reason ?

When I switch to Negotiate-Kerberos everything works.

Attached are the config and log files.

Markus






Markus
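An added example, not code from Squid, from Markus's wrapper or from this thread: a Python decoder for the NTLM CHALLENGE_MESSAGE (the Type 2 blob the helper hands back as 'TT <base64>'), together with the Proxy-Authenticate line Squid has to send, with a 407, so the client can answer it. It shows what that blob actually carries: the 8-byte server challenge the client will sign, and a TargetInfo block naming the domain and hosts. The domain/host names and the server challenge below are the ones readable in the blobs quoted in the log above, but the message itself is constructed here by the demo-only build_challenge() encoder, because the quoted base64 no longer decodes to a well-formed message as reproduced on this page (runs of zero bytes have been lost). Field layout and AV_PAIR ids follow MS-NLMP; the default flag value is a typical Windows flag set and is an assumption of the example.

```python
"""Decode the NTLM CHALLENGE_MESSAGE (Type 2) that a Squid ntlm/negotiate helper
returns in a 'TT <base64>' reply, and form the Proxy-Authenticate line Squid
must send the client with it.  Field layout follows MS-NLMP 2.2.1.2 / 2.2.2.1."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NEGOTIATE_UNICODE = 0x00000001   # target name is UTF-16LE rather than OEM
NEGOTIATE_VERSION = 0x02000000   # an 8-byte Version block follows the fixed header

# AV_PAIR ids whose values are UTF-16LE strings (MS-NLMP 2.2.2.1)
AV_TEXT = {1: "NbComputerName", 2: "NbDomainName",
           3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName"}


def _payload(msg, field_offset):
    """Resolve a Len/MaxLen/BufferOffset descriptor into the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_offset)
    if offset + length > len(msg):
        raise ValueError("payload descriptor points outside the message")
    return msg[offset:offset + length]


def parse_challenge(blob_b64):
    """Return the security-relevant parts of a base64 Type 2 message."""
    msg = base64.b64decode(blob_b64)
    if len(msg) < 48 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError("expected CHALLENGE_MESSAGE, got type %d" % msg_type)
    flags, = struct.unpack_from("<I", msg, 20)
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    result = {
        "flags": flags,
        "server_challenge": msg[24:32].hex(),   # the nonce the client signs
        "target_name": _payload(msg, 12).decode(codec),
        "target_info": {},
    }
    info, pos = _payload(msg, 40), 0
    while pos + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        pos += 4
        if av_id == 0:                          # MsvAvEOL ends the list
            break
        value = info[pos:pos + av_len]
        pos += av_len
        # AV_PAIR strings are UTF-16LE regardless of the UNICODE flag
        result["target_info"][AV_TEXT.get(av_id, "Av%d" % av_id)] = (
            value.decode("utf-16-le") if av_id in AV_TEXT else value.hex())
    return result


def proxy_authenticate(blob_b64, scheme="Negotiate"):
    """Challenge header the proxy must send (with a 407) to continue the handshake."""
    return "Proxy-Authenticate: %s %s" % (scheme, blob_b64)


def build_challenge(target_name, challenge, av_pairs, flags=0xa2898205):
    """Demo-only encoder for a Type 2 message; not Squid or helper code."""
    flags |= NEGOTIATE_VERSION | NEGOTIATE_UNICODE
    name = target_name.encode("utf-16-le")
    parts = []
    for av_id, text in av_pairs:
        enc = text.encode("utf-16-le")
        parts.append(struct.pack("<HH", av_id, len(enc)) + enc)
    parts.append(struct.pack("<HH", 0, 0))      # MsvAvEOL
    info = b"".join(parts)
    hdr_len = 56                                # 48 fixed bytes + Version
    hdr = (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
           + struct.pack("<HHI", len(name), len(name), hdr_len)
           + struct.pack("<I", flags) + challenge + bytes(8)      # Reserved
           + struct.pack("<HHI", len(info), len(info), hdr_len + len(name))
           + bytes([6, 1, 0, 0, 0, 0, 0, 0x0f]))                   # Version (arbitrary)
    return base64.b64encode(hdr + name + info).decode("ascii")


# Names and server challenge readable in the blobs quoted in the log above;
# the message itself is constructed here, not copied from the page.
SAMPLE_TT = build_challenge(
    "WIN2003R2", bytes.fromhex("4fb290c11c826322"),
    [(2, "WIN2003R2"), (1, "OPENSUSE11"),
     (4, "suse.home"), (3, "opensuse11.suse.home")])

if __name__ == "__main__":
    print(proxy_authenticate(SAMPLE_TT))
    for key, value in parse_challenge(SAMPLE_TT).items():
        print("%-17s %s" % (key, value))
```

Run as a script it prints the header line and the decoded fields. parse_challenge() raises ValueError for anything that is not a Type 2 message, and the TargetInfo it prints is a reminder that every challenge discloses internal NetBIOS and DNS names to whoever is on the path between client and proxy.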







[RFC] ssl-bump security bugs

2011-04-10 Thread Amos Jeffries
It has become clear that ssl-bump opens several nasty security 
vulnerabilities to networks using it.  Even putting aside the detail 
that it starts off life as a man-in-the-middle in the first place.



 * ssl-bump traffic is marked as "accel", even though it is not. This 
causes http_port vhost, vport and defaultsite to come into effect, along 
with MISS and cache-control overrides not available in forward or 
intercept proxy.


 * It is conceivable that the tunnel may be legitimately made to 
another proxy. This proxy will answer the cache_object:// requests 
intended for that remote one.


 * The decrypted requests are not re-encrypted when sent outbound. IIRC 
there were measures attempted to make this happen, but they seem to have 
been unsuccessful.



IMO these all stem from the lack of a distinct sslbump "mode" of 
operation and its leveraging accel mode flags to achieve some 
behaviours. Some of these flaws can be fixed with ssl-bump specific code 
which will be dangerous to accel, and some of the accel behaviours are 
dangerous for intercepted traffic. But the way to identify bumped 
traffic being the accel flag makes this overly difficult.


Alex, Christos:
  can you please point out the reasons for using accel mode? which 
areas need to have (accel|sslbump) tests added when moving to a 
dedicated sslbump mode flag?


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6


[PATCH] errpage option for proxy listening port

2011-04-10 Thread Amos Jeffries
Use getMyPort() to insert the forward-proxy listening port into error 
pages and deny_info redirect URLs. This fixes the current port 
hard-coding assumption in ERR_AGENT_CONFIGURE.


The %b option is added for this purpose as a temporary measure until the 
codes are merged with the more flexible log formatting set.


This depends on the getMyPort() alteration presented earlier for its 
accuracy. It may be used separately, but squid.conf then must have a 
particular http_port ordering with the forward-proxy port listed first.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
=== modified file 'errors/templates/ERR_AGENT_CONFIGURE'
--- errors/templates/ERR_AGENT_CONFIGURE	2010-03-16 23:53:33 +
+++ errors/templates/ERR_AGENT_CONFIGURE	2011-04-10 07:34:53 +
@@ -27,7 +27,7 @@
 For Firefox browsers go to:
 
 Tools -> Options -> Advanced -> Network -> Connection Settings
-In the HTTP proxy box type the proxy name %h and port 3128.
+In the HTTP proxy box type the proxy name %h and port %b.
 
 
 
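Review bot: with the companion tools.cc change, getMyPort() returns 0 when no plain forward-proxy http_port is configured, so this line (and the identical IE and Opera edits in the next two hunks) would then instruct the user to enter "port 0", where the old text at least named a plausible port. Either keep 3128 as a fallback inside the %b substitution when the lookup fails, or make the substitution produce something the template can present sensibly.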
@@ -35,7 +35,7 @@
 For Internet Explorer browsers go to:
 
 Tools -> Internet Options -> Connection -> LAN Settings ->Proxy
-In the HTTP proxy box type the proxy name %h and port 3128.
+In the HTTP proxy box type the proxy name %h and port %b.
 
 
 
@@ -43,7 +43,7 @@
 For Opera browsers go to:
 
 Tools -> Preferences -> Advanced -> Network -> Proxy Servers
-In the HTTP proxy box type the proxy name %h and port 3128.
+In the HTTP proxy box type the proxy name %h and port %b.
 
 
 

=== modified file 'src/errorpage.cc'
--- src/errorpage.cc	2011-03-16 09:29:40 +
+++ src/errorpage.cc	2011-04-10 07:33:40 +
@@ -670,6 +670,11 @@
 #endif
 p = "-";
 break;
+
+case 'b':
+mb.Printf("%d", getMyPort());
+break;
+
 case 'B':
 if (building_deny_info_url) break;
 p = request ? ftpUrlWith2f(request) : "[no URL]";
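Review bot: `case 'b'` writes the port straight into `mb` with `mb.Printf("%d", getMyPort())` and never assigns `p`, unlike the neighbouring cases that leave their text in `p` for the common append after the switch. The `'B'` case already breaks without setting `p` when building a deny_info URL, so an unset `p` is evidently tolerated, but it does mean a 0 return from getMyPort() on a misconfigured squid.conf is rendered as "0" in the page and in deny_info URLs; consider `if (getMyPort() > 0)` with a `p = "-";` fallback, matching how the preceding case signals "unknown". Separately, nothing in the patch documents the new %b code next to the other error-page codes, temporary or not.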



[PATCH] use forward-proxy port for internal URLs

2011-04-10 Thread Amos Jeffries
This alters the getMyPort() function to skip ports flagged for special 
mode handling (intercept, tproxy, accel) when generating internal URLs.


This allows us to lock down security on these special mode ports and 
still have an arbitrary position for the forward-proxy port. Prior to 
this only the first port was used, forcing an unnecessary configuration 
order.


Since it is now possible to have no port available for these URLs the 
fatal()/crash has been reduced to an annoying cache.log message. Port 0 
will be inserted into the URLs making them invalid.


For now this is only done on http_port entries. https_port has an 
incomplete merge of https_port_list/http_port_list which needs to be 
completed before it is easily done there.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
=== modified file 'src/tools.cc'
--- src/tools.cc	2011-04-08 00:12:34 +
+++ src/tools.cc	2011-04-10 07:11:42 +
@@ -1245,19 +1245,22 @@
 int
 getMyPort(void)
 {
-if (Config.Sockaddr.http)
-return Config.Sockaddr.http->s.GetPort();
+if (Config.Sockaddr.http) {
+// skip any special mode ports
+http_port_list *p = Config.Sockaddr.http;
+while(p->intercepted || p->accel || p->spoof_client_ip)
+p = p->next;
+if (p)
+return p->s.GetPort();
+}
 
 #if USE_SSL
-
 if (Config.Sockaddr.https)
 return Config.Sockaddr.https->http.s.GetPort();
-
 #endif
 
-fatal("No port defined");
-
-return 0;			/* NOT REACHED */
+debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
+return 0; // invalid port. This will result in invalid URLs on bad configurations.
 }
 
 /*
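Review bot: the skip loop dereferences `p` before checking it: `while(p->intercepted || p->accel || p->spoof_client_ip) p = p->next;` advances to `p->next`, and when the last configured http_port is itself a special-mode port that is NULL, so the next loop test dereferences NULL and the `if (p)` guard below is never reached. The NULL check belongs in the loop condition, e.g. `while (p && (p->intercepted || p->accel || p->spoof_client_ip))`. The https_port branch below still returns the first https_port unfiltered, which the message acknowledges; a one-line comment there would stop the asymmetry being read as an oversight.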