Re: [squid-users] 4.0.2: ALE missing URL
On 11/06/2015 04:36 PM, David Touzeau wrote: > > Hi > > I'm testing the new 4.0.2 version.. > Now i'm receive many errors like this in cache.log > > Whats wrong ? > > > 2015/11/07 00:33:16 kid1| ALE missing URL > 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object This may be a regression bug introduced by trunk r14351 (Support logformat %macros in external_acl_type format). AFAIK, those messages were added specifically to catch hard-to-find bugs like that. There is some logic in the code to limit the number of these messages, but, AFAICT, it does not work well for busy Squids: A worker doing 1000 requests per second might log ~100 messages per minute. Future releases may have less aggressive reporting if other developers agree that the current reporting is too aggressive and adjust the code. If you are seeing these messages, some of your ACLs may not work correctly. However, the messages are printed for missing fields that Squid can compute from other sources, so without call stack analysis you may not be able to tell which ACLs are not working, if any. If you want to help fixing this bug, please consider doing the following: 1. Add "assert(false);" line to showDebugWarning() in src/acl/FilledChecklist.cc. Any line within that method should work but placing it last, after the debugs() line, may work the best. This addition will _kill_ your Squid so do not use this in production or at least keep an unpatched binary around for a quick replacement! 2. Post gdb backtrace from the assertion in #1 to Bugzilla. Others may be able to provide you with more detailed instructions if you need them. Thank you, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] 4.0.2: ALE missing URL
Hi I'm testing the new 4.0.2 version.. Now i'm receive many errors like this in cache.log Whats wrong ? 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object 2015/11/07 00:33:16 kid1| ALE missing URL 2015/11/07 00:33:22 kid1| ALE missing adapted HttpRequest object best regards ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid3 Support for TLS 1.1 and TLS 1.2
I have been trying to bolster my pfsense systems and found one difficulty with squid3. I cant figure out how to allow for support of tls 1.1 and 1.2. It supports tls 1 of course but the new reports from qualys give a "C" for such. I am wondering if there is a way to add support for the newer TLS 1.1 and 1.2 to Squid3 reverse proxy. Can anyone help? Ben ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid XML message missing in response
Hello All, I'm literally running out of ideas how to troubleshoot the issue i am facing, so i would like to ask for the help of the experts. I'm running Squid Cache: Version 3.5.10 with no blocking of ACL's and is configured with parent proxy to CISCO WSA. When user's send a POST message in XML form to Squid, the destination site will reply with HTTP 200 OK with the XML form filled in with values to my parent proxy(CISCO WSA) and parent proxy also pass the same content to Squid proxy. However, when my squid proxy send the HTTP 200 OK reply to my client, the XML form is missing. Bypassing squid proxy and directly allowing my client to access CISCO WSA works perfectly fine. Bytes on wire for the return traffic shows like below: CISCO_WSA[sent 1214 bytes] --> SQUID_PROXY[received 1214 bytes] --> SQUID_PROXY[sent 490 bytes] --> Client Has anyone face the same issue as mine? Thanks for your help. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] authentication of every GET request from part of URL?
On 7/11/2015 1:33 a.m., Sreenath BH wrote: > Hi > I am very new to Squid, and think have a strange requirement. > We want to serve cached content only if the client has been > authenticated before. > Since we don't expect the client software to send any information in > headers, we embed a token in the URL that we present to the user. > Um, you know how sending username and password in plain-text Basic auth headers is supposed to be the worst form of security around? It's not quite. Sending credentials in the URL is worse. Even if its just an encoded token. Why are you avoiding actual HTTP authentication? Why be so actively hostile to every other cache in existence? > So when the client s/w uses this URL, we want to extract the token > from URL and do a small database query to ensure that the token is > valid. > > This is in accelerator mode. > Is it possible to use something similar to basic_fake_auth and put my > code there that does some database query? The "basic_..._auth" parts of that helpers name mean that it performs HTTP Basic authentication. The "fake" part means that it does not perform any kind of validation. All of the text above has been describing how you want to perform actions which are the direct opposite of everything basic_fake_auth does. > If the query fails, we don't return the cached content? What do you want to be delivered instead? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid3 Authentication Ldap AD
Above all good squid3 version 3.4.8 in the authentication parameter change for basic_ldap_auth and I'm having trouble making queries against Windows Active Directory, please help with this. Thank you very much for your attention. -- Rafael Maleta Fdez Informatico Direccion de Aseguramiento Ingeniero Centro de Isótopos (CENTIS) AEN - TA, CITMA Ave Monumental y Carr. La Rada, km 3½ San José de las Lajas, Mayabeque. Correo: mal...@centis.edu.cu Telf-(+53 7) 682 9563 al 70 (pizarra) Ext:110 "Vivo en la tierra de GNU/Linux, y en noches tranquilas puedo escuchar el sonido de las PC con windows reiniciando" ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid3 Authentication Ldap AD
On 7/11/2015 5:40 a.m., Rafael Maleta Fdez wrote: > Above all good > squid3 version 3.4.8 in the authentication parameter change for > basic_ldap_auth and I'm having trouble making queries against Windows > Active Directory, please help with this. > Thank you very much for your attention. > More details about the problem please. What change are you referring to? What is going wrong exactly? What have you looked at already? and what did that show? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid3 Authentication Ldap AD
The problem is that I want to authenticate the Windows domain users to authenticate to the squid, or reports that leave me with the ips users, so for that I need to authenticate my squid v3.4.8 on Windows Active Directory I'm doing queries to Active Directory and give me error root@debian:/home/rafael# ldapsearch -x -LLL -D "cn=admin2,cn=Users,dc=centis,dc=cu" -W -h 172.16.1.3 -b dc=centis,dc=cu "sAMAccountName=squid" Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece El 06/11/15 a las 11:58, Amos Jeffries escribió: On 7/11/2015 5:40 a.m., Rafael Maleta Fdez wrote: Above all good squid3 version 3.4.8 in the authentication parameter change for basic_ldap_auth and I'm having trouble making queries against Windows Active Directory, please help with this. Thank you very much for your attention. More details about the problem please. What change are you referring to? What is going wrong exactly? What have you looked at already? and what did that show? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users -- Rafael Maleta Fdez Informatico Direccion de Aseguramiento Ingeniero Centro de Isótopos (CENTIS) AEN - TA, CITMA Ave Monumental y Carr. La Rada, km 3½ San José de las Lajas, Mayabeque. Correo: mal...@centis.edu.cu Telf-(+53 7) 682 9563 al 70 (pizarra) Ext:110 "Vivo en la tierra de GNU/Linux, y en noches tranquilas puedo escuchar el sonido de las PC con windows reiniciando" ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid XML message missing in response
[ NP: please start a new thread instead of replying to others posts. It screws up the web archives, and those of us using threads to manage the issues open/solved status. Thank you. ] On 7/11/2015 2:41 a.m., lei X wrote: > > Hello All, > > I'm literally running out of ideas how to troubleshoot the issue i am > facing, so i would like to ask for the help of the experts. > > I'm running Squid Cache: Version 3.5.10 with no blocking of ACL's and > is configured with parent proxy to CISCO WSA. When user's send a > POST message in XML form to Squid, the destination site will reply > with HTTP 200 OK with the XML form filled in with values to my parent > proxy(CISCO WSA) and parent proxy also pass the same content to Squid > proxy. However, when my squid proxy send the HTTP 200 OK reply to my > client, the XML form is missing. > > Bypassing squid proxy and directly allowing my client to access CISCO > WSA works perfectly fine. > Bytes on wire for the return traffic shows like below: > > CISCO_WSA[sent 1214 bytes] --> SQUID_PROXY[received 1214 bytes] --> > SQUID_PROXY[sent 490 bytes] --> Client > > Has anyone face the same issue as mine? > Not for a very long time. Back then it was a server sending responses that said it had no payload attached. You can set "debug_options All,0 11,2" in squid.conf to get a cache.log trace of the HTTP message headers going through Squid. If you can post here the headers titled "HTTP Server REPLY" which are coming in from the Cisco on these transactions it would help us debug with you. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid3 Support for TLS 1.1 and TLS 1.2
Hi, On Fri, Nov 06, Fullyrealized LLC wrote: > I have been trying to bolster my pfsense systems and found one > difficulty with squid3. I cant figure out how to allow for support of > tls 1.1 and 1.2. It supports tls 1 of course but the new reports from > qualys give a "C" for such. I am wondering if there is a way to add > support for the newer TLS 1.1 and 1.2 to Squid3 reverse proxy. Can > anyone help? it depends on you openssl version. If you use an old 0.9.x version tls1.1 and above is not supported. You have to use openssl 1.x.x to get support for it. -- regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid/NTLM Auth
I ran a couple of packet captures and I seen the 407 from the proxy back to the client and the corresponding NTLMSSP_AUTH from the client back to the proxy with my DOMAIN\USER. After this is some Kerberos traffic and then the 407 pops up again. Thanks, Keith -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Monday, October 26, 2015 4:24 PM To: Keith White; squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid/NTLM Auth On 24/10/2015 1:44 a.m., Keith White wrote: > I changed around the DNS servers and still no luck. This also popped > up in the log > > Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper. > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > AuthorizedUsers = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access#3 = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access = -1 async > 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating > user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL > NT_STATUS_UNSUCCESSFUL; }} > 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. > Auth::UserRequest '0x12c1f10'. > IIRC that BH response happens when the helper gets a type-3 token without having been part of the handshake dance that led up to it. The helpers are stateful and the same one needs to be part of the whole handshake. That can happen if the connection is closed for some reasons after the type-2 token is sent, and the client is brokenly continuing on a new connection (Firefox is known to do that, others might too). The connection is allowed to close after the initial 407 challenge. Some clients are broken and require that to happen - which is where the "auth_param ntlm keep_alive off" setting helps. But not once the type-2 token is sent on the second 407. Squid should be enforcing a persistent TCP connection from then onwards. The nextstep is to look at either the HTTP messages or the TCP packet level to find out what (if anything) is closing the connection between the type-2 and type-3 token messages thats probably your problem. Amos This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith. Click http://www.merckgroup.com/disclaimer to access the German, French, Spanish and Portuguese versions of this disclaimer. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] authentication of every GET request from part of URL?
Hi I am very new to Squid, and think have a strange requirement. We want to serve cached content only if the client has been authenticated before. Since we don't expect the client software to send any information in headers, we embed a token in the URL that we present to the user. So when the client s/w uses this URL, we want to extract the token from URL and do a small database query to ensure that the token is valid. This is in accelerator mode. Is it possible to use something similar to basic_fake_auth and put my code there that does some database query? If the query fails, we don't return the cached content? Basically what I am looking for is ability to execute some script for every request. Any tips greatly appreciated. thanks, Sreenath ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid/NTLM Auth
I ran some additional tests with ntlm_auth ntlm_auth --usernameworks ntlm_auth --helper-protocol=squid-2.5-ntlmssp yields BH SPNEGO request invalid prefix Thanks, Keith -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Monday, October 26, 2015 4:24 PM To: Keith White; squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid/NTLM Auth On 24/10/2015 1:44 a.m., Keith White wrote: > I changed around the DNS servers and still no luck. This also popped > up in the log > > Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper. > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > AuthorizedUsers = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access#3 = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access = -1 async > 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating > user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL > NT_STATUS_UNSUCCESSFUL; }} > 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. > Auth::UserRequest '0x12c1f10'. > IIRC that BH response happens when the helper gets a type-3 token without having been part of the handshake dance that led up to it. The helpers are stateful and the same one needs to be part of the whole handshake. That can happen if the connection is closed for some reasons after the type-2 token is sent, and the client is brokenly continuing on a new connection (Firefox is known to do that, others might too). The connection is allowed to close after the initial 407 challenge. Some clients are broken and require that to happen - which is where the "auth_param ntlm keep_alive off" setting helps. But not once the type-2 token is sent on the second 407. Squid should be enforcing a persistent TCP connection from then onwards. The nextstep is to look at either the HTTP messages or the TCP packet level to find out what (if anything) is closing the connection between the type-2 and type-3 token messages thats probably your problem. Amos This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith. Click http://www.merckgroup.com/disclaimer to access the German, French, Spanish and Portuguese versions of this disclaimer. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users