Re: [squid-users] 4.0.2: ALE missing URL

2015-11-06 Thread Alex Rousskov 
On 11/06/2015 04:36 PM, David Touzeau wrote:
> 
> Hi
> 
> I'm testing the new 4.0.2 version..
> Now i'm receive many errors like this in cache.log
> 
> Whats wrong ?
> 
> 
> 2015/11/07 00:33:16 kid1| ALE missing URL
> 2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object


This may be a regression bug introduced by trunk r14351 (Support
logformat %macros in external_acl_type format). AFAIK, those messages
were added specifically to catch hard-to-find bugs like that.

There is some logic in the code to limit the number of these messages,
but, AFAICT, it does not work well for busy Squids: A worker doing 1000
requests per second might log ~100 messages per minute. Future releases
may have less aggressive reporting if other developers agree that the
current reporting is too aggressive and adjust the code.


If you are seeing these messages, some of your ACLs may not work
correctly. However, the messages are printed for missing fields that
Squid can compute from other sources, so without call stack analysis you
may not be able to tell which ACLs are not working, if any.


If you want to help fixing this bug, please consider doing the following:

1. Add "assert(false);" line to showDebugWarning() in
src/acl/FilledChecklist.cc. Any line within that method should work but
placing it last, after the debugs() line, may work the best. This
addition will _kill_ your Squid so do not use this in production or at
least keep an unpatched binary around for a quick replacement!

2. Post gdb backtrace from the assertion in #1 to Bugzilla.

Others may be able to provide you with more detailed instructions if you
need them.


Thank you,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] 4.0.2: ALE missing URL

2015-11-06 Thread David Touzeau 


Hi

I'm testing the new 4.0.2 version..
Now i'm receive many errors like this in cache.log

Whats wrong ?


2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object
2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object
2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object
2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:16 kid1| ALE missing adapted HttpRequest object
2015/11/07 00:33:16 kid1| ALE missing URL
2015/11/07 00:33:22 kid1| ALE missing adapted HttpRequest object

best regards
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Squid3 Support for TLS 1.1 and TLS 1.2

2015-11-06 Thread Fullyrealized LLC 
I have been trying to bolster my pfsense systems and found one difficulty with 
squid3. I cant figure out how to allow for support of tls 1.1 and 1.2. It 
supports tls 1 of course but the new reports from qualys give a "C" for such. I 
am wondering if there is a way to add support for the newer TLS 1.1 and 1.2 to 
Squid3 reverse proxy. Can anyone help?


Ben



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid XML message missing in response

2015-11-06 Thread lei X 




Hello All,
 
I'm literally running out of ideas how to troubleshoot the issue i am facing, 
so i would like to ask for the help of the experts.
 
I'm running Squid Cache: Version 3.5.10 with no blocking of ACL's and is 
configured with parent proxy to CISCO WSA.   When user's send a POST message in 
XML form to Squid, the destination site will reply with HTTP 200 OK with the 
XML form filled in with values to my parent proxy(CISCO WSA) and parent proxy 
also pass the same content to Squid proxy.  However, when my squid proxy send 
the HTTP 200 OK reply to my client, the XML form is missing.
 
Bypassing squid proxy and directly allowing my client to access CISCO WSA works 
perfectly fine.
 
Bytes on wire for the return traffic shows like below:
 
CISCO_WSA[sent 1214 bytes] --> SQUID_PROXY[received 1214 bytes] --> 
SQUID_PROXY[sent 490 bytes] --> Client
 
Has anyone face the same issue as mine?
 
Thanks for your help.
 
 
 

  ___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] authentication of every GET request from part of URL?

2015-11-06 Thread Amos Jeffries 
On 7/11/2015 1:33 a.m., Sreenath BH wrote:
> Hi
> I am very new to Squid, and think have a strange requirement.
> We want to serve cached content only if the client has been
> authenticated before.
> Since we don't expect the client software to send any information in
> headers, we embed a token in the URL that we present to the user.
> 

Um, you know how sending username and password in plain-text Basic auth
headers is supposed to be the worst form of security around?

It's not quite. Sending credentials in the URL is worse. Even if its
just an encoded token.

Why are you avoiding actual HTTP authentication?

Why be so actively hostile to every other cache in existence?


> So when the client s/w uses this URL, we want to extract the token
> from URL and do a small database query to ensure that the token is
> valid.
> 
> This is in accelerator mode.
> Is it possible to use something similar to basic_fake_auth and put my
> code there that does some database query?

The "basic_..._auth" parts of that helpers name mean that it performs
HTTP Basic authentication.

The "fake" part means that it does not perform any kind of validation.

All of the text above has been describing how you want to perform
actions which are the direct opposite of everything basic_fake_auth does.


> If the query fails, we don't return the cached content?

What do you want to be delivered instead?


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Squid3 Authentication Ldap AD

2015-11-06 Thread Rafael Maleta Fdez 

Above all good
squid3 version 3.4.8 in the authentication parameter change for 
basic_ldap_auth and I'm having trouble making queries against Windows 
Active Directory, please help with this.

Thank you very much for your attention.

--
Rafael Maleta Fdez
Informatico
Direccion de Aseguramiento Ingeniero
Centro de Isótopos (CENTIS)
AEN - TA, CITMA
Ave Monumental y Carr. La Rada, km 3½
San José de las Lajas, Mayabeque.
Correo: mal...@centis.edu.cu
Telf-(+53 7) 682 9563 al 70 (pizarra) Ext:110

"Vivo en la tierra de GNU/Linux, y en noches tranquilas puedo escuchar
el sonido de las PC con windows reiniciando"


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid3 Authentication Ldap AD

2015-11-06 Thread Amos Jeffries 
On 7/11/2015 5:40 a.m., Rafael Maleta Fdez wrote:
> Above all good
> squid3 version 3.4.8 in the authentication parameter change for
> basic_ldap_auth and I'm having trouble making queries against Windows
> Active Directory, please help with this.
> Thank you very much for your attention.
> 

More details about the problem please.

What change are you referring to?

What is going wrong exactly?

What have you looked at already? and what did that show?


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid3 Authentication Ldap AD

2015-11-06 Thread Rafael Maleta Fdez 
The problem is that I want to authenticate the Windows domain users to 
authenticate to the squid, or reports that leave me with the ips users, 
so for that I need to authenticate my squid v3.4.8 on Windows Active 
Directory I'm doing queries to Active Directory and give me error



root@debian:/home/rafael# ldapsearch -x -LLL -D 
"cn=admin2,cn=Users,dc=centis,dc=cu" -W -h 172.16.1.3 -b dc=centis,dc=cu 
"sAMAccountName=squid"

Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: 
AcceptSecurityContext error, data 525, vece



El 06/11/15 a las 11:58, Amos Jeffries escribió:

On 7/11/2015 5:40 a.m., Rafael Maleta Fdez wrote:

Above all good
squid3 version 3.4.8 in the authentication parameter change for
basic_ldap_auth and I'm having trouble making queries against Windows
Active Directory, please help with this.
Thank you very much for your attention.


More details about the problem please.

What change are you referring to?

What is going wrong exactly?

What have you looked at already? and what did that show?


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


--
Rafael Maleta Fdez
Informatico
Direccion de Aseguramiento Ingeniero
Centro de Isótopos (CENTIS)
AEN - TA, CITMA
Ave Monumental y Carr. La Rada, km 3½
San José de las Lajas, Mayabeque.
Correo: mal...@centis.edu.cu
Telf-(+53 7) 682 9563 al 70 (pizarra) Ext:110

"Vivo en la tierra de GNU/Linux, y en noches tranquilas puedo escuchar
el sonido de las PC con windows reiniciando"


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid XML message missing in response

2015-11-06 Thread Amos Jeffries 
[ NP: please start a new thread instead of replying to others posts. It
screws up the web archives, and those of us using threads to manage the
issues open/solved status. Thank you. ]

On 7/11/2015 2:41 a.m., lei X wrote:
> 
> Hello All,
> 
> I'm literally running out of ideas how to troubleshoot the issue i am
> facing, so i would like to ask for the help of the experts.
> 
> I'm running Squid Cache: Version 3.5.10 with no blocking of ACL's and
> is configured with parent proxy to CISCO WSA.   When user's send a
> POST message in XML form to Squid, the destination site will reply
> with HTTP 200 OK with the XML form filled in with values to my parent
> proxy(CISCO WSA) and parent proxy also pass the same content to Squid
> proxy.  However, when my squid proxy send the HTTP 200 OK reply to my
> client, the XML form is missing.
> 
> Bypassing squid proxy and directly allowing my client to access CISCO
> WSA works perfectly fine.
> Bytes on wire for the return traffic shows like below:
>  
> CISCO_WSA[sent 1214 bytes] --> SQUID_PROXY[received 1214 bytes] --> 
> SQUID_PROXY[sent 490 bytes] --> Client
>  
> Has anyone face the same issue as mine?
>  

Not for a very long time. Back then it was a server sending responses
that said it had no payload attached.

You can set "debug_options All,0 11,2" in squid.conf to get a cache.log
trace of the HTTP message headers going through Squid. If you can post
here the headers titled "HTTP Server REPLY" which are coming in from the
Cisco on these transactions it would help us debug with you.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid3 Support for TLS 1.1 and TLS 1.2

2015-11-06 Thread Dieter Bloms 
Hi,

On Fri, Nov 06, Fullyrealized LLC wrote:

> I have been trying to bolster my pfsense systems and found one
> difficulty with squid3. I cant figure out how to allow for support of
> tls 1.1 and 1.2. It supports tls 1 of course but the new reports from
> qualys give a "C" for such. I am wondering if there is a way to add
> support for the newer TLS 1.1 and 1.2 to Squid3 reverse proxy. Can
> anyone help?

it depends on you openssl version.
If you use an old 0.9.x version tls1.1 and above is not supported.
You have to use openssl 1.x.x to get support for it.

-- 
regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid/NTLM Auth

2015-11-06 Thread Keith White 
I ran a couple of packet captures and I seen the 407 from the proxy back to the 
client and the corresponding NTLMSSP_AUTH from the client back to the proxy 
with my DOMAIN\USER. After this is some Kerberos traffic and then the 407 pops 
up again.

Thanks,

Keith



-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, October 26, 2015 4:24 PM
To: Keith White ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid/NTLM Auth

On 24/10/2015 1:44 a.m., Keith White wrote:
> I changed around the DNS servers and still no luck.  This also popped
> up in the log
>
> Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> AuthorizedUsers = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#3 = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access = -1 async
> 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating
> user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
> NT_STATUS_UNSUCCESSFUL; }}
> 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. 
> Auth::UserRequest '0x12c1f10'.
>

IIRC that BH response happens when the helper gets a type-3 token without 
having been part of the handshake dance that led up to it. The helpers are 
stateful and the same one needs to be part of the whole handshake.

That can happen if the connection is closed for some reasons after the
type-2 token is sent, and the client is brokenly continuing on a new connection 
(Firefox is known to do that, others might too).

The connection is allowed to close after the initial 407 challenge. Some 
clients are broken and require that to happen - which is where the "auth_param 
ntlm keep_alive off" setting helps.

But not once the type-2 token is sent on the second 407. Squid should be 
enforcing a persistent TCP connection from then onwards.

The nextstep is to look at either the HTTP messages or the TCP packet level to 
find out what (if anything) is closing the connection between the type-2 and 
type-3 token messages thats probably your problem.

Amos



This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient, you 
must not copy this message or attachment or disclose the contents to any other 
person. If you have received this transmission in error, please notify the 
sender immediately and delete the message and any attachment from your system. 
Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept 
liability for any omissions or errors in this message which may arise as a 
result of E-Mail-transmission or for damages resulting from any unauthorized 
changes of the content of this message and any attachment thereto. Merck KGaA, 
Darmstadt, Germany and any of its subsidiaries do not guarantee that this 
message is free of viruses and does not accept liability for any damages caused 
by any virus transmitted therewith.



Click http://www.merckgroup.com/disclaimer to access the German, French, 
Spanish and Portuguese versions of this disclaimer.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] authentication of every GET request from part of URL?

2015-11-06 Thread Sreenath BH 
Hi
I am very new to Squid, and think have a strange requirement.
We want to serve cached content only if the client has been
authenticated before.
Since we don't expect the client software to send any information in
headers, we embed a token in the URL that we present to the user.

So when the client s/w uses this URL, we want to extract the token
from URL and do a small database query to ensure that the token is
valid.

This is in accelerator mode.
Is it possible to use something similar to basic_fake_auth and put my
code there that does some database query?
If the query fails, we don't return the cached content?

Basically what I am looking for is ability to execute some script for
every request.

Any tips greatly appreciated.

thanks,
Sreenath
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid/NTLM Auth

2015-11-06 Thread Keith White 
I ran some additional tests with ntlm_auth

ntlm_auth --usernameworks
ntlm_auth --helper-protocol=squid-2.5-ntlmssp

yields BH SPNEGO request invalid prefix

Thanks,

Keith


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, October 26, 2015 4:24 PM
To: Keith White ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid/NTLM Auth

On 24/10/2015 1:44 a.m., Keith White wrote:
> I changed around the DNS servers and still no luck.  This also popped
> up in the log
>
> Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> AuthorizedUsers = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#3 = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access = -1 async
> 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating
> user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
> NT_STATUS_UNSUCCESSFUL; }}
> 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. 
> Auth::UserRequest '0x12c1f10'.
>

IIRC that BH response happens when the helper gets a type-3 token without 
having been part of the handshake dance that led up to it. The helpers are 
stateful and the same one needs to be part of the whole handshake.

That can happen if the connection is closed for some reasons after the
type-2 token is sent, and the client is brokenly continuing on a new connection 
(Firefox is known to do that, others might too).

The connection is allowed to close after the initial 407 challenge. Some 
clients are broken and require that to happen - which is where the "auth_param 
ntlm keep_alive off" setting helps.

But not once the type-2 token is sent on the second 407. Squid should be 
enforcing a persistent TCP connection from then onwards.

The nextstep is to look at either the HTTP messages or the TCP packet level to 
find out what (if anything) is closing the connection between the type-2 and 
type-3 token messages thats probably your problem.

Amos



This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient, you 
must not copy this message or attachment or disclose the contents to any other 
person. If you have received this transmission in error, please notify the 
sender immediately and delete the message and any attachment from your system. 
Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept 
liability for any omissions or errors in this message which may arise as a 
result of E-Mail-transmission or for damages resulting from any unauthorized 
changes of the content of this message and any attachment thereto. Merck KGaA, 
Darmstadt, Germany and any of its subsidiaries do not guarantee that this 
message is free of viruses and does not accept liability for any damages caused 
by any virus transmitted therewith.



Click http://www.merckgroup.com/disclaimer to access the German, French, 
Spanish and Portuguese versions of this disclaimer.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users