Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
Hi,

On 16.11.2015 19:51, Matej Kotras wrote:
> Thank you for your response, as this is my first try with Squid, and
> fairly newb in Linux.
> I do not understand at all differences between basic/ntlm/gss-spnego
> auths so I will do my homework and read about them. I've managed to
> get this working after few weeks of "trial and error" method (I know,
> I know, but I gotta start somewhere rite) following multiple guides.
>
The usual issue with all those copy/paste tutorials is that they tend to
teach how to do everything at once, instead of moving from simple things
to more difficult ones. This order of simplicity/difficulty is the
following:

- adding Basic authentication, all authenticated users are authorized to
use proxy
- adding NTLM authentication, all authenticated users are authorized to
use proxy
- adding group-based authorization, authenticated users are authorized
to use proxy based on the group membership, using a simple helper like
squid_group_ldap
- adding GSS-SPNEGO authentication
- adding full-fledged GSS-SPNEGO group authorization helper.

You can try my article,
http://squidquotas.hq.norma.perm.ru/squid-auth.shtml. Though it's not
perfect and still lacks the last two steps, at least it tries to follow
that approach.

Eugene.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Delay Pools Parameters

2015-11-16 Thread Yuri Voinov

16.11.15 20:49, Tecnología CHARNE.NET wrote:
> Hello!
>
> I'm configuring delay pools on squid 3.5
>
> I don't understand online doc
>
> [http://www.squid-cache.org/Versions/v3/3.5/cfgman/delay_parameters.html] about
> delay_parameters
>
> 
> "Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
>   8 x  8000 KByte/sec ->  64Kbit/sec.
>   8 x   600 Byte/sec  -> 4800bit/sec.
> "
> 
>
> It should be
>
> 8 x 32000 KByte/sec -> 256000Kbits/sec
>
> or
>
> 8 x 32KByte/sec -> 256 Kbit/sec
>
>
> What I am missing??
You have forgotten to read fine manuals first.




Re: [squid-users] Slow read for ICAP REQMOD body

2015-11-16 Thread David Smith
Thanks Alex.

I'd much rather not write my own but for *reasons* I need an implementation 
that runs on .NET and I couldn't find one.
I only need a pretty small subset of the protocol.

Both those bugs are for squid >= 3.5. I'm on 3.3.8

Perhaps I should try a more recent version.



Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Rafael Akchurin
Hello Matej, Eugene,

Hope our humble tutorial for Squid <-> Active Directory integration with 
Kerberos SSO, Basic(LDAP) auth is also useful - 
http://docs.diladele.com/administrator_guide_4_3/active_directory/index.html 
No NTLM though!!!

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy




Re: [squid-users] Slow read for ICAP REQMOD body

2015-11-16 Thread Yuri Voinov

I think it's better to ask this question on the c-icap list, not on the Squid one.

Also take a look at a typical Squid ICAP-related config:

http://vgy.me/6xrcxK.png

As you can see, this _always_ uses reqmod_precache. Why do you think that is? :)

16.11.15 20:30, David Smith wrote:
> Hi,
>
> I'm in the middle of writing an ICAP server.
> Reading the encapsulated body of a REQMOD message from Squid is taking
> 300ms. Reading the ICAP headers / HTTP headers is extremely quick.
> When I send a test message to the server it takes under 30ms so I
> don't think this is my implementation (obviously wouldn't rule it out)
>
> The squid server is 3.3.8 running in a docker container.
> The request to the squid server is over https and the squid proxy is
> set up for SSL interception.
>
> Does this look suspiciously slow?
> I would guess this is probably my squid configuration or possibly
> something to do with the docker container.
> If it is slow any suggestions what to do next?
>
> Thanks,
> Dave.



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Eugene M. Zheganin
Hi.

On 16.11.2015 18:46, dol...@ihcrc.org wrote:
>
> Squid Version:  Squid 3.4.8
>
> OS Version:  Debian 8 (8.2)
>
>  
>
> I have installed Squid on a server using Debian 8 and seem to have the
> basics operating, at least when I start the squid service, I am
> no longer getting any error messages.  At this time, the goal is to
> authenticate users from Active Directory and log the user and the
> websites they are accessing.
>
>  
>
> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
> workstation to use the Squid proxy, I am getting the log in page
> (image below).
>
>  
>
> [image001.png attachment: screenshot of the proxy login prompt]
>
>  
>
> I have tried entering my user name in various forms EXAMPLE/USERID,
> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I
> have not been successful at this time.
>
>  
>
> I have attached the squid.conf, smb.conf, krb5.conf, and access.log
> files for review.  If you would like to see the cache.log file, please
> contact me as the file is too large to include in this post.
>
>  
>
>
I suggest you first get Basic and NTLM working with Active Directory,
and only then, having these 2 schemes working, move to the
GSS-SPNEGO scheme. This is because the GSS-SPNEGO scheme is overcomplicated
and difficult to debug, as it uses lots of components and can fall apart
easily at any stage.

Eugene.


Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
On 16.11.2015 14:29, Matej Kotras wrote:
> Hi guys
>
> I've managed squid to work with AD, and authorize users based on what
> AD group they are in. I use Squid-Analyzer for doing reports from
> access.log. I've found 2 anomalies with authorization so far. In
> access log, I see that user is authorized based on his PC name(not
> desired) and not on the user account name. I've just enabled debugging
> on negotiate wrapper, so I will monitor these logs also.
>
> But in the meantime, have you got any idea why could this happen ?
>
> *PC NAME AUTH:*
> 1447562119.348  0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
> clients2.google.com:443  -
> HIER_NONE/- text/html
> 1447562119.374  2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
> clients2.google.com:443  -
> HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
> clients2.google.com:443  icz800639-03$
> HIER_DIRECT/173.194.116.231  -
>
> *USER NAME AUTH:*
> 1447562039.176  0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
> lyncwebext.inventec.com:443  -
> HIER_NONE/- text/html
> 1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
> lyncwebext.inventec.com:443  -
> HIER_NONE/- text/html
> 1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
> lyncwebext.inventec.com:443 
> icz800639 HIER_DIRECT/10.8.100.165  -
Doesn't seem like you have a working GSS-SPNEGO scheme, unless you have
username fields in the log with the realm set, which you didn't post here.

>
>
> *Squid.conf*
> #
> #Enable KERBEROS authentication#
> #
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos
> /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
>
> #
> #Enable NTLM authentication#
> #
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off
So you disabled explicit NTLM authentication. That's bad. So far
you only have GSS-SPNEGO failover to NTLM.
>
>
> #
> # ENABLE LDAP AUTH#
> #
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
> "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt
> -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour
This is pure basic.
>
> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
> children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
The part with http_access is missing, so it's hard to tell why you have
TCP_MISS for machine accounts.

Eugene.
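Eugene's first post in this thread lists the order in which to build this up (Basic first, then NTLM, then group-based authorization, and only then GSS-SPNEGO), and this reply points out that the http_access part, which is what actually turns the helpers into an allow/deny decision, is missing from the posted configuration. The squid.conf fragment below is an added illustration of the first three of those steps wired together with http_access; it is not Matej's configuration and not from the thread. The helper paths are the ones in Matej's posted config and vary by distribution; the domain, bind account, domain controller host, password file and the AD group name "InternetUsers" are placeholders.

```conf
# --- Step 1: Basic authentication against AD over LDAP ---
# Placeholders: dc=example,dc=test, squid@example.test, dc1.example.test.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=example,dc=test" -D squid@example.test -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc1.example.test
auth_param basic children 10
auth_param basic realm Proxy authentication required
auth_param basic credentialsttl 1 hour

# --- Step 2: explicit NTLM authentication (not only as a GSS-SPNEGO fallback) ---
# Placeholder domain: EXAMPLE. Squid offers the schemes in the order they appear here.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

# Any user who authenticated with either scheme matches this ACL.
acl authenticated proxy_auth REQUIRED

# Checkpoint for steps 1 and 2: every authenticated user may use the proxy.
# While verifying that checkpoint, use this rule instead of the group rule below:
# http_access allow authenticated

# --- Step 3: group-based authorization ---
# %LOGIN hands the authenticated user name to the helper; the group to test for
# is the ACL argument. "InternetUsers" is a placeholder group name.
external_acl_type ad_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl internet_users external ad_group InternetUsers

# http_access ties it together: clients without credentials get a 407 challenge
# (the external ACL needs %LOGIN), group members are allowed, everyone else is denied.
http_access allow internet_users
http_access deny all
```

Order matters here in two places: the auth_param lines decide which schemes the proxy offers, and the http_access lines are evaluated top to bottom, so a permissive "allow authenticated" left in place above the group rule would make the group check unreachable. Checking access.log after each step (the user column should show real account names, not machine accounts ending in "$") is the quickest way to confirm the step before adding the next one.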


Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Matej Kotras
Thank you for your response, as this is my first try with Squid, and fairly
newb in Linux.
I do not understand at all differences between basic/ntlm/gss-spnego auths
so I will do my homework and read about them. I've managed to get this
working after few weeks of "trial and error" method (I know, I know, but I
gotta start somewhere rite) following multiple guides.

The commented lines are not supposed to be here, sorry. I've been testing
log outputs and functionality of auth helpers when commenting some. I
attach my squid.conf in email.

Thank you

On Mon, Nov 16, 2015 at 3:19 PM, Eugene M. Zheganin 
wrote:

> On 16.11.2015 14:29, Matej Kotras wrote:
>
> Hi guys
>
> I've managed squid to work with AD, and authorize users based on what AD
> group they are in. I use Squid-Analyzer for doing reports from access.log.
> I've found 2 anomalies with authorization so far. In access log, I see that
> user is authorized based on his PC name(not desired) and not on the user
> account name. I've just enabled debugging on negotiate wrapper, so I will
> monitor these logs also.
>
> But in the meantime, have you got any idea why could this happen ?
>
> *PC NAME AUTH:*
> 1447562119.348  0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
> clients2.google.com:443 - HIER_NONE/- text/html
> 1447562119.374  2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
> clients2.google.com:443 - HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
> clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
>
> *USER NAME AUTH:*
> 1447562039.176  0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
> lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
> lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
> lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
>
> Does't seem like you have working GSS-SPNEGO scheme. Unless you have
> username fields in log with realm set which yyou didn't post here.
>
>
>
> *Squid.conf*
> #
> # Enable KERBEROS authentication #
> #
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s
> GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
>
> #
> # Enable NTLM authentication #
> #
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off
>
> So you disable the explicit NTLM authentication. That's bad. This far you
> only have GSS-SPNEGO failover to NTLM.
>
>
>
> #
> # ENABLE LDAP AUTH #
> #
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
> "dc=icz,dc=inventec" -D squid@icz.inventec -W
> /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour
>
> This is pure basic.
>
>
> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
> children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
> The part with http_access is missing, it's hard to tell why you have
> TCP_MISS for machine accounts.
>
> Eugene.
>


[attachment: squid.conf]


Re: [squid-users] Delay Pools Parameters

2015-11-16 Thread Yuri Voinov

Feel free to read Squid Wiki:

http://wiki.squid-cache.org/Features/DelayPools

16.11.15 20:49, Tecnología CHARNE.NET wrote:
> Hello!
>
> I'm configuring delay pools on squid 3.5
>
> I don't understand online doc
>
> [http://www.squid-cache.org/Versions/v3/3.5/cfgman/delay_parameters.html] about
> delay_parameters
>
> 
> "Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
>   8 x  8000 KByte/sec ->  64Kbit/sec.
>   8 x   600 Byte/sec  -> 4800bit/sec.
> "
> 
>
> It should be
>
> 8 x 32000 KByte/sec -> 256000Kbits/sec
>
> or
>
> 8 x 32KByte/sec -> 256 Kbit/sec
>
>
> What I am missing??
>
> Thanks in advance.
>
>
> Javier.-



[squid-users] Slow read for ICAP REQMOD body

2015-11-16 Thread David Smith
Hi,

I'm in the middle of writing an ICAP server.
Reading the encapsulated body of a REQMOD message from Squid is taking 300ms. 
Reading the ICAP headers / HTTP headers is extremely quick.
When I send a test message to the server it takes under 30ms so I don't think 
this is my implementation (obviously wouldn't rule it out)

The squid server is 3.3.8 running in a docker container.
The request to the squid server is over https and the squid proxy is set up 
for SSL interception.

Does this look suspiciously slow?
I would guess this is probably my squid configuration or possibly something to 
do with the docker container.
If it is slow any suggestions what to do next?

Thanks,
Dave.





Re: [squid-users] Delay Pools Parameters

2015-11-16 Thread Antony Stone
> 16.11.15 20:49, Tecnología CHARNE.NET пишет:
> > Hello!
> > 
> > I'm configuring delay pools on squid 3.5
> > 
> > I don't understand online doc
> > [http://www.squid-cache.org/Versions/v3/3.5/cfgman/delay_parameters.html]
> > about delay_parameters
> > 
> > 
> > "Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
> >   8 x  8000 KByte/sec ->  64Kbit/sec.
> >   8 x   600 Byte/sec  -> 4800bit/sec.
> > "
> > 
> > 
> > It should be
> > 
> > 8 x 32000 KByte/sec -> 256000Kbits/sec
> > or
> > 8 x 32KByte/sec -> 256 Kbit/sec
> > 
> > What I am missing??

On Monday 16 November 2015 at 15:51:14, Yuri Voinov wrote:

> You have forgotten to read fine manuals first.

On Monday 16 November 2015 at 15:53:00, Yuri Voinov wrote:

> Feel free to read Squid Wiki:
> 
> http://wiki.squid-cache.org/Features/DelayPools



I think this is a little unfair on the original poster.

The arithmetic in the documentation does appear to be incorrect - look at the 
units:

If 8 x 600 bytes per second = 4800 bits per second (which seems reasonable to 
me)

then how can

8 x 8000 kilobytes per second = 64 kilobits per second

and 8 x 32000 kilobytes per second = 256 kilobits per second?

The multiplication by 8 is to convert from bytes to bits.

The units (X per second, or kilo-X per second) should not change.

Therefore I believe the correct calculations should be:

8 x 32000 bytes per second = 256000 bits per second = 256 kilobits per second
8 x 8000 bytes per second = 64000 bits per second = 64 kilobits per second
8 x 600 bytes per second = 4800 bits per second

Note the omission of "kilobytes per second" from the first column of numbers.


Regards,


Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Slow read for ICAP REQMOD body

2015-11-16 Thread Alex Rousskov
On 11/16/2015 07:30 AM, David Smith wrote:

> I’m in the middle of writing an ICAP server.

If you are not too far along down this path, consider writing an adapter
for one of the existing ICAP servers and/or eCAP. ICAP is far more
complex than it seems, and, in most cases, reinventing that [complex]
wheel is a bad idea. I am a biased ICAP server seller, and your YMMV,
but I have seen too many folks suffer through such projects to resist
commenting.


> Reading the encapsulated body of a REQMOD message from Squid is taking
> 300ms. Reading the ICAP headers / HTTP headers is extremely quick.

Could it be Squid bug 4353?

  http://bugs.squid-cache.org/show_bug.cgi?id=4353
  http://bugs.squid-cache.org/show_bug.cgi?id=4206


HTH,

Alex.



Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-16 Thread Alex Rousskov
On 11/15/2015 11:13 PM, Eugene M. Zheganin wrote:
> On 16.11.2015 00:39, Alex Rousskov wrote:
>> Squid currently supports two kinds of CONNECT tunnels:
>>
>> 1. A regular opaque tunnel, as intended by HTTP specifications.
>>
>> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>>
>> Opaque tunnels are the default. Optional SslBump-related features allow
>> the admin to designate admin-selected CONNECT tunnels for HTTPS
>> inspections (of various depth). This distinction explains why and when
>> Squid expects "HTTPS inside".


> Seems like the lack of understanding is my main problem. I read
> Peek/Splice article in wiki on an on, but I just cannot catch it:
> 
> - are the sslBump directives evaluated in order and does the order
> matter (I assume it does) ?

Yes and yes. This is described in squid.conf.documented IIRC.


> - (the most difficult thing to understand) I just cannot understand the
> "step1" approach. I can understand splice/bump thing - it's like we
> splice or we bump. I cannot understand other stepX-related actions, what
> they do and when do I need'em (and when I do not).

The wiki describes what each step and each action does. I understand
that those descriptions may not be sufficient. Better documentation is
welcomed, and you are encouraged to ask specific questions to provide
that "better documentation" to yourself and others. You are in a better
position to improve documentation than I am!


> - I cannot understand what is the relation between http_access and
> sslBump, and I assume there is one.

This is poorly documented indeed. For some additional info, see Squid
bug 4340 summary: http://bugs.squid-cache.org/show_bug.cgi?id=4340


> When I first discovered sslBump I
> thought I will be able to block HTTP objects inside HTTPS session - like
> pictures, or particular scripts, or particular MIME types, and it seems
> like I was able to do that, 

Sure, you can block messages inside a bumped inspected tunnel. Once the
tunnel is bumped (not spliced!), it works almost like a regular HTTP
message stream (but there are exceptions like authentication and peer
selection).

Most difficulties are related to blocking tunnelling attempts
themselves. In other words, blocking CONNECT messages (at various
bumping stages before the tunnel is bumped).


> For example this number of directives is straightforward:
> 
> ===Cut===
> acl foo dst 192.168.0.1
> acl bar dst 192.168.0.2
> 
> sslBump bump foo
> sslBump splice bar
> ===Cut===
> 
> It's one dst we bump and the other we splice.

The above configuration is not as "straightforward" as you might think:

* If you are dealing with real CONNECT requests (not intercepted
tunnels), a real CONNECT request may be for a host name and Squid will
need to look up the IP address. This may affect dst matching.

* You did not tell Squid what to do when neither dst matches. There were
bugs in this area. The latest Squids should splice (but if you add more
ssl_bump rules, they may affect the default action). IIRC, this is
described in squid.conf.documented.

* Bumping (even at step1) requires SSL/TLS validations of various kinds.
Those validations may lead to errors.

* Bumping at step1 may be subject to the following Squid bug:
  http://bugs.squid-cache.org/show_bug.cgi?id=4327


> Can you describe a situation when I need to peek or stare?

You need to peek or stare if you need SSL/TLS handshake information to
make a final bump/splice/terminate/block decision. For example,

* Your ACLs need host names, not IP addresses. Even in a forwarding
environment (i.e., real CONNECT requests), host names may not be
available without peeking or staring (or reverse DNS lookups, but those
are rarely reliable).

* Your ACLs need origin server certificate details.

* You do not want to splice connections to origin servers that have
revoked SSL certificates.


HTH,

Alex.
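Alex's answers above (ssl_bump rules are evaluated in order, the configuration should say what happens when nothing matches, and peek or stare is needed whenever the decision depends on TLS handshake data such as the server name) are easiest to see in a small rule set. The fragment below is an added illustration for Squid 3.5, not a configuration from the thread or from Alex; the two domain names are placeholders.

```conf
# at_step ACLs match the SslBump stage Squid is currently in.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites we never want to decrypt. A server-name ACL cannot match at step 1,
# because only the CONNECT target (or intercepted IP:port) is known there;
# the TLS server name arrives with the client hello at step 2.
# Placeholder domains for illustration.
acl no_inspect ssl::server_name .bank.example.test .health.example.test

# Stage 1: peek, i.e. read the client hello without committing to bump or splice.
ssl_bump peek step1

# Stage 2: the client hello (SNI) is now available, so ssl::server_name can match.
# Pass the listed sites through as opaque tunnels, decrypt everything else.
ssl_bump splice no_inspect
ssl_bump bump all
```

The last rule is the explicit default Alex asks for: without it, whether an unmatched tunnel is spliced or bumped depends on Squid's fallback behaviour for the version in use. Using ssl::server_name instead of dst also sidesteps the point about CONNECT requests naming a host that Squid must resolve before a dst ACL can match. Bumping after a peek at step 1 is the usual pattern; peeking again at step 2 (to see the origin certificate) restricts what Squid can do afterwards, so consult squid.conf.documented for the version in use before extending this to step 3 decisions.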


Re: [squid-users] Delay Pools Parameters

2015-11-16 Thread Tecnologia Charne.Net
>> Feel free to read Squid Wiki:
>> http://wiki.squid-cache.org/Features/DelayPools
> I think this is a little unfair on the original poster.
>
> The arithmetic in the documentation does appear to be incorrect - look at the 
> units:
>
> [...]

> Therefore I believe the correct calculations should be:
>
> 8 x 32000 bytes per second = 256000 bits per second = 256 kilobits per second
> 8 x 8000 bytes per second = 64000 bits per second = 64 kilobits per second
> 8 x 600 bytes per second = 4800 bits per second
>
> Note the omission of "kilobytes per second" from the first column of numbers.
>
>
> Regards,


I arrive at the same conclusion and agree that the documentation in
http://www.squid-cache.org/Doc/config/delay_parameters/ has some mistakes.

Thanks for your time, Antony!


Re: [squid-users] Delay Pools Parameters

2015-11-16 Thread Amos Jeffries
On 17/11/2015 7:51 a.m., Tecnologia Charne.Net wrote:
>>> Feel free to read Squid Wiki:
>>> http://wiki.squid-cache.org/Features/DelayPools
>> I think this is a little unfair on the original poster.
>>


Yes, the document the original poster was reading *was* the fine manual :-P


>> The arithmetic in the documentation does appear to be incorrect - look at 
>> the 
>> units:
>>
>> [...]
> 
>> Therefore I believe the correct calculations should be:
>>
>> 8 x 32000 bytes per second = 256000 bits per second = 256 kilobits per second
>> 8 x 8000 bytes per second = 64000 bits per second = 64 kilobits per second
>> 8 x 600 bytes per second = 4800 bits per second
>>
>> Note the omission of "kilobytes per second" from the first column of numbers.
>>
>>
>> Regards,
> 
> 
> I arrive to the same conclussion and agree that documentation in
> http://www.squid-cache.org/Doc/config/delay_parameters/ has some mistakes.
> 
> Thanks for your time, Antony!
> 

Mea culpa. Fixing that now.

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Amos Jeffries
On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> On 16.11.2015 18:46, dolson wrote:
>>
>> Squid Version:  Squid 3.4.8
>>
>> OS Version:  Debian 8 (8.2)
>>
>> I have installed Squid on a server using Debian 8 and seem to have the basics 
>> operating, at least when I start the squid service, I am no longer 
>> getting any error messages.  At this time, the goal is to authenticate users 
>> from Active Directory and log the user and the websites they are accessing.
>>
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>> workstation to use the Squid proxy, I am getting the log in page (image 
>> below).
>>
>> [image001.png attachment: screenshot of the proxy login prompt]
>>
>> I have tried entering my user name in various forms EXAMPLE/USERID, USERID, 
>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I have not been 
>> successful at this time.
>>
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files 
>> for 
>> review.  If you would like to see the cache.log file, please contact me as 
>> the 
>> file is too large to include in this post.
>>
>>
> I suggest you first get Basic and NTLM working with Active Directory, and only 
> then, having these 2 schemes working, move to the GSS-SPNEGO scheme. This is 
> because the GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it 
> uses lots of components and can fall apart easily at any stage.
> 

I suggest also using a current Firefox release. I am finding the 4x's
series work a lot better than the earlier 3x's did on Windows 7.

Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything
worse. If you are able to avoid using it at all and to actively turn
NTLM off around your network the Kerberos side of things will work better.

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Rafael Akchurin
Hello all,

If I am not terribly mistaken when you have a Kerberos auth scheme active - you 
are actually using SSO - i.e. when everything is configured normally you should 
*never* see the popup box - the fact that you see it means Kerberos is not 
working.

What I would check first is that you set your browser to use the proxy *by 
FQDN* and not by IP as you seem to (see the proxy address at screenshot). I 
would humbly recommend to check the trouble shooting checklist we have on our 
site - 
http://docs.diladele.com/administrator_guide_4_3/active_directory/troubleshooting.html

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Monday, November 16, 2015 9:18 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the 
browser

On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> On 16.11.2015 18:46, dolson wrote:
>>
>> Squid Version:  Squid 3.4.8
>>
>> OS Version:  Debian 8 (8.2)
>>
>> I have installed Squid on a server using Debian 8 and seem to have 
>> the basics operating, at least when I start the squid service, I am 
>> no longer getting any error messages.  At this time, the goal is 
>> to authenticate users from Active Directory and log the user and the 
>> websites they are accessing.
>>
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>> workstation to use the Squid proxy, I am getting the log in page (image 
>> below).
>>
>>
>> I have tried entering my user name in various forms EXAMPLE/USERID, 
>> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I 
>> have not been successful at this time.
>>
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log 
>> files for review.  If you would like to see the cache.log file, 
>> please contact me as the file is too large to include in this post.
>>
>>
> I suggest you first get Basic and NTLM working with Active Directory, 
> and only then, having these 2 schemes working, move to the 
> GSS-SPNEGO scheme. This is because the GSS-SPNEGO scheme is 
> overcomplicated and difficult to debug, as it uses lots of components and can 
> fall apart easily at any stage.
> 

I suggest also using a current Firefox release. I am finding the 4x's series 
work a lot better than the earlier 3x's did on Windows 7.

Kerberos also uses the USER@DOMAIN format for user labeling. Sending it Basic 
(USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything worse. If 
you are able to avoid using it at all and to actively turn NTLM off around your 
network the Kerberos side of things will work better.

Amos



Re: [squid-users] How To Deploy Squid Proxy Connection For External Use?

2015-11-16 Thread Amos Jeffries
On 17/11/2015 10:10 a.m., Casey Stellar wrote:
> Hello,
> 
> I've managed to get Squid working on my PC using localhost:8080. I'm now
> trying to learn setting it up for deployment for external clients. The only
> tutorials I could find demonstrate setting up for local network..
> 

Please explain what you actually want to do and display what your
squid.conf currently contains.

Amos



[squid-users] How To Deploy Squid Proxy Connection For External Use?

2015-11-16 Thread Casey Stellar
Hello,

I've managed to get Squid working on my PC using localhost:8080. I'm now
trying to learn setting it up for deployment for external clients. The only
tutorials I could find demonstrate setting up for local network..


Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Amos Jeffries
On 16/11/2015 10:29 p.m., Matej Kotras wrote:
> Hi guys
> 
> I've managed to get squid working with AD, and authorize users based on what AD
> group they are in. I use Squid-Analyzer for doing reports from access.log.
> I've found 2 anomalies with authorization so far. In the access log, I see that
> a user is authorized based on his PC name (not desired) and not on the user
> account name. I've just enabled debugging on the negotiate wrapper, so I will
> monitor these logs also.
> 
> But in the meantime, have you got any idea why this could happen?

Not everything is about users. Machines use the network too.

This is why we are very careful to use the term "client" to describe the
entity making an HTTP request of Squid.

Sometimes a client is a user, sometimes it is a machine acting on a
user's instructions, sometimes it is a machine acting for itself.

Amos



Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Amos Jeffries
On 17/11/2015 4:48 a.m., Eugene M. Zheganin wrote:
> Hi,
> 
> On 16.11.2015 19:51, Matej Kotras wrote:
>> Thank you for your response, as this is my first try with Squid, and
>> fairly newb in Linux.
>> I do not understand at all differences between basic/ntlm/gss-spnego
>> auths so I will do my homework and read about them. I've managed to
>> get this working after few weeks of "trial and error" method (I know,
>> I know, but I gotta start somewhere rite) following multiple guides.
>>
> The usual issue with all those copy/paste tutorials is that they tend to
> teach how to do everything at once, instead of moving from simple things
> to more difficult ones. This order of simplicity/difficulty is the
> following:
> 
> - adding Basic authentication, all authenticated users are authorized to
> use proxy
> - adding NTLM authentication, all authenticated users are authorized to
> use proxy
> - adding group-based authorization, authenticated users are authorized
> to use proxy based on the group membership, using a simple helper like
> squid_group_ldap
> - adding GSS-SPNEGO authentication
> - adding full-fledged GSS-SPNEGO group authorization helper.
> 
> You can try my article,
> http://squidquotas.hq.norma.perm.ru/squid-auth.shtml. Though it's not
> perfect and still lacks two last steps, at least it tries to follow that
> approach.

Unfortunately it is not quite as simple as that.

The difference between the PC-NAME vs USER-LABEL logins is whether the
particular client software has access to the Windows Integrated
Authentication credentials or not. Whether that machine is registered to
the DOMAIN, or the User account is logged in specifically under their
own name, or a service account on the machine. And whether the software
is actually being used by a "user".

Notice how I avoid the word "username" - since that is not applicable.
Only the account label as passed in the auth tokens is seen by Squid's
part of the authentication. As you have noticed machines do traffic too,
users are not always involved.


One might also want to follow the simple Config examples provided in the
Squid wiki. They are carefully restricted to documenting only one
task at a time, not going into unrelated feature configuration that the
author was interested in.

Negotiate/Kerberos only:


NTLM (with Basic backup for non-NTLM clients):


Full Windows AD integration. (Negotiate/Kerberos, Negotiate/NTLM, NTLM,
and Basic):



PS. Eugene, your section on "Add remaining permissions" is wrong and
suggests a very broken configuration be done. Squid needs *read*
permission and that is done with unix group membership not by editing
the pipe itself. Please have a read of our NTLM+Basic examples' section
on Winbind privileges. Doing it the right way allows Samba to manage its
pipe properly.

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Amos Jeffries
On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version:  Squid 3.4.8
>>>
>>> OS Version:  Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have the 
>>> basics operating, at least when I start the squid service, I am no longer 
>>> getting any error messages.  At this time, the goal is to authenticate 
>>> users from Active Directory and log the user and the websites they are 
>>> accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>>> workstation to use the Squid proxy, I am getting the log in page (image 
>>> below).
>>>
>>>
>>> I have tried entering my user name in various forms EXAMPLE/USERID, USERID, 
>>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I have not been 
>>> successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files 
>>> for 
>>> review.  If you would like to see the cache.log file, please contact me as 
>>> the 
>>> file is too large to include in this post.
>>>
>>>
>> I suggest you first get Basic and NTLM working with Active Directory, and 
>> only then, having these 2 schemes working, move to the GSS-SPNEGO scheme. 
>> This is because the GSS-SPNEGO scheme is overcomplicated and difficult to 
>> debug, as it uses lots of components and can fall apart easily at any stage.
>>
> 
> I suggest also using a current Firefox release. I am finding the 4x's
> series work a lot better than the earlier 3x's did on Windows 7.
> 
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
> Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> 
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
> 

Also, since you are using what looks to be an outdated copy-n-paste of
the Squid official wiki article on Windows AD integration, not the
living-document original itself, you missed seeing one critical detail
about winbind bugs on Debian that came to light a few months back.


or


Amos



Re: [squid-users] affinity session load balancing

2015-11-16 Thread Antony Stone
On Monday 16 November 2015 at 12:17:49, Patrick Chemla wrote:

> Hi,
> 
> This is exactly the problem.
> 
> When users connect to the application, they go through the squid, then
> reach a login page where they enter login/passwd.
> 
> The application creates cookies including a PHPSESSION cookie.
> 
> Can squid use such cookie?

I do not believe Squid can do session-affinity load balancing based on cookies 
(but I'm happy to be corrected by anyone who knows better).

You may be better off using Apache in proxy/balancing mode: 
https://httpd.apache.org/docs/trunk/mod/mod_proxy_balancer.html

https://opensourcehacker.com/2011/04/15/sticky/


Regards,


Antony.

> On 16/11/2015 12:49, Antony Stone wrote:
> > On Monday 16 November 2015 at 11:32:31, Patrick Chemla wrote:
> >> I am doing load balancing as sourcehash, so on IP source.
> >> 
> >> The problem is that about 80% of clients come from the same IP, so I
> >> have a highly loaded backend, while other are sleeping.
> >> 
> >> So whatever you call it, on haproxy they call it session affinity LB,
> >> my need is to use a round-robin load balancing, but, very important,
> >> each user should always be directed to the same backend.
> > 
> > So, the question remains "how do you identify a session?" (or maybe you
> > could rephrase it as "how do you identify a user?").
> > 
> >> Can we do that with squid? avoiding user login on squid (userhash is not
> >> convenient)?
> > 
> > You've already said that source IP is not a reliable indication of the
> > user (and this is very often true anyway), so what additional
> > information exists in the requests to identify a session / user?
> > 
> > Without knowing what application you're dealing with, we can't guess this
> > for ourselves.
> > 
> > Regards,
> > 
> > 
> > Antony.
> > 
> >> On 16/11/2015 11:41, Antony Stone wrote:
> >>> On Monday 16 November 2015 at 10:35:39, Patrick Chemla wrote:
>  Hi,
>  
>  I am using squid for years, maybe with basic features, and I have a
>  problem today with an app where I need to manage multiple backends, be
>  sure that a user is always sent to the same one because the app writes
>  on local disk, and I have 80% users coming from same IP.
> >>> 
> >>> Is this Squid operating in accelerator mode (in front of the server/s)
> >>> or in proxying mode (being used by the clients)?
> >>> 
>  So I need to load balance, not on the source IP, and I can't have a
>  login on squid to identify each user, because it will create a double
>  connection procedure with the application login.
> >>> 
> >>> How does the app distinguish between different clients *without* Squid
> >>> being involved?
> >>> 
>  Is there a way that squid will recognize a new connection, maybe same
>  IP, and load balance it to any backend using round-robin? some
>  affinity session load balancing?
> >>> 
> >>> The first thing needed to answer that is a definition of "session".
> >>> 
> >>> 
> >>> Regards,
> >>> 
> >>> Antony.
> 

-- 
I own three Windows books, published by O'Reilly.   They are "Windows 
Annoyances", "Office 97 Annoyances" and "Windows 98 Annoyances".   That pretty 
much sums it up for me.

   Please reply to the list;
 please *don't* CC me.
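To make the point of this thread concrete, here is an added example (not Squid, Apache or haproxy code, and not from any poster): it replays constructed requests through two backend choosers, hashing the client address the way sourcehash does, and a sticky route carried in the session cookie, which is the scheme Apache mod_proxy_balancer's stickysession/route options implement. The backend names, client addresses and cookie values are all made up for the example; eight of the ten requests come from one NAT address, like the 80% case described above.

```python
"""Session affinity vs. source-IP hashing (added example for the thread)."""
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

BACKENDS = ["be1", "be2", "be3"]          # hypothetical backend names

# Constructed requests: (client address, session cookie or None before login).
# The cookie carries a ".<route>" suffix appended by the backend that created
# the session, so the proxy can send later requests back to that backend
# (the convention mod_proxy_balancer uses; a plain random PHPSESSID would not
# tell the proxy which backend holds the on-disk state).
REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.5", "s1.be2"), ("203.0.113.5", "s2.be1"), ("203.0.113.5", "s3.be3"),
    ("203.0.113.5", "s4.be2"), ("203.0.113.5", "s5.be1"), ("203.0.113.5", "s6.be3"),
    ("203.0.113.5", "s7.be2"), ("203.0.113.5", "s8.be1"),
    ("198.51.100.7", "s9.be3"), ("192.0.2.9", None),
]

Chooser = Callable[[str, Optional[str], Sequence[str]], str]


def pick_by_hash(key: str, backends: Sequence[str]) -> str:
    """Deterministic key -> backend mapping (Python's salted hash() is not stable)."""
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def pick_sourcehash(client_ip: str, cookie: Optional[str], backends: Sequence[str]) -> str:
    """sourcehash-style choice: every client behind one NAT lands on one backend."""
    return pick_by_hash(client_ip, backends)


def pick_sticky(client_ip: str, cookie: Optional[str], backends: Sequence[str]) -> str:
    """Route on the session cookie's suffix; fall back to sourcehash without one.

    The route is validated against the configured members, so a client that
    edits its own cookie cannot steer the proxy to an arbitrary host.
    """
    if cookie and "." in cookie:
        route = cookie.rsplit(".", 1)[1]
        if route in backends:
            return route
    return pick_by_hash(client_ip, backends)


def distribution(requests: Sequence[Tuple[str, Optional[str]]],
                 chooser: Chooser, backends: Sequence[str]) -> Dict[str, int]:
    """Requests per backend under the given chooser."""
    counts = Counter(chooser(ip, cookie, backends) for ip, cookie in requests)
    return {b: counts.get(b, 0) for b in backends}


if __name__ == "__main__":
    print("sourcehash:", distribution(REQUESTS, pick_sourcehash, BACKENDS))
    print("sticky    :", distribution(REQUESTS, pick_sticky, BACKENDS))
```

Under sourcehash the eight NAT requests all land on a single backend; under the sticky chooser they spread across all three, and a request that has no session yet falls back to the address hash until the backend issues a cookie with its route.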


Re: [squid-users] Slow read for ICAP REQMOD body

2015-11-16 Thread Eliezer Croitoru

On 16/11/2015 17:13, David Smith wrote:
> Thanks Alex.
> 
> I'd much rather not write my own but for *reasons* I need an implementation 
> that runs on .NET and I couldn't find one.
> I only need a pretty small subset of the protocol.
> 
> Both those bugs are for squid >= 3.5. I'm on 3.3.8
> 
> Perhaps I should try a more recent version.


This is a good starter.
But just be aware that bug 4353 exists on the most recent squid 3.5.11.

All The Bests,
Eliezer


Re: [squid-users] affinity session load balancing

2015-11-16 Thread Antony Stone
On Monday 16 November 2015 at 10:35:39, Patrick Chemla wrote:

> Hi,
> 
> I am using squid for years, maybe with basic features, and I have a
> problem today with an app where I need to manage multiple backends, be
> sure that a user is always sent to the same one because the app writes
> on local disk, and I have 80% users coming from same IP.

Is this Squid operating in accelerator mode (in front of the server/s) or in 
proxying mode (being used by the clients)?

> So I need to load balance, not on the source IP, and I can't have a
> login on squid to identify each user, because it will create a double
> connection procedure with the application login.

How does the app distinguish between different clients *without* Squid being 
involved?

> Is there a way that squid will recognize a new connection, maybe same IP,
> and load balance it to any backend using round-robin? some affinity
> session load balancing?

The first thing needed to answer that is a definition of "session".


Regards,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] affinity session load balancing

2015-11-16 Thread Patrick Chemla

Hi Antony,

Thanks for your answer.

Actually, I am doing load balancing as sourcehash, so on IP source.

The problem is that about 80% of clients come from the same IP, so I 
have a highly loaded backend, while others are sleeping.


So whatever you call it, on haproxy they call it session affinity LB,  
my need is to use a round-robin load balancing, but, very important, 
each user should always be directed to the same backend.


Can we do that with squid? avoiding user login on squid (userhash is not 
convenient)?


Patrick

On 16/11/2015 11:41, Antony Stone wrote:
> On Monday 16 November 2015 at 10:35:39, Patrick Chemla wrote:
> 
>> Hi,
>> 
>> I am using squid for years, maybe with basic features, and I have a
>> problem today with an app where I need to manage multiple backends, be
>> sure that a user is always sent to the same one because the app writes
>> on local disk, and I have 80% users coming from same IP.
> 
> Is this Squid operating in accelerator mode (in front of the server/s) or in
> proxying mode (being used by the clients)?
> 
>> So I need to load balance, not on the source IP, and I can't have a
>> login on squid to identify each user, because it will create a double
>> connection procedure with the application login.
> 
> How does the app distinguish between different clients *without* Squid being
> involved?
> 
>> Is there a way that squid will recognize a new connection, maybe same IP,
>> and load balance it to any backend using round-robin? some affinity
>> session load balancing?
> 
> The first thing needed to answer that is a definition of "session".
> 
> 
> Regards,
> 
> Antony.





Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-16 Thread Yuri Voinov



16.11.15 12:00, Eugene M. Zheganin writes:
> Hi.
> 
> On 16.11.2015 00:14, Yuri Voinov wrote:
>> 
>> It's common knowledge. Squid is unable to pass an unknown protocol on
>> the standard port. Consequently, the ability to proxy this protocol does
>> not exist.
>> 
>> If it was simply a tunneling ... It is not https. And not just
>> HTTP-over-443. This is a more complicated and very marginal protocol.
> 
> I'm really sorry to tell you that, but you are perfectly wrong. These
> non-HTTPS tunnels have been working for years. And this isn't HTTPS
> because of:
Eugene, you don't understand me. I told you that this is 
non-HTTPS-over-443-port. And this is well-known information.

The problem is: now Squid doesn't know how to operate these tunnels.

> # openssl s_client -connect login.icq.com:443
> CONNECTED(0003)
> 34379270680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 297 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> Eugene.
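The openssl s_client run quoted above fails with "unknown protocol" because the bytes that come back on port 443 are not a TLS record at all, which is exactly what a proxy intercepting port 443 has to detect before it treats a connection as HTTPS. The following is an added example, not Squid code and not from any poster, of that first-bytes check; every sample byte string is constructed for the example and none is a capture of the ICQ service.

```python
"""Tell a TLS record apart from other traffic on port 443 (added example)."""
from typing import Dict

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES: Dict[int, str] = {
    20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data",
}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
MAX_RECORD_LEN = 16384 + 2048   # TLSPlaintext limit plus allowed cipher expansion
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ", b"HTTP/")


def classify_first_bytes(buf: bytes) -> str:
    """Classify the first bytes read from a connection.

    Returns "tls-<type>" for a plausible TLS record header, "http" for clear
    text HTTP, "short" if fewer than five bytes are available and "unknown"
    otherwise. A TLS record starts with a content type (20..23), a version
    byte pair 0x03 0x0N and a 16-bit length within the protocol limit; for a
    handshake record the sixth byte is the handshake message type.
    """
    if len(buf) < 5:
        return "short"
    ctype, vmajor, vminor = buf[0], buf[1], buf[2]
    length = int.from_bytes(buf[3:5], "big")
    if (ctype in TLS_CONTENT_TYPES and vmajor == 3 and vminor <= 4
            and 0 < length <= MAX_RECORD_LEN):
        if ctype == 22 and len(buf) >= 6:
            return "tls-" + HANDSHAKE_TYPES.get(buf[5], "handshake")
        return "tls-" + TLS_CONTENT_TYPES[ctype]
    if buf.startswith(HTTP_STARTS):
        return "http"
    return "unknown"


# Constructed samples. The two hello records carry consistent lengths: record
# length 0xc8 (200) with handshake length 0xc4 (196 = 200 - 4), and 0x4a (74)
# with 0x46 (70). The alert is fatal(2)/handshake_failure(40). The "binary"
# sample is an arbitrary preamble, not any real protocol's framing.
SAMPLES: Dict[str, bytes] = {
    "client_hello": bytes.fromhex("16030100c8010000c40303"),
    "server_hello": bytes.fromhex("160303004a020000460303"),
    "alert": bytes.fromhex("15030300020228"),
    "http": b"CONNECT login.icq.com:443 HTTP/1.1\r\n",
    "binary": bytes(range(8)),
    "short": b"\x16\x03",
}


def classify_samples() -> Dict[str, str]:
    """Run the classifier over every constructed sample."""
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```

A peek at the first five or six bytes is enough to decide whether a TLS handshake can be attempted at all; anything that classifies as "unknown" is the case Yuri describes, and the only safe options for it are to tunnel it untouched or to refuse it, never to feed it to the TLS layer.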


[squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Matej Kotras
Hi guys

I've managed to get squid working with AD, and authorize users based on what AD
group they are in. I use Squid-Analyzer for doing reports from access.log.
I've found 2 anomalies with authorization so far. In the access log, I see that
a user is authorized based on his PC name (not desired) and not on the user
account name. I've just enabled debugging on the negotiate wrapper, so I will
monitor these logs also.

But in the meantime, have you got any idea why this could happen?

*PC NAME AUTH:*
1447562119.348  0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374  2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -

*USER NAME AUTH:*
1447562039.176  0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -


*Squid.conf*
#
# Enable KERBEROS authentication #
#

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off


#
# Enable NTLM authentication #
#

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ
#auth_param ntlm children 10
#auth_param ntlm keep_alive off


#
# ENABLE LDAP AUTH #
#

auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
"dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f
sAMAccountName=%s -h icz-dc-1.icz.inventec
auth_param basic children 10
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour

external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl



Thank you
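The access.log excerpts above show the point Amos makes in his replies: the "user" column carries whatever account label the authentication scheme supplied, and a computer account (icz800639-03$) looks like a login to any report that does not check for it. Below is an added example, not Squid code and not from any poster's configuration, that parses native-format access.log lines, separates computer-account requests from user requests, and normalizes the three label shapes Amos lists (Basic USERID, NTLM DOMAIN\USERID or DOMAIN/USERID, Kerberos USER@REALM) into one canonical form such as a group-lookup helper would need. The sample log is the six lines quoted above re-joined onto single lines, plus two invented lines with a Kerberos-style and an NTLM-style label; the NetBIOS-to-realm table is constructed for the example.

```python
"""Classify the credential label column of Squid access.log lines (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the six lines quoted in the message, re-joined onto single
# lines (the mail client had wrapped them), plus two invented lines showing a
# Kerberos-style and an NTLM-style label.
SAMPLE_LOG = """\
1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
1447562100.000    310 10.13.34.40 TCP_MISS/200 5120 CONNECT www.example.com:443 jdoe@ICZ.INVENTEC HIER_DIRECT/192.0.2.10 -
1447562101.000    250 10.13.34.41 TCP_MISS/200 4096 CONNECT www.example.com:443 ICZ\\jdoe HIER_DIRECT/192.0.2.10 -
"""

# Constructed NetBIOS-domain to Kerberos-realm table for this example only.
NETBIOS_TO_REALM = {"ICZ": "ICZ.INVENTEC"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format access.log line into its ten fields."""
    fields = line.split()
    if len(fields) != 10:
        return None
    keys = ("ts", "elapsed", "client", "result", "bytes",
            "method", "url", "user", "hier", "type")
    return dict(zip(keys, fields))


def classify_label(label: str) -> Tuple[str, Optional[str], str]:
    """Return (kind, domain, account) for the access.log user column.

    kind is "none" for "-" (no credentials yet; the TCP_DENIED/407 rows are the
    normal challenge round-trips, not failed logins), "machine" for a Windows
    computer account (the account name ends in "$"), and "user" otherwise.
    """
    if label == "-":
        return ("none", None, "")
    account, domain = label, None
    if "@" in account:                        # Kerberos: USER@REALM
        account, domain = account.rsplit("@", 1)
    else:                                     # NTLM: DOMAIN\USER or DOMAIN/USER
        for sep in ("\\", "/"):
            if sep in account:
                domain, account = account.split(sep, 1)
                break
    kind = "user"
    if account.endswith("$"):
        kind, account = "machine", account[:-1]
    return (kind, domain.upper() if domain else None, account)


def canonical(label: str, netbios_to_realm: Dict[str, str] = NETBIOS_TO_REALM) -> str:
    """Map any label shape to account@REALM (bare account when no domain is known)."""
    kind, domain, account = classify_label(label)
    if kind == "none":
        return "-"
    if domain is None:
        return account
    return f"{account}@{netbios_to_realm.get(domain, domain)}"


def summarize(log_text: str) -> Dict[str, int]:
    """Count requests by label kind; unparsable lines are counted separately."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify_label(rec["user"])[0]] += 1
    return dict(counts)


def machine_account_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, hostname, url) for each request authenticated by a computer account."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            kind, _, account = classify_label(rec["user"])
            if kind == "machine":
                out.append((rec["client"], account, rec["url"]))
    return out
```

On the sample, summarize() reports four unauthenticated challenge rows, one computer-account request and three user requests, and machine_account_requests() returns the one row a reporting tool should list separately from people. The canonical() form is what a single group-authorization helper would key on, so that the same person matches the same AD group whichever scheme logged them in.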


[squid-users] affinity session load balancing

2015-11-16 Thread Patrick Chemla

Hi,

I am using squid for years, maybe with basic features, and I have a 
problem today with an app where I need to manage multiple backends, be 
sure that a user is always sent to the same one because the app writes 
on local disk, and I have 80% users coming from same IP.


So I need to load balance, not on the source IP, and I can't have a 
login on squid to identify each user, because it will create a double 
connection procedure with the application login.


Is there a way that squid will recognize a new connection, maybe same IP, 
and load balance it to any backend using round-robin? some affinity 
session load balancing?


Thanks
Patrick



Re: [squid-users] affinity session load balancing

2015-11-16 Thread Antony Stone
On Monday 16 November 2015 at 11:32:31, Patrick Chemla wrote:

> I am doing load balancing as sourcehash, so on IP source.
> 
> The problem is that about 80% of clients come from the same IP, so I
> have a highly loaded backend, while other are sleeping.
> 
> So whatever you call it, on haproxy they call it session affinity LB,
> my need is to use a round-robin load balancing, but, very important,
> each user should always be directed to the same backend.

So, the question remains "how do you identify a session?" (or maybe you could 
rephrase it as "how do you identify a user?").

> Can we do that with squid? avoiding user login on squid (userhash is not
> convenient)?

You've already said that source IP is not a reliable indication of the user 
(and this is very often true anyway), so what additional information exists in 
the requests to identify a session / user?

Without knowing what application you're dealing with, we can't guess this for 
ourselves.

Regards,


Antony.

> On 16/11/2015 11:41, Antony Stone wrote:
> > On Monday 16 November 2015 at 10:35:39, Patrick Chemla wrote:
> >> Hi,
> >> 
> >> I am using squid for years, maybe with basic features, and I have a
> >> problem today with an app where I need to manage multiple backends, be
> >> sure that a user is always sent to the same one because the app writes
> >> on local disk, and I have 80% users coming from same IP.
> > 
> > Is this Squid operating in accelerator mode (in front of the server/s) or
> > in proxying mode (being used by the clients)?
> > 
> >> So I need to load balance, not on the source IP, and I can't have a
> >> login on squid to identify each user, because it will create a double
> >> connection procedure with the application login.
> > 
> > How does the app distinguish between different clients *without* Squid
> > being involved?
> > 
> >> Is there a way that squid will recognize a new connection, maybe same IP,
> >> and load balance it to any backend using round-robin? some affinity
> >> session load balancing?
> > 
> > The first thing needed to answer that is a definition of "session".
> > 
> > 
> > Regards,
> > 
> > Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.