Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
On 08/01/16 18:36, Amos Jeffries wrote:
> But you do want to block all of http://good.site/bad\.url.* right?
>
> Otherwise the malware can get around the protection trivially just by
> adding a meaningless suffix to it.

You are totally right - good catch :-)

>
> With all the scraping are you also filtering for duplicates and reducing
> multiple URLs in one doman down to fewer entries?

Yeah - no dupes - but no manual reading to figure out patterns
either. That would take a human eye - and I want set-and-forget automation.

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Amos Jeffries
On 8/01/2016 9:48 a.m., Jason Haar wrote:
> On 08/01/16 01:56, Marcus Kool wrote:
>> Can you explain what the huge number of regexes is used for ? 
> Malware URLs. I'm scraping them from publicly available sources like
> phishtank, malwaredomains.com. Ironically, they don't need to be regexes
> - but squid only has a "url_regex" acl type - so regex it is (can't use
> dstdomain because we want to block "http://good.site/bad.url" - not all
> of "good.site")
> 

But you do want to block all of http://good.site/bad\.url.* right?

Otherwise the malware can get around the protection trivially just by
adding a meaningless suffix to it.

With all the scraping are you also filtering for duplicates and reducing
multiple URLs in one domain down to fewer entries?

Amos



[squid-users] How large cacheable object with Rock store now?

2016-01-07 Thread Yuri Voinov

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
Hi gents,

does anybody know:

How large can a cacheable object be with the Rock store now?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBCAAGBQJWjuLkAAoJENNXIZxhPexG3CEH/3EM1sVFvDa8LV40AG4FWT5H
64hTdbdI2Kahfb4DpfW820+aTQNzYAvGsDsHT+yVnLDBu5A95/JaQx/Nd1teACEP
EtsYcZjoGB90E1MvVAoYQIC0RA0wH69+yuUrIOqApPwJ4Q0LjDXVx6+bB7WqGiLF
ts4cc1C/0+peFFDvFHSDIHfS8iLd4R1w6lQeQ+JP9YntH/HVRvnwa0cTqiECTz2K
gEqyon2+oHYzXyDv+ToO8WtUCYhVdi8qWGZ0HOJ+P+Zg4S4B/mhA+oO3U0bSFeak
9vTYc0WkG1l8kzz/aqBFxcdaEQ1DUFPEMRAIT0zzkQ2M0+Ae8f/dgQ8rMdtrG74=
=XLnZ
-END PGP SIGNATURE-



Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Jason Haar
On 08/01/16 01:56, Marcus Kool wrote:
> Can you explain what the huge number of regexes is used for ? 
Malware URLs. I'm scraping them from publicly available sources like
phishtank, malwaredomains.com. Ironically, they don't need to be regexes
- but squid only has a "url_regex" acl type - so regex it is (can't use
dstdomain because we want to block "http://good.site/bad.url" - not all
of "good.site")

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

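Both halves of this exchange, Jason's scraped URL lists that have to become url_regex entries and Amos's advice to escape and anchor each URL and to reduce many URLs under one domain to fewer entries, can be done mechanically. The following is an added Python example, not code from the thread or from Squid; the feed contents are constructed, and the per-host threshold at which a host is moved from url_regex to dstdomain is this example's own choice.

```python
"""Turn a scraped feed of malicious URLs into Squid ACL entries.

Added example; not code from this thread or from Squid. It does what
Amos asks for: each URL is regex-escaped and anchored at the start with
an open-ended suffix, so "http://good.site/bad.url" still matches when
junk is appended but "bad.url" does not match "badxurl"; duplicates are
collapsed; and hosts with many entries are moved to a dstdomain list
instead of many url_regex lines (the threshold is this example's choice).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed: exact and case-variant duplicates, several
# URLs under one host, and a blank line, as scraped feeds tend to have.
SAMPLE_FEED = """
http://good.site/bad.url
http://good.site/bad.url
HTTP://Good.Site/bad.url?x=1
http://good.site/other/drop.php
http://evil.example/a
http://evil.example/b
http://evil.example/c
http://evil.example/d
"""


def normalise(url):
    """Lower-case scheme and host (the case-insensitive parts of a URL)
    and keep path and query exactly as published. None for junk lines."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme.lower(), parts.netloc.lower(), path


def url_to_regex(scheme, host, path):
    """One url_regex entry: anchored, fully escaped, any suffix allowed."""
    return "^" + re.escape(f"{scheme}://{host}{path}") + ".*"


def build_rules(feed, per_host_limit=3):
    """Return (url_regex entries, dstdomain entries). A host with more
    than per_host_limit distinct URLs is blocked as a whole domain."""
    by_host = defaultdict(set)
    for line in feed.splitlines():
        n = normalise(line)
        if n:
            by_host[n[1]].add(n)
    regexes, domains = [], []
    for host in sorted(by_host):
        entries = sorted(by_host[host])
        if len(entries) > per_host_limit:
            domains.append(host)
        else:
            regexes.extend(url_to_regex(*e) for e in entries)
    return regexes, domains


def matches(regexes, url):
    """Would any generated url_regex entry block this request URL?"""
    n = normalise(url)
    if n is None:
        return False
    target = f"{n[0]}://{n[1]}{n[2]}"
    return any(re.match(r, target) for r in regexes)


if __name__ == "__main__":
    rx, dom = build_rules(SAMPLE_FEED)
    print("\n".join(rx))          # contents for the url_regex list file
    print("\n".join(dom))         # contents for the dstdomain list file
```

The generated entries are written for Squid's url_regex ACL, which matches against the whole requested URL; if a feed mixes case in hostnames, the ACL's `-i` flag makes the match case-insensitive. The dstdomain list collects hosts with so many entries that blocking the whole host is cheaper than one regex per URL, which is the reduction Amos asks about.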


Re: [squid-users] Queries on safe_ports

2016-01-07 Thread Amos Jeffries
On 8/01/2016 4:32 a.m., Anonymous cross wrote:
> Hi All,
> 
> I have basic queries on a usage of safe and SSL_ports in squid.
> 
> Since squid proxies only HTTP packets then why do we need to add different
> protocols in safe ports?

Some protocols, particularly the older text-based ones that ports 0-1024
were registered for, can be smuggled through as crafted HTTP headers or
payload. Allowing clients to request proxying to them causes dangerous
problems.

> 
> Our box is configured to redirect only port 80 packets to 3129? Do we need
> to have safe and SSL ports in such a case?

Yes. The ACLs are not about what ports are used to contact Squid but
what ports are permitted to be used in the URLs served by Squid.

> 
> I am trying to understand the need for safe ports in SQUID proxy. Because I
> don't see any use-case for this.



Amos

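To make Amos's point concrete, here is an added Python example (not code from the thread or from Squid) that mirrors the port ACLs of the stock squid.conf and applies the two standard http_access rules to a request; the request URLs are constructed. The port Squid listens on (3129 in the question) appears nowhere in the decision; only the port of the URL being requested does.

```python
"""Why Safe_ports and SSL_ports are about the URL, not the listening port.

Added example; not code from this thread or from Squid. The port sets
mirror the ACLs of the stock squid.conf and http_access() applies the two
standard rules in their usual order:

    acl SSL_ports port 443
    acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

Nothing here looks at the port Squid listens on (3129 in the question);
the port is taken from the URL the client asks the proxy to fetch.
The request examples in __main__ are constructed.
"""
from urllib.parse import urlsplit

SSL_PORTS = {443}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
# Scheme defaults used when the URL carries no explicit port.
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}


def url_port(method, url):
    """The port a request is really for. CONNECT carries host:port;
    every other method carries a URL whose port defaults from its scheme."""
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return int(port)
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"no default port for scheme {scheme!r}")
    return DEFAULT_PORT[scheme]


def http_access(method, url):
    """('deny', rule) when one of the two port rules fires, otherwise
    ('continue', None): the remaining http_access lines then decide."""
    port = url_port(method, url)
    if port not in SAFE_PORTS:
        return "deny", "!Safe_ports"
    if method == "CONNECT" and port not in SSL_PORTS:
        return "deny", "CONNECT !SSL_ports"
    return "continue", None


if __name__ == "__main__":
    # All of these arrive on the same proxy port; only the URL differs.
    for method, url in [("GET", "http://example.test/"),
                        ("GET", "http://example.test:25/"),
                        ("CONNECT", "example.test:443"),
                        ("CONNECT", "example.test:8080")]:
        print(f"{method:7} {url:28} -> {http_access(method, url)}")
```

The rules are evaluated the way Squid evaluates http_access, first match wins, so the order of the two deny lines matters: a CONNECT to port 22 is already stopped by `!Safe_ports` before the SSL_ports rule is consulted, while a CONNECT to port 8080 passes Safe_ports and is then stopped by `CONNECT !SSL_ports`.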


[squid-users] Queries on safe_ports

2016-01-07 Thread Anonymous cross
Hi All,

I have basic queries on a usage of safe and SSL_ports in squid.

Since squid proxies only HTTP packets then why do we need to add different
protocols in safe ports?


Our box is configured to redirect only port 80 packets to 3129. Do we need
to have safe and SSL ports in such a case?

I am trying to understand the need for safe ports in the SQUID proxy, because I
don't see any use-case for this.

- Kay


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-07 Thread Fabio Bucci
Hi Amos,
just configured squid.conf as:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/myproxy.domain
auth_param negotiate children 100
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth

but it doesn't work: the browser shows me a credentials popup, and even
if I enter them it asks me again.

Thanks,
Fabio

2015-12-31 6:30 GMT+01:00 Amos Jeffries :
> On 2015-12-31 03:42, Fabio Bucci wrote:
>>
>> Could you help me in kerberos configuration only? I don't want a fallback
>
>
> That should be blindingly obvious ... just use the Kerberos helper directly
> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
> helper parts.
>
> Amos
>
>
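Louis's reply further down this page (in the machine-account thread) lists what has to be right for Negotiate/Kerberos to work with Squid: the SPN must be HTTP/fqdn with exactly that case, the keytab must be readable by Squid and by nobody else (600 root:root for /etc/krb5.keytab, 440 or 640 root:squid for a separate Squid keytab), and `klist -e -k` shows what the keytab really contains. The following added Python example (not code from the thread, from Squid or from MIT Kerberos) automates those checks; the klist output is constructed in the format quoted in the thread, and flagging DES and RC4 enctypes as legacy is this example's addition rather than something the thread says.

```python
"""Checks for a Squid Kerberos keytab, following Louis's checklist.

Added example; not code from this thread, from Squid or from MIT Kerberos.
check_spns() parses `klist -e -k` output and insists on an HTTP/fqdn
principal with exactly that case (a lower-case http/ entry is reported,
since caps matter here); check_mode() accepts only the permission modes
the thread recommends and never anything world-readable. Reporting DES
and RC4 enctypes as legacy is this example's addition, not the thread's.
The klist output below is constructed in the format quoted in the thread.
"""
import os
import re
import stat

# Constructed `klist -e -k /etc/squid/keytab.PROXY1-HTTP` output with one
# wrongly-cased principal and one legacy enctype on the right one.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/keytab.PROXY1-HTTP
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def parse_klist(text):
    """Yield (kvno, principal, realm, enctype) for every keytab entry."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def check_spns(klist_text, fqdn):
    """Findings about the HTTP service principal for this proxy host."""
    wanted = f"HTTP/{fqdn}"
    findings, have_exact = [], False
    for _, princ, _, enc in parse_klist(klist_text):
        if princ == wanted:
            have_exact = True
            if enc in LEGACY_ENCTYPES:
                findings.append(f"legacy enctype {enc} for {princ}")
        elif princ.lower() == wanted.lower():
            findings.append(f"wrong case: {princ} (clients ask for {wanted})")
    if not have_exact:
        findings.append(f"missing {wanted}")
    return findings


def check_mode(st_mode, allowed=(0o600, 0o440, 0o640)):
    """Permission bits only. 600 root:root is the thread's setting for
    /etc/krb5.keytab; 440 or 640 root:squid for a separate Squid keytab."""
    bits = stat.S_IMODE(st_mode)
    if bits & stat.S_IRWXO:
        return f"world-accessible mode {oct(bits)}"
    if bits not in allowed:
        return f"unexpected mode {oct(bits)}"
    return None


def audit_keytab(path, fqdn, klist_text):
    """Run both checks against a real file plus captured klist output."""
    findings = check_spns(klist_text, fqdn)
    problem = check_mode(os.stat(path).st_mode)
    if problem:
        findings.append(f"{path}: {problem}")
    return findings


if __name__ == "__main__":
    for f in check_spns(SAMPLE_KLIST, "host.internal.domain.tld"):
        print("finding:", f)
```

On a real proxy, `audit_keytab()` takes the path of the keytab named in KRB5_KTNAME together with the captured output of `klist -e -k` on that file; an empty result means the SPN is present with the right case and the file mode is one of the recommended ones.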


Re: [squid-users] Squid 3.5.12 RPMs update for CentOS 7.

2016-01-07 Thread Eliezer Croitoru
I have just updated the CentOS 7 build due to an error in the build
process of the RPM auto dependencies identification.


Details:
When the Red Hat rpm build tools set the dependencies for a script, they
set the "shebang" binary location as a static dependency requirement.
In this specific case, when squid is being configured it fills the PERL
variable with "/bin/perl", which is a hard link to "/usr/bin/perl".
This results in a situation in which perl cannot be upgraded, since as
part of the update path it supplies only "/usr/bin/perl"; therefore
the RPM tools identify an issue in this situation and won't allow the
squid-helpers package to be updated.

The fix is to statically declare the PERL variable in the build environment.

Currently 3.5.12-2 for CentOS 7 fixes this issue.

Eliezer

On 21/12/2015 12:57, Eliezer Croitoru wrote:
> Published at: http://www1.ngtech.co.il/wpe/?p=166
>
> I am happy to release the new RPMs of squid 3.5.12 for CentOS 6 64bit,
> 32bit and CentOS 7 64bit.
>
> The new release includes a couple of bug fixes and improvements.
> I have also taken the time to build the latest beta 4.0.3 RPM for CentOS 7.
> The details about the RPMs repository are at
> squid-wiki[http://wiki.squid-cache.org/KnowledgeBase/CentOS].




Re: [squid-users] problem with squidGuard redirect page after upgrading squid

2016-01-07 Thread Marcus Kool



On 01/07/2016 12:31 AM, Jason Haar wrote:
> On 06/01/16 00:04, Amos Jeffries wrote:
>> Yes. Squid always has been able to, given enough RAM. Squid stores most
>> ACLs in memory as Splay trees, so entries are sorted by frequency of use,
>> which is dynamically adapted over time. Regexes are pre-parsed and
>> aggregated together for reduced matching instead of re-interpreted and
>> parsed per-request.
>
> Great to hear. I've got some 600,000+ domain lists (ie dstdomain) and
> 60,000+ url lists (ie url_regex) acls, and there are a couple of
> "gotchas" I've picked up during testing

Squid has regex optimisation that was donated by me and is essentially a
copy of what was already working for a long time in ufdbGuard.
Regexes are unlimited by the POSIX standard, so you can have an
"unlimited" (limited by hardware resources) number of regexes.

> 1. at startup squid reports "WARNING: there are more than 100 regular
> expressions. Consider using less REs". Is that now legacy and ignorable?
> (should that be removed?). Obviously I have over 60,000 REs
> 2. making any change to squid and restarting/reconfiguring it now means
> I'm seeing a 12sec outage as squid reads those acls off SSD
> drives/parses them/etc. With squidguard that outage is hidden because
> squidguard uses indexed files instead of the raw files and that
> parsing/etc can be done offline. That behavioral change is pretty
> dramatic: making a minor, unrelated change to squid now involves a
> 10+sec outage (instead of <1sec). I'd say "outsourcing" this kind of
> function to another process (such as url_rewriter or ICAP) still has
> its advantages ;-)

ufdbGuard is 98% compatible with squidGuard, and is free open source
software with regular updates.
ufdbGuard is also very fast due to a new database format optimised
for URLs.

As with squidGuard, when a new config is loaded by ufdbGuard, the web proxy
keeps on working without any interruption for the end user.

Can you explain what the huge number of regexes is used for?

Marcus


Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-07 Thread L . P . H . van Belle
Hi,

First, what's your OS/squid and samba version? Handy to know.

And post your smb.conf please.

Few things to check.

/etc/krb5.keytab should have rights 600 (root:root)

Run: klist -e -k /etc/krb5.keytab and post the output.

Your SPN for squid must be HTTP/fqdn
And not http/fqdn. CAPS do matter here.

Put the HTTP/fqdn SPN in a separate file and put it in the squid dir.
Chown and chmod it root:squid-user 440

Add it in your squid init script (for debian I added it in /etc/default/squid
(squid for 3.5.12) (squid3 for 3.4.8)):

KRB5_KTNAME=/etc/squid/keytab.PROXY1-HTTP
export KRB5_KTNAME

The squid keytab should be like (manually added on a different user in the AD,
a special user for squid services.):

KVNO Principal
---- ---
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)

This is my default ( /etc/krb5.keytab ) (from the join of samba.)
   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 host/host.internal.domain.tld@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)
   1 host/host@YOUR_REALM (des-cbc-crc)
   1 host/host@YOUR_REALM (des-cbc-md5)
   1 host/host@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (arcfour-hmac)
   1 HOST$@YOUR_REALM (des-cbc-crc)
   1 HOST$@YOUR_REALM (des-cbc-md5)
   1 HOST$@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (arcfour-hmac)

The needed krb5.conf

cat /etc/krb5.conf
[libdefaults]
    default_realm = YOUR_REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Install ntp and point it to your AD so time is always in sync.

Now you have 2 options to set up, and you choose based on your SPN setup.

Separate keytab for squid HTTP service.
Use:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/host.internal.domain.tld@YOUR_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

Or with everything in one keytab file, and make sure squid can read this keytab
file, 640 root:squid !! :

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I have a setup with a separate keytab file; I tested the above and these work.
( tested on debian jessie, samba 4.1, squid 3.4.8, 3.5.10 and 3.5.12. )

Above I told about how I did the setup.
A big advantage with the squid-service user: you can add all your squid
hosts/services in that user.
I have 1 user for this and 3 proxy servers.

So where did you go wrong?

> net ads keytab add HTTP

And rights on the /etc/krb5.keytab file are the first things to check.

Optionally, start the auth program on the command line, with debugging enabled.

Greetz,

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> LYMN
> Sent: Thursday 7 January 2016 5:23
> To: squid-us...@squid-cache.org
> Subject: [squid-users] kerberos authentication with a machine account
> doesn't work
> 
> 
> Hi,
> 
> We have been using kerberos authentication against Active Directory here
> for a long time by using a SPN attached to a user account and exporting
> the keytab.  The issue we have is that security policy mandates that
> the password on the user account be changed which means we have to go
> and regenerate keytabs every time this happens.  Not exactly difficult
> but tedious nonetheless.
> 
> To avoid the password change I thought it may be an idea to use the
> machine account and add a SPN (http/fqdn.is.here) to that.  I added:
> 
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> 
> to the smb.conf so samba will manage the keytab for me then did:
> 
> net ads join
> net ads keytab add http
> 
> klist -k shows me the principals that should be there and AD agrees they
> exist.  I can get a TGT using:
> 
> kinit -k
> 
> without error (setting the UPN to host/fqdn.is.here@KERBEROS.REALM may
> have helped this).  Doing a
> 
> kinit -kS http/fqdn.is.here
> 
> works without error too.  So, I think kerberos is ok but with a squid
> 3.5.12 configured with negotiate_kerberos_auth I see the dreaded