[squid-users] host header forgery false positives

2016-01-11 Thread Jason Haar
Hi there

I am finding squid-3.5.13 is false positive-ing on ssl-bump way too
often. I'm just using "peek-and-splice" on intercepted port 443 to
create better squid logfiles (ie I'm not actually bump-ing) but that
enables enough of the code to cause the Host forgery code to kick in -
but it doesn't work well in a real network

As you can see below, here's a handful of sites that we're seeing this
trigger on, and as it's my home network I can guarantee there's no odd
DNS setups or forgery going on. This is just real-world websites doing
what they do (ie are totally outside our control or influence)

I don't know how the forgery-checking code works, but I guess what's
happened is the DNS lookups the squid server does don't contain the
same IP addresses the client resolved the same DNS name to. I must say
that is odd because all our home computers use the squid server as their
DNS server - just as the squid service does - so there shouldn't be any
such conflict - but I imagine caching could be to blame (maybe the
clients cache old values for longer/shorter timeframes than squid does).

This is a bit of a show-stopper to ever using bump: having perfectly
good websites being unavailable really isn't an option (in the case of
"peek-and-splice" over intercepted they seem to hang forever when this
error occurs). Perhaps an option to change its behaviour would be
better? eg enable/disable and maybe "ignore client and use the IP
addresses squid thinks are best" could work?


Jason


2016/01/12 06:04:10.303 kid1| SECURITY ALERT: Host header forgery
detected on local=121.254.166.35:443 remote=192.168.0.8:55203 FD 95
flags=33 (local IP does not match any domain IP)
2016/01/12 06:04:10.303 kid1| SECURITY ALERT: on URL: nydus.battle.net:443
2016/01/12 06:11:47.146 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.112.120:443 remote=192.168.0.8:56072 FD 273
flags=33 (local IP does not match any domain IP)
2016/01/12 06:11:47.146 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 06:14:24.125 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.2.145:443 remote=192.168.0.8:56304 FD 286
flags=33 (local IP does not match any domain IP)
2016/01/12 06:14:24.125 kid1| SECURITY ALERT: on URL:
adzerk-www.s3.amazonaws.com:443
2016/01/12 06:14:24.125 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.2.145:443 remote=192.168.0.8:56305 FD 287
flags=33 (local IP does not match any domain IP)
2016/01/12 06:14:24.125 kid1| SECURITY ALERT: on URL:
adzerk-www.s3.amazonaws.com:443
2016/01/12 06:37:52.737 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.114.114:443 remote=192.168.0.8:58411 FD 309
flags=33 (local IP does not match any domain IP)
2016/01/12 06:37:52.737 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 06:37:57.127 kid1| SECURITY ALERT: Host header forgery
detected on local=23.21.91.58:443 remote=192.168.0.8:58421 FD 298
flags=33 (local IP does not match any domain IP)
2016/01/12 06:37:57.127 kid1| SECURITY ALERT: on URL:
pixel.redditmedia.com:443
2016/01/12 06:37:58.158 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.49.32:443 remote=192.168.0.8:58422 FD 299
flags=33 (local IP does not match any domain IP)
2016/01/12 06:37:58.158 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 07:59:46.480 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.82.178:443 remote=192.168.0.8:64203 FD 17
flags=33 (local IP does not match any domain IP)
2016/01/12 07:59:46.480 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 10:42:07.376 kid1| SECURITY ALERT: Host header forgery
detected on local=192.30.252.129:443 remote=192.168.0.7:50212 FD 13
flags=33 (local IP does not match any domain IP)
2016/01/12 10:42:07.376 kid1| SECURITY ALERT: on URL: github.com:443
2016/01/12 10:49:52.696 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.13.169:443 remote=192.168.0.7:40358 FD 21
flags=33 (local IP does not match any domain IP)
2016/01/12 10:49:52.696 kid1| SECURITY ALERT: on URL:
adzerk-www.s3.amazonaws.com:443
2016/01/12 12:19:00.374 kid1| SECURITY ALERT: Host header forgery
detected on local=54.149.175.172:443 remote=192.168.0.7:57686 FD 53
flags=33 (local IP does not match any domain IP)
2016/01/12 12:19:00.374 kid1| SECURITY ALERT: on URL:
shavar.services.mozilla.com:443
2016/01/12 12:38:33.666 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.114.60:443 remote=192.168.0.7:60694 FD 240
flags=33 (local IP does not match any domain IP)
2016/01/12 12:38:33.666 kid1| SECURITY ALERT: on URL: s3.amazonaws.com:443
2016/01/12 12:45:24.356 kid1| SECURITY ALERT: Host header forgery
detected on local=52.35.143.137:443 remote=192.168.0.7:53313 FD 54
flags=33 (local IP does not match any domain IP)
2016/01/12 12:45:24.356 kid1| SECURITY ALERT: on URL:
events.redditmedia.com:443
2016/01/12 12:45:30.568 kid1| SECURITY ALERT: Host he
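The check behind these alerts compares the intercepted connection's original destination address with the addresses Squid itself resolved for the name in the TLS SNI / Host header; a destination outside that set is reported as "local IP does not match any domain IP". The script below is an added example (not code from this thread or from Squid) that parses the two-line alert records as pasted above, groups them per host, and re-runs that membership test against a resolver answer so the mismatches can be inspected. The resolver answers in `CONSTRUCTED_DNS` are constructed for the example; a real triage script would query the resolver Squid uses.

```python
"""Triage of Squid "Host header forgery detected" alerts.

Added example: not code from the thread or from Squid. It parses the
two-line SECURITY ALERT records Squid writes to cache.log, groups them by the
name taken from the TLS SNI / Host header, and re-runs the membership test
the alert names ("local IP does not match any domain IP") against a resolver
answer, so you can see which intercepted destinations were outside the set
Squid resolved. The resolver answers are constructed; a real triage script
would query the same resolver Squid uses.
"""
import ipaddress
import re
from collections import defaultdict

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ")
ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):\d+ "
    r"remote=(?P<remote>[\d.]+):\d+ FD \d+ flags=\d+ \((?P<reason>[^)]*)\)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^\s:]+):(?P<port>\d+)")

# Constructed sample built from three of the alerts quoted in the thread,
# kept wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
2016/01/12 06:11:47.146 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.112.120:443 remote=192.168.0.8:56072 FD 273
flags=33 (local IP does not match any domain IP)
2016/01/12 06:11:47.146 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 06:37:52.737 kid1| SECURITY ALERT: Host header forgery
detected on local=54.231.114.114:443 remote=192.168.0.8:58411 FD 309
flags=33 (local IP does not match any domain IP)
2016/01/12 06:37:52.737 kid1| SECURITY ALERT: on URL:
redditstatic.s3.amazonaws.com:443
2016/01/12 10:42:07.376 kid1| SECURITY ALERT: Host header forgery
detected on local=192.30.252.129:443 remote=192.168.0.7:50212 FD 13
flags=33 (local IP does not match any domain IP)
2016/01/12 10:42:07.376 kid1| SECURITY ALERT: on URL: github.com:443
"""

# Constructed resolver answers: one name served from a large rotating CDN
# pool (Squid's answer is only a slice of it) and one name with a stable address.
CONSTRUCTED_DNS = {
    "redditstatic.s3.amazonaws.com": {"54.231.114.114", "54.231.49.32"},
    "github.com": {"192.30.252.129"},
}


def unwrap(text):
    """Re-join records wrapped onto continuation lines; a real cache.log has
    one record per line, each starting with a timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_alerts(text):
    """Pair each 'forgery detected' record with the 'on URL:' record that
    follows it. Returns dicts with local, remote, reason, host, port."""
    alerts, pending = [], None
    for rec in unwrap(text):
        m = ALERT_RE.search(rec)
        if m:
            pending = m.groupdict()
            continue
        u = URL_RE.search(rec)
        if u and pending is not None:
            pending["host"] = u.group("host")
            pending["port"] = int(u.group("port"))
            alerts.append(pending)
            pending = None
    return alerts


def group_by_host(alerts):
    """host -> set of intercepted destination IPs that tripped the check."""
    out = defaultdict(set)
    for a in alerts:
        out[a["host"]].add(a["local"])
    return dict(out)


def squid_style_check(local_ip, resolved_ips):
    """The test behind the alert: the connection's original destination must
    be one of the addresses Squid itself resolved for the name. True = pass."""
    local = ipaddress.ip_address(local_ip)
    return any(local == ipaddress.ip_address(ip) for ip in resolved_ips)


def triage(text, dns):
    """For each alerted host, list the intercepted destinations that were not
    in the resolver answer. A CDN name with many addresses will show entries
    here even when nothing is forged; a single-address name that still shows
    up deserves a closer look."""
    report = {}
    for host, locals_ in group_by_host(parse_alerts(text)).items():
        answer = dns.get(host, set())
        report[host] = sorted(ip for ip in locals_ if not squid_style_check(ip, answer))
    return report


if __name__ == "__main__":
    for host, missing in triage(SAMPLE_LOG, CONSTRUCTED_DNS).items():
        print(f"{host}: {len(missing)} destination(s) outside resolver answer {missing}")
```

Run against the constructed data, the S3 name shows one destination outside the resolver answer while github.com shows none, which is the pattern that distinguishes round-robin/CDN drift from a destination that really disagrees with DNS.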

[squid-users] cache_mem differs from output in mgr:config

2016-01-11 Thread XUFENG
My squid's cache_mem in squid.conf differs from output in mgr:config.

[root@squid-cache ~]# /usr/local/squid/bin/squidclient -h 127.0.0.1 -p 80 -w 
aa  mgr:config |grep cache_mem
Sending HTTP request ... done.
cache_mem 0 bytes

[root@squid-cache ~]#  /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.4.14
configure options:  '--prefix=/usr/local/squid' '--disable-icap-client' 
'--disable-wccp' '--disable-wccpv2' '--disable-htcp' '--disable-ident-lookups' 
'--disable-auto-locale' --enable-ltdl-convenience
[root@squid-cache ~]# cat /usr/local/squid/etc/squid.conf
unique_hostname squid-cache.xufeng.info
visible_hostname squid-cache.xufeng.info
http_port 80 accel
cache_mem 4096 MB
cache_dir ufs /app/cache 8096 32 5120
cache_log /usr/local/squid/var/logs/cache.log
access_log /usr/local/squid/var/logs/access.log
acl PURGE method PURGE
cachemgr_passwd aa config reconfigure shutdown
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
cache_mgr xufeng...@163.com
cache_effective_user squid
cache_effective_group squid
cache_peer 10.1.6.38 parent 80 0 no-query originserver round-robin 
name=server_xufeng_info
acl sites_xufeng_info dstdomain .xufeng.info
cache_peer_access server_xufeng_info allow sites_xufeng_info

[root@squid-cache ~]# cat /etc/issue
CentOS release 5.11 (Final)
Kernel \r on an \m

[root@squid-cache ~]# uname -a
Linux squid-cache.xufeng.info 2.6.18-407.el5 #1 SMP Wed Nov 11 08:12:41 EST 
2015 x86_64 x86_64 x86_64 GNU/Linux

Anything wrong? 
Thank you for your help.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] guideline on limiting users per IP

2016-01-11 Thread Amos Jeffries
On 12/01/2016 7:54 a.m., 3 wrote:
> 
> The version on Debian is 3.5.12 but still max_user_ip does not work at
> all and squid in verbose mode does not reject it but goes through it
> correctly, so I'm a bit confused. The authentication is against AD win 2008.
> 
> I will send more details later on, but if somebody could confirm
> the compatibility between the version and the max_user_ip / AD
> authentication.

All versions of Squid since 2.4 support the max_user_ip ACL.

It does only apply to username based authentication (eg Basic) though.
Token based authentication, particularly ones where the token changes
per TCP connection (eg NTLM, Kerberos) or per message (eg Digest) do not.

Amos

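To make concrete what the reply says about max_user_ip, here is an added example (not Squid's implementation) of the bookkeeping the ACL relies on: a table of addresses per authenticated username, aged by `authenticate_ip_ttl`, with the `-s` (strict) option changing what happens once the limit is crossed. Because the table is keyed on the username, the ACL has nothing to count against unless the scheme gives Squid a stable username per request, which is the point made about Basic versus token-based schemes. The non-strict behaviour is modelled on the squid.conf documentation (deny the request that crosses the limit and start counting again); usernames, addresses and times are constructed, and the clock is injectable so the TTL can be exercised.

```python
"""Model of the max_user_ip ACL's per-user IP table.

Added example, not Squid's implementation. The table is keyed on the
authenticated username, which is why the ACL only applies to schemes that
give Squid a stable username per request. authenticate_ip_ttl and the ACL's
-s (strict) option are real squid.conf settings; non-strict mode is modelled
on the squid.conf documentation (deny the crossing request, reset the count).
Usernames, addresses and times below are constructed.
"""
import time


class MaxUserIp:
    def __init__(self, limit, ttl_seconds, strict=False, clock=time.monotonic):
        self.limit = limit          # "acl <name> max_user_ip [-s] <limit>"
        self.ttl = ttl_seconds      # "authenticate_ip_ttl"
        self.strict = strict
        self.clock = clock
        self.table = {}             # username -> {ip: last seen}

    def _live_ips(self, user, now):
        """Drop addresses the user has not been seen from within the TTL."""
        ips = self.table.setdefault(user, {})
        for ip, seen in list(ips.items()):
            if now - seen > self.ttl:
                del ips[ip]
        return ips

    def matches(self, user, ip):
        """True when the ACL matches, i.e. when 'http_access deny <acl>'
        would refuse this request."""
        now = self.clock()
        ips = self._live_ips(user, now)
        if ip in ips:
            ips[ip] = now
            return False
        if len(ips) >= self.limit:
            if not self.strict:
                ips.clear()         # non-strict: reset and keep counting
                ips[ip] = now
            return True             # strict: refuse until an entry expires
        ips[ip] = now
        return False


def walk_through(strict):
    """One username seen from five addresses with limit=2, ttl=60s."""
    t = [0.0]
    acl = MaxUserIp(limit=2, ttl_seconds=60, strict=strict, clock=lambda: t[0])
    seen = [acl.matches("alice", "10.0.0.1"),      # first address: allowed
            acl.matches("alice", "10.0.0.2"),      # second address: allowed
            acl.matches("alice", "10.0.0.3")]      # third: over the limit, denied
    seen.append(acl.matches("alice", "10.0.0.4"))  # strict: still denied; non-strict: count restarted
    t[0] = 120.0                                   # everything seen at t=0 has aged out
    seen.append(acl.matches("alice", "10.0.0.5"))  # allowed again in both modes
    return seen


if __name__ == "__main__":
    print("strict    :", walk_through(True))
    print("non-strict:", walk_through(False))
```

The walk-through shows why a verbose log can look like the ACL "goes through": unless the same username is seen from more addresses than the limit inside the TTL window, the ACL never matches, and with a scheme that yields no stable username there is nothing to count.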


Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-11 Thread LYMN
On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
> On 11/01/2016 2:48 p.m., LYMN wrote:
> >
> > I did manage to get this working, you did mention the correct solution
> > right down the end of your message.
> > 
> 
> Correct for you yes. That can happen when making half-blind guesses at
> what the problem actually is based on partial information. It might have
> been any of the issues mentioned or any of the solutions mentioned.
> Others in future may find differently depending on what they have mucked
> up or played around with before asking.
> 

Yes, correct for me.  It indeed could be one or more of the suggestions
that were made.  Kerberos errors are such fun to debug made more so by
multiple problems causing the same error message.  I have had a
situation where I had a few different problems and it wasn't until I had
sorted them all that the error message went away but it is so unsettling
to get the same error after you have made a change that you are sure
makes things correct.

> > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
> >> Hai, 
> >>  
> >>
> >> Few things to check. 
> >>
> >> /etc/krb5.keytab should have rights 600 (root:root) 
> >>
> > 
> > And this was the problem but it should not, in my case, be as you
> > stated. In fact, /etc/krb5.keytab needed to have rights 640 with
> > ownership root:nobody.  This is because the kerberos authenticator runs
> > as the user nobody and needs access to the keytab.  I am not so sure I
> > like this situation because this does mean the nobody user now has
> > access to the machine kerberos keys not just the ones for the http SPN.
> 
> "nobody" is the default low-privileged user account unless you build
> Squid with the --with-default-user=X - in which case it will default to
> the "X" account.
> 
> You can also configure "cache_effective_user X" in squid.conf to
> override the default if your Squid was built with one you don't want to use.
> 

Yes.  I think you have clarified the point that I was trying to make
which was the user/group used may depend on your configuration or squid
build.

-- 
Brett Lymn

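The keytab permission question in this thread comes down to one rule: the helper account must be able to read the file and no other unprivileged account should. The script below is an added example (not from the thread or from Squid) that encodes the two layouts discussed, 0600 root:root, which a helper running as "nobody" cannot read, and 0640 root:<helper group>, which it can, and reports anything looser. The helper account is whatever `cache_effective_user` or the build's `--with-default-user` names; "nobody" is the default mentioned above, and the group names used in the demonstration are constructed.

```python
"""Permission check for a Kerberos keytab used by the Squid negotiate helper.

Added example, not from the thread or from Squid. It encodes the two layouts
the thread discusses: 0600 root:root (helper cannot read it) and 0640
root:<helper group> (helper can read it, nothing else can). The helper
account is whatever cache_effective_user / --with-default-user gives you;
"nobody" is the default named in the thread. Group names are constructed.
"""
import grp
import os
import pwd
import stat


def assess_keytab(mode, owner, group, helper_user, helper_group):
    """Return findings for a keytab with the given mode bits and ownership.
    An empty list means: the helper can read it and nobody else can."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IRWXO:
        findings.append("world-accessible: every local account can read the keys")
    if perm & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has write/execute; the helper only needs read")
    readable = (
        (owner == helper_user and perm & stat.S_IRUSR)
        or (group == helper_group and perm & stat.S_IRGRP)
        or perm & stat.S_IROTH
    )
    if not readable:
        findings.append(f"helper account {helper_user!r} cannot read the keytab")
    if owner != "root":
        findings.append("keytab should stay owned by root; grant the helper read via the group bit")
    return findings


def check_keytab_file(path, helper_user="nobody"):
    """Read the real ownership and mode from the filesystem and assess them.
    The helper's primary group is looked up from the password database."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    helper_group = grp.getgrgid(pwd.getpwnam(helper_user).pw_gid).gr_name
    return assess_keytab(st.st_mode, owner, group, helper_user, helper_group)


if __name__ == "__main__":
    # The two layouts from the thread, plus a world-readable one for contrast.
    for label, mode, owner, group in [
        ("0600 root:root  ", 0o600, "root", "root"),
        ("0640 root:nobody", 0o640, "root", "nobody"),
        ("0644 root:root  ", 0o644, "root", "root"),
    ]:
        print(label, assess_keytab(mode, owner, group, "nobody", "nobody") or "ok")
```

The check says nothing about what the keytab contains. The concern raised above, that the helper account ends up with the host's other keys and not just the HTTP service principal's, is addressed separately, by exporting only the HTTP/ principal into the keytab Squid is pointed at rather than sharing the system keytab.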


[squid-users] guideline on limiting users per IP

2016-01-11 Thread 3@D4rkn3ss DuMb
Dear all,

I hope you are all doing fine! I know that this question has already been
asked multiple times, and I already checked the logs (old mailing list) but
I didn't find my answers there ... By the way, I am suspecting that this
might have something to do with the squid version itself.

In fact, I am running squid on two different servers: CentOS 6 and Debian
sid (testing)! I implemented the last one as a backup, but I would like to
perform a hot swap now since the version in CentOS does not support the
max_user_ip policy.

The version on Debian is 3.5.12 but still max_user_ip does not work at
all and squid in verbose mode does not reject it but goes through it
correctly, so I'm a bit confused. The authentication is against AD win 2008.

I will send more details later on, but if somebody could confirm
the compatibility between the version and the max_user_ip / AD
authentication.

Thank you in advance,

Ken


Re: [squid-users] MS Update

2016-01-11 Thread Amos Jeffries
On 11/01/2016 11:18 p.m., Alex Samad wrote:
> Hi
> 
> On 11 January 2016 at 18:54, Amos Jeffries  wrote:
>>> guessing I have to bump up the 200M max to 800mb.
>>
>> Maybe. But IMHO use the ACLs that range_offset_limit can take.
> 
> you're suggesting to limit the offset limit to just the windows update sites

Just the site(s), or may even just the URLs where service packs are put.
The /svcpk/ part of the URL looks interesting in that way, though you
would need to research.

> 
>>
>>> are the other values still okay ?
>>
>> Yes.
> 
> so if I bump it up to 800Mb it will start to work okay again ?

"work okay" is a matter of perspective and bandwidth. It will enable the
larger items to cache and HIT. But you will still spend more bandwidth
than you might like.

> 
> so using http://wiki.squid-cache.org/SquidFaq/WindowsUpdate which i
> used to get the rules
> the special way to make this work is
> 
> turn off all the client pc. then do a single download of the file -
> this will place all of it in the cache
> 
> then I can turn the other clients back on ..
> 

Yes.

But, "turn off" could be ACLs in Squid that reject the download from
everyone but you rather than going around every client machine manually
twice.

Amos


Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Amos Jeffries
On 11/01/2016 11:51 p.m., Walter H. wrote:
> 
> Ok, because of the strange thing in connection with this:
> 
> I had
> 
> http_port 3128 ... dhparam=./dhparam.pem
> 
> and before installing Kaspersky Anti-Virus there was not any error; but in
> connection with the SSL-Interception of Kaspersky Anti-Virus, I got an SSL
> error in Mozilla Firefox like "invalid server hello"
> removing dhparam=... from http_port resolves this "issue";

dhparam enables state necessary for Diffie-Hellman ciphers (DH/DHE/EDH)
to work. Without it they would be broken and not negotiated.

Amos



Re: [squid-users] NotePairs, SSL and Cert Validation memory leaks

2016-01-11 Thread Amos Jeffries
On 12/01/2016 4:12 a.m., William Lima wrote:
> Hi all,
> 
> I have identified those memory leaks in the latest version of Squid 3.5:
> 
...
> 
> Does anyone have a clue about the NotePairs leaks?

This is a users list. squid-dev is where the developers hang out.

Amos



[squid-users] 500 Unsupported "Surrogate-Capability" errors with ssl-bump.

2016-01-11 Thread Eliezer Croitoru
I have tested a couple of times with a couple of sites and it seems that they
don't like the "Surrogate-Capability" headers, especially in SSL; they
return a 500 internal error.

One url that I have tried to access is:
https://www.brighttalk.com/webcast/10903/183623?utm_campaign=webcasts-search-results-feed&utm_content=preventing+cyberattacks+in+healthcare&utm_source=brighttalk-portal&utm_medium=web

I dumped an ALL,9 and found that the only difference between the request
of squid and the original one (which works) is the "Surrogate-Capability".
I have tested more than once using curl and a couple of other clients and the
site just doesn't like to see these request headers.


I tried to look at the docs and the bugzilla but have not found a report 
on it so I will post it here.


I do not know if the issue is because they have some internal surrogates 
or their parser\policy is to deny such requests.

I have tried to use:
request_header_access Surrogate-Capability deny all

and it seems to work fine for now and also solves squid bug 4253 for
more than one site.


Eliezer


[squid-users] NotePairs, SSL and Cert Validation memory leaks

2016-01-11 Thread William Lima
Hi all,

I have identified those memory leaks in the latest version of Squid 3.5:

 128 (48 direct, 80 indirect) bytes in 1 blocks are definitely lost in loss 
record 1,875 of 3,225
at 0x4C267BB: calloc (vg_replace_malloc.c:593)
by 0x642906: xcalloc (xalloc.cc:83)
by 0x63CEB2: MemPoolMalloc::allocate() (MemPoolMalloc.cc:39)
by 0x3A59D1: NotePairs::add(char const*, char const*) (Notes.h:211)
by 0x563C63: Helper::Reply::parse(char*, unsigned long) (Reply.cc:106)
by 0x563D6E: Helper::Reply::Reply(char*, unsigned long) (Reply.cc:23)
by 0x33DC72: helperStatefulHandleRead(RefCount const&, 
char*, unsigned long, Comm::Flag, int, void*) (helper.cc:1000)
by 0x4B419F: AsyncCall::make() (AsyncCall.cc:40)
by 0x4B7862: AsyncCallQueue::fireNext() (AsyncCallQueue.cc:56)
by 0x4B7BEF: AsyncCallQueue::fire() (AsyncCallQueue.cc:42)
by 0x31CD0B: EventLoop::runOnce() (EventLoop.cc:120)
by 0x31CED7: EventLoop::run() (EventLoop.cc:82)
by 0x39088D: SquidMain(int, char**) (main.cc:1539)
by 0x391647: main (main.cc:1263)

 128 (48 direct, 80 indirect) bytes in 1 blocks are definitely lost in loss 
record 1,876 of 3,225
at 0x4C267BB: calloc (vg_replace_malloc.c:593)
by 0x642906: xcalloc (xalloc.cc:83)
by 0x63CEB2: MemPoolMalloc::allocate() (MemPoolMalloc.cc:39)
by 0x3A59D1: NotePairs::add(char const*, char const*) (Notes.h:211)
by 0x562F01: Helper::Reply::parseResponseKeys() (Reply.cc:182)
by 0x5635AA: Helper::Reply::parse(char*, unsigned long) (Reply.cc:127)
by 0x563D6E: Helper::Reply::Reply(char*, unsigned long) (Reply.cc:23)
by 0x33F178: helperHandleRead(RefCount const&, char*, 
unsigned long, Comm::Flag, int, void*) (helper.cc:817)
by 0x4B419F: AsyncCall::make() (AsyncCall.cc:40)
by 0x4B7862: AsyncCallQueue::fireNext() (AsyncCallQueue.cc:56)
by 0x4B7BEF: AsyncCallQueue::fire() (AsyncCallQueue.cc:42)
by 0x31CD0B: EventLoop::runOnce() (EventLoop.cc:120)
by 0x31CED7: EventLoop::run() (EventLoop.cc:82)
by 0x39088D: SquidMain(int, char**) (main.cc:1539)
by 0x391647: main (main.cc:1263)

 144 (96 direct, 48 indirect) bytes in 2 blocks are definitely lost in loss 
record 1,917 of 3,225
at 0x4C267BB: calloc (vg_replace_malloc.c:593)
by 0x642906: xcalloc (xalloc.cc:83)
by 0x63CEB2: MemPoolMalloc::allocate() (MemPoolMalloc.cc:39)
by 0x29AB25: cbdataInternalAlloc(int) (cbdata.cc:281)
by 0x4F9220: ssl_verify_cb(int, x509_store_ctx_st*) (CbDataList.h:37)
by 0x5B85EB1: X509_verify_cert (x509_vfy.c:349)
by 0x5843087: ssl_verify_cert_chain (ssl_cert.c:554)
by 0x58221C2: ssl3_get_server_certificate (s3_clnt.c:1161)
by 0x5824831: ssl3_connect (s3_clnt.c:334)
by 0x582D676: ssl23_connect (s23_clnt.c:776)
by 0x4ED7DB: Ssl::PeerConnector::negotiateSsl() (PeerConnector.cc:248)
by 0x4EDF9A: JobDialer::dial(AsyncCall&) 
(AsyncJobCalls.h:174)
by 0x4B419F: AsyncCall::make() (AsyncCall.cc:40)
by 0x4B7862: AsyncCallQueue::fireNext() (AsyncCallQueue.cc:56)
by 0x4B7BEF: AsyncCallQueue::fire() (AsyncCallQueue.cc:42)
by 0x31CD0B: EventLoop::runOnce() (EventLoop.cc:120)
by 0x31CED7: EventLoop::run() (EventLoop.cc:82)
by 0x39088D: SquidMain(int, char**) (main.cc:1539)
by 0x391647: main (main.cc:1263)

 192 (144 direct, 48 indirect) bytes in 3 blocks are definitely lost in loss 
record 2,046 of 3,225
at 0x4C267BB: calloc (vg_replace_malloc.c:593)
by 0x642906: xcalloc (xalloc.cc:83)
by 0x63CEB2: MemPoolMalloc::allocate() (MemPoolMalloc.cc:39)
by 0x29AB25: cbdataInternalAlloc(int) (cbdata.cc:281)
by 0x4F902A: ssl_verify_cb(int, x509_store_ctx_st*) (CbDataList.h:37)
by 0x5B865CD: X509_verify_cert (x509_vfy.c:679)
by 0x5843087: ssl_verify_cert_chain (ssl_cert.c:554)
by 0x58221C2: ssl3_get_server_certificate (s3_clnt.c:1161)
by 0x5824831: ssl3_connect (s3_clnt.c:334)
by 0x582D676: ssl23_connect (s23_clnt.c:776)
by 0x4ED7DB: Ssl::PeerConnector::negotiateSsl() (PeerConnector.cc:248)
by 0x4EDF9A: JobDialer::dial(AsyncCall&) 
(AsyncJobCalls.h:174)
by 0x4B419F: AsyncCall::make() (AsyncCall.cc:40)
by 0x4B7862: AsyncCallQueue::fireNext() (AsyncCallQueue.cc:56)
by 0x4B7BEF: AsyncCallQueue::fire() (AsyncCallQueue.cc:42)
by 0x31CD0B: EventLoop::runOnce() (EventLoop.cc:120)
by 0x31CED7: EventLoop::run() (EventLoop.cc:82)
by 0x39088D: SquidMain(int, char**) (main.cc:1539)
by 0x391647: main (main.cc:1263)

 5,000 (1,776 direct, 3,224 indirect) bytes in 37 blocks are definitely lost in 
loss record 3,060 of 3,225
at 0x4C267BB: calloc (vg_replace_malloc.c:593)
by 0x642906: xcalloc (xalloc.cc:83)
by 0x63CEB2: MemPoolMalloc::allocate() (MemPoolMalloc.cc:39)
by 0x3A5AF7: NotePairs::append(NotePairs const*) (Notes.h:211)
by 0x327345: ExternalACLEntry::update(ExternalACLEntryData const&) 
(ExternalACLEntry.cc:41)
by 0x322A3D: external_acl_cache_add(external_acl*, char const*, 
ExternalACLEntryData const

Re: [squid-users] Running configuration

2016-01-11 Thread Matus UHLAR - fantomas

On 10/01/2016 2:29 p.m., Roman Gelfand wrote:

I accidentally deleted the squid.conf while squid has been running.  The
squid is still running.  Is there a way to retrieve a running configuration?



If you can remember the cachemgr password:

 squidclient mgr:config


On 10.01.16 18:10, Amos Jeffries wrote:

NP: there may be some output bugs in the dumper and it produces a config
with a lot of default values explicitly set. So you definitely want to
clean it up manually afterwards.


I recommend copying the default squid configuration file and putting in the
parameters that are different.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Could you kindly write me what i need to post in order to review?

2016-01-11 11:53 GMT+01:00 Amos Jeffries :
> On 11/01/2016 11:26 p.m., Fabio Bucci wrote:
>> Yes of course. But i'm wondering if all the configuration are right.
>>
>
> The Squid part of it looks okay to me. The issue is somewhere in the AD,
> keytab or client setup I think.
>
> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Amos Jeffries
On 11/01/2016 11:26 p.m., Fabio Bucci wrote:
> Yes of course. But i'm wondering if all the configuration are right.
> 

The Squid part of it looks okay to me. The issue is somewhere in the AD,
keytab or client setup I think.

Amos



Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello Amos,

On Mon, January 11, 2016 11:13, Amos Jeffries wrote:
> On 11/01/2016 10:50 p.m., Walter H. wrote:
>> Hello,
>>
>> I'd restrict the client by using a less resource consuming TLS
>> encryption;
>>
>> I thought of doing just this
>>
>> e.g.
>> http_port 3128 ... cipher=3DES ...
>> (for restricting clients connecting to 3DES)
>>
>> or what would be less resource consuming?
>> AES128?
>
> Depends on the specific TLS library implementation, what other hashes
> etc are used alongside, and any crypto hardware support in the machine
> running it.
>
there is no crypto hardware support as far as I know, my squid box is just
a VM, and I guess squid (I'm using 3.4.10) is using OpenSSL as TLS
library (latest of CentOS 6)

>> the reason why I'm asking this:
>>
>> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
>> SSL-interception, and there the browsers show different Ciphersuites;
>>
>> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
>>
>> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus,
>> the
>> Anti-Virus itself uses 3DES to the proxy server?
>> (the proxy server matches another Ciphersuite to the web host)
>
> Yes it is like that. TLS is point-to-point encryption.

Ok, because of the strange thing in connection with this:

I had

http_port 3128 ... dhparam=./dhparam.pem

and before installing Kaspersky Anti-Virus there was not any error; but in
connection with the SSL-Interception of Kaspersky Anti-Virus, I got an SSL
error in Mozilla Firefox like "invalid server hello"
removing dhparam=... from http_port resolves this "issue";

Thanks,
Walter



Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Yes of course. But i'm wondering if all the configuration are right.


2016-01-11 9:43 GMT+01:00 Amos Jeffries :
> On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
>> Hi,
>> could you help me in looking for what is wrong?
>>
>
> The client / browser thinks the credentials are wrong for some reason.
>
> You need to run through all the troubleshooting checks to see if any
> reason shows up. The recent posts "kerberos authentication with a
> machine account doesn't work" might help there.
>
> Amos
>
>
>> Regards
>> Fabio
>>
>> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>>> Hi Amos,
>>> just configured squid.conf as:
>>>
>>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>>> -d -s HTTP/myproxy.domain
>>> auth_param negotiate children 100
>>> auth_param negotiate keep_alive on
>>>
>>> acl auth proxy_auth REQUIRED
>>>
>>> http_access allow auth
>>>
>>> but it doesn't work and browser requires me credentials popup and even
>>> if i put them it asks me again
>>>
>>> Thanks,
>>> Fabio
>>>
>>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>>
>>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>>
>>>>
>>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>>> helper parts.
>>>>
>>>> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Yes of course. But i'm wondering if all the configuration are right.

Thanks,
Fabio

2016-01-11 9:43 GMT+01:00 Amos Jeffries :
> On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
>> Hi,
>> could you help me in looking for what is wrong?
>>
>
> The client / browser thinks the credentials are wrong for some reason.
>
> You need to run through all the troubleshooting checks to see if any
> reason shows up. The recent posts "kerberos authentication with a
> machine account doesn't work" might help there.
>
> Amos
>
>
>> Regards
>> Fabio
>>
>> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>>> Hi Amos,
>>> just configured squid.conf as:
>>>
>>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>>> -d -s HTTP/myproxy.domain
>>> auth_param negotiate children 100
>>> auth_param negotiate keep_alive on
>>>
>>> acl auth proxy_auth REQUIRED
>>>
>>> http_access allow auth
>>>
>>> but it doesn't work and browser requires me credentials popup and even
>>> if i put them it asks me again
>>>
>>> Thanks,
>>> Fabio
>>>
>>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>>
>>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>>
>>>>
>>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>>> helper parts.
>>>>
>>>> Amos
>


Re: [squid-users] MS Update

2016-01-11 Thread Alex Samad
Hi

On 11 January 2016 at 18:54, Amos Jeffries  wrote:
>> guessing I have to bump up the 200M max to 800mb.
>
> Maybe. But IMHO use the ACLs that range_offset_limit can take.

you're suggesting to limit the offset limit to just the windows update sites

>
>> are the other values still okay ?
>
> Yes.

so if I bump it up to 800Mb it will start to work okay again ?

so using http://wiki.squid-cache.org/SquidFaq/WindowsUpdate which i
used to get the rules
the special way to make this work is

turn off all the client pc. then do a single download of the file -
this will place all of it in the cache

then I can turn the other clients back on ..


Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Amos Jeffries
On 11/01/2016 10:50 p.m., Walter H. wrote:
> Hello,
> 
> I'd restrict the client by using a less resource consuming TLS encryption;
> 
> I thought of doing just this
> 
> e.g.
> http_port 3128 ... cipher=3DES ...
> (for restricting clients connecting to 3DES)
> 
> or what would be less resource consuming?
> AES128?

Depends on the specific TLS library implementation, what other hashes
etc are used alongside, and any crypto hardware support in the machine
running it.

> 
> but where can I see, which ciphersuite is really used?
> (which log shows this? is it /var/squid/cache.log?)

For that you need the new 'negotiated_cipher' logformat codes in the
latest Squid-4.0.4 (note some more build errors found the past few days).


> 
> the reason why I'm asking this:
> 
> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
> SSL-interception, and there the browsers show different Ciphersuites;
> 
> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
> 
> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus, the
> Anti-Virus itself uses 3DES to the proxy server?
> (the proxy server matches another Ciphersuite to the web host)

Yes it is like that. TLS is point-to-point encryption.

Amos



[squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello,

I'd restrict the client by using a less resource consuming TLS encryption;

I thought of doing just this

e.g.
http_port 3128 ... cipher=3DES ...
(for restricting clients connecting to 3DES)

or what would be less resource consuming?
AES128?

but where can I see, which ciphersuite is really used?
(which log shows this? is it /var/squid/cache.log?)

the reason why I'm asking this:

I'm using Kaspersky Anti-Virus on client side, this does a 2nd
SSL-interception, and there the browsers show different Ciphersuites;

e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256

or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus, the
Anti-Virus itself uses 3DES to the proxy server?
(the proxy server matches another Ciphersuite to the web host)

Kaspersky Anti-Virus installed its own Root certificate into the Certstore
of my Windows and of Mozilla Firefox; for sites the Antivirus does no
SSL-intercept, I see the Root certificate of my proxy and for sites the
Antivirus does SSL-Intercept I see the Kaspersky's Antivirus Root
certificate;

Thanks,
Walter



Re: [squid-users] Digest LDAP authentication

2016-01-11 Thread Olivier Desport
I've deleted the quotes in the realm declaration but I still have to use 
quotes with the command line :


echo ':' | /usr/lib/squid3/digest_ldap_auth -b ou= -u uid -A l 
-W /etc/digestreader_cred -e -v 3  
BH message="Invalid line received"


echo '"":""' | /usr/lib/squid3/digest_ldap_auth -b 
ou= -u uid -A l -W /etc/digestreader_cred -e -v 3 

OK ha1="..."

And I still don't know what to do with the browser popup.

Le 10/01/2016 05:08, Amos Jeffries a écrit :

On 9/01/2016 3:50 a.m., Olivier Desport wrote:

Hello,

I'm trying to implement digest LDAP authentication with digest_ldap_auth
on Squid 3.4.

When I try to connect with command line, It succeeds :

echo '"":""' | /usr/lib/squid3/digest_ldap_auth -b
ou= -u uid -A l -W /etc/digestreader_cred -e -v 3  
OK ha1="..."

In squid.conf

auth_param digest program /usr/lib/squid3/digest_ldap_auth -b
'ou=' -u uid -A l -W /etc/digestreader_cred -e -v 3 -h 
auth_param digest children 5
auth_param digest realm ""
auth_param digest casesensitive off

When I test with a browser, the authentication popup with username and
password appears. But I don't know what credentials to give. I've tried
with "":"" for username and the clear password but It
doesn't work. The popup appears again and nothing is written in access.log.

Could you help me ?


Perhaps it is that Squid has been told your realm string contains
quotation marks. I've always thought it very strange that people would
have realms like:
   ""Foo""

Try with just:
   auth_param digest realm REALM


Amos



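The command-line test above exercises the helper protocol directly: Squid hands the helper one line of the form "username":"realm" and expects back OK ha1="<hex>", where HA1 is MD5(username:realm:password), the same value the browser derives from the realm it was shown in the popup. That is why the realm in squid.conf and the realm the helper hashes against must be byte-identical: a realm that carries stray quotation marks produces a different HA1 and every login fails. The following is an added illustration, not the digest_ldap_auth source: a stand-in helper with a constructed in-memory user table in place of LDAP, so the line handling and HA1 computation can be checked in isolation.

```python
import hashlib
import re
import sys

# Constructed user table standing in for the LDAP directory the real helper
# queries: username -> (realm, password). For illustration only.
USERS = {
    "alice": ("REALM", "s3cret"),
}

# Squid 3.x sends the helper one request per line as "username":"realm".
REQUEST_RE = re.compile(r'^"([^"]*)":"([^"]*)"$')


def digest_ha1(username, realm, password):
    """HTTP Digest HA1 = MD5(username:realm:password), lowercase hex (RFC 7616)."""
    return hashlib.md5(("%s:%s:%s" % (username, realm, password)).encode("utf-8")).hexdigest()


def handle_request(line, users=USERS):
    """One helper round trip: request line in, reply line out."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        # The real helper answers an unquoted user:realm line this way (see thread).
        return 'BH message="Invalid line received"'
    username, realm = m.group(1), m.group(2)
    entry = users.get(username)
    if entry is None:
        return "ERR"
    stored_realm, password = entry
    if stored_realm != realm:
        # The browser hashed against the realm Squid advertised; if the helper
        # knows the user under a different realm the HA1 can never match.
        return "ERR"
    return 'OK ha1="%s"' % digest_ha1(username, realm, password)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it the same way the thread tests the real helper, `echo '"alice":"REALM"' | python3 helper.py`, and compare with `echo 'alice:REALM' | python3 helper.py` to see the "Invalid line received" reply; then try a realm that differs from the stored one to see the ERR that a quoted-realm mismatch produces.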


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Amos Jeffries
On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
> Hi,
> could you help me in looking for what's wrong?
> 

The client / browser thinks the credentials are wrong for some reason.

You need to run through all the troubleshooting checks to see if any
reason shows up. The recent posts "kerberos authentication with a
machine account doesn't work" might help there.

Amos


> Regards
> Fabio
> 
> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>> Hi Amos,
>> just configured squid.conf as:
>>
>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>> -d -s HTTP/myproxy.domain
>> auth_param negotiate children 100
>> auth_param negotiate keep_alive on
>>
>> acl auth proxy_auth REQUIRED
>>
>> http_access allow auth
>>
>> but it doesn't work: the browser shows me a credentials popup and even
>> if I put them in it asks me again
>>
>> Thanks,
>> Fabio
>>
>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>
>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>
>>>
>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>> helper parts.
>>>
>>> Amos
>>>
>>>



Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Hi,
could you help me in looking for what's wrong?

Regards
Fabio

2016-01-07 14:26 GMT+01:00 Fabio Bucci :
> Hi Amos,
> just configured squid.conf as:
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> -d -s HTTP/myproxy.domain
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
>
> but it doesn't work: the browser shows me a credentials popup and even
> if I put them in it asks me again
>
> Thanks,
> Fabio
>
> 2015-12-31 6:30 GMT+01:00 Amos Jeffries :
>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>
>>> Could you help me in kerberos configuration only? I don't want a fallback
>>
>>
>> That should be blindingly obvious ... just use the Kerberos helper directly
>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>> helper parts.
>>
>> Amos
>>
>>


Re: [squid-users] SSLBUMP Issue

2016-01-11 Thread Amos Jeffries
On 11/01/2016 10:54 a.m., Roman Gelfand wrote:
> I am getting the following error.  Would anyone know the reason?
> 
>  Error negotiating SSL connection on FD 37: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number
> 

Please supply the required details:

* Squid version (squid -v output)

 If it is older than 3.5.10 please upgrade.

* OpenSSL version

If it is older than 1.0.0 please (try to) upgrade.

> 
> My sslbump config is
> 
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
> 
> ssl_bump server-first all

At this point all the following directives about bumping are useless and
will not happen.

> ssl_bump peek all
> ssl_bump terminate all
> 

*DO NOT* mix deprecated and current bumping actions together.

"Does not support peeking, which causes various problems.
When used for intercepted traffic SNI is not available and the server
raw-IP will be used in certificates. "

One of those "various problems" is probably what you are encountering.

Amos

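Both of Amos's objections to the configuration above can be checked mechanically: ssl_bump rules are evaluated first-match, so a rule whose only ACL is the built-in `all` ends the search and everything after it is dead, and server-first/client-first/none are the pre-3.5 actions that must not be combined with peek/stare/splice/bump/terminate. The following is an added example, not Squid code: a small linter over squid.conf text that reports both problems, run against the rules quoted in the thread and against a peek-then-bump alternative (the `step1` ACL name in that alternative is an assumption for the example).

```python
LEGACY_ACTIONS = {"client-first", "server-first", "none"}
CURRENT_ACTIONS = {"peek", "stare", "splice", "bump", "terminate"}


def parse_ssl_bump_rules(config_text):
    """[(line number, action, [acl names...])] for every ssl_bump line."""
    rules = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        parts = line.split()
        if not parts or parts[0] != "ssl_bump":
            continue
        action = parts[1] if len(parts) > 1 else ""
        rules.append((lineno, action, parts[2:]))
    return rules


def lint_ssl_bump(config_text):
    """Return a list of human-readable findings; an empty list means nothing found."""
    rules = parse_ssl_bump_rules(config_text)
    findings = []

    for lineno, action, _ in rules:
        if action not in LEGACY_ACTIONS | CURRENT_ACTIONS:
            findings.append("line %d: unknown ssl_bump action %r" % (lineno, action))

    used = {action for _, action, _ in rules}
    legacy, current = used & LEGACY_ACTIONS, used & CURRENT_ACTIONS
    if legacy and current:
        findings.append("mixes deprecated action(s) %s with %s; use only "
                        "peek/stare/splice/bump/terminate" % (sorted(legacy), sorted(current)))

    # First match wins. A rule whose ACL list is exactly the built-in `all`
    # matches every connection, so every later rule can never be reached.
    for i, (lineno, action, acls) in enumerate(rules):
        if acls == ["all"]:
            for later_lineno, later_action, _ in rules[i + 1:]:
                findings.append("line %d: 'ssl_bump %s' is unreachable; line %d "
                                "(%s all) matches everything first"
                                % (later_lineno, later_action, lineno, action))
            break
    return findings


# The rules quoted in the thread.
THREAD_CONFIG = """\
ssl_bump server-first all
ssl_bump peek all
ssl_bump terminate all
"""

# A consistent Squid 3.5-style alternative: peek at step 1, then bump.
PEEK_THEN_BUMP = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("peek-then-bump", PEEK_THEN_BUMP)):
        print(name + ":")
        for finding in lint_ssl_bump(cfg) or ["ok"]:
            print("  " + finding)
```

The linter deliberately treats only a bare `all` as "matches everything"; whether some other ACL happens to match every connection depends on the ACL definitions, which it does not evaluate.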


Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-11 Thread Amos Jeffries
On 11/01/2016 2:48 p.m., LYMN wrote:
>
> I did manage to get this working, you did mention the correct solution
> right down the end of your message.
> 

Correct for you, yes. That can happen when making half-blind guesses at
what the problem actually is based on partial information. It might have
been any of the issues mentioned or any of the solutions mentioned.
Others in future may find differently depending on what they have mucked
up or played around with before asking.

> On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
>> Hai, 
>>  
>>
>> Few things to check. 
>>
>> /etc/krb5.keytab should have rights 600 (root:root) 
>>
> 
> And this was the problem but it should not, in my case, be as you
> stated. In fact, /etc/krb5.keytab needed to have rights 640 with
> ownership root:nobody.  This is because the kerberos authenticator runs
> as the user nobody and needs access to the keytab.  I am not so sure I
> like this situation because this does mean the nobody user now has
> access to the machine kerberos keys not just the ones for the http SPN.

"nobody" is the default low-privileged user account unless you build
Squid with the --with-default-user=X - in which cases it will default to
the "X" account.

You can also configure "cache_effective_user X" in squid.conf to
override the default if your Squid was built with one you don't want to use.

Amos

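LYMN's concern in the reply above is that loosening /etc/krb5.keytab to 640 root:nobody so the helper can read it also hands the helper's account every other key in that file (host/ and the machine account), not only the HTTP/ service key it needs. Two things are worth checking before accepting that: exactly which principals the keytab holds, and what the file mode actually grants. The following is an added example, not Squid or MIT code: a parser for the MIT keytab format (version bytes 0x05 0x02) that lists principals and flags the ones outside the HTTP/ service, plus a mode check, run here on a constructed keytab rather than a real one. The principal names, realm and key bytes are invented for the example.

```python
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab format version 2


def _counted(buf, off):
    """uint16 length-prefixed byte string at buf[off:]; returns (bytes, next offset)."""
    n = struct.unpack("!H", buf[off:off + 2])[0]
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """[(principal, kvno, enctype), ...] from keytab bytes.

    Entry layout: int32 size; uint16 component count; realm; components;
    uint32 name_type; uint32 timestamp; uint8 vno; uint16 enctype; key;
    optional uint32 vno (used when present and non-zero).
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack("!i", data[off:off + 4])[0]
        off += 4
        if size < 0:                  # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        ncomp = struct.unpack("!H", data[off:off + 2])[0]
        p = off + 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode("utf-8"))
        p += 8                        # name_type + timestamp, not needed here
        vno = data[p]
        p += 1
        enctype = struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        _key, p = _counted(data, p)   # key material is not needed for the listing
        if end - p >= 4:
            vno32 = struct.unpack("!I", data[p:p + 4])[0]
            if vno32:
                vno = vno32
        entries.append(("/".join(comps) + "@" + realm.decode("utf-8"), vno, enctype))
        off = end
    return entries


def principals_beyond(entries, needed_prefix="HTTP/"):
    """Principals in the keytab that the proxy helper does not need."""
    return sorted({p for p, _, _ in entries if not p.startswith(needed_prefix)})


def mode_findings(st_mode):
    """Who besides the owner can read a file with this mode."""
    findings = []
    if st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


# --- constructed keytab for the demo ----------------------------------------

def _cstr(b):
    return struct.pack("!H", len(b)) + b


def build_keytab(entries):
    """entries: (principal, kvno, enctype, key bytes); the keys here are dummies."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack("!II", 1, 0)          # KRB5_NT_PRINCIPAL, timestamp 0
        body += bytes([kvno & 0xFF]) + struct.pack("!H", enctype) + _cstr(key)
        body += struct.pack("!I", kvno)
        out += struct.pack("!i", len(body)) + body
    return out


SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.example.org@EXAMPLE.ORG", 3, 18, b"\x00" * 32),   # 18 = aes256-cts-hmac-sha1-96
    ("host/proxy.example.org@EXAMPLE.ORG", 3, 18, b"\x11" * 32),
    ("PROXY$@EXAMPLE.ORG", 3, 23, b"\x22" * 16),                   # 23 = rc4-hmac
])

if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for principal, kvno, enctype in entries:
        print("%-40s kvno=%d enctype=%d" % (principal, kvno, enctype))
    extra = principals_beyond(entries)
    if extra:
        print("helper account would also gain access to:", ", ".join(extra))
    if path:
        print("mode:", ", ".join(mode_findings(os.stat(path).st_mode)) or "owner-only")
```

If the listing shows principals beyond HTTP/, the usual remedy is to keep /etc/krb5.keytab at 600 root:root and copy only the HTTP/ entry into a separate keytab owned by the Squid effective user, then point the helper at that file (check the helper's own usage text for the keytab option on your build); the helper then has the service key it needs and nothing else.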