[squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread startrekfan
Hello

I need to setup a squid 3 proxy with https bumping. Unfortunately I'm not
very familiar with squid and https in general.

I already performed the following steps:

*1.) compile from source*
./configure --with-openssl   --enable-ssl-crtd
make
make install

*2.) configuration (http)*
I used this guide: https://help.ubuntu.com/community/Squid

*3.) configuration (https)*
I used this guide: http://wiki.squid-cache.org/ConfigExamp ... mpExplicit


The server is now working for http and https, but is the server secure, too?

Is the default config already secure or do I need to configure additional
security features? (e.g. things like cert validation, cert pinning, [don't
know what's important], ...)

Thank you

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread zw963

So the problem is: why does configure not detect that my system is missing g++
until I run make, when it tells me `g++: command not found'?

Yuri Voinov writes:

> Squid now completely written on C++ ;)
>
> 13.01.16 1:34, Billy.Zheng (zw963) writes:
>>
>>>> Or, just tell me, this worked, it is fine, and I will very happy to use.
>>>>
>>>> btw: When I first install, ./configure is passed, but make is failed.
>>>> because I am not install gcc-c++. I have to install gcc-c++, reconfigure
>>>> again, make is passed. I thought if ./configure could detect gcc-c++
>>>> is not installed, will more good.
>>
>>> What C++ compiler did you have installed instead of gcc-c++ ?
>>
>> I use CentOS 7.0 in VPS.
>>
>> I just follow squid document from here:
> http://wiki.squid-cache.org/SquidFaq/CompilingSquid
>>
>> with following operation:
>>
>> [root@vultr squid-3.5.12]# yum install -y perl gcc autoconf automake
> make sudo wget
>> [root@vultr squid-3.5.12]# yum install openssl-devel
>> [root@vultr squid-3.5.12]# g++
>> -bash: g++: command not found
>>
>> and then run my new config, Thanks for guide.
>>
>> ./configure --build=x86_64-linux-gnu \
>> --prefix=/usr \
>> --exec-prefix=/usr \
>> '--bindir=${prefix}/bin' \
>> '--sbindir=${prefix}/sbin' \
>> '--libdir=${prefix}/lib64' \
>> '--libexecdir=${prefix}/lib64/squid' \
>> '--includedir=${prefix}/include' \
>> '--datadir=${prefix}/share/squid' \
>> '--mandir=${prefix}/share/man' \
>> '--infodir=${prefix}/share/info' \
>> --localstatedir=/var \
>> '--with-logdir=${localstatedir}/log/squid' \
>> '--with-pidfile=${localstatedir}/run/squid.pid' \
>> '--with-swapdir=${localstatedir}/spool/squid' \
>> --sysconfdir=/etc/squid \
>> --with-openssl \
>> --with-default-user=squid \
>> --with-filedescriptors=16384
>>
>> it worked. and end with Makefile created.
>>
>> It seem like not c++ compile included initially, ./configure is not
> detect out
>> for it for this OS, so no any error occur.
>>
>> when I run make, it told me `g++: command not found'
>>
>> [root@vultr squid-3.5.12]# make
>> Making all in compat
>> make[1]: Entering directory `/root/squid-3.5.12/compat'
>> source='assert.cc' object='assert.lo' libtool=yes \
>> DEPDIR=.deps depmode=none /bin/sh ../cfgaux/depcomp \
>> /bin/sh ../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H  
> -I.. -I../include -I../lib -I../src -I../include   -I../libltdl-c -o
> assert.lo assert.cc
>> libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib
> -I../src -I../include -I../libltdl -c assert.cc  -o .libs/assert.o
>> ../libtool: line 1125: g++: command not found
>> make[1]: *** [assert.lo] Error 1
>> make[1]: Leaving directory `/root/squid-3.5.12/compat'
>> make: *** [all-recursive] Error 1
>>
>> following is a part of ./configure output:
>>
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking whether build environment is sane... yes
>> checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
>> checking for gawk... gawk
>> checking whether make sets $(MAKE)... yes
>> checking whether make supports nested variables... yes
>> checking whether UID '0' is supported by ustar format... yes
>> checking whether GID '0' is supported by ustar format... yes
>> checking how to create a ustar tar archive... gnutar
>> checking whether to enable maintainer-specific portions of Makefiles... no
>> checking for gcc... gcc
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables...
>> checking whether we are cross compiling... no
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether gcc accepts -g... yes
>> checking for gcc option to accept ISO C89... none needed
>> checking whether gcc understands -c and -o together... yes
>> checking for style of include used by make... GNU
>> checking dependency style of gcc... gcc3
>> checking for g++... no
>> checking for c++... no
>> checking for gpp... no
>> checking for aCC... no
>> checking for CC... no
>> checking for cxx... no
>> checking for cc++... no
>> checking for cl.exe... no
>> checking for FCC... no
>> checking for KCC... no
>> checking for RCC... no
>> checking for xlC_r... no
>> checking for xlC... no
>> checking whether we are using the GNU C++ compiler... no
>> checking whether g++ accepts -g... no
>> checking dependency style of g++... none
>> checking build system type... x86_64-pc-linux-gnu
>> checking host system type... x86_64-pc-linux-gnu
>> configure: CPU arch native optimization enabled: auto
>> checking whether compiler accepts -march=native... no
>> checking simplified host os... linux (version )
>> checking what kind of compiler we're using... none
>> checking whether g++ supports C++11 features by 

Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread Yuri Voinov

BTW, it must not detect and explain, this is your responsibility ;)

13.01.16 15:40, Billy.Zheng (zw963) writes:
> Why does configure not detect that my gcc-c++ package is missing?
>
> Sure, if I install gcc-c++, it works now.
>
> Maybe we need to update the wiki document here
> http://wiki.squid-cache.org/SquidFaq/CompilingSquid
> to add the gcc-c++ package as a dependency.
>
> Yuri Voinov writes:
>
>> That's it.
>>
>> You installed gcc but not g++.
>>
>> Simple.
>>
>> 13.01.16 1:34, Billy.Zheng (zw963) writes:
>>> checking for cc++... no



Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread zw963
I will investigate your config options carefully, thanks!
Mike writes:

> When I used CentOS 7 (a variation of it), this is what I had to use:
>
>
>   • yum -y install perl gcc gcc-c++ autoconf automake make
>
>   • yum -y install epel-release
>
>   □ (has a few packages we need below)
>
>   • yum -y install libxml2-devel libcap-devel avr-gcc-c++
>
>   • yum -y install libtool-ltdl-devel openssl-devel
>
>   • yum -y install ksh perl-Crypt-OpenSSL-X509
>
> I prefer separate lines with only a few to be installed since if there's a
> problem with one, it is more likely to show an error rather than be buried.
>
>
> With 3.5.5 they made some changes so for 3.5.5 and newer, certain configure
> options no longer work that previously did as far back as 3.1.x. This is for
> 64bit, there are a few small differences for 32 bit OS.
>
>   • ./configure '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' \
>       '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' \
>       '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' \
>       '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' \
>       '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' \
>       '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' \
>       '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' \
>       '--with-logdir=$(localstatedir)/log/squid' \
>       '--with-pidfile=$(localstatedir)/run/squid.pid' \
>       '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' \
>       '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' \
>       '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' \
>       '--enable-ident-lookups' '--enable-linux-netfilter' \
>       '--enable-removal-policies=heap,lru' '--enable-snmp' \
>       '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' \
>       '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' \
>       '--with-default-user=squid' '--with-filedescriptors=1024' '--with-dl' \
>       '--with-openssl' '--with-pthreads' '--with-included-ltdl' \
>       '--disable-arch-native' \
>       'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
>       'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' \
>       'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
>
>
> There are small variations in CentOS that make it different from other linux
> operating systems, so when I've had issues with missing configure options, I
> installed the available version from yum, then went through one by one and
> found what I needed, mirrored it to an extent for building from source. I also
> added my ssl based options.
> I have 2 different CentOS 7 based systems running squid with no problems using
> this setup.
>
> Mike
>
>
>
>
>
> On 1/12/2016 13:34 PM, Billy.Zheng(zw963) wrote:
>
> Or, just tell me, this worked, it is fine, and I will very happy to use.
>
> btw: When I first install, ./configure is passed, but make is failed.
> because I am not install gcc-c++. I have to install gcc-c++, reconfigure
> again, make is passed. I thought if ./configure could detect gcc-c++
> is not installed, will more good.
>
> What C++ compiler did you have installed instead of gcc-c++ ?
>
> I use CentOS 7.0 in VPS.
>
> I just follow squid document from here: 
> http://wiki.squid-cache.org/SquidFaq/CompilingSquid
>
> with following operation:
>
> [root@vultr squid-3.5.12]# yum install -y perl gcc autoconf automake make sudo wget
> [root@vultr squid-3.5.12]# yum install openssl-devel
> [root@vultr squid-3.5.12]# g++
> -bash: g++: command not found
>
> and then run my new config, Thanks for guide.
>
> ./configure --build=x86_64-linux-gnu \
> --prefix=/usr \
> --exec-prefix=/usr \
> '--bindir=${prefix}/bin' \
> '--sbindir=${prefix}/sbin' \
> '--libdir=${prefix}/lib64' \
> '--libexecdir=${prefix}/lib64/squid' \
> '--includedir=${prefix}/include' \
> '--datadir=${prefix}/share/squid' \
> '--mandir=${prefix}/share/man' \
> '--infodir=${prefix}/share/info' \
> --localstatedir=/var \
> '--with-logdir=${localstatedir}/log/squid' \
> '--with-pidfile=${localstatedir}/run/squid.pid' \
> '--with-swapdir=${localstatedir}/spool/squid' \
> --sysconfdir=/etc/squid \
> --with-openssl \
> --with-default-user=squid \
> --with-filedescriptors=16384
>
> it worked. and end with Makefile created.
>
> It seem like not c++ compile included initially, ./configure is not detect out
> for it for this OS, so no any error occur.
>
> when I run make, it told me `g++: command not found'
>
> 

Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread Amos Jeffries
On 13/01/2016 10:16 p.m., startrekfan wrote:
> Hello
> 
> I need to setup a squid 3 proxy with https bumping. Unfortunately I'm not
> very familiar with squid and https in general.
> 
> I already performed the following steps:
> 
> *1.) compile from source*
> ./configure --with-openssl   --enable-ssl-crtd
> make
> make install

You now have Squid pieces installed in the BSD default locations.

> 
> *2.) configuration (http)*
> I used this guide: https://help.ubuntu.com/community/Squid
> 

Is this an Ubuntu system? If not, the Ubuntu advice will be wrong.

At the very least the advice to start installing Squid with "apt-get
install apache2" is wrong.



> *3.) configuration (https)*
> I used this guide: http://wiki.squid-cache.org/ConfigExamp ... mpExplicit

huh? what URL was that supposed to be?

> 
> The server is now working for http and https, but is the server secure, too?
> 
> Is the default config already secure or do I need to configure additional
> security features? (e.g. things like cert validation, cert pinning, [dont
> know what's importend], ...)
> 

The default squid.conf performs HTTP securely. Without HTTPS. What your
config does nobody can say without seeing what it is.

Amos



Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread Yuri Voinov

If g++ installed, it can be not visible via PATH environment variable.

13.01.16 15:36, Billy.Zheng (zw963) writes:

So the problem is: Why configure not detect out my system missing g++
until I run make,  it told me `g++: command not found' ?

Yuri Voinov writes:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
  
Squid now completely written on C++ ;)


13.01.16 1:34, Billy.Zheng (zw963) writes:

Or, just tell me, this worked, it is fine, and I will very happy to use.

btw: When I first install, ./configure is passed, but make is failed.
because I am not install gcc-c++. I have to install gcc-c++, reconfigure
again, make is passed. I thought if ./configure could detect gcc-c++
is not installed, will more good.

What C++ compiler did you have installed instead of gcc-c++ ?

I use CentOS 7.0 in VPS.

I just follow squid document from here:

http://wiki.squid-cache.org/SquidFaq/CompilingSquid

with following operation:

[root@vultr squid-3.5.12]# yum install -y perl gcc autoconf automake

make sudo wget

[root@vultr squid-3.5.12]# yum install openssl-devel
[root@vultr squid-3.5.12]# g++
-bash: g++: command not found

and then run my new config, Thanks for guide.

 ./configure --build=x86_64-linux-gnu \
 --prefix=/usr \
 --exec-prefix=/usr \
 '--bindir=${prefix}/bin' \
 '--sbindir=${prefix}/sbin' \
 '--libdir=${prefix}/lib64' \
 '--libexecdir=${prefix}/lib64/squid' \
 '--includedir=${prefix}/include' \
 '--datadir=${prefix}/share/squid' \
 '--mandir=${prefix}/share/man' \
 '--infodir=${prefix}/share/info' \
 --localstatedir=/var \
 '--with-logdir=${localstatedir}/log/squid' \
 '--with-pidfile=${localstatedir}/run/squid.pid' \
 '--with-swapdir=${localstatedir}/spool/squid' \
 --sysconfdir=/etc/squid \
 --with-openssl \
 --with-default-user=squid \
 --with-filedescriptors=16384

it worked. and end with Makefile created.

It seem like not c++ compile included initially, ./configure is not

detect out

for it for this OS, so no any error occur.

when I run make, it told me `g++: command not found'

[root@vultr squid-3.5.12]# make
Making all in compat
make[1]: Entering directory `/root/squid-3.5.12/compat'
source='assert.cc' object='assert.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/sh ../cfgaux/depcomp \
/bin/sh ../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H

-I.. -I../include -I../lib -I../src -I../include   -I../libltdl-c -o
assert.lo assert.cc

libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib

-I../src -I../include -I../libltdl -c assert.cc  -o .libs/assert.o

../libtool: line 1125: g++: command not found
make[1]: *** [assert.lo] Error 1
make[1]: Leaving directory `/root/squid-3.5.12/compat'
make: *** [all-recursive] Error 1

following is a part of ./configure output:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '0' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking dependency style of g++... none
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
configure: CPU arch native optimization enabled: auto
checking whether compiler accepts -march=native... no
checking simplified host os... linux (version )
checking what kind of compiler we're using... none
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... no
checking whether g++ supports C++11 features with -std=c++0x... no
configure: No compiler with C++11 support was found
checking 

Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread zw963

Why does configure not detect that my gcc-c++ package is missing?

Sure, if I install gcc-c++, it works now.

Maybe we need to update the wiki document here
http://wiki.squid-cache.org/SquidFaq/CompilingSquid
to add the gcc-c++ package as a dependency.

Yuri Voinov writes:

> That's it.
>
> You installed gcc but not g++.
>
> Simple.
>
> 13.01.16 1:34, Billy.Zheng (zw963) writes:
>> checking for cc++... no
>

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io



Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread zw963
Surely I can resolve this problem with Google, although I hope the wiki
could have told me that gcc-c++ is needed on CentOS.

Thanks.

Yuri Voinov writes:

> BTW, it must not detect and explain, this is your responsibility ;)
>
> 13.01.16 15:40, Billy.Zheng (zw963) writes:
>> Why does configure not detect that my gcc-c++ package is missing?
>>
>> sure if i install gcc-c++,  it worked now.
>>
>> maybe we need update Wiki document here
>> http://wiki.squid-cache.org/SquidFaq/CompilingSquid
>> to add new gcc-c++ package as dependency.
>>
>> Yuri Voinov writes:
>>
>>> That's it.
>>>
>>> You installed gcc but not g++.
>>>
>>> Simple.
>>>
>>> 13.01.16 1:34, Billy.Zheng (zw963) writes:
>>>> checking for cc++... no

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io



Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-13 Thread Fabio Bucci
Hi All,
I want to finish a previous job done by an ex-colleague who has changed
company. Now there is a cluster of 2 nodes of squid with NTLM
transparent authentication and one spare node I'm using as a test and
configured with Kerberos instead. Reading a lot of info I understood
Kerberos is more stable than NTLM and my plan is to migrate the
production cluster to this kind of authentication. Configurations
(squid and kerberos) seem to be ok but every time I point the browser
to squid I'm unable to get to the internet; a popup asks me for credentials
but even if I put in the right ones it doesn't work. Could you help me?

2016-01-12 0:28 GMT+01:00 LYMN :
> On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
>> On 11/01/2016 2:48 p.m., LYMN wrote:
>> >
>> > I did manage to get this working, you did mention the correct solution
>> > right down the end of your message.
>> >
>>
>> Correct for you yes. That can happen when making half-blind guesses at
>> what the problem actually is based on partial information. It might have
>> been any of the issues mentioned or any of the solutions mentioned.
>> Others in future may find differently depending on what they have mucked
>> up or played around with before asking.
>>
>
> Yes, correct for me.  It indeed could be one or more of the suggestions
> that were made.  Kerberos errors are such fun to debug made more so by
> multiple problems causing the same error message.  I have had a
> situation where I had a few different problems and it wasn't until I had
> sorted them all that the error message went away but it is so unsettling
> to get the same error after you have made a change that you are sure
> makes things correct.
>
>> > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
>> >> Hai,
>> >>
>> >>
>> >> Few things to check.
>> >>
>> >> /etc/krb5.keytab should have rights 600 (root:root)
>> >>
>> >
>> > And this was the problem but it should not, in my case, be as you
>> > stated. In fact, /etc/krb5.keytab needed to have rights 640 with
>> > ownership root:nobody.  This is because the kerberos authenticator runs
>> > as the user nobody and needs access to the keytab.  I am not so sure I
>> > like this situation because this does mean the nobody user now has
>> > access to the machine kerberos keys not just the ones for the http SPN.
>>
>> "nobody" is the default low-privileged user account unless you build
>> Squid with the --with-default-user=X - in which cases it will default to
>> the "X" account.
>>
>> You can also configure "cache_effective_user X" in squid.conf to
>> override the default if your Squid was built with one you dont want to use.
>>
>
> Yes.  I think you have clarified the point that I was trying to make
> which was the user/group used may depend on your configuration or squid
> build.
>
> --
> Brett Lymn


Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread Amos Jeffries
On 13/01/2016 10:43 p.m., Yuri Voinov wrote:
> BTW, it must not detect and explain, this is your responsibility ;)
> 
> 13.01.16 15:40, Billy.Zheng (zw963) writes:
>> Why configure not detect ot my gcc-c++ package missing?
>>
>> sure if i install gcc-c++,  it worked now.
>>
>> maybe we need update Wiki document here
>> http://wiki.squid-cache.org/SquidFaq/CompilingSquid
>> to add new gcc-c++ package as dependency.

gcc-c++ is not a dependency. That is just the name of a package on your
OS where g++ comes from.

The g++ dependency is documented in section 1.3.1 of that page:


Amos


Re: [squid-users] Compile install Squid, configure default options.

2016-01-13 Thread Eliezer Croitoru

On 13/01/2016 11:36, Billy.Zheng (zw963) wrote:
> So the problem is: Why configure not detect out my system missing g++
> until I run make,  it told me `g++: command not found' ?


There might be something wrong in the configure script as far as I can
tell, since your configure output shows the following:

checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking dependency style of g++... none

which should somehow tell it that there is no g++, so why does it then
try to run it?

I can install a new CentOS 7 VM and see this issue.
Can you file a bugzilla report so I can test the issue and report there?
Fill in your details there.

http://bugs.squid-cache.org/

Thanks,
Eliezer


Re: [squid-users] V3.5.12 SSL Bumping Issue with one Website

2016-01-13 Thread Yuri Voinov

I've seen the same - just no laugh! - with https://instagram.com

:)

Yes, I know, selfie is evil :)

13.01.16 23:10, sq...@data-core.org writes:
>
> Hello together,
>
> I am using Squid 3.5.12 with Kerberos Authentication only and ClamAV
> on Debian Jessie.
>
> My Proxy is working very nice, but now I've found an issue with just
> one SSL Website.
>
> It would be nice to know if others can reproduce this Issue.
>
> Target website is: https://www.shop-fonic-mobile.de/
>
> While trying to access this website, a blank page is displayed without
> any source code in it.
>
> Cache Log says on each attempt:
> Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
>
> Access Log for each attempt:
> 1452703599.547  0 10.0.0.4 TCP_DENIED/407 4189 CONNECT
> www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
> 1452703599.832272 10.0.0.4 TAG_NONE/200 0 CONNECT
> www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
> 1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET
> https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195 text/html
>
> SSL Bumping generated a valid certificate for this site using my
> internal CA.
>
> I can reproduce the error only on this website; everything else is
> working nicely, and if Squid can't validate an external SSL Certificate
> it displays an error of course.
>
> I currently fixed it by adding it to my SSL_TrustedSites ACL.
>
>
> This is my Bump config:
>
> http_port 8080 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem
> ssl_bump splice localhost
> ssl_bump bump all
> sslproxy_cert_error allow SSL_TrustedSites
> sslproxy_cert_error deny all
>
>
> Expected behavior of Squid: If Squid can't validate an SSL Certificate
> then an error should be displayed as it does on all other sites with
> invalid certificates.
> But it seems that the first check of squid recognizes the Certificate
> as valid, otherwise it would display an error, and squid generates a valid
> cert for the client, and then squid seems to not be able to validate
> it at this point again.
>
> The Target Website SSL Chain is as follows:
> CA  <- Part of the Ca certificates
> -- Intermediate <- not a part of the ca-certificates
> -website
>
> So I believe somehow on the initial request squid can validate the
> full chain and as soon as the client receives the generated cert it
> can't look up the whole chain because it tries to validate against the
> intermediate CA only and lost the path to the Root CA and fails of
> course. Again only the Root CA is known by the system (ca-certificates).
>
> Please let me know if someone can reproduce this Issue.
>
> BTW:
> Found another Issue in Squid 3.5.12 regarding Error Messages,
> "mailto:; links which are generating an error mail do not work anymore.
> Maybe this is related to Kerberos Authentication which maybe makes the
> url encoded string longer than before. I've found out that somewhere at
> the last part of the urlencoded link the error is in. Couldn't pin point it.
>
> Best regards,
>
> Enrico
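The chain failure Enrico describes, reproduced offline as an added example (not code from the thread or from Squid): it builds a constructed root/intermediate/leaf hierarchy in a temporary directory with the openssl CLI and verifies the leaf both without and with the intermediate, which is the difference between a server that sends only its leaf and one that sends the full chain; the hostname shop.example.test and all names are made up, and only the openssl tool is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: a leaf certificate whose
# issuer is an intermediate that the server does not send cannot be validated
# against a root-only trust store (the system ca-certificates), while the same
# leaf verifies once the intermediate is available. Everything here is
# constructed in a temporary directory.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Make a key plus CSR: $1 = file stem, $2 = common name.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Build root -> intermediate -> leaf, the three-level chain in the report.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:shop.example.test\n' \
        > "$WORK/leaf.ext"
    new_csr root "Constructed Test Root CA" || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    new_csr int "Constructed Test Intermediate CA" || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" \
        >/dev/null 2>&1 || return 1
    new_csr leaf shop.example.test || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" \
        >/dev/null 2>&1
}

# What a root-only store sees when the server omits the intermediate: this is
# the path that ends in "certificate verify failed". Returns non-zero.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same leaf with the intermediate supplied (as the server should send it,
# or as the proxy operator can provide it locally): the chain reaches the root.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Subject and issuer per certificate, the way you would read s_client
# -showcerts output to spot the missing link in a served chain.
show_chain() {
    for f in leaf int root; do
        openssl x509 -in "$WORK/$f.pem" -noout -subject -issuer
    done
}

make_chain || { echo "could not build the test chain" >&2; exit 1; }
show_chain
if verify_root_only; then
    echo "root only: OK (unexpected)"
else
    echo "root only: verify failed - the intermediate is missing, as in the bump error"
fi
if verify_with_intermediate; then
    echo "with intermediate: OK"
else
    echo "with intermediate: verify failed (unexpected)"
fi
```

Against a live server the same check is `openssl s_client -showcerts -connect host:443 </dev/null`, which lists every certificate the server actually sends; if the intermediate is absent there, the durable fix is to have it served or to add it to the proxy's trusted bundle, not to exempt the site from certificate errors.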


Re: [squid-users] Squid config is failing to cache data

2016-01-13 Thread Amos Jeffries
On 14/01/2016 6:16 a.m., Hardik Dangar wrote:
> Hi all,
> 
> I handle a small network and we have 40 systems (most having Ubuntu 14.04
> and a couple of systems have Windows). We use squid to cache. Due to the
> country where I live there are huge data charges, so I am using squid to
> cache things like Ubuntu updates and certain applications.
> 
> The issue I have is, my squid configuration is either failing to cache Ubuntu
> updates, mostly Debian packages. I see the following status codes frequently in
> my squid log file.
> TCP_REFRESH_UNMODIFIED/304
> TCP_REFRESH_UNMODIFIED/200
> TCP_REFRESH_MODIFIED/200
> 
> which confuses me, as I know only a few options like
> TCP_HIT/TCP_MEM_HIT/TCP_MISS.

Please start by reading this



> and searching about them explains that I
> might have my squid_patterns wrong or data might be changing, but the
> problem is I have set up a schedule so two systems update on Tuesday and then
> on Wednesday all systems update. Yet I see lots of data with status
> TCP_REFRESH_UNMODIFIED/200 or TCP_REFRESH_UNMODIFIED/304. Most clients
> get about 40% to 50% cache. I could totally understand the updates are
> there but I get stumped when TCP_REFRESH_UNMODIFIED/200 happens.

Welcome to HTTP/1.1. Those are all HTTP/1.1 revalidation requests
updating the cached content before delivery to the client, while saving
bandwidth in ways that HIT and MISS cannot.

Squid is a cache, not an archive. It self-updates the cache content as
needed.

 - the UNMODIFIED are when the copy that Squid already has cached is not
changed. No payload object is fetched from the server.

 - the MODIFIED are where the Squid cached object is outdated. A
replacement object is delivered by the server.

 - the 304 are when the client copy has not changed. So no payload is
delivered from Squid to the client.

 - the 200 are when the client copy is outdated. A replacement object is
delivered by Squid.


> 
> I also noticed TCP_REFRESH_UNMODIFIED/200 happens for the Google Chrome Debian
> package regularly even though the same file was downloaded the previous day by some
> clients. I see entries of TCP_REFRESH_UNMODIFIED/200 or TCP_MISS/200 or
> TCP_REFRESH_MODIFIED/200. I have the entry in my configuration file for
> the deb.google URL like "refresh_pattern dl.google.com/.*\.(deb)
>    129600 100% 129600 reload-into-ims
>  ignore-reload  override-expire override-lastmod ignore-no-store
> ignore-private ignore-must-revalidate ".

Blindly turning off performance and bandwidth saving mechanisms simply
because you can't understand the log is not a great idea.

FYI: almost all tutorials you will find online are from people working
with old HTTP/1.0 Squid versions or only understanding HTTP/1.0
behaviour (like you and your HIT/MISS focus).


* reload-into-ims is fine, that changes the forced-MISS Chrome is trying
to make happen into these nicer refresh/revalidation that save some
bandwidth but still deliver the full-sized 200 status reply Chrome demands.

* ignore-reload cancels the effect of the above (if it works).

* override-expire is also fine. It only forces content to stay in cache
longer than Expires/max-age header says it should. Old content cached by
this will lead to MISS/200 becoming MODIFIED/200 in your logs - if you
are lucky it might become UNMODIFIED.

The other options do more harm than good.

You heard about how Steam recently had a big issue about showing gamers
each other's account details? That was a cache somewhere in their system
doing its equivalent of "ignore-no-store ignore-private
ignore-must-revalidate".


> 
> Can anyone help me with this issue? Is this normal? Or is there an issue
> in my squid config? I have attached my squid config and some sample log
> which confuses me.

So far as I can tell from your description what is happening is both
normal and Good. So don't panic.

> 
> My squid version is 3.3.8. For detailed options and the squid config file I have
> pasted the content of both at (Operating system is Ubuntu 14.04.3 LTS
> "trusty"):
> http://pastebin.com/raw/mEjZ24KT

It is fine to just add "reload-into-ims" to the end of the
"refresh_pattern ." line. Then you can remove all those special
Packages/Sources/Release/Translations patterns.

The udeb$ pattern is not doing anything because the deb$ pattern already
matches all those URLs. So you can remove the "refresh_pattern udeb$" line.

I suspect the "dl.google.com/.*\.(deb)" line is not doing anything for
the same reason. But it does not require the end of URL to be "deb", so
may be randomly matching URLs with query-strings.


I'm not sure what will change if you remove the deb$ pattern as well. I
found repository servers vary by mirror software in what HTTP headers they
produce - which affects whether Squid default patterns cache them nicely
or MISS a lot.
Up to you, the rule as-is should be harmless at worst.

> 
> 
> My squid access.log file sample is available at,
> 
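Two small tools for reading the log lines Amos explains above, added here as an example for this thread (not Squid code and not from either poster): a model of how Squid arrives at TCP_REFRESH_UNMODIFIED/MODIFIED on the left of the slash and 304/200 on the right, and a linter that flags the refresh_pattern options Amos calls harmful plus the unanchored "\.(deb)" regex. The Cached/Origin objects are simplified stand-ins (an assumption, not Squid's internals); real Squid also uses Last-Modified / If-Modified-Since, which behave the same way as the ETag used here.

```python
"""Model of Squid's HTTP/1.1 revalidation outcomes plus a refresh_pattern
option linter.  Added example for this thread; not Squid code.  Cached and
Origin are simplified stand-ins (assumption) for Squid's store entry and the
origin server's current object."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cached:
    etag: str
    stale: bool            # past its freshness lifetime, so Squid must revalidate it


@dataclass
class Origin:
    etag: str              # what the origin server currently holds


def serve(cached: Optional[Cached], origin: Origin, client_etag: Optional[str]) -> str:
    """Return the access.log status tag Squid would write for one request.

    Left of the slash: what Squid had to do with the ORIGIN.
      TCP_MISS / TCP_HIT / TCP_IMS_HIT    no revalidation with the origin
      TCP_REFRESH_UNMODIFIED              origin answered 304, no payload fetched
      TCP_REFRESH_MODIFIED                origin sent a replacement object
    Right of the slash: what Squid sends the CLIENT.
      304 when the client's own copy (If-None-Match) is still current, else 200.
    """
    if cached is None:
        tag, current_etag = "TCP_MISS", origin.etag
    elif not cached.stale:
        tag = "TCP_IMS_HIT" if client_etag == cached.etag else "TCP_HIT"
        current_etag = cached.etag
    elif origin.etag == cached.etag:
        # Squid sent "If-None-Match: <cached.etag>" and the origin replied 304.
        tag, current_etag = "TCP_REFRESH_UNMODIFIED", cached.etag
    else:
        tag, current_etag = "TCP_REFRESH_MODIFIED", origin.etag
    status = 304 if client_etag == current_etag else 200
    return f"{tag}/{status}"


# Options that trade correctness for hit ratio, with the failure each one invites.
UNSAFE = {
    "ignore-no-store": "caches responses the origin marked as not storable",
    "ignore-private": "lets one user's private response be served to another user",
    "ignore-must-revalidate": "serves stale content without asking the origin",
    "ignore-reload": "cancels the refresh that reload-into-ims produces",
}


def lint_refresh_pattern(line: str) -> list[str]:
    """Flag unsafe options and a regex whose extension is not anchored with '$'."""
    parts = line.split()
    if not parts or parts[0] != "refresh_pattern":
        return []
    args = parts[1:]
    if args and args[0] == "-i":
        args = args[1:]
    if len(args) < 4:
        return ["malformed refresh_pattern line (need regex min percent max)"]
    regex, options = args[0], args[4:]
    findings = [f"{opt}: {why}" for opt, why in UNSAFE.items() if opt in options]
    if re.search(r"\.\(?\w+\)?$", regex) and not regex.endswith("$"):
        findings.append(f"{regex}: extension not anchored with '$', may match query-string URLs")
    return findings


if __name__ == "__main__":
    print(serve(Cached("v1", stale=True), Origin("v1"), client_etag=None))
    for f in lint_refresh_pattern(r"refresh_pattern dl.google.com/.*\.(deb) 129600 100% 129600 "
                                  "reload-into-ims ignore-reload ignore-no-store ignore-private"):
        print("WARN", f)
```

Run against the refresh_pattern line quoted above, the linter reports all four ignore-* options and the missing "$" anchor; the default "refresh_pattern ." line passes clean.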

Re: [squid-users] Squid config is failing to cache data

2016-01-13 Thread Yuri Voinov



13.01.16 23:16, Hardik Dangar пишет:
> Hi all,
>
> I handle a small network and we have 40 systems (most having Ubuntu 14.04
> and a couple of systems have Windows). We use squid to cache. Due to the
> country where I live there are huge data charges, so I am using squid to
> cache things like Ubuntu updates and certain applications.
>
> The issue I have is, my squid configuration is either failing to cache Ubuntu
> updates, mostly Debian packages. I see the following status codes frequently in
> my squid log file.
> TCP_REFRESH_UNMODIFIED/304
> TCP_REFRESH_UNMODIFIED/200
This is a hit also.
>
> TCP_REFRESH_MODIFIED/200
>
> which confuses me, as I know only a few options like
> TCP_HIT/TCP_MEM_HIT/TCP_MISS, and searching about them explains that I
> might have my squid_patterns wrong or data might be changing, but the
> problem is I have set up a schedule so two systems update on Tuesday and then
> on Wednesday all systems update. Yet I see lots of data with status
> TCP_REFRESH_UNMODIFIED/200 or TCP_REFRESH_UNMODIFIED/304. Most clients
> get about 40% to 50% cache. I could totally understand the updates are
> there but I get stumped when TCP_REFRESH_UNMODIFIED/200 happens.
>
> I also noticed TCP_REFRESH_UNMODIFIED/200 happens for the Google Chrome Debian
> package regularly even though the same file was downloaded the previous day by some
> clients. I see entries of TCP_REFRESH_UNMODIFIED/200 or TCP_MISS/200 or
> TCP_REFRESH_MODIFIED/200. I have the entry in my configuration file for
> the deb.google URL like "refresh_pattern dl.google.com/.*\.(deb)
>    129600 100% 129600 reload-into-ims
>  ignore-reload  override-expire override-lastmod ignore-no-store
> ignore-private ignore-must-revalidate ".
>
> Can anyone help me with this issue? Is this normal? Or is there an issue
> in my squid config? I have attached my squid config and some sample log
> which confuses me.
Issue in your head ;) This is not an issue - just normal cache behaviour.
>
>
> My squid version is 3.3.8. For detailed options and the squid config file I have
> pasted the content of both at (Operating system is Ubuntu 14.04.3 LTS
> "trusty"):
> http://pastebin.com/raw/mEjZ24KT
Squid so antique. Upgrade it.
>
>
>
> My squid access.log file sample is available at,
> http://pastebin.com/raw/A6kyksY8
>
>
> Thanks.




Re: [squid-users] Authorization in a different way

2016-01-13 Thread Amos Jeffries
On 14/01/2016 6:50 a.m., Christian Kunkel wrote:
> hey amos,
> 
> maybe my English is too bad or maybe I am just not getting it. I can
> not use any kind of IP as authentication or authorization. First of
> all because of NAT and second would be that the IP of a user changes
> regarding his location (mobile network).

The only mention I made of IPs was how your iptables rules need to be
more restrictive to reduce the abuse that is possible.

> 
> my understanding of ext_session_acl is or was that it uses an IP to
> create the session?! So if the IP changes the session is dropped (can
> happen every 5 min or when I am lucky the IP does not change for a
> couple of hours).
> 

Both session helpers we provide use the external_acl directive's 'format'
field as the session key. The basic session helper only accepts one
parameter value in the format, the SQL-session helper accepts any number.

Online tutorials tend to use %SRC (IP address), our man page actually
uses %LOGIN (auth username). You will just need to use something else.
The helper does not care, it just needs a unique per-session piece of
text.

If you need more than one token to make up the key use the sql_session
helper. It also fits in better with the splash page doing "login", since
that splash page script will need to be the part doing session creation
in the DB.

Amos

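To show what Amos means by "the helper does not care", here is an added example of an external ACL session helper written for this thread (it is not Squid's ext_session_acl or its SQL helper): Squid hands it whatever the external_acl_type format produces, and it answers OK or ERR. The squid.conf lines in the docstring, the helper path and the choice of %LOGIN as the key are constructed assumptions; the session table would in practice live in a database shared with the splash page, which is the reason the SQL helper fits Chris's setup better.

```python
"""Minimal Squid external ACL session helper.  The key is whatever the
external_acl_type %-format supplies (%LOGIN, %SRC or a token); the helper
enforces an absolute session lifetime and one live session per user.
Added example for this thread; not Squid's ext_session_acl or SQL helper.

Assumed squid.conf wiring (constructed; path and format code are placeholders):
    external_acl_type session ttl=60 negative_ttl=0 %LOGIN /usr/local/bin/session_helper.py
    acl logged_in external session
    http_access allow logged_in
Squid writes one formatted line per lookup and expects one reply line, "OK"
or "ERR", back (non-concurrent helper protocol).  Squid caches each answer
for ttl= seconds, so a session can outlive its expiry by up to that long;
keep ttl= small relative to the session lifetime."""
from __future__ import annotations

import sys
import time


class SessionTable:
    """key -> (user, expiry); user -> its single live key.  In a deployment the
    splash page writes this table and the helper reads it (shared database)."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        self.sessions: dict[str, tuple[str, float]] = {}
        self.by_user: dict[str, str] = {}

    def login(self, user: str, key: str, now: float) -> None:
        """Record a successful splash-page login.  A second login by the same
        user revokes the first key, so a user never holds two sessions."""
        old = self.by_user.get(user)
        if old is not None:
            self.sessions.pop(old, None)
        self.sessions[key] = (user, now + self.lifetime)
        self.by_user[user] = key

    def check(self, key: str, now: float) -> str:
        entry = self.sessions.get(key)
        if entry is None:
            return "ERR message=no_session"
        user, expiry = entry
        if now >= expiry:                      # absolute lifetime, not an idle timeout
            del self.sessions[key]
            self.by_user.pop(user, None)
            return "ERR message=session_expired"
        return "OK"


def handle_line(table: SessionTable, line: str, now: float) -> str:
    """One lookup from Squid: the formatted key, newline-terminated."""
    key = line.strip()
    if not key:
        return "ERR message=empty_key"
    return table.check(key, now)


def main() -> None:
    table = SessionTable(lifetime_seconds=4 * 3600)
    for line in sys.stdin:
        sys.stdout.write(handle_line(table, line, time.time()) + "\n")
        sys.stdout.flush()                     # Squid blocks until it reads the reply


if __name__ == "__main__":
    main()
```

The "message=" key/value on the ERR line is the standard external ACL reply field Squid exposes to error pages, so a denied user can be told whether they never logged in or their session ran out.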


Re: [squid-users] Authorization in a different way

2016-01-13 Thread Eliezer Croitoru
I do not know if an old idea of mine will be good for you but... I will
write it anyway.
The basic way to do what you want is to use some kind of authentication
at the session level and not the IP but..
You can use some "keep-alive" page which will use some JS to
re-authenticate every couple of seconds or minutes.
The service, like in TCP, will assume that the connection is available as
long as the client JS ran in the last couple of seconds\minutes.
It can help you to allow a specific user to use a specific IP address as
long as the JS runs.
And if the user was not authenticated to the other service (which can
run in https) for a period of time the session helper will not allow any
other new session to pass in.


Hope it will help you.
Eliezer

On 13/01/2016 18:35, Christian Kunkel wrote:

Hey guys,

I need a way to authenticate or authorize users to my squid server so I can
create some kind of a session and drop users after x hours they have been using
my proxy. The important thing would be to create only one session per user. I do
not have access to the users' network. They are connecting from the internet and
they also have NATed IPs. I thought about the classic way with HTTP headers but
I ran into problems with some devices, so that's useless for me. To use the IP
address is also not possible because it would authorize a lot of people at once if
they are behind a NAT. That's not what I want. I only can add a proxy address and
a port to the devices which are connecting. Right now I am using a unique port
for every user, then redirect the port to a splash screen with a login form.
When login is successful it triggers an iptables script which redirects
that port to squid. But that means everyone can actually use that port after
someone successfully logged in.

I am using squid 3.5.13 on Debian 8.

some hints would be awesome. thanks in advance guys :)

Kind regards,

Chris





Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-13 Thread LYMN
On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
> Hi All,
> I want to terminate a previous job done by an ex-colleague who has changed
> company. Now there is a cluster of 2 nodes of squid with NTLM
> transparent authentication and one spare node I'm using as a test and
> configured with Kerberos instead. Reading a lot of info I understood
> Kerberos is more stable than NTLM and my plan is to migrate the
> production cluster to this kind of authentication. Configurations
> (squid and Kerberos) seem to be ok but every time I point the browser
> to squid I'm unable to go to the internet; a popup requires credentials
> but even if I put the right ones it doesn't work. Could you help me?
> 

Firstly, please don't hijack someone else's thread, that makes things
confusing.  Post a new message of your own so people can follow the
thread.  Secondly, you need to provide answers to all the questions that
L.P.H. van Belle asked, this will give people a good picture of what
your set up is like and where the problem may be.

-- 
Brett Lymn



Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread startrekfan
It's a Debian. But an Ubuntu howto will also work with Debian.
Here is the broken link:

I combined these two instructions:
http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert

(The latest stable squid on ubuntu is 3.4)


Message: 5
> Date: Wed, 13 Jan 2016 23:19:21 +1300
> From: Amos Jeffries 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How to setup a secure(!) squid proxy
> Message-ID: <569624a9@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 13/01/2016 10:16 p.m., startrekfan wrote:
> > Hello
> >
> > I need to setup a squid 3 proxy with https bumping. Unfortunately I'm not
> > very familiar with squid and https in general.
> >
> > I already performed the following steps:
> >
> > *1.) compile from source*
> > ./configure --with-openssl   --enable-ssl-crtd
> > make
> > make install
>
> You now have Squid pieces installed in the BSD default locations.
>
> >
> > *2.) configuration (http)*
> > I used this guide: https://help.ubuntu.com/community/Squid
> >
>
> Is this an Ubuntu system? If not, the Ubuntu advice will be wrong.
>
> At the very least the advice to start installing Squid with "apt-get
> install apache2" is wrong.
>
>
>
> > *3.) configuration (https)*
> > I used this guide: http://wiki.squid-cache.org/ConfigExamp ...
> mpExplicit
>
> huh? what URL was that supposed to be?
>
> >
> > The server is now working for http and https, but is the server secure,
> too?
> >
> > Is the default config already secure or do I need to configure additional
> > security features? (e.g. things like cert validation, cert pinning, [don't
> > know what's important], ...)
> >
>
> The default squid.conf performs HTTP securely. Without HTTPS. What your
> config does nobody can say without seeing what it is.
>
> Amos
>


[squid-users] Testing Kerberos and LDAP connections

2016-01-13 Thread dolson
Is there a way to test the following lines from my squid.conf file to make sure 
the connections are working correctly?

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm 
/usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos 
/usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=IHCRC
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via 
kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
"dc=ihcrc,dc=org" -D sq...@ihcrc.org -W /etc/squid3/ldappass.txt -f 
sAMAccountName=%s -h srv-dataserver2.ihcrc.org
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

When I run them at the command line, minus the statements from children down, 
I just get a huge print out of some man pages.  I'm trying to identify why I 
can't get AD authentication to work correctly on my Squid server, so I'm trying 
to test each area of the squid.conf file independently.

Thank you,

Dan Olson
Indian Health Care Resource Center
Network Support Specialist
Main: 918.588.1900 Ext. 2212
Direct: 918.382.1212
www.ihcrc.org


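The basic_ldap_auth line above can be exercised by hand the way Squid exercises it, which isolates the LDAP lookup from the rest of squid.conf. The script below is an added example for this thread, not part of Squid or the original post; it relies on the Squid basic helper protocol (one "username password" line on stdin, one "OK" / "ERR" / "BH" line back), and it ships with a constructed stand-in helper so it runs offline. The bind user and LDAP host in the comment are placeholders. The negotiate and ntlm helpers in the same config speak a multi-step challenge/response protocol and cannot be probed with a single line like this.

```python
"""Drive a Squid basic authentication helper the way Squid does, so the
credential check can be tested outside squid.conf.  Added example for this
thread; not part of Squid.

Basic helpers read one "username password" line per request on stdin (both
fields URL-encoded) and answer one line: "OK", "ERR [message]" or "BH ..."
(broken helper)."""
from __future__ import annotations

import subprocess
import sys
from urllib.parse import quote


def probe_basic_helper(command: list[str], username: str, password: str,
                       timeout: float = 10.0) -> str:
    """Send one credential pair to the helper and return its first reply line."""
    # Squid URL-encodes both fields so spaces and '%' in a password survive.
    request = f"{quote(username, safe='')} {quote(password, safe='')}\n"
    proc = subprocess.run(command, input=request, capture_output=True,
                          text=True, timeout=timeout)
    lines = proc.stdout.splitlines()
    if not lines:
        # A silent helper is as much of a failure as one that says ERR for everyone.
        return f"BH no reply (exit {proc.returncode}): {proc.stderr.strip()}"
    return lines[0].strip()


# Constructed stand-in helper so the example runs offline: one known account.
# Against a real directory, pass the helper line from squid.conf instead, e.g.
#   ["/usr/lib/squid3/basic_ldap_auth", "-R", "-b", "dc=example,dc=org",
#    "-D", "BIND_USER_PLACEHOLDER", "-W", "/etc/squid3/ldappass.txt",
#    "-f", "sAMAccountName=%s", "-h", "LDAP_HOST_PLACEHOLDER"]
FAKE_HELPER = [sys.executable, "-c",
               "import sys\n"
               "for line in sys.stdin:\n"
               "    ok = line.split() == ['alice', 's3cret']\n"
               "    print('OK' if ok else 'ERR bad credentials', flush=True)\n"]


if __name__ == "__main__":
    print(probe_basic_helper(FAKE_HELPER, "alice", "s3cret"))   # OK
    print(probe_basic_helper(FAKE_HELPER, "alice", "wrong"))    # ERR bad credentials
```

Because stdin is closed after the one line, the helper exits after answering, so the probe terminates even though a real helper loops until EOF.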


Re: [squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Odhiambo Washington
[root@mail /usr/home/wash/ILI/Squid/4.x/squid-4.0.4]# make
Making all in compat
depbase=`echo eui64_aton.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh
../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I..
-I../include -I../lib -I../src -I../include -I/usr/include
-I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2
-Werror -Qunused-arguments -D_REENTRANT -MT eui64_aton.lo -MD -MP -MF
$depbase.Tpo -c -o eui64_aton.lo eui64_aton.c && mv -f $depbase.Tpo
$depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
-I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
-I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
eui64_aton.lo -MD -MP -MF .deps/eui64_aton.Tpo -c eui64_aton.c  -fPIC -DPIC
-o .libs/eui64_aton.o
gcc: error: unrecognized command line option '-Qunused-arguments'
*** Error code 1

Stop.
make[1]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.4/compat
*** Error code 1

Stop.
make: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.4



On 13 January 2016 at 18:28, Kinkie  wrote:

> Hi,
>I see that there is no -I/usr/local/include option to the compiler.
>
> Add that as a CPPFLAGS when calling configure
> (e.g.
> CPPFLAGS=-I/usr/local/include ./configure
> )
> this should fix the build for you.
>
>
> On Wed, Jan 13, 2016 at 4:25 PM, Odhiambo Washington 
> wrote:
> > I am trying to compile on FreeBSD 10.1-RELEASE-amd64
> >
> >
> > 
> > /bin/sh ../libtool  --tag=CC   --mode=compile clang -DHAVE_CONFIG_H
>  -I..
> > -I../include -I../lib -I../src -I../include  -I/usr/include
> -I/usr/include
> > -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -Werror
> > -Qunused-arguments  -D_REENTRANT  -MT md5.lo -MD -MP -MF $depbase.Tpo -c
> -o
> > md5.lo md5.c &&\
> > mv -f $depbase.Tpo $depbase.Plo
> > libtool: compile:  clang -DHAVE_CONFIG_H -I.. -I../include -I../lib
> -I../src
> > -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
> > -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
> > md5.lo -MD -MP -MF .deps/md5.Tpo -c md5.c  -fPIC -DPIC -o .libs/md5.o
> > In file included from md5.c:41:
> > ../include/md5.h:13:10: fatal error: 'nettle/md5.h' file not found
> > #include <nettle/md5.h>
> >  ^
> > 1 error generated.
> > Makefile:956: recipe for target 'md5.lo' failed
> > gmake[2]: *** [md5.lo] Error 1
> > gmake[2]: Leaving directory
> '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> > Makefile:1001: recipe for target 'all-recursive' failed
> > gmake[1]: *** [all-recursive] Error 1
> > gmake[1]: Leaving directory
> '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> > Makefile:579: recipe for target 'all-recursive' failed
> > gmake: *** [all-recursive] Error 1
> >
> > 
> >
> >
> >
> > But the file is there ...
> >
> >
> > wash@mail:~/ILI/Squid/4.x/squid-4.0.4$ ls -al
> > /usr/local/include/nettle/md5.h
> > -rw-r--r--  1 root  wheel  2023 Jan  7  2015
> /usr/local/include/nettle/md5.h
> >
> >
> > --
> > Best regards,
> > Odhiambo WASHINGTON,
> > Nairobi,KE
> > +254 7 3200 0004/+254 7 2274 3223
> > "Oh, the cruft."
> >
>
>
>
> --
> Francesco
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Kinkie
Hi,
   I see that there is no -I/usr/local/include option to the compiler.

Add that as a CPPFLAGS when calling configure
(e.g.
CPPFLAGS=-I/usr/local/include ./configure
)
this should fix the build for you.


On Wed, Jan 13, 2016 at 4:25 PM, Odhiambo Washington  wrote:
> I am trying to compile on FreeBSD 10.1-RELEASE-amd64
>
>
> 
> /bin/sh ../libtool  --tag=CC   --mode=compile clang -DHAVE_CONFIG_H   -I..
> -I../include -I../lib -I../src -I../include  -I/usr/include  -I/usr/include
> -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -Werror
> -Qunused-arguments  -D_REENTRANT  -MT md5.lo -MD -MP -MF $depbase.Tpo -c -o
> md5.lo md5.c &&\
> mv -f $depbase.Tpo $depbase.Plo
> libtool: compile:  clang -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
> -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
> md5.lo -MD -MP -MF .deps/md5.Tpo -c md5.c  -fPIC -DPIC -o .libs/md5.o
> In file included from md5.c:41:
> ../include/md5.h:13:10: fatal error: 'nettle/md5.h' file not found
> #include <nettle/md5.h>
>  ^
> 1 error generated.
> Makefile:956: recipe for target 'md5.lo' failed
> gmake[2]: *** [md5.lo] Error 1
> gmake[2]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> Makefile:1001: recipe for target 'all-recursive' failed
> gmake[1]: *** [all-recursive] Error 1
> gmake[1]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> Makefile:579: recipe for target 'all-recursive' failed
> gmake: *** [all-recursive] Error 1
>
> 
>
>
>
> But the file is there ...
>
>
> wash@mail:~/ILI/Squid/4.x/squid-4.0.4$ ls -al
> /usr/local/include/nettle/md5.h
> -rw-r--r--  1 root  wheel  2023 Jan  7  2015 /usr/local/include/nettle/md5.h
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>



-- 
Francesco


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-13 Thread zw963

It seems like I missed so many replies. Sorry to all.

I try to reproduce everything about what I did in this reply.

Currently, I use a newer compiled version of Squid (3.5.12); see the wiki, it
should support the arp acl natively. The following is copied from the WIKI.

> The arp ACL requires the special configure option --enable-arp-acl in
> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
> support is enabled by default. Furthermore, the ARP / EUI-48 code is
> not portable to all operating systems. It works on Linux, Solaris,
> and some *BSD variants.

So, I think squid arp acl support is not the key.

Following is my whole config, which worked for CentOS 7. My need is connecting
to the Squid server with my own laptop (with MAC address), no password needed.

Following is my network info, hope it can help.

My laptop connects to the internet through an old WIFI router.
When I run traceroute on my laptop with the WIFI connection, I can not find any
useful info.

traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
 1  localhost (192.168.1.1)  2.017 ms  3.294 ms  3.549 mspp
 2  MY_VPS_IP (MY_VPS_IP)  101.182 ms !X  101.965 ms !X  104.812 ms !p

Only when I connect my laptop directly to the router with a wired connection
can it output meaningful route information.

- config begin --

debug_options 11,2

auth_param basic program /usr/lib64/squid/basic_ncsa_auth 
/etc/squid/squid.passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) 
machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl proxy_ports localport 8087   # http proxy port

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl advance_users arp MY_LAPTOP_MAC_ADDRESS
http_access allow advance_users proxy_ports

acl superuser proxy_auth zw963
http_access allow superuser proxy_ports

acl authorized_users proxy_auth REQUIRED
acl over_conn_limit maxconn 3

http_access deny over_conn_limit authorized_users
http_access allow authorized_users proxy_ports

http_access allow localnet
http_access allow localhost
http_access deny all

https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem

cache_effective_user squid
cache_effective_group squid
visible_hostname squid.proxy
cache_mgr MY_EMAIL_ADDRESS
cache_mem 64 MB
cache_dir ufs /var/spool/squid 256 16 256
coredump_dir /var/spool/squid
maximum_object_size 512 KB
maximum_object_size_in_memory 64 KB
cache_swap_high 95
cache_swap_low 80

cache_store_log none
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
forwarded_for off

logfile_rotate 60

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

-- config end -

When I use w3m to connect to google, w3m tells me a user/password is needed.

Following is the squid log:

 log begin 
=

==> /var/log/squid/cache.log <==
2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP 
Client local=*** remote=*** FD 14 flags=1
2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2346) parseHttpRequest: HTTP 
Client REQUEST:
-
GET http://www.google.com/ HTTP/1.0
User-Agent: w3m/0.5.3+debian-15
Accept: text/html, text/*;q=0.5, image/*, application/*, video/*, audio/*, 
x-scheme-handler/*, x-content/*, misc/*, inode/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: www.google.com


--
2016/01/13 14:19:07.953 kid1| 11,2| client_side.cc(1391) sendStartOfMessage: 
HTTP Client local=* remote=* FD 14 flags=1
2016/01/13 14:19:07.953 kid1| 11,2| client_side.cc(1392) sendStartOfMessage: 
HTTP Client REPLY:
-
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.5.12
Mime-Version: 1.0

[squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Odhiambo Washington
I am trying to compile on FreeBSD 10.1-RELEASE-amd64



/bin/sh ../libtool  --tag=CC   --mode=compile clang -DHAVE_CONFIG_H   -I..
-I../include -I../lib -I../src -I../include  -I/usr/include  -I/usr/include
 -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -Werror
-Qunused-arguments  -D_REENTRANT  -MT md5.lo -MD -MP -MF $depbase.Tpo -c -o
md5.lo md5.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  clang -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -I/usr/include -I/usr/include -I../libltdl
-I/usr/include -I/usr/local/include/libxml2 -Werror -Qunused-arguments
-D_REENTRANT -MT md5.lo -MD -MP -MF .deps/md5.Tpo -c md5.c  -fPIC -DPIC -o
.libs/md5.o
In file included from md5.c:41:
../include/md5.h:13:10: fatal error: 'nettle/md5.h' file not found
#include <nettle/md5.h>
 ^
1 error generated.
Makefile:956: recipe for target 'md5.lo' failed
gmake[2]: *** [md5.lo] Error 1
gmake[2]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
Makefile:1001: recipe for target 'all-recursive' failed
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
Makefile:579: recipe for target 'all-recursive' failed
gmake: *** [all-recursive] Error 1





But the file is there ...


wash@mail:~/ILI/Squid/4.x/squid-4.0.4$ ls -al
/usr/local/include/nettle/md5.h
-rw-r--r--  1 root  wheel  2023 Jan  7  2015 /usr/local/include/nettle/md5.h


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

2016-01-13 Thread Amos Jeffries
On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote:
> 
> It seems like I missed so many replies. Sorry to all.
> 
> I try to reproduce everything about what I did in this reply.
> 
> Currently, I use a newer compiled version of Squid (3.5.12); see the wiki, it
> should support the arp acl natively. The following is copied from the WIKI.
> 
>> The arp ACL requires the special configure option --enable-arp-acl in
>> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
>> support is enabled by default. Furthermore, the ARP / EUI-48 code is
>> not portable to all operating systems. It works on Linux, Solaris,
>> and some *BSD variants.
> 
> So, I think squid arp acl support is not the key.

If you mean that you think it will not work, you are correct.

> 
> Following is my whole config, which worked for CentOS 7. My need is connecting
> to the Squid server with my own laptop (with MAC address), no password needed.

Why that requirement?

> 
> Following is my network info, hope it can help.
> 
> My laptop connects to the internet through an old WIFI router.
> When I run traceroute on my laptop with the WIFI connection, I can not find any
> useful info.
> 
> traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
>  1  localhost (192.168.1.1)  2.017 ms  3.294 ms  3.549 mspp
>  2  MY_VPS_IP (MY_VPS_IP)  101.182 ms !X  101.965 ms !X  104.812 ms !p
> 
> Only when I connect my laptop directly to the router with a wired connection
> can it output meaningful route information.
> 
> - config begin --
> 
> debug_options 11,2
> 
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth 
> /etc/squid/squid.passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive on
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl proxy_ports localport 8087  # http proxy port
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost manager
> http_access deny manager
> 
> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
> http_access allow advance_users proxy_ports
> 
> acl superuser proxy_auth zw963
> http_access allow superuser proxy_ports
> 
> acl authorized_users proxy_auth REQUIRED
> acl over_conn_limit maxconn 3
> 
> http_access deny over_conn_limit authorized_users
> http_access allow authorized_users proxy_ports
> 
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem

This port receives TLS (HTTPS) connections. You need special browser
configuration to connect to a proxy using TLS. The only browser that
supports this is Chrome when configured with a PAC file or when run
manually with special command line options.


> -- config end -
> 
> When I use w3m to connect to google, w3m tells me a user/password is needed.
> 
> following is squid log:
> 
>  log begin 
> =
> 
> ==> /var/log/squid/cache.log <==
> 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: 
> HTTP Client local=*** remote=*** FD 14 flags=1

Your rules are all IP and port based. You elided the IP:port information
with "***".
> 
> ==> /var/log/squid/access.log <==
> 1452694747.953  1 60.221.132.137 TCP_DENIED/407 4130 GET 
> http://www.google.com/ - HIER_NONE/- text/html
> ** - - [13/Jan/2016:14:19:07 +] "GET http://www.google.com/
> HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE

?? you have both Squid format and Apache format log records being put
into the same log?


> 
> === log end 
> 
> 
> I have no idea why Squid auth is needed when I connect from my laptop.
> This situation is the same as when the following ACLs are not used.
> 
>>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>>> http_access allow advance_users proxy_ports
> 

The access.log says the request came from a remote Internet IP.
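To make that first-match logic concrete, here is an added example (my code, not from the thread and not Squid's): it transcribes the posted http_access list and walks the quoted access.log record through it, showing that a client arriving from a remote Internet IP never matches the arp or localnet ACLs and so reaches a proxy_auth rule with no credentials. The proxy_auth handling is a stated simplification, and LAPTOP_MAC is a constructed stand-in for the elided MY_LAPTOP_MAC_ADDRESS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# ACLs transcribed from the posted squid.conf; LAPTOP_MAC is a constructed stand-in for MY_LAPTOP_MAC_ADDRESS.
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS, PROXY_PORTS, SUPERUSERS = {443}, {8087}, {"zw963"}
LAPTOP_MAC = "02:00:00:00:00:01"
AUTH = "auth"  # a proxy_auth ACL reached with no credentials to check

# http_access lines in the posted order; the first line whose ACLs all match wins.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]), ("deny", ["manager"]),
    ("allow", ["advance_users", "proxy_ports"]), ("allow", ["superuser", "proxy_ports"]),
    ("deny", ["over_conn_limit", "authorized_users"]),
    ("allow", ["authorized_users", "proxy_ports"]),
    ("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"]),
]

@dataclass
class Request:
    src: str                    # client IP as Squid logs it
    localport: int              # the http(s)_port the client connected to
    dst_port: int               # origin server port being requested
    method: str = "GET"
    user: Optional[str] = None  # verified proxy login; None when none was sent
    mac: Optional[str] = None   # MAC Squid can see; None unless client shares its link

def match(name, r):
    """Evaluate one named ACL from the posted config against a request."""
    ip = ipaddress.ip_address(r.src)
    return {
        "Safe_ports": r.dst_port in SAFE_PORTS,
        "SSL_ports": r.dst_port in SSL_PORTS,
        "CONNECT": r.method == "CONNECT",
        "proxy_ports": r.localport in PROXY_PORTS,
        "manager": False,           # cache manager requests are not modelled here
        "localhost": ip.is_loopback,
        "localnet": any(ip in net for net in LOCALNET),
        # arp/EUI ACLs only see a MAC for clients on Squid's own LAN segment
        "advance_users": r.mac is not None and r.mac.lower() == LAPTOP_MAC,
        "superuser": AUTH if r.user is None else r.user in SUPERUSERS,
        "authorized_users": AUTH if r.user is None else True,
        "over_conn_limit": False,   # maxconn is not modelled here
        "all": True,
    }[name]

def http_access(r):
    """Return (verdict, line_no). Simplification: a proxy_auth ACL reached without
    credentials ends evaluation with a 407 challenge, as the posted log shows."""
    for n, (action, terms) in enumerate(HTTP_ACCESS, 1):
        for term in terms:
            res = match(term.lstrip("!"), r)
            if res == AUTH:
                return ("407 challenge", n)
            if bool(res) == term.startswith("!"):
                break                     # line does not match; try the next one
        else:
            return (action, n)
    return ("deny", len(HTTP_ACCESS))

def request_from_native_log(line, localport=8087):
    """Build a Request from a Squid native-format access.log record."""
    _ts, _ms, client, _st, _sz, method, url, user, *_ = line.split()
    user = None if user == "-" else user
    if method == "CONNECT":  # CONNECT records log host:port, not a URL
        return Request(client, localport, int(url.rsplit(":", 1)[1]), method, user)
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return Request(client, localport, port, method, user)
```

The same laptop on Squid's own LAN segment (a MAC visible to Squid) is allowed by the arp line, while the logged request from 60.221.132.137 is challenged at the first proxy_auth line it reaches.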

[squid-users] Authorization in a different way

2016-01-13 Thread Christian Kunkel
Hey guys,

I need a way to authenticate or authorize users to my squid server so I can
create some kind of a session and drop users after x hours they have been using
my proxy. The important thing would be to create only one session per user. I do
not have access to the users' network. They are connecting from the internet and
they also have NATed IPs. I thought about the classic way with HTTP headers, but
I ran into problems with some devices, so that's useless for me. Using the IP
address is also not possible because it would authorize a lot of people at once if
they are behind a NAT. That's not what I want. I can only add a proxy address and
a port to the devices which are connecting. Right now I am using a unique port
for every user, then redirect the port to a splash screen with a login form.
When login is successful it triggers an iptables script which redirects
that port to squid. But that means everyone can actually use that port after
someone successfully logged in.

I am using squid 3.5.13 on Debian 8.

Some hints would be awesome. Thanks in advance guys :)

Kind regards,

Chris
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Amos Jeffries
On 14/01/2016 4:28 a.m., Kinkie wrote:
> Hi,
>I see that there is no -I/usr/local/include option to the compiler.
> 
> Add that as CPPFLAGS when calling configure
> (e.g.
> CPPFLAGS=-I/usr/local/include ./configure
> )
> this should fix the build for you.

ITYM: --with-nettle=/usr/local/include

Amos



Re: [squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Amos Jeffries
On 14/01/2016 5:23 a.m., Odhiambo Washington wrote:
> [root@mail /usr/home/wash/ILI/Squid/4.x/squid-4.0.4]# make
> Making all in compat
> depbase=`echo eui64_aton.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh
> ../libtool  --tag=CC--mode=compile gcc -DHAVE_CONFIG_H-I..
> -I../include  -I../lib -I../src  -I../include  -I/usr/include
>  -I/usr/include  -I../libltdl -I/usr/include -I/usr/local/include/libxml2
>  -Werror -Qunused-arguments  -D_REENTRANT  -MT eui64_aton.lo -MD -MP -MF
> $depbase.Tpo -c -o eui64_aton.lo eui64_aton.c && mv -f $depbase.Tpo
> $depbase.Plo
> libtool: compile:  gcc -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
> -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
> eui64_aton.lo -MD -MP -MF .deps/eui64_aton.Tpo -c eui64_aton.c  -fPIC -DPIC
> -o .libs/eui64_aton.o
> gcc: error: unrecognized command line option '-Qunused-arguments'
> *** Error code 1

That's building C code with GCC all of a sudden with the clang option
set. It was doing C++ code with clang in your earlier trace. The
compilers for FreeBSD should be (clang and clang++) as a pair or (gcc
and g++) as a pair. They cannot be cross-paired like (gcc and clang++).

Amos



Re: [squid-users] Testing Kerberos and LDAP connections

2016-01-13 Thread Amos Jeffries
On 14/01/2016 4:36 a.m., dol...@ihcrc.org wrote:
> Is there a way to test the following lines from my squid.conf file to make 
> sure the connections are working correctly?
> 
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm 
> /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
> --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos 
> /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
> --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> 
> ### provide basic authentication via ldap for clients not authenticated via 
> kerberos/ntlm
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
> "dc=ihcrc,dc=org" -D sq...@ihcrc.org -W /etc/squid3/ldappass.txt -f 
> sAMAccountName=%s -h srv-dataserver2.ihcrc.org
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 
> When I run them at the command line, minus the statements from Children
> down, I just get a huge printout of some man pages.  I'm trying to identify
> why I can't get AD authentication to work correctly on my Squid server, so
> I'm trying to test each area of the squid.conf file independently.
> 

They do not work. The --* parameters you are passing to ntlm_smb_lm_auth
are actually parameters for the Samba ntlm_auth helper. If you need NTLM
then you should install that Samba helper and use it instead.


FYI: ntlm_smb_lm_auth is the Squid bundled helper for doing SMB LanMan
authentication. That's a form of auth for Microsoft Network (circa
1970-1980's) with terrible encryption.
SMB LM crypto is so weak/bad that the Squid helper is actually
decrypting it in realtime to extract the user:password and translating
them into Basic auth queries against your AD servers. Ironically Basic
auth is more secure.
 *** Any software which works with this helper is *very* insecure.

Amos



[squid-users] Squid config is failing to cache data

2016-01-13 Thread Hardik Dangar
Hi all,

I handle a small network and we have 40 systems (most having Ubuntu 14.04
and a couple of systems have Windows). We use squid to cache. Due to the
country where I live there are huge data charges, so I am using squid to
cache things like Ubuntu updates and certain applications.

The issue I have is that my squid configuration is failing to cache Ubuntu
updates, mostly Debian packages. I see the following status codes frequently in
my squid log file:
TCP_REFRESH_UNMODIFIED/304
TCP_REFRESH_UNMODIFIED/200
TCP_REFRESH_MODIFIED/200

which confuses me, as I know only a few options like
TCP_HIT/TCP_MEM_HIT/TCP_MISS, and searching about them explains that I
might have my squid_patterns wrong or the data might be changing. But the
problem is I have set up a schedule so two systems update on Tuesday and then
on Wednesday all systems update. Yet I see lots of data with status
TCP_REFRESH_UNMODIFIED/200 or TCP_REFRESH_UNMODIFIED/304. Most clients
get about 40% to 50% cache. I could totally understand if the updates were
there, but I get stumped when TCP_REFRESH_UNMODIFIED/200 happens.

I also noticed TCP_REFRESH_UNMODIFIED/200 happens for the Google Chrome Debian
package regularly even though the same file was downloaded the previous day by some
clients. I see entries of TCP_REFRESH_UNMODIFIED/200 or TCP_MISS/200 or
TCP_REFRESH_MODIFIED/200. I have the entry in my configuration file for the
deb.google URL like:
refresh_pattern dl.google.com/.*\.(deb) 129600 100% 129600 reload-into-ims ignore-reload override-expire override-lastmod ignore-no-store ignore-private ignore-must-revalidate

Can anyone help me with this issue? Is this normal? Or is there an issue
in my squid config? I have attached my squid config and some sample log
which confuses me.

My squid version is 3.3.8. For detailed options and the squid config file I have
pasted the content of both at (operating system is Ubuntu 14.04.3 LTS
"trusty"):
http://pastebin.com/raw/mEjZ24KT


My squid access.log file sample is available at,
http://pastebin.com/raw/A6kyksY8


Thanks.


Re: [squid-users] Authorization in a different way

2016-01-13 Thread Amos Jeffries
On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
> Hey guys,
> 
> I need a way to authenticate or authorize users to my squid server so
> I can create some kind of a session and drop users after x hours they
> have been using my proxy. The important thing would be to create only one
> session per user. I do not have access to the users' network. They are
> connecting from the internet and they also have NATed IPs. I thought
> about the classic way with HTTP headers but I ran into problems with
> some devices, so that's useless for me. Using the IP address is also
> not possible because it would authorize a lot of people at once if they
> are behind a NAT. That's not what I want. I can only add a proxy
> address and a port to the devices which are connecting. Right now I am
> using a unique port for every user, then redirect the port to a
> splash screen with a login form. When login is successful it
> triggers an iptables script which redirects that port to squid. But
> that means everyone can actually use that port after someone
> successfully logged in.

Then your iptables script is redirecting wrong. It should only add rules
to redirect a specific src-IP / dst-port pair.

> 
> I am using squid 3.5.13 on Debian 8.
> 
> Some hints would be awesome. Thanks in advance guys :)
> 

Use the ext_session_acl helper or ext_session_sql_acl helper with "user"
login as the session key / helper format.

If you were using HTTP authentication the key would be %LOGIN. Since you
are not it will be whatever you are using to identify the "user" within
Squid.

Amos
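Amos's suggestion, worked through as an added example (my code, not the thread's and not Squid's bundled ext_session_acl): a minimal external ACL helper that keys sessions on whatever token identifies the user, keeps at most one session per key, and expires it a fixed number of hours after LOGIN rather than on idle time. Assumptions: the external_acl_type line protocol (key in, `OK`/`ERR` out, a leading channel id only when `concurrency=` is set), the active-mode `LOGIN`/`LOGOUT` convention of ext_session_acl, and, for the per-user-port setup in the question, `%MYPORT` as the key format.

```python
import sys
import time
from typing import Dict, Optional


class SessionTable:
    """At most one session per key, valid for max_age seconds after LOGIN.
    The limit is absolute, not idle-based: activity never extends a session."""

    def __init__(self, max_age: float) -> None:
        self.max_age = max_age
        self.started: Dict[str, float] = {}

    def login(self, key: str, now: float) -> None:
        self.started[key] = now          # a new LOGIN replaces any earlier session

    def logout(self, key: str) -> None:
        self.started.pop(key, None)

    def active(self, key: str, now: float) -> bool:
        t = self.started.get(key)
        if t is None:
            return False
        if now - t >= self.max_age:
            del self.started[key]        # expired: forget it, the next request gets ERR
            return False
        return True


def handle_line(table: SessionTable, line: str, now: float, concurrent: bool = False) -> str:
    """One external ACL request line in, one reply line out.

    Request: "[channel-id] <key> [LOGIN|LOGOUT]" (channel-id only with concurrency=N)
    Reply:   "[channel-id] OK" | "[channel-id] ERR message=..." | "BH message=..."
    """
    fields = line.split()
    channel: Optional[str] = fields.pop(0) if concurrent and fields else None
    if not fields:
        verdict = "BH message=missing_key"        # helper-side failure, not a denial
    else:
        key, cmd = fields[0], (fields[1].upper() if len(fields) > 1 else "")
        if cmd == "LOGIN":
            table.login(key, now)
            verdict = "OK"
        elif cmd == "LOGOUT":
            table.logout(key)
            verdict = "OK"
        elif table.active(key, now):
            verdict = "OK"
        else:
            verdict = "ERR message=session_required"   # deny; Squid can send the client to the login form
    return f"{channel} {verdict}" if channel else verdict


def main() -> None:
    hours = float(sys.argv[1]) if len(sys.argv) > 1 else 8.0    # session cap in hours
    table = SessionTable(max_age=hours * 3600)
    for line in sys.stdin:                    # Squid sends one request per line
        print(handle_line(table, line, time.time()), flush=True)


if __name__ == "__main__":
    main()
```

Because the key is the token Squid hands the helper, a client whose IP changes mid-session keeps its session as long as the token (here the per-user port) stays the same.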



Re: [squid-users] Testing Kerberos and LDAP connections

2016-01-13 Thread dolson
If I remove the NTLM and Kerberos authentication, is there a way to test the 
basic LDAP authentication in the script from the command line?



[squid-users] V3.5.12 SSL Bumping Issue with one Website

2016-01-13 Thread squid


Hello together,

I am using Squid 3.5.12 with Kerberos Authentication only and ClamAV  
on Debian Jessie.


My proxy is working very nicely, but now I've found an issue with just
one SSL website.


It would be nice to know if others can reproduce this issue.

Target website is: https://www.shop-fonic-mobile.de/

While trying to access this website, a blank page is displayed without
any source code in it.


Cache Log says on each attempt:
Squid 2016/01/13 17:43:43 kid1| Error negotiating SSL on FD 22:  
error:14090086:SSL routines:ssl3_get_server_certificate:certificate  
verify failed (1/-1/0)


Access Log for each attempt:
1452703599.547  0 10.0.0.4 TCP_DENIED/407 4189 CONNECT  
www.shop-fonic-mobile.de:443 - HIER_NONE/- text/html
1452703599.832272 10.0.0.4 TAG_NONE/200 0 CONNECT  
www.shop-fonic-mobile.de:443 MYUSER HIER_NONE/- -
1452703599.888 52 10.0.0.4 TCP_MISS/503 402 GET  
https://www.shop-fonic-mobile.de/ MYUSER HIER_DIRECT/85.158.6.195  
text/html


SSL Bumping generated a valid certificate for this site using my internal CA.

I can reproduce the error only on this website; everything else is
working nicely, and if Squid can't validate an external SSL certificate
it displays an error of course.


I currently fixed it by adding it to my SSL_TrustedSites ACL.


This is my Bump config:

http_port 8080 ssl-bump generate-host-certificates=on  
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/myca.pem

ssl_bump splice localhost
ssl_bump bump all
sslproxy_cert_error allow SSL_TrustedSites
sslproxy_cert_error deny all


Expected behavior of Squid: if Squid can't validate an SSL certificate
then an error should be displayed, as it does on all other sites with
invalid certificates.
But it seems that the first check by squid recognizes the certificate
as valid (otherwise it would display an error), squid generates a
valid cert for the client, and then squid seems to not be able to
validate it at this point again.


The target website's SSL chain is as follows:
CA  <- part of the ca-certificates
-- Intermediate <- not a part of the ca-certificates
-website

So I believe somehow on the initial request squid can validate the
full chain, and as soon as the client receives the generated cert it
can't look up the whole chain because it tries to validate against the
intermediate CA only and has lost the path to the Root CA and fails of
course. Again only the Root CA is known by the system (ca-certificates).


Please let me know if someone can reproduce this Issue.

BTW:
Found another issue in Squid 3.5.12 regarding error messages:
"mailto:; links which are generating an error mail do not work
anymore. Maybe this is related to Kerberos authentication, which maybe
makes the URL-encoded string longer than before. I've found out that
the error is somewhere in the last part of the URL-encoded link.
Couldn't pinpoint it.


Best regards,

Enrico








Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread Amos Jeffries
On 14/01/2016 5:10 a.m., startrekfan wrote:
> It's a debian. But an ubuntu howto will also work with debian.
> Here is the broken link:
> 
> I combined these two instructions:
> http://wiki.squid-cache.org/Features/SslBump
> http://wiki.squid-cache.org/Features/DynamicSslCert
> 
> (The latest stable squid on ubuntu is 3.4)

Nope, the latest Squid on Ubuntu is 3.3. I'm still trying to locate who
to push along to get it back in sync with Debian.

The latest Squid on Debian is 3.5.12 and has undergone a renaming
transition differently from Ubuntu.


To build a useful package for Debian:

* Alter your apt sources.list to point at the stretch or testing
repository. (keep a backup)

* Run:
 + apt-get update
 + apt-get install squid-langpack libssl-dev
 + apt-get build-dep squid
 + apt-get --build source squid

* Replace apt sources.list with your original one

* Run apt-get update

* Edit the debian/rules file in the folder created to add your
--with-openssl rule amongst the other --* build options.

* Edit debian/changelog to alter the version number from "3.5.12-1" to
"3.5.12-1foo1"


* Run dpkg-buildpackage

* Run "dpkg --install ..." for the *foo1 squid-common and squid packages
produced.
 - listing them in that order for dpkg command line is important.

Squid should now be installed with OpenSSL support and all appropriate
Debian integration.

Amos



Re: [squid-users] Testing Kerberos and LDAP connections

2016-01-13 Thread Amos Jeffries
On 14/01/2016 6:11 a.m., dolson wrote:
> If I remove the NTLM and Kerberos authentication, is there a way to test the 
> basic LDAP authentication in the script from the command line?
> 

Huh? None of these are scripts.

Amos



Re: [squid-users] Authorization in a different way

2016-01-13 Thread Christian Kunkel
Hey Amos,

Maybe my English is too bad or maybe I am just not getting it. I can not use
any kind of IP as authentication or authorization, first of all because of NAT
and second because the IP of a user changes depending on his location
(mobile network).

My understanding of ext_session_acl is or was that it uses an IP to create the
session?! So if the IP changes the session is dropped (can happen every 5 min or,
when I am lucky, the IP does not change for a couple of hours).
