Re: [squid-users] ICAP and Allow 204 Header
On 01/25/2016 10:28 AM, Gilles Bardouillet wrote:
> I'm using SQUID with CAS ICAP Server but I have one issue :
>
> * for some images, squid receives icap error as ICAP_ERR_OTHER

It may be useful to know more details about that ICAP error. What ICAP
response, if any, does Squid receive when it generates ICAP_ERR_OTHER?

> * I noticed that for all these errors, Squid doesn't send the HTTP header
> Allows 204

Allow:204 is not an HTTP header field. It is an ICAP header field.

> * I read the code and find the Allow 204 header _is only set when
> preview is enabled_.

Are you sure? Several factors affect ICAP Allow:204 request header
presence. Preview availability should not be one of them because
Allow:204 is about 204 responses _outside_ of Preview. See RFC 3507
Section 4.6.

> My icap conf activated preview and preview size as follow :
> icap_preview_enable on
> icap_preview_size 1024

IIRC, Squid ignores icap_preview_size in squid.conf (a bug). The ICAP
service OPTIONS response determines the Preview size (subject to an
internal limit of 64KB).

> I read that the preview size value can be overwritten by OPTIONS
> requests, so can you give me some details, hints in order to find why some
> pictures don't offer preview and then fail ?

See RFC 3507 Section 4.5 for details on how Preview is negotiated. If
you think Squid violates the ICAP protocol, please file a bug report
with the corresponding capture of ICAP messages (from and to Squid).

As for ICAP 204 outside of Preview, I believe Squid can offer to support
that ICAP response if all of the checks below are successful:

* the origin server OPTIONS response includes Allow:204;
* the message content length is known at the ICAP request time; and
* the message content length does not exceed 64KB.

If you prefer to analyze the code, see
Adaptation::Icap::ModXact::shouldAllow204() and
Adaptation::Icap::ModXact::canBackupEverything().

HTH,

Alex.
___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
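The reply above describes how Squid decides whether to offer Allow:204 outside of Preview (the OPTIONS response must list 204, the message length must be known, and it must not exceed the 64KB internal limit) and that the Preview size comes from the OPTIONS response, not squid.conf. The following is an added example written for this page, not Squid's own code: it parses a constructed ICAP OPTIONS response and reports which of those checks fail for a given message length, which is the kind of triage a reader chasing ICAP_ERR_OTHER would want. The OPTIONS response, the service name, and the exact 65536-byte value of the limit are assumptions.

```python
# Added example (not Squid's code): parse an ICAP OPTIONS response and apply the
# three checks from the reply for offering "Allow: 204" outside of Preview.
# The OPTIONS response is constructed; the 64KB figure is the internal Squid
# limit quoted in the reply (assumed here to be exactly 65536 bytes).

BACKUP_LIMIT = 64 * 1024

# Constructed ICAP OPTIONS response from a hypothetical RESPMOD service.
SAMPLE_OPTIONS = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "Service: example-icap/1.0\r\n"
    "ISTag: \"W3E4R7U9-L2E4-2\"\r\n"
    "Allow: 204\r\n"
    "Preview: 1024\r\n"
    "Options-TTL: 3600\r\n"
    "\r\n"
)


def parse_icap_head(raw):
    """Return (status_code, headers) for an ICAP response head.

    Header names are lower-cased; a duplicated name keeps the last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def negotiated_preview_size(headers):
    """Preview size the service requested (RFC 3507 section 4.5), capped at the
    64KB internal limit; None when the service does not advertise Preview."""
    value = headers.get("preview")
    if value is None:
        return None
    return min(int(value), BACKUP_LIMIT)


def service_allows_204(headers):
    """True when the OPTIONS Allow header lists 204 (RFC 3507 section 4.6)."""
    tokens = [t.strip() for t in headers.get("allow", "").split(",")]
    return "204" in tokens


def why_not_204(headers, content_length):
    """List the failed checks for offering Allow: 204 outside Preview
    (an empty list means all three checks pass). content_length is None when
    the HTTP message length is not known at ICAP request time."""
    reasons = []
    if not service_allows_204(headers):
        reasons.append("OPTIONS response does not list Allow: 204")
    if content_length is None:
        reasons.append("message content length unknown at ICAP request time")
    elif content_length > BACKUP_LIMIT:
        reasons.append("message content length %d exceeds %d bytes"
                       % (content_length, BACKUP_LIMIT))
    return reasons


def should_offer_allow_204(headers, content_length):
    return not why_not_204(headers, content_length)


if __name__ == "__main__":
    code, hdrs = parse_icap_head(SAMPLE_OPTIONS)
    print("OPTIONS status:", code, "preview:", negotiated_preview_size(hdrs))
    for length in (2048, None, 70000):
        print(length, why_not_204(hdrs, length) or "offer Allow: 204")
```

Feed it the OPTIONS response captured from the real ICAP service (the capture Alex asks for) in place of SAMPLE_OPTIONS, and the content length from the HTTP response, to see which condition rules out a 204 for a particular image.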
[squid-users] ICAP and Allow 204 Header
Hi,

I'm using SQUID with CAS ICAP Server but I have one issue :

* for some images, squid receives icap error as ICAP_ERR_OTHER
* I noticed that for all these errors, Squid doesn't send the HTTP header Allows 204
* I read the code and find the Allow 204 header _is only set when preview is enabled_.

My icap conf activated preview and preview size as follow :

icap_preview_enable on
icap_preview_size 1024

I read that the preview size value can be overwritten by OPTIONS requests, so can you give me some details, hints in order to find why some pictures don't offer preview and then fail ?

Thanks,
Gilles.
Re: [squid-users] squid 3.1 ldap authentication
Hi All,

I'm running squid 3.5.12, I'm using ldap for authentication. When trying to browse the internet from clients it takes up to 10 minutes for the website to load. Can you please assist me in troubleshooting what the issue is? Below is my squid.conf file.

cache_mem 1048 MB
cache_log /usr/local/squid1/var/logs/cache.log
cache_swap_high 95
cache_swap_low 90
dns_nameservers x.x.x.x
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src x.x.x.x.0/24
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
## Ports to allow:
acl Safe_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 8080
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
## CONNECT method:
#acl CONNECT method CONNECT
## LDAP Authentication ##
auth_param basic program /usr/local/squid1/libexec/basic_ldap_auth -b "dc=ldap,dc=corp,dc=domain,dc=com" -f "uid=%s" ldapserv.corp.domain.com
auth_param basic children 5
#auth_param basic realm Web-Proxy
auth_param basic credentialsttl 30 minutes
acl ldap-auth proxy_auth REQUIRED
## Visible Hostname ##
visible_hostname proxy-01
external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com
#external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "ou=groups,dc=mydomain,dc=net" -D "cn=root,dc=mydomain,dc=net" -f "(&(sn=%u) (cn=%a))" -w password -h localhost
#http_access allow ldap-auth
## ACL's for group checking ##
acl yumrepo external ldap_group yumrepo
acl winupdate external ldap_group winupdate
acl network-update external ldap_group network-update
## ACL's for url domains ##
acl rule1 url_regex -i "/usr/local/squid1/etc/allowed/yumrepo/domains"
acl rule2 url_regex -i "/usr/local/squid1/etc/allowed/winupdate/domains"
acl rule3 url_regex -i "/usr/local/squid1/etc/allowed/network-update/domains"
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost
http_access allow rule1 ldap-auth yumrepo
http_access allow rule2 ldap-auth winupdate
http_access allow rule3 ldap-auth network-update
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 8080
# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 1000 MB
cache_dir ufs /var/spool/squid 1000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire override-lastmod ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$ 129600 100% 129600 override-expire ignore-no-cache ignore-no-store
refresh_pattern . 0 20% 4320
debug_options ALL,1 33,2 28,9

On Wed, Oct 7, 2015 at 12:18 PM, nando mendonca wrote:
> Hi,
>
> I have squid 3.1 installed using ldap authent
Re: [squid-users] external acl helpers working with deny_info
Hi Amos,

Thanks for detailed explanation.

For the case #1 in my original post, is it a bug that will get fixed some time?

I was able to get the behavior I want by adding a dummy ACL as follows (after the external ACL line):

acl myacl src all
deny_info ERR_X myacl
http_access deny myacl
http_access deny all

myacl is same as all, but now even after retaining "http_access deny all", it works correctly. With the above, even the "message" that was set in the external acl helper was also properly used in the error page. I am just not sure it is the right way to do it.

Thanks,
Sreenath

On 1/25/16, Amos Jeffries wrote:
> On 25/01/2016 5:18 a.m., Sreenath BH wrote:
>> Hi All,
>>
>> I am trying to validate my understanding of external acl, deny_info
>> and "http_access deny all" interaction.
>>
>> My squid conf has just two rules. First is external ACL helper and
>> then the "deny all" as follows:
>>
>> Case (1)
>> ---
>> external_acl_type my_helper ttl=0 negative_ttl=0 children-max=2 %PATH /usr/local/bin/acl
>> acl AclName external my_helper
>> deny_info 404:ERR_MY_ACL AclName
>> http_access allow AclName
>>
>> http_access deny all
>>
>>
>> I want a default error code of 404 to be returned, along with a custom
>> error message file being sent.
>> My observations are as follows:
>>
>> 1. If my external ACL prints OK, it proceeds with processing.
>> 2. If it prints ERR, instead of using the custom message, it proceeds
>> to next access rule, which is "http_access deny all"
>>
>> When that fails it prints a default 403 message.
>>
>> If I remove "deny all" line it works well.
>
> That is a bug. It should act the same as if the deny all was still there.
>
>
>> Case (2)
>> I tried changing "http_access allow" to "http_access deny" as follows:
>>
>>
>> external_acl_type my_helper ttl=0 negative_ttl=0 children-max=2 %PATH /usr/local/bin/acl
>> acl AclName external my_helper
>> deny_info 404:ERR_MY_ACL AclName
>> http_access deny !AclName
>>
>> http_access deny all
>> --
>>
>> In this case, whenever the acl helpers send "ERR", it prints the
>> correct error message.
>> But now, if it succeeds (prints OK), it goes to next line and fails
>> there, instead of proceeding with further processing.
>>
>> Even in this case, removing the next "deny all" will work correctly.
>>
>> I find it strange that even when external ACL Helper matches and
>> prints OK, because of the way the http_access line is worded, it does
>> not take it as a pass and goes to check next http_access line.
>
> You seem to be confusing the OK/ERR helper protocol codes with HTTP
> pass/reject actions.
>
> * OK is not a "pass" it is a "match"
>
> * the "!" means inversion of the match/mismatch value
>
> So the !AclName means ERR is now a match and OK is a non-match.
>
>
> When the !AclName is a match the request is denied as per your rule and
> using the deny_info details in the rejection message.
>
> When the !AclName is a mis-match it skips and the "deny all" line denies
> the request.
>
> When you remove the "deny all" line the default action for this case #2
> becomes "allow all".
>
>>
>> Is this expected behavior? Or am I missing something?
>
>
> deny_info is the directive tying some specific output to an ACL name.
> Which is to be sent if (and only if) that ACL was used on a "deny" line.
>
> The bug in case #1 is that the last tested ACL is considered to be the
> reason for denial and its action performed when a deny happens. But
> without that explicit "deny all" the last tested was actually your ACL
> test on the "allow" line.
>
> case #2 is expected behaviour.
>
>
> Amos
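The thread above turns on three points Amos makes: a helper's OK is a match rather than a pass, "!" inverts that match, and deny_info output is used only when the ACL it names sits on the deny line that actually fired. The following is an added example written for this page, not code from the thread and not Squid's own implementation. Part 1 is a minimal external ACL helper speaking Squid's line-based helper protocol (one %PATH lookup per line, a reply of OK or ERR with optional key=value pairs such as message=, which deny_info pages can show via %o). Part 2 is a small model of how Squid walks single-ACL http_access lines, so both cases from the thread and Sreenath's dummy-ACL workaround can be traced. The allowed-path policy, the rule tables and the BH reply for an empty request (a Squid 3.4+ helper protocol code) are assumptions; the model covers only one ACL per http_access line, which is all the thread uses.

```python
# Added example, not from this thread and not Squid's own code. Part 1 is a
# minimal external ACL helper speaking Squid's line-based protocol (one request
# per line, reply "OK" or "ERR" with optional key=value pairs such as message=).
# Part 2 models how Squid walks single-ACL http_access lines, following Amos's
# explanation: OK is a match, ERR a non-match, "!" inverts the match, and
# deny_info applies only to the ACL on the deny line that fired. The policy
# and rule tables are constructed for the example.

import sys
from urllib.parse import unquote

# Constructed policy for the helper: %PATH values under these prefixes match.
ALLOWED_PREFIXES = ("/public/", "/downloads/")


def helper_response(request_line, allowed_prefixes=ALLOWED_PREFIXES):
    """Answer one lookup for 'external_acl_type ... %PATH'. Squid URL-encodes
    each format value; the reply line starts with OK (match) or ERR (no match),
    and message= is what %o expands to in the deny_info error page."""
    fields = request_line.strip().split()
    if not fields:
        return "BH message=empty_request"  # BH = helper failure (Squid 3.4+)
    path = unquote(fields[0])
    if any(path.startswith(prefix) for prefix in allowed_prefixes):
        return "OK"
    return 'ERR message="path not permitted by policy"'


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: without concurrency=, Squid sends one line and waits
    for one reply, so flush after every answer."""
    for line in stdin:
        stdout.write(helper_response(line) + "\n")
        stdout.flush()


def evaluate_http_access(rules, acl_results):
    """rules: list of (action, acl_name, negated) for single-ACL http_access
    lines. acl_results: acl_name -> True (helper said OK) / False (ERR); 'all'
    always matches. Returns (action, acl) where acl is None when no line
    matched and the implicit default (opposite of the last line) applied."""
    results = {"all": True}
    results.update(acl_results)
    for action, acl, negated in rules:
        if results.get(acl, False) != negated:
            return action, acl
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def error_page_for(decision, deny_infos):
    """deny_infos: acl_name -> deny_info spec. The custom page is used only
    when the deny line that fired names an ACL with a deny_info entry."""
    action, acl = decision
    if action != "deny":
        return None
    return deny_infos.get(acl, "default 403 page")


# The two configurations from the thread, as rule tables.
CASE1 = [("allow", "AclName", False), ("deny", "all", False)]
CASE2 = [("deny", "AclName", True), ("deny", "all", False)]
# Sreenath's workaround: a dummy "src all" ACL on its own deny line.
WORKAROUND = [("allow", "AclName", False), ("deny", "myacl", False),
              ("deny", "all", False)]
DENY_INFOS = {"AclName": "404:ERR_MY_ACL", "myacl": "ERR_X"}

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--helper":
        serve()  # run as: external_acl_type ... %PATH /path/to/this.py --helper
    for name, rules in (("case1", CASE1), ("case2", CASE2), ("workaround", WORKAROUND)):
        for ok in (True, False):
            d = evaluate_http_access(rules, {"AclName": ok, "myacl": True})
            print(name, "helper OK" if ok else "helper ERR", "->", d,
                  error_page_for(d, DENY_INFOS))
```

Run without arguments to print the outcome table; run with --helper to use it as the program behind external_acl_type. In the model, case 1 with a helper ERR ends on the "deny all" line, so no deny_info applies and the default 403 is shown; the workaround puts the dummy ACL on a deny line of its own, which is why its deny_info page (and the helper's message=) reach the client.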
Re: [squid-users] MS update woes
Hi

Sorry I had redacted some "

auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 20 startup=0 idle=3
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 20 startup=0 idle=3
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
acl localnet src 10.32.80.0/24
acl localnet_auth src 10.32.0.0/14
acl localnet_auth src 10.172.0.0/16
acl localnet_auth src 10.43.200.51/32
acl localnet_guest src 10.172.202.0/24
acl localnet_appproxy src 10.172.203.30/32
acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
acl FTP proto FTP
acl DMZSRV src 10.32.20.110
acl DMZSRV src 10.32.20.111
acl DirectExceptions url_regex -i ^http://(www.|)smh.com.au/business/markets-live/.*
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl SQUIDSPECIAL urlpath_regex ^/squid-internal-static/
acl AuthorizedUsers proxy_auth REQUIRED
acl icp_allowed src 10.32.20.110/32
acl icp_allowed src 10.32.20.111/32
acl icp_allowed src 10.172.203.30/32
acl icp_allowed src 10.172.203.34/32
acl windowsupdate_url url_regex -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl windowsupdate_url url_regex -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl windowsupdate_url url_regex -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl notwindowsupdate_url dstdomain ctldl.windowsupdate.com
http_access allow manager localhost
http_access allow manager icp_allowed
http_access deny manager
http_access allow icp_allowed
http_access allow SQUIDSPECIAL
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localnet_appproxy
http_access deny !localnet_auth
http_access allow localnet_guest sblYBOveride
http_access deny localnet_guest sblMal
http_access deny localnet_guest sblPorn
http_access allow localnet_guest
http_access allow nonAuthSrc
http_access allow nonAuthDom
http_access allow sblYBOveride FTP
http_access allow sblYBOveride AuthorizedUsers
http_access deny sblMal
http_access deny sblPorn
http_access allow FTP
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 8080
cache_mem 40960 MB
cache_mgr operations.mana...@abc.com
cachemgr_passwd abc all
cache_dir aufs /var/spool/squid 55 16 256
always_direct allow FTP
always_direct allow DMZSRV
always_direct allow DirectExceptions
never_direct deny notwindowsupdate_url
never_direct allow !DMZSRV windowsupdate_url
ftp_passive off
ftp_epsv_all off
miss_access allow notwindowsupdate_url
miss_access deny !DMZSRV windowsupdate_url
coredump_dir /var/spool/squid
range_offset_limit 800 MB
maximum_object_size 800 MB
quick_abort_min -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query no-delay
icp_port 0
icp_access allow icp_allowed
icp_access deny all
htcp_port 4827
htcp_access allow icp_allowed
htcp_access deny all
acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
cache deny nonCacheDom
acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
cache deny nonCacheURL
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp allow all
ipcache_size 10240
forwarded_for delete
cache_swap_low 90
cache_swap_high 95
log_icp_queries off
icap_preview_enable on
icap_preview_size 1024
httpd_suppress_version_string on
max_filedesc 8192
delay_pools 1
delay_class 1 1
delay_parameters 1 1310720/26