Re: [squid-users] caching js/css references with parameters, possible squid bug

2016-03-21 Thread Amos Jeffries
On 20/03/2016 12:50 a.m., Waitman Gobble wrote:
> 
> 
> On 2016-03-18 01:00, Amos Jeffries wrote:
> 
>> On 18/03/2016 3:46 a.m., Waitman Gobble wrote:
>>
>>> When a script reference on an HTML page includes a parameter, the script
>>> does not appear to be cached when using squid in accel mode (https).
>>>
>>> For example,
>>> <script src='/wp-includes/js/jquery/jquery.js?ver=1.1.13'>
>>>
>>> jquery.js does not appear to be cached in that case, each page request
>>> hits the origin server with a request for jquery.js. (also seems browser
>>> does not cache, either).
>>
>> How are you determining that?
>>
>> Dynamic content (as signalled by the '?query-string') is expected to
>> revalidate on each use unless that origin has sent explicit cacheability
>> headers. In HTTP/1.1 contact with the origin server is not always a full
>> fetch.
> 
> 
> I was watching HTTP logs on origin server, every page request was also
> creating request for css, js, etc.
> 
> waitman.net - [19/Mar/2016:03:47:04 -0700] "GET
> /wp-content/themes/mh-magazine-lite/style.css?ver=2.1.2 HTTP/1.1" 200
> 38550 "-"
> 
> After removing ?ver from html page, there was initial request:
> 
> waitman.net - [19/Mar/2016:03:50:15 -0700] "GET
> /wp-content/themes/mh-magazine-lite/style.css HTTP/1.1" 200 38550 "-"
> 
> but after that it was served from cache and no more hits on origin.
> 
> Perhaps it was not doing a "full request", but I was looking at the
> content length in the logs, 38550
> 

What you describe appears to be the visible behaviour when the URL
contains a "?" and the reply lacks explicit expiry information.
The requirement that Squid is obeying and its reason for existence is
documented in  paragraph 2.

The current RFC 7230 document lifted that restriction, making it
OPTIONAL simply because the Internet has not broken too badly with very
few implementations (other than Squid) following that requirement.

Current Squid implements it in the form of the default "refresh_pattern
-i (/cgi-bin/|\?) 0 0% 0" rule - which is only used on replies lacking
Expires or Cache-Control headers. You can add a previous rule to handle
WP responses caching times if you like, or comment out that pattern if
you are certain that the situation documented by RFC 2616 is not going
to occur on *any* URL served by your Squid.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
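As an added illustration of the rule Amos describes, not code from Squid or from this thread, here is a small model of the refresh_pattern decision: the first matching rule wins, and the '?' rule is consulted only when the reply carries no Cache-Control or Expires. The Last-Modified age and the WP_ASSET_RULE values are constructed assumptions; the URLs are the ones from the origin log quoted above.

```python
import re
from dataclasses import dataclass


@dataclass
class RefreshPattern:
    """One refresh_pattern line: regex, min (minutes), percent, max (minutes)."""
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = False      # the -i flag

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.regex, url, flags) is not None


# The two rules shipped in squid.conf.default. Order matters: the first
# matching rule is used, so the '?' rule shadows the catch-all '.' rule.
DEFAULT_PATTERNS = [
    RefreshPattern(r"(/cgi-bin/|\?)", 0, 0, 0, ignore_case=True),
    RefreshPattern(r".", 0, 20, 4320),
]

# A site rule placed *before* the defaults for WordPress "?ver=" assets, the
# "previous rule" Amos mentions. Values are constructed, not from the thread.
WP_ASSET_RULE = RefreshPattern(r"\.(css|js)\?ver=", 1440, 20, 10080, ignore_case=True)


def is_fresh(url, headers, age_s, lm_age_s=None, patterns=DEFAULT_PATTERNS):
    """True when the cached reply may be served without contacting the origin.

    headers  : reply headers with lower-case keys; only Cache-Control max-age
               and 'expires_in_s' (an Expires value already converted to
               seconds-from-now by the caller) are looked at
    age_s    : seconds since the reply was stored
    lm_age_s : seconds between the reply's Last-Modified and now, or None
    Follows the order given in squid.conf.documented: explicit expiry, then
    max, then lm-factor, then min.
    """
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    if m:                                  # explicit expiry: refresh_pattern is skipped
        return age_s < int(m.group(1))
    if "expires_in_s" in headers:
        return headers["expires_in_s"] > 0

    rule = next((p for p in patterns if p.matches(url)), None)
    if rule is None:
        return False
    age_min = age_s / 60
    if age_min > rule.max_minutes:          # STALE if age > max
        return False
    if lm_age_s:                            # FRESH if lm-factor < percent, else STALE
        return 100 * age_s / lm_age_s < rule.percent
    return age_min < rule.min_minutes       # FRESH if age < min, else STALE


def demo():
    """The two URLs from the origin log in the thread, one minute after the fetch."""
    base = "http://waitman.net/wp-content/themes/mh-magazine-lite/style.css"
    month = 30 * 24 * 3600                  # constructed Last-Modified age
    return {
        # '?ver=' URL, no cache headers: the '0 0% 0' rule -> revalidate every time
        "query_no_headers": is_fresh(base + "?ver=2.1.2", {}, 60, month),
        # same asset without '?': the '. 0 20% 4320' rule, lm-factor -> served from cache
        "plain_no_headers": is_fresh(base, {}, 60, month),
        # no Last-Modified and no expiry: nothing to base a freshness guess on
        "plain_no_validator": is_fresh(base, {}, 60, None),
        # origin sends Cache-Control: refresh_pattern is not consulted at all
        "query_max_age": is_fresh(base + "?ver=2.1.2", {"cache-control": "max-age=86400"}, 60, month),
        # a site rule ahead of the defaults rescues the '?ver=' asset
        "query_site_rule": is_fresh(base + "?ver=2.1.2", {}, 60, month, [WP_ASSET_RULE] + DEFAULT_PATTERNS),
    }


if __name__ == "__main__":
    for name, fresh in demo().items():
        print(f"{name:20s} {'FRESH' if fresh else 'STALE (revalidate)'}")
```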


Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread Markus Moeller
Hi,

 1) Yes, you should see user@DOMAIN for kerberos authentication, but if you
use -r the @DOMAIN will be removed.

 2) The client in EXTERNAL.COM needs to know where to find the
HTTP/@FATHER.COM principal. I think your trust is not fully set up. You
should see some cross domain TGTs.

Cross Domain SPN Lookups with Active Directory
When Domains are within the same forest, the KDC should consult the GC (Global
Catalog) and provide a referral if the account is in a different domain. If
the account is not in the same forest you would need to define Host Mapping for
the account, unless you are using a forest trust. Then you could define a
Kerberos Forest Search Order.


Markus


"akn ab"  wrote in message 
news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...
Hello Markus,

First of all thank you for your reply, today I'm having a strange issue.
KID1 and KID2 started to authenticate with kerberos correctly without any
modification ...
This is so strange, but I'm very happy, so I started other configurations, but
I have 2 more problems:

1)
On my squid logs, I can see users authenticated correctly, but not the domain
users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported on my logs with "user1" and not in us...@kid1.father.com or
KID1\user1 (for example)
I need to differentiate domains because I'm sending x-authenticated-user to my
proxy peers.
Is it possible with kerberos?

2)
I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM,
so I added it in my krb5.conf like KID1, but kerberos auth fails.
Using your instructions, I captured port 88 during handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.
  

Re: [squid-users] not all lines of access.log contains the username

2016-03-21 Thread Amos Jeffries
On 21/03/2016 11:27 p.m., IT HIA service wrote:
> Hi Amos,
> 
> Some lines of the squid.conf, else which lines can be interesting to
> provide?
> 
> thanks
> 
> 
> ---
> # CONFIG SQUID.CONF V3
> #
> 
> -
> cache_dir ufs /cache 10240 16 256
> 
> access_log /var/log/squid3/access.log
> 
> cache_log /var/log/squid3/cache.log
> 
> debug_options ALL,1 33,2
> ..
> #  TAG: auth_param
> 
> auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
> 
> auth_param basic children 20
> auth_param basic realm PROXYV2013
> auth_param basic credentialsttl 50 second
> 
> #   ACCESS CONTROLS
> #
> 
> -
> 
> acl acl1 proxy_auth REQUIRED
> 
> 
> acl CONNECT method CONNECT
> 
> http_access allow acl1


Any other http_access lines?
Particularly ones above this with "allow" action.

If not, then you will need to change this to:

  http_access deny !acl1

> 
> log_access allow aclname

"log_access" is deprecated. Use ACLs on the access_log directive instead.


> 
> 
> # header_access From deny all
> # header_access Referer deny all
> # header_access Server deny all
> # header_access Link deny all
> 
> logformat squid  %ul %ui %un %ts.%03tu %6tr %>a %Ss/%03Hs % %Sh/% 
> ignore_expect_100 off

If you have a Squid older than 3.2 please upgrade. For newer Squid this
directive is unused.


> coredump_dir /var/spool/squid3
> 
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 10
> 
> store_avg_object_size 10 GB

Um. You only have 10GB of cache_dir total size.
So this means you are storing just one object. That right?

For anything like normal proxy traffic the _avg_ object size does not
need tuning.

> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

Remove the "redirect_program". It is an alias for url_rewrite_program
and that can only be used once.



Amos



Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Vito A. Smaldino
Many thanks, ASAP I will try.

V

2016-03-21 20:01 GMT+01:00 Jason Haar :

> It's really not much more than what I first posted (I can't send my config
> - it's pretty specific to our site - you'll have to figure out the standard
> stuff yourself)
>
> So this will make a squid-3.5 server capable of doing "transparent HTTPS"
> without any fiddling with the transactions. Of course it assumes you
> already know how to redirect port 443 traffic onto your proxy, and know how
> to reconfigure the OS to support that too (ie same as transparent HTTP on
> port 80)
>
> acl BlacklistedHTTPSsites dstdomain
> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert
>  cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on
> dynamic_cert_mem_cache_size=256MB options=ALL
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
It's really not much more than what I first posted (I can't send my config
- it's pretty specific to our site - you'll have to figure out the standard
stuff yourself)

So this will make a squid-3.5 server capable of doing "transparent HTTPS"
without any fiddling with the transactions. Of course it assumes you
already know how to redirect port 443 traffic onto your proxy, and know how
to reconfigure the OS to support that too (ie same as transparent HTTP on
port 80)

acl BlacklistedHTTPSsites dstdomain
"/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert
 cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https


On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <
vitoantonio.smald...@istruzione.it> wrote:

> Hi all,
> great, i'm just searching for this. Jason can you kindly post the whole
> squid.conf?
> Thanks
> V


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Vito A. Smaldino
Hi all,
great, i'm just searching for this. Jason can you kindly post the whole
squid.conf?
Thanks
V

2016-03-20 22:29 GMT+01:00 Jason Haar :

> Hi there
>
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
>
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain
> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
>
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses
>
> I was hoping I wouldn't need ssl-bump at all, but you need squid to be
> running a https_port, and for it to support "intercept", and to do that
> squid insists on "ssl-bump" too - although that seems likely was a
> programmer assumption that didn't include people like me doing mad things
> like this? :-). I'd also guess I don't need 32 children/etc  - 1 would
> suffice as it's never used?
>
> So the end result is that all CONNECT and/or intercept SSL/TLS traffic is
> supported via the proxy, with all TLS security decisions residing on the
> client. I get my logs, and if I want to block some known bad IP address, I
> can: CONNECT causes a 403 HTTP error page and intercept basically ditches
> the tcp/443 connection - which is as good as it gets without getting into
> the wonderful world of real "bump"


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
Yeah I know that, but there are issues with invoking peek: like the host
forgery checks suddenly kick in, and squid starts seeing SSL errors
(probably due to CentOS6 not supporting the newest standards that Chrome
uses) and then squid starts blocking things. That's why I'm sticking to
this simplest case for the moment and avoid the "peek" call


Thanks!

Jason

On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries  wrote:

> On 21/03/2016 10:29 a.m., Jason Haar wrote:
> > Hi there
> >
> > I'm wanting to use tls intercept to just log (well OK, and potentially
> > block) HTTPS sites based on hostnames (from SNI), but have had problems
> > even in peek-and-splice mode. So I'm willing to compromise and instead
> just
> > intercept that traffic, log it, block on IP addresses if need be, and
> don't
> > use ssl-bump beyond that.
> >
> > So far the following seems to work perfectly, can someone confirm this is
> > "supported" - ie that I'm not relying on some bug that might get fixed
> > later? ;-)
> >
>
> It is supported.
>
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M
> 256MB
> > sslcrtd_children 32 startup=15 idle=5
> > acl SSL_https port 443
> > ssl_bump splice SSL_https
> > acl BlacklistedHTTPSsites dstdomain
> > "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> > http_access deny BlacklistedHTTPSsites
> >
> > The "bug" comment comes down to how acl seems to work. I half-expected
> the
> > above not to work - but it does. It would appear squid will treat an
> > intercept's dst IP as the "dns name" as that's all it's got - so
> > "dstdomain" works fine for both CONNECT and intercept IFF the acl
> contains
> > IP addresses
>
> This is because the ssl_bump rules are saying to splice immediately when
> only the pseudo-CONNECT with an IP address is known.
>
> If you use this:
>  ssl_bump peek all
>  ssl_bump splice all
>
> it will peek at the client SNI and server public cert details before
> dropping back to a transparent pass-tru. Then it will have that domain
> and any other non-encrypted details available for logging.
>
> Amos
>





Re: [squid-users] not all lines of access.log contains the username

2016-03-21 Thread Amos Jeffries
On 21/03/2016 9:33 p.m., IT HIA service wrote:
> Hi everybody,
> We make authentication with ncsa (username and password). But in
> access.log, we don't see on each line the username. The IP address of the
> computer is present. But the username appears only with CONNECT ...:443.
> For a GET, the username is not written. In this example, "dupont" is a
> username.
> Is it possible to have the username present for each line in the file
> access.log ?

There will always be some messages arriving without credentials. But if
you configure the proxy correctly those will always be responded to with
a 407.

What does your squid.conf contain?

Amos



Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread akn ab

Hello Markus,

First of all thank you for your reply, today I'm having a strange issue.
KID1 and KID2 started to authenticate with kerberos correctly without any modification ...
This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1)
On my squid logs, I can see users authenticated correctly, but not the domain users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported on my logs with "user1" and not in us...@kid1.father.com or KID1\user1 (for example)
I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.
Is it possible with kerberos?

2)
I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM, so I added it in my krb5.conf like KID1, but kerberos auth fails.
Using your instructions, I captured port 88 during handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.


Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?

Can you get a wireshark capture on your client on port 88 ? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ?

Regards
Markus




"akn ab"  wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
                      -> KID2.FATHER.COM

With the actual configuration, squid negotiated kerberos auth works with only FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate children domains' users.

My krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}

[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM

[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join kerberos auth with FATHER.COM I did:
# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config I have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name. If I use an alias dns name, it does not work).

Now I'm trying to add KID1 and KID2 users to krb auth.
As I said previously, I read some posts but I cannot find the correct configuration to support my forest.
1) Someone says to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit u...@father.com
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me an authentication error of my keytab or a ticketing problem. So I tried:
- kinit u...@kid1.father.com
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many and many hours, I need some advice to complete my configuration.
Is there anyone that could help me?

Many thanks in advance.



[squid-users] not all lines of access.log contains the username

2016-03-21 Thread IT HIA service
 
 
Hi everybody,
We make authentication with ncsa (username and password). But in
access.log, we don't see on each line the username. The IP address of the
computer is present. But the username appears only with CONNECT ...:443.
For a GET, the username is not written. In this example, "dupont" is a
username.
Is it possible to have the username present for each line in the file
access.log ?
 
Thanks for your help
 
1458317105.668 233 192.168.x.x TCP_MISS/200 34859 CONNECT static.xx.fbcdn.net:443 dupont DIRECT/179.60.192.7 -
1458317105.788 322 192.168.x.x TCP_MISS/200 18150 GET http://www.microsoft.com/favicon.ico - DIRECT/23.3.226.30 image/x-icon
1458317104.468 43 192.168.x.x TCP_MISS/200 2089 GET http://c.s-microsoft.com/fr-fr/CMSImages/yellow-arrow.png? - DIRECT/23.215.29.134 image/png
1458317104.476 51 192.168.x.x TCP_MISS/200 3662 GET http://c.s-microsoft.com/fr-fr/CMSImages/Bing.png? - DIRECT/23.215.29.134 image/png
1458317104.477 183 192.168.x.x TCP_MISS/302 606 GET http://www.facebook.com/plugins/like.php? - DIRECT/179.60.192.36 text/html
1458317104.482 55 192.168.x.x TCP_MISS/200 3672 GET http://c.s-microsoft.com/fr-fr/CMSImages/windowsupdate.png? - DIRECT/23.215.29.134 image/png
1458317104.546 117 192.168.x.x TCP_MISS/200 4276 GET http://c.s-microsoft.com/fr-fr/CMSImages/ie.png? - DIRECT/23.215.29.134 image/png



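An added audit script, not from the list and not Squid code, that checks the property Amos states in his reply: every request that arrives without credentials should have been answered with a 407. It also groups logged usernames by the realm after '@', which is what Markus's note about -r stripping @DOMAIN turns on. The log lines are constructed in Squid's native format, modelled on the ones in this post; the client addresses and the KID1 user are placeholders.

```python
from collections import defaultdict

# Constructed lines in Squid's native log format, modelled on the ones in this
# post: timestamp elapsed client code/status bytes method URL user hier/peer type.
LOG_SAMPLE = """\
1458317105.668 233 192.168.0.10 TCP_MISS/200 34859 CONNECT static.xx.fbcdn.net:443 dupont DIRECT/179.60.192.7 -
1458317105.788 322 192.168.0.10 TCP_MISS/200 18150 GET http://www.microsoft.com/favicon.ico - DIRECT/23.3.226.30 image/x-icon
1458317104.468 43 192.168.0.10 TCP_MISS/200 2089 GET http://c.s-microsoft.com/fr-fr/CMSImages/yellow-arrow.png? - DIRECT/23.215.29.134 image/png
1458317104.477 183 192.168.0.10 TCP_MISS/302 606 GET http://www.facebook.com/plugins/like.php? - DIRECT/179.60.192.36 text/html
1458317106.001 2 192.168.0.11 TCP_DENIED/407 3921 GET http://www.microsoft.com/favicon.ico - NONE/- text/html
1458317106.050 140 192.168.0.11 TCP_MISS/200 18150 GET http://www.microsoft.com/favicon.ico dupont DIRECT/23.3.226.30 image/x-icon
1458317107.010 120 192.168.0.12 TCP_MISS/200 800 GET http://intranet.father.com/ user1@KID1.FATHER.COM DIRECT/10.0.0.5 text/html
"""

FIELDS = ("timestamp", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "type")


def parse_native(line):
    """Split one native-format line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    code, _, status = entry["result"].partition("/")
    if not status.isdigit():
        return None
    entry["code"] = code
    entry["status"] = int(status)
    return entry


def unauthenticated_not_challenged(lines):
    """Requests logged with no username that were *not* answered with 407.

    With 'http_access deny !acl1' (acl1 = proxy_auth REQUIRED) ahead of any
    broad allow rule this list should be empty; a non-empty result means an
    earlier allow rule lets traffic through before credentials are checked.
    """
    hits = []
    for line in lines:
        e = parse_native(line)
        if e and e["user"] == "-" and e["status"] != 407:
            hits.append((e["client"], e["method"], e["url"], e["status"]))
    return hits


def users_by_realm(lines):
    """Group logged usernames by the Kerberos realm after '@'.

    Names without a realm land under the key None; with negotiate_kerberos_auth
    -r every name lands there, which is what hides the child domain.
    """
    realms = defaultdict(set)
    for line in lines:
        e = parse_native(line)
        if not e or e["user"] == "-":
            continue
        user, sep, realm = e["user"].partition("@")
        realms[realm.upper() if sep else None].add(user)
    return dict(realms)


if __name__ == "__main__":
    lines = LOG_SAMPLE.splitlines()
    for client, method, url, status in unauthenticated_not_challenged(lines):
        print(f"no credentials, not challenged: {client} {method} {url} -> {status}")
    for realm, users in users_by_realm(lines).items():
        print(f"realm {realm}: {sorted(users)}")
```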


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Amos Jeffries
On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
> 
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
> 
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
> 

It is supported.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain
> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> 
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses

This is because the ssl_bump rules are saying to splice immediately when
only the pseudo-CONNECT with an IP address is known.

If you use this:
 ssl_bump peek all
 ssl_bump splice all

it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-tru. Then it will have that domain
and any other non-encrypted details available for logging.

Amos
