Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-29 Thread akn ab

Many thanks Markus, I solved everything!

Sent: Tuesday, March 22, 2016 at 1:25 AM
From: "Markus Moeller" 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

1) Yes, you should see user@DOMAIN for Kerberos authentication, but if you use -r the @DOMAIN will be removed.

2) The client in EXTERNAL.COM needs to know where to find the HTTP/@FATHER.COM principal. I think your trust is not fully set up. You should see some cross-domain TGTs.

Cross Domain SPN Lookups with Active Directory

When domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define a host mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order.

Markus

"akn ab"  wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...

Hello Markus,

First of all thank you for your reply; today I'm having a strange issue.

KID1 and KID2 started to authenticate with Kerberos correctly without any modification ...

This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1)

On my squid logs, I can see users authenticated correctly, but not the domain the users came from.

For example:

FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1

are reported on my logs as "user1" and not as us...@kid1.father.com or KID1\user1 (for example).

I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.

Is it possible with Kerberos?

2)

I have another domain EXTERNALS.COM with a bidirectional trust with FATHER.COM, so I added it in my krb5.conf like KID1, but Kerberos auth fails.

Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM.

Best Regards.

Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM?

Can you get a wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?

Regards

Markus

"akn ab"  wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem configuring my Squid 3.5.15 with Negotiate Kerberos authentication in my single-forest, multi-domain setup.

My FATHER.COM is a forest with 2 children: KID1 and KID2.

Like this: FATHER.COM -> KID1.FATHER.COM
                      -> KID2.FATHER.COM

With the current configuration, Squid Negotiate Kerberos auth works only with FATHER.COM but not when my users belong to KID1 and KID2.

I read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate child-domain users.

My krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}

KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}

KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}

[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM

[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}

KID2.FATHER.COM = {
   FATHER.COM = .
}

 

To join Kerberos auth with FATHER.COM I did:

# kinit u...@father.com

# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

In my squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users 
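The realm mapping and cross-realm paths that a krb5.conf like the one above encodes, as an added example in Python (not code from the post, from Squid or from MIT krb5): `parse_krb5`, `realm_for_host`, `cross_realm_path` and `undefined_hops` are this example's own names, the embedded configuration is a trimmed copy of the posted one, and the hierarchical fallback is a simplified model of MIT krb5's default behaviour.

```python
"""Added example, not code from the post: parse the [realms], [domain_realm]
and [capaths] sections of a krb5.conf like the one above and answer what the
thread turns on: which realm the proxy's SPN host maps to, which cross-realm
path a client realm takes to reach it, and which hops on that path this
krb5.conf cannot even locate. The hierarchical fallback is a simplified model
of MIT krb5's default walk (up the client realm's DNS-style hierarchy, then
down to the service realm); the embedded config is trimmed to one child.
"""
import re

# Constructed from the krb5.conf in the post (KID2 and second KDCs dropped).
KRB5_CONF = """
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
}

[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM

[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
"""


def parse_krb5(text):
    """Parse krb5.conf's INI-with-braces syntax into nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] lookup the way libkrb5 does it: the exact host first,
    then each parent domain with a leading dot; None when nothing matches."""
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower()
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def cross_realm_path(conf, client_realm, service_realm):
    """Realms traversed from client_realm to service_realm. An explicit
    [capaths] entry wins ('.' = direct trust); otherwise walk the hierarchy.
    None when the realms share no suffix and no capath exists."""
    if client_realm == service_realm:
        return [client_realm]
    via = conf.get("capaths", {}).get(client_realm, {}).get(service_realm)
    if via == ".":
        return [client_realm, service_realm]
    if via is not None:
        return [client_realm, via, service_realm]
    c, s = client_realm.split("."), service_realm.split(".")
    n = 0  # number of trailing labels the two realms share
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:
        return None
    path = [client_realm]
    path += [".".join(c[i:]) for i in range(1, len(c) - n + 1)]  # upwards
    path += [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]  # down
    if path[-1] != service_realm:
        path.append(service_realm)
    return path


def undefined_hops(conf, path):
    """Hops with no [realms] stanza in this krb5.conf; with dns_lookup_kdc
    set to false, as in the post, libkrb5 has no other way to find their KDC."""
    return [r for r in (path or []) if r not in conf.get("realms", {})]
```

For a client realm with no [capaths] entry and only a top-level suffix in common with FATHER.COM, the walk passes through a realm this configuration never defines, which is the kind of gap the capture on port 88 in the thread would surface as a KDC error.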

Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Baselsayeh
Sorry, it seems that http://squid-web-proxy-cache.1019090.n4.nabble.com doesn't
remove posts.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Yuri Voinov

I said exactly: "Cache peer cannot use re-crypting right now".

No matter what you have behind cache_peer.

On 30.03.16 2:40, Baselsayeh wrote:
> Is there a workaround so that I can use cache peer and squid sslbump?
> Isn't stunnel using ssl so that squid doesn't need to re-crypt?


Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Baselsayeh
Is there a workaround so that I can use cache peer and squid sslbump?
Isn't stunnel using ssl so that squid doesn't need to re-crypt?



Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Yuri Voinov

There is no workaround.

On 30.03.16 2:38, Baselsayeh wrote:
> Is there a workaround so that I can use ssl bump with cache peer?


Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Baselsayeh
Is there a workaround so that I can use ssl bump with cache peer?




Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Yuri Voinov

He means something like privoxy.

It is possible to tunnel https.

A similar config is often used to tunnel some proxied connections to Tor
or another ISP or something.

But the thing he requires is not possible. Cache peers do not support
re-crypting right now and, ergo, only splice is possible for cache_peer.

On 30.03.16 2:57, Antony Stone wrote:
> On Tuesday 29 Mar 2016 at 20:11, Baselsayeh wrote:
>
>> My setup is:
>> my PC with Squid (as stunnel client) -> stunnel and proxy (normal non-https)
>
>> I've got these errors:
>> 2- I can't surf any https site
>
> What do you mean by the remote proxy being "normal non https"?
>
> Is that perhaps the reason you can't connect to HTTPS sites?
>
>
> Antony.
>



Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Antony Stone
On Tuesday 29 Mar 2016 at 20:11, Baselsayeh wrote:

> my setup is
> my pc with squid(as stunnel client) -> stunnel and proxy(normal non
> https)

> ive got these errors:
> 2-i cant surf any https site

What do you mean by the remote proxy being "normal non https"?

Is that perhaps the reason you can't connect to HTTPS sites?


Antony.

-- 
"It would appear we have reached the limits of what it is possible to achieve 
with computer technology, although one should be careful with such statements; 
they tend to sound pretty silly in five years."

 - John von Neumann (1949)

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Baselsayeh
And note that I need SSL bumping, not splicing.




[squid-users] ssl + stunnel and cache peer

2016-03-29 Thread Baselsayeh
Hello,
I'm trying to get Squid + stunnel working.
My setup is:

my PC with Squid (as stunnel client) -> stunnel and proxy (normal non-https)
Squid should be bumping the connection.

My config:

https_port 3429 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=200MB cert=/tmp/rootpem.pem key=/rootkey.key
ssl_bump stare step1 all
ssl_bump bump all
sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid/ssl_db/ -M 200MB
#editback
sslcrtd_children 3 startup=1 idle=1

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
cache_peer 192.168.10.101 parent 1238 0 no-query no-digest ssl sslcert=/home/basel/stunnel.pem sslflags=DONT_VERIFY_PEER
never_direct deny step1 step2
never_direct allow all

If I'm connecting to an http host then it's fine, but
I've got these errors:
1- Squid isn't replacing the cert with the one in https_port
2- I can't surf any https site






Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-29 Thread Rafael Akchurin
Hello Olivier,

I really do not know. This also is of great interest to me.
Hopefully knowledgeable people on the list will be able to explain.

Best regards,
Rafael



Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-29 Thread Olivier CALVANO
Hi,

thanks for your answer. I have an entry in generic information.
Must it be removed? But will this not happen again?

regards
olivier

2016-03-29 18:33 GMT+02:00 Rafael Akchurin:

> Hello Olivier,
>
> See if you have credentials cached in the credentials manager in windows.


Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-29 Thread Rafael Akchurin
Hello Olivier,

See if you have credentials cached in the credentials manager in windows.

Best regards,
Rafael



[squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-29 Thread Olivier CALVANO
Hi

We use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
authentication (tested with negotiate_wrapper but the same
problems with ntlm_auth).

That works very well for a time but, without reason, a limited user can't
access the internet and I don't know why.

In the logs, we have:

1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -


I don't know why but all logs have "NONE_ABORTED/000".
Anyone know this error?


If, on the same PC, I change the username, that works! Reconnect with the
old username and the problems start.

regards
Olivier
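The access.log lines above run through a parser, as an added example (not code from the post or from Squid): NONE_ABORTED/000 with 0 bytes means the client closed the connection before Squid delivered any response, and the second field is how many milliseconds the request stayed open before that. The last two sample lines and the user jdoe are constructed for contrast; `parse_native`, `aborted_summary` and `users_only_aborting` are this example's own names.

```python
"""Added example, not from the post: parse Squid native-format access.log
lines like the ones above and summarise the NONE_ABORTED/000 entries. That
tag with status 000 and 0 bytes means the client closed the connection
before Squid delivered any response; the second field is the number of
milliseconds the request stayed open before that happened.
"""
from collections import defaultdict

# Lines 1-4 are the ones from the post; the last two are constructed for
# contrast (a served request by another user, and a 407 challenge that has
# no user name yet).
SAMPLE_LOG = """\
1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267920.101    212 172.16.6.21 TCP_MISS/200 5123 GET http://yahoo.fr/ jdoe HIER_DIRECT/203.0.113.10 text/html
1459267921.455      3 172.16.6.21 TCP_DENIED/407 3921 GET http://yahoo.fr/ - HIER_NONE/- text/html
"""

# Field order of Squid's native log format.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "content_type")


def parse_native(line):
    """One native-format line -> dict, or None if the field count is off."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["timestamp"] = float(entry["timestamp"])
    entry["elapsed_ms"] = int(entry["elapsed_ms"])
    entry["bytes"] = int(entry["bytes"])
    tag, _, status = entry["result"].partition("/")
    entry["result_tag"], entry["status"] = tag, int(status)
    return entry


def parse_log(text):
    return [e for e in map(parse_native, text.splitlines()) if e]


def is_aborted(entry):
    return entry["result_tag"] == "NONE_ABORTED" and entry["status"] == 0


def aborted_summary(entries):
    """Per user: how many requests aborted, from which clients, and the
    longest a request hung (seconds) before the client gave up."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "max_wait_s": 0.0})
    for e in filter(is_aborted, entries):
        row = summary[e["user"]]
        row["count"] += 1
        row["clients"].add(e["client"])
        row["max_wait_s"] = max(row["max_wait_s"], e["elapsed_ms"] / 1000)
    return dict(summary)


def users_only_aborting(entries):
    """Authenticated users none of whose requests ever got a response: the
    pattern in the post, where one account fails while another works."""
    seen, served = set(), set()
    for e in entries:
        if e["user"] == "-":
            continue
        seen.add(e["user"])
        if not is_aborted(e):
            served.add(e["user"])
    return sorted(seen - served)
```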


Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread FredB

> 
> auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f
> "uid=%s"
> -s sub -h 192.168.1.1 acl password
> auth_param basic children 10
> auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK:
> Bitte mit
> den Daten aus diesem Netzwerk anmelden!
> acl password proxy_auth REQUIRED
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off

> http_access allow password -->  http_access allow password !my acl 
> should be here, with the right acl just before



Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread Verwaiser
Hello Fred,
thank you for your help!

Ok, I tried to insert the acl in the auth_param block as you described:

acl pdfdoc dstdomain webgate.ec.europa.eu
http_access allow password !pdfdoc
http_access allow pdfdoc

but no success was shown using the pdf-doc.
Then: testing access to webgate.ec.europa.eu in the browser, squid asked me for a
password as usual.

Here is my squid.conf in its current state (the file w7akt has some addresses for
Novell and for W7 activation):

## Start

acl alle src 0.0.0.0/0.0.0.0
acl w7aktivierung dstdomain "/etc/squid/w7akt"
http_access allow w7aktivierung alle

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain novell.com
acl wuCONNECT dstdomain docs.live.net
acl wuCONNECT dstdomain d.docs.live.net

acl port_443 port 443
http_access allow CONNECT port_443

http_access allow CONNECT wuCONNECT

auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s"
-s sub -h 192.168.1.1 acl password
auth_param basic children 10
auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit
den Daten aus diesem Netzwerk anmelden!
acl password proxy_auth REQUIRED
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
http_access allow password

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 192.168.1.0/23 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl QUERY urlpath_regex cgi-bin \?
no_cache deny query
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

icp_access allow localnet
icp_access deny all

http_port 192.168.1.7:8080

hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
cache_dir ufs /var/cache/squid 100 16 256
logformat combined %>a %ul %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
log_fqdn on
ftp_user sq...@my-domainname.de
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr adm...@my-domainname.de
visible_hostname proxy.my-domainname.de
coredump_dir /var/cache/squid

## End 
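Why the order of the two http_access lines matters, as an added example (not from the thread and not Squid's own code): a simplified model of first-match http_access evaluation run over the ordering tried above and over the ordering with the bypass line first. The evaluation rules are assumptions of this example, stated in its docstring; `ACLS`, `AS_POSTED`, `BYPASS_FIRST`, `http_access` and `decide` are its own names.

```python
"""Added example, not from the thread: a small model of Squid's first-match
http_access evaluation, to show why the order of the two lines tried above
matters. The rules modelled here are a simplification and an assumption of
this example, not a quote of Squid's source: ACLs on a line are tested left
to right and the first non-match ends the line; a proxy_auth ACL never
matches a request without credentials, and when such an ACL is the one that
ended a line Squid stops and sends a 407 challenge instead of going on to
the next line; when no line matches, the result is the opposite of the last
line's action.
"""

# ACL definitions taken from the post (the src/netmask ACLs are left out;
# "all" matches every request).
ACLS = {
    "pdfdoc": ("dstdomain", ["webgate.ec.europa.eu"]),
    "password": ("proxy_auth", ["REQUIRED"]),
    "all": ("all", []),
}

# The order tried in the post, and the order FredB recommended (bypass
# line first, authentication afterwards), each closed by a catch-all deny.
AS_POSTED = [
    ("allow", ["password", "!pdfdoc"]),
    ("allow", ["pdfdoc"]),
    ("deny", ["all"]),
]
BYPASS_FIRST = [
    ("allow", ["pdfdoc"]),
    ("allow", ["password"]),
    ("deny", ["all"]),
]


def acl_matches(acl, request):
    """Match one ACL against a request dict {"host": ..., "user": ...}."""
    kind, args = acl
    if kind == "all":
        return True
    if kind == "dstdomain":
        host = request["host"].lower()
        return any(host == d or host.endswith("." + d) for d in args)
    if kind == "proxy_auth":  # REQUIRED: any authenticated user
        return request.get("user") is not None
    raise ValueError("unsupported acl type: " + kind)


def http_access(rules, acls, request):
    """Return "allow", "deny" or "407" (authentication challenge)."""
    action = "deny"
    for action, terms in rules:
        matched, last = True, None
        for term in terms:
            negated = term.startswith("!")
            last = term.lstrip("!")
            if acl_matches(acls[last], request) == negated:
                matched = False  # first non-match ends the line
                break
        if last and acls[last][0] == "proxy_auth" and request.get("user") is None:
            return "407"  # line ended on an auth ACL with no credentials
        if matched:
            return action
    return "allow" if action == "deny" else "deny"


def decide(host, user=None):
    """Outcome under both orderings for one request (user None = no creds)."""
    req = {"host": host, "user": user}
    return http_access(AS_POSTED, ACLS, req), http_access(BYPASS_FIRST, ACLS, req)
```

With the posted order, an unauthenticated request for webgate.ec.europa.eu hits the `password` ACL first and is challenged before the second line is ever reached; with the bypass line first it is allowed without a prompt, while every other destination is still challenged.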





Re: [squid-users] Squid Log

2016-03-29 Thread Marc Mapplebeck
I'll give that regex a try. Funny though, that's just built on the code
from lightparser.pl; it must be a problem with the stock code as well, the
original 4 entries that were shipped with it are exactly like the one I
posted.

Thanks,


- Marc

-_-_-_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck, MCP/MCDST/MCTS/MCSE/MCDBA/MOS/A+/N+/CNA/CCNA/VCP6-DCV
ProCom Data
T: 800-408-3313 x242
F: 709-256-3031
E: marc.mappleb...@townsuite.com

On Mon, Mar 28, 2016 at 11:27 PM, Amos Jeffries 
wrote:

> On 29/03/2016 2:53 a.m., Marc Mapplebeck wrote:
> > I am currently using squid for our proxy, and recently decided to use
> > WPAD/PAC to also capture HTTPS traffic.  I am having one very annoying
> > issue with lightsquid, and wondering if anybody has any insight.
> >
> > All my lightsquid information looks like the attached image.  It also
> does
> > not consolidate the first part of the domain name(even this would be
> fine,
> > so that I can differentiate HTTPS traffic, as long as subdomains are
> > combined)
> >
> > I have been modifying my lightparser.pl file to consolidate subdomains,
> > however, this is only working for HTTP traffic, as all HTTPS sites are
> > showing the port number like mail.google.ca:443
>
> That is the correct URL for those requests. And no they are not "HTTPS".
> They are tunnels through the proxy to the server and port indicated,
> which may or may not have HTTPS inside them.
> In fact if that is Google software contacting Google servers it is far
> more likely to be SPDY or WebSockets protocol.
>
>
> > The code I am using is:
> > $url =~ s/([a-z]+:\/\/)??.*\.(google\.*)/$2/o;
> >
> > Has anybody found a way around this or even thought about this?  I was
> > thinking of telling squid to not include the port, however, it seems to
> not
> > be working.  Any other suggestions/thoughts?
>
> I suggest you double-check your regex. That pattern contains several
> major mistakes. "??" and "\.*" for starters.
>  
>
> The pattern for matching "google.*" in the domain is:
>   s/^([a-z\-\+]+:\/\/)?([^\/?#:]+)?(google\.[^\/?#:]+)/$3/o
>
> Amos
>
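Both substitutions quoted above run side by side, as an added example (not from the thread and not lightparser.pl's code): the Perl patterns are transcribed to Python's re module, with $2/$3 becoming group references and the /o flag (pattern caching) having no Python equivalent beyond re.compile; the sample URLs and the `host_only` helper are this example's own additions.

```python
"""Added example, not from the thread: the two lightparser.pl substitutions
quoted above, transcribed from Perl to Python's re module so they can be run
side by side on sample URLs.
"""
import re

# Marc's original pattern: "??" makes the scheme group lazy-optional and
# "google\.*" means "google followed by zero or more dots", so it also
# matches inside names such as "googleus..." and truncates them.
ORIGINAL = re.compile(r"([a-z]+://)??.*\.(google\.*)")

# Amos' suggested pattern: an optional scheme, an optional run of leading
# labels, then "google." plus the rest of the host, stopping at / ? # or :.
SUGGESTED = re.compile(r"^([a-z\-\+]+://)?([^/?#:]+)?(google\.[^/?#:]+)")


def consolidate_original(url):
    """Perl: s/([a-z]+:\/\/)??.*\.(google\.*)/$2/o"""
    return ORIGINAL.sub(r"\2", url, count=1)


def consolidate_suggested(url):
    """Perl: s/^([a-z\-\+]+:\/\/)?([^\/?#:]+)?(google\.[^\/?#:]+)/$3/o"""
    return SUGGESTED.sub(r"\3", url, count=1)


def host_only(url):
    """Added helper (not in the thread): apply the suggested pattern and
    also drop the ":port" that a CONNECT tunnel entry carries."""
    return re.sub(r":\d+$", "", consolidate_suggested(url))


# Constructed sample URLs in the shapes Squid logs them: a CONNECT tunnel
# (host:port), a plain-HTTP URL, and a non-Google host that contains "google".
SAMPLES = [
    "mail.google.ca:443",
    "http://www.google.com/search?q=squid",
    "docs.googleusercontent.com:443",
]


def compare(urls=SAMPLES):
    """{url: (result of original pattern, result of suggested pattern)}"""
    return {u: (consolidate_original(u), consolidate_suggested(u)) for u in urls}
```

On the Google hosts both patterns agree; the difference shows on the third sample, which the original pattern rewrites into a host that never existed while the suggested one leaves untouched.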