Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Garri Djavadyan

On 2016-11-12 07:55, Amos Jeffries wrote:

On 12/11/2016 7:44 a.m., Garri Djavadyan wrote:


2. I added second http_port, ACL for the second http_port and the rule
to use second IP address if connection is for second http_port.
# diff -u etc/squid.conf.default etc/squid.conf
--- etc/squid.conf.default2016-10-28 15:54:53.851704360 +0500
+++ etc/squid.conf2016-11-11 23:18:48.654385840 +0500
@@ -23,6 +23,7 @@
 acl Safe_ports port 591# filemaker
 acl Safe_ports port 777# multiling http
 acl CONNECT method CONNECT
+acl port3129 localport 3129



FYI Garri, "localport" value varies depending on the traffic mode. It is
not necessarily the Squid receiving port.


Yes, you are right. I used it for simplicity's sake and the 
configuration permits it.




'jarret+squid-users' is already using "myportname" ACL which is the
better one to use for this.


I thought the string 'acl ipv4-1 myportname 3128 src 10.99.0.0/24' was 
interpreted as:


acl ipv4-1 myportname "3128 src 10.99.0.0/24"

So, I wrongly assumed that the ACL was not matched. In fact it is
matched. Thanks for pointing out my mistake!



Garri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] NCSA-auth don't work for file contain too many passwords

2016-11-11 Thread Garri Djavadyan

Hi Amos,

Thanks for the comments!

On 2016-11-12 07:48, Amos Jeffries wrote:
>> I can't reproduce the problem using Squid 3.5.22. I used following
>> method to verify the case:
>
> Unfortunately your test uses the 'openssl' tool below instead of
> htpasswd to create the password file. There are some big differences in
> security algorithms each uses to create the password file.

My primary task was to confirm that 20k passwords DB file is not an
issue for Squid.

I used htpasswd-compatible MD5 algorithm (-apr1), it is equivalent to
'htpasswd -m'.

The openssl key -crypt is equivalent to 'htpasswd -d'.
You are right, I missed the specified '-d' flag.

>> 2. Create ncsa passwords db for 20k users.
>> # for i in {1..2}; do echo "user${i}:$(openssl passwd -apr1
>> pass${i})" >> /usr/local/squid35/etc/passwd; done
>
> This test *will* fail when "htpasswd -db" is used to generate the
> password file from those password strings. Notice that the test 'i'
> values of 1+ create passwords like "pass1" which are 9
> characters long.
>
> The htpasswd -d uses DES encryption which has an 8 character limit on
> password length. It will *silently* truncate the password to the first 8
> characters.
>
> Recent basic_ncsa_auth helper versions will detect and reject
> authentication using DES algorithm when password is longer than 8
> characters.

Thanks. I found the relevant commit 11632 [1] and the associated bug
report 3107 [2] discussion.
I have a question, maybe there should be an optional argument which
could be used to permit old behavior? For example, Apache HTTP server
still permits passwords longer than 8 characters.



[1] http://bazaar.launchpad.net/~squid/squid/5/revision/11632
[2] http://bugs.squid-cache.org/show_bug.cgi?id=3107


Garri


Re: [squid-users] Kerberos authentication for squid

2016-11-11 Thread Amos Jeffries
On 11/11/2016 7:50 p.m., Tevfik Ceydeliler wrote:
> Here is the problem,
> 
> When I set my browser proxy configuration as "squiddc1.DOMAIN.grp " and
> then start to browse, I can't see "usern...@domain.grp"  log entry in
> access.log.
> 
> I think it means that kerberos does not work.
> 
> Have you any idea about that?
> 

The first thing that comes to mind is:
  So, what DO you see?

Amos



Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Amos Jeffries
On 12/11/2016 5:51 a.m., jarrett+squid-users wrote:
> Can anyone point out what I'm doing wrong in my config?
> 
> Squid config:
> 
> 
> acl ipv4-1 myportname 3128 src 10.99.0.0/24
> acl ipv4-2 myportname 3129 src 10.99.0.0/24
> acl ipv4-3 myportname 3130 src 10.99.0.0/24
> acl ipv4-4 myportname 3131 src 10.99.0.0/24
> acl ipv4-5 myportname 3132 src 10.99.0.0/24
> acl ipv4-6 myportname 3133 src 10.99.0.0/24
> acl ipv4-7 myportname 3134 src 10.99.0.0/24
> acl ipv4-8 myportname 3135 src 10.99.0.0/24
> acl ipv4-9 myportname 3136 src 10.99.0.0/24
> acl ipv4-10 myportname 3137 src 10.99.0.0/24

As Garri said these ACLs contain garbage.

There is no http_port line with a name "src" or name "10.99.0.0/24". So
those values are meaningless / useless. They may also be confusing you
about what the ACL matches.

The 31xx values (first) value entry in each ACL will match


> forwarded_for delete

Not great. "forwarded_for transparent" is better.

But this is pointless anyway since your request_header_access
 "All deny all" line below will delete the X-Forwarded-For and Forwarded
headers anyway.


> http_access allow ipv4-1
> http_access allow ipv4-2
> http_access allow ipv4-3
> http_access allow ipv4-4
> http_access allow ipv4-5
> http_access allow ipv4-6
> http_access allow ipv4-7
> http_access allow ipv4-8
> http_access allow ipv4-9
> http_access allow ipv4-10

Due to the mistake mentioned already in the ipv4-* definitions the above
access controls are equivalent to a single line:
 http_access allow all

So none of the below http_access lines do anything. You have an open proxy.

> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny all

IMPORTANT:
 The *below* lines are the basic minimal security rules a proxy needs.
 Your custom rules which are currently configured *above* should be
placed ...


> http_access deny CONNECT !SSL_ports
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny to_localhost

 ... down here.

> http_port 10.99.0.1:3128 name=3128
> http_port 10.99.0.1:3129 name=3129
> http_port 10.99.0.1:3130 name=3130
> http_port 10.99.0.1:3131 name=3131
> http_port 10.99.0.1:3132 name=3132
> http_port 10.99.0.1:3133 name=3133
> http_port 10.99.0.1:3134 name=3134
> http_port 10.99.0.1:3135 name=3135
> http_port 10.99.0.1:3136 name=3136
> http_port 10.99.0.1:3137 name=3137
> refresh_pattern -i (/cgi-bin/|\?) 0   0%  0
> refresh_pattern . 0   20% 4320
> request_header_access Accept allow all
> request_header_access Accept-Charset allow all
> request_header_access Accept-Encoding allow all
> request_header_access Accept-Language allow all
> request_header_access All deny all

NP: "All" is not a header name. It is a special *_header_access value
meaning do this action for *all* headers which do not have their own
named entry here in your config file.

I suggest it is a good idea to put that line last in the config sequence
of request_header_access with a comment to say that's the default action
applied to *all* headers not listed above. Just so it's clear what and
why Squid is doing when strange things happen in your traffic...

... such as logging in with WWW-Authorization and
WWW-Authentication-Info credentials.


> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access Cache-Control allow all
> request_header_access Connection allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Language allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
> request_header_access Cookie deny all
> request_header_access Date allow all
> request_header_access Expires allow all
> request_header_access Host allow all
> request_header_access If-Modified-Since allow all

You should also allow these headers:

 If-Unmodified-Since
 If-None-Match
 If-Match
 If


> request_header_access Last-Modified allow all
> request_header_access Location allow all
> request_header_access Mime-Version allow all
> request_header_access Retry-After allow all
> request_header_access Title allow all
> request_header_access Pragma allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Proxy-Connection allow all

"Proxy-Connection" is an invalid and obsolete header. Squid deletes it
already. You can remove the above line.

> request_header_access User-Agent deny all
> request_header_access WWW-Authenticate allow all 


> tcp_outgoing_address 45.2.xxx.155 ipv4-1
> tcp_outgoing_address 45.2.xxx.156 ipv4-2
> tcp_outgoing_address 45.2.xxx.157 ipv4-3
> tcp_outgoing_address 45.2.xxx.158 ipv4-4
> tcp_outgoing_address 45.2.xxx.159 ipv4-5
> tcp_outgoing_address 45.2.xxx.160 ipv4-6
> tcp_outgoing_address 45.2.xxx.161 ipv4-7
> tcp_outgoing_address 45.2.xxx.162 ipv4-8
> tcp_outgoing_address 45.2.xxx.163 ipv4-9
> 
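A static cross-check for the two problems Amos calls out above (stray tokens in the myportname ACLs that match no http_port name, and custom allow rules placed before the Safe_ports/SSL_ports guards), written as an added example rather than anything from Squid or from the thread; SQUID_CONF is a constructed excerpt of the quoted configuration.

```python
# Constructed excerpt of the poster's squid.conf, reduced to the lines that
# matter for the cross-check (not the full pasted configuration).
SQUID_CONF = """\
acl ipv4-1 myportname 3128 src 10.99.0.0/24
acl ipv4-2 myportname 3129 src 10.99.0.0/24
acl localnet src 10.99.0.0/24
http_access allow ipv4-1
http_access allow ipv4-2
http_access allow localhost
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_port 10.99.0.1:3128 name=3128
http_port 10.99.0.1:3129 name=3129
"""

def _directives(conf):
    """Tokenised non-comment lines of a squid.conf."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts

def port_names(conf):
    """Values given with name= on http_port / https_port lines."""
    names = set()
    for parts in _directives(conf):
        if parts[0] in ("http_port", "https_port"):
            names.update(p[len("name="):] for p in parts[2:] if p.startswith("name="))
    return names

def check_myportname(conf):
    """(acl, value) pairs in myportname ACLs that match no http_port name.
    Squid treats every token after the ACL type as one more value to match,
    so the trailing 'src 10.99.0.0/24' becomes two bogus port names."""
    names = port_names(conf)
    return [(parts[1], v)
            for parts in _directives(conf)
            if parts[0] == "acl" and len(parts) > 3 and parts[2] == "myportname"
            for v in parts[3:] if v not in names]

def allows_before_guards(conf):
    """ACL names on 'http_access allow' lines that precede the first
    'http_access deny' guard using a negated ACL (!Safe_ports, !SSL_ports).
    Squid stops at the first matching http_access line, so such allows
    bypass the guards entirely."""
    early, guard_seen = [], False
    for parts in _directives(conf):
        if parts[:2] == ["http_access", "deny"] and any(p.startswith("!") for p in parts[2:]):
            guard_seen = True
        elif parts[:2] == ["http_access", "allow"] and not guard_seen:
            early.extend(parts[2:])
    return early
```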

Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Amos Jeffries
On 12/11/2016 7:44 a.m., Garri Djavadyan wrote:
> 
> 2. I added second http_port, ACL for the second http_port and the rule
> to use second IP address if connection is for second http_port.
> # diff -u etc/squid.conf.default etc/squid.conf
> --- etc/squid.conf.default2016-10-28 15:54:53.851704360 +0500
> +++ etc/squid.conf2016-11-11 23:18:48.654385840 +0500
> @@ -23,6 +23,7 @@
>  acl Safe_ports port 591# filemaker
>  acl Safe_ports port 777# multiling http
>  acl CONNECT method CONNECT
> +acl port3129 localport 3129
> 

FYI Garri, "localport" value varies depending on the traffic mode. It is
not necessarily the Squid receiving port.

'jarret+squid-users' is already using "myportname" ACL which is the
better one to use for this.

Amos



Re: [squid-users] NCSA-auth don't work for file contain too many passwords

2016-11-11 Thread Amos Jeffries
On 12/11/2016 6:29 a.m., Garri Djavadyan wrote:
> On 2016-11-11 21:05, --Ahmad-- wrote:
>> Hi squid users.
>> I have a problem when I use basic_ncsa auth.
>>
>> The auth works when I have few passwords in the file of auth.
>> As example:
>>
>>
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> auth_param basic children 100
>> http_access allow ncsa_users
>>
>>
>>
>> User like 30 in the file /etc/squid/squid_user is ok.
>>
>> But when I use like 20K passwords ….. squid always gives me wrong pwd.
>>
>> Is there any tuning I need?
>>
>> I’m using squid 3.5.2
>>
>> BTW I use the cmd as ex ——> htpasswd -db /etc/squid/squid_user
>> user1 user1

Ahmad, what do you think "-db" means?

Hint: htpasswd tells you what the 'd' and the 'b' mean.


> 
> Hi Ahmad,
> 
> I can't reproduce the problem using Squid 3.5.22. I used following
> method to verify the case:
> 

Unfortunately your test uses the 'openssl' tool below instead of
htpasswd to create the password file. There are some big differences in
security algorithms each uses to create the password file.

> 
> 2. Create ncsa passwords db for 20k users.
> # for i in {1..2}; do echo "user${i}:$(openssl passwd -apr1
> pass${i})" >> /usr/local/squid35/etc/passwd; done
> 

This test *will* fail when "htpasswd -db" is used to generate the
password file from those password strings. Notice that the test 'i'
values of 1+ create passwords like "pass1" which are 9
characters long.

The htpasswd -d uses DES encryption which has an 8 character limit on
password length. It will *silently* truncate the password to the first 8
characters.

Recent basic_ncsa_auth helper versions will detect and reject
authentication using DES algorithm when password is longer than 8
characters.

NP: users can still log into Squid which were configured with that DES
file, but must only type in the first 8 characters of their password
when doing so.

You need to use the htpasswd -m (MD5) or -s (SHA) options to hash the
passwords. Avoid DES (-d) as much as you can.


> 
> Can you try the method using Squid 3.5.2? If it would fail, can you try
> Squid 3.5.22?
> 

Please do the Squid upgrade anyway since there are many serious security
issues fixed in 3.5 since the .2 release.

Amos

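An audit of the password file format that the 8-character DES limit turns on, as an added example (not Squid's basic_ncsa_auth code and not from the thread): it classifies each htpasswd entry by hash type, lists the users whose entry was made with -d and should be rehashed with -m or -s, verifies a {SHA} entry, and applies the length check Amos describes. SAMPLE_PASSWD is constructed; the DES and $apr1$ hashes in it are placeholders.

```python
import base64
import hashlib
import re

# Constructed sample of an htpasswd file mixing the formats the thread
# discusses: 'htpasswd -d' (traditional DES crypt, 13 chars), '-m'
# (Apache MD5, $apr1$) and '-s' ({SHA}). The DES and $apr1$ values are
# placeholders; the {SHA} value is sha1("password").
SAMPLE_PASSWD = """\
# constructed sample, not a real password file
desuser:abJnggxhB/yWI
md5user:$apr1$x1y2z3w4$ZpqQ0yW9b0tGq6Zq8Z6yP/
shauser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
DES_MAX_PASSWORD_LEN = 8  # traditional crypt(3) ignores everything past 8 chars

def hash_kind(h):
    """Classify one htpasswd hash field by its format."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1"
    if DES_CRYPT.fullmatch(h):
        return "des"
    return "unknown"

def parse_htpasswd(text):
    """Return (user, hash) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        entries.append((user, h))
    return entries

def des_entries(text):
    """Users whose hash was made with 'htpasswd -d': only the first 8
    characters of their password are ever checked, so these are the
    entries to rehash with -m or -s."""
    return [u for u, h in parse_htpasswd(text) if hash_kind(h) == "des"]

def check_sha(h, password):
    """Verify a {SHA} entry: the field is base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return h == "{SHA}" + base64.b64encode(digest).decode()

def des_accepts(password):
    """The check Amos describes in recent basic_ncsa_auth: a password
    longer than 8 characters cannot be what a DES hash encodes, so it
    is rejected outright instead of being silently truncated."""
    return len(password) <= DES_MAX_PASSWORD_LEN
```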


Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Garri Djavadyan

On 2016-11-11 22:28, Antony Stone wrote:
> On Friday 11 November 2016 at 17:51:04,
> jarrett+squid-us...@jarrettgraham.com wrote:
>
>> I'm trying to use ACLs to direct incoming traffic on assigned ports to
>> assigned outgoing addresses.  But, squid uses the first IP address
>> assigned to the interface not listed in the config instead.
>
> See http://lists.squid-cache.org/pipermail/squid-users/2016-October/013270.html
>
> Specifically "IP addressing on the outgoing connections is an operating system
> choice.  Squid does not have any direct control over outgoing connections
> besides their destination IP:port."


Hi,

The following configuration works for me on Linux.

1. I set second /32 IP address for Internet facing interface.
# ip addr show wlp3s0 | fgrep 'inet '
inet 192.168.2.102/24 brd 192.168.2.255 scope global dynamic wlp3s0
inet 192.168.2.108/32 scope global wlp3s0


2. I added second http_port, ACL for the second http_port and the rule 
to use second IP address if connection is for second http_port.

# diff -u etc/squid.conf.default etc/squid.conf
--- etc/squid.conf.default  2016-10-28 15:54:53.851704360 +0500
+++ etc/squid.conf  2016-11-11 23:18:48.654385840 +0500
@@ -23,6 +23,7 @@
 acl Safe_ports port 591# filemaker
 acl Safe_ports port 777# multiling http
 acl CONNECT method CONNECT
+acl port3129 localport 3129

 #
 # Recommended minimum Access Permission configuration:
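Review bot: `acl port3129 localport 3129` keys on the local port of the accepted client connection, which is the listener only in forward-proxy mode; under intercept or tproxy modes it is the original destination port, so the ACL would stop meaning "arrived on the 3129 listener" if the traffic mode changed. `acl port3129 myportname <name>` against a named http_port is the robust form, as Amos notes later in this thread.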
@@ -57,6 +58,7 @@

 # Squid normally listens to port 3128
 http_port 3128
+http_port 3129

 # Uncomment and adjust the following to add a disk cache directory.
 #cache_dir ufs /usr/local/squid35/var/cache/squid 100 16 256
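Review bot: `http_port 3129` carries no `name=` option, so nothing in the config can refer to this listener by name and the only way to select it is the `localport` ACL from the previous hunk; `http_port 3129 name=port3129` would let the ACL become `acl port3129 myportname port3129`. Also, without an address this listener binds every interface, unlike the `10.99.0.1:31xx` lines in the original poster's config.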
@@ -71,3 +73,4 @@
 refresh_pattern ^gopher:   14400%  1440
 refresh_pattern -i (/cgi-bin/|\?) 00%  0
 refresh_pattern .  0   20% 4320
+tcp_outgoing_address 192.168.2.108 port3129
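Review bot: `tcp_outgoing_address 192.168.2.108 port3129` depends on 192.168.2.108 actually being configured on the host (the /32 added in step 1); if that address is missing, Squid cannot bind the outgoing socket to it. Requests that do not match `port3129` get no rule here and keep the OS default source (192.168.2.102 in the tcpdump output), so a comment documenting that fall-through is worth adding beside this line.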


3. I initiated two requests on different http ports:
$ curl -x http://127.0.0.1:3128 -H 'Cache-Control: no-cache' http://mirror.comnet.uz/centos/2/readme.txt > /dev/null
$ curl -x http://127.0.0.1:3129 -H 'Cache-Control: no-cache' http://mirror.comnet.uz/centos/2/readme.txt > /dev/null



4. Using tcpdump I confirmed that the rule is working.
# tcpdump -i wlp3s0 dst host mirror.comnet.uz
...
23:42:02.230713 IP 192.168.2.102.40506 > mirror.comnet.uz.http: Flags 
[P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845937144 ecr 
1281004287], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1

...
23:42:15.166311 IP 192.168.2.108.48575 > mirror.comnet.uz.http: Flags 
[P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845950080 ecr 
1281016928], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1

...


Thanks for attention!

Garri


Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Garri Djavadyan

On 2016-11-11 21:51, jarrett+squid-us...@jarrettgraham.com wrote:
> Can anyone point out what I'm doing wrong in my config?
>
> Squid config:
> https://bpaste.net/show/796dda70860d
>
> I'm trying to use ACLs to direct incoming traffic on assigned ports to
> assigned outgoing addresses.  But, squid uses the first IP address
> assigned to the interface not listed in the config instead.
>
> IP/Ethernet Interface Assignment:
> https://bpaste.net/show/5cf068a4ce9a


Hi,

Your ACLs ipv4-{1..10} are invalid, you combined ACL types 'myportname' 
and 'src' together. I believe you want:


acl ipv4-1 localport 3128
acl ipv4-2 localport 3129
acl ipv4-3 localport 3130
acl ipv4-4 localport 3131
acl ipv4-5 localport 3132
acl ipv4-6 localport 3133
acl ipv4-7 localport 3134
acl ipv4-8 localport 3135
acl ipv4-9 localport 3136
acl ipv4-10 localport 3137

HTH

Garri


Re: [squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread Antony Stone
On Friday 11 November 2016 at 17:51:04, jarrett+squid-us...@jarrettgraham.com 
wrote:

> I'm trying to use ACLs to direct incoming traffic on assigned ports to
> assigned outgoing addresses.  But, squid uses the first IP address
> assigned to the interface not listed in the config instead.

See http://lists.squid-cache.org/pipermail/squid-users/2016-October/013270.html

Specifically "IP addressing on the outgoing connections is an operating system 
choice.  Squid does not have any direct control over outgoing connections 
besides their destination IP:port."


Antony.

-- 
I thought I had type A blood, but it turned out to be a typo.

   Please reply to the list;
 please *don't* CC me.


[squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread jarrett+squid-users
Can anyone point out what I'm doing wrong in my config?

Squid config:
https://bpaste.net/show/796dda70860d

I'm trying to use ACLs to direct incoming traffic on assigned ports to
assigned outgoing addresses.  But, squid uses the first IP address
assigned to the interface not listed in the config instead.

IP/Ethernet Interface Assignment:
https://bpaste.net/show/5cf068a4ce9a

Thanks!

P.S. Sorry for that last message.




[squid-users] TCP Outgoing Address ACL Problem

2016-11-11 Thread jarrett+squid-users
You are not allowed to post to this mailing list, and your message has
been automatically rejected.  If you think that your messages are
being rejected in error, contact the mailing list owner at
squid-users-ow...@lists.squid-cache.org.

--- Begin Message ---
Can anyone point out what I'm doing wrong in my config?

Squid config:
https://bpaste.net/show/796dda70860d

I'm trying to use ACLs to direct incoming traffic on assigned ports to
assigned outgoing addresses.  But, squid uses the first IP address
assigned to the interface not listed in the config instead.

IP/Ethernet Interface Assignment:
https://bpaste.net/show/5cf068a4ce9a

Thanks!

--- End Message ---


[squid-users] NCSA-auth don't work for file contain too many passwords

2016-11-11 Thread --Ahmad--
Hi squid users.
I have a problem when I use basic_ncsa auth.

The auth works when I have few passwords in the file of auth.
As example:


auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
auth_param basic children 100
http_access allow ncsa_users



User like 30 in the file /etc/squid/squid_user is ok.

But when I use like 20K passwords ….. squid always gives me wrong pwd.

Is there any tuning I need?

I’m using squid 3.5.2

BTW I use the cmd as ex ——> htpasswd -db /etc/squid/squid_user user1 user1


cheers 