Re: [squid-users] access_log acls

2018-11-28 Thread Matus UHLAR - fantomas

On 27.11.18 15:04, Marcus Kool wrote:
> 4.5 would be nice.  4.6 would also be nice.

OK, I will rephrase my question: which squid version do you find this in?

> On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:
> > > > On 11/27/18 5:21 AM, Marcus Kool wrote:
> > > > > logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %ha
> > > > > acl src_lb src 10.2.2.254/32
> > > > > acl src_lb src 10.2.2.107/32
> > > > > access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
> > > > > access_log stdio:/local/squid4/logs/access.log   combha !src_lb
> > > > > The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
> > > > > goes to lbaccess.log and all other traffic to access.log,
> > > > > *but* imitating the TCP probe of the LB with a telnet session from
> > > > > 10.2.2.107 to the squid server which is immediately terminated or sends
> > > > > garbage, is logged with transaction-end-before-headers to access.log,
> > > > > not lbaccess.log.
> > > > > Should the above acls send the errors to lbaccess.log?
> >
> > > On 27/11/2018 13:58, Alex Rousskov wrote:
> > > > Yes, src ACLs should work for all transactions associated with to-Squid
> > > > connections, including transaction-end-before-headers errors. If they do
> > > > not work, it is a Squid bug.
> >
> > On 27.11.18 14:42, Marcus Kool wrote:
> > > Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
> > >
> > > Is it serious enough to get a fix in Squid 4?
> >
> > which "squid 4" exactly?



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
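
An added example, not part of the thread and not Squid project code: until the src ACL routing described above is fixed, a post-processing check can pull the entries that landed in access.log even though their client address matches src_lb. The sample lines, the `error:transaction-end-before-headers` URI form and the trailing fields are constructed assumptions; only the leading logformat fields shown in the post are parsed.

```python
import ipaddress
import re

# The src_lb ACL from the post (both entries are /32 hosts).
SRC_LB = [ipaddress.ip_network(n) for n in ("10.2.2.254/32", "10.2.2.107/32")]

# Leading fields of the post's logformat:
#   %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) HTTP/[^"]+" (?P<status>\d+)')

# Constructed sample of access.log content (not taken from the thread).
SAMPLE_ACCESS_LOG = [
    '10.2.2.107 - - [27/Nov/2018:10:21:03 +0100] '
    '"NONE error:transaction-end-before-headers HTTP/0.0" 0 NONE:HIER_NONE -',
    '10.2.2.50 - alice [27/Nov/2018:10:21:04 +0100] '
    '"GET http://example.com/ HTTP/1.1" 200 TCP_MISS:HIER_DIRECT -',
    '10.2.2.254 - - [27/Nov/2018:10:21:05 +0100] '
    '"NONE error:transaction-end-before-headers HTTP/0.0" 0 NONE:HIER_NONE -',
    'garbage without fields',
]

def matches_src_lb(addr):
    """True if addr is one of the addresses listed in the src_lb ACL."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "-" or a malformed address never matches
    return any(ip in net for net in SRC_LB)

def misfiled_entries(access_log_lines):
    """Return ((src, uri) hits, unparsed lines) for an access.log.

    A hit is an entry whose client address matches src_lb, i.e. one the
    "access_log ... combha !src_lb" rule should have kept out of this file.
    """
    hits, unparsed = [], []
    for line in access_log_lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
        elif matches_src_lb(m.group("src")):
            hits.append((m.group("src"), m.group("uri")))
    return hits, unparsed

if __name__ == "__main__":
    for src, uri in misfiled_entries(SAMPLE_ACCESS_LOG)[0]:
        print(f"misfiled: {src} {uri}")
```
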


Re: [squid-users] NCSA Auth doesn't recognize usernames with capital letters

2018-11-28 Thread Amos Jeffries
On 28/11/18 10:28 am, Schokobecher wrote:
> Hello,
> 
> I'm facing a really weird problem at the moment.
> I'm using Squid 4.2 using the default Ubuntu compile options
> (self-compiled) together with the NCSA Basic Auth helper and a passwd
> file generated using "httpasswd -m".
> 
> If I add a user to it that starts with a capital letter (for example
> "Bob") the auth always fails - until "Bob" becomes "bob" inside the
> file, then the auth instantly works... and also for "Bob" since I use an
> ACL like:
> 
> acl bob proxy_auth_regex -i bob
> 
> But the other way around is a no-go.
> 
> Did I miss something here?

Usernames are case sensitive. Your regex may accept insensitive values,
but the rest of the system is mandatory case sensitive.
 [ IME the systems doing UI tend to lower case inputs in order to avoid
security issues and headaches that come with having two logins
"bob" and "Bob" for different users. ]

You can double-check what is going on with a cache.log trace from
"debug_options 11,2 28,8 29,9". The helper itself does not (yet) have
debug output unfortunately so if the issue is inside the OS crypt()
implementation it can be hard to see.

Amos
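
An added example, not part of the thread and not the NCSA helper's code: a small audit of an htpasswd-style file that assumes exact, case-sensitive username comparison as the reply describes. It shows why a login that differs only in case finds no entry, and flags distinct usernames that a case-insensitive `proxy_auth_regex -i` ACL cannot tell apart. The file content and hash strings are constructed placeholders.

```python
from collections import defaultdict

# Constructed passwd content; the hash fields are placeholders, not real hashes.
SAMPLE_PASSWD = """\
Bob:$apr1$CONSTRUCTED$placeholder-hash-1
alice:$apr1$CONSTRUCTED$placeholder-hash-2
bob:$apr1$CONSTRUCTED$placeholder-hash-3
"""

def parse_passwd(text):
    """Parse 'user:hash' lines into a list of (user, hash) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed passwd line: {raw!r}")
        entries.append((user, pw_hash))
    return entries

def lookup(entries, username):
    """Exact (case-sensitive) lookup; returns the stored hash or None."""
    for user, pw_hash in entries:
        if user == username:
            return pw_hash
    return None

def near_misses(entries, username):
    """Stored usernames that differ from the attempted login only by case."""
    folded = username.casefold()
    return sorted(u for u, _ in entries
                  if u != username and u.casefold() == folded)

def case_collisions(entries):
    """Groups of distinct stored usernames that are equal when case is ignored."""
    groups = defaultdict(set)
    for user, _ in entries:
        groups[user.casefold()].add(user)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("BOB found:", lookup(entries, "BOB") is not None)
    print("BOB near misses:", near_misses(entries, "BOB"))
    print("collisions:", case_collisions(entries))
```
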


Re: [squid-users] access_log acls

2018-11-28 Thread Marcus Kool
On Wed, Nov 28, 2018 at 12:24:30PM +0100, Matus UHLAR - fantomas wrote:
> On 27.11.18 15:04, Marcus Kool wrote:
> > 4.5 would be nice.  4.6 would also be nice.
> 
> OK, I will rephrase my question: which squid version do you find this in?

This issue was found in Squid 4.3

> 
> > On 27/11/2018 14:47, Matus UHLAR - fantomas wrote:
> > > > > On 11/27/18 5:21 AM, Marcus Kool wrote:
> > > > > > logformat combha %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs % %Ss:%Sh %>ha
> > > > > > acl src_lb src 10.2.2.254/32
> > > > > > acl src_lb src 10.2.2.107/32
> > > > > > access_log stdio:/local/squid4/logs/lbaccess.log combha src_lb
> > > > > > access_log stdio:/local/squid4/logs/access.log   combha !src_lb
> > > > > > The logging is almost as expected: all HTTP(S) traffic from 10.2.2.107
> > > > > > goes to lbaccess.log and all other traffic to access.log,
> > > > > > *but* imitating the TCP probe of the LB with a telnet session from
> > > > > > 10.2.2.107 to the squid server which is immediately terminated or sends
> > > > > > garbage, is logged with transaction-end-before-headers to access.log,
> > > > > > not lbaccess.log.
> > > > > > Should the above acls send the errors to lbaccess.log?
> > > > 
> > > > > On 27/11/2018 13:58, Alex Rousskov wrote:
> > > > > > Yes, src ACLs should work for all transactions associated with to-Squid
> > > > > > connections, including transaction-end-before-headers errors. If they do
> > > > > > not work, it is a Squid bug.
> > > > 
> > > > On 27.11.18 14:42, Marcus Kool wrote:
> > > > > Thanks, I filed bug 4906: https://bugs.squid-cache.org/show_bug.cgi?id=4906
> > > > 
> > > > Is it serious enough to get a fix in Squid 4?
> > > 
> > > which "squid 4" exactly?


Re: [squid-users] need help with cachemgr

2018-11-28 Thread Alex Rousskov
On 11/28/18 4:59 AM, jmperrote wrote:

> This is the new error that I have when I tried to squidclient via https +
> certificate.

You have many different problems.

Problem 0: You are not responding on the mailing list. Please keep this
thread on the mailing list so that others can benefit from this triage
and so that others can help you.

Problem 1: You seem to ignore errors and warnings that you can fix on
your own. Please fix the ones you can fix before asking for help with
the remaining problems. When asking for help, explain what you think
each remaining warning/error means, and why you cannot fix that problem.
This approach shows that you invest serious effort into making this work
rather than simply abusing the mailing list as a free replacement for a
system administrator.


Problem 2:

> squidclient -vvv --https --cert /soporte/ssl/educacion.crt -h 10.0.0.4 -p 1084 mgr:info

The --cert option specifies a TLS client certificate. Your reverse
proxy, AFAICT, does not use client certificates. Remove that option. See
"man squidclient" for details about each option you use.


Problem 3:

> WARNING: Failed to load Certificate from /soporte/ssl/educacion.crt

I do not know what went wrong here because you have not provided any
relevant information like whether the file is actually there and can be
read by the user squidclient runs as.


Problem 4:

> X.509 TLS handshake ...
> VERIFY DATUM: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expected.
> WARNING: Insecure Connection

Looks self-explanatory to me: Your squidclient does not trust the server
certificate used by your reverse proxy. You may need to either

* use a --trusted-ca option or
* configure your TLS library environment to always trust the CA that
signed the https_port certificate of your reverse proxy.


Problem 5:

> HTTP/1.1 401 Unauthorized
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> WWW-Authenticate: Basic realm=...

Your reverse proxy requires HTTP client authentication. Depending on
your needs, you should either

* adjust your Squid http_access rules to disable authentication for
cache manager requests or
* give a valid username and password to squidclient (search "man
squidclient" manual page for "authentication" and "WWW" to discover the
right options).


Potential problem 6:

This may not be relevant to you, but please note that Squid Cache
Manager does not yet support secure queries when Squid is running in SMP
mode. For details, please see
https://wiki.squid-cache.org/Features/CacheManager#Secure_SMP_reports


HTH,

Alex.