[squid-users] R: Problem with Squid 3.4.4 and NTLM authentication
Hello Amos and thank you!

>> since I upgraded two Squid proxy servers to the Squid-3.4.4 versions, we
>> have some huge bottleneck with authenticated ntlm (old style!) users.
>> If I disable authentication and enable per-ip surf, it works fine.

>From what earlier version?

I did upgrade from the 3.1.8 version (in that ntlm worked fine for us).

>3.4.4 is very outdated version of Squid. Current release is 3.5.12 or
>3.4.14.

OK, we will upgrade to latest 3.4.x!
But why in 3.1.8 NTLM (with the same squid.conf) worked fine?

Thank you again!
Francesco
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Problem with Squid 3.4.4 and NTLM authentication
Hello,

since I upgraded two Squid proxy servers to the Squid-3.4.4 versions, we have some huge bottleneck with authenticated ntlm (old style!) users.
If I disable authentication and enable per-ip surf, it works fine.

Please note that the squid process rises up to 100%.

Here is my auth ntlm configuration:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 200
auth_param basic credentialsttl 2 hours

Perhaps I have to change something?

Thank you,
Francesco
[squid-users] Strange problem with italian educational website
Hello,

I am writing because, with Squid 3.4.4 (I use it in production), I cannot use a website (used in schools!):
http://bandidgstudente.it/it/home-page/

I have lots of server-side errors, and I thought it was a problem with the remote webserver.
If I disable transparent proxy and I NAT the connection, the website works fine!

These are the errors:

Warning: PDOStatement::execute(): SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'indirizzo_ip' cannot be null in /htdocs/public/www/_servizi/database/database_class.php on line 253
[squid-users] R: Squid 100% CPU and possible attack
Hello to everybody and thank you!

By upgrading to squid 3.4.4 the problem solves!
I think there is something on Squid 3.1.8, in conjunction with Dansguardian, that creates some loops the telnetting firewall's LAN ethernet to the 8080 (Dansguardian) port!

Francesco

From: Job
Sent: Monday 26 October 2015 13.49
To: Amos Jeffries; squid-users@lists.squid-cache.org
Subject: R: [squid-users] Squid 100% CPU and possible attack

Hello Amos!

>Something that would cause a machine to make lots of HTTP requests.
>You have provided almost no information about the network, it
>configuration, or uses etc. Having eliminated the usual problem(s) it is
>a waste of time to guess.

I have investigated better about the problem that brings up CPU and Squid process over 100%!
We have this situation: Dansguardian on port 8080 and Squid on port 3128.

The problem appears when telnetting, from LAN, to:
:8080

The Squid process rises, in a few seconds, to 100% and nobody can surf..
I disabled NAT, to make sure it was not a loop of iptables-transparent proxying redirection.

Have you got some suggestions for us?

Thank you again!
Francesco
[squid-users] R: Squid 100% CPU and possible attack
Hello Amos!

>Something that would cause a machine to make lots of HTTP requests.
>You have provided almost no information about the network, it
>configuration, or uses etc. Having eliminated the usual problem(s) it is
>a waste of time to guess.

I have investigated better about the problem that brings up CPU and Squid process over 100%!
We have this situation: Dansguardian on port 8080 and Squid on port 3128.

The problem appears when telnetting, from LAN, to:
:8080

The Squid process rises, in a few seconds, to 100% and nobody can surf..
I disabled NAT, to make sure it was not a loop of iptables-transparent proxying redirection.

Have you got some suggestions for us?

Thank you again!
Francesco
[squid-users] R: Squid 100% CPU and possible attack
Hello Eliezer,

I use Linux CentOS; I think I will study fail2ban.
It seems very very interesting, thank you for the suggestion!

Francesco

From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Eliezer Croitoru [elie...@ngtech.co.il]
Sent: Friday 23 October 2015 1.00
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 100% CPU and possible attack

The simplest way is to use fail2ban.
What OS are you using?
It is possible an attack but it's not 100%.
What you can do is to also disable access using the proxy to this destination IP and address.
100% CPU in many cases is not something odd but you can try fail2ban with a special rule to block this client in the iptables of the machine (if this is a linux..)

Eliezer

On 23/10/2015 00:43, Job wrote:
> Hello,
>
> sometimes, for about half an hour, our Squid becomes unstable and, by typing
> "top -s", Squid is taking the 100% of the CPU.
>
> In Squid's access.log, I see lots of entries like this:
>
> "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
> "Thu";"Oct";"22";"11:45:18";"2015";"19153";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
> "Thu";"Oct";"22";"11:45:18";"2015";"20346";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
> "Thu";"Oct";"22";"11:45:21";"2015";"20391";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
> "Thu";"Oct";"22";"11:45:21";"2015";"19142";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
> "Thu";"Oct";"22";"11:45:22";"2015";"19075";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
>
> There seems to be a possible attack/exploit from an internal machine? It is the
> 192.168.1.250 in the example.
>
> Is there a patch or something to not spread up Squid to the 100% cpu limit
> for these "Attacks"?
>
> Thank you!
> Francesco
[squid-users] R: Squid 100% CPU and possible attack
>>That looks like the side effects of a forwarding loop DoS. Look for the
>>following line in your squid.conf and remove it:
>> via off

Hello Amos!

I do not have via off in my squid.conf, so I think it is set to on, default value.
Otherwise, I redirect outbound http/80 to the internal 8080 on firewall/squid machine.

It seems from a specific client someone tries to pass an exploit to the 8080 port...
What else should I consider?

Thank you again!
Francesco
[squid-users] Squid 100% CPU and possible attack
Hello,

sometimes, for about half an hour, our Squid becomes unstable and, by typing "top -s", Squid is taking the 100% of the CPU.

In Squid's access.log, I see lots of entries like this:

"Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:18";"2015";"19153";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:18";"2015";"20346";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:21";"2015";"20391";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:21";"2015";"19142";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:22";"2015";"19075";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;

There seems to be a possible attack/exploit from an internal machine? It is the 192.168.1.250 in the example.

Is there a patch or something to not spread up Squid to the 100% cpu limit for these "Attacks"?

Thank you!
Francesco
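The access.log lines in this thread share one signature: a single client, a URL that points at port 8080 on 192.168.1.254, and a TCP_MISS/000 result after roughly 20 seconds. The following is an added example, not code from the thread or from the Squid project, that counts that signature per client; the field positions of the custom log format and the assumption that 192.168.1.254 is the proxy host running Dansguardian (8080) and Squid (3128) are inferred from the posts.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: listeners on the proxy host itself (Dansguardian 8080, Squid 3128).
# The thread never states the proxy address; 192.168.1.254 is inferred from the log.
PROXY_LISTENERS = {("192.168.1.254", 8080), ("192.168.1.254", 3128)}

# The first six lines are copied from the post; the last two are constructed.
SAMPLE_LOG = '''\
"Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:18";"2015";"19153";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:18";"2015";"20346";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:21";"2015";"20391";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:21";"2015";"19142";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:22";"2015";"19075";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-;
"Thu";"Oct";"22";"11:45:23";"2015";"112";"192.168.1.77";"TCP_MISS/200";"5120";"GET";"http://www.example.com/index.html";"-";"DIRECT/203.0.113.10";"text/html";
not a log line
'''


def parse_line(line):
    """Split one line of the ';'-separated logformat shown in the post.

    Field positions are inferred from the sample lines (an assumption)."""
    fields = [f.strip('";') for f in line.strip().split('";"')]
    if len(fields) < 13 or not fields[5].isdigit():
        return None  # truncated or foreign line
    return {
        "elapsed_ms": int(fields[5]),
        "client": fields[6],
        "result": fields[7],
        "method": fields[9],
        "url": fields[10],
        "peer": fields[12],
    }


def targets_proxy(url):
    """True when the requested URL points at one of the proxy's own listeners."""
    parts = urlsplit(url)
    try:
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # malformed port in the URL
        return False
    return (parts.hostname, port) in PROXY_LISTENERS


def loop_suspects(lines, min_hits=3):
    """Per client: requests aimed at the proxy itself and how many got no reply."""
    stats = defaultdict(lambda: {"hits": 0, "no_reply": 0, "max_elapsed_ms": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_proxy(rec["url"]):
            continue
        entry = stats[rec["client"]]
        entry["hits"] += 1
        entry["no_reply"] += int(rec["result"].endswith("/000"))  # 000 = no response
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed_ms"])
    return {c: s for c, s in stats.items() if s["hits"] >= min_hits}


if __name__ == "__main__":
    for client, s in loop_suspects(SAMPLE_LOG.splitlines()).items():
        print(client, s)
```

A client reported here is the candidate for the fail2ban or iptables rule suggested in the thread.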
[squid-users] SSL Bump and error 14090086
Hello,

I have only this problem actually, finally interception works.
But in logs, when I access a Https website, I see:

fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
WARNING: ssl_crtd #Hlpr0 exited
2015/10/08 15:42:53 kid1| Too few ssl_crtd processes are running (need 5/100)
2015/10/08 15:42:53 kid1| Starting new helpers
2015/10/08 15:42:53 kid1| helperOpenServers: Starting 5/100 'ssl_crtd' processes
2015/10/08 15:42:53 kid1| "ssl_crtd" helper returned reply.

Grateful for any help!
Francesco
[squid-users] Error on negotiating SSL connection
Hello,

I can intercept SSL Bumped connection actually.
But in squid logs I have this error, and clients display a squid error page.

These are the logs:

fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm (1/-
2015/10/07 12:12:48 kid1| WARNING: ssl_crtd #Hlpr0 exited
2015/10/07 12:12:48 kid1| Too few ssl_crtd processes are running (need 5/100)
2015/10/07 12:12:48 kid1| Starting new helpers
2015/10/07 12:12:48 kid1| helperOpenServers: Starting 5/100 'ssl_crtd' processes

How can I resolve this?

Thank you
Francesco
[squid-users] R: R: SSL Bump and NF getsockopt failed
Hi Amos!

Resolved: in squid.conf I have to write ip:port instead of :port.
As example, 192.168.10.254:3129 works with interception.
Only with :3129 it does not work!

Francesco

From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Job [j...@colliniconsulting.it]
Sent: Monday 5 October 2015 14.06
To: Amos Jeffries; squid-users@lists.squid-cache.org
Subject: [squid-users] R: SSL Bump and NF getsockopt failed

Hello Amos!

>The connection arriving at Squid does not have any NAT records in the
>Squid machine kernel.
>It is mandatory that NAT be done on the Squid machine. Not on some
>remote router (aka CPE "port-forwarding").

The iptables gateway is in the same machine where Squid+SSL bump run.
Our transparent proxy for 80/HTTP works perfectly, but users cannot access to https pages.

By console, if I telnet localhost 3129 (https intercept port), I have no connections, even though in netstat -avn | grep 3129 I have active and listening connections.

Please note I use the REDIRECT --to-port command in iptables.

Where am I wrong?

Thank you!
Francesco
[squid-users] R: Cache_dir NULL
Hello Amos!

>> i was trying the "null" storage module in Squid 3.4.x.
>It does not exist.

Excuse me for my misunderstanding: I was referring to this for the "null module". Is it right?

Can I make Squid proxy only, without caching anything?

Sure, there are few things you can do.

You can use the cache access list to make Squid never cache any response:

cache deny all

With Squid-2.7, Squid-3.1 and later you can also remove all 'cache_dir' options from your squid.conf to avoid having a cache directory.

With Squid-2.4, 2.5, 2.6, and 3.0 you need to use the "null" storage module:

cache_dir null /tmp

Note: a null cache_dir does not disable caching, but it does save you from creating a cache structure if you have disabled caching with cache. The directory (e.g., /tmp) must exist so that squid can chdir to it, unless you also use the coredump_dir option.

To configure Squid for the "null" storage module, specify it on the configure command line:

--enable-storeio=null,...

Thank you!
Francesco
[squid-users] SSL Bump and NF getsockopt failed
Hello,

I have enabled SSL Bump with certificates, I redirect the 443 on the 3129 port of my Squid server but https sites are not accessible anymore and I can see these errors in logs:

ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx

The section regarding SSL Bump in squid.conf is the following:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all

And https traffic, with NAT, goes out with any problems.

Where am I wrong?

Thank you!
Francesco
[squid-users] R: SSL Peek and Splice
Thanks Yuri!

By opening your png image the accessed domain is visible.
So it is possible to block it in https peek and splice mode?

Thank you again!
Francesco

From: squid-users [squid-users-boun...@lists.squid-cache.org] on behalf of Yuri Voinov [yvoi...@gmail.com]
Sent: Thursday 1 October 2015 13.29
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SSL Peek and Splice

01.10.15 17:26, Job wrote:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> I would like to ask you two questions, please:
>
> 1. in this implementation, I have to install the selfmade Certification
> Authority as for SSL Bump?

Yes.

> 2. how can I block domain (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document

Not only by dstdomain, but also with external redirectors:
http://i.imgur.com/nXOtDPX.png

>
> Thank you for your patience and many thanks!
>
> Francesco
[squid-users] SSL Peek and Splice
Hello,

by reading the 3.5 Squid version "Peek and splice" features:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

I would like to ask you two questions, please:

1. in this implementation, I have to install the selfmade Certification Authority as for SSL Bump?
2. how can I block domain (dstdomain with squid) with Peek and Splice? It seems not possible by reading the document

Thank you for your patience and many thanks!

Francesco
[squid-users] R: Blocking hotshield vpn
Hello Yuri!

Only before Squid - using Cisco or something like.
Either Cisco acl's, or NBAR protocol discovery.

Is there a way to implement a sort of layer 7 for hotshield vpn (or ultrasurf) working on Linux?

Thank you again!
Francesco
[squid-users] Blocking hotshield vpn
Hello,

is there a way to block Hot Shield VPN with Squid, maybe in conjunction with something else?
I made some tries but it seems very difficult to block with Squid+Iptables.

Thank you, best regards!
Francesco
[squid-users] Problem with Squid 3.4 and transparent SSL proxy
Hello,

I initialize correctly SSL Bump with Squid 3.4.4, following some guides.
In iptables I redirect 80 and 443 ports to squid ports.

Squid starts with no error, lines involving SSL bump are the following:

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

But no request arrives to squid.
If I telnet, from Linux machine, this: telnet localhost 3128 or telnet localhost 3129, even though the socket is open (netstat -avn | grep 3128 and 3129), the connection closes immediately.

I see no errors in cache.log, access.log and messages.

Thank you
Francesco
[squid-users] Squid in captive portal and reconfigure
Hello,

integrating squid in a captive portal environment, I have to setup different profiles in order to apply restrictions dynamically.

Does squid -k reconfigure kill active sessions/connections?
I tried when downloading a file, it stops for one/two seconds and then continues download, but I am not sure if sessions are dropped/renewed.

Thank you,
Francesco