[squid-users] Squid typo fixes for 4.12

2020-06-30 Thread L . P . H . van Belle
Hai, 
 
Sorry for not pushing this through git.
If you want some typos fixed, here you go.


Fixed typos found by Lintian on Debian Buster.
--- a/src/ssl/crtd_message.cc
+++ b/src/ssl/crtd_message.cc
@@ -206,7 +206,7 @@
 i = map.find(Ssl::CrtdMessage::param_Sign);
 if (i != map.end()) {
 if ((certProperties.signAlgorithm = 
Ssl::certSignAlgorithmId(i->second.c_str())) == Ssl::algSignEnd) {
-error = "Wrong signing algoritm: ";
+error = "Wrong signing algorithm: ";
 error += i->second;
 return false;
 }
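Review bot: the wording change at `-error = "Wrong signing algoritm: ";` touches a user-visible message string; check whether this message has a matching translation entry before merging, because, as Amos notes later in this thread, error messages that carry translation texts stop showing the translation once their wording changes, so any such entry needs the same edit.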
--- a/CREDITS
+++ b/CREDITS
@@ -1631,7 +1631,7 @@
  * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd
  * Released under GPL, see COPYING-2.0 for details.

- * Released under GNU Public License
+ * Released under GNU General Public License
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
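Review bot: the `- * Released under GNU Public License` line should not be edited: the context lines above show it is the third-party author's (Antonino Iannella's) own license statement, not Squid's text, and Amos's reply in this thread points out that such wording cannot be rewritten without the copyright holder's permission ("GNU Public License" was an actual license name at the time). Drop this hunk from the patch.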
--- a/compat/getaddrinfo.cc
+++ b/compat/getaddrinfo.cc
@@ -8,7 +8,7 @@

 /*
  *  Shamelessly duplicated from the fetchmail public sources
- *  for use by the Squid Project under GNU Public License.
+ *  for use by the Squid Project under GNU General Public License.
  *
  * Update/Maintenance History:
  *
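Review bot: same objection as for the CREDITS hunk: `- *  for use by the Squid Project under GNU Public License.` is the license line of code duplicated from fetchmail, so it is not the Squid project's to reword; the identical edits in the getaddrinfo.h, getnameinfo.cc, strnstr.cc and xstrto.cc hunks and in the msntauth.cc header below have the same problem. Drop these hunks and, as the follow-up in this thread suggests, silence the Lintian spelling warning with a Lintian override instead.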
--- a/compat/getaddrinfo.h
+++ b/compat/getaddrinfo.h
@@ -11,7 +11,7 @@

 /*
  *  Shamelessly duplicated from the fetchmail public sources
- *  for use by the Squid Project under GNU Public License.
+ *  for use by the Squid Project under GNU General Public License.
  *
  * Update/Maintenance History:
  *
--- a/compat/getnameinfo.cc
+++ b/compat/getnameinfo.cc
@@ -8,7 +8,7 @@

 /*
  *  Shamelessly duplicated from the fetchmail public sources
- *  for use by the Squid Project under GNU Public License.
+ *  for use by the Squid Project under GNU General Public License.
  *
  * Update/Maintenance History:
  *
--- a/compat/strnstr.cc
+++ b/compat/strnstr.cc
@@ -11,7 +11,7 @@

 /*
  *  Shamelessly duplicated from the FreeBSD public sources
- *  for use by the Squid Project under GNU Public License.
+ *  for use by the Squid Project under GNU General Public License.
  *
  * Update/Maintenance History:
  *
--- a/compat/xstrto.cc
+++ b/compat/xstrto.cc
@@ -11,7 +11,7 @@

 /*
  *  Shamelessly duplicated from the netfilter iptables sources
- *  for use by the Squid Project under GNU Public License.
+ *  for use by the Squid Project under GNU General Public License.
  *
  * Reason for use as explained by Luciano Coelho:
  * "I found that there is a bug in strtoul (and strtoull for
--- a/src/auth/basic/SMB_LM/msntauth.cc
+++ b/src/auth/basic/SMB_LM/msntauth.cc
@@ -21,7 +21,7 @@
  * Bill Welliver 1999
  * Duane Wessels 2000 (wess...@squid-cache.org)
  *
- * Released under GNU Public License
+ * Released under GNU General Public License
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -3247,7 +3247,7 @@
concurrency=

The number of requests each certificate validator helper can handle in
-   parallel. A value of 0 indicates the certficate validator does not
+   parallel. A value of 0 indicates the certificate validator does not
support concurrency. Defaults to 1.

When this directive is set to a value >= 1 then the protocol
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -215,7 +215,7 @@
 if (certs.size() > 1) {
 // NOTE: calling SSL_CTX_use_certificate() repeatedly _replaces_ 
the previous cert details.
 //   so we cannot use it and support multiple server 
certificates with OpenSSL.
-debugs(83, DBG_CRITICAL, "ERROR: OpenSSL does not support multiple 
server certificates. Ignoring addional cert= parameters.");
+debugs(83, DBG_CRITICAL, "ERROR: OpenSSL does not support multiple 
server certificates. Ignoring additional cert= parameters.");
 }

 const auto &keys = certs.front();
--- a/src/security/cert_generators/file/certificate_db.cc
+++ b/src/security/cert_generators/file/certificate_db.cc
@@ -537,7 +537,7 @@
 subSize(filename);
 int ret = remove(filename.c_str());
 if (ret < 0 && errno != ENOENT)
-throw std::runtime_error("Failed to remove certficate file " + 
filename + " from db");
+throw std::runtime_error("Failed to remove certificate file " + 
filename + " from db");
 }

 bool Ssl::CertificateDb::deleteInvalidCertificate() {
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -353,7 +353,7 @@
 filledCheck->serverCert.reset();
 }
 // If the certificate validator is used then we need to allow all 
errors and
-// pass them to certficate validator for more processing
+// pass them to certificate validator for more processing
 else if (Ssl::TheConfig.ssl_crt_validator) {
 

Re: [squid-users] Squid typo fixes for 4.12

2020-07-22 Thread L . P . H . van Belle
Hai, 

Thanks for the info Amos. 

OK, so I need to reverse the Licence/Credits changes due to the licensing.
I'll reverse these and add them to the lintian overrides then. 

On the error message translation text part, should I think of the Squid langpack? 
For now I just used the Debian-supplied package with my own build, because I 
don't really need error messages.
But I'll go through these also when we hit the next update, if it's needed. 

And thank you for the review and pointers, most welcome. :-) 


Greetz, 

Louis


> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Amos Jeffries
> Sent: Wednesday 22 July 2020 5:58
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid typo fixes for 4.12
> 
> On 30/06/20 7:38 pm, L.P.H. van Belle wrote:
> > Hai, 
> >  
> > Sorry for not pushing this through git.
> > If you want some typo fixed, here you go.
> > 
> > 
> > Fixed typo's found by Lintian on Debian Buster.
> > --- a/src/ssl/crtd_message.cc
> > +++ b/src/ssl/crtd_message.cc
> > @@ -206,7 +206,7 @@
> >  i = map.find(Ssl::CrtdMessage::param_Sign);
> >  if (i != map.end()) {
> >  if ((certProperties.signAlgorithm = 
> Ssl::certSignAlgorithmId(i->second.c_str())) == Ssl::algSignEnd) {
> > -error = "Wrong signing algoritm: ";
> > +error = "Wrong signing algorithm: ";
> >  error += i->second;
> >  return false;
> >  }
> > --- a/CREDITS
> > +++ b/CREDITS
> > @@ -1631,7 +1631,7 @@
> >   * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd
> >   * Released under GPL, see COPYING-2.0 for details.
> > 
> > - * Released under GNU Public License
> > + * Released under GNU General Public License
> >   *
> >   * This program is free software; you can redistribute it 
> and/or modify
> >   * it under the terms of the GNU General Public License as 
> published by
> 
> 
> FTR; License text is not subject to trivial re-writing. The 
> third-party
> code being used by Squid was supplied with that particular wording for
> their license description and we must not change it without 
> permission.
> ("GNU Public License" was an actual license back in the dawn of time).
> 
> In absence of contact with the copyright holder we may only 
> replace the
> code wholesale with an updated version from that author where they
> provide a different license text, or a cleanroom implementation from
> someone else.
> 
> 
> The rest of the patch is fine. Though please be aware that some of the
> error messages have translation texts which will be prevented from
> appearing when changed.
> 
> 
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
I would recommend to:
1) use Debian Buster,
2) use Squid 4.12,
3) use Samba (winbind). 
 
Needed in smb.conf (only showing what's really needed; there is more, 
of course): 

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only


apt install winbind krb5-user should be sufficient. 

Samba joins the domain. 
/etc/krb5.keytab contains the default part and refreshes the server Kerberos 
passwords/tickets. 

And for Squid its keytab: 

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

# alias name to keytab
net ads keytab ADD HTTP/CNAME.FQDN 

# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in Squid: 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
    -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM 

Points to think about: 

Server IPs need A + PTR records. 
Use CNAMEs in the DNS, 
and make sure resolving is set up correctly. 

Add a caching DNS to the proxy (and let Squid use it too). 

I had this working (without HAProxy) but with keepalived. 

As far as I can tell, your problem is in how the hostnames and IPs are used, 
but the above might give you ideas. 


Greetz, 


Louis
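
An added example, not part of Louis's post: shell checks for the Squid HTTP keytab he builds above, verifying that every SPN named with `-s` is present in the keytab, flagging SPNs that only carry RC4/DES keys, and confirming the group/mode the chgrp and chmod steps set. The host names, the realm and the `klist -ke` listing are constructed.

```sh
#!/bin/sh
# Added example, not from the mailing-list post: sanity checks for the Squid
# HTTP keytab built with "net ads keytab add_update_ads" above. All host
# names, the realm and the klist listing below are constructed.

# Constructed sample of `klist -ke /etc/squid/HTTP-proxy1.keytab` output.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/squid/HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (arcfour-hmac)
   3 HTTP/proxy.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   2 HTTP/legacy.example.internal@EXAMPLE.INTERNAL (arcfour-hmac)
EOF
)

# Print, space separated, the required principals (the -s values given to
# negotiate_kerberos_auth) that have no entry at all in the listing.
#   $1 = output of klist -ke, $2.. = required principals
keytab_missing_spns() {
    listing=$1
    shift
    missing=""
    for spn in "$@"; do
        # Entry lines look like "   3 HTTP/host@REALM (enctype)".
        if ! printf '%s\n' "$listing" | grep -qF " ${spn} ("; then
            missing="${missing}${spn} "
        fi
    done
    printf '%s' "${missing% }"
}

# Print, one per line and sorted, the principals whose entries are all
# legacy enctypes (no aes* key). Those only keep working while the KDC
# still issues RC4/DES service tickets for them.
keytab_without_aes() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ [^ ]+@[^ ]+ \(/ {
            seen[$2] = 1
            if ($3 ~ /^\(aes/) aes[$2] = 1
        }
        END { for (p in seen) if (!(p in aes)) print p }' | sort
}

# Succeed only if the keytab has the expected numeric group id, is
# group-readable and is not readable by others: the state the chgrp/chmod
# steps above are meant to leave it in.
keytab_perms_ok() {
    file=$1
    want_gid=$2
    mode=$(stat -c '%a' "$file") || return 1
    gid=$(stat -c '%g' "$file") || return 1
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second-to-last octal digit
    [ "$gid" = "$want_gid" ] && [ "$other" = "0" ] && [ $((group & 4)) -ne 0 ]
}

# Demo on the constructed listing. The required SPNs mirror the two -s
# arguments of the auth_param line: the host name and its CNAME alias.
demo_missing=$(keytab_missing_spns "$SAMPLE_KLIST" \
    HTTP/proxy1.example.internal@EXAMPLE.INTERNAL \
    HTTP/proxy.example.internal@EXAMPLE.INTERNAL)
echo "missing SPNs: [${demo_missing}]"
echo "SPNs without an AES key:"
keytab_without_aes "$SAMPLE_KLIST"
# Against a real keytab, as root:
#   keytab_missing_spns "$(klist -ke "$kt")" HTTP/host@REALM HTTP/cname@REALM
#   keytab_perms_ok "$kt" "$(getent group proxy | cut -d: -f3)"
```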


 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
Service MV
Sent: Thursday 23 July 2020 17:36
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication



Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration 
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to which 
by redundancy I configured a virtual IP with the keepalived service. When I 
point my browser to the DNS A record (balancer.mydomain.local) which in turn 
points to the keepalived virtual IP, the authentication stops working:
cache.log no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- 
text/


In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by SQUID is 10.10.8.207, which is the 
physical IP of my VM, instead of the virtual IP configured in HAProxy, which is 
the IP 10.10.8.213.

I send you all the configurations that I have made to see if you can help me to 
find where my configuration error is.

keepalived.conf
global_defs {
     notification_email {
       some.user@mydomain.local
     }
     notification_email_from balancer1@mydomain.local
     smtp_server smtp. mydomain.local 
     smtp_connect_timeout 60
  }

  vrrp_instance VI_1 {
      state MASTER
      interface eth0
      virtual_router_id 101
      priority 101
      advert_int 1
      authentication {
          auth_type PASS
          auth_pass somepass123
      }
      virtual_ipaddress {
          10.10.8.213
      }
  }




haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
timeout connect 5000
timeout client 5
timeout server 5

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

### statistics
listen stats
bind 10.10.8.213:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy?stats
stats auth haproxy:somepass123

### balancer
listen squid
bind 10.10.8.213:3128
  mode h

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
Forgot one thing (sorry): 
# 
adduser proxyuser winbind_priv 

or things might not work. 

 


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
Hai Rafael,

First, thank you for maintaining Diladele; each time I read them, 
I learn something :-) As usual, your manuals look great. 

I have a few suggestions, if I may point these out, just small updates for the 
site. 

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
This part: the krb5.conf should be updated with: 

; for Windows 2008+ with AES support (you might want to remove rc4 and des, 
; it's there for compatibility)
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


https://docs.diladele.com/administrator_guide_stable/active_directory/create_user/index.html
/quote: 
Some tutorials describing integration of Squid with Active Directory rely on 
creating special computer account in AD for the same goal. Unfortunately it 
ties the proxy machine to Active Directory and prevents us from making and 
restoring VM snapshots because the restored snapshot loses the AD join state 
and needs to be rejoined manually.
/quote.

Well, all I can say here is, this works fine for me, but I understand where it's 
coming from. 
As you're pointing out, yes, I did use a "user" account also in the past.
But if samba/winbind is set up correctly with its hostname, and you use CNAMEs 
for the proxy's service name, 
then after a backup/restore of a VM, when samba/winbind starts, winbind handles the 
"computername" keytab and its password.
Squid has its own keytab file and CNAME and is untouched. 

Resulting in: you can restore a VM. I do this on XenServers; I suggest you give it 
a try. 
But note, I don't have HAProxy running (yet), so I can't say anything about that 
part.
The logical parts should be the same (hostname A + PTR and CNAMEs for services). 

The COMPUTER needs A and PTR (this is the real hostname). 
Now you can set up any CNAME SPN for the proxy's "ServiceName". 
You can use either the computer account or a separate account for the Squid 
CNAME-ed SPNs, 
as long as these are findable somewhere in AD. 

You might want to test this; this setup removed the need for ktpass in Windows, 
which was always giving problems on my side. 

And last, if winbind is used and you want to add an automounted homedir with NFS 
or CIFS,
then half of the work is already done. 
It basically only needs: nfs-common nfs4-acl-tools 
And: 
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
And/or 
net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

In the HAProxy setup, well, that's next on my list; 
I saw something I liked and don't have it running yet.  
Learning a lot here. :-) 

Main difference between your setups: I don't have any Windows servers. 
I'm running fully on Samba AD-DCs and member servers, and my client PCs are 
Windows 10. 

I hope I could give you some ideas here and people can use them. 
If you have questions, just ask. 


Greetz, 

Louis



> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Rafael Akchurin
> Sent: Friday 24 July 2020 11:39
> To: Brett Lymn; Klaus Brandl
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 
> 4.11 + Kerberos authentication
> 
> Hello Klaus, Brett, all list members,
> 
> This is the scheme with haproxy and Squid we use all the time 
> in our test lab for Web Safety - we need to constantly 
> add/remove test nodes to the cluster without 
> breaking/changing anything in Kerberos settings for the 
> constantly running client pool - 
> https://docs.diladele.com/administrator_guide_stable/active_di
> rectory_extra/redundancy/haproxy_proxy_protocol.html
> 
> And yes we do *not* use computer account, we use *user* 
> account instead.
> See the reasoning  in the tutorial.
> 
> Best regards,
> Rafael Akchurin
> Diladele B.V.
> 
>   
> 
> -Original Message-
> From: squid-users  
> On Behalf Of Brett Lymn
> Sent: Friday, July 24, 2020 2:23 AM
> To: Klaus Brandl 
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 
> + Kerberos authentication
> 
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > 
> > But if anyone knows a solution, i will spread my ears :)
> > 
> 
> What we do is:
> 
> 1) create a user account in AD that will be used for the HA 
> front end, set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user 
> created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address 
> to the user created in 1
> 
> The SPN (service principal name) tells kerberos to use the 
> user details set up in step 1 to authenticate http requests.  
> This works for us, has be

Re: [squid-users] Squid authentication issues

2020-07-31 Thread L . P . H . van Belle
I use this: 

You need this in smb.conf: 
# Added for freeradius or squid proxy support
# Obligated to set on both AD-DC and Member server.
ntlm auth = mschapv2-and-ntlmv2-only 

And this, or something like it; I have more working auth setups for Squid, 
but I use this primarily. 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab \
    -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Still not working? Try changing the above line to: 
    --ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=NTDOM

But it should not be needed. 

And don't forget to add the HTTP SPN on the member server:
net ads keytab add_update_ads HTTP/proxy1.internal.domain.tld -UAdministrator

Also, A+PTR records are a must for the proxy with Kerberos auth. 


And do remove from smb.conf: 
> winbind enum users = yes
> winbind enum groups = yes
Or set these to no. 

I use that on Debian 10 with now Squid 4.12 (SSL enabled)
(since Debian 8 and Squid 3.x). 
There are more options here, but start with the above.

My setup does, in this order: 
negotiated Kerberos/NTLM auth with LDAP auth as fallback.

Besides these few small points, your setup looks great to me. 


Greetz, 

Louis




From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
On Behalf Of Marcio Demetrio Bacci
Sent: Thursday 30 July 2020 19:37
To: Squid Users
Subject: [squid-users] Squid authentication issues


Hi,

I set up Squid 4.6 on Debian 10 and I'm having problems with browser 
authentication on a Windows station.

I did the tests on the command line and apparently it's OK.

root@proxy:/etc/squid/acls# /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
(16384)
Processing section "[global]"
EMPRESA+mane X
NT_STATUS_OK: The operation completed successfully. (0x0)
OK

Here are my configuration files:

#/ETC/SAMBA/SMB.CONF
[global]
netbios name = PROXY
workgroup = EMPRESA
security = ADS
realm = EMPRESA.COM.BR
encrypt passwords = yes
username map = /etc/samba/user.map

log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 1-99
idmap config EMPRESA:unix_nss_info = yes
idmap config EMPRESA:unix_primary_group = yes

winbind refresh tickets = Yes
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

template shell = /bin/bash
template homedir = /home/%U

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#ETC/NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, 
try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind 
group:  compat winbind 
shadow: compat
gshadow:files

hosts:  files dns
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files
netgroup:   nis

#/ETC/KRB5.CONF
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR

#/ETC/SQUID/SQUID.CONF

http_port 3128

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_re

Re: [squid-users] error:transaction-end-before-headers

2020-08-26 Thread L . P . H . van Belle
Hai, 

Just something I noticed.. 

> auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R \
>     -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid \
>     -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389

Change that to:  
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R \
    -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local \
    -W /etc/squid/ldap-bind-pwdfile \
    -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389

-w squid is changed to 
-W /etc/squid/ldap-bind-pwdfile, a file containing your password. 

Only add your password in there and only give Squid read rights. 

Why? If someone runs ps, they might catch the Squid password you're using.. 

On your question, see also: 
https://www.mail-archive.com/squid-users@lists.squid-cache.org/msg19734.html 

I can't answer it myself; I don't know. 


Greetz, 

Louis
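
Louis's `ps` point, worked through as an added example (not code from the post): a shell audit that flags `auth_param` helper lines still carrying `-w <password>`, plus helpers that install and sanity-check the file `-W` points at. The squid.conf fragment is constructed from the lines quoted above; the group name `proxy` is the one used earlier in this list for the Squid keytab.

```sh
#!/bin/sh
# Added example, not from the post: keep the LDAP bind password out of the
# basic_ldap_auth command line. Audits squid.conf for helper lines that still
# pass it with -w, and installs/checks the file that -W points at. The
# squid.conf fragment is constructed from the lines quoted above.

# Constructed squid.conf fragment: line 1 still has the password inline,
# line 3 uses the password file instead.
SAMPLE_CONF=$(cat <<'EOF'
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389
auth_param basic children 5
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -W /etc/squid/ldap-bind-pwdfile -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389
EOF
)

# Print "<line>: <text>" for every auth_param helper line that carries a
# secret inline with -w. Such arguments are visible to any local user
# running ps while the helper process is alive.
#   $1 = squid.conf contents
audit_inline_bind_passwords() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*auth_param[ \t]+[a-z]+[ \t]+program[ \t]/ && /[ \t]-w[ \t]+[^ \t-]/ {
            print NR ": " $0
        }'
}

# Create the -W password file from the first line of stdin. The file is
# recreated under umask 077 so the secret never sits in a world-readable
# file, then made readable by the helper's group (proxy on Debian).
# chgrp needs root; when it fails the file simply keeps the caller's group.
#   $1 = file path, $2 = group name
write_bind_pwdfile() {
    file=$1
    group=$2
    IFS= read -r pw || return 1
    rm -f "$file"
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$pw" > "$file"
    umask "$old_umask"
    chgrp "$group" "$file" 2>/dev/null || true
    chmod 0640 "$file"
}

# Succeed only if the file is not readable by others and holds exactly one
# non-empty line, so the helper cannot pick up a blank or a stray second line.
check_bind_pwdfile() {
    file=$1
    mode=$(stat -c '%a' "$file") || return 1
    other=${mode#"${mode%?}"}            # last octal digit
    [ "$other" = "0" ] || return 1
    [ "$(wc -l < "$file" | tr -d ' ')" -eq 1 ] || return 1
    [ -n "$(head -n 1 "$file")" ]
}

# Demo on the constructed fragment.
echo "helper lines with an inline bind password:"
audit_inline_bind_passwords "$SAMPLE_CONF"
# Real use, as root, then point the helper at the file with -W:
#   printf '%s\n' "$BIND_PW" | write_bind_pwdfile /etc/squid/ldap-bind-pwdfile proxy
#   check_bind_pwdfile /etc/squid/ldap-bind-pwdfile
```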



> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Eric F.
> Sent: Wednesday 26 August 2020 13:53
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] error:transaction-end-before-headers
> 
> Hi,
> 
> I use squid 4.12 with LDAP (Active Directory).
> All works great except sometimes I have the following errors in my 
> access.log file :
> 
> 1598438527.315  0 192.168.0.50 NONE/000 0 NONE 
> error:transaction-end-before-headers - HIER_NONE/- -
> 
> How can i correct that ? Any suggestions ?
> 
> Below my squid.conf file :
> 
>--8<--
> 
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> 
> 
> http_access deny !Safe_ports
> 
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost manager
> http_access deny manager
> 
> acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> 
> http_access deny bad_urls
> http_access deny bad_domains
> 
> auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R \
>     -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid \
>     -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389
> 
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth
> 
> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> 
> http_port 3128
> 
> coredump_dir /var/squid/cache
> 
> refresh_pattern ^ftp:             1440    20%     10080
> refresh_pattern ^gopher:          1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
> refresh_pattern .                 0       20%     4320
> 
> cache_mgr informatique@lab.local
> 
>-->8--
> 
> Thank you very much !
> 
> Cheers,
> 
> Eric F.
> 



Re: [squid-users] compilation error

2020-09-15 Thread L . P . H . van Belle
Hai Amos, 

Just a small question, if I may hop into this thread. 

Based on the TP starter, I also took 5.0.4 to build on Debian; I build in a 
pbuilder/cowbuilder env. 

I first attempted to build and that errored on time_quote. 
I found that I had to add libtdb-dev to the build depends in debian/control. 
And now it's building, only I'm ending with this error. (Ideas?)


x86_64-linux-gnu-g++ -DHAVE_CONFIG_H 
-DDEFAULT_CONFIG_FILE=\"/etc/squid/squid.conf\" 
-DDEFAULT_SQUID_DATA_DIR=\"/usr/share/squid\" 
-DDEFAULT_SQUID_CONFIG_DIR=\"/etc/squid\"   -I../.. -I../../include -I../../lib 
-I../../src -I../../include  -isystem /usr/include/mit-krb5  -Wdate-time 
-D_FORTIFY_SOURCE=2 -I/usr/include/libxml2 -Wall -Wpointer-arith 
-Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe 
-D_REENTRANT -I/usr/include/libxml2 -I/usr/include/p11-kit-1 -g -O2 
-fdebug-prefix-map=/build/squid-5.0.4=. -fstack-protector-strong -Wformat 
-Werror=format-security -c -o Transport.o Transport.cc
cp ../../src/tests/stub_debug.cc tests/stub_debug.cc
cp: cannot create regular file 'tests/stub_debug.cc': No such file or directory
make[4]: *** [Makefile:1518: tests/stub_debug.cc] Error 1
make[4]: *** Waiting for unfinished jobs
make[4]: Leaving directory '/build/squid-5.0.4/tools/squidclient'
make[3]: *** [Makefile:1049: all-recursive] Error 1
make[3]: Leaving directory '/build/squid-5.0.4/tools/squidclient'
make[2]: *** [Makefile:1191: all-recursive] Error 1
make[2]: Leaving directory '/build/squid-5.0.4/tools'
make[1]: *** [Makefile:591: all-recursive] Error 1
make[1]: Leaving directory '/build/squid-5.0.4'
make: *** [/usr/share/cdbs/1/class/makefile.mk:77: debian/stamp-makefile-build] 
Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
I: copying local configuration

This part: 
cp ../../src/tests/stub_debug.cc tests/stub_debug.cc
cp: cannot create regular file 'tests/stub_debug.cc'

I checked for tests/stub_debug.cc: it's there.. 
So why this is, I don't know. (yet)

How I make the packages: 
I get the sid sources, get the latest squid-cache sources.
Copy the debian folder into the new one, update where needed, refresh patches,
and most of the time I hardly need to change things.
Squid 4.13 runs great, and was done in the same way. 

The only thing I miss/don't know is how I can find which packages are needed to 
build squid,
based on the new sources.tar.gz of squid. I think I still miss a package but I'm 
not sure here.

Thanks in advance, Amos. 
Great work on squid on Debian you're doing. 
It's a long time ago that squid errored in building, and I'm doing this since 3.x.x :-) 


Greetz, 

Louis



> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Monday 14 September 2020 23:38
> To: Service MV
> CC: Squid Users
> Subject: Re: [squid-users] compilation error
> 
> On 15/09/20 9:04 am, Service MV wrote:
> > Fresh download of source code in a fresh server.
> > 
> 
> Thanks. Looks like I've got some more digging to do on this issue.
> 
> 
> It should work okay if you use "make -j1" for the build stage.
> 
> Amos
> 
> > 
> > El lun., 14 sep. 2020 18:02, Amos Jeffries escribió:
> > 
> > On 15/09/20 6:34 am, Service MV wrote:
> > > Hi everyone, I don't know if you can help me with 
> this. I´m trying to
> > > compile SQUID beta 5.0.4 on Debian 10 but I get an error:
> > >
> > 
> > Is this occurring in a fresh download of the sources 
> tarball? or fetched
> > via some other method?
> > 
> > Amos
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > 
> > http://lists.squid-cache.org/listinfo/squid-users
> > 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-30 Thread L . P . H . van Belle
Hai Eliezer,

Sorry, I'm not fully agreeing with Amos here.. 

If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
Something is off, that simple. 


A small example of my DNS resolving to internet and my LAN DNS servers. 

time dig a www.google.nl @8.8.8.8       (internet DNS)
real    0m0.115s

real    0m0.031s    (LAN DNS, lookup 1)
real    0m0.016s    (LAN DNS, lookup 2, cached one)

So, in my opinion a 7-10 seconds timeout is really off. 
In the last we.. 

Is the LAN DNS set as an authoritative server?
Are the PCs correctly registering in the DNS with their primary DNS domain? 

In resolv.conf make sure the primary DNS domain is first in resolv.conf.
primary.dnsdomain.tld = output of $(hostname -d)

search primary.dnsdomain.tld  (optional extra: other.dnsdomain.tld dnsdomain.tld) 
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5

# these are the options to look into also. ( in this order ) 
options edns0           # allow 4096 byte packets. 
options rotate          # if you have more than 1 DNS server this can help. 
options timeout:3   
options no-check-names  # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.


Check the following. 
- the DNS server tries to query the internet first. 
  fix might be: resolving (search line) in /etc/resolv.conf

IPv4 / IPv6: try disabling IPv6 on the Windows clients.
DNS is non-authoritative where it might be needed to set it to authoritative.
DNS server is missing forwarding to the authoritative server. 
Routing and routing orders.
Are EDNS (4096 bytes) big packets allowed?
And is the firewall allowing UDP and TCP packets on port 53?

I run 3 Samba-AD DNS servers with Bind9_DLZ.
My proxy runs a Bind9 caching and forwarding setup. 
The primary DNS domain is forwarded to the Samba-AD DNS server. 
These are the authoritative servers. 

This is on average my slowest query: 0.1-0.2 sec ( on the Samba DNS ); 
I checked the last year in my monitoring. 
Normal is 0.03-0.01 sec. 

If there are problems in Samba these days, it's in 80% of all cases a resolving 
setup problem. 

I hope this gave you some ideas. 


Greetz, 

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> NgTech LTD
> Sent: Tuesday 29 December 2020 21:02
> To: Squid Users
> Subject: [squid-users] Anyone has experience with Windows clients DNS
> timeout
> 
> I have seen this issue on Windows clients over the past.
> Windows nslookup shows that the query has timed out after 2 seconds.
> On Linux and xBSD I have researched this issue and have seen that:
> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> seconds sometimes.
> When I pre-warm the DNS cache and the results are cached it takes
> lower than 500 ms for a response to be on the client side and then
> everything works fine.
> 
> I understand that Windows DNS client times out..
> When using forward proxy with squid or any other it works as expected
> since the DNS resolution is done on the proxy server.
> However for this issue I believe that this timeout should be increased
> instead of moving to DNS over HTTPS.
> 
> I would like to hear if anyone has any resolution for this issue on
> the Windows clients side.
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
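The resolv.conf layout above (primary domain first in the search list, several nameservers, edns0/rotate/timeout options) is easy to get subtly wrong. The following is an added example, not code from the thread or from Squid, that parses a resolv.conf and reports the kind of findings the post asks you to check. It also flags two glibc facts the post does not mention: the stub resolver only consults the first three nameserver lines (MAXNS), and the default per-server timeout is 5 seconds. The two sample files are constructed for the example; the domain and addresses are placeholders.

```python
"""Parse and sanity-check an /etc/resolv.conf (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List

# glibc's stub resolver silently ignores nameserver lines after the third one.
GLIBC_MAXNS = 3
# glibc's default per-server timeout (options timeout:N) in seconds.
GLIBC_DEFAULT_TIMEOUT = 5


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    options: Dict[str, object] = field(default_factory=dict)


def parse_resolv_conf(text: str) -> ResolvConf:
    conf = ResolvConf()
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("search", "domain"):
            # 'domain' and 'search' are mutually exclusive; the last one wins
            conf.search = args
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                conf.options[name] = int(val) if val.isdigit() else True
    return conf


def check_resolv_conf(text: str, primary_domain: str) -> List[str]:
    """Return human-readable findings; an empty list means the file matches the advice above."""
    conf = parse_resolv_conf(text)
    findings: List[str] = []
    ns = conf.nameservers
    if not ns:
        findings.append("no nameserver configured")
    if len(ns) > GLIBC_MAXNS:
        findings.append(
            f"{len(ns)} nameservers listed; glibc uses only the first {GLIBC_MAXNS}, "
            f"so {ns[GLIBC_MAXNS:]} are never queried"
        )
    if not conf.search:
        findings.append("no search list; unqualified names will not be looked up in the primary DNS domain")
    elif conf.search[0].lower() != primary_domain.lower():
        findings.append(
            f"search list starts with {conf.search[0]!r}; expected the primary DNS domain "
            f"{primary_domain!r} (output of 'hostname -d') first"
        )
    timeout = conf.options.get("timeout", GLIBC_DEFAULT_TIMEOUT)
    if timeout > 3:
        findings.append(
            f"options timeout:{timeout} (glibc default {GLIBC_DEFAULT_TIMEOUT}): a dead first "
            f"server costs {timeout}s per lookup; consider timeout:3"
        )
    if len(ns) > 1 and "rotate" not in conf.options:
        findings.append("several nameservers but no 'rotate': every lookup hits the first server until it times out")
    if "edns0" not in conf.options:
        findings.append("no 'edns0': answers over 512 bytes are truncated and retried over TCP")
    return findings


# Constructed samples for this example, not files from the thread.
SAMPLE_OK = """\
search corp.example.test other.example.test
nameserver 192.168.1.1
nameserver 192.168.1.2
options edns0 rotate timeout:3 no-check-names
"""

SAMPLE_BAD = """\
# lab box: no search domain, five servers, default timeout, no edns0/rotate
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_resolv_conf(sample, "corp.example.test"))
```

Run it against a real file with `check_resolv_conf(open("/etc/resolv.conf").read(), subprocess.check_output(["hostname", "-d"], text=True).strip())`; on a systemd-resolved host remember that /etc/resolv.conf may be the 127.0.0.53 stub and the real upstream list lives in `resolvectl status`.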


Re: [squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-30 Thread L . P . H . van Belle
And yes, I agree, DNS over TLS might be slower, but really, if you have to wait 
seconds for a DNS reply... imagine.. 
Lots of websites have 10-20 hosts in them; if you have to wait 10 sec for a 
website, well, I'm gone already then.

That's why I also showed the direct tests on my internal authoritative DNS servers 
( and I can pick any host, it will show the same results ). 

All I'm saying is, before you are going to hunt for "possible" problems,
make sure the resolving is perfectly set up. 
It will fix at least a lot of problems.

I just don't like DNS over HTTPS.. 
https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
 

https://www.samknows.com/blog/dns-over-https-performance

Good articles to read. 

Enjoy. 

Greetz,

Louis


> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Klaus Westkamp
> Sent: Wednesday 30 December 2020 10:57
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Anyone has experience with Windows clients
> DNS timeout
> 
> 
> Hi,
> 
> i fully agree with Amos. I experience several seconds delay these days
> in resolving names.
> 
> Using google, which is having a very fast and heavily caching dns,
> is not a good example for recreating this effect.
> 
> I could imagine that the several DNS encryption methods,
> DNS-over-TLS and -over-HTTPS, that are only supported by some,
> add to that delay, as they require more overhead
> and also the client has to find out which method is supported and which
> not.
> 
> Cheers,
> 
> Klaus Westkamp
> 
> 
> On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > Hai Eliezer,
> >
> > Sorry, I'm not fully agreeing with Amos here..
> >
> > If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
> > Something is off, that simple.
> >
> >
> > A small example of my DNS resolving to internet and my LAN DNS servers.
> >
> > time dig a www.google.nl @8.8.8.8       (internet DNS)
> > real    0m0.115s
> >
> > real    0m0.031s    (LAN DNS, lookup 1)
> > real    0m0.016s    (LAN DNS, lookup 2, cached one)
> >
> > So, in my opinion a 7-10 seconds timeout is really off.
> > In the last we..
> >
> > Is the LAN DNS set as an authoritative server?
> > Are the PCs correctly registering in the DNS with their primary DNS domain?
> >
> > In resolv.conf make sure the primary DNS domain is first in resolv.conf.
> > primary.dnsdomain.tld = output of $(hostname -d)
> >
> > search primary.dnsdomain.tld  (optional extra: other.dnsdomain.tld dnsdomain.tld)
> > nameserver 192.168.1.1
> > nameserver 192.168.1.2
> > nameserver 192.168.1.3
> > nameserver 192.168.1.4
> > nameserver 192.168.1.5
> >
> > # these are the options to look into also. ( in this order )
> > options edns0           # allow 4096 byte packets.
> > options rotate          # if you have more than 1 DNS server this can help.
> > options timeout:3
> > options no-check-names  # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.
> >
> >
> > Check the following.
> > - the DNS server tries to query the internet first.
> >   fix might be: resolving (search line) in /etc/resolv.conf
> >
> > IPv4 / IPv6: try disabling IPv6 on the Windows clients.
> > DNS is non-authoritative where it might be needed to set it to authoritative.
> > DNS server is missing forwarding to the authoritative server.
> > Routing and routing orders.
> > Are EDNS (4096 bytes) big packets allowed?
> > And is the firewall allowing UDP and TCP packets on port 53?
> >
> > I run 3 Samba-AD DNS servers with Bind9_DLZ.
> > My proxy runs a Bind9 caching and forwarding setup.
> > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > These are the authoritative servers.
> >
> > This is on average my slowest query: 0.1-0.2 sec ( on the Samba DNS );
> > I checked the last year in my monitoring.
> > Normal is 0.03-0.01 sec.
> >
> > If there are problems in Samba these days, it's in 80% of all cases a resolving
> > setup problem.
> >
> > I hope this gave you some ideas.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >> -Original message-
> >> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> >> NgTech LTD
> >> Sent: Tuesday 29 December 2020 21:02
> >> To: Squid Users
> >> Subject: [squid-users] Anyone has experience with Windows clients DNS
> >> timeout
> >>
> >> I have seen this issue on Windows clients over the past.
> >> Windows nslookup shows that the query has timed out after 2 seconds.
> >> On Linux and xBSD I have researched this issue and have seen that:
> >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> >> seconds sometimes.
> >> When I pre-warm the DNS cache and the results are cached it takes
> >> lower than 500 ms for a response to be on the client side and then
> >> everything works fine.
> >>
> >> I understand that Windows DNS client times out..
> >> When using forward proxy with squid or any other i

Re: [squid-users] Anyone has experience with Windows clients DNS timeout

2020-12-30 Thread L . P . H . van Belle
Hai Eliezer,

> -Original message-
> From: NgTech LTD [mailto:ngtech1...@gmail.com]
> Sent: Wednesday 30 December 2020 13:37
> To: L.P.H. van Belle
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Anyone has experience with Windows clients
> DNS timeout
> 
> Hey Louis,
> Thanks For the feedback.
> 
> Indeed I do understand if someone wants to have a fast DNS resolution.
> However there are things which are not under our domain and control.

> For example the root DNS servers can be unreachable for a second or
> more sometimes to specific areas.
Now this I'm having here also; it took me 6 months but my internet provider 
is now finally going to fix it. Often it's out of bandwidth.. 
In my case this was a change they did in the background. 
In the Netherlands I know lots of fiber providers don't monitor their bandwidth; 
I built some monitoring servers for one of them, that's how I know. They don't 
care because they just say, ah.. fiber, sufficient bandwidth..
:-/ 

> I cannot change the way how optic communication cables are managed but
> I can control my windows or proxy.
> Since the proxy can be tuned easily compared to the root servers
> themselves or any other lower level DNS services I might choose to use
> a proxy.
Test against other DNS servers and track the route they are using.. 
In my above problem I tracked this from 5 different providers to find the 
problem point. 

> In the ISP world the provider has two or more DNS servers which
> sometimes can respond slower than expected.
> It's a fact that we need two or more DNS servers, but when you manage a
> DNS server or start a BIND recursive server you will be able to see this
> issue.
> On the first recursive request for a link with 20-80+ ms delay it is
> possible that either a packet is lost on the way or that the overall
> response is higher than 10 seconds.
Also here, if you can monitor your devices, check if you see UDP loss/rejects. 

> The only reasonable solution I can see is to set the clients or the
> proxy according to the environment.
Both will and should work.. 

> 
> For example a local on premise DNS caching service(dnsmasq, unbound,
> bind) should help a bit to some cases.
> The next level is to pre-warm the cache for the root servers.
> If this doesn't help fix the Clients windows timeout from 2 seconds to
> more..(10-15).

That's still, in my opinion, the first thing you need to track: find where 
the delay is happening. 

> If the above seems to not resolve the issues then and only then it's
> the proxy time.
> 
> I think I found the basic way to define this in The Windows registry
> but not sure.
> These documents can describe this issue at:
> 
> https://docs.microsoft.com/en-us/previous-
> versions//cc977482(v=technet.10)?redirectedfrom=MSDN
> https://serverfault.com/questions/431207/adjust-windows-dns-timeout-
> similar-to-the-linux-resolv-conf
> https://thehotery.name/windows/network/dns
> https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.brow
> ser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J
> 
> The default registry key is not present but the value is:
> ## START of text file
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,
> 38,00,00,00,00,00
> ## END of text file
> 
> A modified one is:
> ## START of text file
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,
> 00,00,33,00,32,00,00,00,00,00
> ## END of text file
> 

Beware, you can change that, but I know some parts in Windows use some 
Windows DNS, and if you disable/change that, your MS Store might also stop 
working. Figured that out the hard way. :-( 

> 
> I have not tested it yet but if it does but in Windows nslookup you
> can change the timeout using:
> set timeout=10
> 
> and test the server for timeout issues.
> This is common to see in windows that the first lookup would fail
> after 2 seconds but the next one will get a result.
> If the client will wait enough he will receive the packet and the
> resolution fast compared to a fully recursive one every time.
> 
> I think that this timeout deserve a wiki page.
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle  wrote:
> >
> > And, yes i agree, DNS over TLS might be slower, but really, if you have
> to wait seconds for a DNS reply... imagine..
> > Lots of websites have 10-20 hosts in them, if you have to wait 10 sec
> for a website, well, im gone already then.
> >
> > Thats why i also showed the direct tests my internal Authoritive DNS
> servers. ( and i can pick any host, will show the same results ).
> >
> > All im saying is, before you are going to hunt for "possible" problems.
> > Mak
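The DNSQueryTimeouts value in the quoted .reg fragments is a REG_MULTI_SZ exported as `hex(7):` bytes: UTF-16LE strings, one NUL after each string and an extra NUL closing the list. The following is an added example, not code from the thread or from Microsoft, that decodes exactly those two fragments (reconstructed here from the post) into per-attempt timeouts and re-encodes a list back into the .reg form, so a change can be reviewed before it is imported. It says nothing about what Windows does with the value; Eliezer notes above that he had not tested it.

```python
"""Decode/encode the REG_MULTI_SZ DNSQueryTimeouts value from a .reg export (added example)."""
import re
from typing import List


def _hex_field_to_bytes(field: str) -> bytes:
    # regedit wraps long values as "xx,xx,\" + newline; mail clients often drop the
    # backslash, so strip backslashes and all whitespace before splitting on commas.
    cleaned = re.sub(r"[\\\s]+", "", field)
    return bytes(int(pair, 16) for pair in cleaned.split(",") if pair)


def decode_multi_sz(data: bytes) -> List[str]:
    """REG_MULTI_SZ: UTF-16LE, NUL-terminated strings, terminated by an empty string."""
    if len(data) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(values: List[str]) -> bytes:
    return "".join(v + "\x00" for v in values).encode("utf-16-le") + b"\x00\x00"


def to_reg_hex(data: bytes) -> str:
    """Render bytes the way regedit exports them: hex(7):xx,xx,..."""
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def read_hex7_value(reg_text: str, name: str) -> bytes:
    # "Name"=hex(7): followed by comma-separated byte pairs, possibly wrapped over lines
    pattern = rf'"{re.escape(name)}"=hex\(7\):((?:[0-9a-fA-F]{{2}}[,\s\\]*)+)'
    m = re.search(pattern, reg_text)
    if m is None:
        raise KeyError(name)
    return _hex_field_to_bytes(m.group(1))


def query_timeouts(reg_text: str) -> List[int]:
    """Per-attempt timeouts in seconds; sum() is the worst case before the client gives up."""
    return [int(s) for s in decode_multi_sz(read_hex7_value(reg_text, "DNSQueryTimeouts"))]


# Reconstructed from the quoted post (key path and bytes as given there), with the
# regedit line continuation restored on the first file.
DEFAULT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,\
  38,00,00,00,00,00
'''

MODIFIED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,
00,00,33,00,32,00,00,00,00,00
'''

if __name__ == "__main__":
    for label, reg in (("default", DEFAULT_REG), ("modified", MODIFIED_REG)):
        t = query_timeouts(reg)
        print(f"{label}: {t} -> worst case {sum(t)} s")
    # Build a new value instead of hand-typing UTF-16 bytes:
    print(to_reg_hex(encode_multi_sz(["4", "8", "8", "16", "32"])))
```

The default fragment decodes to 1, 2, 2, 4 and 8 seconds (17 s worst case), the modified one to 4, 8, 8, 16 and 32 (68 s); generating the bytes with `encode_multi_sz` avoids the classic mistake of dropping the final double NUL, which turns the list into a malformed REG_MULTI_SZ.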

Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

2021-05-10 Thread L . P . H . van Belle
Your firewall rules seem off. 

192.168.1.32 is your client, as I saw in the log. 

But you're showing 10.3.141.0/24, so.. ?

Try/look at this. Change interfaces where needed of course. 

# table, chain and input interface added so the rules load as-is;
# LAN_INTERFACE is a placeholder like INTERNET_INTERFACE below
iptables -t nat -A PREROUTING -i LAN_INTERFACE -p tcp \
--dport 80 -j REDIRECT --to-ports 3128 -m comment --comment "Squid-Intercept 80->3128"

iptables -t nat -A PREROUTING -i LAN_INTERFACE -p tcp \
--dport 443 -j REDIRECT --to-ports 3129 -m comment --comment "Squid-Intercept 443->3129"

iptables -t nat -A POSTROUTING -o INTERNET_INTERFACE \
-j MASQUERADE -m comment --comment "IP-Masq allow internet"


Greetz, 

Louis

?



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of jean 
francois hasson
Sent: Sunday 3 January 2021 19:15
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Setting up a transparent http and https proxy 
server using squid 4.6


Hi,

After reading more information on this kind of error I captured a few 
transactions with Wireshark running on the Raspberry Pi hosting squid 4.6 and 
openssl 1.1.1d. I captured some transactions when trying to access ebay.fr, 
which is currently not successful with the setup I have, with the error of 
inappropriate fallback mentioned below.

I am not familiar with TLS transactions so I will try to present a high level 
view of the transactions between the raspberry pi and the ebay.fr server. I 
hope you can guide me as to what I should focus on to understand, if possible, 
the issue I have.

A bird's eye view of the transactions from Wireshark over time is:

No. Time          Source        Destination   Proto   Len   Info
 23 0.175795327   192.168.1.32  192.168.1.1   DNS      71   Standard query 0x057e A www.ebay.fr
 24 0.214678299   192.168.1.1   192.168.1.32  DNS     165   Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
 25 0.301067317   192.168.1.32  23.57.6.166   TCP      74   53934 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
 26 0.302488046   192.168.1.32  23.57.6.166   TCP      74   53936 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
 27 0.328959454   23.57.6.166   192.168.1.32  TCP      74   443 > 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
 28 0.329115340   192.168.1.32  23.57.6.166   TCP      66   53934 > 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
 29 0.329752684   192.168.1.32  23.57.6.166   TLSv1.2 583   Client Hello
 30 0.330530288   23.57.6.166   192.168.1.32  TCP      74   443 > 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
 31 0.330644819   192.168.1.32  23.57.6.166   TCP      66   53936 > 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
 32 0.331192579   192.168.1.32  23.57.6.166   TLSv1.2 583   Client Hello
 35 0.351054404   192.168.1.32  192.168.1.98  TCP      54   5900 > 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
 36 0.363323884   23.57.6.166   192.168.1.32  TCP      66   443 > 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
 37 0.364291801   23.57.6.166   192.168.1.32  TLSv1.2 1514  Server Hello
 38 0.364347270   192.168.1.32  23.57.6.166   TCP      66   53934 > 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
 39 0.365482999   23.57.6.166   192.168.1.32  TCP     1514  443 > 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
 40 0.365535030   192.168.1.32  23.57.6.166   TCP      66   53934 > 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
 41 0.366217999   23.57.6.166   192.168.1.32  TCP     1266  443 > 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
 42 0.366279041   192.168.1.32  23.57.6.166   TCP      66   53934 > 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
 43 0.366321697   23.57.6.166   192.168.1.32  TCP      74   [TCP Retransmission] 443 > 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
 44 0.366410135   192.168.1.32  23.57.6.166   TCP      66   [TCP Dup ACK 31#1] 53936 > 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
 45 0.366709770   23.57.6.166   192.168.1.32  TLSv1.2 991   Certificate, Certific

Re: [squid-users] wildcard for numbers in url whitelisting

2021-07-15 Thread L . P . H . van Belle
post a few lines from  "/usr/local/squid/etc/urlwhite.txt"


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
robert k Wild
Sent: Thursday 15 July 2021 14:09
To: Amos Jeffries
CC: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] wildcard for numbers in url whitelisting



Is anything wrong with this, as it doesn't work?


#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"

#HTTP_HTTPS whitelist websites regex
#acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlwhitereg.txt"

http_access allow activation whitelist whitelistreg
http_access deny all


For the time being I've hashed out the acl regex and deleted whitelistreg on my 
http_access allow, as it doesn't work.


Can you see anything wrong with it?



On Thu, 15 Jul 2021 at 12:17, robert k Wild  wrote:

I think I get you, so have two acl lists, like


acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhitereg.txt"


On Thu, 15 Jul 2021 at 11:59, robert k Wild  wrote:

Thanks Amos, if I change to that acl, I imagine I will need to redo all my 
whitelist files.

Ie


.Google.com


Will be


.\google\.com


Is that correct?


On Thu, 15 Jul 2021, 11:53 Amos Jeffries ,  wrote:

You will need to change to ssl::server_name_regex ACL type to use regex 
patterns. 

Also, take care that all values are valid regex pattern and characters which 
are special in regex are properly escaped. Eg the dots. 
Amos






-- 
Regards, 

Robert K Wild.





-- 
Regards, 

Robert K Wild.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
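Amos's two points above (switch to ssl::server_name_regex, and escape regex metacharacters such as dots) have a third companion that bites whitelists in particular: a pattern that is not anchored matches any server name that merely contains it. The following is an added example, not code from the thread or from Squid, that converts dstdomain-style entries such as `.google.com` into anchored patterns suitable for an ssl::server_name_regex file, expresses the numeric wildcard of the thread title with a `#` placeholder (this example's own convention, not a Squid one), and shows how an unconverted entry over-matches. The sample list is constructed; it is not the poster's urlwhite.txt.

```python
"""Convert dstdomain-style whitelist entries into anchored server_name_regex patterns (added example)."""
import re
from typing import List


def domain_to_regex(entry: str) -> str:
    """'.example.com' -> example.com and every subdomain; 'host.example.com' -> that host only."""
    entry = entry.strip().lower().rstrip(".")
    if entry.startswith("."):
        return r"(^|\.)" + re.escape(entry[1:]) + "$"
    return "^" + re.escape(entry) + "$"


def numeric_wildcard_regex(entry: str) -> str:
    """'server#.example.com' -> '^server[0-9]+\\.example\\.com$' ('#' marks a run of digits)."""
    parts = [re.escape(p) for p in entry.strip().lower().split("#")]
    return "^" + "[0-9]+".join(parts) + "$"


def convert_list(text: str) -> List[str]:
    """Turn the contents of a dstdomain-style file into regex lines; '#' at line start is a comment."""
    patterns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(numeric_wildcard_regex(line) if "#" in line else domain_to_regex(line))
    return patterns


def allowed(patterns: List[str], server_name: str) -> bool:
    """Emulate a case-insensitive regex ACL: any pattern matching anywhere in the name allows it."""
    name = server_name.lower().rstrip(".")
    return any(re.search(p, name) for p in patterns)


def naive_match(entry: str, server_name: str) -> bool:
    """What happens if a dstdomain entry is dropped into a server_name_regex file unchanged."""
    return re.search(entry, server_name.lower()) is not None


# Constructed sample list for this example.
SAMPLE_LIST = """\
# whitelist
.google.com
update.example.net
server#.example.net
"""

if __name__ == "__main__":
    pats = convert_list(SAMPLE_LIST)
    print("\n".join(pats))
    for host in ("mail.google.com", "evilgoogle.com", "www.google.com.attacker.net", "server42.example.net"):
        print(f"{host:32} converted={allowed(pats, host)!s:5} naive={naive_match('.google.com', host)}")
```

Write the output of `convert_list` to the file named by the ssl::server_name_regex ACL; `.google.com` becomes `(^|\.)google\.com$`, which allows google.com and mail.google.com but not evilgoogle.com or www.google.com.attacker.net, both of which the unconverted entry would let through.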


Re: [squid-users] [Samba] Two questions about cache for squid authentication

2021-08-17 Thread L . P . H . van Belle


> 
> Small addon here. 
> 
> NTLMv1 and v2.. 
> Most still use NTLMv1, but that's being disabled in Windows 
> and Samba these days. 
> 
> 
> To make sure you do use NTLMv2: 
> With Samba 4.2.x and up, use the following setting on the 
> Squid and/or FreeRADIUS
> and on all the Samba AD-DCs and involved members that use ntlm_auth.
> 
> Per example:
> Add to the [global] section of smb.conf 
> 
> ntlm auth = mschapv2-and-ntlmv2-only
> 
> And add in the client commands: "/path/to/ntlm_auth 
> --allow-mschapv2 "
> 
> But personally I would recommend to move to Kerberos auth. 
> 
> Greetz, 
> 
> Louis
> 
>  
> 
> > -Original message-
> > From: squid-users 
> > [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> > Amos Jeffries
> > Sent: Tuesday 17 August 2021 9:40
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Two questions about cache for 
> > squid authentication
> > 
> > On 17/08/21 6:25 pm, ?? wrote:
> > > Dear all,
> > > 
> > > I have two questions about cache for squid authentication.
> > > 
> > > 1. Can I skip authentication for a certain period of time 
> > after I've 
> > > authenticated once?
> > > 
> > > When I do the following, the authentication screen appears.
> > > 
> > > Start browser -> access site after authentication (Kerberos 
> > > authentication) -> close browser -> start another 
> application (LDAP 
> > > authentication)
> > > 
> > 
> > Negotiate/Kerberos authentication authenticates the TCP 
> > connection. All 
> > messages on that connection require the Kerberos tokens to 
> > prove it is 
> > valid on that connection.
> > 
> > 
> > > So, even using Kerberos and LDAP auth at the same time, I 
> > want to skip 
> > > the authentication process by clientIPaddress, etc.
> > > 
> > 
> > This is authorization *not* authentication.
> > 
> > 
> > > 2. About authentication data passing in NTLM authentication 
> > on website.
> > > 
> > 
> > NTLM, just like Negotiate/Kerberos authenticates the TCP 
> > connection and 
> > requires all messages to have the appropriate tokens.
> > 
> > 
> > > SingleSignOn is not working for some sites with NTLM 
> authentication.
> > > 
> > 
> > That is a Browser issue. "single sign-on" is a behaviour of 
> clients, 
> > where they choose to send the same credentials to all 
> > services. It has 
> > nothing to do with the service like Squid.
> > 
> > 
> > > For example, when the authentication pop-up message 
> > appears, you can 
> > > enter the auth information to access the page, but if you visit a 
> > > different URL, you will be prompted to authenticate again.
> > > 
> > > Can someone give me some advice?
> > > 
> > 
> > The client doing that is broken or confused.
> > 
> > Maybe the confusion happened because of your mixed up squid config 
> > rules. Or maybe not. You have not provided any information 
> about your 
> > squid.conf, network topology, or how the clients are using 
> > the proxy - 
> > so we cannot tell.
> > 
> > Amos
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid v4.45

2021-08-23 Thread L . P . H . van Belle
In your Windows config, 
remove the IP address from the gateway and configure your proxy settings.  
Without proxy and gateway, no internet.

Or set up an SSL proxy. 
Add something like this in your firewall and you catch all. 

# Redirect HTTP on eth0 from LAN_CIDR to locally installed Squid instance using 
# REDIRECT for intercept mode (REDIRECT is only valid in the nat table, not mangle)
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j 
REDIRECT --to-ports 6080 -m comment --comment "Squid-Intercept 80->6080"

# Redirect HTTPS on eth0 from CIDR to locally installed Squid instance using 
# REDIRECT for intercept mode
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT 
--to-ports 6433 -m comment --comment "Squid-Intercept 443->6433"

And read: 
https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol


>The NIC status simply says that *somehow* the Internet is available.
No, Windows 10 does a DNS query to an MS server; block that and you see 
"no internet", 
even if you have internet. 

Maybe Pi-hole is something for you that does most of what you want. 


Greetz, 

Louis


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Periko Support
> Sent: Monday 23 August 2021 7:55
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid v4.45
> 
> On Thu, Aug 19, 2021 at 7:40 PM Amos Jeffries 
>  wrote:
> >
> >
> > FYI, there is no such version as Squid 4.45.
> 
> Amos sorry, is 4.15 my mistake.
> >
> > What is the output when you run "squid -v" ?
> >
>  squid -v
> Squid Cache: Version 4.15
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1k-freebsd  25 Mar 2021. For legal
> restrictions on distribution see
> https://www.openssl.org/source/license.html
> 
> configure options:  '--with-default-user=squid'
> '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin'
> '--datadir=/usr/local/etc/squid'
> '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
> '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache' '--without-gnutls'
> '--with-included-ltdl' '--enable-auth' '--enable-zph-qos'
> '--enable-build-info' '--enable-loadable-modules'
> '--enable-removal-policies=lru heap' '--disable-epoll'
> '--disable-linux-netfilter' '--disable-linux-tproxy'
> '--disable-translation' '--disable-arch-native'
> '--disable-strict-error-checking' '--enable-eui'
> '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
> '--disable-esi' '--enable-follow-x-forwarded-for'
> '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe
> -I/usr/local/include -I/usr/local/include -fstack-protector-strong
> -DLDAP_DEPRECATED -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib
> -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib
> -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib
> -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 '
> 'KRB5CONFIG=/usr/local/bin/krb5-config'
> 'krb5_config=/usr/local/bin/krb5-config' '--enable-htcp'
> '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
> '--enable-ipv6' '--enable-kqueue' '--with-large-files'
> '--enable-http-violations' '--without-nettle' '--enable-snmp'
> '--enable-ssl' '--with-openssl=/usr'
> '--enable-security-cert-generators=file'
> 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl'
> '--enable-ssl-crtd' '--disable-stacktraces'
> '--disable-ipf-transparent' '--disable-ipfw-transparent'
> '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db'
> '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=LDAP SASL DB
> SMB_LM NCSA PAM POP3 RADIUS fake getpwnam NIS'
> '--enable-auth-digest=eDirectory LDAP file'
> '--enable-external-acl-helpers=LDAP_group eDirectory_userip
> file_userip unix_group delayer kerberos_ldap_group'
> '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake
> SMB_LM' '--enable-storeio=aufs diskd ufs'
> '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
> '--enable-log-daemon-helpers=file DB'
> '--enable-url-rewrite-helpers=fake LFS'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-security-cert-validators=fake' '--prefix=/usr/local'
> '--mandir=/usr/local/man' '--disable-silent-rules'
> '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2'
> 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc'
> 'CPPFLAGS=-I/usr/local/include -I/usr/local/include' 'CXX=c++'
> 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include
> -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing  '
> 'CPP=cpp' --enable-ltdl-convenience
> > On 19/08/21 4:12 am, Periko Support wrote:
> > > Hello guys.
> > >
> > > I have been searching the issue I have with windows 10 
> and the ugly
> > > job he do to put the NIC "Internet access" and went we have squid
> > > behind "no internet".
> > >
> >
> > The NIC status simply says that *somehow* the Internet is available.
> > th

Re: [squid-users] Squid performance issues

2021-08-31 Thread L . P . H . van Belle
Hey Marcio, 

You'd better upgrade to Debian bullseye and see if it happens there also. 
If you don't want that, try this. 

systemctl edit squid.service 
Add: 

[Service]
LimitNOFILE=65535
 
 
Save and run: systemctl restart squid

But I would recommend to use Debian Bullseye. 


Greetz, 

Louis
 
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
NgTech LTD
Sent: Tuesday 31 August 2021 17:11
To: Marcio B.
CC: Squid Users
Subject: Re: [squid-users] Squid performance issues



Hey Marcio, 

You will need to add a systemd service file that extends the current one with 
more FileDescriptors.


I cannot guide you now; I do hope to be able to write later.


If anyone is able to help faster go ahead.


Eliezer




, 31 2021, 18:05, Marcio B. :

Hi,

I implemented a Squid server in version 4.6 on Debian and tested it for about 
40 days. However I put it into production today and Internet browsing was 
extremely slow.

In /var/log/syslog I'm getting the following messages:

Aug 31 11:29:19 srvproxy squid[4041]: WARNING! Your cache is running out of 
filedescriptors

Aug 31 11:29:35 srvproxy squid[4041]: WARNING! Your cache is running out of 
filedescriptors

Aug 31 11:29:51 srvproxy squid[4041]: WARNING! Your cache is running out of 
filedescriptors


I searched the Internet, but I only found very old information, referring to
files that don't exist on my Squid server.

The only thing I did was add the following value to the 
/etc/security/limits.conf file:

*-nofile 65535

however, this did not solve it.

Does anyone have any idea how I could solve this problem?


Regards,


Márcio Bacci

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
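An added check that is not part of the thread: the LimitNOFILE drop-in Louis describes only helps if the running squid actually inherits it, and /etc/security/limits.conf (pam_limits) is not applied to systemd services, which is why Marcio's limits.conf change had no effect. This POSIX shell snippet reads the soft "Max open files" value from a /proc/<pid>/limits style file and prints the drop-in when the limit is below what Squid needs; the limits contents in the demo are constructed, and 65535 is Louis's value from above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a running squid got the
# file-descriptor limit a systemd override asks for. The override itself is
# what Louis posted: systemctl edit squid.service -> [Service] / LimitNOFILE=

# Soft "Max open files" value from a /proc/<pid>/limits style file.
# Real usage on a Linux box: max_open_files_soft /proc/$(pidof -s squid)/limits
max_open_files_soft() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Return 0 when the soft limit is at least the wanted value, 1 when it is
# lower, 2 when the file has no "Max open files" row at all.
# $1 = limits file, $2 = wanted descriptors (Squid's max_filedescriptors or
# the --with-filedescriptors build default seen in the configure lines above).
fd_limit_ok() {
    soft=$(max_open_files_soft "$1")
    [ -n "$soft" ] || return 2
    [ "$soft" = "unlimited" ] && return 0
    [ "$soft" -ge "$2" ]
}

# Print the systemd drop-in that raises the limit (same content as the thread).
systemd_override() {
    printf '[Service]\nLimitNOFILE=%s\n' "$1"
}

# Self-contained demo on constructed data: a limits file as systemd's usual
# 1024 soft default produces, which is what ends in the
# "WARNING! Your cache is running out of filedescriptors" messages.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 1048576              files
EOF
    if fd_limit_ok "$tmp" 65535; then
        echo "squid fd limit is fine"
    else
        echo "squid soft fd limit is $(max_open_files_soft "$tmp"); install this drop-in:"
        systemd_override 65535
    fi
    rm -f "$tmp"
}

demo
```

After `systemctl restart squid` the same check against the live /proc/<pid>/limits shows whether the new limit took effect.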



Re: [squid-users] compiling squid 5.1

2021-09-06 Thread L . P . H . van Belle
Try this. 

For now, removing these build options works:

 --srcdir=. --disable-dependency-tracking

(Amos posted this on 5 August)
https://www.spinics.net/lists//squid/msg94409.html

Greetz, 

Louis
yeah, the same one.  ;-)  

> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Meike Stone
> Sent: Monday 6 September 2021 15:04
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] compiling squid 5.1
> 
> Hello dear list,
> 
> I try to compile the current version 5.1 on openSuSE Leap 15.2. After
> compiling, it seems that it likes to run a few tests, but that fails
> with the following errors:
> 
> cp ../../src/tests/stub_debug.cc tests/stub_debug.cc
> cp: cannot create regular file 'tests/stub_debug.cc': No such 
> file or directory
> make[3]: *** [Makefile:1489: tests/stub_debug.cc] Error 1
> make[3]: Leaving directory 
> '/home/ingo/Downloads/squid-5.1/tools/squidclient'
> make[2]: *** [Makefile:1038: all-recursive] Error 1
> make[2]: Leaving directory 
> '/home/ingo/Downloads/squid-5.1/tools/squidclient'
> make[1]: *** [Makefile:1176: all-recursive] Error 1
> make[1]: Leaving directory '/home/ingo/Downloads/squid-5.1/tools'
> make: *** [Makefile:590: all-recursive] Error 1
> 
> The file is found under:
> ~/squid-5.1 # find . -name stub_debug.cc
> ./src/tests/stub_debug.cc
> 
> Can someone guide me to solve the problem?
> 
> Thanks Meike
> PS: @Squid-Cache Website maintainers: The link (provided on
> http://www.squid-cache.org/Support/mailing-lists.html) to mailing list
> search (http://www.squid-cache.org/cgi-bin/swish-query.cgi) is broken.
> 
> 



[squid-users] Compile/Rebuilding on debian bullseye (or buster)

2021-09-14 Thread L . P . H . van Belle
Hai Amos, 

I'm attempting to make a squid 5.1 build based on the bullseye squid/debian
folder.
(ps. I'm building with sbuilder)

Now, this "normally" worked since squid 3.2 for me: copy the debian folder, make
minor adjustments if needed.
Just with the latest adjustments, well, I can't make it work.

These were my last adjustments..

  * Used build : squid-5.1-20210804-r1f9e52827 of 04 Aug 2021
  * Refreshed patches, removed patches already included.
  * d/control lower debhelper to 12 to allow building


Changed d/rules, added: -srcdir=. --disable-dependency-tracking
Any suggestions what I can do here?
If you want/need, I have the complete build log available.

The configure part and error.

configure: exit 1
dh_auto_configure: ./configure --build=x86_64-linux-gnu --prefix=/usr 
--includedir=\${prefix}/include --mandir=\${prefix}/share/man 
--infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var 
--disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu 
--runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking 
"BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/<>=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now " BUILDCXX=g\+\+ 
--with-build-environment=default "--enable-build-info=Debian linux" 
--datadir=/usr/share/squid --sysconfdir=/etc/squid --libexecdir=/usr/lib/squid 
--mandir=/usr/share/man --enable-inline --disable-arch-native 
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock 
--enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests 
--enable-icap-client --enable-follow-x-forwarded-for --enable-au
 th-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB 
--enable-auth-digest=file,LDAP --enable-auth-negotiate=kerberos,wrapper 
--enable-auth-ntlm=fake,SMB_LM 
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group
 --enable-security-cert-validators=fake --enable-storeid-rewrite-helpers=file 
--enable-url-rewrite-helpers=fake --enable-eui --enable-esi --enable-icmp 
--enable-zph-qos --enable-ecap --disable-translation 
--with-swapdir=/var/spool/squid --with-logdir=/var/log/squid 
--with-pidfile=/run/squid.pid --with-filedescriptors=65536 --with-large-files 
--with-default-user=proxy --srcdir=. --disable-dependency-tracking 
--enable-linux-netfilter --with-systemd --with-gnutls returned exit code 1
make[1]: *** [debian/rules:79: override_dh_auto_configure] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:71: build] Error 2


And I tested also with my last settings from my backport to Debian buster and
squid 4.16 (ssl enabled)

Resulting in:
configure: Samba TrivialDB library support: no
configure: error: external acl helper time_quota ... found but cannot be built
make: *** [/usr/share/cdbs/1/class/autotools.mk:46: debian/stamp-autotools] 
Error 1
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2



So I'm a bit stuck here..
And yes, a plain ./configure does configure it all without problems..

Any tips on this?

Greetz, 

Louis




Re: [squid-users] squid 5.1/Debian WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-09-15 Thread L . P . H . van Belle
How do you build and start it, init.d/squid or systemd start squid?

In case of the last, which I suspect, I have seen more of these messages on previous
versions..
But all my versions don't show this on Debian 10.

This is my latest startup for systemd

# /lib/systemd/system/squid.service
## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##
 
[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
 
[Service]
Type=notify
PIDFile=/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all
 
[Install]
WantedBy=multi-user.target


--- 
these are the settings from a Debian (own) build setup with squid 4.16 (with
ssl enabled)

squid -v
Squid Cache: Version 4.16
Service Name: squid
Debian linux
 
This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html
 
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 
-fdebug-prefix-map=/build/squid-4.16=. -fstack-protector-strong -Wformat 
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now 
-Wl,--as-needed' 'BUILDCXX=x86_64-linux-gnu-g++' 
'--with-build-environment=default' '--enable-build-info=Debian linux' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' 
'--disable-arch-native' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-ica
 p-client' '--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,SMB_LM' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
 '--enable-security-cert-validators=fake' 
'--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' 
'--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' 
'--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' 
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' 
'--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' 
'--with-gnutls' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' 
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 
'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/buil
 d/squid-4.16=. -fstack-protector-strong -Wformat -Werror=format-security 
-Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time 
-D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 
-fdebug-prefix-map=/build/squid-4.16=. -fstack-protector-strong -Wformat 
-Werror=format-security'


Look if you also see: '--with-default-user=proxy'
and if it's self compiled:
sudo adduser --system proxy
And when that's done, verify the needed folders and their rights/ownerships.

The "debian" folder, if you want it: have a look at what I use currently in
production.

https://apt.van-belle.nl/debian/pool/main/s/squid/squid_4.16-0.1ssl1buster1.debian.tar.xz


As soon as I can make Debian packages of 5.1, I'm making a buster and bullseye
version.

I hope this helps you a bit.

Greetz, 

Louis

 






From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
On behalf of David Touzeau
Sent: Wednesday 15 September 2021 12:40
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid 5.1/Debian WARNING: no_suid: setuid(0):
(1) Operation not permitted


On Debian 10 64bits with squid 5.1 we have thousands of warnings like this:

2021/09/15 08:00:18 kid1| WARNING: no_suid: setuid(0): (1) Operation 
not permitted
2021/09/15 08:00:18 kid2| WARNING: no_suid: setuid(0): (1) Operation 
not permitted
2021/09/15 08:00:18 kid1| WARNING: no_suid: setuid(0): (1) Operation 
not permitted
2021/09/15 08:00:18 kid2| WARNING: no_suid: setuid(0): (1) Operation 
not permitted
2021/09/15 08:00:18 kid1| WARNING: no_suid: setuid(0): (1) Operation 
not permitted
  

Re: [squid-users] Compile/Rebuilding on debian bullseye (or buster)

2021-09-15 Thread L . P . H . van Belle
Hai Amos, 

Thanks for the reply, I had missed the change from db to tdb, thanks for that.

What I notice in the builds is,

I see this one..

config.status: creating test-suite/Makefile

And then I see these, then it fails.

cp ../../src/tests/stub_fd.cc tests/stub_fd.cc
cp: cannot create regular file 'tests/stub_fd.cc': No such file or directory
make[4]: *** [Makefile:1445: tests/stub_fd.cc] Error 1


Is it possible that the "tests" folder (keep in mind the above uses the old /debian
setup)
has been changed to "test-suite"..

I'm not really that into the code but, it "looks" like there is a folder missing,
"tests".
Based on the above, if I can disable all tests, it should build.

Suggestion on disabling the tests?


Greetz, 

Louis

 

> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 15 September 2021 1:14
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Compile/Rebuilding on debian
> bullseye (or buster)
> 
> On 14/09/21 9:22 pm, L.P.H. van Belle wrote:
> > Hai Amos,
> > 
> > Im attempting to make a squid 5.1 build based on the 
> bullseye squid/debian folder.
> > ( ps. Im building with sbuilder )
> > 
> > Now, this "normaly" worked since squid 3.2 for me, copy the 
> debian folder, make minor adjustments if needed,
> > Just with latest adjustments, well, i cant make it work.
> > 
> > This was my last adjustmated..
> > 
> >* Used build : squid-5.1-20210804-r1f9e52827 of 04 Aug 2021
> >* Refreshed patches, removed patches already included.
> >* d/control lower debhelper to 12 to allow building
> > 
> > 
> > Changed d/rules, added. -srcdir=. --disable-dependency-tracking
> > Any suggestions what i can do here?
> 
> I am a bit stuck here myself with this build style, that is 
> part of why 
> the package is not already updated. The Debian auto-build system adds 
> those options and AFAICT does not provide an easy way to avoid.
> 
> 
> > 
> > And i tested also with my last settings from my backport to 
> Debian buster and squid 4.16(ssl enabled)
> > 
> > Resulting in :
> > configure: Samba TrivialDB library support: no
> > configure: error: external acl helper time_quota ... found 
> but cannot be built
> > make: *** [/usr/share/cdbs/1/class/autotools.mk:46: 
> debian/stamp-autotools] Error 1
> > dpkg-buildpackage: error: debian/rules build subprocess 
> returned exit status 2
> > 
> --
> --
> 
> Debian used to use the BerkeleyDB, so the normal Squid build 
> dependencies pulls the library in for that.
> 
> If libdb-dev is no longer available you will need to install 
> libtdb-dev 
> package.
> 
> Also, (for now) if you are using the ext_time_quote_acl or 
> ext_session_acl helpers you will need to manually purge their 
> databases 
> on install/upgrade.
> 
> Amos
> 
> 



Re: [squid-users] Compile/Rebuilding on debian bullseye (or buster)

2021-09-16 Thread L . P . H . van Belle
Good Morning. 


> > 
> 
> I have spent a while working on it today and have pushed an update to 
> Debian packaging repo. Please pull a new copy of that latest. 
> It should  fix all the issues you have.

Wow, Thank you very very much Amos.. 
I'm on it now :-)

I'll post the results later today.

Greetz, 
Louis





Re: [squid-users] Compile/Rebuilding on debian bullseye (or buster)

2021-09-16 Thread L . P . H . van Belle
Good Afternoon Amos, (and others of course),

A small update on this.
Short version: I can make the bullseye package ready for production but not for
buster (yet).

Long version..

If I pull in the debian salsa git, the build fails on bullseye.
(that's more me, because I lack knowledge on git use).
So I took the "debian" folder from git and added it to the
extracted 5.1 source from 4 aug. (squid-5.1-20210804-r1f9e52827)
Then I can build the packages for debian bullseye.

Lintian shows some messages but no show stoppers.

Currently the salsa debian/changelog contains 5.1-2 but since it's not released
yet,
I'll change this to 0.1 in my package builds, but I think, when you update it
into debian
you should have 5.1-1 (for unstable).

Now I try to build again for buster.. And these keep failing on this part. (see
below).
What I don't get is why below in the output "suddenly" files are missing;
that's one I don't get.
I think it's build standards or debhelper where this is coming from, I don't know
(yet)..

The only changes I made were these:
  * Build from upstream release : squid-5.1-20210804-r1f9e52827
  * d/watch, changed http to https
  * d/control, changed build depend : debhelper 12.8 to 13
  * d/patches, added fix-typos.patch #(typos found by lintian)
  * changed versioning in d/changelog 5.1-2 back to 5.1-1

Note, with debhelper the bullseye build worked, only we need 13 and up;
I did lower it to 12 to allow building for buster.

# fix-typos.patch included in this mail.

I'll revert the debhelper compat back to 13 and will do
a new buster build attempt with debhelper 13 from buster-backports

(error part on buster, maybe someone can use it)
make[1]: Entering directory '/<>'
dh_install -psquid -psquid-common -psquidclient -psquid-cgi -psquid-purge \
--sourcedir=/<>/debian/tmp
dh_install: Cannot find (any matches for) "etc/squid/conf.d" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/squid/conf.d
dh_install: Cannot find (any matches for) "etc/logrotate.d" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/logrotate.d
dh_install: Cannot find (any matches for) "etc/resolvconf" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/resolvconf
dh_install: Cannot find (any matches for) "etc/ufw" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/ufw
dh_install: Cannot find (any matches for) "etc/apparmor.d/disable" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/apparmor.d/disable
dh_install: Cannot find (any matches for) "etc/apparmor.d/force-complain" 
(tried in /<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/apparmor.d/force-complain
dh_install: Cannot find (any matches for) "etc/apparmor.d/usr.sbin.squid" 
(tried in /<>/debian/tmp, debian/tmp)

dh_install: squid missing files: etc/apparmor.d/usr.sbin.squid
dh_install: Cannot find (any matches for) "usr/lib/cgi-bin/cachemgr.cgi" (tried 
in /<>/debian/tmp, debian/tmp)

dh_install: squid-cgi missing files: usr/lib/cgi-bin/cachemgr.cgi
dh_install: Cannot find (any matches for) "usr/bin/squid-purge" (tried in 
/<>/debian/tmp, debian/tmp)

dh_install: squid-purge missing files: usr/bin/squid-purge
dh_install: Cannot find (any matches for) "usr/share/man/man1/squid-purge.1" 
(tried in /<>/debian/tmp, debian/tmp)

dh_install: squid-purge missing files: usr/share/man/man1/squid-purge.1
dh_install: missing files, aborting
make[1]: *** [debian/rules:154: override_dh_install] Error 25
make[1]: Leaving directory '/<>'
make: *** [debian/rules:70: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit 
status 2



So far,

Greetz, 

Louis



fix-typos.patch
Description: Binary data


[squid-users] Squid 5.1 for Debian Bullseye (amd64/i386/sources)

2021-09-20 Thread L . P . H . van Belle
And I have the Debian Bullseye packages also online.

My changelog compared to the Debian Unstable one.

 squid (5.1-1.1bullseye1) bullseye; urgency=medium

   * Non-maintainer upload.
   * Used sources from squid-cache.org build : squid-5.1-20210804-r1f9e52827
   * Lowered previous version 5.1-2 back to 5.1-1
   * d/patches, added fix-typos.patch found by Lintian.
   * d/watch, change http to https
   * d/*.tmp-file to *.tmp-files, Linitian predicated warnings on tmp-file
   * d/rules switched lines 160-161, made the build more consistent.
 - lowered this line: dh_installsystemd -psquid-openssl --name=squid


Setting up my repo.
wget -O- https://apt.van-belle.nl/louis-van-belle.gpg-key.asc |\
gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/louis-van-belle.gpg > /dev/null

# set your arch, options amd64 or i386

echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/louis-van-belle.gpg] http://apt.van-belle.nl/debian/ bullseye-squid51 main" \
 | sudo tee -a /etc/apt/sources.list.d/van-belle.list


Enjoy people and thank you Amos for these fast changes.


Louis



Re: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

2021-09-21 Thread L . P . H . van Belle



In your smb.conf add:
# Added to enforce NTLM 2, must be set on all Samba AD-DCs and the needed
# members.
# This is used in combination with ntlm_auth --allow-mschapv2
ntlm auth = mschapv2-and-ntlmv2-only

In squid use:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -k \
/etc/squid/krb5-squid-HTTP.keytab \
-s HTTP/proxy.fq.dn@my.realm.tld \
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego \
--domain=ADDOM


If you are connecting for ldap.. Don't use -h 192.168.90.10
Use -H ldaps://host.name.fq.dn

Also push the root-CA of the domain to the PCs with a GPO, for example,
and in that GPO you can set the parts you need to enable for the users/PCs to
make it all work.

But you're close, you're almost there..

One thing I have not looked at myself yet, ext_kerberos_ldap_group_acl
https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8

That's one I'll be using with squid 5.1; I'm still compiling everything I need,
but then I'm setting
it up, I'll document it and make a howto of it.

Greetz, 

Louis





From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
On behalf of David Touzeau
Sent: Tuesday 21 September 2021 1:49
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid 5.1: Kerberos: Unable to switch to basic
auth with Edge - IE - Chrome


Hi all

I have set up Kerberos authentication with a Windows 2019 domain using
Squid 5.1 (The Squid version did not fix the issue - Tested 4.x and 5.x)
In some cases, some computers are not joined to the domain and we
need to allow them to authenticate on Squid

To allow this, Basic Authentication is defined in Squid and we expect
that browsers prompt a login to be authenticated and access the Internet

But the behavior is strange.

On a computer outside the windows domain:
Firefox is able to be successfully authenticated to squid using
basic auth.
Edge, Chrome and IE still try using the NTLM method and are always
rejected with a 407

When Edge, Chrome and IE try to establish a session, Squid claims

2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

This lets us understand that these 3 browsers try NTLM instead of
Basic Authentication.

I do not know why these browsers use NTLM as they are not connected
to the Windows domain.
Why does squid never get the Basic Authentication credentials?

Did I miss something?

Here it is my configuration.

auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s 
GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 
queue-size=80 on-persistent-overload=ERR
auth_param negotiate keep_alive on

auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b \
"DC=articatech,DC=int" -D "administra...@articatech.int" \
-W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds

acl AUTHENTICATED proxy_auth REQUIRED






Re: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

2021-09-21 Thread L . P . H . van Belle
What I showed uses kerberos; if that fails it uses ntlm.. and you can add.. if
that fails use LDAP (basic auth)..
This way, you support all of them.

If you are going only for kerberos, then make sure you set up your krb5.conf
correctly..
A + PTR records, SPN/UPNs and yes, then you can run it fully without samba (
if you're not having PTR, set rdns = no in krb5.conf)

Also, if you don't want the NTLM part, just remove the line:
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego
--domain=ADDOM


On Firefox, did you set this? In Firefox, you have to go to the about:config
page and set the parameters
network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris

As far as I can tell, what I see is that you didn't configure the browsers to use
kerberos.


Greetz,

Louis

 

 

From: David Touzeau [mailto:da...@articatech.com]
Sent: Tuesday 21 September 2021 10:18
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid 5.1: Kerberos: Unable to switch to basic
auth with Edge - IE - Chrome



Thanks Louis for these tips, but we do not want to use NTLM as it is an old way.
It requires a samba on the Squid box

As Amos said, this is mostly a browser (that uses the Microsoft API) issue

The best way is to make these browsers replicate the correct Firefox
behavior.
Meaning switch to basic auth instead of trying this stupid NTLM method

On 21/09/2021 at 09:38, L.P.H. van Belle wrote:


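Louis's two points in this thread, the Kerberos-then-NTLM wrapper line from his first reply and the note that a basic LDAP fallback can be added but should use -H ldaps:// instead of -h with a plain address, as an added shell example that is not from the thread: it renders the combined auth_param stack and lints a squid.conf for basic_ldap_auth lines that still talk to the directory in clear text. proxy.fq.dn, my.realm.tld, ADDOM, the keytab path and dc1.example.int are placeholders from or in the style of the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers:
#  1. auth_stack_config: prints the negotiate (Kerberos -> NTLM) wrapper line
#     from Louis's mail followed by a basic LDAP fallback over ldaps://.
#  2. ldap_helper_cleartext: lists auth_param basic lines in a squid.conf that
#     run basic_ldap_auth with -h and neither -H ldaps:// nor -Z (StartTLS),
#     i.e. lines that send the bind password and user credentials in clear
#     text to the directory. Returns 0 when nothing is flagged, 1 otherwise.
# proxy.fq.dn, my.realm.tld, ADDOM and dc1.example.int are placeholders.

auth_stack_config() {
    cat <<'EOF'
# 1) Kerberos first, NTLM (via Samba's ntlm_auth) if the client has no ticket
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP.keytab \
    -s HTTP/proxy.fq.dn@my.realm.tld \
    --ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM
auth_param negotiate children 20 startup=5 idle=1
auth_param negotiate keep_alive on

# 2) Basic auth against the directory for machines outside the domain;
#    -H ldaps:// keeps the password off the wire in clear text.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "DC=example,DC=int" -D "squid-bind@example.int" -W /etc/squid/ldappass.txt \
    -f sAMAccountName=%s -H ldaps://dc1.example.int
auth_param basic children 3
auth_param basic realm Active Directory example.int
auth_param basic credentialsttl 2 hours

acl AUTHENTICATED proxy_auth REQUIRED
http_access deny !AUTHENTICATED
EOF
}

# Join squid.conf backslash-continued lines, then print every basic_ldap_auth
# helper line that uses "-h host" without "-H ldaps://" or "-Z".
ldap_helper_cleartext() {
    found=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
        | grep '^auth_param[[:space:]]*basic[[:space:]]*program.*basic_ldap_auth' \
        | grep -E '(^|[[:space:]])-h[[:space:]]' \
        | grep -Ev '(^|[[:space:]])-H[[:space:]]+ldaps://|(^|[[:space:]])-Z' || true)
    [ -z "$found" ] && return 0
    printf 'clear-text LDAP helper line(s):\n%s\n' "$found"
    return 1
}

# Stand-alone run: write the generated stack to a temp file and lint it.
cfg=$(mktemp)
auth_stack_config > "$cfg"
ldap_helper_cleartext "$cfg" && echo "no clear-text LDAP helper lines in $cfg"
rm -f "$cfg"
```

Run the lint function against /etc/squid/squid.conf to see whether an existing basic_ldap_auth line, like the -h 192.168.90.10 one quoted in this thread, still binds in the clear.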

Re: [squid-users] Squid 5.1 for Debian Bullseye (amd64/i386/sources)

2021-09-21 Thread L . P . H . van Belle
 

> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Monday 20 September 2021 23:48
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 5.1 for Debian Bullseye
> (amd64/i386/sources)
> 
> On 21/09/21 1:03 am, L.P.H. van Belle wrote:
> > And i have the Debian Bullseye packages also online.
> > 
> > My changelog compaired to the Debian Unstable.
> > 
> >   squid (5.1-1.1bullseye1) bullseye; urgency=medium
> > 
> > * Non-maintainer upload.
> > * Used sources from squid-cache.org build : 
> squid-5.1-20210804-r1f9e52827
> > * Lowered previous version 5.1-2 back to 5.1-1
> > * d/patches, added fix-typos.patch found by Lintian.
> > * d/watch, change http to https
> 
> What URI are you using here exactly?
>   The www.squid-cache.org website does not provide https:// URLs.

Ai, that's an "assumption" that there was https.. (oops)..
And it does have it, but gives: *.spd.co.il :-/
I'll revert that on the next update.

> 
> 
> > * d/*.tmp-file to *.tmp-files, Linitian predicated 
> warnings on tmp-file
> > * d/rules switched lines 160-161, made the build more 
> consistent.
> >   - lowered this line: dh_installsystemd 
> -psquid-openssl --name=squid
> > 
> 
> Would you be able to send me a copy of the diff/patch for 
> these please? 
> I will see how much can be pulled into Debian official for the
> v5.2 packages.

Sure, i'll do that tomorrow. 


Greetz, 

Louis



Re: [squid-users] net err cert validity too long - chrome/safari

2021-09-23 Thread L . P . H . van Belle
sadly yes.. 

https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/certificate_lifetimes.md


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of robert k Wild
Sent: Thursday, 23 September 2021 14:53
To: squid-users@lists.squid-cache.org
Subject: [squid-users] net err cert validity too long - chrome/safari



hi all,

I get this error on Chrome and Safari. When I access the same website on 
Firefox I get the proxy error page, as I haven't whitelisted this site; when I 
whitelist it, I can get on the website on all three different browsers, and when I 
take it off the whitelist it's exactly the same as before.

I have googled, and it's because my cert's age is too long: I made it 999 days, and 
I find out now it should be longer than 397 days.

Is this correct?

thanks,
rob


-- 
Regards, 

Robert K Wild.




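As an added check for the question above (not code from the list or from Squid), the script below takes the notBefore/notAfter lines that `openssl x509 -noout -dates -in cert.pem` prints and reports whether the validity period exceeds the 398-day cap described in the Chromium document linked above; the 999-day sample dates are constructed.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from Squid):
# compute a certificate's validity period in days from the two lines that
#   openssl x509 -noout -dates -in cert.pem
# prints, and flag anything over the 398-day cap that Chrome and Safari
# apply to certificates issued on or after 2020-09-01. No external date
# tool is used: the day arithmetic is done in awk with the Gregorian
# Julian Day Number formula, so it behaves the same on GNU and BusyBox.

MAX_DAYS=398

# jdn YYYY-MM-DD: print the Julian Day Number of a Gregorian calendar date.
jdn() {
  awk -v d="$1" 'BEGIN {
    split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
    a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
    print dd + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
  }'
}

# x509_date_to_iso "Sep 27 00:00:00 2023 GMT": print 2023-09-27.
# The time of day is ignored; validity is counted in whole days.
x509_date_to_iso() {
  printf '%s\n' "$1" | awk '{
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
    printf "%04d-%02d-%02d\n", $4, m, $2
  }'
}

# cert_validity_days "<-dates output>": print notAfter minus notBefore in days.
cert_validity_days() {
  nb=$(printf '%s\n' "$1" | sed -n 's/^notBefore=//p')
  na=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
  echo $(( $(jdn "$(x509_date_to_iso "$na")") - $(jdn "$(x509_date_to_iso "$nb")") ))
}

# cert_lifetime_ok "<-dates output>": succeed only if the period is within MAX_DAYS.
cert_lifetime_ok() {
  days=$(cert_validity_days "$1")
  [ "$days" -le "$MAX_DAYS" ]
}

# Constructed sample: the -dates output of a 999-day certificate like the one
# in the thread (2021-01-01 plus 999 days is 2023-09-27).
SAMPLE_DATES='notBefore=Jan  1 00:00:00 2021 GMT
notAfter=Sep 27 00:00:00 2023 GMT'

if cert_lifetime_ok "$SAMPLE_DATES"; then
  echo "OK: $(cert_validity_days "$SAMPLE_DATES") days"
else
  echo "TOO LONG: $(cert_validity_days "$SAMPLE_DATES") days (cap is $MAX_DAYS); Chrome/Safari will reject it"
fi
```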


Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread L . P . H . van Belle
Hi, 

If you want a Squid 3.5.27 for Debian Stretch (amd64 only built), 
have a look here: http://downloads.van-belle.nl/squid/
The tar.gz contains the build log, sources used and debs.

My changelog.
squid3 (3.5.27-0.1) stretch; urgency=medium

  * Non-maintainer upload.
  * Built from squid-cache.org sources.
  * base 3.5.23 from buster.
  * No changes.

The exact version is: 
Squid Cache: Version 3.5.27-20171101-re69e56c

So nothing fancy, just the Debian standards. If you want a bit newer, 
go here: http://www.squid-cache.org/Versions/v3/3.5
and look if there is anything interesting you want, and add the patches or get a daily 
tar.gz and replace the source.tar.gz. 


Greetz, 

Louis

 

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Flashdown
> Sent: Wednesday, 7 February 2018 10:23
> To: Eliezer Croitoru
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] 4.0.23 release in Debian
> 
> FYI:
> There is already progress on Squid 4.0.23 over here: 
> https://packages.debian.org/source/experimental/squid
> 
> BTW: Hope I may get a response this time from anybody over there, then I 
> would package 3.5.27..
> 
> On 2018-02-05 10:21, Flashdown wrote:
> > Well, I've forwarded my old mail just now after subscribing to this
> > list, which I sent directly to luigi and manty because I was
> > unaware of these mailing lists. Thank you Amos!
> > 
> > On 2018-02-05 04:00, Eliezer Croitoru wrote:
> >> It seems they are not even trying to block spam...
> >> 
> >> Eliezer
> >> 
> >> 
> >> Eliezer Croitoru
> >> Linux System Administrator
> >> Mobile: +972-5-28704261
> >> Email: elie...@ngtech.co.il
> >> 
> >> 
> >> 
> >> -Original Message-
> >> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org]
> >> On Behalf Of Amos Jeffries
> >> Sent: Sunday, February 4, 2018 20:40
> >> To: Enrico Heine ; 
> >> squid-users@lists.squid-cache.org
> >> Subject: Re: [squid-users] 4.0.23 release in Debian
> >> 
> >> On 05/02/18 00:06, Enrico Heine wrote:
> >>> Already asked the responsible guys if I can support them by packaging
> >>> squid for Debian, since this is what I already do for my company and
> >>> there is no reason for not sharing it or building it in my spare time at
> >>> home. Unfortunately I never got an answer, so I thought ok, I can't force
> >>> them to allow me to contribute something back. I would also have been
> >>> grateful for just becoming an uploader to experimental only. Sad
> >>> story, I guess they are too busy to even listen to people trying
> >>> to help.
> >>> 
> >> 
> >> Who did you contact? The Debian 'squid' and 'squid3' packages are being
> >> maintained by a team these days. I have not seen any messages from you
> >> going to that mailing list:
> >> 
> >> 
> >> 
> >> Amos


Re: [squid-users] Your cache is running out of filedescriptors

2018-05-29 Thread L . P . H . van Belle
Is Squid starting via a systemd service startup? 

If so try: 
systemctl edit squid.service

Add at the Service section: 
[Service]
LimitNOFILE=8192:65535



Greetz, 

Louis


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Matus UHLAR - fantomas
> Sent: Tuesday, 29 May 2018 8:58
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Your cache is running out of filedescriptors
> 
> On 28.05.18 15:54, Rejaine Monteiro wrote:
> >Solved by putting the following configuration in the /etc/security/limits.conf file:
> >
> >squid   hard    nofile  4096
> >squid   soft    nofile  4096
> 
> was there anything like that before? (including "*" in first column)
> 
> It's usually better not to put any limits there.
> 
> >2018-05-28 13:45 GMT-03:00 Rejaine Monteiro :
> >> Hello everyone.
> >>
> >> My squid is running normally, but after a while it stops working and I
> >> have to restart every time. The message that appears in the log is
> >>
> >>  "Your cache is running out of filedescriptors"
> >>
> >> I already configured the fs.file-max = 65535 parameter in /etc/sysctl.conf.
> >>
> >> I am running openSuse 13.2 and also configured in the
> >> /etc/sysconfig/squid to SQUID_DEFAULT_ULIMT = "65535" and in the
> >> startup script /etc/rc.d/squid  SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="65535"}
> >>
> >> Nothing solved !!! Any tips?
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> "One World. One Web. One Program." - Microsoft promotional advertisement
> "One people, one Reich, one leader!" - Adolf Hitler


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread L . P . H . van Belle
Hai, 

I would say Facebook protected their certificates with TLSA. 
Then you can't use SSL bump, if I'm correct. 

Greetz, 

Louis 

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Julian Perconti
> Sent: Tuesday, 12 June 2018 21:55
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] SSL errors with Squid 3.5.27
> 
> >Interesting.
> >
> >The main issue was that you configured only params for the Diffie-Hellman (DH and DHE) 
> >ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they 
> >require a curve name as well.
> >
> >Removing this option completely disables both DH and ECDH cipher types.
> >Leaving your proxy with only the RSA based ciphers.
> >
> >Amos
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> Hi Amos,
> 
> I still have no luck connecting with WhatsApp from iOS.
> 
> How can I track this error?:
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> I mean examine the FD, ...or.. what? How? Because from iOS I 
> can't see any error, it just tries to connect indefinitely.
> 
> Some whatsapp/Facebook server with the command:
> 
> openssl s_client -showcerts -connect x.x.x.x:443 
> 
> Does not show any cert and establishes a connection with TLS 1.2...
> 
> Any idea?
> 
> Thank You
> 


Re: [squid-users] [squid-announce] Squid 4.1 is available

2018-07-24 Thread L . P . H . van Belle
Hai, 

If people want, I've created Debian Stretch packages for Squid 4.1 yesterday. 

I am testing them today, and if you want to test them, you can find them here: 
https://downloads.van-belle.nl 

Drop me a note on how they are working; if they are OK, I'll put them on my repo.

I took the Debian Unstable sources for this rebuild. 
Build logs etc. are available through the link. 


Greetz, 

Louis
 

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of TarotApprentice
> Sent: Tuesday, 24 July 2018 6:45
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] [squid-announce] Squid 4.1 is available
> 
> I’ve emailed the packaging team. The more people that ask the more likely 
> they are to act on it, so if anyone else is interested please drop them an email.
> 
> MarkJ
> 
> > On 6 Jul 2018, at 3:52 pm, Amos Jeffries  wrote:
> > 
> >> On 06/07/18 14:27, TarotApprentice wrote:
> >> Hopefully the Debian guys will push this through to Stretch-backports
> >> this time. 3.5.27 only made it as far as buster (testing).
> >> Unfortunately libc 2.27 is in there and that meant it wanted to
> >> update many other packages.
> >> 
> > 
> > You can post a request to sq...@packages.debian.org, or file a bug. One
> > of the uploaders in the team may act earlier if they are aware of interest.
> > 
> > Amos
> 


Re: [squid-users] squid as wpad server?

2018-07-31 Thread L . P . H . van Belle
Read:
https://findproxyforurl.com/official-toolset/ 
That one helped me a lot; all you want to know is there, IMO. 

Greetz, 

Louis

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of L A Walsh
> Sent: Tuesday, 31 July 2018 8:02
> To: squid-us...@squid-cache.org
> Subject: [squid-users] squid as wpad server?
> 
> I seem to remember reading that one way to improve reliability is to have
> your proxy software be able to double as a web-server for WPAD.dat.
> 
> Is there a published means for doing this w/squid or would something need
> to be cobbled together?
> 
> I'm currently running a small internal-only web-server (lighttpd) which
> is still slowly suffering from creeping featurism and takes re-en-lightening
> myself with new SW updates, and just thinking some way to do the same
> in squid might make for 1 less piece of SW to think about configuring and
> keeping alive (not that it needs to do much).
> 
> Of course, in addition to updates, there's always the temptation to do
> more with it, internally, and probably mangling my wpad server in the
> process (at least until I caught it).
> 
> Anyway, given the advice in the wiki regarding WPAD and the reliability of
> having it in your proxy, it seemed like it might be something that's come
> up before...(?)  Would seem to be just a matter of listening for
> requests on port 80 (wpad+proxy at same IP) and serving up the
> wpad.dat static file. 
> 


[squid-users] assertion failed

2018-08-02 Thread L . P . H . van Belle
Hai, 
 
I'm testing Squid 4.1 on Debian Stretch; I've rebuilt the Debian Sid 4.1 for 
Stretch. 
Everything looks good, I only see one failed line in cache.log (see below). 
This is the default configuration, only 1 change made. 
In Debian we have: /etc/squid/conf.d/debian.conf 
# Squid configuration settings for Debian
#
 
# Logs are managed by logrotate on Debian
logfile_rotate 0
 
# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
http_access allow localnet    << I enable only the localnet. 

 
If I google for "assertion failed: comm.cc:428: "!isOpen(conn->fd)" 
I get only 3 hits; does someone know what this is, because I can't figure this 
out. 
 
 
This is the content.
2018/08/02 06:25:01| Set Current Directory to /var/spool/squid
2018/08/02 06:25:01 kid1| storeDirWriteCleanLogs: Starting...
2018/08/02 06:25:01 kid1|   Finished.  Wrote 0 entries.
2018/08/02 06:25:01 kid1|   Took 0.00 seconds (  0.00 entries/sec).
2018/08/02 06:25:01 kid1| logfileRotate: daemon:/var/log/squid/access.log
2018/08/02 06:25:01 kid1| logfileRotate: daemon:/var/log/squid/access.log
2018/08/02 06:25:01 kid1| assertion failed: comm.cc:428: "!isOpen(conn->fd)"    <<< This one ? 
2018/08/02 06:25:01 kid1| Set Current Directory to /var/spool/squid
2018/08/02 06:25:01 kid1| Starting Squid Cache version 4.1 for x86_64-pc-linux-gnu...
2018/08/02 06:25:01 kid1| Service Name: squid
2018/08/02 06:25:01 kid1| Process ID 26222
2018/08/02 06:25:01 kid1| Process Roles: worker
2018/08/02 06:25:01 kid1| With 1024 file descriptors available
2018/08/02 06:25:01 kid1| Initializing IP Cache...
2018/08/02 06:25:01 kid1| DNS Socket created at [::], FD 5
2018/08/02 06:25:01 kid1| DNS Socket created at 0.0.0.0, FD 9
2018/08/02 06:25:01 kid1| Adding domain internal.domain.tld from /etc/resolv.conf
2018/08/02 06:25:01 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2018/08/02 06:25:01 kid1| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2018/08/02 06:25:01 kid1| Adding nameserver 192.168.0.2 from /etc/resolv.conf
2018/08/02 06:25:01 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2018/08/02 06:25:01 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2018/08/02 06:25:01 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/08/02 06:25:01 kid1| Store logging disabled
2018/08/02 06:25:01 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/08/02 06:25:01 kid1| Target number of buckets: 1008
2018/08/02 06:25:01 kid1| Using 8192 Store buckets
2018/08/02 06:25:01 kid1| Max Mem  size: 262144 KB
2018/08/02 06:25:01 kid1| Max Swap size: 0 KB
2018/08/02 06:25:01 kid1| Using Least Load store dir selection
2018/08/02 06:25:01 kid1| Set Current Directory to /var/spool/squid
2018/08/02 06:25:01 kid1| Finished loading MIME types and icons.
2018/08/02 06:25:01 kid1| HTCP Disabled.
2018/08/02 06:25:01 kid1| Pinger socket opened on FD 14
2018/08/02 06:25:01 kid1| Squid plugin modules loaded: 0
2018/08/02 06:25:01 kid1| Adaptation support is off.
2018/08/02 06:25:01 kid1| Accepting HTTP Socket connections at local=[::]:3128 
remote=[::] FD 12 flags=9
2018/08/02 06:25:01| pinger: Initialising ICMP pinger ...
2018/08/02 06:25:01| pinger: ICMP socket opened.
2018/08/02 06:25:01| pinger: ICMPv6 socket opened
2018/08/02 06:25:02 kid1| storeLateRelease: released 0 objects
2018/08/02 07:10:26 kid1| Logfile: opening log stdio:/var/spool/squid/netdb.state
2018/08/02 07:10:26 kid1| netdbSaveState stdio:/var/spool/squid/netdb.state: (0) No error.

 
 
Best regards, 
 
Louis
 


Re: [squid-users] assertion failed

2018-08-03 Thread L . P . H . van Belle
Hello Alex, 

Thank you for the reply and the bug report link. 
Totally forgot to check the bugzilla, sorry for that. 

I did read it and that's exactly what it is. 

I also can confirm that the assertion only happens with the logrotate. 
Squid does not crash, so that looks all ok to me; I just don't like the messages 
in my logs. 
So for now I changed the logrotate, which eliminated the message. 
From the default Debian logrotate, and yes, I would prefer squid -k rotate 
also. 
But for now, I'll restart. 

I changed logrotate to: 

prerotate
   test ! -x /usr/sbin/sarg-reports || /usr/sbin/sarg-reports daily
endscript

postrotate
   if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet squid.service; then
      systemctl restart squid.service
   elif [ -f /var/run/squid.pid ]; then
      test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
   fi
endscript

Best regards, 

Louis



> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Thursday, 2 August 2018 17:43
> To: L.P.H. van Belle; squid-us...@squid-cache.org
> Subject: Re: [squid-users] assertion failed
> 
> On 08/02/2018 07:46 AM, L.P.H. van Belle wrote:
>   
> > If I google for "assertion failed: comm.cc:428: "!isOpen(conn->fd)" 
> > I get only 3 hits; does someone know what this is, because I can't figure
> > this out.
> 
> When facing an assertion, one should check Squid bugzilla:
> https://bugs.squid-cache.org/show_bug.cgi?id=4796
> 
> Alex.
>  
> > 2018/08/02 06:25:01 kid1| storeDirWriteCleanLogs: Starting...
> > 2018/08/02 06:25:01 kid1| logfileRotate: daemon:/var/log/squid/access.log
> > 2018/08/02 06:25:01 kid1| logfileRotate: daemon:/var/log/squid/access.log
> > 2018/08/02 06:25:01 kid1| assertion failed: comm.cc:428: "!isOpen(conn->fd)"
> 
> 
> 



Re: [squid-users] Squid File descriptors warning

2018-08-07 Thread L . P . H . van Belle
I do know there is/was a bug where systemd isn't picking up the file descriptors; 
you might have hit it. 
I'm suspecting your start script is a sysv script invoked by systemd. 
 
Try to set the limits within the start script (sysv) so the correct user 
(running Squid) gets the file descriptors.
 
I run Debian 9, with a recompiled Squid from Debian Sid, and that works fine for 
me atm. 
If you use the 4.1 from Sid, add the following changes also. 

/etc/logrotate.d/squid 
    postrotate
        if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet squid.service; then
            systemctl restart squid.service
        elif [ -f /var/run/squid.pid ]; then
            test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
        fi
    endscript
 

Try the following; the command below creates the file 
/etc/systemd/system/squid.service.d/override.conf. 
Add the following there. 
 
systemctl edit squid
[Unit]
After=network.target network-online.target nss-lookup.target
Wants=network-online.target
 
[Service]
LimitNOFILE=8192:65535
User=proxy
Group=proxy
 
 
Greetz, 
 
Louis
 
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Alex K
Sent: Tuesday, 7 August 2018 9:46
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid File descriptors warning



Hi all, 



I observed the following warning at squid cache logs: 



WARNING! Your cache is running out of filedescriptors


Googling around I tried to increase the default file descriptors of the system 
(I am running Debian9 x64 bit), by setting at /etc/sysctl.conf: 



fs.file-max=802762


Restarted system. Still was receiving the warnings. 



When checking further I observed that I have the following default limits: 





ulimit -a
core file size  (blocks, -c) 0
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited
pending signals (-i) 15338
max locked memory   (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files  (-n) 1024
pipe size    (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority  (-r) 0
stack size  (kbytes, -s) 8192
cpu time   (seconds, -t) unlimited
max user processes  (-u) 15338
virtual memory  (kbytes, -v) unlimited
file locks  (-x) unlimited





Where the "open files" seems to be the related one. 



I set also the following at squid conf: 



max_filedescriptors 65535


I am running a compiled version 3.5.23. 



I am not sure I have done the correct steps or if I need to tweak the ulimits 
also.

Any experience from your side?


Thanx, 

alex




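Both file-descriptor threads above (Rejaine's and Alex K's) come down to the same question: did the LimitNOFILE= drop-in actually reach the Squid worker? The following is an added check, not code from the list or from Squid; it assumes the unit is named squid.service as in the thread, and compares the kernel's /proc/<pid>/limits with the "With N file descriptors available" line Squid logs at start-up, using constructed sample files.

```shell
#!/bin/sh
# Added example for the file-descriptor threads (not code from the list or
# from Squid): check that a LimitNOFILE= override actually reached the
# running Squid worker. Two independent sources are compared, the kernel's
# view in /proc/<pid>/limits and the "With N file descriptors available"
# line Squid writes to cache.log at start-up.

# nofile_soft_limit <limits-file>: print the soft "Max open files" value.
nofile_soft_limit() {
  awk '/^Max open files/ { print $4 }' "$1"
}

# squid_reported_fds <cache.log>: print the descriptor count Squid logged at
# its most recent start (empty if no such line is present).
squid_reported_fds() {
  awk '/With [0-9]+ file descriptors available/ { n = $(NF - 3) } END { print n }' "$1"
}

# fd_limit_ok <wanted> <limits-file> <cache.log>: succeed only if both the
# kernel limit and Squid's own report are at least <wanted>.
fd_limit_ok() {
  wanted=$1
  have=$(nofile_soft_limit "$2")
  seen=$(squid_reported_fds "$3")
  [ "${have:-0}" -ge "$wanted" ] && [ "${seen:-0}" -ge "$wanted" ]
}

# Constructed samples: a worker still at the 1024 default, i.e. the override
# in the drop-in did not take effect.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/limits" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
EOF
cat > "$SAMPLE_DIR/cache.log" <<'EOF'
2018/08/13 16:30:57 kid1| Starting Squid Cache version 4.2 for x86_64-pc-linux-gnu...
2018/08/13 16:30:57 kid1| Process Roles: worker
2018/08/13 16:30:57 kid1| With 1024 file descriptors available
EOF

if fd_limit_ok 4096 "$SAMPLE_DIR/limits" "$SAMPLE_DIR/cache.log"; then
  echo "LimitNOFILE override is in effect"
else
  echo "override NOT in effect: kernel soft limit $(nofile_soft_limit "$SAMPLE_DIR/limits"), Squid reports $(squid_reported_fds "$SAMPLE_DIR/cache.log")"
fi

# On a live Debian host the same check would read (assumes the unit is named
# squid.service, as in the thread):
#   pid=$(systemctl show -p MainPID --value squid.service)
#   fd_limit_ok 4096 "/proc/$pid/limits" /var/log/squid/cache.log
```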


Re: [squid-users] Squid File descriptors warning

2018-08-07 Thread L . P . H . van Belle
Hai Amos, 

Yes, true, but if systemd-sysv is installed, and it probably is, you might hit 
this bug. 
Systemd is calling the sysv script. 

I tried to find the bug report, but I've too many things thrown at my head 
atm, sorry.

My production Squid = 3.5.27 and no problems. (also rebuilt from Sid at the 
time.)
The Squid 4.1 from Debian Sid runs fine also. 

My best advice: check out that 4.1 example for systemd and start using that. 


Greetz, 

Louis



> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries
> Sent: Tuesday, 7 August 2018 11:05
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid File descriptors warning
> 
> On 07/08/18 20:44, L.P.H. van Belle wrote:
> > I do know there is/was a bug where systemd isn't picking up the
> > file descriptors; you might have hit it.
> > I'm suspecting your start script is a sysv script invoked by systemd.
> >  
> 
> squid-3.5 builds are using sysV init.d scripts.
> 
> Amos


Re: [squid-users] Squid 4.2 is available ( debian stretch )

2018-08-13 Thread L . P . H . van Belle
Hai, 

Thank you for the new release.

If people want to test against Debian, I've created Debian Stretch packages for 
Squid 4.2 today. 
I am testing them as we speak, and if you want to test them, you can find them 
here: 
https://downloads.van-belle.nl 

I took the Debian squid GIT sources for this rebuild against Debian Stretch.
Build logs are available through the downloads link.
Drop me a note on how they are working; if they are OK, I'll put them on my repo.
I've kept all settings at the default in these tests. Only enabled the "localnet". 

I'm using the following systemd service settings. 

The defaults, + (systemctl edit squid.service) 
# /etc/systemd/system/squid.service.d/override.conf
[Service]
# The default is 1024, increase this if needed.
LimitNOFILE=4096

For Squid 4.1, I changed the logrotate file a bit. 
I added the systemd part and changed reload to restart, due to the assertion fail. 

A part of: /etc/logrotate.d/squid
postrotate
    if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet squid.service; then
        systemctl reload squid.service
    elif [ -f /var/run/squid.pid ]; then
        test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
    fi
endscript

After the upgrade to 4.2, I changed the restart back to reload, and no assertion 
failed anymore in 4.2 :-).  

My question for 4.2 is: 
Anyone any idea why we see 2x "2018/08/13 16:30:57| Created PID file 
(/var/run/squid.pid)" in the start-up process?  
I noticed this in the cache.log; I tested this with a normal start/stop and 
restart and reboot.

The log part (from a restart): 
2018/08/13 16:30:26 kid1| Preparing for shutdown after 0 requests
2018/08/13 16:30:26 kid1| Waiting 30 seconds for active connections to finish
2018/08/13 16:30:26 kid1| Closing HTTP(S) port [::]:3128
2018/08/13 16:30:26 kid1| Closing Pinger socket on FD 14
2018/08/13 16:30:33| Pinger exiting.
2018/08/13 16:30:57 kid1| Shutdown: NTLM authentication.
2018/08/13 16:30:57 kid1| Shutdown: Negotiate authentication.
2018/08/13 16:30:57 kid1| Shutdown: Digest authentication.
2018/08/13 16:30:57 kid1| Shutdown: Basic authentication.
2018/08/13 16:30:57 kid1| Shutting down...
2018/08/13 16:30:57 kid1| storeDirWriteCleanLogs: Starting...
2018/08/13 16:30:57 kid1|   Finished.  Wrote 0 entries.
2018/08/13 16:30:57 kid1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.044 seconds = 0.044 user + 0.000 sys
Maximum Resident Size: 94112 KB
Page faults with physical i/o: 0
2018/08/13 16:30:57 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2018/08/13 16:30:57 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2018/08/13 16:30:57 kid1| Open FD UNSTARTED10 IPC UNIX STREAM Parent
2018/08/13 16:30:57 kid1| Squid Cache (Version 4.2): Exiting normally.
2018/08/13 16:30:57| Removing PID file (/var/run/squid.pid)
2018/08/13 16:30:57| Created PID file (/var/run/squid.pid)
2018/08/13 16:30:57 kid1| Set Current Directory to /var/spool/squid
2018/08/13 16:30:57 kid1| Creating missing swap directories
2018/08/13 16:30:57 kid1| No cache_dir stores are configured.
2018/08/13 16:30:57| Removing PID file (/var/run/squid.pid)
2018/08/13 16:30:57| Created PID file (/var/run/squid.pid)
2018/08/13 16:30:57 kid1| Set Current Directory to /var/spool/squid
2018/08/13 16:30:57 kid1| Starting Squid Cache version 4.2 for x86_64-pc-linux-gnu...
2018/08/13 16:30:57 kid1| Service Name: squid
2018/08/13 16:30:57 kid1| Process ID 1658
2018/08/13 16:30:57 kid1| Process Roles: worker
2018/08/13 16:30:57 kid1| With 4096 file descriptors available
2018/08/13 16:30:57 kid1| Initializing IP Cache...


Greetz, 

Louis




Re: [squid-users] Squid 4.2 is available ( debian stretch )

2018-08-13 Thread L . P . H . van Belle
Hai Alex, 

Ah, yes, you're totally right. 
Just checked the systemd service file again and it shows: 

ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid -sYC

Sorry for the stupid question. Should have seen that. 
But thank you for the reply. 

Greetz, 

Louis


> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Monday, 13 August 2018 18:02
> To: L.P.H. van Belle; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.2 is available ( debian stretch )
> 
> On 08/13/2018 08:58 AM, L.P.H. van Belle wrote:
> 
> > My question for 4.2 is: 
> > Anyone any idea why we see 2x "2018/08/13 16:30:57| Created PID file (/var/run/squid.pid)"  in the start-up process?  
> 
> Your scripts are probably starting Squid twice, first with the -z option
> (to create cache_dir directories if they are missing and exit) and then
> once again without that option (to serve traffic).
> 
> IIRC, older Squids did not create the PID file while creating cache_dir
> directories, leading to nasty conflicts between concurrent Squid
> instances. Future Squids should create missing directories automatically
> (in most cases), but I am not aware of anybody sponsoring that feature.
> 
> HTH,
> 
> Alex.
> 
> 
> > 2018/08/13 16:30:57| Created PID file (/var/run/squid.pid)
> > 2018/08/13 16:30:57 kid1| Set Current Directory to /var/spool/squid
> > 2018/08/13 16:30:57 kid1| Creating missing swap directories
> > 2018/08/13 16:30:57 kid1| No cache_dir stores are configured.
> > 2018/08/13 16:30:57| Removing PID file (/var/run/squid.pid)
> > 2018/08/13 16:30:57| Created PID file (/var/run/squid.pid)
> > 2018/08/13 16:30:57 kid1| Set Current Directory to /var/spool/squid
> > 2018/08/13 16:30:57 kid1| Starting Squid Cache version 4.2 for x86_64-pc-linux-gnu...
> > 2018/08/13 16:30:57 kid1| Service Name: squid
> > 2018/08/13 16:30:57 kid1| Process ID 1658
> > 2018/08/13 16:30:57 kid1| Process Roles: worker
> > 2018/08/13 16:30:57 kid1| With 4096 file descriptors available
> > 2018/08/13 16:30:57 kid1| Initializing IP Cache...
> 
> 



Re: [squid-users] NTLM Authentication / Centos 7

2018-08-21 Thread L . P . H . van Belle
> Also, what then do the other lines in your config then say to do with
> the NTLM type-1 requests (no credentials) and failed-login requests?

No, this happened after the last security update of Samba. 

This is due to a Samba update.
SECURITY UPDATE: Weak authentication protocol allowed 
CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1

You can easily test this, add 'ntlm auth = yes' to smb.conf and
restart. If this cures your problem, then you have two choices, leave
it alone and put up with a possibly insecure server, or fix your
clients to only use NTLMv2 and remove the line from smb.conf.

Greetz, 

Louis



Re: [squid-users] NTLM Authentication / Centos 7

2018-08-21 Thread L . P . H . van Belle

Ah, sorry Amos, 

I understood you to mean the question was about the NTLM auth itself, not 
the token. 
My misunderstanding.  :-/ 

Greetz, 

Louis


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries
> Sent: Tuesday, 21 August 2018 16:21
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] NTLM Authentication / Centos 7
> 
> On 21/08/18 7:09 PM, L.P.H. van Belle wrote:
> >> Also, what then do the other lines in your config then say to do with
> >> the NTLM type-1 requests (no credentials) and failed-login requests?
> > 
> > No, this happened after the last security update of Samba.
> > 
> 
> "No" to what ? My Q above was in regards to the omitted http_access
> behaviour.
> 
> 
> The 'type-1' I am speaking of is the initial NTLM credentials token. Not
> the version number. All LanManager based exchanges (LM 1.0, LM4, LM
> 32-bit, SMB LM, NTLMv1 NTLMv2, NTLMv2 extended) begin with a type-1 token.
> 
> 
> > This is due to a samba update.
> > SECURITY UPDATE: Weak authentication protocol allowed 
> > CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1
> > 
> > You can easily test this, add 'ntlm auth = yes' to smb.conf and
> > restart. If this cures your problem, then you have two choices, leave
> > it alone and put up with a possibly insecure server, or fix your
> > clients to only use NTLMv2 and remove the line from smb.conf.
> > 
> 
> Yes, that is worth testing for.
> 
> Amos


Re: [squid-users] Transparent squid configuration problem.

2018-08-23 Thread L . P . H . van Belle
I noticed the following:    dig caa habr.com
;; ANSWER SECTION:
habr.com.   3600    IN  CAA 0 iodef "mailto:io...@habr.com"
habr.com.   3600    IN  CAA 0 issue "comodoca.com"

So you can't bump this site; it's protecting its certificates with a CAA/DANE DNS 
record. 
 
Greetz, 
 
Louis
 
 
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
??? ? ?
Sent: Thursday, 23 August 2018 15:22
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Transparent squid configuration problem.




Hi! I have some problems with the configuration of squid.

What I need:

http/https transparent proxy server based on Debian Stretch with some 
blacklisted and whitelisted domains

I've used many tutorials and squid.wiki through the installation process and it 
almost works! But I have the last problem.

When I tried to connect to some websites like https://habr.com I got 
HTTP ERROR 503. I've tried to find a solution at forums but no one helped me. I 
know the answer is simple and it's here but I can't find it by myself.

Here is my squid.conf, cache.log, access.log and iptables script.

Please help! :)

 

Squid.conf:

dns_v4_first on

acl network src 10.84.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
acl CONNECT method CONNECT

http_access deny blacklist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%      0
refresh_pattern .           0       20%     4320

shutdown_lifetime 1 second

 

cache.log:

Maximum Resident Size: 123312 KB
Page faults with physical i/o: 7
2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Open FD UNSTARTED 6 DNS Socket IPv6
2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4
2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent
2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
2018/08/23 16:19:32 kid1| Service Name: squid
2018/08/23 16:19:32 kid1| Process ID 1209
2018/08/23 16:19:32 kid1| Process Roles: worker
2018/08/23 16:19:32 kid1| With 65535 file descriptors available
2018/08/23 16:19:32 kid1| Initializing IP Cache...
2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/08/23 16:19:32 kid1| Store logging disabled
2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/08/23 16:19:32 kid1| Target number of buckets: 1008
2018/08/23 16:19:32 kid1| Using 8192 Store buckets
2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB
2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
2018/08/23 16:19:32 kid1| Using Least Load store dir selection
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
2018/08/23 16:19:32 kid1| HTCP Disabled.
2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
2018/08/23 16:19:32 kid1| Adaptation suppor

Re: [squid-users] Transparent squid configuration problem.

2018-08-23 Thread L . P . H . van Belle
If I may suggest..

Use the squid version from Debian sid.
Rebuilding these for stretch isn't that hard.

Add the sid sources, run: apt-get update
apt-get build-dep squid
apt-get source squid -b
then create a file repo (or http repo) and install squid.

Or, if you don't want to rebuild them, you can get them here:
http://downloads.van-belle.nl/squid/
Squid 4.1 and 4.2 are available for Stretch; I'm using the 4.2 version now.

If that's no option then have a look at
https://wiki.squid-cache.org/Features/SslPeekAndSplice
See the configuration example, that's a good example.
Change "bank" to habr.com ;-)
 
 
Greetz, 
 
Louis
 
From: ??? ? ? [mailto:a.zuba...@generium.ru]
Sent: Thursday 23 August 2018 15:42
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Transparent squid configuration problem.




Thank you, Louis!

Is there some workaround? Maybe I can put that kind of sites without filtering?



From: squid-users  On Behalf Of 
L.P.H. van Belle
Sent: Thursday, August 23, 2018 4:38 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Transparent squid configuration problem.

I noticed the following: dig caa habr.com
;; ANSWER SECTION:
habr.com.   3600    IN  CAA 0 iodef "mailto:io...@habr.com";
habr.com.   3600    IN  CAA 0 issue "comodoca.com"

So you can't bump this site, it's protecting its certificates with a CAA/DANE DNS record.

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
??? ? ?
Sent: Thursday 23 August 2018 15:22
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Transparent squid configuration problem.


Re: [squid-users] TCP_MISS/502 - audio stream - none default http ports

2018-09-18 Thread L . P . H . van Belle
Hai,

You missed a few points in your config.
And thank you for the music link, something different than the radio here. ;-)

I've installed a Debian stretch server.
This is the Debian default config with 2 modifications.

## Squid 3.5.23
## First enable the acl for YOUR localnet (here I enable all 5)
: acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
: acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
: acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
: acl localnet src fc00::/7         # RFC 4193 local private network range
: acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
## PS: in your config you missed adding the extra SSL_ports to the Safe_ports as well.
: acl Safe_ports port 80            # http
: acl Safe_ports port 21            # ftp
: acl Safe_ports port 443           # https
: acl Safe_ports port 70            # gopher
: acl Safe_ports port 210           # wais
: acl Safe_ports port 1025-65535    # unregistered ports
: acl Safe_ports port 280           # http-mgmt
: acl Safe_ports port 488           # gss-http
: acl Safe_ports port 591           # filemaker
: acl Safe_ports port 777           # multiling http

: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: http_access allow localnet
## And here you missed the "allow localnet"
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp:     1440    20%     10080
: refresh_pattern ^gopher:  1440    0%      1440
: refresh_pattern -i (/cgi-bin/|\?) 0   0%  0
: refresh_pattern .         0       20%     4320


As an extra test,
I've installed squid 4.2 rebuilt from Debian sid.
This is the exact config used; the script used is below the email.
I made 2 modifications.
Configuration File: /etc/squid/conf.d/debian.conf (depth 1): enabled localnet
Configuration File: /etc/squid/conf.d/headers.conf (depth 1): added your headers.

: acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
: acl localnet src 10.0.0.0/8       # RFC 1918 local private network (LAN)
: acl localnet src 100.64.0.0/10    # RFC 6598 shared address space (CGN)
: acl localnet src 169.254.0.0/16   # RFC 3927 link-local (directly plugged) machines
: acl localnet src 172.16.0.0/12    # RFC 1918 local private network (LAN)
: acl localnet src 192.168.0.0/16   # RFC 1918 local private network (LAN)
: acl localnet src fc00::/7         # RFC 4193 local private network range
: acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
: acl Safe_ports port 80            # http
: acl Safe_ports port 21            # ftp
: acl Safe_ports port 443           # https
: acl Safe_ports port 70            # gopher
: acl Safe_ports port 210           # wais
: acl Safe_ports port 1025-65535    # unregistered ports
: acl Safe_ports port 280           # http-mgmt
: acl Safe_ports port 488           # gss-http
: acl Safe_ports port 591           # filemaker
: acl Safe_ports port 777           # multiling http
: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: include /etc/squid/conf.d/*
 Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
: logfile_rotate 0
: http_access allow localnet
 Configuration File: /etc/squid/conf.d/headers.conf (depth 1)
: request_header_access From deny all
: request_header_access Referer deny all
: request_header_access Server deny all
: request_header_access WWW-Authenticate deny all
: request_header_access Link deny all
: forwarded_for delete
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp:     1440    20%     10080
: refresh_pattern ^gopher:  1440    0%      1440
: refresh_pattern -i (/cgi-bin/|\?) 0   0%  0
: refresh_pattern .         0       20%     4320

If you want the 4.2 for stretch, you can find it here:
https://downloads.van-belle.nl/squid/squid4.2/
Build logs are all included, or rebuild it yourself from sid/testing.
It's a pretty easy rebuild imo.

Greetz, 

Louis




> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Dörfler, Andreas
> Sent: Tuesday 18 September 2018 14:07
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] TCP_MISS/502 - audio stream - none
> default http ports
> 
> hello there,
> 
> I try to get mp3/audio streams working on a "kinda default" Debian
> stretch installation.
> 
> after I failed with the default debi

Re: [squid-users] proxy ntlm-auth problems

2019-01-17 Thread L . P . H . van Belle
I suggest you try:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMAIN

Greetz, 
 
Louis
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Silvester Langen
Sent: Thursday 17 January 2019 10:52
To: squid-users@lists.squid-cache.org
Subject: [squid-users] proxy ntlm-auth problems




Hello squid users.

I have configured squid for ntlm authentication and it seems to work well. All needed browsers (ff, ie, chrome) work and programs like teamviewer or "heise register" work too. But now I notice that other programs like Sage HR, Dakota, Sfirm and Elster have problems with authentication.

With wireshark I see the following:

(Stage 1) Browsers, Teamviewer, etc. start a request to squid and squid returns "407 Proxy Authentication Required".
(Stage 2) After that the client begins a new request for negotiation and sends the credentials. The connection works.

But...

(Stage 1) Sage HR, Sfirm, etc. start a request to squid and squid returns "407 Proxy Authentication Required".
After that the client begins a new request, but the same one, without credentials and negotiation. Of course, the proxy refuses the connection again.

I have no idea why the client software doesn't start stage 2 and no idea how to find out why.

Here is my configuration for ntlm-auth:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=mydomain --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
acl auth proxy_auth REQUIRED
http_access allow auth

Thank you for helping me!

Silvester
Silvester Langen
Fachinformatiker - Systemintegration
Auf dem Leuchtenberg 78

41517 Grevenbroich 
Mobil: 0170 69 66 580
Tel: 02181 21 555 01
Web: silvesterlangen.de

Zertifizierter MCSA, MCSE, LPIC-1



Re: [squid-users] daily releases

2019-01-30 Thread L . P . H . van Belle
Hai, 
 
I use this for the latest 4.xx release
mkdir squid && curl -q -L $(lynx -listonly -nonumbers -dump http://www.squid-cache.org/Versions/v4/ | grep squid-4.5 | grep ".tar.gz") | tar -xz -C squid --strip-components 1 -f -

and this one for the daily
mkdir squid-$(date +%F) && curl -q -L $(lynx -listonly -nonumbers -dump http://www.squid-cache.org/Versions/v4/ | grep "squid-4.5-" | grep ".tar.gz") | tar -xz -C squid-$(date +%F) --strip-components 1 -f -

Maybe it's possible in another way but this works for me.
 
greetz, 
 
Louis
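A way to pick the newest snapshot (and the newest stable tarball) out of the same lynx link listing without hard-coding the date or relying on exactly one line matching the grep, as an added example that is not part of Louis's message; the function names and the link list below are constructed for the example (only the r568e66b7c snapshot name is taken from this thread).

```shell
#!/bin/sh
# Added example (not from the message above). Helper names are assumptions.

# Constructed sample of what `lynx -listonly -nonumbers -dump` prints for
# http://www.squid-cache.org/Versions/v4/ ; the snapshot names other than
# r568e66b7c are made up, and the order is deliberately not by date.
SAMPLE_LINKS='http://www.squid-cache.org/Versions/v4/
http://www.squid-cache.org/Versions/v4/squid-4.4.tar.gz
http://www.squid-cache.org/Versions/v4/squid-4.5.tar.gz
http://www.squid-cache.org/Versions/v4/squid-4.5.tar.xz
http://www.squid-cache.org/Versions/v4/squid-4.5-20190126-r0123456ab.tar.gz
http://www.squid-cache.org/Versions/v4/squid-4.5-20190128-r568e66b7c.tar.gz
http://www.squid-cache.org/Versions/v4/squid-4.5-20190127-r0abcdef12.tar.gz'

# latest_daily BASE   (link list on stdin, BASE like "4.5")
# Print the URL of the newest dated snapshot squid-BASE-YYYYMMDD-r<rev>.tar.gz.
# Sort on the date field rather than trusting listing order, and only accept
# names of exactly that shape so squid-4.5.tar.gz itself never matches.
latest_daily() {
    base=$(printf '%s' "$1" | sed 's/\./\\./g')   # 4.5 -> 4\.5 for the regex
    grep -E "/squid-${base}-[0-9]{8}-r[0-9a-f]+\.tar\.gz\$" \
    | awk '{ n = split($0, p, "-"); print p[n-1] "\t" $0 }' \
    | sort -k1,1 | tail -n 1 | cut -f2
}

# latest_release   (link list on stdin)
# Print the URL of the highest numbered stable squid-X.Y.tar.gz, compared
# numerically per component so that 4.10 sorts after 4.9.
latest_release() {
    grep -E '/squid-[0-9]+\.[0-9]+\.tar\.gz$' \
    | sed -E 's#.*/squid-([0-9]+)\.([0-9]+)\.tar\.gz$#\1 \2 &#' \
    | sort -k1,1n -k2,2n | tail -n 1 | cut -d' ' -f3
}

# unpack_dir URL: directory to unpack into, derived from the tarball name so the
# snapshot date and revision stay visible (the message uses the download date,
# which says nothing about which revision was built).
unpack_dir() {
    basename "$1" .tar.gz
}

# fetch_and_unpack URL: the curl | tar pipeline from the message, into unpack_dir.
fetch_and_unpack() {
    url="$1"; dir=$(unpack_dir "$url")
    mkdir -p "$dir" && curl -sSfL "$url" | tar -xz -C "$dir" --strip-components 1 -f -
}

# Offline run against the constructed listing:
#   printf '%s\n' "$SAMPLE_LINKS" | latest_daily 4.5
# Live use:
#   lynx -listonly -nonumbers -dump http://www.squid-cache.org/Versions/v4/ | latest_daily 4.5
```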
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Vieri
Sent: Wednesday 30 January 2019 15:11
To: squid-users@lists.squid-cache.org
Subject: [squid-users] daily releases



Hi,

Does anyone know of a convenient one-liner to get the latest daily release tarball, e.g.
http://www.squid-cache.org/Versions/v4/squid-4.5-20190128-r568e66b7c.tar.gz,
without having to search for it manually on the web?

Either that or a symlink that would always point to the "latest daily".

Thanks,

Vieri


Re: [squid-users] using clang to compile squid 4-5

2019-01-30 Thread L . P . H . van Belle
Hai,

Good to hear there are more than Luigi :-)

I built Debian packages yesterday for squid 4.5,
which was pretty simple and worked fine in the end.

Get the source of 4.4 (apt-get source -t unstable squid)
Copy the debian folder from 4.4 into the 4.5 folder.

And change the squid version in the changelog; it built fine.
The test build failed; my change was:

diff squid-4.4/debian/rules squid-4.5/debian/rules
22c22
< DEB_INSTALL_DOCS_squid-common := debian/copyright CONTRIBUTORS CREDITS 
QUICKSTART RELEASENOTES.html SPONSORS
---
> DEB_INSTALL_DOCS_squid-common := debian/copyright CONTRIBUTORS CREDITS 
> QUICKSTART SPONSORS
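Review bot: dropping RELEASENOTES.html from DEB_INSTALL_DOCS_squid-common unconditionally means a later build from a release tarball that does ship RELEASENOTES.html (the 4.4 rules expected it) silently packages squid-common without the release notes; since the file is only absent in the snapshot build, keep the original line and make the entry conditional instead, e.g. `ifneq ($(wildcard RELEASENOTES.html),)` / `DEB_INSTALL_DOCS_squid-common += RELEASENOTES.html` / `endif`.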

4.5 was missing: RELEASENOTES.html
Uhm, must say, I built the "squid-4.5-20190128-r568e66b7c" version.

Working now on a backport for Debian stretch.

Thanks for all the good work Amos (and Luigi)!

@Amos, any chance to upload 4.5 to unstable or experimental?
I was hoping that 4.5 would get into buster; I'm guessing that's not going to happen?


Greetz, 

Louis





> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 30 January 2019 14:08
> To: graf huy; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] using clang to compile squid 4-5
> 
> On 30/01/19 9:38 pm, graf huy wrote:
> > Hi,
> > 
> > Using update-alternatives to set clang++ was a success, and export
> > CC=/usr/bin/clang does the job (trying two different methods). Debian
> > project recommended to use export (CC,CCX) for versioning and only
> > update-alternatives for alternatives as it says.
> > Anyway compilation with clang was as quick as gcc can do.
> > 
> 
> Great to know. Nothing to fix on that front for us then.
> 
> > 
> >> Seconded. With both my Squid Project and Debian pkg-squid Team hats on
> >> I'd like to know why you feel any need to force the compiler?
> > 
> > There were errors to patch with memcpy because of the gcc version
> > 8.2.0-14 Debian which considers some warnings as errors, besides some
> > targets are BSDs.
> > 
> 
> I'm not sure I follow that. Are you building with a patched GCC? or a
> patched libc? or something else?
> 
> I build with the Debian Sid GCC version myself and have not seen these
> in any test builds with that or similar GCC versions. Am trying your
> build options now just to be sure.
> 
> 
> On the matter of BSDs, since they provide clang as the default compiler
> they (FreeBSD at least) build with clang/clang++ without any need for
> CC/CXX setting. We have Jenkins tests for that.
> 
> 
> > 
> > Great to know you are on this package, I thought there was only Luigi
> > Gangitano (lu...@debian.org) for ages...
> > 
> 
> Welcome. There are several of us, with Luigi as team lead.
> 
> Amos


Re: [squid-users] The issue NTLM_AUTH with --require-membership-of

2019-02-21 Thread L . P . H . van Belle
I think your problem has to do with NT1.

I assume you already tried the setting in smb.conf:
ntlm auth = ntlmv1-permitted
(which is the alias for yes)


And which samba/ntlm_auth version is this? Standard CentOS?
I must say I'm a noob in CentOS, so I'll show you what I know from Debian.
And it might be better to switch to Kerberos auth.

I know there are problems with the groups in ntlm_auth and its detection.
If I recall right, a patch passed recently, so waiting for that in the next samba version.

I use the following.

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/$(hostname -f)@MY_REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

With ldap fallback
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=Office,dc=some,dc=domain,dc=tld" \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-f sAMAccountName=%s \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN

The ldap-bind account needs no Kerberos pre-auth check and password expiry disabled.

The group part, now I'm not using it myself but as an example, should be something like this.

Basically it's:
Search for %LOGIN from this point: DC=office,DC=some,DC=domain,DC=tld and get person-%a from group Proxygroups

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
-f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld)) \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN


external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
-s sub \
-R -v3 \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld))" \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN

I hope this helps a bit.

Greetz, 

Louis



> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 21 February 2019 10:18
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] The issue NTLM_AUTH with
> --require-membership-of
> 
> On 21/02/19 9:35 pm, WANG TOM wrote:
> > 
> --
> 
> > And I have tested running ntlm_auth directly, it looks successful.
> > "ntlm_auth --require-membership-of='IBM\Domain Users'
> > --username=Administrators --password=123456
> > NT_STATUS_OK: The operation completed successfully. (0x0)"
> > 
> --
> 
> > I have no idea what I have missed or what mistake I made, could
> someone help.
> > 
> 
> Very likely that whitespace in the parameter string. Squid does not
> support double-quote encoding of most parameters.
> 
> That means the helper will be passed two different environment
> arguments.  One being "--require-membership-of='IBM\Domain".
> The second being "Users'"
> 
> IIRC you can probably %-encode that (as "IBM\Domain%20Users").
> 
> 
> If not that then you are going to have to debug what the 
> helper is doing.
> 
> 
> NP: This helper is provided by Samba, it is not part of Squid. So
> questions about its abilities and encodings supported are a 
> question for
> their help channels. Someone here _might_ know, but do not 
> count on that.
> 
> 
> Amos


Re: [squid-users] compiling squid 4

2019-03-01 Thread L . P . H . van Belle
It's pretty simple..

Enable the Debian sid source in your Ubuntu 18
apt install -y software-properties-common debian-archive-keyring dirmngr
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010

add-apt-repository "deb-src http://ftp.nl.debian.org/debian sid main contrib non-free"
apt-get update

I don't enable the deb line from sid because that prevents possible unwanted upgrades/replacements of files.

# get build-depends
apt-get build-dep squid3

# get source and build squid
apt-get source squid3 -B

And wait.
That's what I'm doing now ;-) .. 15 min later done.

 dpkg-genbuildinfo --build=binary
 dpkg-genchanges --build=binary >../squid_4.6-1_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
 dpkg-source --after-build squid-4.6
dpkg-buildpackage: info: binary-only upload (no source included)

This results in some debs; set up a file/web repo to use them so you can apt-get install them.
Move all .deb files into a folder

mkdir amd64
mv *.deb amd64/
apt-ftparchive packages amd64/ > amd64/Packages

And add a line like this in your /etc/apt/sources.list.d/squid-local.list
echo "deb [trusted=yes] file:/home/build/squid/ amd64/" > /etc/apt/sources.list.d/squid-local.list
# NOTE, don't forget to change the path here^^
You can move this to any place as long as amd64/ exists.
You can change this to a webserver, then it looks like: #deb [trusted=yes] http://localhost/ amd64/"
And the document root and webserver setup: if you move amd64 to /var/www/html/ then it should work directly after you install a webserver.

Results. 
apt-get update
apt-cache policy squid
squid:
  Installed: (none)
  Candidate: 4.6-1
  Version table:
 4.6-1 500
500 file:/root amd64/ Packages
 3.5.27-1ubuntu1.1 500
500 http://nl.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
 3.5.27-1ubuntu1 500
500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


apt-get install squid
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libdbi-perl squid-common squid-langpack
Suggested packages:
  libmldbm-perl libnet-daemon-perl libsql-statement-perl squidclient squid-cgi 
squid-purge resolvconf smbclient ufw
The following NEW packages will be installed:
  libdbi-perl squid squid-common squid-langpack
0 upgraded, 4 newly installed, 0 to remove and 35 not upgraded.
Need to get 861 kB/3,752 kB of archives.
After this operation, 13.4 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 file:/root amd64/ squid-common 4.6-1 [309 kB]
Get:2 file:/root amd64/ squid 4.6-1 [2,582 kB]
Get:3 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 squid-langpack all 
20170901-1 [137 kB]
Get:4 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 libdbi-perl amd64 
1.640-1 [724 kB]


Now you ;-)

And why the above works...
Because of the fantastic work of the squid devs!


Greetz, 

Louis


> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Alex Gutiérrez Martínez
> Sent: Thursday 28 February 2019 22:03
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] compiling squid 4
> 
> Hello again community, I still have problems compiling squid 
> 4. This is 
> what i did this time
> 
> Basic support needed:
> 
> # apt install arj bzip2 xz-utils cabextract cpio file lzma lhasa lzop 
> rpm2cpio gzip nomarch pax lzop rar unrar unzip zoo unace razor pyzor 
> tnef ripole zip p7zip-full mc multitail ccze libcppunit-dev 
> libsasl2-dev 
> libxml2-dev libkrb5-dev libdb-dev libnetfilter-conntrack-dev 
> libexpat1-dev libcap2-dev libldap2-dev libpam0g-dev libgnutls28-dev 
> libssl-dev libdbi-perl libecap3 libecap3-dev libntlm0-dev 
> libkf5kiontlm5 
> samba-dev ldap-utils
> 
> Install the binaries needed to compile Squid4; the system returns an
> error when I start the service:
> 
> sudo apt install logrotate acl attr autoconf bison nettle-dev 
> build-essential libacl1-dev libaio-dev libattr1-dev libblkid-dev 
> libbsd-dev libcap2-dev libcppunit-dev libldap2-dev pkg-config 
> libxml2-dev libdb-dev libgnutls28-dev openssl devscripts fakeroot 
> libdbi-perl libssl1.0-dev libcppunit-dev libecap3-dev libkrb5-dev 
> comerr-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev
> 
>   sudo groupadd -g 13 proxy
>   sudo mkdir -p /var/spool/squid
>   sudo mkdir -p /var/log/squid
>   sudo useradd --system -g proxy -u 13 -d /var/spool/squid -M -s 
> /usr/sbin/nologin proxy
>   sudo chown proxy:proxy /var/spool/squid
>   sudo chown proxy:proxy /var/log/squid
> 
> cd /opt
> wget -c http://www.squid-cache.org/Versions/v4/squid-4.6.tar.xz
>   tar xfv squid-4.6.tar.xz
> 
> We configure the basic options we may need:
> 
> ./configure --srcdir=. --prefix=/usr --localstatedir=/var/lib/

Re: [squid-users] compiling squid 4

2019-03-01 Thread L . P . H . van Belle
Hai Alex,

Ahh.. You wanted it with ssl, sorry, I missed that.
Here you go.

apt-get source squid

cd squid-4.6/debian/

Edit rules; after the line --with-gnutls
add these: --enable-ssl --enable-ssl-crtd --with-openssl
Save.

Edit changelog
Change the version 4.6-1 to 4.6-1ssl
Save

Install libgnutls28-dev openssl

cd ../..

apt-get source squid3 -b

And that results in squid 4.6 with ssl.

This is the simplest way to compile squid and get it working.
It's not the best way; for that, set up a builder environment.

This works! Try it.

Greetz, 

Louis
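The two debian/ edits described above (insert the SSL flags after the --with-gnutls line in debian/rules, suffix the changelog version), scripted so they can be re-applied to each new upstream version, as an added example that is not Louis's own script; it assumes the configure flags in debian/rules form a backslash-continued list and writes a constructed sample debian/ directory to run against.

```shell
#!/bin/sh
# Added example (not from the message above). Assumptions: debian/rules keeps
# its configure flags in a backslash-continued list with one line containing
# --with-gnutls, and the first changelog line has the usual
# "squid (4.6-1) unstable; ..." shape. The sample files below are constructed.

SSL_FLAGS='--enable-ssl --enable-ssl-crtd --with-openssl'

# add_ssl_flags RULES_FILE
# Insert $SSL_FLAGS on a new line right after the --with-gnutls line, keeping
# the backslash continuation valid whether or not --with-gnutls was the last
# flag of the list. Safe to run twice: it does nothing if the flags are present.
add_ssl_flags() {
    rules="$1"
    grep -q -- '--enable-ssl-crtd' "$rules" && return 0
    if ! grep -q -- '--with-gnutls' "$rules"; then
        echo "add_ssl_flags: no --with-gnutls line in $rules" >&2
        return 1
    fi
    awk -v flags="$SSL_FLAGS" '
        /--with-gnutls/ && !done {
            if ($0 ~ /\\[[:space:]]*$/) {      # line already continues the list
                print
                print "\t\t" flags " \\"
            } else {                            # it was the last flag: continue it
                print $0 " \\"
                print "\t\t" flags
            }
            done = 1
            next
        }
        { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# bump_changelog_version CHANGELOG SUFFIX
# Turn "squid (4.6-1) unstable; ..." into "squid (4.6-1ssl) unstable; ..." on
# the top entry only, so the rebuilt package is distinguishable from the
# distro one. Idempotent as well.
bump_changelog_version() {
    changelog="$1"; suffix="$2"
    head -n 1 "$changelog" | grep -q -- "${suffix})" && return 0
    sed '1s/^\([^ ]* (\)\([^)]*\))/\1\2'"$suffix"')/' "$changelog" > "$changelog.tmp" \
        && mv "$changelog.tmp" "$changelog"
}

# rules_flags RULES_FILE
# List the configure flags in file order (continuation backslashes dropped),
# used to check the result.
rules_flags() {
    sed 's/[[:space:]]*\\[[:space:]]*$//' "$1" \
    | grep -o -- '--[a-z0-9-]*' | tr '\n' ' ' | sed 's/ $//'
}

# make_sample_debian_dir DIR
# Write a constructed debian/rules and debian/changelog with the shapes above
# (sample data, not Debian's real files).
make_sample_debian_dir() {
    mkdir -p "$1"
    printf '%s\n' \
        'DEB_CONFIGURE_EXTRA_FLAGS := \' \
        '    --with-gnutls \' \
        '    --enable-icmp' > "$1/rules"
    printf '%s\n' \
        'squid (4.6-1) unstable; urgency=medium' \
        '' \
        '  * Constructed sample entry.' \
        '' \
        ' -- Example Maintainer <maint@example.invalid>  Fri, 01 Mar 2019 12:00:00 +0100' \
        > "$1/changelog"
}

# On a real tree, after `apt-get source squid` (paths from the message):
#   add_ssl_flags squid-4.6/debian/rules
#   bump_changelog_version squid-4.6/debian/changelog ssl
```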

> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Alex Gutiérrez Martínez
> Sent: Friday 1 March 2019 14:13
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] compiling squid 4
> 
> Hello again community, I still have problems compiling squid 
> 4. This is 
> what i did this time:
> 
> 
> Basic support:
> 
> sudo apt install logrotate acl attr autoconf bison nettle-dev 
> build-essential libacl1-dev libaio-dev libattr1-dev libblkid-dev 
> libbsd-dev libcap2-dev libcppunit-dev libldap2-dev pkg-config 
> libxml2-dev libdb-dev libgnutls28-dev openssl devscripts fakeroot 
> libdbi-perl libssl1.0-dev libcppunit-dev libecap3-dev libkrb5-dev 
> comerr-dev libnetfilter-conntrack-dev libpam0g-dev 
> libsasl2-dev rj bzip2 
> xz-utils cabextract cpio file lzma lhasa lzop rpm2cpio gzip 
> nomarch pax 
> lzop rar unrar unzip zoo unace razor pyzor tnef ripole zip 
> p7zip-full mc 
> multitail ccze libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev 
> libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev 
> libldap2-dev libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl 
> libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils
> 
>   sudo groupadd -g 13 proxy
>   sudo mkdir -p /var/spool/squid
>   sudo mkdir -p /var/log/squid
>   sudo useradd --system -g proxy -u 13 -d /var/spool/squid -M -s 
> /usr/sbin/nologin proxy
>   sudo chown proxy:proxy /var/spool/squid
>   sudo chown proxy:proxy /var/log/squid
> 
> cd /opt
> wget -c http://www.squid-cache.org/Versions/v4/squid-4.6.tar.xz
>   tar xfv squid-4.6.tar.xz
> 
> We configure the basic options we may need:
> 
> ./configure --srcdir=. --prefix=/usr --localstatedir=/var/lib/squid 
> --libexecdir=/usr/lib/squid --datadir=/usr/share/squid 
> --sysconfdir=/etc/squid --with-default-user=proxy 
> --with-logdir=/var/log/squid --with-open-ssl=/etc/ssl/openssl.cnf 
> --with-openssl --enable-ssl --enable-ssl-crtd 
> --build=x86_64-linux-gnu 
> --with-pidfile=/var/run/squid.pid --enable-removal-policies=lru,heap 
> --enable-delay-pools --enable-cache-digests --enable-icap-client 
> --enable-ecap --enable-follow-x-forwarded-for --with-large-files 
> --with-filedescriptors=65536 
> --enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB 
> --enable-auth-digest=file,LDAP 
> --enable-auth-negotiate=kerberos,wrapper 
> --enable-auth-ntlm=fake --enable-linux-netfilter 
> --with-swapdir=/var/spool/squid --enable-useragent-log --enable-htpc 
> --infodir=/usr/share/info --mandir=/usr/share/man 
> --includedir=/usr/include --disable-maintainer-mode 
> --disable-dependency-tracking --disable-silent-rules --enable-inline 
> --enable-async-io --enable-storeio=ufs,aufs,diskd,rock --enable-eui 
> --enable-esi --enable-icmp --enable-zph-qos 
> --enable-external-acl-helpers=file_userip,kerberos_ldap_group,time_quota,LDAP_group,session,SQL_session,unix_group,wbinfo_group 
> --enable-url-rewrite-helpers=fake --enable-translation --enable-epoll 
> --enable-snmp --enable-wccpv2 --with-aio --with-pthreads
> 
> Compiling with 4 cores:
> 
> make -j 4
> 
> Installing:
> 
> sudo  make install
> 
> create init script:
> 
> sudo nano /etc/init.d/squid
> 
> init content:
> 
> ##
> 
> ##
> 
> ##
> 
> # squid4 Startup script for the SQUID HTTP proxy-cache.
> #
> # Version:   @(#)squid4 init script  1.0  20-Feb-2019 
> lesli...@nauta.cu
> ##
> ##
> 
> ### BEGIN INIT INFO
> # Provides:  squid
> # Required-Start:    $network $remote_fs $syslog
> # Required-Stop: $network $remote_fs $syslog
> # Should-Start:  $named
> # Should-Stop:   $named
> # Default-Start: 2 3 4 5
> # Default-Stop:  0 1 6
> # Short-Description: Squid HTTP Proxy version 4.x
> ### END INIT INFO
> 
> NAME=squid
> DESC="Squid HTTP Proxy 4.x"
> DAEMON=/usr/sbin/squid
> PIDFILE=/var/run/$NAME.pid
> CONFIG=/etc/squid/squid.conf
> SQUID_ARGS="-YC -f $CONFIG"
> 
> [ ! -f /etc/default/squid ] || . /etc/default/squid
> 
> . /lib/lsb/init-functions
> 
> PATH=/bin:/

Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-02 Thread L . P . H . van Belle
I suggest you start comparing the logs you posted, the builds are really 
different. 

Differences in 
- kernel
- needed packages
- build parameters due to missing or different packages.
Etc. 

Just diff your logs and you will see it. 

Greetz, 

Louis


 

> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> David Touzeau
> Sent: Tuesday 2 April 2019 9:24
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Why Squid on CentOS is faster 
> than Debian ?
> 
> 
> On 02/04/2019 at 07:43, L A Walsh wrote:
> > On 4/1/2019 2:17 AM, David Touzeau wrote:
> >> We have recompiled same squid version on 2 systems
> >> 
> >> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/centos7-config.log?raw=true
> >>
> >> ---
> >> Result was CentOS 44% faster on TCP_MEM_HITS
> >> ---
> >>
> > What kernels are the two systems running?
> >
> > Are the config options exactly the same?
> >
> > Just a WAG, but but are the settings for
> > CONFIG_TRANSPARENT_HUGEPAGE the same for both?
> 
> Yes it is the same: always [madvise] never
> 
> >
> >
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



Re: [squid-users] Why Squid on CentOS is faster than Debian ?

2019-04-16 Thread L . P . H . van Belle
And what if you test on debian stretch. 
Rebuilding squid 4.6 for stretch is pretty easy. 

Add buster src to repo. 
apt-get build-dep squid3
apt-get source squid3 -b

And now you wait. 

Greetz, 

Louis


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> David Touzeau
> Sent: Tuesday 16 April 2019 12:32
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Why Squid on CentOS is faster 
> than Debian ?
> 
> 
> On 02/04/2019 at 10:39, Amos Jeffries wrote:
> > On 2/04/19 8:53 pm, L.P.H. van Belle wrote:
> >> I suggest you start comparing the logs you posted, the builds 
> are really different.
> >>
> >> Differences in
> >> - kernel
> >> - needed packages
> >> - build parameters due to missing or different packages.
> >> Etc.
> >>
> >> Just diff your logs and you will see it.
> >>
> > The biggest there is C++11 support being enabled on CentOS. 
> That alone
> > enables quite a few performance optimizations in the stdlib 
> template code.
> >
> > Amos
> 
> Hi,
> 
> 
> We have tested squid in Debian 10 and performance is now the same as 
> CentOS 7
> 
> So Debian 10 should be the best choice but it is not released yet...
> 
> 
> 
> 



Re: [squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

2019-05-16 Thread L . P . H . van Belle
This is related to samba and MS disabling NTLM (smb1)
What is the samba version in question and the running OS? 

But first thing you can try is set in smb.conf 

ntlm auth = yes


Greetz, 

Louis


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Thursday 16 May 2019 11:13
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid V 3.5.23 authenticating in 
> AD: User names not showing in log
> 
> On 16/05/19 5:45 am, Rafael Silva Daniel wrote:
> > Hello! I'm in need of serious help, in my company we need the 
> access logs by
> > user name, it is the only reason the proxy is set to 
> authenticate. But it
> > just doesn't show it, the relevant parts of the .conf are 
> looking like this:
> > 
> > (...)
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp --domain=X(domain name)
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> > 
> > external_acl_type NT_global_group %LOGIN 
> /usr/lib/squid/ext_wbinfo_group_acl
> > acl users external NT_global_group "/etc/squid/fapgrp"
> > (...)
> > 
> > (...)
> > http_access deny !users
> > http_access allow users
> > http_access deny !auth
> > (...)
> > 
> 
> There is no natural reason why those CONNECT should be exempt from
> authenticating.
> 
> I usually find situations like what you describe happen where someone
> has misunderstood the default security rules and "customized" them a
> bit. They are finely tuned rules, so vast changes to proxy behaviour
> (like complete bypass of auth) can result if updates to them are not
> done correctly.
> 
> Can you please show more of your http_access rules? All of 
> them would be
> best. At minimum all of the ones above that "http_access deny !auth"
> line, and the definition lines for any ACLs used in those 
> rules (include
> that "auth" ACL definition too please).
> 
> 
> 
> > ***("/etc/squid/fapgrp" is a text file with the text 
> "Usuários do dóminio",
> > it's "Domain Users" in Portuguese)
> > 
> > when I test the helper:
> > 
> > /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> > --domain=X
> > user password
> > BH SPNEGO request invalid prefix
> > 
> > I read somewhere that ntlmssp can be tested like this, 
> because we are
> > sending the credentials as plain text, so I tested with 
> basic and the result
> > is this:
> > 
> > /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
> > --domain=X
> > user password
> > OK
> > user password
> > ERR
> > 
> > so, I'm assuming that the way squid is processing the 
> challenges is fine, is
> > it right?
> 
> That is a test that the helper is talking to the AD service okay. It
> cannot tell you whether the client and Squid are 
> communicating the NTLM
> credentials.
> 
> 
> The NTLM protocol does not deliver passwords across the network. NTLM
> uses (weak) encrypted tokens instead. All Squid does is pass the token
> as-is to the helper. The helper then informs Squid what 
> username to log
> for that token (if any).
>  So to test that part you need to locate a valid token and 
> pass that to
> the helper instead of username/password.
> 
> However, before you go to any trouble over that. I do not think the
> helper or auth are the problem here. Something is clearly letting the
> CONNECT happen without even going near the auth process.
> 
> 
> Amos
> 



Re: [squid-users] LDAP authentication from android and iphones

2019-05-29 Thread L . P . H . van Belle
Hai, 
 
You are probably missing in your smb.conf: 
 
ntlm auth = yes 
 
 
Greetz, 
 
Louis
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Ilias Clifton
Sent: Wednesday 29 May 2019 6:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] LDAP authentication from android and iphones



Hi All,
 
I have Squid 3.5.27 running on Ubuntu 18.04.2, and have been unsuccessful in 
being able to authenticate users via ldap (kerberos is working well)
 
Currently it's iphone and android users that are having the issue - all other 
users are authenticating via kerberos.
 
In squid.conf, I have:
auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "OU=users,DC=domain,DC=com" -D sq...@domain.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
 
When a user attempts to browse via the proxy, I see in access.log:
 
1559096820.116      0 10.99.88.77 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
 
And the user is prompted for a username and password..
 
I then see in cache.log:
 
basic_ldap_auth.cc(691): pid=32625 :user filter 'sAMAccountName=username', searchbase 'OU=users,DC=domain,DC=com'
basic_ldap_auth.cc(746): pid=32625 :attempting to authenticate user 'CN=Users Fullname,OU=users,DC=domain,DC=com'
 
But the user just keeps getting prompted for username and password over and 
over, and I continue to see:
 
1559096820.116      0 10.99.88.77 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
 
 
If I run the following on the command line, it appears to authenticate 
correctly:
 
/usr/lib/squid/basic_ldap_auth -d -R -b "OU=users,DC=domain,DC=com" -D sq...@domain.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
username password
 
basic_ldap_auth.cc(691): pid=32625 :user filter 'sAMAccountName=username', searchbase 'OU=users,DC=domain,DC=com'
basic_ldap_auth.cc(746): pid=32625 :attempting to authenticate user 'CN=Users Fullname,OU=users,DC=domain,DC=com'
OK
 
 
What else can I do for troubleshooting?
 
 


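Reading access.log is the quickest way to tell the two failure modes in these threads apart: a client that keeps receiving 407 without ever logging a username (the iPhone/Android case above) versus a CONNECT that is served with no username at all (the bypass Amos suspects in the NTLM thread). The script below is an added example, not code from the list or from the Squid project; it parses Squid's native access.log format, and the log lines are constructed samples (the 10.99.88.x addresses and the user "alice" are made up).

```python
"""Spot authentication loops and unauthenticated CONNECTs in Squid's native access.log.

Native log format (logformat squid): time elapsed client code/status bytes
method URL user hierarchy/peer content-type.  Added example, not Squid code.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines; the first one is the shape seen in the thread above.
SAMPLE_LOG = """\
1559096820.116      0 10.99.88.77 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
1559096821.204      0 10.99.88.77 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
1559096822.310      0 10.99.88.77 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
1559096830.001      0 10.99.88.12 TCP_DENIED/407 2248 GET http://www.google.com - HIER_NONE/- text/html
1559096830.155    312 10.99.88.12 TCP_MISS/200 15020 GET http://www.google.com alice HIER_DIRECT/172.217.16.4 text/html
1559096840.500  60210 10.99.88.50 TCP_TUNNEL/200 4821 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
"""


@dataclass
class ClientAuthStats:
    challenges: int = 0           # 407 responses sent to this client
    authenticated: int = 0        # requests that carried a logged username
    anonymous_connect: int = 0    # CONNECT requests served with no username
    users: set = field(default_factory=set)


def parse_line(line: str):
    """Split one native-format line into the fields we need; None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    _ts, _elapsed, client, result, _size, method, url, user, _hier, _ctype = fields[:10]
    code, _, status = result.partition("/")
    if not status.isdigit():
        return None
    return {"client": client, "code": code, "status": int(status),
            "method": method, "url": url, "user": user}


def analyse(lines):
    """Aggregate per-client counters from an iterable of access.log lines."""
    stats = defaultdict(ClientAuthStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["status"] == 407:
            s.challenges += 1            # proxy asked for credentials
        elif rec["user"] != "-":
            s.authenticated += 1         # credentials accepted and logged
            s.users.add(rec["user"])
        elif rec["method"] == "CONNECT" and rec["code"] != "TCP_DENIED":
            s.anonymous_connect += 1     # tunnel opened without any identity
    return dict(stats)


def findings(stats, loop_threshold: int = 3):
    """Return (client, kind, detail) tuples that deserve a look."""
    out = []
    for client, s in sorted(stats.items()):
        if s.challenges >= loop_threshold and s.authenticated == 0:
            out.append((client, "auth-loop",
                        f"{s.challenges} x 407 and never a logged username: the client "
                        "is not completing the challenge (wrong scheme or no credentials sent)"))
        if s.anonymous_connect:
            out.append((client, "connect-without-auth",
                        f"{s.anonymous_connect} CONNECT tunnel(s) served with user '-': "
                        "check the http_access rules that precede the auth ACL"))
    return out


if __name__ == "__main__":
    for client, kind, detail in findings(analyse(SAMPLE_LOG.splitlines())):
        print(f"{client:15} {kind:22} {detail}")
```

Run it against a real log with `analyse(open("/var/log/squid/access.log"))`; the threshold of three consecutive challenges is arbitrary and only meant to separate a normal first 407 from a client that never answers it.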

Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread L . P . H . van Belle
the SSL3_GET_MESSAGE ? 
 
Maybe because they only support TLSv1.2 ? 
It's been a long time since I've seen a site properly configured with its TLS settings. 
 
So most probably, you're downgrading the connection within the proxy settings to 
sslv3 
 
And sharing your config might help to see that. 
 
Greetz, 
 
Louis
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Walter H.
Sent: Friday 28 June 2019 16:21
To: squid-users@lists.squid-cache.org
Subject: [squid-users] SQUID_ERR_SSL_HANDSHAKE



Hello,

at some specific hosts
this is shown in cache.log
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)

and this is the error page I get

Failed to establish a secure connection to ...

 (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
 Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

what is causing this?

in case some want to try:   https://www.3bg.at/
(when disabling SSL-bump no problem)

Thanks,
Walter




[squid-users] FW: AD user Login + Squid Proxy + Automatic Authentication

2019-08-23 Thread L . P . H . van Belle
 




The most simple way to add SSO. 
 
Install winbind and krb5-user, then update your smb.conf with this config: 
[global]
    # Auth-Only setup with winbind. ( no Shares )
log level = 1
    workgroup = NTDOM
    security = ADS
    realm = YOUR-REALM
    netbios name = HOSTNAME
 
    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes
 
    interfaces = eth0 lo
    bind interfaces only = yes
 
    #Add and Update TLS Key
    # Add the root cert and client certs here, add the rootCA with GPO to the PCs. 
    tls enabled = yes
    tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
    tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
    tls cafile = /etc/ssl/certs/ROOT-ca.crt
 
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-
 
    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOM : backend = rid
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 1-399
 
 # Samba 4.6+ ( get primary group from AD ) ( Samba AD-Backend )
    #idmap config NTDOM : unix_nss_info = yes
 # Samba 4.6+ ( get primary group from unix primary group )
    #idmap config NTDOM : unix_primary_group = yes
###
 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
 
    # renew the kerberos ticket
    winbind refresh tickets = yes
 
    # We strip the domain (NTDOM\username) to username
    winbind use default domain = yes
 
    # enable offline logins
    winbind offline logon = yes
 
    # check depth of nested groups, ! slows down your samba if the group depth is too large
    # Not needed on the VPN server.
    #winbind expand groups = 2
 
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
 
    # disable usershares creating
    usershare path =
 
    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
 
    # For ACL support on member servers with shares, OBLIGATES
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
 
### SHARE DEFINITIONS ###

 
# Next TODO.  Join the AD-DC domain. 
kinit Administrator
net ads join 
 
# setup keytab for squid. 
 
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME
 
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
 
and use this for auth in squid. 
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
  -s HTTP/hostname.fqdn@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal 
per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with 
negotiate_kerberos_auth.  
Greetz, 
 
Louis
 
 


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Randi Indrawan
Sent: Friday 23 August 2019 3:28
To: squid-users@lists.squid-cache.org
Subject: [squid-users] AD user Login + Squid Proxy + Automatic Authentication




So I have setup a squid proxy on a CentOS 7 Server and now the authentication 
system uses ldap and it works, I can set which groups get access through a proxy

The problem is ... can we set up the proxy to read the domain id that is being 
logged, so the proxy no longer asks for a username and password. All the 
tutorials I've seen are pop-up messages asking for the username and password. I 
would like this to happen automatically so when the user logs in they 
automatically authenticate

Best Regards

Randi Indrawan


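The smb.conf above warns twice that the idmap ranges may not overlap each other or the system uid ranges from /etc/adduser.conf; a collision silently maps a domain user onto a local account's uid. As an added check (not code from the list, from Samba or from the author), this script parses the `idmap config ... : range` lines and the adduser.conf uid ranges and reports every overlap. The range numbers in the samples are constructed, since the ones in the message above are truncated, and the adduser.conf values are likewise made up.

```python
"""Check smb.conf idmap ranges for the overlaps the winbind howto warns about.

Added example; the configuration snippets are constructed samples, not a real
site's files.
"""
import re

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)

# Constructed: the shape of the smb.conf in the message, with made-up range limits.
SMB_CONF_OK = """\
[global]
    workgroup = NTDOM
    security = ADS
    ## map id's outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    ## map ids from the domain; may not overlap the * range!
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999
"""
SMB_CONF_BAD = SMB_CONF_OK.replace("range = 2000-9999", "range = 2000-20000")

# Constructed adduser.conf excerpts (the keys are the real adduser.conf names).
ADDUSER_CONF = """\
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_UID=1000
LAST_UID=1999
"""
ADDUSER_CONF_WIDE = ADDUSER_CONF.replace("LAST_UID=1999", "LAST_UID=5999")


def parse_idmap_ranges(smb_conf: str) -> dict:
    """Map each idmap domain ('*' is the default backend) to its (low, high) id range."""
    ranges = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue                      # smb.conf comment line
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_adduser_ranges(adduser_conf: str) -> dict:
    """Pull the local system/user uid ranges out of adduser.conf-style KEY=VALUE text."""
    values = {}
    for line in adduser_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            if val.strip().isdigit():
                values[key.strip()] = int(val.strip())
    found = {}
    for label, lo_key, hi_key in (("system accounts", "FIRST_SYSTEM_UID", "LAST_SYSTEM_UID"),
                                  ("local users", "FIRST_UID", "LAST_UID")):
        if lo_key in values and hi_key in values:
            found[label] = (values[lo_key], values[hi_key])
    return found


def overlaps(a, b) -> bool:
    """True when the inclusive ranges a=(lo,hi) and b=(lo,hi) share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(smb_conf: str, adduser_conf: str) -> list:
    """Return a list of problems; an empty list means the ranges are disjoint and sane."""
    problems = []
    idmap = parse_idmap_ranges(smb_conf)
    if "*" not in idmap:
        problems.append("no default 'idmap config * : range' defined")
    names = sorted(idmap)
    for i, a in enumerate(names):
        lo, hi = idmap[a]
        if lo >= hi:
            problems.append(f"idmap range for '{a}' is empty or reversed: {lo}-{hi}")
        for b in names[i + 1:]:
            if overlaps(idmap[a], idmap[b]):
                problems.append(f"idmap ranges for '{a}' {idmap[a]} and '{b}' {idmap[b]} overlap")
    for label, local in parse_adduser_ranges(adduser_conf).items():
        for dom, rng in idmap.items():
            if overlaps(rng, local):
                problems.append(f"idmap range for '{dom}' {rng} overlaps {label} range {local}")
    return problems


if __name__ == "__main__":
    for name, conf, adduser in (("ok", SMB_CONF_OK, ADDUSER_CONF),
                                ("overlapping", SMB_CONF_BAD, ADDUSER_CONF),
                                ("wide local users", SMB_CONF_OK, ADDUSER_CONF_WIDE)):
        print(name, check_idmap(conf, adduser) or "no problems")
```

On a real host feed it `open("/etc/samba/smb.conf").read()` and `open("/etc/adduser.conf").read()`; on Debian the default LAST_UID is far above 2000, so the local-user overlap is the one to expect when the tdb range starts low.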
Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread L . P . H . van Belle
I also had problems with msktutil.. so I suggest you try this, see below.. 
I'm using it for a few years and it always works (for me of course).. 
 
It should be pretty simple, but the site squid-cache (wiki) is in my opinion a 
bit outdated. 
And it's for Amos to adapt it on the site.
 
Amos or Alex, please review below, you might want to add it. 
And add your parts to it, like running this without a correct spn. 
 
It's tested in use and working since squid 3.1 up to 4.8. 
Tested on Debian Wheezy (7) up to Buster (10)
 
Below assumes the server you're setting up does have an A and PTR record. 

(note, which should be added at the domain join of winbind, as of samba4.x )
 
This is my howto. 
A Debian based, with Kerberos Auth against a Samba Active Directory
Should be adaptable for any OS, should also work with MS Active Directory. 
But since I don't have any, I'm not testing it. 
 
# Install a minimal OS, at install only choose base + ssh server. 
# Set up these variables for a copy/paste, might be handy, and then "it just 
works"  
 
# Obligated to set.  # ADDOM; 
# This should match the netbios (NT4) domain name in caps, for example from a 
login: NTDOM\username 
ADDOM="NTDOM" 
 
# These should be fine, but if you have multiple IP numbers and hostnames, you 
might want to adjust these. 
FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"

# Requirements before you start installing the software like: squid winbind 
krb5-user
 
# Login, sudo to root.
# /etc/resolv.conf, set as followed. 
#search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC
 
# Verify it: 
grep search /etc/resolv.conf
grep nameserver /etc/resolv.conf

 
# If ok, then run : 
apt update 
apt install squid winbind krb5-user -y
 
# Just hit enter on every question, the defaults are fine. (verified in Debian).
 
# And now verify /etc/krb5.conf
less /etc/krb5.conf
 
 
# It should look like this :  
#[libdefaults]
#    default_realm = YOUR.Detected_REALM.TLD 
#
# The following krb5.conf variables are only for MIT Kerberos.
#   kdc_timesync = 1
#    ccache_type = 4
#    forwardable = true
#    proxiable = true
 
# ... and more.. 

#  >>  P.s.  i never touch krb5.conf, never needed, it "just works" << 
 
# Set REALM Variable now, default should be ok. dont touch it. 
# (no whitespace inside the quotes: a trailing space would end up in the SPN below)
REALM="$(grep default_realm /etc/krb5.conf | awk '{ print $NF }')"
# It's used for smb.conf and the auth part of squid. 
 

# then stop squid and samba and configure it.
systemctl stop squid winbind
 
# flush the log, so if you start it you start with a clean log.  
> /var/log/squid/cache.log
 
# Configure smb.conf and join the AD domain,  the minimal setting for smb.conf.
cp /etc/samba/smb.conf{,.original}
 
echo "# Auth-Only setup with winbind. ( no Shares )
 
    workgroup = ${ADDOM}
    security = ADS
    realm = ${REALM}
    netbios name = $(echo ${HOSTN^^})
 
    ## make sure the below number never overlap system ranges, see 
/etc/adduser.conf 
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-
 
    ## map ids from the domain and (*) the range may not overlap !
    idmap config ${ADDOM} : backend = rid
    idmap config ${ADDOM} : range = 1-399
 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
 
    # renew the kerberos ticket
    winbind refresh tickets = yes
" > /etc/samba/smb.conf
 
# And verify it.
less /etc/samba/smb.conf
 
# Next step, join the AD domain. 
# Login/auth with kerberos. 
kinit Administrator
 
# and join the domain.
net ads join -k
 
# Creating the squid keytab file.
 
export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab ADD HTTP/${FQDN}

#Verify the keytab file : 
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab
 
# destroy your authentication ticket for Administrator. 
kdestroy 
 
# set correct rights. 
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here. 
 
# and set up your squid auth.
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth \\
  -k /etc/squid/squid-HTTP-${HOSTN}.keytab \\
  -s HTTP/${FQDN}@${REALM} \\
    --ntlm /usr/bin/ntlm_auth \\
  --helper-protocol=gss-spnego --domain=${ADDOM}
 
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on" > /etc/squid/conf.d/auth.conf
 
systemctl start winbind squid 
 
# Done 
# And check squid log how it started. 
cat /var/log/squid/cache.log

Now go configure the other parts you need of squid. 

And enjoy..  :-) 
 
 
Greetz, 
 
Louis
 
 
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Tevfik Ceydeliler
Sent: Wednesday 25 September 2019 13:59
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Kerberos nad keytab problem



Hi, I try to use

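The howto verifies the keytab with `klist -ke` by eye. As an added example (not the author's script and not part of Squid or Samba), the check below parses that output and confirms that the principal Squid will be started with via `-s HTTP/fqdn@REALM` is present, carries a single key version and an AES key, and warns about legacy enctypes still in the file. The klist text, the host proxy1.example.internal and the realm EXAMPLE.INTERNAL are constructed samples.

```python
"""Sanity-check a Squid HTTP service keytab from `klist -ke` output.

Added example; the klist output below is a constructed sample in the format
MIT klist prints (KVNO, principal, enctype in parentheses).
"""
import re

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                   "arcfour-hmac", "arcfour-hmac-md5"}

KLIST_OK = """\
Keytab name: FILE:/etc/squid/squid-HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (arcfour-hmac)
"""
# Same file after a second export without deleting the old keys: mixed KVNOs.
KLIST_STALE = KLIST_OK.replace(
    "   3 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (arcfour-hmac)",
    "   2 HTTP/proxy1.example.internal@EXAMPLE.INTERNAL (arcfour-hmac)")


def parse_klist(output: str) -> list:
    """Return (kvno, principal, enctype) for every key line; headers are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(output: str, fqdn: str, realm: str) -> list:
    """Compare the keytab against the SPN Squid is given with -s HTTP/<fqdn>@<REALM>."""
    expected = f"HTTP/{fqdn}@{realm}"
    problems = []
    if realm != realm.upper():
        problems.append(f"ERROR: realm '{realm}' must be upper case in the principal name")
    if fqdn != fqdn.lower():
        problems.append(f"WARN: host part '{fqdn}' is not lower case; principal names are case-sensitive")
    entries = parse_klist(output)
    if not entries:
        problems.append("ERROR: no key entries found; is this really `klist -ke` output?")
        return problems
    matching = [e for e in entries if e[1] == expected]
    if not matching:
        found = sorted({e[1] for e in entries})
        problems.append(f"ERROR: {expected} is not in the keytab (present: {found})")
        return problems
    kvnos = sorted({e[0] for e in matching})
    if len(kvnos) > 1:
        problems.append(f"ERROR: mixed key versions {kvnos} for {expected}; "
                        "the keytab holds stale keys, re-export it")
    enctypes = {e[2] for e in matching}
    if not any(et.startswith("aes") for et in enctypes):
        problems.append(f"WARN: no AES key for {expected}; AES-encrypted service "
                        "tickets from the KDC cannot be decrypted")
    for et in sorted(enctypes & LEGACY_ENCTYPES):
        problems.append(f"WARN: legacy enctype {et} present for {expected}; "
                        "keep it only while RC4/DES-only clients remain")
    return problems


if __name__ == "__main__":
    for name, text in (("ok", KLIST_OK), ("stale", KLIST_STALE)):
        print(name, check_keytab(text, "proxy1.example.internal", "EXAMPLE.INTERNAL"))
```

On the proxy itself, pipe in the real output with `subprocess.run(["klist", "-ke", path], capture_output=True, text=True).stdout` and pass the same `${FQDN}` and `${REALM}` values the howto puts on the `-s` line; a mismatch there is exactly what produces an empty username in access.log even though `kinit` works.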
Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread L . P . H . van Belle
Hai Rafael, 
 
Yes, I did that in an older setup, with your site guidance.. 
That works also very good .. 
 
Once I have time I'll see if I can update the squid wiki. 
 
 
Greetz, 
 
Louis
 

From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com] 
Sent: Wednesday 25 September 2019 17:27
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Kerberos nad keytab problem




Hello everyone,

 

Just my two cents too. Note you can map the *user* to the Kerberos SPN – this 
lets you have your squid proxy live outside of the AD.

Just setup the dedicated user in the AD, map SPN to it and export the keytab to 
your squid.

 

See 
https://docs.diladele.com/administrator_guide_stable/active_directory/index.html

 

Downside – the password for that designated user needs to be non expiring or 
you’d be regenerating keytabs every time the password changes. Which is not 
difficult anyway too.

 

Best regards,

Rafael Akchurin

Diladele B.V.

 

 

 

From: squid-users  On Behalf Of 
L.P.H. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem



 


Re: [squid-users] cant activate office365 through proxy

2019-12-16 Thread L . P . H . van Belle
What are your squid logs saying? 
 
Tip, close office, clear your squid logs, start office then look at the logs. 
And are you for example blocking login.microsoft.com or something like that. 
 
Greetz, 
 
Louis
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
robert k Wild
Sent: Monday 16 December 2019 16:06
To: squid-users@lists.squid-cache.org
Subject: [squid-users] cant activate office365 through proxy



hi all,

when I set my system proxy using squid I can open up IE and I can access 
websites fine, no problem

but when I open up my office365 app client i.e. word/excel/outlook etc I can't 
activate it as it says I'm not online

I have no idea why this is happening (I attach a screenshot in the link below)

I have even hashed out the http deny all line so it can go to any website

https://i.postimg.cc/xdcy2d5d/IMG-20191216-143812.jpg

thanks,
rob

-- 
Regards, 

Robert K Wild.






Re: [squid-users] Is Squid 4.9 gone?

2019-12-20 Thread L . P . H . van Belle
Ah.. it shows Amos is human also..  :-) 

If you need squid 4.9 in debian Buster (10) package. 

These are the packages I currently provide on/for Debian Buster. 
Squid 4.9 with ssl enabled settings.

Package list:  
https://apt.van-belle.nl/current-packages-in-buster-squid49-apt.txt 
(included also, squidclamav, packaged into : c-icap-module-squidclamav )

My repo setup. 
1) Choose http or https for your apt, both work, for https you need to:
apt-get install apt-transport-https

2) Import my public key
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

3) setup the repo. 
echo "deb http://apt.van-belle.nl/debian buster-squid49 main contrib non-free" 
| sudo tee -a /etc/apt/sources.list.d/van-belle.list

General info, :  https://apt.van-belle.nl 

Thank Amos and the squid dev team. 
I wish you guys the best, happy, healthy and successful year(s) to come. 

Greetz, 

Louis 


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Dmitry Melekhov
> Sent: Friday 20 December 2019 10:11
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Is Squid 4.9 gone?
> 
> On 20.12.2019 12:35, Amos Jeffries wrote:
> > On 20/12/19 9:03 pm, netadmin wrote:
> >> At the address:
> >> http://www.squid-cache.org/Versions/
> >> the latest version appears as 4.8 although I am running 4.9!
> >> What happened to version 4.9?
> >
> > I'm not entirely certain what happened there. I suspect it 
> was just an
> > oversight on my part not copying the files from the release 
> directory to
> > the web server. That has now been corrected.
> >
> > As to why you could be running a version not available on 
> the www site;
> > Vendors pull their release code from any one (or several) different
> > sources we provide them - our public git repository, FTP servers, or
> > rsync servers.
> 
> No, 4.9 was available on squid-cache.org some time ago :-)
> 
> 
> 



[squid-users] Squid 4.10 for Debian Buster on my Repo.

2020-02-03 Thread L . P . H . van Belle
Thanks Amos for the notify.

For the people on Debian Buster.
I have Debian Buster squid 4.10 SSL enabled and squidclamav on my repo. 
The debs and sources are available in amd64 and i386

--- THE REPO SETUP ---
1) Choose http or https for your apt, both work, for https you need to:
apt-get install apt-transport-https

2) Import my public key
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

3) (optional) setup a header line for the repo file.
echo "# AptVanBelle repo for samba." | sudo tee 
/etc/apt/sources.list.d/van-belle.list

4) In the line below, change the OS and/or samba version to what you want. 
Shown is debian stretch with samba 4.10.
echo "deb http://apt.van-belle.nl/debian buster-squid410 main contrib non-free" 
| sudo tee -a /etc/apt/sources.list.d/van-belle.list

If you like my work, I appreciate a small donation. 
Even with 1$ you're helping me to keep my server running.

https://www.paypal.me/LouisVanBelle
Bitcoin (BTC) : 3BMEXFUrncjVKByryNU1fcVLBLKE8i9TpX 
Ethereum (ETH): 0x2Baf9dd82DA17C6762D8bB30B3C1294713c516fc
You can send your "shit" coins also, if you need an address pm me. 
;-)


Greetz, 

Louis



Re: [squid-users] Squid configuration cache_peer does not take effect?

2020-02-03 Thread L . P . H . van Belle
Hai, 

Most probably the SSL options were not correctly enabled, or were missing, when you 
compiled Squid. 
So check if SSL is enabled. 
 
Greetz, 

Louis


> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of yohan83942
> Sent: Monday, 3 February 2020 15:27
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid configuration cache_peer 
> does not take effect?
> 
> I upgraded Squid to 5.0; it prompts `Unknown http_port option 'ssl-bump'.`
> 
> [root@localhost ~]# /usr/local/squid/sbin/squid -z
> 2020/02/03 22:20:56| FATAL: Unknown http_port option 'ssl-bump'.
> 2020/02/03 22:20:56| FATAL: Bungled 
> /usr/local/squid/etc/squid.conf line 68:
> http_port 3128 ssl-bump cert=/etc/squid/squid.pem 
> key=/etc/squid/squid.pem
> generate-host-certificates=on options=NO_SSLv2
> 2020/02/03 22:20:56| Squid Cache (Version 5.0.1): Terminated 
> abnormally.
> CPU Usage: 0.016 seconds = 0.009 user + 0.007 sys
> Maximum Resident Size: 17632 KB
> Page faults with physical i/o: 0
> 
> Did it change to something?
> 
> 
> 
> 
> --
> Sent from: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users
> -f1019091.html
> 



[squid-users] Squid and iptables

2020-02-10 Thread L . P . H . van Belle
Hai, 
 
I'm running Squid 4.10 on Debian 10 (with strongSwan VPN) and the ufw 
firewall (iptables). 
Most of it is running fine, but I still see some errors, and I somehow miss what I'm 
doing wrong here. 

So if someone has suggestions, that would be great. I see, for example, these 
lines in the UFW log: 

Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0

Now, the strange thing here is that I'm allowing my traffic on my LAN interface fully, so 
I don't see/get why I get these INVALID/BLOCK.
I'm out of ideas; I looked at it too much, I don't see it anymore..  :-( 

The needed parts of my Squid and iptables (ufw) setup: 
ETH0 = LAN  192.168.0.1.0/24 (ip: 192.168.0.1.1/24)
ETH1 = WAN  1.2.4.4/32  
  
The Squid part 
# From squid cache.log, the needed lines from a start of Squid, with the lines from squid.conf 

# http_port localhost:3128 connection-auth=off
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=[::1]:3128 remote=[::] FD 17 flags=1 
# all requests for and on localhost are trusted, so fully allowed without authentication. 

# http_port 192.168.249.221:3128 intercept  (no authentication possible on intercept) 
2020/02/10 11:44:13 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.0.1.1:3128 remote=[::] FD 21 flags=33

# https_port 192.168.249.221:3129 intercept ssl-bump \ .. (plus the cert/key parts, not relevant, this works). 
2020/02/10 11:44:13 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=192.168.0.1.1:3129 remote=[::] FD 25 flags=33

# Non-proxy aware (with authentication)
# http_port 192.168.249.221:8080
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=192.168.0.1.1:8080 remote=[::] FD 29 flags=1

# http_port 192.168.249.221:8081 ssl-bump \ .. (plus the cert/key parts, not relevant, this works). 
2020/02/10 11:44:13 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.0.1.1:8081 remote=[::] FD 37 flags=1


# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*filter
:INPUT DROP [213:54000]
:FORWARD ACCEPT [704:28436]
:OUTPUT ACCEPT [57:19155]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -s 10.1.2.00/24 -d 192.168.0.1.0/24 -i eth1 -m policy --dir in --pol 
ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.1.0/24 -d 10.1.2.00/24 -o eth1 -m policy --dir out 
--pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -
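
To make the INVALID/BLOCK lines in this mail easier to reason about, here is an added example (not part of the original mail, and not ufw's or Squid's code): a small Python parser for UFW kernel log lines of the form shown above. It separates the `key=value` fields from the bare TCP-flag tokens and labels RST packets that carry no SYN, which conntrack cannot match to a tracked connection and therefore reports as INVALID. The sample log lines are constructed after the ones in the mail; the third line (a new connection to the intercept port) is added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the UFW excerpt in the mail above.
# The third line is a constructed ordinary new connection to the intercept
# port 3128, included for contrast; it is not from the mail.
SAMPLE_UFW_LOG = """\
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:30 rtd-proxy1 kernel: [14324.100000] [UFW AUDIT] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=22200 DF PROTO=TCP SPT=52280 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "[UFW <ACTION>] " followed by the netfilter LOG fields
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")


@dataclass
class UfwEvent:
    action: str      # e.g. "BLOCK", "AUDIT", "AUDIT INVALID"
    fields: dict     # key=value tokens: IN, SRC, DST, PROTO, SPT, DPT, WINDOW, ...
    flags: set       # bare tokens: DF and the TCP flags (SYN, ACK, RST, ...)


def parse_ufw_line(line):
    """Parse one kernel LOG line written by ufw; return None for unrelated lines."""
    m = UFW_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # OUT= yields an empty value, which is fine
        else:
            flags.add(token)
    return UfwEvent(m.group("action"), fields, flags)


def classify(event):
    """Short reason label for why conntrack might call the packet INVALID."""
    if event.fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "RST" in event.flags and "SYN" not in event.flags:
        # A reset (here ACK RST with WINDOW=0) for a connection conntrack no
        # longer tracks: it matches no state and cannot open a new one, so
        # conntrack reports INVALID and ufw's before-rules log and drop it.
        return "stray-rst"
    if "SYN" in event.flags and "ACK" not in event.flags:
        return "new-syn"
    return "other"


def summarize(log_text):
    """Count events by (ufw action, reason, destination port)."""
    counts = {}
    for line in log_text.splitlines():
        event = parse_ufw_line(line)
        if event is None:
            continue
        key = (event.action, classify(event), event.fields.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_UFW_LOG).items()):
        print(n, key)
```

Run over a day of `/var/log/ufw.log` this gives a quick count per action, reason and port. An `ACK RST` with `WINDOW=0` from a LAN client to the authenticating port 8080 is consistent with the client tearing down a proxy connection that conntrack had already closed or timed out, not with LAN traffic being refused: in the default ufw before-rules (the `--ctstate INVALID -j ufw-logging-deny` line above), INVALID packets are logged and dropped before the interface allow rules are consulted, so an allow-all on eth0 does not stop those log lines.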

Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-17 Thread L . P . H . van Belle
Hai, 

This is the most stable way to run with Kerberos, or at least for me. 
* Below works for me with Samba 3.x-4.11.x and Squid 3.2 up to 4.10.

I'm running this on Debian Buster now (Samba 4.11.6 + Squid 4.10), 
all packaged in my own repo. 

1) Set up Samba and join the domain. This assumes an auth-only setup. 
Install winbind and set up smb.conf:

# Example auth-only smb.conf 
[global]
workgroup = NTDOM_IN_CAPS
security = ads
realm = YOUR.REALM.TLD_IN_CAPS

netbios name = HOSTNAME_IN_CAPS
preferred master = no
domain master = no
host msdfs = no

interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
dns proxy = yes

# Add and update TLS key
# Consider using certificates for Samba also; you can re-use them in Squid.
tls enabled = yes
tls keyfile = /etc/ssl/local/proxy1.key.pem
tls certfile = /etc/ssl/local/proxy1.cert.pem
tls cafile = /etc/ssl/certs/ca.pem

## map ids outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-

## map ids from the domain; the range may not overlap!
# BACKEND RID, assuming no Windows use except proxy/auth.
idmap config NTDOM : backend = rid
idmap config NTDOM : range = 1-399

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# renew the Kerberos ticket! MUST USE THIS
winbind refresh tickets = yes

# Optional use. 
winbind use default domain = yes

# enable offline logins
winbind offline logon = yes

# Added for freeradius support, if needed.
#ntlm auth = mschapv2-and-ntlmv2-only

# disable usershare creation; when set empty, no error log messages.
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# 

And start winbind

Now create the squid keytab file. 
KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
chown proxy:proxy /root/squid.keytab
chmod 640 /root/squid.keytab

And you're done; move the keytab to where you need it. 


Greetz, 

Louis


> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Rafael Silva Daniel
> Sent: Sunday, 16 February 2020 20:16
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with 
> the negotiate kerberos?
> 
> Hey guys! I'm still testing it, but I think I found my 
> mistake, so I will leave it here for future reference.
> 
> I compared the way I arranged things in my test environment with the
> production environment, and noticed some differences in the keytab. I still
> don't know if it's obligatory, I'm still testing it, but when I deleted the
> keytab, the account for the keytab in AD, the account for the machine in the
> Active Directory, and created another one, I used a different name for HTTP/
> 
> Like, the way I did that didn't work:
> 
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28
> 
> The way I did that worked:
> 
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squidproxy.domain.local --server dc01.domain.local --verbose --enctypes 28
> 
> 
> 
> 



Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-17 Thread L . P . H . van Belle
PS, forgot to say: 

after installing winbind and setting up smb.conf,

join the domain, of course: 
net ads join -U Administrator

or: 
kinit Administrator
net ads join -k yes

On Debian, there is no need to change any files except the smb.conf as shown. 
All other defaults should work out of the box. 


> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> L.P.H. van Belle
> Sent: Monday, 17 February 2020 10:00
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with 
> the negotiate kerberos?
> 



Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-17 Thread L . P . H . van Belle
Hai Rafael, 

Yes, I agree, this is the other most simple way, but I suggest you 
remove/change on this page:

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
 
The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1 

These are really outdated. ;-) 


To (just the default):

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = true
dns_lookup_realm = false


Keytabs and Samba, read: 
https://wiki.samba.org/index.php/Generating_Keytabs

https://wiki.samba.org/index.php/Keytab_Extraction 



Greetz, 

Louis




> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Rafael Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with 
> the negotiate kerberos?
> 
> Hello Rafael,
> 
> There is an easier option *without* joining the Squid machine 
> to the domain.
> See tutorial at 
> https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
> (it also applies to vanilla Squid without 
> our UI - just you would need to do more manual steps).
> 
> Raf
> 
> -Original Message-
> From: squid-users  
> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] please, can someone help me with the 
> negotiate kerberos?
> 
> Hello! I think I did almost everything right. Firstly I made 
> it in a test environment with Debian stretch running Squid 3.5 
> and a Windows Server 2008 based domain controller, and it worked!
> 
> But when I tried to deploy it in the production environment 
> running Debian stretch, Squid 3.5 and Windows Server 2012 as 
> the domain controller, the authentication never works; the 
> file /var/log/squid/cache.log shows this:
> 
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).
> 
> Obs1: I replaced a big string with letters and numbers by "(LETTERS AND NUMBERS)"
> Obs2: I posted more of the file in this link https://pastebin.com/Z2fe98dB
> 
> Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL:
> root@SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL
> 
> Valid starting       Expires              Service principal
> 02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> 	renew until 02/16/2020 09:55:32
> 
> 
> 
> The results of running: klist -kte /etc/squid/HTTP.keytab
> 
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts
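
The `gss_acquire_cred() ... No principal in keytab matches desired name` error quoted above is what you get when the service principal Squid is configured with (the `-s` option of `negotiate_kerberos_auth`) is not in the keytab exactly as written. As an added example (not from the thread, and not Squid's or MIT Kerberos' code), here is a Python check over `klist -kte` output: it reports whether the expected principal exists, which KVNOs and enctypes it carries, and whether anything stronger than RC4 is present, which also covers the outdated `rc4-hmac`/`des3` defaults criticised earlier in this reply. The sample listing is constructed after the one in the thread.

```python
import re

# Constructed sample in the shape of `klist -kte` output, modelled on the
# listing in the thread (two KVNOs for the same principals, RC4 plus AES).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)"
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Enctypes a defender would not want to be the only ones available
WEAK_ENCTYPES = {"arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}


def parse_klist(text):
    """Turn `klist -kte` output into a list of entry dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "principal": m.group("principal"),
                "enctype": m.group("enctype"),
            })
    return entries


def check_keytab(text, service_principal):
    """Report whether the principal Squid is configured with is in the keytab.

    Kerberos principal names are case-sensitive and carry the realm, so the
    comparison is exact: HTTP/squid2... and HTTP/squidproxy... are different
    principals even if they point at the same computer account.
    """
    entries = parse_klist(text)
    matching = [e for e in entries if e["principal"] == service_principal]
    return {
        "principal_present": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "enctypes": sorted({e["enctype"] for e in matching}),
        "strong_enctype_present": any(e["enctype"] not in WEAK_ENCTYPES for e in matching),
        "other_principals": sorted({e["principal"] for e in entries
                                    if e["principal"] != service_principal}),
    }


if __name__ == "__main__":
    # The name used in the thread's kinit line, and a name that is not in this keytab
    for spn in ("HTTP/squid2.domain.local@DOMAIN.LOCAL",
                "HTTP/squidproxy.domain.local@DOMAIN.LOCAL"):
        print(spn, check_keytab(SAMPLE_KLIST, spn))
```

Feed it `klist -kte /etc/squid/HTTP.keytab` output and the exact `-s` value from your `auth_param negotiate` line; if `principal_present` is false, the helper will fail the same way regardless of how the rest of the setup looks, and `other_principals` usually shows the name that was actually created.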

Re: [squid-users] please, can someone help me with the negotiate kerberos?

2020-02-21 Thread L . P . H . van Belle
Yeah, if you know how, it is pretty simple ;-) 
And thanks for the reply back and the nice words.. 

And you're welcome..  :-) 


Greetz, 

Louis


> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Rafael Silva Daniel
> Sent: Friday, 21 February 2020 14:30
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with 
> the negotiate kerberos?
> 
> Just to close the case and conclude: Louis' tip worked flawlessly. It
> combined well with the settings I already was using, and the authentication
> is working rock solid and stable, and the documentation Rafael provided
> clarified a lot of the ins and outs of Kerberos authentication with Squid,
> so I recommend to everyone who is having difficulties learning how to set
> up Kerberos authentication with Squid to combine the official config example
> from Squid with their tips and information; you will get it totally covered.
> 
> Thanks for the help!
> 
> 
> 
> 



Re: [squid-users] Squid - Kerberos - update keytab issue

2020-03-23 Thread L . P . H . van Belle
Hai, 
 
Use winbind and never have this problem again.
 
* Installing winbind only is sufficient; below works since Squid 3.2 up to 4.10.
 
An example of a minimal smb.conf for it. 
 
[global]
    # Auth-only setup with winbind (no shares)

    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.TLD
    netbios name = PROXY1

    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes
    interfaces = IP_OR_INTERFACENAME 127.0.0.1
    bind interfaces only = yes

    ### OBLIGATORY PART begin 
    ## map ids outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-

    ## map ids from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 10-399

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the Kerberos ticket
    winbind refresh tickets = yes

    ### OBLIGATORY PART end

    # Disable usershare creation (removes an unneeded error from the logs) 
    usershare path =

    # Disable printing completely (also removes an unneeded error from the logs)
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

-- --- 
 
and join the Windows domain. 
kinit administrator
net ads join -k
 
Allow the server in the AD to delegate Kerberos for Squid (or all services); 
that's up to you. 
After that's done, then:

Create the Squid keytab: 
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)  
Verify it: klist -ke /etc/squid/HTTP-$(hostname -s).keytab 
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab


! Optional krb5.conf (most of the time the default should be sufficient).

[libdefaults]
    default_realm = YOUR.REALM.TLD

## below here is optional.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

    ;https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
    ignore_k5login = true

And the Squid auth part: 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-proxy1.keytab \
    -s HTTP/proxy1.your.dnsdomain@your.realm.tld \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Good luck. 
 
Greetz, 
 
Louis
 
 


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
Sébastien Genesta
Sent: Monday, 23 March 2020 16:01
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid - Kerberos - update keytab issue




Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, 
my Kerberos authentication breaks.
(Currently, to bypass this issue, I regenerate the keytab file.)

Here is the command that I run every 6h to keep my keytab up to date:

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab

Below is the log I have on every run (when everything is OK):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer 
password structure -- generate_new_password: Generating a new, random password 
for the computer account -- generate_new_password: Characters read from 
/dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use 
via DNS SRV record in domain XX.LOCAL for procotol tcp -- get_dc_host: 
Found DC: x.x.local -- get_dc_host: Canonicalizing DC through 
forward/reverse lookup... -- get_dc_host: Found Domain Controller: 
.xx.local -- create_fake_krb5_conf: Created a fake krb5.conf 
file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- 
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: 
Trying to authenticate for KRB-PROX$ from local keytab... -- 
switch_default_ccache: Using the local credential cache: 
FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 
1 -- LDAPConnection: Connecting to LDAP server: xx.x.local 
-- ldap_get_base_dn: Determining default LDAP base: dc=x,dc=LOCAL 
-- get_default_ou: Determining default OU: 
CN=Computers,DC=xxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 
132267790228776214 -- execute: Password last set 28 days ago. -- execute: 
Exiting because password was changed recently. -- ~KRB5Context: Destroying 
Kerberos Context

Below are the logs when things went bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer 
password structure -- generate_new_password: Generating a new, random password 
for the computer account -- generate_new_password: Characters read from 
/dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use 
via DNS SRV record in doma
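
Both auth-only smb.conf examples in this thread (the one in the 17 February reply and the one above) stress that the `*` idmap range and the domain's rid range must not overlap, and that the `*` block, backend and range are obligatory. Here is an added example (not part of the original messages, and not Samba's own code) in Python that checks exactly that: it parses the `idmap config DOMAIN : option = value` lines from `[global]` and reports a missing `*` block, missing backends, missing or inverted ranges, and any overlap between domains. The sample smb.conf and its range numbers are constructed (the ranges in the archived messages are partly lost).

```python
import re

# Constructed sample smb.conf in the shape of the auth-only examples above.
# The range numbers are constructed; what matters is that the two ranges
# do not overlap and that the '*' block is present.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.TLD

    ## ids from outside the domain (and BUILTIN) go to the tdb backend
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    ## the domain itself, algorithmic rid mapping
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
"""

# Samba's "idmap config DOMAIN : option = value" form; spaces around ':' are optional
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+?)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Collect idmap options per domain from the [global] section."""
    domains = {}
    in_global = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comment lines
            continue
        if line.startswith("["):               # section header
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        m = IDMAP_RE.match(line)
        if m:
            opts = domains.setdefault(m.group("domain"), {})
            opts[m.group("option").lower()] = m.group("value")
    return domains


def parse_range(value):
    """'low-high' -> (low, high); reject malformed, empty or inverted ranges."""
    low, high = (int(part) for part in value.split("-", 1))
    if low >= high:
        raise ValueError(f"empty or inverted range: {value}")
    return low, high


def check_idmap(conf_text):
    """Return a list of problems; an empty list means the idmap setup is consistent."""
    problems = []
    domains = parse_idmap(conf_text)
    if "*" not in domains:
        problems.append("no default 'idmap config * : ...' entries")
    ranges = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: backend missing")
        if "range" not in opts:
            problems.append(f"{dom}: range missing")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # pairwise overlap test between all domains that have a usable range
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges of {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return problems


if __name__ == "__main__":
    print(check_idmap(SAMPLE_SMB_CONF) or "idmap config OK")
```

Run it against the real `/etc/samba/smb.conf` before `net ads join`; an overlapping or missing range is the kind of mistake that `testparm` accepts and that only shows up later as wrong or failing uid/gid lookups in winbind.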

Re: [squid-users] sometimes intermediate certificates were not downloaded when using sslbump

2020-04-08 Thread L . P . H . van Belle
This is a simple one. 

The certificate chain of that website is incorrect. 
As shown here: 
https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest 

Check your webserver first and correct your ciphers in your Apache webserver. 

Greetz, 

Louis
 

> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Dieter Bloms
> Sent: Wednesday, 8 April 2020 13:37
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] sometimes intermediate certificates 
> were not downloaded when using sslbump
> 
> Hello,
> 
> I use a self-compiled Squid 4.10, compiled as follows:
> 
> ~# squid --version
> Squid Cache: Version 4.10
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal 
> restrictions on distribution see 
> https://www.openssl.org/source/license.html
> 
> configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
> '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
> '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> '--with-default-user=squid' '--with-filedescriptors=131072' 
> '--with-logdir=/var/log/squid' '--disable-auto-locale' 
> '--disable-auth-negotiate' '--disable-auth-ntlm' 
> '--disable-eui' '--disable-carp' '--disable-htcp' 
> '--disable-ident-lookups' '--disable-loadable-modules' 
> '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> '--enable-async-io=128' '--enable-auth' 
> '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP 
> file' '--enable-epoll' '--enable-log-daemon-helpers=file' 
> '--enable-icap-client' '--enable-inline' '--enable-snmp' 
> '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> '--enable-useragent-log' '--enable-large-cache-files' 
> '--enable-removal-policies=lru,heap' 
> '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
> 
> In squid.conf I set the following acl at the very beginning of the acl section:
> 
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> cache allow fetch_intermediate_certificate
> cache deny all
> http_access allow fetch_intermediate_certificate
> 
> and squid fetches intermediate certificates for websites 
> like: https://incomplete-chain.badssl.com/
> But squid doesn't fetch the intermediate certificates for the 
> site https://www.formulare-bfinv.de/
> and I don't know why.
> 
> I checked all AIA entries in the certificates and it looks good to me.
> 
> Can anybody try the site https://www.formulare-bfinv.de/ with 
> sslbump enabled,
> so I can see whether my installation is broken or the 
> webserver configuration isn't correct?
> 
> Thank you very much.
> 
> -- 
> Best regards
> 
>   Dieter Bloms
> 
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my 
> address in the
> From field.
> 



Re: [squid-users] Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread L . P . H . van Belle
Hai, 

I'm currently building Squid 4.11 on Debian Buster (cowbuilder setup). 
I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid, 
which I have done since Squid 3.2; this is the first time it fails. 
But only amd64 fails to build, while i386 builds fine. 
That's a part I'm not familiar with; any suggestions?  

Part of the logs with the errors of the amd64 build: 

x86_64-linux-gnu-g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/etc/squid/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/share/squid\" -DDEFAULT_SQUID_CONFIG_DIR=\"/etc/squid\"   -I.. -I../include -I../lib -I../src -I../include  -isystem /usr/include/mit-krb5  -I../src  -isystem /usr/include/mit-krb5 -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/libxml2 -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -I/usr/include/libxml2 -I/usr/include/p11-kit-1 -g -O2 -fdebug-prefix-map=/build/squid-4.11=. -fstack-protector-strong -Wformat -Werror=format-security -c -o CommandLine.o CommandLine.cc
In file included from ../src/sbuf/SBuf.h:16,
 from ../src/anyp/PortCfg.h:16,
 from ../src/AccessLogEntry.h:12,
 from acl/FilledChecklist.h:12,
 from client_side.cc:61:
client_side.cc: In function 'void clientListenerConnectionOpened(AnyP::PortCfgPointer&, Ipc::FdNoteId, const Pointer&)':
client_side.cc:3663:27: error: 'Extra' is not a member of 'Debug'
Debug::Extra << "sd_notify() error: " << xstrerr(-result));
   ^
../src/Debug.h:133:21: note: in definition of macro 'debugs'
 _dbo << CONTENT; \
 ^~~
make[4]: *** [Makefile:7011: client_side.o] Error 1
make[4]: *** Waiting for unfinished jobs
make[4]: Leaving directory '/build/squid-4.11/src'
make[3]: *** [Makefile:7128: all-recursive] Error 1
make[3]: Leaving directory '/build/squid-4.11/src'
make[2]: *** [Makefile:6138: all] Error 2
make[2]: Leaving directory '/build/squid-4.11/src'
make[1]: *** [Makefile:586: all-recursive] Error 1
make[1]: Leaving directory '/build/squid-4.11'
make: *** [/usr/share/cdbs/1/class/makefile.mk:77: debian/stamp-makefile-build] 
Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2



Best regards, 

Louis





___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread L . P . H . van Belle
I'll report as soon as I know.
I'll add it to the build, thanks for the very quick reply! 

You guys are the best. 

Greetz, 

Louis


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Thursday 23 April 2020 14:28
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.11 not building with ssl 
> enable on Buster
> 
> On 24/04/20 12:00 am, L.P.H. van Belle wrote:
> > Hai, 
> > 
> > I'm currently building squid 4.11 on Debian Buster, Cowbuilder setup. 
> > I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid, 
> > which I have done since squid 3.2; this is the first time it fails, 
> > but only AMD64 fails to build, while i386 builds fine. 
> > That's a part I'm not familiar with; any suggestions?  
> > 
> ...
> > client_side.cc: In function 'void 
> clientListenerConnectionOpened(AnyP::PortCfgPointer&, 
> Ipc::FdNoteId, const Pointer&)':
> > client_side.cc:3663:27: error: 'Extra' is not a member of 'Debug'
> 
> You will need to add this patch:
> 
>  
>  ef13c00e82576d3bfeb2e30>
> 
> 
> Amos



[squid-users] FW: Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread L . P . H . van Belle
Hai, 
 
The folder test-suite/buildtests/ 
is a non-existing folder in the current 4.11 tar.gz.  
 
Can you verify that? I think that's also from 5.x
 

Greetz, 

Louis

> 
> 
> > -Original message-
> > From: squid-users 
> > [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> > Amos Jeffries
> > Sent: Thursday 23 April 2020 14:28
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Squid 4.11 not building with ssl 
> > enable on Buster
> > 
> > On 24/04/20 12:00 am, L.P.H. van Belle wrote:
> > > Hai, 
> > > 
> > > I'm currently building squid 4.11 on Debian Buster, 
> Cowbuilder setup. 
> > > I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid, 
> > > which I have done since squid 3.2; this is the first time it fails, 
> > > but only AMD64 fails to build, while i386 builds fine. 
> > > That's a part I'm not familiar with; any suggestions?  
> > > 
> > ...
> > > client_side.cc: In function 'void 
> > clientListenerConnectionOpened(AnyP::PortCfgPointer&, 
> > Ipc::FdNoteId, const Pointer&)':
> > > client_side.cc:3663:27: error: 'Extra' is not a member of 'Debug'
> > 
> > You will need to add this patch:
> > 
> >  
> >  > ef13c00e82576d3bfeb2e30>
> > 
> > 
> > Amos
> 



Re: [squid-users] Squid 4.11 not building with ssl enable on Buster

2020-04-23 Thread L . P . H . van Belle
Hai Amos

Thank you for all the help, it builds nicely now..
:-) 

The changes I used: 

0004-fix-var-run.patch
From: Louis van Belle 
Date: Thu, 23 Apr 2020 15:22:00 +0200
Subject: fix-var-run location to debian standards /run
--- a/tools/systemd/squid.service
+++ b/tools/systemd/squid.service
@@ -12,7 +12,7 @@

 [Service]
 Type=notify
-PIDFile=/var/run/squid.pid
+PIDFile=/run/squid.pid
 ExecStartPre=/usr/sbin/squid --foreground -z
 ExecStart=/usr/sbin/squid --foreground -sYC
 ExecReload=/bin/kill -HUP $MAINPID
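Review bot: PIDFile=/run/squid.pid changes only where systemd looks for the pid; the path Squid writes comes from its pid_filename setting (the --with-pidfile build default), which this hunk leaves alone, so the unit now relies on /var/run being a symlink to /run. Switch the build or squid.conf to the same /run/squid.pid path in the same patch and say so in the Subject line, so the two cannot drift apart.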


0005-fix-missing-debug-break-bz5041.patch
commit c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30 (HEAD, refs/remotes/origin/v4, 
refs/heads/v4)
Author: Alex Rousskov 
Date:   2020-04-23 05:56:35 -0600
Subject: Bug 5041: Missing Debug::Extra breaks build on hosts with systemd 
(#611)

--- a/configure.ac
+++ b/configure.ac
@@ -2162,6 +2162,7 @@
   fi
   if test "x$SYSTEMD_LIBS" != "x" ; then
 CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
+LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
 AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
   else
 with_systemd=no
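Review bot: Putting $SYSTEMD_LIBS into LDFLAGS links libsystemd into every binary and helper produced by this tree, not only the target that calls sd_notify(); placing it in LIBS or in that target's LDADD keeps the dependency (and the extra shared object mapped into each helper) where it is used. The patch description should also mention that the link of all targets changes, since the hunk gives no hint.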
--- a/src/Debug.h
+++ b/src/Debug.h
@@ -99,6 +99,10 @@

 /// configures the active debugging context to write syslog ALERT
 static void ForceAlert();
+
+/// prefixes each grouped debugs() line after the first one in the group
+static std::ostream& Extra(std::ostream &os) { return os << "\n"; }
+
 private:
 static Context *Current; ///< deepest active context; nil outside debugs()
 };
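Review bot: The doc comment says Extra "prefixes each grouped debugs() line after the first one", but the body only writes "\n" and no prefix or indent; either the comment should say it separates the grouped lines, or the intended prefix should be emitted. As a static member taking and returning std::ostream& it does work as a stream manipulator with operator<<, which is what the `Debug::Extra << "sd_notify() error: "` call site in client_side.cc above needs.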
 

Greetz, 

Louis


> -Original message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Thursday 23 April 2020 14:52
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.11 not building with ssl 
> enable on Buster
> 
> On 24/04/20 12:28 am, Amos Jeffries wrote:
> > On 24/04/20 12:00 am, L.P.H. van Belle wrote:
> >> Hai, 
> >>
> >> I'm currently building squid 4.11 on Debian Buster, 
> Cowbuilder setup. 
> >> I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid, 
> >> which I have done since squid 3.2; this is the first time it fails, 
> >> but only AMD64 fails to build, while i386 builds fine. 
> >> That's a part I'm not familiar with; any suggestions?  
> >>
> > ...
> >> client_side.cc: In function 'void 
> clientListenerConnectionOpened(AnyP::PortCfgPointer&, 
> Ipc::FdNoteId, const Pointer&)':
> >> client_side.cc:3663:27: error: 'Extra' is not a member of 'Debug'
> > 
> > You will need to add this patch:
> > 
> >  
>  ef13c00e82576d3bfeb2e30>
> > 
> 
> Or for a more easily used plain-text link:
>  
>  c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30.patch>
> 
> 
> Amos



Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-16 Thread L . P . H . van Belle
I think you forgot in your test that you may need to modify the default 
kerberos ticket used. 

I suggest you change your config a bit to something like: 

external_acl_type internet-win-allowed %LOGIN 
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-inter...@your.realm.tld \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld

Now test it. Start like this: 

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-inter...@your.realm.tld \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld \
-d 

(-d = debug) 

Test with -S and point to your server, does it work? 

Test again with -S, does it work? No? Change the default keytab for the test: 

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you are testing with, hit enter. 

And in the end you should see: 

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: 
INFO: User testuser is member of group@domain allowed-inter...@your.realm.tld
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| 
kerberos_ldap_group: DEBUG: OK

with search for the KDC in krb5.conf: 

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

And now, when it works, adjust the parameters to your needs 
(like the children-max=1 ttl=3600 negative_ttl=3600). 

Greetz, 

Louis

 

 

> 
> squid.conf:
> auth_param negotiate program
> /usr/local/libexec/squid/negotiate_kerberos_auth -di -s
> HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
> 
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 
> %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g
> linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check


Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread L . P . H . van Belle
Well, that's strange. 
No, I can't speak about OpenBSD, but below is pretty general. 

When you test, did you set this before the test? 
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN? 
And test/check if you see the HTTP/SPN in the UPN; if not, try that also. 
After that change the 
I just tested again to make my groups more flexible. 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
-D YOUR.REALM.TLD \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain@your.realm.tld \
-i -d 
This one is without the -g so we can use more group names, 
but test with -g first.

From this example, but I changed the LDAP group to a kerberos group here:
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy 


When I now put in "username groupname" after starting with the line above to 
test it out, I'm getting: 

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: 
INFO: User username is member of group@domain groupn...@your.realm.tld
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| 
kerberos_ldap_group: DEBUG: OK

This is all I have in krb5.conf:
[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true

and the AD DC lookup works if you set the SPN in the UPN, at least it works for 
me. 
I have my system's keytab as default keytab and  
KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME

TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

is set in /etc/default/squid3. 

So I'm thinking: review the keytab setup and the variable. 

And:
>The AD is reachable from the proxy machine but DNS is not done by the AD
>but on the proxy machine itself.

Same here, but I do have a forward zone in the DNS for my AD domain.


Hope this helps a bit. 

Greetz, 

Louis


> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday 19 September 2016 13:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test that you may need to modify the default
> > kerberos ticket used.
> >
> > I suggest you change your config a bit to something like
> >
> > external_acl_type internet-win-allowed %LOGIN
> > /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> > -D YOUR.REALM.TLD \
> > -g allowed-inter...@your.realm.tld \
> > -N ntdom...@your.realm.tld \
> > -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld
> 
> Hello,
> 
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
> 
> -- Matthias



Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread L . P . H . van Belle
Yes, 

You can fix that by setting the SPN HTTP/host.your.domain.tld in the UPN. 
I had that too, changed it and it is working perfectly now. 

See subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 
minor bugs maybe ) 

Greetz, 

Louis




> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday 19 September 2016 14:20
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> 
> On 19.09.2016 14:08, L.P.H. van Belle wrote:
> > Well, that's strange.
> > No, I can't speak about OpenBSD, but below is pretty general.
> >
> > When you test, did you set this before the test?
> > KRB5_KTNAME=/etc/squid/proxy.keytab
> > And does that keytab contain the HTTP/SPN?
> > And test/check if you see the HTTP/SPN in the UPN; if not, try that also.
> > After that change the
> > I just tested again to make my groups more flexible.
> >
> > /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
> > -D YOUR.REALM.TLD \
> > -N ntdom...@your.realm.tld \
> > -S dc1.your.dnsdomain@your.realm.tld \
> > -i -d
> > This one is without the -g so we can use more group names,
> > but test with -g first.
> >
> > From this example, but I changed the LDAP group to a kerberos group
> here:
> >
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> That's all there, environment is correctly set up. Keytab looks good.
> As said before, the negotiate_kerberos_auth part works like a charm.
> All I get is a bunch of messages complaining about not being able to
> reach any KDC in realm while initializing the credentials of the keytab...
> Thought that it might be a DNS issue but even configuring DNS so that
> the AD server does all the DNS stuff did not change a bit :(
> 
> -- Matthias



[squid-users] question about : NOTICE: Authentication not applicable onintercepted requests.

2017-02-16 Thread L . P . H . van Belle
Hai, 

I'm configuring my Debian Jessie with squid 3.5.24 (with ssl enabled), c-icap, 
squidclamav and winbind 4.5.5 for kerberos keytab refreshing. 

Now I'm at the point of reducing my logs and I noticed: 

NOTICE: Authentication not applicable on intercepted requests. 

messages in squid/cache.log. 

I know this is some misconfiguration somewhere but I'm having a hard time 
finding/understanding it. 

Where and why? So if anyone can help me find and understand it, that 
would be very nice. 

I can't see my error and everything else is working fine, except I haven't 
tested the kerberos group acl yet. 

So I didn't set that http_access yet. 

I'm having the following firewall rules: 

# Not authenticated web traffic, redirected to squid in intercept mode.
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.2:3128
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.0.2:3129

Port 8080 is also open. 

Web traffic for PCs which are domain joined have the proxy set by GPO to 
hostname.domain.tld port 8080. 

Web traffic for other devices doesn't need to authenticate. 

WPAD and DNS wpad are also set. 

Below is mostly from the updated wiki pages. 

A big thank you to Amos, Victor and others who changed the pages, looks good.

I have some small changes for a pure Debian based setup with samba4 as AD DC and 
winbind for the squid member server. 


This is my squid config. 

# Created from a running squid version : 3.5.24
# Running os : Debian GNU/Linux 8 (jessie)
# Creation date: 2017-02-15

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --kerberos 
/usr/lib/squid/negotiate_kerberos_auth -s 
HTTP/proxy2.internal.domain@internal.domain.tld --ntlm /usr/bin/ntlm_auth 
--helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 10 startup=5 idle=5
auth_param negotiate keep_alive on
external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN 
/usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g 
internet-allo...@internal.domain.tld -N nt...@internal.domain.tld -S 
dc1.internal.domain@internal.domain.tld -D INTERNAL.DOMAIN.TLD
acl authenticated proxy_auth REQUIRED

acl certificates rep_mime_type -i ^application/pkix-crl$

acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.249.0/24    # Company-1
acl localnet src 10.249.2.0/24   # Company-2
acl localnet src 10.249.3.0/24   # Company-3
acl localnet src 10.249.4.0/24   # Company-4
acl localnet src 10.249.5.0/24   # Company-5

acl SSL_ports port 443  # https
acl SSL_ports port 3952 # CIC client
acl SSL_ports port 10443    # https Cisco 5506x
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3952    # CIC client
acl Safe_ports port 10443   # https Cisco 5506x
acl CONNECT method CONNECT

## Added : Advertising Server Block List merge from YoYo.org and Host-file.net
acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"
http_access deny block-asbl

acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js
http_access allow google_recaptcha

acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
no_cache deny NO-CACHE-SITES
always_direct allow NO-CACHE-SITES
cache deny NO-CACHE-SITES

# 
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

## allow before auth so all pc's get the needed updates
http_access allow windows-updates
http_access allow antivirus-updates

http_access allow authenticated
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 192.168.249.222:3128 intercept connection-auth=off
https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem

http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 
key=/etc/ssl/local/CAkey.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslpro
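A check for the NOTICE discussed in this post, added here and not part of the post or of Squid itself: Squid logs "Authentication not applicable on intercepted requests" when an http_access rule tests a proxy_auth ACL (or an external ACL whose format uses %LOGIN, which likewise requires authentication) for a request that arrived on an intercept or tproxy port, so the scan below reports auth rules that carry no port-based ACL while such ports exist. The shortened config is constructed from the one above; the `intercepted` ACL, the `name=` labels and the `memberof-test` ACL are assumptions for the example.

```python
from typing import Dict, List, Set, Tuple

# ACL types that restrict a rule to particular listening ports.
PORT_ACL_TYPES = {"myportname", "localport", "myport"}
# ACL types whose evaluation triggers proxy authentication.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Constructed from the squid.conf in the post (shortened). The 'memberof-test'
# acl and its deny rule are added to exercise the %LOGIN external-acl case.
POSTED_CONF = """\
external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4
acl authenticated proxy_auth REQUIRED
acl memberof-test external memberof
acl localnet src 192.168.249.0/24    # Company-1
acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
http_access allow windows-updates
http_access allow authenticated
http_access deny !memberof-test
http_access allow localnet
http_access deny all
http_port 192.168.249.222:3128 intercept connection-auth=off
https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump
http_port 192.168.249.222:8080 ssl-bump
"""

# Same idea with the auth rule kept off the intercept ports (constructed; the
# name= labels and the myportname acl are not in the post).
GUARDED_CONF = """\
acl authenticated proxy_auth REQUIRED
acl intercepted myportname intercept80 intercept443
acl localnet src 192.168.249.0/24
http_access allow authenticated !intercepted
http_access allow localnet
http_access deny all
http_port 192.168.249.222:3128 intercept connection-auth=off name=intercept80
https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump name=intercept443
http_port 192.168.249.222:8080 ssl-bump
"""


def parse_squid_conf(conf: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Collect acl name -> type, the intercept/tproxy port specs and the
    http_access rules, in file order. External ACLs whose format contains
    %LOGIN are recorded as proxy_auth because they force authentication."""
    acl_types: Dict[str, str] = {}
    login_ext: Set[str] = set()
    intercept_ports: List[str] = []
    rules: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "external_acl_type" and len(parts) >= 2 and "%LOGIN" in parts:
            login_ext.add(parts[1])
        elif parts[0] == "acl" and len(parts) >= 3:
            acl_types[parts[1]] = parts[2]
            if parts[2] == "external" and len(parts) >= 4 and parts[3] in login_ext:
                acl_types[parts[1]] = "proxy_auth"
        elif parts[0] in ("http_port", "https_port") and len(parts) >= 2:
            if "intercept" in parts[2:] or "tproxy" in parts[2:]:
                intercept_ports.append(parts[1])
        elif parts[0] == "http_access":
            rules.append(line)
    return acl_types, intercept_ports, rules


def auth_rules_reachable_from_intercept(conf: str) -> List[str]:
    """http_access rules that test an authenticating ACL without any
    port-based ACL in the same rule, while intercept ports are configured."""
    acl_types, intercept_ports, rules = parse_squid_conf(conf)
    if not intercept_ports:
        return []
    flagged = []
    for rule in rules:
        names = [n.lstrip("!") for n in rule.split()[2:]]  # '!' negation is irrelevant here
        uses_auth = any(acl_types.get(n) in AUTH_ACL_TYPES for n in names)
        port_guard = any(acl_types.get(n) in PORT_ACL_TYPES for n in names)
        if uses_auth and not port_guard:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("guarded", GUARDED_CONF)):
        print(label, auth_rules_reachable_from_intercept(conf))
```

The check is per rule and ignores rule order, so a rule that can never be reached by an intercepted request still gets reported; treat hits as places to look rather than as errors.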

Re: [squid-users] question about : NOTICE: Authentication not applicable onintercepted requests. ( SOLVED )

2017-02-16 Thread L . P . H . van Belle
If this one arrived in the list: 

This is solved; the wpad.dat was guiding me to the other proxy while my gateway 
was set to my new proxy. 

This happened at the policy refresh and I did not notice it. 

Sorry for the noise. 

But if you see anything that is incorrect, or can have a better setup, please let 
me know. 

I always like improvements. 

Thanks

Louis


From: L.P.H. van Belle [mailto:be...@bazuin.nl] 
Sent: Wednesday 15 February 2017 10:54
To: 'squid-us...@squid-cache.org'
Subject: question about : NOTICE: Authentication not applicable on 
intercepted requests. 


 


[squid-users] unable to get squid kerberos group working.

2017-02-21 Thread L . P . H . van Belle
Hai,

I noticed a problem in the kerberos_ldap_group and I'm unable to get it working. 

I reported the bug here also: https://github.com/squid-cache/squid/issues/17 

Environment: Debian Jessie, Squid 3.5.24 Debian rebuild from Debian Stretch.
kerberos_ldap_group: INFO: Starting version 1.3.1sq

First: the kerberos group goes wrong with the SRV record detection. 
A and PTR records are in place and tested.

And a check on the SRV records shows:

dig SRV _ldap._tcp.internal.domain.tld.
;; ANSWER SECTION:
_ldap._tcp.internal.domain.tld. 900 IN SRV 5 100 636 dc1.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 5 100 636 dc2.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 10 100 389 dc1.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 10 100 389 dc2.internal.domain.tld.
;; AUTHORITY SECTION:

dig SRV _ldaps._tcp.internal.domain.tld.
;; ANSWER SECTION:
_ldaps._tcp.internal.domain.tld. 900 IN SRV 0 100 636 dc1.internal.domain.tld.
_ldaps._tcp.internal.domain.tld. 900 IN SRV 0 100 636 dc2.internal.domain.tld.
;; AUTHORITY SECTION:

But the debug log shows (cache.log): 

support_resolv.cc(407): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Adding internal.domain.tld to list
support_resolv.cc(443): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Sorted ldap server names for domain INTERNAL.DOMAIN.TLD:
support_resolv.cc(445): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Host: dc1.internal.domain.tld Port: 636 Priority: 5 Weight: 100 
support_resolv.cc(445): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Host: dc2.internal.domain.tld Port: 389 Priority: 5 Weight: 100
support_resolv.cc(445): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Host: dc1.internal.domain.tld Port: 636 Priority: 10 Weight: 100
support_resolv.cc(445): pid=15718 :2017/02/20 08:24:03| kerberos_ldap_group: 
DEBUG: Host: dc2.internal.domain.tld Port: 389 Priority: 10 Weight: 100

Wrong order in the debug output.

The hostnames and priority change, and this changes randomly at every startup. 
I don't know if this is the cause of my problem, that's why I'm asking here. 

 

So I'm trying to get my kerberos group checks working, but still no go and I 
just don't see what the problem is.

The Kerberos auth I use, which works fine:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s 
HTTP/proxy2.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

The kerberos_ldap_group line which I'm trying to get working: 

external_acl_type memberof-test-group ipv4 %LOGIN  
/usr/lib/squid/ext_kerberos_ldap_group_acl -d -i -m 4 \
    -g test-group \
    -N NTDOM@REALM \
    -D REALM \
    -S dc1.internal.domain.tld@REALM:dc2.internal.domain.tld@REALM 
acl test-group external memberof-test-group

and in my config I have as a test: 
http_access deny test-group

I tried also with -g test-group@ and -g test-group@@REALM

 

 

This is the debug part of the kerberos group auth when starting squid: 

kerberos_ldap_group.cc(376): pid=3420 :2017/02/21 10:24:35| 
kerberos_ldap_group: INFO: Got User: testuser Domain: REALM
support_member.cc(63): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: User domain loop: group@domain test-group@NULL
support_member.cc(91): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Default domain loop: group@domain test-group@NULL
support_member.cc(119): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Default group loop: group@domain test-group@NULL
support_member.cc(121): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Found group@domain test-group@NULL
support_ldap.cc(898): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Set credential cache to MEMORY:squid_ldap_3420
support_krb5.cc(138): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Get default keytab file name
support_krb5.cc(144): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Got default keytab file name /etc/squid/keytab.PROXY2-HTTP
support_krb5.cc(158): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Get principal name from keytab /etc/squid/keytab.PROXY2-HTTP
support_krb5.cc(169): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Keytab entry has realm name: REALM
support_krb5.cc(181): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Found principal name: HTTP/proxy2.internal.domain.tld@REALM
support_krb5.cc(196): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Got principal name HTTP/proxy2.internal.domain.tld@REALM
support_krb5.cc(260): pid=3420 :2017/02/21 10:24:35| kerberos_ldap_group: 
DEBUG: Stored credentials
support_ldap.c
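The mismatch in the helper's "Sorted ldap server names" list in this post, as an added example that is not from the post and not Squid's own support_resolv.cc: an RFC 2782 selection order over the SRV records from the dig answer that sorts whole records, so a target always keeps its own port, plus a check that reports helper entries matching no DNS record. The dig answer and helper lines are copied from the post; the function names and everything else are constructed.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the _ldap._tcp answer and the helper's debug lines from the post.
DIG_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.internal.domain.tld. 900 IN SRV 5 100 636 dc1.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 5 100 636 dc2.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 10 100 389 dc1.internal.domain.tld.
_ldap._tcp.internal.domain.tld. 900 IN SRV 10 100 389 dc2.internal.domain.tld.
"""

HELPER_OUTPUT = """\
DEBUG: Host: dc1.internal.domain.tld Port: 636 Priority: 5 Weight: 100
DEBUG: Host: dc2.internal.domain.tld Port: 389 Priority: 5 Weight: 100
DEBUG: Host: dc1.internal.domain.tld Port: 636 Priority: 10 Weight: 100
DEBUG: Host: dc2.internal.domain.tld Port: 389 Priority: 10 Weight: 100
"""


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answer(answer: str) -> List[Srv]:
    """Parse 'owner TTL IN SRV prio weight port target' lines as dig prints them."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "SRV":
            continue  # ';;' section markers and blank lines
        prio, weight, port = (int(x) for x in parts[4:7])
        records.append(Srv(prio, weight, port, parts[7].rstrip(".")))
    return records


def rfc2782_order(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """Lowest priority first; within one priority, targets are drawn with
    probability proportional to weight (weight 0 only when nothing else is
    left). Records move as a unit, so host, port and priority never get
    recombined the way the helper output above shows."""
    rng = rng or random.Random()
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                chosen = bucket[0]  # only weight-0 entries remain: any order
            else:
                pick = rng.randrange(total)
                running = 0
                for chosen in bucket:
                    running += chosen.weight
                    if pick < running:
                        break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def helper_entries_not_in_dns(helper_output: str, records: List[Srv]) -> List[Tuple[str, int, int]]:
    """Return (host, port, priority) triples the helper logged that do not
    exist in the DNS answer: the symptom reported in the post."""
    valid = {(r.target, r.port, r.priority) for r in records}
    bad = []
    for line in helper_output.splitlines():
        parts = line.split()
        if "Host:" not in parts:
            continue
        host = parts[parts.index("Host:") + 1]
        port = int(parts[parts.index("Port:") + 1])
        prio = int(parts[parts.index("Priority:") + 1])
        if (host, port, prio) not in valid:
            bad.append((host, port, prio))
    return bad


if __name__ == "__main__":
    recs = parse_srv_answer(DIG_ANSWER)
    for r in rfc2782_order(recs, random.Random(1)):
        print(f"{r.target}:{r.port} priority={r.priority} weight={r.weight}")
    print("helper entries with no matching SRV record:",
          helper_entries_not_in_dns(HELPER_OUTPUT, recs))
```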

Re: [squid-users] Build errors with Squid 3.5.24 under Debian

2017-03-01 Thread L . P . H . van Belle
Hai, 

>I am trying to build Squid 3.5.24 release under a Debian Testing
Debian Testing already has 3.5.23, so this should be very easy... 

# check if you have all dependencies.
apt-get build-dep squid

# Install your missing files if you did not see them. 
apt-get install libssl-dev libcrypto++-dev

apt-get source squid

# extract the 3.5.24 from squid-cache. 
# Copy the debian folder from 3.5.23 to 3.5.24

Now change: 
debian/rules 
( add --enable-ssl --with-openssl ) to the DEB_CONFIGURE_EXTRA_FLAGS
Change the debian/changelog. 

cd squid-3.5.24
dpkg-buildpackage -us -uc -b

Something like that; if you need more info, just mail me. 

I'm running 3.5.24-ssl in Jessie. 
If you want these packages (source and debs), same.. just mail me. 

Greetz, 

Louis


> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> C. L. Martinez
> Sent: Wednesday 1 March 2017 14:45
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Build errors with Squid 3.5.24 under Debian
> 
> Hi all
> 
>  I am trying to build Squid 3.5.24 release under a Debian Testing and
> returns the following errors:
> 
> depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
> /bin/bash ../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H
> -I../.. -I../../include -I../../lib -I../../src -I../../include  -isystem
> /usr/include/mit-krb5  -I/usr/include/libxml2  -I/usr/include/libxml2 -
> Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-
> virtual -Werror -pipe -D_REENTRANT -m64  -g -O2 -MT PortCfg.lo -MD -MP -MF
> $depbase.Tpo -c -o PortCfg.lo PortCfg.cc &&\
> mv -f $depbase.Tpo $depbase.Plo
> libtool: compile:  g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib
> -I../../src -I../../include -isystem /usr/include/mit-krb5 -
> I/usr/include/libxml2 -I/usr/include/libxml2 -Wall -Wpointer-arith -
> Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -
> D_REENTRANT -m64 -g -O2 -MT PortCfg.lo -MD -MP -MF .deps/PortCfg.Tpo -c
> PortCfg.cc  -fPIC -DPIC -o .libs/PortCfg.o
> In file included from ../../src/anyp/PortCfg.h:18:0,
>  from PortCfg.cc:10:
> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared
> in this scope
>  typedef LockingPointer
> X509_Pointer;
>  ^~~~
> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>  typedef LockingPointer
> X509_Pointer;
>  ^
> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not
> declared in this scope
>  typedef LockingPointer
> EVP_PKEY_Pointer;
>  ^~~~
> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>  typedef LockingPointer
> EVP_PKEY_Pointer;
>  ^
> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared
> in this scope
>  typedef LockingPointer SSL_Pointer;
>^~~
> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>  typedef LockingPointer SSL_Pointer;
>   ^
> Makefile:791: recipe for target 'PortCfg.lo' failed
> make[3]: *** [PortCfg.lo] Error 1
> make[3]: Leaving directory '/tmp/o/squid-3.5.24/src/anyp'
> Makefile:7296: recipe for target 'all-recursive' failed
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory '/tmp/o/squid-3.5.24/src'
> Makefile:6157: recipe for target 'all' failed
> make[1]: *** [all] Error 2
> make[1]: Leaving directory '/tmp/o/squid-3.5.24/src'
> Makefile:581: recipe for target 'all-recursive' failed
> make: *** [all-recursive] Error 1
> 
>  I have installed the following packages:
> 
>  build-essential autoconf automake libtool flex bison autoconf-archive
> gnu-standards libecap3-dev libssl-dev libcurl4-openssl-dev pkg-config
> libsasl2-dev libxml2-dev libkrb5-dev libnetfilter-conntrack-dev
> libcppunit-dev libcap-dev libevent-dev nettle-dev
> 
>  And my configure options are:
> 
>  ./configure --prefix=/opt/squid --sysconfdir=/etc/squid --enable-inline -
> -disable-arch-native --enable-async-io=8 --enable-
> storeio="ufs,aufs,diskd,rock" --enable-removal-policies="lru,heap" --
> enable-delay-pools --enable-cache-digests --enable-icap-client --enable-
> follow-x-forwarded-for --enable-eui --enable-esi --enable-icmp --enable-
> zph-qos --enable-ecap --disable-translation --with-
> swapdir=/var/spool/squid --with-logdir=/var/log/squid --with-
> pidfile=/var/run/squid.pid --with-filedescriptors=65536 --with-large-files
> --with-default-user=proxy --enable-ssl-crtd  --enable-linux-netfilter --
> with-openssl
> 
>  Where am I making the mistake?
> 
> --
> Greetings,
> C. L. Martinez

Re: [squid-users] Build errors with Squid 3.5.24 under Debian

2017-03-01 Thread L . P . H . van Belle
Hai Amos, 

Thank you for that info, I didn't know that.
Will this be fixed for 3.5 or is Squid 4 going to enter Debian? 
I know I'll stay a bit longer on Debian Jessie to avoid this. 


Greetz, 

Louis

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 1 March 2017 17:31
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Build errors with Squid 3.5.24 under Debian
> 
> On 2/03/2017 3:42 a.m., L.P.H. van Belle wrote:
> > Hai,
> >
> >> I am trying to build Squid 3.5.24 release under a Debian Testing
> > Debian testing already has 3.5.23 so this should be very easy...
> >
> 
> Debian Testing/stretch and sid contain OpenSSL v1.1. But Squid-3 only
> supports OpenSSL v1.0.
> 
> You need to install libssl1.0-dev there instead of libssl-dev.
> 
> Amos
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Build errors with Squid 3.5.24 under Debian

2017-03-01 Thread L . P . H . van Belle
Hai Amos, 

Now I'm a bit confused. (Sorry, English is not my native language.) 

In my situation: 
1) I (normally) only use Debian packages. 
2) If I build something newer than what Debian supplies, like Squid, 
I use the Debian packages as the base for the setup, then I build a Debian package 
and install that. 

Now with Debian Stretch I see libssl1.0-dev and libssl1.1 in the tree.
Can I still use libssl1.0-dev to build Squid with SSL support? 
Even when Debian Stretch installs OpenSSL 1.1.0? 

And thank you in advance for clarifying. 
And now I understand at least why I had problems building on Stretch. :-) 

Greetz, 

Louis

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 2 March 2017 8:17
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Build errors with Squid 3.5.24 under Debian
> 
> On 2/03/2017 8:00 p.m., L.P.H. van Belle wrote:
> > Hai Amos,
> >
> > Thank you for that info, I didn't know that.
> > Will this be fixed for 3.5 or is Squid 4 going to enter Debian?
> > I know I'll stay a bit longer on Debian Jessie to avoid this.
> 
> This is just a matter of what *-dev package you install for your custom
> build requirements. There is nothing relevant for Debian to do.
> 
> Amos
> 



Re: [squid-users] HTTPS woes

2017-04-19 Thread L . P . H . van Belle
Hai, 

I'm guessing Squid is starting too soon, or there is no /dev/shm. 

Check, or try adding if it is not already in /etc/fstab: 

none  /dev/shm  tmpfs  defaults  0 0 

And reboot the server. 


Or I don't know and someone else can tell you. ;-) 
But on my Jessie with Squid 3.5.24+ssl I don't see this problem. 

A small tip about the certificates on Debian or Ubuntu: 
install ca-certificates (apt-get install ca-certificates) 
and read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ 



Greetz, 

Louis





 

> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Olly Lennox
> Sent: Wednesday 19 April 2017 11:22
> To: Amos Jeffries; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] HTTPS woes
> 
> Thanks Amos, I'll install this. One last question if I may! 
> Squid is working fine now with both HTTP and HTTPS but for 
> some reason it is refusing to launch on boot. 
> 
> It works perfectly when started with "service squid start" 
> but not at boot. The error is:
> squid.service - LSB: Squid HTTP Proxy version 3.x
>    Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
>    Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
> 
> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
> Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
> Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
> 
> Any ideas?
> 
> 
> 
> 
> From: Amos Jeffries 
> To: squid-users@lists.squid-cache.org
> Sent: Wednesday, 19 April 2017, 5:22
> Subject: Re: [squid-users] HTTPS woes
> 
> 
> 
> Olly,  Debian provides a ca-certificates package containing 
> the Mozilla CA list. It is updated whenever the CA set 
> changes. Though of course you should have apt connected to 
> the relevant security repository (jesse-security?) for 
> regular updates.
> 
> 
> Amos
> 
> 
> On 19/04/17 03:10, Olly Lennox wrote:
> 
> Would you mind sharing the script you use?
> > 
> >oli...@lennox-it.uk
> >lennox-it.uk
> >tel: 07900 648 252
> >
> 



Re: [squid-users] Problem with Squid3 Authentication ( after sambaupgrades )

2017-05-23 Thread L . P . H . van Belle
Hi Amos and others. 

It's not a "samba" thing or a squid thing.   
Maybe in the end yes, but this is a configuration thing. 

For you guys to know, a Samba AD DC sets up this parameter as default: 
 ldap server require strong auth = yes 
which obligates the use of TLS. 

Next, users don't configure /etc/ldap/ldap.conf when they use TLS. 
Squid and Samba may need the CA root if you use TLS, 
which should go in ldap.conf: 
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

Samba sets these days: 
ntlm auth = no
lanman auth = no

which disables NTLMv1, and last, users don't know Kerberos and the need for A/PTR 
records. 

For others, I've posted an example auth setup and smb.conf setup for Squid on 
Debian Jessie.
Tested as of Squid 3.4.8 up to 3.5.24 (with and without SSL bumping). 
Google for: Problems with Samba 4.6.3 Authentication  
Post date 23 May 2017

When upgrading samba/winbind from 4.2 up to 4.5 or 4.6, 
you MUST read the change logs at least for every Samba 4.X.0 version, 
at least 4.2.0 4.3.0 4.4.0 4.5.0 and 4.6.0. 

https://www.samba.org/samba/history/ 
Look at the smb.conf changes. 
Like this one for 4.5: 
smb.conf changes

  Parameter Name              Description       Default
  --------------              -----------       -------
  kccsrv:samba_kcc            Changed default   yes
  ntlm auth                   Changed default   no
  only user                   Removed
  password hash gpg key ids   New
  shadow:snapprefix           New
  shadow:delimiter            New               _GMT
  smb2 leases                 Changed default   yes
  username                    Removed



Greetz, 

Louis



 

> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Monday 22 May 2017 22:46
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Squid3 Authentication
> 
> On 23/05/17 02:15, Marcio Demetrio Bacci wrote:
> > I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid 
> > authentication doesn't work.
> >
> > In Samba 4.2.1 it is working properly.
> >
> > This is my authentication block:
> >
> >
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
> > DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
> > -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f 
> "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored auth_param basic 
> > credentialsttl 8 hours auth_param basic casesensitive off
> >
> > I'm using Squid 3.4.8
> >
> > Can anybody help me ?
> 
> If the only thing that changed was Samba, it's clearly an issue 
> with that end of the system.
> 
> I suggest you compare those LDAP parameters with what the new 
> Samba version needs, and if there is no issue there please 
> contact your vendor or the Samba help channels.
> 
> Amos
> 
> 



Re: [squid-users] Negotiate Kerberos Auth - BH Invalid request

2017-06-13 Thread L . P . H . van Belle
First, it's very handy to know your OS and the Samba and Squid versions used. 

Second, 
Squid/RADIUS etc., anything that uses NTLMv1 with Samba, stopped working after 
4.5.0. 
I think your main problem can be explained by this extract from the release 
notes for 4.5.0:


NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed the default value for the "ntlm 
auth" option from "yes" to "no".
This may have impact on very old clients which don't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now, 
as we have the following default "lanman auth = no", "ntlm auth = no" and "raw 
NTLMv2 auth = no".


Greetz, 

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Kevin Mühlparzer
Sent: Tuesday 13 June 2017 14:00
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Negotiate Kerberos Auth - BH Invalid request




Hello list,

I asked about a problem with NTLM authentication before. (BH SPNEGO request 
invalid prefix; that's the error of the helper protocol 
"helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine)

A user told me I should use negotiate_kerberos_auth instead of ntlm_auth.

Now here's my new problem:

root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305
testuser xxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xx' from squid (length: 18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxx]
BH Invalid request

So my configuration has mistakes, but I can't find them. I don't really know 
where to search, or what works for sure. I tried many tutorials on krb5 and 
samba. Every form of testing I tried works fine except indeed using the 
required kerberos authentication of my squid-proxy.

Tests that come to my mind:

kinit a user

Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@X-XXX.LOCAL

Valid starting       Expires              Service principal
2017-06-13 13:38:37  2017-06-13 23:38:37  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
	renew until 2017-06-14 13:38:34

klist -k on my HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL




basic-auth using ntlm


root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic --username=testuser --password=
testuser xx
OK
testuser@x-xxx.local 
OK

wbinfo -u
administrator
testuser
...
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
...

wbinfo --krb5auth=testuser%xxx
plaintext kerberos password authentication for [testuser%xxx] succeeded 
(requesting cctype: FILE)

wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded

wbinfo --authenticate=testuser%
plaintext password authentication succeeded
challenge/response password authentication succeeded

/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local
Token: 

Re: [squid-users] Error Compiling squid-3.5.26 with libecap-1.0.1 on CentOS Linux release 7.3.1611

2017-06-13 Thread L . P . H . van Belle
Looks the same as this:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Compiling-squid-3-5-4-with-ecap-enabled-td4671325.html
 

Greetz, 

Louis



> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Norbert Naveen
> Sent: Tuesday 13 June 2017 16:46
> To: 'Alex Rousskov'; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Error Compiling squid-3.5.26 
> with libecap-1.0.1 on CentOS Linux release 7.3.1611
> 
> Hello
>   The Make output can be found at
>   https://drive.google.com/open?id=0B_dDVNpzSGEKcFlMSlBVZWs5c2c
> 
> 
>  And the output of # grep 'EXT_LIBECAP_.*=' 
> src/adaptation/ecap/Makefile EXT_LIBECAP_CFLAGS = 
> /usr/local/lib EXT_LIBECAP_LIBS = /usr/local/lib
> 
> 
>  I did the below to no effect
> make -k clean;
> ./configure  --enable-ecap
>  make > /tmp/build.log 2>&1
> 
> Build Log is available at
> https://drive.google.com/open?id=0B_dDVNpzSGEKM3JSUHNJLWJlWjA
> 
> Thanks
> Naveen
> 
> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
> Sent: Tuesday, June 13, 2017 2:12 AM
> To: norbert.nav...@tayana.in; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Error Compiling squid-3.5.26 with 
> libecap-1.0.1 on CentOS Linux release 7.3.1611
> 
> On 06/12/2017 11:29 AM, Norbert Naveen wrote:
> 
> > I have attached Outputs of both Configure and Make And  libecap.pc 
> > contents are as below
> 
> Your ./configure output and libecap.pc contents look good to 
> me, but there is no sign of the eCAP library (-lecap) being 
> linked with Squid during "make". If running "make clean; 
> ./configure ...; make" does not fix this, then please find a 
> way to post a link to the _entire_ build log. Something along 
> these lines should be able to capture it:
> 
>   $ make -k clean; (./configure ...; make) > /tmp/build.log 2>&1
> 
> You may want to compress /tmp/build.log. Please post a link 
> to some public file sharing site here instead of the file 
> itself. Even compressed, it may be too big to email.
> 
> Also, what does the following command output?
> 
>   $ grep 'EXT_LIBECAP_.*=' src/adaptation/ecap/Makefile
> 
> (adjust the Makefile path if necessary if you are not 
> building Squid in its source directory)
> 
> 
> Cheers,
> 
> Alex.
> 
> 



[squid-users] squid 3.5.10 samba4 kerberos few questions (debain Jessie)

2015-12-16 Thread L . P . H . van Belle
Hai, 

I'm having the following running. 

Debian Jessie, Squid 3.5.10 (recompiled from sid) with ICAP and authorisation 
against a Samba 4 AD DC. 

I begin with: this works great! So now my questions and the conf part for 
this. 

I am using the following authentications. 

First Kerberos:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

And this works also:

#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I use basic auth as fallback.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h samba4-dc2.internal.domain.tld \
    -h samba4-dc1.internal.domain.tld

I know the following: 

## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN 
JOINED PCs.
##    Fallback to LDAP for NON WINDOWS, NON DOMAIN JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will end up in 
an endless user popup for auth,
##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates 
Windows PCs not domain joined.

When people access websites I see a lot of: TCP_DENIED/407 

Sometimes about 10-12 times TCP_DENIED/407, even when the user already 
accessed the website and is authenticated. 

Is this because of PC auth, or user auth, or by design as I read here: 

http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html

acl AuthRequest http_status 407 
access_log ... !AuthRequest ...

Is this the only solution to reduce the 407s, or am I missing some setting here? 

If you need more info, just ask.. 

Greetz, 

Louis

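An added example for the 407 question above; this is not code from the thread or from the Squid project. It tallies TCP_DENIED/407 per client from native-format access.log lines and separates the normal few challenges per new connection (followed by requests that carry a user name) from a client whose requests are all 407 with no user name, the looping-client case. The log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: per-client view of TCP_DENIED/407 in Squid's native access.log.
# A few 407s followed by requests carrying a user name is normal (every new
# connection is challenged first); a client with only 407s and never a user
# name is stuck in an auth loop and worth a closer look. Sample lines are
# constructed, not taken from a real proxy.

# auth_summary < access.log
# Prints "client challenges authenticated" per client, sorted by client.
# Native format fields: time elapsed client action/status size method url user hier/peer type
auth_summary() {
    awk '
        NF >= 10 {
            split($4, ac, "/")            # ac[1]=TCP_DENIED ac[2]=407
            seen[$3] = 1
            if (ac[2] == "407") ch[$3]++
            else if ($8 != "-") ok[$3]++  # a user name means auth succeeded
        }
        END {
            for (c in seen) printf "%s %d %d\n", c, ch[c] + 0, ok[c] + 0
        }' | sort
}

# looping_clients [MIN] < access.log
# Clients with at least MIN (default 10) challenges and no authenticated request.
looping_clients() {
    auth_summary | awk -v min="${1:-10}" '$2 >= min && $3 == 0 { print $1 }'
}

# Constructed sample log: 10.0.0.5 is challenged on three new connections and
# then authenticates as louis@KERB.REALM; 10.0.0.9 never gets past the 407.
sample_log() {
    cat <<'EOF'
1450258800.101      0 10.0.0.5 TCP_DENIED/407 3985 GET http://www.example.org/ - HIER_NONE/- text/html
1450258800.230    180 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.org/ louis@KERB.REALM HIER_DIRECT/93.184.216.34 text/html
1450258800.310      0 10.0.0.5 TCP_DENIED/407 3985 GET http://www.example.org/style.css - HIER_NONE/- text/html
1450258800.320      0 10.0.0.5 TCP_DENIED/407 3985 GET http://www.example.org/logo.png - HIER_NONE/- text/html
1450258800.470     90 10.0.0.5 TCP_MISS/200 2210 GET http://www.example.org/style.css louis@KERB.REALM HIER_DIRECT/93.184.216.34 text/css
EOF
    i=0
    while [ "$i" -lt 12 ]; do
        printf '1450258801.%03d      0 10.0.0.9 TCP_DENIED/407 3985 GET http://www.example.org/ - HIER_NONE/- text/html\n' "$i"
        i=$((i + 1))
    done
}

# Usage on a real log: auth_summary < /var/log/squid/access.log
if [ "$1" = "demo" ]; then
    sample_log | auth_summary
    echo "looping: $(sample_log | looping_clients)"
fi
```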


Re: [squid-users] Unable to access websites through Squid

2015-12-23 Thread L . P . H . van Belle
Hai, 

I had troubles also with the squid config files, so I created 
"squid-conf-split". 

Basically this small piece of code below. 


## code starts here. 
#!/bin/sh

DATE_NOW=$(date +%Y-%m-%d)

# keep a dated copy of an existing conf.d before writing into it
if [ -d /etc/squid/conf.d ]; then
    cp -R /etc/squid/conf.d /etc/squid/conf.d-${DATE_NOW}
else
    mkdir /etc/squid/conf.d
fi

cd /etc/squid/conf.d || exit 1

# keep the untouched Debian squid.conf as the source for the split
if [ ! -e /etc/squid/squid.conf.debian ]; then
    if [ -e /etc/squid/squid.conf.dpkg-dist ]; then
        cp /etc/squid/squid.conf.dpkg-dist /etc/squid/squid.conf.debian
    else
        cp /etc/squid/squid.conf /etc/squid/squid.conf.debian
    fi
fi

# split one line before every "# ---" section separator into squid-00, squid-01, ...
csplit -f squid- -n2 /etc/squid/squid.conf.debian '/# -/-1' '{*}' > /dev/null

# name each piece after its section title (its first line), spaces turned into dashes
for x in squid-* ; do
    NAME=$(head -n1 "$x" | tr -s ' ' | tr ' ' '-' | cut -c3-100)
    mv "$x" "$x-00-$NAME.conf"
done

cat << EOF > /etc/squid/squid.conf
## Debian Squid split based config
## edit the files in /etc/squid/conf.d/
include /etc/squid/conf.d/*.conf
EOF

## code ends here. 


You end up with a layout like this. 

All files starting with squid-XX-00 are the default settings of Squid. 

All squid-XX-01-custom are my changes. 

Only 1 file is an exception: squid-03-00-ACCESS-CONTROLS.conf. Since order 
is a big thing in this file, I make a copy of it 
and add my entries there. All others, see below. 


squid-00-00-WELCOME-TO-SQUID-3.5.12.conf
squid-01-00-OPTIONS-FOR-SMP.conf
squid-02-00-OPTIONS-FOR-AUTHENTICATION.conf
squid-02-01-auth-negotiate-both.conf
squid-02-04-auth-ldap-AD.conf
squid-02-99-auth-acl.conf
squid-03-00-ACCESS-CONTROLS.conf
squid-04-00-NETWORK-OPTIONS.conf
squid-05-00-SSL-OPTIONS.conf
squid-06-00-OPTIONS-RELATING-TO-EXTERNAL-SSL_CRTD-.conf
squid-07-00-OPTIONS-WHICH-AFFECT-THE-NEIGHBOR-SELECTION-ALGORITHM.conf
squid-08-00-MEMORY-CACHE-OPTIONS.conf
squid-08-01-custom.conf
squid-09-00-DISK-CACHE-OPTIONS.conf
squid-09-01-custom.conf
squid-10-00-LOGFILE-OPTIONS.conf
squid-10-01-custom.conf
squid-11-00-OPTIONS-FOR-TROUBLESHOOTING.conf
squid-11-01-custom.conf
squid-12-00-OPTIONS-FOR-FTP-GATEWAYING.conf
squid-12-01-custom.conf
squid-13-00-OPTIONS-FOR-EXTERNAL-SUPPORT-PROGRAMS.conf
squid-13-01-custom.conf
squid-14-00-OPTIONS-FOR-URL-REWRITING.conf
squid-15-00-OPTIONS-FOR-STORE-ID.conf
squid-16-00-OPTIONS-FOR-TUNING-THE-CACHE.conf
squid-16-01-custom.conf
squid-17-00-HTTP-OPTIONS.conf
squid-17-01-custom.conf
squid-18-00-TIMEOUTS.conf
squid-18-01-custom.conf
squid-19-00-ADMINISTRATIVE-PARAMETERS.conf
squid-19-01-custom.conf
squid-20-00-OPTIONS-FOR-THE-CACHE-REGISTRATION-SERVICE.conf
squid-21-00-HTTPD-ACCELERATOR-OPTIONS.conf
squid-22-00-DELAY-POOL-PARAMETERS.conf
squid-23-00-CLIENT-DELAY-POOL-PARAMETERS.conf
squid-24-00-WCCPv1-AND-WCCPv2-CONFIGURATION-OPTIONS.conf
squid-25-00-PERSISTENT-CONNECTION-HANDLING.conf
squid-26-00-CACHE-DIGEST-OPTIONS.conf
squid-27-00-SNMP-OPTIONS.conf
squid-27-01-custom.conf
squid-28-00-ICP-OPTIONS.conf
squid-28-01-custom.conf
squid-29-00-MULTICAST-ICP-OPTIONS.conf
squid-30-00-INTERNAL-ICON-OPTIONS.conf
squid-31-00-ERROR-PAGE-OPTIONS.conf
squid-31-01-custom.conf
squid-32-00-OPTIONS-INFLUENCING-REQUEST-FORWARDING-.conf
squid-32-01-custom.conf
squid-33-00-ADVANCED-NETWORKING-OPTIONS.conf
squid-34-00-ICAP-OPTIONS.conf
squid-34-01-icap-squidclamav.conf
squid-35-00-eCAP-OPTIONS.conf
squid-36-00-MESSAGE-ADAPTATION-OPTIONS.conf
squid-37-00-DNS-OPTIONS.conf
squid-37-01-custom.conf
squid-38-00-MISCELLANEOUS.conf
squid-38-01-custom.conf

 

 

If you use Kerberos authentication, you can use a setup like this. I've tested 
both, and both work as of 3.4.8 -> 3.5.12 (I recompiled 3.5 from sid). 

## this line needs good working Principal names.

[squid-users] FW: [Samba] Squid with NTLM auth behind netscaler

2015-12-29 Thread L . P . H . van Belle
Hai, 

> i read "Do not use this method if you run winbindd or other samba 
> services as samba will reset the machine password every x days and 
> thereby makes the keytab invalid

Seems wrong to me. 

If you use Samba 4 (don't know if it's the same for Samba 3), 

make sure you have this in smb.conf:

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind refresh tickets = yes
   winbind offline logon = yes

refresh tickets refreshes the machine password in the keytab. 
Offline logon is handy if your DC is down. 

Steps to follow:

Install Samba and join the domain. 
Check the SPNs of the hostname; if you are missing things, add them. 
Remove /etc/krb5.keytab
Recreate it again (now it has all the needed SPNs) with: 
net ads keytab create -U administrator

Restart Samba. 

Now go configure Squid. 


Greetz, 

Louis

> Louis
> 
> > -Original Message-
> > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> On behalf of
> > Fabio Bucci
> > Sent: Tuesday 29 December 2015 15:30
> > To: Amos Jeffries
> > CC: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
> >
> > Hi Amos,
> > i'm trying to implement kerberos as you suggested me. But following
> > the guide i read "Do not use this method if you run winbindd or other
> > samba services as samba will reset the machine password every x days
> > and thereby makes the keytab invalid !!" and my system guy told me we
> > use winbindd method.
> >
> > How can i implement so?
> > Thanks
> >
> > 2015-12-16 21:12 GMT+01:00 Amos Jeffries :
> > > On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> > >> i'm planning to migrate to kerberos instead NTLM.i got a question
> > for
> > >> you Amos: sometimes a client reports issue in navigation and
> searching
> > into
> > >> log file i cannot see "username" and all the request are 407
> > >>
> > >> In these cases is there a way to reset a user session or it's a
> > completely
> > >> client issue?
> > >
> > > Usually it is the client stuck in a loop trying Negtiate/NTLM auth for
> > > some reason. Some old Firefox, most Safari, and older IE can all get
> > > stuck trying those credentials and ignoring the offers of Basic.
> > >
> > > It might be possible to figure out some LmCompatibility settings
> change
> > > that makes the problem just go away (eg, forcing NTLM of all versions
> to
> > > disabled on the client).
> > >
> > > Other than that Squid does have some workaround responses it can be
> made
> > > to send back that might help the client reach the right conclusion:
> > >
> > > a) list Basic auth first in the config. Any properly working client
> will
> > > re-sort the auth types by security level and do theKerberos anyway.
> But
> > > the broken ones (particularly IE7 and older) will have more chance of
> > > using Basic.
> > >
> > > b) sending 407 response with no auth headers. Such as a deny 407
> status
> > > generated by external ACL deny, or a URL-redirector. These tell the
> > > client that auth failed, but there is no acceptible fallback.
> > >
> > > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> > > the client prematurely attaching the credentials to the connection and
> > > re-using them. That is supposed to have been fixed recently, but I've
> > > not confirmed.
> > >
> > > d) sending 403 status response. To just flat-out block the client once
> > > it enters the looping state. Hoping that later requests will start to
> > > work again.
> > >
> > >
> > > HTH
> > > Amos
> > >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba




Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread L . P . H . van Belle
Hai, 

> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independently of services installed

That's good, but if you want fallback and want to make NTLM work 
(for only Kerberos it's not needed), 

you want something like: 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
--ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
--domain=NTDOMAIN 

Or

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid/negotiate_kerberos_auth \
 -s HTTP/proxy.domain.tld@REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN


For the --ntlm you MUST install Samba, since it's supplied by Samba. 

And a basic fallback: if the above fails, then this one will give a popup to auth.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
-b "ou=Users,dc=internal,dc=domain,dc=tld" \
-D bind2ad@User_domain -W /etc/squid/private/secretfile \
-f (sAMAccountName=%s) \
-h dc2.internal.domain.tld \
-h dc1.internal.domain.tld 

The above is all tested and running in my production env. 
A few very important pointers: 
1) make sure your proxy has A and PTR records (needed for Kerberos) 
2) make sure you have the HTTP/ SPN for the hostnames of your proxy servers 
3) make sure your time is in sync on all servers and clients. 


In Samba 4 I did it like this. Login with ssh on a DC. 
kinit Administrator 

samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy

# export the keytab. 
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /root/keytabs/proxy1.keytab

Check if your hostname has all the SPNs. 
samba-tool spn list proxy1$ 
proxy1 is the name in smb.conf 
You must have:
 HOST/PROXY1
 HOST/proxy1.internal.domain.tld

And make sure you have: 
/etc/default/squid
KRB5_KTNAME=/etc/squid/proxy1.keytab
export KRB5_KTNAME


Greetz, 

Louis


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Fabio Bucci
> Sent: Tuesday 29 December 2015 16:21
> To: Eliezer Croitoru
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
> 
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independetly services installed
> 
> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru :
> > Hey Fabio,
> >
> > If you do want to use kerberos you do not need to use winbindd there are
> > other options.
> > (I have not tried them both yet)
> >
> > Eliezer
> >
> > On 29/12/2015 16:30, Fabio Bucci wrote:
> >>
> >> Hi Amos,
> >> i'm trying to implement kerberos as you suggested me. But following
> >> the guide i read "Do not use this method if you run winbindd or other
> >> samba services as samba will reset the machine password every x days
> >> and thereby makes the keytab invalid !!" and my system guy told me we
> >> use winbindd method.
> >>
> >> How can i implement so?
> >> Thanks
> >
> >
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] squid3 / debian stable / please update to 3.4.14

2015-12-30 Thread L . P . H . van Belle
Hai, 

You can very easily upgrade to 3.5.12 on Jessie.
Add sid to your sources.list, or better in:
/etc/apt/sources.list.d/debian-sid.list

Only the deb-src line is needed.

Now apt-get update

# install dependencies.
apt-get build-dep squid

# get and build source.
apt-get source squid -b

If you are missing something, get that package first, build it, install it and do
the above again.

!! Things to know when using the higher versions this way.

/etc/squid3
changed to
/etc/squid

All squid3 changed to squid in Debian testing/sid.

And one thing: backup first!

Greetz, 

Louis




> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> massimo.s...@asl.bergamo.it
> Sent: Tuesday 29 December 2015 15:26
> To: lu...@debian.org
> CC: squid-users@lists.squid-cache.org
> Subject: [squid-users] squid3 / debian stable / please update to 3.4.14
> 
> ciao Luigi
> 
> I ask to update the distro to squid 3.4.14, the last stable version,
> released in august.
> 
> Rationale :
> 1) various bugs and memory leaks fixed;
> 2) security fix for CVE-2015-5400;
> 3) support for Alternate-Protocol HTTP header.
> 
> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
> videos.
> 
> References :
> https://packages.debian.org/jessie/squid3
> 
> ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt
> http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol
> 
> 
> Best regards, Massimo
> 



Re: [squid-users] Squid is not worked in OpenVZ VPS.

2015-12-31 Thread L . P . H . van Belle
A simple test, and quick fix. 

ping6 ipv6.google.com
No reply.
Add in your interfaces:

auto 6to4
iface 6to4 inet6 6to4
local YOUR_EXTERNAL_IP

ifup 6to4

and ping6 ipv6.google.com again.
Not the most elegant solution, but it works here for me.


Greetz, 

Louis


> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Eliezer Croitoru
> Sent: Wednesday 30 December 2015 19:39
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid is not worked in OpenVZ VPS.
> 
> On 30/12/2015 19:29, Billy.Zheng (zw963) wrote:
> > I can access `www.google.com' inside my VPS with W3M.
> >
> > But, cannot access www.google.com across my Squid server.
> >
> > I don't know what happens here; those VPS provider guys have worked on this for two days,
> > not resolved.
> 
> Hey Billy,
> 
> From the information page it is clear that your server tries to access
> some IPv6 host and doesn't succeed.
> If you can run a couple of tests, try to contact my web server at:
> http://ngtech.co.il/
> 
> And see if it works.
> Also, does this VPS machine have IPv6 access at all? ping6 .. other tools?
> 
> There is also another option that you can try: add "dns_v4_first on"
> (http://www.squid-cache.org/Doc/config/dns_v4_first/)
> 
> into the squid.conf and only then try to access http://www.google.com/ .
> It will clear many doubts, and very fast.
> 
> Eliezer
> 
> 
> 
> 



Re: [squid-users] squid3 / debian stable / please update to 3.4.14

2015-12-31 Thread L . P . H . van Belle
> you are better off building the more up to date 3.5 version available 
> from Stretch/Testing repository.

I disagree with this one: use sid and not testing; testing has a longer delay
in security updates and is updated after unstable.
See: https://www.debian.org/security/faq


Greetz, 

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 31 December 2015 10:43
> To: massimo.s...@asl.bergamo.it
> CC: lu...@debian.org; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid3 / debian stable / please update to
> 3.4.14
> 
> On 2015-12-30 03:26, massimo.s...@asl.bergamo.it wrote:
> > ciao Luigi
> >
> > I ask to update the distro to squid 3.4.14, the last stable version,
> > released in august.
> >
> > Rationale :
> > 1) various bugs and memory leaks fixed;
> > 2) security fix for CVE 2015 5400;
> > 3) support for Alternate-Protocol HTTP header.
> >
> > I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
> > videos.
> >
> 
> 
> Hi Massimo, why cc'ing squid-users? nothing this list can do about it.
> 
> Anyhow, the Debian 3.4.8-6 package has already been patched to contain
> the important fixes from later upstream 3.4 releases.
>  master.debian.org/changelogs/main/s/squid3/squid3_3.4.8-6+deb8u1_changelog>
> 
> (that covers your #1 and #2 items)
> 
> All it lacks is the minor changes which AFAIK do not meet the criteria
> required for acceptance into the Debian stable distro.
> 
> If you need custom build with other features (such as HTTPS support),
> you are better off building the more up to date 3.5 version available
> from Stretch/Testing repository.
> 
> 
> As for #3, the Alternate-Protocol header patch is just automating these
> squid.conf settings, which you can use explicitly in any Squid version:
> 
>   acl AP rep_header_regex Alternate-Protocol .
>   reply_header_access deny AP
> 
> 
> HTH
> Amos
> 



Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-07 Thread L . P . H . van Belle
Hai,

First, what's your OS/squid and samba version? Handy to know.
And post your smb.conf please.

Few things to check.
/etc/krb5.keytab should have rights 600 (root:root)
Run: klist -e -k /etc/krb5.keytab and post the output.

Your SPN for squid must be HTTP/fqdn
and not http/fqdn. CAPS do matter here.

Put the HTTP/fqdn SPN in a separate file and put it in the squid dir.
Chown and chmod it root:squid-user 440.

Add it in your squid init script (for Debian I added it in /etc/default/squid
(squid for 3.5.12) (squid3 for 3.4.8)):

KRB5_KTNAME=/etc/squid/keytab.PROXY1-HTTP
export KRB5_KTNAME

The squid keytab should be like (manually added on a different user in the AD,
a special user for squid services):

KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)

This is my default (/etc/krb5.keytab) (from the join of samba.)

   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 host/host.internal.domain.tld@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)
   1 host/host@YOUR_REALM (des-cbc-crc)
   1 host/host@YOUR_REALM (des-cbc-md5)
   1 host/host@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (arcfour-hmac)
   1 HOST$@YOUR_REALM (des-cbc-crc)
   1 HOST$@YOUR_REALM (des-cbc-md5)
   1 HOST$@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (arcfour-hmac)

The needed krb5.conf

cat /etc/krb5.conf
[libdefaults]
    default_realm = YOUR_REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Install ntp and point it to your AD so time is always in sync.

Now you have 2 options to set up, and you choose based on your SPN setup.

Separate keytab for the squid HTTP service.
Use:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/host.internal.domain.tld@YOUR_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

Or with everything in one keytab file, and make sure squid can read this keytab
file, 640 root:squid !!:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I have a setup with a separate keytab file; I tested the above and these work.
(tested on Debian Jessie, Samba 4.1, squid 3.4.8, 3.5.10 and 3.5.12.)

Above I told about how I did the setup.
A big advantage with the squid-service user: you can add all your squid
hosts/services in that user.
I have 1 user for this and 3 proxy servers.

So where did you go wrong?
> net ads keytab add HTTP
And rights on the /etc/krb5.keytab file are the first things to check.

Optionally, start the auth program on the command line, with debugging enabled.

Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> LYMN
> Sent: Thursday 7 January 2016 5:23
> To: squid-us...@squid-cache.org
> Subject: [squid-users] kerberos authentication with a machine account
> doesn't work
> 
> 
> Hi,
> 
> We have been using kerberos authentication against Active Directory here
> for a long time by using a SPN attached to a user account and exporting
> the keytab.  The issue we have is that security policy mandates that
> the password on the user account be changed which means we have to go
> and regenerate keytabs every time this happens.  Not exactly difficult
> but tedious nonetheless.
> 
> To avoid the password change I thought it may be an idea to use the
> machine account and add a SPN (http/fqdn.is.here) to that.  I added:
> 
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> 
> to the smb.conf so samba will manage the keytab for me then did:
> 
> net ads join
> net ads keytab add http
> 
> klist -k shows me the principals that should be there and AD agrees they
> exist.  I can get a TGT using:
> 
> kinit -k
> 
> without error (setting the UPN to host/fqdn.is.here@KERBEROS.REALM may
> have helped this).  Doing a
> 
> kinit -kS http/fqdn.is.here
> 
> works without error too.  So, I think kerberos is ok but with a squid
> 3.5.12 configured with negotiate_kerberos_auth I see the dreaded

Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-18 Thread L . P . H . van Belle
Hai,

> I just checked it. It'll work at the moment. But only because the
> dependencies (and the dependency version) doesn't changed from 3.4.8 to 3.5.
> So there's is no guarantee that it will work with further releases.

Yes, and if dependencies change, you can do the same for these packages, and/or you
can change the dependencies in the control file, for example.
That is what I do: if needed, I change the control file, so the fewest packages are
from sid.
And yes, there is always a risk of errors with future releases, but that risk
is always there.

> On the other hand: Installing unstable software is not the way the state
> system works/should work. I talked to the debian guys. That's exactly the
> reason why they don't release squid 3.5 for jessie but writing patches to
> solve critical issues on their own.

I do rebuild from sid, I don't install from sid; that would give a big mess and
we don't want that.
Since the build also uses configure for the packages, I don't see the problem
here, maybe I'm missing something,
but I have been doing this for years now with squid, and never had any problems.

I use squid 3.5.12 rebuilt from sid in Debian Jessie without any problem, and it
works better for me than 3.4.8. (I need the ssl part from 3.5.12+)

The following is needed to get squid 3.5.12 in Jessie with the fewest changes to the
stable packages.
squid
libecap
c-icap

And I really don't know why there isn't any jessie-backports package of this
(yet).. since 3.5.12 has been in testing since 15 Dec 2015.

I could not wait for that, so I changed in debian/rules the following.

Added
    --enable-ssl \
    --with-open-ssl=/etc/ssl/openssl.cnf \
    --enable-linux-netfilter

And changed the changelog.
I changed it to the following to keep track of the Debian packages also.

squid3 (3.5.12-1lvb1-ssl) unstable; urgency=medium

I only added lvb1-ssl so it can use the Debian packages and/or my own packages.

> Then I have to move every software to unstable state (because of the
> security) I can install an unstable debian directly.

Really, NEVER use sid for production; if you want to get into trouble, this is
the way..
Sid can change rapidly and put your server in an unusable state; I learned
the hard way. Years ago.

And for the security, subscribe to the debian and squid list (.. done) and
keep track of messages.

Greetz,

Louis



From: startrekfan [mailto:startrekfa...@freenet.de]
Sent: Monday 18 January 2016 10:25
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

I just checked it. It'll work at the moment. But only because the dependencies
(and the dependency version) doesn't changed from 3.4.8 to 3.5. So there's is
no guarantee that it will work with further releases.

On the other hand: Installing unstable software is not the way the state system
works/should work. I talked to the debian guys. That's exactly the reason why
they don't release squid 3.5 for jessie but writing patches to solve critical
issues on their own.

Then I have to move every software to unstable state (because of the security)
I can install an unstable debian directly.

L.P.H. van Belle wrote on Mon., 18 Jan. 2016 at 09:07:

Really this is an easy thing to do.

Add in your sources.list.d/sid.list the sid repo. (only deb-src)
Run apt-get update.

apt-get source squid
apt-get build-dep squid
Make changes if needed, in debian/rules and debian/changelog IF you changed
something.

Build it
apt-get source squid -b
It errors, that's ok; get the 2 or 3 extra packages the same way; after
installing them you can build squid again.

Put the debs in a repo you can access and you're done.
Did it here, works fine.

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
startrekfan
Sent: Monday 18 January 2016 8:07
To: squid-users@lists.squid-cache.org; squ...@treenet.co.nz
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Just talked to the debian guys. They won't upgrade squid to 3.5 in debian
jessie. It's also hard for me, to implement unstable components in a productive
system.
But the debian guys told me, that they will build own patches for 3.4.8 to fix
critical problems if you report them properly to
https://packages.qa.debian.org/s/squid3.html or
secur...@debian.org

I hope/think you already do. So I think 3.4.8 should work for me as well.

> Hello
> 
> I`m sorry. I'm not a native speaker so I maybe don't find the right words.
> 
> I'd like to setup a proxy that can scan the incoming traffic for virus
> (squidclamav). To do that for a https/ssl connection I need the squid
> ssl-bump feature or is there an other solution?
> 
> Now I want to setup the ssl-bump feature as safe

Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-22 Thread L . P . H . van Belle
Yes, give me a few minutes, I'll send something nice.

Greetz,

Louis


From: startrekfan [mailto:startrekfa...@freenet.de]
Sent: Friday 22 January 2016 15:45
To: squid-users@lists.squid-cache.org; L.P.H. van Belle
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

I tried to compile squid from the sid repo. It fails, but I'm not sure why.

When I only add the deb-src, apt-get build-dep squid3 says libecap3-dev was not
found and fails. (I'm not sure why it's needed. libecap3-dev is not listed in the
dependencies. https://packages.debian.org/sid/squid3)

When I add deb and deb-src, apt-get build-dep squid3 wants to update/install
adwaita-icon that is not compatible with gnome.

So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?

L.P.H. van Belle wrote on Mon., 18 Jan. 2016 at 09:07:

> Really this is an easy thing to do.
> 
> Add in your sources.list.d/sid.list the sid repo. (only deb-src)
> Run apt-get update.
> 
> apt-get source squid
> apt-get build-dep squid
> Make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
> 
> Build it
> apt-get source squid -b
> It errors, that's ok; get the 2 or 3 extra packages the same way; after
> installing them you can build squid again.
> 
> Put the debs in a repo you can access and you're done.
> Did it here, works fine.
> 
> Greetz,
> 
> Louis







[squid-users] simple script to get squid 3.5.12 from Debian sid on Jessie.

2016-01-22 Thread L . P . H . van Belle
No, this is NOT a problem at all.
You need 4 ! files and no other sid depends, just Debian Jessie.
It's a quick write, but should be error free, tested until the squid compile.

I use a separate VM for this and all my created debs are available through
web access, like normal. Below is based on "local install"; if you want to have
it network available, look at /etc/apt/sources.list.d/localrepo.list,
change to the needed hostname for your webserver etc.. not explained here..
but should be easy to do.

Create a file, add the content below (see CODE),
chmod +x and run it. (as root)

In the end you have a compiled squid 3.5.12, ready to install with ssl enabled.
Which is just an apt-get install squid then.
And !! all squid3 is now changed to squid !!

Enjoy, and have a nice weekend,  

Greetz, 

Louis


### CODE, run as root, can be better, but a quicky for you.
#!/bin/bash

SETPATH=$(pwd)
if [ ! -e /etc/apt/sources.list.d/sid.list ]; then
# adding sid repo (deb-src only: we rebuild from sid, we never install binaries from sid)
cat << EOF >> /etc/apt/sources.list.d/sid.list
#
#deb http://ftp.nl.debian.org/debian/ sid main non-free contrib
deb-src http://ftp.nl.debian.org/debian/ sid main non-free contrib
EOF
fi

if [ ! -e /etc/apt/sources.list.d/localrepo.list ]; then
# adding local repo ( webserver based )
cat << EOF >> /etc/apt/sources.list.d/localrepo.list
#
# change if you don't have a webserver.
#deb file:/var/www/mydebs ./
deb http://localhost/mydebs/ ./
EOF
fi

if [ ! -e /var/www/mydebs ]; then
# get dependencies, sources and build sources, set up local apt.
mkdir -p /var/www/mydebs
apt-get install dpkg-dev -y
fi

# build order matters: squid build-depends on libecap, which is built first
for x in c-icap c-icap-modules libecap squid ; do
apt-get build-dep -y "$x"
apt-get source "$x"
if [ "$x" = squid ]; then
# add the ssl and netfilter configure options right after --with-default-user=proxy
sed -i 's/--with-default-user=proxy/--with-default-user=proxy \\/g' squid3-3.5.12/debian/rules
sed -i '/with-default-user=proxy/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --enable-ssl \\' squid3-3.5.12/debian/rules
sed -i '/enable-ssl/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --with-open-ssl=/etc/ssl/openssl.cnf \\' squid3-3.5.12/debian/rules
sed -i '/with-open-ssl/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --enable-linux-netfilter' squid3-3.5.12/debian/rules
fi
apt-get source "$x" -b

# publish the freshly built debs in the local repo so the next package can build-dep on them
cp ./*.deb /var/www/mydebs
cd /var/www/mydebs
dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
cd "$SETPATH"
echo "Running apt-get update, please wait."
apt-get update 2> /dev/null
sleep 1
done

## CODE ENDS.



Re: [squid-users] simple script to get squid 3.5.12 from Debian sid on Jessie.

2016-01-22 Thread L . P . H . van Belle
Reply to myself, check the code on the list.. 


I saw > apt-get source $x -b 

Missed an enter, make sure this line is on a new line. 

Greetz, 





Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-26 Thread L . P . H . van Belle
Hai,

Ok, good it's working now; I was pulling my hair out for you ;-)

This: sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control
is not any problem, because squid is reconfigured and recompiled with G++ 4.9.

If you want a more secure set, you can change this to:
sed -i 's/g++ (>= 4:5.2)/g++ (>= 4:4.9)/g' libecap-1.0.1/debian/control
This way it's "locked" to minimal g++ 4.9.

And I can't think of any other restriction.
Maybe Amos knows, but I don't know that.

Greetz.


From: startrekfan [mailto:startrekfa...@freenet.de]
Sent: Tuesday 26 January 2016 10:14
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Hi,

the script is working and I have a running squid 3.5. Thank you.

But I still think things like this:

echo "change GCC 5.2 to Jessie G++ 4.9 in libecap-1.0.1/debian/control"
sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control

isn't a good practice. I'm pretty sure that the >=5.2 restriction has a purpose
and is not only there to annoy admins.
In this case every thing seems to work. But modifications like this can always
lead to unforeseen situations.

But thank you again. It's working atm :)

L.P.H. van Belle wrote on Mon., 25 Jan. 2016 at 17:14:

Hai,

Ok, I missed a few of the modifications I did; they aren't big changes.
Sorry about that.

This script is tested on a clean Debian Jessie, with only ssh installed.
Have a look at the script.

The files with modifications get the extension custom1 so they won't mix up
or mess up original Debian files.
Like:
libecap3_1.0.1-2-custom1_amd64.deb
libecap3-dev_1.0.1-2-custom1_amd64.deb

Files without modifications keep the original Debian name; when updating to a
newer Debian dist, it's automatically upgraded.

And again this should work fine, I have been doing this already as of Debian squeeze..
And Debian wheezy was running 3.4.8 for me, my jessie now is running 3.5.12.

Greetz,

Louis

From: startrekfan [mailto:startrekfa...@freenet.de]
Sent: Friday 22 January 2016 16:15
To: squid-users@lists.squid-cache.org; L.P.H. van Belle
Subject: Re: [squid-users] How to setup a secure(!) squid proxy

Found the problem:

The dependencies have changed: https://packages.debian.org/sid/squid (not sure
why there is also a https://packages.debian.org/sid/squid3 entry)

That's exactly the problem with unstable sources. squid3 3.5 requires libecap3
instead of libecap2 (squid3 version 3.4). I can't install libecap3 because it
has further dependencies.
I also can't even compile libecap3 without installing n more dependencies.

So I have to use squid 3.4 with the unsafe sha1 furthermore.

startrekfan wrote on Fri., 22 Jan. 2016 at 15:45:
I tried to compile squid from the sid repo. It fails, but I'm not sure why.

When I only add the deb-src, apt-get build-dep squid3 says libecap3-dev was not
found and fails. (I'm not sure why it's needed. libecap3-dev is not listed in the
dependencies. https://packages.debian.org/sid/squid3)

When I add deb and deb-src, apt-get build-dep squid3 wants to update/install
adwaita-icon that is not compatible with gnome.

So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?
L.P.H. van Belle wrote on Mon., 18 Jan. 2016 at 09:07:

> Really this is an easy thing to do.
>
> Add in your sources.list.d/sid.list the sid repo. (only deb-src)
> Run apt-get update.
>
> apt-get source squid
> apt-get build-dep squid
> Make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it
> apt-get source squid -b
> It errors, that's ok; get the 2 or 3 extra packages the same way; after
> installing them you can build squid again.
>
> Put the debs in a repo you can access and you're done.
> Did it here, works fine.
>
> Greetz,
>
> Louis
>







Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-26 Thread L . P . H . van Belle
Thank you Amos,

I made sure everything is rebuilt with G++ 4.9 and no 5.2.
I already took precautions for the upgrades; all my packages have different
names. So I'm safe..

Thanks for clarifying this. 

Greetz, 

Louis


> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 27 January 2016 7:46
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How to setup a secure(!) squid proxy
> 
> On 26/01/2016 11:22 p.m., L.P.H. van Belle wrote:
> > Hai,
> >
> >
> >
> > Ok, good is its working now, i was pulling my hair out for you ;-)
> >
> >
> >
> > This : sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control
> >
> > Is not any problem, because squid is reconfigured and recompiled with
> G++ 4.9.
> >
> >
> >
> > If you want a more secure set, you can change this to :
> >
> > sed -i 's/g++ (>= 4:5.2)/g++ (>= 4:4.9)/g' libecap-1.0.1/debian/control
> >
> > This way its “locked”  to minimal g++ 4.9.
> >
> >
> >
> > And i cant think of any other restriction.
> >
> > Maybe Amos knows, but i dont know that.
> 
> 
> It is to do with the Debian GCC 5 transition. If a binary and library
> are built with different GCC 4.9 and GCC 5 versions there can be some
> very strange behaviours from memory corruption on the stack.
> 
> That condition is there to ensure the new ecap library is only ever
> built with GCC 5, and thus the Squid which depend on it need to be as
> well.
> 
> If you don't need eCAP I recommend removing it entirely from your
> backport build. That will make future upgrades easier.
> 
> If you do need eCAP then you should backport the libecap package to use
> a different package name than the one used by Debian and adjust your
> Squid dependency to that new name. The above stack issues could appear
> if squid auto-upgrades later and the libecap does not.
> 
> Amos
> 



[squid-users] forwarded_for problems log client ip apache 2.4

2016-01-28 Thread L . P . H . van Belle
Hai,

I'm having some trouble getting my client IP (and/or hostname) logged in my
Apache webserver.
I do think this is something in my squid setup, but I can't find it..
So if anyone can help me out a bit, that would be great.

I've tested with the forwarded_for options, tried all options here.
http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html

I'm using Debian Jessie, Apache 2.4 with mod_remoteip
http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader

My settings for remoteip (and yes, the module is enabled)
a2query -m | grep remote
remoteip (enabled by site administrator)

    # for remote proxy setup
    RemoteIPHeader X-Forwarded-For
    # for cluster setup
    #RemoteIPHeader X-Real-IP

    RemoteIPTrustedProxy 127.0.0.1/8
    RemoteIPTrustedProxy 192.168.x.x/24
    RemoteIPTrustedProxy 192.168.x.x/24
    RemoteIPTrustedProxy prxy1.internal.domain.tld
    RemoteIPTrustedProxy prxy2.internal.domain.tld

#original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Any tips on how to debug this? I did find lots of things with google, but none
worked for me.

This is my (sanitized) squid config, default values are not shown.
Any improvement tips are welcome ;-) but my biggest problem now is getting the
IP of the client in my webserver logs.

Greetz,

Louis

# squid 3.5.12 config
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=domain,dc=internal,dc=domain,dc=tld" \
    -D changed_to_protect_mys...@internal.domain.tld -W /etc/squid/private/ldap-bind \
    -f (sAMAccountName=%s) \
    -h dc2.internal.domain.tld \
    -h dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Authorisation
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

# ACCESS CONTROLS
# -
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

## PC Networks
acl localnet src 192.168.XXX.0/24
acl localnet src 10.XXX.0.0/24
acl localnet src 10.XXX.1.0/24
acl localnet src 10.XXX.2.0/24
acl localnet src 10.XXX.3.0/24
acl localnet src 10.XXX.4.0/24

## Per location/function networks
acl localnet-funct1 src 192.168.XXX.0/24
acl localnet-funct2 src 10.XXX.0.0/24
acl localnet-funct3 src 10.XXX.1.0/24
acl localnet-funct4 src 10.XXX.2.0/24
acl localnet-funct5 src 10.XXX.3.0/24
acl localnet-funct6 src 10.XXX.4.0/24
acl localnet-funct7 src 10.XXX.210.0/24
acl localnet-funct8 src 172.20.XXX.0/24

acl localnet-funct1-server-range src 192.168.XXX.XXX-192.168.XXX.XXX
acl localnet-funct1-mailhopper src 192.168.XXX.XXX
acl localnet-funct1-antivirus src 192.168.XXX.XXX
acl localnet-funct1-xen1 src 192.168.XXX.XXX
acl localnet-funct1-gateway src 192.168.XXX.XXX
acl localnet-funct1-mail1 src 192.168.XXX.XXX
acl localnet-funct1-lin-228 src 192.168.XXX.XXX
acl localnet-funct1-lin-009 src 192.168.XXX.XXX
acl localnet-funct1-monitoring src 192.168.XXX.XXX
acl localnet-funct1-lin-003 src 192.168.XXX.XXX

## acl time frames.
acl work-ochtend time MTWHF 08:15-11:59
acl work-pauze time MTWHF 12:00-13:30
acl work-middag time MTWHF 13:31-17:00
acl after-work-hours time MTWHF 17:01-23:59
acl before-work-hours time MTWHF 00:00-08:14

##Block Video Streaming##
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mp2t
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs

acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
# no empty alternative at the end of the group: "|)" would match any path ending in "."
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb|ts)(\?.*)?$

acl whitelistsites url_regex -i "/etc/squid/acl/domain-customer-sites.txt"
acl whitelistsites url_regex -i "/etc/squid/acl/allowed-sites.txt"
ac
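
What mod_remoteip does with RemoteIPHeader and RemoteIPTrustedProxy, and why the trusted-proxy list matters, is easier to see in a few lines of code than in the documentation. The function below is an added example, not code from this thread, from Apache or from Squid: it takes the address of the peer Apache actually talks to (the proxy) and the X-Forwarded-For value, and walks the header from right to left, dropping every hop that is one of our proxies; the first address that is not ours is the client, and anything to the left of it was written by that client and is worthless as evidence. If the peer itself is not a trusted proxy the header is ignored entirely, because an untrusted peer can put anything in it. The trusted ranges (127.0.0.0/8 and 192.168.10.0/24) and the header values are constructed for the example. One caveat from the Apache documentation that the example does not model: RemoteIPTrustedProxy discards private (RFC 1918) addresses found in the header, while RemoteIPInternalProxy keeps them; the code below keeps them, i.e. it behaves like the Internal variant, which is what a proxy in front of private client networks needs.

```shell
#!/bin/sh
# Client address selection from X-Forwarded-For (added example, not from the thread).

# Constructed trusted-proxy list: the ranges the proxies in this example live in.
TRUSTED_PROXIES='127.0.0.0/8 192.168.10.0/24'

# is_ipv4 ADDR : 0 when ADDR is a dotted-quad IPv4 literal
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# ip_in_cidr ADDR NET/BITS : 0 when ADDR lies inside the block
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function to_int(a,  o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        BEGIN {
            split(cidr, c, "/"); bits = (c[2] == "") ? 32 : c[2] + 0
            shift = 2 ^ (32 - bits)          # integer division by this drops the host bits
            exit !(int(to_int(ip) / shift) == int(to_int(c[1]) / shift))
        }'
}

# is_trusted ADDR : 0 when ADDR belongs to one of TRUSTED_PROXIES
is_trusted() {
    is_ipv4 "$1" || return 1
    for net in $TRUSTED_PROXIES; do
        ip_in_cidr "$1" "$net" && return 0
    done
    return 1
}

# client_ip PEER XFF : print the address to log as the client for a request
# that arrived from PEER carrying "X-Forwarded-For: XFF"
client_ip() {
    peer=$1
    xff=$2
    # A peer that is not one of our proxies chose every byte of the header
    # itself, so the header is ignored and the peer is the client.
    if ! is_trusted "$peer"; then
        printf '%s\n' "$peer"
        return 0
    fi
    # Walk the header right to left. Each trusted proxy appended the hop to its
    # left, so keep discarding trusted hops until the first one that is not
    # ours: that is the client. Anything further left came from the client.
    candidate=$peer
    for hop in $(printf '%s' "$xff" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | sed '1!G;h;$!d'); do
        # a non-address entry ends the walk; keep the last verified hop rather than log garbage
        is_ipv4 "$hop" || break
        candidate=$hop
        is_trusted "$hop" || break
    done
    printf '%s\n' "$candidate"
}

# Constructed demo: client 10.20.30.40 sent a forged "X-Forwarded-For: 203.0.113.9",
# proxy 192.168.10.6 appended the client, and proxy 192.168.10.5 (the peer Apache
# sees) appended 192.168.10.6. The address to log is 10.20.30.40.
client_ip 192.168.10.5 '203.0.113.9, 10.20.30.40, 192.168.10.6'
```

Two things follow from the walk: the %a value is only as good as the RemoteIPTrustedProxy list (a range that is too wide lets any host in it forge the logged client), and a request whose immediate peer is not in that list is logged with the peer address, which is exactly what a missing or mismatched proxy entry looks like in the access log.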
