Re: [squid-users] Too many ldap tries
On Friday 25 September 2009 19:02:41, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Hi there, it's me again.
> > Well, as many of you know, I have a squid+ldap+digest_auth implementation. However, I've realized that there is an excess of these logs:
> >
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> > digest_pw_auth(LDAP_backend) WARNING, LDAP error 'No such object'
> >
> > I know that this means that someone is trying to authenticate with a user that does not exist in LDAP. However, there are so many of them that I'm afraid this could slow down internet surfing because squid wastes its time looking for something that does not exist.
> >
> > I don't know which usernames the users try. I just wonder if there is a way to tell squid to ignore usernames that don't exist.
> >
> > Maybe an external ACL with a 2-day cache?
> >
> > LD
>
> Not sure if it will help. You probably want to find out where all these bad requests are coming from and handle the problem. Adding a TTL is just a bandaid.
>
> If you are using the external_acl_type directive as part of your auth you can add some efficiency with the ttl= and negative_ttl= options (the number of seconds to cache the results).
>
> Amos

Thanx Amos
Re: [squid-users] transparent integration with proxy on router
On Mon, 28 Sep 2009 16:21:16 +1300, Todd Nine wrote:
> Hi all,
> I'm using squid on a pfSense router we've built. We have 2 connections, one we pay for usage (DSL) and one we do not (Wireless). We use Amazon S3 extensively at work. We've been attempting to route all traffic over the wireless via an IP range, but as S3 can change IPs, this doesn't work and we end up with a large bill for our DSL. Is it possible to have squid route connections via a specific interface if a hostname such as "amazonaws.com" is in the HTTP request header?
>
> Thanks,
> Todd

Yes you can. Find an IP assigned to the interface you want traffic to go out. Use the tcp_outgoing_addr directive and ACLs that match the requests to make sure all the requests to that domain are assigned that outgoing address. Then make sure the OS sends traffic from that IP out the right interface.

Amos
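An added example, not part of Amos's reply, showing the two halves he describes: the squid.conf fragment and the OS routing step. Assumed values (not from the thread): the wireless interface is wlan0 with address 192.0.2.10 and gateway 192.0.2.1, and the DSL link stays the default route.

```shell
# Added example (not from the thread). Assumptions: wireless interface wlan0
# carries 192.0.2.10 with gateway 192.0.2.1; the DSL link is the default route.

# squid.conf fragment: dstdomain matches the destination host of the request
# (the hostname Todd asks about), so it keeps working when S3 changes its IPs.
# The leading dot also matches subdomains such as s3.amazonaws.com.
s3_squid_conf() {
    cat <<'EOF'
acl s3_hosts dstdomain .amazonaws.com
tcp_outgoing_addr 192.0.2.10 s3_hosts
EOF
}

# OS half, as Linux policy routing (iproute2): packets sourced from 192.0.2.10
# leave via wlan0 instead of following the default DSL route. pfSense runs pf
# on FreeBSD and needs the equivalent pf rule instead, so this part is
# illustrative only.
wireless_routing_cmds() {
    cat <<'EOF'
ip route add default via 192.0.2.1 dev wlan0 table 100
ip rule add from 192.0.2.10 table 100
EOF
}

# Print both pieces when run stand-alone.
s3_squid_conf
wireless_routing_cmds
```

Requests that do not match s3_hosts keep Squid's default outgoing address, so only the S3 traffic moves to the wireless link; confirm by watching wlan0 while fetching from an amazonaws.com host.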
[squid-users] transparent integration with proxy on router
Hi all,

I'm using squid on a pfSense router we've built. We have 2 connections, one we pay for usage (DSL) and one we do not (Wireless). We use Amazon S3 extensively at work. We've been attempting to route all traffic over the wireless via an IP range, but as S3 can change IPs, this doesn't work and we end up with a large bill for our DSL. Is it possible to have squid route connections via a specific interface if a hostname such as "amazonaws.com" is in the HTTP request header?

Thanks,
Todd
[squid-users] Re: Re: Re: Re: squid_kerb_auth.... Key Version number?
Andrew,

I added more details to the wiki for cases where Samba is used too. I hope this helps.

Regards
Markus

"Mrvka Andreas" wrote in message news:200909250845.48301@tuv.at...

Agreed. So if I read your mail correctly you want to say:
- net ads join uses _computer-name_ to identify the authentication scheme
- msktutil (kerberos) only looks at the _service_ (http, cifs, ...)

The HowTo should look like:
1. use net ads join to talk via computer-name with AD
2. use msktutil _with a non-existent computer-name_ so that the associated HOST/ cannot correlate with net ads join

Only the servicePrincipal HTTP/ is important for squid/kerberos.

Have I understood you the right way? And will it work to use a non-existent hostname, or will msktutil fail? :-)

The best way would be: the client sends an NTLM token and squid_kerb_auth does the rest. :-)

Thanks for the support. I can imagine lots of other squid-users use net ads join and want to implement kerberos too.

Regards
Andrew

On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:

"Henrik Nordstrom" wrote in message news:1253822657.5592.1.ca...@localhost.localdomain...
> On Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
>> You are right - I have to use NTLM too because there are many IE 6 around.
>> But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind)
>> How should I configure a browser setting then? I want to set only one proxy server.
>
> Hmm.. I then suspect the HTTP ticket will get mismatched again in some time when the computer account is renewed by Samba.

I think so too. Let me try to explain. Each entry in AD has a key associated with it. For a user account the key is based on the user password and for a computer it is based on a random password. As you may have seen, each entry in AD also has a servicePrincipalName attribute. This attribute is used to associate a Kerberos principal with a key.

You will see a computer account usually has a HOST/ host/fqdn servicePrincipalName, and HTTP/fqdn if IIS is installed and cifs/fqdn for fileshares. net ads join creates an entry in AD with a random password with CN=hostname. If you use msktutil with --computer-name hostname the same AD entry will be used, and since both commands set a random password you will get conflicts. For Kerberos the computer name doesn't matter (only the servicePrincipalName attribute is important), which is why you should use msktutil with any other computer name (e.g. -http) to avoid the conflict. Additionally msktutil sets the userPrincipalName when you use --upn. The userPrincipalName is used to authenticate a principal (user or other, e.g. HTTP/) via kinit. So if you use msktutil as described, kinit -kt HTTP/ will authenticate HTTP/ with the key (= encrypted random password) stored in the keytab.

> If that's the case then I also guess you should be able to automatically renew the HTTP ticket using the Samba keytab however. But Kerberos is not my main field of expertise..
>
> Regards
> Henrik

Regards
Markus
Re: [squid-users] POST NONE://
Hi Amos,

Thanks for your reply.

You mean the length is less than what is required? When I pass the SOAP message below I get the error, but when it is passed directly to the JBoss application server the request is served correctly. What is wrong: the header settings in the SOAP message, or do I need to make some config changes in the squid.conf file?

=== SOAP MESSAGE ==
http://schemas.xmlsoap.org/soap/envelope/"; xmlns:env="http://schemas.xmlsoap.org/soap/envelop/"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema";> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>WSUSERpass43http://www.opentravel.org/OTA/2003/05"; EchoToken="WWW0909271406222" PrimaryLangID="en-us" SequenceNmbr="1" TimeStamp="2009-09-27T02:06:22" TransactionIdentifier="">2009-10-30T00:00:00http://www.isaaviation.com/thinair/webservices/OTA/Extensions/2003/05";>truetruetruetrue

//Remy

Amos Jeffries wrote:
> Mario Remy Almeida wrote:
>> Hi All,
>>
>> I would like to know what the reason is that I get NONE:// in the access.log file as below
>>
>> 1254046127.530 0 195.229.115.202 TCP_DENIED/411 1757 POST NONE:// - NONE/- text/html
>>
>> My squid proxy acts like a reverse proxy.
>>
>> A valid request is sent from the above IP
>
> 411 status code is failure to pass a basic validity test.
> This one was a test for Content-Length: header on POST requests.
>
>> Could someone help me in solving the problem.
>>
>> My setup
>>
>> Request from Internet -> Squid Reverse proxy(A) -> Squid reverse proxy(B) -> Jboss Applications Server.
>
> The NONE:// means no, the request did not complete; it did not even get far enough to determine if it was a HIT or MISS on the URL.
> This is due to the required header making Squid abort its processing immediately.
>
> Amos

--
Disclaimer and Confidentiality
This material has been checked for computer viruses and although none has been found, we cannot guarantee that it is completely free from such problems and do not accept any liability for loss or damage which may be caused. Please therefore check any attachments for viruses before using them on your own equipment. If you do find a computer virus please inform us immediately so that we may take appropriate action. This communication is intended solely for the addressee and is confidential. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. The views expressed in this message are those of the individual sender, and may not necessarily be that of ISA.
Re: [squid-users] POST NONE://
Mario Remy Almeida wrote:
> Hi Amos,
>
> Thanks for your reply.
>
> You mean the length is less than what is required?

No, there is an HTTP header "Content-Length:" which is missing from the POST request.

> When I pass the SOAP message below I get the error, but when it is passed directly to the JBoss application server the request is served correctly. What is wrong: the header settings in the SOAP message, or do I need to make some config changes in the squid.conf file?

The SOAP message below looks like data inside the body. The missing bit is in the wrapping HTTP headers. They are generated by the client software.

Amos

--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
Re: [squid-users] XML files Squid2.6
vikas rawat wrote:
> thanks for support.
> well... in access.log entries are :
> TCP_DENIED/407 1926 http://devel.springer.de/A++/V2.4/DTD/A++V2.4JobSheetV2.4.1.dtd - NONE/- text/html

DENIED/407 is requesting for authentication. You should see some MISS or HIT, 200 or 30x (like 304) after that, which would be the file being downloaded in a correctly authenticated request.

If you don't see the 200/30x, then your client isn't correctly authenticating the request, which makes squid not allow that (which is probably correct by your ACLs).

Maybe you need a bypass ACL (some url_regex with an http_access allow rule) for allowing that without requesting authentication credentials???

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it: gertru...@solutti.com.br
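Both Leonardo's advice here (look for a 200/30x after the 407) and Amos's advice in the LDAP thread above (find out where the bad requests come from) start from the same question: which clients keep getting TCP_DENIED. This added example, not from either poster, is an awk one-liner over Squid's native access.log format, run here on a constructed sample log.

```shell
# Added example (not from the thread): which clients keep producing
# TCP_DENIED entries. denied_by_client reads native-format access.log lines
# on stdin and prints "count client status", most frequent first.
# Native log fields: time elapsed client code/status bytes method URL user hierarchy/peer type
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { split($4, cs, "/"); n[$3 " " cs[2]]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log modelled on the lines quoted in these threads:
# one 411 from a POST without Content-Length, a client that answers every
# 407 with another unauthenticated request, and one that succeeds on retry.
sample_access_log() {
    cat <<'EOF'
1254046127.530 0 195.229.115.202 TCP_DENIED/411 1757 POST NONE:// - NONE/- text/html
1254046130.101 2 10.0.0.15 TCP_DENIED/407 1926 GET http://devel.springer.de/A++/V2.4/DTD/A++V2.4JobSheetV2.4.1.dtd - NONE/- text/html
1254046130.290 1 10.0.0.15 TCP_DENIED/407 1926 GET http://devel.springer.de/A++/V2.4/DTD/A++V2.4JobSheetV2.4.1.dtd - NONE/- text/html
1254046131.004 15 10.0.0.15 TCP_DENIED/407 1926 GET http://devel.springer.de/A++/V2.4/DTD/A++V2.4JobSheetV2.4.1.dtd - NONE/- text/html
1254046135.770 0 10.0.0.77 TCP_DENIED/407 1926 GET http://example.test/ - NONE/- text/html
1254046135.990 18 10.0.0.77 TCP_MISS/200 4820 GET http://example.test/ bob DIRECT/198.51.100.7 text/html
EOF
}

# Stand-alone run: 10.0.0.15 shows three 407s and no 200, the pattern
# Leonardo describes; 10.0.0.77 shows the normal challenge-then-success.
sample_access_log | denied_by_client
```

On a live proxy run it as `denied_by_client < /var/log/squid/access.log`; a single 407 per client is the normal challenge, a client with many 407s and no following 200/30x is one to look at.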
[squid-users] Exchange.ASMX errors
I am using squid as a reverse proxy and I am getting the following in my logs:

store.log.6:1253495009.640 RELEASE -1 E7E0AF4D003D42533E0E91F0728B28CE 401 1253495015-1-1 unknown 0/0 POST https://webmail.x.com/EWS/Exchange.asmx
2009/09/20 22:34:00| ctx: exit level 0
2009/09/20 22:34:00| statusIfComplete: Request not yet fully sent "POST https://webmail.x.com/EWS/Exchange.asmx"
2009/09/20 22:34:00| ctx: enter level 0: 'https://webmail.xx.com/exchange/cm/Inbox'
2009/09/20 22:34:00| http.cc(573) HttpStateData::cacheableReply: unexpected http status code 207

I am using a Mac mail client to connect to Exchange (which seems to work once I VPN in).

squid.conf:

cache_mem 8 MB
cache_dir ufs /var/squid 2000 16 256
https_port 443 key=/etc/squid3/key2.crt cert=/etc/squid3/ssl2.key accel vhost

#OWA group
# note: sslflags=DONT_VERIFY_PEER skips validation of the origin server's certificate
cache_peer 192.168.50.25 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=webmail.xx.com
acl OWA dstdomain webmail.xx.com
cache_peer_access webmail.xx.com allow OWA
never_direct allow OWA
http_access allow OWA

# lock down access to only query the OWA server!
#http_access allow OWA
#http_access deny all
#miss_access allow OWA
#miss_access deny all
#
#EV group
cache_peer 192.168.6.128 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=ev.x.com
acl EV dstdomain ev.xxx.com
cache_peer_access ev..com allow EV
http_access allow EV
http_access deny all
#miss_access allow OWA
#miss_access deny all

maximum_object_size 0 KB
minimum_object_size 0 KB
# WebDAV/Exchange methods that Squid 2.x must be told about explicitly
extension_methods SEARCH SUBSCRIBE PROPFIND PROPPATCH MKCOL RPC_IN_DATA RPC_OUT_DATA X-MS-ENUMATTS MOVE BMOVE DELETE BDELETE BPROPFIND BPROPPATCH REPORT POST
#debug_options ALL,5
Re: [squid-users] POST NONE://
Mario Remy Almeida wrote:
> Hi All,
>
> I would like to know what the reason is that I get NONE:// in the access.log file as below
>
> 1254046127.530 0 195.229.115.202 TCP_DENIED/411 1757 POST NONE:// - NONE/- text/html
>
> My squid proxy acts like a reverse proxy.
>
> A valid request is sent from the above IP

411 status code is failure to pass a basic validity test.
This one was a test for Content-Length: header on POST requests.

> Could someone help me in solving the problem.
>
> My setup
>
> Request from Internet -> Squid Reverse proxy(A) -> Squid reverse proxy(B) -> Jboss Applications Server.

The NONE:// means no, the request did not complete; it did not even get far enough to determine if it was a HIT or MISS on the URL.
This is due to the required header making Squid abort its processing immediately.

Amos
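An added example, not Squid's code and not from Amos, that reproduces the validity test he describes here and in his follow-up above (the missing "Content-Length:" header on a POST): a small awk check over an HTTP request head, run on two constructed SOAP-style POST heads, one with and one without the header. Host name, path and length value are made up.

```shell
# Added example (not Squid's own code). check_request_head reads an HTTP
# request head from stdin and prints the status Squid answers before any
# other processing: 411 for a POST with no Content-Length, 200 otherwise.
check_request_head() {
    tr -d '\r' | awk '
        NR == 1 { method = $1 }                                # METHOD URL VERSION
        tolower($0) ~ /^content-length:[ \t]*[0-9]+[ \t]*$/ { has_len = 1 }
        /^$/ { exit }                                          # blank line ends the head
        END {
            status = (method == "POST" && !has_len) ? 411 : 200
            print status
        }
    '
}

# Constructed request heads shaped like a SOAP client's POST to the reverse
# proxy. The SOAP envelope in the body is irrelevant: Squid decides on the
# headers alone, which is why fixing the SOAP message cannot help.
post_with_length() {
    printf 'POST /OTA/ping HTTP/1.1\r\nHost: proxy.example.test\r\nContent-Type: text/xml; charset=utf-8\r\nSOAPAction: ""\r\nContent-Length: 312\r\n\r\n'
}
post_without_length() {   # the request that logs TCP_DENIED/411 ... POST NONE://
    printf 'POST /OTA/ping HTTP/1.1\r\nHost: proxy.example.test\r\nContent-Type: text/xml; charset=utf-8\r\nSOAPAction: ""\r\n\r\n'
}

echo "with Content-Length:    $(post_with_length | check_request_head)"
echo "without Content-Length: $(post_without_length | check_request_head)"
```

To see what the client really sends, capture the request head between the client and Squid (A); the header has to come from the client library, not from squid.conf.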
RE: [squid-users] Squid 3.1, Tproxy 4.1, WCCP, cache_peer sibling
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
>
> This is the first I've heard of the problem. Thank you for pointing it out along with the fix.
> http://www.squid-cache.org/Versions/v3/HEAD/changesets/squid-3-10004.patch

Thanks Amos, I've patched our servers and they are working well.

Michael.
[squid-users] POST NONE://
Hi All,

I would like to know what the reason is that I get NONE:// in the access.log file as below

1254046127.530 0 195.229.115.202 TCP_DENIED/411 1757 POST NONE:// - NONE/- text/html

My squid proxy acts like a reverse proxy.

A valid request is sent from the above IP

Could someone help me in solving the problem.

My setup

Request from Internet -> Squid Reverse proxy(A) -> Squid reverse proxy(B) -> Jboss Applications Server.