Re: [squid-users] Can't figure out this one - need a pointer
Kurt Buff wrote:
> On Fri, Aug 27, 2010 at 20:04, Amos Jeffries squ...@treenet.co.nz wrote:
>> Kurt Buff wrote:
>>> snip
>
> Dang - completely missed the NTLM. That's just sick and wrong. I'm going to have to do some hard thinking about what I want to do about this.
>
> If I proceed with persistent connections, I'm guessing that I need to use pconn_timeout to control them? If so, what might be a reasonable threshold to set? Will I also have to use persistent_request_timeout, and with a similar period specified?

They are self-regulating most of the time. They are one of the cornerstones of HTTP/1.1 performance gains so nothing to be worried about. Squid has a preference for closing them early rather than leaving them open if anything unusual happens.

If you must reduce their lifetimes the pconn_timeout can shrink their idle times down.

I forgot to mention pinning as a requirement earlier. That means 2.6, 2.7 or 3.1 are the only versions that will pass-thru NTLM.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1

Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...
Tom,

Just to say what I think (since you have almost the same setup as me I think): you will always get that 407 at the moment. Squid requires an authenticated user before allowing the page but you can't authenticate every method (at least that is what I have found) in my setup. Regardless of whether it is ntlm or Kerberos etc.

Your rule about connect I think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS because you're just disallowing the CONNECT method (not the same as the GET method) using non-ssl ports otherwise. There's nothing talking about allowing it.

I think that's right

Nick

On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:
> Hi Amos
>
> Thanks a lot for this information. Is it usual/normal, that all https-requests have this error?
>
> 1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
>
> As I already mentioned: The sites which are denied in the access.log are normally accessible and appear correctly (this is what I don't understand... mmmh). I think that I don't have rules which explicitly require another authentication instead of kerberos.
>
> Here is an extract of my squid.conf. The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> # Block invalid Users
> http_access deny !INTERNET_ACCESS
> http_access allow INTERNET_ACCESS
> http_access deny all
>
> When I trace the http/https-traffic with httpfox (firefox-addon), then I also get no errors or denies back.
>
> Thanks a lot for all helps.
> Tom
>
> 2010/8/27 Amos Jeffries squ...@treenet.co.nz:
>> Tom Tux wrote:
>>> Hi
>>>
>>> For every HTTPS-Site I have the following tcp_denied/407-entry in the access.log:
>>>
>>> 282895826.492 1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
>>> 1282896033.320 1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
>>>
>>> The sites which are denied in the access.log are accessible though, but I have these errors.
>>> For me it seems that squid needs a user authentication. But this should be given with kerberos-authentication, which works fine. I have the following directives configured (as default):
>>>
>>> acl SSL_ports port 443
>>> acl CONNECT method CONNECT
>>> http_access deny CONNECT !SSL_ports
>>>
>>> Can someone explain me this behaviour?
>>
>> CONNECT requests to SSL ports (aka HTTPS) will get past that security barrier and move on to checking your other rules. One of those other rules involves proxy authentication.
>>
>> All requests which require authentication but do not provide it get a 407 or 401 response challenging the browser to provide some credentials. This is true for all authentication types. Working browsers with access to the required credentials will send them on a followup request and get past that challenge.
>>
>> Amos

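An added example, not from the thread and not Squid's own code: a small model of Squid's first-match walk through http_access, using the rule and ACL names from Tom's squid.conf. It shows why an unauthenticated CONNECT to port 443 is logged as TCP_DENIED/407 (a challenge, not a refusal), why the retry carrying credentials is allowed, and why a CONNECT to a non-SSL port is refused before any challenge. The request dicts and the 403/200 log codes are constructed for illustration.

```python
# Toy model of Squid's first-match evaluation of http_access (added example,
# not Squid source). Rule set and ACL names come from Tom's post; requests
# and port lists are constructed.

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}   # Squid's default list
SSL_PORTS = {443}
AUTH_ACLS = {"INTERNET_ACCESS"}   # external_acl via squid_kerb_ldap: needs a login

# Tom's rules, in order. Squid stops at the first rule whose ACLs all match.
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["!INTERNET_ACCESS"]),   # "Block invalid Users"
    ("allow", ["INTERNET_ACCESS"]),
    ("deny",  ["all"]),
]


def match_acl(name, req):
    """True/False for an ordinary ACL; 'auth' when the ACL needs credentials
    the request did not carry, which makes Squid challenge instead of decide."""
    if name == "all":
        return True
    if name == "Safe_ports":
        return req["port"] in SAFE_PORTS or 1025 <= req["port"] <= 65535
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name in AUTH_ACLS:
        if req.get("user") is None:
            return "auth"                       # no Proxy-Authorization yet
        return bool(req.get("authorized"))      # helper said OK / ERR
    raise ValueError(f"unknown ACL {name}")


def http_access(req):
    """Return 'allow', 'deny' (a 403) or 'challenge' (the 407 in access.log)."""
    for action, acls in RULES:
        for acl in acls:
            negated = acl.startswith("!")
            res = match_acl(acl.lstrip("!"), req)
            if res == "auth":
                return "challenge"          # must see credentials before deciding
            if res == negated:              # plain ACL false, or negated ACL true
                break                       # rule does not match; try the next one
        else:
            return action
    return "deny"                           # implicit default after the last rule


def log_line(req):
    """Render the outcome the way access.log would, minus timestamp and sizes."""
    status = {"allow": "TCP_MISS/200", "deny": "TCP_DENIED/403",
              "challenge": "TCP_DENIED/407"}[http_access(req)]
    return f"{status} {req['method']} {req['host']}:{req['port']} {req.get('user') or '-'}"


if __name__ == "__main__":
    first = {"method": "CONNECT", "host": "mail.google.com", "port": 443}
    print(log_line(first))                                     # the 407 Tom sees
    print(log_line(dict(first, user="tom@EXAMPLE.COM", authorized=True)))
    print(log_line({"method": "CONNECT", "host": "example.com", "port": 80}))
```

The 407 line carries "-" as the user because the browser has not yet sent credentials; the follow-up request that does is the one that actually reaches the origin.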
Re: [squid-users] is squid 3.1.x is multiple chained ICAP server compliance ?
On 28/08/2010 05:34, Amos Jeffries wrote:
> adaptation_access AV_scan deny MULTIMEDIA
> adaptation_access AV_scan allow all

Amos, you are the king of squid specialists !!! It's working like a charm !

SquidGuard is supported by C-ICAP so you can provide URL filtering using the ICAP protocol, which gives better performance.

Here is my final configuration for the other guys asking about using multiple ICAP servers in chain mode. Amos, if you find some tips to tweak this config, let me know...

acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$

# - ICAP Services (2 service(s))
# - icap_service C-ICAP mode 3.1.x
# - icap_service C-ICAP + SquidGuard
icap_service service_url_check reqmod_precache routing=on bypass=on icap://127.0.0.1:1345/url_check
icap_service service_antivir respmod_precache routing=on bypass=on icap://127.0.0.1:1345/srv_clamav
# - icap_service KASPERSKY mode 3.1.1
icap_service is_kav_resp respmod_precache routing=on bypass=on icap://127.0.0.1:1344/av/respmod
icap_service is_kav_req reqmod_precache routing=on bypass=on icap://127.0.0.1:1344/av/reqmod
# - adaptation chain services.
adaptation_service_chain ANTIVIRUS_CHAINS service_antivir is_kav_resp
adaptation_access ANTIVIRUS_CHAINS deny MULTIMEDIA
adaptation_access ANTIVIRUS_CHAINS allow all
adaptation_service_chain REQ_CHAINS service_url_check is_kav_req
adaptation_access REQ_CHAINS allow all
icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on

[squid-users] squid as a reverse proxy and exchange 2007- Mandating access with the certificate
Hi,

I'm using squid as a reverse proxy to allow the users to connect to exchange 2007 from the outside. All is ok (OWA and RPC over https) but I would like to know if we can secure the connections with a certificate. I would like that the users must inevitably have the certificate to connect to the Outlook web access. For the moment if I don't have the certificate I get a warning from the internet browser (because it's a self signed certificate) but I can continue and finally reach the owa interface...

With apache I can use SSLVerifyClient but I don't know if it's possible with squid as a reverse proxy. Otherwise I can enable the option client certificate require in the ssl settings for the folder owa in IIS 7 but I would like to connect to outlook web access from the internal network without certificate.

Below my squid configuration:

visible_hostname hostname
debug_options ALL,1
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 cert=/path/certif.crt key=/path/certif.key cafile=/path/ca.crt \
    defaultsite=hostname
cache_peer exchange_internal_ip parent 443 0 no-query proxy-only originserver \
    login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=exchange_hostname
acl all src 0.0.0.0/0.0.0.0
acl owa dstdomain hostname
cache_peer_access exchange_hostname allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all
access_log /var/log/squid3/access.log squid

Sorry for my english..

Thanks in advance.
Regards.

[squid-users] performance question, 1 or 2 NIC's?
This is a general Squid question. If you have experience with medium sized networks (300+ users) and Squid, this question is for you.

I'm setting up a transparent Squid box for 300 users. All requests from the router are sent to the Squid box. Squid box has one NIC, eth0. This box receives requests (from clients) and fetches content from the web using this one NIC on its one WAN port, eth0.

Question: would it improve performance of the Squid box if I was receiving requests (from the clients) on eth0 and caching content on eth1? In other words, is there a benefit of using two NIC's vs. one? This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN (public IP) address.

Current (working) setup:

  Clients - Router - (eth0/WAN1) Squid - (eth0/WAN1) www

Would this be (performance wise) better?

  Clients - Router - (eth0/WAN1) Squid (eth1/WAN2) - www

I'm on a 12Mb line.

[squid-users] squid no longer aborts bad request?
In 2.6.STABLE21, squid immediately responds with 400 when I enter 'a'; while in 3.1.6 the connection expects more characters, although it will definitely not get a good request.

[r...@squid1 root]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
a
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE21
...
Some aspect of the HTTP Request is invalid. Possible problems:
  Missing or unknown request method
  Missing URL
  Missing HTTP Identifier (HTTP/1.0)
  Request is too large
(more...)
...

[r...@dev ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
a
b
(can type in anything, and Ctrl-C will not abort the connection. It just hangs there)

Is there a configuration directive that controls it?

Thanks,
kc

Re: [squid-users] performance question, 1 or 2 NIC's?
On 28/08/2010 12:29, Andrei wrote:
> I'm setting up a transparent Squid box for 300 users. All requests from the router are sent to the Squid box. Squid box has one NIC, eth0. This box receives requests (from clients) and fetches content from the web using this one NIC on its one WAN port, eth0.
>
> Question: would it improve performance of the Squid box if I was receiving requests (from the clients) on eth0 and caching content on eth1? In other words, is there a benefit of using two NIC's vs. one? This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN (public IP) address.
>
> I'm on a 12Mb line.

Your limitation is your 12Mb line; any decent hardware can handle that with no problem at all. ANY 100Mbit NIC, even onboard and cheaper/generic ones, can handle 12Mbit with no problem at all.

I really don't think adding another NIC will improve your performance, given your 12Mbit WAN limitation.

-- 
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
gertru...@solutti.com.br
My SPAMTRAP, do not email it

Re: [squid-users] squid as a reverse proxy and exchange 2007- Mandating access with the certificate
Erwan Le Du wrote:
> Hi,
>
> I'm using squid as a reverse proxy to allow the users to connect to exchange 2007 from the outside. All is ok (OWA and RPC over https) but I would like to know if we can secure the connections with a certificate. I would like that the users must inevitably have the certificate to connect to the Outlook web access. For the moment if I don't have the certificate I get a warning from the internet browser (because it's a self signed certificate) but I can continue and finally reach the owa interface...
>
> With apache I can use SSLVerifyClient but I don't know if it's possible with squid as a reverse proxy. Otherwise I can enable the option client certificate require in the ssl settings for the folder owa in IIS 7 but I would like to connect to outlook web access from the internal network without certificate.

Sure you can. These three things can be done to strengthen the certificate security chain:

* Remove the sslflags=DONT_VERIFY_PEER and Squid will check that the certificate provided by OWA is valid and trustworthy, rejecting connections to the peer if not.

* Setting a client certificate which OWA trusts into the squid cache_peer line will strengthen the link between Squid and OWA and permit OWA to check that it is Squid doing the contact. (NP: says nothing about clients using Squid though, only the particular Squid-OWA link)

* Having the certificate presented by https_port signed properly by a CA which the clients trust will resolve that self-signed warning.

OR

* Having the certificate presented by https_port signed properly by a CA which the clients trust will resolve that self-signed warning.

* Specifying the clientca= option on https_port can set the list of trusted CAs used to verify the visiting clients' certificate.

Amos

Re: [squid-users] performance question, 1 or 2 NIC's?
Leonardo Rodrigues wrote:
> On 28/08/2010 12:29, Andrei wrote:
>> I'm setting up a transparent Squid box for 300 users. All requests from the router are sent to the Squid box. Squid box has one NIC, eth0. This box receives requests (from clients) and fetches content from the web using this one NIC on its one WAN port, eth0.
>>
>> Question: would it improve performance of the Squid box if I was receiving requests (from the clients) on eth0 and caching content on eth1? In other words, is there a benefit of using two NIC's vs. one? This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN (public IP) address.
>>
>> I'm on a 12Mb line.
>
> Your limitation is your 12Mb line; any decent hardware can handle that with no problem at all. ANY 100Mbit NIC, even onboard and cheaper/generic ones, can handle 12Mbit with no problem at all.
>
> I really don't think adding another NIC will improve your performance, given your 12Mbit WAN limitation.

Indeed.

Whether anything can be done by Squid depends on whether the clients using Squid are on the outside of that 12Mb line or on some faster connection between them and Squid.

For a faster internal connection and slower Internet connection you can look towards raising the Hit Ratio, probably the byte hits specifically. That will drop the load on the Internet line and make the whole network appear faster to users. The holy grail for forward proxies seems to be 50%, with reality coming in between 20% and 45% depending on your clients and storage space.

Amos

Re: [squid-users] squid no longer aborts bad request?
Kaiwang Chen wrote:
> In 2.6.STABLE21, squid immediately responds with 400 when I enter 'a'; while in 3.1.6 the connection expects more characters, although it will definitely not get a good request.
>
> [r...@squid1 root]# telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> a
> HTTP/1.0 400 Bad Request
> Server: squid/2.6.STABLE21
> ...
> Some aspect of the HTTP Request is invalid. Possible problems:
>   Missing or unknown request method
>   Missing URL
>   Missing HTTP Identifier (HTTP/1.0)
>   Request is too large
> (more...)
> ...
>
> [r...@dev ~]# telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> a
> b
> (can type in anything, and Ctrl-C will not abort the connection. It just hangs there)

Ctrl-C will not terminate telnet (Ctrl-] is needed for that) but yes I see the problem.

> Is there a configuration directive that controls it?

No, just some sanity checks.

Looks like you have hit a bug in the HTTP/1.1 persistent connections when dealing with HTTP/0.9 ambiguous traffic. I've reproduced that in the latest code and am working on it now, but could you please report it in bugzilla anyway so it doesn't get lost.

Amos

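An added example, not from the thread and not Squid's parser: a request-line parser that keeps "need more bytes" separate from "can never become valid", which is the distinction behind the 2.6 behaviour above (a bare "a" followed by Enter is answered with 400 at once) and the 3.1.6 session that just waits. The returned reasons reuse the wording of the 2.6 error page; the inclusive byte offsets imitate the style of Squid's "Parser: ... method a-b; url c-d; version e-f" debug line. The size cap and sample buffers are constructed.

```python
# Request-line parser distinguishing incomplete from invalid input
# (added example, not Squid source). Offsets are inclusive byte indexes
# in the style of Squid's "Parser:" debug line.
import re

HTTP09_METHODS = {b"GET"}   # an HTTP/0.9 Simple-Request is "GET <uri> CRLF", nothing else
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar
VERSION = re.compile(r"^HTTP/\d\.\d$")
MAX_LINE = 64 * 1024        # constructed cap, in the spirit of request_header_max_size


def parse_request_line(buf: bytes):
    """Classify the bytes received so far on a fresh connection.

    Returns ('incomplete', None) while no line terminator has arrived,
    ('bad', reason) when the line is complete but can never be a valid
    request, or ('ok', offsets) with (start, end) per element.
    """
    buf = buf.lstrip(b"\r\n")            # tolerate leading empty lines (RFC 7230 3.5)
    nl = buf.find(b"\n")
    if nl == -1:
        if len(buf) > MAX_LINE:          # no terminator and already too big: give up
            return "bad", "Request is too large"
        return "incomplete", None        # legitimately still arriving; keep reading
    line = buf[:nl].rstrip(b"\r")
    parts = line.split()
    if not parts or not TOKEN.match(parts[0].decode("latin-1")):
        return "bad", "Missing or unknown request method"
    if len(parts) == 1:
        return "bad", "Missing URL"      # what 2.6 answers to a bare "a"
    if len(parts) == 2:
        # No version field: only a 0.9 GET is legal in that shape.
        if parts[0] not in HTTP09_METHODS:
            return "bad", "Missing HTTP Identifier (HTTP/1.0)"
    elif len(parts) != 3 or not VERSION.match(parts[2].decode("latin-1")):
        return "bad", "Missing HTTP Identifier (HTTP/1.0)"
    offsets, pos = {}, 0
    for name, part in zip(("method", "url", "version"), parts):
        start = line.index(part, pos)
        offsets[name] = (start, start + len(part) - 1)
        pos = start + len(part)
    return "ok", offsets


if __name__ == "__main__":
    for sample in (b"a", b"a\r\n", b"a\r\nb\r\n", b"GET /\r\n",
                   b"GET http://www.squid-cache.org/ HTTP/1.1\r\n"):
        print(sample, "->", parse_request_line(sample))
```

A parser that answers "bad" as soon as the first line is complete lets the proxy close the connection and free the slot instead of holding it open until request_timeout fires.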
Re: [squid-users] performance question, 1 or 2 NIC's?
Ooo... the line between Squid and the clients is 1000 MB. My internet connection is 12MB. Not sure if that changes things. Does it? Would it make a difference in that situation if clients (from 1000Mb) come in on one line, eth0, and get cached on eth1 which is only 12MB. Sorry if I wasn't clear before.

On Sat, Aug 28, 2010 at 5:12 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> Leonardo Rodrigues wrote:
>> On 28/08/2010 12:29, Andrei wrote:
>>> I'm setting up a transparent Squid box for 300 users. All requests from the router are sent to the Squid box. Squid box has one NIC, eth0. This box receives requests (from clients) and fetches content from the web using this one NIC on its one WAN port, eth0.
>>>
>>> Question: would it improve performance of the Squid box if I was receiving requests (from the clients) on eth0 and caching content on eth1? In other words, is there a benefit of using two NIC's vs. one? This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN (public IP) address.
>>>
>>> I'm on a 12Mb line.
>>
>> Your limitation is your 12Mb line; any decent hardware can handle that with no problem at all. ANY 100Mbit NIC, even onboard and cheaper/generic ones, can handle 12Mbit with no problem at all.
>>
>> I really don't think adding another NIC will improve your performance, given your 12Mbit WAN limitation.
>
> Indeed.
>
> Whether anything can be done by Squid depends on whether the clients using Squid are on the outside of that 12Mb line or on some faster connection between them and Squid.
>
> For a faster internal connection and slower Internet connection you can look towards raising the Hit Ratio, probably the byte hits specifically. That will drop the load on the Internet line and make the whole network appear faster to users. The holy grail for forward proxies seems to be 50%, with reality coming in between 20% and 45% depending on your clients and storage space.
>
> Amos

[squid-users] Kerberos authentication against AD 2003 server
Hi all,

I've been trying to get my squid 2.7 S9 to work with kerberos authentication against an AD 2003 server for a couple of weeks now but still failed. I've read through lots of posts in the list and different tutorials, following them one at a time, but still no go. I've been following tuts by Klaubert (http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/) and the wiki too.. I've tried using the squid_kerb_auth both from the squid dist and sourceforge v1.0.5.

Here is what I did:

= configure squid with these options:

./configure --prefix=/usr/local/squid --with-maxfd=16384 --enable-storeio=aufs,coss --enable-removal-policies=lru,heap --enable-delay-pools --disable-wccp --disable-wccpv2 --enable-arp-acl --enable-coss-aio-ops --disable-ident-lookups --enable-auth=ntlm,basic,negotiate --enable-ntlm-auth-helpers=SMB --enable-negotiate-auth-helpers=squid_kerb_auth --enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group --with-large-files

= created a user proxy.domain in AD server

= created keytab in AD server:

ktpass -princ HTTP/proxy.dom...@mydomain.com -mapuser proxy.domain -crypto rc4-hmac-nt pass password -ptype KRB5_NT_SRV_HST -out proxy.domain.keytab

and transferred it to the squid server as /etc/proxy.domain.keytab

chmod 400 /etc/proxy.domain.keytab
chown nobody /etc/proxy.domain.keytab

= /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = dc1.mydomain.com:88
  kdc = dc2.mydomain.com:88
  kdc = dc3.mydomain.com:88
  admin_server = dc1.mydomain.com:749
  admin_server = dc2.mydomain.com:749
  admin_server = dc3.mydomain.com:749
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

;[kdc]
; profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

= tested the keytab file

[r...@proxy ~]# kinit -V -k -t /etc/proxy.domain.keytab HTTP/proxy.domain
Authenticated to Kerberos v5

= squid startup script

#!/bin/bash
export KRB5_KTNAME=/etc/proxy.domain.keytab
/usr/sbin/squid -D

= squid.conf file

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

= after starting squid, ps ax output

7040 ?  Ss  0:00 /usr/sbin/squid -D
7042 ?  Sl  0:00 (squid) -D
7043 ?  S   0:00 (squid_kerb_auth) -d
7044 ?  S   0:00 (squid_kerb_auth) -d
7045 ?  S   0:00 (squid_kerb_auth) -d
7046 ?  S   0:00 (squid_kerb_auth) -d
7047 ?  S   0:00 (squid_kerb_auth) -d
7048 ?  S   0:00 (squid_kerb_auth) -d
7049 ?  S   0:00 (squid_kerb_auth) -d
7050 ?  S   0:00 (squid_kerb_auth) -d
7051 ?  S   0:00 (squid_kerb_auth) -d
7052 ?  S   0:00 (squid_kerb_auth) -d
7053 ?  S   0:00 (unlinkd)

= the proxy has A and PTR records for its fqdn in the AD server (DNS) and resolves fine. IE7 on the client machine (windows XP) is set up with the fqdn as the proxy address. When trying to access the internet, the login prompt comes up repeatedly and dies with a denied message after 3 attempts.

= when using squid_kerb_auth v1.0.5 from sourceforge:

2010/08/29 10:59:00| Parser: retval 1: from 0-41: method 0-2; url 4-30; version 32-40 (1/1)
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 10:59:00| Parser: retval 1: from 0-41: method 0-2; url 4-30; version 32-40 (1/1)
2010/08/29 10:59:00| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/08/29 10:59:00| squid_kerb_auth: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token
2010/08/29 10:59:00| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:49| Parser: retval 1: from 0-41: method 0-2; url 4-30; version 32-40 (1/1)
2010/08/29 11:03:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/08/29 11:03:49|
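An added example, not part of the post and not squid_kerb_auth's code: decode the token a browser puts in "Proxy-Authorization: Negotiate ..." (the same base64 that reaches the helper as "YR <token>") and name the mechanism it carries. The helper log above already gives the answer for this setup: the bytes begin with "NTLMSSP", a raw NTLM type 1 message, so the browser fell back to NTLM instead of presenting a Kerberos or SPNEGO token, and a Kerberos-only helper can only answer BH. The NTLM and SPNEGO tokens below are constructed, not copied from the log; the DER helpers are minimal and assume well-formed input.

```python
# Classify a Negotiate token the way a helper sees it (added example,
# not squid_kerb_auth source). Sample tokens are constructed.
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("2b060104018237020a")       # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLM: "NTLMSSP"}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


def der_len(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, index of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(tok: bytes) -> str:
    """Name the mechanism inside a Negotiate token."""
    if tok.startswith(NTLMSSP):                       # no Kerberos involved at all
        msg_type = struct.unpack_from("<I", tok, 8)[0]
        return f"raw NTLM type {msg_type}"
    if len(tok) < 2 or tok[:1] != b"\x60":            # GSS InitialContextToken tag
        return "not a GSS-API token"
    _, pos = der_len(tok, 1)
    if tok[pos] != 0x06:                              # mech OID must come first
        return "malformed GSS-API token"
    oid_len, pos = der_len(tok, pos + 1)
    mech = tok[pos:pos + oid_len]
    if mech != OID_SPNEGO:
        return "GSS " + MECH_NAMES.get(mech, mech.hex())
    # SPNEGO NegTokenInit: report every mechType OID the client is offering.
    offered = [name for oid, name in MECH_NAMES.items() if der(0x06, oid) in tok]
    return "SPNEGO offering " + "+".join(offered or ["nothing"])


def helper_line_to_token(line: str) -> bytes:
    """Squid hands the helper 'YR <base64>' for a new context, 'KK <base64>' after."""
    flag, b64 = line.split(" ", 1)
    if flag not in ("YR", "KK"):
        raise ValueError(f"unexpected helper flag {flag!r}")
    return base64.b64decode(b64)


# Constructed NTLM type 1: signature, type, flags, empty domain/workstation
# fields, then the 8-byte version block; 40 bytes, like the one in the log.
NTLM_TYPE1 = (NTLMSSP + struct.pack("<II", 1, 0xA2088207)
              + b"\x00" * 16 + bytes([5, 1, 0x28, 0x0A, 0, 0, 0, 0x0F]))


def spnego_init(*mechs: bytes) -> bytes:
    """Build a constructed SPNEGO NegTokenInit whose mechTypes holds the given OIDs."""
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    neg_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return der(0x60, der(0x06, OID_SPNEGO) + neg_init)
```

A client that has a ticket for HTTP/<proxy fqdn> sends SPNEGO with a Kerberos mechType; raw NTLMSSP (or SPNEGO offering only NTLMSSP) means it never obtained one, so the fix lies on the client or SPN side rather than in the helper.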