Re: [squid-users] Can't figure out this one - need a pointer

2010-08-28 Thread Amos Jeffries

Kurt Buff wrote:

On Fri, Aug 27, 2010 at 20:04, Amos Jeffries squ...@treenet.co.nz wrote:

Kurt Buff wrote:

snip


Dang - completely missed the NTLM. That's just sick and wrong. I'm
going to have to do some hard thinking about what I want to do about
this.

If I proceed with persistent connections, I'm guessing that I need to
use pconn_timeout to control them? If so, what might be a reasonable
threshold to set? Will I also have to use persistent_request_timeout,
and with a similar period specified?


They are self-regulating most of the time. They are one of the 
cornerstones of HTTP/1.1 performance gains, so nothing to be worried 
about. Squid has a preference for closing them early rather than 
leaving them open if anything unusual happens.


If you must reduce their lifetimes the pconn_timeout can shrink their 
idle times down.


I forgot to mention pinning as a requirement earlier. That means 2.6, 
2.7 or 3.1 are the only versions that will pass-thru NTLM.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-28 Thread Nick Cairncross
Tom,

Just to say what I think (since you have almost the same setup as me I think): 
you will always get that 407 at the moment. Squid requires an authenticated 
user before allowing the page, but you can't authenticate every method (at least 
that is what I have found) in my setup. 

Regardless of whether it is ntlm or Kerberos etc., your rule about connect I 
think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS, because 
otherwise you're just disallowing the CONNECT method (not the same as the GET method) 
using non-ssl ports. There's nothing talking about allowing it. 
 


I think that's right
Nick 



On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

 Hi Amos
 
 Thanks a lot for this information.
 
 Is it usual/normal, that all https-requests have this error?
 1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 
 As I already mentioned: the sites which are denied in the access.log
 are normally accessible and appear correctly (this is what I don't
 understand... mmmh).
 I think, that I don't have rules, which explicitly require another
 authentication instead of kerberos. Here is an extract of my
 squid.conf:
 
 The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 # Block invalid Users
 http_access deny !INTERNET_ACCESS
 http_access allow INTERNET_ACCESS
 http_access deny all
 
 When I trace the http/https-traffic with httpfox (firefox-addon), then
 I also get no errors or denies back.
 
 Thanks a lot for all the help.
 Tom
 
 
 2010/8/27 Amos Jeffries squ...@treenet.co.nz:
 Tom Tux wrote:
 
 Hi
 
 For every HTTPS-Site I have the following tcp_denied/407-entry in the
 access.log:
 282895826.492  1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
 mail.google.com:443 - NONE/- text/html
 1282896033.320  1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
 secure-www.novell.com:443 - NONE/- text/html
 
 The sites which are denied in the access.log are accessible though,
 but I have these errors. It seems to me that squid needs a user
 authentication. But this should be given with kerberos-authentication,
 which works fine.
 
 I have the following directives configured (as default):
 acl SSL_ports port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_ports
 
 
 Can someone explain this behaviour to me?
 
 CONNECT requests to SSL ports (aka HTTPS) will get past that security
 barrier and move on to checking your other rules. One of those other rules
 involves proxy authentication.
 
 All requests which require authentication but do not provide it get a 407 or
 401 response challenging the browser to provide some credentials. This is
 true for all authentication types.
 
 Working browsers with access to the required credentials will send them on a
 followup request and get past that challenge.
 
 Amos
 --
 Please be using
 Current Stable Squid 2.7.STABLE9 or 3.1.7
 Beta testers wanted for 3.2.0.1
 



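Amos's explanation above (the CONNECT rule only blocks non-SSL ports, so an HTTPS CONNECT falls through to the authentication ACL and draws a 407 challenge before the browser retries with credentials) can be traced with a small model of Squid's first-match http_access walk. This is an added illustration, not Squid's own code: the ACL definitions, the user name "tom" and the assumption that the INTERNET_ACCESS helper allows any authenticated user are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration, not Squid's own code: a simplified model of how Squid
# walks http_access lines top to bottom. The first line whose ACLs all match
# decides; an ACL that needs credentials (proxy_auth, or an external_acl keyed
# on the login name such as INTERNET_ACCESS here) cannot be evaluated without a
# Proxy-Authorization header, so Squid answers 407 and logs TCP_DENIED/407.

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

@dataclass
class Request:
    method: str
    host: str
    port: int
    user: Optional[str] = None   # None: no Proxy-Authorization header sent

def acl_matches(name: str, req: Request):
    """True/False for a plain ACL; None when the ACL needs absent credentials."""
    if name == "Safe_ports":
        return req.port in SAFE_PORTS
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "all":
        return True
    if name == "INTERNET_ACCESS":
        return None if req.user is None else True   # assumed: helper allows the user
    raise ValueError(f"unknown acl {name}")

def http_access(rules, req: Request) -> int:
    """Return the status Squid would log: 200 (allowed), 403 (denied) or 407."""
    for action, *acls in rules:
        line_matches = True
        for acl in acls:
            negated = acl.startswith("!")
            result = acl_matches(acl.lstrip("!"), req)
            if result is None:
                return 407                 # challenge the browser for credentials
            if result == negated:          # this ACL (after negation) did not match
                line_matches = False
                break
        if line_matches:
            return 200 if action == "allow" else 403
    return 403                             # no line matched: implicit deny

# Tom's rules from the thread, as (action, acl, acl, ...) tuples.
TOMS_RULES = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "!INTERNET_ACCESS"),
    ("allow", "INTERNET_ACCESS"),
    ("deny", "all"),
]

def trace_https_visit(host: str, port: int):
    """Status of the browser's first CONNECT (no credentials) and of its retry."""
    first = http_access(TOMS_RULES, Request("CONNECT", host, port))
    retry = http_access(TOMS_RULES, Request("CONNECT", host, port, user="tom"))
    return first, retry

if __name__ == "__main__":
    print(trace_https_visit("mail.google.com", 443))   # (407, 200): logged deny, page works
    print(trace_https_visit("example.net", 8443))      # (403, 403): real deny, no challenge
```

The first tuple is exactly the pattern in Tom's access.log: a TCP_DENIED/407 line for the credential-less CONNECT, followed by a successful retry, so the page renders even though a deny was logged.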

Re: [squid-users] is squid 3.1.x is multiple chained ICAP server compliance ?

2010-08-28 Thread David Touzeau



On 28/08/2010 05:34, Amos Jeffries wrote:

adaptation_access AV_scan deny MULTIMEDIA
adaptation_access AV_scan allow all




Amos, you are the king of squid specialists !!!
It's working like a charm !

SquidGuard is supported by C-ICAP, so you can provide URL filtering using 
the ICAP protocol, which gives better performance.


Here is my final configuration for other guys asking about using 
multiple ICAP servers in chain mode:

Amos, if you find some tips to tweak this config, let me know...



acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$


# - ICAP Services.(2 service(s))
# - icap_service C-ICAP mode 3.1.x
# - icap_service C-ICAP + SquidGuard
icap_service service_url_check reqmod_precache routing=on bypass=on icap://127.0.0.1:1345/url_check
icap_service service_antivir respmod_precache routing=on bypass=on icap://127.0.0.1:1345/srv_clamav


# - icap_service KASPERSKY mode 3.1.1

icap_service is_kav_resp respmod_precache routing=on bypass=on icap://127.0.0.1:1344/av/respmod
icap_service is_kav_req reqmod_precache routing=on bypass=on icap://127.0.0.1:1344/av/reqmod


# - adaptation chain services.
adaptation_service_chain ANTIVIRUS_CHAINS service_antivir is_kav_resp
adaptation_access ANTIVIRUS_CHAINS deny MULTIMEDIA
adaptation_access ANTIVIRUS_CHAINS allow all

adaptation_service_chain REQ_CHAINS service_url_check is_kav_req
adaptation_access REQ_CHAINS allow all

icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on


[squid-users] squid as a reverse proxy and exchange 2007- Mandating access with the certificate

2010-08-28 Thread Erwan Le Du
Hi,
I'm using squid as a reverse proxy to allow the users to connect to
exchange 2007 from the outside. All is ok (OWA and RPC over https) but
I would like to know if we can secure the connections with a
certificate. I would like the users to be required to have the
certificate to connect to the Outlook web access. For the moment if I
don't have the certificate I get a warning from the internet browser
(because it's a self signed certificate) but I can continue and
finally reach the owa interface ... With apache I can use
SSLVerifyClient but I don't know if it's possible with squid as a
reverse proxy. Otherwise I can enable the option client certificate
require in the ssl settings for the folder owa in IIS 7 but I would
like to connect to outlook web access from the internal network
without certificate.

Below my squid configuration :

visible_hostname hostname
debug_options ALL,1
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 cert=/path/certif.crt key=/path/certif.key cafile=/path/ca.crt defaultsite=hostname
cache_peer exchange_internal_ip parent 443 0 no-query proxy-only originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=exchange_hostname
acl all src 0.0.0.0/0.0.0.0
acl owa dstdomain hostname
cache_peer_access exchange_hostname allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all
access_log /var/log/squid3/access.log squid

Sorry for my english..
Thanks in advance.

Regards.


[squid-users] performance question, 1 or 2 NIC's?

2010-08-28 Thread Andrei
This is a general Squid question. If you have experience with medium
sized networks (300+ users) and Squid, this question is for you.

I'm setting up a transparent Squid box for 300 users. All requests
from the router are sent to the Squid box. Squid box has one NIC,
eth0. This box receives requests (from clients) and catches content
from the web using this one NIC on its one WAN port, eth0.

Question: would it improve performance of the Squid box if I was
receiving requests (from the clients) on eth0 and caching content on
eth1? In other words, is there a benefit of using two NIC's vs. one?
This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN
(public IP) address.

Current (working setup)
Clients - Router - (eth0/WAN1) Squid - (eth0/WAN1) www

Would this be (performance wise) better?
Clients - Router - (eth0/WAN1) Squid (eth1/WAN2) - www

I'm on a 12Mb line.


[squid-users] squid no longer aborts bad request?

2010-08-28 Thread Kaiwang Chen
In 2.6.STABLE21, squid immediately responds with 400 when I enter
'a'; while in 3.1.6 the connection expects more characters, although
it will definitely not get a good request.

[r...@squid1 root]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
a
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE21
...
Some aspect of the HTTP Request is invalid.  Possible problems:
Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
(more...)
...


[r...@dev ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
a

b
(can type in anything, and Ctrl-C will not abort the connection. It just hangs there)


Is there a configuration directive that controls it?

Thanks,
kc


Re: [squid-users] performance question, 1 or 2 NIC's?

2010-08-28 Thread Leonardo Rodrigues

On 28/08/2010 12:29, Andrei wrote:


I'm setting up a transparent Squid box for 300 users. All requests
from the router are sent to the Squid box. Squid box has one NIC,
eth0. This box receives requests (from clients) and catches content
from the web using this one NIC on its one WAN port, eth0.

Question: would it improve performance of the Squid box if I was
receiving requests (from the clients) on eth0 and caching content on
eth1? In other words, is there a benefit of using two NIC's vs. one?
This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN
(public IP) address.


I'm on a 12Mb line.
   



Your limitation is your 12Mb line; any decent hardware can 
handle that with no problem at all. ANY 100Mbit NIC, even onboard and 
cheaper/generic ones, can handle 12Mbit with no problem at all.


I really don't think adding another NIC will improve your 
performance, given your 12Mbit WAN limitation.



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
gertru...@solutti.com.br
My SPAMTRAP, do not email it






Re: [squid-users] squid as a reverse proxy and exchange 2007- Mandating access with the certificate

2010-08-28 Thread Amos Jeffries

Erwan Le Du wrote:

Hi,
I'm using squid as a reverse proxy to allow the users to connect to
exchange 2007 from the outside. All is ok (OWA and RPC over https) but
I would like to know if we can secure the connections with a
certificate. I would like the users to be required to have the
certificate to connect to the Outlook web access. For the moment if I
don't have the certificate I get a warning from the internet browser
(because it's a self signed certificate) but I can continue and
finally reach the owa interface ... With apache I can use
SSLVerifyClient but I don't know if it's possible with squid as a
reverse proxy. Otherwise I can enable the option client certificate
require in the ssl settings for the folder owa in IIS 7 but I would
like to connect to outlook web access from the internal network
without certificate.


Sure you can. These three things can be done to strengthen the 
certificate security chain:


 * Remove the sslflags=DONT_VERIFY_PEER and Squid will check that the 
certificate provided by OWA is valid and trustworthy, rejecting 
connections to the peer if it is not.


 * Setting a client certificate which OWA trusts into the squid 
cache_peer line will strengthen the link between Squid and OWA and 
permit OWA to check that it is Squid doing the contact.
   (NP: says nothing about clients using Squid though, only the 
particular Squid-OWA link)


 * Having the certificate presented by https_port signed properly by a 
CA which the clients trust. Will resolve that self-signed warning.


OR

 * Having the certificate presented by https_port signed properly by a 
CA which the clients trust. Will resolve that self-signed warning.


 * Specifying clientca= option on https_port can set the list of 
trusted CA used to verify the visiting clients' certificate.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] performance question, 1 or 2 NIC's?

2010-08-28 Thread Amos Jeffries

Leonardo Rodrigues wrote:

On 28/08/2010 12:29, Andrei wrote:


I'm setting up a transparent Squid box for 300 users. All requests
from the router are sent to the Squid box. Squid box has one NIC,
eth0. This box receives requests (from clients) and catches content
from the web using this one NIC on its one WAN port, eth0.

Question: would it improve performance of the Squid box if I was
receiving requests (from the clients) on eth0 and caching content on
eth1? In other words, is there a benefit of using two NIC's vs. one?
This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN
(public IP) address.


I'm on a 12Mb line.
   



Your limitation is your 12Mb line; any decent hardware can 
handle that with no problem at all. ANY 100Mbit NIC, even onboard and 
cheaper/generic ones, can handle 12Mbit with no problem at all.


I really don't think adding another NIC will improve your 
performance, given your 12Mbit WAN limitation.





Indeed.

Andrei wrote:
  Whether anything can be done by Squid depends on whether the clients 
using Squid are on the outside of that 12Mb line or on some faster 
connection between them and Squid.


 For a faster internal connection and slower Internet connection you 
can look towards raising the Hit Ratio, probably the byte hits 
specifically. That will drop the load on the Internet line and make the 
whole network appear faster to users. The holy grail for forward proxies 
seems to be 50%, with reality coming in between 20% and 45% depending on 
your clients and storage space.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] squid no longer aborts bad request?

2010-08-28 Thread Amos Jeffries

Kaiwang Chen wrote:

In 2.6.STABLE21, squid immediately responds with 400 when I enter
'a'; while in 3.1.6 the connection expects more characters, although
it will definitely not get a good request.

[r...@squid1 root]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
a
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE21
...
Some aspect of the HTTP Request is invalid.  Possible problems:
Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
(more...)
...


[r...@dev ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
a

b
(can type in anything, and Ctrl-C will not abort the connection. It just hangs there)


Ctrl-C will not terminate telnet (Ctrl-] is needed for that) but yes I 
see the problem.





Is there a configuration directive that controls it?


No, just some sanity checks.


Looks like you have hit a bug in the HTTP/1.1 persistent connections 
when dealing with HTTP/0.9 ambiguous traffic.


I've reproduced that in the latest code and am working on it now, but 
could you please report it in bugzilla anyway so it doesn't get lost.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1
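Amos's diagnosis above is that a bare line such as `a` is ambiguous to a parser that must accept both HTTP/1.x and HTTP/0.9 request lines. The following added example (not Squid's parser; the grammar is a simplified one written for this illustration) shows the three-way decision a proxy has to make per received buffer: keep reading because no line terminator has arrived, reject with 400 because the complete line can never become a valid request, or forward the parsed request.

```python
import re

# Constructed request-line validator (an added illustration, not Squid's code).
# Squid 2.6's behaviour in the thread corresponds to the "bad" outcome: once a
# full line has arrived and is not a request line, nothing typed later can fix it.

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                  # RFC 2616 token chars
HTTP1 = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
HTTP09 = re.compile(r"^GET (\S+)$")                       # simple-request form

def parse_request_line(buf: bytes):
    """Return ("incomplete", None), ("bad", reason) or ("ok", parsed)."""
    if b"\n" not in buf:
        return ("incomplete", None)       # no terminator yet: 'a' may still grow
    line = buf.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return ("bad", "non-ASCII byte in request line")
    m = HTTP1.match(text)
    if m:
        method, url, major, minor = m.groups()
        return ("ok", {"method": method, "url": url, "version": f"{major}.{minor}"})
    m = HTTP09.match(text)
    if m:
        return ("ok", {"method": "GET", "url": m.group(1), "version": "0.9"})
    if " " not in text:
        return ("bad", "missing URL (single token on the line)")
    return ("bad", "malformed request line")

def proxy_reply(buf: bytes) -> str:
    """What a proxy should do with the bytes received so far."""
    state, detail = parse_request_line(buf)
    if state == "incomplete":
        return "(wait for more input)"
    if state == "bad":
        return "HTTP/1.0 400 Bad Request  # " + detail
    return f"forward {detail['method']} {detail['url']} (HTTP/{detail['version']})"

if __name__ == "__main__":
    # Constructed inputs mirroring the telnet session in the thread.
    for sample in (b"a", b"a\r\n", b"GET /index.html\r\n",
                   b"GET http://www.squid-cache.org/ HTTP/1.1\r\n"):
        print(repr(sample), "->", proxy_reply(sample))
```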


Re: [squid-users] performance question, 1 or 2 NIC's?

2010-08-28 Thread Andrei
Ooo... the line between Squid and the clients is 1000 MB. My internet
connection is 12MB. Not sure if that changes things. Does it? Would it
make a difference in that situation if clients (from 1000Mb) come in on
one line, eth0, and get cached on eth1 which is only 12MB?

Sorry if I wasn't clear before




On Sat, Aug 28, 2010 at 5:12 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 Leonardo Rodrigues wrote:

 On 28/08/2010 12:29, Andrei wrote:

 I'm setting up a transparent Squid box for 300 users. All requests
 from the router are sent to the Squid box. Squid box has one NIC,
 eth0. This box receives requests (from clients) and catches content
 from the web using this one NIC on its one WAN port, eth0.

 Question: would it improve performance of the Squid box if I was
 receiving requests (from the clients) on eth0 and caching content on
 eth1? In other words, is there a benefit of using two NIC's vs. one?
 This is a public IP/WAN Squid box. Both eth0 and eth1 would have a WAN
 (public IP) address.


 I'm on a 12Mb line.



     Your limitation is your 12Mb line; any decent hardware can handle
 that with no problem at all. ANY 100Mbit NIC, even onboard and
 cheaper/generic ones, can handle 12Mbit with no problem at all.

     I really don't think adding another NIC will improve your performance,
 given your 12Mbit WAN limitation.



 Indeed.

 Andrei wrote:
  Whether anything can be done by Squid depends on whether the clients using
 Squid are on the outside of that 12Mb line or on some faster connection
 between them and Squid.

  For a faster internal connection and slower Internet connection you can
 look towards raising the Hit Ratio, probably the byte hits specifically.
 That will drop the load on the Internet line and make the whole network
 appear faster to users. The holy grail for forward proxies seems to be 50%,
 with reality coming in between 20% and 45% depending on your clients and
 storage space.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1



[squid-users] Kerberos authentication against AD 2003 server

2010-08-28 Thread Manoj Rajkarnikar
Hi all,

I've been trying to get my squid 2.7 S9 to work with kerberos
authentication against AD 2003 server for a couple of weeks now but still
failed. I've read through lots of posts in the list and different
tutorials, following them one at a time, but still no go. I've been
following tuts by Klaubert
(http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/)
and the wiki too.. I've tried using the squid_kerb_auth both from the
squid dist and sourceforge v1.0.5. Here is what I did:

= configure squid with these options:
./configure --prefix=/usr/local/squid --with-maxfd=16384 \
  --enable-storeio=aufs,coss --enable-removal-policies=lru,heap \
  --enable-delay-pools --disable-wccp --disable-wccpv2 --enable-arp-acl \
  --enable-coss-aio-ops --disable-ident-lookups \
  --enable-auth=ntlm,basic,negotiate --enable-ntlm-auth-helpers=SMB \
  --enable-negotiate-auth-helpers=squid_kerb_auth \
  --enable-basic-auth-helpers=LDAP \
  --enable-external-acl-helpers=ldap_group --with-large-files

= created a user proxy.domain in AD server

= created keytab in AD server:
ktpass -princ HTTP/proxy.dom...@mydomain.com -mapuser proxy.domain -crypto rc4-hmac-nt -pass password -ptype KRB5_NT_SRV_HST -out proxy.domain.keytab

and transferred to squid server in /etc/proxy.domain.keytab
chmod 400 /etc/proxy.domain.keytab
chown nobody /etc/proxy.domain.keytab

= /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MYDOMAIN.COM = {
kdc = dc1.mydomain.com:88
kdc = dc2.mydomain.com:88
kdc = dc3.mydomain.com:88
admin_server = dc1.mydomain.com:749
admin_server = dc2.mydomain.com:749
admin_server = dc3.mydomain.com:749
default_domain = mydomain.com
}

[domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM

;[kdc]
;  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }

= tested the keytab file
[r...@proxy ~]# kinit -V -k -t /etc/proxy.domain.keytab HTTP/proxy.domain
Authenticated to Kerberos v5

= squid startup script
#!/bin/bash
export KRB5_KTNAME=/etc/proxy.domain.keytab
/usr/sbin/squid -D

= squid.conf file
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

= after starting squid, ps ax output
7040 ?Ss 0:00 /usr/sbin/squid -D
 7042 ?Sl 0:00 (squid) -D
 7043 ?S  0:00 (squid_kerb_auth) -d
 7044 ?S  0:00 (squid_kerb_auth) -d
 7045 ?S  0:00 (squid_kerb_auth) -d
 7046 ?S  0:00 (squid_kerb_auth) -d
 7047 ?S  0:00 (squid_kerb_auth) -d
 7048 ?S  0:00 (squid_kerb_auth) -d
 7049 ?S  0:00 (squid_kerb_auth) -d
 7050 ?S  0:00 (squid_kerb_auth) -d
 7051 ?S  0:00 (squid_kerb_auth) -d
 7052 ?S  0:00 (squid_kerb_auth) -d
 7053 ?S  0:00 (unlinkd)

= proxy has A and PTR records for its fqdn in AD Server (DNS) and
resolves fine. IE7 in the client machine (windows XP) is set up with the fqdn in
the proxy address. When trying to access the internet, the login prompt
comes up repeatedly and dies with a denied message after 3 attempts.

= when using squid_kerb_auth v1.0.5 from sourceforge:

2010/08/29 10:59:00| Parser: retval 1: from 0-41: method 0-2; url
4-30; version 32-40 (1/1)
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 10:59:00| Parser: retval 1: from 0-41: method 0-2; url
4-30; version 32-40 (1/1)
2010/08/29 10:59:00| squid_kerb_auth: Got 'YR
TlRMTVNTUAABB4IIogAFASgKDw==' from squid
(length: 59).
2010/08/29 10:59:00| squid_kerb_auth: Decode
'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded
length: 40).
2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token
2010/08/29 10:59:00| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:49| Parser: retval 1: from 0-41: method 0-2; url
4-30; version 32-40 (1/1)
2010/08/29 11:03:49| squid_kerb_auth: Got 'YR
TlRMTVNTUAABB4IIogAFASgKDw==' from squid
(length: 59).
2010/08/29 11:03:49|
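The helper log above says "received type 1 NTLM token": the browser put a raw NTLMSSP message inside its Negotiate header instead of a Kerberos/SPNEGO token, which a Kerberos-only helper cannot use, so each attempt is rejected and the prompt reappears. The following added example (not squid_kerb_auth's code; the sample tokens and log lines are constructed) decodes such tokens and classifies them, so this fallback can be spotted from a cache.log extract rather than guessed at.

```python
import base64
import re
import struct

# Added illustration (not part of the squid_kerb_auth helper): classify the
# base64 blob a browser sends in Proxy-Authorization: Negotiate. Raw NTLMSSP
# means the client fell back to NTLM (no usable Kerberos ticket for the proxy
# SPN); a GSS-API/SPNEGO InitialContextToken is what a Kerberos helper expects.

NTLMSSP_SIG = b"NTLMSSP\x00"
LOG_RE = re.compile(r"squid_kerb_auth: Got '(?:YR|KK) (\S+)' from squid")

def classify_negotiate_token(b64: str):
    """Return ("ntlm", message_type), ("spnego", None) or ("unknown", None)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return ("unknown", None)
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # 1=NEGOTIATE 2=CHALLENGE 3=AUTHENTICATE
        return ("ntlm", msg_type)
    if raw[:1] == b"\x60":                  # ASN.1 [APPLICATION 0]: GSS-API framing
        return ("spnego", None)
    return ("unknown", None)

def build_ntlm_type1(flags: int = 0xA2088207) -> bytes:
    """Construct a 40-byte NTLM NEGOTIATE (Type 1) message as sample input."""
    version = b"\x05\x01\x28\x0a\x00\x00\x00\x0f"   # OS version block (5.1.2600)
    return (NTLMSSP_SIG + struct.pack("<II", 1, flags)
            + bytes(16)                        # empty domain and workstation fields
            + version)

def scan_helper_log(lines):
    """Classify the token on every 'squid_kerb_auth: Got ...' line of a cache.log."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            results.append(classify_negotiate_token(m.group(1)))
    return results

# Constructed samples: one NTLM fallback, one SPNEGO token (OID 1.3.6.1.5.5.2).
NTLM_B64 = base64.b64encode(build_ntlm_type1()).decode()
SPNEGO_B64 = base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
SAMPLE_LOG = [
    f"2010/08/29 10:59:00| squid_kerb_auth: Got 'YR {NTLM_B64}' from squid.",
    "2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token",
    f"2010/08/29 10:59:01| squid_kerb_auth: Got 'YR {SPNEGO_B64}' from squid.",
]

if __name__ == "__main__":
    for kind, msg_type in scan_helper_log(SAMPLE_LOG):
        print(kind, msg_type)          # ntlm 1, then spnego None
```

A Type 1 token whose base64 starts with `TlRMTVNTUAAB` (the `NTLMSSP\0` signature followed by message type 1), as in the log above, identifies the client as negotiating NTLM rather than Kerberos.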