[squid-users] Re: Always direct ?

2010-09-23 Thread Olivier CALVANO
Hi

 I currently use this in my squid server:

 acl symantec dst 92.123.68.0/24
 always_direct allow symantec

 All requests to 92.123.68.x are "always direct".


 Do you know if it's possible to change that to:

 acl symantec "url http://*.symantec.com";
 always_direct allow symantec

 i.e. based not on IP but on URL?

 thanks for your help


Re: [squid-users] Re: Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

2010-09-23 Thread Aleksandar Ciric
ok, I will add timers to correlate log events with wireshark output; all 
machines sync to AD NTP.

According to this, the situation is clear (if one can say so).

If I acknowledge the pass prompt fast 3x in a row (that is, 3 GETs get sent), I 
get all 3x (DEBUG: Got / Decode / AF) lines in the cache.log at that very moment and 
an OK for the last GET.
In the second test, with a pause after 2 acks, on the first 2 acks of the pass prompt (each 
dispatches a GET request with a valid kerb token) I get no reaction in the log ... so 
I waited about 10 secs for the 3rd ack, did it and got all 3x (DEBUG: Got / Decode / 
AF) lines at the same time according to the log. 

Unlike the situation detailed below, where I only got one (DEBUG: Got / Decode / 
AF). 

The point is that the 3rd GET seems to trigger processing the auth momentarily; any 
less won't do. The time doesn't seem to matter.

When the same desktop client (I tried several just to make sure) is logged in with 
a valid domain username, none of this happens. After the 1st 407 it goes through 
TGS-REQ/TGS-REP and sends GET with GSSAPI (doesn't even try NTLM) and receives 
OK.
 
I don't know how to resolve this or what to troubleshoot further (besides 
scrapping the Gentoo machine and trying with CentOS or Ubuntu server).

desktop_wireshark:
12:58:24.377414 1. GET google
12:58:24.379208 2. 407, Proxy-Authenticate: Negotiate\r\n
12:58:24.404808 3. GET google, Proxy-Authorization: Negotiate , NTLMSSP
12:58:24.406647 4. 407, Proxy-Authenticate: Negotiate\r\n (no token)
5. Ack. the pass prompt
12:58:36.936887-943069 6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
12:58:37.033969 7. GET google, Proxy-Authorization: Negotiate , GSS-API (SPNEGO)
12:58:37.036221 8. 407, Proxy-Authenticate: Negotiate\r\n (no token)
9. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays filled in)
12:58:43.258456-263817 10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
12:58:43.264872 11. GET google, Proxy-Authorization: Negotiate , GSS-API (SPNEGO)
12:58:43.267059 12. 407, Proxy-Authenticate: Negotiate\r\n (no token)
13. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays filled in)
12:58:50.390082-395554 14. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
12:58:50.396739 15. GET google, Proxy-Authorization: Negotiate , GSS-API (SPNEGO)
12:58:50 DEBUG: Got / Decode / AF (squid cache log)
12:58:50.575546 16. 200 OK, Proxy-Authentication-Info: Negotiate (token)

P.S.
I used a pause because I lack microseconds in squid's cache.log

--- On Wed, 9/22/10, Markus Moeller  wrote:

> From: Markus Moeller 
> Subject: [squid-users] Re: Re: Re: Squid 3.1.6, Kerberos and strange browser 
> auth behavior
> To: squid-users@squid-cache.org
> Date: Wednesday, September 22, 2010, 11:46 AM
> 
> >"Aleksandar Ciric" 
> wrote in message 
> >news:375975.43025...@web114214.mail.gq1.yahoo.com...
> >Gentoo Squid, IE browser
> >
> >1. GET google
> >2. 407, Proxy-Authenticate: Negotiate\r\n(beside scrapping the whole Gentoo 
> >thing and going for some CentOS)
> >3. GET google, Proxy-Authorization: Negotiate
> , NTLMSSP
> >4. 407, Proxy-Authenticate: Negotiate\r\n
> 
> Interesting. I thought Negotiate will use Kerberos first
> and then NTLM.
> 
> >5. Pass Prompt (stays on after ack)
> >6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
> server)
> >7. GET google, Proxy-Authorization: Negotiate
> , GSS-API (SPNEGO)
> 
> What does squid say here in the logfile ? If the token is
> complete it should 
> already return 200 OK
> 
> If not 8. should return also a token after Negotiate. 
> Can you confirm that 
> 8. does not contain a GSSAPI token ?
> 
> >8. 407, Proxy-Authenticate: Negotiate\r\n
> >pause (here I waited about a minute to type all this)
> >9. Ack the pass prompt again (same user/pass, it stays
> filled in)
> >10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
> server)
> >11. GET google, Proxy-Authorization: Negotiate
> , GSS-API (SPNEGO)
> >12. 200 OK, Proxy-Authentication-Info: Negotiate
> >
> >token in 7 & 11 is exactly the same, same pvno, as
> are kerberos ticket 
> >version numbers in 6 and 10.
> >
> >There is no difference in 2, 4, 8 headerwise.
> >
> >Apparently that pause removed the need for third time,
> however you can 
> >blitz through the entire process by acknowledging pass
> prompt 3x in a row, 
> >which would only add steps 6,7&8 once more.
> >
> >Interesting is that a rather long pause (tried 30secs,
> needs about a 
> >minute) made all the difference.
> >
> 
> Regards
> Markus 
> 
> 
> 

RE: [squid-users] One slow Website Through Proxy

2010-09-23 Thread Dean Weimer
Thanks Amos, guess I learned something simple that I should have already known: 
when troubleshooting these things, always capture packets on both sides of 
squid.  I was only looking at the data between the client PC and squid.  Had I 
looked at the packets on the other side of squid I more than likely would have 
caught this one.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Wednesday, September 22, 2010 10:31 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] One slow Website Through Proxy
> 
> On Wed, 22 Sep 2010 16:00:32 -0400, "Chad Naugle"
> 
> wrote:
> > I am not sure what is causing the issue, but in my own test, IE8 performed
> > SLOOO by far (Using the PROD Proxy), where under Firefox 3.5.13 (Using
> > my DEV Proxy), the site was almost instantly available while the IE8 was
> > STILL loading the same page.  After the first load, my PROD Proxy under IE8
> > loaded considerably faster, but not anywhere close to as fast as with
> > Firefox 3.5.13, for the first attempt.
> >
> >
> > -
> > Chad E. Naugle
> > Tech Support II, x. 7981
> > Travel Impressions, Ltd.
> >
> >
> >
> >  "Dean Weimer"  9/22/2010 3:13 PM >>>
> > I am running squid 3.1.8, and have one website that pauses for about 1 to
> > 2 minutes before loading.  The website is www.pb.com (PitneyBowes).  There
> > are no errors logged in the cache.log file, and nothing unusual in the
> > access.log file.  I have even done network packet captures and don't see
> > anything unusual.  The website responds fine when bypassing the proxy and
> > every other website appears to be fine through the proxy server.
> >
> > I have tested with both IE and Firefox, using my default wpad.dat script
> > with auto detect and manually specifying the proxy server with no change.
> > And even tried turning HTTP/1.1 through proxy servers on and off at the
> > browser, nothing seems to affect its behavior.
> >
> > Can any of you confirm whether or not this website is slow through your
> > setups, or have any idea what could be causing this issue?
> >
> 
> The www.pb.com domain times out while resolving  DNS records instead
> of returning NXDOMAIN or SERVFAIL response. Default DNS timeout is 2
> minutes. After which Squid will use the A results to fetch the page.
> 
> Amos


RE: [squid-users] Utorrrent through squid

2010-09-23 Thread GIGO .

Could you please help me out with why such errors are happening?

1285227117.990  0 10.1.97.27 TCP_DENIED/403 1480 GET http://tracker.thepiratebay.org/announce? - NONE/- text/html [Host: tracker.thepiratebay.org\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 403 Forbidden\r\nServer: squid\r\nDate: Thu, 23 Sep 2010 07:31:57 GMT\r\nContent-Type: text/html\r\nContent-Length: 1129\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nX-Cache: MISS from squid.local\r\nX-Cache-Lookup: NONE from squid.local:8080\r\nVia: 1.0 squid.local:8080 (squid)\r\nConnection: close\r\n\r]

Still not able to use torrent. Is it related to the CONNECT method, which is 
currently allowed for SSL (443)? If http-supporting torrent clients make an http 
tunnel to work, then which ports are required to be open?

regards,

Bilal



> Date: Thu, 23 Sep 2010 03:49:06 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Utorrrent through squid
>
> On 22/09/10 22:43, GIGO . wrote:
>>
>> So Amos does this means that downloading of torrents with earlier version of 
>> squid is not possible at all?
>
> No, its perfectly possible with IPv4 trackers.
>
> His specific problem was with IPv6-only trackers.
>
>> 
>>> Date: Wed, 22 Sep 2010 20:27:29 +1200
>>> Subject: Re: [squid-users] Utorrrent through squid
>>>
>>> On 22/09/10 19:56, GIGO . wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I am unable to run utorrent software through squid proxy due to ipv6 
>>>> tracker failure. I am unable to connect to an ipv6 tracker.
>>>>
>>>> 1285141356.609 152 10.1.97.27 TCP_MISS/504 1587 GET http://ipv6.torrent.ubuntu.com:6969/announce? - DIRECT/ipv6.torrent.ubuntu.com text/html [Host: ipv6.torrent.ubuntu.com:6969\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid\r\nDate: Wed, 22 Sep 2010 07:42:36 GMT\r\nContent-Type: text/html\r\nContent-Length: 1234\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\nX-Cache: MISS from xyz.com\r\nX-Cache-Lookup: MISS from xyz.com:8080\r\nVia: 1.0 xyz.com:8080 (squid)\r\nConnection: close\r\n\r]
>>>>
>>>> I am using squid 2.7 Stable 9 release.
>>>>
>>>
>>> Squid-3.1 is required for IPv4/IPv6 gateway.
>>>
>>>> For doing this is there a special configuration required on the Operating 
>>>> system (RHEL 5) or squid itself. Please guide.
>>>>
>>>
>>> http://wiki.squid-cache.org/KnowledgeBase/RedHat
>>>
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.8
> Beta testers wanted for 3.2.0.2 
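To triage lines like the two quoted in this thread, here is an added Python example (not code from the list or from Squid) that parses the native access.log record with its bracketed request/reply header blocks and pulls out the X-Squid-Error name, so a policy denial (ERR_ACCESS_DENIED) can be told apart from an upstream failure (ERR_DNS_FAIL); the sample lines are copied from the posts above with a few reply headers dropped.

```python
import re

# Squid native access.log record followed by the request and reply header blocks
# in square brackets; Squid writes the header line breaks as the literal text \r\n.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+"
    r"(?P<ctype>\S+)(?:\s+\[(?P<req>[^\]]*)\])?(?:\s+\[(?P<rep>[^\]]*)\])?\s*$"
)

# Constructed sample: the two records quoted in this thread, shortened.
SAMPLE_LOG = [
    r"1285227117.990  0 10.1.97.27 TCP_DENIED/403 1480 GET http://tracker.thepiratebay.org/announce? - NONE/- text/html [Host: tracker.thepiratebay.org\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 403 Forbidden\r\nServer: squid\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nX-Cache: MISS from squid.local\r\n\r]",
    r"1285141356.609 152 10.1.97.27 TCP_MISS/504 1587 GET http://ipv6.torrent.ubuntu.com:6969/announce? - DIRECT/ipv6.torrent.ubuntu.com text/html [Host: ipv6.torrent.ubuntu.com:6969\r\nUser-Agent: uTorrent/2040(21586)\r\nAccept-Encoding: gzip\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\nX-Cache: MISS from xyz.com\r\n\r]",
]


def parse_headers(block):
    """Turn a logged header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in block.split("\\r\\n"):  # split on literal backslash-r backslash-n
        name, sep, value = line.partition(":")
        if sep:  # skips the status line "HTTP/1.0 403 Forbidden" and the trailing \r
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_line(line):
    """Parse one access.log line; return None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    req = parse_headers(rec.pop("req") or "")
    rep = parse_headers(rec.pop("rep") or "")
    rec["status"] = int(rec["status"])
    rec["user_agent"] = req.get("user-agent")
    # X-Squid-Error holds the error page name plus an errno, e.g. "ERR_DNS_FAIL 0"
    err = rep.get("x-squid-error", "")
    rec["squid_error"] = err.split()[0] if err else None
    return rec


def summarize(lines):
    """Count records per result/status/X-Squid-Error; unparsable lines are skipped."""
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        key = f"{rec['result']}/{rec['status']} {rec['squid_error'] or '-'}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```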

Re: [squid-users] client identifier in squid logs

2010-09-23 Thread Henrik Nordström
Wed 2010-09-22 at 09:03 -0400, Shoebottom, Bryan wrote:

> I have an interception proxy configuration using WCCP and a Cisco
> router.  PAT/NAT happens on a device before the proxy, so my logs show
> only the public IPs.

That's because your firewall throws away the source IP without recording
it anywhere outside of the firewall logs.

> Without changing the placement of the proxy or moving away from
> the interception configuration, am I able to get the internal IP of the
> clients added to my logs?

No. You need to change how traffic gets directed to the proxy so that
the traffic is NOT NATed.

Regards
Henrik



Re: [squid-users] Re: squid client authentication against AD computer account

2010-09-23 Thread Manoj Rajkarnikar
Hi Matus.

On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
 wrote:
> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>> Thanks for the quick response Marcus.
>>
>> The reason I need to limit computer account and not user account is
>> that people here move out to distant branches and the internet access
>> policy is to allow to the position they hold, and thus the computer
>> they will use.
>
> I somehow don't understand this. Maybe it's my english.
> Do you need to control access for the user+computer combination?

I need to control access based on computer account as registered in
the AD server.

>
>> I've successfully setup the kerberos authentication but I don't see
>> how squid will fetch the computer information from client request and
>> authorize it based on the group membership in AD. What I wish to
>> accomplish is:
>>
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access internet is member of
>> this security group.
>> 4. if not, don't allow access to internet or request of AD user login
>> that is allowed.
>
> It seems that you want to allow access from some computers to the net, no
> matter which user is logged in. Why not use ip-based or maybe
> hardware_address-based authentication then?

That is correct.
We have dhcp all over our network, so ip-based is a bad idea.
For hardware_address-based auth, we will have to maintain a very large
list of hardware addresses.. not a good idea but worth considering (if
computer account based auth doesn't work)..

Also to be noted is that computer account based authentication would be
more secure, as only a handful of admins have domain administrator
level access, so it will be hard to spoof.

>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT wish to receive any advertising mail at this address.
> Quantum mechanics: The dreams stuff is made of.
>


[squid-users] Problem with Https and NTLM on AD domain

2010-09-23 Thread hallelujah
Dear all:

  I have a problem with HTTPS and NTLM authentication on the original server.

 The web server is Microsoft IIS using "integrated windows
authentication" with an AD domain and with https.


 My test squid version is 3.1.4 on Redhat AS 5 and the web server is
Microsoft 2003 Enterprise.


 Using squid, only NTLM is ok when the protocol is http, but it fails on https.

I decrypted the packets in wireshark, and found out that the Domain
name, User name and Host name are truncated to one word,
such as:
 the packet from client to squid is "GET / HTTP/1.1, NTLMSSP_AUTH,
User:192.168.0.3\jack"
 the packet from squid to web server became "GET / HTTP/1.1,
NTLMSSP_AUTH, User:1\j"

I'm not sure it is related, because after I log in with "A\j", it also
couldn't log in successfully.

When running squid with "-Nd1", some special messages were output, and I
also couldn't understand what they mean:
"fwdNegotiateSSL: Error negotiating SSL connection on FD 10:
error::lib(0):func(0):reason(0) (5/0/0)
 TCP connection to 192.168.0.3/443 failed
"

I also tried TPROXY mode; it also failed.

I'm looking forward to your reply.


Yours sincerely