Re: [squid-users] Squid proxy setup on home network (Telus Optik internet/tv)
On Mon, 6 Jun 2011 10:12:23 -0600, me wrote:
> Hi guys,
>
> Looking for a little bit of advice. Trying to setup a Squid Proxy server on Ubuntu 10 server at home. Would like to keep the Squid box on the same network as the computers on the LAN are on: 1 network (192.168.1.x).
>
> Internet => Actiontec (v1000h wifi router, DHCP) => wired set top boxes for TV / desktop / laptops (wifi) / Grandstream HT 502 for voip
>
> 1) What is the best way to setup this?
> 2) I cannot forward ALL my LAN traffic to the Squid box currently as the actiontec does not have that feature. Would like the desktops/laptops to use the Squid proxy and also to be able to bypass proxy if playing adhoc.
>
> Was able to setup squid proxy (2 NICS) by installing a switch on one of the router ports and using another network segment (192.168.2.x) but that only covered the wired computers attached to the switch.
>
> Test setup was as follows
>
> Internet => Actiontec (v1000h wifi router, DHCP) => laptops (wifi) / Grandstream HT 502 for voip
> Actiontec router (same router as above) => switch => desktop
>
> Thanks.

The Actiontec datasheet indicates "full bridge control". So if you are lucky it will be able to bridge the wifi packets to an internal box (ie Squid box) instead of just out the WAN uplink.

This is the killer problem with most wifi+router integrated boxes. I've usually had to get a second box and physically wire Squid between the uplink gateway box and the wifi device.

The key points are getting both wired LAN and wifi packets to the Squid box without using NAT/NAPT on the router device, and then getting the Squid packets past that out to the uplink.

That's my 3c worth. Sorry it could not be more helpful. If you DO have any kind of success, we would like to hear about it.

Amos
Re: [squid-users] trouble with www address not resolving
On Mon, 6 Jun 2011 10:54:29 -0500, William Bakken wrote:
>> * Site-specific to allow access to all the working v6-only sites (1% of the
>> Internet now).
>
> I am a little foggy on the details of how this is done. Could you explain the steps I need to take.

Sorry I wasn't clear. That was just a list of the reasons why the method Eliezer outlined is better.

Amos

> Thanks
>
> On Sat, Jun 4, 2011 at 3:18 AM, Amos Jeffries wrote:
>>> On 03/06/2011 19:24, William Bakken wrote:
>>>> Amos, is there a way to tell Squid to stop asking for records/IPv6?
>>>> We are having problems with other sites not working in the same way.
>>>
>> On 04/06/11 16:37, Eliezer Croitoru wrote:
>>> The answer is to disable IPV6 on squid and on the linux machine and software.
>>>
>>> but we do not know that this is the case..
>>
>> Correct. If you have IPv6 _properly_ disabled in the OS. Such that applications attempting to open IPv6 sockets for use get denied. Squid 3.1.10+ will pick that up next restart and not try to perform IPv6 again until next restart.
>>
>> There is the small matter of a lot of garbage tutorials about how to disable IPv6 in the OS though. It has to be done in a way where a program opening an IPv6 socket gets an error message back. Not letting the app open and use the socket (spewing errors out all over the place) or hanging (frowning mostly at some RHEL user blogs there).
>>
>> Re-building Squid with --disable-ipv6 is another more extreme option.
>>
>>> do you have a local DNS server on the machine for caching and forwarding?
>>>
>>> you can setup on the squid to use the local dns server and on the dns server setup specific forwarding zone for this domain NS
>>>
>>> this will result in a much more efficient way to get it done and to make your system more reliable by any case.
>>
>> I recommend this way.
>> * Site-specific to allow access to all the working v6-only sites (1% of the Internet now).
>> * Easily reversible once the site starts working.
>>
>> Best best way is to get the site fixed ASAP. From the other post by Rick from Carfax it looks like they are on the issue now.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2
Re: [squid-users] 3.2.0.8 - SSLBump+Dynamic SSL + NTLM: browser prompts for username/password for every https connection
On 06/06/11 19:19, Alex Crow wrote:
> http_access deny CONNECT !SSL_ports

Apologies, I mispasted. SSL does not work at all unless I add before this above line

http_access allow CONNECT

Cheers

Alex
[squid-users] 3.2.0.8 - SSLBump+Dynamic SSL + NTLM: browser prompts for username/password for every https connection
Hi all,

I've got the following config:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type nt_group ttl=20 children=40 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow AuthorizedUsers
http_access deny all

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.sample.com.pem
ssl_bump allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

hierarchy_stoplist cgi-bin ?
cache_mem 2048 MB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir diskd /var/spool/squid3 36 64 512
coredump_dir /var/cache

refresh_pattern ^ftp:             1440  20%  10080
refresh_pattern ^gopher:          1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?)    0   0%      0
refresh_pattern .                    0  20%   4320

always_direct allow all

And firefox asks for a username and password for *every* SSL connection, eg "Enter username and password for https://bugzilla.redhat.com". If I enter a valid windows DOMAIN\username and password it works, but NTLM is obviously not working here and it's dropping back to basic.

What am I doing wrong? Is the order of my directives incorrect?

Cheers

Alex
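As an added example (not code from Alex's config or from the Squid project), a simplified model of Squid's first-match http_access evaluation shows what the follow-up's workaround changes: once "http_access allow CONNECT" sits ahead of "deny CONNECT !SSL_ports", any LAN client can open a CONNECT tunnel to 443, or to any Safe_port, without ever being asked to authenticate. It assumes only the ACL types the posted lines use, and treats an un-authenticated client as simply not matching proxy_auth rather than receiving Squid's 407 challenge.

```python
# Added example, not from the thread: a simplified first-match http_access
# evaluator for the CONNECT/auth ordering in Alex's squid.conf.
# Assumptions: only port, method, proxy_auth REQUIRED and "all" ACLs are
# modelled; an un-authenticated client just fails to match proxy_auth
# (real Squid would send a 407 challenge there), enough to see which rule wins.

# ACL definitions lifted from the posted squid.conf.
ACLS = {
    "SSL_ports": ("port", {443}),
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777}
                   | set(range(1025, 65536))),
    "CONNECT": ("method", {"CONNECT"}),
    "AuthorizedUsers": ("proxy_auth", None),
    "all": ("all", None),
}

# http_access lines as posted, minus the manager/localhost lines, which
# cannot match a client elsewhere on the LAN.
POSTED_RULES = [
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow AuthorizedUsers",
    "deny all",
]

# Same list with the follow-up's "allow CONNECT" inserted where Alex put it.
WORKAROUND_RULES = POSTED_RULES[:1] + ["allow CONNECT"] + POSTED_RULES[1:]


def acl_matches(name, request):
    kind, values = ACLS[name]
    if kind == "port":
        return request["port"] in values
    if kind == "method":
        return request["method"] in values
    if kind == "proxy_auth":
        return request["authenticated"]
    return True  # "all"


def http_access(rules, request):
    """First matching line wins; a line matches when every ACL on it
    matches, with a leading '!' negating that ACL's result."""
    for rule in rules:
        verb, *acls = rule.split()
        if all(acl_matches(a.lstrip("!"), request) != a.startswith("!")
               for a in acls):
            return verb, rule
    return "deny", "(no rule matched)"


def connect(port, authenticated):
    return {"method": "CONNECT", "port": port, "authenticated": authenticated}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("workaround", WORKAROUND_RULES)):
        for req in (connect(443, False), connect(443, True), connect(8080, False)):
            who = "auth" if req["authenticated"] else "anon"
            print(label, req["port"], who, "->", http_access(rules, req))
```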
[squid-users] Squid proxy setup on home network (Telus Optik internet/tv)
Hi guys,

Looking for a little bit of advice. Trying to setup a Squid Proxy server on Ubuntu 10 server at home. Would like to keep the Squid box on the same network as the computers on the LAN are on: 1 network (192.168.1.x).

Internet => Actiontec (v1000h wifi router, DHCP) => wired set top boxes for TV / desktop / laptops (wifi) / Grandstream HT 502 for voip

1) What is the best way to setup this?
2) I cannot forward ALL my LAN traffic to the Squid box currently as the actiontec does not have that feature. Would like the desktops/laptops to use the Squid proxy and also to be able to bypass proxy if playing adhoc.

Was able to setup squid proxy (2 NICS) by installing a switch on one of the router ports and using another network segment (192.168.2.x) but that only covered the wired computers attached to the switch.

Test setup was as follows

Internet => Actiontec (v1000h wifi router, DHCP) => laptops (wifi) / Grandstream HT 502 for voip
Actiontec router (same router as above) => switch => desktop

Thanks.
Re: [squid-users] trouble with www address not resolving
> * Site-specific to allow access to all the working v6-only sites (1% of the
> Internet now).

I am a little foggy on the details of how this is done. Could you explain the steps I need to take.

Thanks

On Sat, Jun 4, 2011 at 3:18 AM, Amos Jeffries wrote:
>> On 03/06/2011 19:24, William Bakken wrote:
>>> Amos, is there a way to tell Squid to stop asking for records/IPv6?
>>> We are having problems with other sites not working in the same way.
>>
> On 04/06/11 16:37, Eliezer Croitoru wrote:
>> The answer is to disable IPV6 on squid and on the linux machine and software.
>>
>> but we do not know that this is the case..
>
> Correct. If you have IPv6 _properly_ disabled in the OS. Such that applications attempting to open IPv6 sockets for use get denied. Squid 3.1.10+ will pick that up next restart and not try to perform IPv6 again until next restart.
>
> There is the small matter of a lot of garbage tutorials about how to disable IPv6 in the OS though. It has to be done in a way where a program opening an IPv6 socket gets an error message back. Not letting the app open and use the socket (spewing errors out all over the place) or hanging (frowning mostly at some RHEL user blogs there).
>
> Re-building Squid with --disable-ipv6 is another more extreme option.
>
>> do you have a local DNS server on the machine for caching and forwarding?
>>
>> you can setup on the squid to use the local dns server and on the dns server setup specific forwarding zone for this domain NS
>>
>> this will result in a much more efficient way to get it done and to make your system more reliable by any case.
>
> I recommend this way.
> * Site-specific to allow access to all the working v6-only sites (1% of the Internet now).
> * Easily reversible once the site starts working.
>
> Best best way is to get the site fixed ASAP. From the other post by Rick from Carfax it looks like they are on the issue now.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.8 and 3.1.12.2
Re: [squid-users] lots of UDP connections
Also if you can capture the actual data of those packets, that could shed some light upon their origin. They only appear to be around 30 bytes normally, so for me, that could provide a clue.

>>> Amos Jeffries 6/5/2011 3:55 AM >>>
On 05/06/11 16:55, Bal Krishna Adhikari wrote:
> On 06/04/2011 12:59 PM, Amos Jeffries wrote:
>> Bal Krishna Adhikari 6/3/2011 6:13 AM
>>
>>> Hello,
>>>
>>> I found a lot of UDP connections that is coming to my proxy servers.
>>> I don't find the cause of such one-way traffics to my servers.
>>> The sample UDP traffic is as :-
>>>
>>> 14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
>>> 14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
>>> 14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
>>> 14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
>>> 14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
>>> 14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
>>> 14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
>>> 14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
>>> 14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
>>> 14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
>>> 14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
>>> 14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
>>> 14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
>>> 14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
>>> 14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
>>> 14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
>>> 14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
>>> 14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
>>> 14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30
>>>
>>> Anyone has any idea if the traffic is genuine or some kind of attack ?
>>> x.x.x.x is my proxy server.
>>>
>>> --- Bal Krishna
>>>
>>
>> On 04/06/11 01:16, Chad Naugle wrote:
>>> Check the hostname of these IP addresses. They could be DNS replies,
>>> using random ports for source/destinations. Squid can generate tons of
>>> DNS traffic.
>>
>> I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a fixed well-known port at one end and a rarely changing port at the other.
>>
>> It could be anything else on the box though.
>>
>> There are a few CVE attacks this could be, two using DNS and one HTCP. If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are safe from those. They are just annoying.
>>
>> If you have a Squid-3.1+ with an IPv6 address publicly advertised this could be a sign of v6 connection attempts. Several IP tunnel protocols involve UDP handshakes.
>>
>> Amos
>
> I'm currently using 2.7 STABLE9.
> And the connection seems increased than earlier.
> Blocking the UDP other than DNS and SNMP from outside can solve the problem ?

We can't answer that. It may not be a problem. You need to find out what it actually is. Blocking it will stop it doing anything, but until you know what it is that may just be creating a different problem.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2
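As an added example (not from anyone in the thread), the following script applies Amos's test to Bal Krishna's tcpdump sample: Squid's own UDP protocols (DNS, ICP, HTCP) keep a fixed well-known port at one end and a rarely changing port at the other, so random ports at both ends rule Squid out and point at something else on the box. The sample lines are a subset of those quoted above with the proxy masked as x.x.x.x; the ICP and HTCP port numbers are Squid's defaults (3130, 4827), which this setup is assumed to use.

```python
# Added example, not from the thread: check a tcpdump UDP sample for the
# fixed-port pattern Squid's DNS/ICP/HTCP traffic would show.
# Assumption: ICP and HTCP run on Squid's default ports 3130 and 4827.
import re
from collections import Counter

# Subset of the lines quoted in the thread (proxy masked as x.x.x.x there).
SAMPLE = """\
14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
"""

# tcpdump's UDP summary: "IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE = re.compile(r"IP (\S+)\.(\d+)\s*>\s*(\S+)\.(\d+): UDP, length (\d+)")

SQUID_UDP_PORTS = {53, 3130, 4827}  # DNS, ICP, HTCP


def parse(text):
    """One dict per UDP datagram found in tcpdump output."""
    return [
        {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4]), "len": int(m[5])}
        for m in LINE.finditer(text)
    ]


def summarize(flows):
    by_dport = Counter(f["dport"] for f in flows)
    return {
        "packets": len(flows),
        "distinct_sources": len({f["src"] for f in flows}),
        "distinct_sports": len({f["sport"] for f in flows}),
        "distinct_dports": len(by_dport),
        # local ports hit by more than one remote sender: worth matching
        # against `ss -u -a -p` to see which local process, if any, owns them
        "reused_dports": sorted(p for p, n in by_dport.items() if n > 1),
        "squid_port_hits": sum(1 for f in flows
                               if f["sport"] in SQUID_UDP_PORTS or f["dport"] in SQUID_UDP_PORTS),
        "lengths": dict(Counter(f["len"] for f in flows)),
    }


def looks_like_squid_udp(summary):
    """Squid's DNS/ICP/HTCP traffic has a well-known port on one side and few
    distinct ports on the other; random ports at both ends do not fit."""
    if summary["squid_port_hits"] == 0:
        return False
    return summary["distinct_sports"] <= 2 or summary["distinct_dports"] <= 2


if __name__ == "__main__":
    s = summarize(parse(SAMPLE))
    print(s)
    print("consistent with Squid's own UDP traffic:", looks_like_squid_udp(s))
```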
Re: [squid-users] Squid TProxy Problem
Amos,
Sorry, the packet counter increments, I made a mistake, but still no logs either in access.log nor in cache.log.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh :
> Amos,
> Hi
> The packet counter on -j TPROXY does not increment. So, why clients are able to surf the web?
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
> 2011/6/6 Ali Majdzadeh
>>
>> Amos,
>> Hi
>> Thanks for your reply. Regarding the documentation, I have inserted the following routing rules:
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>> Now, access.log is populated with proper logs, but clients can not surf the web, I mean the proxy server is unable to forward http responses to clients' browsers. When the client enters for example www.google.com, the connection to the http server is established but the process halts at Waiting for www.google.com and after a while Squid reports the inability to retrieve the requested URL.
>> By the way, we have disabled selinux.
>> Any ideas?
>>
>> Warm Regards,
>> Ali Majdzadeh Kohbanani
>>
>> 2011/6/6 Amos Jeffries :
>>> On 06/06/11 06:32, Ali Majdzadeh wrote:
>>>>
>>>> Hello All,
>>>> I have setup the following configuration:
>>>> Squid (3.1.12) (--enable-linux-netfilter passed as the one and only configure option)
>>>> Kernel (2.6.38.3)
>>>> iptables (1.4.11)
>>>>
>>>> I have added the following two directives in squid.conf:
>>>> http_port 3128
>>>> http_port 3129 tproxy
>>>>
>>>> Also, I have configured iptables with the following rules:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> Everything works as expected, I mean, the users can surf the web and the proxy server is transparent. The problem is that actually there is no caching. I mean, both cache.log and access.log files are empty. On
>>>
>>> That would be transparency to the point of not going through the proxy. access.log should have entries for each request.
>>>
>>>> the other hand, if I manually set the proxy configuration in clients' browsers (the IP address of the squid server and port number 3128) everything is OK; the log files are incremented and objects are cached.
>>>>
>>>> Has anyone faced the same issue?
>>>
>>> Some. It's usually boiled down to some details being omitted: building against libcap2 or routing packets to the squid box for example.
>>>
>>> Are the packet counters on that -j TPROXY rule showing captures?
>>>
>>> Did you follow the rest of the feature config?
>>> ie the special sub-routing table? OS packet filtering toggles? selinux updated to allow tproxy?
>>>
>>> Is this box even routing or bridging port 80 traffic for the network?
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE9 or 3.1.12
>>> Beta testers wanted for 3.2.0.8 and 3.1.12.2
Re: [squid-users] Squid TProxy Problem
Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why clients are able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh
>
> Amos,
> Hi
> Thanks for your reply. Regarding the documentation, I have inserted the following routing rules:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> Now, access.log is populated with proper logs, but clients can not surf the web, I mean the proxy server is unable to forward http responses to clients' browsers. When the client enters for example www.google.com, the connection to the http server is established but the process halts at Waiting for www.google.com and after a while Squid reports the inability to retrieve the requested URL.
> By the way, we have disabled selinux.
> Any ideas?
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
> 2011/6/6 Amos Jeffries :
>> On 06/06/11 06:32, Ali Majdzadeh wrote:
>>>
>>> Hello All,
>>> I have setup the following configuration:
>>> Squid (3.1.12) (--enable-linux-netfilter passed as the one and only configure option)
>>> Kernel (2.6.38.3)
>>> iptables (1.4.11)
>>>
>>> I have added the following two directives in squid.conf:
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> Also, I have configured iptables with the following rules:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> Everything works as expected, I mean, the users can surf the web and the proxy server is transparent. The problem is that actually there is no caching. I mean, both cache.log and access.log files are empty. On
>>
>> That would be transparency to the point of not going through the proxy. access.log should have entries for each request.
>>
>>> the other hand, if I manually set the proxy configuration in clients' browsers (the IP address of the squid server and port number 3128) everything is OK; the log files are incremented and objects are cached.
>>>
>>> Has anyone faced the same issue?
>>
>> Some. It's usually boiled down to some details being omitted: building against libcap2 or routing packets to the squid box for example.
>>
>> Are the packet counters on that -j TPROXY rule showing captures?
>>
>> Did you follow the rest of the feature config?
>> ie the special sub-routing table? OS packet filtering toggles? selinux updated to allow tproxy?
>>
>> Is this box even routing or bridging port 80 traffic for the network?
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.12
>> Beta testers wanted for 3.2.0.8 and 3.1.12.2
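As an added example (not from Ali, Amos or the Squid project), the checks Amos asks for in this thread, the -j TPROXY packet counter, the fwmark rule and the local route in table 100, written as parsers over command output so they can be run on the Squid box as a checklist. The command outputs embedded below are constructed to match the rules Ali posted, and the parsers assume the output formats of `iptables -t mangle -L PREROUTING -v -n -x`, `ip rule show` and `ip route show table 100`.

```python
# Added example, not from the thread: TProxy checklist over command output.
# Assumed formats: `iptables -t mangle -L PREROUTING -v -n -x`, `ip rule show`,
# `ip route show table 100`. The sample outputs are constructed to mirror the
# rules Ali posted, with the TPROXY counter at zero as in his first report.
import re

IPTABLES_OUT = """\
Chain PREROUTING (policy ACCEPT 812 packets, 61440 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     640      38400 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
       0          0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""
IP_RULE_OUT = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
IP_ROUTE_OUT = "local default dev lo scope host\n"


def tproxy_packets(iptables_text):
    """Packet counter of the -j TPROXY rule, or None if the rule is absent."""
    for line in iptables_text.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2] == "TPROXY":
            return int(fields[0])  # -x keeps counters as plain integers
    return None


def has_fwmark_rule(ip_rule_text, mark=1, table=100):
    """`ip rule add fwmark <mark> lookup <table>` is shown with the mark in hex."""
    pat = re.compile(rf"fwmark 0x{mark:x}(/0x[0-9a-f]+)? lookup {table}\b")
    return any(pat.search(line) for line in ip_rule_text.splitlines())


def has_local_default_route(ip_route_text):
    """`ip route add local 0.0.0.0/0 dev lo table 100` prints as 'local default dev lo ...'."""
    return any(line.startswith(("local default", "local 0.0.0.0/0"))
               for line in ip_route_text.splitlines())


def diagnose(iptables_text, ip_rule_text, ip_route_text):
    """Return the list of problems found; an empty list means all three checks pass."""
    findings = []
    pkts = tproxy_packets(iptables_text)
    if pkts is None:
        findings.append("no -j TPROXY rule in mangle PREROUTING")
    elif pkts == 0:
        findings.append("TPROXY rule never matched: port 80 traffic is not reaching "
                        "this box (is it routing or bridging for the LAN?)")
    if not has_fwmark_rule(ip_rule_text):
        findings.append("missing: ip rule add fwmark 1 lookup 100")
    if not has_local_default_route(ip_route_text):
        findings.append("missing: ip route add local 0.0.0.0/0 dev lo table 100")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IPTABLES_OUT, IP_RULE_OUT, IP_ROUTE_OUT) or ["all checks passed"]:
        print(finding)
```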
[squid-users] void
unsubscribe
Re: [squid-users] need a simple transparent caching conf
On 06/06/11 16:37, MrNicholsB wrote:
> I built the latest 3.1 and it's working fine now

Hooray.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2