[squid-users] problem compiling squid-3.2.0.16-20120308-r11536 on OS X 10.4.11
Back on OS X 10.4.11, squid-3.2.0.16-20120308-r11536 fails to compile with either gcc 4.0.1 or 4.2.1, but squid-3.2.0.16 from March 6th compiles fine with the same ./configure flags:

./configure --prefix=/usr/local/squid --build=i686-apple-darwin --mandir=/usr/local/share/man --with-large-files --disable-ident-lookups --disable-dependency-tracking --enable-filters --enable-removal-policies=heap,lru --enable-delay-pools --enable-multicast-miss --enable-default-err-language=templates --enable-fd-config --with-filedescriptors=16384 --with-dl --enable-ltdl-convenience --enable-http-violations --enable-build-info --enable-log-daemon-helpers --enable-auth-basic=PAM,NCSA,LDAP,NCSA --enable-auth-digest=password --enable-external-acl-helpers=ip_user,ldap_group --enable-ssl --disable-eui

Making all in snmp
make[3]: Nothing to be done for `all'.
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid/etc/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/squid/share\" -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/squid/etc\" -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I../src -I../libltdl -I/usr/include -I/usr/include -I/usr/include -I/usr/include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -c -o DiskIO/IpcIo/IpcIoFile.o DiskIO/IpcIo/IpcIoFile.cc
../src/ipc/AtomicWord.h: In member function 'bool Ipc::Atomic::WordT::swap_if(ValueType, ValueType) [with ValueType = int]':
../src/ipc/Queue.h:32:   instantiated from here
../src/ipc/AtomicWord.h:38: error: '__sync_bool_compare_and_swap' was not declared in this scope
../src/ipc/AtomicWord.h: In member function 'ValueType Ipc::Atomic::WordT::operator+=(int) [with ValueType = int]':
DiskIO/IpcIo/IpcIoFile.cc:713:   instantiated from here
../src/ipc/AtomicWord.h:31: error: '__sync_add_and_fetch' was not declared in this scope
../src/ipc/AtomicWord.h: In member function 'ValueType Ipc::Atomic::WordT::get() const [with ValueType = int]':
../src/ipc/AtomicWord.h:48:   instantiated from 'Ipc::Atomic::WordT::operator ValueType() const [with ValueType = int]'
../src/ipc/Queue.h:29:   instantiated from here
../src/ipc/AtomicWord.h:47: error: '__sync_fetch_and_add' was not declared in this scope
../src/ipc/AtomicWord.h: In member function 'ValueType Ipc::Atomic::WordT::operator-=(int) [with ValueType = int]':
../src/ipc/AtomicWord.h:34:   instantiated from 'ValueType Ipc::Atomic::WordT::operator--() [with ValueType = int]'
../src/ipc/Queue.h:280:   instantiated from 'bool Ipc::OneToOneUniQueue::pop(Value&, Ipc::QueueReader*) [with Value = IpcIoMsg]'
../src/ipc/Queue.h:349:   instantiated from 'bool Ipc::FewToFewBiQueue::pop(int&, Value&) [with Value = IpcIoMsg]'
DiskIO/IpcIo/IpcIoFile.cc:419:   instantiated from here
../src/ipc/AtomicWord.h:32: error: '__sync_sub_and_fetch' was not declared in this scope
make[3]: *** [DiskIO/IpcIo/IpcIoFile.o] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
[squid-users] Re: access.log issues with squid 3.2.0.15
Original message
> Date: Wed, 07 Mar 2012 07:24:53 +0100
> Subject: access.log issues with squid 3.2.0.15
> I had "access_log stdio:/Applications/oss/logs/access.log squid" which
> worked fine.
>
> Today, I switched to:
>
> logformat customfmt %tl
> access_log stdio:/Applications/oss/logs/access-customfmt.log customfmt
>
> based on the suggestion in
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Date-time-format-in-access-log-td1458569.html.
>
> This doesn't seem to have any effect. In fact, squid continues to log to
> /Applications/oss/logs/access.log in the squid native format. I've tried
> with or without the "stdio:" part. I did restart or "-k reconfigure" squid. Am
> I missing something obvious?
>
> Another issue is I had experimented before with "access_log
> syslog:kern.info squid", hoping to redirect access.log to the Mac OS X
> /var/log/system.log. That didn't seem to work either. Of course, it didn't
> seem like a terribly good idea to begin with, so I didn't pursue further.
>

Bump.
Re: [squid-users] enabling X-Authenticated-user
On Thu, Mar 08, 2012 at 10:37:01AM +1030, Brett Lymn wrote:
>
> 1) The credentials being passed to the upstream are not rewritten - if I
> decode the basic auth it has my real password going to the upstream.
>

And scratch this one too... if I use:

cache_peer upstream.proxy parent 8080 7 login=*:password no-query default

along with the external acl the username rewrite happens[1] so now the silly upstream logging actually works for both basic & kerberos authentication.

[1] see line 1628 in http.cc - there is a check for peer_login == * and then it checks if there is an external acl rewrite for the login details.

Thanks for the patience & help Amos - I got there in the end.

--
Brett Lymn
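The rewrite Brett describes relies on an external ACL helper answering with a `user=` tag, which `login=*:password` then forwards to the peer in place of the real login. The following helper is an added example (not code from the thread, and not Squid's own): it reduces a Kerberos (`jdoe@EXAMPLE.COM`) or NTLM (`EXAMPLE\jdoe`) login to the bare account name and replies `OK user=jdoe`. It assumes a squid.conf wiring such as `external_acl_type upstream_user ttl=60 %LOGIN /usr/local/bin/upstream_user.py` and `acl upstream_user_ok external upstream_user` (both names are illustrative), one request per input line, no concurrency channel IDs, and a URL-encoded `%LOGIN` field.

```python
#!/usr/bin/env python3
# Added example, not code from the thread or from Squid: a Squid external ACL
# helper whose "OK user=<name>" reply supplies the rewritten login that
# cache_peer login=*:password then forwards. Assumed squid.conf wiring
# (names are illustrative):
#   external_acl_type upstream_user ttl=60 %LOGIN /usr/local/bin/upstream_user.py
#   acl upstream_user_ok external upstream_user
# One request per line, no concurrency channel IDs, %LOGIN URL-encoded.
import sys
from typing import Optional
from urllib.parse import unquote


def rewrite_login(raw_login: str) -> Optional[str]:
    """Reduce a proxy login to the bare account name the upstream should see:
    "jdoe@EXAMPLE.COM" (Kerberos) and "EXAMPLE\\jdoe" (NTLM) both become
    "jdoe". Returns None when there is nothing usable ("-" means no login)."""
    login = unquote(raw_login).strip()
    if not login or login == "-":
        return None
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    elif "@" in login:
        login = login.split("@", 1)[0]
    login = login.lower()
    # Keep the reply unambiguous: Squid parses key=value pairs separated by
    # whitespace, so a name containing whitespace or quotes is refused.
    if not login or any(c.isspace() for c in login) or '"' in login:
        return None
    return login


def reply_for(line: str) -> str:
    """Build the helper's answer for one request line (first field = %LOGIN)."""
    fields = line.split()
    user = rewrite_login(fields[0]) if fields else None
    return "ERR" if user is None else "OK user=" + user


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

Because the ACL is only consulted when it appears in an `http_access` line, the external ACL has to be referenced there for the `user=` tag to be produced at all; a login the helper cannot normalise gets `ERR`, so the peer sees no rewritten name rather than a malformed one.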
[squid-users] Re: Squid 3.1.x and detect/disable http tunneling over proxe web sites
I use "squidGuard" with its database p.e. for porn and/or proxies. It's simple to use it under "squid". Also if you believe ICAP is the way to follow I'd recommend qlproxy (as ICAP companion server for Squid).

Best regards,
sich
[squid-users] requests per second
Hi, this is Liley. Can anyone tell me how many requests per second squid3 can serve, especially if we run it on top of hardware with an OCZ RevoDrive 3 X2 (200,000 random-write 4K IOPS)?

Thanks in advance.
RE: [squid-users] Kerberos TCP/DENIED 407
Thank you Amos, will upgrade to 3.1.19

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squidu...@example.com -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h exch01.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !password
http_access allow password
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid3

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 08 March 2012 02:44 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Kerberos TCP/DENIED 407

On 9/03/2012 1:07 a.m., JC Putter wrote:
> Amos,
>
> Thank you for the reply.
>
> Sorry I meant 3.0 STABLE 19.

Please at minimum upgrade to 3.0.STABLE26 then, if possible 3.1.19. There are a handful of major security vulnerabilities in between.

> The Zimbra Desktop client connects via port 443 and I have the
> standard ACL;
>
> http_access deny !Safe_ports
> http_access deny !SSL_ports
>
> however when I change the ACL to (very insecure)
>
> http_access allow CONNECT (without the exception of !SSL_ports) the zimbra
> client connects...
>
> not too sure if my ACL is incorrect or if I need to add additional ports in
> the ACL however according to Zimbra 443 is the only one required.

The ACL you list above is not the defaults. The correct default is:

http_access deny CONNECT !SSL_ports

SSL_Ports should only contain the HTTPS ports you permit requests to.

> I ran a wireshark trace and I can confirm that the proxy offers all configured
> authentication schemes and the client responds with a Kerberos ticket.

Okay. It would seem to be some other part of the configuration. If you want a proper analysis please post your whole config (without the comments and empty lines though).

Amos
TR: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Ok Amos so we go back to the same issues, as I told you I have tested all I could with the latest 3.2 beta versions before.

So I'm going back to the type-1 ntlm message issue (see my last messages with this subject)

And my last question was:

> I think the link SQUID -> IIS6 RPC PROXY is represented by the
> cache_peer line on my squid.conf, and I don't know if
> client_persistent_connections and
> server_persistent_connections parameters affect cache_peer too ?
>
> Dunno what to do now ...

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 8 March 2012 13:54
To: squid-users@squid-cache.org
Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 9/03/2012 1:21 a.m., Clem wrote:
> Back to send my feedback after testing proxy rpc via ntlm and squid 3.1.19,
> the main problem is I can't force squid to use http1.1, in https analyzer I
> can see squid is http1.0.
>
> How can I force squid 3.1.19 to use http1.1 ?

3.1 series still sends HTTP/1.0 when communicating to clients because there are some critical HTTP features that are not supported in the 3.1 code (1xx status code handling being the major one). It is very likely the RPC software will attempt to use these features to work around NTLM issues if 1.1 is advertised by Squid. If that happens things go bad fast.

If that 1.1 is the blocker requirement for RPC + HTTPS, then the only answer is to use 3.2 series. 3.2.0.16 is looking very good so far despite its beta status. So you might be able to use it.

Amos
Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
On 9/03/2012 1:21 a.m., Clem wrote:
> Back to send my feedback after testing proxy rpc via ntlm and squid 3.1.19,
> the main problem is I can't force squid to use http1.1, in https analyzer I
> can see squid is http1.0.
>
> How can I force squid 3.1.19 to use http1.1 ?

3.1 series still sends HTTP/1.0 when communicating to clients because there are some critical HTTP features that are not supported in the 3.1 code (1xx status code handling being the major one). It is very likely the RPC software will attempt to use these features to work around NTLM issues if 1.1 is advertised by Squid. If that happens things go bad fast.

If that 1.1 is the blocker requirement for RPC + HTTPS, then the only answer is to use 3.2 series. 3.2.0.16 is looking very good so far despite its beta status. So you might be able to use it.

Amos
Re: [squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites
Hello Josef, you wrote on 08.03.12:

> is it possible to detect somehow (and disable) tunneling http regular
> web thru proxy web sites ? For example porn web site thru
> "hidemyass.com". There are a lot of web proxies, couldn't locate
> everyone and disable it :). How do you solve it ?

I use "squidGuard" with its database p.e. for porn and/or proxies. It's simple to use it under "squid".

Best regards!
Helmut
Re: [squid-users] Kerberos TCP/DENIED 407
On 9/03/2012 1:07 a.m., JC Putter wrote:
> Amos,
>
> Thank you for the reply.
>
> Sorry I meant 3.0 STABLE 19.

Please at minimum upgrade to 3.0.STABLE26 then, if possible 3.1.19. There are a handful of major security vulnerabilities in between.

> The Zimbra Desktop client connects via port 443 and I have the
> standard ACL;
>
> http_access deny !Safe_ports
> http_access deny !SSL_ports
>
> however when I change the ACL to (very insecure)
>
> http_access allow CONNECT (without the exception of !SSL_ports) the zimbra
> client connects...
>
> not too sure if my ACL is incorrect or if I need to add additional ports in
> the ACL however according to Zimbra 443 is the only one required.

The ACL you list above is not the defaults. The correct default is:

http_access deny CONNECT !SSL_ports

SSL_Ports should only contain the HTTPS ports you permit requests to.

> I ran a wireshark trace and I can confirm that the proxy offers all configured
> authentication schemes and the client responds with a Kerberos ticket.

Okay. It would seem to be some other part of the configuration. If you want a proper analysis please post your whole config (without the comments and empty lines though).

Amos
Re: [squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites
On 9/03/2012 1:01 a.m., Josef Karliak wrote:
> Good afternoon,
> is it possible to detect somehow (and disable) tunneling http regular web
> thru proxy web sites ? For example porn web site thru "hidemyass.com".
> There are a lot of web proxies, couldn't locate everyone and disable it :).
> How do you solve it ?
> Thanks and best regards
> J.K.

It is not possible to get them all. You can look for public lists and/or commercial lists. Even so it is a full time job or more just to stay updated.

The better solution is to work out policies that the users can agree to and are willing to work within. Educate where possible about why you do the things you need to do and what the benefits are for the users in following along. And get management on-side to assist with enforcing restrictions when people are caught going against the agreement. A policy without teeth is just so much hot air.

Compare your network setup against http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Recommended_network_configuration to see if you have missed a useful layer.

Amos
TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Back to send my feedback after testing proxy rpc via ntlm and squid 3.1.19, the main problem is I can't force squid to use http1.1, in https analyzer I can see squid is http1.0.

How can I force squid 3.1.19 to use http1.1 ?

-Original Message-
From: Clem [mailto:clemf...@free.fr]
Sent: Wednesday, 7 March 2012 13:05
To: squid-users@squid-cache.org
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

I use only the last 3.2 releases, but I can try with 3.1.19...

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, 7 March 2012 12:08
To: squid-users@squid-cache.org
Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 7/03/2012 11:27 p.m., Clem wrote:
> Thx for your reply Amos,
>
> So the issue is squid doesn't pass through the type-1 message ...
>
> I've checked the http version, check this on IIS6 logs, it's 1v1 and same with
> squid.
> For keepalive, I've used the only squid parameters I know (u gave me them
> later) as :
> client_persistent_connections
> and
> server_persistent_connections
>
> I think the link SQUID -> IIS6 RPC PROXY is represented by the cache_peer
> line on my squid.conf, and I don't know if client_persistent_connections and
> server_persistent_connections parameters affect cache_peer too ?
>
> Dunno what to do now ...

My interpretation of your report so far is that the client is not even sending the type-1 message when using Squid. Instead it appears that they are trying to use Kerberos, with NTLM label. Or possibly that you overlooked some earlier connection(s) with the other LM message types.

If this is not 3.1.19 you can give it a try with that Squid version.

Amos
Re: AW: [squid-users] Disabling client-initiated renegotiation on https_port
On 9/03/2012 12:47 a.m., Marcus Zoller wrote:
> Hi Amos,
>
> Many thanks for your fast answer. Did I understand you correctly... all it
> takes is initializing options with 0 instead of SSL_OP_ALL? Wouldn't this be
> the same as setting options=!ALL on the https_port config (doing this had no
> effect)?
>
> Marcus

As far as I know. I'm not sure why though, you are correct in that it was what !ALL should have done.

Amos
RE: [squid-users] Kerberos TCP/DENIED 407
Amos,

Thank you for the reply.

Sorry I meant 3.0 STABLE 19.

The Zimbra Desktop client connects via port 443 and I have the standard ACL;

http_access deny !Safe_ports
http_access deny !SSL_ports

however when I change the ACL to (very insecure)

http_access allow CONNECT (without the exception of !SSL_ports) the zimbra client connects...

not too sure if my ACL is incorrect or if I need to add additional ports in the ACL however according to Zimbra 443 is the only one required.

I ran a wireshark trace and I can confirm that the proxy offers all configured authentication schemes and the client responds with a Kerberos ticket.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 08 March 2012 01:55 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Kerberos TCP/DENIED 407

On 8/03/2012 9:17 p.m., JC Putter wrote:
> Hi
>
> I followed
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> I can see in the cache.log that the client is authenticating with a Kerberos
> ticket however for every connection I get a TCP/DENIED 407 and then the
> connection is made. Is this not what NTLM does? I thought that with Kerberos
> this does not happen?

One 407 is normal for all HTTP authentications. NTLM requires two.

> I have a very strange issue we are using Zimbra Desktop client and with the
> proxy settings the Zimbra Desktop client fails to connect..
>
> TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/-
> text/html
>
> but all the other browsers (IE,FF,Chrome) everything works but the log is
> full of TCP/DENIED 407.
>
> Any help should be appreciated
>
> SQUID3 Stable19
>

I assume you mean 3.1.19 and not 3.0.STABLE19 ?

CONNECT + auth should not have been a problem since 3.1.15. Is that desktop client app sending the credentials ticket?

Amos
[squid-users] Squid 3.1.x and detect/disable http tunneling over proxe web sites
Good afternoon,
is it possible to detect somehow (and disable) tunneling http regular web thru proxy web sites ? For example porn web site thru "hidemyass.com". There are a lot of web proxies, couldn't locate everyone and disable it :). How do you solve it ?

Thanks and best regards
J.K.
Re: [squid-users] Kerberos TCP/DENIED 407
On 8/03/2012 9:17 p.m., JC Putter wrote:
> Hi
>
> I followed
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> I can see in the cache.log that the client is authenticating with a Kerberos
> ticket however for every connection I get a TCP/DENIED 407 and then the
> connection is made. Is this not what NTLM does? I thought that with Kerberos
> this does not happen?

One 407 is normal for all HTTP authentications. NTLM requires two.

> I have a very strange issue we are using Zimbra Desktop client and with the
> proxy settings the Zimbra Desktop client fails to connect..
>
> TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/-
> text/html
>
> but all the other browsers (IE,FF,Chrome) everything works but the log is
> full of TCP/DENIED 407.
>
> Any help should be appreciated
>
> SQUID3 Stable19
>

I assume you mean 3.1.19 and not 3.0.STABLE19 ?

CONNECT + auth should not have been a problem since 3.1.15. Is that desktop client app sending the credentials ticket?

Amos
AW: [squid-users] Disabling client-initiated renegotiation on https_port
Hi Amos,

Many thanks for your fast answer. Did I understand you correctly... all it takes is initializing options with 0 instead of SSL_OP_ALL? Wouldn't this be the same as setting options=!ALL on the https_port config (doing this had no effect)?

Marcus

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 8 March 2012 12:41
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Disabling client-initiated renegotiation on https_port

On 8/03/2012 8:34 p.m., Marcus Zoller wrote:
> Hello guys,
>
> I am running squid as a reverse proxy and can't find a way to disable the
> support for client initiated renegotiation. I have tested this using
>
> echo "R" | openssl s_client -connect :443
>
> which returns
>
> RENEGOTIATING
> .
> I have found in src/ssl_support.cc that options is initialized with
> SSL_OP_ALL. The changelog from the openssl package says:
>
> I was unable to find anything like this within squid's source but from other
> posts I've seen that someone else already fixed this problem but
> unfortunately it is not clear how.
>
> So now I am wondering what I am doing wrong or if there is no support for
> disabling this functionality available?

We have it disabled by default starting with 3.2, but it was kept out of 3.1 so as not to break existing installations which may be depending on it.

Since you are self-building you can change that SSL_OP_ALL to a "0".

Amos
Re: [squid-users] How to order the configuration?
On 8/03/2012 11:35 p.m., tangyi wrote:
> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
> cache_peer_domain server_1 www.a.com .b.com
> cache_peer ip.of.server2 parent 80 0 no-query originserver name=server_2
> cache_peer_domain server_2 www.b.com .a.com
>
> If configured like this, www.b.com will be forwarded to the server1
> originserver. A bug or how to resolve this?

With cache_peer_access which allows boolean logic decisions in ACL form.

eg..

acl Awww dstdomain www.a.example.com
acl Bwww dstdomain www.b.example.com
acl B dstdomain .b.example.com

cache_peer_access server_1 allow Awww
cache_peer_access server_1 allow B !Bwww

Amos
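Both this reply and the Kerberos thread above (where the posted `deny !SSL_ports` line differs from the default `deny CONNECT !SSL_ports`) come down to how Squid walks an access list. The following Python model is an added example, not Squid code and not from the mailing list: it implements the documented rule (a line matches only when every ACL on it matches, the first matching line decides, and with no match the opposite of the last line's action applies) for `port`, `method` and `dstdomain` ACLs, using the ACL names from those two messages and constructed requests, and then shows what each rule set decides.

```python
# Added example, not from the thread or from Squid's source: a small model of
# how Squid resolves http_access and cache_peer_access lists. ACL names are
# the ones used in the Kerberos thread and in Amos' cache_peer_access reply;
# the requests are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    host: str
    port: int


class Acl:
    """A named ACL of kind 'method', 'port' or 'dstdomain'."""

    def __init__(self, kind: str, values: List[str]):
        self.kind, self.values = kind, values

    def matches(self, req: Request) -> bool:
        if self.kind == "method":
            return req.method.upper() in [v.upper() for v in self.values]
        if self.kind == "port":
            return any(port_in(req.port, v) for v in self.values)
        if self.kind == "dstdomain":
            return any(domain_match(req.host.lower(), v.lower()) for v in self.values)
        raise ValueError("unsupported ACL kind: " + self.kind)


def port_in(port: int, spec: str) -> bool:
    """'443' or a range like '1025-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def domain_match(host: str, pattern: str) -> bool:
    # ".b.example.com" matches the domain itself and any subdomain;
    # "www.b.example.com" (no leading dot) must match the host exactly.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


Line = Tuple[str, List[str]]  # ("allow"|"deny", ["CONNECT", "!SSL_ports"])


def evaluate(lines: List[Line], acls: Dict[str, Acl], req: Request) -> str:
    """A line matches only when every ACL on it matches ('!' negates); the
    first matching line decides; with no match, the opposite of the last
    line's action applies, as Squid documents for access lists."""
    for action, terms in lines:
        if all(term_matches(t, acls, req) for t in terms):
            return action
    return "deny" if lines[-1][0] == "allow" else "allow"


def term_matches(term: str, acls: Dict[str, Acl], req: Request) -> bool:
    negate = term.startswith("!")
    name = term.lstrip("!")
    hit = True if name == "all" else acls[name].matches(req)
    return hit != negate


ACLS = {
    "SSL_ports": Acl("port", ["443"]),
    "Safe_ports": Acl("port", ["80", "21", "443", "70", "210", "1025-65535",
                               "280", "488", "591", "777"]),
    "CONNECT": Acl("method", ["CONNECT"]),
    "Awww": Acl("dstdomain", ["www.a.example.com"]),
    "Bwww": Acl("dstdomain", ["www.b.example.com"]),
    "B": Acl("dstdomain", [".b.example.com"]),
}

# The two lines JC Putter posted versus the default Squid ships with,
# each followed by a permissive final line so the difference is visible.
POSTED = [("deny", ["!Safe_ports"]), ("deny", ["!SSL_ports"]), ("allow", ["all"])]
DEFAULT = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["all"])]


def http_access(req: Request) -> Tuple[str, str]:
    """(decision under the posted lines, decision under the default lines)."""
    return evaluate(POSTED, ACLS, req), evaluate(DEFAULT, ACLS, req)


# Amos' cache_peer_access lines for server_1.
SERVER_1 = [("allow", ["Awww"]), ("allow", ["B", "!Bwww"])]


def goes_to_server_1(host: str) -> bool:
    return evaluate(SERVER_1, ACLS, Request("GET", host, 80)) == "allow"


if __name__ == "__main__":
    for req in (Request("GET", "www.example.com", 80),
                Request("CONNECT", "mail.example.com", 443),
                Request("CONNECT", "mail.example.com", 25)):
        print(req, "posted:", http_access(req)[0], "default:", http_access(req)[1])
    for host in ("www.a.example.com", "wiki.b.example.com", "www.b.example.com", "b.example.com"):
        print(host, "-> server_1" if goes_to_server_1(host) else "-> not server_1")
```

The posted `deny !SSL_ports` line denies every plain request to port 80, not just tunnels, which is why it is not the default; `deny CONNECT !SSL_ports` only refuses tunnels to non-HTTPS ports. For the peer rules, `www.b.example.com` matches neither line, so the implicit opposite of the last `allow` keeps it away from server_1.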
Re: [squid-users] Disabling client-initiated renegotiation on https_port
On 8/03/2012 8:34 p.m., Marcus Zoller wrote:
> Hello guys,
>
> I am running squid as a reverse proxy and can't find a way to disable the
> support for client initiated renegotiation. I have tested this using
>
> echo "R" | openssl s_client -connect :443
>
> which returns
>
> RENEGOTIATING
> .
> I have found in src/ssl_support.cc that options is initialized with
> SSL_OP_ALL. The changelog from the openssl package says:
>
> I was unable to find anything like this within squid's source but from other
> posts I've seen that someone else already fixed this problem but
> unfortunately it is not clear how.
>
> So now I am wondering what I am doing wrong or if there is no support for
> disabling this functionality available?

We have it disabled by default starting with 3.2, but it was kept out of 3.1 so as not to break existing installations which may be depending on it.

Since you are self-building you can change that SSL_OP_ALL to a "0".

Amos
Re: [squid-users] NTLM passthru authentication
On 8/03/2012 8:18 p.m., kimi ge(巍俊葛) wrote:
> Hi,
> Can someone take a look at the following issue which I ran into?
> Here are the details:
>
> Outline:
> squid 2.6 as the reverse-proxy for IIS (SharePoint) site.
> IIS uses the NTLM authentication.
> Regarding the squid document, squid 2.6+ or squid 3.1+ support NTLM
> passthru authentication by Connection Pinning.
>
> My problem is it always shows the 404 error code. No NTLM prompt window
> is shown.

404 means URL does not exist. Nothing to do with authentication at all.

There is something funky happening though.

> 16.178.121.18 my desktop IP
> 192.57.84.244 squid reverse proxy IP
> 16.173.232.237 IIS(SharePoint) site.
>
> Red Hat Enterprise Linux Server release 5.7 (Tikanga) (64bit)
> /usr/sbin/squid -v
> Squid Cache: Version 2.6.STABLE21
>
> The following packets are captured by tshark.

Hint: next time use "follow TCP stream" to obtain a human-readable trace of the packets.

As you can clearly see the connections are persistent but there is no NTLM involved below...

Client makes a request (no credentials at all)

> 4 0.260075 16.178.121.18 -> 192.57.84.244 HTTP GET /SitePages/Square.aspx HTTP/1.1
> 0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV"..E.
> 0010 02 63 3a 5b 40 00 76 06 29 48 10 b2 79 12 c0 39 .c:[@.v.)H..y..9
> 0020 54 f4 fd 41 00 50 e8 0d e1 a6 eb ce 13 68 50 18 T..A.P...hP.
> 0030 40 b0 01 21 00 00 47 45 54 20 2f 53 69 74 65 50 @..!..GET /SiteP
> 0040 61 67 65 73 2f 53 71 75 61 72 65 2e 61 73 70 78 ages/Square.aspx
> 0050 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70  HTTP/1.1..Accep
> 0060 74 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 t: application/x
> 0070 2d 6d 73 2d 61 70 70 6c 69 63 61 74 69 6f 6e 2c -ms-application,
> 0080 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 61 70 70  image/jpeg, app
> 0090 6c 69 63 61 74 69 6f 6e 2f 78 61 6d 6c 2b 78 6d lication/xaml+xm
> 00a0 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d l, image/gif, im
> 00b0 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c 69 age/pjpeg, appli
> 00c0 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78 62 61 70 cation/x-ms-xbap
> 00d0 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e , application/vn
> 00e0 64 2e 6d 73 2d 65 78 63 65 6c 2c 20 61 70 70 6c d.ms-excel, appl
> 00f0 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 70 ication/vnd.ms-p
> 0100 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c 69 owerpoint, appli
> 0110 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64 2c 20 2a cation/msword, *
> 0120 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 /*..Accept-Langu
> 0130 61 67 65 3a 20 65 6e 2d 55 53 0d 0a 55 73 65 72 age: en-US..User
> 0140 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f -Agent: Mozilla/
> 0150 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 4.0 (compatible;
> 0160 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f  MSIE 7.0; Windo
> 0170 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 ws NT 6.1; WOW64
> 0180 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 3b 20 53 ; Trident/4.0; S
> 0190 4c 43 43 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 LCC2; .NET CLR 2
> 01a0 2e 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 .0.50727; .NET C
> 01b0 4c 52 20 33 2e 35 2e 33 30 37 32 39 3b 20 2e 4e LR 3.5.30729; .N
> 01c0 45 54 20 43 4c 52 20 33 2e 30 2e 33 30 37 32 39 ET CLR 3.0.30729
> 01d0 3b 20 4d 65 64 69 61 20 43 65 6e 74 65 72 20 50 ; Media Center P
> 01e0 43 20 36 2e 30 3b 20 49 6e 66 6f 50 61 74 68 2e C 6.0; InfoPath.
> 01f0 32 3b 20 2e 4e 45 54 34 2e 30 43 3b 20 41 73 6b 2; .NET4.0C; Ask
> 0200 54 62 50 54 56 2f 35 2e 31 34 2e 31 2e 32 30 30 TbPTV/5.14.1.200
> 0210 30 37 29 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 07)..Accept-Enco
> 0220 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c ding: gzip, defl
> 0230 61 74 65 0d 0a 48 6f 73 74 3a 20 75 6b 77 74 73 ate..Host: ukwts
> 0240 76 75 6c 78 33 38 30 2e 65 6c 61 62 73 2e 65 64 vulx380.elabs.ed
> 0250 73 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f s.com..Connectio
> 0260 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d n: Keep-Alive...
> 0270 0a .

I guess you configured cache_peer with the new login=PASSTHRU setting from squid-3.2

Squid obediently attaches Basic authentication username "PASSTHRU" and passes on the request ...

> 9 0.535519 192.57.84.244 -> 16.173.232.237 HTTP GET /SitePages/Square.aspx HTTP/1.0
> 0000 00 22 0c d5 bc 00 00 50 56 ac 00 c6 08 00 45 00 .".PV.E.
> 0010 03 1f 2b 09 40 00 40 06 fe 07 c0 39 54 f4 10 ad ..+.@.@9T...
> 0020 e8 ed ab ef 00 50 85 f2 0a aa 8e d3 03 b1 80 18 .P..
> 0030 00 2e c2 8a 00 00 01 01 08 0a 79 b6 22 c6 0a 26 ..y."..&
> 0040 cb c0 47 45 54 20 2f 53 69 74 65 50 61 67 65 73 ..GET /SitePages
> 0050 2f 53 71 75 61 72 65 2e 61 73 70 78 20 48 54 54 /Square.aspx HTT
> 0060 50 2f 31 2e 30 0d 0a 41 63 63 65 70 74 3a 20 61 P/1.0..Accept: a
> 0070 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d pplication/x-ms-
> 0080 61 70 70 6c 69 63 61 74 69 6f 6e 2c 20 69 6d 61 applic
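Amos reads the two frames above by eye: the client request carries no credentials, and the proxy's onward request carries Basic credentials for "PASSTHRU". The following script is an added example (not code from the thread and not part of Squid) that makes the same check by script: it rebuilds bytes from a `tshark -x` style hex dump, strips the Ethernet II, IPv4 and TCP headers, and reports the request line together with any Authorization or Proxy-Authorization header, decoding a Basic username or the NTLM message type (type-1, -2, -3). Because the capture on this page is truncated, the three frames it parses are constructed inside the script (IP addresses from the message above, fixed sequence numbers, zero checksums, a made-up Host header) and labelled as such; the NTLM type-1 frame goes one step beyond the thread to show what a negotiating client would have looked like.

```python
# Added example, not from the thread or from Squid: parse a "tshark -x" hex
# dump back into bytes, strip Ethernet/IPv4/TCP, and report what kind of
# credentials (if any) the HTTP request carries. Sample frames are constructed
# below (zero checksums, fixed sequence numbers) and are not from the capture.
import base64
import binascii
import re
import socket
import struct
from typing import Dict, Optional, Tuple

# offset, then 1..16 hex pairs separated by single spaces; the ASCII column
# sits after three spaces and is therefore never consumed as data.
HEX_ROW = re.compile(r"^\s*[0-9a-fA-F]{4}\s+([0-9a-fA-F]{2}(?:\s[0-9a-fA-F]{2}){0,15})")


def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Skip Ethernet II, IPv4 (honouring IHL) and TCP (honouring data offset)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 over Ethernet II is handled here")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off: 14 + total_len]


def parse_request(payload: bytes) -> Tuple[str, Dict[str, str]]:
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def credentials(headers: Dict[str, str]) -> Optional[Tuple[str, Optional[str]]]:
    """(scheme, detail) for the first Authorization / Proxy-Authorization
    header, or None when the request carries no credentials at all."""
    for name in ("authorization", "proxy-authorization"):
        value = headers.get(name)
        if not value:
            continue
        scheme, _, token = value.partition(" ")
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return (scheme, None)
        if scheme.lower() ==  "basic":
            return ("Basic", raw.decode("latin-1").split(":", 1)[0])  # username only
        if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
            return (scheme, "type-%d" % struct.unpack("<I", raw[8:12])[0])
        return (scheme, None)
    return None


def inspect_dump(dump: str) -> dict:
    request_line, headers = parse_request(tcp_payload(hexdump_to_bytes(dump)))
    return {"request": request_line, "auth": credentials(headers)}


# --- constructed sample frames (not from the capture) ---------------------
def build_frame(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    eth = bytes.fromhex("005056ac00c6") + bytes.fromhex("00220cd5bc00") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x3A5B, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 16560, 0, 0)
    return eth + ip + tcp + payload


def to_hexdump(frame: bytes) -> str:
    rows = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append("%04x  %s   %s" % (off, " ".join("%02x" % b for b in chunk), text))
    return "\n".join(rows)


def sample_dumps() -> Dict[str, str]:
    client = (b"GET /SitePages/Square.aspx HTTP/1.1\r\nHost: sharepoint.example\r\n"
              b"Connection: Keep-Alive\r\n\r\n")
    basic = base64.b64encode(b"PASSTHRU:secret")
    proxied = (b"GET /SitePages/Square.aspx HTTP/1.0\r\nHost: sharepoint.example\r\n"
               b"Authorization: Basic " + basic + b"\r\n\r\n")
    ntlm1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x07\x82\x08\xa2" + bytes(16))
    negotiating = (b"GET /SitePages/Square.aspx HTTP/1.1\r\nHost: sharepoint.example\r\n"
                   b"Authorization: NTLM " + ntlm1 + b"\r\n\r\n")
    return {
        "client": to_hexdump(build_frame(client, "16.178.121.18", "192.57.84.244", 64833, 80)),
        "proxy": to_hexdump(build_frame(proxied, "192.57.84.244", "16.173.232.237", 44015, 80)),
        "ntlm_type1": to_hexdump(build_frame(negotiating, "16.178.121.18", "192.57.84.244", 64834, 80)),
    }


if __name__ == "__main__":
    for name, dump in sample_dumps().items():
        print(name, inspect_dump(dump))
```

`hexdump_to_bytes` also accepts the single-space-after-offset layout shown in the message above, so a saved `tshark -x` capture can be fed in directly; only the first request in a TCP stream is inspected, which is enough to tell "no credentials" from "Basic PASSTHRU" from "NTLM type-1".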
[squid-users] How to order the configuration?
cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
cache_peer_domain server_1 www.a.com .b.com
cache_peer ip.of.server2 parent 80 0 no-query originserver name=server_2
cache_peer_domain server_2 www.b.com .a.com

If configured like this, www.b.com will be forwarded to the server1 originserver. A bug or how to resolve this?

Thanks for help.

2012-03-08
Re: [squid-users] Roadmap Squid 3.2
On 8/03/2012 10:38 p.m., Jose-Marcio Martins da Cruz wrote:
> Amos Jeffries wrote:
> On 08.03.2012 06:35, Alex Rousskov wrote:
> On 03/05/2012 03:15 PM, Amos Jeffries wrote:
> The LDAP special-characters and escaping bugs for instance, just need
> someone with a real LDAP server (not a test script) to configure a dummy
> account and see if login works now. A real server is important there
> because it is the server's interpretation of helper calls which is the bug.
>
> I'm not aware of this issue. Are you talking about squid_ldap_auth ? If yes,
> maybe I can experiment with it. What special-characters are you talking
> about ? I have a pre-production machine where I usually reproduce squid
> production environment before upgrading.

Yes, squid_ldap_auth and squid_ldap_group. Or rather their 3.2 equivalents. It all seems to focus around whether and how escaping is done for the username, password, group, and filter parameters.

http://bugs.squid-cache.org/show_bug.cgi?id=3204 - UTF-8 letters in non-ASCII range
* (I have vague recollections of fixing a version of this already, but can't seem to find the bug now)
http://bugs.squid-cache.org/show_bug.cgi?id=1879 - '|' (pipe) and unspecified others
http://bugs.squid-cache.org/show_bug.cgi?id=2529 - '\' and '#'
http://bugs.squid-cache.org/show_bug.cgi?id=3481 - '(' and ')'

Amos
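The bugs Amos lists are all about escaping user-supplied text before it is placed into an LDAP search filter or a DN. The following is an added example, not code from the thread and not from Squid's LDAP helpers: the RFC 4515 filter-value escaping and RFC 4514 DN-value escaping that such a helper needs, applied to the `-f sAMAccountName=%s` template used in the Kerberos thread's config above. The logins (`smith (it)`, `EXAMPLE\jdoe`, `jörg`, `#1 admin,ops`) and the `ou=users,dc=example,dc=local` base are constructed to exercise exactly the characters the bug reports name.

```python
# Added example, not from the thread or from Squid's LDAP helpers: RFC 4515
# filter escaping and RFC 4514 DN escaping for user-controlled LDAP input.
# The "-f sAMAccountName=%s" template comes from the squid_ldap_auth line
# in the Kerberos thread's config; logins and base DN are constructed.
from typing import List

# Characters RFC 4515 requires to be escaped inside a filter value.
FILTER_SPECIALS = frozenset(b"*()\\\x00")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter. Filter
    metacharacters and every non-printable or non-ASCII byte of the UTF-8
    form become \\XX, so a login containing '(' ')' '\\' '*' or 'ö' can
    neither close nor extend the filter. RFC 4515 does not list '|', which
    is only an operator outside a value and needs no escaping here."""
    out: List[str] = []
    for b in value.encode("utf-8"):
        if b in FILTER_SPECIALS or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (bind DN, group DN):
    ',' '+' '"' '\\' '<' '>' ';' get a backslash anywhere, '#' only when
    leading, a space only when leading or trailing, non-ASCII as \\XX bytes."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template: str, login: str) -> str:
    """Fill a squid_ldap_auth style "-f" template ("sAMAccountName=%s") with
    an escaped login and make sure the result is a parenthesised filter."""
    filt = template.replace("%s", escape_filter_value(login))
    return filt if filt.startswith("(") else "(" + filt + ")"


def build_member_dn(login: str, base: str) -> str:
    """DN for a group-membership style lookup: cn=<login>,<base>."""
    return "cn=" + escape_dn_value(login) + "," + base


if __name__ == "__main__":
    for login in ("jdoe", "smith (it)", "EXAMPLE\\jdoe", "jörg", "#1 admin,ops"):
        print(build_user_filter("sAMAccountName=%s", login), "|",
              build_member_dn(login, "ou=users,dc=example,dc=local"))
```

The two escaping rules differ on purpose: a backslash inside a filter value becomes `\5c`, inside a DN it becomes `\\`, and `#` only matters at the start of a DN value. A helper that applies one rule in both places, or applies it to the template as a whole instead of to the substituted value, is what produces the server-side misinterpretation the bug reports describe.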
Re: [squid-users] Roadmap Squid 3.2
> Amos Jeffries wrote:
> On 08.03.2012 06:35, Alex Rousskov wrote:
> On 03/05/2012 03:15 PM, Amos Jeffries wrote:
> The LDAP special-characters and escaping bugs for instance, just need
> someone with a real LDAP server (not a test script) to configure a dummy
> account and see if login works now. A real server is important there
> because it is the server's interpretation of helper calls which is the bug.

I'm not aware of this issue. Are you talking about squid_ldap_auth ? If yes, maybe I can experiment with it. What special-characters are you talking about ? I have a pre-production machine where I usually reproduce squid production environment before upgrading.
Re: [squid-users] Roadmap Squid 3.2
> From: "Alex Rousskov"
>
>>> I had reported some problems with rock store but maybe it can be
>>> considered like an experimental feature for the moment ?
>>
>> It is experimental until there has been at least one stable cycle of
>> wide use to wrinkle out any minor bugs and edge cases. If the bug you
>> have reported can be considered normal or lower then it will not block
>> the stable release. Keeping in mind that the shared memory change is a
>> feature affecting everybody, so the precise location of the bug impacts
>> its importance a lot.
>
> FWIW, there are currently no open major+ bugs for Rock Store AFAICT.
>

Yes, but there are some bugs like slow rebuild which are (were ?) big problems in production. But it's old now, if I can I will try again and post the result

Fred
RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Ok just ignore this message, I had to install libssl-dev !

----- Original message -----
From: Clem [mailto:clemf...@free.fr]
Sent: Thursday 8 March 2012 09:52
To: squid-users@squid-cache.org
Subject: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Re: [squid-users] Squid 3.2: segfault at 0 ip (null) sp bfa8e03c using iptables + transparent mode
----- Original message -----
> From: "Amos Jeffries"
> To: squid-users@squid-cache.org
> Sent: Thursday 8 March 2012 03:11:40
> Subject: Re: [squid-users] Squid 3.2: segfault at 0 ip (null) sp bfa8e03c using iptables + transparent mode
>
> On 08.03.2012 12:51, David Touzeau wrote:
> > Dear,
> >
> > I'm using Squid Cache: Version 3.2.0.15-20120306-r11529 in i386 on Ubuntu 10.04
> > iptables v1.4.4 and kernel 2.6.32-38-generic-pae #83-Ubuntu SMP
> > In transparent mode with iptables.
> >
> > Every 10 minutes we are unable to access the Internet and there is a squid crash.
> > Restarting the squid service solves the issue.
> >
> > Is there a tip/trick to fix it ?
> >
> > [ 14.445583] [drm] Initialized radeon 2.0.0 20080528 for :04:00.0 on minor 0
> > [ 14.694306] vga16fb: initializing
> > [ 14.694309] vga16fb: mapped to 0xc00a
> > [ 14.694312] vga16fb: not registering due to another framebuffer present
> > [ 14.883342] Console: switching to colour frame buffer device 128x48
> > [ 16.883375] Loading iSCSI transport class v2.0-870.
> > [ 17.722963] iscsi: registered transport (tcp)
> > [ 18.491243] iscsi: registered transport (iser)
> > [ 25.208015] eth0: no IPv6 routers present
> > [ 44.602329] ip_tables: (C) 2000-2006 Netfilter Core Team
> > [ 44.676368] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
> > [ 44.676699] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
> > [ 44.676701] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
> > [ 44.676702] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
> > [ 392.296569] squid[7663]: segfault at 0 ip (null) sp bfa8e03c error 14 in squid[8048000+415000]
> > [ 658.532544] squid[8352]: segfault at 0 ip (null) sp bfa52cdc error 14 in squid[8048000+415000]
> > [ 740.928753] squid[8429]: segfault at 0 ip (null) sp bfe9f12c error 14 in squid[8048000+415000]
> > [ 760.620663] squid[8377]: segfault at 0 ip (null) sp bfc02e2c error 14 in squid[8048000+415000]
> > [199121.864727] squid[32681]: segfault at 49 ip 082ab397 sp bfd39740 error 4 in squid[8048000+415000]
>
> Any core backtrace info as to what line of code "[8048000+415000]" is?
>
> Please try the .16 package too. Several more important bug fixes went in there.

Yes, sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3490
TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
Hi Amos

I'm trying to install squid-3.1.19-20120306-r10434. With all other versions I can install it with the --enable-ssl option, but with this one I have errors on the "make all" command relative to SSL ...

---> ERRORS OF MAKE ALL

In file included from ../../src/squid.h:272,
                 from AsyncCall.cc:5:
../../src/ssl_support.h:62: error: expected constructor, destructor, or type conversion before '*' token
../../src/ssl_support.h:75: error: 'SSL' was not declared in this scope
../../src/ssl_support.h:75: error: 'ssl' was not declared in this scope
../../src/ssl_support.h:78: error: typedef 'SSLGETATTRIBUTE' is initialized (use decltype instead)
../../src/ssl_support.h:78: error: 'SSL' was not declared in this scope
../../src/ssl_support.h:78: error: expected primary-expression before ',' token
../../src/ssl_support.h:78: error: expected primary-expression before 'const'
../../src/ssl_support.h:81: error: 'SSLGETATTRIBUTE' does not name a type
../../src/ssl_support.h:84: error: 'SSLGETATTRIBUTE' does not name a type
../../src/ssl_support.h:87: error: 'SSL' was not declared in this scope
../../src/ssl_support.h:87: error: 'ssl' was not declared in this scope
../../src/ssl_support.h:90: error: 'SSL' was not declared in this scope
../../src/ssl_support.h:90: error: 'ssl' was not declared in this scope
../../src/ssl_support.h:98: error: expected constructor, destructor, or type conversion before '*' token
../../src/ssl_support.h:105: error: 'SSL_CTX' was not declared in this scope
../../src/ssl_support.h:105: error: 'sslContext' was not declared in this scope
../../src/ssl_support.h:112: error: expected constructor, destructor, or type conversion before '*' token
../../src/ssl_support.h:123: error: 'X509' was not declared in this scope
../../src/ssl_support.h:123: error: 'peer_cert' was not declared in this scope
../../src/ssl_support.h:123: error: expected primary-expression before 'void'
../../src/ssl_support.h:123: error: 'check_func' was not declared in this scope
../../src/ssl_support.h:123: error: expected primary-expression before 'void'
../../src/ssl_support.h:123: error: 'ASN1_STRING' was not declared in this scope
../../src/ssl_support.h:123: error: 'cn_data' was not declared in this scope
../../src/ssl_support.h:123: error: initializer expression list treated as compound expression
../../src/ssl_support.h:133: error: 'ASN1_TIME' was not declared in this scope
../../src/ssl_support.h:133: error: expected primary-expression before ',' token
../../src/ssl_support.h:133: error: expected primary-expression before 'char'
../../src/ssl_support.h:133: error: expected primary-expression before 'int'
../../src/ssl_support.h:133: error: initializer expression list treated as compound expression
In file included from ../../src/squid.h:318,
                 from AsyncCall.cc:5:
../../src/structs.h:618: error: ISO C++ forbids declaration of 'SSL_CTX' with no type
../../src/structs.h:618: error: expected ';' before '*' token
../../src/structs.h:968: error: ISO C++ forbids declaration of 'SSL_CTX' with no type
../../src/structs.h:968: error: expected ';' before '*' token
../../src/structs.h:969: error: ISO C++ forbids declaration of 'SSL_SESSION' with no type
../../src/structs.h:969: error: expected ';' before '*' token
../../src/structs.h:969: error: ISO C++ forbids declaration of 'SSL_SESSION' with no type
../../src/structs.h:969: error: expected ';' before '*' token
make[3]: *** [AsyncCall.lo] Erreur 1
make[3]: quittant le répertoire « /usr/src/squid-3.1.19-20120306-r10434/src/base »
make[2]: *** [all-recursive] Erreur 1
make[2]: quittant le répertoire « /usr/src/squid-3.1.19-20120306-r10434/src »
make[1]: *** [all] Erreur 2
make[1]: quittant le répertoire « /usr/src/squid-3.1.19-20120306-r10434/src »
make: *** [all-recursive] Erreur 1

> How can I install this version with ssl ? Or have I downloaded the wrong version, and I have to download this one, 3.1.19.tar.gz?

Thx, Clem

----- Original message -----
From: Clem [mailto:clemf...@free.fr]
Sent: Wednesday 7 March 2012 13:05
To: squid-users@squid-cache.org
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

I use only the last 3.2 releases, but I can try with 3.1.19...

----- Original message -----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday 7 March 2012 12:08
To: squid-users@squid-cache.org
Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 7/03/2012 11:27 p.m., Clem wrote:
> Thx for your reply Amos,
>
> So the issue is squid doesn't pass through the type-1 message ...
>
> I've checked the http version, check this on IIS6 logs, it's 1v1 and same with squid.
> For keepalive, I've used the only squid parameters I know (u gave me them later) as :
> client_persistent_connections
> and
> server_pers
[squid-users] Kerberos TCP/DENIED 407
Hi

I followed http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

I can see in the cache.log that the client is authenticating with a Kerberos ticket, however for every connection I get a TCP/DENIED 407 and then the connection is made. Is this not what NTLM does? I thought that with Kerberos this does not happen?

I have a very strange issue: we are using the Zimbra Desktop client, and with the proxy settings the Zimbra Desktop client fails to connect..

TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/- text/html

With all the other browsers (IE, FF, Chrome) everything works, but the log is full of TCP/DENIED 407.

Any help would be appreciated.

SQUID3 Stable19