Re: [squid-users] DNS lookup error
Am 14.01.2013 19:47, schrieb Loïc BLOT: You must set and append_domain for FQDN use: # TAG: append_domain # Appends local domain name to hostnames without any dots in # them. append_domain must begin with a period. # # Be warned there are now Internet names with no dots in # them using only top-domain names, so setting this may # cause some Internet sites to become unavailable. # append_domain .mydomain.tld It looks like this did the trick. Thanks. Just corious: Should squid make usage of suffix configured e.g. in /etc/resolv.conf or do I have kind of a missunderstanding here? Cheers, Frank
Re: [squid-users] Massive crashes with 3.2.6 "assert "false" at line 689 Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T"
* Amos Jeffries :
> >Hm, doesn't my assertion error occur at another place? And with an IPv6
> >address?
> >
>
> Both your problems are both based in a bug either in
> Comm::ConnOpener::start() or comm_openex() functions. The assert
> exists in order to catch these brokenness rather than permitting the
> traffic to get screwed up silenly ("watermelon metrics" etc).
>
> I have attached an experimental patch which might resolve this to the
> bug report.
This mail didn't have an attachment...
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Re: [squid-users] Massive crashes with 3.2.6 "assert "false" at line 689 Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T"
* Ralf Hildebrandt : > This mail didn't have an attachment... Ah, to the bug report. FOund it. Will install right away! -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Re: [squid-users] Re: Maximum Resident Size
On Tue, 15 Jan 2013, Amos Jeffries wrote: On 14/01/2013 12:10 p.m., M A Young wrote: It is probably a memory leak. Squid's memory management fools C++'s automatic memory clean up so it is prone to leaks if objects aren't explicitly cleaned. I know of one still unfixed in 3.2 which was in 3.1 as well, and there could easily be others. Michael: can you point me at that one please? We have just about finished another round of purging memory leaks and other types of leaks in 3.2 and 3.3. It is bug 3567 - squid leaks httprequests if presented with a request with NULL characters in the headers or an invalid HTTP version. It requires bad requests from the client, but unfortunately we seem to have a badly behaved app some people use here. Michael Young
Re: [squid-users] Re: Maximum Resident Size
On Tue, Jan 15, 2013 at 5:27 PM, M A Young wrote: > It is bug 3567 - squid leaks httprequests if presented with a request with > NULL characters in the headers or an invalid HTTP version. It requires bad > requests from the client, but unfortunately we seem to have a badly behaved > app some people use here. > > Michael Young At this point, if this is what I'm encountering, and is in both 3.1 and 3.2, I don't have a lot of options. I'm willing to test this out, depending on what Amos says. Amos, perhaps you may like to comment?
Re: [squid-users] Re: Maximum Resident Size
On Tue, Jan 15, 2013 at 5:27 PM, M A Young wrote: > It is bug 3567 - squid leaks httprequests if presented with a request with > NULL characters in the headers or an invalid HTTP version. It requires bad > requests from the client, but unfortunately we seem to have a badly behaved > app some people use here. > > Michael Young I'm certainly see a lot of "WARNING: HTTP header contains NULL characters", and a quick analysis of the frequency of these entries seem to correlate to the rate of memory growth, and that HttpRequest forms the biggest chunk of my memory usage. Is the one-liner patch applicable to both 3.1 and 3.2?
Re: [squid-users] Massive crashes with 3.2.6 "assert "false" at line 689 Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T"
Hi amos, your patch seems to be correct. I try it next monday. -- Best regards, Loïc BLOT, UNIX systems, security and network expert http://www.unix-experience.fr Le mardi 15 janvier 2013 à 09:32 +0100, Ralf Hildebrandt a écrit : > * Ralf Hildebrandt : > > > This mail didn't have an attachment... > > Ah, to the bug report. FOund it. Will install right away! >
Re: [squid-users] Massive crashes with 3.2.6 "assert "false" at line 689 Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T"
* Loïc BLOT : > Hi amos, > your patch seems to be correct. I try it next monday. I already installed it. No crashes so far. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
[squid-users] Squid with Kerberos/NTLM and Google Talk client (solved - workaround)
Hi, I've just managed to solve the authentication issue I had with a Google Talk client with Squid, hope this might help someone with the same problem. I should say that the Google Talk client doesn't seem to work correctly with Kerberos proxy authentication, so this solution is more of a workaround. If someone can see through this and it really is not a Google Talk client problem but a Squid side Kerberos problem, please let me know. Now let me try to explain: Squid (3.2.6) is configured to authenticate from AD using negotiate wrapper for Negotiate/NTLM and Negotiate/Kerberos, NTLM and Basic auth. Google Talk clients (configured for proxy with auth - both options tried "Detect proxy automatically" and "Use the following proxy") produced these cache.log entries: [2013/01/14 10:08:41.150742, 1] libsmb/ntlmssp.c:342(ntlmssp_update) got NTLMSSP command 3, expected 1 And debugging it I could see: 2013/01/14 10:08:41| negotiate_wrapper: received type 1 NTLM token And later on: 2013/01/14 10:08:41| negotiate_wrapper: received type 3 NTLM token So, Google Talk client started with Kerberos and then switched to NTLM, which doesn't work. Next, capturing the Kerberos traffic on the client I could see the following error from DC for the client's TGS-REQ: error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) And the Server Name value: HTTP/squid-server.my.domain:8080 This is definitely wrong, because the principal should be just HTTP/squid-server.my.domain without the :8080 (which is the port my squid listen's on). I don't know why this is added to the request. So, checked this with the spnquery.vbs (from a Windows machine, available from here: http://technet.microsoft.com/library/ee176972.aspx): >cscript spnquery.vbs http/squid-server* my.domain CN=squid-server-K,CN=Computers,DC=my,DC=domain Class: computer Computer DNS: squid-server.my.domain -- HTTP/squid-server.my.domain -- host/squid-server.my.domain That is as it should be, HTTP and Host SPNs. But, the Google Talk client tries to get a ticket with another SPN. So, to work around this, I added a new SPN (again, from Windows): >setspn -A http/squid-server.my.domain:8080 squid-server-K Checked the records again: >cscript spnquery.vbs http/squid-server* my.domain CN=squid-server-K,CN=Computers,DC=my,DC=domain Class: computer Computer DNS: squid-server.my.domain -- http/squid-server.my.domain:8080 -- HTTP/squid-server.my.domain -- host/squid-server.my.domain And now Google Talk client authenticates correctly using Squid with Kerberos. Regards, Tuukka
Re: [squid-users] Massive crashes with 3.2.6 "assert "false" at line 689 Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T"
Thanks for the report, i will confirm on monday :) -- Best regards, Loïc BLOT, UNIX systems, security and network expert http://www.unix-experience.fr Le mardi 15 janvier 2013 à 14:34 +0100, Ralf Hildebrandt a écrit : > * Loïc BLOT : > > Hi amos, > > your patch seems to be correct. I try it next monday. > > I already installed it. No crashes so far. >
[squid-users] Anyone know what a client would be doing to cause the following log entries?
01-15-2013 12:24:34PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- text/html 01-15-2013 01:00:01PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- text/html -- Thanks, Dean E. Weimer http://www.dweimer.net/
Re: [squid-users] Anyone know what a client would be doing to cause the following log entries?
On Tue, Jan 15, 2013 at 2:39 PM, dweimer wrote: > 01-15-2013 12:24:34PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- > text/html > 01-15-2013 01:00:01PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- > text/html Someone's doing a HEAD request against your proxy as if it was a web server
Re: [squid-users] Anyone know what a client would be doing to cause the following log entries?
On 2013-01-15 13:44, Will Roberts wrote: On Tue, Jan 15, 2013 at 2:39 PM, dweimer wrote: 01-15-2013 12:24:34PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- text/html 01-15-2013 01:00:01PM 0 10.20.146.43 NONE/400 388 HEAD / - NONE/- text/html Someone's doing a HEAD request against your proxy as if it was a web server well, whatever is on his PC that's doing this, isn't telling me any more from a network capture. HEAD / HTTP/1.1 Connection: Close Host: 10.50.20.5:8080 HTTP/1.0 400 Bad Request Server: squid/3.1.20 Mime-Version: 1.0 Date: Tue, 15 Jan 2013 21:30:55 GMT Content-Type: text/html Content-Length: 2573 X-Squid-Error: ERR_INVALID_URL 0 Vary: Accept-Language Content-Language: en X-Cache: MISS from proxy1.orscheln.com X-Cache-Lookup: NONE from proxy1.orscheln.com:8080 Via: 1.0 proxy1.orscheln.com (squid/3.1.20) Connection: close -- Thanks, Dean E. Weimer http://www.dweimer.net/
Re: [squid-users] Transparent Mode and WCCP
Please, see below... > Some bit of clarification here. "WCCP" is a protocol consisting of two > packets HERE_I_AM and I_SEE_YOU. The HTTP traffic always goes via GRE > protocol interface or layer-2 packet routing via Ethernet interface. The > WCCP protocol configuratino in Squid and Cisco determins whether the layer-1 > or GRE are used as return method. > I think from your earlier posts you are confusing "WCCP" protocol with the > name of the interface your config uses (wccp0). Correct me if I am wrong. I understood that I configured "virtual" interface called wccp0 through which wccp/gre communication of http/https protocol is to take place. The thing to keep in mind is that 1. from squid server to firewall, there is SNAT relationship that translates .252 WAN ip address. However, http traffic from client to firewall translates to .254 WAN IP address. It appears the http/https requests from client are routed by firewall through wccp/gre to and from squid server. After it goes out via .254 wan ip address. Is this correct behavior? If all of this makes sense, how can I troubleshoot this?. > > Also, NAT is only ever performed on the first packet of any connnection, > which will always be an incoming packet arriving from your wccp0 interface > in PREROUTING. You did not mention a MASQUERADE rule in the POSTROUTING > chain which is the part handling the return packets to the client. could you give an example. > > Other TCP data packets than that first one seen by NAT table are ESTABLISHED > or RELATED state and will go out whatever interface your routing setup is > configured to send them out. > > The thing to remember the Squid box is acting as a router for these packets. > > > This means only that Squid acting as forward-proxy works, none of the WCCP > protocol and interfaces, NAT or HTTP re-interpretation happens. Squid acting > as interception proxy is a VERY different beast from regular forward proxy. > I hit the same problem even with transparent keyword as opposed to intercept.
Re: [squid-users] DNS lookup error
On 15/01/2013 9:03 p.m., Frank Lanitz wrote: Am 14.01.2013 19:47, schrieb Loïc BLOT: You must set and append_domain for FQDN use: # TAG: append_domain # Appends local domain name to hostnames without any dots in # them. append_domain must begin with a period. # # Be warned there are now Internet names with no dots in # them using only top-domain names, so setting this may # cause some Internet sites to become unavailable. # append_domain .mydomain.tld It looks like this did the trick. Thanks. Just corious: Should squid make usage of suffix configured e.g. in /etc/resolv.conf or do I have kind of a missunderstanding here? You can only append one domain. Squid should make use of the /erc/resolv.conf suffix *unless* append_domain has been configured, which *replaces* the resolv.conf "domain" value with the squid.conf value. /etc/resolv.conf is the better way since it offers both a "domain" to append and an alternative "search" list with multiple domains to search for resoluts in the order given. And all other software such as host / nslookup, wget etc all use /etc/resolve.conf - it helps administration to have everything on the box operating similarly. Amos
Re: [squid-users] Re: Maximum Resident Size
On 16/01/2013 2:08 a.m., csn233 wrote: On Tue, Jan 15, 2013 at 5:27 PM, M A Young wrote: It is bug 3567 - squid leaks httprequests if presented with a request with NULL characters in the headers or an invalid HTTP version. It requires bad requests from the client, but unfortunately we seem to have a badly behaved app some people use here. Michael Young I'm certainly see a lot of "WARNING: HTTP header contains NULL characters", and a quick analysis of the frequency of these entries seem to correlate to the rate of memory growth, and that HttpRequest forms the biggest chunk of my memory usage. Is the one-liner patch applicable to both 3.1 and 3.2? No the patch won't apply to 3.2 or later due to code additions in the file. The problem with the patch particularly is that there are several places in that function which do a "goto finish" and may leak the request object, I suspect at least three of them are doing so. I think a better fix is to change the pointer from a HttpRequest* to a HttpRequest::Pointer. That way we ref-count the object created properly and whenever the function exists it will get destructed properly instead of leaking. Doing a quick test now and will add a patch for 3.2 to the bug report if it builds. Amos
