Re: [squid-users] Unwanted DNS queries
Hi,

On 24.9.2013 23:38, Eliezer Croitoru wrote:
> On 09/24/2013 03:56 PM, T Ls wrote:
>> What kind of reconfigure do you mean? The plain command of squid -kreconf. This changed nothing.
>
> From your previous mail it seems like these dns queries are new.. So you are not aware of the existence of these requests before the last few days.

That's right, these dns queries may have been there before, but I noticed their existence first on Monday (I did not expect them = I did not look for them). On Monday someone (higher-ranking department) played around with the dns servers and the dns replies took much longer than usual, so squid's delay was much greater = users complained. On Tuesday, the dns servers behaved as usual, users did not complain anymore, but the dns queries are still there (but their influence on squid's delay is much smaller).

...

> Once we do have the debug_options that Amos wanted to see we could then understand in a way the source of the queries which shouldn't be there from first glance at the squid.conf.

Ok, thanks so far.

Thomas
Re: [squid-users] Re: Squid + DansGuardian + Bridging
On 25/09/2013 5:37 a.m., psd17j-jacob wrote:
> Hey guys,
>
> Thanks for all the suggestions and feedback. I really appreciate your time. I'd like to stick to (attempting to) use DG because I've already come so far. It just seems to be this little bridge issue.
>
> I followed the link and added the following lines:
>
>   ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>   ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP
>   ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> unfortunately that did not help. Do you have any other suggestions as to what may help?
>
> The current rules are:
>
> ebtables:
>
>   :BROUTING ACCEPT
>   -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect
>   -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 443 -j redirect

Try removing these top ones. They overlap and likely clash with the rest.

>   -A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>   -A BROUTING -p IPv6 -i eth0 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP
>   -A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

Double-check those interface names.

> iptables:
>
>   :OUTPUT ACCEPT [3:228]
>   -A PREROUTING -i br0.9 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>   -A PREROUTING -i br0.9 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080

I think you can drop the interface names here. The routing rules never get to see any bridged packets, so only the ones which the ebtables rules DROP will ever get here. br0.9 looks like an alias to me, which do not actually exist outside of ifconfig's display, so removing that will likely produce a rule that matches the real interface on packets.

>   -A PREROUTING -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

Amos
[squid-users] wildcard reverse proxy (not ssl)
Hello :)

For a reason, don't ask. I need to configure a Squid that is able to do reverse lookup from a webapp that does dynamic host domains. So I need to configure a squid that does *.mydomain. I don't have too much control over the *.mydomain IPs, so cache_peer won't be very helpful in this case. I need to rely on DNS for this. Is there a way to make this work?

LD
Re: [squid-users] Unwanted DNS queries
Hi,

On 24.9.2013 16:25, Amos Jeffries wrote:
> ...Perhaps a debug_options ALL,1 11,6 78,6 trace would be more informative.

To get a useful example in the logfiles I requested http://www.uni-leipzig.de, I found the following in cache.log:

  ...
  2013/09/25 09:08:47.988| persistentConnStatus: FD 17 eof=0
  2013/09/25 09:08:47.988| persistentConnStatus: content_length=4
  2013/09/25 09:08:47.988| persistentConnStatus: clen=4
  2013/09/25 09:08:47.988| persistentConnStatus: body_bytes_read=4 content_length=4
  2013/09/25 09:08:47.988| processReplyBody: COMPLETE_PERSISTENT_MSG
  2013/09/25 09:08:47.988| Server.cc(169) serverComplete: serverComplete 0x7fa5b432dc48
  2013/09/25 09:08:47.988| Server.cc(194) serverComplete2: serverComplete2 0x7fa5b432dc48
  2013/09/25 09:08:47.988| Server.cc(234) completeForwarding: completing forwarding for 0x7fa5b4019728*2
  2013/09/25 09:08:47.988| Server.cc(225) quitIfAllDone: transaction done
  2013/09/25 09:08:47.988| Server.cc(556) cleanAdaptation: cleaning ICAP; ACL: 0
  2013/09/25 09:08:47.988| http.cc(163) ~HttpStateData: HttpStateData 0x7fa5b432dc48 destroyed; FD -1
  2013/09/25 09:08:47.988| leaving HttpStateData::readReply(FD 17, data=0x7fa5b432dc48, size=131, buf=0x7fa5b4332680)
  2013/09/25 09:08:48.929| idnsALookup: buf is 36 bytes for www.uni-leipzig.de, id = 0x44dd
  2013/09/25 09:08:48.929| httpStart: GET http://www.uni-leipzig.de/;
  2013/09/25 09:08:48.929| http.cc(83) HttpStateData: HttpStateData 0x7fa5b432dc48 created
  2013/09/25 09:08:48.929| httpSendRequest: FD 24, request 0x7fa5b4024410, this 0x7fa5b432dc48.
  2013/09/25 09:08:48.929| The AsyncCall HttpStateData::httpTimeout constructed, this=0x7fa5ce592ac0 [call4888553]
  2013/09/25 09:08:48.929| The AsyncCall HttpStateData::readReply constructed, this=0x7fa5ce758e50 [call4888554]
  2013/09/25 09:08:48.929| The AsyncCall HttpStateData::sendComplete constructed, this=0x7fa5ce591430 [call4888555]
  2013/09/25 09:08:48.929| httpBuildRequestHeader: Host: www.uni-leipzig.de
  2013/09/25 09:08:48.929| httpBuildRequestHeader: User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
  2013/09/25 09:08:48.929| httpBuildRequestHeader: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  2013/09/25 09:08:48.929| httpBuildRequestHeader: Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  2013/09/25 09:08:48.929| httpBuildRequestHeader: Accept-Encoding: gzip, deflate
  2013/09/25 09:08:48.929| httpBuildRequestHeader: DNT: 1
  2013/09/25 09:08:48.929| httpBuildRequestHeader: Connection: keep-alive
  2013/09/25 09:08:48.930| httpSendRequest: FD 24:
  GET http://www.uni-leipzig.de/ HTTP/1.1
  Host: www.uni-leipzig.de
  User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  DNT: 1
  Via: 1.1 lav-desproxy.lav.lsa-net.de (squid/3.1.12)
  X-Forwarded-For: 11.40.11.223
  Cache-Control: max-age=259200

  2013/09/25 09:08:48.930| comm.cc(165) will call HttpStateData::sendComplete(FD 24, data=0x7fa5b432dc48) [call4888555]
  2013/09/25 09:08:48.930| entering HttpStateData::sendComplete(FD 24, data=0x7fa5b432dc48)
  2013/09/25 09:08:48.930| AsyncCall.cc(32) make: make call HttpStateData::sendComplete [call4888555]
  2013/09/25 09:08:48.930| HttpStateData status in: [ job298503]
  2013/09/25 09:08:48.930| httpSendComplete: FD 24: size 430: errflag 0.
  2013/09/25 09:08:48.930| The AsyncCall HttpStateData::httpTimeout constructed, this=0x7fa5ce75b5b0 [call4888556]
  2013/09/25 09:08:48.930| HttpStateData status out: [ job298503]
  2013/09/25 09:08:48.930| leaving HttpStateData::sendComplete(FD 24, data=0x7fa5b432dc48)
  2013/09/25 09:08:48.958| idnsRead: starting with FD 12
  2013/09/25 09:08:48.958| idnsRead: FD 12: received 94 bytes from 11.136.15.1:53
  2013/09/25 09:08:48.958| idnsGrokReply: ID 0x44dd, 0 answers
  2013/09/25 09:08:48.958| idnsGrokReply: www.uni-leipzig.de has no records. Looking up A record instead.
  2013/09/25 09:08:48.998| idnsRead: starting with FD 12
  2013/09/25 09:08:48.998| idnsRead: FD 12: received 94 bytes from 11.136.15.1:53
  2013/09/25 09:08:48.998| idnsGrokReply: ID 0x3243, 0 answers
  2013/09/25 09:08:48.998| dns_internal.cc(1143) idnsGrokReply: Sending 0 DNS results to caller.
  2013/09/25 09:08:49.261| comm.cc(165) will call HttpStateData::readReply(FD 24, data=0x7fa5b432dc48, size=435, buf=0x7fa5b4332680) [call4888554]
  2013/09/25 09:08:49.261| entering HttpStateData::readReply(FD 24, data=0x7fa5b432dc48, size=435, buf=0x7fa5b4332680)
  2013/09/25 09:08:49.261| AsyncCall.cc(32) make: make call HttpStateData::readReply [call4888554]
  2013/09/25 09:08:49.261| HttpStateData status in: [ job298503]
  2013/09/25 09:08:49.261| httpReadReply: FD 24: len 435.
  2013/09/25 09:08:49.261| ctx: enter level 0: 'http://www.uni-leipzig.de/'
  2013/09/25 09:08:49.262| processReplyHeader: key '882E49B7988A3984505D9280607E717C'
Re: [squid-users] Unwanted DNS queries
Hey,

This is indeed the issue I was aiming at.. It was never looked at before since nobody has ever seen this problem before, if I am right. So I have a suggestion. Instead of just shooting at it we have the test subject in hand. The latest stable version of squid is 3.3. We can run a basic test out of the production environment to make sure that we can reproduce the issue.

Amos, do we have a QA\BUG_TEST section in the bugzilla? This way we can look at a bug and classify it as a testing bug and close the issue with a more detailed report??

Back.. The issue is that the DNS did not respond fast enough to squid. Since it's not a bug that actually has a ground that affects a working (fully functional) network infrastructure I would say it's less of a bug but more of an issue that needs to be tested at 3.1, 3.2, 3.3 and 3.4 to make sure that it will be a *known bug*, to make sure that in case of a problem there will be an answer.

Eliezer

On 09/25/2013 09:04 AM, T Ls wrote:
[squid-users] Skype through SQUID integrated with AD
Hello,

I have been tired of this topic for two days already and I have no power left, so please help ...

I did install squid3 (v3.1.19) integrated with AD (according to http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy), allowing only users who belong to the Admin-Internet group. Everything is ok for browsers with Kerberos, NTLM, even LDAP. Only I have a problem with Skype - in access.log I see:

  1380113279.753      0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE/- text/html
  1380113279.794      0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE/- text/html
  1380113281.723   3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE/- text/html

I tried to correct it as in http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps. If Skype does not support any of the above authorization, I have tried to allow the unauthorized traffic in a similar way to how I allow access to the pages:

  http_access allow localnet GlobalAllowedSites

but it also fails ... (http_access allow numeric_IPs Skype_UA, CONNECT http_access allow numeric_IPs Skype_UA). What am I doing wrong? How to solve it?

p.s: my squid.conf:

  auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
  auth_param negotiate children 10
  auth_param negotiate keep_alive off
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
  auth_param ntlm children 10
  auth_param ntlm keep_alive off
  auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=DOMAIN,dc=pl -D sq...@domain.pl -w PASSw0rd -f sAMAccountName=%s -h dc02.DOMAIN.pl
  auth_param basic children 10
  auth_param basic realm Internet Proxy
  auth_param basic credentialsttl 1 minute
  url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
  # LDAP filter: the AND operator (&) is required and the filter must contain no spaces,
  # otherwise squid splits it into several helper arguments
  external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b dc=DOMAIN,dc=pl -D sq...@domain.pl -w PASSw0rd -f (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Admin-Internet,ou=it,dc=DOMAIN,dc=pl)) -h dc02.DOMAIN.pl
  acl localnet src 10.22.0.0/16
  acl auth proxy_auth REQUIRED
  acl InternetAccess external memberof Admin-Internet
  # file paths must be double-quoted, otherwise the path is taken as a literal domain name
  acl GlobalAllowedSites dstdomain "/etc/squid3/GlobalAllowedSites.txt"
  acl BlockedSites dstdomain "/etc/squid3/BlockedSites.txt"
  acl manager proto cache_object
  acl localhost src 127.0.0.1/32 ::1
  acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
  acl SSL_ports port 443
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http
  acl CONNECT method CONNECT
  # hex digits are [0-9a-f]; the original [0-9af] class left out b-e so IPv6 literals never matched
  acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+)?\])):443
  acl Skype_UA browser ^skype
  http_access allow CONNECT numeric_IPs localnet
  http_access allow numeric_IPs localnet
  http_access allow Skype_UA
  http_access allow manager localnet
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access allow GlobalAllowedSites localnet
  http_access deny BlockedSites
  http_access deny !auth
  http_access allow InternetAccess auth localnet
  http_access deny all
  access_log /var/log/squid3/access.log squid !GlobalAllowedSites
  http_port 10.22.94.130:8080
  hierarchy_stoplist cgi-bin ?
  cache_dir aufs /media/squidcache 1 16 256
  coredump_dir /var/spool/squid3
  cache_peer 10.22.94.130 parent 8081 0 no-query no-digest default
  never_direct allow all
  refresh_pattern ^ftp:           1440    20%     10080
  refresh_pattern ^gopher:        1440    0%      1440
  refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
  refresh_pattern .               0       20%     4320
  cache_effective_user proxy
  cache_effective_group proxy

Thanks for help
Kazio
Re: [squid-users] Unwanted DNS queries
On 25/09/2013 8:25 p.m., T Ls wrote:
> Hi,
>
> On 24.9.2013 16:25, Amos Jeffries wrote:
>> ...Perhaps a debug_options ALL,1 11,6 78,6 trace would be more informative.
>
> To get a useful example in the logfiles I requested http://www.uni-leipzig.de, I found the following in cache.log:
>
>   ...

This start is some other transaction ending:

>   2013/09/25 09:08:47.988| persistentConnStatus: FD 17 eof=0
>   2013/09/25 09:08:47.988| persistentConnStatus: content_length=4
>   2013/09/25 09:08:47.988| persistentConnStatus: clen=4
>   2013/09/25 09:08:47.988| persistentConnStatus: body_bytes_read=4 content_length=4
>   2013/09/25 09:08:47.988| processReplyBody: COMPLETE_PERSISTENT_MSG
>   2013/09/25 09:08:47.988| Server.cc(169) serverComplete: serverComplete 0x7fa5b432dc48
>   2013/09/25 09:08:47.988| Server.cc(194) serverComplete2: serverComplete2 0x7fa5b432dc48
>   2013/09/25 09:08:47.988| Server.cc(234) completeForwarding: completing forwarding for 0x7fa5b4019728*2
>   2013/09/25 09:08:47.988| Server.cc(225) quitIfAllDone: transaction done
>   2013/09/25 09:08:47.988| Server.cc(556) cleanAdaptation: cleaning ICAP; ACL: 0
>   2013/09/25 09:08:47.988| http.cc(163) ~HttpStateData: HttpStateData 0x7fa5b432dc48 destroyed; FD -1
>   2013/09/25 09:08:47.988| leaving HttpStateData::readReply(FD 17, data=0x7fa5b432dc48, size=131, buf=0x7fa5b4332680)

This appears to be the start of a FwdState::dispatch() event which handles the results from peer selection and kicks off the HTTP request generate+send activities. Can you add debug options 17,5 38,6 to these and confirm that in a new trace please?

>   2013/09/25 09:08:48.929| idnsALookup: buf is 36 bytes for www.uni-leipzig.de, id = 0x44dd

Assuming I'm right about that ... that would make this the netdbPingSite() probe to test how far away the domain is. Squid looks up the host IPs then pings them all in various ways to measure latency and assist peer selection on later traffic. It is not clear why that is using the URL hostname instead of the peer's hostname. Or why it is even being run at this point in the forwarding process. It would seem to have been more relevant a stage or two earlier while determining where to route the request.

>   2013/09/25 09:08:48.929| httpStart: GET http://www.uni-leipzig.de/;

If it was important to suppress these lookups you could build your Squid with --disable-icmp or comment out the particular call to netdbPingSite() in the FwdState::dispatch() method of src/forward.cc.

Amos
Re: [squid-users] Skype through SQUID integrated with AD
On 26/09/2013 12:58 a.m., kazio wolny wrote:
> Hello,
>
> I have been tired of this topic for two days already and I have no power left, so please help ...
>
> I did install squid3 (v3.1.19) integrated with AD (according to http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy), allowing only users who belong to the Admin-Internet group. Everything is ok for browsers with Kerberos, NTLM, even LDAP. Only I have a problem with Skype - in access.log I see:
>
>   1380113279.753      0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE/- text/html
>   1380113279.794      0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE/- text/html
>   1380113281.723   3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE/- text/html
>
> I tried to correct it as in http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps.

Well... if Skype did support authentication you would still see these log lines as part of the normal authentication challenge process. That goes for all authentication types; NTLM is somewhat special in that it always shows up with two 407 in a row like the *.22 client lines above.

This may help you:
https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server

My experience is that Skype has supported proxies and authentication nicely enough in all releases for the last ~2 years not to need any special consideration in the proxy config.

Amos
Re: [squid-users] Unwanted DNS queries
On 25/09/2013 10:46 p.m., Eliezer Croitoru wrote:
> Hey,
>
> This is indeed the issue I was aiming at.. It was never looked at before since nobody has ever seen this problem before, if I am right. So I have a suggestion. Instead of just shooting at it we have the test subject in hand. The latest stable version of squid is 3.3. We can run a basic test out of the production environment to make sure that we can reproduce the issue.
>
> Amos, do we have a QA\BUG_TEST section in the bugzilla?

Not really. We tend to use the enhancement or minor importance level for both things that would be nice to get done. From what it looks like in the trace a proper fix will require someone going through the underlying network measurement logics and rearranging a few things.

> This way we can look at a bug and classify it as a testing bug and close the issue with a more detailed report??
>
> Back.. The issue is that the DNS did not respond fast enough to squid.

Not exactly. The debug traces provided in the other email make it clear that the request is being sent during the gap where the DNS response is waited for. If Squid were relying on that response in order to send the request the events would be sequential asynchronous actions instead of branching into parallel asynchronous actions.

Amos
Re: [squid-users] wildcard reverse proxy (not ssl)
On 25/09/2013 6:30 p.m., Luis Daniel Lucio Quiroz wrote:
> Hello :)
>
> For a reason, don't ask. I need to configure a Squid that is able to do reverse lookup from a webapp that does dynamic host domains. So I need to configure a squid that does *.mydomain. I don't have too much control over the *.mydomain IPs, so cache_peer won't be very helpful in this case. I need to rely on DNS for this. Is there a way to make this work?

If you use DNS in the reverse-proxy to access the origin servers you will need even more control of the IPs than you do with cache_peers. Both configurations require the public DNS to be configured to point the clients at your proxy. But a reverse-proxy without cache_peer *also* requires a reliable split-DNS configured because those DNS servers become responsible for preventing forwarding loops and must not send Squid the same IPs which are going to the clients.

The configuration in Squid is simple, but leaves you open to a new set of DNS-related security problems such as DNS spoofing or hijacking in addition to the regular HTTP security issues.

Starting with the simple virtual-hosting reverse proxy configuration:
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting

* You drop the cache_peer directives.
* You replace the cache_peer_access with always_direct. always_direct should use the same ACL rules as you would have placed on cache_peer_access.

NP: When defining the dstdomain ACL of hostnames you can use the wildcard form of dstdomain:

  acl outsites dstdomain .mydomain.local

HTH
Amos
[squid-users] Re: Squid + DansGuardian + Bridging
Thanks Amos,

So I now have this for ebtables:

  :BROUTING ACCEPT
  -A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
  -A BROUTING -p IPv6 -i eth0 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP
  -A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

and this for iptables:

  -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
  -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
  -A PREROUTING -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

Still no go unfortunately. I'm pretty sure that the brouting interfaces are correct as they are, but just to make sure I flipped them around, restarted ebtables, and still had no luck.

I just want to make sure I did not miss anything with my squid configuration. So, I have

  http_port 3128 transparent

I attempted to use the following rules, however squid would have a cow and didn't want to start.

  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_single_host off
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

In addition in /etc/sysctl.conf I have:

  net.ipv4.conf.default.rp_filter = 0
  net.ipv4.ip_forward = 1

So, when I

  [root@squid0 ~]# cat /proc/sys/net/ipv4/ip_forward
  1
  [root@squid0 ~]#

So I think everything should be good. Please let me know if you have any other ideas. Once again, thanks for your time!

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-DansGuardian-Bridging-tp4662202p4662292.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Squid authentication stopped working
Hi,

I have been running squid, dansguardian and ntlm_authentication for about 2 months now with no problem. This morning it stopped working. I can no longer surf and I get login pop-ups on my Windows clients. On the squid server I can see the domain and its users so I am connected. My cache.log is showing a lot of stuff but most of it is Greek to me. Here is a snippet: http://pastebin.com/YryKkC0J

Any ideas?

Thanks
Eric Vanderveer
Re: [squid-users] Squid authentication stopped working
What kind of ntlm auth helper are you using? Samba's?
If so, the simplest reason I can think of without additional info is that your machine account in AD went stale for some reason.. can you try rejoining the domain?

On Wed, Sep 25, 2013 at 6:27 PM, Eric Vanderveer e...@ericvanderveer.com wrote:

--
/kinkie
Re: [squid-users] Squid authentication stopped working
I already rejoined the domain. I checked to make sure and I can see the certificate when I do a klist.

On Wed, Sep 25, 2013 at 12:45 PM, Kinkie gkin...@gmail.com wrote:
Re: [squid-users] Squid authentication stopped working
So it's kerberos, not ntlm, is it?

On Wed, Sep 25, 2013 at 6:52 PM, Eric Vanderveer e...@ericvanderveer.com wrote:

--
/kinkie
Re: [squid-users] Squid authentication stopped working
I am using /usr/bin/ntlm_auth with squid.

On Wed, Sep 25, 2013 at 12:53 PM, Kinkie gkin...@gmail.com wrote:
Re: [squid-users] Squid authentication stopped working
Can you do a ntlm_auth -v?

On Wed, Sep 25, 2013 at 6:54 PM, Eric Vanderveer e...@ericvanderveer.com wrote:

--
/kinkie
Re: [squid-users] Squid authentication stopped working
I am assuming you mean -V and it's Version 3.6.3

On Wed, Sep 25, 2013 at 12:56 PM, Kinkie gkin...@gmail.com wrote:
Re: [squid-users] Squid authentication stopped working
Still at a loss on this. If anyone has an idea let me know.

On Wed, Sep 25, 2013 at 12:57 PM, Eric Vanderveer e...@ericvanderveer.com wrote:
Re: [squid-users] Squid authentication stopped working
I see "The reply for POST http://somedomain.com is DENIED because it matched 'ntlm_auth'" but then right after I see the same thing but it says it is ALLOWED.

On Wed, Sep 25, 2013 at 1:30 PM, Eric Vanderveer e...@ericvanderveer.com wrote:
Re: [squid-users] Squid authentication stopped working
That's the way NTLM is supposed to work. It requires 2x 407 DENIED for each new TCP connection.

On Wed, Sep 25, 2013 at 7:36 PM, Eric Vanderveer e...@ericvanderveer.com wrote:
I see "The reply for POST http://somedomain.com is DENIED because it matched 'ntlm_auth'" but then right after I see the same thing but it says "is ALLOWED".

-- /kinkie
Re: [squid-users] wildcard reverse proxy (not ssl)
Thank you very much! Yes, I'm aware of possible DNS issues.

2013/9/25 Amos Jeffries squ...@treenet.co.nz:
On 25/09/2013 6:30 p.m., Luis Daniel Lucio Quiroz wrote:
Hello :) For a reason, don't ask, I need to configure a Squid that is able to do reverse lookup from a webapp that does dynamic host domains. So I need to configure a squid that does *.mydomain. I don't have too much control on *.mydomain IPs, so cache_peer won't be very helpful in this case. I need to rely on DNS for this. Is there a way to make this work?

If you use DNS in the reverse-proxy to access the origin servers you will need even more control of the IPs than you do with cache_peers. Both configurations require the public DNS to be configured to point the clients at your proxy. But a reverse-proxy without cache_peer *also* requires a reliable split-DNS configuration, because those DNS servers become responsible for preventing forwarding loops and must not send Squid the same IPs which are going to the clients.

The configuration in Squid is simple, but leaves you open to a new set of DNS-related security problems such as DNS spoofing or hijacking in addition to the regular HTTP security issues.

Starting with the simple virtual-hosting reverse proxy configuration: http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
* You drop the cache_peer directives.
* You replace the cache_peer_access with always_direct. always_direct should use the same ACL rules as you would have placed on cache_peer_access.

NP: When defining the dstdomain ACL of hostnames you can use the wildcard form of dstdomain:
acl outsites dstdomain .mydomain.local

HTH
Amos
Re: Re: [squid-users] Skype through SQUID integrated with AD
On Wednesday, 25 September 2013 16:17, Amos Jeffries squ...@treenet.co.nz wrote:
On 26/09/2013 12:58 a.m., kazio wolny wrote:
Hello, I have been tired of this topic for two days already and I have no power left, so please help... I did install squid3 (v3.1.19) integrated with AD (according to http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy), allowing only users who belong to the Admin-Internet. Everything is OK for browsers, and Kerberos, NTLM, even LDAP. Only I have a problem with Skype; in access.log I see:
1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE / - text / html;
1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE / - text / html;
1 1380113281.723 3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE / - text / html;
I tried to correct it as in http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps.

Well... if Skype did support authentication you would still see these log lines as part of the normal authentication challenge process. That goes for all authentication types; NTLM is somewhat special in that it always shows up with two 407 in a row like the *.22 client lines above.

This may help you: https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server

My experience is that Skype has supported proxies and authentication nicely enough in all releases for the last ~2 years not to need any special consideration in the proxy config.

Amos

Thanks, but why doesn't Skype connect to the servers? In Skype I have these settings, like in your link: use ports 80, 443; HTTPS proxy, address and port (10.22.94.130:8080). I was trying with and without enabling proxy auth... Always the same... When I disable auth on squid, then Skype works great, so I'm thinking that this is the problem, but I can't solve it... :-(
Kazio
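Amos's point in the earlier thread (NTLM produces two 407 challenges per new TCP connection, so consecutive TCP_DENIED/407 pairs are normal) and the access.log lines quoted above suggest a simple check for telling a healthy handshake from a client that never gets past the challenge. The following is an added example, not code from the squid-users thread or from Squid; the log lines are constructed in Squid's native access.log format, modelled on the ones in the post, and the user name jdoe is made up.

```python
from collections import defaultdict

# Constructed sample in Squid native access.log format:
# time elapsed client code/status bytes method url user hierarchy/peer type
# Client .22 completes the NTLM handshake (407, 407, then 200);
# client .104 only ever gets 407 challenges and never authenticates.
SAMPLE_LOG = """\
1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE/- text/html
1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE/- text/html
1380113279.901 412 10.22.88.22 TCP_MISS/200 1523 CONNECT 157.56.123.82:443 jdoe HIER_DIRECT/157.56.123.82 -
1380113281.723 3766 10.22.15.104 TCP_DENIED/407 3811 CONNECT 91.190.216.54:443 - NONE/- text/html
1380113281.760 0 10.22.15.104 TCP_DENIED/407 3811 CONNECT 91.190.216.54:443 - NONE/- text/html
1380113282.001 0 10.22.15.104 TCP_DENIED/407 3811 CONNECT 91.190.216.54:443 - NONE/- text/html
1380113283.410 0 10.22.15.104 TCP_DENIED/407 3811 CONNECT 91.190.216.54:443 - NONE/- text/html
"""

def parse_line(line):
    """Return (client, http_status, user) for one native-format line, else None."""
    f = line.split()
    if len(f) < 10:
        return None
    return f[2], int(f[3].split("/", 1)[1]), f[7]

def classify_clients(log_text, max_challenges=2):
    """NTLM needs two 407s per new TCP connection, so a run of up to
    max_challenges 407s closed by a non-407 reply is a completed handshake;
    a longer run, or one left open, means the client never completes the
    challenge (no connection id in the log, so per-client order stands in)."""
    run = defaultdict(int)
    stats = defaultdict(lambda: {"handshakes": 0, "stuck": 0, "users": set()})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        client, status, user = parsed
        s = stats[client]
        if status == 407:
            run[client] += 1
            continue
        if 0 < run[client] <= max_challenges:
            s["handshakes"] += 1
        elif run[client] > max_challenges:
            s["stuck"] += 1
        run[client] = 0
        if user != "-":
            s["users"].add(user)
    for client, n in run.items():  # runs still open when the log ends
        if n > max_challenges:
            stats[client]["stuck"] += 1
    return {c: dict(s, users=sorted(s["users"])) for c, s in stats.items()}
```

Calling classify_clients(SAMPLE_LOG) reports one completed handshake for 10.22.88.22 and one stuck run for 10.22.15.104, the pattern the Skype client above shows when authentication is enabled.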
[squid-users] Do not refresh the cache if cache_peer is unavailable
Is it possible to not refresh the cache in case of an error in the newest request to the cache_peer? What I mean is: suppose that in a reverse proxy I want to refresh the cache of the base URL (the homepage of the website) around every 60 seconds, but in case the cache peers are temporarily unavailable I do not want to refresh the cache, because otherwise no content will be shown to the clients. Is there a method to achieve this? Thank you in advance

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Do-not-refresh-the-cache-if-cache-peer-is-unavailable-tp4662306.html
Sent from the Squid - Users mailing list archive at Nabble.com.