[squid-users] dynamic ssl certificate generation - ip addresses

2013-10-31 Thread Lennert Rienau
Hi,
I want Squid to create dynamic SSL certificates in intercept mode, which works, 
but Squid uses IP addresses for the sites' certificates, not the host name.
 
Does anybody know why this happens?
 
squid.conf:

cache_effective_user squid
cache_effective_group squid
 
#acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.42.0/24
acl blocknet src 192.168.42.10-192.168.42.50
 
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
 
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
 
http_access allow all
 
http_port 192.168.42.1:3128 intercept
 
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/ssl_db -M 4MB
sslcrtd_children 5
 
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

 
Thank you!
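
An added example, not part of the original post or of the Squid project: a small audit script that flags the three directives in the configuration above that matter here. The sample configurations, file paths and CA bundle location are constructed for the example. In Squid 3.x, `ssl_bump client-first` bumps the client connection before Squid has contacted the origin server, so there is no origin certificate to mimic and, on an intercepted https_port, the only name Squid has at that point is the destination IP; `server-first` fetches the origin certificate first and mimics its subject in the generated one. `sslproxy_cert_error allow all` together with `sslproxy_flags DONT_VERIFY_PEER` means the proxy re-signs any origin certificate, including a forged one, with the local CA, and the client has no way to notice.

```shell
#!/bin/sh
# Added example (not from the post or the Squid project): flag the ssl_bump
# directives that make an intercepting proxy issue IP-named certificates and
# skip origin certificate validation. POSIX sh; the sample configurations and
# the CA bundle path are constructed placeholders.

# Print one finding per risky directive in the file $1; return 1 if any found.
audit_sslbump_conf() {
    conf=$1
    found=0
    while IFS= read -r line; do
        line=${line%%#*}                       # drop trailing comments
        case "$line" in
            *ssl_bump*client-first*)
                # client-first bumps the client before contacting the origin,
                # so there is no server certificate to mimic; on an intercepted
                # https_port the only name Squid knows is the destination IP.
                echo "ssl_bump client-first: generated certs carry the IP, use server-first"
                found=1 ;;
            *sslproxy_cert_error*allow*all*)
                echo "sslproxy_cert_error allow all: every origin certificate error is ignored"
                found=1 ;;
            *sslproxy_flags*DONT_VERIFY_PEER*)
                echo "sslproxy_flags DONT_VERIFY_PEER: origin certificates are never verified"
                found=1 ;;
        esac
    done < "$conf"
    return "$found"
}

# Write a configuration string to a temp file and echo the file name.
write_conf() {
    f=$(mktemp) || exit 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Echo the number of findings for a configuration string.
count_findings() {
    f=$(write_conf "$1")
    n=$(audit_sslbump_conf "$f" | wc -l | tr -d ' ')
    rm -f "$f"
    echo "$n"
}

# Constructed sample mirroring the directives in the post.
WEAK_CONF='ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 192.168.42.1:3127 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem'

# Constructed hardened counterpart: server-first lets Squid fetch the origin
# certificate first and mimic its subject, and validation against a CA bundle
# stays on (the bundle path is a placeholder).
HARDENED_CONF='ssl_bump server-first all
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
https_port 192.168.42.1:3127 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem'

# Run with "demo" as the first argument to see both audits.
if [ "${1:-}" = "demo" ]; then
    echo "weak:";     f=$(write_conf "$WEAK_CONF");     audit_sslbump_conf "$f"; rm -f "$f"
    echo "hardened:"; f=$(write_conf "$HARDENED_CONF"); audit_sslbump_conf "$f" && echo "no findings"; rm -f "$f"
fi
```

Run it as `sh audit.sh demo`; the weak configuration yields three findings, the hardened one none. The patterns are deliberately loose (substring matches on the uncommented part of each line) so that the check survives extra whitespace or ACL names, which is the usual way these directives drift in a long squid.conf.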


[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-10-31 Thread Markus Moeller

Hi Mihail,

  What does a klist -ekt show? (I assume you use MIT Kerberos 
on the squid server)


  What do you see with wireshark in the authentication header sent to squid?


Markus

"Mihail Lukin"  wrote in message 
news:caamm_rzhz8m1vbyf5mvw-zbqyvoqhw0nmf4saop8gsy5x9k...@mail.gmail.com...


I don't know why access-time is not being updated, but strace has
shown that keytab is being read successfully by squid_kerb_auth
process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin  
wrote:

Hello, Markus!

Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
/etc/sysconfig/squid and is readable by the squid group. But there is
still something wrong with it: the keytab's access time is not changed,
neither when I restart squid nor when I request a URL through the
proxy.

I think I should strace squid_kerb_auth to see what happens. Thanks
for the hint!

On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
 wrote:

Hi Mihail,

  Did you use export KRB5_KTNAME to point to the right keytab? Is the
keytab readable by the user under which squid runs?

Markus

"Mihail Lukin"  wrote in message
news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=r...@mail.gmail.com...

Hello,

I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
DC with Kerberos. I used this how-to:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
CentOS 6 box that I've joined to domain with `net ads join`.

Now I'm getting the error in cache.log when I'm trying to visit any
URL through this proxy:

2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
data' from squid (length: 2295).
2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
data' (decoded length: 1717).
2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more
information.
2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more 
information. '


I could not figure out what the "minor code" is... I googled a lot with no
luck.
Any help is very appreciated. Thanks in advance!





--
Best regards,
Mihail Lukin




--
Best regards,
Mihail Lukin




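An added example, not part of the thread: the keytab checks that Markus's questions above point at, as a script. It assumes MIT Kerberos tools (`klist`, `kinit`), Squid running as the user `squid`, and the placeholder names `proxy.example.com`, `EXAMPLE.COM` and `/etc/squid/HTTP.keytab`; the `klist -ekt` output embedded below is constructed. The exact-match comparison is deliberate: a keytab that only holds `host/`, a lower-case `http/`, or the short hostname will not satisfy `gss_acquire_cred()` for the `HTTP/` service principal, and the helper reports that only as "Unspecified GSS failure". Running `kinit` with `KRB5_TRACE` set gets the library's own explanation of the minor code.

```shell
#!/bin/sh
# Added example (not from the thread): check the keytab squid_kerb_auth will
# use before digging into gss_acquire_cred() failures. Assumes MIT Kerberos,
# Squid running as user 'squid', and the placeholder names
# proxy.example.com / EXAMPLE.COM / /etc/squid/HTTP.keytab.

# Read 'klist -ekt' output on stdin; succeed only if it holds an entry for
# HTTP/<fqdn>@<REALM>. $1 = fqdn as the browser resolves the proxy name,
# $2 = realm (upper case). Compared exactly: a lower-case 'http/', a short
# hostname, or a host/ entry alone are all non-matches.
keytab_has_http_spn() {
    awk -v want="HTTP/$1@$2" '
        # Columns: KVNO, date, time, principal, (etype)
        NF >= 4 && $4 == want { found = 1 }
        END { if (!found) exit 1 }'
}

# List every principal in the keytab once, to eyeball near misses.
keytab_principals() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Constructed sample of what 'klist -ekt /etc/squid/HTTP.keytab' prints.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/30/13 17:00:00 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 10/30/13 17:00:00 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   3 10/30/13 17:00:00 host/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Live checks to run on the proxy as root. Assumes the realm is the DNS
# domain in upper case; adjust if your realm differs.
live_check() {
    kt=${KRB5_KTNAME:-/etc/squid/HTTP.keytab}
    fqdn=$(hostname -f)
    realm=$(printf '%s' "${fqdn#*.}" | tr a-z A-Z)
    # 1. Can the Squid user read the keytab at all?
    sudo -u squid test -r "$kt" || echo "keytab $kt is not readable by user squid"
    # 2. Does it hold the HTTP service principal for this host?
    if ! klist -ekt "$kt" | keytab_has_http_spn "$fqdn" "$realm"; then
        echo "no HTTP/$fqdn@$realm entry; principals present:"
        klist -ekt "$kt" | keytab_principals
    fi
    # 3. Prove the keytab key matches the KDC, with the library's own trace
    #    instead of the bare 'Unspecified GSS failure' from the helper.
    KRB5_TRACE=/dev/stderr kinit -k -t "$kt" "HTTP/$fqdn@$realm"
}

# Offline demonstration against the constructed listing.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_http_spn proxy.example.com EXAMPLE.COM \
        && echo "HTTP SPN present" || echo "HTTP SPN missing"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
fi
```

`sh keytab_check.sh demo` exercises the parsing against the constructed listing; `live_check` is what to run on the proxy itself. If step 3 succeeds but the helper still fails, the helper is not seeing the same keytab, which is where `strace -f -e trace=open,openat` on the helper, as done above, confirms the path.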

[squid-users] Re: decode kerberos messages

2013-10-31 Thread Markus Moeller

The easiest way is to look at the traffic in wireshark.

Markus

"Carlos Defoe"  wrote in message 
news:cahshsyvkkczcf+6f1mqqrmmhgodxyn_boeeqcvva3yh4ywl...@mail.gmail.com...


My goal was only to know which computer and/or user is failing to use
each method of authentication. The network is too big, and among those
thousands of messages I need to know first where the failed ones are
coming from. Probably the user is being prompted with the auth window, but
as he thinks it is normal, he doesn't ask our support to fix it. I
want to know so I can send support to fix or replace the computer.

On Thu, Oct 31, 2013 at 2:14 PM, Carlos Defoe  wrote:

Hi Amos,

Seems that it doesn't work for Kerberos tokens:

NTLM Signature:`� �  +
NTLM Message Type:2551
BITMAP00
Unknown @12:0x 160
...

For a NTLM token it shows the flags.

On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries  
wrote:

On 31/10/2013 6:02 a.m., Carlos Defoe wrote:


Hi,

It is possible to decode those "negotiate_kerberos_auth" debug
messages? I tried "base64 -d", but it shows a lot of garbage and
almost nothing readable.



It is a binary NTLMSSPI packet. I have put a simple decoder together for
debugging purposes:
http://treenet.co.nz/projects/squid/ntlm_token.php

Amos 
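
An added example, not part of the thread: the decoder linked above understands NTLMSSP, which is why a Kerberos token comes out as garbage in Carlos's reply. The two are easy to tell apart from the first bytes of the base64 blob that the helper logs after `YR ` or `KK `: NTLM messages start with the literal `NTLMSSP\0` (base64 prefix `TlRMTVNTUAA`), while a Kerberos or SPNEGO token is a GSS-API InitialContextToken whose first byte is the DER tag 0x60 (base64 prefix `YI`), and that one is best read with `openssl asn1parse`. The script below assumes GNU coreutils `base64` and `od` and OpenSSL; both sample tokens are constructed for the example, not copied from the logs.

```shell
#!/bin/sh
# Added example (not from the thread): tell a Kerberos/SPNEGO token apart from
# an NTLMSSP one in the base64 blobs negotiate_wrapper / negotiate_kerberos_auth
# log, and decode the Kerberos side with openssl. Assumes GNU base64/od and
# OpenSSL; the sample tokens are constructed.

# $1 = base64 token. Prints "NTLM type N", "GSS-API/SPNEGO" or "unknown".
classify_token() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        4e544c4d53535000??*)
            # "NTLMSSP\0" signature; the message type is the little-endian
            # uint32 at offset 8 (1 Negotiate, 2 Challenge, 3 Authenticate).
            # Low byte only: hex chars 17-18.
            t=$(printf '%s' "$hex" | cut -c17-18)
            echo "NTLM type $((0x$t))"
            ;;
        60*)
            # 0x60 is the [APPLICATION 0] tag of a GSS-API InitialContextToken
            # (RFC 2743 section 3.1), i.e. SPNEGO or raw Kerberos.
            echo "GSS-API/SPNEGO"
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# Decode a GSS-API token's ASN.1 structure: the mechanism OID, then the
# NegTokenInit/NegTokenResp or Kerberos AP-REQ fields, indented by nesting.
dump_gss_token() {
    printf '%s' "$1" | base64 -d | openssl asn1parse -inform DER -i
}

# Constructed NTLM Type 1 (NEGOTIATE): signature, type=1, flags 0xa2088207,
# empty domain and workstation fields (32 bytes), then base64 encoded.
NTLM1=$(printf 'NTLMSSP\000\001\000\000\000\007\202\010\242\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000' | base64 | tr -d '\n')

# Constructed minimal GSS-API token: [APPLICATION 0] wrapping the SPNEGO OID
# 1.3.6.1.5.5.2 and nothing else (real ones carry a NegTokenInit after it).
SPNEGO=$(printf '\140\010\006\006\053\006\001\005\005\002' | base64 | tr -d '\n')

# Run with "demo" as the first argument, or pass a token from cache.log.
if [ "${1:-}" = "demo" ]; then
    echo "$NTLM1  -> $(classify_token "$NTLM1")"
    echo "$SPNEGO  -> $(classify_token "$SPNEGO")"
    dump_gss_token "$SPNEGO"
elif [ -n "${1:-}" ]; then
    classify_token "$1"
fi
```

To find the machines that keep sending NTLM where Kerberos is expected, feed each logged token through `classify_token` and pair the result with the client address from access.log; for the Kerberos ones, `dump_gss_token` shows the mechanism OID and, inside the AP-REQ, the service principal the client asked for, which is the usual clue when a wrong SPN is in play.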





[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
> I am suspecting something is going on but I am just not seeing it in the 
> logs. tshark is not catching anything either by host or port 3130 on either 
> VPN/SQUID. Does the TPROXY way work for SQUID on a remote server, because I 
> was going to try that next?
> 
> Ping and DNS lookups all seem normal except for port 80 (all apps not using 
> port 80 work). With clean.rules set using your suggested rules I see this 
> (client can browse but doesn't look like it went to the SQUID server at all)
> 
> Src: 10.100.0.1 (10.100.0.1, VPN client), Dst: 176.32.98.168 (amazon)
> Src: 10.0.0.170 (10.0.0.170, VPN), Dst: 176.32.98.168 (176.32.98.168)
> Src: 176.32.98.168 (176.32.98.168), Dst: 10.0.0.170 (10.0.0.170)
> 
> Let's just say things look normal.
> 
> With proxy.rules (policy based routing), I see a lot of TCP retransmissions 
> from VPN client/server to the web server.
> 
> 10.0.0.170 -> 157.166.248.10 TCP 78 60440 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783310 TSecr=0 SACK_PERM=1
> 10.0.0.170 -> 157.166.248.11 TCP 78 [TCP Retransmission] 60437 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783793 TSecr=0 SACK_PERM=1
> 10.100.0.1 -> 157.166.249.10 TCP 78 [TCP Retransmission] 60438 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783995 TSecr=0 SACK_PERM=1
> 
> It does this until it gives up. I hope that rings a bell. I could be 
> debugging this wrong and not seeing the obvious. There is no trace on the SQUID 
> server or in its log, so I assume the traffic didn't make it over. On the VPN server, 
> when I do a query to a web site, it works, which is weird because I thought it 
> should also get routed since all TCP on eth0 is marked (also no log in 
> access.log on the squid side, so it's not routed).
> 
> Thanks, 
> 
> 


Update. Found this, https://forums.gentoo.org/viewtopic-t-932554-start-0.html, that helped me look at the MAC address of the src/dst.

With proxy.rules, now with the above info, I see the MAC address of the web site is 
the MAC address of the SQUID server. Again I only see one-direction traffic 
going to the web site. At least we know it's doing something that looks 
correct.

With clean.rules, the web site's MAC address is the gateway/DNS (in my case it is 
the same MAC). I see bidirectional traffic between the web site and the VPN server. 

On SQUID server I have applied 4 rules from this SQUID guide:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

There is no traffic to SQUID using tshark. Nothing in SQUID logs or syslog. 
Nothing in VPN's syslog.


Thanks,



[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
Eliezer Croitoru writes:

> 
> Hey,
> 
> On 10/31/2013 09:58 AM, WorkingMan wrote:
> > iptables -t nat -A POSTROUTING -j MASQUERADE
> 
> try to flush all the iptables rules by:
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> 
> then add the next:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> sysctl -w net.ipv4.ip_forward=1
> 
> The above rules should make the client able to do any network thing he 
> needs to if the vpn client and server are configured to route all the 
> traffic to the VPN server.
> then use tcpdump:
> tcpdump -i eth0 -nn port 80
> 
> to see what traffic is being sent from the server to the web.
> 
> then and only after these tests are made (note that the -F might need 
> the POSTROUTING or any other name of a table after it) you can minimize 
> the cause of the problem to the VPN level or to the iptables or any 
> other level.
> 
> can you by any chance run a "ifconfig -a" command and share the output?
> 
> Eliezer
> 
> 

Do I need to do anything on client side? I am using OS's built-in VPN client 
and browser.

VPN server:

eth0  Link encap:Ethernet  HWaddr 0a:a5:82:f8:2e:93
  inet addr:10.0.0.170  Bcast:10.0.0.255  Mask:255.255.255.0
  inet6 addr: fe80::8a5:82ff:fef8:2e93/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:14748 errors:0 dropped:0 overruns:0 frame:0
  TX packets:5123 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:15268379 (15.2 MB)  TX bytes:917810 (917.8 KB)

loLink encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

#this interface has no consequence since it's working with or without it

eth1  Link encap:Ethernet  HWaddr 0a:af:5f:23:3d:31
  inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
  inet6 addr: fe80::8af:5fff:fe23:3d31/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:2197 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2326 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:435969 (435.9 KB)  TX bytes:458603 (458.6 KB)

SQUID server:

eth0  Link encap:Ethernet  HWaddr 0a:3c:e1:08:45:b7
  inet addr:10.0.0.117  Bcast:10.0.0.255  Mask:255.255.255.0
  inet6 addr: fe80::83c:e1ff:fe08:45b7/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:105968 errors:0 dropped:0 overruns:0 frame:0
  TX packets:58748 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:101288758 (101.2 MB)  TX bytes:17275538 (17.2 MB)

loLink encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:175 errors:0 dropped:0 overruns:0 frame:0
  TX packets:175 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:82568 (82.5 KB)  TX bytes:82568 (82.5 KB)


I am suspecting something is going on but I am just not seeing it in the logs. 
tshark is not catching anything either by host or port 3130 on either 
VPN/SQUID. Does the TPROXY way work for SQUID on a remote server, because I 
was going to try that next?

Ping and DNS lookups all seem normal except for port 80 (all apps not using 
port 80 work). With clean.rules set using your suggested rules I see this 
(client can browse but doesn't look like it went to the SQUID server at all)

Src: 10.100.0.1 (10.100.0.1, VPN client), Dst: 176.32.98.168 (amazon)
Src: 10.0.0.170 (10.0.0.170, VPN), Dst: 176.32.98.168 (176.32.98.168)
Src: 176.32.98.168 (176.32.98.168), Dst: 10.0.0.170 (10.0.0.170)

Let's just say things look normal.

With proxy.rules (policy based routing), I see a lot of TCP retransmissions 
from VPN client/server to the web server.

10.0.0.170 -> 157.166.248.10 TCP 78 60440 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783310 TSecr=0 SACK_PERM=1
10.0.0.170 -> 157.166.248.11 TCP 78 [TCP Retransmission] 60437 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783793 TSecr=0 SACK_PERM=1
10.100.0.1 -> 157.166.249.10 TCP 78 [TCP Retransmission] 60438 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783995 TSecr=0 SACK_PERM=1

It does this until it gives up. I hope that rings a bell. I could be 
debugging this wrong and not seeing the obvious. There is no trace on the SQUID 
server or in its log, so I assume the traffic didn't make it over. On the VPN server, 
when I do a query to a web site, it works, which is weird because I thought

Re: [squid-users] decode kerberos messages

2013-10-31 Thread Carlos Defoe
My goal was only to know which computer and/or user is failing to use
each method of authentication. The network is too big, and among those
thousands of messages I need to know first where the failed ones are
coming from. Probably the user is being prompted with the auth window, but
as he thinks it is normal, he doesn't ask our support to fix it. I
want to know so I can send support to fix or replace the computer.

On Thu, Oct 31, 2013 at 2:14 PM, Carlos Defoe  wrote:
> Hi Amos,
>
> Seems that it doesn't work for Kerberos tokens:
>
> NTLM Signature:`� �  +
> NTLM Message Type:2551
> BITMAP00
> Unknown @12:0x 160
> ...
>
> For a NTLM token it shows the flags.
>
> On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries  wrote:
>> On 31/10/2013 6:02 a.m., Carlos Defoe wrote:
>>>
>>> Hi,
>>>
>>> It is possible to decode those "negotiate_kerberos_auth" debug
>>> messages? I tried "base64 -d", but it shows a lot of garbage and
>>> almost nothing readable.
>>
>>
>> It is a binary NTLMSSPI packet. I have put a simple decoder together for
>> debugging purposes:
>> http://treenet.co.nz/projects/squid/ntlm_token.php
>>
>> Amos


[squid-users] Re: IPv6 + Intercept proxy

2013-10-31 Thread WorkingMan
> 
> TPROXY is not routing. It is packet interception, taking a packet from 
> the kernel TCP stack and delivering it to a local process running on 
> that machine. Taking packets from that same local process marked with a 
> special TPROXY flag and allowing them to be routed despite having a src 
> address of a different machine (spoofing is normally prohibited by the 
> kernel).
> 
> Simple really. But it places a lot of requirement pressure on the 
> networking and routing to handle the packets properly.
> 
> > The alternative for remote host is policy based routing (if you followed 
my
> > other thread on this for ipv4 but ipv6 should not be too different). But 
as I
> > said before I am not able to make it work.
> 
> Unfortunately the policy routing is mandatory whenever there are 
> alternative routes for the packets to travel over which bypass the 
> interceptor proxy.
> 
> Amos
> 
> 

Does the TPROXY setup work with a remote proxy server?

It appears to be for local routing only. I don't want to start trying this 
if it will not support remote routing (hint: specify this in the wiki; also 
it doesn't say that newer kernels seem to have all the dependencies built into 
the kernel out of the box, and based on the configuration I saw it's all there; most 
of the guides out there on this are for kernel 2.6.x, which is old).

Thanks,



Re: [squid-users] decode kerberos messages

2013-10-31 Thread Carlos Defoe
Hi Amos,

Seems that it doesn't work for Kerberos tokens:

NTLM Signature:`��+
NTLM Message Type:2551
BITMAP00
Unknown @12:0x 160
...

For a NTLM token it shows the flags.

On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries  wrote:
> On 31/10/2013 6:02 a.m., Carlos Defoe wrote:
>>
>> Hi,
>>
>> It is possible to decode those "negotiate_kerberos_auth" debug
>> messages? I tried "base64 -d", but it shows a lot of garbage and
>> almost nothing readable.
>
>
> It is a binary NTLMSSPI packet. I have put a simple decoder together for
> debugging purposes:
> http://treenet.co.nz/projects/squid/ntlm_token.php
>
> Amos


Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication

2013-10-31 Thread Amos Jeffries

On 1/11/2013 2:45 a.m., Matteo De Lazzari wrote:


Uhm, I cannot understand. The user and computer that you found is the
currently logged-in Windows user. It's a local user. If I want to use the
browser, a login box appears. So I try to insert the domain credentials in
the form domain\username and the password. After I click on the OK
button, in the log I find that the user that Squid is trying to
authenticate is the local logged-in user and not the user which I
inserted. Have you any idea of what's the cause of this behaviour?


Popup from the browser is supposed to be a *last resort* action to 
locate credentials. They first try any other sources of credentials that 
can be found.


I expect if you look deeply you will see that the browser is sending the 
NTLM local machine credentials over first, then only displaying that 
popup when that NO_SUCH_USER causes them to fail. At least that is what 
is supposed to be happening.


Amos



Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication

2013-10-31 Thread Matteo De Lazzari
I'll add another thing. If I click over and over again on the OK button in 
the login prompt, after an unsuccessful login like below, I get a 
successful login with Kerberos with the right credentials inserted into 
the login window. For example:


2013/10/31 14:59:06| negotiate_wrapper: Got 'YR 
TlRMTVNTUAABB4IIogAFASgKDw==' from squid 
(length: 59).
2013/10/31 14:59:06| negotiate_wrapper: Decode 
'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded 
length: 40).

2013/10/31 14:59:06| negotiate_wrapper: received type 1 NTLM token
2013/10/31 14:59:06| negotiate_wrapper: Return 'TT 
TlRMTVNTUAACEAAQADgFgomihuhYCU+1bPYAAKoAqgBIBgEAAA9QAFIARQBWAEkARABPAE0AAgAQAFAAUgBFAFYASQBEAE8ATQABABoAUwBSAFYAUwBRAFUASQBEAFAAUgBPAFgAWQAEACgAcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAMARABzAHIAdgBzAHEAdQBpAGQAcAByAG8AeAB5AC4AcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAA=

'
2013/10/31 14:59:06| negotiate_wrapper: Got 'KK 
TlRMTVNTUAADGAAYAIoYABgAogAAABQAFABIGgAaAFwUABQAdgC6BYKIogUBKAoPQgBBAEwARABBAFMAUwBJAE4AUgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAEIAQQBMAEQAQQBTAFMASQBOAFIAq1Q20RKzg8QAMxioQ/YxkVY0L8xikTmoqqYH1sM2078v' 
from squid (length: 251).
2013/10/31 14:59:06| negotiate_wrapper: Decode 
'TlRMTVNTUAADGAAYAIoYABgAogAAABQAFABIGgAaAFwUABQAdgC6BYKIogUBKAoPQgBBAEwARABBAFMAUwBJAE4AUgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAEIAQQBMAEQAQQBTAFMASQBOAFIAq1Q20RKzg8QAMxioQ/YxkVY0L8xikTmoqqYH1sM2078v' 
(decoded length: 186).

2013/10/31 14:59:06| negotiate_wrapper: received type 216 NTLM token
2013/10/31 14:59:06| negotiate_wrapper: Return 'NA = NT_STATUS_NO_SUCH_USER
'
2013/10/31 14:59:44| negotiate_wrapper: Got 'YR ...' 
from squid (length: 1967).
2013/10/31 14:59:44| negotiate_wrapper: Decode 
'...

Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication

2013-10-31 Thread Matteo De Lazzari


Uhm, I cannot understand. The user and computer that you found is the
currently logged-in Windows user. It's a local user. If I want to use the
browser, a login box appears. So I try to insert the domain credentials in
the form domain\username and the password. After I click on the OK
button, in the log I find that the user that Squid is trying to
authenticate is the local logged-in user and not the user which I
inserted. Have you any idea of what's the cause of this behaviour?

Thanks

On 29/10/2013 22.44, Amos Jeffries wrote:

On 30/10/2013 3:49 a.m., Matteo De Lazzari wrote:

Now I have Squid version 3.3.9, but the problem still persists. This
is from cache.log

2013/10/29 15:07:49| negotiate_wrapper: Got 'YR
TlRMTVNTUAABB4IIogAFASgKDw==' from squid
(length: 59).
2013/10/29 15:07:49| negotiate_wrapper: Decode
'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded
length: 40).
2013/10/29 15:07:49| negotiate_wrapper: received type 1 NTLM token
2013/10/29 15:07:49| negotiate_wrapper: Return 'TT
TlRMTVNTUAACEAAQADgFgomiMudf8qKFH9cAAKoAqgBIBgEAAA9QAFIARQBWAEkARABPAE0AAgAQAFAAUgBFAFYASQBEAE8ATQABABoAUwBSAFYAUwBRAFUASQBEAFAAUgBPAFgAWQAEACgAcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAMARABzAHIAdgBzAHEAdQBpAGQAcAByAG8AeAB5AC4AcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAA=
'
2013/10/29 15:07:49| negotiate_wrapper: Got 'KK
TlRMTVNTUAADGAAYAIYYABgAngAAABIAEgBIGgAaAFoSABIAdAC2BYKIogUBKAoPRABFAEYAQQBWAEUAUgBJAEwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBEAEUARgBBAFYARQBSAEkATACBrzocRC8vigBvHsRiK+DEPUVqWMDAk2PS8BDbT/X3mBg='
from squid (length: 247).
2013/10/29 15:07:49| negotiate_wrapper: Decode
'TlRMTVNTUAADGAAYAIYYABgAngAAABIAEgBIGgAaAFoSABIAdAC2BYKIogUBKAoPRABFAEYAQQBWAEUAUgBJAEwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBEAEUARgBBAFYARQBSAEkATACBrzocRC8vigBvHsRiK+DEPUVqWMDAk2PS8BDbT/X3mBg='
(decoded length: 182).
2013/10/29 15:07:49| negotiate_wrapper: received type 216 NTLM token


NTLM Type:3
Target Name:DEFAVERIL
User Name:   Administrator
Workstation Name:  DEFAVERIL


2013/10/29 15:07:49| negotiate_wrapper: Return 'NA =
NT_STATUS_NO_SUCH_USER



This is not a parser problem. This is actually a user-credentials-not-
existing problem. *NO SUCH USER*.



and again from command prompt all is good:

/usr/bin/ntlm_auth --username=provaproxy --password=Pass1word
--domain=PREVIDOM
NT_STATUS_OK: Success (0x0)



You are testing with different credentials to the ones which are failing.

Amos






Re: [squid-users] squid url_rewrite_program

2013-10-31 Thread John Doe
From: Sachin Gupta 

> does url_rewrite_access solve this? Sample below. I tried but doesnt
> seem to work.
> 
> url_rewrite_program 
> acl allow_port myportname xxx4 xxx5
> url_rewrite_access allow allow_port

What do you mean by "doesnt seem to work"?
Everyone has access? or nobody?
Did you put a "deny all" after?
Do you purposefully use myportname instead of port?

JD


Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread Eliezer Croitoru

Hey,

On 10/31/2013 09:58 AM, WorkingMan wrote:

iptables -t nat -A POSTROUTING -j MASQUERADE


try to flush all the iptables rules by:
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F

then add the next:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

The above rules should make the client able to do any network thing he 
needs to if the vpn client and server are configured to route all the 
traffic to the VPN server.

then use tcpdump:
tcpdump -i eth0 -nn port 80

to see what traffic is being sent from the server to the web.

then and only after these tests are made (note that the -F might need 
the POSTROUTING or any other name of a table after it) you can minimize 
the cause of the problem to the VPN level or to the iptables or any 
other level.


can you by any chance run a "ifconfig -a" command and share the output?

Eliezer



[squid-users] Re: IPv6 + Intercept proxy

2013-10-31 Thread WorkingMan
Eliezer Croitoru writes:

> 
> Hey there,
> 
> On 10/30/2013 10:18 PM, WorkingMan wrote:
> > I think we need an up-to-date guide on
> > transparent proxy for remote hosts (with a concrete example that works). I
> > followed too many guides that don't work.
> 
> Maybe you still have this list of guides\articles\examples??
> 
> I would like to see what you have seen and understand what is the common 
> source of the problem in these articles.
> I am almost sure that there is a common way of describing the feature 
> which makes it un-understandable.
> 
> Thanks,
> Eliezer
> 
> 


My understanding is probably not great on all these matters since I am 
not able to make this work. My requirement is simple: set up a remote 
server that acts as a transparent proxy; 80/443 traffic comes from the 
VPN server and should be "redirected" to SQUID.

I added rules for the VPN server with this guide: http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
and added these rules on SQUID:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
It's not working. 

I just want to be able to follow a guide that results in a functional 
environment with a transparent proxy. The only time I was able to 
redirect traffic to SQUID was using DNAT/SNAT from sec 6.1
http://www.tldp.org/HOWTO/TransparentProxy-6.html, but that doesn't work 
for HTTP/1.0 according to the guide. In 6.1 somehow it has eth1, which is not 
explained (need two network interfaces?). All SQUID guides I saw 
related to this use one interface only - eth0. 

At this point I don't think more theory will help me resolve this issue.
I need a concrete example that just works. You can look at my other post for 
the detailed rules I am using on the remote transparent proxy.

If I can make this work I will help you make a guide for dummies like myself.



[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
> Some questions that might lead you in a useful direction for solving this:
> * is eth0 the right interface to be operating with?
>does VPN have an interface of its own with better results?
>is there something special you have to add on top of all this to make 
> it work over a VPN connection?
> (all the testing done so far has been on regular ethernet and wireless 
> connections).
> 
> * when the packets go from client to Squid to Internet they are still 
> labeled by TPROXY as having come from the client IP. What path do they 
> take back to the client?
> is Squid box with its TPROXY logics on that return path?
> 
> Amos
> 
> 


I think I am in worse shape than you think. Port 80 traffic is not going to 
SQUID at all. I don't see it in the access.log anyway.

on SQUID I use these from SQUID wiki:

export WAN=eth0
# 'inet addr' (not just 'inet') so the inet6 line does not add an empty entry
SQUIDIP=$(ifconfig eth0 | grep 'inet addr' | awk '{ print $2 }' | cut -f 2 -d ":")
SQUIDPORT=3130

iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

on VPN I use these (from wiki and maybe some from elsewhere):

export SQUID=
export SQUID_PORT=3130

iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
iptables -t mangle -A PREROUTING -i $WAN  -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i $WAN -o $WAN -p tcp --dport 80 -j ACCEPT

#do the rt_tables change once
echo 202 http >> /etc/iproute2/rt_tables

#remove old rules
ip rule del fwmark 2 table http
ip route del default via $SQUID dev eth0 table http

#add new rules
ip rule add fwmark 2 table http
ip route add default via $SQUID dev eth0 table http
ip route flush cache

iptables-save


Does the above affect local traffic on the VPN server as well? On the VPN server 
I can query a web site without issue. But the VPN client can't. I don't 
understand where the traffic is getting dropped. tshark catches nothing, 
nothing in SQUID logs. Is the above configuration correct for what I want to do?

I did add a secondary network interface to my VPN server but I don't 
see how it will help. I did try to use eth1 to route marked traffic but it 
didn't work.

Thanks,



Re: [squid-users] Re: IPv6 + Intercept proxy

2013-10-31 Thread Eliezer Croitoru

Hey there,

On 10/30/2013 10:18 PM, WorkingMan wrote:

I think we need an up-to-date guide on
transparent proxy for remote hosts (with a concrete example that works). I
followed too many guides that don't work.


Maybe you still have this list of guides\articles\examples??

I would like to see what you have seen and understand what is the common 
source of the problem in these articles.
I am almost sure that there is a common way of describing the feature 
which makes it un-understandable.


Thanks,
Eliezer


Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-10-31 Thread Mihail Lukin
I'm not sure what should input be. I tried to paste base64-encoded
data from cache.log (YIIGsQYGKwYB...EbrQ==), base64-decoded and
URL-encoded data (%60%82%06%B1%06%06%2B%...%1B%AD), but the output is
a bunch of "Unknowns".

On Thu, Oct 31, 2013 at 10:02 AM, Amos Jeffries  wrote:
> On 31/10/2013 5:54 p.m., Mihail Lukin wrote:
>>
>> I don't know why access-time is not being updated, but strace has
>> shown that keytab is being read successfully by squid_kerb_auth
>> process.
>
>
> This tool may help you identify whether the tokens being sent to Squid are
> the ones you are expecting:
>   http://treenet.co.nz/projects/squid/ntlm_token.php
>
> Amos


Re: [squid-users] invalid request

2013-10-31 Thread Amos Jeffries

On 31/10/2013 4:17 a.m., Cheikhou Dramé wrote:

Hi everybody ,

I'm a newbie in squid. I have many "clientProcessRequest: Invalid 
request" errors in my cache.log file. Is there a way to identify the 
client which is sending those requests? My transparent squid server is 
running on CentOS 6.4.


It means the bytes received by Squid do not parse as an HTTP request. 
Squid only supports HTTP 0.9 / 1.0 / 1.1 protocol as input, with a few 
other port-80 protocols which use HTTP syntax such as ICY streaming 
media. Or in specific builds of Squid HTTPS port 443 traffic.


You can enable debug_options 33,5 to get some more details about what 
the parser found. Usually a lot of them means your network is filled 
with software abusing port 80, or the proxy is otherwise listening on a 
port which is in active use by non-HTTP protocols.


Amos


Re: [squid-users] Re: Squid 3.3.2 SMP Problem

2013-10-31 Thread Amos Jeffries

On 31/10/2013 6:02 a.m., Dr.x wrote:

Hi all,
I've tried that on the latest CentOS 6.4 kernel


but it give me :
[root@squid ~]#  sysctl -w net.local.dgram.recvspace=262144
error: "net.local.dgram.recvspace" is an unknown key

What does that mean?


It means the system control toggle for datagram packet buffer size is 
not called that name (if it exists at all).




I'm trying to use the CentOS 6.4 kernel without compiling it, but I have kid
registration timeouts!!


Kid registration timeouts are due to two basic causes:
1) the Unix data sockets opened by SHM between the worker kid and 
coordinator are somehow broken
 - might show up like this if the coordinator was able to open SHM 
properly but the worker has problems.


2) the worker is so overloaded with processing during startup that its 
registration packet does not reach the coordinator quickly enough.

 - might happen if a large cache_dir were being scanned/repaired on startup

There could be other reasons, but those are the big ones we see a lot of 
reports about.
There are now open bug reports about big rock cache_dir taking too long 
to load, AUFS rebuild recovery taking too long to finish, and the "squid -z 
; squid" too-fast process sequence (e.g. as seen in many startup scripts) 
closing SHM connections midway through startup of the second "squid" 
process.


Amos