[squid-users] dynamic ssl certificate generation - ip addresses
Hi, I want squid to create dynamic ssl certificates in intercept mode, which works, but squid uses ip-addresses for the certificates of the site, not the host name. Does anybody know why this happens?

squid.conf:

cache_effective_user squid
cache_effective_group squid
#acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.42.0/24
acl blocknet src 192.168.42.10-192.168.42.50
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
http_access allow all
http_port 192.168.42.1:3128 intercept
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/ssl_db -M 4MB
sslcrtd_children 5
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

Thank you!
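Why the minted certificate names an IP, with a check you can run on one of the generated certificates. This is example code written for this page, not code from the original post or from Squid. With ssl_bump client-first on an intercepted https_port, Squid has to hand the client a certificate before it has talked to the origin server, and an intercepted connection carries no hostname at all, only the original destination IP recovered from the kernel. That IP is therefore the name ssl_crtd is asked to mint a certificate for. Squid 3.3 added server-first bumping, which mimics the names in the origin server's certificate, and Squid 3.5 added peek/splice, which can use the TLS SNI the client sent. The script parses the output of openssl x509 -noout -subject -text for a bumped certificate and reports whether it carries an IP literal or a hostname that a browser asking for a given site would accept. The two certificate texts, the hostnames and the 192.0.2.10 address are constructed samples.

```python
import ipaddress
import re

# Constructed samples of `openssl x509 -noout -subject -text` output (not from
# the original post): a certificate minted for the intercepted destination IP,
# and one minted for the site's hostname.
SAMPLE_IP_CERT = """subject=CN = 192.0.2.10
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                IP Address:192.0.2.10
"""

SAMPLE_DNS_CERT = """subject=CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.example.com, DNS:example.com
"""


def parse_x509_text(text):
    """Return (subject CN, [(kind, value), ...] SAN entries) from openssl x509
    text output. Accepts both 'CN = x' (OpenSSL 1.1+) and '/CN=x' subjects."""
    cn = None
    m = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)", text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            sans.append((kind.strip(), value.strip()))
    return cn, sans


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Hostname match as browsers do it: exact, or a single leftmost
    wildcard label ('*.example.com' covers 'www.example.com' only)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def check_bumped_cert(text, requested_host):
    """Describe the identity a bumped certificate carries and whether a client
    that asked for requested_host would accept it. DNS SAN entries take
    precedence; the CN is only consulted when there is no DNS SAN."""
    cn, sans = parse_x509_text(text)
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    candidates = dns_names or ([cn] if cn else [])
    return {
        "cn": cn,
        "cn_is_ip": bool(cn) and is_ip_literal(cn),
        "dns_sans": dns_names,
        "ip_sans": ip_names,
        "matches_host": any(name_matches(n, requested_host) for n in candidates),
    }


if __name__ == "__main__":
    for label, cert in (("ip-minted", SAMPLE_IP_CERT), ("dns-minted", SAMPLE_DNS_CERT)):
        print(label, check_bumped_cert(cert, "www.example.com"))
```

To run it against a live proxy, capture a certificate with openssl s_client -connect proxy:3127 -servername www.example.com, save the PEM block, and feed openssl x509 -noout -subject -text output to check_bumped_cert. A result with cn_is_ip true and matches_host false is exactly the symptom described in the post.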
[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)
Hi Mihail,

What does a klist -ekt show? (I assume you use MIT Kerberos on the squid server.) What do you see with wireshark in the authentication header sent to squid?

Markus

"Mihail Lukin" wrote in message news:caamm_rzhz8m1vbyf5mvw-zbqyvoqhw0nmf4saop8gsy5x9k...@mail.gmail.com...

I don't know why the access time is not being updated, but strace has shown that the keytab is being read successfully by the squid_kerb_auth process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin wrote:

Hello, Markus! Sorry for not mentioning it at once, KRB5_KTNAME is being exported in /etc/sysconfig/squid and is readable by the squid group. But there is still something wrong with it: the keytab's access time is not changed, neither when I restart squid nor when I request a URL through the proxy. I think I should strace squid_kerb_auth to see what happens. Thanks for the hint!

On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller wrote:

Hi Mihail,

Did you use export KRB5_KTNAME to point to the right keytab? Is the keytab readable by the user under which squid runs?

Markus

"Mihail Lukin" wrote in message news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=r...@mail.gmail.com...

Hello,

I'm trying to configure Squid 3.1 to authenticate through AD with a W2K8 DC with Kerberos. I used this how-to: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on a CentOS 6 box that I've joined to the domain with `net ads join`. Now I'm getting this error in cache.log when I'm trying to visit any URL through this proxy:

2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded data' from squid (length: 2295).
2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded data' (decoded length: 1717).
2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information.
2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '

I could not figure out what the "minor code" is... I googled a lot with no luck. Any help is very appreciated. Thanks in advance!

--
Best regards, Mihail Lukin

--
Best regards, Mihail Lukin
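A check worth running before reaching for Wireshark, added here as example code (not from the original thread, from Squid or from the helper). In its default configuration squid_kerb_auth acquires acceptor credentials for HTTP/<proxy FQDN>@<REALM> (the -s option changes this), so gss_acquire_cred() fails whenever the keytab named by KRB5_KTNAME has no key for exactly that principal: Kerberos principals are case-sensitive, a short host name is a different principal from the FQDN the browser builds its SPN from, and a keytab that was never refreshed after a password reset carries the wrong KVNO. The script parses the klist -ekt listing Markus asks for and reports what is missing; file permissions for the cache_effective_user are a separate check the thread already covers. The listing, hostnames, realm and enctypes below are constructed.

```python
import re

# Constructed `klist -ekt /etc/squid/HTTP.keytab` listing (not from the original
# post): the keytab only holds a short-name HTTP principal, so the FQDN the
# browser builds its SPN from is absent.
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/30/2013 16:55:01 HTTP/proxy@EXAMPLE.LOCAL (arcfour-hmac)
   2 10/30/2013 16:55:01 HTTP/proxy@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2 10/30/2013 16:55:01 host/proxy.example.local@EXAMPLE.LOCAL (arcfour-hmac)
"""

# "KVNO  date  time  service/host@REALM (enctype)"
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Turn a klist -ekt listing into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append({"kvno": int(kvno), "service": service, "host": host,
                            "realm": realm, "enctype": enctype})
    return entries


def check_http_keytab(text, proxy_fqdn, realm):
    """Return findings explaining why the helper could not acquire credentials
    for HTTP/<proxy_fqdn>@<realm> from this keytab. Empty list: the principal
    is present with a single KVNO."""
    http = [e for e in parse_klist(text) if e["service"] == "HTTP"]
    if not http:
        return ["no HTTP/ service principal in keytab"]
    exact = [e for e in http if e["host"] == proxy_fqdn and e["realm"] == realm]
    if exact:
        kvnos = sorted({e["kvno"] for e in exact})
        return [] if len(kvnos) == 1 else ["multiple KVNOs for the HTTP principal: %s" % kvnos]
    present = sorted({"HTTP/%s@%s" % (e["host"], e["realm"]) for e in http})
    findings = ["no entry HTTP/%s@%s; keytab has %s" % (proxy_fqdn, realm, ", ".join(present))]
    # Near misses: same host ignoring case, or same host in another realm.
    for host, rlm in sorted({(e["host"], e["realm"]) for e in http}):
        if host.lower() != proxy_fqdn.lower():
            continue
        if host != proxy_fqdn:
            findings.append("host name case differs: %s vs %s (principals are case-sensitive)"
                            % (host, proxy_fqdn))
        if rlm != realm:
            findings.append("realm differs: %s vs %s" % (rlm, realm))
    return findings


if __name__ == "__main__":
    for finding in check_http_keytab(SAMPLE_KLIST, "proxy.example.local", "EXAMPLE.LOCAL"):
        print(finding)
```

Feed it the real listing with check_http_keytab(open("klist.txt").read(), socket.getfqdn(), "YOUR.REALM"); the FQDN must be the one clients resolve the proxy name to, not necessarily what the box calls itself.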
[squid-users] Re: decode kerberos messages
The easiest way is to look at the traffic in wireshark.

Markus

"Carlos Defoe" wrote in message news:cahshsyvkkczcf+6f1mqqrmmhgodxyn_boeeqcvva3yh4ywl...@mail.gmail.com...

My goal was only to know which computer and/or user is failing to use each method of authentication. The network is too big, and among those thousands of messages I need to know first where those failures are coming from. Probably the user is being prompted with the auth window, but as he thinks it is normal, he doesn't ask our support to fix it. I want to know so I can send support to fix or replace the computer.

On Thu, Oct 31, 2013 at 2:14 PM, Carlos Defoe wrote:

Hi Amos,

Seems that it doesn't work for kerberos tokens:

NTLM Signature:`� � +
NTLM Message Type:2551
BITMAP00
Unknown @12:0x 160
...

For a NTLM token it shows the flags.

On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries wrote:

On 31/10/2013 6:02 a.m., Carlos Defoe wrote:

Hi,

Is it possible to decode those "negotiate_kerberos_auth" debug messages? I tried "base64 -d", but it shows a lot of garbage and almost nothing readable.

It is a binary NTLMSSPI packet. I have put a simple decoder together for debugging purposes:
http://treenet.co.nz/projects/squid/ntlm_token.php

Amos
[squid-users] Re: transparent proxy on remote box issue
> I am suspecting something is going on but I am just not seeing it in the logs.
> tshark is not catching anything either by host or port 3130 on either
> VPN/SQUID. Does the TPROXY way work for SQUID on a remote server? Because I
> was going to try that next.
>
> ping, dns lookup all seem normal except for port 80 (all apps not using
> port 80 work). With clean.rules set using your suggested rules I see this
> (client can browse but doesn't look like it went to the SQUID server at all):
>
> Src: 10.100.0.1 (10.100.0.1, VPN client), Dst: 176.32.98.168 (amazon)
> Src: 10.0.0.170 (10.0.0.170, VPN), Dst: 176.32.98.168 (176.32.98.168)
> Src: 176.32.98.168 (176.32.98.168), Dst: 10.0.0.170 (10.0.0.170)
>
> Let's just say things look normal.
>
> With proxy.rules (policy based routing), I see a lot of TCP retransmissions
> from VPN client/server to the web server.
>
> 10.0.0.170 -> 157.166.248.10 TCP 78 60440 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783310 TSecr=0 SACK_PERM=1
> 10.0.0.170 -> 157.166.248.11 TCP 78 [TCP Retransmission] 60437 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783793 TSecr=0 SACK_PERM=1
> 10.100.0.1 -> 157.166.249.10 TCP 78 [TCP Retransmission] 60438 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783995 TSecr=0 SACK_PERM=1
>
> It does this until it gives up. I hope that rings a bell. I could be
> debugging this wrong and not seeing the obvious. There is no trace on the SQUID
> server or in its log so I assume traffic didn't make it over. On the VPN server
> when I do a query to a web site it works, which is weird because I thought it
> should also get routed since all tcp on eth0 is marked (also no log in
> access.log on the squid side so it's not routed).
>
> Thanks,

Update. Found this, https://forums.gentoo.org/viewtopic-t-932554-start-0.html, that helped me look at the mac address of the src/dst. With proxy.rules now with the above info I see the mac address of the web site is the mac address of the SQUID server. Again I only see one direction of traffic going to the web site. At least we know it's doing something that looks correct. With clean.rules, the web site's mac address is the gateway/DNS (in my case the same mac). I see bidirectional traffic between the web site and the VPN server. On the SQUID server I have applied the 4 rules from this SQUID guide: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect There is no traffic to SQUID using tshark. Nothing in SQUID logs or syslog. Nothing in VPN's syslog.

Thanks,
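A quick way to turn the capture observations above into a list of affected flows, added here as example code (not from the thread, from Squid or from the wiki pages linked). With policy routing the SYN is steered to the proxy box, but the reply, whether from the origin or from Squid on the proxy box, has to find its own way back; a flow that sends SYNs and never sees a SYN/ACK is the signature of that return path being broken or of the packet being dropped before the proxy's REDIRECT rule sees it. The script reads tcpdump -nn style lines, as produced by the tcpdump -i eth0 -nn port 80 command suggested in the thread, and lists the flows with unanswered SYNs, retransmissions included. The capture lines, addresses and ports below are constructed.

```python
import re
from collections import defaultdict

# Constructed `tc pdump -nn -i eth0 tcp port 80` lines (not the poster's capture):
# two flows whose SYNs are never answered and one that completes the handshake.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.100.0.1.60438 > 157.166.249.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.500001 IP 10.100.0.1.60438 > 157.166.249.10.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 IP 10.0.0.170.60440 > 157.166.248.10.80: Flags [S], seq 2, win 65535, length 0
12:00:03.000001 IP 10.0.0.170.60441 > 176.32.98.168.80: Flags [S], seq 3, win 65535, length 0
12:00:03.010001 IP 176.32.98.168.80 > 10.0.0.170.60441: Flags [S.], seq 9, ack 4, win 65535, length 0
12:00:03.020001 IP 10.0.0.170.60441 > 176.32.98.168.80: Flags [.], ack 10, win 65535, length 0
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def unanswered_syns(capture_text):
    """Map (client, cport, server, sport) -> number of SYNs sent, for TCP flows
    that never received a SYN/ACK. Retransmitted SYNs show up as a count > 1."""
    syns = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, int(sport), dst, int(dport))] += 1
        elif flags == "S.":
            # The SYN/ACK runs server -> client; key it from the client's side.
            answered.add((dst, int(dport), src, int(sport)))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def clients_without_replies(capture_text):
    """Collapse the unanswered flows to the client addresses affected, the
    first thing to compare between the VPN client and the VPN server."""
    return sorted({flow[0] for flow in unanswered_syns(capture_text)})


if __name__ == "__main__":
    for flow, n in unanswered_syns(SAMPLE_CAPTURE).items():
        print("%s:%d -> %s:%d  %d SYN(s), no SYN/ACK" % (flow + (n,)))
```

Run the same capture on the VPN server's eth0 and on the proxy's eth0 at the same time: a flow that is unanswered on the VPN side but absent on the proxy side never arrived there, while one that is unanswered on both sides arrived and was dropped or answered on a path the capture does not see.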
[squid-users] Re: transparent proxy on remote box issue
Eliezer Croitoru <...@ngtech.co.il> writes:

> Hey,
>
> On 10/31/2013 09:58 AM, WorkingMan wrote:
> > iptables -t nat -A POSTROUTING -j MASQUERADE
>
> try to flush all the iptables rules by:
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
>
> then add the next:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> sysctl -w net.ipv4.ip_forward=1
>
> The above rules should make the client able to do any network thing he
> needs to if the vpn client and server are configured to route all the
> traffic to the VPN server.
> then use tcpdump:
> tcpdump -i eth0 -nn port 80
>
> to see what traffic is being sent from the server to the web.
>
> then and only after these tests are made (note that the -F might need
> the POSTROUTING or any other name of a table after it) you can minimize
> the cause of the problem to the VPN level or to the iptables or any
> other level.
>
> can you by any chance run a "ifconfig -a" command and share the output?
>
> Eliezer
>

Do I need to do anything on the client side? I am using the OS's built-in VPN client and browser.

VPN server:

eth0      Link encap:Ethernet  HWaddr 0a:a5:82:f8:2e:93
          inet addr:10.0.0.170  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8a5:82ff:fef8:2e93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15268379 (15.2 MB)  TX bytes:917810 (917.8 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

#this interface has no consequence since it's working with or without it
eth1      Link encap:Ethernet  HWaddr 0a:af:5f:23:3d:31
          inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8af:5fff:fe23:3d31/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:435969 (435.9 KB)  TX bytes:458603 (458.6 KB)

SQUID server:

eth0      Link encap:Ethernet  HWaddr 0a:3c:e1:08:45:b7
          inet addr:10.0.0.117  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::83c:e1ff:fe08:45b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:105968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58748 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:101288758 (101.2 MB)  TX bytes:17275538 (17.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:175 errors:0 dropped:0 overruns:0 frame:0
          TX packets:175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82568 (82.5 KB)  TX bytes:82568 (82.5 KB)

I am suspecting something is going on but I am just not seeing it in the logs. tshark is not catching anything either by host or port 3130 on either VPN/SQUID. Does the TPROXY way work for SQUID on a remote server? Because I was going to try that next.

ping, dns lookup all seem normal except for port 80 (all apps not using port 80 work). With clean.rules set using your suggested rules I see this (client can browse but doesn't look like it went to the SQUID server at all):

Src: 10.100.0.1 (10.100.0.1, VPN client), Dst: 176.32.98.168 (amazon)
Src: 10.0.0.170 (10.0.0.170, VPN), Dst: 176.32.98.168 (176.32.98.168)
Src: 176.32.98.168 (176.32.98.168), Dst: 10.0.0.170 (10.0.0.170)

Let's just say things look normal.

With proxy.rules (policy based routing), I see a lot of TCP retransmissions from VPN client/server to the web server.

10.0.0.170 -> 157.166.248.10 TCP 78 60440 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783310 TSecr=0 SACK_PERM=1
10.0.0.170 -> 157.166.248.11 TCP 78 [TCP Retransmission] 60437 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783793 TSecr=0 SACK_PERM=1
10.100.0.1 -> 157.166.249.10 TCP 78 [TCP Retransmission] 60438 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783995 TSecr=0 SACK_PERM=1

It does this until it gives up. I hope that rings a bell. I could be debugging this wrong and not seeing the obvious. There is no trace on the SQUID server or in its log so I assume traffic didn't make it over. On the VPN server when I do a query to a web site it works, which is weird because I thought
Re: [squid-users] decode kerberos messages
My goal was only to know which computer and/or user is failing to use each method of authentication. The network is too big, and among those thousands of messages I need to know first where those failures are coming from. Probably the user is being prompted with the auth window, but as he thinks it is normal, he doesn't ask our support to fix it. I want to know so I can send support to fix or replace the computer.

On Thu, Oct 31, 2013 at 2:14 PM, Carlos Defoe wrote:
> Hi Amos,
>
> Seems that it doesn't work for kerberos tokens:
>
> NTLM Signature:`� � +
> NTLM Message Type:2551
> BITMAP00
> Unknown @12:0x 160
> ...
>
> For a NTLM token it shows the flags.
>
> On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries wrote:
>> On 31/10/2013 6:02 a.m., Carlos Defoe wrote:
>>>
>>> Hi,
>>>
>>> Is it possible to decode those "negotiate_kerberos_auth" debug
>>> messages? I tried "base64 -d", but it shows a lot of garbage and
>>> almost nothing readable.
>>
>>
>> It is a binary NTLMSSPI packet. I have put a simple decoder together for
>> debugging purposes:
>> http://treenet.co.nz/projects/squid/ntlm_token.php
>>
>> Amos
[squid-users] Re: IPv6 + Intercept proxy
> TPROXY is not routing. It is packet interception, taking a packet from
> the kernel TCP stack and delivering it to a local process running on
> that machine. Taking packets from that same local process marked with a
> special TPROXY flag and allowing them to be routed despite having a src
> address of a different machine (spoofing is normally prohibited by the
> kernel).
>
> Simple really. But it places a lot of requirement pressure on the
> networking and routing to handle the packets properly.
>
> > The alternative for remote host is policy based routing (if you followed my
> > other thread on this for ipv4 but ipv6 should not be too different). But as I
> > said before I am not able to make it work.
>
> Unfortunately the policy routing is mandatory whenever there are
> alternative routes for the packets to travel over which bypass the
> interceptor proxy.
>
> Amos
>

Does the TPROXY setup work with a remote proxy server? It appears to be for local routing only. I don't want to start trying this if it will not support remote routing (hint: specify this in the wiki; also it doesn't say that newer kernels seem to have all the dependencies built into the kernel out of the box, and based on the configuration I saw it's all there; most of the guides out there on this are for kernel 2.6.x which is old).

Thanks,
Re: [squid-users] decode kerberos messages
Hi Amos,

Seems that it doesn't work for kerberos tokens:

NTLM Signature:`��+
NTLM Message Type:2551
BITMAP00
Unknown @12:0x 160
...

For a NTLM token it shows the flags.

On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries wrote:
> On 31/10/2013 6:02 a.m., Carlos Defoe wrote:
>>
>> Hi,
>>
>> Is it possible to decode those "negotiate_kerberos_auth" debug
>> messages? I tried "base64 -d", but it shows a lot of garbage and
>> almost nothing readable.
>
>
> It is a binary NTLMSSPI packet. I have put a simple decoder together for
> debugging purposes:
> http://treenet.co.nz/projects/squid/ntlm_token.php
>
> Amos
Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication
On 1/11/2013 2:45 a.m., Matteo De Lazzari wrote:
> Uhm, I cannot understand. The user and computer that you found is the
> currently logged in windows user. It's a local user. If I want to use the
> browser, a login box appears. So I try to insert the domain credentials
> in the form domain\username and the password. After I click on the ok
> button, in the log I find that the user that squid is trying to
> authenticate is the local logged in user and not the user which I inserted.
> Have you any idea of what's the cause of this behaviour?

Popup from the browser is supposed to be a *last resort* action to locate credentials. They first try any other sources of credentials that can be found.

I expect if you look deeply you will see that the browser is sending the NTLM local machine credentials over first, then only displaying that popup when that NO_SUCH_USER causes them to fail.

At least that is what is supposed to be happening.

Amos
Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication
I add another thing. If I click over and over again on the ok button in the login prompt, after an unsuccessful login like below, I get a successful login with kerberos with the right credentials inserted into the login window.

For example:

2013/10/31 14:59:06| negotiate_wrapper: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2013/10/31 14:59:06| negotiate_wrapper: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2013/10/31 14:59:06| negotiate_wrapper: received type 1 NTLM token
2013/10/31 14:59:06| negotiate_wrapper: Return 'TT TlRMTVNTUAACEAAQADgFgomihuhYCU+1bPYAAKoAqgBIBgEAAA9QAFIARQBWAEkARABPAE0AAgAQAFAAUgBFAFYASQBEAE8ATQABABoAUwBSAFYAUwBRAFUASQBEAFAAUgBPAFgAWQAEACgAcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAMARABzAHIAdgBzAHEAdQBpAGQAcAByAG8AeAB5AC4AcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAA= '
2013/10/31 14:59:06| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAIoYABgAogAAABQAFABIGgAaAFwUABQAdgC6BYKIogUBKAoPQgBBAEwARABBAFMAUwBJAE4AUgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAEIAQQBMAEQAQQBTAFMASQBOAFIAq1Q20RKzg8QAMxioQ/YxkVY0L8xikTmoqqYH1sM2078v' from squid (length: 251).
2013/10/31 14:59:06| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAIoYABgAogAAABQAFABIGgAaAFwUABQAdgC6BYKIogUBKAoPQgBBAEwARABBAFMAUwBJAE4AUgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAEIAQQBMAEQAQQBTAFMASQBOAFIAq1Q20RKzg8QAMxioQ/YxkVY0L8xikTmoqqYH1sM2078v' (decoded length: 186).
2013/10/31 14:59:06| negotiate_wrapper: received type 216 NTLM token
2013/10/31 14:59:06| negotiate_wrapper: Return 'NA = NT_STATUS_NO_SUCH_USER '
2013/10/31 14:59:44| negotiate_wrapper: Got 'YR ...' from squid (length: 1967).
2013/10/31 14:59:44| negotiate_wrapper: Decode 'YIIFvAYGKwYBBQUCoIIFsDCCBaygJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBYIEggV+YIIFegYJKoZIhvcSAQICAQBuggVpMIIFZaADAgEFoQMCAQ6iBwMFACCjggSFYYIEgTCCBH2gAwIBBaEWGxRQUkVWSURPTS5QUkVWSU5FVC5JVKI1MDOgAwIBAqEsMCobBEhUVFAbInNydnNxdWlkcHJveHkucHJldmlkb20ucHJldmluZXQuaXSjggQlMIIEIaADAgEXoQMCAQSiggQTBIIED24e4jfaNzU02uwF2gkyHqaHgFt/BifkbI/kr8++dZLTVxVGVUE+LEuYV5wsjE5UIKtCRRBeKMtX9Qi15U+pSGQ6IHd23PeVFLixYPR/TVUQQT2nYdKQuSfRYwwVZuPKDFdg02vu7+DvNvs4psFXvp2XUwGT4scPFtESfkowhNPzPtJHLdpno6lUHUJhFYq0gMuVAlpVPENuPolCwknER/+QGmFUcPqVl7PUL749cOLi9Xuxf3mbZow6X5wznTnsgoLQsqE555sIGBj68XAeg4wCb0uU9hrUuZzzasW7z26O5SuL0W2n2w0rcZ/MZs6bfS5naoCkH/zSa1ukjZhvP7QHkNko26u1k1UKEckZ8g6Mtt+0eP4lRJ7TpA0G5WewSckZg1pVhFEgf6M3LSr+t3vztJBEwzhy58StIvkJvBH1TfCTn9IGyjbUKko9U2YZ+15epb/6J2vqLFSEMlINxRhV/Pd9dqyODRmOSfsIIZOso4Y6DQjNbcF0CYWRmfMilMvFVPSqF38HBKtW+smMdh7e/UkKGT+jaJA6f4e28uFMAffyIVxKlYXpL44YcAhjaKTveKsGNXHv+NNQV+lm55p8HS37o9DhUC0kUqCuIG6p9IVurcKwqjo8wjgcTjKhmxLSUNgL4iNoV6oZRki9Kfqupg8xOwJazr/PrvP0O0p9GY+8hxK5BR8p/GBeL5EhvGrJDUrbg+OlAZnxSG2tGik/5HN86s0+KgDcqmBg2eNuy/2/oyOYF2OpIup2s25kPuC88ygmmcB6UrliFID6hoN9eOO/+27xBSl+1GqW3Xmcu0yFLUETNg1rBu/qXQ+jPZmkXZ1Pt1Tyd
Re: [squid-users] Problem with negotiate_wrapper and ntlm authentication
Uhm, I cannot understand. The user and computer that you found is the currently logged in windows user. It's a local user. If I want to use the browser, a login box appears. So I try to insert the domain credentials in the form domain\username and the password. After I click on the ok button, in the log I find that the user that squid is trying to authenticate is the local logged in user and not the user which I inserted. Have you any idea of what's the cause of this behaviour?

Thanks

On 29/10/2013 22.44, Amos Jeffries wrote:
> On 30/10/2013 3:49 a.m., Matteo De Lazzari wrote:
>> Now I have squid Version 3.3.9, but the problem still persists.
>> This is from cache.log
>>
>> 2013/10/29 15:07:49| negotiate_wrapper: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
>> 2013/10/29 15:07:49| negotiate_wrapper: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
>> 2013/10/29 15:07:49| negotiate_wrapper: received type 1 NTLM token
>> 2013/10/29 15:07:49| negotiate_wrapper: Return 'TT TlRMTVNTUAACEAAQADgFgomiMudf8qKFH9cAAKoAqgBIBgEAAA9QAFIARQBWAEkARABPAE0AAgAQAFAAUgBFAFYASQBEAE8ATQABABoAUwBSAFYAUwBRAFUASQBEAFAAUgBPAFgAWQAEACgAcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAMARABzAHIAdgBzAHEAdQBpAGQAcAByAG8AeAB5AC4AcAByAGUAdgBpAGQAbwBtAC4AcAByAGUAdgBpAG4AZQB0AC4AaQB0AAA= '
>> 2013/10/29 15:07:49| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAIYYABgAngAAABIAEgBIGgAaAFoSABIAdAC2BYKIogUBKAoPRABFAEYAQQBWAEUAUgBJAEwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBEAEUARgBBAFYARQBSAEkATACBrzocRC8vigBvHsRiK+DEPUVqWMDAk2PS8BDbT/X3mBg=' from squid (length: 247).
>> 2013/10/29 15:07:49| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAIYYABgAngAAABIAEgBIGgAaAFoSABIAdAC2BYKIogUBKAoPRABFAEYAQQBWAEUAUgBJAEwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBEAEUARgBBAFYARQBSAEkATACBrzocRC8vigBvHsRiK+DEPUVqWMDAk2PS8BDbT/X3mBg=' (decoded length: 182).
>> 2013/10/29 15:07:49| negotiate_wrapper: received type 216 NTLM token
>
> NTLM Type:3
> Target Name:DEFAVERIL
> User Name: Administrator
> Workstation Name: DEFAVERIL
>
>> 2013/10/29 15:07:49| negotiate_wrapper: Return 'NA = NT_STATUS_NO_SUCH_USER
>
> This is not a parser problem.
> This is actually a user credentials not existing problem. *NO SUCH USER*.
>
>> and again from command prompt all is good:
>> /usr/bin/ntlm_auth --username=provaproxy --password=Pass1word --domain=PREVIDOM
>> NT_STATUS_OK: Success (0x0)
>
> You are testing with different credentials to the ones which are failing.
>
> Amos
Re: [squid-users] squid url_rewrite_program
From: Sachin Gupta
> does url_rewrite_access solve this? Sample below. I tried but it doesn't
> seem to work.
>
> url_rewrite_program
> acl allow_port myportname xxx4 xxx5
> url_rewrite_access allow allow_port

What do you mean by "doesn't seem to work"? Everyone has access? Or nobody? Did you put a "deny all" after? Do you purposefully use myportname instead of port?

JD
Re: [squid-users] Re: transparent proxy on remote box issue
Hey,

On 10/31/2013 09:58 AM, WorkingMan wrote:
> iptables -t nat -A POSTROUTING -j MASQUERADE

try to flush all the iptables rules by:
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F

then add the next:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

The above rules should make the client able to do any network thing he needs to if the vpn client and server are configured to route all the traffic to the VPN server.
then use tcpdump:
tcpdump -i eth0 -nn port 80

to see what traffic is being sent from the server to the web.

then and only after these tests are made (note that the -F might need the POSTROUTING or any other name of a table after it) you can minimize the cause of the problem to the VPN level or to the iptables or any other level.

can you by any chance run a "ifconfig -a" command and share the output?

Eliezer
[squid-users] Re: IPv6 + Intercept proxy
Eliezer Croitoru <...@ngtech.co.il> writes:

> Hey there,
>
> On 10/30/2013 10:18 PM, WorkingMan wrote:
> > I think we need an up to date guide on
> > transparent proxy for remote host (with concrete example that works). I
> > followed too many guides that don't work.
>
> Maybe you still have this list of guides\articles\examples??
>
> I would like to see what you have seen and understand what is the common
> source of the problem in these articles.
> I am almost sure that there is a common way of describing the feature
> which makes it un-understandable.
>
> Thanks,
> Eliezer
>

My understanding is probably not great on all these matters since I am not able to make this work. My requirement is simple: set up a remote server that acts as a transparent proxy; 80/443 traffic comes from the VPN server and should be "redirected" to SQUID. I added rules for the VPN server with this guide: http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and added these rules on SQUID: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

It's not working. I just want to be able to follow a guide that results in a functional environment with a transparent proxy. The only time I was able to redirect traffic to SQUID was using DNAT/SNAT from sec 6.1 http://www.tldp.org/HOWTO/TransparentProxy-6.html, but that doesn't work for HTTP/1.0 according to the guide. In 6.1 somehow it has eth1 which is not explained (need two network interfaces?). All SQUID guides I saw related to this use one interface only - eth0.

At this point I don't think more theory will help me resolve this issue. I need a concrete example that just works. You can look at my other post for the detailed rules I am using on the remote transparent proxy. If I can make this work I will help you make a guide for dummies like myself.
[squid-users] Re: transparent proxy on remote box issue
> Some questions that might lead you in a useful direction for solving this:
> * is eth0 the right interface to be operating with?
>   does VPN have an interface of its own with better results?
>   is there something special you have to add on top of all this to make
> it work over a VPN connection?
> (all the testing done so far has been on regular ethernet and wireless
> connections).
>
> * when the packets go from client to Squid to Internet they are still
> labeled by TPROXY as having come from the client IP. What path do they
> take back to the client?
>   is Squid box with its TPROXY logics on that return path?
>
> Amos
>

I think I am in a worse shape than you think. Port 80 traffic is not going to SQUID at all. I don't see it in the access.log anyway.

On SQUID I use these from the SQUID wiki:

export WAN=eth0
SQUIDIP=$(ifconfig eth0 | grep inet | awk '{ print $2 }' | cut -f 2 -d ":")
SQUIDPORT=3130
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

on VPN I use these (from wiki and maybe some from elsewhere):

export SQUID=
export SQUID_PORT=3130
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
iptables -t mangle -A PREROUTING -i $WAN -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i $WAN -o $WAN -p tcp --dport 80 -j ACCEPT
#do the rt_tables change once
echo 202 http >> /etc/iproute2/rt_tables
#remove old rules
ip rule del fwmark 2 table http
ip route del default via $SQUID dev eth0 table http
#add new rules
ip rule add fwmark 2 table http
ip route add default via $SQUID dev eth0 table http
ip route flush cache
iptables-save

Does the above affect local traffic on the VPN server as well? On the VPN server I can query web sites without issue. But the VPN client can't. I don't understand where the traffic is getting dropped. tshark catches nothing, nothing in SQUID logs. Is the above configuration correct for what I want to do? I did add a secondary network interface to my VPN server but I don't see how it will help. I did try to use eth1 to route marked traffic but it didn't work.

Thanks,
Re: [squid-users] Re: IPv6 + Intercept proxy
Hey there,

On 10/30/2013 10:18 PM, WorkingMan wrote:
> I think we need an up to date guide on transparent proxy for remote host
> (with concrete example that works). I followed too many guides that don't work.

Maybe you still have this list of guides\articles\examples??

I would like to see what you have seen and understand what is the common source of the problem in these articles.
I am almost sure that there is a common way of describing the feature which makes it un-understandable.

Thanks,
Eliezer
Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)
I'm not sure what the input should be. I tried to paste base64-encoded data from cache.log (YIIGsQYGKwYB...EbrQ==), and base64-decoded and URL-encoded data (%60%82%06%B1%06%06%2B%...%1B%AD), but the output is a bunch of "Unknowns".

On Thu, Oct 31, 2013 at 10:02 AM, Amos Jeffries wrote:
> On 31/10/2013 5:54 p.m., Mihail Lukin wrote:
>>
>> I don't know why access-time is not being updated, but strace has
>> shown that keytab is being read successfully by squid_kerb_auth
>> process.
>
>
> This tool may help you identify whether the tokens being sent to Squid are
> the ones you are expecting:
> http://treenet.co.nz/projects/squid/ntlm_token.php
>
> Amos
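Why the NTLM decoder prints "Unknown" for these tokens, for this thread and for the "decode kerberos messages" and negotiate_wrapper threads above. This is an added example written for this page; it is not code from the original threads, from Squid or from the decoder Amos linked. A browser answering a Negotiate challenge sends one of two things: a raw NTLMSSP message, which starts with the literal bytes NTLMSSP\0, or a GSS-API token (DER, tag 0x60, then the SPNEGO OID 1.3.6.1.5.5.2) wrapping a Kerberos AP-REQ. The data Mihail pasted begins YIIGsQ.. = 0x60 0x82 0x06 0xB1, and Matteo's 1967-byte token begins YIIFvA.., so both are SPNEGO, which an NTLM-only decoder cannot interpret but Wireshark's GSS-API dissector can. The script classifies a token and, for NTLM type 3, extracts the domain, user and workstation that NTLM sends in clear, which is what made DEFAVERIL\Administrator visible in Amos's decode; for a Kerberos token only the realm and the HTTP/ service principal are readable, since the client name is in the encrypted part. The NTLM type 3 message and the SPNEGO fragment are constructed (the tokens quoted in the thread are mangled in this archive), as are the names EXAMPLE.LOCAL and proxy.example.local.

```python
import base64
import struct

NTLMSSP_MAGIC = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # OID 1.2.840.113554.1.2.2


def classify_token(raw):
    """'ntlmssp' for a raw NTLMSSP message, 'spnego' for a GSS-API token
    (tag 0x60) carrying SPNEGO, 'krb5' for a bare Kerberos GSS token, else
    'unknown'. An NTLM-only decoder prints garbage for the latter kinds."""
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlmssp"
    head = raw[:16]                                   # tag, DER length, mech OID
    if raw[:1] == b"\x60":
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "krb5"
    return "unknown"


def _secbuf(raw, off):
    """Dereference an NTLM security buffer: Len, MaxLen, BufferOffset."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
    return raw[offset:offset + length]


def parse_ntlm(raw):
    """Fields of an NTLMSSP message. In a type 3 (AUTHENTICATE_MESSAGE,
    MS-NLMP 2.2.1.3) domain, user and workstation travel in clear."""
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 3:
        info["flags"] = struct.unpack_from("<I", raw, 60)[0]
        unicode = bool(info["flags"] & 0x00000001)   # NTLMSSP_NEGOTIATE_UNICODE
        names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
        for i, name in enumerate(names):             # six 8-byte buffers from offset 12
            data = _secbuf(raw, 12 + 8 * i)
            if name in ("domain", "user", "workstation"):
                data = data.decode("utf-16-le" if unicode else "latin-1")
            info[name] = data
    return info


def krb_strings(raw):
    """Crude scan for KerberosString values (DER GeneralString, tag 0x1b).
    In an AP-REQ the realm and service principal (HTTP/fqdn) are in clear;
    the client name sits in the encrypted part. Chance matches inside
    encrypted bytes are possible, so treat the output as a hint."""
    out, i = [], 0
    while i + 2 <= len(raw):
        n = raw[i + 1]
        if raw[i] == 0x1b and 0 < n < 0x80:
            s = raw[i + 2:i + 2 + n]
            if len(s) == n and s.isascii() and s.decode().isprintable():
                out.append(s.decode())
                i += 2 + n
                continue
        i += 1
    return out


def describe_negotiate_token(b64):
    """Run this on the base64 after 'YR'/'KK' in a helper log line."""
    raw = base64.b64decode(b64)
    result = {"kind": classify_token(raw), "length": len(raw)}
    if result["kind"] == "ntlmssp":
        result.update(parse_ntlm(raw))
    elif result["kind"] in ("spnego", "krb5"):
        result["strings"] = krb_strings(raw)
    return result


def build_ntlm_type3(domain, user, workstation):
    """Constructed AUTHENTICATE_MESSAGE for exercising the parser offline;
    the LM/NT responses are zero placeholders, not real NTLMv2 proofs."""
    parts = [b"\x00" * 24, b"\x00" * 24]
    parts += [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    msg = bytearray(NTLMSSP_MAGIC + struct.pack("<I", 3))
    offset = 88                                       # fixed header incl. Version + MIC
    for part in parts:
        msg += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    msg += struct.pack("<I", 0xA2888205)              # UNICODE | REQUEST_TARGET | NTLM | ...
    msg += b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"        # Version 6.1.7601, NTLMSSP rev 15
    msg += b"\x00" * 16                               # MIC placeholder
    return bytes(msg + b"".join(parts))


def _kerberos_string(s):
    return b"\x1b" + bytes([len(s)]) + s.encode()


# Constructed samples: an NTLM type 3 for a local account, and the start of a
# SPNEGO-wrapped AP-REQ with realm and service principal in clear.
SAMPLE_NTLM_B64 = base64.b64encode(
    build_ntlm_type3("DEFAVERIL", "Administrator", "DEFAVERIL")).decode()
SAMPLE_SPNEGO = (bytes.fromhex("608205bc06062b0601050502a08205b0")
                 + b"\xa1\x0f" + _kerberos_string("EXAMPLE.LOCAL")
                 + b"\xa2\x35\x30\x33\xa0\x03\x02\x01\x02\xa1\x2c\x30\x2a"
                 + _kerberos_string("HTTP") + _kerberos_string("proxy.example.local"))
SAMPLE_SPNEGO_B64 = base64.b64encode(SAMPLE_SPNEGO).decode()

if __name__ == "__main__":
    print(describe_negotiate_token(SAMPLE_NTLM_B64))
    print(describe_negotiate_token(SAMPLE_SPNEGO_B64))
```

For Carlos's goal of finding the failing machine: a Kerberos token does not carry the workstation name, so pair the failing helper replies with the client address in access.log; an NTLM type 3 does carry it, and a workstation name equal to the domain field (as in DEFAVERIL\Administrator) is the tell-tale of a machine offering local rather than domain credentials.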
Re: [squid-users] invalid request
On 31/10/2013 4:17 a.m., Cheikhou Dramé wrote:
> Hi everybody,
> I'm a newbie in squid. I have many "clientProcessRequest: Invalid request"
> errors in my cache.log file. Is there a way to identify the client which is
> sending those requests? My transparent squid server is running on centos 6.4.

It means the bytes received by Squid do not parse as an HTTP request. Squid only supports HTTP 0.9 / 1.0 / 1.1 protocol as input, with a few other port-80 protocols which use HTTP syntax such as ICY streaming media. Or in specific builds of Squid HTTPS port 443 traffic.

You can enable debug_options 33,5 to get some more details about what the parser found.

Usually a lot of them means your network is filled with software abusing port 80, or the proxy is otherwise listening on a port which is in active use by non-HTTP protocols.

Amos
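A way to answer the "which client" question from a packet capture rather than from cache.log, added here as example code (not from the thread or from Squid). On an intercepting proxy the bytes that Squid rejects are still on the wire, so take the first data segment of each client connection to the intercepted port (tcpdump -s0 -w on the proxy's interface, then any pcap reader) and classify it: an HTTP request line is what Squid's parser accepts; a TLS ClientHello, an SSH banner or a BitTorrent handshake on port 80 is what produces the "Invalid request" noise. The classifier below is a simplified stand-in for Squid's parser, the sample payloads are constructed, and the protocol labels are mine.

```python
import re

# Constructed first-payload samples for connections intercepted on port 80
# (not captured from the original poster's network).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "http09": b"GET /\r\n",
    "icecast": b"SOURCE /live ICE/1.0\r\ncontent-type: audio/mpeg\r\n\r\n",
    "tls": bytes.fromhex("160301012a010001260303") + b"\x00" * 16,
    "ssh": b"SSH-2.0-OpenSSH_6.2\r\n",
    "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8,
    "junk": b"\x00\x01\x02\x03hello",
}

# method SP request-target [SP HTTP-version] CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?\r?\n")
HTTP09_METHODS = (b"GET",)   # HTTP/0.9 has only GET and no version token


def classify_port80_payload(data):
    """Name the protocol behind the first bytes of an intercepted connection.
    Anything that is not an HTTP request line is what Squid logs as
    'clientProcessRequest: Invalid request'."""
    if data[:1] == b"\x16" and data[1:2] == b"\x03":
        return "tls-handshake"        # HTTPS sent to a plain http_port
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    m = REQUEST_LINE.match(data)
    if m:
        method, _target, version = m.groups()
        if version:
            return "http/" + version[5:].decode()
        if method in HTTP09_METHODS:
            return "http/0.9"
    first = data.split(b"\r\n", 1)[0]
    if first.startswith(b"SOURCE ") and first.endswith(b" ICE/1.0"):
        return "icecast-source"       # HTTP-like syntax, but not an HTTP request
    return "invalid"


def offending_clients(connections):
    """Group (client_ip, first_payload) pairs by protocol so the hosts that
    speak something other than HTTP on port 80 can be identified."""
    report = {}
    for client_ip, payload in connections:
        report.setdefault(classify_port80_payload(payload), set()).add(client_ip)
    return report


if __name__ == "__main__":
    conns = [("192.168.42.%d" % (10 + i), p) for i, p in enumerate(SAMPLES.values())]
    for proto, hosts in sorted(offending_clients(conns).items()):
        print(proto, sorted(hosts))
```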
Re: [squid-users] Re: Squid 3.3.2 SMP Problem
On 31/10/2013 6:02 a.m., Dr.x wrote:
> hi all,
> I've tried that on the kernel of centos 6.4, the last one, but it gives me:
>
> [root@squid ~]# sysctl -w net.local.dgram.recvspace=262144
> error: "net.local.dgram.recvspace" is an unknown key
>
> what does that mean?

It means the system control toggle for datagram packet buffer size is not called that name (if it exists at all).

> I'm trying to use the kernel of centos 6.4 without compiling it but I have kid registration time out!!

Kid registration is due to two basic causes:

1) the Unix data sockets opened by SHM between the worker kid and coordinator are somehow broken
 - might show up like this if the coordinator was able to open SHM properly but the worker has problems.

2) the Worker is so overloaded with processing during startup that its registration packet does not reach the coordinator quickly enough.
 - might happen if a large cache_dir were being scanned/repaired on startup

There could be other reasons, but those are the big ones we see a lot of reports about. There are now open bug reports about big rock cache_dir taking too long to load, AUFS rebuild recovery taking too long to finish, and the "squid -z ; squid" too-fast process sequence (eg as seen in many startup scripts) closing SHM connections midway through startup of the second "squid" process.

Amos