RE: [squid-users] Advice on private keys and SSL

2006-04-19 Thread Discussion Lists
That is exactly what I needed to know.  Thank you very much!

 -Original Message-
 From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, April 15, 2006 1:11 PM
 To: Discussion Lists
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Advice on private keys and SSL
 
 
 Sat 2006-04-15 at 10:07 -0700, Discussion Lists wrote:
  Obviously I would want different certificates for different domains.
  BUT would I want to have a different key for each certificate?
 
 Let's put it this way: normally you have one key per certificate,
 and you also generate a new key each time the certificate is
 renewed, and there is no reason not to.
 
 I know of only a single situation where one would consider using
 the same key for multiple certificates, and that is if you are
 using an RSA accelerator which cannot handle multiple keys. But
 given the fact that even entry-level RSA accelerator chips for SSL
 don't have any practical restrictions on the number of RSA keys,
 I doubt you will run into such a situation.
 
 Similarly I know of only one situation where one would like to keep
 the same key on a certificate renewal, and that is if the key is
 somehow recorded into restricted hardware and not easy to change.
 
 So while it is true that technically you can use the same key for
 all certificates if you want to, generally it's best to use unique
 keys per certificate.
 
 Regards
 Henrik
 


[squid-users] Advice on private keys and SSL

2006-04-15 Thread Discussion Lists
All,
Suppose I am using V3 Squid, and I have multiple SSL directives to
reverse-proxy multiple domains.  I am sorta new to the whole SSL
certificate process so forgive the uninformed question here.  Obviously
I would want different certificates for different domains.  BUT would I
want to have a different key for each certificate?  In other words is it
better to use a single key to obtain certificates from, or have multiple
keys, one for each certificate?  I would assume choice B is the answer,
but I just wanted to be sure.

TIA!


RE: [squid-users] Squid3 and certificates in a cluster

2006-04-10 Thread Discussion Lists
Great advice, thank you!

 -Original Message-
 From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
 Sent: Monday, April 10, 2006 2:18 AM
 To: Discussion Lists
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid3 and certificates in a cluster
 
 
 Sun 2006-04-09 at 21:10 -0700, Discussion Lists wrote:
  Suppose I have two squid3 machines that are clustered, and I want them
  both to offer reverse SSL proxy (depending on whichever is active of
  course).  Assuming that all is set up correctly, couldn't I just keep
  identical copies of the certificate and key on each machine and expect
  Squid3 and the Internet to not know the difference?
 
 Yes.
 
 In fact this is even a MUST for clustered SSL servers, as
 otherwise the clients will get quite confused if they get
 different certificates from the same server.
 
 Please note that it is also important that you set the sslcontext
 differently on the members of the cluster (or alternatively
 disable SSL session reuse entirely if you have an RSA
 accelerator chip or lots of spare CPU time). If not, there
 is a slight risk of confusion in SSL session reuse causing
 random client communication failures.
 
 Regards
 Henrik
 


[squid-users] Squid3 and certificates in a cluster

2006-04-09 Thread Discussion Lists
Suppose I have two squid3 machines that are clustered, and I want them
both to offer reverse SSL proxy (depending on whichever is active of
course).  Assuming that all is set up correctly, couldn't I just keep
identical copies of the certificate and key on each machine and expect
Squid3 and the Internet to not know the difference?

Thanks!


RE: [squid-users] Squid 3 Static compile with SSL

2006-04-05 Thread Discussion Lists
Good deal, I'll give it a try.

 -Original Message-
 From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 05, 2006 8:16 AM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 3 Static compile with SSL
 
 
 On 04.04.06 21:36, Discussion Lists wrote:
  The subject basically says it all.  I want to compile squid3
  statically with SSL enabled.  I have tried doing the following:

  ./configure --enable-ssl --enable-static=yes

  But that doesn't work.  I still get an error indicating an SSL library
  is needed and missing.

  I also tried adding -static to the gcc option in the Makefile, and
  I also added it to the LDFLAGS (which probably would have worked
  anyhow). When I do the configure statement above however without the
  --enable-ssl it seems to be compiled statically, but it just doesn't
  have SSL capabilities.  I've done google searches, I've checked the
  configure --help, and nothing that I could see.  Any ideas?
 
 Playing with configure args usually doesn't help if you do
 not have the SSL library installed. You probably need the
 development version of libssl, which is often packaged separately.
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Warning: I do NOT want to receive any advertising mail at this address.
 Microsoft dick is soft to do no harm
 


RE: [squid-users] Simple port 80 squid reverse-proxy question

2006-04-04 Thread Discussion Lists
Thank you VERY much for this.  Greatly appreciated!

 -Original Message-
 From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 04, 2006 1:27 PM
 To: Discussion Lists
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Simple port 80 squid reverse-proxy question
 
 
 Sat 2006-04-01 at 11:21 -0800, Discussion Lists wrote:
 
  I set up a reverse proxy using squid 3.0.  It works fine actually, but
  I wanted to run the config by you all to be sure I wasn't missing
  anything important.  In particular, I am worried about commenting out
  the http_access deny all.  I added an allow all setting, but I was
  wondering if there was a better way, and also if I am doing the below
  stuff correctly as well.  Here's my setup:
 
  always_direct allow all
 
 Don't do this in squid-3 accelerators. Instead use the 
 cache_peer directive to tell Squid-3 where the origin server 
 is. This gives you much better control over how Squid routes 
 the requests.
 
 Note: the reason why Squid-3 does not allow direct by default
 on accelerated content is the security concerns raised
 earlier. By requiring the use of a configured peer for
 accelerated content by default, the risk that the accelerator
 becomes an open proxy through a simple access control error
 (i.e. allow all) is minimized.
 
 Regards
 Henrik
 


[squid-users] Simple port 80 squid reverse-proxy question

2006-04-01 Thread Discussion Lists
All,
I set up a reverse proxy using squid 3.0.  It works fine actually, but I
wanted to run the config by you all to be sure I wasn't missing anything
important.  In particular, I am worried about commenting out the
http_access deny all.  I added an allow all setting, but I was
wondering if there was a better way, and also if I am doing the below
stuff correctly as well.  Here's my setup:

Outside world --- Squid --- webserver

-I am doing normal http port 80 reverse-proxying.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl allowed_hosts src 10.0.5.0/255.255.255.0

http_access deny manager all
http_access allow allowed_hosts
#http_access deny all

icp_access  allow  allowed_hosts
icp_access deny all

cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_effective_user nobody
cache_effective_group nobody
visible_hostname Linux

always_direct allow all
http_port 192.168.1.79:80 defaultsite=www.test.in
http_access allow all


RE: [squid-users] SSL reverse-proxy questions (was redirect)

2005-05-23 Thread Discussion Lists
Okay, I'll just start over.  First of all, I should never have used the
term "redirect".  That is more of a firewall term, and it should have
been left out.  All I want to do is reverse-proxy SSL connections,
hopefully several of them.  Each time you set up one of these
connections, you have to add in a line similar to below into squid.conf:

https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel your.site.name protocol http

This will reverse-proxy any request for your.site.name from what I
understand.  But that is just one site.  Suppose I have another site
that I want available for SSL?  Could I just add another line similar to
the above, but for the second, third or more sites?

Okay here's the second question.  The above line is an example of how to
reverse-proxy from SSL to http, or port 443, to port 80 right?  Now,
suppose I want to reverse-proxy several SSL connections, similar to
above, but instead of changing from SSL to http, (443 - 80 as above) I
am reverse-proxying straight SSL (443 - 443).  Is this possible for
multiple sites?  If it is, is there some way that I could make it so I
would not need a certificate on the firewall for each connection and
just have the backend server handle certificate requests?

Lastly, I found information on the internet about how to create your own
certificates, but nothing about how to import them from somewhere else.
Anyone know of any tutorials that deal with this?

Thanks,
Mark

 -Original Message-
 From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] 
 Sent: Monday, May 23, 2005 2:55 AM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] SSL redirect questions
 
 
 On 22.05 12:35, Discussion Lists wrote:
  I have some general questions about reverse-proxying SSL.

  1. What is the best way to do it using Squid:
  a. Do a straight redirect from port 443 to port 443 from server to
  server with no certificate presented from the firewall, but rather
  from the server that the connection is redirected to (is this even
  possible with Squid?).
  b. Redirect port 443 to port 80 on the destination server(s), and use
  the firewall to present each of the certificates.
 
 Are you talking about reverse-proxying or redirecting?
 When reverse proxying, you do not redirect anything. If
 redirecting, you do not care about certificates.
 
 What I understand by a reverse SSL proxy is that squid
 listens for SSL requests on port 443 and forwards plain HTTP
 requests to the HTTP server.
 
 There is of course the possibility to forward https requests with
 a different key/certificate, but it has meaning only in some
 special cases.
 
  2. If the answer is B, I have several backend SSL servers, all of 
  which I want to redirect connections to.
 
 Why? Why do you want to push one level of servers in front of the backends?
 
  This is an aspect of proxying/reverse-proxying where my knowledge is
  weak, maybe some of you have some suggestions.
 
 I do not understand why you need reverse proxying at all...
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Warning: I do NOT want to receive any advertising mail at this address.
 Your mouse has moved. Windows NT will now restart for changes to take
 effect. [OK]
 


[squid-users] SSL redirect questions

2005-05-22 Thread Discussion Lists
All,
I have some general questions about reverse-proxying SSL.

1. What is the best way to do it using Squid:
a. Do a straight redirect from port 443 to port 443 from server
to server with no certificate presented from the firewall, but rather
from the server that the connection is redirected to (is this even
possible with Squid?).
b. Redirect port 443 to port 80 on the destination server(s),
and use the firewall to present each of the certificates.

2. If the answer is B, I have several backend SSL servers, all of which
I want to redirect connections to.  I am not good at all with server
keys and certificates.  Does anyone know of any documentation for how to
deal with importing certificates that were generated for the backend
servers, so they work on the Firewall?  I found documentation for how to
create and generate your own certificates, and keys, but I am afraid I
don't know enough about the way keys and certificates work to fully
understand how to make that work for my particular purpose.

This is an aspect of proxying/reverse-proxying where my knowledge is
weak, maybe some of you have some suggestions.

Thanks!


[squid-users] NT authentication without joining the domain

2005-05-10 Thread Discussion Lists
Hi All,
I am running into a curious problem that I was hoping you all would be
able to help me with.  I am troubleshooting a problem with a squid
config where squid authenticates proxy users against active directory
using NT authentication (re: NOT LDAP) and that machine isn't joined to
the domain at all.  It doesn't work now, but they insist it did work.
Does anyone have docs on how to get squid to auth users without being
joined to the domain first?

Thanks!


[squid-users] 2 squid processes

2005-04-29 Thread Discussion Lists
All,
Obscure question here: Has anyone been able to get 2 squid processes
running?  I remember corresponding to a gentleman a while back who was
able to get it to work, and he gave me his init-scripts, and conf files.
Since then I have been unable to find that stuff try as I may, so I
wanted to check with you good folks to see if any of you have something
like that which can help me?  The problem is that the single squid
process can't handle all of what I want:

-Internal squid listener for proxy clients
-External squid listener to publish our websites Port 80.
-External squid listener to publish SSL Port 443.

I found the following link (scroll down a third of the way) and it
describes how to do this, but it would be really helpful to see config
files, and init files.

http://66.102.7.104/search?q=cache:OwnNlpbABqgJ:www.swelltech.com/support/webminguide/ch03.html+%22two+squid+processes%22&hl=en&client=firefox-a

Thanks!


[squid-users] Redirecting internal sites problem

2005-01-14 Thread Discussion Lists
All,
I have squid set up to reverse-proxy a bunch of our internal websites to
the Internet.  I have listed all of the ones I want reverse-proxied in
the httpd_accel_host line and everything seems to work great.  Squid
however, is reverse-proxying a host that I don't want it to, and I think
it is because that host is available through DNS.  Here are the rest of
the options I specified:

httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Since the servers have non-routable IP's, Squid is using our internal
DNS servers (split DNS) to resolve the internal IP's to the external
names.  It is entirely likely that I bungled something above.  Could
any of you help me?

Thanks!


RE: [squid-users] integrating squid/linux with windows 2003 domain controller and active directory

2004-09-08 Thread Discussion Lists
Before you move back to ISA, I think I can help.  I was able to get it
to work by ensuring that the machine object in AD is pre-windows 2000
compatible, and also by disabling SMB signing at the DC (you have to do
that using the security templates).  It occurred to me as I was reading
this that it may be possible to define some rules in your IPSec policy
that disable signing only for communication with the squid machines.  I
haven't tried that, so I don't know if it would work (I am not even sure
it has that functionality), but it may be worth a try.

 -Original Message-
 From: narancs [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, September 08, 2004 1:21 AM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] integrating squid/linux with windows 
 2003 domain controller and active directory
 Importance: High
 
 
 Dear All,
 
 We have this situation:
 
 1. internet proxy for a company is a suse 9.0 linux dist with
    squid-2.5.STABLE3-110
 2. proxy authentication is required
 3. usernames/password should be taken from the company's windows'
    active directory
 4. there are three groups of users: three different acls are required:
    - average joe user can only view some sites based on a list
    - leaders can view anything, but only http and https
    - sysadmins can ftp, too
 5. group membership should also be taken from windows
 6. pre-windows2000 protocols are not enabled because of security
    policy and requirements, maybe this is the reason why msnt_auth
    doesn't seem to work. On a DC that enables NT4's protocols,
    msnt_auth works.
 7. both ldap_auth authenticators I couldn't get working, although I
    have seen the ldap tree scheme, maybe I was wrong understanding it.
 
 My question is:
 - does anybody have experience and tips how to get this working?
 - will ntlm_auth or msnt_auth work at all with w2k or newer 
 when nt4's older ntlm and lanman is disabled?
 - can ldap_auth work with active directory?

Haven't tried it, but interesting question . . .

 - can we use group membership info somehow?

Yes, I have been able to get it to work using Samba and Winbind.  I seem
to remember having to replace the wb_ files from Samba to Squid though,
one in particular was wb_group if I remember correctly.  It has been a
while, so I am trying to remember.

 - is there any way to create a local (open)ldap replica based 
 on the AD?

I don't have an answer to that one, although if it is possible, it could
allow for a range of other possibilities as well.

 - should we use pam_auth and pam_ldap instead? or kerberos?

I didn't need to go that far with it.
 
 I couldn't find good examples on google yet, to help us get it right.
 
 If me and colleagues can't cope with it, we'll have to move
 back to MS ISA proxy, which personally I don't really like.
 
 thank you very much for your help people!
 with regards
 N.N.

Also, keep in mind I used Samba 2.x and Winbindd.  That worked for me,
and I haven't tested out Samba 3 yet, although I hear it is a drastic
improvement.  The thing about all of this is that it doesn't just
work.  You kinda have to tinker with it.  The wb_ files that come with
Squid (correct me if I am wrong someone) don't always play nice with
whatever current version Samba you are running, so you either need to
get versions that match up, or you have to replace out the files.  Maybe
someone on the list has more details than I do about that?

Thanks,
Mark

 
 


RE: [squid-users] Using A windows 2003 server to authenticate squid users

2004-09-08 Thread Discussion Lists
I have been able to get this to work.  I am working on a how-to, but
basically here is how it works.  Squid authenticates to Win2003 using
Samba and Winbindd.  Squid enforces authentication on users connecting
to the outside world, and records their activity by username in the
access.log.  I have a script, that is a modification of the Squid2Mysql
script that is on SourceForge.net that will basically tail the
access.log and throw it into a MySQL database.  There is no way to get
it in to MySQL directly as of now that I know of.  Once it is in the
database, it is trivial to write some kind of front-end that will display
this data.

Would anyone be interested in seeing a how-to for this?  I may need
some help though, because I have only gotten this to work with Samba
2.x, and haven't had a chance to try version 3.

Thanks,
Mark

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, September 08, 2004 8:08 AM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] Using A windows 2003 server to 
 authenticate squid users
 
 
 Hi All
 
 Need a pointer or two to track usage of bandwidth for 
 specific people on my network ... The IP is sufficient but I 
 would like to be able to use the usernames of my SMB windows 
 server to track the usage more accurately and easily?
 
 Is this possible ...?
 
 Thanks
 
 Andrew Gargan
 Programmer/Web Designer - Open Source IT Solutions
 cell: +27 (073) 146 3490
 


RE: [squid-users] Squid and OWA using SSL

2004-09-06 Thread Discussion Lists
Matus/list,
Thanks for helping me.  I have the internal/external DNS thing going
already fortunately because of exactly what you mentioned.  I guess I
was a little confused with how to do the rules.  I already have rules
that publish internal sites.

httpd_accel_host www.domainname.com, www.domain2name.com
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This is just normal http traffic though.  Can I still keep this, and
publish https as well?  How would those rules look?

Thanks,
Mark

 -Original Message-
 From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, September 05, 2004 11:15 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [squid-users] Squid and OWA using SSL
 
 
 On 04.09 21:20, Discussion Lists wrote:
  I have tried to search for a solution on this, and either I missed it,
  or it just isn't out there.  I need to set up a redirector for OWA
  using Squid, but here are some details:

  1. Users from the Internet need to connect using SSL (this is a must).
  2. The connection needs to be redirected back to the Exchange server
  using normal http.

  Wanted to check if anyone has done this, and if so, how?  Also, is
  there a how-to out there that describes how to do this specific thing?
  Or else how to redirect SSL connections back as http connections?  I
  can probably figure out the rest from there.
 
 I've tried to do this, but there's one problem: the shitty
 exchange returns a <BASE HREF=exchange.host.name/exchange/>
 tag in the generated HTML, so you'll need to set up the same
 hostname visible from the internal network and from the external.
 
 The rest should work using squid as an https accelerator.
 
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Warning: I do NOT want to receive any advertising mail at this address.
 Fucking windows! Bring Bill Gates! (Southpark the movie)
 


RE: [squid-users] Getting username into squid access.log

2004-09-05 Thread Discussion Lists
Hi Joe,
I have been able to set up a Squid proxy that forces users to
authenticate to it using Samba and Winbind.  With a few ACL's I can
restrict who can, and cannot access the Internet.  This also shows up on
the access.log as domain\username.  If you need more details, email me
directly, and I will be happy to help in any way I can.  BTW, this isn't
for transparent mode, although (at least in a windows environment) you
don't need it.

Thanks,
Mark

 -Original Message-
 From: Joe Kraft [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, September 05, 2004 12:03 PM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] Getting username into squid access.log
 
 
 I've read so much Squid documentation that my head is spinning now.  I
 just want to clear up one point before I expend any more brain bytes.
 
 If I set up squid to work transparently, ala FAQ 17.1, does that mean
 that there is absolutely NO WAY I will ever be able to get squid to
 figure out who is logged in at the machine that made the request?  And
 thus, no usernames in the access.log?
 
 I just want to make sure that this is the behavior referenced in the
 discussions about proxy-auth.  So I can control access by the IP address
 of the machine, but not by user.  Squid is not allowed by the RFC to ask
 anything back to the requesting machine, because the requester is not
 expecting squid to be there in the middle.  Is this correct so far?
 
 So the least intrusive way to make this work, and to have the names, is
 to not use squid in a transparent mode and use the automatic
 configuration script from FAQ 5.2?
 
 Thanks,
 Joe.
 
 


RE: [squid-users] Hacking ntlm_auth to allow squidGuard ACLs

2004-09-04 Thread Discussion Lists
Thanks Jay,
I have a test environment, so I can just try uninstalling Samba2.x, and
just install Samba3 instead.  I will give it a try.

Thanks again!
Mark

 -Original Message-
 From: Jay Turner [mailto:[EMAIL PROTECTED] 
 Sent: Friday, September 03, 2004 2:25 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [squid-users] Hacking ntlm_auth to allow squidGuard ACLs
 
 
 
  Hi All,
 
  First post here!
 
  In the following article the author describes how to get Samba 3 and
  Squid working.
 
  http://www.informatikserver.at/modules.php?name=News&file=print&sid=2710
 
  However towards the end the author has a topic called "Hacking
  ntlm_auth to allow squidGuard ACLs".  He describes making the following
  changes to the source of the ntlm_auth.c:
 
  In source/utils/ntlm_auth.c locate the line:
  x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);
 
  And modify it to:
  x_fprintf(x_stdout, "AF %s\n", ntlmssp_state->user);
 
  I came across this page because I was looking for a way to get
  squidGuard to recognize NT users so that I can create exceptions for
  certain ones.  This way I can still proxy, and log the user's actions,
  but they won't have their content filtered.  Will what this person is
  describing above accomplish that?  Has anyone done this?  If not can
  anyone think of any negative consequences?  Also, if this does work
  the way I think it will, would I not specify the username in
  squidGuard as domain\user, or just user.  domain\user crashes
  squidguard (probably because of the \, I am guessing).  Any ideas?
 
 
 I have successfully done this with Squid2.5, Samba3 &
 SquidGuard 1.2.0 without making any changes to any source. I
 just set up a number of squidguard userlists which I reference
 in my squidguard.conf file.
 
 Each file contains users in the following format:
 
 user1
 user2
 user3
 
 That's all that was required for me and I can now filter 
 users depending on their ADS user name via SquidGuard.
 
 I'm not sure why the article you reference states you need to 
 make changes. I'm sure there is a good reason, I just know 
 that I made no changes.
 
 Regards
 Jay
 
 
 


[squid-users] Squid and OWA using SSL

2004-09-04 Thread Discussion Lists
Hi all,
I have tried to search for a solution on this, and either I missed it,
or it just isn't out there.  I need to set up a redirector for OWA using
Squid, but here are some details:

1. Users from the Internet need to connect using SSL (this is a must).
2. The connection needs to be redirected back to the Exchange server
using normal http.

Wanted to check if anyone has done this, and if so, how?  Also, is there
a how-to out there that describes how to do this specific thing?  Or else
how to redirect SSL connections back as http connections?  I can
probably figure out the rest from there.

Thanks,
Mark


RE: [squid-users] Web site got hack through squid

2004-09-04 Thread Discussion Lists
Hi Tom,
People should correct me if I am wrong, however a proxy server such as
squid doesn't know the difference between a legitimate web request, and
a malicious one.  Both can, and in most cases are required to be
compliant with various networking RFC's.  A malformed GET request, for
instance, done with just the right payload (no need to tweak it to work
with squid), and aimed at a sufficiently vulnerable windows box/service
is all it takes.  A reverse-shell spawning payload would give the attacker
unlimited access to your machine at that point.  Since all a proxy server does
is forward web transactions, that service is nearly as vulnerable as if
the box was sitting naked on the Internet.  So without knowing more
details, this comes down to a question of how well patched is your web
service?

Hope that helps,
Mark

 -Original Message-
 From: Tom Le [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, September 04, 2004 9:49 PM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] Web site got hack through squid
 
 
 Hi,
 
 I have a website that sits behind squid 2.5 and it got hacked into
 today.  Someone from this ip address, 200.148.134.206, has put a few
 files into my website through squid.  The content of the index.html is
 
 Simiens Crew 2004 Ownz U
 
 Here is the log from squid
 
 1094326387.752 899375 200.148.134.206 TCP_MISS/000 0 PUT http://hostname/index.html - DIRECT/my website ip adress -
 
 Can any of you give me some insight into this problem, and how to
 tighten my squid server down?
 
 Thanks
 
 
 
 -- 
 
 Tom Le
 Phone : (604) 612-6617
 Email : [EMAIL PROTECTED]
 
 
 
 
 
 

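Tom's log line shows the shape of a Squid native access.log record (timestamp, elapsed milliseconds, client address, action/status, bytes, method, URL, ident, hierarchy/peer, content type) and why a PUT relayed to the origin through an accelerator stands out: a public reverse proxy normally only needs to pass reads. The scanner below, an added example and not code from the Squid project or from anyone in the thread, parses records in that format and lists write methods from clients outside the proxy's own networks, then counts them per client. The log lines, the client and origin addresses, the internal network ranges and the set of expected methods are all constructed for this demonstration, modelled on the line Tom posted.

```python
"""Scan Squid native access.log records for write methods from outside.

Added example for the thread above; not code from the Squid project.
Record layout (space separated): timestamp elapsed-ms client action/status
bytes method URL ident hierarchy/peer content-type.  A status of 000 means
Squid recorded no HTTP reply status for that transaction.
"""
import ipaddress
from collections import Counter

# Assumptions for this demonstration: the proxy's own networks, and the
# methods a public accelerator is expected to relay to the origin.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXPECTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed log lines, modelled on the PUT record in the thread.  Client
# and origin addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
1094326387.752 899375 203.0.113.7 TCP_MISS/000 0 PUT http://hostname/index.html - DIRECT/192.0.2.10 -
1094326390.101 12 198.51.100.23 TCP_MISS/200 5120 GET http://hostname/ - DIRECT/192.0.2.10 text/html
1094326391.554 9 10.0.5.12 TCP_MISS/201 0 PUT http://hostname/upload/a.txt - DIRECT/192.0.2.10 -
1094326392.002 31 203.0.113.7 TCP_MISS/200 2048 DELETE http://hostname/old.html - DIRECT/192.0.2.10 -
"""


def parse_line(line):
    """Split one native-format record into a dict; None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "action": action,
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
    }


def is_internal(ip):
    """True when the client address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_writes(log_text):
    """Records with an unexpected method from a client outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in EXPECTED_METHODS and not is_internal(rec["client"]):
            hits.append((rec["client"], rec["method"], rec["url"], rec["status"]))
    return hits


def writes_per_client(hits):
    """Count flagged write requests per client address."""
    return Counter(client for client, _method, _url, _status in hits)


if __name__ == "__main__":
    hits = suspicious_writes(SAMPLE_LOG)
    for client, method, url, status in hits:
        print(f"{client} {method} {url} -> status {status}")
    print(writes_per_client(hits))
```

On the sample the internal PUT from 10.0.5.12 is left alone while the PUT and DELETE from 203.0.113.7 are flagged; the PUT carries status 000 after a long elapsed time, the same pattern as the record Tom posted, where Squid relayed the request but logged no reply status. Pairing the flagged clients with the accelerator's http_access rules shows whether such methods should have reached the origin at all.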

[squid-users] Hacking ntlm_auth to allow squidGuard ACLs

2004-09-02 Thread Discussion Lists
Hi All,

First post here!

In the following article the author describes how to get Samba 3 and
Squid working.

http://www.informatikserver.at/modules.php?name=News&file=print&sid=2710

However towards the end the author has a topic called "Hacking ntlm_auth
to allow squidGuard ACLs".  He describes making the following changes to
the source of the ntlm_auth.c:

In source/utils/ntlm_auth.c locate the line:
x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain,
ntlmssp_state->user);

And modify it to:
x_fprintf(x_stdout, "AF %s\n", ntlmssp_state->user);

I came across this page because I was looking for a way to get
squidGuard to recognize NT users so that I can create exceptions for
certain ones.  This way I can still proxy, and log the user's actions,
but they won't have their content filtered.  Will what this person is
describing above accomplish that?  Has anyone done this?  If not can
anyone think of any negative consequences?  Also, if this does work the
way I think it will, would I not specify the username in squidGuard as
domain\user, or just user.  domain\user crashes squidguard
(probably because of the \, I am guessing).  Any ideas?

Thanks,
Mark