[squid-users] Unsupported method in request dropbox.com
Hi everybody!!

I get these messages on cache.log:

2011/06/14 10:23:54| clientParseRequestMethod: Unsupported method attempted by client_ip: This is not a bug. see squid.conf extension_methods
2011/06/14 10:23:54| clientParseRequestMethod: Unsupported method in request 'X-Dropbox-Locale: es'
2011/06/14 10:23:54| clientProcessRequest: Invalid Request

when accessing dropbox:

client_ip - user_name [14/Jun/2011:10:23:54 +0200] GET http://notify3.dropbox.com/subscribe? HTTP/1.1 200 366 TCP_MISS:DEFAULT_PARENT

Doing a tcpdump on the squid eth and filtering by client ip address I obtain this:

10:23:54.184989 IP (tos 0x0, ttl 64, id 25600, offset 0, flags [DF], proto TCP (6), length 406) proxy-ip.3128 > client_ip.2712: Flags [P.], cksum 0xe043 (incorrect -> 0x3668), seq 1:367, ack 308, win 6432, length 366
10:23:54.188327 IP (tos 0x0, ttl 128, id 59315, offset 0, flags [DF], proto TCP (6), length 347) client_ip.2712 > proxy-ip.3128: Flags [P.], cksum 0xdeb5 (correct), seq 308:615, ack 367, win 65169, length 307
10:23:54.188345 IP (tos 0x0, ttl 64, id 25601, offset 0, flags [DF], proto TCP (6), length 40) proxy-ip.3128 > client_ip.2712: Flags [.], cksum 0x0a1b (correct), seq 367, ack 615, win 7504, length 0
10:23:54.223297 IP (tos 0x0, ttl 64, id 25602, offset 0, flags [DF], proto TCP (6), length 1500) proxy-ip.3128 > client_ip.2712: Flags [.], cksum 0xe489 (incorrect -> 0x97d6), seq 367:1827, ack 615, win 7504, length 1460
10:23:54.223331 IP (tos 0x0, ttl 64, id 25603, offset 0, flags [DF], proto TCP (6), length 326) proxy-ip.3128 > client_ip.2712: Flags [P.], cksum 0xdff3 (incorrect -> 0x13cb), seq 1827:2113, ack 615, win 7504, length 286
10:23:54.223756 IP (tos 0x0, ttl 128, id 59316, offset 0, flags [DF], proto TCP (6), length 40) client_ip.2712 > proxy-ip.3128: Flags [.], cksum 0x2099 (correct), seq 615, ack 2113, win 65535, length 0
10:23:54.226327 IP (tos 0x0, ttl 64, id 25604, offset 0, flags [DF], proto TCP (6), length 40) proxy-ip.3128 > client_ip.2712: Flags [F.], cksum 0x0348 (correct), seq 2113, ack 615, win 7504, length 0
10:23:54.226803 IP (tos 0x0, ttl 128, id 59317, offset 0, flags [DF], proto TCP (6), length 40) client_ip.2712 > proxy-ip.3128: Flags [.], cksum 0x2098 (correct), seq 615, ack 2114, win 65535, length 0

I don't understand why it says unsupported method when it is just a GET. Can anyone help me?

I use Version 3.0.STABLE25.

Thanks a lot!
Re: [squid-users] what does this warning mean?
Solved!!

I realized that at the same time as the warnings, I have in access.log the following entries:

[28/Feb/2011:08:34:59 +0100] POST http://activate.pdfcreator-toolbar.org/toolbar/activate.php HTTP/0.0 400 1733 NONE:NONE
[28/Feb/2011:08:34:59 +0100] POST http://activate2.pdfcreator-toolbar.org/toolbar/activate.php HTTP/0.0 400 1733 NONE:NONE

So it is a toolbar that sometimes PDF Creator installs, and it's trying to make those connections. Just uninstall it and everything is ok.

Thanks Amos for putting me on the track.

2011/2/25 Amos Jeffries squ...@treenet.co.nz:
> On 25/02/11 22:39, Gontzal wrote:
>> Hi list,
>>
>> I always have these messages on my cache.log, but I've never been worried about them; it is just curiosity to know what this means and if I can solve it. The message is:
>>
>> 2011/02/25 09:53:53| WARNING: HTTP header contains NULL characters {Accept: */*^M Content-Type: application/x-www-form-urlencoded}
>
> Exactly what it says. The HTTP headers contain a NULL character. Older Squid will only display one {} section with the NULL byte being right after the last displayed character. 3.x will display two {} sections with the text NULL in between to indicate the problem better.
>
> Squid should be aborting the request unanswered and closing the TCP link involved.
>
> This is a sign of an attack on the HTTP service, although it can be done by badly broken software unintentionally. In this case the Content-Type indicates the headers came from some client agent. I don't think it's a browser since they are usually sending correct HTTP requests.
>
> If you have time it is worth tracking down where these come from and seeing what can be done to fix the source.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
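Amos's advice in this thread is to track down where the NUL-bearing requests come from, and the poster did it by matching the cache.log timestamp against access.log. The following is an added example (mine, not from the thread and not Squid code) that automates both halves of that check: it parses access.log lines in the layout quoted in this thread, flags the requests Squid logged as HTTP/0.0 400 NONE:NONE (no parsed version, a 400, no cache or upstream activity, the shape the thread shows for requests Squid gave up on), groups them by client address, and runs the NUL-byte test behind the cache.log warning over a captured raw request. The log lines and the request are constructed for the example.

```python
"""Find the source of malformed requests from Squid's logs.

Added example, not from the thread or from Squid. Two checks:
  * access.log entries logged as HTTP/0.0 400 NONE:NONE, the shape shown
    in the thread for requests Squid rejected before finishing the parse;
  * NUL bytes inside a captured request's header block, the condition
    behind "WARNING: HTTP header contains NULL characters".
The log and the request below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout quoted in this thread:
# client ident user [timestamp] METHOD URL PROTO status bytes RESULT:HIERARCHY
ACCESS_LOG = """\
10.1.2.3 - jdoe [28/Feb/2011:08:34:59 +0100] POST http://activate.pdfcreator-toolbar.org/toolbar/activate.php HTTP/0.0 400 1733 NONE:NONE
10.1.2.3 - jdoe [28/Feb/2011:08:34:59 +0100] POST http://activate2.pdfcreator-toolbar.org/toolbar/activate.php HTTP/0.0 400 1733 NONE:NONE
10.1.2.9 - asmith [28/Feb/2011:08:35:02 +0100] GET http://www.example.org/index.html HTTP/1.1 200 5120 TCP_MISS:DEFAULT_PARENT
10.1.2.9 - asmith [28/Feb/2011:08:35:03 +0100] GET http://www.example.org/missing HTTP/1.1 404 1200 TCP_MISS:DEFAULT_PARENT
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "
    r"(?P<method>\S+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)$"
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """One access.log entry as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_malformed_requests(log: str) -> List[Dict[str, str]]:
    """Entries with no parsed protocol version (HTTP/0.0), a 400 and no
    cache or upstream activity (NONE:NONE): Squid gave up on the request."""
    hits = []
    for line in log.splitlines():
        rec = parse_access_line(line)
        if rec and rec["proto"] == "HTTP/0.0" and rec["status"] == "400" \
                and rec["result"] == "NONE:NONE":
            hits.append(rec)
    return hits


def sources_by_client(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group the offending URLs by client address: the host to go and inspect."""
    out: Dict[str, Set[str]] = {}
    for rec in hits:
        out.setdefault(rec["client"], set()).add(rec["url"])
    return out


def nul_bytes_in_headers(raw: bytes) -> List[str]:
    """Header names whose line contains a NUL byte in a captured request.

    Squid refuses such a request; a client that emits one is either broken
    or probing the proxy, which is why the source is worth tracing.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    bad = []
    for hdr in head.split(b"\r\n")[1:]:          # skip the request line
        if b"\x00" in hdr:
            bad.append(hdr.split(b":", 1)[0].decode("ascii", "replace"))
    return bad


# Constructed request: the Content-Type line carries a stray NUL, as in the
# warning quoted in the thread.
BAD_REQUEST = (
    b"POST /toolbar/activate.php HTTP/1.1\r\n"
    b"Host: activate.pdfcreator-toolbar.org\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\x00\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hits = find_malformed_requests(ACCESS_LOG)
    for client, urls in sources_by_client(hits).items():
        print(client, sorted(urls))
    print("NUL in:", nul_bytes_in_headers(BAD_REQUEST))
```

Run against a real access.log the client column is what matters: the URL tells you which agent is broken, the client address tells you which machine to uninstall it from.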
[squid-users] what does this warning mean?
Hi list,

I always have these messages on my cache.log, but I've never been worried about them; it is just curiosity to know what this means and if I can solve it. The message is:

2011/02/25 09:53:53| WARNING: HTTP header contains NULL characters {Accept: */*^M Content-Type: application/x-www-form-urlencoded}

Thanks a lot
[squid-users] killing RunCache
Hi list,

I'm experiencing something very strange: almost every 20 minutes I get the message "Killing RunCache, pid ..." as you can see in this log:

2011/02/18 10:20:01| Killing RunCache, pid 23638
2011/02/18 10:20:01| Preparing for shutdown after 189767 requests
2011/02/18 10:20:01| Waiting 30 seconds for active connections to finish
2011/02/18 10:20:01| FD 183 Closing HTTP connection
2011/02/18 10:20:07| Starting Squid Cache version 3.0.STABLE25 for i686-pc-linux-gnu...
2011/02/18 10:20:07| Process ID 5251
2011/02/18 10:20:07| With 1024 file descriptors available
--
2011/02/18 10:40:02| Killing RunCache, pid 5249
2011/02/18 10:40:02| Preparing for shutdown after 205359 requests
2011/02/18 10:40:02| Waiting 30 seconds for active connections to finish
2011/02/18 10:40:02| FD 183 Closing HTTP connection
2011/02/18 10:40:07| Starting Squid Cache version 3.0.STABLE25 for i686-pc-linux-gnu...
2011/02/18 10:40:07| Process ID 19084
2011/02/18 10:40:07| With 1024 file descriptors available
--
2011/02/18 11:00:03| Killing RunCache, pid 19082
2011/02/18 11:00:03| Preparing for shutdown after 159779 requests
2011/02/18 11:00:03| Waiting 30 seconds for active connections to finish
2011/02/18 11:00:03| FD 183 Closing HTTP connection
2011/02/18 11:00:08| Starting Squid Cache version 3.0.STABLE25 for i686-pc-linux-gnu...
2011/02/18 11:00:08| Process ID 1167
2011/02/18 11:00:08| With 1024 file descriptors available
--
2011/02/18 11:20:01| Killing RunCache, pid 1165
2011/02/18 11:20:01| Preparing for shutdown after 131488 requests
2011/02/18 11:20:01| Waiting 30 seconds for active connections to finish
2011/02/18 11:20:01| FD 183 Closing HTTP connection
2011/02/18 11:20:06| Starting Squid Cache version 3.0.STABLE25 for i686-pc-linux-gnu...
2011/02/18 11:20:06| Process ID 14641
2011/02/18 11:20:06| With 1024 file descriptors available
--
2011/02/18 11:40:01| Killing RunCache, pid 14639
2011/02/18 11:40:01| Preparing for shutdown after 148627 requests
2011/02/18 11:40:01| Waiting 30 seconds for active connections to finish
2011/02/18 11:40:01| FD 183 Closing HTTP connection
2011/02/18 11:40:06| Starting Squid Cache version 3.0.STABLE25 for i686-pc-linux-gnu...
2011/02/18 11:40:06| Process ID 27946
2011/02/18 11:40:06| With 1024 file descriptors available

Of course, it means squid restarts with a few seconds of downtime. I'm running Squid 3.0 Stable 25 over an opensuse 11.0 box.

This is the conf part of squid.conf that relates to the cache:

cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 1024 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir ufs /var/log/squid/cache 25000 42 256

Anyone knows what's going on?

Thanks a lot
[squid-users] CPU excessive utilization
Hello all,

We are experiencing some problems with one of our squid boxes; sometimes it has 95 % CPU use, offering a low service level.

Squid Cache: Version 3.0.STABLE19 with NTLM Auth.

I've realized that almost all the times we have these messages at cache.log:

[2010/04/26 13:24:29, 1] libsmb/ntlmssp.c:ntlmssp_update(333) got NTLMSSP command 3, expected 1
[2010/04/26 13:24:29, 1] libsmb/ntlmssp.c:ntlmssp_update(333) got NTLMSSP command 3, expected 1
[2010/04/26 13:24:29, 1] libsmb/ntlmssp.c:ntlmssp_update(333) got NTLMSSP command 3, expected 1

What does this mean? May it have any relation with the CPU problem?

Thanks a lot
[squid-users] not asking for auth through proxy.pac
Hello everybody,

I'm not sure if it is a question of squid or my problem is because of proxy.pac. We are using a pac file to redirect users of subnetA to proxyA, and users of subnetB to proxyB. Both proxies use NTLM auth.

Trying to upload a document on to a web page through proxy.pac, it doesn't ask for authentication and it keeps thinking until error. When doing it through proxyA or proxyB directly there is no problem. It happens with a few applications that ask for authentication (NTLM) before posting files.

The access.log with proxy.pac:

- manuel [16/Dec/2009:13:23:42 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 200 24139 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:23:46 +0100] GET http://catalogopatrimonio.meh.es/pctw/org/org18.aspx HTTP/1.1 200 53395 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:23:46 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/scroll2.js HTTP/1.1 304 632 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:23:46 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 632 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:23:53 +0100] GET http://catalogopatrimonio.meh.es/pctw/org/org19_1.aspx? HTTP/1.1 200 134945 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:23:53 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 632 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT

The access.log with ProxyA directly:

- manuel [16/Dec/2009:13:34:00 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 629 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:03 +0100] GET http://catalogopatrimonio.meh.es/pctw/org/org18.aspx HTTP/1.1 200 53392 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:04 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/scroll2.js HTTP/1.1 304 629 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:04 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 629 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:09 +0100] GET http://catalogopatrimonio.meh.es/pctw/org/org19_1.aspx? HTTP/1.1 200 134934 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:10 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 629 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- - [16/Dec/2009:13:34:24 +0100] GET http://catalogopatrimonio.meh.es/pctw/proxyAuthorize.aspx HTTP/1.1 407 2161 TCP_DENIED:NONE
- - [16/Dec/2009:13:34:47 +0100] POST http://catalogopatrimonio.meh.es/pctw/org/org19_1.aspx? HTTP/1.1 407 2949 TCP_DENIED:NONE
- - [16/Dec/2009:13:34:47 +0100] POST http://catalogopatrimonio.meh.es/pctw/org/org19_1.aspx? HTTP/1.1 407 3242 TCP_DENIED:NONE
- manuel [16/Dec/2009:13:34:48 +0100] POST http://catalogopatrimonio.meh.es/pctw/org/org19_1.aspx? HTTP/1.1 200 134952 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:34:49 +0100] GET http://catalogopatrimonio.meh.es/pctw/js/FuncionesComunes.js HTTP/1.1 304 629 TCP_REFRESH_UNMODIFIED:DEFAULT_PARENT
- - [16/Dec/2009:13:38:07 +0100] GET http://catalogopatrimonio.meh.es/pctw/proxyAuthorize.aspx HTTP/1.1 407 2161 TCP_DENIED:NONE
- manuel [16/Dec/2009:13:38:19 +0100] GET http://catalogopatrimonio.meh.es/pctw/proxyAuthorize.aspx HTTP/1.1 200 1365 TCP_MISS:DEFAULT_PARENT
- manuel [16/Dec/2009:13:38:20 +0100] POST http://catalogopatrimonio.meh.es//pctw/GetFileUpload.aspx? HTTP/1.1 200 683 TCP_MISS:DEFAULT_PARENT

Any idea?

Thanks a lot
[squid-users] cannot enter cachemgr.cgi
Hi everybody!!

I've installed apache on my squid box for testing cachemgr.cgi, but when all is installed, I can't enter the cache manager; it asks for a user and a password I don't know. I've tried multiple users/passwords but always the same message:

The following error was encountered while trying to retrieve the URL: cache_object://saturno.iipp.int/
Cache Access Denied.
Sorry, you are not currently allowed to request cache_object://saturno.iipp.int/ from this cache until you have authenticated yourself.

I've changed the entry on cachemgr.conf from localhost to saturno.iipp.int:3128 with no result.
I've set "cachemgr_passwd password all" and tried it with users (root, squid, admin, webmaster, manager, etc) and nothing.

It is not the same error as in other posts I've seen.

Going through the documentation at http://wiki.squid-cache.org/SquidFaq/CacheManager it says about configuring with apache2:

  First, make sure the cgi-bin directory you're using is listed with a ScriptAlias in your Apache config.
  In the Apache config there is a sub-directory /etc/apache2/conf.d for application specific settings (unrelated to any specific site). Create a file conf.d/squid containing this...

On my installation there isn't any conf.d sub-directory, not in /etc nor on /usr/local/apache2 (default directory). Should I create it? Where?

I don't know what more to do, so if anyone can help I'd appreciate it.

Thanks a lot!
Re: [squid-users] cannot enter cachemgr.cgi
Ok, I forgot the 'http_access allow manager' entry in squid.conf. I've put it in, I added localhost in cachemgr.conf and now it's working perfectly.

Thanks a lot Mike!

2009/8/27 Mike Rambo mra...@lsd.k12.mi.us:
> Gontzal wrote:
>> Hi everybody!!
>>
>> I've installed apache on my squid box for testing cachemgr.cgi, but when all is installed, I can't enter the cache manager; it asks for a user and a password I don't know. I've tried multiple users/passwords but always the same message:
>>
>> The following error was encountered while trying to retrieve the URL: cache_object://saturno.iipp.int/
>> Cache Access Denied.
>> Sorry, you are not currently allowed to request cache_object://saturno.iipp.int/ from this cache until you have authenticated yourself.
>>
>> I've changed the entry on cachemgr.conf from localhost to saturno.iipp.int:3128 with no result.
>> I've set "cachemgr_passwd password all" and tried it with users (root, squid, admin, webmaster, manager, etc) and nothing.
>
> Make sure you allow manager access from more than localhost if you intend to access from other machines. See 'http_access allow manager' in squid.conf.
>
> AFAIK the manager name is meaningless. I don't even have to provide one to get into cachemgr.cgi. The password is the one you provide per the last line you quoted above. With the exact line as you have it above your password would be 'password' for all operations.
>
> I left localhost in cachemgr.conf but added both the hostname and ip address of the squid server to that file. You then need to specify one of those entries on the cache host line of the login dialog. Either should work.
>
> --
> Mike Rambo
>
> Life takes a bit of time and a lot of relationship.
> -papa
Re: [squid-users] various squid instances on same server
Yes, you can, more info: http://wiki.squid-cache.org/MultipleInstances

I've 3 different instances running on the same server with different authentication modes and it's working fine. But I just change the port, I don't use different ips.

2009/8/10 Enrique enri...@banmet.cu:
> Can I install various squid instances on the same server?
> For example: I want one squid to respond to some users on someip:8080 port and external ip A, ACLs, directives etc...
> Another squid responds to users on otherip:3128 and external ip B.
>
> Sometimes it happens that when some users are downloading a file from megaupload, rapidshare ... I can't, not now. If I can configure some ip addresses on my squid proxy and download files from those sites, then megaupload will see another ip.
Re: [squid-users] proxyauth for certain active directory users
I understand it is working fine authenticating against AD, so:

Once you have created your AD groups, you have to set some acls depending on the AD group, for example:

acl GR_OFICIAL external winbind_group G_2_NAV_Oficial
acl GR_NORMAL external winbind_group G_3_NAV_Estandar
acl GR_AVANZADO external winbind_group G_4_NAV_Avanzada

And then you just allow/deny access to those acls, for example:

http_access allow GR_OFICIAL paratodos permitidos
http_access allow GR_NORMAL permitidos !ficheros_download
http_access allow GR_AVANZADO permitidos

Good luck

2009/7/28 Nick Duda nd...@vistaprint.com:
> Sorry for the silly question, I've been using squid to allow access to users on a domain, but how can I limit access to users only in a certain security group on the domain?
>
> - Nick
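For the external ACLs in this reply, Squid hands each lookup to the helper named in external_acl_type (here wbinfo_group.pl, with %LOGIN as the only format token) as one text line and reads one OK/ERR line back, so an acl line such as "acl GR_OFICIAL external winbind_group G_2_NAV_Oficial" becomes a helper query of the form "user G_2_NAV_Oficial". The following is an added example, not the wbinfo_group.pl shipped with Squid: a helper of the same shape with a constructed in-memory membership table in place of the winbind lookups, plus a function showing which of the three ACLs a given login would match. The user names, their memberships, the DOMAIN\user normalisation and the %-unescaping of fields are assumptions made for the example.

```python
"""External ACL helper of the kind that
'external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl'
runs.

Added example, not the wbinfo_group.pl shipped with Squid. Squid starts the
helper as a child process, writes one line per lookup ("user group [group ...]",
the %LOGIN value followed by the groups named on the acl line) and expects a
single "OK" or "ERR" line in reply. The membership table below is
constructed; the real helper asks winbind.
"""
import sys
from typing import Dict, List, Set, TextIO
from urllib.parse import unquote

# Constructed membership. Group names are the ones used in the reply above.
MEMBERSHIP: Dict[str, Set[str]] = {
    "manuel": {"G_3_NAV_Estandar"},
    "gontzal": {"G_2_NAV_Oficial", "G_4_NAV_Avanzada"},
    "nick": set(),
}

# The acl lines from the reply, as ACL name -> groups the helper is asked about.
ACL_GROUPS: Dict[str, List[str]] = {
    "GR_OFICIAL": ["G_2_NAV_Oficial"],
    "GR_NORMAL": ["G_3_NAV_Estandar"],
    "GR_AVANZADO": ["G_4_NAV_Avanzada"],
}


def normalise_user(login: str) -> str:
    """Assumption for the example: accept DOMAIN\\user and treat names as
    case-insensitive, the way Windows logins behave."""
    return login.rsplit("\\", 1)[-1].lower()


def lookup(line: str, membership: Dict[str, Set[str]] = MEMBERSHIP) -> str:
    """Answer one helper request line with OK or ERR.

    OK if the user is in any of the groups listed; anything unparseable is
    ERR, so a malformed line can never grant access.
    """
    fields = [unquote(f) for f in line.split()]   # assumption: fields may be %-escaped
    if len(fields) < 2:
        return "ERR"
    user, groups = normalise_user(fields[0]), fields[1:]
    return "OK" if membership.get(user, set()) & set(groups) else "ERR"


def matching_acls(login: str) -> List[str]:
    """Which of the three group ACLs would match this login, in acl order."""
    return [name for name, groups in ACL_GROUPS.items()
            if lookup(" ".join([login] + groups)) == "OK"]


def serve(stdin: TextIO = sys.stdin, stdout: TextIO = sys.stdout) -> None:
    """Helper main loop: one answer per input line, flushed immediately,
    because Squid blocks on the pipe waiting for each reply."""
    for line in stdin:
        stdout.write(lookup(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

The default of ERR for anything the helper cannot parse is the part worth keeping when adapting this: an external ACL helper is an authorization oracle, and a parse failure must never read as a match.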
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Hi Amos,

I send the trace as requested; yesterday I just came back from holidays and I was out:

CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.seg-social.es

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE16
Mime-Version: 1.0
Date: Tue, 21 Jul 2009 10:28:20 GMT
Content-Type: text/html
Content-Length: 1681
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="ProxySquid"
X-Cache: MISS from deil-trinity2
X-Cache-Lookup: NONE from deil-trinity2:3128
Via: 1.0 deil-trinity2 (squid/3.0.STABLE16)
Proxy-Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!--BODY{background-color:#ff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></style>
</head><body>
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
<hr>
<p>The following error was encountered while trying to retrieve the URL: <a href="https://tp.seg-social.es/*">https://tp.seg-social.es/*</a></p>
<blockquote>
<p><b>Cache Access Denied.</b></p>
</blockquote>
<p>Sorry, you are not currently allowed to request https://tp.seg-social.es/* from this cache until you have authenticated yourself.</p>
<p>Please contact the <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&amp;body=CacheHost%3A%20deil-trinity2%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2021%20Jul%202009%2010%3A28%3A20%20GMT%0D%0A%0D%0AClientIP%3A%20172.28.3.186%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20es-ES%3B%20rv%3A1.9.1.1)%20Gecko%2F20090715%20Firefox%2F3.5.1%20(.NET%20CLR%203.5.30729)%0D%0AProxy-Connection%3A%20keep-alive%0D%0AHost%3A%20tp.seg-social.es%0D%0A%0D%0A%0D%0A">cache administrator</a> if you have difficulties authenticating yourself or <a href="http://deil-trinity2/cgi-bin/chpasswd.cgi">change</a> your default password.</p>
<br>
<hr>
<div id="footer">Generated Tue, 21 Jul 2009 10:28:20 GMT by deil-trinity2 (squid/3.0.STABLE16)</div>
</body></html>

Thanks a lot

2009/7/20 Gontzal gontz...@gmail.com:
> Responses in the message.
>
> 2009/7/20 Amos Jeffries squ...@treenet.co.nz:
>> Gontzal wrote:
>>> Hi Amos,
>>> First of all sorry for the delay.
>>> Yes, the header_access tag is not accepted on 3.0 S 16; I've tried with reply_header_access with the same result: none.
>>
>> By "none" you mean Java still getting the NTLM Proxy_auth header?
>
> I think so, because it is not starting the java applet, neither asking for basic auth.
>
>> Do you have a trace of the 407 reply from Squid to be sure of that?
>
> I don't know how to get the trace; if you can give me more info to get the trace I would appreciate it. I just have the information from the access.log.
>
>>> Same entries on access.log:
>>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] CONNECT tp.seg-social.es:443 HTTP/1.1 407 2015 TCP_DENIED:NONE
>>>
>>> In the access.log of the parent proxy I get:
>>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>>
>>> This is part of my conf:
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 50
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm ProxySquid
>>> auth_param basic credentialsttl 2 hours
>>> external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>>>
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>> acl javaConnect method CONNECT
>>> reply_header_access Proxy-Authenticate deny Java javaConnect
>>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>>
>>> and after that the http_access tags
>>>
>>> Another question, the realm value must be the same as defined on "auth_param basic realm ProxySquid" or may it be the domain name as defined on smb.conf? In my case it's not the same value.
>>
>> The realm returned by Squid should always be the one configured in squid.conf auth_param
>
> the value of realm must be between or not?
>
> Thanks again.
> Gontzal
>
>> Amos
>>
>>> 2009/7/2 Amos Jeffries squ...@treenet.co.nz:
>>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal gontz...@gmail.com wrote:
>>>>> Hi,
>>>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse 10.3 server with the --enable-http-violations option.
>>>>> I've added the following lines to my squid.conf file:
>>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>>> header_access Proxy-Authenticate deny Java
>>>>> header_replace Proxy-Authenticate Basic realm=
>>>>> The header tags are before the http_access tags, I don't know if it is correct.
>>>>> I've also disabled the option http_access allow Java
>>>>> Squid runs correctly but when I check for java, it doesn't work
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Hi Amos,

First of all sorry for the delay.
Yes, the header_access tag is not accepted on 3.0 S 16; I've tried with reply_header_access with the same result: none.

Same entries on access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] CONNECT tp.seg-social.es:443 HTTP/1.1 407 2015 TCP_DENIED:NONE

In the access.log of the parent proxy I get:
1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -

This is part of my conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ProxySquid
auth_param basic credentialsttl 2 hours
external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl

acl Java browser Java/1.4 Java/1.5 Java/1.6
acl javaConnect method CONNECT
reply_header_access Proxy-Authenticate deny Java javaConnect
header_replace Proxy-Authenticate basic realm=ProxySquid

and after that the http_access tags.

Another question, the realm value must be the same as defined on "auth_param basic realm ProxySquid" or may it be the domain name as defined on smb.conf? In my case it's not the same value.

2009/7/2 Amos Jeffries squ...@treenet.co.nz:
> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal gontz...@gmail.com wrote:
>> Hi,
>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse 10.3 server with the --enable-http-violations option.
>> I've added the following lines to my squid.conf file:
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> header_access Proxy-Authenticate deny Java
>> header_replace Proxy-Authenticate Basic realm=
>> The header tags are before the http_access tags, I don't know if it is correct.
>> I've also disabled the option http_access allow Java
>> Squid runs correctly but when I check for java, it doesn't work: it doesn't ask for basic auth and doesn't show the java applet page.
>> On the access log it shows lines like this one:
>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms
>> I've changed the identity of my browser from firefox to java and it browses using ntlm auth instead of asking for user/passwd.
>> Where can the problem be?
>
> In squid-3 the header_access has been broken in half. I believe you are needing to use reply_header_access.
>
> Amos

Thanks again!
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Responses in the message.

2009/7/20 Amos Jeffries squ...@treenet.co.nz:
> Gontzal wrote:
>> Hi Amos,
>> First of all sorry for the delay.
>> Yes, the header_access tag is not accepted on 3.0 S 16; I've tried with reply_header_access with the same result: none.
>
> By "none" you mean Java still getting the NTLM Proxy_auth header?

I think so, because it is not starting the java applet, neither asking for basic auth.

> Do you have a trace of the 407 reply from Squid to be sure of that?

I don't know how to get the trace; if you can give me more info to get the trace I would appreciate it. I just have the information from the access.log.

>> Same entries on access.log:
>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] CONNECT tp.seg-social.es:443 HTTP/1.1 407 2015 TCP_DENIED:NONE
>>
>> In the access.log of the parent proxy I get:
>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>
>> This is part of my conf:
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm ProxySquid
>> auth_param basic credentialsttl 2 hours
>> external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>>
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> acl javaConnect method CONNECT
>> reply_header_access Proxy-Authenticate deny Java javaConnect
>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>
>> and after that the http_access tags
>>
>> Another question, the realm value must be the same as defined on "auth_param basic realm ProxySquid" or may it be the domain name as defined on smb.conf? In my case it's not the same value.
>
> The realm returned by Squid should always be the one configured in squid.conf auth_param

the value of realm must be between or not?

Thanks again.
Gontzal

> Amos
>
>> 2009/7/2 Amos Jeffries squ...@treenet.co.nz:
>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal gontz...@gmail.com wrote:
>>>> Hi,
>>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse 10.3 server with the --enable-http-violations option.
>>>> I've added the following lines to my squid.conf file:
>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>> header_access Proxy-Authenticate deny Java
>>>> header_replace Proxy-Authenticate Basic realm=
>>>> The header tags are before the http_access tags, I don't know if it is correct.
>>>> I've also disabled the option http_access allow Java
>>>> Squid runs correctly but when I check for java, it doesn't work: it doesn't ask for basic auth and doesn't show the java applet page.
>>>> On the access log it shows lines like this one:
>>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms
>>>> I've changed the identity of my browser from firefox to java and it browses using ntlm auth instead of asking for user/passwd.
>>>> Where can the problem be?
>>>
>>> In squid-3 the header_access has been broken in half. I believe you are needing to use reply_header_access.
>>>
>>> Amos
>>
>> Thanks again!
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.10 or 3.1.0.11
[squid-users] error compiling squid 3.0 stable 16
Hello everybody!

I've a problem compiling squid 3.0 stable 16 on an opensuse 10.3 box. These are my configure options:

./configure --prefix=/usr --sysconfdir=/etc/squid --bindir=/usr/sbin --sbindir=/usr/sbin --localstatedir=/var --libexecdir=/usr/sbin --datadir=/usr/share/squid --libdir=/usr/lib --with-dl --sharedstatedir=/var/squid --enable-storeio=aufs,diskd,null,ufs --enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads --enable-removal-policies=heap,lru --enable-icmp --enable-delay-pools --enable-http-violations --enable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-snmp --enable-arp-acl --enable-htcp --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-poll --enable-linux-netfilter --with-large-files --enable-underscores --enable-auth=basic,digest,ntlm,negotiate --enable-basic-auth-helpers=DB,LDAP,MSNT,NCSA,POP3,SASL,SMB,YP,getpwnam,multi-domain-NTLM,squid_radius_auth --enable-ntlm-auth-helpers=SMB,no_check,fakeauth --enable-negotiate-auth-helpers=squid_kerb_auth --enable-digest-auth-helpers=eDirectory,ldap,password --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-ntlm-fail-open --enable-stacktraces --enable-x-accelerator-vary --with-default-user=squid

No problem when configuring. And this is the error when doing make:

Making all in squid_kerb_auth
make[3]: Entering directory `/tmp/squid-3.0.STABLE16/helpers/negotiate_auth/squid_kerb_auth'
gcc -DHAVE_CONFIG_H -I. -I../../../include -I./spnegohelp -I. -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -g -O2 -MT squid_kerb_auth.o -MD -MP -MF .deps/squid_kerb_auth.Tpo -c -o squid_kerb_auth.o squid_kerb_auth.c
squid_kerb_auth.c:76:18: error: krb5.h: No such file or directory
squid_kerb_auth.c:77: error: expected ')' before 'major_status'
squid_kerb_auth.c:133: error: expected ')' before 'major_status'
squid_kerb_auth.c: In function 'main':
squid_kerb_auth.c:197: error: 'OM_uint32' undeclared (first use in this function)
squid_kerb_auth.c:197: error: (Each undeclared identifier is reported only once
squid_kerb_auth.c:197: error: for each function it appears in.)
squid_kerb_auth.c:197: error: expected ';' before 'ret_flags'
squid_kerb_auth.c:201: error: expected ';' before 'major_status'
squid_kerb_auth.c:202: error: 'gss_ctx_id_t' undeclared (first use in this function)
squid_kerb_auth.c:202: error: expected ';' before 'gss_context'
squid_kerb_auth.c:203: error: 'gss_name_t' undeclared (first use in this function)
squid_kerb_auth.c:203: error: expected ';' before 'client_name'
squid_kerb_auth.c:204: error: expected ';' before 'server_name'
squid_kerb_auth.c:205: error: 'gss_cred_id_t' undeclared (first use in this function)
squid_kerb_auth.c:205: error: expected ';' before 'server_creds'
squid_kerb_auth.c:206: error: expected ';' before 'delegated_cred'
squid_kerb_auth.c:207: error: 'gss_buffer_desc' undeclared (first use in this function)
squid_kerb_auth.c:207: error: expected ';' before 'service'
squid_kerb_auth.c:208: error: expected ';' before 'input_token'
squid_kerb_auth.c:209: error: expected ';' before 'output_token'
squid_kerb_auth.c:245: error: 'service' undeclared (first use in this function)
squid_kerb_auth.c:286: warning: the address of 'buf' will always evaluate as 'true'
squid_kerb_auth.c:303: warning: implicit declaration of function 'gss_release_buffer'
squid_kerb_auth.c:303: error: 'minor_status' undeclared (first use in this function)
squid_kerb_auth.c:303: error: 'input_token' undeclared (first use in this function)
squid_kerb_auth.c:304: error: 'output_token' undeclared (first use in this function)
squid_kerb_auth.c:306: warning: implicit declaration of function 'gss_release_cred'
squid_kerb_auth.c:306: error: 'server_creds' undeclared (first use in this function)
squid_kerb_auth.c:307: error: 'delegated_cred' undeclared (first use in this function)
squid_kerb_auth.c:308: warning: implicit declaration of function 'gss_release_name'
squid_kerb_auth.c:308: error: 'server_name' undeclared (first use in this function)
squid_kerb_auth.c:309: error: 'client_name' undeclared (first use in this function)
squid_kerb_auth.c:310: warning: implicit declaration of function 'gss_delete_sec_context'
squid_kerb_auth.c:310: error: 'gss_context' undeclared (first use in this function)
squid_kerb_auth.c:313: error: 'spnego_flag' undeclared (first use in this function)
squid_kerb_auth.c:341: error: 'GSS_C_NO_CONTEXT' undeclared (first use in this function)
squid_kerb_auth.c:400: error: 'major_status' undeclared (first use in this function)
squid_kerb_auth.c:400: warning: implicit declaration of function 'gss_import_name'
squid_kerb_auth.c:401: error: 'gss_OID' undeclared (first use in this function)
squid_kerb_auth.c:401: error: expected ')' before 'GSS_C_NULL_OID'
squid_kerb_auth.c:404: error: 'GSS_C_NO_NAME' undeclared (first use in this function)
squid_kerb_auth.c:405: error: 'GSS_S_COMPLETE' undeclared (first use in this function)
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Hi, I've recompiled squid, now 3.0 stable 16, on a non-production opensuse 10.3 server with the --enable-http-violations option. I've added the following lines to my squid.conf file: acl Java browser Java/1.4 Java/1.5 Java/1.6 header_access Proxy-Authenticate deny Java header_replace Proxy-Authenticate Basic realm= The header tags are before the http_access tags, I don't know if it is correct. I've also disabled the option http_access allow Java. Squid runs correctly, but when I check for Java it doesn't work: it doesn't ask for basic auth and doesn't show the Java applet page. On the access log it shows lines like this one: (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms I've changed the identity of my browser from Firefox to Java and it browses using NTLM auth instead of asking for user/passwd. Where can the problem be? Thanks again!

2009/6/30 Amos Jeffries squ...@treenet.co.nz: I agree this does look like a good clean solution. I'll look at implementing a small on/off toggle to do only this change for safer Java bypass. May not be very soon though. What version of Squid are you using? Meanwhile yes, you do have to add the option to the ./configure options and re-compile = re-install Squid. The install process, if done right, should not alter the existing squid.conf and should be a simple drop-in to the existing install. But a backup is worth doing just in case. If currently using a packaged Squid, you may want to contact the package maintainer for any help on the configure and install steps. Amos

On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal gontz...@gmail.com wrote: Hi Kevin, Thanks for your post, I think it is a very good solution to the Java security hole. I've seen that for using header_access and header_replace you need to compile with --enable-http-violations. My question is, if I compiled squid without this option, is there any way to add this feature or do I have to compile the entire squid again? In this case, should I save my configuration files? Where should I put these lines, after the acls? Thanks again Gontzal

2009/6/27 Kevin Blackwell akblack...@gmail.com: This what you're looking for? acl javaNtlmFix browser -i java acl javaConnect method CONNECT header_access Proxy-Authenticate deny javaNtlmFix javaConnect header_replace Proxy-Authenticate Basic realm=Internet now only https/ssl access from java will have basic auth and so a password dialog. normal http access will work with ntlm challenge response. thanks again markus

-----Original Message----- From: Rietzler, Markus (Firma Rietzler Software / RZF) Sent: Tuesday, 16 October 2007 18:17 To: 'Chris Robertson'; squid-users@squid-cache.org Subject: Re: [squid-users] force basic NTLM-auth for certain clients/urls thanks for that hint - it worked as a fix. I have added this to my squid.conf: acl javaNtlmFix browser -i java header_access Proxy-Authenticate deny javaNtlmFix header_replace Proxy-Authenticate Basic realm=Internet Access now any java client (java web start, java or applets in browser) will only see the basic auth scheme. a username/password dialog pops up and i have to enter my credentials. any other client (firefox, ie) still sees both the NTLM and Basic schemes and uses NTLM challenge response to authenticate... the little drawback is that there is that little nasty dialog, but the connection via proxy is working... thanks markus

On Sat, May 9, 2009 at 12:13 AM, Nitin Bhadauria nitin.bhadau...@tetrain.com wrote: Dear All, Please reply if we have some solution for the problem. I am stuck with the problem; my server is live and I can't afford to allow the java sites to unauthorized users in the network. Regards, Nitin B.

Nitin Bhadauria wrote: Dear All, I have the same problem... Every time a browser proxying through squid tries to load a secure java applet, it comes up with a red x where the java applet should be. So I have bypassed those sites for authentication, but the problem is that users who don't have permission to access the internet are also able to access those sites. Please update if we have found any other solution for the problem. Thanks in advance for any reply. Regards, Nitin Bhadauria
Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)
Hi Kevin, Thanks for your post, I think it is a very good solution to the Java security hole. I've seen that for using header_access and header_replace you need to compile with --enable-http-violations. My question is, if I compiled squid without this option, is there any way to add this feature or do I have to compile the entire squid again? In this case, should I save my configuration files? Where should I put these lines, after the acls? Thanks again Gontzal

2009/6/27 Kevin Blackwell akblack...@gmail.com: This what you're looking for? acl javaNtlmFix browser -i java acl javaConnect method CONNECT header_access Proxy-Authenticate deny javaNtlmFix javaConnect header_replace Proxy-Authenticate Basic realm=Internet now only https/ssl access from java will have basic auth and so a password dialog. normal http access will work with ntlm challenge response. thanks again markus

-----Original Message----- From: Rietzler, Markus (Firma Rietzler Software / RZF) Sent: Tuesday, 16 October 2007 18:17 To: 'Chris Robertson'; squid-users@squid-cache.org Subject: Re: [squid-users] force basic NTLM-auth for certain clients/urls thanks for that hint - it worked as a fix. I have added this to my squid.conf: acl javaNtlmFix browser -i java header_access Proxy-Authenticate deny javaNtlmFix header_replace Proxy-Authenticate Basic realm=Internet Access now any java client (java web start, java or applets in browser) will only see the basic auth scheme. a username/password dialog pops up and i have to enter my credentials. any other client (firefox, ie) still sees both the NTLM and Basic schemes and uses NTLM challenge response to authenticate... the little drawback is that there is that little nasty dialog, but the connection via proxy is working... thanks markus

On Sat, May 9, 2009 at 12:13 AM, Nitin Bhadauria nitin.bhadau...@tetrain.com wrote: Dear All, Please reply if we have some solution for the problem. I am stuck with the problem; my server is live and I can't afford to allow the java sites to unauthorized users in the network. Regards, Nitin B.

Nitin Bhadauria wrote: Dear All, I have the same problem... Every time a browser proxying through squid tries to load a secure java applet, it comes up with a red x where the java applet should be. So I have bypassed those sites for authentication, but the problem is that users who don't have permission to access the internet are also able to access those sites. Please update if we have found any other solution for the problem. Thanks in advance for any reply. Regards, Nitin Bhadauria
[squid-users] acl for redirect to another proxy
Hi everybody!! I'm working with squid 3.0 R15 with ntlm-auth + squidGuard 1.4. I have a doubt: we all know that when working with ntlm-auth with Active Directory there is a problem with the authentication of the Sun Java VM. Setting an acl browser Java/1.X and giving free access to this group is a security hole. I've set up another squid instance on the same server, on another port, that doesn't get the auth from the user's log-on on AD; it just asks for username/password when using the JVM and checks it against AD. I set the JVM to use this proxy to connect to the internet. My doubt is, can I set on my first squid instance an acl that, depending on the browser (if it is Java), redirects the traffic to the second instance? If it is possible I don't have to change the configuration of the JVM on all machines on my net. Thanks a lot
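An added illustration of the redirect the question asks about, not taken from the thread: on the NTLM instance, a cache_peer pointing at the second instance and restricted to the Java ACL. The peer port (3129 on the same host), the peer name javaproxy and the ACL name are assumptions; cache_peer, cache_peer_access, never_direct and login=PASS are standard squid.conf directives, but what login=PASS does with the peer's 407 should be checked against the documentation of the Squid version in use.

```conf
# Added example, not from the original post. Assumed: the second instance
# listens on 127.0.0.1:3129 and does Basic auth against AD; peer name "javaproxy".
acl Java browser -i java

# The second instance as a parent peer. login=PASS (assumption: it forwards the
# client's Proxy-Authorization to the peer, as squid.conf documents) lets the
# Basic credentials be checked by the second instance rather than here.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest name=javaproxy login=PASS

# Only Java clients may use this peer, and for them it is the only route.
cache_peer_access javaproxy allow Java
cache_peer_access javaproxy deny all
never_direct allow Java

# Caveat: peer selection happens after http_access, so a Java client must get
# past http_access on this instance without NTLM credentials, i.e. a line like
# the one below placed before the NTLM rules. "browser" matches only the
# User-Agent string, which any client can set (the thread shows Firefox being
# made to claim it is Java), so this instance does not close the hole; it is
# closed only because the peer still demands a password. Basic sends that
# password base64-encoded, effectively in clear, so keep the peer on loopback
# or a trusted LAN.
http_access allow Java
```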
Re: [squid-users] Banning MAC addresses in squid3
It seems to be ok, have you configured squid with --enable-arp-acl?
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# The arp ACL requires the special configure option --enable-arp-acl.
# Furthermore, the ARP ACL code is not portable to all operating systems.
# It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
#
# NOTE: Squid can only determine the MAC address for clients that are on
# the same subnet. If the client is on a different subnet, then Squid cannot
# find out its MAC address.
2009/6/24 Dayo Adewunmi contactd...@gmail.com: Hi all, I'm trying to block a MAC address with this ACL: acl banned_MAC arp 00:1a:73:ff:fa:9a http_access deny banned_MAC ...and restarting squid3 gives me this error: 2009/06/24 10:34:52| Reconfiguring Squid Cache (version 3.0.STABLE1)... 2009/06/24 10:34:52| FD 12 Closing HTTP connection 2009/06/24 10:34:52| FD 15 Closing ICP connection 2009/06/24 10:34:52| aclParseAclLine: Invalid ACL type 'arp' Is there something else that needs to be included for 'arp' to become a valid ACL type? Best regards Dayo
Re: [squid-users] Using Squid/Squidguard on
I think that it should work with your Samba PDC server if it is running ok, but I use a W'2003 and the config is made for that, just try... Also take care with smb.conf. I use squidGuard because it was installed when I took this over in my company, but I've heard Dansguardian is a very good product, even better; maybe other users of this list can give you more light about it. Good luck!! 2009/6/24 shacky shack...@gmail.com: On squidGuard you can also set if you want an AD group not to apply the squidguard rules, for example a privilege group should be something like: src privilegio { ldapusersearch ldap://ADServer:3268/dc=XX,dc=XX?sAMAccountName?sub?((memberof=CN=G_5_NAV_Privilegio%2cOU=Grupos%20Comunes%2cOU=USUARIOS%2cDC=xx%2cDC=xx)(sAMAccountName=%s))?bindname=cn=%2cOU=Grupos%20Comunes%2cOU=USUARIOS%2cDC=xx%2cDC=xx,x-bindpass=x I see ldap://ADServer:3268. Is this valid even if I don't have a Windows 2003 PDC but I have a Samba PDC server (on the same Linux server)? Another question for you: do you advise me to use Squidguard or Dansguardian?
Re: [squid-users] How to setup squid proxy to run in fail-over mode
Hi Abdul, As has been said, the simplest solution is to use a PAC file; I'm using it at my company and balancing the connections depending on the subnet: subnet A goes through proxy1 and subnet B goes through proxy2. When proxy1 goes down, connections go to proxy2, but it doesn't synchronize the information of the connections, so clients will have to establish a new connection to proxy2. You have multiple examples of configuring a PAC file on the internet. Obviously this is not the best solution; it is not load balancing depending on the amount of load on each proxy. For that you may need a solution including LinuxVirtualServer (LVS) + Heartbeat (like ultramonkey), with two virtual/physical machines acting as load balancers in Active/Passive mode (with heartbeat) connected to two other machines acting as proxies. For the final user it acts as an individual machine, with only one IP (a virtual IP for the whole structure). It has other advantages, like the LB synchronizes the information of the connections through UDP multicast, so if one server goes down, the other proxy has the information of the connection and the client doesn't have to restart the connection. It is also an HA solution. It is also good for stops due to updates, improvements, failures, etc. on your servers; it is completely transparent for the users. And you can easily increase the number of servers acting as proxies. Hope it can help you. Gontzal

2009/6/15 K K kka...@gmail.com 1. Use the WPAD protocol: let's say PROXY squid1; PROXY squid2 (this is fail over) IMHO, using PAC (with or without WPAD) is the simplest and most effective approach to failover, requiring no additional software beyond a web server to host the PAC file. With PAC, the browser will automatically switch to the second proxy in the list if the first stops responding. All modern graphical browsers support PAC, and nearly all support WPAD. The PAC script is very powerful; you can use many, but not all, Javascript string and numeric functions. With a little effort you can have PAC distribute user load across multiple proxy servers, or even hash the request URL so, for example, all requests for dilbert.com first go to squid1, to get the most value from cached content. For more on PAC, see http://wiki.squid-cache.org/Technology/ProxyPac
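The PAC scheme described in this thread, written out as an added example (not a file from the original posts): clients in subnet A prefer squid1 and fail over to squid2, clients in subnet B the reverse, and intranet destinations go DIRECT. The subnets, proxy host names and port are assumed values for illustration. Browsers supply isInNet() and myIpAddress() inside the PAC sandbox; the block carries its own literal-address inNet() so the file can also be exercised outside a browser, and takes an optional third parameter for the client address for the same reason.

```javascript
// Added example, not code from the thread. Assumed values below.
var PROXY_A = "PROXY squid1.example.internal:3128";  // assumed host:port
var PROXY_B = "PROXY squid2.example.internal:3128";  // assumed host:port
var SUBNET_A = ["10.1.0.0", "255.255.0.0"];          // assumed subnet A
var SUBNET_B = ["10.2.0.0", "255.255.0.0"];          // assumed subnet B

// Dotted-quad IPv4 string to an integer, or -1 if it is not a literal address
// (e.g. a host name). The browser's isInNet() would resolve a name first; this
// version deliberately does not, so it never triggers DNS lookups from a PAC.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Literal-only equivalent of the browser's isInNet(ip, net, mask).
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a ^ b) & m) === 0;
}

// Browsers call FindProxyForURL(url, host). The third parameter exists only
// for testing; when absent, the browser-provided myIpAddress() is used.
function FindProxyForURL(url, host, clientIp) {
  var me = clientIp !== undefined ? clientIp : myIpAddress();

  // Loopback and RFC 1918 destinations bypass the proxy entirely.
  if (host === "localhost" ||
      inNet(host, "127.0.0.0", "255.0.0.0") ||
      inNet(host, "10.0.0.0", "255.0.0.0") ||
      inNet(host, "172.16.0.0", "255.240.0.0") ||
      inNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // The browser moves to the next entry only when the previous proxy is
  // unreachable; that is the fail-over behaviour the thread describes.
  if (inNet(me, SUBNET_A[0], SUBNET_A[1])) return PROXY_A + "; " + PROXY_B;
  if (inNet(me, SUBNET_B[0], SUBNET_B[1])) return PROXY_B + "; " + PROXY_A;

  // Unknown client subnet: still both proxies, still no trailing "; DIRECT".
  // Ending the list with DIRECT would turn a proxy outage into unauthenticated,
  // unfiltered Internet access wherever the firewall permits it.
  return PROXY_A + "; " + PROXY_B;
}

// Stand-alone run under node; the guard keeps this out of the browser sandbox.
if (typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("http://www.example.com/", "www.example.com", "10.1.4.20"));
  console.log(FindProxyForURL("http://www.example.com/", "www.example.com", "10.2.9.1"));
}
```

Serve the file with the application/x-ns-proxy-autoconfig content type and point clients at it (or publish it via WPAD); the order of the PROXY entries is what gives each subnet its preferred proxy and its fallback.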
[squid-users] client_side_request.cc
Hi Wong, Which version of squidGuard are you running? I had the same problem and I resolved it by updating from squidGuard 1.3 to 1.4. Never again that error... Gontzal 2009/6/2 Wong wongb...@telkom.net Wong wrote: Dear All, I experienced the messages below and squid exiting abnormally. Squid version 3S15 Need your advice/help. Thx Rgds, Wong ---snip--- 2009/06/01 08:29:27| client_side_request.cc(825) redirecting body_pipe 0x85fd94c*1 from request 0x8525c90 to 0x886bcd0 These are normal. Visible only because of the level of debug_options. snip 2009/06/01 10:05:51| Preparing for shutdown after 67188 requests 2009/06/01 10:05:51| Waiting 5 seconds for active connections to finish 2009/06/01 10:05:51| FD 25 Closing HTTP connection 2009/06/01 10:05:51| WARNING: redirector #1 (FD 10) exited snip 2009/06/01 10:05:51| WARNING: redirector #9 (FD 18) exited 2009/06/01 10:05:51| Too few redirector processes are running 2009/06/01 10:05:51| Starting new helpers 2009/06/01 10:05:51| helperOpenServers: Starting 9/15 'squidGuard' processes 2009/06/01 10:05:52| WARNING: redirector #10 (FD 19) exited snip I assume the problem you are reporting is the redirectors starting up again during a shutdown. Is this correct? Amos -- Yes Amos, you're absolutely correct. How can I solve this problem? Now I am increasing the redirectors and monitoring progress. Thx Rgds, Wong