[squid-users] per-acl error messages not working

2007-07-25 Thread Michael W. Lucas

Hi,

I'm obviously doing something wrong with my ACLs, and would appreciate
any advice.  

We require authentication via radius, and we only allow each user to
be logged on from one workstation at a time.  Anyone logged on to a server
can access the Internet from multiple machines (i.e., for maintenance
periods where one admin might be running updates on several boxes
simultaneously).

If a user logs in from too many machines, or if he enters a wrong
password, he gets the error message in ERR_NO_SHARING.  I would expect
a user who signs on too often to get ERR_NO_SHARING and a user who
fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED.

Instead, all users get ERR_NO_SHARING.  I would like to give the users
a useful error message, but obviously I am missing something.

The ACL portion of my squid.conf follows.

Thanks for any suggestions,
==ml

--

error_directory /etc/squid/errors

auth_param basic program /usr/local/squid/libexec/squid_radius_auth_new -f /etc/squid/squid_radius_auth.conf

auth_param basic children 5
auth_param basic realm 'Web'

#confirm our login is still good via Radius at this interval;
#this is not the time between password query popups at user's browser!
authenticate_ttl 15 minutes

acl all src 0.0.0.0/0.0.0.0 # all sources

acl manager proto cache_object  # internal cache manager

acl localhost src 127.0.0.1/255.255.255.255  # This computer's loopback source
acl to_localhost dst 127.0.0.0/8 # This computer's loopback destinations

acl PURGE method PURGE

acl Safe_ports port 80  # http
acl Safe_ports port 20  # ftp-data
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl radius_auth proxy_auth REQUIRED

acl no_auth_src src /etc/squid/noauth_src.list
acl no_auth_dst dst /etc/squid/noauth_dst.list
acl no_auth_hostdst dstdomain /etc/squid/noauth_hostdst

#Don't share password
authenticate_ip_ttl 60 seconds
acl noPwSharing max_user_ip 1
deny_info ERR_NO_SHARING noPwSharing
#allow server networks more leeway for administration
acl serverPwSharing max_user_ip 5
deny_info ERR_NO_SHARING serverPwSharing

#Our internal networks; one for source, one for dest

acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl our_servers dst 10.0.0.0/8 127.0.0.0/8

acl server_network src 10.184.1.0/24

acl our_domains dstdomain internal.com

acl CONNECT method CONNECT  # Http Connect method

#Only the local machine can see cache manager
http_access allow manager localhost
http_access deny manager

#management acl
http_access allow PURGE localhost
http_access deny PURGE

#block connections to unsafe ports
http_access deny !Safe_ports

#Allow everyone through to some sites without auth
http_access allow no_auth_dst
http_access allow no_auth_src
http_access allow no_auth_hostdst

#Everyone can access internal servers
always_direct allow our_domains

#servers can have one user connect multiple times
http_access allow server_network radius_auth

#clients may only log in from one IP at a time.
http_access deny noPwSharing

#Clients must auth to radius to leave our network
http_access allow our_networks radius_auth  

#everyone else is denied access
http_access deny all

#everyone can reply
http_reply_access allow all

#nobody may use this as a peer proxy
icp_access deny all




-- 
Michael W. Lucas[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
  Coming Soon: Absolute FreeBSD -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies for security reasons.


[squid-users] squid and antivirus, again

2007-07-03 Thread Michael W. Lucas
Hi,

The search engines give too many answers to this question over the
last several years, so I'm just asking here.

What is the best antivirus solution for Squid these days?

We're running Squid 2.6 on RHEL4.

Thanks,
==ml



Re: [squid-users] Squid as web page cache for dynamic content

2007-06-20 Thread Michael W. Lucas
On Wed, Jun 20, 2007 at 01:34:16PM +0200, Kimmo Gl?borg wrote:
 Hello,
 
 I'm totally new to Squid and working for the largest IT news portal in
 Scandinavia. We're looking to replace our current server side page
 cache environment with a hardware solution (such as Netapp NetCache
 for example). Now would this be possible to do maybe with
 Squid instead?
 
 So I don't want to use Squid for client proxy, only website content
 cache/acceleration and if possible also distribution for streaming
 media (web tv)..
 
 // kimmo


You can do this with Squid.  You can also use Varnish, which is
specifically designed for your problem.

==ml



[squid-users] private DNS, browsers, and Squid

2007-04-26 Thread Michael W. Lucas
Hi,

(This might be considered tangential to this list.  My apologies if
so.  I've searched the squid mailing list archives, FAQ, and Google
without getting an answer, and squid-users@ is where I'll find the
people who have dealt with this before.)

I'm running squid 2.6 stable 9, on Linux.  Our clients are configured
to access the proxy via a proxy.pac file.  We want our clients to
access internal Web sites directly, but access external sites only
through the proxy.

Our clients are migrating from having full access to public DNS, to
having access to only the internal private DNS.  (Not my idea, but
when global management says do it, you do it.)  When we switch a
client over to the private DNS, Web surfing slows a great deal.

Packet sniffing shows that the client is talking to the proxy, but the
client is also trying all of its DNS servers to resolve the hostname
of the Web site.  With complex Web sites this can take a while -- for
example, the front page for www.cnn.com has several hostnames in it.
I suspect this is causing the very slow access.

Do other people see this behavior?  What did you do?  Surely we're not
the first people to use Squid, IE, and private DNS?

Thanks,
==ml


-- 
Michael W. Lucas[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
The cloak of anonymity protects me from the nuisance of caring. -Non Sequitur


Re: [squid-users] private DNS, browsers, and Squid

2007-04-26 Thread Michael W. Lucas

For the archives:

It's not DNS, it's WINS.  Disabling WINS made this problem disappear.

Sorry for the noise.

==ml

On Thu, Apr 26, 2007 at 11:16:58AM -0400, Michael W. Lucas wrote:
 Hi,
 
 (This might be considered tangential to this list.  My apologies if
 so.  I've searched the squid mailing list archives, FAQ, and Google
 without getting an answer, and squid-users@ is where I'll find the
 people who have dealt with this before.)
 
 I'm running squid 2.6 stable 9, on Linux.  Our clients are configured
 to access the proxy via a proxy.pac file.  We want our clients to
 access internal Web sites directly, but access external sites only
 through the proxy.
 
 Our clients are migrating from having full access to public DNS, to
 having access to only the internal private DNS.  (Not my idea, but
 when global management says do it, you do it.)  When we switch a
 client over to the private DNS, Web surfing slows a great deal.
 
 Packet sniffing shows that the client is talking to the proxy, but the
 client is also trying all of its DNS servers to resolve the hostname
 of the Web site.  With complex Web sites this can take a while -- for
 example, the front page for www.cnn.com has several hostnames in it.
 I suspect this is causing the very slow access.
 
 Do other people see this behavior?  What did you do?  Surely we're not
 the first people to use Squid, IE, and private DNS?
 
 Thanks,
 ==ml
 
 



Re: [squid-users] optimizing squid and FreeBSD

2007-03-17 Thread Michael W. Lucas
On Sat, Mar 17, 2007 at 02:50:12PM -0400, Dave wrote:
 Hello,
Running squid on a 6.x box. I'm going to implement digest user
 authentication, and want to ensure squid is running optimally. Googling and
 reading Squid the Definitive Guide by Oreilly indicates that the file
 descriptors should be raised. I did a
 
 sysctl -a|grep maxfiles
 
 and found a value of 1440. It was suggested to increase this to 8192, which
 i did. I then found entries in /etc/login.conf that make me wonder if this
 change was necessary. All of these are set to unlimited in the default
 option: datasize, stacksize, memoryuse, filesize and openfiles (one of these
 the descriptors), maxproc, and Given this do i have to add an
 options maxfiles=8192

Hi,

You don't need to edit your kernel config file, you can set this in
/boot/loader.conf.

The "unlimited" in login.conf doesn't really mean infinite; it means
all that the kernel can provide.  Your kernel is limited to 1440
without a change.

 in my kernel config file? I've also read the wiki in particular the section 
 on diskd, i'm using the ufs storage scheme, would it help if i implemented 
 diskd? Any other suggestions welcome.



 Thanks.
 Dave.



[squid-users] periodic user re-authentication via Radius

2007-03-14 Thread Michael W. Lucas
   
Hi, 

We have a need to force users to re-authenticate to the Web
periodically.  Squid doesn't support this, because of how the browser
caches credentials.  So I'm having our external Radius auth helper
handle this for us.  As this seems to be a FAQ, I'm sharing the script
here.

http://www.blackhelicopters.org/~mwlucas/mwlradius.pl.gz

Warnings:

1) Beware of Perl.  This means higher overhead on the Squid server.

2) There are edge cases.  There are bugs.

3) I am not a programmer.  This code illustrates that nicely.

4) Tested only in my particular environment.

5) No warranty.  No guarantee.  Use at own risk.

Bug reports accepted graciously, but not necessarily resolved.  (See
#3 above.)

==ml





[squid-users] Java, proxy.pac, and squid

2006-08-23 Thread Michael W. Lucas

Hi,

I'm not sure this is even related to Squid, but it could be and I need
to double-check everything.  I'm using Squid 2.5S13 on RHEL ESR4.

We need to access a Web site that launches a Java-based file transfer
client.

If I configure the client browser manually, by entering
proxy.us.add:8080 (.add is our private internal domain), the applet
works.

If I use the following proxy.pac to autoconfigure, however, it doesn't
work:

function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY proxy.us.add:8080";
    var proxy_no = "DIRECT";

    // send everything through Squid, regardless of url or host
    return proxy_yes;
}

To my eye it seems that the browser should be sending all requests to
Squid, no matter what, in either case.  access.log seems to indicate
that all the requests are traversing Squid.

So, either Squid handles cases differently or the browser isn't
actually sending all the requests to the proxy.  I'll happily track
down the latter elsewhere, but also need to check: does Squid handle
these cases differently?

Thanks,
==ml



Re: [squid-users] Problems with Squid and non-anonymous FTP

2006-08-22 Thread Michael W. Lucas
On Mon, Aug 21, 2006 at 09:10:50PM +0200, Henrik Nordstrom wrote:
 On Mon 2006-08-21 at 14:11 -0400, Michael W. Lucas wrote:
 
  We cannot access non-anonymous FTP sites.  Config, logs, and error
  messages follow.
 
  1156181672.956    244 10.184.184.193 TCP_MISS/401 1706 GET ftp://[EMAIL PROTECTED]/ - DIRECT/198.22.63.43 text/html
 
 Squid asks for a password as you did not supply one in the URL. It's
 possible your client does not know how to complete the request.
 
 Try using a fully qualified URL like
 
   ftp://user:[EMAIL PROTECTED]/

That does work, but it's discouraged in the FAQ.  I'd also rather not
teach my users to type passwords in visible cleartext; I have enough
trouble getting them to not use their passwords as desktop wallpaper. :-)

My question then becomes:

a) anyone know how to make IE 6 SP 2 and/or Firefox 1.5 prompt for a
password at a non-anonymous FTP site?

b) As this test cache does not require a username and password, why do
I get a "Cache Access Denied" error saying that I am not allowed to
request a non-anonymous FTP URL from the cache until I have
authenticated myself?  Is it just passing through the incorrect
password error from the FTP site?

(My production cache does require a username and password, mind you,
but I want to get FTP working more correctly in a test environment
before I complicate matters further.)

Thanks,

==ml





Re: [squid-users] Problems with Squid and non-anonymous FTP

2006-08-22 Thread Michael W. Lucas
On Tue, Aug 22, 2006 at 03:21:02PM +0200, Henrik Nordstrom wrote:
 On Tue, 2006-08-22 at 08:52 -0400, Michael W. Lucas wrote:
 
 ftp://user:[EMAIL PROTECTED]/
  
  That does work, but it's discouraged in the FAQ.  I'd also rather not
  teach my users to type passwords in visible cleartext, I have enough
  trouble getting them to not use their passwords as desktop wallpaper. :-)
 
 Then persuade the browser vendors to support HTTP authentication on
 ftp://[EMAIL PROTECTED]/ links when using proxies. Squid does the best it can
 and asks for authentication credentials, not sure what else we can do.

Fair enough.  Squid certainly does its best with what it's given, no
offense meant.  I would have sworn that I'd seen this working before,
but I guess I was wrong.

  a) anyone know how to make IE 6 SP 2 and/or Firefox 1.5 prompt for a
  password at a non-anonymous FTP site?
 
 As a workaround/test you can use a redirector at the proxy, rewriting
 some http:// address into the desired ftp address (with some user@ in
 the host part, what does not matter, just to tell Squid that it's
 non-anonymous). And all of a sudden the client understands how to do
 authentication because now the URL starts with http:// instead of
 ftp://. That's really the only difference in all other aspects, as in
 both cases the client uses HTTP to the proxy..

That's a clever idea, but will only confuse our users.

Thank you for the insight, much appreciated.

==ml



[squid-users] Problems with Squid and non-anonymous FTP

2006-08-21 Thread Michael W. Lucas
| Accepting SNMP messages on port 3401, FD 16.
2006/08/21 13:35:12| WCCP Disabled.
2006/08/21 13:35:12| Loaded Icons.
2006/08/21 13:35:12| eventCleanup
2006/08/21 13:35:12| Ready to serve requests.


access.log includes these entries for this request (plus a sample to
show that we are talking to the Net):

1156181666.709    106 10.184.184.193 TCP_REFRESH_HIT/200 358 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/sect.gray.gradient_334.gif - DIRECT/64.236.42.21 image/gif
1156181666.722    108 10.184.184.193 TCP_REFRESH_HIT/200 337 GET http://i.a.cnn.net/cnn/.element/img/1.1/misc/cl/cl_bar.gif - DIRECT/64.236.42.22 image/gif
1156181666.726    110 10.184.184.193 TCP_REFRESH_HIT/200 326 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/cnn_vert.dash.gif - DIRECT/64.236.42.30 image/gif
1156181666.729     44 10.184.184.193 TCP_REFRESH_HIT/200 1039 GET http://i.a.cnn.net/cnn/.element/img/1.3/main/tv/time_tab.gif - DIRECT/64.236.42.38 image/gif
1156181666.836    106 10.184.184.193 TCP_REFRESH_HIT/200 1407 GET http://www.cnn.com/favicon.ico - DIRECT/64.236.16.20 image/x-icon
1156181666.877     41 10.184.184.193 TCP_HIT/200 1407 GET http://www.cnn.com/favicon.ico - NONE/- image/x-icon
1156181672.956    244 10.184.184.193 TCP_MISS/401 1706 GET ftp://[EMAIL PROTECTED]/ - DIRECT/198.22.63.43 text/html
1156181675.284    962 10.184.184.193 TCP_MISS/401 1455 GET ftp://[EMAIL PROTECTED]/ - DIRECT/198.22.63.43 text/html
1156181690.780     25 10.184.184.193 TCP_MISS/401 1706 GET ftp://[EMAIL PROTECTED]/ - DIRECT/198.22.63.43 text/html
1156181718.106    118 10.184.184.193 TCP_MISS/401 1706 GET ftp://[EMAIL PROTECTED]/ - DIRECT/198.22.63.43 text/html








Re: [squid-users] HowDo I: Get Date stamp on the access.log

2006-08-02 Thread Michael W. Lucas


I'm lazy, and hate remembering commands like that.  I have a shell script:

$ cat squidtime.sh
#!/bin/sh

# Replace the leading epoch seconds of each access.log line with the local time in brackets
perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e'

(yeah, yeah, it's a sh script that calls perl.  What part of "I'm
lazy" didn't you understand?  :-)

This lets me do:

$ cat access.log | squidtime.sh | less


On Wed, Aug 02, 2006 at 01:56:56PM +0100, Paul Mattingly wrote:
 I was looking at a similar issue today and needed to convert the epoch
 time into a human readable time on the command line. With FreeBSD you
 can use
 
 date -r <epoch time>
 
 i.e.
 
 # date -r 1154520379
 Wed Aug  2 13:06:19 BST 2006
 #
 
 I imagine you can do this with other OSs using their specific syntax.
 
 Paul.
 
 
 -Original Message-
 From: John Walubengo [mailto:[EMAIL PROTECTED] 
 Sent: 10 July 2006 06:48
 To: Geoff Varney
 Cc: squid-users@squid-cache.org
 Subject: RE: [squid-users] HowDo I: Get Date stamp on the access.log
 
 Thanx Geoff.
 
 U have given me exactly what I needed; a step by step
 solution aka the 'dummy's version' ;-).
 
 thanx alot.
 
 walu.
 
 --- Geoff Varney [EMAIL PROTECTED] wrote:
 
  John,
  Here are the files if you're interested.
  
  Geoff
  
  -Original Message-
  From: John Walubengo [mailto:[EMAIL PROTECTED] 
  Sent: Friday, July 07, 2006 1:39 AM
  To: Guido Serassio; Laurent Marc 00
  Cc: squid-users@squid-cache.org
  Subject: Re: [squid-users] HowDo I: Get Date stamp on the
  access.log
  
  Below is my sample access.log data:
  
  1152258629.089  23364 172.16.32.80 TCP_MISS/200 4625 GET
  http://www.pcreview.co.uk/template/vbulletin.css student
  DIRECT/70.86.33.18 text/css
  
  1152258629.261   2792 172.16.32.80 TCP_MISS/200 2570 GET
  http://www.htmlgoodies.com/css/starlight/star-light.css
  student DIRECT/63.236.73.67 text/css
  
  
  It is basically the default log; how can i get it to show
  the date:time stamp so that I get to know WHEN the users
  accessed these sites?
  
  walu.
  
  
  
 
 

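The same conversion in Python, as an added example rather than anything from the thread: it parses Squid's native access.log layout (the one Walu's sample above uses), turns the leading epoch field into a readable UTC time, and tallies status codes. The sample lines are constructed here, not taken from anyone's log.

```python
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format, modelled on the
# entries quoted in this thread (addresses, hosts and user are made up).
SAMPLE_LOG = """\
1154520379.123    106 172.16.32.80 TCP_MISS/200 4625 GET http://www.example.test/vbulletin.css student DIRECT/203.0.113.10 text/css
1154520380.456     44 172.16.32.80 TCP_REFRESH_HIT/200 1039 GET http://www.example.test/time_tab.gif - DIRECT/203.0.113.11 image/gif
1154520381.789    244 172.16.32.80 TCP_MISS/401 1706 GET ftp://user@ftp.example.test/ - DIRECT/198.51.100.5 text/html
"""

# Field order of the native log format: epoch.ms, elapsed ms, client IP,
# result code/status, bytes, method, URL, ident, hierarchy/peer, content type.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")


def epoch_to_utc(stamp):
    """Render a '1154520379.123' style timestamp as 'YYYY-mm-dd HH:MM:SS' in UTC
    (UTC rather than localtime so the result does not depend on the host's TZ)."""
    when = datetime.fromtimestamp(float(stamp), tz=timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S")


def parse_native_line(line):
    """Split one native-format line into a dict with typed fields and a readable time."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["time_utc"] = epoch_to_utc(rec["timestamp"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    code, _, status = rec["result"].partition("/")
    rec["cache_code"], rec["status"] = code, int(status)
    return rec


def stamp_log(text):
    """Prefix each line with its UTC time, like squidtime.sh, leaving the line itself intact."""
    return ["[%s] %s" % (parse_native_line(l)["time_utc"], l)
            for l in text.splitlines() if l.strip()]


def status_counts(text):
    """Count HTTP status codes across the log; a burst of 401s stands out at a glance."""
    counts = {}
    for l in text.splitlines():
        if l.strip():
            status = parse_native_line(l)["status"]
            counts[status] = counts.get(status, 0) + 1
    return counts
```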


Re: [squid-users] Further diagnosis on squid/radius auth problems

2006-05-24 Thread Michael W. Lucas
On Wed, May 24, 2006 at 02:14:17PM +0200, Henrik Nordstrom wrote:
 On Tue 2006-05-23 at 12:53 -0400, Michael W. Lucas wrote:
 
  At times it has seemed that clients attempting to authenticate are
  being rejected despite having good passwords.  Similarly, users have
  been able to get out to the Internet without a legitimate username and
  password.  Squid's debugging output shows that the authenticator was
  returning an ok response for these nonexistent usernames and
  passwords.  At the time this happened, we would see "Warning: Received
  invalid reply digest from server" errors.  A squid -k reconfigure
  made those go away by restarting the authenticator children, of
  course, but running that once a minute is not an ideal solution.
 
 The invalid digest indicates the radius server and squid_radius_auth
 didn't agree on the shared secret authentication.

That's what I guessed, but I thought I'd leave that to you guys.

 As the problem is seen with both radius client implementations I would
 suspect there is something fishy going on with your server making it
 send out either malformed responses or changing between different
 secrets..

Could be.  This happened on the previous server (running RHEL ES 3)
and this new server (running RHEL ES 4).

  At the time of the error, netstat -na -u on the RHEL box shows:
  
  udp     2352      0 10.184.1.94:33009       10.184.1.56:1812        ESTABLISHED
 
  lsof shows that the process with the big recv queue is the
  authenticator.  This happens with both squid_radius_auth and my perl
  applet.
 
 This is a good hint, especially if combined with the digest error
 above..

One way I could trigger this was to run squid_radius_auth in a tight
loop.  Give it enough credentials close enough together and it chokes.

 I think I know what is going in squid_radius_auth here. The code dealing
 with retransmits looks a bit fishy..

Any assistance would be vastly appreciated.

In case it helps, here's my perl Radius code.  Anyone who has read the
test for auth::radius should recognize its origins.  

#!/usr/bin/perl
#$Id: radius_mwl.pl,v 1.2 2006/05/22 14:49:34 system_mwl Exp $

# basic Radius authenticator, for debugging

use strict;
use warnings;
use Authen::Radius;
use Sys::Syslog;

my $host   = "x.y.z.a";
my $secret = "secret1";

$| = 1;    # unbuffered stdout; Squid waits for each OK/ERR line

openlog("squid", "pid", "local0");

my $request = new Authen::Radius(Host => $host, Secret => $secret);
#my $request = new Authen::Radius(Host => $host, Secret => $secret, Debug => 1);

# Squid basic auth helper protocol: one "username password" line per request
while (<STDIN>) {
    chomp($_);
    my @creds = split(/ /, $_);

    if ($request->check_pwd($creds[0], $creds[1])) {
        print "OK\n";
        syslog("notice", "user $creds[0] radius auth correct");
    } else {
        print "ERR\n";
        syslog("notice", "user $creds[0] radius auth error");
    }
}


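Henrik's point above, that an "invalid reply digest" means the helper and the server disagree on the shared secret, can be seen on the wire. This added Python example (not code from the thread, from squid_radius_auth or from Authen::Radius) builds an Access-Request with the RFC 2865 User-Password hiding, answers it with a mock server holding a constructed credential table, and verifies the Response Authenticator the way a client must; with mismatched secrets the reply digest fails verification. The username, password and secrets are made up.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Constructed credential table for the mock server; not a real account.
USERS = {b"blahuser_t": b"hunter2"}

def encode_attrs(attrs):
    """Serialise [(type, value), ...] as Type/Length/Value triples."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs = {}
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[2:length]
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def recover_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, username, password, secret, request_auth=None):
    """Return (packet, request_authenticator); the client keeps the latter to check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject whose authenticator is computed over the request's."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Return (code, ident) when the reply digest checks out, else None.
    This is the check behind a client's 'invalid reply digest' warning."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return code, ident

def mock_server(request, server_secret):
    """Stand-in for the RADIUS server: decode the password with its own secret and answer."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request_auth)
    code = ACCESS_ACCEPT if USERS.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return build_response(code, ident, request_auth, b"", server_secret)

def exchange(username, password, client_secret, server_secret, ident=7):
    """One round trip. Returns the reply code the client accepts, or None when the
    digest fails, which is what a shared-secret mismatch looks like on the wire."""
    request, request_auth = build_access_request(ident, username, password, client_secret)
    reply = mock_server(request, server_secret)
    verified = verify_response(reply, request_auth, client_secret)
    return None if verified is None else verified[0]
```

Note that a secret mismatch also garbles the recovered password on the server side, so the server rejects; the client never sees that reject because the digest on it does not verify either.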




[squid-users] Further diagnosis on squid/radius auth problems

2006-05-23 Thread Michael W. Lucas

Hi,

I've had a whole series of issues with Squid and radius, and I believe
that at last I have some meat for diagnosis.  The problem seems to be
with squid_auth_radius, but this seems to be the only related mailing
list.

I'm using:

Squid Cache: Version 2.5.STABLE13
configure options:  --prefix=/usr/local/squid --enable-snmp 
--disable-internal-dns

on RHEL 4 with squid_radius_auth 1.08.

At times it has seemed that clients attempting to authenticate are
being rejected despite having good passwords.  Similarly, users have
been able to get out to the Internet without a legitimate username and
password.  Squid's debugging output shows that the authenticator was
returning an ok response for these nonexistent usernames and
passwords.  At the time this happened, we would see "Warning: Received
invalid reply digest from server" errors.  A squid -k reconfigure
made those go away by restarting the authenticator children, of
course, but running that once a minute is not an ideal solution.

I'm not comfortable doing random debugging in C, so I made an
alternate authenticator out of Perl, based on authen::radius, that
logged via syslogd whenever it attempted authentication and the
results of that authentication attempt.  Either the problem would go
away, or I'd have some debugging output.  :-)

The problem persisted, but I now logged requests that did and didn't
match and could compare them to the Radius logs.  The Radius
authenticator returned an error when the Radius server had returned
OK.

At the time of the error, netstat -na -u on the RHEL box shows:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 10.184.1.94:33006       10.184.1.56:1812        ESTABLISHED
udp        0      0 10.184.1.94:33007       10.184.1.56:1812        ESTABLISHED
udp        0      0 10.184.1.94:33008       10.184.1.56:1812        ESTABLISHED
udp     2352      0 10.184.1.94:33009       10.184.1.56:1812        ESTABLISHED
udp        0      0 10.184.1.94:33010       10.184.1.56:1812        ESTABLISHED

lsof shows that the process with the big recv queue is the
authenticator.  This happens with both squid_radius_auth and my perl
applet.

I see a couple of possibilities:

a) Red Hat ties up the buffer somehow
b) problem in the radius routines in squid_rad_auth
c) problem with squid taking the data back from authenticator, or
   interaction between squid and squid_rad_auth

Surely someone out there has experienced this?  Any pointers on where
to look further?

On a related note, should Squid use the same authenticator child most
of the time?  I have five running, but the log shows that the same
child gets queried again and again.  We rarely get busy enough to need
the second child, however.

==ml





[squid-users] restart authentication helpers

2006-05-17 Thread Michael W. Lucas

Hi,

I'm using Squid 2.5.stable13 on RHEL4 with the squid_radius_auth
helper, and have checked Google, the squid FAQ, and the config guide.

After a given squid_radius_auth has been running for a while it starts
to generate errors.  Right now, I'm clearing those errors with a squid
-k reconfigure, which appears to restart all the helper processes.

I'd like to restart helpers without kicking the whole cache -- say,
every 5 minutes, or after answering 100 requests.  Is there a way to
do this?

Thanks,
==ml



[squid-users] Where to look for re-authentication

2006-05-08 Thread Michael W. Lucas

Hi,

I've inherited a Squid 2.5 box that uses Websense for filtering and
squid_radius_auth against a Cisco ACS system for authentication.

This system asks for your username and password every fifteen minutes.

Trying to find where this is set is driving me nuts.  I understand
that Squid does not provide this function, as the credentials are
cached in the browser and Squid doesn't know the difference between
the cached creds and user-entered ones.  Fair enough.  But does anyone
have any idea where this is set, or where I should look in this setup?
It's obviously hooked into Squid, somewhere, somehow...

Thanks for any ideas or suggestions,

==ml

-- 
Michael W. Lucas[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

The cloak of anonymity protects me from the nuisance of caring. -Non Sequitur


Re: [squid-users] Where to look for re-authentication

2006-05-08 Thread Michael W. Lucas
On Mon, May 08, 2006 at 02:01:09PM +0200, Christoph Haas wrote:
 On Mon, May 08, 2006 at 07:41:02AM -0400, Michael W. Lucas wrote:
  I've inherited a Squid 2.5 box that uses Websense for filtering and
  squid_radius_auth against a Cisco ACS system for authentication.
  
  This system asks for your username and password every fifteen minutes.
  
  Trying to find where this is set is driving me nuts.  I understand
  that Squid does not provide this function
 
 Not quite right. You can indeed enforce re-authentication. It's just
 lousily documented. See:
 
 http://workaround.org/moin/HowSquidAclsWork#head-d6e6569888d3fc8fd4e0dd2031e09744d2bd38e7
 (Hmm, I should give it a shorter section name. :) )

Thanks for the pointer, that's quite clever.  But is there a way to do
this every 15 minutes, instead of by site?

 Another frequent cause of such re-authentications is an erroneous backend.
 The credentials are indeed cached in the browser, and from time to time
 Squid checks the backend whether the credentials are still valid. If the
 backend denies that then Squid will ask the user again for the credentials.
 The time that Squid believes the credentials are still valid without
 checking the backend is set in the auth_param basic credentialsttl
 parameter.

I'm actually trying to replace this system because of authentication
problems.  I wonder if my predecessor introduced intermittent
authentication errors in an effort to create a 15-minute repeat.
(That would be fine, except that sometimes invalid usernames and
passwords are accepted...)

Thanks much!

==ml



Re: [squid-users] Squid, radius, invalid user auth problem

2006-04-11 Thread Michael W. Lucas
On Mon, Apr 10, 2006 at 10:49:07PM +0200, Henrik Nordstrom wrote:
 On Fri 2006-04-07 at 22:08 -0400, Michael W. Lucas wrote:
  On Fri, Apr 07, 2006 at 11:49:48PM +0200, Henrik Nordstrom wrote:
   On Fri 2006-04-07 at 14:49 -0400, Michael W. Lucas wrote:
   
2006/04/07 14:10:34| helperSubmit: blahuser_t 88
2006/04/07 14:10:34| aclMatchUser: user is blahuser_t, case_insensitive 
is 0
2006/04/07 14:10:34| helperSubmit: http://slashdot.org/ 
10.184.184.193/- blahuser_t GET
   
   The interesting part is what is going on between the first two lines
   above.. Squid queried the auth helper, but what response did it get?
  
  Unfortunately, that's all that's in the log.  I'm on squid_radius_auth
  1.07, and couldn't find any logging options for it.
 
 
 Are you absolutely sure there is no other lines between those two? I
 thought this was only a grep of blahuser_t in cache.log, not a complete
 cache.log..

Yes, of course!  I'm a doofus, my apologies.

2006/04/07 14:10:34| helperSubmit: blahuser_t 88
2006/04/07 14:10:34| comm_poll: 2+0 FDs ready
2006/04/07 14:10:34| comm_poll: FD 69 ready for writing
2006/04/07 14:10:34| commHandleWrite: FD 69: off 0, sz 18.
2006/04/07 14:10:34| commHandleWrite: write() returns 18
2006/04/07 14:10:34| comm_poll: FD 295 ready for writing
2006/04/07 14:10:34| commHandleWrite: FD 295: off 0, sz 1380.
2006/04/07 14:10:34| commHandleWrite: write() returns 1380
2006/04/07 14:10:34| cbdataValid: 0xa551f30
2006/04/07 14:10:34| clientWriteComplete: FD 295, sz 1380, err 0, off 15180, len -1
2006/04/07 14:10:34| storeClientCopy: D0FC7FF3CE96707A9741E185ADA23C0C, seen 15180, want 15180, size 4096, cb 0x6c234d, cbdata 0xa551f30
2006/04/07 14:10:34| cbdataLock: 0xa5c0d08
2006/04/07 14:10:34| storeClientCopy2: D0FC7FF3CE96707A9741E185ADA23C0C
2006/04/07 14:10:34| storeClientCopy3: Copying from memory
2006/04/07 14:10:34| memCopy: offset 15180: size 4096
2006/04/07 14:10:34| cbdataValid: 0xa551f30
2006/04/07 14:10:34| clientSendMoreData: http://tarheelblue.cstv.com/sports/m-footbl/spec-rel/032206aac.html, 4096 bytes
2006/04/07 14:10:34| clientSendMoreData: FD 295 'http://tarheelblue.cstv.com/sports/m-footbl/spec-rel/032206aac.html', out.offset=15180
2006/04/07 14:10:34| comm_write: FD 295: sz 4096: hndl 0x6c2c10: data 0xa551f30.
2006/04/07 14:10:34| cbdataLock: 0xa551f30
2006/04/07 14:10:34| commSetSelect: FD 295 type 2
2006/04/07 14:10:34| cbdataUnlock: 0xa5c0d08
2006/04/07 14:10:34| cbdataUnlock: 0xa551f30
2006/04/07 14:10:34| comm_poll: 2+0 FDs ready
2006/04/07 14:10:34| comm_poll: FD 69 ready for reading
2006/04/07 14:10:34| cbdataValid: 0x9de9010
2006/04/07 14:10:34| helperHandleRead: 3 bytes from basicauthenticator #1.
2006/04/07 14:10:34| helperHandleRead: end of reply found
2006/04/07 14:10:34| cbdataValid: 0xa03e8c8
2006/04/07 14:10:34| authenticateBasicHandleReply: {OK}
2006/04/07 14:10:34| cbdataValid: 0xa34b178
2006/04/07 14:10:34| authenticateValidateUser: Validating Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateValidateUser: Validated Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| cbdataValid: 0x9d6c538
2006/04/07 14:10:34| aclCheck: checking 'http_access allow our_networks radius_auth  '
2006/04/07 14:10:34| aclMatchAclList: checking our_networks
2006/04/07 14:10:34| aclMatchAcl: checking 'acl our_networks src 10.0.0.0/8 192.168.0.0/16 127.0.0.0/8'
2006/04/07 14:10:34| aclMatchIp: '10.184.184.193' found
2006/04/07 14:10:34| aclMatchAclList: checking radius_auth
2006/04/07 14:10:34| aclMatchAcl: checking 'acl radius_auth proxy_auth REQUIRED  #  Use the radius proxy auth'
2006/04/07 14:10:34| authenticateAuthenticate: header Basic YmxhaHVzZXJfdDo4ODg4ODg=.
2006/04/07 14:10:34| authenticateValidateUser: Validating Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateValidateUser: Validated Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestLock auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestLock auth_user request '0xa5879a0' now at '2'.
2006/04/07 14:10:34| authenticateAuthUserRequestUnlock auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestUnlock auth_user_request '0xa5879a0' now at '1'.
2006/04/07 14:10:34| authenticateAuthUserRequestLock auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestLock auth_user request '0xa5879a0' now at '2'.
2006/04/07 14:10:34| authenticateValidateUser: Validating Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateValidateUser: Validated Auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestUnlock auth_user request '0xa5879a0'.
2006/04/07 14:10:34| authenticateAuthUserRequestUnlock auth_user_request '0xa5879a0' now at '1'.
2006/04/07 14:10:34| aclMatchUser: user is blahuser_t, case_insensitive is 0
2006/04/07 14:10:34| Top is (nil), Top-data is Unavailable
2006/04/07 14:10:34| aclMatchUser: user REQUIRED and auth
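The full cache.log above answers Henrik's question: between the helperSubmit for the bad password and the ACL match there is a helperHandleRead from basicauthenticator #1 and an authenticateBasicHandleReply of {OK}, so the helper itself accepted the credentials. Grepping for the username hides that, because the reply line does not contain the username. The script below is an added example, not code from the thread or from Squid; it walks an ALL,9 cache.log once and pairs every basic-auth helper query with the reply that follows it, so the OK/ERR verdict per username/password pair can be read off directly. It assumes the Squid 2.5 log format shown in the thread (timestamp, "| ", message), that a basic-auth query is logged as "helperSubmit: user password" with two whitespace-free tokens (the redirector's queries carry a URL and four tokens, as in the slashdot.org line), and it pairs queries with replies first-in-first-out, which is exact only when one query is outstanding at a time; with many concurrent clients treat the pairing as approximate. The sample log lines are constructed to mirror the ones posted, and the ERR reply for the first query is invented for illustration. Note that at this debug level Squid writes the submitted password in cleartext, so the log is itself a credential store and should be handled and deleted accordingly.

```python
"""Pair Squid 2.5 basic-auth helper queries with their replies in an ALL,9 cache.log.

Added example for the squid-users thread; not Squid's own code. Log format and
message texts follow the excerpt posted in the thread.
"""
import re
from collections import namedtuple

AuthResult = namedtuple("AuthResult", "timestamp user password reply")

# Every cache.log line starts with "YYYY/MM/DD HH:MM:SS| ".
LOG_LINE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (?P<msg>.*)$")
# helperSubmit is shared by all helpers (basic auth, redirector, ...).
SUBMIT = re.compile(r"^helperSubmit: (?P<payload>.*)$")
# The basic auth module logs the helper's answer as {OK...} or {ERR...}.
REPLY = re.compile(r"^authenticateBasicHandleReply: \{(?P<reply>[^}]*)\}")


def is_basic_auth_submit(payload):
    """A basic-auth query is "user password": exactly two tokens, no URL.
    (Assumption: Squid 2.5 sends both raw, so neither contains whitespace.)
    The redirector query "url ip/fqdn user method" has four tokens."""
    tokens = payload.split()
    return len(tokens) == 2 and "://" not in tokens[0]


def pair_auth_queries(lines):
    """Return one AuthResult per basic-auth query, in log order.

    Queries are queued until the next authenticateBasicHandleReply, which is
    taken as the answer to the oldest queued query (FIFO). A query that never
    receives a reply before the log ends is reported with reply=None.
    """
    pending = []
    results = []
    for raw in lines:
        m = LOG_LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # wrapped continuation or non-log text
        ts, msg = m.group("ts"), m.group("msg")
        s = SUBMIT.match(msg)
        if s:
            if is_basic_auth_submit(s.group("payload")):
                user, password = s.group("payload").split()
                pending.append((ts, user, password))
            continue
        r = REPLY.match(msg)
        if r and pending:
            ts0, user, password = pending.pop(0)
            results.append(AuthResult(ts0, user, password, r.group("reply")))
    for ts0, user, password in pending:
        results.append(AuthResult(ts0, user, password, None))
    return results


def accepted(results):
    """Only the queries the helper answered OK (Squid matches OK case-insensitively)."""
    return [r for r in results
            if r.reply is not None and r.reply.split(" ", 1)[0].upper() == "OK"]


# Constructed sample, modelled on the thread's excerpt. The ERR for the first
# query is invented; the thread's grep output did not include it.
SAMPLE_LOG = """\
2006/04/07 14:10:30| helperSubmit: blahuser_t euhtansoeuhtnsaoeu
2006/04/07 14:10:30| comm_poll: 2+0 FDs ready
2006/04/07 14:10:30| helperHandleRead: 4 bytes from basicauthenticator #1.
2006/04/07 14:10:30| authenticateBasicHandleReply: {ERR}
2006/04/07 14:10:34| helperSubmit: blahuser_t 88
2006/04/07 14:10:34| comm_poll: 2+0 FDs ready
2006/04/07 14:10:34| helperHandleRead: 3 bytes from basicauthenticator #1.
2006/04/07 14:10:34| helperHandleRead: end of reply found
2006/04/07 14:10:34| authenticateBasicHandleReply: {OK}
2006/04/07 14:10:34| helperSubmit: http://slashdot.org/ 10.184.184.193/- blahuser_t GET
2006/04/07 14:10:35| helperSubmit: jdoe hunter2
"""

if __name__ == "__main__":
    # Real use: pair_auth_queries(open("/var/log/squid/cache.log"))
    for r in pair_auth_queries(SAMPLE_LOG.splitlines()):
        print(r.timestamp, r.user, r.password, r.reply)
```

Run it over the real cache.log and look only at the accepted() rows: every entry whose password is not the user's real one is a query the helper (or the RADIUS server behind it) said yes to, which separates a helper fault from anything Squid does with its credential cache afterwards.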

[squid-users] Squid, radius, invalid user auth problem

2006-04-07 Thread Michael W. Lucas

Hi,

I'm having a problem with a Squid 2.5.stable3 installation using
squid_radius_auth and a Websense redirector on Red Hat ES r3.  At
times you get out even with invalid username and/or password.  What
makes this more fun is that it's intermittent, so I don't think it's a
basic acl problem.

Squid is not my strong point, so I'd appreciate any advice on how to
troubleshoot this.  (Of course, I've inherited the Squid box as part
of my new job, and this issue has just raised its ugly head.  Here
I've left it alone for a few weeks thinking "Oh, it's Squid, it's
working, I'll investigate it later," and now everyone's screaming.)

If you enter a valid username and a password you get Internet access,
as you would expect.

If you enter an invalid username and an invalid password, you might
get Internet access.  It appears that the longer Squid is running, the
greater chance you have of getting that access.

If you enter a valid username and an invalid password, you get asked
for a correct password.  Three tries later, it kicks you out.  Then
hit refresh, enter your invalid password, and you *might* get out.
Maybe not.

It seems that if you refresh often enough and have a bit of patience,
eventually you'll get out.

I've checked the radius server with squid_rad_auth -f
squid_rad_auth.conf and gotten the proper ERR and OK messages no
matter what combination of username/password I try.

We have 30 children for squid_rad_auth, but increasing it to 60 didn't
help.

Running with debug_options ALL,9 generates a lot of cache info
messages, but grepping for my bogus username gives me stuff like:

2006/04/07 14:10:30| helperSubmit: blahuser_t euhtansoeuhtnsaoeu
2006/04/07 14:10:30| authenticateBasicDecodeAuth: cleartext = 'blahuser_t:euhtansoeuhtnsaoeu'
2006/04/07 14:10:30| authBasicAuthUserFindUsername: Looking for user 'blahuser_t'
2006/04/07 14:10:30| authBasicDecodeAuth: Found user 'blahuser_t' in the user cache as '0xa4f29e8'
2006/04/07 14:10:30| authenticateStart: 'blahuser_t:euhtansoeuhtnsaoeu'
2006/04/07 14:10:30| helperSubmit: blahuser_t euhtansoeuhtnsaoeu

For the above two I get prompted again, but asking again got me in with:

2006/04/07 14:10:34| authenticateBasicDecodeAuth: cleartext = 'blahuser_t:88'
2006/04/07 14:10:34| authBasicAuthUserFindUsername: Looking for user 'blahuser_t'
2006/04/07 14:10:34| authBasicDecodeAuth: Found user 'blahuser_t' in the user cache as '0xa4f29e8'
2006/04/07 14:10:34| authenticateStart: 'blahuser_t:88'
2006/04/07 14:10:34| helperSubmit: blahuser_t 88
2006/04/07 14:10:34| aclMatchUser: user is blahuser_t, case_insensitive is 0
2006/04/07 14:10:34| helperSubmit: http://slashdot.org/ 10.184.184.193/- blahuser_t GET

Any suggestions would be most appreciated.

Thanks,
==ml

-- 
Michael W. Lucas[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

The cloak of anonymity protects me from the nuisance of caring. -Non Sequitur
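The post above checked the helper by running squid_rad_auth -f squid_rad_auth.conf by hand and got the expected ERR and OK, yet the fault is intermittent and seems to grow with uptime, so a single manual query proves little. The harness below is an added example, not code from the thread or from squid_radius_auth. It drives any Squid basic-auth helper over the protocol Squid uses, one "username password" line on stdin per query and one "OK ..." or "ERR ..." line on stdout per reply, sends the same invalid credentials many times in a row, and reports every query the helper answered OK. The helper path, the config file name, the user name and the password "secret" are assumptions; so that it runs offline, the block ships with a constructed stand-in helper that emulates the reported symptom by answering OK to every seventh query whatever the password, which is not a claim about how squid_radius_auth behaves. Point run_helper_queries at the real helper argv to test the actual installation.

```python
"""Soak-test a Squid basic-auth helper over its stdin/stdout protocol.

Added example for the squid-users thread; not Squid's or squid_radius_auth's code.
Protocol assumed: Squid writes "username password\n" per query, the helper answers
one line per query, "OK[ message]" or "ERR[ message]", in order. Neither token may
contain whitespace (Squid 2.5 sends them raw, as the posted log shows).
"""
import subprocess
import sys


def run_helper_queries(cmd, queries):
    """Start helper `cmd` (argv list), send each (user, password) query and read
    its reply before sending the next, so each reply is unambiguously paired.
    Returns [(user, password, reply_line), ...]."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)
    results = []
    try:
        for user, password in queries:
            proc.stdin.write(f"{user} {password}\n")
            proc.stdin.flush()
            reply = proc.stdout.readline()
            if not reply:
                raise RuntimeError("helper closed stdout after %d queries" % len(results))
            results.append((user, password, reply.rstrip("\n")))
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)
    return results


def unexpected_accepts(results, valid_credentials):
    """Every OK reply for a (user, password) pair not in the known-good set.
    Squid treats the first token case-insensitively, so 'ok' counts too."""
    return [(u, p, r) for u, p, r in results
            if r.split(" ", 1)[0].upper() == "OK" and (u, p) not in valid_credentials]


# Constructed stand-in helper so the example runs offline. It accepts only
# blahuser_t/secret, except that every seventh query is answered OK regardless,
# mimicking the intermittent acceptance the thread describes. Invented behaviour,
# not a statement about squid_radius_auth.
FAKE_HELPER = r'''
import sys
n = 0
for line in sys.stdin:
    n += 1
    user, _, password = line.rstrip("\n").partition(" ")
    ok = (user, password) == ("blahuser_t", "secret") or n % 7 == 0
    sys.stdout.write("OK\n" if ok else "ERR\n")
    sys.stdout.flush()
'''
FAKE_HELPER_CMD = [sys.executable, "-c", FAKE_HELPER]


def soak(cmd=FAKE_HELPER_CMD, user="blahuser_t", bad_password="88", rounds=50):
    """Send the same invalid credentials `rounds` times; return the OK replies.
    A correct helper returns an empty list."""
    results = run_helper_queries(cmd, [(user, bad_password)] * rounds)
    return unexpected_accepts(results, {(user, "secret")})


if __name__ == "__main__":
    # Against the real installation (paths assumed):
    # soak(["/usr/local/squid/libexec/squid_rad_auth", "-f", "squid_rad_auth.conf"])
    hits = soak()
    print("%d of 50 bad-password queries answered OK" % len(hits))
```

If the real helper never answers OK to a bad password over a few hundred rounds, the helper and RADIUS server are exonerated and the search moves to what Squid does after the helper's verdict; if it does, the RADIUS server's own accounting log for those timestamps shows whether the Access-Accept came from the server or was fabricated by the helper.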


Re: [squid-users] Squid, radius, invalid user auth problem

2006-04-07 Thread Michael W. Lucas
On Fri, Apr 07, 2006 at 11:49:48PM +0200, Henrik Nordstrom wrote:
> fre 2006-04-07 klockan 14:49 -0400 skrev Michael W. Lucas:
>
> > 2006/04/07 14:10:34| helperSubmit: blahuser_t 88
> > 2006/04/07 14:10:34| aclMatchUser: user is blahuser_t, case_insensitive is 0
> > 2006/04/07 14:10:34| helperSubmit: http://slashdot.org/ 10.184.184.193/- blahuser_t GET
>
> The interesting part is what is going on between the first two lines
> above.. Squid queried the auth helper, but what response did it get?

Unfortunately, that's all that's in the log.  I'm on squid_radius_auth
1.07, and couldn't find any logging options for it.

I'll be upgrading to the latest 2.5 this weekend, we'll see what happens.

==ml

-- 
Michael W. Lucas[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

The cloak of anonymity protects me from the nuisance of caring. -Non Sequitur

