RE: [squid-users] Video streaming in some cases not working
I am using SquidGuard with Squid 3.1.14 on Ubuntu and this type of message regarding two slashes is logged by it in the SquidGuard log, so it is possible SquidGuard was still running in the testing you performed where you thought you had removed SquidGuard from the configuration.

The log entry is labelled as a warning and I see quite a lot of them in the SquidGuard log on my proxy server. My guess is SquidGuard is not actually the cause(s) of the problem(s) you are observing if all it is doing is logging these warnings and not actually blocking access.

I visited the site and tried playing a few videos and they appeared to work (not sure what I was selecting though as I don't understand what I assume is Russian :-)). The video seemed slow to start though. I did notice a number of warnings from Internet Explorer 8 regarding "Errors on page" while loading the page in the URL you posted.

You may need to do some more in-depth investigation (perhaps using tcpdump) to track the TCP and HTTP exchanges between the browser and the web site to understand more about what is going on (or not going on).

Regards

Paul

> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Thursday, 15 December 2011 2:21 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Video streaming in some cases not working
>
> On 14/12/2011 3:06 p.m., Roman Gelfand wrote:
> > No, squidguard doesn't seem to be the problem as when I remove
> > squidguard out of the picture the problem is still there.
> >
> > Any ideas.
> >
> > Thanks
> >
> > On Tue, Dec 13, 2011 at 8:48 PM, Roman Gelfand wrote:
> >> Actually, I didn't see this at first, but it looks like the issue is
> >> with the squidguard. I realize this is not squidguard forum, but if
> >> you know a way to solve this I would appreciate it.
> >>
> >> 2011-12-13 20:38:22 [3699] WARN: Possible bypass attempt. Found
> >> multiple slashes where only one is expected:
> >> http://rb.newsru.com//cgi-bin/banner/148?21490&login=echo_214x92&referer=http://www.echo.msk.ru/
>
> This is not a Squid message. Look for whatever is actually producing
> that. Probably some intrusion detection system by the looks of it.
>
> Amos
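The SquidGuard warning above fires on a URL whose path contains a doubled slash. The following is an added example (not SquidGuard's or Squid's own code) showing the condition it checks for and why a filter normalises the path before matching a blocklist; the URL is the one quoted in the thread, the blocklist entry is constructed.

```python
"""Repeated-slash check and path normalisation for URL-filter matching.

Added example for the SquidGuard warning quoted in the thread; it is not
SquidGuard code.  BLOCKED_PREFIXES is a constructed sample list entry.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# URL quoted in the thread (the '//' after the host is in the path part).
THREAD_URL = ("http://rb.newsru.com//cgi-bin/banner/148"
              "?21490&login=echo_214x92&referer=http://www.echo.msk.ru/")

# Constructed host/path prefix in the style of a SquidGuard "urls" list.
BLOCKED_PREFIXES = ["rb.newsru.com/cgi-bin/banner"]


def has_duplicate_slashes(url):
    """True when the *path* contains '//' (the '//' inside the query's
    referer=http://... is not part of the path and does not count)."""
    return "//" in urlsplit(url).path


def normalise_path(url):
    """Collapse runs of slashes in the path so list matching sees one
    canonical form whatever the client or origin server sent."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=re.sub(r"/{2,}", "/", parts.path)))


def blocked_by_prefix(url, prefixes, normalise=True):
    """Prefix-match host+path against a list.  Without normalisation the
    doubled slash makes 'rb.newsru.com//cgi-bin/...' miss the entry."""
    target = normalise_path(url) if normalise else url
    parts = urlsplit(target)
    hostpath = parts.netloc + parts.path
    return any(hostpath.startswith(p) for p in prefixes)


if __name__ == "__main__":
    print("duplicate slashes:", has_duplicate_slashes(THREAD_URL))
    print("raw match:       ", blocked_by_prefix(THREAD_URL, BLOCKED_PREFIXES, False))
    print("normalised match:", blocked_by_prefix(THREAD_URL, BLOCKED_PREFIXES))
```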
RE: [squid-users] Problem compiling Squid 3.1.18 on Ubuntu 10.04 LTS - store.cc
Amos

Thank you for the very prompt reply. Unfortunately I need ICAP so I will need to wait until the problem is resolved, although I guess in the interim I can do as you mention and simply comment out this line and forgo the debugging output.

Good luck trying to find the root cause.

Regards

Paul

> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Tuesday, 6 December 2011 2:10 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Problem compiling Squid 3.1.18 on Ubuntu 10.04
> LTS - store.cc
>
> On Tue, 6 Dec 2011 03:01:40 +, Paul Freeman wrote:
> > Hi,
> > I have come across a problem compiling Squid 3.1.18 on Ubuntu 10.04
> > LTS (gcc 4.4.3, latest updates from Ubuntu). The problem occurs in
> > store.cc and has been reported in an earlier post (3 Dec 2011)
> > related to compiling 3.1.17.
> >
> > Another user has also reported this issue on the squid-dev mailing
> > list on 5 Dec 2011 but I have not seen a reply yet.
> >
> > The error is as follows:
> > store.cc: In member function 'void StoreEntry::deferProducer(const
> > RefCount&)':
> > store.cc:376: error: no match for 'operator<<' in 'std::operator<<
> > [with _Traits = ...
> >
> > My knowledge of C++ is limited so I am not sure how to resolve the
> > problem.
>
> Don't worry. This nasty trace is stressing the eyes of us familiar with
> C++ as well.
>
> >
> > Someone has reported successfully compiling 3.1.18 on Solaris so
> > perhaps the Solaris C++ libraries are a little different than in
> > Ubuntu 10.04 LTS.
> >
> > I am happy to assist with any testing that might be required.
>
> It is only affecting adaptation (ICAP/eCAP) builds, so if you can run
> happily without those features use --disable, or comment out line 376 of
> src/store.cc.
>
> Thank you for the testing offer. We can replicate it already so the
> only help needed is C++ familiar eyes to find which of this nested set
> of templates is missing a required print() operator.
>
> Amos
[squid-users] Problem compiling Squid 3.1.18 on Ubuntu 10.04 LTS - store.cc
Hi,

I have come across a problem compiling Squid 3.1.18 on Ubuntu 10.04 LTS (gcc 4.4.3, latest updates from Ubuntu). The problem occurs in store.cc and has been reported in an earlier post (3 Dec 2011) related to compiling 3.1.17.

Another user has also reported this issue on the squid-dev mailing list on 5 Dec 2011 but I have not seen a reply yet.

The error is as follows:

store.cc: In member function 'void StoreEntry::deferProducer(const RefCount&)':
store.cc:376: error: no match for 'operator<<' in 'std::operator<< [with _Traits = ...

My knowledge of C++ is limited so I am not sure how to resolve the problem.

Someone has reported successfully compiling 3.1.18 on Solaris so perhaps the Solaris C++ libraries are a little different than in Ubuntu 10.04 LTS.

I am happy to assist with any testing that might be required.

Thanks

Paul
[squid-users] RE: squid owa Exchange 2010 / slow load
Jan-Peter

I came across the same behaviour late last year when implementing Squid v3.0stable19 (the version which was available as part of Ubuntu 10.04LTS) as a reverse proxy for Exchange 2010 OWA and ActiveSync. I found the browser would pause early on in the connection to OWA for approx 2 min but once this passed I could restart the browser and the pause would no longer occur. If the browser cache was cleared and the browser restarted, the pause returned.

What version of Squid are you using?

With the assistance of Amos we found the pause was due to issues with chunked Transfer-Encoding header compatibility. Amos suggested I try one of the Squid 3.1.x series due to the improved handling of this. I changed to Squid 3.1.8 and this resolved the problem.

Regards

Paul

> -----Original Message-----
> From: Koopmann, Jan-Peter [mailto:jan-peter.koopm...@seceidos.de]
> Sent: Monday, 30 May 2011 9:05 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] squid owa Exchange 2010 / slow load
>
> Hi,
>
> this topic came up here quite a while ago however without really finding a
> solution. We configured a squid reverse proxy for Exchange 2010 (owa,
> active-sync etc.). All is working quite well with a small exception: The
> first load of owa takes 2-3 minutes. According to firebug the time is
> spent in uglobal.js (> 2m). Once all is loaded things seem to work just
> fine. This happens with every browser I tested (IE, Firefox, Safari,
> Chrome) at least once during the initial load of the page. If you kill the
> browser and restart OWA things are ok. This does NOT happen if I address
> the Exchange server OWA in question directly, at least I was not able to
> reproduce it.
>
> Any idea where/how to look? cache.log does not say anything regarding
> this.
>
> Kind regards,
>    JP
>
> --
> Seceidos GmbH&Co. KG    | Tel: +49 (6151) 66843-43
> Pfarrer-Staiger-Str. 39 | Fax: +49 (6151) 66843-52
> 55299 Nackenheim        | Mobile:
> http://www.seceidos.de/ | Skype: jpkmobil
> E-Mail: jan-peter.koopm...@seceidos.de
> HRA 40961, Amtsgericht Mainz
> Personally liable partner: Seceidos Verwaltungs GmbH, Nackenheim
> HRB 42292, Amtsgericht Mainz
> Managing Director: Jan-Peter Koopmann
RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Markus

After further investigation using gdb I have been able to determine the problem is caused by a particular combination of encryption and checksum types which seems to only occur (at this stage) in Windows 2008 R2 and possibly Windows 7, although I have not confirmed this.

In my Windows 2008 R2 environment (including Active Directory, running in Windows 2003 mode rather than Windows 2008), the keytab which I created for squid using msktutil (with enctypes = 28) gave me keys encrypted with ArcFour with HMAC/md5, AES-128 CTS mode with 96-bit SHA-1 HMAC and AES-256 CTS mode with 96-bit SHA-1 HMAC.

The problem lies with the Kerberos libraries installed with Ubuntu 10.04 LTS (1.8.1+dfsg-2ubuntu0.3). They return an error when working with AES-256 and the checksum encryption type ArcFour with HMAC/md5. This has been reported on the MIT Kerberos developers list (http://mailmain.mit.edu/pipermail/krbdev/2010-July/009148.html) and assigned ticket 6751. This has been resolved and included in the MIT Kerberos 1.8.3 release. However, it does not appear to have been backported to Ubuntu 10.04 LTS yet.

I compiled the MIT Kerberos 1.8.3 source and re-built squid_kerb_auth against these libraries and the problem no longer occurs, i.e. a domain user logged into a Windows 2008 R2 server can authenticate using Kerberos in IE8. Kerberos authentication continues to work with IE8 and Firefox in Windows XP for domain users.

I greatly appreciate the assistance of Markus Moeller in resolving this. Without his guidance and suggestions it would have taken me a lot longer to nail down the problem.

Hopefully this information will be of some use to others.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Sunday, 31 October 2010 6:45 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> My tests show the same. RC4 works but AES 128/256 fail. It seems to be
> some incompatibility between MS and MIT/Heimdal Kerberos libraries
> introduced in R2
>
> Markus
>
> "DmitrySh" wrote in message
> news:1288361044027-3019158.p...@n4.nabble.com...
> >
> > I solved the problem on Win7 (temporarily)
> > I set RC4-HMAC type for kerberos transactions in Local Security Policy
> > http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
> > Now both keys on client machine are in RC4-HMAC type (krbtgt and
> > HTTP/fqdn_of_proxy)
> > That helps in my case.
> > Sounds not so good if this be AES256, but I think it's before of mixed
> > mode of AD (2003 and 2008).
> > Try to communicate with microsoft about this.
> > P.S. Sorry for my English :)
> >
> > Regards,
> > Dmitry
> > --
> > View this message in context:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-using-squid-kerb-auth-with-Internet-Explorer-8-on-Windows-Server-2008-R2-tp3013070p3019158.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
>
> __ Information from ESET Smart Security, version of virus signature
> database 5586 (20101102) __
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com

__ Information from ESET Smart Security, version of virus signature database 5589 (20101103) __

The message was checked by ESET Smart Security.

http://www.eset.com
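The resolution above comes down to comparing the enctype of the service ticket the Windows client presents with the keys in the proxy keytab, and then checking whether the krb5 library on the proxy predates the 1.8.3 fix. The following added example (not code from Squid, MIT Kerberos, msktutil or the original poster) does that offline from klist output; the klist listings embedded in it are constructed samples in the formats quoted in this thread, and the enctype bitmask values are those of msDS-SupportedEncryptionTypes, which msktutil's enctypes option takes.

```python
"""Correlate a client's Kerberos service-ticket enctype with the proxy keytab.

Added example for the squid_kerb_auth thread; not Squid, MIT or msktutil
code.  SAMPLE_* strings are constructed in the formats the thread quotes.
"""
import re

# Bits of msDS-SupportedEncryptionTypes (the mask msktutil's "enctypes"
# takes); the thread's value 28 is 0x4 | 0x8 | 0x10.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES-128-CTS-HMAC-SHA1-96",
    0x10: "AES-256-CTS-HMAC-SHA1-96",
}

# Long enctype names printed by MIT "klist -ekt" (as quoted in the thread),
# mapped to the short names Windows klist prints, so both can be compared.
MIT_KEYTAB_NAMES = {
    "ArcFour with HMAC/md5": "RC4-HMAC",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "AES-128-CTS-HMAC-SHA1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "AES-256-CTS-HMAC-SHA1-96",
}

# Release that, per the thread, carries the fix for MIT ticket 6751
# (AES-256 session key used with an RC4-HMAC checksum).
KRB5_FIXED_VERSION = (1, 8, 3)

# Constructed sample: keytab listing for a principal created with enctypes=28.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (ArcFour with HMAC/md5)
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# Constructed samples of Windows "klist" output for the two client types.
SAMPLE_XP_TICKET = """\
Server: HTTP/my-proxy-server.my.domain@MY.DOMAIN
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
"""
SAMPLE_2008R2_TICKET = """\
Client: my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a0 -> forwardable renewable pre_authent
Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""


def decode_enctype_mask(mask):
    """Expand a SupportedEncryptionTypes bitmask into enctype names."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def parse_mit_keytab_listing(text):
    """Return {principal: {enctype, ...}} from 'klist -ekt' output."""
    row = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")
    keys = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            enctype = MIT_KEYTAB_NAMES.get(m.group(2), m.group(2))
            keys.setdefault(m.group(1), set()).add(enctype)
    return keys


def parse_windows_klist(text):
    """Return [(service principal, enctype)] from Windows 'klist' output."""
    tickets, server = [], None
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        if label == "Server":
            server = value.replace(" ", "")   # "HTTP/host @ REALM" -> MIT form
        elif label == "KerbTicket Encryption Type" and server:
            # Windows names RC4 "RSADSI RC4-HMAC(NT)"; fold to the short name.
            enctype = "RC4-HMAC" if "RC4-HMAC" in value else value.strip()
            tickets.append((server, enctype))
    return tickets


def parse_krb5_version(version_string):
    """'1.8.1+dfsg-2ubuntu0.3' -> (1, 8, 1); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised krb5 version: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def assess(ticket_text, keytab_text, krb5_version_string):
    """Explain why squid_kerb_auth might reject the ticket, or return 'OK'."""
    keytab = parse_mit_keytab_listing(keytab_text)
    krb5 = parse_krb5_version(krb5_version_string)
    for server, enctype in parse_windows_klist(ticket_text):
        have = keytab.get(server, set())
        if enctype not in have:
            return "FAIL: keytab has no %s key for %s (has: %s)" % (
                enctype, server, ", ".join(sorted(have)) or "nothing")
        if enctype.startswith("AES-256") and krb5 < KRB5_FIXED_VERSION:
            return ("WARN: AES-256 ticket on krb5 %d.%d.%d; the AES-256/RC4-HMAC "
                    "checksum bug (MIT ticket 6751) is fixed in 1.8.3" % krb5)
    return "OK"


if __name__ == "__main__":
    print("enctypes=28 ->", decode_enctype_mask(28))
    for name, t in (("XP", SAMPLE_XP_TICKET), ("2008 R2", SAMPLE_2008R2_TICKET)):
        print(name, "on krb5 1.8.1:", assess(t, SAMPLE_KEYTAB, "1.8.1+dfsg-2ubuntu0.3"))
        print(name, "on krb5 1.8.3:", assess(t, SAMPLE_KEYTAB, "1.8.3"))
```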
RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Markus

OK - I was not sure whether the Kerberos libraries used openssl code.

I have captured traffic for the following where a domain user is logged onto a w2k8 R2 server (named my-server.my.domain for this discussion) running the 32-bit version of IE8:
1. Between my-server.my.domain and the AD servers
2. Between my-server.my.domain and the squid 3.1.8 proxy server.

I have also captured the traffic between the proxy server and the AD servers while executing the kinit command you requested.

It's probably not a good idea to post the logs here. Is there anything you want me to look for?

I have done some investigation and notice a couple of things which may or may not be relevant or important:
1. When my-server.my.domain issues the TGS-REQ it specifies the forwardable, renewable and canonicalize flags. For a similar setup except using Win XP, only the forwardable and renewable flags are set.
2. For the browser session on my-server.my.domain I notice there are repeated AS-REQ/TGS-REQ requests, even though as far as I can tell the requests are granted. There are also (probably expected) multiple KRB Error: KRB5KDC_ERR_PRE_PREAUTH_REQUIRED messages which look like they match the AS-REQ/TGS-REQ requests.

When I look in the security logs of the 2 AD domain controllers, I do not see any failed Kerberos events but I notice the requests from server my-server.my.domain have the Client-Address: value set to ::fff:192.168.x.y. I presume this is an IPv6 address? IPv6 is not selected on the nic of my-server.my.domain. For the Win XP server, there are 2 event log entries, one for Client-Address: ::fff:192.168.x.z and the next one for Client-Address is 192.168.x.z. I have not observed the multiple Kerberos requests on Win XP.

Please let me know how I can further assist this investigation.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 27 October 2010 9:15 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> As far as I know the Kerberos libraries do not use openssl code. Can you
> capture the traffic between your 2008 server and AD on port 88 and between
> the 2008 server and squid on 3128 (the squid port). Can you also capture the
> traffic between squid and AD when you try a kinit -kt squid.keytab
> HTTP/my-proxy-server.my.dom...@my.domain
>
> Regards
> Markus
>
> "Paul Freeman" wrote in message
> news:19672eecfb9ae340833c84f3e90b595604378...@mel-ex-01.eml.local...
> Hi Nick
> Thanks for looking at this. I appreciate your help.
>
> My answers to your questions are in line below
>
> > -----Original Message-----
> > From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> > Sent: Tuesday, 26 October 2010 8:36 PM
> > To: Paul Freeman; Squid Users
> > Subject: Re: [squid-users] Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> > On 26/10/2010 03:56, "Paul Freeman" wrote:
> >
> > >Hi.
> > >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> > >enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> > >This setup is working well and successfully authenticates Windows domain
> > >users when they are logged in using their domain credentials on Windows
> > >XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
> > >
> > >Squid is configured with two helpers, the first, squid_kerb_auth and
> > >the second, the Samba ntlm helper.
> > >
> > >However, today I came across a problem when using Internet Explorer 8
> > >on a server running Windows Server 2008 R2. The IE8 enhanced security
> > >mode is disabled and the logged in user is a standard domain user. The
> > >Windows server is joined to the domain and is not a domain controller.
> > >The Windows server is up to date with Microsoft patches and updates.
> > >
> > >Authentication is failing for some reason. Instead of authenticating
> > >silently, the user is prompted for a username and password 6 times
> > >before receiving the Cache Access Denied message.
> > >
> > >If I disable the squid_kerb_auth helper in squid.conf and restart
> > >squid, leaving only the Samba NTLM helper, authentication works
> > >successfully.
> > >
> > >In cache.log I find:
> > >squid_kerb_auth: DEBUG: Got 'YR YII...
> > >
RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Sorry to reply to my own email but I realised I have not properly described the encryption type problem I had with https, which may mean my theory about it being similar to the Kerberos problem is incorrect.

The certificate encryption problem I had on Ubuntu 10.04 LTS was due to the Windows Root CA issuing the web server certificate with the sha256RSA signature algorithm. Apparently OpenSSL on ubuntu cannot manage this.

Sorry for any confusion.

Regards

Paul

> -----Original Message-----
> From: Paul Freeman [mailto:paul.free...@eml.com.au]
> Sent: Wednesday, 27 October 2010 8:13 AM
> To: Nick Cairncross; Squid Users
> Subject: RE: [squid-users] Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Nick
> Thanks for looking at this. I appreciate your help.
>
> My answers to your questions are in line below
>
> > -----Original Message-----
> > From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> > Sent: Tuesday, 26 October 2010 8:36 PM
> > To: Paul Freeman; Squid Users
> > Subject: Re: [squid-users] Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> > On 26/10/2010 03:56, "Paul Freeman" wrote:
> >
> > >Hi.
> > >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> > >enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> > >This setup is working well and successfully authenticates Windows domain
> > >users when they are logged in using their domain credentials on Windows
> > >XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
> > >
> > >Squid is configured with two helpers, the first, squid_kerb_auth and
> > >the second, the Samba ntlm helper.
> > >
> > >However, today I came across a problem when using Internet Explorer 8
> > >on a server running Windows Server 2008 R2. The IE8 enhanced security
> > >mode is disabled and the logged in user is a standard domain user. The
> > >Windows server is joined to the domain and is not a domain controller.
> > >The Windows server is up to date with Microsoft patches and updates.
> > >
> > >Authentication is failing for some reason. Instead of authenticating
> > >silently, the user is prompted for a username and password 6 times
> > >before receiving the Cache Access Denied message.
> > >
> > >If I disable the squid_kerb_auth helper in squid.conf and restart
> > >squid, leaving only the Samba NTLM helper, authentication works
> > >successfully.
> > >
> > >In cache.log I find:
> > >squid_kerb_auth: DEBUG: Got 'YR YII...
> > >squid_kerb_auth: DEBUG: Decode 'YII...
> > >squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
> > >failure. Minor code may provide more information.
> > >squid_kerb_auth: INFO: User not authenticated
> > >authenticateNegotiateHandleReply: Error validating user via Negotiate.
> > >Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS
> > >failure. Minor code may provide more information. '
> > >
> > >Has anyone else found this with IE8 on Windows Server 2008 R2? Is it
> > >due to the 64-bit version of IE8 or some unusual interaction between the
> > >IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth
> > >module?
> > >
> > >I have a Wireshark capture of the traffic between the browser session
> > >on Windows Server 2008 R2 and the proxy server during authentication
> > >and would like to assist with investigating the problem further if
> > >someone can provide some advice as to where to look.
> > >
> > >Regards
> > >
> > >Paul
> >
> > Hi Paul,
> > Just my thoughts (which are minor in relation to the power of other
> > listers..!): Are you specifically running the 64-bit version of IE? How
> > does your DNS look? A/PTR records all in order? What does kerbtray show?
> > What encoding for kerberos are you using? What does klist -ekt
> > show? Correct FQDN in your browser?
> > Cheers
> > Nick
> >
> I presumed IE8 was the 64-bit version but on further checking I have
> found it is the 32-bit version. The 64-bit version i
RE: [squid-users] Re: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Markus

Don't worry about asking too many questions - I am happy to answer. Generally questions will lead to some sort of answer or at least a greater understanding of the problem.

I just sent a reply to Nick's email and in that I mention the difference between encryption types for Kerberos tickets on Win XP and Win 2008 R2. I suspect this is the problem - in particular AES-256 encryption.

I have checked on the Windows 2008 R2 servers and cannot see the patch 951191 installed. Reading up on the Microsoft site about this patch, it seems it only applies to Windows 2008 (32-bit and 64-bit) rather than Windows 2008 R2.

Unfortunately, I don't have a Win 7 workstation to try.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 27 October 2010 7:38 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Re: Authentication using squid_kerb_auth
> with Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Did you install http://support.microsoft.com/kb/951191 onto your 2008 AD
> server (it did not work in my case without this patch) ?
>
> If it is not related to the above, do you know if your 2008 server tries to
> use AES encryption (check the exchange between your 2008 server and AD on
> port 88) ?
>
> Do you have any Windows 7 clients too ? Do they work ?
>
> Sorry for that many questions.
>
> Regards
> Markus
>
>
> "Paul Freeman" wrote in message
> news:19672eecfb9ae340833c84f3e90b595604378...@mel-ex-01.eml.local...
> Hi Markus
> My AD servers (I have 2) are both Windows 2008 R2. AD is running at the
> 2003 functional level. The AD environment is the same one that is working
> OK with Squid and Kerberos authentication for Windows XP workstations
> running IE8.
>
> Regards
>
> Paul
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:hua...@moeller.plus.com]
> > Sent: Wednesday, 27 October 2010 5:09 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> > Hi Paul,
> >
> > Is your AD server 2003 or 2008 ?
> >
> > Markus
> >
> > "Paul Freeman" wrote in message
> > news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local...
> > Hi.
> > I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> > enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> > This setup is working well and successfully authenticates Windows domain
> > users when they are logged in using their domain credentials on Windows
> > XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
> >
> > Squid is configured with two helpers, the first, squid_kerb_auth and
> > the second, the Samba ntlm helper.
> >
> > However, today I came across a problem when using Internet Explorer 8
> > on a server running Windows Server 2008 R2. The IE8 enhanced security
> > mode is disabled and the logged in user is a standard domain user. The
> > Windows server is joined to the domain and is not a domain controller.
> > The Windows server is up to date with Microsoft patches and updates.
> >
> > Authentication is failing for some reason. Instead of authenticating
> > silently, the user is prompted for a username and password 6 times
> > before receiving the Cache Access Denied message.
> >
> > If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> > leaving only the Samba NTLM helper, authentication works successfully.
> >
> > In cache.log I find:
> > squid_kerb_auth: DEBUG: Got 'YR YII...
> > squid_kerb_auth: DEBUG: Decode 'YII...
> > squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
> > failure. Minor code may provide more information.
> > squid_kerb_auth: INFO: User not authenticated
> > authenticateNegotiateHandleReply: Error validating user via Negotiate.
> > Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS
> > failure. Minor code may provide more information. '
> >
> > Has anyone else found this with IE8 on Windows Server 2008 R2? Is it
> > due to the 64-bit version of IE8 or some unusual interaction between the
> > IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth
> > module?
> >
> > I have a Wireshark capture of the traffic between the browser session
> > on Windows Server 2008 R2 and the proxy server during authentication
> > and would like to assist with investigating the problem further if
> > someone can provide some advice as to where to look.
> >
> > Regards
> >
> > Paul
> >
> >
RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi Nick

Thanks for looking at this. I appreciate your help.

My answers to your questions are in line below

> -----Original Message-----
> From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> Sent: Tuesday, 26 October 2010 8:36 PM
> To: Paul Freeman; Squid Users
> Subject: Re: [squid-users] Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> On 26/10/2010 03:56, "Paul Freeman" wrote:
>
> >Hi.
> >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> >enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> >This setup is working well and successfully authenticates Windows domain
> >users when they are logged in using their domain credentials on Windows
> >XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
> >
> >Squid is configured with two helpers, the first, squid_kerb_auth and
> >the second, the Samba ntlm helper.
> >
> >However, today I came across a problem when using Internet Explorer 8
> >on a server running Windows Server 2008 R2. The IE8 enhanced security
> >mode is disabled and the logged in user is a standard domain user. The
> >Windows server is joined to the domain and is not a domain controller.
> >The Windows server is up to date with Microsoft patches and updates.
> >
> >Authentication is failing for some reason. Instead of authenticating
> >silently, the user is prompted for a username and password 6 times
> >before receiving the Cache Access Denied message.
> >
> >If I disable the squid_kerb_auth helper in squid.conf and restart
> >squid, leaving only the Samba NTLM helper, authentication works
> >successfully.
> >
> >In cache.log I find:
> >squid_kerb_auth: DEBUG: Got 'YR YII...
> >squid_kerb_auth: DEBUG: Decode 'YII...
> >squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
> >failure. Minor code may provide more information.
> >squid_kerb_auth: INFO: User not authenticated
> >authenticateNegotiateHandleReply: Error validating user via Negotiate.
> >Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS
> >failure. Minor code may provide more information. '
> >
> >Has anyone else found this with IE8 on Windows Server 2008 R2? Is it
> >due to the 64-bit version of IE8 or some unusual interaction between the
> >IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth
> >module?
> >
> >I have a Wireshark capture of the traffic between the browser session
> >on Windows Server 2008 R2 and the proxy server during authentication
> >and would like to assist with investigating the problem further if
> >someone can provide some advice as to where to look.
> >
> >Regards
> >
> >Paul
>
> Hi Paul,
> Just my thoughts (which are minor in relation to the power of other
> listers..!): Are you specifically running the 64-bit version of IE? How
> does your DNS look? A/PTR records all in order? What does kerbtray show?
> What encoding for kerberos are you using? What does klist -ekt
> show? Correct FQDN in your browser?
> Cheers
> Nick
>

I presumed IE8 was the 64-bit version but on further checking I have found it is the 32-bit version. The 64-bit version is also installed and I have tried that with the same result.

As far as I know (I set DNS up :-) ), DNS is configured correctly with forward and reverse records.

I checked the Kerberos tickets on a Windows XP workstation that authenticates correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server using IE8 (32-bit and 64-bit) and found tickets for the proxy server as follows:

Win XP Workstation:
Server: HTTP/my-proxy-server.my.dom...@my.domain
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
Renew Time: 11/3/2010 7:37:35

Win 2008 R2 server:
Client: my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a0 -> forwardable renewable pre_authent
Start Time: 10/27/2010 7:30:13 (local)
End Time: 10/27/2010 17:17:38 (local)
Renew Time: 11/3/2010 7:17:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96

The key difference is the ticket encryption type: RC4-HMAC for Win XP vs AES-256-HMAC-SHA1 for Win 2008 R2.

On the proxy server, klist -ekt ticket_file shows:

KVNO Timestamp         Principal
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.dom...@my.domain
RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi Markus

My AD servers (I have 2) are both Windows 2008 R2. AD is running at the 2003 functional level. The AD environment is the same one that is working OK with Squid and Kerberos authentication for Windows XP workstations running IE8.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 27 October 2010 5:09 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Is your AD server 2003 or 2008 ?
>
> Markus
>
> "Paul Freeman" wrote in message
> news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local...
> Hi.
> I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have
> enabled Kerberos/NTLM authentication using the squid_kerb_auth helper.
> This setup is working well and successfully authenticates Windows domain
> users when they are logged in using their domain credentials on Windows
> XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
>
> Squid is configured with two helpers, the first, squid_kerb_auth and
> the second, the Samba ntlm helper.
>
> However, today I came across a problem when using Internet Explorer 8
> on a server running Windows Server 2008 R2. The IE8 enhanced security
> mode is disabled and the logged in user is a standard domain user. The
> Windows server is joined to the domain and is not a domain controller.
> The Windows server is up to date with Microsoft patches and updates.
>
> Authentication is failing for some reason. Instead of authenticating
> silently, the user is prompted for a username and password 6 times
> before receiving the Cache Access Denied message.
>
> If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> leaving only the Samba NTLM helper, authentication works successfully.
>
> In cache.log I find:
> squid_kerb_auth: DEBUG: Got 'YR YII...
> squid_kerb_auth: DEBUG: Decode 'YII...
> squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
> failure. Minor code may provide more information.
> squid_kerb_auth: INFO: User not authenticated
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS
> failure. Minor code may provide more information. '
>
> Has anyone else found this with IE8 on Windows Server 2008 R2? Is it
> due to the 64-bit version of IE8 or some unusual interaction between the
> IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth
> module?
>
> I have a Wireshark capture of the traffic between the browser session
> on Windows Server 2008 R2 and the proxy server during authentication
> and would like to assist with investigating the problem further if
> someone can provide some advice as to where to look.
>
> Regards
>
> Paul
>
[squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.

Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look. Regards Paul
RE: [squid-users] 304 response preventing site from loading
Shawn
I have seen Amos' reply regarding a possible bug in the version of squid you are using and his suggestion to upgrade and try again.

After seeing your question, I did some testing using different versions of squid I have access to - Squid 3.1.8 and Squid 2.6stable18. Both squid installations are using authentication (Kerberos/NTLM for 3.1.8 and ntlm/basic for 2.6stable18) and are running on Ubuntu - 3.1.8 on Ubuntu 10.04LTS and 2.6stable18 on Ubuntu 8.04LTS. Transparent interception is _not_ being used in either installation.

I tested using Firefox v 3.6.3 and found that going direct (not using squid) works OK (approx 30 sec page load) but going via squid 3.1.8 or squid 2.6stable eventually works but is very slow (approx 4-5 minutes to load the entire page contents).

Basically, I have found these squid versions both work and load the page successfully but for me, the page is slow to load when using squid compared with going direct. I have investigated this further and the problem may be related to some aspect related to networking on my squid server OS (linux) rather than squid but I am not sure.

For those who are interested, please read on ... (a bit long) :-)

Regards

Paul Freeman

The discussion below refers to my investigation using squid 3.1.8. It is running on Ubuntu 10.04LTS and was compiled from a source package created by Amos Jeffries (thanks Amos). The client workstation is running Windows XP SP3.

Doing some wireshark packet traces of the traffic leads me to think the slowness is in retrieving two urls:
http://www.dushkin.com/web-cgi/olc/nytfeed.pl?DCID=984&N=3
http://www.dushkin.com/web-cgi/olc/gencurrentnew.pl?DCID=984&N=3

Both the GET requests for these urls get 302 re-direct responses as follows (same order as urls above):
http://www.mhcls.com/cls/web-cgi/olc/nytfeed.pl?DCID=984&N=3
http://www.mhcls.com/cls/web-cgi/olc/gencurrentnews.pl?DCID=984&N=3

Requests to these re-direct urls also receive 302 re-direct responses as follows (same order as urls above):
http://www.mhhe.com/cls/?DCID=984&N=3
http://www.mhhe.com/cls/?DCID=984&N=3

It is this last url (http://www.mhhe.com/cls/?DCID=984&N=3) that seems to take a long time to retrieve by squid.

I originally thought the slowness may have to do with the HTTP/1.1 feature of Transfer-Encoding: chunked as I have come across this in some other work I have been doing recently. This header is included in the www.dushkin.com and www.mhcls.com 302 re-direct responses. I noticed in the header the word chunked is all lower case. This does not appear to be in violation of the HTTP/1.1 spec but some versions of squid use a case sensitive compare for "Chunked" (capital C) and thus do not match on "chunked". In some instances and squid versions, the Transfer-Encoding: chunked/Chunked header can cause squid to not be able to determine when all the data to fulfil the GET request has been supplied and so it waits. Eventually the web server replying to the GET request will timeout the connection (timeout varies depending on the web server but can be of the order of a minute or more), sending a TCP RST. Search the squid-users mailing list for more info on this one.

However on further investigation, I don't think this is the case in this instance. For some reason, the squid GET request to www.mhhe.com (IP 12.26.55.139) takes a long time to be completed - approx. 2 minutes.

Some data is returned quickly but then there is a period where on my squid server I see a TCP Previous Segment lost then squid server sending Dup ACKs to www.mhhe.com and www.mhhe.com sending TCP Retransmissions for the same segment. The Retransmission RTTs to ACK the one segment are at 0.2, 4, 8, 16, 32 and 60 seconds. After that segment has finally been received, the rest of the data is received OK.

The reply headers from the GET to www.mhhe.com are as follows:
HTTP/1.0 200 OK
Server: MHttpd/3.2 (UAI; sparc-solaris2.6; Meta-HTML/5.06)
Date: Thu, 30 Sep 2010 00:06:25 GMT
Expires: Wed 29 Sep 2010 00:06:25 GMT
Last-modified: Thu Sep 2010 00:05:25 GMT
Content-length: 13858
Meta-HTML-Engine: MHtppd/3.2 (UAI; sparc-solaris2.6; Meta-HTML/5.06)
Content-type: text/html

There are two GET requests for the url http://www.mhhe.com/cls/?DCID=984&N=3 and each takes approx. 2 minutes to complete which accounts for the approx. 4 minute delay in loading the page.

I am not sure what is causing this but it appears at first glance to be related to a networking issue on the host squid server OS. Going directly using the same Workstation/Browser/LAN/Firewall/Internet connection combination does not show the same delay - only approx 29 seconds to load. I still see a TCP Previous Segment lost and the Dup ACKs and TCP Retransmissions when going direct but there are fewer TCP Retransmissions (2-3 compared with 6-7) and hence the quicker reply.

The IP address of highered.mcgraw-hill.com is 204.8.133.213 while the IP addresses o
RE: [squid-users] Re: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
Markus
In our current setup, no WINS server is being provided to workstations obtaining an IP address via DHCP.

I am finding that Firefox is actually failing at step 3. It is not prompting for a username and password. Unlike IE which is.

Thanks

Paul

> -Original Message-
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Thursday, 9 September 2010 6:01 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
>
>
> Hi Paul,
>
> Does your environment provide WINS server details via DHCP to the desktops ? I think in theory it should work as follows:
>
> 1) User connects to proxy which requests negotiate
> 2) The browser does not have any tickets and has not joined a domain to use NTLM so prompts the user
> 3) The user provides u...@domain and password
> 4) Desktop tries to find Kerberos kdc locally using NetBIOS or with WINS
> 5) Desktop will send AS-REQ to kdc
> 6) Desktop will send TGS-REQ to kdc
> 7) Browser will send token to squid.
>
> This would mean that Firefox does have a problem at step 4) and creates an NTLM token for DESKTOP\User
>
> Markus
>
> "Paul Freeman" wrote in message
> news:19672eecfb9ae340833c84f3e90b595604014...@mel-ex-01.eml.local...
> Markus
> I will try and answer your questions in-line below. Please let me know if there is any other information or testing you would like me to do.
>
> I appreciate your assistance.
>
> Regards
>
> Paul
>
> > -Original Message-
> > From: Markus Moeller [mailto:hua...@moeller.plus.com]
> > Sent: Wednesday, 8 September 2010 4:54 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
> >
> > Hi Paul,
> >
> > >"Paul Freeman" wrote in message
> > >news:19672eecfb9ae340833c84f3e90b595604014...@mel-ex-01.eml.local...
> > >Hi
> > >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal" (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.
> > >
> > >I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.
> > >
> > >However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.
> > >
> > >Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate . header. In the Squid cache log it indicates:
> > >
> > >squid_kerb_auth: Got 'YR T1RMT...Dw==' from squid (length 59).
> > >squid_kerb_auth: received type 1 NTLM token
> > >
> > >However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ to a domain controller then gets a ticket and then contacts Squid again at which point it authenticates.
> > >
> >
> > I would like to know some more details here. Do you also see a KRB5 AS-REQ at any time before ? Can you use kerbtray from MS and list Kerberos tickets for the non domain user ?
> >
> I have watched the traffic from prior to launching Firefox to the end of the Firefox session. I have not seen any Kerberos related traffic from the Windows client.
>
> I have the MS Kerberos tools installed and kerbtray does not show any tickets - Client Principal field says "No network credentials".
>
> Strangely (maybe not???), there are also no tickets shown even while successfully using IE as a non-domain user.
>
> >
RE: [squid-users] A single website is loading slow
Adding information to my previous reply - sorry.

I should have mentioned that my mention of compression was seen between the client and Squid. I am not sure but it is possible that Squid was doing compression with the origin server. In that case it probably invalidates my comments about compression and means something else is causing the slower response.

Apologies.

Paul

> -Original Message-
> From: Paul Freeman [mailto:paul.free...@eml.com.au]
> Sent: Wednesday, 8 September 2010 3:55 PM
> To: RM; Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] A single website is loading slow
>
> I have had a quick look at the url you mentioned using Squid 3.0STABLE19 and IE7 (Windows XP SP2).
>
> There are 2 requests in the Squid access log which seem to take a while to retrieve: www.realestate.com/css/global/site.css followed by www.realestate.com/JS/common/re-all/re-all.js. These requests are approx. 200KB and 740KB respectively and take about 24sec and 42sec respectively to load on our ADSL2+ connection.
>
> When accessing the site directly rather than via squid from the same client, it takes about 15-20sec for the page to load.
>
> On the second access using Squid, the page loads in approx. 15-20sec. TCP_HIT is recorded in the Squid access log for the 2 urls mentioned above.
>
> I am not sure why it takes longer to load in Squid the first time except that maybe it is related to the browser using HTTP1.1 features (Accept-Encoding, Transfer-Encoding, etc) as I notice the data is compressed for the direct connection and uncompressed for the squid connection and the amount of data for the requests is approx 1/4-1/3 for the direct connection versus via squid. Perhaps Amos will have some ideas?
>
> Regards
>
> Paul
>
> > -Original Message-
> > From: RM [mailto:bearm...@gmail.com]
> > Sent: Wednesday, 8 September 2010 1:29 PM
> > To: Amos Jeffries
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] A single website is loading slow
> >
> > On Tue, Sep 7, 2010 at 8:21 PM, Amos Jeffries wrote:
> > > On Tue, 7 Sep 2010 19:31:45 -0700, RM wrote:
> > >> I am having issues with just a single website loading very very slowly through Squid. The problematic website loads fine without a proxy but takes several minutes to load through Squid. All other websites load perfectly fine. I have tried the following:
> > >>
> > >> 1) I originally thought the issue was DNS related so I changed the nameservers that Squid uses by using "dns_nameservers". I tried several different local nameservers and then eventually tried free services such as Google's and OpenDNS's. No luck.
> > >>
> > >> 2) To further convince myself it was not DNS, I entered the website's IP/host information into /etc/hosts and used Squid's "hosts_file" directive to use /etc/hosts. This did not help either.
> > >>
> > >> Squid was restarted each time after making the above changes.
> > >>
> > >> Here are the access.log entries related to loading the website (URL and IP addresses have been changed).
> > >>
> > >> 1283907376.404 320 222.222.222.222 TCP_MISS/301 508 GET http://website.com username DIRECT/111.111.111.111 text/html
> > >> 1283907415.924 39277 222.222.222.222 TCP_MISS/200 62371 GET http://www.website.com/ username DIRECT/111.111.111 text/html
> > >>
> > >> As you can see, the first log entry appears quickly after attempting to load the website. The title of the website appears in the web browser's title bar almost immediately but the content of the website does not load until much later.
> > >>
> > >> Any help is much appreciated.
> > >
> > > You have erased the vital information about *which* website URL and *where* it is. Have not provided any information about which squid version you are talking about either.
> > >
> > > To get any type of useful help you need to present enough facts for someone else to replicate the problem please.
> > >
> > > All we can do at this point is say "yes. Your log shows that a website is loading slowly". Other sites wo
RE: [squid-users] A single website is loading slow
I have had a quick look at the url you mentioned using Squid 3.0STABLE19 and IE7 (Windows XP SP2).

There are 2 requests in the Squid access log which seem to take a while to retrieve: www.realestate.com/css/global/site.css followed by www.realestate.com/JS/common/re-all/re-all.js. These requests are approx. 200KB and 740KB respectively and take about 24sec and 42sec respectively to load on our ADSL2+ connection.

When accessing the site directly rather than via squid from the same client, it takes about 15-20sec for the page to load.

On the second access using Squid, the page loads in approx. 15-20sec. TCP_HIT is recorded in the Squid access log for the 2 urls mentioned above.

I am not sure why it takes longer to load in Squid the first time except that maybe it is related to the browser using HTTP1.1 features (Accept-Encoding, Transfer-Encoding, etc) as I notice the data is compressed for the direct connection and uncompressed for the squid connection and the amount of data for the requests is approx 1/4-1/3 for the direct connection versus via squid. Perhaps Amos will have some ideas?

Regards

Paul

> -Original Message-
> From: RM [mailto:bearm...@gmail.com]
> Sent: Wednesday, 8 September 2010 1:29 PM
> To: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] A single website is loading slow
>
> On Tue, Sep 7, 2010 at 8:21 PM, Amos Jeffries wrote:
> > On Tue, 7 Sep 2010 19:31:45 -0700, RM wrote:
> >> I am having issues with just a single website loading very very slowly through Squid. The problematic website loads fine without a proxy but takes several minutes to load through Squid. All other websites load perfectly fine. I have tried the following:
> >>
> >> 1) I originally thought the issue was DNS related so I changed the nameservers that Squid uses by using "dns_nameservers". I tried several different local nameservers and then eventually tried free services such as Google's and OpenDNS's. No luck.
> >>
> >> 2) To further convince myself it was not DNS, I entered the website's IP/host information into /etc/hosts and used Squid's "hosts_file" directive to use /etc/hosts. This did not help either.
> >>
> >> Squid was restarted each time after making the above changes.
> >>
> >> Here are the access.log entries related to loading the website (URL and IP addresses have been changed).
> >>
> >> 1283907376.404 320 222.222.222.222 TCP_MISS/301 508 GET http://website.com username DIRECT/111.111.111.111 text/html
> >> 1283907415.924 39277 222.222.222.222 TCP_MISS/200 62371 GET http://www.website.com/ username DIRECT/111.111.111 text/html
> >>
> >> As you can see, the first log entry appears quickly after attempting to load the website. The title of the website appears in the web browser's title bar almost immediately but the content of the website does not load until much later.
> >>
> >> Any help is much appreciated.
> >
> > You have erased the vital information about *which* website URL and *where* it is. Have not provided any information about which squid version you are talking about either.
> >
> > To get any type of useful help you need to present enough facts for someone else to replicate the problem please.
> >
> > All we can do at this point is say "yes. Your log shows that a website is loading slowly". Other sites work fine? then conclude that the problem is not in Squid itself but somewhere else which impacts Squid.
> >
> > Amos
> >
>
> The website is www.realestate.com
>
> I am using Squid Cache: Version 2.6.STABLE21 on CentOS 5.5 32-bit
>
> Thanks.
>
>
> __ Information from ESET Smart Security, version of virus signature database 5432 (20100907) __
> The message was checked by ESET Smart Security.
> http://www.eset.com
RE: [squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
Markus
I will try and answer your questions in-line below. Please let me know if there is any other information or testing you would like me to do.

I appreciate your assistance.

Regards

Paul

> -Original Message-
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 8 September 2010 4:54 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
>
> Hi Paul,
>
> >"Paul Freeman" wrote in message
> >news:19672eecfb9ae340833c84f3e90b595604014...@mel-ex-01.eml.local...
> >Hi
> >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal" (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.
> >
> >I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.
> >
> >However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.
> >
> >Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate . header. In the Squid cache log it indicates:
> >
> >squid_kerb_auth: Got 'YR T1RMT...Dw==' from squid (length 59).
> >squid_kerb_auth: received type 1 NTLM token
> >
> >However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ to a domain controller then gets a ticket and then contacts Squid again at which point it authenticates.
> >
>
> I would like to know some more details here. Do you also see a KRB5 AS-REQ at any time before ? Can you use kerbtray from MS and list Kerberos tickets for the non domain user ?
>

I have watched the traffic from prior to launching Firefox to the end of the Firefox session. I have not seen any Kerberos related traffic from the Windows client.

I have the MS Kerberos tools installed and kerbtray does not show any tickets - Client Principal field says "No network credentials".

Strangely (maybe not???), there are also no tickets shown even while successfully using IE as a non-domain user.

>
> >In the Firefox log, just before the GET request, it shows:
> >
> >service = fqdn.of.squid.proxy
> >using negotiate-sspi
> >using SPN of [HTTP/fqdn.of.squid.proxy]]
> >AcquireCredentailsHandle() succeeded
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >InitializeSecurityContext: continue
> >Sending a token of length 40
> >
> >Then after sending the GET request and receiving the Squid 407 response it shows:
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >Cannot restart authentication sequence!
> >
>
> Does Firefox work after you used IE ? e.g. does IE cache credentials which can be used by Firefox ?
>

Firefox does not work after using IE or even while IE is still running as a non-domain user.

> Do you see any Kerberos traffic ? Do you see DNS SRV requests to determine the kdc ?
>

I have not seen any Kerberos related traffic or DNS SRV requests on the client when Firefox is running.

>
> >Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
> >
> >I am puzzled as to whether Squid, Firefox or IE is behaving as one would expect given the scenario?
> >
> >Does anyone have any ideas?
> >
> >If Squid and Firefox are behaving correctly but IE is doing a workaround then that is OK and I will need to live with the situation.
> >
> >I am happy to perform additional debug work to investigate the problem further.
> >
> >I have tried various settings in the Firefox about:config -
[squid-users] Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
Hi
I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal" (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.

I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.

However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.

Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate . header. In the Squid cache log it indicates:

squid_kerb_auth: Got 'YR T1RMT...Dw==' from squid (length 59).
squid_kerb_auth: received type 1 NTLM token

However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ to a domain controller then gets a ticket and then contacts Squid again at which point it authenticates.

In the Firefox log, just before the GET request, it shows:

service = fqdn.of.squid.proxy
using negotiate-sspi
using SPN of [HTTP/fqdn.of.squid.proxy]]
AcquireCredentailsHandle() succeeded
nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
InitializeSecurityContext: continue
Sending a token of length 40

Then after sending the GET request and receiving the Squid 407 response it shows:

nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
Cannot restart authentication sequence!

Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in response to its HTTP1.1 Proxy-Connection: keep-alive GET request?

I am puzzled as to whether Squid, Firefox or IE is behaving as one would expect given the scenario?

Does anyone have any ideas?

If Squid and Firefox are behaving correctly but IE is doing a workaround then that is OK and I will need to live with the situation.

I am happy to perform additional debug work to investigate the problem further.

I have tried various settings in the Firefox about:config - network.negotiate-auth.trusted-uris configuration item, and other similar related settings mentioned in other posts but without success.

Reading some Mozilla Dev postings over the last 12 months or so indicate there have been some issues with NTLM and Kerberos in various versions of Firefox but I think these have been addressed.

Thanks in advance

Paul Freeman
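The two cache.log excerpts in these squid_kerb_auth threads show the helper being handed a line of the form "YR <base64>" and deciding what kind of token it has: "YR YII..." in the Windows Server 2008 R2 case and "YR T1RMT..." followed by "received type 1 NTLM token" in the Firefox case. What follows is an added example in Python, not code from Squid or from the squid_kerb_auth helper, that performs the same first step. It takes a helper input line (Squid uses the verb YR for the first token of a Negotiate handshake and KK for a continuation), base64-decodes it, and reports either a bare NTLMSSP message with its type, or a GSS-API InitialContextToken with the mechanism OID it carries (SPNEGO, Kerberos V5, MS Kerberos V5, NTLMSSP). The sample tokens are constructed here because the posts elide theirs: the NTLM flag word is a typical value, the SPNEGO and Kerberos payloads are zero-filled placeholders, and classify_token, build_initial_context_token and the SAMPLE_* names belong to this example.

```python
"""Classify the token in a Squid Negotiate helper line ("YR <b64>" or "KK <b64>").

Added example; not code from Squid or squid_kerb_auth.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded mechanism OIDs that may follow the 0x60 InitialContextToken tag (RFC 2743 section 3.1).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {
    OID_SPNEGO: "SPNEGO",
    OID_KRB5: "Kerberos V5",
    OID_MS_KRB5: "MS Kerberos V5",
    OID_NTLMSSP: "NTLMSSP",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    """Minimal DER encoding of a length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def classify_token(helper_line):
    """Return a description of the token carried by one helper input line."""
    verb, _, b64 = helper_line.strip().partition(" ")
    if verb not in ("YR", "KK"):
        raise ValueError("unexpected helper verb %r" % verb)
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Bare NTLMSSP message (no GSS wrapper): MessageType is a little-endian
        # uint32 at offset 8 (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE).
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return "raw NTLMSSP type %d" % msg_type
    if not raw or raw[0] != 0x60:
        return "unrecognised token"
    # 0x60 = [APPLICATION 0] InitialContextToken; with a two-byte length (0x82 ...)
    # the base64 begins "YII", which is the prefix seen in the cache.log excerpts.
    _, pos = _der_length(raw, 1)
    if raw[pos] != 0x06:
        raise ValueError("InitialContextToken without mechanism OID")
    oid_len, pos = _der_length(raw, pos + 1)
    oid = raw[pos:pos + oid_len]
    return "GSS-API token, mechanism " + OID_NAMES.get(oid, "OID " + oid.hex())


def build_initial_context_token(oid, inner):
    """Wrap inner bytes in an RFC 2743 InitialContextToken for the given DER OID."""
    body = b"\x06" + _der_encode_length(len(oid)) + oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body


# Constructed samples (the posts elide their tokens).
# NTLMSSP NEGOTIATE: signature, type 1, a typical flag word, empty domain and workstation fields.
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + bytes(16)
SAMPLE_NTLM_LINE = "YR " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode()

# SPNEGO wrapper with a zero-filled placeholder payload; only the outer header
# is inspected, which is also all the logged "YII..." prefix reveals.
SAMPLE_SPNEGO = build_initial_context_token(OID_SPNEGO, b"\xa0" + _der_encode_length(300) + bytes(300))
SAMPLE_SPNEGO_LINE = "YR " + base64.b64encode(SAMPLE_SPNEGO).decode()

# Bare Kerberos V5 mechanism token (a client that skips SPNEGO), placeholder payload.
SAMPLE_KRB5 = build_initial_context_token(OID_KRB5, b"\x01\x00" + bytes(40))
SAMPLE_KRB5_LINE = "KK " + base64.b64encode(SAMPLE_KRB5).decode()


if __name__ == "__main__":
    for line in (SAMPLE_NTLM_LINE, SAMPLE_SPNEGO_LINE, SAMPLE_KRB5_LINE):
        print(line[:16] + "...", "->", classify_token(line))
```

The base64 prefixes line up with the log: "NTLM" encodes to "TlRM", so a bare NTLMSSP token starts "TlRMTVNT...", while a DER header of 0x60 0x82 (an InitialContextToken longer than 255 bytes, which any Kerberos-bearing SPNEGO token is) encodes to "YII". A helper that only speaks GSS-API has nothing to do with the first kind, which is why the Firefox thread ends at "received type 1 NTLM token".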
RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
Amos
I re-compiled Ubuntu squid 3.0 stable19 using the strncasecmp version of HttpHeader.cc in Squid 3.1.7 and can confirm that squid no longer issues a 501 in response to the Transfer-Encoding: Chunked header and thus the iPhone can send emails successfully.

Regards

Paul

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 30 August 2010 1:57 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA

On Mon, 30 Aug 2010 12:51:27 +1000, "Paul Freeman" wrote:
> Amos
> I suspect I may have come across another situation related to chunked Transfer-Encoding although I am not sure yet.
>
> I have verified that using a HTC Desire I can successfully sync email, calendar and notes including sending new calendar items and new email and replies to emails.
>
> However, when I try this using an iPhone (3GS, running IOS 4.0.1) it cannot send email. Pulling data (calendar, email) from Exchange works OK though.
>
> Squid is replying with a 501 error. I have increased debugging on the squid reverse proxy and notice the iPhone is sending a post request, which I have included below (certain private values replaced), which Squid does not like.
>
> POST /Microsoft-Server-ActiveSync?User=username&DeviceId=fjsdlfjlsdjflskj&DeviceType=iPhone&Cmd=SmartReply HTTP/1.1
> Host: external.server.name
> Content-Type: application/vnd.ms-sync.wbxml
> Ms-Asprotocolversion: 14.0
> User-Agent: Apple-iPhone2C1/801.306
> X-Ms-Policykey: 4281201554
> Authorization: Basic asjlfjdal;sjdfl;ajsdf;lajsl;f
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Transfer-Encoding: Chunked
>
> What causes Squid to issue a 501 reply? Is it related to Transfer-Encoding?

It's emitted on OPTIONS requests, unidentified transfer-encodings, and URL which are unknown or invalid protocols for the method given.

The above POST might be 501 rejected if it was received by Squid as a non-transparent or non-reverse-proxy request. Or if the squid version was older than 3.1.5. Which only accept "chunked" as implied by the RFC texts. Newer releases are supposed to be more lenient and accept encoding names case-less.

Amos
RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
Amos Thanks. I had come across references to the check for chunked vs Chunked in one of the release notes for a more recent squid. I suspect this is the problem given the iPhone is issuing "Chunked" rather than "chunked" as the value for the Transfer-Encoding attribute. I will try and re-compile the version of squid I have (3.0 stable 19) with the "caseless" comparison from 3.1.7 and see what happens. Thank you again. Regards Paul -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Monday, 30 August 2010 1:57 PM To: squid-users@squid-cache.org Subject: RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA On Mon, 30 Aug 2010 12:51:27 +1000, "Paul Freeman" wrote: > Amos > I suspect I may have come across another situation related to chunked > Transfer-Encoding although I am not sure yet. > > I have verified that using a HTC Desire I can successfully sync email, > calendar and notes including sending new calendar items and new email and > replies to emails. > > However, when I try this using an iPhone (3GS, running IOS 4.0.1) it cannot > send email. Pulling data (calendar, email) from Exchange works OK though. > > Squid is replying with a 501 error. I have increased debugging on the > squid > reverse proxy and notice the iPhone is sending a post request, which I have > included below (certain private values replaced), which Squid does not > like. > > POST > /Microsoft-Server-ActiveSync?User=username&DeviceId=fjsdlfjlsdjflskj&DeviceTy > pe=iPhone&Cmd=SmartReply HTTP/1.1 > Host: external.server.name > Content-Type: application/vnd.ms-sync.wbxml > Ms-Asprotocolversion: 14.0 > User-Agent: Apple-iPhone2C1/801.306 > X-Ms-Policykey: 4281201554 > Authorization: Basic asjlfjdal;sjdfl;ajsdf;lajsl;f > Accept: */* > Accept-Language: en-us > Accept-Encoding: gzip, deflate > Connection: keep-alive > Transfer-Encoding: Chunked > > What causes Squid to issue a 501 reply? Is it related to > Transfer-Encoding? 
It's emitted on OPTIONS requests, unidentified transfer-encodings, and URLs whose protocols are unknown or invalid for the method given.

The above POST might be 501 rejected if it was received by Squid as a non-transparent or non-reverse-proxy request. Or if the Squid version was older than 3.1.5, which only accepts "chunked" as implied by the RFC texts. Newer releases are supposed to be more lenient and accept encoding names case-less.

Amos

__ Information from ESET Smart Security, version of virus signature database 5407 (20100829) __ The message was checked by ESET Smart Security. http://www.eset.com
RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
Amos

I suspect I may have come across another situation related to chunked Transfer-Encoding although I am not sure yet.

I have verified that using a HTC Desire I can successfully sync email, calendar and notes including sending new calendar items and new email and replies to emails.

However, when I try this using an iPhone (3GS, running IOS 4.0.1) it cannot send email. Pulling data (calendar, email) from Exchange works OK though.

Squid is replying with a 501 error. I have increased debugging on the squid reverse proxy and notice the iPhone is sending a post request, which I have included below (certain private values replaced), which Squid does not like.

POST /Microsoft-Server-ActiveSync?User=username&DeviceId=fjsdlfjlsdjflskj&DeviceType=iPhone&Cmd=SmartReply HTTP/1.1
Host: external.server.name
Content-Type: application/vnd.ms-sync.wbxml
Ms-Asprotocolversion: 14.0
User-Agent: Apple-iPhone2C1/801.306
X-Ms-Policykey: 4281201554
Authorization: Basic asjlfjdal;sjdfl;ajsdf;lajsl;f
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Transfer-Encoding: Chunked

What causes Squid to issue a 501 reply? Is it related to Transfer-Encoding?

Thanks
Paul

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 26 August 2010 10:20 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA

On Thu, 26 Aug 2010 08:17:23 +1000, "Paul Freeman" wrote:
> Amos,
> Thank you for your analysis and comments. I appreciate them greatly.
>
> I have looked at another packet capture for a session between the client
> browser and exchange 2010 OWA via http but without squid in between them.
> The headers are as below: > > GET /owa/14.0.702.0/scripts/premium/startpage.js HTTP/1.1 > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, > application/vnd.ms-excel, application/vnd.ms-powerpoint, > application/msword, > application/x-shockwave-flash, application/x-ms-application, > application/x-ms-xbap, application/vnd.ms-xpsdocument, > application/xaml+xml, > */* > Accept-Language: en-au > UA-CPU: x86 > Accept-Encoding: gzip, deflate > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR > 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; > .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) > Host: the.exchange.server > Connection: Keep-Alive > > HTTP/1.1 200 OK > Cache-Control: public,max-age=2592000 > Transfer-Encoding: chunked > Content-Type: application/x-javascript > Content-Encoding: gzip > Last-Modified: Fri, 25 Sep 2009 04:59:56 GMT > Accept-Ranges: bytes > ETag: "c08cce69d3dca1:0" > Vary: Accept-Encoding > Server: Microsoft-IIS/7.5 > X-Powered-By: ASP.NET > X-UA-Compatible: IE=EmulateIE7 > Date: Wed, 25 Aug 2010 05:19:21 GMT > > The browser (IE7) is using HTTP 1.1. Apart from the GET request specifying > HTTP 1.1 there is no difference to the request sent by squid included in my > original email. > > However, I notice that this time IIS replies with a Transfer-Encoding > header > (chunked) which was not present in the scenario where squid was acting as a > reverse proxy. All the other headers are the same as when using squid. > > Also, there is still no Content-Length header sent by IIS. > > I am not familiar with the HTTP specifications at all. Is it OK that squid > sends a HTTP 1.0 request with an Accept-Encoding header or is the issue > with > chunked Transfer-Encoding? I think it is doing its failover to non-chunked HTTP/1.0 badly. With chunked encoding each 4KB or so chunk of the body is labeled with an indicator of how long it is, and a final empty chunk sent at the end. 
There is no Content-Length header required because of the known chunk sizes. However in that first trace it was not doing the chunking and thus no size info gets back to Squid at all in the HTTP level stuff. This compatibility problem is resolved in 3.1 series which are HTTP/1.1 toward servers. I have 3.1.3 and supporting packages available for Ubuntu at https://launchpad.net/~yadi/+archive/ppa, with 3.1.7 coming in a week or so when it makes it into Debian. Amos > > Is IIS actually not replying correctly to a HTTP 1.0 request? Yes and no. The HTTP part is valid, but it's maybe failing the TCP/IP level close. > > I will take a look at the packet captures to see if IIS is sending the FIN > at > the completion of sending the request data. > > Regards > > Paul > -Original Message- > From: Amos Jeffries [mailto:squ...@treenet.co.nz] > Sent: Wednesday, 25 August 2010 8:46 PM > To: squid-users@squid-cache.org > Subject: Re: [squid-users] Regarding long pauses with Squid3 as a reverse
RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
Amos Thanks again. I will wait until v3.1.7 is available for Ubuntu on your site. In the meantime, I will use the request_header_access directive to remove the Accept-Encoding header on requests sent to the exchange server by squid. Regards Paul -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Thursday, 26 August 2010 10:20 AM To: squid-users@squid-cache.org Subject: RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA On Thu, 26 Aug 2010 08:17:23 +1000, "Paul Freeman" wrote: > Amos, > Thank you for your analysis and comments. I appreciate them greatly. > > I have looked at another packet capture for a session between the client > browser and exchange 2010 OWA via http but without squid in between them. > The headers are as below: > > GET /owa/14.0.702.0/scripts/premium/startpage.js HTTP/1.1 > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, > application/vnd.ms-excel, application/vnd.ms-powerpoint, > application/msword, > application/x-shockwave-flash, application/x-ms-application, > application/x-ms-xbap, application/vnd.ms-xpsdocument, > application/xaml+xml, > */* > Accept-Language: en-au > UA-CPU: x86 > Accept-Encoding: gzip, deflate > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR > 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; > .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) > Host: the.exchange.server > Connection: Keep-Alive > > HTTP/1.1 200 OK > Cache-Control: public,max-age=2592000 > Transfer-Encoding: chunked > Content-Type: application/x-javascript > Content-Encoding: gzip > Last-Modified: Fri, 25 Sep 2009 04:59:56 GMT > Accept-Ranges: bytes > ETag: "c08cce69d3dca1:0" > Vary: Accept-Encoding > Server: Microsoft-IIS/7.5 > X-Powered-By: ASP.NET > X-UA-Compatible: IE=EmulateIE7 > Date: Wed, 25 Aug 2010 05:19:21 GMT > > The browser (IE7) is using HTTP 1.1. 
Apart from the GET request specifying > HTTP 1.1 there is no difference to the request sent by squid included in my > original email. > > However, I notice that this time IIS replies with a Transfer-Encoding > header > (chunked) which was not present in the scenario where squid was acting as a > reverse proxy. All the other headers are the same as when using squid. > > Also, there is still no Content-Length header sent by IIS. > > I am not familiar with the HTTP specifications at all. Is it OK that squid > sends a HTTP 1.0 request with an Accept-Encoding header or is the issue > with > chunked Transfer-Encoding? I think it is doing its failover to non-chunked HTTP/1.0 badly. With chunked encoding each 4KB or so chunk of the body is labeled with an indicator of how long it is, and a final empty chunk sent at the end. There is no Content-Length header required because of the known chunk sizes. However in that first trace it was not doing the chunking and thus no size info gets back to Squid at all in the HTTP level stuff. This compatibility problem is resolved in 3.1 series which are HTTP/1.1 toward servers. I have 3.1.3 and supporting packages available for Ubuntu at https://launchpad.net/~yadi/+archive/ppa, with 3.1.7 coming in a week or so when it makes it into Debian. Amos > > Is IIS actually not replying correctly to a HTTP 1.0 request? Yes and no. The HTTP part is valid, but it's maybe failing the TCP/IP level close. > > I will take a look at the packet captures to see if IIS is sending the FIN > at > the completion of sending the request data. > > Regards > > Paul > -Original Message- > From: Amos Jeffries [mailto:squ...@treenet.co.nz] > Sent: Wednesday, 25 August 2010 8:46 PM > To: squid-users@squid-cache.org > Subject: Re: [squid-users] Regarding long pauses with Squid3 as a reverse > proxy to Exchange 2010 OWA > > Paul Freeman wrote: >> Apologies in advance for the long posting. 
I have tried to provide what >> I >> hope is sufficient information to explain a problem I am experiencing. >> > > Excellent collection of details. Thank you. > I'm going to snip most of them > > > After reading I have a theory ... > > A detailed look at the wireshark trace packets during the lag period > will be needed to verify. > > The reply HTTP headers coming from Exchange appear to have no > Content-Length: header telling Squid how much data is following. This > places responsibility for FINishing the connection squarely in Exchanges > hands. > > What needs checking in wireshark is whether Exchange actually sends > that FIN packet following the object data. > Unless there is some secret information OWA knows about to close the > transact
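An added squid.conf fragment (not configuration from this thread) showing the request_header_access workaround Paul refers to, scoped to the OWA site rather than applied to every request Squid forwards. external.server.name is the public hostname taken from the iPhone POST quoted earlier in the thread; the ACL name is illustrative.

```conf
# Assumed: external.server.name is the public OWA hostname (from the thread);
# the ACL name "owa" is illustrative.
acl owa dstdomain external.server.name

# Strip Accept-Encoding only from requests Squid forwards for the OWA site, so
# IIS answers with the identity encoding. A bare "deny all" would also strip it
# for every other origin this proxy fronts.
request_header_access Accept-Encoding deny owa

# Squid 2.6 spells this directive header_access; 3.x split it into
# request_header_access and reply_header_access.
```

This does not change how the reply body is framed; it only removes the gzip/deflate negotiation, which is the combination Paul reports as triggering the pauses. Confirm the effect by checking that the origin's reply no longer carries Content-Encoding: gzip.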
RE: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
Amos,

Thank you for your analysis and comments. I appreciate them greatly.

I have looked at another packet capture for a session between the client browser and exchange 2010 OWA via http but without squid in between them. The headers are as below:

GET /owa/14.0.702.0/scripts/premium/startpage.js HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-au
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: the.exchange.server
Connection: Keep-Alive

HTTP/1.1 200 OK
Cache-Control: public,max-age=2592000
Transfer-Encoding: chunked
Content-Type: application/x-javascript
Content-Encoding: gzip
Last-Modified: Fri, 25 Sep 2009 04:59:56 GMT
Accept-Ranges: bytes
ETag: "c08cce69d3dca1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Wed, 25 Aug 2010 05:19:21 GMT

The browser (IE7) is using HTTP 1.1. Apart from the GET request specifying HTTP 1.1 there is no difference to the request sent by squid included in my original email.

However, I notice that this time IIS replies with a Transfer-Encoding header (chunked) which was not present in the scenario where squid was acting as a reverse proxy. All the other headers are the same as when using squid.

Also, there is still no Content-Length header sent by IIS.

I am not familiar with the HTTP specifications at all. Is it OK that squid sends a HTTP 1.0 request with an Accept-Encoding header or is the issue with chunked Transfer-Encoding? Is IIS actually not replying correctly to a HTTP 1.0 request?
I will take a look at the packet captures to see if IIS is sending the FIN at the completion of sending the request data.

Regards
Paul

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, 25 August 2010 8:46 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA

Paul Freeman wrote:
> Apologies in advance for the long posting. I have tried to provide what I
> hope is sufficient information to explain a problem I am experiencing.

Excellent collection of details. Thank you. I'm going to snip most of them.

After reading I have a theory ...

A detailed look at the wireshark trace packets during the lag period will be needed to verify.

The reply HTTP headers coming from Exchange appear to have no Content-Length: header telling Squid how much data is following. This places responsibility for FINishing the connection squarely in Exchange's hands.

What needs checking in wireshark is whether Exchange actually sends that FIN packet following the object data. Unless there is some secret information OWA knows about to close the transaction from its end, there is no way for Squid or OWA to know the end has come. So they wait.

You may find that 3.1.7 fares better since it advertises 1.1 to Exchange and that may be enough to fool Exchange into handing back some useful information such as the object chunk sizes to Squid.

I may be able to provide a source package bundle in a few days for that if you need one.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.7
Beta testers wanted for 3.2.0.1
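The three Squid behaviours Amos explains across this thread (the 501 for a transfer-coding it does not recognise, such as the iPhone's "Chunked" in releases before 3.1.5; chunked encoding carrying its own chunk sizes so that no Content-Length is needed; and a reply with neither header, which can only end when the origin sends FIN) all fall out of one decision: how the body of an HTTP/1.1 message is delimited. The following is an added example, not Squid's code, that makes that decision the way RFC 7230 section 3.3.3 describes and runs it over messages constructed from the headers quoted above. Bodies are placeholders, the host external.server.name is the one from the thread, and `caseless=False` reproduces the old case-sensitive comparison.

```python
# Added example, not Squid code: HTTP/1.1 body framing per RFC 7230 s3.3.3.
# Sample messages are built from headers quoted in this thread; bodies are placeholders.

class NotImplementedCoding(Exception):
    """Raised where a proxy would answer 501 Not Implemented."""

def parse_message(raw):
    """Return (start_line, headers, body); names lower-cased, repeats joined."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers, body

def body_framing(headers, caseless=True):
    """('chunked', None), ('content-length', n) or ('close', None).
    caseless=False is the pre-3.1.5 comparison that turned 'Chunked' into a 501."""
    te = headers.get("transfer-encoding")
    if te is not None:
        # Transfer-Encoding wins; a Content-Length beside it is ignored so that
        # both ends of the hop agree on where the message stops.
        codings = [c.strip() for c in te.split(",") if c.strip()]
        final = codings[-1] if codings else ""
        if not (final.lower() == "chunked" if caseless else final == "chunked"):
            raise NotImplementedCoding("unsupported transfer-coding %r" % final)
        return ("chunked", None)
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("bad Content-Length %r" % length)
        return ("content-length", int(length))
    return ("close", None)  # only the sender's FIN can end this body

def encode_chunked(payload, chunk_size=4096):
    """Prefix each piece with its hex length; a zero-length chunk ends the body."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return bytes(out + b"0\r\n\r\n")

def decode_chunked(data):
    """Return (payload, bytes_consumed), or None while the body is incomplete."""
    pos, out = 0, bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return None
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)  # drop extensions
        pos = eol + 2
        if size == 0:  # last chunk: optional trailer fields, then a blank line
            end = data.find(b"\r\n\r\n", pos - 2)
            return None if end < 0 else (bytes(out), end + 4)
        if len(data) < pos + size + 2:
            return None
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += data[pos:pos + size]
        pos += size + 2

def read_body(headers, data, peer_closed=False, caseless=True):
    """('complete', payload) or ('waiting', None). 'waiting' on a close-delimited
    reply is this thread's long pause: nothing at the HTTP layer says the body is
    over, so the proxy sits until the origin sends FIN or a timeout fires."""
    kind, n = body_framing(headers, caseless)
    if kind == "chunked":
        decoded = decode_chunked(data)
        return ("complete", decoded[0]) if decoded else ("waiting", None)
    if kind == "content-length":
        return ("complete", data[:n]) if len(data) >= n else ("waiting", None)
    return ("complete", data) if peer_closed else ("waiting", None)

JS = b"var startpage = 1;"  # stand-in for the startpage.js payload
# The iPhone POST from the thread, with a placeholder body.
IPHONE_POST = (b"POST /Microsoft-Server-ActiveSync?Cmd=SmartReply HTTP/1.1\r\n"
               b"Host: external.server.name\r\nTransfer-Encoding: Chunked\r\n\r\n"
               + encode_chunked(b"<wbxml placeholder>", 8))
# The IIS reply captured without Squid in the path.
IIS_CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + encode_chunked(JS)
# Modelled on the reply seen through Squid 3.0: no Transfer-Encoding and no
# Content-Length, so the body ends only when the origin closes the connection.
IIS_UNFRAMED = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n\r\n" + JS

def demo():
    _, h, body = parse_message(IPHONE_POST)
    try:
        body_framing(h, caseless=False)
        old = 200
    except NotImplementedCoding:
        old = 501
    _, h2, body2 = parse_message(IIS_CHUNKED)
    _, h3, body3 = parse_message(IIS_UNFRAMED)
    return {"old_squid": old, "new_squid": read_body(h, body)[1],
            "chunked": read_body(h2, body2)[1], "no_fin": read_body(h3, body3)[0],
            "fin": read_body(h3, body3, peer_closed=True)[1]}
```

Two points for a proxy operator: a transfer-coding name is case-insensitive, so rejecting "Chunked" is a bug rather than strictness; and when Transfer-Encoding is present, a Content-Length on the same message is ignored, because two hops that disagree about which header delimits the body will also disagree about where the next request starts (the request-smuggling problem). For the close-delimited case, `read_body` stays at "waiting" until `peer_closed` is true, which is exactly the FIN Amos asks Paul to look for in wireshark.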
[squid-users] Regarding long pauses with Squid3 as a reverse proxy to Exchange 2010 OWA
nk page, just two long pauses during which any input to the browser was ignored.

I implemented one of the suggestions by Amos - using request_header_access and found it to work.

Has anyone else observed this or come across it before? Is this something related to some aspect of HTTP 1.1 support in squid or perhaps a quirk of IIS/Exchange?

I am happy to conduct additional testing if required and can provide offline some packet traces.

Thanks in advance.

Regards
Paul Freeman
EML AIR Pty Ltd
Australia
RE: [squid-users] Problems using Microsoft Windows SoftwareUpdateServices (WSUS) 3.0 with Squid
Henrik

The WSUS service is running under the local network service account. There is a configuration option to specify whether a proxy server is used and whether user credentials are required. I have selected this option and entered the correct details for the proxy and a valid domain user account.

Using a proxy server worked fine under WSUS 2.0 and .Net 1.1.

Regards
Paul

+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
EML Consulting Services Pty Ltd      Telephone: +61 3 9836 1999
417-431 Canterbury Road              Facsimile: +61 3 9836 0517
SURREY HILLS, VICTORIA 3127          Email: [EMAIL PROTECTED]
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:52 AM
To: Paul Freeman
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Problems using Microsoft Windows SoftwareUpdateServices (WSUS) 3.0 with Squid

Tue 2007-05-08 at 09:13 +1000, Paul Freeman wrote:
> I was wondering whether I can determine why the authentication from WSUS is
> not working and whether there is anything that can be done about it rather
> than having to allow access via CONNECT without auth for the WSUS server?

Is the software performing the HTTP CONNECT requests running using a domain account, or a local account?

Regards
Henrik
RE: [squid-users] Problems using Microsoft Windows Software UpdateServices (WSUS) 3.0 with Squid
Henrik

Thanks for this. I looked further and worked out how to allow the CONNECT method for a particular host without authentication. I had not realized this option was available.

I was wondering whether I can determine why the authentication from WSUS is not working and whether there is anything that can be done about it rather than having to allow access via CONNECT without auth for the WSUS server?

Regards
Paul

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, May 07, 2007 11:29 PM
To: Paul Freeman
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Problems using Microsoft Windows Software UpdateServices (WSUS) 3.0 with Squid

Mon 2007-05-07 at 18:58 +1000, Paul Freeman wrote:
> I have a squid.conf http_access rule (using dstdomain) which allows access to
> various windows updates sites without authorization so I am a little puzzled
> why I am getting the problem.

Looks like your config still requires authentication for the CONNECT method.

Regards
Henrik
[squid-users] Problems using Microsoft Windows Software Update Services (WSUS) 3.0 with Squid
Hi,

I am hoping someone can help me with a WSUS 3.0 problem (running on Windows 2003 Server SP1).

I have been successfully running WSUS 2.0 for some time and downloading updates from Microsoft through a squid-2.6.stable9 proxy (using NTLM auth). I needed to update to WSUS 3.0 and so went through the process of upgrading my WSUS 2.0 installation. Everything went fine except WSUS 3.0 cannot connect through my squid proxy anymore. I tried the suggestion in the WSUS notes to re-enter the proxy username and password but this did not help.

The error I am getting is to do with authorization:

WebException: The remote server returned an error: (407) Proxy Authentication Required.
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

For some reason WSUS 3.0 does not negotiate the NTLM auth properly and so squid returns a 407 error.
The squid access log shows multiple entries of the form:

1178525046.333      0 192.168.10.12 TCP_DENIED/407 1982 CONNECT www.update.microsoft.com:443 - NONE/- text/html
1178525051.460      0 192.168.10.12 TCP_DENIED/407 1856 CONNECT stats.update.microsoft.com:443 - NONE/- text/html

The logs show WSUS does connect successfully to the following url:

1178522814.681   1791 192.168.10.12 TCP_MISS/200 10335 GET http://download.windowsupdate.com/v7/wsus/redir/wsusredir.cab? - DIRECT/203.206.129.16 application/octet-stream

I have a squid.conf http_access rule (using dstdomain) which allows access to various windows updates sites without authorization so I am a little puzzled why I am getting the problem.

As part of the upgrade it was necessary to install the .Net Framework 2.0 so I am unsure whether the problem has to do with WSUS 3.0 or .Net Framework 2.

Has anyone come across this before? Any suggestions? How might I debug the problem further? I can provide a tcpdump log of a synch session if this helps.

I have tried upgrading to the latest squid version (2.6.stable12-20070507) but the problem remains.

At this stage all I can think of doing is allowing direct access to the various updates sites for this server through our firewall (not really what I want to do!)

Thanks
Paul
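An added squid.conf example (not configuration from this thread) of the arrangement Henrik's diagnosis and Paul's follow-up describe: the WSUS host may CONNECT to the Microsoft update sites without proxy authentication, while every other client still authenticates. The source address 192.168.10.12 and the destination names are taken from the access log above; the ACL names are illustrative and the site's auth_param lines are omitted.

```conf
# Assumed: 192.168.10.12 is the WSUS server (from the access log above); ACL
# names are illustrative; the site's own auth_param ntlm ... lines are omitted.
acl wsus_server   src 192.168.10.12/32
acl msupdate      dstdomain .update.microsoft.com .windowsupdate.com
acl SSL_ports     port 443
acl CONNECT       method CONNECT
acl authenticated proxy_auth REQUIRED

# http_access is evaluated top to bottom; the first line that fully matches wins.
http_access deny CONNECT !SSL_ports

# Unauthenticated path, scoped by BOTH source and destination so that it is not
# a general bypass: only the WSUS box, only to the update domains. It must sit
# above any line that uses the proxy_auth ACL; once Squid reaches such a line
# for a request carrying no credentials it answers 407, which is the
# TCP_DENIED/407 on the CONNECT requests in the log above.
http_access allow wsus_server msupdate

http_access allow authenticated
http_access deny all
```

A dstdomain rule on its own (Paul's existing one) is sufficient only if it is evaluated before the proxy_auth line; a rule placed after it is never reached for an unauthenticated CONNECT. Since the allow line above does not name the CONNECT ACL, it covers both the plain GET to download.windowsupdate.com and the CONNECT to port 443; port 443 is the only CONNECT target because the deny CONNECT !SSL_ports line is evaluated first. After the change, a sync from the WSUS host should log TCP_MISS rather than TCP_DENIED/407 for the CONNECT requests.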
RE: [squid-users] Squid-2.6stable4 in reverse proxy mode -possible SSL memory leak
Henrik

I will try this. I have not used ssldump before so it may take a little while to work out how to use it :-)

I will let you know how I go.

Regards
Paul

>-Original Message-
>From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 31, 2006 12:01 PM
>To: Paul Freeman
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid-2.6stable4 in reverse proxy mode -possible SSL memory leak
>
>Tue 2006-10-31 at 11:21 +1100, Paul Freeman wrote:
>
>> 2006/10/31 10:50:16| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error::lib(0):func(0):reason(0) (5/0/0)
>> 2006/10/31 10:50:16| TCP connection to xxx.xxx.xxx.xxx/443 failed
>
>Is there any hints if you look at the same traffic with ssldump?
>
>Note: For best results you need to export the private key of the OWA server and give this to ssldump.
>
>Also check the event logs on the OWA.
>
>Regards
>Henrik
RE: [squid-users] Squid-2.6stable4 in reverse proxy mode - possible SSL memory leak
Adrian

Thanks for the reply. I will fill out the Bugzilla report.

Regards
Paul

>-Original Message-
>From: Adrian Chadd [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 31, 2006 12:59 PM
>To: Paul Freeman
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid-2.6stable4 in reverse proxy mode - possible SSL memory leak
>
>On Tue, Oct 31, 2006, Paul Freeman wrote:
>
>> 2006/10/31 10:50:16| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error::lib(0):func(0):reason(0) (5/0/0)
>> 2006/10/31 10:50:16| TCP connection to xxx.xxx.xxx.xxx/443 failed
>>
>> No errors are reported by the client or in the access log and everything appears to be working fine.
>>
>> The memory usage of squid grows and eventually I get an out of memory error and squid is terminated by the kernel. This takes about a week to occur with the current usage of the proxy.
>
>That does sound like a memory leak. Could you please throw the contents of your email into a Bugzilla report so the bug can be verified and repaired?
>
>http://www.squid-cache.org/ has a link to the Squid Bugzilla site.
>
>Adrian
[squid-users] Squid-2.6stable4 in reverse proxy mode - possible SSL memory leak
Hi

I am running squid-2.6stable4 in reverse proxy mode as a front end for a Microsoft exchange 2003 SP2 server providing outlook web access, outlook mobile access and active synch. I am terminating the SSL connection between the internet client and squid at the squid server then establishing another https connection between squid and the exchange server.

The configuration is working well however I am getting lots of the following errors in my cache log.

2006/10/31 10:50:16| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error::lib(0):func(0):reason(0) (5/0/0)
2006/10/31 10:50:16| TCP connection to xxx.xxx.xxx.xxx/443 failed

No errors are reported by the client or in the access log and everything appears to be working fine.

The memory usage of squid grows and eventually I get an out of memory error and squid is terminated by the kernel. This takes about a week to occur with the current usage of the proxy.

I upgraded from squid-2.6stable3 as I was seeing the same behaviour and hoped stable4 may have a fix.

The relevant (hopefully) sections of my squid.conf follow (hostnames edited)

https_port squid.exchange.proxy.ip:443 defaultsite=xxx.xxx.xxx.xxx \
    cert=/etc/httpd/conf/ssl.crt/xxx.xxx.xxx.xxx_proxy.pem \
    key=/etc/httpd/conf/ssl.key/xxx.xxx.xxx.xxx_proxy.key protocol=https

cache_peer exchange.server.fqdn parent 443 0 front-end-https=on \
    ssl sslcert=/etc/httpd/conf/ssl.crt/emlcssurproxy02_client.pem \
    sslkey=/etc/httpd/conf/ssl.key/emlcssurproxy02_client.key \
    sslcafile=/etc/httpd/conf/ssl.crt/emlcsca.pem \
    originserver proxy-only connection-auth=off no-digest login=PASS

Perhaps I have an incorrect setting in squid.conf which is causing the error? I have searched on the net for similar errors but have not found an adequate explanation yet.

I look forward to suggestions from the group. Please let me know if there is more information required to debug the problem.
Regards
Paul Freeman