Re: AW: AW: AW: AW: [squid-users] Re: dns_v4_first on ignored?

2013-02-12 Thread Petter Abrahamsson
Christian,

This sounds very similar to what I have seen with a few sites.
My solution was to add the problematic domains to /etc/hosts (only ipv4
address) and restart squid. I'm not proud or happy about this solution but
it does the trick for me.

Kind regards,
/petter

On Tue, Feb 12, 2013 at 5:36 AM, Sandrini Christian (xsnd) x...@zhaw.ch wrote:
 That is what I guessed as well. But we can not control their DNS and the 
 solution so far was not to check for  records. It is silly for one 
 domain but it is a quite important one that is used a lot.

 Not sure if there are any alternatives? I thought that squid 3.2 is doing 
 parallel lookups to  and A records?

 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Tuesday, 12 February 2013 10:54
 To: squid-users@squid-cache.org
 Subject: Re: AW: AW: AW: AW: [squid-users] Re: dns_v4_first on ignored?

 On 12/02/2013 8:41 p.m., Sandrini Christian (xsnd) wrote:
 Hi

 I have now enabled ipv6

 3: eth1: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state 
 UNKNOWN qlen 1000
  link/ether 00:50:56:a6:07:27 brd ff:ff:ff:ff:ff:ff
  inet 160.85.104.14/24 brd 160.85.104.255 scope global eth1
  inet6 fe80::250:56ff:fea6:727/64 scope link
 valid_lft forever preferred_lft forever

 When I dig for  record to ipv6.idrobot.net I don't get a timeout

 dig  ipv6.idrobot.net

 ;  DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6  
 ipv6.idrobot.net ;; global options: +cmd ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 34596 ;; flags:
 qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;ipv6.idrobot.net.  IN  

 ;; AUTHORITY SECTION:
 net.900 IN  SOA a.gtld-servers.net. 
 nstld.verisign-grs.com. 1360654692 1800 900 604800 86400

 ;; Query time: 17 msec
 ;; SERVER: 160.85.192.100#53(160.85.192.100) ;; WHEN: Tue Feb 12
 08:38:40 2013 ;; MSG SIZE  rcvd: 107

 When I dig for  record to www2.zhlex.zh.ch I get one

 dig  www2.zhlex.zh.ch

 ;  DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6  
 www2.zhlex.zh.ch ;; global options: +cmd ;; connection timed out; no
 servers could be reached


 Do you have the same timeout as well with that host and ipv6 running? This is 
 a domain which is queried a lot.

 Yes. I traced it through three CNAME redirections to a pair of DNS servers 
 which do not respond to any  queries.


 # dig  zhcompublicweb1.subd.djiktzh.ch @lc1.djiktzh.ch

 ;  DiG 9.3.6-P1   zhcompublicweb1.subd.djiktzh.ch
 @lc1.djiktzh.ch
 ;; global options:  printcmd
 ;; connection timed out; no servers could be reached


 # dig  zhcompublicweb1.subd.djiktzh.ch @lc2.djiktzh.ch

 ;  DiG 9.3.6-P1   zhcompublicweb1.subd.djiktzh.ch
 @lc2.djiktzh.ch
 ;; global options:  printcmd
 ;; connection timed out; no servers could be reached


 Those DNS servers lc1.djiktzh.ch and lc2.djiktzh.ch are broken.

 Amos


[squid-users] Connection pinning (NTLM pass through)

2012-05-25 Thread Petter Abrahamsson
Hi,

I'm trying to get NTLM pass through to work with squid 3.1.19. I have
followed the instructions found on the wiki[1] on connection pinning
but I just keep receiving 401 status messages.
Below is the very simple squid.conf that I'm using for this test.

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080 connection-auth=on
hierarchy_stoplist cgi-bin ?
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

And below is the corresponding access.log entries with obfuscated ip
addresses and host names.

1337976537.852 63 192.168.12.214 TCP_MISS/401 466 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976550.714 29 192.168.12.214 TCP_MISS/401 1074 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976551.025 57 192.168.12.214 TCP_MISS/401 466 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976554.627 57 192.168.12.214 TCP_MISS/401 1074 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976558.006   3128 192.168.12.214 TCP_MISS/401 466 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976559.462 59 192.168.12.214 TCP_MISS/401 1074 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976559.760 56 192.168.12.214 TCP_MISS/401 466 GET
http://www.example.net/directory/ - DIRECT/x.x.x.x text/html

I feel like I'm missing something obvious since the instructions on
the wiki are quite simple.
When I try the same website through a v2.7 squid it lets me login.
Let me know if any other information is needed.
Any help would be very much appreciated.

Regards,
/petter

[1] http://wiki.squid-cache.org/Features/ConnPin
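
Added example, not part of the original post: a small Python check over Squid's native access.log format that flags a client/URL pair whose requests end in an unbroken run of 401 responses, which is how the failed login above shows up in the log. The first four sample lines are the post's entries re-joined onto one line each; the threshold of 3 and the two lines for client 192.168.12.99 are constructed for illustration.

```python
import re
from collections import defaultdict

# Native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Lines 1-4: from the post. Lines 5-6: constructed, a client that gets through.
SAMPLE = """\
1337976537.852 63 192.168.12.214 TCP_MISS/401 466 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976550.714 29 192.168.12.214 TCP_MISS/401 1074 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976551.025 57 192.168.12.214 TCP_MISS/401 466 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976554.627 57 192.168.12.214 TCP_MISS/401 1074 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976560.100 40 192.168.12.99 TCP_MISS/401 466 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
1337976560.300 45 192.168.12.99 TCP_MISS/200 5120 GET http://www.example.net/directory/ - DIRECT/x.x.x.x text/html
"""


def parse(text):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()


def auth_loops(text, threshold=3):
    """Map (client, url) -> reply sizes of the trailing run of 401s.

    A pair is reported only if its most recent `threshold` or more
    responses were all 401; any other status resets the run.
    """
    run = defaultdict(list)
    for entry in parse(text):
        key = (entry["client"], entry["url"])
        if entry["status"] == "401":
            run[key].append(int(entry["size"]))
        else:
            run[key].clear()
    return {k: sizes for k, sizes in run.items() if len(sizes) >= threshold}


if __name__ == "__main__":
    for (client, url), sizes in auth_loops(SAMPLE).items():
        print(f"{client} {url}: {len(sizes)} consecutive 401s, sizes {sizes}")
```
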