Re: [squid-users] SSLBUMP certificate verify failed
I am not sure where I am going wrong here...

ssl bump certificate:

  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem

The DER certificate was generated and deployed in the client computer's trusted root store:

  openssl x509 -in squidCA.pem -outform DER -out squidCA.der

squid.conf:

  http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem

On Sun, Jan 17, 2016 at 1:58 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
>
> No.
>
> 18.01.16 0:56, Roman Gelfand wrote:
> > I am getting an error, below, in a cache.log. How can I identify the
> > request associated with this error? It doesn't appear to be an issue with
> > client-to-proxy. It seems like a problem with proxy-to-remote_server.
> >
> > Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
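As an added example (not from this thread and not Squid project code), the script below builds a bumping CA the way the post's openssl command does, but with the CA extensions stated explicitly, converts it to DER for client deployment, and then reproduces the proxy-to-server "certificate verify failed" condition offline: a constructed leaf certificate verifies against the CA that issued it and fails against an unrelated CA. The names squidCA, otherCA and example.test are placeholders; the script needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread: generate a bumping CA with explicit
# CA extensions, convert it to DER, and show offline what "certificate
# verify failed" means by checking a leaf against the right and wrong CA.
# Requires the openssl command line tool.
set -e

WORK=${WORK:-$(mktemp -d)}

# Minimal openssl config (constructed) so the CA extensions do not depend
# on whatever the system openssl.cnf happens to contain.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA, as in the post's openssl req line, with CA:TRUE explicit.
make_ca() {
    name=$1
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$WORK/ca.cnf" -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Constructed leaf certificate signed by the named CA; it stands in for an
# origin server's certificate.
make_leaf() {
    ca=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.pem" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -days 30 -sha256 \
        -out "$WORK/$host.pem" >/dev/null 2>&1
}

# DER copy for import into a client's trusted root store, as in the post.
to_der() {
    openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# True when openssl can build a trusted chain from the leaf to the CA.
# A false result is exactly the condition the TLS client side (Squid,
# talking to the origin server) logs as "certificate verify failed".
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

demo() {
    make_ca squidCA
    make_ca otherCA
    make_leaf squidCA example.test
    to_der squidCA
    if verify_against squidCA example.test; then
        echo "example.test verifies against squidCA"
    fi
    if ! verify_against otherCA example.test; then
        echo "example.test against otherCA: certificate verify failed"
    fi
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run it with `--demo` to see both outcomes. The point for a bumping proxy is that the CA in `cert=` only matters for the client-facing side; the proxy-to-server verification fails whenever the origin server's chain does not lead to a CA the proxy trusts, which is what `verify_against otherCA` reproduces.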
[squid-users] SSLBUMP certificate verify failed
I am getting an error, below, in a cache.log. How can I identify the request associated with this error? It doesn't appear to be an issue with client-to-proxy. It seems like a problem with proxy-to-remote_server.

  Error negotiating SSL on FD 43: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[squid-users] SSLBUMP Issue
I am getting the following error. Would anyone know the reason?

  Error negotiating SSL connection on FD 37: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

My sslbump config is

  http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
  ssl_bump server-first all
  ssl_bump peek all
  ssl_bump terminate all

Thanks in advance
[squid-users] Running configuration
I accidentally deleted the squid.conf while squid was running. Squid is still running. Is there a way to retrieve the running configuration?
[squid-users] ICAP Error
I am getting an error, below, when attempting to bring up http://ads.adfox.ru/173362/goLink?. How can I troubleshoot this?

  ERROR
  The requested URL could not be retrieved

  The following error was encountered while trying to retrieve the URL: http://ads.adfox.ru/173362/goLink?

  ICAP protocol error.

  The system returned: [No Error]

  This means that some aspect of the ICAP communication failed.

  Some possible problems are:
  - The ICAP server is not reachable.
  - An Illegal response was received from the ICAP server.

  Generated Wed, 23 Jul 2014 22:53:21 GMT by websap.masmid.com (squid)
[squid-users] Firefox update problems
I have an ssl bump setup with ssl_bump server-first all. When Firefox is attempting an update, the end user gets an error: something is trying to trick Firefox into accepting an insecure update. From what I gathered, unless I am wrong, Firefox doesn't like it when the certificate changes in the middle. In any case, is there a way to deal with this, either by specifically bypassing ssl bump or something else?

Thanks in advance
[squid-users] ICAP Error
For 99.9% of the sites, my icap services are working. There are instances where I am getting the following icap error. Not sure as to how to start debugging it. I am using the latest squid and icap versions.

  The following error was encountered while trying to retrieve the URL: https://www.flowroute.com/accounts/login/

  ICAP protocol error.

  The system returned: [No Error]

  This means that some aspect of the ICAP communication failed.

  Some possible problems are:
  - The ICAP server is not reachable.
  - An Illegal response was received from the ICAP server.

Thanks in advance
[squid-users] Language Pack and Translations
What configure options should I add if I would like to deploy all language packs and perform translations? Thanks in advance
[squid-users] Transparent Proxy
Is there a way I could control access to various sites based on user, regardless of the workstation they are on? All in transparent proxy.

Thanks in advance
Re: [squid-users] tproxy configuration
Amos,

Do you have an idea as to what I am doing wrong here?

Thanks,

On Fri, Feb 22, 2013 at 12:40 PM, Roman Gelfand rgelfa...@gmail.com wrote:
> Thanks for taking time to help me out. If I understood you correctly, I
> think I made the changes you mentioned, including the
> iptables -A FORWARD -i eth0 -j ACCEPT line. Still no luck. Below are the
> diagnostics.
>
> Chain PREROUTING (policy ACCEPT 13 packets, 8499 bytes)
>  pkts bytes target  prot opt in  out  source    destination
>   337 93649 ACCEPT  all  --  any any  anywhere  192.168.8.21
>   226 48201 DIVERT  tcp  --  any any  anywhere  anywhere      socket
>     0     0 TPROXY  tcp  --  any any  anywhere  anywhere      tcp dpt:www TPROXY redirect 0.0.0.0:3228 mark 0x1/0x1
>     0     0 TPROXY  tcp  --  any any  anywhere  anywhere      tcp dpt:https TPROXY redirect 0.0.0.0:3229 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 576 packets, 150K bytes)
>  pkts bytes target  prot opt in  out  source    destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in  out  source    destination
>
> Chain OUTPUT (policy ACCEPT 644 packets, 135K bytes)
>  pkts bytes target  prot opt in  out  source    destination
>
> Chain POSTROUTING (policy ACCEPT 644 packets, 135K bytes)
>  pkts bytes target  prot opt in  out  source    destination
>
> Chain DIVERT (1 references)
>  pkts bytes target  prot opt in  out  source    destination
>   226 48201 MARK    all  --  any any  anywhere  anywhere      MARK set 0x1
>   226 48201 ACCEPT  all  --  any any  anywhere  anywhere
>
> On Fri, Feb 22, 2013 at 2:14 AM, Amos Jeffries squ...@treenet.co.nz wrote:
>> On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
>>> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries squ...@treenet.co.nz wrote:
>>>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>>>> Please, find below the network topology, squid.conf and rc.local
>>>>> configuration files. It appears that the squid is not routing the
>>>>> http requests. I am not sure what I am doing wrong here. Please note,
>>>>> the same squid.conf works on transparent proxy (non tproxy), with the
>>>>> exception of the tproxy keyword and service changes.
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>>   WAN
>>>>>    ||
>>>>>    || wccp/gre tunnel
>>>>>    ||
>>>>>   squid 3.3 ========== Fortigate FW/RT
>>>>>   ip: 192.168.8.21     Int ip 1 192.168.8.1
>>>>>                        Int ip 2 192.168.11.1
>>>>>                        Ext ip XX.XX.XXX.24
>>>>>                         ||
>>>>>                         ||
>>>>>                        WLAN Router
>>>>>                        Int. ip 192.168.11.32
>>>>>                        Ext. ip 192.168.7.1
>>>>>                         ||
>>>>>                         ||
>>>>>                        Client Workstation 192.168.7.110
>>>>>
>>>>> #!/bin/sh -e
>>>>> #
>>>>> # rc.local
>>>>> #
>>>>> # This script is executed at the end of each multiuser runlevel.
>>>>> # Make sure that the script will exit 0 on success or any other
>>>>> # value on error.
>>>>> #
>>>>> # In order to enable or disable this script just change the execution
>>>>> # bits.
>>>>> #
>>>>> # By default this script does nothing.
>>>>>
>>>>> # GRE Tunnel :
>>>>> echo Loading modules..
>>>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>>> LOCALIP=192.168.8.21
>>>>> FORTIDIRIP=192.168.8.1
>>>>> FORTIIPID=XX.XX.XXX.254
>>>>> echo changing routing and reverse path stuff..
>>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>
>>>> What about rp_filter on eth0 where the traffic is actually exiting the
>>>> Squid box?
>>>
>>> Could you elaborate on this..
>>
>> What rp_filter does is prevent packets from local software using that
>> interface from using IP addresses that do not belong to that box.
>>
>> The purpose of TPROXY being to spoof the _clients_ IP address on outgoing
>> traffic. Which does not leave the machine on lo, but through eth0 or some
>> other interface.
>>
>> Amos
Re: [squid-users] Transparent Proxy and Authentication
Yep, it is an ip based authentication.

On Fri, Feb 22, 2013 at 8:40 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 23/02/2013 8:48 a.m., Roman Gelfand wrote:
>> Please, consider the network topology below. I could always configure
>> outgoing http traffic on the firewall to authenticate with firewall
>> user. How is this different from having squid authenticate in
>> transparent mode?
>
> That is a good question. *How* is the firewall getting the clients to add
> Proxy-Authenticate headers to their traffic when they are not talking to a
> proxy?
>
> You either have clients who are so broken they transmit the users
> credentials to any attacker who wants to request them. Or you are not
> doing HTTP authentication on the firewall.
>
> I think your firewall is not doing HTTP authentication. Perhaps it is
> doing RADIUS, with IP-based or MAC-based authorization.
>
> Amos
Re: [squid-users] tproxy configuration
Thanks for taking time to help me out. If I understood you correctly, I think I made the changes you mentioned, including the iptables -A FORWARD -i eth0 -j ACCEPT line. Still no luck. Below are the diagnostics.

  Chain PREROUTING (policy ACCEPT 13 packets, 8499 bytes)
   pkts bytes target  prot opt in  out  source    destination
    337 93649 ACCEPT  all  --  any any  anywhere  192.168.8.21
    226 48201 DIVERT  tcp  --  any any  anywhere  anywhere      socket
      0     0 TPROXY  tcp  --  any any  anywhere  anywhere      tcp dpt:www TPROXY redirect 0.0.0.0:3228 mark 0x1/0x1
      0     0 TPROXY  tcp  --  any any  anywhere  anywhere      tcp dpt:https TPROXY redirect 0.0.0.0:3229 mark 0x1/0x1

  Chain INPUT (policy ACCEPT 576 packets, 150K bytes)
   pkts bytes target  prot opt in  out  source    destination

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target  prot opt in  out  source    destination

  Chain OUTPUT (policy ACCEPT 644 packets, 135K bytes)
   pkts bytes target  prot opt in  out  source    destination

  Chain POSTROUTING (policy ACCEPT 644 packets, 135K bytes)
   pkts bytes target  prot opt in  out  source    destination

  Chain DIVERT (1 references)
   pkts bytes target  prot opt in  out  source    destination
    226 48201 MARK    all  --  any any  anywhere  anywhere      MARK set 0x1
    226 48201 ACCEPT  all  --  any any  anywhere  anywhere

On Fri, Feb 22, 2013 at 2:14 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
>> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries squ...@treenet.co.nz wrote:
>>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>>> Please, find below the network topology, squid.conf and rc.local
>>>> configuration files. It appears that the squid is not routing the
>>>> http requests. I am not sure what I am doing wrong here. Please note,
>>>> the same squid.conf works on transparent proxy (non tproxy), with the
>>>> exception of the tproxy keyword and service changes.
>>>>
>>>> Thanks in advance,
>>>>
>>>>   WAN
>>>>    ||
>>>>    || wccp/gre tunnel
>>>>    ||
>>>>   squid 3.3 ========== Fortigate FW/RT
>>>>   ip: 192.168.8.21     Int ip 1 192.168.8.1
>>>>                        Int ip 2 192.168.11.1
>>>>                        Ext ip XX.XX.XXX.24
>>>>                         ||
>>>>                         ||
>>>>                        WLAN Router
>>>>                        Int. ip 192.168.11.32
>>>>                        Ext. ip 192.168.7.1
>>>>                         ||
>>>>                         ||
>>>>                        Client Workstation 192.168.7.110
>>>>
>>>> #!/bin/sh -e
>>>> #
>>>> # rc.local
>>>> #
>>>> # This script is executed at the end of each multiuser runlevel.
>>>> # Make sure that the script will exit 0 on success or any other
>>>> # value on error.
>>>> #
>>>> # In order to enable or disable this script just change the execution
>>>> # bits.
>>>> #
>>>> # By default this script does nothing.
>>>>
>>>> # GRE Tunnel :
>>>> echo Loading modules..
>>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>> LOCALIP=192.168.8.21
>>>> FORTIDIRIP=192.168.8.1
>>>> FORTIIPID=XX.XX.XXX.254
>>>> echo changing routing and reverse path stuff..
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>
>>> What about rp_filter on eth0 where the traffic is actually exiting the
>>> Squid box?
>>
>> Could you elaborate on this..
>
> What rp_filter does is prevent packets from local software using that
> interface from using IP addresses that do not belong to that box.
>
> The purpose of TPROXY being to spoof the _clients_ IP address on outgoing
> traffic. Which does not leave the machine on lo, but through eth0 or some
> other interface.
>
> Amos
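The rp_filter exchange above (quoted twice in this thread, in the "Re: tproxy configuration" replies) turns on one fact: TPROXY emits packets with the client's source address, so the reverse-path filter that matters is the one on the interface those packets leave through, not on lo. The following added example, not from the thread or from the Squid project, audits a conf tree for that mistake. It takes the conf directory as a parameter, so it can be pointed at /proc/sys/net/ipv4/conf on a live box or at the constructed fixture it builds for itself; the interface names eth0 and wccp0 in the fixture are taken from the post's own setup and are assumptions about it.

```shell
#!/bin/sh
# Added example, not from the thread: audit reverse-path filtering the way
# Amos describes it.  TPROXY sends packets whose source is the client's
# address out through eth0 (or whichever interface faces the router), so
# it is the rp_filter of that interface, not of lo, that can silently drop
# them.  The conf directory is a parameter so the same functions work on
# /proc/sys/net/ipv4/conf or on a constructed copy.
set -e

# Effective rp_filter for one interface: the kernel applies the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter.
effective_rp_filter() {
    confdir=$1
    iface=$2
    all=$(cat "$confdir/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$confdir/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print, one per line, every real interface whose effective rp_filter is
# 1 (strict), the mode that discards packets with a spoofed source.
# Loose mode (2) only requires some route back to the source, which a
# default route satisfies, so it is not reported.
rp_filter_strict_ifaces() {
    confdir=$1
    for d in "$confdir"/*/; do
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        if [ "$(effective_rp_filter "$confdir" "$iface")" = "1" ]; then
            printf '%s\n' "$iface"
        fi
    done
}

# Mitigation: put one interface into loose mode.  On a live system this
# is the same as: echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
relax_rp_filter() {
    echo 2 > "$1/$2/rp_filter"
}

# Constructed fixture mirroring the post: rp_filter was cleared on lo
# only, while eth0 and the GRE tunnel interface keep the strict default.
build_fixture() {
    root=$(mktemp -d)
    for iface in all default lo eth0 wccp0; do
        mkdir -p "$root/$iface"
    done
    echo 0 > "$root/all/rp_filter"
    echo 1 > "$root/default/rp_filter"
    echo 0 > "$root/lo/rp_filter"
    echo 1 > "$root/eth0/rp_filter"
    echo 1 > "$root/wccp0/rp_filter"
    echo "$root"
}

case "${1:-}" in
    --demo)
        fixture=$(build_fixture)
        echo "interfaces that would drop TPROXY-spoofed packets:"
        rp_filter_strict_ifaces "$fixture"
        ;;
    --live)
        rp_filter_strict_ifaces /proc/sys/net/ipv4/conf
        ;;
esac
```

With `--demo` the fixture reports eth0 and wccp0, which is the configuration the post has after clearing rp_filter on lo alone; with `--live` the same check runs against the running kernel's settings.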
Re: [squid-users] Transparent Proxy and Authentication
Please, consider the network topology below. I could always configure outgoing http traffic on the firewall to authenticate with firewall user. How is this different from having squid authenticate in transparent mode?

  WAN
   ||
   || wccp/gre tunnel
   ||
  squid 3.3 ========== Fortigate FW/RT
  ip: 192.168.8.21     Int ip 1 192.168.8.1
                       Int ip 2 192.168.11.1
                       Ext ip XX.XX.XXX.24
                        ||
                        ||
                       WLAN Router
                       Int. ip 192.168.11.32
                       Ext. ip 192.168.7.1
                        ||
                        ||
                       Client Workstation 192.168.7.110

On Wed, Feb 20, 2013 at 7:55 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 21/02/2013 4:42 a.m., Roman Gelfand wrote:
>> I guess the 2 don't mix as per the "NOTICE: Authentication not applicable
>> on intercepted requests." message. Would it follow user access control
>> via transparent proxy? or is there a way around the above limitation?
>
> Please read the Interception Proxy FAQs:
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F
>
> Amos
[squid-users] tproxy configuration
Please, find below the network topology, squid.conf and rc.local configuration files. It appears that the squid is not routing the http requests. I am not sure what I am doing wrong here. Please note, the same squid.conf works on transparent proxy (non tproxy), with the exception of the tproxy keyword and service changes.

Thanks in advance,

  WAN
   ||
   || wccp/gre tunnel
   ||
  squid 3.3 ========== Fortigate FW/RT
  ip: 192.168.8.21     Int ip 1 192.168.8.1
                       Int ip 2 192.168.11.1
                       Ext ip XX.XX.XXX.24
                        ||
                        ||
                       WLAN Router
                       Int. ip 192.168.11.32
                       Ext. ip 192.168.7.1
                        ||
                        ||
                       Client Workstation 192.168.7.110

rc.local
---
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will exit 0 on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# GRE Tunnel :
echo Loading modules..
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
LOCALIP=192.168.8.21
FORTIDIRIP=192.168.8.1
FORTIIPID=XX.XX.XXX.254
echo changing routing and reverse path stuff..
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo creating tunnel...
iptunnel add wccp0 mode gre remote $FORTIIPID local $LOCALIP dev eth0
ifconfig wccp0 127.0.1.1/32 up
echo creating routing table for tproxy...
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo creating iptables tproxy rules...
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A INPUT -s $FORTIDIRIP -p udp -m udp --dport 2048 -j ACCEPT
iptables -A INPUT -i wccp0 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t mangle -F
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
exit 0

squid.conf
---
#debug_options ALL,1 33,2
#debug_options ALL,1 33,2 28,9
hierarchy_stoplist cgi-bin
acl QUERY urlpath_regex cgi-bin
#cache_effective_user squid
shutdown_lifetime 1 second
visible_hostname server
httpd_suppress_version_string on
forwarded_for off
#1GB disk cache
cache_dir ufs /usr/local/var/cache/squid 1024 16 256
maximum_object_size 5 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
request_header_access Referer deny all
reply_header_access Referer deny all
http_port 80 accel
acl site1 dstdomain site1.domain.com
acl site2 dstdomain site2.domain.com
acl site3 dstdomain site3.domain.com
acl site4 dstdomain site4.domain.com
acl site5 dstdomain site5.domain.com
acl site6 dstdomain site6.domain.com
acl site7 dstdomain site7.domain.com
https_port 443 cert=/etc/ssl/certs/domain_sites.crt key=/etc/ssl/private/domain.key accel vport
# never_direct allow site1
always_direct allow site1
http_access allow site1
http_access deny site1
always_direct allow site2
http_access allow site2
http_access deny site2
always_direct allow site3
http_access allow site3
http_access deny site3
always_direct allow site4
http_access allow site4
http_access deny site4
always_direct allow site5
http_access allow site5
http_access deny site5
always_direct allow site6
http_access allow site6
http_access deny site6
always_direct allow site7
http_access allow site7
http_access deny site7
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src {WAN Network}  # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl SSL_ports port 4435
acl SSL_ports port 8443
acl Safe_ports port 80   # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21   # ftp
acl Safe_ports port 443  # https
acl
Re: [squid-users] tproxy configuration
On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>> Please, find below the network topology, squid.conf and rc.local
>> configuration files. It appears that the squid is not routing the
>> http requests. I am not sure what I am doing wrong here. Please note,
>> the same squid.conf works on transparent proxy (non tproxy), with the
>> exception of the tproxy keyword and service changes.
>>
>> Thanks in advance,
>>
>>   WAN
>>    ||
>>    || wccp/gre tunnel
>>    ||
>>   squid 3.3 ========== Fortigate FW/RT
>>   ip: 192.168.8.21     Int ip 1 192.168.8.1
>>                        Int ip 2 192.168.11.1
>>                        Ext ip XX.XX.XXX.24
>>                         ||
>>                         ||
>>                        WLAN Router
>>                        Int. ip 192.168.11.32
>>                        Ext. ip 192.168.7.1
>>                         ||
>>                         ||
>>                        Client Workstation 192.168.7.110
>>
>> #!/bin/sh -e
>> #
>> # rc.local
>> #
>> # This script is executed at the end of each multiuser runlevel.
>> # Make sure that the script will exit 0 on success or any other
>> # value on error.
>> #
>> # In order to enable or disable this script just change the execution
>> # bits.
>> #
>> # By default this script does nothing.
>>
>> # GRE Tunnel :
>> echo Loading modules..
>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>> LOCALIP=192.168.8.21
>> FORTIDIRIP=192.168.8.1
>> FORTIIPID=XX.XX.XXX.254
>> echo changing routing and reverse path stuff..
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>
> What about rp_filter on eth0 where the traffic is actually exiting the
> Squid box?

Could you elaborate on this..

>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> echo creating tunnel...
>> iptunnel add wccp0 mode gre remote $FORTIIPID local $LOCALIP dev eth0
>> ifconfig wccp0 127.0.1.1/32 up
>> echo creating routing table for tproxy...
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>
> You may need this to be dev eth0 instead of dev lo. Experiment to find
> out which.
>
>> echo creating iptables tproxy rules...
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>> iptables -A FORWARD -i lo -j ACCEPT
>
> What about forwarding of non-localhost traffic? such as the TPROXY
> spoofed client IPs.

Could you elaborate on this, as well.

>> iptables -A INPUT -s $FORTIDIRIP -p udp -m udp --dport 2048 -j ACCEPT
>> iptables -A INPUT -i wccp0 -j ACCEPT
>> iptables -A INPUT -p gre -j ACCEPT
>> iptables -t mangle -F
>> iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
>> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
>> exit 0
>>
>> squid.conf
>> ---
>> #debug_options ALL,1 33,2
>> #debug_options ALL,1 33,2 28,9
>> hierarchy_stoplist cgi-bin
>> acl QUERY urlpath_regex cgi-bin
>> #cache_effective_user squid
>> shutdown_lifetime 1 second
>> visible_hostname server
>> httpd_suppress_version_string on
>> forwarded_for off
>> #1GB disk cache
>> cache_dir ufs /usr/local/var/cache/squid 1024 16 256
>> maximum_object_size 5 MB
>> cache_mem 1024 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size_in_memory 512 KB
>> request_header_access Referer deny all
>> reply_header_access Referer deny all
>> http_port 80 accel
>> acl site1 dstdomain site1.domain.com
>> acl site2 dstdomain site2.domain.com
>> acl site3 dstdomain site3.domain.com
>> acl site4 dstdomain site4.domain.com
>> acl site5 dstdomain site5.domain.com
>> acl site6 dstdomain site6.domain.com
>> acl site7 dstdomain site7.domain.com
>> https_port 443 cert=/etc/ssl/certs/domain_sites.crt key=/etc/ssl/private/domain.key accel vport
>> # never_direct allow site1
>> always_direct allow site1
>> http_access allow site1
>> http_access deny site1
>> always_direct allow site2
>> http_access allow site2
>> http_access deny site2
>> always_direct allow site3
>> http_access allow site3
>> http_access deny site3
>> always_direct allow site4
>> http_access allow site4
>> http_access deny site4
>> always_direct allow site5
>> http_access allow site5
>> http_access deny site5
>> always_direct allow site6
>> http_access allow site6
>> http_access deny site6
>> always_direct allow site7
>> http_access allow site7
>> http_access deny site7
>> #
>> # Recommended minimum configuration:
>> #
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src
[squid-users] Transparent Proxy and Authentication
I guess the 2 don't mix as per NOTICE: Authentication not applicable on intercepted requests. message. Would it follow user access control via transparent proxy? or is there a way around the above limitation? Thanks in advance
[squid-users] Installation not building helpers
Below are the configuration parameters I use to build squid. After make install, the basic_ldap_auth is not found in /usr/local/libexec. Why? It is interesting as it did create these:

  -rwxr-xr-x 1 root staff  72755 Feb 18 00:40 basic_fake_auth
  -rwxr-xr-x 1 root staff 103712 Feb 18 00:40 basic_getpwnam_auth
  -rwxr-xr-x 1 root staff 317249 Feb 18 00:40 basic_msnt_auth
  -rwxr-xr-x 1 root staff   3954 Feb 18 00:40 basic_msnt_multi_domain_auth
  -rwxr-xr-x 1 root staff 227438 Feb 18 00:40 basic_ncsa_auth
  -rwxr-xr-x 1 root staff 128612 Feb 18 00:40 basic_nis_auth
  -rwxr-xr-x 1 root staff   1460 Feb 18 00:40 basic_pop3_auth
  -rwxr-xr-x 1 root staff 145564 Feb 18 00:40 basic_radius_auth
  -rwxr-xr-x 1 root staff 156404 Feb 18 00:40 basic_smb_auth
  -rwxr-xr-x 1 root staff   2229 Feb 18 00:40 basic_smb_auth.sh
  -rwxr-xr-x 1 root staff 440976 Feb 18 00:41 cachemgr.cgi
  -rwxr-xr-x 1 root staff 227340 Feb 18 00:40 digest_file_auth
  -rwxr-xr-x 1 root staff 197133 Feb 18 00:41 diskd
  -rwxr-xr-x 1 root staff 158211 Feb 18 00:40 ext_file_userip_acl
  -rwxr-xr-x 1 root staff   3935 Feb 18 00:40 ext_sql_session_acl
  -rwxr-xr-x 1 root staff 132251 Feb 18 00:40 ext_unix_group_acl
  -rwxr-xr-x 1 root staff   4999 Feb 18 00:40 ext_wbinfo_group_acl
  -rwxr-xr-x 1 root staff   5499 Feb 18 00:41 helper-mux.pl
  -rwxr-xr-x 1 root staff  12166 Feb 18 00:40 log_db_daemon
  -rwxr-xr-x 1 root staff  76515 Feb 18 00:40 log_file_daemon
  -rwxr-xr-x 1 root staff  65044 Feb 18 00:40 negotiate_wrapper_auth
  -rwxr-xr-x 1 root staff 123618 Feb 18 00:40 ntlm_fake_auth
  -rwxr-xr-x 1 root staff 210415 Feb 18 00:40 ntlm_smb_lm_auth
  -rwsr-xr-x 1 root staff 695897 Feb 18 00:41 pinger

configure options: '--enable-icap-client' '--enable-gnuregex' '--enable-icmp' '--enable-ssl' '--enable-kill-parent-hack' '--enable-snmp' '--disable-ident-lookups' '--enable-cache-digests' '--enable-eui' '--enable-removal-policies=heap,lru' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers' '--with-maxfd=16384' '--enable-follow-x-forwarded-for' '--with-logdir=/var/log/squid' '--with-squid=/usr/local/src/squid-3.3.1' '--prefix=/usr/local' '--with-default-user=proxy' '--enable-ltdl-convenience' '--disable-ipv6'

Also, the config log shows the below.

  configure:21936: Authentication support enabled: yes
  configure:22011: Basic auth helper LDAP ... found but cannot be built
  configure:22011: Basic auth helper PAM ... found but cannot be built
  configure:22011: Basic auth helper SASL ... found but cannot be built
  configure:22011: Basic auth helper SSPI ... found but cannot be built
  configure:22016: Basic auth helpers to be built: DB MSNT MSNT-multi-domain NCSA NIS POP3 RADIUS SMB fake getpwnam
  configure:22069: NTLM auth helper SSPI ... found but cannot be built
  configure:22074: NTLM auth helpers built: fake smb_lm
  configure:22128: Negotiate auth helper SSPI ... found but cannot be built
  configure:22128: Negotiate auth helper kerberos ... found but cannot be built
  configure:22133: Negotiate auth helpers built: wrapper
  configure:22187: Digest auth helper LDAP ... found but cannot be built
  configure:22187: Digest auth helper eDirectory ... found but cannot be built
  configure:22192: Digest auth helpers built: file
  configure:22244: Log daemon helpers built: DB file
  configure:22363: checking for krb5-config
  configure:22391: result: no
  configure:23502: external acl helper AD_group ... found but cannot be built
  configure:23502: external acl helper LDAP_group ... found but cannot be built
  configure:23502: external acl helper LM_group ... found but cannot be built
  configure:23502: external acl helper eDirectory_userip ... found but cannot be built
  configure:23502: external acl helper kerberos_ldap_group ... found but cannot be built
  configure:23502: external acl helper session ... found but cannot be built
  configure:23502: external acl helper time_quota ... found but cannot be built
  configure:23507: External acl helpers built: SQL_session file_userip unix_group wbinfo_group

Thanks in advance
Re: [squid-users] Installation not building helpers
Thanks for the clarification.

On Tue, Feb 19, 2013 at 5:25 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 20/02/2013 4:22 a.m., Roman Gelfand wrote:
>> Below are the configuration parameters I use to build squid. After make
>> install, the basic_ldap_auth is not found in /usr/local/libexec. Why?
>> It is interesting as it did create these:
>>
>>   -rwxr-xr-x 1 root staff  72755 Feb 18 00:40 basic_fake_auth
>>   -rwxr-xr-x 1 root staff 103712 Feb 18 00:40 basic_getpwnam_auth
>>   -rwxr-xr-x 1 root staff 317249 Feb 18 00:40 basic_msnt_auth
>>   -rwxr-xr-x 1 root staff   3954 Feb 18 00:40 basic_msnt_multi_domain_auth
>>   -rwxr-xr-x 1 root staff 227438 Feb 18 00:40 basic_ncsa_auth
>>   -rwxr-xr-x 1 root staff 128612 Feb 18 00:40 basic_nis_auth
>>   -rwxr-xr-x 1 root staff   1460 Feb 18 00:40 basic_pop3_auth
>>   -rwxr-xr-x 1 root staff 145564 Feb 18 00:40 basic_radius_auth
>>   -rwxr-xr-x 1 root staff 156404 Feb 18 00:40 basic_smb_auth
>>   -rwxr-xr-x 1 root staff   2229 Feb 18 00:40 basic_smb_auth.sh
>>   -rwxr-xr-x 1 root staff 440976 Feb 18 00:41 cachemgr.cgi
>>   -rwxr-xr-x 1 root staff 227340 Feb 18 00:40 digest_file_auth
>>   -rwxr-xr-x 1 root staff 197133 Feb 18 00:41 diskd
>>   -rwxr-xr-x 1 root staff 158211 Feb 18 00:40 ext_file_userip_acl
>>   -rwxr-xr-x 1 root staff   3935 Feb 18 00:40 ext_sql_session_acl
>>   -rwxr-xr-x 1 root staff 132251 Feb 18 00:40 ext_unix_group_acl
>>   -rwxr-xr-x 1 root staff   4999 Feb 18 00:40 ext_wbinfo_group_acl
>>   -rwxr-xr-x 1 root staff   5499 Feb 18 00:41 helper-mux.pl
>>   -rwxr-xr-x 1 root staff  12166 Feb 18 00:40 log_db_daemon
>>   -rwxr-xr-x 1 root staff  76515 Feb 18 00:40 log_file_daemon
>>   -rwxr-xr-x 1 root staff  65044 Feb 18 00:40 negotiate_wrapper_auth
>>   -rwxr-xr-x 1 root staff 123618 Feb 18 00:40 ntlm_fake_auth
>>   -rwxr-xr-x 1 root staff 210415 Feb 18 00:40 ntlm_smb_lm_auth
>>   -rwsr-xr-x 1 root staff 695897 Feb 18 00:41 pinger
>>
>> configure options: '--enable-icap-client' '--enable-gnuregex' '--enable-icmp' '--enable-ssl' '--enable-kill-parent-hack' '--enable-snmp' '--disable-ident-lookups' '--enable-cache-digests' '--enable-eui' '--enable-removal-policies=heap,lru' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers' '--with-maxfd=16384' '--enable-follow-x-forwarded-for' '--with-logdir=/var/log/squid' '--with-squid=/usr/local/src/squid-3.3.1' '--prefix=/usr/local' '--with-default-user=proxy' '--enable-ltdl-convenience' '--disable-ipv6'
>>
>> Also, the config log shows the below.
>>
>>   configure:21936: Authentication support enabled: yes
>>   configure:22011: Basic auth helper LDAP ... found but cannot be built
>>   configure:22011: Basic auth helper PAM ... found but cannot be built
>>   configure:22011: Basic auth helper SASL ... found but cannot be built
>>   configure:22011: Basic auth helper SSPI ... found but cannot be built
>>   configure:22016: Basic auth helpers to be built: DB MSNT MSNT-multi-domain NCSA NIS POP3 RADIUS SMB fake getpwnam
>>   configure:22069: NTLM auth helper SSPI ... found but cannot be built
>>   configure:22074: NTLM auth helpers built: fake smb_lm
>>   configure:22128: Negotiate auth helper SSPI ... found but cannot be built
>>   configure:22128: Negotiate auth helper kerberos ... found but cannot be built
>>   configure:22133: Negotiate auth helpers built: wrapper
>>   configure:22187: Digest auth helper LDAP ... found but cannot be built
>>   configure:22187: Digest auth helper eDirectory ... found but cannot be built
>>   configure:22192: Digest auth helpers built: file
>>   configure:22244: Log daemon helpers built: DB file
>>   configure:22363: checking for krb5-config
>>   configure:22391: result: no
>>   configure:23502: external acl helper AD_group ... found but cannot be built
>>   configure:23502: external acl helper LDAP_group ... found but cannot be built
>>   configure:23502: external acl helper LM_group ... found but cannot be built
>>   configure:23502: external acl helper eDirectory_userip ... found but cannot be built
>>   configure:23502: external acl helper kerberos_ldap_group ... found but cannot be built
>>   configure:23502: external acl helper session ... found but cannot be built
>>   configure:23502: external acl helper time_quota ... found but cannot be built
>>   configure:23507: External acl helpers built: SQL_session file_userip unix_group wbinfo_group
>>
>> Thanks in advance
>
> When you don't specify the helper names (or = for none) Squid will
> auto-detect support for each helper and build all the ones which can be
> built.
>
> You are missing build dependencies for these helpers which are found but
> cannot be built. Since you specifically want the LDAP helper you will
> need a devel version of the LDAP libraries and headers installed before
> ./configure'ing Squid.
>
> Amos
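Amos's explanation above is easy to act on mechanically: every "found but cannot be built" line in the configure output names a helper that auto-detection skipped for lack of a development library or header, and the "helpers built:" lines list what will actually land in libexec. The following added example, not from the thread or from the Squid project, parses those two line shapes. It reads the log on stdin, so it can be fed the real config.log; the sample embedded in it is a constructed copy of the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: read the configure output that the
# post quotes and report which helpers were detected but skipped, and
# whether a named helper will actually be built.  Functions read the log
# on stdin, so they can be fed config.log from a real build or the
# constructed sample below.
set -e

# Constructed sample, copied from the lines quoted in the thread.
SAMPLE_CONFIG_LOG='configure:21936: Authentication support enabled: yes
configure:22011: Basic auth helper LDAP ... found but cannot be built
configure:22011: Basic auth helper PAM ... found but cannot be built
configure:22016: Basic auth helpers to be built: DB MSNT MSNT-multi-domain NCSA NIS POP3 RADIUS SMB fake getpwnam
configure:22187: Digest auth helper LDAP ... found but cannot be built
configure:22192: Digest auth helpers built: file
configure:23502: external acl helper LDAP_group ... found but cannot be built
configure:23507: External acl helpers built: SQL_session file_userip unix_group wbinfo_group'

# Print "<helper> <family>" for every helper configure detected but could
# not build (a missing devel library or header, as Amos explains).
skipped_helpers() {
    sed -n 's/^configure:[0-9]*: \(.*\) helper \([^ ]*\) \.\.\. found but cannot be built$/\2 \1/p'
}

# Number of skipped helpers; a single-number build-health check.
skipped_count() {
    skipped_helpers | grep -c . || true
}

# Exit 0 when <helper> appears in the "<family> helpers ... built:" line,
# i.e. its binary will exist under libexec after make install.  Matching
# is case-insensitive because configure spells "External acl" both ways.
helper_is_built() {
    family=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$2
    tr 'A-Z' 'a-z' \
        | sed -n "s/^configure:[0-9]*: $family helpers.* built: //p" \
        | tr ' ' '\n' \
        | grep -qix -- "$name"
}

# Human-readable report over the log on stdin.
report() {
    skipped_helpers | while read -r name family; do
        echo "$family helper $name: detected but not built; install its development libraries/headers and re-run ./configure"
    done
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_CONFIG_LOG" | report ;;
    --log)    report < "$2" ;;
esac
```

`./check.sh --log config.log` (any file name) runs the report on a real configure log; `--sample` runs it on the embedded sample. For the case in the thread, `helper_is_built "Basic auth" LDAP` on the sample is false while `helper_is_built "Basic auth" NCSA` is true, which is exactly why basic_ncsa_auth was installed and basic_ldap_auth was not.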
Re: [squid-users] ldap auth helper
I meant authentication helper. Sorry about that.

On Sun, Feb 17, 2013 at 4:52 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 18/02/2013 3:38 a.m., Roman Gelfand wrote:
>> I am running squid 3.3. I have compiled squid with
>> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'.
>> What is the name of squid ldap authorization helper? I could not find
>> squid_ldap_auth anywhere.
>
> The authorization helpers are built using --enable-external-acl-helpers=.
> Did you mean authentication?
>
> There were some big changes in squid-3.2 series you need to become aware of:
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss4.2
> (also section 4.3)
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6
>
> Amos
[squid-users] Basic AUTH Helper
What does this message mean? configure: Basic auth helper LDAP ... found but cannot be built Thanks in advance
[squid-users] TPROXY Configuration
I have configured the tproxy as follows, but it appears packets are not hitting squid. Please note, the wccp configuration on the router is already working with squid http_port transparent configuration and, obviously, different iptables configuration. Any help is appreciated. Thanks in advance.

squid.conf
---
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key

# FortiGate interface of wccp
wccp2_router 192.168.5.1
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
wccp2_service dynamic 95
wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443
# tunneling method GRE for forward traffic
wccp2_forwarding_method 1
# tunneling method GRE for return traffic
wccp2_return_method 1
# Assignment method (default), only relevant if multiple caches used
wccp2_assignment_method 1
# wccp weight (default), only relevant if multiple caches used
wccp2_weight 1
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

rc.local
---
modprobe ip_gre
modprobe ip_tables
modprobe x_tables
ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
ip addr add 192.168.5.21/32 dev wccp0
ip link set wccp0 up
# Route to send the content back to the GRE tunnel
route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0
# Disable reverse path filtering on the tunnel and enable routing in the kernel
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up the redirection of traffic from the GRE tunnel to the squid tproxy ports 3228 and 3229
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
exit 0
[squid-users] Re: TPROXY Configuration
Please, ignore this post. I found I need to add more configuration as in http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

On Wed, Feb 6, 2013 at 9:27 AM, Roman Gelfand rgelfa...@gmail.com wrote:

I have configured the tproxy as follows, but it appears packets are not hitting squid. Please note, the wccp configuration on the router is already working with squid http_port transparent configuration and, obviously, different iptables configuration. Any help is appreciated. Thanks in advance.

squid.conf
---
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key

# FortiGate interface of wccp
wccp2_router 192.168.5.1
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
wccp2_service dynamic 95
wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443
# tunneling method GRE for forward traffic
wccp2_forwarding_method 1
# tunneling method GRE for return traffic
wccp2_return_method 1
# Assignment method (default), only relevant if multiple caches used
wccp2_assignment_method 1
# wccp weight (default), only relevant if multiple caches used
wccp2_weight 1
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

rc.local
---
modprobe ip_gre
modprobe ip_tables
modprobe x_tables
ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
ip addr add 192.168.5.21/32 dev wccp0
ip link set wccp0 up
# Route to send the content back to the GRE tunnel
route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0
# Disable reverse path filtering on the tunnel and enable routing in the kernel
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up the redirection of traffic from the GRE tunnel to the squid tproxy ports 3228 and 3229
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
exit 0
[squid-users] TPROXY
Is content filtering possible with tproxy? If yes, would somebody have a working iptable configuration for tproxy? Thanks in advance
Re: [squid-users] SQUID Debugging
OK.. I figured this out already. I was under the impression there was no command https_port. After changing the http_port to https_port, I am getting results. Thanks

On Thu, Jan 31, 2013 at 11:27 PM, Roman Gelfand rgelfa...@gmail.com wrote:

Does the request or response arrive on port 80? Thanks

From: Amos Jeffries
Sent: 1/31/2013 11:15 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SQUID Debugging

On 1/02/2013 6:32 a.m., Roman Gelfand wrote:

I am attempting to debug the problem I am hitting. Looking at this, I am not sure if squid or target server doesn't like client's ssl handshaking request. Also, I am not sure how to interpret local or remote addresses as what says remote is the client machine that is trying to access the target site which is identified as local. Also, if you could shed some light as to what these messages are all about, I would greatly appreciate it.

2013/01/31 12:11:38.007 kid1| TcpAcceptor.cc(197) doAccept: New connection on FD 29
2013/01/31 12:11:38.009 kid1| TcpAcceptor.cc(272) acceptNext: connection on local=0.0.0.0:3229 remote=[::] FD 29 flags=41
2013/01/31 12:11:38.014 kid1| client_side.cc(2582) clientProcessRequest: clientProcessRequest: Invalid Request
2013/01/31 12:11:38.017 kid1| errorpage.cc(1282) BuildContent: No existing error page language negotiated for ERR_INVALID_REQ. Using default error file.

It looks like the HTTP request is invalid... Either you are receiving HTTPS traffic on an HTTP port. Or you are receiving non-HTTPS. I don't see any debug trace of SSL handshake being performed, so I assume this is an http_port being sent SSH binary data.

2013/01/31 12:11:38.019 kid1| store.cc(994) checkCachable: StoreEntry::checkCachable: NO: not cachable
2013/01/31 12:11:38.022 kid1| client_side_reply.cc(1966) processReplyAccessResult: The reply for NONE error:invalid-request is ALLOWED, because it matched 'NO ACL's'
2013/01/31 12:11:38.024 kid1| client_side.cc(1386) sendStartOfMessage: HTTP Client local=173.194.75.106:443 remote=192.168.5.35:38723 FD 11 flags=33
2013/01/31 12:11:38.026 kid1| client_side.cc(1387) sendStartOfMessage: HTTP Client REPLY: -
HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Thu, 31 Jan 2013 17:11:38 GMT
Content-Type: text/html
Content-Length: 3662
X-Squid-Error: ERR_INVALID_REQ 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from server
X-Cache-Lookup: NONE from server:80

Yep. Something that is not plain-text HTTP/1.x arriving on port 80 into Squid..

Via: 1.1 server (squid)
Connection: close

Thanks in advance

Amos
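The ERR_INVALID_REQ / 400 in the trace above is what Squid produces when the bytes on an http_port do not parse as HTTP, typically a TLS ClientHello that should have gone to an https_port. The following is an added example, not code from the thread or from the Squid project: it classifies the first bytes of a connection as HTTP, a TLS ClientHello, another TLS record, or unknown, and pulls the SNI name out of a ClientHello so the offending request can be identified. The sample inputs (an HTTP request line, an SSH banner, and a ClientHello built by the helper) are constructed here, not captured from the poster's network; Python 3 is assumed.

```python
"""
Added example, not code from the squid-users thread: classify the first bytes
that arrive on a listening port, so that "TLS record on an http_port" (which
Squid reports as ERR_INVALID_REQ / 400) can be told apart from plain HTTP.
The sample inputs are constructed here, not captured from the poster's network.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
                b"CONNECT ", b"TRACE ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'http', 'tls-client-hello', 'tls-other' or 'unknown'."""
    if data.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type 0x16 (handshake), version major 0x03, then a
    # 2-byte length; byte 5 is the handshake message type (0x01 = ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello" if data[5] == 0x01 else "tls-other"
    return "unknown"


def client_hello_sni(data: bytes):
    """Extract server_name from a ClientHello; None if absent or truncated."""
    if classify_first_bytes(data) != "tls-client-hello":
        return None
    try:
        pos = 5 + 4                 # record header (5) + handshake header (4)
        pos += 2 + 32               # client_version + random
        session_id_len = data[pos]
        pos += 1 + session_id_len
        cipher_suites_len = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2 + cipher_suites_len
        compression_len = data[pos]
        pos += 1 + compression_len
        ext_total = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:  # server_name extension
                # list length (2) + name type (1) + name length (2) + name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (test input)."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32           # client_version + random
            + b"\x00"                            # session id: empty
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
        build_client_hello("www.example.test"),
        b"SSH-2.0-OpenSSH_6.0\r\n",
    ]
    for sample in samples:
        print(classify_first_bytes(sample), client_hello_sni(sample))
```

Feed it the first few hundred bytes of a captured connection (for instance from tcpdump -X on the port in question). Note the limits: an SSLv2-compatible ClientHello starts with 0x80 rather than 0x16 and is reported as unknown, and the SNI parser is deliberately strict, returning None on anything truncated rather than guessing.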
[squid-users] transparent vs. not-transparent oddity
In non-transparent mode, IE 9 worked much faster than Chrome. In transparent mode, just the opposite. Why? Thanks
[squid-users] SQUID Debugging
I am attempting to debug the problem I am hitting. Looking at this, I am not sure if squid or target server doesn't like client's ssl handshaking request. Also, I am not sure how to interpret local or remote addresses as what says remote is the client machine that is trying to access the target site which is identified as local. Also, if you could shed some light as to what these messages are all about, I would greatly appreciate it.

2013/01/31 12:11:38.007 kid1| TcpAcceptor.cc(197) doAccept: New connection on FD 29
2013/01/31 12:11:38.009 kid1| TcpAcceptor.cc(272) acceptNext: connection on local=0.0.0.0:3229 remote=[::] FD 29 flags=41
2013/01/31 12:11:38.014 kid1| client_side.cc(2582) clientProcessRequest: clientProcessRequest: Invalid Request
2013/01/31 12:11:38.017 kid1| errorpage.cc(1282) BuildContent: No existing error page language negotiated for ERR_INVALID_REQ. Using default error file.
2013/01/31 12:11:38.019 kid1| store.cc(994) checkCachable: StoreEntry::checkCachable: NO: not cachable
2013/01/31 12:11:38.022 kid1| client_side_reply.cc(1966) processReplyAccessResult: The reply for NONE error:invalid-request is ALLOWED, because it matched 'NO ACL's'
2013/01/31 12:11:38.024 kid1| client_side.cc(1386) sendStartOfMessage: HTTP Client local=173.194.75.106:443 remote=192.168.5.35:38723 FD 11 flags=33
2013/01/31 12:11:38.026 kid1| client_side.cc(1387) sendStartOfMessage: HTTP Client REPLY: -
HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Thu, 31 Jan 2013 17:11:38 GMT
Content-Type: text/html
Content-Length: 3662
X-Squid-Error: ERR_INVALID_REQ 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from server
X-Cache-Lookup: NONE from server:80
Via: 1.1 server (squid)
Connection: close

Thanks in advance
RE: [squid-users] SQUID Debugging
Does the request or response arrive on port 80? Thanks

From: Amos Jeffries
Sent: 1/31/2013 11:15 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SQUID Debugging

On 1/02/2013 6:32 a.m., Roman Gelfand wrote:

I am attempting to debug the problem I am hitting. Looking at this, I am not sure if squid or target server doesn't like client's ssl handshaking request. Also, I am not sure how to interpret local or remote addresses as what says remote is the client machine that is trying to access the target site which is identified as local. Also, if you could shed some light as to what these messages are all about, I would greatly appreciate it.

2013/01/31 12:11:38.007 kid1| TcpAcceptor.cc(197) doAccept: New connection on FD 29
2013/01/31 12:11:38.009 kid1| TcpAcceptor.cc(272) acceptNext: connection on local=0.0.0.0:3229 remote=[::] FD 29 flags=41
2013/01/31 12:11:38.014 kid1| client_side.cc(2582) clientProcessRequest: clientProcessRequest: Invalid Request
2013/01/31 12:11:38.017 kid1| errorpage.cc(1282) BuildContent: No existing error page language negotiated for ERR_INVALID_REQ. Using default error file.

It looks like the HTTP request is invalid... Either you are receiving HTTPS traffic on an HTTP port. Or you are receiving non-HTTPS. I don't see any debug trace of SSL handshake being performed, so I assume this is an http_port being sent SSH binary data.

2013/01/31 12:11:38.019 kid1| store.cc(994) checkCachable: StoreEntry::checkCachable: NO: not cachable
2013/01/31 12:11:38.022 kid1| client_side_reply.cc(1966) processReplyAccessResult: The reply for NONE error:invalid-request is ALLOWED, because it matched 'NO ACL's'
2013/01/31 12:11:38.024 kid1| client_side.cc(1386) sendStartOfMessage: HTTP Client local=173.194.75.106:443 remote=192.168.5.35:38723 FD 11 flags=33
2013/01/31 12:11:38.026 kid1| client_side.cc(1387) sendStartOfMessage: HTTP Client REPLY: -
HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Thu, 31 Jan 2013 17:11:38 GMT
Content-Type: text/html
Content-Length: 3662
X-Squid-Error: ERR_INVALID_REQ 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from server
X-Cache-Lookup: NONE from server:80

Yep. Something that is not plain-text HTTP/1.x arriving on port 80 into Squid..

Via: 1.1 server (squid)
Connection: close

Thanks in advance

Amos
Re: [squid-users] SQUID as Transparent Proxy
I was referring to the following configuration line. I suppose this is nat interception. The reason why I am asking about all of this is that... I captured ssl traffic on the firewall. It tells me the client (internal lan ip) sent SSL Client Hello packet to target server successfully with ack. However, the target server never sent SSL Client Hello back. Instead, it said the server squid gave bad request (see below).

http_port 3229 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key

HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Mon, 28 Jan 2013 22:42:56 GMT
Content-Type: text/html
Content-Length: 3662
X-Squid-Error: ERR_INVALID_REQ 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from server
X-Cache-Lookup: NONE from server:80
Via: 1.1 server (squid)
Connection: close

On Tue, Jan 29, 2013 at 1:23 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 29/01/2013 12:57 p.m., Roman Gelfand wrote:

When squid is acting as transparent proxy, does squid rewrite ip or layer 2 data. Let's say the route is as follows. Will the outgoing traffic be seen as coming from client's ip as source ip or squid's ip as source ip?

client -> firewall -> wan
             ^
             ||
             || eth0
             || GRE tunnel (on eth0 physical interface)
             ||
             V
         SQUID Server

Thanks in advance

Are you asking about NAT interception or TPROXY interception? One does, one does not.

Amos
[squid-users] SQUID as Transparent Proxy
When squid is acting as transparent proxy, does squid rewrite ip or layer 2 data. Let's say the route is as follows. Will the outgoing traffic be seen as coming from client's ip as source ip or squid's ip as source ip?

client -> firewall -> wan
             ^
             ||
             || eth0
             || GRE tunnel (on eth0 physical interface)
             ||
             V
         SQUID Server

Thanks in advance
Re: [squid-users] Transparent Mode and WCCP
Please, see below...

Some bit of clarification here. WCCP is a protocol consisting of two packets HERE_I_AM and I_SEE_YOU. The HTTP traffic always goes via GRE protocol interface or layer-2 packet routing via Ethernet interface. The WCCP protocol configuration in Squid and Cisco determines whether the layer-1 or GRE are used as return method. I think from your earlier posts you are confusing WCCP protocol with the name of the interface your config uses (wccp0).

Correct me if I am wrong. I understood that I configured virtual interface called wccp0 through which wccp/gre communication of http/https protocol is to take place. The thing to keep in mind is that 1. from squid server to firewall, there is SNAT relationship that translates .252 WAN ip address. However, http traffic from client to firewall translates to .254 WAN IP address. It appears the http/https requests from client are routed by firewall through wccp/gre to and from squid server. After it goes out via .254 wan ip address. Is this correct behavior? If all of this makes sense, how can I troubleshoot this?

Also, NAT is only ever performed on the first packet of any connection, which will always be an incoming packet arriving from your wccp0 interface in PREROUTING. You did not mention a MASQUERADE rule in the POSTROUTING chain which is the part handling the return packets to the client.

Could you give an example?

Other TCP data packets than that first one seen by NAT table are ESTABLISHED or RELATED state and will go out whatever interface your routing setup is configured to send them out. The thing to remember the Squid box is acting as a router for these packets. This means only that Squid acting as forward-proxy works, none of the WCCP protocol and interfaces, NAT or HTTP re-interpretation happens. Squid acting as interception proxy is a VERY different beast from regular forward proxy.

I hit the same problem even with transparent keyword as opposed to intercept.
Re: [squid-users] Transparent Mode and WCCP
So, the fortigate was configured based on the whitepaper you pointed me to. The unencrypted http traffic works, but what I find is that even though a request from the client arrives on squid via wccp, going back it is routed via standard tcp/ip path. Is that how wccp communication is supposed to work with squid or should it come back to the client via wccp? Also, https traffic is not working. I am not sure if it is ssl bump that is causing it. Can you see why it wouldn't work? Please, note the same squid configuration works for both http and https when the proxy is explicitly specified in the browser. Thanks again for your help.

On Thu, Jan 3, 2013 at 11:37 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:

Hey,
I have found this: http://kb.fortinet.com/kb/viewContent.do?externalId=FD30096 which pretty much covers what needed to be done. WCCP is supposed to be a layer 2 interception which TPROXY is the closest thing for that. TPROXY uses the same src IP of the client for outgoing traffic based on a client connection. You can try to configure the fortigate device and maybe try to open a ticket for the FORTI guys in case you don't get it right. WCCP works with most catalyst devices I have tried. There are other ways to intercept traffic and it's only up to the level of your skills and knowledge. It seems like the fortigate is the right place to integrate squid interception to me. I noticed that you didn't configure all squid needed directives to support auto WCCP service registration. Try to do it manually on the fortigate and see the results.

Best regards,
Eliezer

On 1/4/2013 1:22 AM, Roman Gelfand wrote:

Thanks for your help. Please, see attached configuration files and topology picture. I am not using cisco device. I configured fortigate 50b firewall wccp service using gre tunnel. In this case, I am using straight transparent proxy. I have never used tproxy. I do have catalyst router which supports wccp2. Should I use that instead of the fortigate? How does using tproxy instead of transparent proxy improve wccp routing? Thanks again

On Wed, Jan 2, 2013 at 4:39 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:

Based on what did you configure your cisco router? What did you configure on your cisco router? What cisco device are you using? Did you have the chance to look at: http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2 please try to share more information on the infrastructure and the whole squid.conf removing only confrontational INFO. Did you have the chance to use TPROXY before? Did you try to sniff with tcpdump?

Eliezer

On 1/2/2013 3:38 AM, Roman Gelfand wrote:

I use wccp/gre tunnel. Port 80 requests work but 443 don't. I am not sure if this is right, but even though data was received on wccp, no data was transmitted back over wccp. In other words, squid server response was routed back, through eth0 interface, rather than go through wccp0 interface. Is this expected behavior? If not, what do I do to make response go over wccp?

my iptables config looks like this

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229

and squid.conf

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp priority=240 ports=80,443

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
Re: [squid-users] Implementing SslBump using Bump-Server-First in Transparent mode using squid-3.HEAD-20121231-r12554
I have the same configuration, except I use wccp/gre tunnel. Port 80 requests work but 443 don't. I am not sure if this is right, but even though data was received on wccp, no data was transmitted back over wccp. Is this expected behavior? If not, what do I do to make response go over wccp?

my iptables config looks like this

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229

and squid.conf

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp priority=240 ports=80,443

On Tue, Jan 1, 2013 at 2:08 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 1/01/2013 7:19 p.m., Swapneel Patnekar wrote:

Eliezer Amos, Thank you for your input assistance. The iptables rules are on the same machine in which I'm running squid. Amos, just for my understanding changing the below given directive should do the trick ?

ssl_bump client-first all

to

ssl_bump server-first all

As far as I am aware at this stage yes.

Amos
[squid-users] Transparent Mode and WCCP
I use wccp/gre tunnel. Port 80 requests work but 443 don't. I am not sure if this is right, but even though data was received on wccp, no data was transmitted back over wccp. In other words, squid server response was routed back, through eth0 interface, rather than go through wccp0 interface. Is this expected behavior? If not, what do I do to make response go over wccp?

my iptables config looks like this

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229

and squid.conf

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp priority=240 ports=80,443
[squid-users] sslbump dynamic ssl certs
It appears that signed certificates are being cached. How can I flush that cache? Thanks in advance
[squid-users] ICAP Service Chaining Issue
I am getting the following error when chaining qlproxy and squidclamav services. If I was to configure just qlproxy or just squidclamav service, it works. Note, this is a rare case as for the most part everything works fine. I am guessing because I hit mixed content (http and https). The configuration is below.

ICAP protocol error.
The system returned: (14) Unknown error 14
This means that some aspect of the ICAP communication failed. Some possible problems are:
The ICAP server is not reachable.
An Illegal response was received from the ICAP server.

The squid config...

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
icap_service squidclamav1 reqmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
icap_service squidclamav2 respmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
adaptation_service_chain svcRequest qlproxy1 squidclamav1
adaptation_service_chain svcResponse qlproxy2 squidclamav2
adaptation_access svcRequest allow all
adaptation_access svcResponse allow all

Thanks in advance
[squid-users] CRL Messages
What do these messages mean? Why is squid interested in certificate revocation? btw... I was able to download this file from box running squid using wget command.

2012/10/10 23:41:37 kid1| Failed to select source for 'http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl'
2012/10/10 23:41:37 kid1|   always_direct = 1
2012/10/10 23:41:37 kid1|    never_direct = 0
2012/10/10 23:41:37 kid1|        timedout = 0

Thanks in advance
[squid-users] icap chaining issue
I am running into a problem when chaining 2 icap services. I tried configuring one of the services and that worked fine. The issue happens with specific sites. For example, http://www.php.net/get/php-5.3.16.tar.bz2/from/a/mirror

The error I get...

The following error was encountered while trying to retrieve the URL: http://www.php.net/get/php-5.3.16.tar.bz2/from/a/mirror
ICAP protocol error.
The system returned: (14) Unknown error 14
This means that some aspect of the ICAP communication failed. Some possible problems are:
The ICAP server is not reachable.
An Illegal response was received from the ICAP server.

My icap configuration is

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
icap_service squidclamav1 reqmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
icap_service squidclamav2 respmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
adaptation_service_chain svcRequest qlproxy1 squidclamav1
adaptation_service_chain svcResponse qlproxy2 squidclamav2
adaptation_access svcRequest allow all
adaptation_access svcResponse allow all

Thanks in advance
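"ICAP protocol error" covers both failure modes named in the error page: the service is unreachable, or it answered with something Squid could not parse. Before putting two services in an adaptation_service_chain (as in the two ICAP posts above), it is worth confirming that each one answers OPTIONS cleanly and advertises the method matching its vectoring point. The block below is an added example, not code from the thread, from Squid, qlproxy or squidclamav: it parses an ICAP OPTIONS response and lists the problems a practitioner would check for. The two responses are constructed sample data, and the service names in them are made up; Python 3 is assumed.

```python
"""
Added example, not from the thread: parse an ICAP OPTIONS response and run the
checks that decide whether a service can sit at a given vectoring point in a
Squid adaptation chain: a valid ICAP status line, the ISTag and Encapsulated
headers RFC 3507 requires, and a Methods header matching the vectoring point
(REQMOD for reqmod_precache, RESPMOD for respmod_precache).
The responses below are constructed sample data.
"""


class IcapError(ValueError):
    """Raised when the bytes do not form a parseable ICAP response."""


def parse_icap_response(raw: bytes):
    """Split an ICAP response into (status_code, headers dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise IcapError("no end of headers (CRLFCRLF) seen")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"ICAP/1.0" or not parts[1].isdigit():
        raise IcapError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise IcapError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return int(parts[1]), headers, body


def check_chain_member(raw: bytes, vectoring_point: str):
    """
    Return the problems found in an OPTIONS response for a service meant for
    vectoring_point ('reqmod_precache' or 'respmod_precache').
    An empty list means the service looks usable at that point.
    """
    wanted = "REQMOD" if vectoring_point.startswith("reqmod") else "RESPMOD"
    try:
        status, headers, _ = parse_icap_response(raw)
    except IcapError as exc:
        return ["protocol error: %s" % exc]
    problems = []
    if status != 200:
        problems.append("OPTIONS returned %d, expected 200" % status)
    if "istag" not in headers:
        problems.append("missing ISTag header (required by RFC 3507)")
    if "encapsulated" not in headers:
        problems.append("missing Encapsulated header (required on every ICAP message)")
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()]
    if wanted not in methods:
        problems.append("service advertises %s, but %s needs %s"
                        % (methods or "no methods", vectoring_point, wanted))
    return problems


# Constructed sample responses (service names are made up).
GOOD_RESPMOD_OPTIONS = (b"ICAP/1.0 200 OK\r\n"
                        b"Methods: RESPMOD\r\n"
                        b"Service: example-av 1.0\r\n"
                        b"ISTag: \"av-sigs-20121010\"\r\n"
                        b"Encapsulated: null-body=0\r\n"
                        b"Preview: 1024\r\n"
                        b"Allow: 204\r\n\r\n")

BAD_REQMOD_OPTIONS = (b"ICAP/1.0 200 OK\r\n"
                      b"Methods: RESPMOD\r\n"            # wrong method for a reqmod service
                      b"Service: example-filter\r\n"
                      b"Encapsulated: null-body=0\r\n\r\n")  # no ISTag at all

if __name__ == "__main__":
    print(check_chain_member(GOOD_RESPMOD_OPTIONS, "respmod_precache"))
    print(check_chain_member(BAD_REQMOD_OPTIONS, "reqmod_precache"))
```

To use it against a live service, send "OPTIONS icap://127.0.0.1:1344/reqmod ICAP/1.0\r\nHost: 127.0.0.1\r\n\r\n" over a TCP socket and pass the reply to check_chain_member with the vectoring point from the matching icap_service line. A service that passes these checks can still break a chain on particular transactions (the poster's case is one URL), so the next step is the same test with a REQMOD or RESPMOD request carrying that URL, watching for a reply that parse_icap_response rejects.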
Re: [squid-users] ssl_crtd cannot initialize SSL DB
Is /usr/local/squid a link? If so, try it using the actual directories. Make sure that the /usr/local/squid/var/lib directory, whichever you will use, exists.

On Fri, Sep 7, 2012 at 5:59 AM, Ahmed Talha Khan aun...@gmail.com wrote:

Hey, I am using squid-3.HEAD-20120421-r12120 and compiled it with the correct options (--enable-ssl-crtd). The problem is that when i try to initialize the ssl_db via

/usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db

It gives an error

Initialization SSL db...
/usr/local/squid-3.3/libexec/ssl_crtd: Cannot create /usr/local/squid-3.3/var/lib/ssl_db

I ran it as root user. Don't seem to know what the problem might be. Machine is a ubuntu virtual server. Earlier i have been using it on other machines easily without any error (fedora, centos etc). Any help

--
Regards,
-Ahmed Talha Khan
[squid-users] SSL Bump Dynamic SSL Certs
I previously understood that with squid 3.2 end user will be able to see filtered certificate errors and decide whether to accept or reject a certificate. By filtered, I mean, certificate errors found by squid were going to be passed to end user to decide on whether to accept or reject. Is this correct? If yes, can you point me to a configuration. So far, I found verify flag which denies automatically sites with bad certificates. Thanks in advance
[squid-users] Transparent proxy
Assuming that configuring client browsers' proxy is not a problem, is there a good (where good outweighs bad) reason to use squid transparent proxy feature? The reason why I am asking is I just skimmed through squid book and they are not painting a rosy picture around transparent proxy. Thanks in advance
[squid-users] TCP_REFRESH_UNMODIFIED/200
I am running transparent proxy. In my squid.conf, I have a url rewrite based on squidguard program. Why would rewrite leave TCP_REFRESH_UNMODIFIED/200 message. Thanks in advance
[squid-users] SQUID and GRE Tunneling
I have setup squid 3.1.20 in transparent mode with GRE tunneling over wccp to my firewall. In monitoring the firewall, the traffic is moving correctly. On the squid server, I setup rewrite based on squidguard. I tested it in non-transparent mode and it works. However, using the above configuration, the firewall is not getting back rewritten content. What could it be? Thanks in advance
[squid-users] Transparent Proxy
My goal is to make squid a transparent proxy. I see several options. Not sure which one I should be using. I am looking for standard transparent proxy server.

--enable-ipfw-transparent or
--enable-ipf-transparent or
--enable-pf-transparent

Thanks in advance
Re: [squid-users] Transparent Proxy
debian/2.6.26-2-686

Thanks for your help

On Sun, Aug 19, 2012 at 3:14 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:

On 8/19/2012 10:00 PM, Roman Gelfand wrote:

My goal is to make squid a transparent proxy. I see several options. Not sure which one I should be using. I am looking for standard transparent proxy server.

--enable-ipfw-transparent or
--enable-ipf-transparent or
--enable-pf-transparent

Thanks in advance

what os? what kernel? ver?

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
[squid-users] IP Address Change
I am running squid 3.19 on debian lenny. I have changed the ip address in /etc/network/interfaces. Majority of sites work. However, there are instances where squid responds to a workstation request with the old ip as return address. Where could squid still be getting the old ip from? What is there to do? Thanks in advance
[squid-users] Re: IP Address Change
sorry for the false alarm. As it turns out, it was calling java application which had old ip for proxy. Thanks On Wed, Jul 4, 2012 at 1:25 PM, Roman Gelfand rgelfa...@gmail.com wrote: I am running squid 3.19 on debian lenny. I have changed the ip address in /etc/network/interfaces. Majority of sites work. However, there are instances where squid responds to a workstation request with the old ip as return address. Where could squid still be getting the old ip from? What is there to do? Thanks in advance
Re: [squid-users] DNS Attack
Here is the request this guy is sending. Perhaps, this could shed some light.

..E..dm.@.|...`9.P..].-..#PH..GET.http://www.asd818.com/.HTTP/1.1..Accept:.*/*..Referer:.http://www.asd818.com/..Accept-Language:.zh-cn..Accept-Encoding:.gzip,.deflate..User-Agent:.Mozilla/4.0.(compatible;.MSIE.6.0;.Windows.5.1;Windows.5.5;Windows.6.0)..Host:.www.asd818.com..Proxy-Connection:.Keep-Alive..Pragma:.no-cache..Cookie:.Keep-Alive...

Thanks again

On Mon, Jun 4, 2012 at 7:42 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 4/06/2012 8:36 a.m., Roman Gelfand wrote:

I have setup squid server to function as both forward and reverse proxy. It appears that I am getting flooded with http requests with non existent urls. Consequently, this slows down my firewall as the dns server is slowing down the query response. Is there a way to prevent dns lookup if url doesn't match the pattern? Thanks in advance

Squid rejects requests with non-existent URLs as invalid HTTP syntax during parsing. There is no DNS involved there.

I assume you mean the URL has an unregistered domain name and the requests are coming in with a great many different domains?

Reverse-proxy requests should have 0 DNS usage. Forward-proxy should only need DNS after accepting a request for relay. There are some exceptions to that, but most networks will fit that generalization. It is achieved by reverse-proxy using dstdomain ACLs, and forward-proxy using src client IP or proxy_auth login credentials to determine traffic acceptance. DNS is not involved in any of those ACL types.

This small alteration (adding localnet filter) to the basic reverse-proxy config should stop those requests, no DNS involved:

# reverse-proxy rules
acl localdomains dstdomain example.com
http_access allow localdomains
http_access deny !localnet
# ... other forward-proxy rules...

Also; If you have dst in the reverse-proxy allow rules, change it to dstdomain and DNS load should vanish.

Amos
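The point of Amos's rule ordering is that src and dstdomain are decided from the request alone, so a flood of requests for unregistered names from outside is denied before any resolver is involved, whereas a dst ACL has to resolve the Host name before it can say no. The block below is an added example, not code from the thread or from Squid: a small model of http_access evaluation for those three ACL types, with a stub resolver that counts the lookups each rule set would cost. The localnet ranges, the 192.168.1.0/24 value used for the dst variant, and the sample requests are all assumptions; the "other forward-proxy rules" Amos alludes to are left out, so an internal client that matches nothing ends up allowed by Squid's "opposite of the last rule" default. Python 3 is assumed.

```python
"""
Added example, not code from the thread: a small model of Squid's http_access
evaluation for the ACL types Amos mentions (src, dstdomain, dst). It shows why
the reverse-proxy rule set above stops the flood without DNS: 'src' and
'dstdomain' are decided from the request itself, while 'dst' has to resolve
the Host name first. The resolver is a stub that only counts lookups, and the
localnet definition is an assumption.
"""
import ipaddress


class CountingResolver:
    """Stand-in for DNS: records how many lookups a rule set would trigger."""
    def __init__(self):
        self.lookups = 0

    def resolve(self, host):
        self.lookups += 1
        return None          # unregistered name, as in the flood traffic


def dstdomain_match(host, domains):
    """Squid dstdomain: 'example.com' matches exactly; '.example.com' also matches subdomains."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def in_networks(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def evaluate(rules, acls, request, resolver):
    """
    rules: ordered list of (action, [acl or '!acl', ...]) like http_access lines.
    acls:  name -> (type, values). Returns 'allow' or 'deny'; when no rule
    matches, the result is the opposite of the last rule, as in Squid.
    """
    def acl_matches(name):
        kind, values = acls[name]
        if kind == "dstdomain":
            return dstdomain_match(request["host"], values)
        if kind == "src":
            return in_networks(request["client_ip"], values)
        if kind == "dst":
            addr = resolver.resolve(request["host"])   # DNS needed here
            return addr is not None and in_networks(addr, values)
        raise ValueError("unsupported acl type: %s" % kind)

    last_action = "deny"
    for action, terms in rules:
        last_action = action
        # a rule matches when every term matches (negated terms must not)
        if all(acl_matches(t.lstrip("!")) != t.startswith("!") for t in terms):
            return action
    return "deny" if last_action == "allow" else "allow"


# Amos's reverse-proxy rules; the localnet ranges are assumed.
ACLS = {
    "localdomains": ("dstdomain", ["example.com"]),
    "localnet": ("src", ["192.168.0.0/16", "10.0.0.0/8"]),
}
RULES = [("allow", ["localdomains"]), ("deny", ["!localnet"])]


def decide(request, use_dst_acl=False):
    """Run the rules; return (verdict, number of DNS lookups performed)."""
    resolver = CountingResolver()
    acls = dict(ACLS)
    if use_dst_acl:
        # The variant Amos warns about: 'dst' compares resolved IPs, so every
        # request for an unknown name costs a lookup before it can be denied.
        acls["localdomains"] = ("dst", ["192.168.1.0/24"])
    return evaluate(RULES, acls, request, resolver), resolver.lookups


if __name__ == "__main__":
    flood = {"client_ip": "203.0.113.9", "host": "www.asd818.com"}   # constructed
    print(decide(flood), decide(flood, use_dst_acl=True))
```

One difference from Squid proper is worth keeping in mind: the real dstdomain ACL does a reverse lookup when the request carries a raw IP address instead of a hostname, so a flood of raw-IP URLs would still touch DNS; the model above treats every Host value as a name.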
[squid-users] DNS Attack
I have setup squid server to function as both forward and reverse proxy. It appears that I am getting flooded with http requests with non existant urls. Consequently, this slows down my firewall as the dns server is slowing down the query response. Is there a way to prevent dns lookup if url doesn't match the pattern? Thanks in advance
[squid-users] Local Client Access
My client access configuration is as follows.

always_direct allow all
http_access allow all
# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/host.pem
url_rewrite_children 64
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

It appears that, when sending outgoing requests, http header is from the original host. I'm guessing, this is why it is called transparent proxy. It seems that that causes routing problems. Could you tell me where I am going wrong here. Thanks in advance
Re: [squid-users] Local Client Access
My squid server is behind NATed firewall. When accessing site www.dnsstuff.com, it reports my ip address as local address of the client. For instance,

1. squid server ip is 192.168.1.10
2. client accessing the www.dnsstuff.com site via squid server is 192.168.1.101.

The www.dnsstuff.com reports my ip as 192.168.1.101 instead of wan ip. I am using squid 3.19

Thanks for your help

On Mon, Apr 30, 2012 at 9:03 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 30/04/2012 11:56 p.m., Roman Gelfand wrote:

My client access configuration is as follows.

always_direct allow all
http_access allow all
# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/host.pem
url_rewrite_children 64
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

It appears that, when sending outgoing requests, http header is from the original host. I'm guessing, this is why it is called transparent proxy.

There is nothing of transparent proxying in this config.
* You have ssl-bump decryption of CONNECT requests.
* You have a re-writer/redirector altering the traffic URLs.
Transparent means the requests are not altered.

It seems that that causes routing problems. Could you tell me where I am going wrong here.

Could you please explain the problem? And also give an indication of what Squid version you are talking about please.

Amos
[squid-users] Reverse Proxy Encrypting HTTP Site
Is there a facility on squid server that would allow me to publish a http site as https? If yes, could you provide sample config. Thanks in advance
Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA
Hi Amos,

I could be wrong, but I understood from your several posts that this type of configuration is not recommended (either due to security issues or performance, I don't remember exactly). Is that right?

Thanks,

On Tue, Feb 21, 2012 at 7:29 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 21/02/2012 11:21 p.m., Fried Wil wrote:
>> On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
>>
>> I have this error on my access.log
>>
>> 1329819182.985 0 CLIENT_IP TCP_DENIED/302 340 GET https://webmail.domain.foo/ - NONE/- text/html
>> 1329819183.011 0 CLIENT_IP TCP_MISS/404 1530 GET https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ - FIRST_UP_PARENT/exchangeServer text/html
>> 1329819183.043 0 CLIENT_IP TCP_MISS/404 1530 GET https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer text/html
>>
>> for these lines
>>
>> acl redirectOWA urlpath_regex ^/$
>> deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
>> http_access deny HTTPSOWA redirectOWA
>>
>> replace 303 by 302 give the same error
>>
>> bad configuration ?
>
> Sorry. Yes. Drop the 303: part. It is just the new URL for squid 3.1.
>
> Amos
[squid-users] WCCP
Currently, my NAT firewall (fortigate) is both forwarding wan web requests in reverse proxy and receiving web requests in proxy to squid server. The communication between the firewall and squid server is done through http/https. I am thinking of connecting squid server with fortigate firewall via wccp. It seems it should greatly improve the speed and administration. Are there any issues with doing this?

Thanks in advance
[squid-users] Error Pages
Is there a way I could access error pages from a web browser? Thanks
[squid-users] Rewriting URL
Consider the following configuration...

acl host1 dst host1.dom.com
http_port 80 accel defaultsite=host1.dom.com vhost
cache_peer 192.168.1.42 parent 80 0 no-query originserver name=host1server
never_direct allow host1
http_access allow host1
cache_peer_access host1server allow host1
cache_peer_access host1server deny all

This is a case of forwarding requests to an internal server without changing the header. What changes would I need to make if I wanted to
a) listen for http://www.maindom.com/host1
b) forward these requests to http://host1.dom.com

Thanks in advance
[squid-users] Re: Audio Streaming Issue
It appears there were no issues with squid per se. I don't know what it is, but squidguard is using blacklist 7 db's. I had noticed that one of the db's was filtering based on the text domain file content. After recreating the .db files, the filtering worked and mms streaming also worked. I am not sure what the relationship between the two is.

Thanks,

On Fri, Feb 10, 2012 at 12:34 AM, Roman Gelfand rgelfa...@gmail.com wrote:
> I am using squid 3.16. I have no problem getting streaming content with flash plugin. However, wmp plugin breaks. The url in question is http://www.radioshaker.com/
>
> At the site, attempt to play any radio station. You will find it is not working. However, when not using squid proxy, it works.
>
> Any help is appreciated.
>
> Thanks in advance
[squid-users] Audio Streaming Issue
I am using squid 3.16. I have no problem getting streaming content with flash plugin. However, wmp plugin breaks. The url in question is http://www.radioshaker.com/

At the site, attempt to play any radio station. You will find it is not working. However, when not using squid proxy, it works.

Any help is appreciated.

Thanks in advance
Re: [squid-users] Forcing Header in Reverse Proxy
I made several mistakes in my original post. So, I am rewriting it here...

I have setup configuration to forward requests to a backend server...

acl mail urlpath_regex ^/mesg
https_port 443 cert=/etc/certs/mail.pem key=/etc/certs/mail.key vhost vport
cache_peer mail.mydomain.com parent 80 0 no-query originserver name=mail login=PASS
cache_peer_access mail allow mail
cache_peer_access mail deny all
http_access allow mail

The problem is host mail resolves to mesg.mydomain.com instead of mail.mydomain.com. How can I force the header to be mesg.mydomain.com?

On Mon, Jan 16, 2012 at 12:25 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 16/01/2012 5:36 p.m., Roman Gelfand wrote:
>> I have setup configuration to forward requests to a backend server...
>>
>> acl dspam urlpath_regex ^/mesg
>> https_port 443 cert=/etc/certs/mail.pem key=/etc/certs/mail.key vhost vport
>> cache_peer host.mydomain.com parent 80 0 no-query originserver name=mail login=PASS
>> cache_peer_access mail allow mail
>
> You have omitted the definition for mail. I will assume that it is defined right.
>
>> cache_peer_access mail deny all
>> never_direct allow !localnet
>
> never_direct is not relevant on reverse-proxy traffic.
>
>> http_access allow !localnet
>
> Um, permitting traffic from anywhere *except* LAN? Bit strange. Why not do the usual reverse-proxy config of http_access allow mail? It makes no difference to Squid where the traffic comes from so long as it is valid for the peers to receive.
>
>> The problem is host mail resolves to mesg.mydomain.com instead of mail.mydomain.com. How can I force the header to be mesg.mydomain.com?
>
> It's not clear why you need to force anything. Surely the server at host.mydomain.com has been correctly setup to host all of the FQDN which are passed to it?
>
> Note that what the FQDN resolves to should be the Squid IP address. This resolution is done only by the client and is completely separate to the *textual* FQDN label which remains unchanged when passing through Squid to the server.
>
> The config demos show it using dstdomain to test the *textual* FQDN label for acceptable values instead of resolving the IP or other complex things by reason of domain FQDN being the most stable and dependable property of the traffic.
>
> Amos
Re: [squid-users] Forcing Header in Reverse Proxy
Fair enough. How would you, then, implement the following... I would like to forward https://xyz.mydomain.com/server1 to http://server1.mydomain.com and https://xyz.mydomain.com/server2 to http://server2.mydomain.com. Please, keep in mind, the target server is apache and it has a servername tag which depends on the header.

Thanks for your help

On Mon, Jan 16, 2012 at 4:55 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 17.01.2012 04:15, Roman Gelfand wrote:
>> I made several mistakes in my original post. So, I am rewriting it here...
>>
>> I have setup configuration to forward requests to a backend server...
>>
>> acl mail urlpath_regex ^/mesg
>> https_port 443 cert=/etc/certs/mail.pem key=/etc/certs/mail.key vhost vport
>> cache_peer mail.mydomain.com parent 80 0 no-query originserver name=mail login=PASS
>> cache_peer_access mail allow mail
>> cache_peer_access mail deny all
>> http_access allow mail
>>
>> The problem is host mail resolves to mesg.mydomain.com instead of mail.mydomain.com. How can I force the header to be mesg.mydomain.com?
>
> My original questions about *why* you need to do this rather nasty and problematic change on production traffic are still not answered...
>
>> On Mon, Jan 16, 2012 at 12:25 AM, Amos Jeffries wrote:
>>> It's not clear why you need to force anything. Surely the server at host.mydomain.com has been correctly setup to host all of the FQDN which are passed to it?
>>>
>>> Note that what the FQDN resolves to should be the Squid IP address. This resolution is done only by the client and is completely separate to the *textual* FQDN label which remains unchanged when passing through Squid to the server.
>>>
>>> The config demos show it using dstdomain to test the *textual* FQDN label for acceptable values instead of resolving the IP or other complex things by reason of domain FQDN being the most stable and dependable property of the traffic.
>
> To explain why I'm making a point about considering the why:
>
> Re-writing these things to specific values hits a lot of problems directly attributable to the server outgoing traffic all being about the forced domain rather than the domain the client is aware of. Followup responses from the client disappearing, links being broken, internal structure being revealed, validation mismatch errors, XSS leaks etc. are all common and well known side effects of re-writing details in the middle of a client-server transaction. There are whole RFCs related to the same problems when they occur in NAT systems, which are just the IP address version of this.
>
> Identifying and avoiding all the effects is often more difficult than fixing the server and making the middle a simple relay. A little extra trouble at the start avoiding it will save a lot of headaches for both yourself and every other network involved in the traffic.
>
> If you are happy to face down all those problems and your Squid is recent enough (2.7 or 3.1 series, some late 2.6 series) it will support the forcedomain= option on the cache_peer line.
>
> Amos
[squid-users] Forcing Header in Reverse Proxy
I have setup configuration to forward requests to a backend server...

acl dspam urlpath_regex ^/mesg
https_port 443 cert=/etc/certs/mail.pem key=/etc/certs/mail.key vhost vport
cache_peer host.mydomain.com parent 80 0 no-query originserver name=mail login=PASS
cache_peer_access mail allow mail
cache_peer_access mail deny all
never_direct allow !localnet
http_access allow !localnet

The problem is host mail resolves to mesg.mydomain.com instead of mail.mydomain.com. How can I force the header to be mesg.mydomain.com?

Thanks in advance
Re: [squid-users] SQUID Reverse Proxy not forwarding requests to Apache web server
Now, you got me curious. Ok... I would like the reverse proxy to control which server a web request goes to:
1) in case of https, forwarded to a web server box based on path
2) in case of http, forwarded based on url and/or path.

Please, let me know if this is doable with squid. If so, by all means, I would like to use squid. If you have an example, I would greatly appreciate it.

BTW... if 2) could be done with ssl, I would appreciate an example.

Thanks for your help.

On Mon, Jan 2, 2012 at 10:16 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 2/01/2012 1:52 p.m., Roman Gelfand wrote:
>> My squid server 3.1.6 sits in dmz. On this server, I am running apache server 2.2.9. My goal is to
>> a) cache owa responses
>> b) forward https owa requests to the Apache server on port 8443
>> c) The Apache server forwards the request to internal exchange server.
>
> Why bother with relaying it through Apache? Squid does the job of being a proxy better than Apache web server can. Particularly since you already have the traffic going through a Squid.
>
>> Below, is my squid reverse proxy configuration. The domain webmail.mydomain.com resolves to the external interface of the exchange server. However, I am saying, in configuration, that cache_peer is localhost. Nevertheless, the https request is never forwarded to apache server. Rather, it is going directly to the external interface of the exchange server. Where am I going wrong here?
>
> You have not provided any info about what the client traffic is actually requesting and what the Apache server is responding with when squid tries to pass the requests there.
>
> You are missing the cache_peer_access rules to limit what traffic goes through Apache. So everything will be attempted.
>
> You are missing never_direct rules denying Squid direct contact with the requested domain server.
>
>> hierarchy_stoplist cgi-bin
>> acl QUERY urlpath_regex cgi-bin
>> shutdown_lifetime 1 second
>> visible_hostname webmail.mydomain.com
>> #1GB disk cache
>> cache_dir ufs /usr/local/squid/var/cache 1024 16 256
>> maximum_object_size 5 MB
>> cache_mem 1024 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size_in_memory 512 KB
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap LFUDA
>> https_port 443 cert=/etc/apache2/certs/pkey.pem key=/etc/apache2/certs/sitecert.key vhost vport
>> cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS
>>
>> Thanks in advance
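A complete accelerator config that does what the /server1, /server2 and /host1 questions above ask for, with the cache_peer_access and never_direct rules Amos says are missing. This is an added example, not Amos's or the Squid project's own config: every hostname, path and certificate file in it is an assumed placeholder, and the OWA backend line shows the thread's sslflags=DONT_VERIFY_PEER setting beside a replacement that actually verifies the backend.

```squidconf
# Added example (not from the thread). All hostnames, paths and
# certificate files are assumed placeholders for your own values.

# Listening ports in accelerator (reverse proxy) mode. vhost makes Squid
# pick the site from the Host header; defaultsite covers HTTP/1.0 clients.
https_port 443 accel vhost defaultsite=xyz.mydomain.com cert=/etc/certs/xyz.pem key=/etc/certs/xyz.key
http_port 80 accel vhost defaultsite=www.maindom.com

# Plain-HTTP origin servers, as in the original posts. They receive the
# unchanged Host header and the full path, so each must serve that name.
cache_peer server1.mydomain.com parent 80 0 no-query originserver name=srv1
cache_peer server2.mydomain.com parent 80 0 no-query originserver name=srv2
cache_peer host1.dom.com parent 80 0 no-query originserver name=host1srv

# A TLS backend. The thread's line turns certificate checking off, so Squid
# would accept whatever certificate the far end presents:
#   cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https
# Instead pin the CA that issued the backend certificate and the name the
# certificate must carry (backend-ca.pem is an assumed file):
cache_peer webmail.mydomain.com parent 443 0 ssl no-query originserver name=owa sslcafile=/etc/certs/backend-ca.pem ssldomain=webmail.mydomain.com front-end-https

# Classify requests by the textual FQDN the client asked for, by path, and
# by whether they arrived on the TLS port.
acl site_xyz dstdomain xyz.mydomain.com
acl site_main dstdomain www.maindom.com
acl site_owa dstdomain webmail.mydomain.com
acl path_srv1 urlpath_regex ^/server1(/|$)
acl path_srv2 urlpath_regex ^/server2(/|$)
acl path_host1 urlpath_regex ^/host1(/|$)
acl path_owa urlpath_regex ^/owa(/|$)
acl tls_port myport 443

# Each peer is offered only its own site+path; everything else is denied,
# so a request can never land on a backend it was not meant for.
cache_peer_access srv1 allow tls_port site_xyz path_srv1
cache_peer_access srv1 deny all
cache_peer_access srv2 allow tls_port site_xyz path_srv2
cache_peer_access srv2 deny all
cache_peer_access host1srv allow site_main path_host1
cache_peer_access host1srv deny all
cache_peer_access owa allow tls_port site_owa path_owa
cache_peer_access owa deny all

# Squid must never resolve the requested FQDN and contact it directly
# (in a reverse proxy that name points at Squid, not at the origin).
never_direct allow all

# Admit exactly the traffic some peer will accept; deny the rest.
http_access allow tls_port site_xyz path_srv1
http_access allow tls_port site_xyz path_srv2
http_access allow site_main path_host1
http_access allow tls_port site_owa path_owa
http_access deny all

# Only if you accept the side effects Amos lists above: rewrite the Host
# header sent to a backend (Squid 2.7 / 3.1 and later).
#   cache_peer server1.mydomain.com parent 80 0 no-query originserver name=srv1 forcedomain=server1.mydomain.com
```

Squid forwards the path prefix (/server1, /host1) unchanged, so the backends must expect it; stripping it is a URL rewrite, which Amos's reply explains is best avoided.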
[squid-users] SQUID Reverse Proxy not forwarding requests to Apache web server
My squid server 3.1.6 sits in dmz. On this server, I am running apache server 2.2.9. My goal is to
a) cache owa responses
b) forward https owa requests to the Apache server on port 8443
c) The Apache server forwards the request to internal exchange server.

Below, is my squid reverse proxy configuration. The domain webmail.mydomain.com resolves to the external interface of the exchange server. However, I am saying, in configuration, that cache_peer is localhost. Nevertheless, the https request is never forwarded to apache server. Rather, it is going directly to the external interface of the exchange server. Where am I going wrong here?

hierarchy_stoplist cgi-bin
acl QUERY urlpath_regex cgi-bin
shutdown_lifetime 1 second
visible_hostname webmail.mydomain.com
#1GB disk cache
cache_dir ufs /usr/local/squid/var/cache 1024 16 256
maximum_object_size 5 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
https_port 443 cert=/etc/apache2/certs/pkey.pem key=/etc/apache2/certs/sitecert.key vhost vport
cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS

Thanks in advance
Re: [squid-users] Reverse Proxy Configuration
I suppose you answered my question. I was referring to multiple certificates on one port. Any eta on the 3.2 stable version?

Thanks

On Fri, Dec 30, 2011 at 6:18 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Wed, 28 Dec 2011, Roman Gelfand wrote:
>> Consider the following configuration lines
>>
>> https_port 443 cert=/etc/apache2/certs/server.pem key=/etc/apache2/certs/server.key vhost vport
>> cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS
>>
>> What if there is more site ssl sites which I would like to forward, how can I accomplish that? Also, it appears that alternate CN names are not being recognized. Is there anything to do about that?
>>
>> Thanks in advance
>
> On 29/12/2011 7:22 a.m., Roman Gelfand wrote:
>> version 3.16.
>>
>> On Wed, Dec 28, 2011 at 1:21 PM, Pieter De Wit wrote:
>>> Hi Roman,
>>>
>>> What version of Squid are you using ?
>
> And how do you define "more site ssl sites which I would like to forward"... multiple sites with the same certificate passed to several backend servers? or, multiple sites with separate certificates?
>
> Noting that the certificate in 3.1 and earlier Squid is hard-coded into the config file as one certificate per https_port. For multiple different certificates on one port you will need the dynamic certificate generator feature from Squid-3.2. It was created for ssl-bump ports but with a little tweaking could be used to supply several certs on a https_port with vhost when the clients send SNI information. No idea if it actually works yet though, nobody who has tried it has reported back.
>
> Amos
[squid-users] Reverse Proxy Configuration
Consider the following configuration lines

https_port 443 cert=/etc/apache2/certs/server.pem key=/etc/apache2/certs/server.key vhost vport
cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS

What if there is more site ssl sites which I would like to forward, how can I accomplish that? Also, it appears that alternate CN names are not being recognized. Is there anything to do about that?

Thanks in advance
Re: [squid-users] Reverse Proxy Configuration
version 3.16.

On Wed, Dec 28, 2011 at 1:21 PM, Pieter De Wit pie...@insync.za.net wrote:
> Hi Roman,
>
> What version of Squid are you using ?
>
> Cheers,
>
> Pieter
>
> On Wed, 28 Dec 2011, Roman Gelfand wrote:
>> Consider the following configuration lines
>>
>> https_port 443 cert=/etc/apache2/certs/server.pem key=/etc/apache2/certs/server.key vhost vport
>> cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS
>>
>> What if there is more site ssl sites which I would like to forward, how can I accomplish that? Also, it appears that alternate CN names are not being recognized. Is there anything to do about that?
>>
>> Thanks in advance
[squid-users] Windows Media Player Plugin Issue
This was working quite well in the past. I had since upgraded a number of server software packages. I am getting the following message in access.log.

1324250287.644 5125 192.168.3.210 TCP_MISS/000 0 GET http://villeradio.mixstream.net:8000/ - DIRECT/87.98.168.27 -

I ran the following command to confirm connectivity from the squid server and, as you can see, there is connectivity.

host1:/usr/local/squid/var/logs# telnet villeradio.mixstream.net 8000
Trying 87.98.168.27...
Connected to villeradio.mixstream.net.
Escape character is '^]'.

How can I find out why the server is not responding?

Thanks in advance
[squid-users] Video streaming in some cases not working
Video streaming on this site http://www.echo.msk.ru/blog/video/838893-echo/ is not working. I am not sure if it has anything to do with it, but I am using ssl bump. The squid version is 3.1.16. Squidclamav version is 6.4. c-icap version is 0.1.7

1323811211.100 369 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - DIRECT/96.17.10.72 application/pkix-crl
1323811211.210 102 192.168.3.210 TCP_MISS/304 285 GET http://crl.microsoft.com/pki/crl/products/CSPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
1323811211.334 116 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
1323811211.757 415 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl - DIRECT/70.37.128.164 application/pkix-crl
1323811211.820 55 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - DIRECT/70.37.128.164 application/pkix-crl
1323811321.159 988 192.168.3.210 TCP_MISS/200 2567 GET http://img2.imgsmail.ru/r/my/app/flash_lc.swf - DIRECT/94.100.187.36 application/x-shockwave-flash

Thanks in advance
Re: [squid-users] Video streaming in some cases not working
Actually, I didn't see this at first, but it looks like the issue is with the squidguard. I realize this is not a squidguard forum, but if you know a way to solve this I would appreciate it.

2011-12-13 20:38:22 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/
2011-12-13 20:38:23 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/48?795035login=echo_214x92-1referer=http://www.echo.msk.ru/
2011-12-13 20:38:27 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/926?52490login=echomsk234referer=http://www.echo.msk.ru/
2011-12-13 20:38:27 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/
2011-12-13 20:38:28 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/492?777login=echoreferer=http://www.echo.msk.ru/
2011-12-13 20:38:31 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:38:33 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/48?795035login=echo_214x92-1referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:38:34 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:38:34 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2109?52490login=echomsk234referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:38:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/460?777login=echoreferer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:39:14 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:39:23 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:39:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/510?52490login=echomsk234referer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:39:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/492?777login=echoreferer=http://www.echo.msk.ru/blog/video/838893-echo/
2011-12-13 20:39:36 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/blog/video/838893-echo/

On Tue, Dec 13, 2011 at 6:21 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Tue, 13 Dec 2011 16:49:02 -0500, Roman Gelfand wrote:
>> Video streaming on this site http://www.echo.msk.ru/blog/video/838893-echo/ not working. I am not sure if it has anything to do with it, but I am using ssl bump. The squid version is 3.1.16. Squidclamav version is 6.4. c-icap version is 0.1.7
>>
>> 1323811211.100 369 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - DIRECT/96.17.10.72 application/pkix-crl
>> 1323811211.210 102 192.168.3.210 TCP_MISS/304 285 GET http://crl.microsoft.com/pki/crl/products/CSPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
>> 1323811211.334 116 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
>> 1323811211.757 415 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl - DIRECT/70.37.128.164 application/pkix-crl
>> 1323811211.820 55 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - DIRECT/70.37.128.164 application/pkix-crl
>> 1323811321.159 988 192.168.3.210 TCP_MISS/200 2567 GET http://img2.imgsmail.ru/r/my/app/flash_lc.swf - DIRECT/94.100.187.36 application/x-shockwave-flash
>
> Notice how the log contains *no* HTTP errors of any kind. In fact how echo.msk.ru does not occur in it at all.
>
> Do you have any more details about the problem?
>
> Amos
Re: [squid-users] Video streaming in some cases not working
No, squidguard doesn't seem to be the problem as when I remove squidguard out of the picture the problem is still there. Any ideas.

Thanks

On Tue, Dec 13, 2011 at 8:48 PM, Roman Gelfand rgelfa...@gmail.com wrote:
> Actually, I didn't see this at first, but it looks like the issue is with the squidguard. I realize this is not a squidguard forum, but if you know a way to solve this I would appreciate it.
>
> 2011-12-13 20:38:22 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/
> 2011-12-13 20:38:23 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/48?795035login=echo_214x92-1referer=http://www.echo.msk.ru/
> 2011-12-13 20:38:27 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/926?52490login=echomsk234referer=http://www.echo.msk.ru/
> 2011-12-13 20:38:27 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/
> 2011-12-13 20:38:28 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/492?777login=echoreferer=http://www.echo.msk.ru/
> 2011-12-13 20:38:31 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:38:33 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/48?795035login=echo_214x92-1referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:38:34 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:38:34 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2109?52490login=echomsk234referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:38:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/460?777login=echoreferer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:39:14 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:39:23 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://rb.newsru.com//cgi-bin/banner/148?21490login=echo_214x92referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:39:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/510?52490login=echomsk234referer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:39:35 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://sj1.ru//cgi-bin/banner/492?777login=echoreferer=http://www.echo.msk.ru/blog/video/838893-echo/
> 2011-12-13 20:39:36 [3699] WARN: Possible bypass attempt. Found multiple slashes where only one is expected: http://234.adru.net//cgi-bin/banner/2031?215045login=echomsk234-1referer=http://www.echo.msk.ru/blog/video/838893-echo/
>
> On Tue, Dec 13, 2011 at 6:21 PM, Amos Jeffries squ...@treenet.co.nz wrote:
>> On Tue, 13 Dec 2011 16:49:02 -0500, Roman Gelfand wrote:
>>> Video streaming on this site http://www.echo.msk.ru/blog/video/838893-echo/ not working.
>>> I am not sure if it has anything to do with it, but I am using ssl bump. The squid version is 3.1.16. Squidclamav version is 6.4. c-icap version is 0.1.7
>>>
>>> 1323811211.100 369 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl - DIRECT/96.17.10.72 application/pkix-crl
>>> 1323811211.210 102 192.168.3.210 TCP_MISS/304 285 GET http://crl.microsoft.com/pki/crl/products/CSPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
>>> 1323811211.334 116 192.168.3.210 TCP_MISS/304 286 GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl - DIRECT/96.17.10.72 application/pkix-crl
>>> 1323811211.757 415 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl - DIRECT/70.37.128.164 application/pkix-crl
>>> 1323811211.820 55 192.168.3.210 TCP_MISS/304 235 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - DIRECT/70.37.128.164 application/pkix-crl
>>> 1323811321.159 988 192.168.3.210 TCP_MISS/200 2567 GET http
[squid-users] Chaining Privoxy to SQUID
I am currently running i-cap/squidclamav/squidguard. Is there a way to add privoxy? Thanks in advance
[squid-users] SSLBump
In case of certificate error, is it possible to redirect to another page describing the certificate with a choice/hyperlink to view the page or not. Thanks in advance
[squid-users] Content Filtering
Can somebody recommend an opensource content filtering software that works with SQUID? What I mean by content filtering is...
1. Block pages based on words or word patterns like regular expressions.
2. Block pages based on type (image, etc...)

Thanks in advance
[squid-users] SSL Requests
I have configured squid with filtering using squidguard. Is there a way to decrypt SSL requests at the squid server so that squidguard could filter it? Thanks in advance
[squid-users] url_rewrite_program
I would like to use both ufdbguard and squidGuard with squid. It appears I am not able to specify both entries at the same time. Either entry individually works. Perhaps there are other settings to make it work?

Thanks in advance