[squid-users] problems squid_kerb_auth

2011-05-29 Thread spiderslack

Hello

I'm doing a test with Squid using Kerberos, configured as follows (squid and kerberos):


squid.conf
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth
http_access deny all


krb4.conf
[libdefaults]
default_realm = VIALACTEA.CORP
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
VIALACTEA.CORP = {
kdc = 192.168.1.155
admin_server = 192.168.1.155
}
[domain_realm]
.vialactea.corp = VIALACTEA.CORP
vialactea.corp = VIALACTEA.CORP
[login]
krb4_convert = true
krb4_get_tickets = false


On the client I configured the proxy address and set the following Firefox variables to the domain name:

network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

When trying to browse I get the following messages in the logs with debugging enabled:
2011/05/29 02:42:57| squid_kerb_auth: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).

2011/05/29 02:42:57| squid_kerb_auth: received type 1 NTLM token

Does anyone have any idea what the problem is? On the workstation I installed Kerbtray and it shows the ticket.


Regards.



Re: [squid-users] Re: problems squid_kerb_auth

2011-05-30 Thread spiderslack

Hi,

From the log I cannot see any connection to the Active Directory on port 88 (Kerberos, right?). Attached is the .pcap. I did the Firefox configuration as below.


firefox set variables as follows:

network.negotiate-auth.delegation-uris=vialactea.corp
network.negotiate-auth.trusted-uris=vialactea.corp

where vialactea.corp is the Active Directory domain. I tried in IE but it keeps asking for login and password indefinitely.


Regards

On 05/29/2011 09:39 AM, Markus Moeller wrote:

Hi,

 The squid log file says that the client could not use Kerberos and  
fell back to NTLM.


 Can you capture the traffic from the client to the proxy and to your 
Kerberos servers (e.g. active directory) with wireshark  and send me 
the cap file (if not too big) ?


Markus




log_squid3.pcap
Description: application/cap
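Markus's diagnosis above ("the client could not use Kerberos and fell back to NTLM") is read straight off the helper line in the first post: the text after `YR` is the client's base64 token, and its first bytes say whether the browser sent raw NTLMSSP (it starts with the literal `NTLMSSP\0`, which is why the page's token begins `TlRMTVNTUAAB`), a bare Kerberos token, or a SPNEGO negTokenInit, whose mechTypes list says which mechanisms were offered. The following classifier is an added example, not code from the thread or from Squid's helpers; the helper log lines and both tokens are constructed here, the OIDs are the registered SPNEGO/KRB5/MS-KRB5/NTLMSSP values, and the tiny DER reader only handles the tags a negTokenInit uses.

```python
import base64
import re

# Registered OIDs that can appear inside a Negotiate token.
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def encode_oid(dotted):
    """DER content octets of a dotted OID (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der(tag, content):
    """Wrap content in a DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        cnt = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + cnt], "big"), pos + cnt
    return tag, buf[pos:pos + n], pos + n

def classify_token(b64):
    """Raw NTLMSSP, bare Kerberos, or SPNEGO negTokenInit with its mechTypes."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):      # NTLM message type: LE uint32 after the signature
        return {"kind": "NTLM", "ntlm_type": int.from_bytes(raw[8:12], "little"), "mechs": []}
    if not raw or raw[0] != 0x60:            # GSS-API InitialContextToken [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, body, _ = read_tlv(raw, 0)
    tag, oid_raw, pos = read_tlv(body, 0)    # thisMech OID
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    mech = OID_NAMES.get(decode_oid(oid_raw), decode_oid(oid_raw))
    if mech != "SPNEGO":
        return {"kind": mech, "mechs": [mech]}
    mechs = []
    tag, inner, _ = read_tlv(body, pos)      # [0] negTokenInit
    if tag == 0xA0:
        _, seq, _ = read_tlv(inner, 0)       # NegTokenInit ::= SEQUENCE
        p = 0
        while p < len(seq):
            t, v, p = read_tlv(seq, p)
            if t == 0xA0:                    # [0] mechTypes: SEQUENCE OF OID
                _, lst, _ = read_tlv(v, 0)
                q = 0
                while q < len(lst):
                    t2, v2, q = read_tlv(lst, q)
                    if t2 == 0x06:
                        mechs.append(OID_NAMES.get(decode_oid(v2), decode_oid(v2)))
    return {"kind": "SPNEGO", "mechs": mechs}

HELPER_LINE = re.compile(r"squid_kerb_auth: Got '(YR|KK) (\S+)' from squid")

def scan_helper_log(lines):
    """One finding per helper debug line: did the client actually offer Kerberos?"""
    findings = []
    for line in lines:
        m = HELPER_LINE.search(line)
        if not m:
            continue
        info = classify_token(m.group(2))
        if info["kind"] == "NTLM":
            findings.append(f"NTLM type {info['ntlm_type']} sent instead of SPNEGO/Kerberos")
        elif info["kind"] == "SPNEGO" and not {"KRB5", "MS-KRB5"} & set(info["mechs"]):
            findings.append(f"SPNEGO without a Kerberos mechanism: {info['mechs']}")
        else:
            findings.append(f"Kerberos offered: {info['kind']} {info['mechs']}")
    return findings

# Constructed tokens (not from the thread): an NTLM NEGOTIATE (type 1) message and a
# SPNEGO negTokenInit offering KRB5, MS-KRB5 and NTLMSSP with a dummy mechToken.
NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + bytes(16)
).decode()
MECHS = ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10")
SPNEGO_INIT = base64.b64encode(der(0x60,
    der(0x06, encode_oid("1.3.6.1.5.5.2"))
    + der(0xA0, der(0x30,
        der(0xA0, der(0x30, b"".join(der(0x06, encode_oid(o)) for o in MECHS)))
        + der(0xA2, der(0x04, b"\x60\x00")))))).decode()

# Constructed helper debug lines in the shape of the one in the first post.
SAMPLE_LOG = [
    f"2011/05/29 02:42:57| squid_kerb_auth: Got 'YR {NTLM_TYPE1}' from squid (length: 59).",
    f"2011/05/29 02:45:10| squid_kerb_auth: Got 'YR {SPNEGO_INIT}' from squid (length: 84).",
]

if __name__ == "__main__":
    for finding in scan_helper_log(SAMPLE_LOG):
        print(finding)
```

Run against a helper log captured with `-d`, the first finding is the situation in this thread: a raw NTLM type 1 means the browser never asked the KDC for a `HTTP/proxy` ticket, so the fix is on the client side (trusted-uris, SPN, ticket) rather than in the keytab.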



Re: [squid-users] Re: Re: problems squid_kerb_auth

2011-05-31 Thread spiderslack

On 05/31/2011 11:07 AM, spiderslack wrote:

On 05/30/2011 07:02 PM, Markus Moeller wrote:
That looks better, but not quite right.  What does klist -ekt 
 (for MIT) or ktutil  -k  list (for 
Heimdal) give ?
Also can you do a kinit  and then a kvno HTTP/ ( I 
assume MIT here)  ?

On 05/30/2011 07:02 PM, Markus Moeller wrote:
That looks better, but not quite right.  What does klist -ekt 
 (for MIT) or ktutil  -k  list (for 
Heimdal) give ?
Also can you do a kinit  and then a kvno HTTP/ ( I 
assume MIT here)  ?

The output of the commands follows:

root@teste:/etc/squid3#
root@teste:/etc/squid3# klist -ekt /etc/squid3/proxy.keytab
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------

   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES 
cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES 
cbc mode with RSA-MD5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(AES-256 CTS mode with 96-bit SHA-1 HMAC)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(AES-128 CTS mode with 96-bit SHA-1 HMAC)

root@teste:/etc/squid3#
root@teste:/etc/squid3#
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.c...@vialactea.corp: kvno = 9
root@teste:/etc/squid3#

root@teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sq...@vialactea.corp

Valid starting     Expires            Service principal
05/30/11 23:22:23  05/31/11 09:25:30 krbtgt/vialactea.c...@vialactea.corp
renew until 05/31/11 23:22:23
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.c...@vialactea.corp: kvno = 8
root@teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sq...@vialactea.corp

Valid starting     Expires            Service principal
05/30/11 23:22:23  05/31/11 09:25:30 krbtgt/vialactea.c...@vialactea.corp
renew until 05/31/11 23:22:23
05/30/11 23:25:38  05/31/11 09:25:30 
HTTP/proxy.vialactea.c...@vialactea.corp

renew until 05/31/11 23:22:23
root@teste:/etc/squid3#


I did not understand what KVNO is; what would it be?

I also ran the klist command on the Windows client from which I am trying to connect via Internet Explorer; see below:


C:\kerberos>klist

Current LogonId is 0:0x2fe13

Cached Tickets: (2)

#0> Client: Administrator @ VIALACTEA.CORP
Server: krbtgt/VIALACTEA.CORP @ VIALACTEA.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e0 -> forwardable renewable initial 
pre_authent

Start Time: 5/31/2011 14:39:29 (local)
End Time:   6/1/2011 0:39:29 (local)
Renew Time: 6/7/2011 14:39:29 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1> Client: Administrator @ VIALACTEA.CORP
Server: HTTP/proxy.vialactea.corp @ VIALACTEA.CORP
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a0 -> forwardable renewable pre_authent
Start Time: 5/31/2011 14:44:25 (local)
End Time:   6/1/2011 0:39:29 (local)
Renew Time: 6/7/2011 14:39:29 (local)
Session Key Type: RSADSI RC4-HMAC(NT)


C:\kerberos>

Another .pcap is attached; what intrigued me was the following line of the capture:


APOptions: 2000 (Mutual required)
    .0.. = Use Session Key: Do NOT use the session key to encrypt the ticket
    ..1. = Mutual required: MUTUAL authentication is REQUIRED


Do not use the session key?
Thanks for the help.

Regards.



squid_kerberos2.pcap
Description: application/cap


Re: [squid-users] Re: problems squid_kerb_auth

2011-05-31 Thread spiderslack

Hi,

I am testing with Internet Explorer and get this error:

2011/05/30 22:06:36| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found


Regards

On 05/30/2011 05:52 PM, spiderslack wrote:

Hi,

From the log I cannot see any connection to the Active Directory on port 88 (Kerberos, right?). Attached is the .pcap. I did the Firefox configuration as below.


firefox set variables as follows:

network.negotiate-auth.delegation-uris=vialactea.corp
network.negotiate-auth.trusted-uris=vialactea.corp

where vialactea.corp is the Active Directory domain. I tried in IE but it keeps asking for login and password indefinitely.


Regards

On 05/29/2011 09:39 AM, Markus Moeller wrote:

Hi,

 The squid log file says that the client could not use Kerberos and  
fell back to NTLM.


 Can you capture the traffic from the client to the proxy and to your 
Kerberos servers (e.g. active directory) with wireshark  and send me 
the cap file (if not too big) ?


Markus






Re: [squid-users] Re: Re: Re: problems squid_kerb_auth

2011-06-01 Thread spiderslack

Hi,

So that the correct version numbers 2


root@teste:~# klist -ekt /etc/squid3/proxy.keytab
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------

   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES 
cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES 
cbc mode with RSA-MD5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(AES-256 CTS mode with 96-bit SHA-1 HMAC)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp 
(AES-128 CTS mode with 96-bit SHA-1 HMAC)

root@teste:~#
root@teste:~#
root@teste:~# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.c...@vialactea.corp: kvno = 9
root@teste:~#

9 in both

But that means at each password change this kvno is changed; if I generate a keytab now and place the file in /etc/squid3 and then go and change the password, is the keytab invalid?


Regards

On 05/31/2011 03:57 PM, Markus Moeller wrote:


Hi

 Firstly kvno means Kerberos key version number and marks each key so 
that you can keep old and new keys. Each time you change the password 
of the AD account associated to the HTTP service principal the version 
number increases by 1.




"spiderslack"  wrote in message 
news:4de5091f.4090...@yahoo.com.br...

On 05/31/2011 11:07 AM, spiderslack wrote:

On 05/30/2011 07:02 PM, Markus Moeller wrote:

That looks better, but not quite right.  What does klist -ekt
 (for MIT) or ktutil  -k  list (for
Heimdal) give ?
Also can you do a kinit  and then a kvno HTTP/ ( I
assume MIT here)  ?

On 05/30/2011 07:02 PM, Markus Moeller wrote:

That looks better, but not quite right.  What does klist -ekt
 (for MIT) or ktutil  -k  list (for
Heimdal) give ?
Also can you do a kinit  and then a kvno HTTP/ ( I
assume MIT here)  ?

follows the output of the commands:

root@teste:/etc/squid3#
root@teste:/etc/squid3# klist -ekt /etc/squid3/proxy.keytab
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------


   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES
cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp (DES
cbc mode with RSA-MD5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp
(ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp
(AES-256 CTS mode with 96-bit SHA-1 HMAC)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.c...@vialactea.corp
(AES-128 CTS mode with 96-bit SHA-1 HMAC)
root@teste:/etc/squid3#
root@teste:/etc/squid3#
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.c...@vialactea.corp: kvno = 9
root@teste:/etc/squid3#



This is what I see also in the pcap. kvno  = 9 and RC4-hmac which is 
the same as ArcFour with HMAC/md5


  [truncated] Proxy-Authorization: Negotiate 
YIIGHwYGKwYBBQUCoIIGEzCCBg+gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBdkEggXVYIIF0QYJKoZIhvcSAQICAQBuggXAMIIFvKADAgEFoQMCAQ6iBwMFACCjggSlYYIEoTCCBJ2gAwIBBaEQGw5WSUFM

   GSS-API Generic Security Service Application Program Interface
   OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
   SPNEGO
   negTokenInit
   mechTypes: 4 items
   mechToken: 
608205D106092A864886F71201020201006E8205C0308205...
   krb5_blob: 
608205D106092A864886F71201020201006E8205C0308205...

   KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
   krb5_tok_id: KRB5_AP_REQ (0x0001)
   Kerberos AP-REQ
   Pvno: 5
   MSG Type: AP-REQ (14)
   Padding: 0
   APOptions: 2000 (Mutual required)
   Ticket
   Tkt-vno: 5
   Realm: VIALACTEA.CORP
   Server Name (Service and Instance): 
HTTP/proxy.vialactea.corp

   enc-part rc4-hmac
   Encryption type: rc4-hmac (23)
   Kvno: 9
   enc-part: 
7080B29BE044CEFD9C56911F2F481F93E00D89E23963ED57...

   Authenticator rc4-hmac

This should have worked as it matches a key in the keytab.


root@teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sq...@vialactea.corp

Valid starting     Expires            Service principal
05/30/11 23:22:23  05/31/11 09:25:30 
krbtgt/vialactea.c...@vialactea.corp

renew until 05/31/11 23:22:23
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.c...@vialactea.corp: kvno = 8



Wh
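
Markus's two points in this thread, that kvno is bumped by one on every password change of the AD account behind `HTTP/proxy.vialactea.corp`, and that the AP-REQ in the capture (rc4-hmac, kvno 9) matches a key in the keytab, amount to a mechanical check: the helper can decrypt the ticket only if the keytab holds a key for the same principal with the same kvno and the same enctype. The script below is an added example, not code from the thread or from Squid: it parses `klist -ekt` output into keys and compares a ticket's (service, realm, etype, kvno) against them, explaining a mismatch. The listing is constructed here in the thread's shape with the full principal name and an upper-case realm (the archive mangled both), and the enctype-name table covers only the wording MIT klist prints for the five enctypes seen on this page.

```python
import re

# Wording MIT `klist -ekt` prints for each key, mapped to the RFC 3961 etype
# number that Wireshark shows in the AP-REQ (e.g. "rc4-hmac (23)").
KLIST_ENCTYPES = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
    "ArcFour with HMAC/md5": 23,
}

# "   9 12/31/69 20:00:00 HTTP/host@REALM (ArcFour with HMAC/md5)": kvno, date, time, principal, enctype
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Turn `klist -ekt` output into a list of {kvno, principal, etype}."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:                       # header, separator or shell-prompt lines
            continue
        kvno, principal, enc = m.groups()
        entries.append({"kvno": int(kvno), "principal": principal,
                        "etype": KLIST_ENCTYPES.get(enc, enc)})
    return entries

def check_ap_req(entries, sname, realm, etype, kvno):
    """Could the helper decrypt a ticket for sname@realm encrypted with (etype, kvno)?

    Returns (status, explanation). Principal names, realm included, are compared
    case-sensitively because Kerberos does.
    """
    principal = f"{sname}@{realm}"
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return "no-principal", f"keytab holds no key for {principal}"
    with_kvno = [e for e in mine if e["kvno"] == kvno]
    if not with_kvno:
        have = sorted({e["kvno"] for e in mine})
        if kvno > have[-1]:
            why = ("ticket kvno is newer than every keytab key: the account password was "
                   "changed after the keytab was exported, so a new keytab is needed")
        else:
            why = ("ticket kvno is older than every keytab key: the client is presenting a "
                   "ticket issued under a previous key, e.g. one cached before the keytab was regenerated")
        return "kvno-mismatch", f"ticket kvno {kvno}, keytab has {have}; {why}"
    if not any(e["etype"] == etype for e in with_kvno):
        have = sorted(str(e["etype"]) for e in with_kvno)
        return "etype-mismatch", f"kvno {kvno} present but not etype {etype} (keytab has {have})"
    return "ok", f"kvno {kvno} etype {etype} for {principal} found in keytab"

# Constructed `klist -ekt` output (thread's shape, full principal, upper-case realm).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (DES cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (DES cbc mode with RSA-MD5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

KEYTAB = parse_keytab_listing(SAMPLE_KLIST)

if __name__ == "__main__":
    # The AP-REQ decoded in the thread: rc4-hmac (23), kvno 9 -> decryptable.
    print(check_ap_req(KEYTAB, "HTTP/proxy.vialactea.corp", "VIALACTEA.CORP", 23, 9))
    # Same service after one more password change on the AD account -> kvno 10.
    print(check_ap_req(KEYTAB, "HTTP/proxy.vialactea.corp", "VIALACTEA.CORP", 23, 10))
```

The second call answers the question asked in this message: once the account password changes, the KDC encrypts new service tickets with kvno 10 and a keytab that only holds kvno 9 can no longer decrypt them, which is exactly the "Key table entry not found" failure mode; a new keytab export (or a keytab that keeps both versions) is required.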

Re: [squid-users] Re: Squid authenticate via squid_kerb_ldap

2011-10-04 Thread spiderslack

Hi Markus.

I set the -d flag; the output follows:

root@Firewall:~/squid_kerb_ldap# ./squid_kerb_ldap -d -g G_Internet_RH@DOMAIN.LOCAL

2011/10/04 20:52:43| squid_kerb_ldap: Starting version 1.2.2
2011/10/04 20:52:43| squid_kerb_ldap: Group list G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Group G_Internet_RH  Domain 
DOMAIN.LOCAL

2011/10/04 20:52:43| squid_kerb_ldap: Netbios list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No netbios names defined.
2011/10/04 20:52:43| squid_kerb_ldap: ldap server list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No ldap servers defined.
rodrigo.lopes@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain: 
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: User domain loop: group@domain 
G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found group@domain 
G_Internet_RH@DOMAIN.LOCAL

2011/10/04 20:52:53| squid_kerb_ldap: Setup Kerberos credential cache
2011/10/04 20:52:53| squid_kerb_ldap: Get default keytab file name
2011/10/04 20:52:53| squid_kerb_ldap: Got default keytab file name 
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Get principal name from keytab 
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Keytab entry has realm name: 
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name: 
HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Set credential cache to 
MEMORY:squid_ldap_15365
2011/10/04 20:52:53| squid_kerb_ldap: Got principal name 
HTTP/Firewall.domain.local@DOMAIN.LOCAL

2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Initialise ldap connection
2011/10/04 20:52:53| squid_kerb_ldap: Canonicalise ldap server name for 
domain DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV 
_ldap._tcp.DOMAIN.LOCAL record to srvdc.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMAIN.LOCAL record to srvarq.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 1 of DOMAIN.LOCAL 
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 2 of DOMAIN.LOCAL 
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 3 of DOMAIN.LOCAL 
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 4 of DOMAIN.LOCAL 
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 5 of DOMAIN.LOCAL 
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 6 of DOMAIN.LOCAL 
to srvarq.domain.local

2011/10/04 20:52:53| squid_kerb_ldap: Adding DOMAIN.LOCAL to list
2011/10/04 20:52:53| squid_kerb_ldap: Sorted ldap server names for 
domain DOMAIN.LOCAL:
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvarq.domain.local Port: 
389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvdc.domain.local Port: 389 
Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: DOMAIN.LOCAL Port: -1 
Priority: -2 Weight: -2
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap 
server srvarq.domain.local:389

2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s 
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap 
server srvdc.domain.local:389

2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s 
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap 
server DOMAIN.LOCAL:389

2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s 
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of 
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of 
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member 
of group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default domain loop: group@domain 
G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default group loop: group@domain 
G_Internet_RH@DOMAIN.LOCAL

ERR
2011/10/04 20:52:53| squid_kerb_ldap: ERR

I am trying to set up SASL. I installed libsasl-dev and recompiled squid_kerb_ldap. I set up the files /etc/default/saslauthd and /etc/saslauthd.conf:


root@Firewall:~/squid_kerb_ldap# cat /etc/default/saslauthd | egrep -v -r '(^#|^$)'

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MEC

Re: [squid-users] Re: Re: Squid authenticate via squid_kerb_ldap

2011-10-06 Thread spiderslack

On 10/06/2011 03:57 PM, Markus Moeller wrote:
If that fails you may be missing cyrus-sasl-gssapi

No, it worked:

root@Firewall:~# ldapsearch -H ldap://srvarq.domain.local -s sub -b dc=domain,dc=local serviceprincipalname=ldap/srvarq.domain.local

SASL/GSSAPI authentication started
SASL username: HTTP/Firewall.domain.local@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: serviceprincipalname=ldap/srvarq.domain.local
# requesting: ALL
#

# SRVARQ, Domain Controllers, domain.local
dn: CN=SRVARQ,OU=Domain Controllers,DC=domain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: SRVARQ
distinguishedName: CN=SRVARQ,OU=Domain Controllers,DC=domain,DC=local
instanceType: 4
whenCreated: 20070426135212.0Z
whenChanged: 20110929091109.0Z
displayName: SRVARQ$
uSNCreated: 7279
uSNChanged: 5432614
name: SRVARQ
objectGUID:: 4LCuu2VQ+k+ocfyfkrj6vA==
userAccountControl: 532480
codePage: 0
countryCode: 0
lastLogon: 129623116150837736
localPolicyFlags: 0
pwdLastSet: 129617610543168750
primaryGroupID: 516
objectSid:: AQUAAAUVCBFp0m3WiWiioI3tiB==
accountExpires: 9223372036854775807
logonCount: 667
sAMAccountName: SRVARQ$
sAMAccountType: 805306369
operatingSystem: Windows Server 2003
operatingSystemVersion: 5.2 (3790)
operatingSystemServicePack: Service Pack 2
serverReferenceBL: CN=SRVARQ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
dNSHostName: srvarq.domain.local
rIDSetReferences: CN=RID Set,CN=SRVARQ,OU=Domain Controllers,DC=domain,DC=local
servicePrincipalName: ldap/srvarq.domain.local/ForestDnsZones.domain.local
servicePrincipalName: ldap/srvarq.domain.local/DomainDnsZones.domain.local
servicePrincipalName: DNS/srvarq.domain.local
servicePrincipalName: GC/srvarq.domain.local/domain.local
servicePrincipalName: HOST/srvarq.domain.local/domain.local
servicePrincipalName: HOST/srvarq.domain.local/DOMAIN
servicePrincipalName: ldap/8e1ab25f-de62-46ba-8369-ee9093a58f48._msdcs.lmvidros.local
servicePrincipalName: ldap/srvarq.domain.local/DOMAIN
servicePrincipalName: ldap/SRVARQ
servicePrincipalName: ldap/srvarq.domain.local
servicePrincipalName: ldap/srvarq.domain.local/domain.local
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/srvarq.lmvidros.local
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/8e1ab25f-de62-46ba-8369-ee9093a58f48/domain.local
servicePrincipalName: HOST/SRVARQ
servicePrincipalName: HOST/srvarq.domain.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=local
isCriticalSystemObject: TRUE
frsComputerReferenceBL: CN=SRVARQ,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local
dSCorePropagationData: 20111003195908.0Z
dSCorePropagationData: 1601010101.0Z

# search reference
ref: ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local

# search reference
ref: ldap://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local

# search reference
ref: ldap://domain.local/CN=Configuration,DC=domain,DC=local

# search result
search: 5
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
root@Firewall:~#



[squid-users] doubt squid message log TCP_MISS/403

2012-11-06 Thread spiderslack

Hi all,

What is the difference between the messages TCP_MISS/403 and TCP_DENIED/403? My log file is displaying the message TCP_MISS/403, and that is when I have a rule allowing all access, "http_access allow all".


Any idea


[squid-users] squid cache_dir COSS

2012-11-08 Thread spiderslack

Hi all,

I compiled squid3 with support for the coss cache_dir, but when I start Squid it displays the following message:


2012/11/08 22:10:25| Max Swap size: 3072 KB
2012/11/08 22:10:25| /dev/sda8/swap.state: (20) Not a directory
FATAL: storeCossDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.2.3): Terminated abnormally.



my settings squid.conf for cache_dir

cache_dir coss /dev/sda8 3 max-size=100 block-size=2048


I'm confused; I thought the COSS method would deliver a raw device to Squid, and Squid would take care of using the device as desired, avoiding the overhead of a filesystem. Is this not how it should work?


Any idea?

Regards.


Re: [squid-users] squid cache_dir COSS

2012-11-10 Thread spiderslack

On 11/08/2012 11:29 PM, Amos Jeffries wrote:

On 9/11/2012 1:20 p.m., spiderslack wrote:

Hi all,

I compiled squid3 with support for the coss cache_dir, but when I start Squid it displays the following message:


2012/11/08 22:10:25| Max Swap size: 3072 KB
2012/11/08 22:10:25| /dev/sda8/swap.state: (20) Not a directory
FATAL: storeCossDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.2.3): Terminated abnormally.



my settings squid.conf for cache_dir

cache_dir coss /dev/sda8 3 max-size=100 block-size=2048


I'm confused; I thought the COSS method would deliver a raw device to Squid, and Squid would take care of using the device as desired, avoiding the overhead of a filesystem. Is this not how it should work?


It is not expected to work in squid 3.x. The original COSS 
implementation had a lot of bugs and the people who fixed it up for 
the squid-2.6+ fork did not assist with getting many of those fixes 
into the squid-3 branch.


3.2 provides rock store type instead which is an updated design 
similar to COSS but with SMP support and some other improvements.


Amos

Hi Amos,

Cool! rock store seems formidable. I am trying it, but with rock too it appears it is not possible to use a raw device, for example /dev/sda8. Does neither store type do this?


Regards


Re: [squid-users] squid cache_dir COSS

2012-11-10 Thread spiderslack

On 11/08/2012 11:29 PM, Amos Jeffries wrote:

On 9/11/2012 1:20 p.m., spiderslack wrote:

Hi all,

I compiled squid3 with support for the coss cache_dir, but when I start Squid it displays the following message:


2012/11/08 22:10:25| Max Swap size: 3072 KB
2012/11/08 22:10:25| /dev/sda8/swap.state: (20) Not a directory
FATAL: storeCossDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.2.3): Terminated abnormally.



my settings squid.conf for cache_dir

cache_dir coss /dev/sda8 3 max-size=100 block-size=2048


I'm confused; I thought the COSS method would deliver a raw device to Squid, and Squid would take care of using the device as desired, avoiding the overhead of a filesystem. Is this not how it should work?


It is not expected to work in squid 3.x. The original COSS 
implementation had a lot of bugs and the people who fixed it up for 
the squid-2.6+ fork did not assist with getting many of those fixes 
into the squid-3 branch.


3.2 provides rock store type instead which is an updated design 
similar to COSS but with SMP support and some other improvements.


Amos

Hi Amos.

I am trying to use the rock store, but it does not work; see the message:

Nov 10 11:06:50 hades squid: Rock cache_dir[0] rebuild of /cache1/rock 
failed: cannot read db header


I researched and found the bug mentioned in the archive; does the bug persist?

http://www.squid-cache.org/mail-archive/squid-users/20/0278.html

Regards



[squid-users] cache not working?

2014-01-05 Thread spiderslack

Hi all

I am setting up a proxy with Squid and realized that it is not caching, or my understanding is incorrect; please examine my setup below.

visible_hostname galileu
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl manager url_regex -i ^cache_object:///squid-internal-mgr/
acl localhost src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/squid/cache/squid 1000 16 256
coredump_dir /var/squid/cache/squid

cache allow all

the "cache allow all" line was just for testing, but it still did not work


I try to access a site with static content, where the HTML is something simple like "test", but it does not work.

In the logs I see only TCP_MISS, never TCP_HIT; is this correct?

According to the official Squid website:

http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

TCP_MISS: The response object delivered was the network response object.
TCP_HIT: The response object delivered was the local cache object.

1388784386.986    130 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.105     65 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.278     84 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html


any idea where I am going wrong?



Re: [squid-users] cache not working?

2014-01-15 Thread spiderslack
Hi, after various tests I got it to work. The problem is the header with the option cache-control=no-cache, for example.

My doubt is: is it possible to alter the header for caching?

I tried using the option "cache allow all", but websites with the cache-control option did not work.


Regards

On 01/06/2014 12:03 AM, Eliezer Croitoru wrote:

Hey Spider,

Are you sure you are wrong?
What version of squid are you using?
What is the result for the same request when you use "curl" or "wget"?
In order to cache the request you are talking about there is a need to 
make sure that the request and the response do support caching and 
allow them.


There are many cases which there is a need for the file to not be 
cached by the server request or by the client request and squid obeys 
them.


We can determine it manually by looking at the request and response or 
maybe you can even try the tool redbot:

http://redbot.org/

It is very simple to use.
Feel free to just ask about the subject.

Eliezer

On 06/01/14 04:30, spiderslack wrote:

Hi all

I am setting up a proxy with Squid and realized that it is not caching, or my understanding is incorrect; please examine my setup below.

visible_hostname galileu
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl manager url_regex -i ^cache_object:///squid-internal-mgr/
acl localhost src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/squid/cache/squid 1000 16 256
coredump_dir /var/squid/cache/squid

cache allow all

the "cache allow all" line was just for testing, but it still did not work


I try to access a site with static content, where the HTML is something simple like "test", but it does not work.

In the logs I see only TCP_MISS, never TCP_HIT; is this correct?

According to the official Squid website:

http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

TCP_MISS: The response object delivered was the network response object.
TCP_HIT: The response object delivered was the local cache object.

1388784386.986    130 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.105     65 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.278     84 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html


any idea where I am going wrong?
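
Eliezer's point, that both request and response have to permit caching before Squid will store anything, and the follow-up finding that the pages in question carry `cache-control=no-cache`, come down to two routine checks a proxy operator runs: count hits versus misses per URL in access.log, and classify a response's caching headers under the RFC 7234 rules a shared cache such as Squid applies. The script below is an added example, not code from the thread or from Squid; the access.log lines are constructed in the same native format as the ones quoted above (with a placeholder host, since the archive stripped the real one), and the classifier covers only the Cache-Control directives and validators named in its comments.

```python
import re

# Squid native access.log: time.ms elapsed client code/status bytes method URL user hierarchy/peer type
ACCESS_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$")

def parse_access_log(lines):
    """Native-format access.log lines -> list of dicts; unparseable lines are skipped."""
    rows = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def hit_ratio_by_url(rows):
    """Per URL: requests served from cache (any TCP_*HIT* code) vs fetched upstream."""
    stats = {}
    for r in rows:
        s = stats.setdefault(r["url"], {"hits": 0, "misses": 0})
        s["hits" if "HIT" in r["code"] else "misses"] += 1
    return stats

def parse_cache_control(value):
    """'max-age=60, no-cache' -> {'max-age': 60, 'no-cache': None}"""
    out = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        arg = arg.strip('"')
        out[name] = int(arg) if arg.isdigit() else None
    return out

def cacheability(response_headers):
    """Classify a response for a shared cache from its headers (RFC 7234 rules only).

    no-store forbids storing; private forbids a shared cache; no-cache and
    max-age=0 allow storing but force revalidation before every reuse; otherwise
    s-maxage/max-age, then Expires, give explicit freshness, and Last-Modified
    alone leaves only heuristic freshness (refresh_pattern in Squid's case).
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc:
        return "not-storable", "Cache-Control: no-store"
    if "private" in cc:
        return "not-storable", "Cache-Control: private (response is for one user, not a shared cache)"
    if "no-cache" in cc:
        return "revalidate", "Cache-Control: no-cache: may be stored, but every hit must be revalidated"
    lifetime = cc.get("s-maxage", cc.get("max-age"))
    if lifetime is not None:
        return ("revalidate" if lifetime == 0 else "fresh"), f"explicit freshness lifetime {lifetime}s"
    if "expires" in headers:
        return "fresh", "explicit Expires header (fresh until that date)"
    if "last-modified" in headers:
        return "heuristic", "no explicit freshness; only a refresh_pattern heuristic can serve hits"
    return "heuristic", "no freshness information or validator at all"

# Constructed access.log lines in the thread's format (placeholder host and peer address).
SAMPLE_LOG = [
    "1388784386.986    130 192.168.1.112 TCP_MISS/200 399 GET http://intranet.example/~leandro/test.html - HIER_DIRECT/203.0.113.10 text/html",
    "1388784387.105     65 192.168.1.112 TCP_MISS/200 399 GET http://intranet.example/~leandro/test.html - HIER_DIRECT/203.0.113.10 text/html",
    "1388784387.278      2 192.168.1.112 TCP_MEM_HIT/200 399 GET http://intranet.example/~leandro/test.html - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for url, s in hit_ratio_by_url(parse_access_log(SAMPLE_LOG)).items():
        print(url, s)
    # The case found in this thread: a page that sends Cache-Control: no-cache.
    print(cacheability({"Cache-Control": "no-cache", "Last-Modified": "Mon, 06 Jan 2014 02:30:00 GMT"}))
```

For the `revalidate` verdict every request still goes to the origin (a conditional GET), which in access.log shows up as TCP_MISS or TCP_REFRESH_* rather than TCP_HIT; overriding that from the proxy side means ignoring a directive the origin set on purpose, so it is a policy decision to take per site rather than with a blanket `cache allow all`.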









Re: [squid-users] cache not working?

2014-01-15 Thread spiderslack

Hi all

Trying

http://wiki.squid-cache.org/ConfigExamples/DynamicContent/Coordinator

Thanks :)

On 01/15/2014 12:02 PM, spiderslack wrote:
Hi, after various tests I got it to work. The problem is the header with the option cache-control=no-cache, for example.

My doubt is: is it possible to alter the header for caching?

I tried using the option "cache allow all", but websites with the cache-control option did not work.


Regards

On 01/06/2014 12:03 AM, Eliezer Croitoru wrote:

Hey Spider,

Are you sure you are wrong?
What version of squid are you using?
What is the result for the same request when you use "curl" or "wget"?
In order to cache the request you are talking about there is a need 
to make sure that the request and the response do support caching and 
allow them.


There are many cases which there is a need for the file to not be 
cached by the server request or by the client request and squid obeys 
them.


We can determine it manually by looking at the request and response 
or maybe you can even try the tool redbot:

http://redbot.org/

It is very simple to use.
Feel free to just ask about the subject.

Eliezer

On 06/01/14 04:30, spiderslack wrote:

Hi all

I am setting up a proxy with Squid and realized that it is not caching, or my understanding is incorrect; please examine my setup below.

visible_hostname galileu
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl manager url_regex -i ^cache_object:///squid-internal-mgr/
acl localhost src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/squid/cache/squid 1000 16 256
coredump_dir /var/squid/cache/squid

cache allow all

the line "cache allow all" was just for testing, but it still did not work


I try to access a site with static content, where the html is a simple
thing like " test ", but it does not work.

In the logs I see only TCP_MISS, never TCP_HIT. Is this correct?

according to the official squid website

http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

TCP_MISS: The response object delivered was the network response 
object.

TCP_HIT: The response object delivered was the local cache object.

1388784386.986    130 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.105     65 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html
1388784387.278     84 192.168.1.112 TCP_MISS/200 399 GET http:///~leandro/test.html - HIER_DIRECT/xxx.xxx.xxx.xxx text/html



any idea where I am going wrong?
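Two things decide what shows up as TCP_MISS in the logs above: what the access.log line actually records, and whether the origin's response headers let a shared cache store the object at all. The script below is an added example, not code from the squid project or from anyone in this thread. It parses lines in Squid's default "squid" logformat and tallies hits, misses, aborted transfers and CONNECT tunnels per URL, then applies a simplified RFC 7234 shared-cache check to a set of response headers and estimates the freshness lifetime under Squid's default "refresh_pattern . 0 20% 4320". The log lines and headers are constructed for the example; www.example.test and the 203.0.113.x addresses are placeholders, and the verdict logic is a model of the rules, not Squid's own code.

```python
"""Added example (not squid project code, not code from this thread):
tally Squid access.log result codes per URL and check whether a response's
headers let a shared cache store it.  All sample data is constructed."""
import re
from email.utils import parsedate_to_datetime

# Squid's default "squid" logformat, one request per line:
#   time.ms  duration_ms  client  result/status  bytes  method  URL  user  hier/peer  type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed lines shaped like the thread's logs (placeholder hosts/IPs).
# With the default strip_query_terms, both videoplayback lines log the same
# URL even when their query strings, and therefore the objects, differ.
SAMPLE_LOG = """\
1388784386.986    130 192.168.1.112 TCP_MISS/200 399 GET http://www.example.test/~leandro/test.html - HIER_DIRECT/203.0.113.10 text/html
1388784387.105     65 192.168.1.112 TCP_MISS/200 399 GET http://www.example.test/~leandro/test.html - HIER_DIRECT/203.0.113.10 text/html
1388784390.001      2 192.168.1.112 TCP_MEM_HIT/200 1207 GET http://www.example.test/logo.png - HIER_NONE/- image/png
1392741947.876  50655 192.168.1.104 TCP_MISS/200 4839 CONNECT youtube.googleapis.com:443 - HIER_DIRECT/203.0.113.20 -
1392741954.058   1868 192.168.1.104 TCP_MISS/200 191067 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/203.0.113.30 application/octet-stream
1392741960.315   8123 192.168.1.104 TCP_MISS_ABORTED/200 765472 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/203.0.113.30 application/octet-stream
"""

def parse_access_log(lines):
    """Parse log lines into dicts; lines not in the expected format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ms"], e["bytes"], e["status"] = int(e["ms"]), int(e["bytes"]), int(e["status"])
            entries.append(e)
    return entries

def summarize(entries):
    """Per-URL counts.  CONNECT is a TCP tunnel: Squid only relays encrypted
    bytes, so it can never produce a cache hit.  *_ABORTED means the client
    went away before the object was complete, so nothing is stored."""
    out = {}
    for e in entries:
        c = out.setdefault(e["url"], {"hits": 0, "misses": 0, "aborted": 0, "tunnel": 0})
        if e["method"] == "CONNECT":
            c["tunnel"] += 1
        elif "ABORTED" in e["code"]:
            c["aborted"] += 1
        elif "HIT" in e["code"] or e["code"] == "TCP_REFRESH_UNMODIFIED":
            c["hits"] += 1
        else:
            c["misses"] += 1
    return out

# Status codes a cache may store without explicit freshness (RFC 7231).
HEURISTIC_OK = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def parse_cache_control(value):
    """'max-age=600, public' -> {'max-age': '600', 'public': None}"""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') if arg else None
    return out

def _http_date(s):
    try:
        return parsedate_to_datetime(s) if s else None
    except (TypeError, ValueError):
        return None

def freshness_lifetime(response_headers, min_s=0, pct=20, max_s=4320 * 60):
    """Seconds a stored copy is served as a HIT without asking the origin.
    Explicit freshness wins; otherwise the heuristic of Squid's default
    'refresh_pattern . 0 20% 4320': pct% of (Date - Last-Modified), clamped
    to [min_s, max_s].  A page edited a minute ago is fresh for ~12 s, which
    is why freshly edited test pages seldom show a plain TCP_HIT."""
    h = _lower(response_headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    for k in ("s-maxage", "max-age"):
        if (cc.get(k) or "").isdigit():
            return int(cc[k])
    date, expires, lm = (_http_date(h.get(n)) for n in ("date", "expires", "last-modified"))
    if date and expires:
        return max(0, int((expires - date).total_seconds()))
    if date and lm:
        return min(max(min_s, int((date - lm).total_seconds() * pct / 100)), max_s)
    return min_s

def cache_verdict(status, response_headers, request_headers=None):
    """Simplified RFC 7234 shared-cache rules (a model, not Squid's code).
    Returns ('store' | 'store-revalidate' | 'no-store', reason)."""
    h, rq = _lower(response_headers), _lower(request_headers or {})
    rcc = parse_cache_control(h.get("cache-control", ""))
    qcc = parse_cache_control(rq.get("cache-control", ""))
    if "no-store" in qcc or "no-store" in rcc:
        return "no-store", "Cache-Control: no-store"
    if "private" in rcc:
        return "no-store", "Cache-Control: private is not storable by a shared cache"
    if h.get("vary", "").strip() == "*":
        return "no-store", "Vary: * can never match a later request"
    if "authorization" in rq and not (rcc.keys() & {"public", "s-maxage", "must-revalidate"}):
        return "no-store", "Authorization request without public/s-maxage/must-revalidate"
    explicit = bool(rcc.keys() & {"public", "max-age", "s-maxage"}) or "expires" in h
    if not explicit and status not in HEURISTIC_OK:
        return "no-store", "status %d needs explicit freshness to be stored" % status
    if "no-cache" in rcc:
        return "store-revalidate", ("Cache-Control: no-cache: storable, but every hit must be "
                                   "revalidated with the origin, so it never shows as a plain TCP_HIT")
    return "store", "storable, fresh for %ds" % freshness_lifetime(h)
```

Feed the real access.log through parse_access_log and summarize to see at a glance whether a URL is missing because it was never stored, because the client aborted, or because it was a CONNECT tunnel that Squid cannot cache. Then fetch the page's headers with curl -I and run them through cache_verdict: a response carrying Cache-Control: no-cache, as found later in this thread, can at best be stored and revalidated on every request, and a freshly modified static file with only Last-Modified gets a short heuristic lifetime under the default refresh_pattern.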
[squid-users] doubt in how squid works with cache

2014-02-18 Thread spiderslack

Hi all.

I am trying to make squid store any content. I compiled squid 3.4 and I'm
testing it. The first test is the wish of many network administrators:
caching youtube. After some tests the youtube video was not cached, so I
dug through the html of the following video,
https://www.youtube.com/watch?v=KaI8sdDxCAc . It is 11 seconds long, so I
can test everything without spending time waiting for a 1 hour video to
load, for example. Digging through the html with wireshark I found the true URL
https://youtube.googleapis.com/v/KaI8sdDxCAc?autohide=1&=&version=3 .
The video opens fullscreen in firefox. But running the test while
monitoring the access.log I see that it does not cache. I did the access
from a computer with IP address 192.168.1.104 and made 2 test requests; on
the first it stored, so far so good because the content was not in the cache,
but on the second request it kept giving TCP_MISS

first request
1392741947.876  50655 192.168.1.104 TCP_MISS/200 4839 CONNECT youtube.googleapis.com:443 - HIER_DIRECT/74.125.196.95 -
1392741954.058   1868 192.168.1.104 TCP_MISS/200 191067 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392741957.880    192 192.168.1.104 TCP_MISS/200 8191 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392741960.315   8123 192.168.1.104 TCP_MISS_ABORTED/200 765472 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392741960.696    380 192.168.1.104 TCP_MISS/200 42829 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392741960.723    408 192.168.1.104 TCP_MISS/200 31464 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream


second request
1392742008.148  60272 192.168.1.104 TCP_MISS/200 4834 CONNECT youtube.googleapis.com:443 - HIER_DIRECT/74.125.196.95 -
1392742013.610   2082 192.168.1.104 TCP_MISS/200 191067 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392742017.411     97 192.168.1.104 TCP_MISS_ABORTED/200 6270 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392742020.215   8687 192.168.1.104 TCP_MISS_ABORTED/200 766932 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392742021.253   1039 192.168.1.104 TCP_MISS/200 42829 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392742021.696   1484 192.168.1.104 TCP_MISS/200 31464 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_DIRECT/200.172.62.13 application/octet-stream
1392742026.135    197 192.168.1.104 TCP_MISS/200 9 GET http://r2---sn-xhcg5uxa-bpbe.googlevideo.com/videoplayback? - HIER_