Re: [squid-users] Java not working behind squid
Amos Jeffries wrote:
> On Wed, 17 Mar 2010 23:21:44 +0100, Thomas Klein mailinglist-postfixb...@online.de wrote:
> > Truth Seeker wrote:
> > > > > http_access deny !AuthorizedUsers
> > > >
> > > > ... performs authentication. Which was your problem with Java...
> > > > order is important!
> > >
> > > So does it mean, I need to put them as the following;
> > >
> > > ### For JAVA
> > > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > > acl testnet src 192.168.7.0/24
> > > acl testnet src 192.168.8.0/24
> > > http_access allow testnet Java
> > > http_access deny !AuthorizedUsers
> > >
> > > Yes, when I modified as the above, it's working fine.
> > > Now another doubt. Will this solve the issues related to all the Java sites?
> >
> > Hi there,
> >
> > I have actually also the problem that Java applications are in no way able to get a working connection to the internet, but this workaround with the example of http://www.dailyfx.com/ doesn't work for me in any case.
> > My test user matches the acl gruppe_vollzugriff - I'm using 2.7.STABLE3-4.1 on Debian Lenny with squidGuard 1.4. I also use NTLM auth against an AD.
> >
> > If I do it in this way:
> >
> > acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> > acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> > acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> > acl gruppe_test external wbinfo_group Proxygruppe-test
> > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > acl localnet src 172.1.0.0/19
> > ...
> > http_access allow localnet Java
> > http_access allow gruppe_azubis erlaubte_seiten_azubis
> > http_access allow gruppe_standarduser
> > http_access allow gruppe_test
> > http_access allow gruppe_vollzugriff
> > http_access deny all
> >
> > I get in access.log the following:
> >
> > 1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> > 1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> > 1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> > 1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> >
> > If I modify the order of the http_access lines in this way:
> >
> > acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> > acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> > acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> > acl gruppe_test external wbinfo_group Proxygruppe-test
> > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > acl localnet src 172.1.0.0/19
> > ...
> > http_access allow gruppe_azubis erlaubte_seiten_azubis
> > http_access allow gruppe_standarduser
> > http_access allow gruppe_test
> > http_access allow gruppe_vollzugriff
> > http_access allow localnet Java
> > http_access deny all
> >
> > I get the following output in the log:
> >
> > 1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> > 1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> >
> > As I described, Java isn't able to get a working connection to the internet. What's wrong in my case? I would be glad if you have a hint for me.
>
> There is some form of deny line happening outside the set you showed. Which blocks the first configuration from working.
>
> The Java auth problem blocks the second.
>
> Amos

Thank you for your hint - I'm using squidGuard, and this seems to be the problem. If I comment out the following line from squid.conf, Java works fine:

url_rewrite_program /root/squidGuard -c /etc/squid/squidGuard.conf

OK so far - I'm now a step closer, but I'm afraid that's not the solution, because if I disable the content filter from squidGuard, my boss will kill me ;)

I checked the squidGuard logfiles, but there is nothing to find about authentication and so on; only the database updates are being logged.

Because the AD authentication from squidGuard did not work, I'm pulling with net rpc group members every 10 minutes all members of the necessary AD groups into a local file for each access group in the squidGuard database directory, and squidGuard looks into these files for finding the usernames there. This works so far for the whole internet access, but Java seems to get in trouble with this.

The case is also strange, that squidGuard does not log any information about authentication or something about the filtering in its logfiles -
Re: [squid-users] Java not working behind squid
Truth Seeker wrote:
> > > http_access deny !AuthorizedUsers
> >
> > ... performs authentication. Which was your problem with Java...
> > order is important!
>
> So does it mean, I need to put them as the following;
>
> ### For JAVA
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl testnet src 192.168.7.0/24
> acl testnet src 192.168.8.0/24
> http_access allow testnet Java
> http_access deny !AuthorizedUsers
>
> Yes, when I modified as the above, it's working fine.
> Now another doubt. Will this solve the issues related to all the Java sites?

Hi there,

I have actually also the problem that Java applications are in no way able to get a working connection to the internet, but this workaround with the example of http://www.dailyfx.com/ doesn't work for me in any case.
My test user matches the acl gruppe_vollzugriff - I'm using 2.7.STABLE3-4.1 on Debian Lenny with squidGuard 1.4. I also use NTLM auth against an AD.

If I do it in this way:

acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
acl gruppe_test external wbinfo_group Proxygruppe-test
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl localnet src 172.1.0.0/19
...
http_access allow localnet Java
http_access allow gruppe_azubis erlaubte_seiten_azubis
http_access allow gruppe_standarduser
http_access allow gruppe_test
http_access allow gruppe_vollzugriff
http_access deny all

I get in access.log the following:

1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -

If I modify the order of the http_access lines in this way:

acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
acl gruppe_test external wbinfo_group Proxygruppe-test
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl localnet src 172.1.0.0/19
...
http_access allow gruppe_azubis erlaubte_seiten_azubis
http_access allow gruppe_standarduser
http_access allow gruppe_test
http_access allow gruppe_vollzugriff
http_access allow localnet Java
http_access deny all

I get the following output in the log:

1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html

As I described, Java isn't able to get a working connection to the internet. What's wrong in my case? I would be glad if you have a hint for me.

Thanks, best regards
Thomas
Re: [squid-users] Java not working behind squid
On Wed, 17 Mar 2010 23:21:44 +0100, Thomas Klein mailinglist-postfixb...@online.de wrote:
> Truth Seeker wrote:
> > > > http_access deny !AuthorizedUsers
> > >
> > > ... performs authentication. Which was your problem with Java...
> > > order is important!
> >
> > So does it mean, I need to put them as the following;
> >
> > ### For JAVA
> > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > acl testnet src 192.168.7.0/24
> > acl testnet src 192.168.8.0/24
> > http_access allow testnet Java
> > http_access deny !AuthorizedUsers
> >
> > Yes, when I modified as the above, it's working fine.
> > Now another doubt. Will this solve the issues related to all the Java sites?
>
> Hi there,
>
> I have actually also the problem that Java applications are in no way able to get a working connection to the internet, but this workaround with the example of http://www.dailyfx.com/ doesn't work for me in any case.
> My test user matches the acl gruppe_vollzugriff - I'm using 2.7.STABLE3-4.1 on Debian Lenny with squidGuard 1.4. I also use NTLM auth against an AD.
>
> If I do it in this way:
>
> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> acl gruppe_test external wbinfo_group Proxygruppe-test
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl localnet src 172.1.0.0/19
> ...
> http_access allow localnet Java
> http_access allow gruppe_azubis erlaubte_seiten_azubis
> http_access allow gruppe_standarduser
> http_access allow gruppe_test
> http_access allow gruppe_vollzugriff
> http_access deny all
>
> I get in access.log the following:
>
> 1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>
> If I modify the order of the http_access lines in this way:
>
> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> acl gruppe_test external wbinfo_group Proxygruppe-test
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl localnet src 172.1.0.0/19
> ...
> http_access allow gruppe_azubis erlaubte_seiten_azubis
> http_access allow gruppe_standarduser
> http_access allow gruppe_test
> http_access allow gruppe_vollzugriff
> http_access allow localnet Java
> http_access deny all
>
> I get the following output in the log:
>
> 1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
> As I described, Java isn't able to get a working connection to the internet. What's wrong in my case? I would be glad if you have a hint for me.

There is some form of deny line happening outside the set you showed. Which blocks the first configuration from working.

The Java auth problem blocks the second.

Amos
Re: [squid-users] Java not working behind squid
> > working. In the client side I tested with
> > a. Ubuntu 9.04 box and with Firefox 3.0 (here a Java window is prompting for user/pass and once I have given the required info, then it says Error Details in that Java window on dailyfx.com)
> > b. with Win XP and Firefox and IE (both just give Error Details)
> >
> > Now what can I do to get this site working with our env?
>
> Does the above http_access come before or after the http_access which allows people to access when authenticated?

Well... the following is an extract from my squid.conf

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

### MY Rules begins here...

### Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access deny !AuthorizedUsers
#http_access allow AuthorizedUsers

external_acl_type unix_group %LOGIN /usr/lib/squid/wbinfo_group.pl

### ACL Declarations!!!
acl top_acl external unix_group topusers
acl itusers_acl external unix_group itusers
acl power_acl external unix_group power
acl dusers_acl external unix_group dusers
acl duplus_acl external unix_group dusersplus
acl liusers_acl external unix_group liusers
acl usersplus_acl external unix_group usersplus
acl users_acl external unix_group users
acl nauthy_acl external unix_group naughty
acl ultimate_acl external unix_group ultimate

### For Java on dailyfx.com
#acl dailyfx_acl dstdomain .netdania.com
#http_access allow dailyfx_acl CONNECT

### For JAVA
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl testnet src 192.168.7.0/24
acl testnet src 192.168.8.0/24
http_access allow testnet Java

### Blocking Proxy Sites
acl proxy_sites dstdomain /etc/squid/include-files/proxy_sites.squid
http_access allow ultimate_acl proxy_sites
http_access deny proxy_sites
deny_info ERR_PROXY_SITES proxy_sites

### Acl defining off time
acl off_time_1 time ASMTWH 12:00-14:30

### Off timing for Thursday
#acl thursday_off_time time H 11:00-16:00

### Exclusion Site for power
acl power_exclusion_acl url_regex /etc/squid/include-files/power_sites.squid
http_access allow power_acl power_exclusion_acl

### ACL for IT Groups for technical reasons
acl techie_acl url_regex /etc/squid/include-files/technical_sites.squid
http_access allow itusers_acl techie_acl

### Yahoo messenger for Vista users
#acl vista_ip src /etc/squid/include-files/vista_ip.squid
#acl yahoomsngr_acl dstdomain .yahoo.com
#http_access allow vista_ip yahoomsngr_acl

### Bypass Rules
acl bypass_ip src /etc/squid/include-files/bypass_ip.squid
http_access allow bypass_ip all

### Personal mail Access Policies (Yahoo/Gmail etc)
acl mail_sites dstdomain /etc/squid/include-files/mail_sites.squid
http_access allow mail_sites top_acl
http_access allow mail_sites itusers_acl
http_access allow mail_sites power_acl
http_access allow mail_sites ultimate_acl
http_access allow mail_sites duplus_acl
http_access allow mail_sites usersplus_acl
#http_access allow mail_sites thursday_off_time dusers_acl
http_access allow mail_sites off_time_1 dusers_acl
#http_access allow mail_sites thursday_off_time users_acl
http_access allow mail_sites off_time_1 users_acl
http_access deny mail_sites
deny_info ERR_MAIL_SITES mail_sites

### Instant Messaging Sites Access Policies (meebo.com, etc)
acl instant_msg_sites dstdomain /etc/squid/include-files/instant_msg.squid
http_access allow instant_msg_sites top_acl
http_access allow instant_msg_sites itusers_acl
http_access allow instant_msg_sites power_acl
http_access allow instant_msg_sites ultimate_acl
http_access allow instant_msg_sites duplus_acl
http_access allow instant_msg_sites usersplus_acl
http_access allow instant_msg_sites off_time_1 dusers_acl
http_access allow instant_msg_sites off_time_1 users_acl
http_access deny instant_msg_sites
deny_info ERR_INST_MSG_SITES instant_msg_sites

### Temporarily blocking suspicious sites
acl suspicious_sites dstdomain /etc/squid/include-files/suspicious_sites.squid
http_access allow ultimate_acl suspicious_sites
http_access allow top_acl suspicious_sites
http_access allow power_acl suspicious_sites
http_access deny suspicious_sites
deny_info
Re: [squid-users] Java not working behind squid
Truth Seeker wrote:
> > > working. In the client side I tested with
> > > a. Ubuntu 9.04 box and with Firefox 3.0 (here a Java window is prompting for user/pass and once I have given the required info, then it says Error Details in that Java window on dailyfx.com)
> > > b. with Win XP and Firefox and IE (both just give Error Details)
> > >
> > > Now what can I do to get this site working with our env?
> >
> > Does the above http_access come before or after the http_access which allows people to access when authenticated?
>
> Well... the following is an extract from my squid.conf

And squid reads it top-down.

> #Recommended minimum configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on localhost is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> ### MY Rules begins here...
>
> ### Authentication
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access deny !AuthorizedUsers

... performs authentication. Which was your problem with Java... order is important!

> #http_access allow AuthorizedUsers
>
> external_acl_type unix_group %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> ### ACL Declarations!!!
> acl top_acl external unix_group topusers
> acl itusers_acl external unix_group itusers
> acl power_acl external unix_group power
> acl dusers_acl external unix_group dusers
> acl duplus_acl external unix_group dusersplus
> acl liusers_acl external unix_group liusers
> acl usersplus_acl external unix_group usersplus
> acl users_acl external unix_group users
> acl nauthy_acl external unix_group naughty
> acl ultimate_acl external unix_group ultimate
>
> ### For Java on dailyfx.com
> #acl dailyfx_acl dstdomain .netdania.com
> #http_access allow dailyfx_acl CONNECT
>
> ### For JAVA
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl testnet src 192.168.7.0/24
> acl testnet src 192.168.8.0/24
> http_access allow testnet Java
>
> ### Blocking Proxy Sites
> acl proxy_sites dstdomain /etc/squid/include-files/proxy_sites.squid
> http_access allow ultimate_acl proxy_sites
> http_access deny proxy_sites
> deny_info ERR_PROXY_SITES proxy_sites
>
> ### Acl defining off time
> acl off_time_1 time ASMTWH 12:00-14:30
>
> ### Off timing for Thursday
> #acl thursday_off_time time H 11:00-16:00
>
> ### Exclusion Site for power
> acl power_exclusion_acl url_regex /etc/squid/include-files/power_sites.squid
> http_access allow power_acl power_exclusion_acl
>
> ### ACL for IT Groups for technical reasons
> acl techie_acl url_regex /etc/squid/include-files/technical_sites.squid
> http_access allow itusers_acl techie_acl
>
> ### Yahoo messenger for Vista users
> #acl vista_ip src /etc/squid/include-files/vista_ip.squid
> #acl yahoomsngr_acl dstdomain .yahoo.com
> #http_access allow vista_ip yahoomsngr_acl
>
> ### Bypass Rules
> acl bypass_ip src /etc/squid/include-files/bypass_ip.squid
> http_access allow bypass_ip all
>
> ### Personal mail Access Policies (Yahoo/Gmail etc)
> acl mail_sites dstdomain /etc/squid/include-files/mail_sites.squid
> http_access allow mail_sites top_acl
> http_access allow mail_sites itusers_acl
> http_access allow mail_sites power_acl
> http_access allow mail_sites ultimate_acl
> http_access allow mail_sites duplus_acl
> http_access allow mail_sites usersplus_acl
> #http_access allow mail_sites thursday_off_time dusers_acl
> http_access allow mail_sites off_time_1 dusers_acl
> #http_access allow mail_sites thursday_off_time users_acl
> http_access allow mail_sites off_time_1 users_acl
> http_access deny mail_sites
> deny_info ERR_MAIL_SITES mail_sites
>
> ### Instant Messaging Sites Access Policies (meebo.com, etc)
> acl instant_msg_sites dstdomain /etc/squid/include-files/instant_msg.squid
> http_access allow instant_msg_sites top_acl
> http_access allow instant_msg_sites itusers_acl
> http_access allow instant_msg_sites power_acl
> http_access allow instant_msg_sites ultimate_acl
> http_access allow instant_msg_sites duplus_acl
> http_access allow instant_msg_sites usersplus_acl
> http_access allow instant_msg_sites off_time_1 dusers_acl
> http_access allow instant_msg_sites off_time_1 users_acl
> http_access deny instant_msg_sites
> deny_info ERR_INST_MSG_SITES instant_msg_sites
>
> ### Temporarily blocking suspicious sites
> acl suspicious_sites dstdomain /etc/squid/include-files/suspicious_sites.squid
> http_access allow ultimate_acl suspicious_sites
> http_access
Re: [squid-users] Java not working behind squid
> > http_access deny !AuthorizedUsers
>
> ... performs authentication. Which was your problem with Java...
> order is important!

So does it mean, I need to put them as the following;

### For JAVA
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl testnet src 192.168.7.0/24
acl testnet src 192.168.8.0/24
http_access allow testnet Java
http_access deny !AuthorizedUsers
Re: [squid-users] Java not working behind squid
> > > http_access deny !AuthorizedUsers
> >
> > ... performs authentication. Which was your problem with Java...
> > order is important!
>
> So does it mean, I need to put them as the following;
>
> ### For JAVA
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl testnet src 192.168.7.0/24
> acl testnet src 192.168.8.0/24
> http_access allow testnet Java
> http_access deny !AuthorizedUsers

Yes, when I modified as the above, it's working fine.

Now another doubt. Will this solve the issues related to all the Java sites?
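The top-down, first-match walk Amos describes ("squid reads it top-down ... order is important!") and the reordering Truth Seeker confirms above, as an added example (my own Python model, not code from the thread or from Squid): it parses the thread's http_access lines and shows why a Java request from the test subnet gets a 407 when the auth line comes first and is allowed when the testnet/Java line comes first. Assumed: the `allow AuthorizedUsers` / `deny all` tail standing in for the rest of the group rules, the sample client IPs and User-Agent strings, and the simplification that a proxy_auth ACL reached without usable credentials ends the walk with a 407 challenge.

```python
"""Squid http_access walk, modelled on the thread's ACLs (added example;
not code from the squid-users posts or from Squid). Assumed
simplifications: a line matches when all its ACLs match, '!' negates, first
match wins, no match gives the opposite of the last action, and a
proxy_auth ACL reached without usable credentials ends in a 407 challenge."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client IP
    user_agent: str      # User-Agent header: client-supplied, unverified
    authenticated: bool  # True only after a completed NTLM handshake


class NeedsAuth(Exception):
    """A proxy_auth ACL was reached by a request without credentials."""


# ACLs from the thread's "### For JAVA" block plus AuthorizedUsers; 'all' is
# Squid's catch-all.
ACLS = {
    "Java": ("browser", ["Java/1.4", "Java/1.5", "Java/1.6"]),
    "testnet": ("src", ["192.168.7.0/24", "192.168.8.0/24"]),
    "AuthorizedUsers": ("proxy_auth", ["REQUIRED"]),
    "all": ("src", ["0.0.0.0/0"]),
}


def acl_matches(name, req):
    kind, args = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(net) for net in args)
    if kind == "browser":
        # Squid matches a regex against User-Agent; a substring test will do.
        # The header is chosen by the client, which is why Amos pairs this
        # ACL with a src restriction rather than allowing Java on its own.
        return any(pattern in req.user_agent for pattern in args)
    if kind == "proxy_auth":
        if not req.authenticated:
            raise NeedsAuth()
        return True
    raise ValueError(f"unsupported ACL type {kind}")


def parse_http_access(config_text):
    """Return the http_access lines as (action, [acl tokens]) in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("http_access "):
            _, action, *tokens = line.split()
            rules.append((action, tokens))
    return rules


def http_access(rules, req):
    """Return 'ALLOW', 'DENY' or '407' for one request."""
    for action, tokens in rules:
        line_matches = True
        for tok in tokens:
            negate = tok.startswith("!")
            try:
                matched = acl_matches(tok.lstrip("!"), req)
            except NeedsAuth:
                return "407"
            if matched == negate:  # plain ACL missed, or negated ACL hit
                line_matches = False
                break
        if line_matches:
            return "ALLOW" if action == "allow" else "DENY"
    last_action = rules[-1][0] if rules else "deny"
    return "DENY" if last_action == "allow" else "ALLOW"


# Truth Seeker's original order versus the reordering Amos pointed at. The
# allow AuthorizedUsers / deny all tail is assumed, standing in for the
# group rules that follow in the real squid.conf.
AUTH_FIRST = """
http_access deny !AuthorizedUsers
http_access allow testnet Java
http_access allow AuthorizedUsers
http_access deny all
"""
JAVA_FIRST = """
http_access allow testnet Java
http_access deny !AuthorizedUsers
http_access allow AuthorizedUsers
http_access deny all
"""

# Constructed sample clients; IPs and User-Agent strings are made up.
JAVA_UA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_15"
FIREFOX_UA = "Mozilla/5.0 (X11; U; Linux i686) Gecko/2009 Firefox/3.0"
SAMPLE_REQUESTS = {
    "java_testnet": Request("192.168.7.20", JAVA_UA, False),  # NTLM never completes
    "java_outside": Request("10.0.0.5", JAVA_UA, False),      # off the test subnet
    "browser_unauth": Request("192.168.7.20", FIREFOX_UA, False),
    "browser_authed": Request("192.168.7.20", FIREFOX_UA, True),
}


def decisions(config_text):
    """Map each sample client to the decision under the given rule order."""
    rules = parse_http_access(config_text)
    return {name: http_access(rules, req) for name, req in SAMPLE_REQUESTS.items()}
```

With AUTH_FIRST the Java client gets a 407 on the very first line, which is the TCP_DENIED/407 pattern in the thread's access.log; with JAVA_FIRST it is allowed, while the same applet from outside testnet and any non-Java client still hit the auth line.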
Re: [squid-users] Java not working behind squid
> > > Try putting this acl
> > >
> > > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > > http_access allow Java
> > >
> > > This worked for me when using NTLauth.
> >
> > Thanks, though I'm not the one in need of a solution and I'm not that keen to give Java full unauthenticated browsing rights. Perhaps Truth Seeker(?) might try that though.
> >
> > Am I to understand that Java is just really bad at NTLM auth, so much so that people just whitelist it for unauthenticated access?
>
> Yes.
>
> Personally I recommend adding other ACL such as sources which are allowed to use Java in this way, to reduce the impact and security holes this method opens.
>
> Amos

Well Amos, could you please give me an example acl entry to achieve what you said...
Re: [squid-users] Java not working behind squid
Truth Seeker wrote:
> > > > Try putting this acl
> > > >
> > > > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > > > http_access allow Java
> > > >
> > > > This worked for me when using NTLauth.
> > >
> > > Thanks, though I'm not the one in need of a solution and I'm not that keen to give Java full unauthenticated browsing rights. Perhaps Truth Seeker(?) might try that though.
> > >
> > > Am I to understand that Java is just really bad at NTLM auth, so much so that people just whitelist it for unauthenticated access?
> >
> > Yes.
> >
> > Personally I recommend adding other ACL such as sources which are allowed to use Java in this way, to reduce the impact and security holes this method opens.
> >
> > Amos
>
> Well Amos, could you please give me an example acl entry to achieve what you said...

Really, you are serious?

This is ultimate _basics_ ACL construction.

acl Java browser Java/1.4 Java/1.5 Java/1.6
acl localnet src 192.168.0.1/24
http_access allow localnet Java

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
Re: [squid-users] Java not working behind squid
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl localnet src 192.168.0.1/24
> http_access allow localnet Java

But for me, even with the above said acls, it's not working.

In the client side I tested with
a. Ubuntu 9.04 box and with Firefox 3.0 (here a Java window is prompting for user/pass and once I have given the required info, then it says Error Details in that Java window on dailyfx.com)
b. with Win XP and Firefox and IE (both just give Error Details)

Now what can I do to get this site working with our env?
Re: [squid-users] Java not working behind squid
On Thu, 03 Sep 2009, Truth Seeker wrote:
> > acl Java browser Java/1.4 Java/1.5 Java/1.6
> > acl localnet src 192.168.0.1/24
> > http_access allow localnet Java
>
> But for me, even with the above said acls, it's not working.
>
> In the client side I tested with
> a. Ubuntu 9.04 box and with Firefox 3.0 (here a Java window is prompting for user/pass and once I have given the required info, then it says Error Details in that Java window on dailyfx.com)
> b. with Win XP and Firefox and IE (both just give Error Details)
>
> Now what can I do to get this site working with our env?

Does the above http_access come before or after the http_access which allows people to access when authenticated?

Gavin
Re: [squid-users] Java not working behind squid
> Really thanks for your effort... I was not able to get back to you, just because there were so many unexpected issues on the proxy...
>
> Now your resolution didn't work for me... I didn't even get the http://balancer.netdania.com/StreamingServer/StreamingServer? in my access.log; rather I could always see DENIED for balancer like the following
>
> TCP_DENIED/407 2912 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
> Any HELP please...

We have a similar setup on one VLAN, with squid on linux authenticating users using active directory. We've seen lots of issues with Java not being able to authenticate.

Testing the page you're talking about (albeit with a linux desktop), I get a java popup window asking me for my AD username/password/domain, I type it in but repeatedly it fails. The squid access.log says:

1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html

I'm not sure if these lines in cache.log are relevant or not.

[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1

My usual workaround is to add an ACL for that site, which is far from ideal. I've added the following ACL:

acl dailyfx dstdomain balancer.netdania.com
http_access allow dailyfx CONNECT

That works around the issue for me. I still get prompted for the username and password and the logs suggest some traffic isn't getting through.

1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html

If I drop the word CONNECT I get no errors at all, but that disables authentication entirely for that site.

There is definitely some issue with authentication and Java. I'm not sure if it might actually be Authentication+Java+SSL. Our problems are generally with java-driven online banking applications.

Gavin
Re: [squid-users] Java not working behind squid
On Tue, 01 Sep 2009, Truth Seeker wrote:
> Really thanks for your effort... I was not able to get back to you, just because there were so many unexpected issues on the proxy...
>
> Now your resolution didn't work for me... I didn't even get the http://balancer.netdania.com/StreamingServer/StreamingServer? in my access.log; rather I could always see DENIED for balancer like the following
>
> TCP_DENIED/407 2912 CONNECT balancer.netdania.com:443 - NONE/- text/html

Perhaps you might tell us (i.e. copy and paste config) exactly what you did.

Gavin
Re: [squid-users] Java not working behind squid
Gavin,

Try putting this acl

acl Java browser Java/1.4 Java/1.5 Java/1.6
http_access allow Java

This worked for me when using NTLauth.

Regards
Tej

On Tue, Sep 1, 2009 at 2:45 PM, Truth Seeker truth_seeker_3...@yahoo.com wrote:
> > Really thanks for your effort... I was not able to get back to you, just because there were so many unexpected issues on the proxy...
> >
> > Now your resolution didn't work for me... I didn't even get the http://balancer.netdania.com/StreamingServer/StreamingServer? in my access.log; rather I could always see DENIED for balancer like the following
> >
> > TCP_DENIED/407 2912 CONNECT balancer.netdania.com:443 - NONE/- text/html
> >
> > Any HELP please...
>
> We have a similar setup on one VLAN, with squid on linux authenticating users using active directory. We've seen lots of issues with Java not being able to authenticate.
>
> Testing the page you're talking about (albeit with a linux desktop), I get a java popup window asking me for my AD username/password/domain, I type it in but repeatedly it fails. The squid access.log says:
>
> 1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
> I'm not sure if these lines in cache.log are relevant or not.
>
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
>
> My usual workaround is to add an ACL for that site, which is far from ideal. I've added the following ACL:
>
> acl dailyfx dstdomain balancer.netdania.com
> http_access allow dailyfx CONNECT
>
> That works around the issue for me. I still get prompted for the username and password and the logs suggest some traffic isn't getting through.
>
> 1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
> 1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
>
> If I drop the word CONNECT I get no errors at all, but that disables authentication entirely for that site.
>
> There is definitely some issue with authentication and Java. I'm not sure if it might actually be Authentication+Java+SSL. Our problems are generally with java-driven online banking applications.
>
> Gavin
Re: [squid-users] Java not working behind squid
Hi,

On Tue, 01 Sep 2009, Tejpal Amin wrote:
> Try putting this acl:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> http_access allow Java
>
> This worked for me when using NTLauth.

Thanks, though I'm not the one in need of a solution and I'm not that keen to
give Java full unauthenticated browsing rights. Perhaps Truth Seeker(?) might
try that though.

Am I to understand that Java is just really bad at NTLM auth, so much so that
people just whitelist it for unauthenticated access?

Gavin
Re: [squid-users] Java not working behind squid
On Tue, 2009-09-01 at 02:15 -0700, Truth Seeker wrote:
> Really thanks for your effort... I was not able to get back to you, just
> bcoz there were so many unexpected issues on the proxy...
>
> Now your resolution didn't work for me... I didn't even get the
> http://balancer.netdania.com/StreamingServer/StreamingServer? in my
> access.log; rather I could always see DENIED for balancer, like the following:
>
> TCP_DENIED/407 2912 CONNECT balancer.netdania.com:443 - NONE/- text/html

That looks like a request for https://balancer.netdania.com/...

Regards
Henrik
Re: [squid-users] Java not working behind squid
On Tue, 1 Sep 2009 12:43:13 +0100, Gavin McCullagh gavin.mccull...@gcd.ie wrote:
> Hi,
>
> On Tue, 01 Sep 2009, Tejpal Amin wrote:
>> Try putting this acl:
>>
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> http_access allow Java
>>
>> This worked for me when using NTLauth.
>
> Thanks, though I'm not the one in need of a solution and I'm not that keen
> to give Java full unauthenticated browsing rights. Perhaps Truth Seeker(?)
> might try that though.
>
> Am I to understand that Java is just really bad at NTLM auth, so much so
> that people just whitelist it for unauthenticated access?

Yes.

Personally I recommend adding other ACL such as sources which are allowed to
use Java in this way. To reduce the impact and security holes this method
opens.

Amos
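The rule-ordering point that runs through this thread, and Amos's advice to pair the Java browser ACL with a src ACL, can be checked with a small first-match evaluator. This is an added example, not code from the thread or from squid; the Request fields, the ACL table and the sample requests are constructed for the demo, and the matcher is a simplified stand-in for squid's real ACL engine.

```python
"""Added example, not from the thread: a toy model of squid's first-match
http_access evaluation, showing why 'allow localnet Java' must precede
'deny !AuthorizedUsers' and how the src ACL Amos suggests narrows the hole."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str             # client IP
    user_agent: str      # what squid's 'browser' ACL regex-matches
    authenticated: bool  # proxy credentials accepted (proxy_auth REQUIRED)

# ACL definitions mirroring the squid.conf lines quoted in the thread
ACLS = {"Java": ("browser", ["Java/1.4", "Java/1.5", "Java/1.6"]),
        "localnet": ("src", ["172.1.0.0/19"]),
        "AuthorizedUsers": ("proxy_auth", ["REQUIRED"])}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "browser":
        return any(v in req.user_agent for v in values)
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v) for v in values)
    return req.authenticated  # proxy_auth REQUIRED

def http_access(rules, req):
    """First rule whose terms all match decides; '!' negates a term.
    As in squid, an unmatched request gets the opposite of the last rule."""
    for action, terms in rules:
        for term in terms:
            name = term.lstrip("!")
            hit = name == "all" or acl_matches(name, req)
            if hit == term.startswith("!"):
                break             # this term failed; try the next rule
        else:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order that works in the thread: Java on the local subnet skips auth.
GOOD = [("allow", ["localnet", "Java"]), ("deny", ["!AuthorizedUsers"]),
        ("allow", ["localnet"]), ("deny", ["all"])]
# Java rule placed after the auth check: the applet gets TCP_DENIED/407.
BAD = [("deny", ["!AuthorizedUsers"]), ("allow", ["localnet", "Java"]),
       ("allow", ["localnet"]), ("deny", ["all"])]
# Unrestricted variant: any Java User-Agent from anywhere skips auth.
WIDE = [("allow", ["Java"]), ("deny", ["!AuthorizedUsers"]),
        ("allow", ["localnet"]), ("deny", ["all"])]
JAVA_LAN = Request("172.1.0.128", "Mozilla/4.0 Java/1.6.0_15", False)  # constructed sample
JAVA_OUTSIDE = Request("10.9.8.7", "Mozilla/4.0 Java/1.6.0_15", False)  # constructed sample
```

With GOOD the LAN applet is allowed and the same User-Agent from outside localnet is still denied, whereas WIDE lets any client that sends a Java User-Agent string through without credentials, which is the hole the src ACL closes.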
[squid-users] Java not working behind squid
Hi all...

I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with
2003 AD (kerb + winbind) and have different acls (group based) in place.

The problem is, java is not working for our users. Previously they all were
using ISA, and java was working for them.

On the following site, http://www.dailyfx.com/, the 3rd column on the right
side shows the Live currency rates, which works with java. This is a must in
our environment...

Awaiting your response...
Re: [squid-users] Java not working behind squid
Hi,

On Tue, 25 Aug 2009, Truth Seeker wrote:
> I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with
> 2003 AD (kerb + winbind) and have different acls (group based) in place.
>
> The problem is, java is not working for our users. Previously they all were
> using ISA, and java was working for them.
>
> On the following site, http://www.dailyfx.com/, the 3rd column on the right
> side shows the Live currency rates, which works with java. This is a must
> in our environment...
>
> Awaiting your response...

We have a similar setup on one VLAN, with squid on linux authenticating users
using active directory. We've seen lots of issues with Java not being able to
authenticate.

Testing the page you're talking about (albeit with a linux desktop), I get a
java popup window asking me for my AD username/password/domain. I type it in
but repeatedly it fails. The squid access.log says:

1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html

I'm not sure if these lines in cache.log are relevant or not.

[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
[2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1

My usual workaround is to add an ACL for that site, which is far from ideal.
I've added the following ACL:

acl dailyfx dstdomain balancer.netdania.com
http_access allow dailyfx CONNECT

That works around the issue for me. I still get prompted for the username and
password and the logs suggest some traffic isn't getting through.

1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html

If I drop the word CONNECT I get no errors at all, but that disables
authentication entirely for that site.

There is definitely some issue with authentication and Java. I'm not sure if it
might actually be Authentication+Java+SSL. Our problems are generally with
java-driven online banking applications.

Gavin
Re: [squid-users] Java not working behind squid
Gavin McCullagh wrote:
> Hi,
>
> On Tue, 25 Aug 2009, Truth Seeker wrote:
>> I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating
>> with 2003 AD (kerb + winbind) and have different acls (group based) in
>> place.
>>
>> The problem is, java is not working for our users. Previously they all
>> were using ISA, and java was working for them.
>>
>> On the following site, http://www.dailyfx.com/, the 3rd column on the
>> right side shows the Live currency rates, which works with java. This is
>> a must in our environment...
>>
>> Awaiting your response...
>
> We have a similar setup on one VLAN, with squid on linux authenticating
> users using active directory. We've seen lots of issues with Java not being
> able to authenticate.
>
> Testing the page you're talking about (albeit with a linux desktop), I get
> a java popup window asking me for my AD username/password/domain. I type it
> in but repeatedly it fails. The squid access.log says:
>
> 1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
> I'm not sure if these lines in cache.log are relevant or not.
>
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
> [2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1
>
> My usual workaround is to add an ACL for that site, which is far from
> ideal. I've added the following ACL:
>
> acl dailyfx dstdomain balancer.netdania.com
> http_access allow dailyfx CONNECT
>
> That works around the issue for me. I still get prompted for the username
> and password and the logs suggest some traffic isn't getting through.
>
> 1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
> 1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
>
> If I drop the word CONNECT I get no errors at all, but that disables
> authentication entirely for that site.
>
> There is definitely some issue with authentication and Java. I'm not sure
> if it might actually be Authentication+Java+SSL. Our problems are generally
> with java-driven online banking applications.
>
> Gavin

Probably not java+auth+SSL if the normal requests still fail the same way.

java + proxy auth in general is a known issue with certain versions of Java.
Thus the age-old 'browser' ACL for allowing Java seen in tutorials all over
the web.

I've heard rumours of newer versions doing better and fixing various things.
But no idea which versions, if it's fully fixed or just half-fixed for some
protocols/requests.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13