Re: [squid-users] Re: squid3 block all 443 ports request
On Fri, Feb 14, 2014 at 9:39 PM, khadmin khalil.bens...@hotmail.com wrote:

> Hi,
>
> - For the client 192.168.1.53 I configure the browser not to use the proxy and it fetches the www.google.com web site.
> - For the local machine (the server where Squid is installed) without the proxy I can fetch www.google.com; with the proxy configured on 127.0.0.1 I get this message in the access.log file:
>
> 1392393591.247 38412 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google-analytics.com/__utm.gif? - HIER_DIRECT/2a00:1450:4002:804::1006 -
> 1392393632.774 40544 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://googleads.g.doubleclick.net/pagead/ads? - HIER_DIRECT/2a00:1450:4006:802::100d -
> 1392392594.681 59856 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.tn:443 - HIER_NONE/- -

If it is not very critical, just disable IPv6 temporarily and check if yahoo, google etc. work or not. Most probably it is the case of non-working IPv6 infrastructure.

Regards,
Sachin Divekar
[squid-users] Re: squid3 block all 443 ports request
Hi,

I want to thank you all for your efforts; finally it works. I have to disable the IPv6 protocol on clients and it works perfectly.

Thank you again.

Regards,
Khalil

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid3-block-all-443-ports-request-tp4664735p4664884.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: squid3 block all 443 ports request
On 17/02/2014 8:55 p.m., khadmin wrote:
> Hi Amos,
>
> Thank you for the response. Actually I'm working with IPv4 on my network architecture.

While Squid appears to be trying to use the half-working IPv6 network you have available.

Note that your Squid is apparently *successfully* performing the TCP SYN/SYN-ACK exchange to set up the remote server connections over IPv6. *Then* failing on the data packets.

As a friend of mine is becoming famous for saying: Welcome to your IPv6 transit network, whether you know it or not.

> All the clients are connected to a DC Windows 2012 server that manages DNS, DHCP and AD. The proxy server is not under the domain controller and has a static IP address.
>
> Anyway I will try to run MTU Path and I will give you feedback. Otherwise, would you advise me to install another version of Squid proxy?

I advise looking into fixing the IPv6 on your network. Since Squid is getting as far as it does you can be sure there is other software on your network doing the same, or possibly even getting working connections.

Start with the firewall rules on your routers ASAP so that when you get around to fixing packet transit your normal security policies do not suddenly gain lots of holes.

Amos
Re: [squid-users] Re: squid3 block all 443 ports request
On 18/02/2014 4:45 a.m., khadmin wrote:
> Hi,
>
> I want to thank you all for your efforts; finally it works. I have to disable the IPv6 protocol on clients and it works perfectly.

That is wrong. The clients were already working perfectly and disabling IPv6 breaks more than just this one small problem.

See the FAQ Q. What are Microsoft's recommendations about disabling IPv6?
http://technet.microsoft.com/en-us/network/cc987595.aspx

It was the Squid-server connections which were having trouble and the correct solution is to fix the brokenness by making IPv6 work (for values of work which include denied) rather than disabling things more.

Amos
[squid-users] Re: squid3 block all 443 ports request
Hi Amos,

Thank you for the response. Actually I'm working with IPv4 on my network architecture.

All the clients are connected to a DC Windows 2012 server that manages DNS, DHCP and AD. The proxy server is not under the domain controller and has a static IP address.

Anyway I will try to run MTU Path and I will give you feedback. Otherwise, would you advise me to install another version of Squid proxy?

Regards,
Khalil
Re: [squid-users] Re: squid3 block all 443 ports request
On 15/02/2014 5:09 a.m., khadmin wrote:
> Hi,
>
> - For the client 192.168.1.53 I configure the browser not to use the proxy and it fetches the www.google.com web site.
> - For the local machine (the server where Squid is installed) without the proxy I can fetch www.google.com; with the proxy configured on 127.0.0.1 I get this message in the access.log file:
>
> 1392393591.247 38412 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google-analytics.com/__utm.gif? - HIER_DIRECT/2a00:1450:4002:804::1006 -
> 1392393632.774 40544 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://googleads.g.doubleclick.net/pagead/ads? - HIER_DIRECT/2a00:1450:4006:802::100d -

How good is your IPv6 connectivity?

What that ABORTED shows is that Squid successfully connected to the server, but 0 bytes had been received back before the client gave up. This process took around 30-60 seconds to happen, so the client is not particularly impatient.

It is not uncommon to see these types of things on networks where people have IPv6 operating over a broken tunnel, or have disabled ICMP (ICMP is not optional in IPv6).

This tool may help determine the problem:
http://www.iea-software.com/products/mtupath.cfm

Amos
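Amos's reading of those access.log lines (Squid reached the origin, zero bytes came back, the client waited 30-60 seconds, the next hop was an IPv6 address) can be done mechanically over a whole log. The script below is an added example, not code from this thread or from the Squid project. It parses Squid's native access.log layout (time, duration in ms, client, result/status, bytes, method, URL, user, hierarchy/next-hop, content type), uses the three lines Khalil posted as its sample input, and tells an ACL denial (TCP_DENIED/403) apart from a stalled-after-connect entry, counting the latter by next-hop address family so an IPv6 transit problem stands out from an ACL mistake. It assumes the native log format rather than a custom logformat.

```python
"""Classify Squid native-format access.log entries.

Added example (not code from the squid-users thread or the Squid project).
Assumes the native log format: time, duration in ms, client, result/status,
bytes to client, method, URL, user, hierarchy/next-hop, content type.
"""
import ipaddress
from dataclasses import dataclass

# The three lines Khalil posted for the proxy-on-127.0.0.1 test.
SAMPLE_LOG = """\
1392393591.247 38412 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google-analytics.com/__utm.gif? - HIER_DIRECT/2a00:1450:4002:804::1006 -
1392393632.774 40544 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://googleads.g.doubleclick.net/pagead/ads? - HIER_DIRECT/2a00:1450:4006:802::100d -
1392392594.681 59856 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.tn:443 - HIER_NONE/- -
"""


@dataclass
class Entry:
    timestamp: float
    duration_ms: int
    client: str
    result: str        # TCP_MISS, TCP_MISS_ABORTED, TCP_DENIED, ...
    status: int        # HTTP status; 0 when no response was produced
    bytes_sent: int    # bytes delivered to the client
    method: str
    url: str
    hierarchy: str     # HIER_DIRECT, HIER_NONE, ...
    peer: str          # next-hop address, or "-" when none was used


def parse_line(line):
    """Split one native-format line into an Entry (URLs contain no spaces)."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native access.log line: %r" % line)
    result, status = f[3].split("/", 1)
    hierarchy, _, peer = f[8].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def peer_family(peer):
    """'IPv4' / 'IPv6' for a literal next-hop address, None for '-' or a name."""
    try:
        return "IPv%d" % ipaddress.ip_address(peer).version
    except ValueError:
        return None


def classify(e):
    """Name the failure mode an entry shows, in the terms the thread uses."""
    if e.result.startswith("TCP_DENIED"):
        return "denied-by-acl"                      # http_access said no
    if "ABORTED" in e.result and e.bytes_sent == 0 and e.hierarchy == "HIER_DIRECT":
        # Squid knows the peer address, so the TCP handshake succeeded, yet the
        # client gave up before any response byte arrived: a transit problem.
        return "stalled-after-connect (%s peer, %ds)" % (peer_family(e.peer), e.duration_ms // 1000)
    if e.status == 503 and e.hierarchy == "HIER_NONE":
        return "no-usable-server (%ds)" % (e.duration_ms // 1000)
    return "ok"


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stalled_by_family(entries):
    """Count stalled-after-connect entries per next-hop address family."""
    counts = {}
    for e in entries:
        if classify(e).startswith("stalled-after-connect"):
            fam = peer_family(e.peer) or "unknown"
            counts[fam] = counts.get(fam, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print("%-8s %-40s %s" % (e.method, e.url[:40], classify(e)))
    print("stalled per family:", stalled_by_family(entries))
```

Run over a real log the per-family count is the useful number: a pile of stalled entries all behind IPv6 next hops, with none behind IPv4 ones, points at the transit path rather than at http_access, which is exactly the distinction the thread took several days to make.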
[squid-users] Re: squid3 block all 443 ports request
Hi,

First of all I want to thank you for your answers.

I took the default squid.conf file and replaced the other squid.conf file with it. I just added cache_effective_user proxy-server because I'm administrating Squid with Webmin, and everything works great. But I still have this problem with some web pages like Google.com, youtube, facebook.

I checked the access.log file under /var/log/squid3 and I noticed that some web pages use non-safe ports to connect (like 809, 807...).

Attached to this post you will find my squid.conf file. What do you recommend me to do?

Regards,
Khalil

squid.conf http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4664813/squid.conf
Re: [squid-users] Re: squid3 block all 443 ports request
On 15/02/2014 12:07 a.m., khadmin wrote:
> Hi,
>
> First of all I want to thank you for your answers.
>
> I took the default squid.conf file and replaced the other squid.conf file with it. I just added cache_effective_user proxy-server because I'm administrating Squid with Webmin, and everything works great. But I still have this problem with some web pages like Google.com, youtube, facebook.
>
> I checked the access.log file under /var/log/squid3 and I noticed that some web pages use non-safe ports to connect (like 809, 807...).
>
> Attached to this post you will find my squid.conf file. What do you recommend me to do?

Check out carefully why they are needed, and whether there is any danger using them (I've not heard anything about those port numbers but check for yourself anyway).

If it's all good, add them to both the SSL_Ports and Safe_Ports ACLs.

Amos
[squid-users] Re: squid3 block all 443 ports request
Hi,

I get this in the access.log file when I tried to access www.google.com, www.youtube.com or facebook.com:

1392389240.880 43296 192.168.1.53 TCP_MISS_ABORTED/000 0 GET http://www.youtube.com/ - HIER_DIRECT/2a00:1450:4001:c02::be -
1392389241.746 41230 192.168.1.53 TCP_MISS_ABORTED/000 0 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4007:803::1012 -
1392389312.371 59785 192.168.1.53 TCP_MISS/503 0 CONNECT www.facebook.com:443 - HIER_NONE/- -

As you see, the 5th column, which represents the amount of data delivered to the client, is 0. I don't understand the problem.

I hope to find someone that has faced the same thing because it's the only step that blocks my deployment.

Regards,
Khalil
Re: [squid-users] Re: squid3 block all 443 ports request
On Friday 14 February 2014 at 16:04:01, khadmin wrote:
> Hi,
>
> I get this in the access.log file when I tried to access www.google.com, www.youtube.com or facebook.com:
>
> 1392389240.880 43296 192.168.1.53 TCP_MISS_ABORTED/000 0 GET http://www.youtube.com/ - HIER_DIRECT/2a00:1450:4001:c02::be -
> 1392389241.746 41230 192.168.1.53 TCP_MISS_ABORTED/000 0 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4007:803::1012 -
> 1392389312.371 59785 192.168.1.53 TCP_MISS/503 0 CONNECT www.facebook.com:443 - HIER_NONE/- -
>
> As you see, the 5th column, which represents the amount of data delivered to the client, is 0. I don't understand the problem.

Is it possible that there is something else filtering accesses to these sites from your network?

I see that the Google and Facebook requests show ABORTED, therefore something terminated the request.

Please try the following:

1. From the same client machine 192.168.1.53 configure the browser not to use a proxy (access the Internet directly) and see whether you can reach the same sites.

2. Using either a browser (if one is installed) or a tool such as wget on the Squid proxy itself, try to access http://www.google.com etc and see whether it can fetch a page. If it can, tell the browser or wget to use 127.0.0.1 as a proxy and try again.

Hope this helps,

Antony.

--
There's no such thing as bad weather - only the wrong clothes.
 - Billy Connolly

Please reply to the list; please don't CC me.
[squid-users] Re: squid3 block all 443 ports request
Hi,

- For the client 192.168.1.53 I configure the browser not to use the proxy and it fetches the www.google.com web site.
- For the local machine (the server where Squid is installed) without the proxy I can fetch www.google.com; with the proxy configured on 127.0.0.1 I get this message in the access.log file:

1392393591.247 38412 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google-analytics.com/__utm.gif? - HIER_DIRECT/2a00:1450:4002:804::1006 -
1392393632.774 40544 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://googleads.g.doubleclick.net/pagead/ads? - HIER_DIRECT/2a00:1450:4006:802::100d -
1392392594.681 59856 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.tn:443 - HIER_NONE/- -

Regards,
Khalil
[squid-users] Re: squid3 block all 443 ports request
Hi,

With this configuration all requests are blocked. I haven't found a solution yet.

Port 443 exists even in the safe_ports list; I don't know if it has something to do with these restrictions.

I hope someone can help me on this because it's the only problem that blocks the deployment of Squid3.

Regards,
Khalil
[squid-users] Re: squid3 block all 443 ports request
my config file is
squid.conf http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4664772/squid.conf
Re: [squid-users] Re: squid3 block all 443 ports request
On Thursday 13 February 2014 at 15:49:27, khadmin wrote:
> Hi,
>
> With this configuration all requests are blocked.

On Thursday 13 February 2014 at 15:50:03, khadmin wrote:
> my config file is
> http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4664772/squid.conf

Yes. You have:

http_access deny Safe_ports !Safe_ports

This means deny X and also deny the opposite of X (in this case X being a number of different ports).

Therefore everything is denied, as you specified.

Regards,

Antony.

--
The tofu battle I saw last weekend was quite brutal.
 - Marija Danute Brigita Kuncaitis

Please reply to the list; please don't CC me.
[squid-users] Re: squid3 block all 443 ports request
Hi Antony,

Actually I'm trying to have something that works without any restrictions or control. I allow all the ACLs:

http_access allow Safe_ports
http_access allow SSL_ports
http_access allow !Safe_ports
http_access allow !SSL_ports

Even when I do that some web pages don't respond (like google.com, youtube, facebook). I'm wondering if the problem is really because of SSL_ports, because web sites like Hotmail.com work perfectly and I can sign in.

Here again my config file:
squid.conf http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4664774/squid.conf

Regards,
Khalil
Re: [squid-users] Re: squid3 block all 443 ports request
On Thursday 13 February 2014 at 16:19:16, khadmin wrote:
> Hi Antony,
>
> Actually I'm trying to have something that works without any restrictions or control.

Have you tried taking the completely default squid.conf, adding an acl for the source IP range of your network (see the example lines starting with #acl localnet src), and an http_access allow rule for that network range (see the example line #http_access allow localnet), with no other changes?

That should do what you're trying to achieve.

Antony.

--
Users don't know what they want until they see what they get.

Please reply to the list; please don't CC me.
Re: [squid-users] Re: squid3 block all 443 ports request
On 2014-02-14 05:27, Antony Stone wrote:
> On Thursday 13 February 2014 at 16:19:16, khadmin wrote:
>> Hi Antony,
>>
>> Actually I'm trying to have something that works without any restrictions or control.

You mean?
  http_access allow all
- does exactly what you just said. But is very insecure as it drops protection against attackers and the protocol smuggling vulnerabilities in HTTP.

The below from Antony is best-practice advice:

> Have you tried taking the completely default squid.conf, adding an acl for the source IP range of your network (see the example lines starting with #acl localnet src), and an http_access allow rule for that network range (see the example line #http_access allow localnet), with no other changes?
>
> That should do what you're trying to achieve.
>
> Antony.

Note that the _documentation file_ you currently have is not actually the default config. Your Squid should have installed with a squid.conf.default file which is the actual default configuration for Squid. If that is missing for any reason the wiki release page contains a copy:
http://wiki.squid-cache.org/Squid-3.3

Amos
[squid-users] Re: squid3 block all 443 ports request
Better make it

http_access deny !SSL_ports
Re: [squid-users] Re: squid3 block all 443 ports request
Hi Khalil,

You've supplied a logically invalid access rule, i.e. an impossible match. You're trying to block everything that is on port 445 and also at the same time everything that is *not* on 443. I'd be surprised if you can get any access with that!

What you need is something like (if you want to block SSL):

http_access allow !SSL_ports
http_access deny SSL_ports

Swap it around if you want to allow SSL only.

Read the docs; the way acls and access rules work is clearly explained there. Access lists are logically and'ed in the same entry, and or'ed (in order before a deny rule) over multiple entries. acls are or'ed in the same entry, and across multiple entries.

Cheers
Alex

On 12/02/14 15:27, khadmin wrote:
> Hi,
>
> here is my squid.conf file.
> here is my configuration concerning ssl ports:
>
> acl SSL_ports port 443
> http_access deny SSL_ports !SSL_ports
>
> Regards,
> Khalil
>
> squid.conf http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4664752/squid.conf
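The evaluation rules Alex, Antony and Amos describe across the thread (terms on one http_access line are AND'ed, lines are tried in order and the first match decides, `!` negates a term, repeated acl lines OR their values together, a line such as `deny SSL_ports !SSL_ports` can never match, and `http_access allow all` opens the proxy to everyone) can be checked with a small evaluator. The code below is an added example, not code from this thread or from the Squid project. It models only the port, method and src ACL types, a trimmed copy of the stock squid.conf rule order, and a localnet range of 192.168.0.0/16 that is an assumption standing in for whatever Khalil's network actually uses; the evaluator's default when no line matches (the opposite of the last line's action) follows Squid's documented behaviour.

```python
"""Model of Squid http_access evaluation (added example, not code from the
thread or the Squid project). Terms on one line are AND'ed, lines are tried in
order and the first match decides, '!' negates a term, a repeated acl name
OR's values into it, and with no match the result is the opposite of the last
line's action. Only the port, method and src ACL types are modelled."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    src: str      # client address
    method: str   # GET, CONNECT, ...
    port: int     # destination port of the request

class SquidAccess:
    def __init__(self):
        self.acls = {}   # name -> (type, [values])
        self.rules = []  # (action, [(negated, name)], line as written)

    def acl(self, name, acl_type, *values):
        """'acl <name> <type> <values...>'; a repeated name extends its set (OR)."""
        self.acls.setdefault(name, (acl_type, []))[1].extend(values)

    def http_access(self, action, *terms):
        if action not in ("allow", "deny"):
            raise ValueError(action)
        parsed = [(t.startswith("!"), t.lstrip("!")) for t in terms]
        if any(name not in self.acls for _, name in parsed):
            raise ValueError("undefined acl in %r" % (terms,))
        self.rules.append((action, parsed, "http_access %s %s" % (action, " ".join(terms))))

    def _match(self, name, req):
        typ, values = self.acls[name]
        if typ == "port":   # single ports or 'lo-hi' ranges
            return any(int(lo) <= req.port <= int(hi or lo)
                       for lo, _, hi in (v.partition("-") for v in values))
        if typ == "method":
            return req.method.upper() in {v.upper() for v in values}
        if typ == "src":
            ip = ipaddress.ip_address(req.src)
            return any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values)
        raise ValueError("unsupported acl type %r" % typ)

    def check(self, req):
        """Return (decision, the line that decided or a 'default' note)."""
        for action, terms, line in self.rules:
            if all(self._match(name, req) != negated for negated, name in terms):
                return action, line
        if not self.rules:
            return "deny", "default (no http_access lines)"
        last = self.rules[-1][0]
        return ("allow" if last == "deny" else "deny"), "default (opposite of last line)"

    def contradictory_rules(self):
        """Lines naming an acl both plain and negated: they can never match."""
        return [line for _, terms, line in self.rules
                if {n for neg, n in terms if not neg} & {n for neg, n in terms if neg}]

def thread_config():
    """The single line Khalil posted."""
    s = SquidAccess()
    s.acl("SSL_ports", "port", "443")
    s.http_access("deny", "SSL_ports", "!SSL_ports")
    return s

def default_style_config(localnet="192.168.0.0/16"):
    """Trimmed copy of the stock squid.conf rule order; localnet is an assumed range."""
    s = SquidAccess()
    s.acl("localnet", "src", localnet)
    s.acl("localhost", "src", "127.0.0.1/32")
    s.acl("SSL_ports", "port", "443")
    s.acl("Safe_ports", "port", "80", "21", "443", "70", "210", "1025-65535")
    s.acl("CONNECT", "method", "CONNECT")
    s.acl("all", "src", "all")
    s.http_access("deny", "!Safe_ports")             # odd ports refused outright
    s.http_access("deny", "CONNECT", "!SSL_ports")   # tunnels only to 443
    s.http_access("allow", "localnet")
    s.http_access("allow", "localhost")
    s.http_access("deny", "all")
    return s

def permissive_config():
    """'http_access allow all', the line Amos warns against."""
    s = SquidAccess()
    s.acl("all", "src", "all")
    s.http_access("allow", "all")
    return s

if __name__ == "__main__":
    print("never matches:", thread_config().contradictory_rules())
    cfg = default_style_config()
    for r in (Request("192.168.1.53", "CONNECT", 443), Request("192.168.1.53", "CONNECT", 809),
              Request("10.0.0.5", "GET", 80)):
        print(r, "->", cfg.check(r))
    print("allow all:", permissive_config().check(Request("203.0.113.9", "CONNECT", 25)))
```

Two things the evaluator makes concrete: Khalil's `deny SSL_ports !SSL_ports` line is reported by `contradictory_rules()` because no request can satisfy both terms, so it decides nothing and whatever was being blocked was decided by some other line; and under the stock rule order a CONNECT to port 809 from the LAN is refused by `deny !Safe_ports` before any allow line is reached, which is the TCP_DENIED that an open `allow all` would turn into a tunnel to any port from any source.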