Re: [squid-users] Redirector problems with squid 2.6
On Tue, 2008-03-04 at 09:45 +1000, Jonne Hannon wrote: I'm using squid 2.6STABLE18 as squid 3 is not yet compatibile with Smartfilter. In what way are the two incompatible? Is there a bug report for this problem? Thank you, Alex.
Re: [squid-users] Redirector problems with squid 2.6
Hi Henrik, To work with squid 2.6, I had to add a newline to the string being written back to stdout. This was not required with squid 2.5. Thanks for your help. Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au Henrik Nordstrom [EMAIL PROTECTED] 4/03/2008 10:08:57 am On Mon, 2008-03-03 at 11:23 +1000, Jonne Hannon wrote: It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Have you disabled output buffering in the helper? Regards Henrik ** This message has passed through an insecure network. Please direct all enquiries to the message author. ** ** This message has passed through an insecure network. Please direct all enquiries to the message author. **
Re: [squid-users] Redirector problems with squid 2.6
Jonne Hannon wrote: Hi, I'm currently upgrading Squid and Smartfilter to a supported combination of squid 2.6STABLE18 + Smartfilter 4.2.1. Included in this mix is a redirection program, written in c. The redirection program was written to intercept all proxy requests and query LDAP to check if the user has accepted Internet usage terms and conditions. If the user has not accepted or needs to re-confirm acceptance, the browser is redirected to the terms and conditions website. If the user has a valid acceptance record then they can continue on the requested website. The redirector program reads from buffered stdout, queries LDAP and writes back to stdout using fprintf. This worked in squid 2.5, but using squid 2.6, the browser appears to timeout with no error reported back to the user. There is no log entry in the access.log, but there is a log entry in store.log that looks like the following: 1204259653.333 RELEASE -1 AF6C1D6C4B3CEF474FB849A84B6F9371 200 1204256053 1204256053 1204259653 application/cache-digest 817/817 GET internal://xxx.xxx.xxx.xxx/squid-internal-periodic/store_digest It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Are you sure this is done with a rediretor? How is it getting its user info to query LDAP? Redirectors receive a bare URI. You would probably be better off using basic auth (against LDAP) and a special deny_info for when it fails. To prevent popups there is a config trick: acl authUsers proxy_auth REQUIRED acl dummy_auth src all http_access allow authUsers dummy_auth deny_info http://.../conditions.html dummy_auth Amos -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.
Re: [squid-users] Redirector problems with squid 2.6
Hi Amos, Thanks for your reply. We already use basic auth to authenticate the user against the LDAP tree. The username is passed to the redirector via the ident parameter and this is how LDAP is queried from the redirector. I have turned on debugging options and the following is logged to the cache log: 2008/03/03 14:24:03| clientRedirectStart: 'http://www.news.com.au/' 2008/03/03 14:24:03| redirectStart: 'http://www.news.com.au/' and thats where the logging stops. The redirector logs that it got the input from stdin, logs the successful LDAP query, logs the output sent to stdout, then nothing. It appears that squid is not noticing that the output has been written to stdout from the redirector and it waiting. This is the output being written to stdout from the redirector: Mar 3 14:24:03 esl4 (tc_redirector)[3354]: Sent 'http://www.news.com.au/ xxx.xxx.xxx.xxx/- abc123 GET'. I'm using squid 2.6STABLE18 as squid 3 is not yet compatibile with Smartfilter. Thanks, Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au Amos Jeffries [EMAIL PROTECTED] 3/03/2008 5:58:58 pm Jonne Hannon wrote: Hi, I'm currently upgrading Squid and Smartfilter to a supported combination of squid 2.6STABLE18 + Smartfilter 4.2.1. Included in this mix is a redirection program, written in c. The redirection program was written to intercept all proxy requests and query LDAP to check if the user has accepted Internet usage terms and conditions. If the user has not accepted or needs to re-confirm acceptance, the browser is redirected to the terms and conditions website. If the user has a valid acceptance record then they can continue on the requested website. The redirector program reads from buffered stdout, queries LDAP and writes back to stdout using fprintf. This worked in squid 2.5, but using squid 2.6, the browser appears to timeout with no error reported back to the user. There is no log entry in the access.log, but there is a log entry in store.log that looks like the following: 1204259653.333 RELEASE -1 AF6C1D6C4B3CEF474FB849A84B6F9371 200 1204256053 1204256053 1204259653 application/cache-digest 817/817 GET internal://xxx.xxx.xxx.xxx/squid-internal-periodic/store_digest It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Are you sure this is done with a rediretor? How is it getting its user info to query LDAP? Redirectors receive a bare URI. You would probably be better off using basic auth (against LDAP) and a special deny_info for when it fails. To prevent popups there is a config trick: acl authUsers proxy_auth REQUIRED acl dummy_auth src all http_access allow authUsers dummy_auth deny_info http://.../conditions.html dummy_auth Amos -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases. ** This message has passed through an insecure network. Please direct all enquiries to the message author. ** ** This message has passed through an insecure network. Please direct all enquiries to the message author. **
Re: [squid-users] Redirector problems with squid 2.6
On Mon, 2008-03-03 at 11:23 +1000, Jonne Hannon wrote: It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Have you disabled output buffering in the helper? Regards Henrik
Re: [squid-users] Redirector problems with squid 2.6
Hi Henrik, We are using the following code to disable output buffering: if (setvbuf(stdout, NULL, _IONBF, 0) != 0) return 1; and using fprintf() statements to write to stdout. Thanks, Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au Henrik Nordstrom [EMAIL PROTECTED] 4/03/2008 10:08:57 am On Mon, 2008-03-03 at 11:23 +1000, Jonne Hannon wrote: It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Have you disabled output buffering in the helper? Regards Henrik ** This message has passed through an insecure network. Please direct all enquiries to the message author. ** ** This message has passed through an insecure network. Please direct all enquiries to the message author. **
Fwd: Re: [squid-users] Redirector problems with squid 2.6
Hi Henrik, We are using the following code to disable output buffering: if (setvbuf(stdout, NULL, _IONBF, 0) != 0) return 1; and using fprintf() statements to write to stdout. Thanks, Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au Henrik Nordstrom [EMAIL PROTECTED] 4/03/2008 10:08:57 am On Mon, 2008-03-03 at 11:23 +1000, Jonne Hannon wrote: It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Have you disabled output buffering in the helper? Regards Henrik ** This message has passed through an insecure network. Please direct all enquiries to the message author. ** ** This message has passed through an insecure network. Please direct all enquiries to the message author. **
[squid-users] Redirector problems with squid 2.6
Hi, I'm currently upgrading Squid and Smartfilter to a supported combination of squid 2.6STABLE18 + Smartfilter 4.2.1. Included in this mix is a redirection program, written in c. The redirection program was written to intercept all proxy requests and query LDAP to check if the user has accepted Internet usage terms and conditions. If the user has not accepted or needs to re-confirm acceptance, the browser is redirected to the terms and conditions website. If the user has a valid acceptance record then they can continue on the requested website. The redirector program reads from buffered stdout, queries LDAP and writes back to stdout using fprintf. This worked in squid 2.5, but using squid 2.6, the browser appears to timeout with no error reported back to the user. There is no log entry in the access.log, but there is a log entry in store.log that looks like the following: 1204259653.333 RELEASE -1 AF6C1D6C4B3CEF474FB849A84B6F9371 200 1204256053 1204256053 1204259653 application/cache-digest 817/817 GET internal://xxx.xxx.xxx.xxx/squid-internal-periodic/store_digest It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further? Thanks, Jonne. iDivision Security Team Brisbane City Council Ph: 07 3403 6918 Email: [EMAIL PROTECTED] Visit http://www.brisbane.qld.gov.au ** This message has passed through an insecure network. Please direct all enquiries to the message author. **