Re: [squid-users] Problem with 6.1 squidclient mgr:

2023-08-02 Thread Alex Rousskov

On 7/31/23 09:47, Alex Rousskov wrote:

On 7/31/23 06:13, Gérard Parat wrote:


I use Squid as a Windows 10 service with Cygwin since 5.7 release.

I usually monitor activity with squidclient mgr: but since 6.1 it
doesn't work anymore:

   * HTTP/1.1 403 Forbidden

However, squidclient cache_object://localhost/ is working fine.

Is there new options to add to squid.conf to access mgr: ?


Does your Squid identify itself as "localhost" in Via headers and other 
output? If not, you are probably suffering from bug #5283:

https://bugs.squid-cache.org/show_bug.cgi?id=5283

There are several workarounds, including Squid patches, but no long-term 
solution yet. If you do not want to patch Squid, use "squidclient -h..." 
as suggested at https://bugs.squid-cache.org/show_bug.cgi?id=5283#c1


Just an update in case somebody else suffers from this problem and reads 
this thread: After looking through Gérard's debugging logs, I can 
confirm that this setup suffers from Squid bug #5283, and that 
"squidclient -h" workaround helps. However, that workaround is not 
sufficient in this particular use case because


1. Like many Squids, this Squid is configured to allow manager requests 
sent from localhost only. When "squidclient -h example.text mgr:info" 
runs on the same host as Squid, and example.test resolves to something 
other than a localhost address (e.g., 192.168.28.150), squidclient 
connects from that other IP address, and Squid denies that request 
because the manager ACL matches but the localhost ACL does not.


2. On Linux, the problem in item 1 above can be overcome by telling 
squidclient (that runs on the same host as Squid) to connect from 
127.0.0.1 or another localhost address. For example:


squidclient -v -l 127.0.0.1 -h example.text mgr:info

However, in some environments (e.g., Windows 10?), it is not possible to 
connect from 127.0.0.1 to, say, 192.168.28.150, even if both IPs belong 
to the same host where squidclient is executed. In those environments, 
forcing source address results in a squidclient TCP connection 
establishment failure:


$ squidclient -v -l 127.0.0.1 -h example.text mgr:info
...
Transport detected: IPv4-mapped  and IPv6
Resolving 127.0.0.1 ...
Resolving... example.test
Connecting... example.test (192.168.28.150:3128)
ERROR: Cannot connect to 192.168.28.150:3128

Some clients have "resolve DNS name X as IP address Y" features (e.g., 
"curl --resolve") that can be used to work around item 2 problems, but 
squidclient lacks those.



HTH,

Alex.

--- cache.log analysis ---

All three cases below were handled as I would expect them to be handled 
given the current set of known Squid problems. SelfName or 
"example.test" is the host name that this Squid identifies itself as *in 
cache manager request handling context*. In general, SelfName may be 
different from the name used in Via and Cache-Status headers, 
complicating the issues further. In this setup, they are the same.



## Case A: Request not matching SelfName of the receiving Squid

$ squidclient mgr:info

... HTTP Client local=[::1]:3128 remote=[::1]
GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
Host: localhost:3128
User-Agent: squidclient/6.1


The above squidclient request is not recognized as a request to the 
cache manager of the receiving Squid because receiving Squid's SelfName 
is example.test rather than localhost. Squid bug #5283 is relevant here.


Receiving Squid (let's call it Squid A) forwards the above request to 
the server at localhost:3128 address (let's call that Squid B). In this 
test, Squid A and Squid B are the same Squid instance, but Squid 
forwarding code does not know that. Forwarding a request from Squid A 
instance to (the same) Squid B instance creates a forwarding loop:


2023/08/01 11:14:15| WARNING: Forwarding loop detected for:
GET /squid-internal-mgr/info HTTP/1.1
Host: example.test:3128
User-Agent: squidclient/6.1
Via: 1.0 example.test (squid/6.1)

Squid B denies the request because Squid B has detected the above 
forwarding loop and all forwarding loops are blocked:


HTTP/1.1 403 Forbidden
Server: squid/6.1
X-Squid-Error: ERR_ACCESS_DENIED 0
Cache-Status: example.test;detail=mismatch
Via: 1.1 example.test (squid/6.1)

Squid A forwards the above denial response to squidclient (note the two 
Cache-Status fields and two Via field values):


HTTP/1.1 403 Forbidden
Server: squid/6.1
X-Squid-Error: ERR_ACCESS_DENIED 0
Cache-Status: example.test;detail=mismatch
Via: 1.1 example.test (squid/6.1),
 1.1 example.test (squid/6.1)
Cache-Status: example.test;detail=no-cache


## Case B: Not-from-localhost request

$ squidclient -h example.test mgr:info

... HTTP Client local=192.168.28.150:3128 remote=192.168.28.150
GET http://example.test:3128/squid-internal-mgr/info HTTP/1.0
Host: example.test:3128
User-Agent: squidclient/6.1

The above 
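The two checks Alex's reply turns on, "what name does this Squid put in Via" (bug #5283) and "did the same name appear twice" (the Case A forwarding loop), can be scripted against captured response headers. The following is an added example, not part of the thread and not one of Squid's tools; it parses the Via header of a constructed header block built from the Case A 403 reply (the only names in it are the thread's own example.test and squid/6.1) and counts how often a given proxy name occurs.

```shell
#!/bin/sh
# Added example (not part of the squid-users thread or of Squid's own tools):
# read HTTP response headers, list the proxies named in the Via header, and
# count how often one name appears, which is the condition Squid reports as a
# forwarding loop. The sample headers below are constructed from the Case A
# reply quoted above; all names in them are the thread's own examples.

SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
Server: squid/6.1
X-Squid-Error: ERR_ACCESS_DENIED 0
Cache-Status: example.test;detail=mismatch
Via: 1.1 example.test (squid/6.1),
 1.1 example.test (squid/6.1)
Cache-Status: example.test;detail=no-cache'

# unfold_headers: join continuation lines (starting with SP or HTAB) onto the
# header they belong to, so each header occupies exactly one line.
unfold_headers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); line = line $0; next }
        { if (NR > 1) print line; line = $0 }
        END { print line }'
}

# via_hosts: print the received-by name of every Via hop, one per line, in the
# order the proxies appended them. Each hop is "protocol-version host (comment)";
# a ":port" suffix on the host is dropped.
via_hosts() {
    unfold_headers "$1" | awk '
        tolower($0) ~ /^via:/ {
            val = $0
            sub(/^[A-Za-z]+:[ \t]*/, "", val)
            n = split(val, hops, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(hops[i], f, /[ \t]+/)
                sub(/:[0-9]+$/, "", f[2])
                if (f[2] != "") print f[2]
            }
        }'
}

# via_loop_count: how many Via hops name HOST. More than one means the response
# passed through a proxy calling itself HOST twice, i.e. a forwarding loop.
via_loop_count() {
    via_hosts "$1" | awk -v host="$2" '$0 == host { c++ } END { print c + 0 }'
}

# Demo on the constructed sample. For a live check, capture the headers that
# "squidclient -v" prints for a mgr: request and pass them in instead.
via_hosts "$SAMPLE_HEADERS"
echo "example.test appears $(via_loop_count "$SAMPLE_HEADERS" example.test) times in Via"
```

On the sample this prints example.test twice and a count of 2, matching the two Via values Alex points out in the doubly-forwarded denial. Against a single, healthy Squid the count for its own name is 1, and the name printed is the one to hand to "squidclient -h" when the manager request is otherwise misrouted; Alex's caveat still applies that the cache-manager SelfName can in general differ from the Via name.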

Re: [squid-users] Problem with 6.1 squidclient mgr:

2023-07-31 Thread Alex Rousskov

On 7/31/23 06:13, Gérard Parat wrote:


I use Squid as a Windows 10 service with Cygwin since 5.7 release.

I usually monitor activity with squidclient mgr: but since 6.1 it
doesn't work anymore:

   * HTTP/1.1 403 Forbidden

However, squidclient cache_object://localhost/ is working fine.

Is there new options to add to squid.conf to access mgr: ?


Does your Squid identify itself as "localhost" in Via headers and other 
output? If not, you are probably suffering from bug #5283:

https://bugs.squid-cache.org/show_bug.cgi?id=5283

There are several workarounds, including Squid patches, but no long-term 
solution yet. If you do not want to patch Squid, use "squidclient -h..." 
as suggested at https://bugs.squid-cache.org/show_bug.cgi?id=5283#c1



HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Problem with 6.1 squidclient mgr:

2023-07-31 Thread Gérard Parat
Hi all,

I use Squid as a Windows 10 service with Cygwin since 5.7 release.

I usually monitor activity with squidclient mgr: but since 6.1 it
doesn't work anymore:

  * HTTP/1.1 403 Forbidden

However, squidclient cache_object://localhost/ is working fine.

Is there new options to add to squid.conf to access mgr: ?

Thanks,

Gérard



Re: [squid-users] Problem with wss protocol.

2022-11-01 Thread squid3

On 2022-11-02 06:59, Armando Ramos Roche wrote:

Hi all.
I was working with squid v3.3 on ubuntu 18.04, after migrating to ubuntu
20.04 a few months ago, squid was updated to version 3.5, currently version
3.5.27.
And I have realized that nothing that uses the wss or ws protocol works for
me, for example whatsapp, messenger etc...
I've searched the logs, but nothing shows up.


Not showing up in logs, even as a failed or rejected transaction is a 
sign that it is not going to Squid.


From the syntax shown by Firefox it looks to me like HTTP/2 or HTTP/3. 
Which also means it is probably not going to Squid.


Amos


[squid-users] Problem with wss protocol.

2022-11-01 Thread Armando Ramos Roche
Hi all.
I was working with squid v3.3 on ubuntu 18.04, after migrating to ubuntu
20.04 a few months ago, squid was updated to version 3.5, currently version
3.5.27.
And I have realized that nothing that uses the wss or ws protocol works for
me, for example whatsapp, messenger etc...
I've searched the logs, but nothing shows up.
I am not doing SSL Bump.
And I've done some searching on the internet and can't find anything to
help me.
It does not even get a response from the server, it does not even leave a
trace in the log
Here the request in firefox:
{
"GET": {
"scheme": "wss",
"host": "web.whatsapp.com",
"filename": "/ws/chat"
}
}
{
"Cabeceras de la petición (585 B)": {
"headers": [
{
"name": "Accept",
"value": "*/*"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Accept-Language",
"value": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3"
},
{
"name": "Cache-Control",
"value": "no-cache"
},
{
"name": "Connection",
"value": "keep-alive, Upgrade"
},
{
"name": "DNT",
"value": "1"
},
{
"name": "Host",
"value": "web.whatsapp.com"
},
{
"name": "Origin",
"value": "https://web.whatsapp.com"
},
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Sec-Fetch-Dest",
"value": "websocket"
},
{
"name": "Sec-Fetch-Mode",
"value": "websocket"
},
{
"name": "Sec-Fetch-Site",
"value": "same-origin"
},
{
"name": "Sec-WebSocket-Extensions",
"value": "permessage-deflate"
},
{
"name": "Sec-WebSocket-Key",
"value": "CahSZ7V991nVOR4e+FTLIg=="
},
{
"name": "Sec-WebSocket-Version",
"value": "13"
},
{
"name": "Upgrade",
"value": "websocket"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0)
Gecko/20100101 Firefox/106.0"
}
]
}
}


Re: [squid-users] Problem caching range requests with range_offset_limit

2022-08-12 Thread osy
I was able to fix the issue by patching Squid to keep the client
connection open until the full object is fetched. My changes are
detailed in https://gist.github.com/osy/30c5c96d7575efd1d2a2db5e3def0815

On Wed, Aug 10, 2022 at 7:43 PM osy  wrote:
>
> I am trying to cache Azure objects. I have SSL bump and the following config:
>
> maximum_object_size 1000 MB
> acl azure_storage dstdomain .blob.core.windows.net
> range_offset_limit -1 azure_storage
>
> My expectation is that when a request is made with the Range header,
> that Squid will request the object starting from the beginning, return
> the data when it reaches the range, then keep the connection open and
> keep requesting data until the end. However, I observe the last part
> isn't true: the connection to the server is closed after the proxy
> client closes the connection.
>
> 2022/08/10 18:55:23.152| 5,3| Read.cc(92) ReadNow:
> local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1, size 3644,
> retval 0, errno 0
> 2022/08/10 18:55:23.152| 33,5| Server.cc(147) doClientRead:
> local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1 closed?
> 2022/08/10 18:55:23.152| 33,3| client_side.cc(1418)
> connFinishedWithConn: local=127.0.0.1:3128 remote=127.0.0.1:57075 FD
> 21 flags=1 aborted (half_closed_clients disabled)
> 2022/08/10 18:55:23.152| 33,3| Pipeline.cc(56) terminateAll: Pipeline
> 0x149704e80 notify(0) 0x13a817600*3
> 2022/08/10 18:55:23.152| 90,3| store_client.cc(651) storeUnregister:
> storeUnregister: called for 'F43F6204305C4808C2A393C7CC905C16'
> 2022/08/10 18:55:23.153| 90,3| store_client.cc(764)
> CheckQuickAbortIsReasonable: entry=e:d5@0=w1p2V/0x638f6d80*6
> 2022/08/10 18:55:23.153| 90,3| store_client.cc(755)
> storePendingNClients: storePendingNClients: returning 0
> 2022/08/10 18:55:23.153| 90,3| store_client.cc(788)
> CheckQuickAbortIsReasonable: mem=0x14a14bcb0
> 2022/08/10 18:55:23.153| 90,3| store_client.cc(817)
> CheckQuickAbortIsReasonable: quick-abort? NO admin configured range
> replies to full-download
> 2022/08/10 18:55:23.153| 33,3| Pipeline.cc(69) popMe: Pipeline
> 0x149704e80 drop 0x13a817600*3
> 2022/08/10 18:55:23.153| 33,3| client_side_request.cc(270)
> ~ClientHttpRequest: httpRequestFree: [url here]
>
> I also tried setting "half_closed_clients on" but that just defers the
> error to a write later on. Any advice would be appreciated, thanks!


Re: [squid-users] Problem caching range requests with range_offset_limit

2022-08-10 Thread Alex Rousskov

On 8/10/22 22:43, osy wrote:

I am trying to cache Azure objects. I have SSL bump and the following config:

maximum_object_size 1000 MB
acl azure_storage dstdomain .blob.core.windows.net
range_offset_limit -1 azure_storage

My expectation is that when a request is made with the Range header,
that Squid will request the object starting from the beginning, return
the data when it reaches the range, then keep the connection open and
keep requesting data until the end.


N.B. In the above "keep the connection" should refer to the 
Squid-to-origin connection, not the user_agent-to-Squid connection.




However, I observe the last part
isn't true: the connection to the server is closed after the proxy
client closes the connection.

2022/08/10 18:55:23.152| 5,3| Read.cc(92) ReadNow:
local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1, size 3644,
retval 0, errno 0
2022/08/10 18:55:23.152| 33,5| Server.cc(147) doClientRead:
local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1 closed?
2022/08/10 18:55:23.152| 33,3| client_side.cc(1418)
connFinishedWithConn: local=127.0.0.1:3128 remote=127.0.0.1:57075 FD
21 flags=1 aborted (half_closed_clients disabled)
2022/08/10 18:55:23.152| 33,3| Pipeline.cc(56) terminateAll: Pipeline
0x149704e80 notify(0) 0x13a817600*3
2022/08/10 18:55:23.152| 90,3| store_client.cc(651) storeUnregister:
storeUnregister: called for 'F43F6204305C4808C2A393C7CC905C16'
2022/08/10 18:55:23.153| 90,3| store_client.cc(764)
CheckQuickAbortIsReasonable: entry=e:d5@0=w1p2V/0x638f6d80*6
2022/08/10 18:55:23.153| 90,3| store_client.cc(755)
storePendingNClients: storePendingNClients: returning 0
2022/08/10 18:55:23.153| 90,3| store_client.cc(788)
CheckQuickAbortIsReasonable: mem=0x14a14bcb0
2022/08/10 18:55:23.153| 90,3| store_client.cc(817)
CheckQuickAbortIsReasonable: quick-abort? NO admin configured range
replies to full-download
2022/08/10 18:55:23.153| 33,3| Pipeline.cc(69) popMe: Pipeline
0x149704e80 drop 0x13a817600*3
2022/08/10 18:55:23.153| 33,3| client_side_request.cc(270)
~ClientHttpRequest: httpRequestFree: [url here]


Just to avoid any misunderstanding, the above debugging quote does _not_ 
show the connection to the origin server being closed. There are many 
things called "servers" and "clients" in this context. The "Server.cc" 
above is a Squid task parsing requests from user agents and responding 
with replies. It is nearly unrelated to the origin server.


The above trace does not necessarily contradict your configuration and 
expectations AFAICT. It shows that the user agent closed the connection 
to Squid, but Squid may have decided to keep going with downloading the 
response from the origin server ("quick-abort? NO"). Something else 
could have gone wrong with that download later (or even earlier), of 
course, but the trace does not show that AFAICT.



HTH,

Alex.




I also tried setting "half_closed_clients on" but that just defers the
error to a write later on. Any advice would be appreciated, thanks!


[squid-users] Problem caching range requests with range_offset_limit

2022-08-10 Thread osy
I am trying to cache Azure objects. I have SSL bump and the following config:

maximum_object_size 1000 MB
acl azure_storage dstdomain .blob.core.windows.net
range_offset_limit -1 azure_storage

My expectation is that when a request is made with the Range header,
that Squid will request the object starting from the beginning, return
the data when it reaches the range, then keep the connection open and
keep requesting data until the end. However, I observe the last part
isn't true: the connection to the server is closed after the proxy
client closes the connection.

2022/08/10 18:55:23.152| 5,3| Read.cc(92) ReadNow:
local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1, size 3644,
retval 0, errno 0
2022/08/10 18:55:23.152| 33,5| Server.cc(147) doClientRead:
local=127.0.0.1:3128 remote=127.0.0.1:57075 FD 21 flags=1 closed?
2022/08/10 18:55:23.152| 33,3| client_side.cc(1418)
connFinishedWithConn: local=127.0.0.1:3128 remote=127.0.0.1:57075 FD
21 flags=1 aborted (half_closed_clients disabled)
2022/08/10 18:55:23.152| 33,3| Pipeline.cc(56) terminateAll: Pipeline
0x149704e80 notify(0) 0x13a817600*3
2022/08/10 18:55:23.152| 90,3| store_client.cc(651) storeUnregister:
storeUnregister: called for 'F43F6204305C4808C2A393C7CC905C16'
2022/08/10 18:55:23.153| 90,3| store_client.cc(764)
CheckQuickAbortIsReasonable: entry=e:d5@0=w1p2V/0x638f6d80*6
2022/08/10 18:55:23.153| 90,3| store_client.cc(755)
storePendingNClients: storePendingNClients: returning 0
2022/08/10 18:55:23.153| 90,3| store_client.cc(788)
CheckQuickAbortIsReasonable: mem=0x14a14bcb0
2022/08/10 18:55:23.153| 90,3| store_client.cc(817)
CheckQuickAbortIsReasonable: quick-abort? NO admin configured range
replies to full-download
2022/08/10 18:55:23.153| 33,3| Pipeline.cc(69) popMe: Pipeline
0x149704e80 drop 0x13a817600*3
2022/08/10 18:55:23.153| 33,3| client_side_request.cc(270)
~ClientHttpRequest: httpRequestFree: [url here]

I also tried setting "half_closed_clients on" but that just defers the
error to a write later on. Any advice would be appreciated, thanks!


Re: [squid-users] problem in squid log

2021-11-09 Thread Alex Rousskov
On 11/9/21 3:45 AM, Majed Zouhairy wrote:

> i have ufdbguard but i don't think i have smp..

The problem, whatever it is, is unlikely to be caused by ufdbguard.

My current bet is on access.log record truncation fixed in February 2020
in master/v6[1]. I do not know why that fix has not been backported to
v5. I have reminded about it ~5 months ago[2], but that did not seem to
help. We need to improve how backporting requests/decisions are tracked.

[1] https://github.com/squid-cache/squid/commit/a03343c
[2] https://github.com/squid-cache/squid/pull/332/#issuecomment-853275691

You may be able to confirm my suspicion by studying raw rejected
access.log records. Please note that the problematic record might be
merged with the next record/line.


If my suspicions are correct, then you may be able to work around the
problem by limiting the length of logged URLs. Look for ".width_max" in
your logformat documentation.


HTH,

Alex.


> the last line of squid conf are
> 
> url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode
> sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l
> /var/log/squid/
> url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
> 
> i think ufdbguard does not support squid version 5 yet, which might be
> the problem
> 
> On 11/8/21 10:42 PM, Alex Rousskov wrote:
>> On 11/8/21 5:30 AM, Majed Zouhairy wrote:
>>> when i run sarg
>>>
>>> SARG: sarg version: 2.4.0 Jan-16-2020
>>> SARG: Reading access log file: /var/log/squid/access.log
>>> SARG: Log format identified as "squid log format" for
>>> /var/log/squid/access.log
>>> SARG: The following line read from /var/log/squid/access.log could not
>>> be parsed and is ignored
>>> 1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET
>>> https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_
>>>
>>>
>>> 
>>> UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT
>>> azscus1-client-s.gateway.messenger.live.com:443 -
>>> HIER_DIRECT/40.74.219.49 -
>>> SARG: 4 consecutive errors found in the input log file
>>> /var/log/squid/access.log
>>>
>>> so i think the solution would be to exclude zen.yandex.by from
>>> processing ?
>>
>> The correct solution would depend on what you are trying to accomplish
>> (with sarg), but that solution is unlikely to include disabling logging
>> of requests to any domains IMHO.
>>
>> Based on the above output (that could have been changed by multiple mail
>> agents), it is difficult for me to guess what sarg did not like, but if
>> you are suffering from Squid SMP workers corrupting each-other
>> access.log entries, then please see Bug 5173:
>> https://bugs.squid-cache.org/show_bug.cgi?id=5173
>>
>>
>> HTH,
>>
>> Alex.
>>

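Alex's suggestion of studying the raw rejected access.log records, with the note that a truncated record may be merged with the next one, can be turned into a small scan. The following is an added example, not part of the thread and not part of sarg or Squid; it reads native-format access.log records and flags the ones whose shape matches a merged record. The sample log is constructed for this example (shortened URLs, RFC 5737 addresses and .example hosts); record 2 copies the shape of the rejected line quoted above without its content.

```shell
#!/bin/sh
# Added example (not part of the squid-users thread or of sarg/Squid): scan
# native-format access.log records and report ones that look truncated and
# merged with the following record, the symptom described above. The sample
# records are constructed for this example (URLs shortened, addresses from the
# RFC 5737 documentation ranges); record 2 mimics the shape of the rejected
# line quoted in the thread.

SAMPLE_LOG='1636349300.101     45 10.184.0.2 TCP_MISS/200 5120 GET https://www.example.test/index.html - HIER_DIRECT/203.0.113.10 text/html
1636349341.484     12 10.184.0.2 NONE_NONE/400 20417 GET https://zen.example/lz5XeGt8f/p_CMhOoMLrxy4M2QFtQI1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT client.example:443 - HIER_DIRECT/198.51.100.9 -
1636349700.200    310 10.106.0.2 TCP_TUNNEL/200 8801 CONNECT www.example.test:443 - HIER_DIRECT/198.51.100.7 -'

# find_merged_records: read access.log records on stdin and print
# "RECORD_NUMBER<TAB>REASONS" for each suspicious one. The optional argument is
# the field count of your logformat (10 for the default "squid" native format).
# A record is flagged when its first field is not a seconds.millis timestamp,
# when its field count is off, or when a timestamp appears inside the URL
# field, which is where a merged next record shows up.
find_merged_records() {
    awk -v want="${1:-10}" '
        BEGIN { ts = "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][.][0-9][0-9][0-9]" }
        {
            reason = ""
            if ($1 !~ ("^" ts "$")) reason = reason " no-leading-timestamp"
            if (NF != want) reason = reason " field-count=" NF
            if ($7 ~ ts) reason = reason " timestamp-inside-url"
            if (reason != "") print NR "\t" substr(reason, 2)
        }'
}

# Demo on the constructed sample; for a real log use
#   find_merged_records < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | find_merged_records
```

On the sample only record 2 is reported, with "field-count=16 timestamp-inside-url": the 10-digit timestamp glued into the URL is the tell that the previous record was cut off and the next one appended to it. The record numbers let you line the findings up with the log rotation or Squid upgrade that preceded them; if every hit has an over-long URL, that supports Alex's suspicion, and his pointer to ".width_max" in the logformat documentation is the place to look for bounding the logged URL length until the fix is backported.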


Re: [squid-users] problem in squid log

2021-11-09 Thread Marcus Kool

Hi, I am the author of ufdbGuard and ufdbGuard supports Squid 5.x

The SARG error in access.log has nothing to do with ufdbGuard.


On 09/11/2021 08:45, Majed Zouhairy wrote:

hmmm, this started happening after the last squid update.. i just noticed it is 
now version 5.2
i have ufdbguard but i don't think i have smp..

the last line of squid conf are

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" 
referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64

i think ufdbguard does not support squid version 5 yet, which might be the 
problem

On 11/8/21 10:42 PM, Alex Rousskov wrote:

On 11/8/21 5:30 AM, Majed Zouhairy wrote:

when i run sarg

SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not
be parsed and is ignored
1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET
https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_ 




UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT
azscus1-client-s.gateway.messenger.live.com:443 -
HIER_DIRECT/40.74.219.49 -
SARG: 4 consecutive errors found in the input log file
/var/log/squid/access.log

so i think the solution would be to exclude zen.yandex.by from processing ?


The correct solution would depend on what you are trying to accomplish
(with sarg), but that solution is unlikely to include disabling logging
of requests to any domains IMHO.

Based on the above output (that could have been changed by multiple mail
agents), it is difficult for me to guess what sarg did not like, but if
you are suffering from Squid SMP workers corrupting each-other
access.log entries, then please see Bug 5173:
https://bugs.squid-cache.org/show_bug.cgi?id=5173


HTH,

Alex.




Re: [squid-users] problem in squid log

2021-11-09 Thread Majed Zouhairy
hmmm, this started happening after the last squid update.. i just 
noticed it is now version 5.2

i have ufdbguard but i don't think i have smp..

the last line of squid conf are

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode 
sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l 
/var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64

i think ufdbguard does not support squid version 5 yet, which might be 
the problem


On 11/8/21 10:42 PM, Alex Rousskov wrote:

On 11/8/21 5:30 AM, Majed Zouhairy wrote:

when i run sarg

SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not
be parsed and is ignored
1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET
https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_


UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT
azscus1-client-s.gateway.messenger.live.com:443 -
HIER_DIRECT/40.74.219.49 -
SARG: 4 consecutive errors found in the input log file
/var/log/squid/access.log

so i think the solution would be to exclude zen.yandex.by from processing ?


The correct solution would depend on what you are trying to accomplish
(with sarg), but that solution is unlikely to include disabling logging
of requests to any domains IMHO.

Based on the above output (that could have been changed by multiple mail
agents), it is difficult for me to guess what sarg did not like, but if
you are suffering from Squid SMP workers corrupting each-other
access.log entries, then please see Bug 5173:
https://bugs.squid-cache.org/show_bug.cgi?id=5173


HTH,

Alex.




Re: [squid-users] problem in squid log

2021-11-08 Thread Alex Rousskov
On 11/8/21 5:30 AM, Majed Zouhairy wrote:
> when i run sarg
> 
> SARG: sarg version: 2.4.0 Jan-16-2020
> SARG: Reading access log file: /var/log/squid/access.log
> SARG: Log format identified as "squid log format" for
> /var/log/squid/access.log
> SARG: The following line read from /var/log/squid/access.log could not
> be parsed and is ignored
> 1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET
> https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_
> 
> 
> UPVydoTW1636349696.714    629 10.106.0.2 NONE_NONE/200 0 CONNECT
> azscus1-client-s.gateway.messenger.live.com:443 -
> HIER_DIRECT/40.74.219.49 -
> SARG: 4 consecutive errors found in the input log file
> /var/log/squid/access.log
> 
> so i think the solution would be to exclude zen.yandex.by from processing ?

The correct solution would depend on what you are trying to accomplish
(with sarg), but that solution is unlikely to include disabling logging
of requests to any domains IMHO.

Based on the above output (that could have been changed by multiple mail
agents), it is difficult for me to guess what sarg did not like, but if
you are suffering from Squid SMP workers corrupting each-other
access.log entries, then please see Bug 5173:
https://bugs.squid-cache.org/show_bug.cgi?id=5173


HTH,

Alex.


[squid-users] problem in squid log

2021-11-08 Thread Majed Zouhairy

when i run sarg

SARG: sarg version: 2.4.0 Jan-16-2020
SARG: Reading access log file: /var/log/squid/access.log
SARG: Log format identified as "squid log format" for 
/var/log/squid/access.log
SARG: The following line read from /var/log/squid/access.log could not 
be parsed and is ignored
1636349341.484 12 10.184.0.2 NONE_NONE/400 20417 GET 
https://zen.yandex.by/lz5XeGt8f/ir4w02684/13f5fd2qrAJ2/p_CMhOoMLrxy4M2QFtQI-HLBvD5tHT6JdGbykwp9eDzBNcrpN2RIqcyiFH9pWekXwFsAEtIMz3_5FVo5y8zXIrAwGER6-e4cM0VckNJR_CjjEd2OObzKrHDSM2ZrfFzJ9CELTSJAeFt45wBcaGm_VqdcIXKVKFp7THc-uX7PdjLGAUpRv63aKSdE2OOnMXyOt0SJK0vNXql0thIirh9cGORGu31DYR9cCKZAW9gYjiGgfTFlxfgLOitwTohOyMZzx3ZNcK_K-rk2Vb_


UPVydoTW1636349696.714629 10.106.0.2 NONE_NONE/200 0 CONNECT 
azscus1-client-s.gateway.messenger.live.com:443 - HIER_DIRECT/40.74.219.49 -
SARG: 4 consecutive errors found in the input log file 
/var/log/squid/access.log


so i think the solution would be to exclude zen.yandex.by from processing ?


Re: [squid-users] Problem with upload size limit in squid

2021-02-26 Thread Alex Rousskov
On 2/25/21 8:44 PM, Raj Nagar wrote:

> Is there any way by which I can enforce these
> limits on other protocols as https?

If you want to enforce HTTP request size limits for HTTPS transactions,
then you have to bump TLS connections (to see HTTP inside TLS).

If you want to enforce connection limits for TLS (and other non-HTTP)
connections, then you can either enhance Squid or perhaps use some
TCP-level software that can track individual TCP connection usage. Since
this option deals with TCP connections, it cannot limit individual HTTP
uploads, only the total amount of bytes sent by the client. One TLS/TCP
connection could carry one (encrypted) request or thousands of
(encrypted) requests or even non HTTP traffic -- Squid cannot tell
without bumping that TLS connection.

Both options have ugly drawbacks. There is no good solution for what you
want to do (if you do not control the browser).

Alex.


> On Thu, Feb 25, 2021, 23:33 Alex Rousskov wrote:
> 
> On 2/24/21 11:51 PM, Raj Nagar wrote:
> 
> > I am using squid as forward proxy and want to restrict upload of files
> > larger than 1 MB. I have used following configuration for
> > same: *request_body_max_size 1 MB*.
> > But this is not working for me and I am able to upload larger files.
> > Can someone please help for same. Thanks in advance
> 
> Does your Squid have access to the HTTP request information? For
> example, if it is an HTTPS request, and you are not bumping the
> corresponding TLS connection, then Squid would not be working at HTTP
> level and, hence, would not be able to limit individual HTTP request
> sizes.
> 
> The corresponding access.log record may tell us more about the
> problematic transaction.
> 
> 
> HTH,
> 
> Alex.
> 



Re: [squid-users] Problem with upload size limit in squid

2021-02-25 Thread Raj Nagar
Hi Alex,

Thanks for your response. Is there any way by which I can enforce these
limits on other protocols as https ?

On Thu, Feb 25, 2021, 23:33 Alex Rousskov 
wrote:

> On 2/24/21 11:51 PM, Raj Nagar wrote:
>
> > I am using squid as forward proxy and want to restrict upload of files
> > larger than 1 MB. I have used following configuration for
> > same: *request_body_max_size 1 MB*.
> > But this is not working for me and I am able to upload larger files.
> > Can someone please help for same. Thanks in advance
>
> Does your Squid have access to the HTTP request information? For
> example, if it is an HTTPS request, and you are not bumping the
> corresponding TLS connection, then Squid would not be working at HTTP
> level and, hence, would not be able to limit individual HTTP request sizes.
>
> The corresponding access.log record may tell us more about the
> problematic transaction.
>
>
> HTH,
>
> Alex.
>


Re: [squid-users] Problem with upload size limit in squid

2021-02-25 Thread Alex Rousskov
On 2/24/21 11:51 PM, Raj Nagar wrote:

> I am using squid as forward proxy and want to restrict upload of files
> larger than 1 MB. I have used following configuration for
> same: *request_body_max_size 1 MB*.
> But this is not working for me and I am able to upload larger files.
> Can someone please help for same. Thanks in advance

Does your Squid have access to the HTTP request information? For
example, if it is an HTTPS request, and you are not bumping the
corresponding TLS connection, then Squid would not be working at HTTP
level and, hence, would not be able to limit individual HTTP request sizes.

The corresponding access.log record may tell us more about the
problematic transaction.


HTH,

Alex.


[squid-users] Problem with upload size limit in squid

2021-02-24 Thread Raj Nagar
Hi,

I am using squid as a forward proxy and want to restrict uploads of files
larger than 1 MB. I have used the following configuration for this:
*request_body_max_size 1 MB*.
But this is not working for me and I am able to upload larger files.
Can someone please help with this. Thanks in advance

-- 
Regards,
Raj Nagar


Re: [squid-users] Problem with tcp_outgoing_address

2021-01-24 Thread Amos Jeffries

On 24/01/21 5:40 am, hlager wrote:

Hey guys,
I'm trying to get squid working with two outgoing IP addresses, but only 
one will work; I hope someone can help me.
I'm using an ESXi host with a Ubuntu VM; I have 3 NICs on it. One local NIC where 
the traffic comes in and two which are for the outgoing traffic. Both 
outgoing NICs are in the same subnet and have the same gateway but 
of course different IPs.



i used the following config:



http_port 10.5.5.3:3128 name=3128
http_port 10.5.5.3:3129 name=3129
http_port 10.5.5.3:3130 name=3130



acl test1 myportname 3128 src 1.0.0.0/8


You do not have a port named "src" or a port named "1.0.0.0/8"


http_access allow test1
tcp_outgoing_address 132.15.115.14 test1



acl test2 myportname 3129 src 1.0.0.0/8
http_access allow test2
tcp_outgoing_address 132.15.115.15 test2




test1 and test3 (only for testing purposes) work fine, but test2 won't work.


Please explain how you are testing and what you are seeing happening 
that makes you say that.



Amos


[squid-users] Problem with tcp_outgoing_address

2021-01-23 Thread hlager
Hey guys,

I'm trying to get squid working with two outgoing IP addresses, but only one will work; I hope someone can help me.

I'm using an ESXi host with a Ubuntu VM; I have 3 NICs on it. One local NIC where the traffic comes in and two which are for the outgoing traffic. Both outgoing NICs are in the same subnet and have the same gateway but of course different IPs.

I used the following config:

http_port 10.5.5.3:3128 name=3128
http_port 10.5.5.3:3129 name=3129
http_port 10.5.5.3:3130 name=3130

acl test1 myportname 3128 src 1.0.0.0/8
http_access allow test1
tcp_outgoing_address 132.15.115.14 test1

acl test2 myportname 3129 src 1.0.0.0/8
http_access allow test2
tcp_outgoing_address 132.15.115.15 test2

acl test3 myportname 3130 src 1.0.0.0/8
http_access allow test3
tcp_outgoing_address 132.15.115.14 test3

test1 and test3 (only for testing purposes) work fine, but test2 won't work.

Should I adjust the routing table?

Thanks for the help

heinz



Re: [squid-users] Problem with access.log and when using SMP

2020-12-22 Thread mikio . kishi
Hi Amos,

Thank you for your reply.

> What version of Squid are you using? I thought that problem was solved
> long ago.

I'm using squid-3.5. I would like to know which version solved it.
I checked the code differences in log_file_daemon.cc between squid-3.5 and
squid-4.13, but could not find the fix.

Regards,
--
Mikio Kishi

On Sat, Dec 19, 2020 at 5:39 PM Amos Jeffries  wrote:

> On 19/12/20 8:07 pm, mikio.ki...@gmail.com wrote:
> > Hi,
> >
> > I have the same problem as the following, using access_log.
> >
>
>   What version of Squid are you using? I thought that problem was solved
> long ago.
>
> > In that case, does the following "stdio" logging module also become a
> > workaround to solve the issue ?
> >
>
> No. That issue is multiple processes trying to write to one disk file.
> Only workarounds are writing to different files. Or not using a
> file-based module (eg syslog, UDP, TCP) or a daemon that does not output
> straight to files (eg the DB one).
>
>
> Amos


Re: [squid-users] Problem with access.log and when using SMP

2020-12-19 Thread Amos Jeffries

On 19/12/20 8:07 pm, mikio.ki...@gmail.com wrote:

Hi,

I have the same problem as the following, using access_log.



What version of Squid are you using? I thought that problem was solved 
long ago.



In that case, does the following "stdio" logging module also become a 
workaround to solve the issue ?




No. That issue is multiple processes trying to write to one disk file.
Only workarounds are writing to different files. Or not using a 
file-based module (eg syslog, UDP, TCP) or a daemon that does not output 
straight to files (eg the DB one).



Amos


[squid-users] Problem with access.log and when using SMP

2020-12-18 Thread mikio . kishi
Hi,

I have the same problem as the following, using access_log.


http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-access-log-and-when-using-SMP-td4668524.html

In that case, does the following "stdio" logging module also become a
workaround to solve the issue ?

> stdio Write each log line to disk immediately at the completion of each
request.
>   Place: the filename and path to be written.

Regards,
--
Mikio Kishi


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-27 Thread Service MV
Hi everybody!
I am just writing to thank you all for the excellent comments, you have
been very helpful.

I also take this opportunity to mention which operating model I decided to
use, which is working well so far.

DNS A and PTR record "balancer.mydomain.local" pointing to keepalived
virtual IP of HAProxy. This is my HA frontend.
Haproxy server in TCP mode.
The SQUID nodes joined to the domain and authenticated by Kerberos and LDAP.
In each SQUID node I added the credentials of the AD user account in the
keytab. I configured the AD user account 'without expiring the password'
and 'not requiring pre-authentication kerberos'.
If anyone wants or needs more information just let me know.

Best regards

Gabriel


squid.conf
visible_hostname debian-proxy.mydomain.local
http_port 3128 require-proxy-header
acl haproxy src 10.10.8.213
proxy_protocol_access allow haproxy
debug_options ALL,1 33,2 28,9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for transparent
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
auth_param basic program /opt/squid411/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid411/etc/ldappass.txt -f sAMAccountName=%s -h dc1.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny all


haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode tcp
option  tcplog
option  dontlognull
timeout connect 5000
timeout client  5
timeout server  5

frontend squid
bind 10.10.8.213:3128
default_backend squid_pool

backend squid_pool
balance source
mode tcp
option tcp-check
tcp-check connect port 3128
server squid1 10.10.8.205:3128 check inter 2000 rise 2 fall 3 send-proxy
server squid2 10.10.8.214:3128 check inter 2000 rise 2 fall 3 send-proxy

ktutil
read_kt /opt/squid411/etc/PROXY.keytab
list
   1 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   2 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   3 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   4 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   5 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   6 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   7 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
   8 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
   9 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
  10 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  11 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  12 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  13 2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
  14 2 HTTP/inet@MYDOMAIN.LOCAL

global_defs {
notification_email {
  some.user@mydomain.local
}
notification_email_from pxbalancer01@mydomain.local
smtp_server smtp.mydomain.local
smtp_connect_timeout 60
router_id pxbalancer01
}

vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 114
  priority 110
  advert_int 1
  authentication {
auth_type PASS
auth_pass SomePASS123
}
  virtual_ipaddress {
10.10.8.213
}
  virtual_routes {
10.10.8.0/22 via 10.10.8.207 src 10.10.8.213
}
}


On Fri., Jul. 24, 2020 at 06:44, Rafael Akchurin (
rafael.akchu...@diladele.com) wrote:

> Sorry, forgot to add to Amos's answer - use haproxy to handle *tcp*
> connections and let the sslbump/authentication run on the cluster of squids
> - thus you would get working auth on the squid side and use keepalived/haproxy
> on the client side.
>
> I do not see any reason why it cannot work unless you specifically desire
> to use some of haproxy's features for L7 load balancing.
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -Original Message-
> From: squid-users  On Behalf
> Of Klaus Brandl
> Sent: Friday, July 24, 2020 10:45 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos
> authentication
>
> Hi Brett,
>
> but then you have a single point of failure, if your loadbalancer is down,
> nothing will work. We need a solution, that each system can work by
> itself. So at the moment we merge the keytabs of each system together, and
> we are able to take over the addresses of the other systems. Then we have no
>
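The PROXY protocol handshake that the squid.conf (require-proxy-header, proxy_protocol_access) and haproxy.cfg (send-proxy) above rely on, as an added example that is not part of this thread or of Squid/HAProxy: a parser for the v1 header line HAProxy prepends to each connection, with the trust check Squid applies before it believes the client address in that line. The addresses and function names are constructed to mirror the thread's setup (10.10.8.213 as the balancer, 10.10.10.203 as a browser behind it) and are not taken from the original mails.

```python
"""Added example (not Squid or HAProxy code): parse the PROXY protocol v1 line
that HAProxy's `send-proxy` prepends to each TCP connection, and apply the
trust decision Squid makes with `require-proxy-header` + `proxy_protocol_access`
before it believes the client address carried in that line.

Addresses are constructed to mirror the thread's setup: 10.10.8.213 is the
balancer VIP, 10.10.10.203 a browser behind the balancer.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Longest legal v1 line, CRLF included (PROXY TCP6 <39> <39> 65535 65535\r\n).
MAX_V1_HEADER = 107


@dataclass(frozen=True)
class ProxyInfo:
    family: str        # "TCP4" or "TCP6"
    client_ip: str     # the original client, as reported by the balancer
    client_port: int
    dest_ip: str       # the address the client connected to (the VIP)
    dest_port: int


def parse_proxy_v1(line: bytes) -> Optional[ProxyInfo]:
    """Parse one PROXY v1 header line.

    Returns None for "PROXY UNKNOWN" (e.g. a health check with no client to
    report) and raises ValueError for anything that is not a valid v1 header,
    so a plain HTTP request line is never mistaken for a PROXY header.
    """
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ValueError("bad PROXY v1 framing")
    fields = line[:-2].decode("ascii", errors="strict").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY v1 header")
    family, src, dst, sport, dport = fields[1:]
    version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match TCP4/TCP6")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("non-numeric port")
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(family, str(src_ip), sp, str(dst_ip), dp)


def client_address(peer_ip: str, first_line: bytes,
                   trusted_balancers: Iterable[IPNetwork]) -> str:
    """Return the address the proxy should log and match src ACLs against.

    peer_ip is the TCP peer that connected to the proxy port; first_line is the
    first line read from that connection. This mirrors a `require-proxy-header`
    port: the header is only honoured when the peer matches the
    `proxy_protocol_access allow` ACL. A header from any other peer is rejected
    rather than letting that peer impersonate a client (which would also let it
    satisfy src-based http_access rules it should not match).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_balancers):
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    info = parse_proxy_v1(first_line)
    if info is None:
        # UNKNOWN: nothing to trust, fall back to the balancer's own address
        return peer_ip
    return info.client_ip


# Constructed sample data (hypothetical, matching the thread's addressing).
TRUSTED_BALANCERS = [ipaddress.ip_network("10.10.8.213/32")]  # acl haproxy src 10.10.8.213
SAMPLE_HEADER = b"PROXY TCP4 10.10.10.203 10.10.8.213 51234 3128\r\n"
HEALTH_CHECK = b"PROXY UNKNOWN\r\n"


def demo() -> dict:
    """Run the three cases a practitioner cares about and return the outcomes."""
    results = {
        "balancer": client_address("10.10.8.213", SAMPLE_HEADER, TRUSTED_BALANCERS),
        "health_check": client_address("10.10.8.213", HEALTH_CHECK, TRUSTED_BALANCERS),
    }
    try:
        client_address("10.10.8.250", SAMPLE_HEADER, TRUSTED_BALANCERS)
        results["spoof"] = "accepted"
    except PermissionError:
        results["spoof"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Without the header (or with it sent from an address the ACL does not list) the only address the proxy can see is the balancer's own, which is why access.log shows the balancer rather than the browser.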

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-26 Thread Brett Lymn
On Fri, Jul 24, 2020 at 10:44:34AM +0200, Klaus Brandl wrote:
> 
> but then you have a single point of failure, if your loadbalancer is down,
> nothing will work. We need a solution, that each system can work by itself.
> So at the moment we merge the keytabs of each system together, and we are able
> to take over the addresses of the other systems. Then we have no loadbalancing,
> but a fallback solution, which is more important on our systems.
> 

No, you don't have a single point of failure, this is why I mentioned
using ktutil (well, I said ktadmin, my bad).  You merge the keytab for
the machine with the keytab for the HA user.  This way the clients are
able to both auth to the HA and to the underlying machine.  It is
what we do, it works fine.

-- 
Brett Lymn



Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-25 Thread Markus Moeller
Hi

Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The
Kerberos client will try to request a ticket based on the hostname used, e.g.
if you configure in your browser the proxy name as ha-proxy.slb.example.com
then the client will look for a service principal of
HTTP/ha-proxy.slb.example.com. If this is a CNAME then you may have browser
dependencies, e.g.

  ha-proxy.slb.example.com CNAME HA-server1.real.example.com

Some browsers will use HTTP/ha-proxy.slb.example.com and some will use
HTTP/HA-server1.real.example.com

Now if your squid server name is squid1.real.example.com you will probably have
only HTTP/squid1.real.example.com in your keytab.


There are now 2 options:

1) Create one entry in AD for all squid servers, i.e. the AD entry will have
at least (number of servers + 2) service principals associated with it, extract
the key to a keytab and use the option -s GSS_C_NO_NAME with the
negotiate_kerberos_auth helper, e.g. HTTP/squid1.real.example.com,
HTTP/squid2.real.example.com, HTTP/HA-server1.real.example.com,
HTTP/ha-proxy.slb.example.com
2) Create separate entries in AD for each squid server, the LB and the CNAMEs
and then merge the keys into one keytab to be used on all squid servers.

Kind Regards
Markus



"L.P.H. van Belle"  wrote in message 
news:vmime.5f1aa165.2c44.7eb4bc368bae...@ms249-lin-003.rotterdam.bazuin.nl...
forgot 1 thing. (sorry) 
# 
adduser proxyuser winbind_priv 

or things might not work. 

 



--
  From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
L.P.H. van Belle
  Sent: Friday 24 July 2020 10:46
  To: squid-users@lists.squid-cache.org
  Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication


  I would recommend to ..
  1) use Debian buster,
  2) use squid 4.12
  3) use samba (winbind).

  Needed in smb.conf (only shown what's really needed), there is more of course.

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  # renew the kerberos ticket
  winbind refresh tickets = yes

  # Added for freeradius support
  #ntlm auth = mschapv2-and-ntlmv2-only


  apt install winbind krb5-user should be sufficient.

  samba joins the domain.
  /etc/krb5.keytab contains the default part and refreshes the server Kerberos passwords/tickets.

  And for squid its keytab:

  kinit Administrator
  export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
  net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

  # alias name to keytab
  net ads keytab ADD HTTP/CNAME.FQDN

  # check keytab file.
  klist -ke /etc/squid/HTTP-$(hostname -s).keytab
  unset KRB5_KTNAME

  # set rights.
  chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
  chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

  And I use in squid:
  auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
      --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
      -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
      --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

  Points to think about.

  Server IPs need A + PTR.
  Use CNAMEs in the DNS.
  And make sure the resolving is set up correctly.

  Add a caching DNS to the proxy. (and let squid use it also)

  I had this working (without HAProxy) but with keepalived.

  As far as I can tell, your problem is in how the hostnames and IPs are used.
  But the above might give you ideas.


  Greetz, 

  Louis







From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
Service MV
Sent: Thursday 23 July 2020 17:36
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication


Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration 
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 
some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to 
which by redundancy I configured a virtual IP with the keepalived service. When 
I point my browser to the DNS A record (balancer.mydomain.local) which in turn 
points to the keepalived virtual IP, the authentication stops working:
cache.log 
no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleap

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
Hi Rafael,

First, thank you for maintaining Diladele; each time I read them,
I learned something :-) As usual, your manuals look great. 

I have a few suggestions, if I may point these out, just a small update for the 
site. 

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
This part, the krb5.conf, should be updated with: 

; for Windows 2008+ with AES support (you might want to remove rc4 and des, 
; they are there for compatibility)
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


https://docs.diladele.com/administrator_guide_stable/active_directory/create_user/index.html
/quote: 
Some tutorials describing integration of Squid with Active Directory rely on 
creating a special computer account in AD for the same goal. Unfortunately it 
ties the proxy machine to Active Directory and prevents us from making and 
restoring VM snapshots because the restored snapshot loses the AD join state 
and needs to be rejoined manually.
/quote.

Well, all I can say here is, this works fine for me, but I understand where it's 
coming from. 
As you are pointing out, yes, I did use a "user" account also in the past.
But if samba/winbind is set up correctly with its hostname, and you use CNAMEs 
for the proxy's service name, 
after a backup/restore of a VM and samba/winbind starts, winbind handles the 
"computername" keytab and its password.
Squid has its own keytab file and CNAME and is untouched. 

Resulting in: you can restore a VM. I do this on XenServers; I suggest, give it 
a try. 
But note, I don't have HAProxy running (yet), so I can't say anything about that 
part.
The logical parts should be the same (hostname A - PTR and CNAMEs for services). 

The COMPUTER needs A and PTR (this is the real hostname). 
Now you can set up any CNAME SPN for the proxy's "ServiceName". 
You can use either the computer account or a separate account for the Squid 
CNAME-ed SPNs. 
As long as these are findable somewhere in AD. 

You might want to test this; this setup removed the need for ktpass in Windows, 
which was always giving problems at my side. 

And last, if winbind is used and you want to add an automounted homedir with NFS 
or CIFS,
then half of the work is already done. 
It basically only needs: nfs-common nfs4-acl-tools 
And: 
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
And/or 
net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

In the HAProxy setup, well, that's next on my list; 
I saw something I liked and don't have it running yet.  
Learning a lot here. :-) 

Main difference between your setups: I don't have any Windows servers. 
I'm running fully on Samba AD-DCs and member servers and my client PCs are 
Windows 10. 

I hope I could give you some ideas here and people can use them. 
If you have questions, just ask. 


Greetz, 

Louis



> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Rafael Akchurin
> Sent: Friday 24 July 2020 11:39
> To: Brett Lymn; Klaus Brandl
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 
> 4.11 + Kerberos authentication
> 
> Hello Klaus, Brett, all list members,
> 
> This is the scheme with haproxy and Squid we use all the time 
> in our test lab for Web Safety - we need to constantly 
> add/remove test nodes to the cluster without 
> breaking/changing anything in Kerberos settings for the 
> constantly running client pool - 
> https://docs.diladele.com/administrator_guide_stable/active_di
> rectory_extra/redundancy/haproxy_proxy_protocol.html
> 
> And yes we do *not* use computer account, we use *user* 
> account instead.
> See the reasoning  in the tutorial.
> 
> Best regards,
> Rafael Akchurin
> Diladele B.V.
> 
>   
> 
> -Original Message-
> From: squid-users  
> On Behalf Of Brett Lymn
> Sent: Friday, July 24, 2020 2:23 AM
> To: Klaus Brandl 
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 
> + Kerberos authentication
> 
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > 
> > But if anyone knows a solution, i will spread my ears :)
> > 
> 
> What we do is:
> 
> 1) create a user account in AD that will be used for the HA 
> front end, set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user 
> created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Service MV
Thanks Amos, Kerberos is really hard to learn for a rookie like me, but you
explained it in an excellent and concise way.
In my case, the SQUID servers are joined to the domain with their
respective SPN and UPN that I mentioned in the msktutil command.
And in the case of the Load Balancer HAProxy I used a user account and I
set that the password does not expire. I know this may not be the safest
way to do it, but I couldn't find a way to do it with a computer account. I
guess I should join the HAProxy to the domain as well.
The detail, as you mentioned, is that the DNS A record (eg
inet.mydomain.local) is to match exactly the SPN for that user account,
which at this point is a service account.

Thanks again

Gabriel

On Fri., Jul. 24, 2020 at 00:10, Amos Jeffries (
squ...@treenet.co.nz) wrote:

> On 24/07/20 5:09 am, Service MV wrote:
> > Hi Klaus,
> > I think something similar. But I understand that you can use the
> > Kerberos delegation in AD. That's partly why I'm not convinced by the
> > documentation I read, which tells me to create a user account in Active
> > Directory. And I don't understand what a user account has to do here.
> > Maybe the documentation is wrong and actually refers to a computer
> > account, and the operation of adding a Service Principal Name should be
> > done to the computer object. I don't know. But I'm going to try to do it
> > and see what I can achieve.
> >
>
> Kerberos authentication in HTTP uses the Negotiate scheme. The model for
> that scheme is that it authenticates the exact TCP connection over which
> the credentials are transmitted.
>
> So for it to work *through* a proxy (eg HAProxy) that proxy must ensure
> the *two* TCP connections it is handling (from-client and to-Squid) are
> pinned together with all HTTP multiplexing features disabled _and_ the
> Proxy-Auth* headers are not touched or used along the way.
>
>  => If either of those conditions is broken the auth will not work and
> users will definitely get the behaviour you are seeing. That behaviour
> may also occur anyway if later stages are broken - this is just the
> first and most non-obvious problem for beginners.
>
>
> [ below is simplified a bit/lot to ensure you have the basic
> understanding. There is a steep learning curve for Kerberos tools and
> one needs basics before troubleshooting exposes the gory details ]
>
> The HTTP agent which is doing the Kerberos auth validation (eg Squid)
> must be configured with an account that can perform authentication tasks
> with the central domain server.
>  This can be either User or Machine account as you know. The important
> difference is their policy on passwords. User accounts need password
> rotation, machines are effectively permanent. Since keytab used by Squid
> has to be re-generated every time the account password changes User
> accounts are naturally far more complex to administrate for reliable auth.
>
>  => So ... your choice and YMMV. But we recommend a machine account
> unless you have reason to go the more complex way.
>
>
> At the other end the client software needs a keytab with a "Principal"
> name telling it what to request from the central domain server when it
> needs a token that Squid can validate.
>
>  => The principal name has to match up with the account details used by
> the proxy which is checking the auth credentials. This is why the middle
> proxy (eg HAProxy) cannot touch the authentication on its way to Squid.
>
>  => The principal name is also case-sensitive and must survive
> *exact* string comparisons despite DNS resolve being involved [ because
> reasons :( ].  So be sure to use full FQDN rather than host name
> abbreviations.
>
>
>
> > I'll be back.
> >
> > On Thu., Jul. 23, 2020 at 13:16, Klaus Brandl wrote:
> >
> > Hi Gabriel,
> >
> > same problem here on our HA systems.
> > I think, this is caused by kerberos overall, the tickets are always
> > bound to
> > the hosts realname and address, look at "klist" on your client, and
> > only
> > exactly this name could be used as proxy entry.
>
>
> Indeed. Use of wrong names (eg not using the full FQDN), wrong case, or
> the hostnames not being DNS resolvable are common causes of Kerberos not
> working.
>
>
> Amos
>


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Service MV
Thanks, Brett, for the answer. I did exactly the same thing and it's
working for me now.
I only have to decrypt how to see the client's IP in SQUID's logs. I will
follow your instructions to try to achieve it.

Best regards,

Gabriel


On Thu., Jul. 23, 2020 at 21:23, Brett Lymn (
brett.l...@baesystems.com) wrote:

> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> >
> > But if anyone knows a solution, i will spread my ears :)
> >
>
> What we do is:
>
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
>
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
>
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA loadbalancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the loadblancer and
> client IP.
>
> --
> Brett Lymn
> This email has been sent on behalf of one of the following companies
> within the BAE Systems Australia group of companies:
>
> BAE Systems Australia Limited - Australian Company Number 008 423 005
> BAE Systems Australia Defence Pty Limited - Australian Company Number 006
> 870 846
> ASC Shipbuilding Pty Limited - Australian Company Number 051 899 864
>
> BAE Systems Australia's registered office is Evans Building, Taranaki
> Road, Edinburgh Parks, Edindurgh, South Australia, 5111.
> ASC Shipbuilding's registered office is Level 2, 80 Flinders Street,
> Adelaide, South Australia, 5000.
> If the identity of the sending company is not clear from the content of
> this email, please contact the sender.
>
> This email and any attachments may contain confidential and legally
> privileged information. If you are not the intended recipient, do not copy
> or disclose its content, but please reply to this email immediately and
> highlight the error to the sender and then immediately delete the message.
>


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
forgot 1 thing. (sorry) 
# 
adduser proxyuser winbind_priv 

or things might not work. 

 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
L.P.H. van Belle
Sent: Friday 24 July 2020 10:46
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication



I would recommend to ..
1) use Debian buster,
2) use squid 4.12
3) use samba (winbind).

Needed in smb.conf (only shown what's really needed), there is more of course.

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only


apt install winbind krb5-user should be sufficient.

samba joins the domain.
/etc/krb5.keytab contains the default part and refreshes the server Kerberos passwords/tickets.

And for squid its keytab:

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

# alias name to keytab
net ads keytab ADD HTTP/CNAME.FQDN

# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in squid:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
    -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Points to think about.

Server IPs need A + PTR.
Use CNAMEs in the DNS.
And make sure the resolving is set up correctly.

Add a caching DNS to the proxy. (and let squid use it also)

I had this working (without HAProxy) but with keepalived.

As far as I can tell, your problem is in how the hostnames and IPs are used.
But the above might give you ideas.


Greetz, 


Louis


 

Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens 
Service MV
Verzonden: donderdag 23 juli 2020 17:36
Aan: squid-users@lists.squid-cache.org
Onderwerp: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication



Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration 
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user 
HIER_DIRECT/MailScanner warning: numerical links are often malicious: 
MailScanner warning: numerical links are often malicious: MailScanner warning: 
numerical links are often malicious: 172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to which 
by redundancy I configured a virtual IP with the keepalived service. When I 
point my browser to the DNS A record (balancer.mydomain.local) which in turn 
points to the keepalived virtual IP, the authentication stops working:
cache.log no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- 
text/


In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by SQUID is 10.10.8.207, which is the 
physical IP of my VM, instead of the virtual IP configured in HAProxy, which is 
the IP 10.10.8.213.

I send you all the configurations that I have made to see if you can help me to 
find where my configuration error is.

keepalived.conf   global_defs {
     notification_email {
       some.user@mydomain.local
     }
     notification_email_from balancer1@mydomain.local
     smtp_server smtp. mydomain.local 
     smtp_connect_timeout 60
  }

  vrrp_instance VI_1 {
      state MASTER
      interface eth0
      virtual_router_id 101
      priority 101
      advert_int 1
      authentication {
          auth_type PASS
          auth_pass somepass123
      }
      virtual_ipaddress {
          10.10.8.213
      }
  }




haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except MailScanner warning: numerical links are often 
malicious: MailScanner warning: numerical links are often malicious: 
MailScanner warning: numerical links are often malicious: 127.0.0.0/8
timeout connect 5000
timeout client 5
timeout server 5

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread L . P . H . van Belle
I would recommend to:
1) use Debian buster,
2) use Squid 4.12,
3) use Samba (winbind).

Needed in smb.conf (only what is really needed is shown; there is more, of course):

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
 
    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Added for freeradius support
#ntlm auth = mschapv2-and-ntlmv2-only


apt install winbind krb5-user should be sufficient.

Samba joins the domain.
/etc/krb5.keytab contains the default part, and the server Kerberos passwords/tickets are refreshed.

And for Squid, its keytab:

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

# alias name to keytab
net ads keytab ADD HTTP/CNAME.FQDN 

# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in Squid:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
    -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Points to think about:

Server IPs need A + PTR records.
Use CNAMEs in the DNS,
and make sure resolving is set up correctly.

Add a caching DNS to the proxy (and let Squid use it too).

I had this working (without HAProxy) but with keepalived.

As far as I can tell, your problem is in how the hostnames and IPs are used,
but the above might give you ideas.


Greetz, 


Louis


 

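Added example (not code from Louis's message, nor from the Squid or Samba projects): a small Python check for the keytab procedure above. It parses "klist -ke" output and verifies, with the exact case-sensitive comparison Kerberos applies to principals, that HTTP/<name>@REALM exists for every name a browser may be pointed at: the host FQDN, the CNAME and the load-balancer name. It also flags legacy RC4/DES key types. The embedded klist output, the host names and the realm are constructed for the example.

```python
"""Check that a Squid keytab covers every name clients will use for the proxy.

Added example, not code from the thread or from Squid/Samba. It parses the
output of "klist -ke <keytab>" and checks, with the exact case-sensitive
comparison Kerberos applies, that HTTP/<name>@<REALM> exists for every name a
browser could be pointed at: the host FQDN, a CNAME, the balancer name.
The sample klist output, names and realm below are constructed.
"""
import re
import subprocess

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Legacy key types worth flagging (assumption: the domain can do without them).
LEGACY_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# Constructed sample of "klist -ke /etc/squid/HTTP-proxy1.keytab" output:
# the CNAME entry was added with the wrong case, the balancer name is absent.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (arcfour-hmac)
   2 http/proxy.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Map each principal in klist -ke output to its key version numbers and enctypes."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # "Keytab name:", header and separator lines
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        entry = keys.setdefault(principal, {"kvno": set(), "enctypes": set()})
        entry["kvno"].add(kvno)
        entry["enctypes"].add(enctype)
    return keys


def read_keytab(path):
    """Run klist -ke on a real keytab (not used by the offline sample)."""
    return subprocess.run(["klist", "-ke", path], check=True,
                          capture_output=True, text=True).stdout


def check_keytab(klist_text, client_names, realm):
    """Report, per expected HTTP/<name>@<realm> SPN, whether the keytab can serve it."""
    keys = parse_klist(klist_text)
    by_lower = {p.lower(): p for p in keys}
    report = {"ok": [], "missing": [], "case_mismatch": [], "legacy": []}
    for name in client_names:
        spn = "HTTP/%s@%s" % (name, realm)
        if spn in keys:
            report["ok"].append(spn)
            for enctype in sorted(keys[spn]["enctypes"]):
                if enctype in LEGACY_ENCTYPES:
                    report["legacy"].append((spn, enctype))
        elif spn.lower() in by_lower:
            # Kerberos compares principals byte for byte: HTTP/ and http/ differ.
            report["case_mismatch"].append((spn, by_lower[spn.lower()]))
        else:
            report["missing"].append(spn)
    return report


if __name__ == "__main__":
    names = ["proxy1.mydomain.local", "proxy.mydomain.local", "balancer.mydomain.local"]
    for kind, items in check_keytab(SAMPLE_KLIST, names, "MYDOMAIN.LOCAL").items():
        for item in items:
            print(kind, item)
```

On a real host, pass read_keytab("/etc/squid/HTTP-proxy1.keytab") instead of SAMPLE_KLIST. A "missing" result is the case for "net ads keytab add HTTP/<name>" above; a "case_mismatch" result means the entry exists but will never match what the client requests.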

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Rafael Akchurin
Sorry, forgot to add to Amos's answer: use HAProxy to handle *tcp* connections 
and let the SSL-bump/authentication run on the cluster of Squids. Thus you 
would get working auth on the Squid side and use keepalived/HAProxy on the client 
side.

I do not see any reason why it cannot work unless you specifically desire to 
use some of HAProxy's features for L7 load balancing.

Best regards,
Rafael Akchurin
Diladele B.V.



Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Rafael Akchurin
Hello Klaus, Brett, all list members,

This is the scheme with haproxy and Squid we use all the time in our test lab 
for Web Safety - we need to constantly add/remove test nodes to the cluster 
without breaking/changing anything in Kerberos settings for the constantly 
running client pool - 
https://docs.diladele.com/administrator_guide_stable/active_directory_extra/redundancy/haproxy_proxy_protocol.html

And yes, we do *not* use a computer account; we use a *user* account instead.
See the reasoning in the tutorial.

Best regards,
Rafael Akchurin
Diladele B.V.

  



Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-24 Thread Klaus Brandl
Hi Brett,

But then you have a single point of failure: if your load balancer is down, 
nothing will work. We need a solution where each system can work by itself. So 
at the moment we merge the keytabs of each system together, and we are able to 
take over the addresses of the other systems. Then we have no load balancing, 
but a fallback solution, which is more important on our systems.

On Friday 24 July 2020 09:53:03 Brett Lymn wrote:
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > But if anyone knows a solution, i will spread my ears :)
> 
> What we do is:
> 
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
> 
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
> 
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA loadbalancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the load balancer and
> client IP.

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Amos Jeffries
On 24/07/20 5:09 am, Service MV wrote:
> Hi Klaus,
> I think something similar. But I understand that you can use the
> Kerberos delegation in AD. That's partly why I'm not convinced by the
> documentation I read, which tells me to create a user account in Active
> Directory. And I don't understand what a user account has to do here.
> Maybe the documentation is wrong and actually refers to a computer
> account, and the operation of adding a Service Principal Name should be
> done to the computer object. I don't know. But I'm going to try to do it
> and see what I can achieve.
> 

Kerberos authentication in HTTP uses the Negotiate scheme. The model for
that scheme is that it authenticates the exact TCP connection over which
the credentials are transmitted.

So for it to work *through* a proxy (eg HAProxy) that proxy must ensure
the *two* TCP connections it is handling (from-client and to-Squid) are
pinned together with all HTTP multiplexing features disabled _and_ the
Proxy-Auth* headers are not touched or used along the way.

 => If either of those conditions is broken the auth will not work and
users will definitely get the behaviour you are seeing. That behaviour
may also occur anyway if later stages are broken - this is just the
first and most non-obvious problem for beginners.


[ below is simplified a bit/lot to ensure you have the basic
understanding. There is a steep learning curve for Kerberos tools and
one needs basics before troubleshooting exposes the gory details ]

The HTTP agent which is doing the Kerberos auth validation (eg Squid)
must be configured with an account that can perform authentication tasks
with the central domain server.
 This can be either User or Machine account as you know. The important
difference is their policy on passwords. User accounts need password
rotation, machines are effectively permanent. Since keytab used by Squid
has to be re-generated every time the account password changes User
accounts are naturally far more complex to administrate for reliable auth.

 => So ... your choice and YMMV. But we recommend a machine account
unless you have reason to go the more complex way.


At the other end the client software needs a keytab with a "Principal"
name telling it what to request from the central domain server when it
needs a token that Squid can validate.

 => The principal name has to match up with the account details used by
the proxy which is checking the auth credentials. This is why the middle
proxy (eg HAProxy) cannot touch the authentication on its way to Squid.

 => The principal name is also case-sensitive and must survive
*exact* string comparisons despite DNS resolve being involved [ because
reasons :( ].  So be sure to use the full FQDN rather than host name
abbreviations.



> I'll be back.
> 
> On Thu, 23 Jul 2020 at 13:16, Klaus Brandl wrote:
> 
> Hi Gabriel,
> 
> same problem here on our HA systems.
> I think this is caused by Kerberos overall: the tickets are always bound
> to the host's real name and address. Look at "klist" on your client, and
> only exactly this name could be used as proxy entry.


Indeed. Use of wrong names (eg not using the full FQDN), wrong case, or
the hostnames not being DNS resolvable are common causes of Kerberos not
working.


Amos

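Added example, not code from Amos's or Rafael's messages and not part of the HAProxy project: a Python lint that turns the two conditions in Amos's reply (one client TCP connection pinned to exactly one Squid connection, and the Proxy-Auth* exchange passed through untouched) and Rafael's remedy (run the balancer in "mode tcp") into a mechanical check over an HAProxy config. The two embedded configs are constructed: POSTED_CFG reproduces the relevant directives of the "listen squid" section from the original post, FIXED_CFG is the TCP-mode form. The section name, the timeout values and the set of keywords flagged are assumptions.

```python
"""Lint an HAProxy config for settings that break Negotiate (Kerberos) proxy auth.

Added example, not code from the thread or from the HAProxy project. It checks
that the listener in front of Squid runs in "mode tcp" (client connection
pinned 1:1 to a Squid connection, HTTP left untouched) and, if it does not,
names the HTTP-mode features that break the per-connection Negotiate exchange.
POSTED_CFG and FIXED_CFG are constructed for the example.
"""

SECTION_WORDS = ("global", "defaults", "frontend", "backend", "listen")

# HTTP-mode options that close or re-open the Squid-side connection per request,
# so the connection the client authenticated on is not the one its next request uses.
BREAKING_OPTIONS = {"httpclose", "http-server-close", "http-pretend-keepalive", "forceclose"}

# Directives that only exist in HTTP mode and rewrite the message on the way through.
BREAKING_DIRECTIVES = {"cookie", "http-request", "http-response", "reqrep", "reqadd", "rspadd"}

POSTED_CFG = """
defaults
    mode http
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen squid
    bind 10.10.8.213:3128
    mode http
    balance source
    hash-type consistent
    option httpclose
    cookie SERVERID insert indirect nocache
    option forwardfor header X-Client
    server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
    server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5
"""

FIXED_CFG = """
defaults
    mode http
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen squid
    bind 10.10.8.213:3128
    mode tcp                  # overrides defaults: bytes pass through untouched
    option tcplog
    balance source            # client-IP hash keeps a client on one Squid
    hash-type consistent
    server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
    server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5
"""


def parse_haproxy(text):
    """Split a config into (kind, name, [directive tokens]) sections, comments dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_WORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def effective(section, defaults):
    """Resolve mode/options/directives the way HAProxy inherits them from defaults."""
    mode, options, directives = "tcp", set(), set()  # HAProxy's own default mode is tcp
    for tokens in list(defaults) + list(section):
        if tokens[0] == "mode":
            mode = tokens[1]
        elif tokens[0] == "option":
            options.add(tokens[1])
        elif tokens[0] == "no" and tokens[1:2] == ["option"]:
            options.discard(tokens[2])
        else:
            directives.add(tokens[0])
    return mode, options, directives


def lint(text, listener):
    """Return findings for the named frontend/listen section; an empty list means clean."""
    defaults = []
    for kind, name, body in parse_haproxy(text):
        if kind == "defaults":
            defaults = body  # the most recent defaults block applies to later sections
        elif kind in ("frontend", "listen") and name == listener:
            break
    else:
        return ["section %r not found" % listener]
    mode, options, directives = effective(body, defaults)
    if mode == "tcp":
        return []  # HTTP-only options and directives are inert in tcp mode
    findings = ["mode %s: HAProxy parses and reuses HTTP; use 'mode tcp' so each "
                "client connection is pinned to one Squid connection" % mode]
    for opt in sorted(options & BREAKING_OPTIONS):
        findings.append("option %s: the Squid-side connection is closed per request, "
                        "so the Negotiate-authenticated connection is lost" % opt)
    for directive in sorted(directives & BREAKING_DIRECTIVES):
        findings.append("%s: rewrites the HTTP message between client and Squid" % directive)
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CFG, "squid"):
        print("posted:", finding)
    print("fixed:", lint(FIXED_CFG, "squid") or "no findings")
```

Running it against the posted section reports the mode, both close options and the cookie insertion; the TCP-mode section reports nothing. In tcp mode Squid sees the balancer's address as the client (Brett's point about logging), so to keep the real client IP the usual pairing, outside what this thread shows, is "send-proxy" on the HAProxy server lines together with "require-proxy-header" on Squid's http_port and a matching proxy_protocol_access rule; the Diladele page Rafael links describes that proxy-protocol setup.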


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Brett Lymn
On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> 
> But if anyone knows a solution, i will spread my ears :)
> 

What we do is:

1) create a user account in AD that will be used for the HA front end,
set a password and export the keytab for this user
2) Use ktadmin to import the keytab entries for the user created in step
1 into the keytab for squid on the squid servers.
3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
created in 1

The SPN (service principal name) tells kerberos to use the user details
set up in step 1 to authenticate http requests.  This works for us, has
been for years.

One thing, if you want to know the IP addresses of your clients in the
squid logs you will need to do some extra stuff because all accesses
will appear to come from the HA loadbalancer.  We have configured our
load balancers to insert the X-Forwarded-For header into the http
traffic and then modified the logging to log both the load balancer and
client IP.

-- 
Brett Lymn


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Service MV
Hi Klaus,
I think something similar. But I understand that you can use the Kerberos
delegation in AD. That's partly why I'm not convinced by the documentation
I read, which tells me to create a user account in Active Directory. And I
don't understand what a user account has to do here. Maybe the
documentation is wrong and actually refers to a computer account, and the
operation of adding a Service Principal Name should be done to the computer
object. I don't know. But I'm going to try to do it and see what I can
achieve.

I'll be back.

On Thu, 23 Jul 2020 at 13:16, Klaus Brandl (klaus_bra...@genua.de) wrote:

> Hi Gabriel,
>
> same problem here on our HA systems.
> I think this is caused by Kerberos overall: the tickets are always bound to
> the host's real name and address. Look at "klist" on your client, and only
> exactly this name could be used as proxy entry.
>
> But if anyone knows a solution, i will spread my ears :)
>
> Klaus
>
> ---
>
> genua GmbH
> Domagkstrasse 7, 85551 Kirchheim bei Muenchen
> tel +49 89 991950-0, fax -999, www.genua.de
>
> Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
> Amtsgericht Muenchen HRB 98238
> genua ist ein Unternehmen der Bundesdruckerei-Gruppe.


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Klaus Brandl
Hi Gabriel,

same problem here on our HA systems.
I think this is caused by Kerberos overall: the tickets are always bound to 
the host's real name and address. Look at "klist" on your client, and only 
exactly this name could be used as proxy entry.

But if anyone knows a solution, i will spread my ears :)

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.


[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Service MV
Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443
some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to
which by redundancy I configured a virtual IP with the keepalived service.
When I point my browser to the DNS A record (balancer.mydomain.local) which
in turn points to the keepalived virtual IP, the authentication stops
working:
cache.log
no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 -
HIER_NONE/- text/

In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by SQUID is 10.10.8.207, which is
the physical IP of my VM, instead of the virtual IP configured in HAProxy,
which is the IP 10.10.8.213.

I send you all the configurations that I have made to see if you can help
me to find where my configuration error is.

keepalived.conf
  global_defs {
 notification_email {
   some.user@mydomain.local
 }
 notification_email_from balancer1@mydomain.local
 smtp_server smtp.mydomain.local
 smtp_connect_timeout 60
  }

  vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 101
  priority 101
  advert_int 1
  authentication {
  auth_type PASS
  auth_pass somepass123
  }
  virtual_ipaddress {
  10.10.8.213
  }
  }


haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
timeout connect 5000
timeout client 5
timeout server 5

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

### statistics
listen stats
bind 10.10.8.213:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy?stats
stats auth haproxy:somepass123

### balancer
listen squid
bind 10.10.8.213:3128
  mode http
  option httplog
  balance source
  hash-type consistent
  option httpclose
  cookie SERVERID insert indirect nocache
  option forwardfor header X-Client
  server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
  server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5


squid.conf
# minimal configuration for testing
visible_hostname proxy1.mydomain.local
http_port 3128
debug_options ALL,1 33,2 28,9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for on
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all


squid -v
Squid Cache: Version 4.11
Service Name: squid

This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/opt/squid411' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info'
'--localstatedir=/opt/squid411/var' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline'
'--enable-async-io' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers'
'--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi' '--disable-translation'
'--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd'


env
KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab
KRB5RCACHETYPE=none


/etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h

 

Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-11 Thread Amos Jeffries
On 12/06/20 12:29 am, Amiq Nahas wrote:
> On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries wrote:
>>
>> On 10/06/20 9:26 pm, Amiq Nahas wrote:
>>> Hi Guys,
>>>
>>> I am trying to configure squid so as to have user proxy
>>> authentication, below is how my squid.conf file looks like:
>>>
>>> -
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 3128
>>> coredump_dir /var/spool/squid
>>>
>>> refresh_pattern ^ftp:                1440    20%     10080
>>> refresh_pattern ^gopher:             1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?)    0       0%      0
>>> refresh_pattern (Release|Packages(.gz)*)$  0   20%     2880
>>> refresh_pattern .                    0       20%     4320
>>> -
>>>
>>> The above lines were default in squid.conf file.
>>>
>>> I have added below lines:
>>>
>>
>> *Where* did you add them? order is important.
> 
> I have added the below lines exactly in this order at the end of the
> file squid.conf.
> 

That is the wrong place to be adding the http_access part of your custom
config.


>>> -
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>>
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
>>> adaptation_access service_req allow all
>>>
>>> icap_service service_resp respmod_precache bypass=0 
>>> icap://127.0.0.1:1344/echo
>>> adaptation_access service_resp allow all
>>>
>>> acl ncsa src 0.0.0.0/0.0.0.0
>>
>> Don't do that. Use "all" to match any IP address.
>>
>> If you want to match IPv4-only clients there is a special value "ipv4"
>> which is used like so:
>>   acl ipv4_only src ipv4
>>
>> Be careful with this type of control. Different access behaviours for
>> IPv4 and IPv6 are how security bypass issues are created.
>>
>>
>>
>>> auth_param basic program /usr/lib/squid/basic_ncsa_auth 
>>> /etc/squid/squid_passwd
>>> auth_param basic realm proxy
>>> acl ncsa proxy_auth REQUIRED
>>
>> "ncsa" was already defined as a IP address matching ACL.
>>
>>
>>> http_access allow ncsa
>>
>>
>> This will only allow clients who are already trying to send credentials.
>> It will not inform clients that they need to and no sane client will
>> broadcast its credential secrets unless it has to.
>>
>> To have HTTP auth work in the usual way it is best to *deny*
>> non-authenticated traffic and allow based on any other criteria you
>> have. Like so:
>>
>>   http_access deny !ncsa
>>   http_access allow localnet
>>
>> or
>>
>>   http_access deny !ncsa
>>   http_access allow ncsa
> 
> So I changed the configuration according to what you suggested and now
> I can access the internet.
> Below is how the configuration now looks:
> 
> acl ncsa src all

That is the same as the built-in "all" ACL ...


> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated ncsa

... which makes the above line the same as:

  http_access allow authenticated all

Which actively *prevents* Squid from requesting credentials from clients.

> 
> I am able to access the internet now, does this mean that everything
> worked fine?

No. There are many ways to configure Squid to allow traffic through.
Most of them do not in any way match your policy.


> I am asking because I will be using this proxy
> authentication setup in c-icap for setting up the url_check service.
> Also I am not prompted for any password, I am able to access the
> internet just like that. Is that how it is supposed to work

It is what you currently configured to be happening.
I wrote earlier that you needed something like this:

  http_access deny !ncsa
  http_access allow localnet


That needs to be in sequence with the other http_access rules in your
config:


  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager

  acl authenticated proxy_auth REQUIRED
  http_access deny !authenticated

  http_access allow localhost
  http_access deny all


> because if
> I don't need to enter the password before browsing the web what would
> be the point of it all. Right? or am I missing something here?

You are missing the order http_access 

Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-11 Thread Amiq Nahas
On Wed, Jun 10, 2020 at 6:48 PM Alex Rousskov
 wrote:
>
> On 6/10/20 5:26 AM, Amiq Nahas wrote:
>
> > http_port 3128
>
>
> > I have configured 127.0.0.1:3128 as manual proxy in firefox.
> >
> > But when I try to connect to internet it displays "The proxy server is
> > refusing connections"
>
> Does your Squid run on the same machine as your browser? If yes, are
> there any errors or warnings in Squid's cache.log, access.log? Does
> "netstat -na" or equivalent (executed on the browser machine) show
> something listening for TCP/IPv4 connection on port 3128?


Thanks for the reply.

Yes, Squid is running on the same machine as the browser.
I have checked cache.log and access.log, there are no errors or
warnings that get generated when the browser shows the proxy refusing
connections error page.
I ran netstat -na and port 3128 is not listening.

I should mention that before I added the below lines in the
configuration, it was all running fine. I could browse the net
and was getting logs of websites visited in the access.log file.
So I am guessing these lines are the problem, but the more important
problem at hand is that 3128 port is not listening. Any thoughts?

acl ncsa src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl ncsa proxy_auth REQUIRED
http access allow ncsa

In case the system environment has something to do with the problem:
the system in question runs Ubuntu 18.04 with Linux-5.6.0-rc7.

Thanks
Amiq
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-11 Thread Amiq Nahas
On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries  wrote:
>
> On 10/06/20 9:26 pm, Amiq Nahas wrote:
> > Hi Guys,
> >
> > I am trying to configure squid so as to have user proxy
> > authentication; below is how my squid.conf file looks:
> >
> > -
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access allow localhost
> > http_access deny all
> > http_port 3128
> > coredump_dir /var/spool/squid
> >
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> > refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
> > refresh_pattern .               0       20%     4320
> > -
> >
> > The above lines were default in squid.conf file.
> >
> > I have added below lines:
> >
>
> *Where* did you add them? Order is important.

I have added the below lines exactly in this order at the end of the
file squid.conf.

> > -
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_preview_enable on
> > icap_preview_size 1024
> >
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> > adaptation_access service_req allow all
> >
> > icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> > adaptation_access service_resp allow all
> >
> > acl ncsa src 0.0.0.0/0.0.0.0
>
> Don't do that. Use "all" to match any IP address.
>
> If you want to match IPv4-only clients there is a special value "ipv4"
> which is used like so:
>   acl ipv4_only src ipv4
>
> Be careful with this type of control. Different access behaviours for
> IPv4 and IPv6 are how security bypass issues are created.
>
>
>
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> > auth_param basic realm proxy
> > acl ncsa proxy_auth REQUIRED
>
> "ncsa" was already defined as an IP address matching ACL.
>
>
> > http access allow ncsa
>
>
> This will only allow clients who are already trying to send credentials.
> It will not inform clients that they need to and no sane client will
> broadcast its credential secrets unless it has to.
>
> To have HTTP auth work in the usual way it is best to *deny*
> non-authenticated traffic and allow based on any other criteria you
> have. Like so:
>
>   http_access deny !ncsa
>   http_access allow localnet
>
> or
>
>   http_access deny !ncsa
>   http_access allow ncsa

So I changed the configuration according to what you suggested and now
I can access the internet.
Below is how the configuration now looks:

acl ncsa src all
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated ncsa

I am able to access the internet now, does this mean that everything
worked fine? I am asking because I will be using this proxy
authentication setup in c-icap for setting up the url_check service.
Also I am not prompted for any password, I am able to access the
internet just like that. Is that how it is supposed to work because if
I don't need to enter the password before browsing the web what would
be the point of it all. Right? or am I missing something here?
I have been using this article for reference
http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/

Thanks
Amiq


Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-10 Thread Amos Jeffries
On 10/06/20 9:26 pm, Amiq Nahas wrote:
> Hi Guys,
> 
> I am trying to configure squid so as to have user proxy
> authentication; below is how my squid.conf file looks:
> 
> -
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
> refresh_pattern .               0       20%     4320
> -
> 
> The above lines were default in squid.conf file.
> 
> I have added below lines:
> 

*Where* did you add them? Order is important.


> -
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> 
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> adaptation_access service_req allow all
> 
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> adaptation_access service_resp allow all
> 
> acl ncsa src 0.0.0.0/0.0.0.0

Don't do that. Use "all" to match any IP address.

If you want to match IPv4-only clients there is a special value "ipv4"
which is used like so:
  acl ipv4_only src ipv4

Be careful with this type of control. Different access behaviours for
IPv4 and IPv6 are how security bypass issues are created.



> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl ncsa proxy_auth REQUIRED

"ncsa" was already defined as an IP address matching ACL.


> http access allow ncsa


This will only allow clients who are already trying to send credentials.
It will not inform clients that they need to and no sane client will
broadcast its credential secrets unless it has to.

To have HTTP auth work in the usual way it is best to *deny*
non-authenticated traffic and allow based on any other criteria you
have. Like so:

  http_access deny !ncsa
  http_access allow localnet

or

  http_access deny !ncsa
  http_access allow ncsa





Amos
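
As an added example (not from the thread and not Squid's own code), a small Python model of the first-match http_access evaluation that Amos's two replies above turn on: every ACL on a line must match, the first matching line wins, and a proxy_auth ACL without credentials only triggers a 407 challenge when it is the last ACL on its line. The ACL names, client addresses, credentials and both configs are constructed for the demo.

```python
"""Simplified model of Squid http_access evaluation (added example, not Squid code).

It reproduces only the three behaviours the thread turns on: the first matching
http_access line wins, every ACL on a line must match (with '!' negation), and a
proxy_auth ACL without credentials only triggers a 407 challenge when it is the
last ACL on its line. Addresses, credentials and both configs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL definitions in the spirit of squid.conf (constructed for the demo).
ACLS = {
    "all": ("all", None),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "localnet": ("src", ["10.0.0.0/8", "192.168.0.0/16"]),
    "manager": ("manager", None),                 # cache manager requests
    "authenticated": ("proxy_auth", "REQUIRED"),  # acl authenticated proxy_auth REQUIRED
}


@dataclass
class Request:
    src: str                             # client IP as Squid sees it
    manager: bool = False                # is this a cache-manager request?
    credentials: Optional[str] = None    # Proxy-Authorization present? (constructed)


def acl_matches(name: str, req: Request) -> bool:
    kind, arg = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(net) for net in arg)
    if kind == "manager":
        return req.manager
    if kind == "proxy_auth":
        return req.credentials is not None
    raise ValueError(f"unknown acl type for {name}")


def evaluate(config: list, req: Request) -> str:
    """Return 'allow', 'deny' or 'challenge' (407) for req under the http_access lines."""
    rules = [line.split() for line in config if line.startswith("http_access ")]
    for parts in rules:
        action, acls = parts[1], parts[2:]
        line_matches = True
        for i, token in enumerate(acls):
            negate = token.startswith("!")
            name = token.lstrip("!")
            if ACLS[name][0] == "proxy_auth" and req.credentials is None:
                # No credentials: challenge only if proxy_auth is the LAST acl on
                # the line; otherwise the line just fails to match and Squid moves on.
                if i == len(acls) - 1:
                    return "challenge"
                line_matches = False
                break
            if acl_matches(name, req) == negate:   # result after applying '!'
                line_matches = False
                break
        if line_matches:
            return action
    # Nothing matched: Squid applies the opposite of the last http_access line.
    return "deny" if rules[-1][1] == "allow" else "allow"


# What the thread's final config amounts to: the auth line appended AFTER
# "http_access deny all", so it is never reached.
APPENDED_AT_END = [
    "http_access allow localhost manager",
    "http_access deny manager",
    "http_access allow localhost",
    "http_access deny all",
    "http_access allow authenticated all",
]

# The ordering Amos recommends: deny unauthenticated traffic before any allow.
DENY_FIRST = [
    "http_access allow localhost manager",
    "http_access deny manager",
    "http_access deny !authenticated",
    "http_access allow localnet",
    "http_access allow localhost",
    "http_access deny all",
]

if __name__ == "__main__":
    cases = [
        Request("127.0.0.1"),                            # browser on the proxy host, no creds
        Request("10.1.2.3"),                             # LAN client, no creds
        Request("10.1.2.3", credentials="amiq:secret"),  # LAN client with creds
    ]
    for req in cases:
        print(f"{req.src:>10} creds={req.credentials is not None!s:5} "
              f"appended-at-end={evaluate(APPENDED_AT_END, req):9} "
              f"deny-first={evaluate(DENY_FIRST, req)}")
```

The localhost client is allowed under the appended config without ever being challenged, which is exactly the "not prompted for any password" symptom in the thread.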


Re: [squid-users] Problem with squid proxy authentication configuration

2020-06-10 Thread Alex Rousskov
On 6/10/20 5:26 AM, Amiq Nahas wrote:

> http_port 3128


> I have configured 127.0.0.1:3128 as manual proxy in firefox.
> 
> But when I try to connect to internet it displays "The proxy server is
> refusing connections"

Does your Squid run on the same machine as your browser? If yes, are
there any errors or warnings in Squid's cache.log, access.log? Does
"netstat -na" or equivalent (executed on the browser machine) show
something listening for TCP/IPv4 connection on port 3128?

Alex.


[squid-users] Problem with squid proxy authentication configuration

2020-06-10 Thread Amiq Nahas
Hi Guys,

I am trying to configure squid so as to have user proxy
authentication; below is how my squid.conf file looks:

-
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320
-

The above lines were default in squid.conf file.

I have added below lines:

-
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
adaptation_access service_resp allow all

acl ncsa src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl ncsa proxy_auth REQUIRED
http access allow ncsa
-

With this in place, I have configured 127.0.0.1:3128 as manual proxy in firefox.

But when I try to connect to internet it displays "The proxy server is
refusing connections"
(https://i.ytimg.com/vi/-LJAxo9TVig/hqdefault.jpg)

Please point out what I am doing wrong?

Thanks
Amiq


Re: [squid-users] Problem with Debugging Useragent

2020-05-06 Thread Amos Jeffries
On 7/05/20 4:11 am, Ahmad Alzaeem wrote:
> Hello Folks,
> 
> 
> We have squid 4.x
> 
> We need to debug the user agents being  sent from our local network .
> 
> We added :
> logformat useragent  %>a [%tl] "%{User-Agent}>h"
> access_log stdio:/var/log/squid/${service_name}-useragent.log useragent
> 

The only thing wrong with that config is that the "useragent" is a
built-in logformat name. Do not re-define it.

If you want any differences to the built-in, use a different name for
your custom format.


> 
> But our logs only log as below:
> 
> 
> 12.14.49.200 [06/May/2020:12:09:56 -0400] "-"
...
> 
> It seems to be "-", not the user agent we are supposed to see.
> 

What makes you think those transactions have User-Agent headers?
The '-' means no such header present.


> 
> How can we let squid debug the incoming user agent and the outgoing user
> agent that goes out to the website?
> 

You can try this to see what the headers actually contain.

  logformat ualog  %>a [%tl] "%{User-Agent}>h" "%>h"
  access_log stdio:/var/log/squid/${service_name}-useragent.log ualog

If the string with full headers contains 'User-Agent:' when "-" is
displayed first there is a bug; otherwise it is just your expectation
being incorrect.

Amos


Re: [squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-11-20 Thread John Sweet-Escott
Hi Tanner

Unfortunately not. We have tried everything we can think of, plus suggested 
items from this list, with no success. If you figure it out let me know. 

Many thanks 
John 

Sent from my iPhone

> On 20 Nov 2019, at 21:34, tannmann  wrote:
> 
> Hey John,
> 
> It looks like we have a very similar setup and configuration as you, and we
> are experiencing the same problem. Have you been able to figure out a way to
> get connections to google to work with Squid 4.8 as a transparent proxy?
> 
> Thanks,
> 
> Tanner
> 
> 
> 
> --
> Sent from: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


Re: [squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-11-20 Thread tannmann
Hey John,

It looks like we have a very similar setup and configuration as you, and we
are experiencing the same problem. Have you been able to figure out a way to
get connections to google to work with Squid 4.8 as a transparent proxy?

Thanks,

Tanner





Re: [squid-users] Problem webpage filter - acl & http_access

2019-10-16 Thread ndoigny
Hi,

I tested with an acl .eurosport.com* and garagegardi.be* which aren't HTTPS,
and it's working.

I see that for https pages, I need a root certificate that will be exported
to all machines.

Thank you for your help.

Nicolas





Re: [squid-users] Problem webpage filter - acl & http_access

2019-10-16 Thread Rafał Stanilewicz
Most likely your browser redirects you to HTTPS, instead of HTTP, so
what you need is peek and splice.

On Wed, 16 Oct 2019 at 06:52, Vacheslav  wrote:
>
> I too wanted to block, but it was youtube, and eventually the best way
> to do it was squid + ufdbguard
>
> On Tue, 2019-10-15 at 13:03 -0500, ndoigny wrote:
> > Hi All,
> >
> > I did a Squid basic configuration on the port 3128.
> >
> > The proxy server works correctly and I can browse from a client
> > machine when I configure the proxy configuration.
> > But when I try to do some web filtering on some sites, I always
> > manage to access them.
> >
> > I created a txt file 'blocked_sites' in the path
> > 'C:\squid\etc\squid'.
> > I created the following ACL :
> > acl blocked_sites dstdomain '/etc/squid/blocked_sites.txt'
> > http_access deny blocked_sites
> >
> > In the blocked_sites file txt, I indicate :
> >
> > .facebook.com
> > .msn.com
> > .orange.be
> >
> > I restarted the Squid service but the filter isn't working.
> >
> > Can you help me ?
> >
> > Thanks in advance.
> >
> > Nicolas
> >
> >
> >



-- 
Before you print, think about the environment.


Re: [squid-users] Problem webpage filter - acl & http_access

2019-10-15 Thread Vacheslav
I too wanted to block, but it was youtube, and eventually the best way
to do it was squid + ufdbguard

On Tue, 2019-10-15 at 13:03 -0500, ndoigny wrote:
> Hi All,
> 
> I did a Squid basic configuration on the port 3128.
> 
> The proxy server works correctly and I can browse from a client
> machine when I configure the proxy configuration.
> But when I try to do some web filtering on some sites, I always
> manage to access them.
> 
> I created a txt file 'blocked_sites' in the path
> 'C:\squid\etc\squid'.
> I created the following ACL :
> acl blocked_sites dstdomain '/etc/squid/blocked_sites.txt'
> http_access deny blocked_sites
> 
> In the blocked_sites file txt, I indicate :
> 
> .facebook.com
> .msn.com
> .orange.be
> 
> I restarted the Squid service but the filter isn't working.
> 
> Can you help me ?
> 
> Thanks in advance.
> 
> Nicolas
> 
> 
> 




[squid-users] Problem webpage filter - acl & http_access

2019-10-15 Thread ndoigny
Hi All,

I did a Squid basic configuration on the port 3128.

The proxy server works correctly and I can browse from a client machine when
I configure the proxy configuration.
But when I try to do some web filtering on some sites, I always manage to
access them.

I created a txt file 'blocked_sites' in the path 'C:\squid\etc\squid'.
I created the following ACL :
acl blocked_sites dstdomain '/etc/squid/blocked_sites.txt'
http_access deny blocked_sites

In the blocked_sites file txt, I indicate :

.facebook.com
.msn.com
.orange.be

I restarted the Squid service but the filter isn't working.

Can you help me ?

Thanks in advance.

Nicolas





Re: [squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-09-18 Thread John
Hi Amos

Thank you for your help.

On Tue, 17 Sep 2019 at 07:26, Amos Jeffries  wrote:
> ...
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
>
> I suspect it might have something to do with these ECDSA keys.
>
> You do not have Elliptic-Curves enabled on the https_port client-facing
> connection. So the TLS extensions associated are likely not to be
> compatible between the client and the server connections Squid is
> attempting to bridge between.
>
I generated a dhparams file using the command:
openssl dhparam -out dhparams.pem 2048
and then I configured the port with the following options:
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept tls-dh=prime256v1:/etc/squid/dhparams.pem options=SINGLE_ECDH_USE,SINGLE_DH_USE

But this still gives this in the log when I connect:
2019/09/18 08:19:44 kid1| ERROR: negotiating TLS on FD 17:
error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
fallback (1/-1/0)

I have also tried restricting the cipher to the same cipher that works
for the ubuntu connection and I get the same error:
openssl s_client -tls1_2 -CAfile squid.crt -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect www.google.com:443

With this restriction, the client hello to squid is:
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 156
Version: TLS 1.2 (0x0303)
Random: e52eb8a54705dc32774c5832694dd4567cd9b0f34556ebf3…
Session ID Length: 0
Cipher Suites Length: 4
Cipher Suites (2 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 111
Extension: server_name (len=19)
Extension: ec_point_formats (len=4)
Extension: supported_groups (len=12)
Extension: session_ticket (len=0)
Extension: encrypt_then_mac (len=0)
Extension: extended_master_secret (len=0)
Extension: signature_algorithms (len=48)
The proxied hello to google is identical to the above.
The server hello from google is:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 63
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 59
Version: TLS 1.2 (0x0303)
Random: 5d81da909e779d7e67f2663d6563236721b0906d09dacf02…
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 19
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Extension: ec_point_formats (len=2)
Extension: session_ticket (len=0)
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 2537
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 2533
Certificates Length: 2530
Certificates (2530 bytes)
Certificate Length: 1422
Certificate:
3082058a30820472a0030201020210556630a312faeab908…
(id-at-commonName=www.google.com,id-at-organizationName=Google
LLC,id-at-localityName=Mountain
View,id-at-stateOrProvinceName=California,id-at-countryName=US)
Certificate Length: 1102
Certificate:
3082044a30820332a003020102020d01e3b49aa18d8aa981…
(id-at-commonName=GTS CA 1O1,id-at-organizationName=Google Trust
Services,id-at-countryName=US)
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 300
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 296
EC Diffie-Hellman Server Params
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done

If you have any further suggestions as to how/where I should debug I
would be extremely grateful.

John

On Tue, 17 Sep 2019 at 07:26, Amos Jeffries  wrote:
>
>
> On 15/09/19 10:41 pm, John Sweet-Escott wrote:
> > Hi All
> >
> > We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on
> > Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering
> > of HTTPS traffic using SNI (see config in [2]). It works correctly
> > when contacting some addresses (e.g. https://www.ubuntu.com) but not
> > others (e.g. https://www.google.com). When we contact
> > https://www.google.com using TLS1.2 we get the error in the logs:
> > 2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19:
> > error:1425F175:SSL 

Re: [squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-09-17 Thread Amos Jeffries

On 15/09/19 10:41 pm, John Sweet-Escott wrote:
> Hi All
> 
> We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on
> Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering
> of HTTPS traffic using SNI (see config in [2]). It works correctly
> when contacting some addresses (e.g. https://www.ubuntu.com) but not
> others (e.g. https://www.google.com). When we contact
> https://www.google.com using TLS1.2 we get the error in the logs:
> 2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19:
> error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
> fallback (1/-1/0)
...
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

I suspect it might have something to do with these ECDSA keys.

You do not have Elliptic-Curves enabled on the https_port client-facing
connection. So the TLS extensions associated are likely not to be
compatible between the client and the server connections Squid is
attempting to bridge between.

Amos


[squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

2019-09-15 Thread John Sweet-Escott
Hi All

We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on
Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering of
HTTPS traffic using SNI (see config in [2]). It works correctly when
contacting some addresses (e.g. https://www.ubuntu.com) but not others
(e.g. https://www.google.com). When we contact https://www.google.com using
TLS1.2 we get the error in the logs:
2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19:
error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
fallback (1/-1/0)
and the page returned to the client contains ERR_SECURE_CONNECT_FAIL. When
TLS1.3 is used, the connections are made correctly; however my application
is constrained to java8 & tomcat8, which do not support TLS1.3.

Connections are made using curl or openssl s_client. For example:
openssl s_client -tls1_2 -CAfile squid.crt -connect www.google.com:443 -tlsextdebug
[237/1854]CONNECTED(0005)
TLS server extension "renegotiation info" (id=65281), len=1
 - 00.
TLS server extension "EC point formats" (id=11), len=4
 - 03 00 01 02   
TLS server extension "session ticket" (id=35), len=0
TLS server extension "extended master secret" (id=23), len=0
depth=1 C = GB, ST = London, L = squid, O = squid, CN = squid
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = GB, ST = London, L = squid, O = squid, CN = squid
 1 s:C = GB, ST = London, L = squid, O = squid, CN = squid
   i:C = GB, ST = London, L = squid, O = squid, CN = squid
 2 s:C = GB, ST = London, L = squid, O = squid, CN = squid
   i:C = GB, ST = London, L = squid, O = squid, CN = squid
etc

Attached are pcap files showing first a bad connection to google and then a
working connection to ubuntu. Looking at the pcap files the difference in
the google and ubuntu server hello lies in the extensions and the cypher:
Google:
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 59
Version: TLS 1.2 (0x0303)
Random: 5d7e05552e1fdea260f67e0bdf413f6a9837fbaffdebeb35…
Session ID Length: 0
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Compression Method: null (0)
Extensions Length: 19
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Extension: ec_point_formats (len=2)
Extension: session_ticket (len=0)
Ubuntu:
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 61
Version: TLS 1.2 (0x0303)
Random: 7ec2c3a2554bac610e0290ac1f160c3ed185bdd1159e377c…
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 21
Extension: server_name (len=0)
Extension: renegotiation_info (len=1)
Extension: ec_point_formats (len=4)
Extension: session_ticket (len=0)
Differences are that Google supplies extended_master_secret and Ubuntu
supplies server_name extensions. The ciphers chosen by the servers are also
different. Enabling debug using squid -k debug indicates that this is the
likely problematic area:

2019/09/15 11:21:02.486 kid1| 83,5| PeerConnector.cc(712)
checkForMissingCertificates: SSL server sent 2 certificates
2019/09/15 11:21:02.486 kid1| 83,7| AsyncCall.cc(26) AsyncCall: The
AsyncCall Security::PeerConnector::negotiate constructed,
this=0x560d937c94b0 [call515701]
2019/09/15 11:21:02.486 kid1| 83,7| AsyncCall.cc(93) ScheduleCall: PeerConnector.cc(391) will call
Security::PeerConnector::negotiate() [call515701]
2019/09/15 11:21:02.486 kid1| 83,7| AsyncJob.cc(154) callEnd:
Ssl::PeekingPeerConnector status out: [ FD 19 job24663]
2019/09/15 11:21:02.486 kid1| 83,7| AsyncCallQueue.cc(57) fireNext: leaving
Security::PeerConnector::negotiate()
2019/09/15 11:21:02.486 kid1| 83,7| AsyncCallQueue.cc(55) fireNext:
entering Security::PeerConnector::negotiate()
2019/09/15 11:21:02.486 kid1| 83,7| AsyncCall.cc(38) make: make call
Security::PeerConnector::negotiate [call515701]
2019/09/15 11:21:02.486 kid1| 83,7| AsyncJob.cc(123) callStart:
Ssl::PeekingPeerConnector status in: [ FD 19 job24663]
2019/09/15 11:21:02.486 kid1| 83,5| PeerConnector.cc(188) negotiate:
SSL_connect session=0x560d93835950
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(356) giveBuffered: 5<=5 bytes to
OpenSSL
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(356) giveBuffered: 63<=63 bytes
to OpenSSL
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(164) stateChanged: FD 19 now:
0x1001 TWCH (SSLv3/TLS write client hello)
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(471) write: postpone writing 7
bytes to SSL FD 19
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(164) stateChanged: FD 19 now:
0x4008 SSLERR (error)
2019/09/15 11:21:02.486 kid1| 83,7| bio.cc(164) stateChanged: FD 19 now:
0x1002 SSLERR (error)
2019/09/15 11:21:02.486 kid1| 83,5| NegotiationHistory.cc(83)

Re: [squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Rafael Akchurin
Hello Alex,

Please take a look at how we recompile Squid 4.6 for Ubuntu 18.
It compiles and runs nicely without errors.

See https://docs.diladele.com/howtos/build_squid_4_on_ubuntu/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users  On Behalf Of Alex 
Gutiérrez Martínez
Sent: Wednesday, 27 February 2019 22:48
To: squid-users@lists.squid-cache.org
Subject: [squid-users] problem compiling squid 4 on ubuntu 18.04

Hello community, can someone be so nice as to tell me what I'm doing wrong?


I'm compiling Squid 4.5 on Ubuntu 18.04.


These are the dependencies I have installed:


apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev 
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev 
libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl
libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils


These are the options for squid:

./configure --build=x86_64-linux-gnu --enable-delay-pools 
--enable-cache-digests --enable-icap-client --enable-ssl --enable-ssl-crtd 
--with-openssl --enable-follow-x-forwarded-for 
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" 
--enable-auth-digest="file,LDAP" --prefix=/usr --includedir=${prefix}/include 
--mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc 
--localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. 
--disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules 
--datadir=/usr/share/squid --sysconfdir=/etc/squid --mandir=/usr/share/man 
--enable-inline --disable-arch-native
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock
--enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests 
--enable-icap-client --enable-follow-x-forwarded-for 
--enable-auth-negotiate=kerberos,wrapper
--enable-auth-ntlm=fake,smb_lm
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group
--enable-url-rewrite-helpers=fake --enable-eui --enable-esi --enable-zph-qos 
--enable-ecap --disable-translation --with-swapdir=/var/spool/squid 
--with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid 
--with-filedescriptors=65536 --with-large-files --with-default-user=proxy 
--enable-ssl --with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter 
'CFLAGS=-g
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security'


I'm getting this error:


error: NTLM auth helper smb_lm ... not found


thanks in advance


--
Kind regards

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Amos Jeffries
On 28/02/19 10:47 am, Alex Gutiérrez Martínez wrote:
> Hello community, can someone be so nice as to tell me what I'm doing wrong?
> 
> 
> I'm compiling Squid 4.5 on Ubuntu 18.04.
> 

...
> 
> 
> I'm getting this error:
> 
> 
> error: NTLM auth helper smb_lm ... not found
> 

Amos


[squid-users] problem compiling squid 4 on ubuntu 18.04

2019-02-27 Thread Alex Gutiérrez Martínez

Hello community, can someone be so nice as to tell me what I'm doing wrong?


I'm compiling Squid 4.5 on Ubuntu 18.04.


These are the dependencies I have installed:


apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev 
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev 
libldap2-dev libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl 
libecap3 libecap3-dev libntlm0-dev libkf5kiontlm5 samba-dev ldap-utils



These are the options for squid:

./configure --build=x86_64-linux-gnu --enable-delay-pools 
--enable-cache-digests --enable-icap-client --enable-ssl 
--enable-ssl-crtd --with-openssl --enable-follow-x-forwarded-for 
--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" 
--enable-auth-digest="file,LDAP" --prefix=/usr 
--includedir=${prefix}/include --mandir=${prefix}/share/man 
--infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var 
--libexecdir=${prefix}/lib/squid --srcdir=. --disable-maintainer-mode 
--disable-dependency-tracking --disable-silent-rules 
--datadir=/usr/share/squid --sysconfdir=/etc/squid 
--mandir=/usr/share/man --enable-inline --disable-arch-native 
--enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock 
--enable-removal-policies=lru,heap --enable-delay-pools 
--enable-cache-digests --enable-icap-client 
--enable-follow-x-forwarded-for --enable-auth-negotiate=kerberos,wrapper 
--enable-auth-ntlm=fake,smb_lm 
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group 
--enable-url-rewrite-helpers=fake --enable-eui --enable-esi 
--enable-zph-qos --enable-ecap --disable-translation 
--with-swapdir=/var/spool/squid --with-logdir=/var/log/squid 
--with-pidfile=/var/run/squid.pid --with-filedescriptors=65536 
--with-large-files --with-default-user=proxy --enable-ssl 
--with-open-ssl=/etc/ssl/openssl.cnf --enable-linux-netfilter 'CFLAGS=-g 
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security'



I'm getting this error:


error: NTLM auth helper smb_lm ... not found


thanks in advance


--
Kind regards

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327





Re: [squid-users] Problem rtmp traffic through Squid

2019-02-13 Thread Amos Jeffries
On 14/02/19 1:37 am, Ahmad, Sarfaraz wrote:
> Did you add them to “safe_ports” acl ? ( assuming you have one )
> 

Port 1935 is already part of the Safe_ports ACL by default.

What it is not part of is the SSL_Ports ACL which prohibits almost all
ports having CONNECT tunnels opened.

If the Flash agent in use, or its Browser is properly using the proxy
it/they should be attempting to open a CONNECT tunnel to the RTMP server
(possibly port 1935, maybe another) for the stream to flow within.

Check your proxy access.log for these attempts and decide from there
what detail(s) you are going to use to permit access (port, server name,
or UA string, etc).
Likely you will need to add the relevant port to SSL_Ports (preventing
it being forbidden) and then also add other http_access lines to
restrict which traffic is allowed to contact that port.


> 
> *From:* squid-users *On
> Behalf Of *? ?? 
> *Sent:* Wednesday, February 13, 2019 5:56 PM
> 
> Hello! In our organization, we use squid proxy server. And we found a
> problem with viewing webinars that run on adobe Flash. Network engineers
> found out that rtmp traffic on port 1935 bypasses the proxy server,
> which is specified in the browser settings. In this connection, the site
> does not work media content. The same problem is covered on the Adobe
> website https://forums.adobe.com/thread/905051
> 
> Can you help with providing information on configuring squid to work
> with adobe Flash?
> 


Amos

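Amos suggests reading access.log to see which CONNECT attempts Squid is refusing before deciding what to permit. The shell helper below is an added example (not part of the thread) that does that triage over a few constructed access.log lines in Squid's native log format; the host names and addresses in the sample lines are made up.

```shell
#!/bin/sh
# Constructed access.log lines in Squid's native log format (made up for
# this example; hosts and addresses are placeholders, not data from the
# thread). Field order: timestamp, elapsed ms, client, code/status, bytes,
# method, URL, user, hierarchy/peer, content type.
SAMPLE_LOG='1550056800.101    0 192.168.1.10 TCP_DENIED/403 3921 CONNECT webinar.example.com:1935 - HIER_NONE/- text/html
1550056800.205    0 192.168.1.10 TCP_DENIED/403 3921 CONNECT webinar.example.com:1935 - HIER_NONE/- text/html
1550056801.310   45 192.168.1.11 TCP_TUNNEL/200 52311 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.10 -
1550056802.420    0 192.168.1.12 TCP_DENIED/403 3921 CONNECT media.example.net:1935 - HIER_NONE/- text/html
1550056803.530   12 192.168.1.10 TCP_MISS/200 1534 GET http://www.example.org/index.html - HIER_DIRECT/192.0.2.10 text/html'

# Read access.log on stdin and print "count host:port" for every CONNECT
# request Squid denied, most frequent first. A CONNECT to a port outside
# SSL_ports is refused by the default rules, so these are the candidates
# for the SSL_ports change.
denied_connect_targets() {
    awk '$6 == "CONNECT" && $4 ~ /^TCP_DENIED\// { count[$7]++ }
         END { for (t in count) print count[t], t }' |
        sort -k1,1nr -k2,2
}

# Same report narrowed to one destination port (e.g. 1935 for RTMP), so
# the http_access rule can be restricted to the servers actually needed.
denied_connect_on_port() {
    denied_connect_targets | awk -v p="$1" '$2 ~ (":" p "$")'
}

printf '%s\n' "$SAMPLE_LOG" | denied_connect_on_port 1935
```

Targets reported for port 1935 are the ones to name in the SSL_ports and http_access changes Amos describes.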


Re: [squid-users] Problem rtmp traffic through Squid

2019-02-13 Thread Ahmad, Sarfaraz
Did you add them to the "safe_ports" ACL? (assuming you have one)

Look here for some more input:
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-conf-blocking-live-video-stream-td4680866.html



From: squid-users  On Behalf Of 
? ?? 
Sent: Wednesday, February 13, 2019 5:56 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem rtmp traffic through Squid

Hello! In our organization, we use the Squid proxy server, and we found a problem
with viewing webinars that run on Adobe Flash. Network engineers found out that
RTMP traffic on port 1935 bypasses the proxy server that is specified in the
browser settings. Because of this, the site's media content does not work. The
same problem is covered on the Adobe website
https://forums.adobe.com/thread/905051
Can you help with providing information on configuring Squid to work with Adobe
Flash?


[squid-users] Problem rtmp traffic through Squid

2019-02-13 Thread Герасимов Никита Вячеславович
Hello! In our organization, we use the Squid proxy server, and we found a problem
with viewing webinars that run on Adobe Flash. Network engineers found out that
RTMP traffic on port 1935 bypasses the proxy server that is specified in the
browser settings. Because of this, the site's media content does not work. The
same problem is covered on the Adobe website
https://forums.adobe.com/thread/905051
Can you help with providing information on configuring Squid to work with Adobe
Flash?


Re: [squid-users] Problem with kerb/ntlm authentication

2018-09-18 Thread Yanier Salazar Sanchez
I already fixed the problem that caused only NTLM authentication to work.

Greetings, Yanier

Ing. Yanier Salazar Sánchez
Network Administrator
Empresa Eléctrica Ciego de Avila
Phone: (33) 228613 ext 305

From: squid-users  On Behalf Of
Yanier Salazar Sanchez
Sent: Friday, September 14, 2018 13:57
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with kerb/ntlm authentication

 

Sorry for my bad English.

This is the scenario:

I have Ubuntu 18.04.01 (with the latest updates) with Squid 4.2-2, Samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the latest updates, clients with
Windows 10 1709 with the latest updates, Firefox 60.2.0esr, Google Chrome
61.0.3163.79, Firefox Quantum 62.0 and Internet Explorer.

I am using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/
(only up to where Kerberos and NTLM are configured).

 

I joined the proxy to the active directory

 

All the commands seem to work correctly

 

I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP//srv-squid-krb.mired@mired.lan

Valid starting       Expires              Service principal
09/13/2018 16:29:48  09/14/2018 02:29:48  krbtgt/mired@mired.lan
09/13/2018 16:55:57  09/14/2018 02:29:48  host/srv-squid-krb.mired@mired.lan
09/13/2018 16:56:13  09/14/2018 02:29:48  host/srv-dc.mired@mired.lan

 

I run this command

kinit squidtest

Password for squidt...@mired.lan:

 

I create a proxy.keytab in my windows server 2012 r2 with this command 

ktpass -princ HTTP/srv-squid-krb.mired@mired.lan -mapuser MIRED\squidtest
-pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out d:\proxy.keytab

proxy.keytab permission

rw-r--r root proxy proxy.keytab

 

 

My krb5.conf file

 

[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

   .mired.lan = MIRED.LAN

 

 

 

 

I run this command

klist -k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab
KVNO Principal
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan

 

I run this command

wbinfo --authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded

 

I run this command

wbinfo --krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0

 

I run this command

wbinfo -g  (List all groups in AD)

I run this command

wbinfo -u  (List all users in AD)

 

I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw….. blabla   /B8VWAxn29WaG/j

 

 

The squid.conf is a basic configuration with only:

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d
--ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=2.5-ntlmssp
--domain=mired --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP//srv-squid-krb.mired@mired.lan

auth_param negotiate children 10

auth_param negotiate keep_alive off

 

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp

auth_param ntlm children 10

auth_param ntlm keep_alive off

 

acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED

 

and 

http_access allow red auth

 

 

But the problem is that Kerberos doesn't work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp 

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-krb.mired@mired.lan

[squid-users] Problem with kerb/ntlm authentication

2018-09-14 Thread Yanier Salazar Sanchez
Sorry for my bad English.

This is the scenario:

I have Ubuntu 18.04.01 (with the latest updates) with Squid 4.2-2, Samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the latest updates, clients with
Windows 10 1709 with the latest updates, Firefox 60.2.0esr, Google Chrome
61.0.3163.79, Firefox Quantum 62.0 and Internet Explorer.

I am using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/
(only up to where Kerberos and NTLM are configured).

 

I joined the proxy to the active directory

 

All the commands seem to work correctly

 

I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP//srv-squid-krb.mired@mired.lan

Valid starting       Expires              Service principal
09/13/2018 16:29:48  09/14/2018 02:29:48  krbtgt/mired@mired.lan
09/13/2018 16:55:57  09/14/2018 02:29:48  host/srv-squid-krb.mired@mired.lan
09/13/2018 16:56:13  09/14/2018 02:29:48  host/srv-dc.mired@mired.lan
 

 

I run this command

kinit squidtest

Password for squidt...@mired.lan:

 

I create a proxy.keytab in my windows server 2012 r2 with this command 

ktpass -princ HTTP/srv-squid-krb.mired@mired.lan -mapuser MIRED\squidtest
-pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out d:\proxy.keytab

proxy.keytab permission

rw-r-r root proxy proxy.keytab

 

 

My krb5.conf file

 

[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

   .mired.lan = MIRED.LAN

 

 

 

 

I run this command

klist -k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab
KVNO Principal
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
 

 

I run this command

wbinfo --authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded

 

I run this command

wbinfo --krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0

 

I run this command

wbinfo -g  (List all groups in AD)

I run this command

wbinfo -u  (List all users in AD)

 

I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw... blabla   /B8VWAxn29WaG/j

 

 

The squid.conf is a basic configuration with only:

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d
--ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=2.5-ntlmssp
--domain=mired --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP//srv-squid-krb.mired@mired.lan

auth_param negotiate children 10

auth_param negotiate keep_alive off

 

These lines are commented out because cache.log shows the following messages:

username must be specified!

Usage: [OPTION]

  --helper-protocol=

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp

#auth_param ntlm children 10

#auth_param ntlm keep_alive off

 

acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED

 

and 

http_access allow red auth

 

If I run this command on the console:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=user
--password=password

NT_STATUS_OK: The operation completed successfully (0x0)

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=user
--password=password

NT_STATUS_OK: The operation completed successfully (0x0)

But if I run /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

the answer is "username must be specified".

 

 

But the problem is that Kerberos doesn't work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp 

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:

[squid-users] Problem with kerb/ntlm authentication

2018-09-14 Thread Yanier Salazar Sanchez
Sorry for my bad English.

This is the scenario:

I have Ubuntu 18.04.01 (with the latest updates) with Squid 4.2-2, Samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the latest updates, clients with
Windows 10 1709 with the latest updates, Firefox 60.2.0esr, Google Chrome
61.0.3163.79, Firefox Quantum 62.0 and Internet Explorer.

I am using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/
(only up to where Kerberos and NTLM are configured).

 

I joined the proxy to the active directory

 

All the commands seem to work correctly

 

I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP//srv-squid-krb.mired@mired.lan

Valid starting       Expires              Service principal
09/13/2018 16:29:48  09/14/2018 02:29:48  krbtgt/mired@mired.lan
09/13/2018 16:55:57  09/14/2018 02:29:48  host/srv-squid-krb.mired@mired.lan
09/13/2018 16:56:13  09/14/2018 02:29:48  host/srv-dc.mired@mired.lan
 

 

I run this command

kinit squidtest

Password for squidt...@mired.lan:

 

I create a proxy.keytab in my windows server 2012 r2 with this command 

ktpass -princ HTTP/srv-squid-krb.mired@mired.lan  -mapuser
MIRED\squidtest -pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out
d:\proxy.keytab

proxy.keytab permission

rw-r-r root proxy proxy.keytab

 

 

My krb5.conf file

 

[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

   .mired.lan = MIRED.LAN

 

 

 

 

I run this command

klist -k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab
KVNO Principal
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
   6 HTTP/srv-squid-krb.mired@mired.lan
 

 

I run this command

wbinfo --authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded

 

I run this command

wbinfo --krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0

 

I run this command

wbinfo -g  (List all groups in AD)

I run this command

wbinfo -u  (List all users in AD)

 

I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw... blabla   /B8VWAxn29WaG/j

 

 

The squid.conf is a basic configuration with only:

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d
--ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=2.5-ntlmssp
--domain=mired --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP//srv-squid-krb.mired@mired.lan

auth_param negotiate children 10

auth_param negotiate keep_alive off

 

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp

auth_param ntlm children 10

auth_param ntlm keep_alive off

 

acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED

 

and 

http_access allow red auth

 

 

But the problem is that Kerberos doesn't work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp 

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-krb.mired@mired.lan 

negotiate_kerberos_auth.cc(487): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq

negotiate_kerberos_auth.cc(546): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab

negotiate_kerberos_auth.cc(570): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_10816

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACDgAOADgVgonigQb5TAh6RigAAJwAnABGBgEAAA9F

Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Thanks for your time! Now it is working fine.

A little and stupid question: where can I find the start script of
squid? This is a CentOS 7.

I want put this

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

[root@squid etc]# cat /usr/lib/systemd/system/squid.service
## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##

[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target

[Service]
Type=forking
LimitNOFILE=16384
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/bin/mkdir -p /var/run/squid
ExecStartPre=/usr/bin/chown squid.squid /var/run/squid
ExecStart=/usr/sbin/squid -sYC
ExecReload=/usr/sbin/squid -kreconf
ExecStop=/usr/sbin/squidshut.sh
TimeoutStopSec=36
KillMode=none

[Install]
WantedBy=multi-user.target


Thanks!!!





Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread Flashdown
Also, at a specific interval Windows will automatically refresh Kerberos tickets
in the background, but when depends on your domain settings, and I am unsure
about the default interval.

On 5 February 2018 17:46:29 CET, Enrico Heine wrote:
>Only users that can't use the proxy need to do it.
>
>On 5 February 2018 17:43:58 CET, Enrico Heine wrote:
>>This is maybe because the users have a old kerberos ticket and need to
>>renew it. So simple solution for them is to log off and logon again to
>>their windows PC or they can close the browsers and tools that need to
>>authenticate against the proxy afterwards they should lock and
>directly
>>unlock their station --> this will force windows to refresh their
>>kerberos ticket. After all did it these messages will disappear,
>>sometimes it's easier to tell the users to just restart their PC. 
>>
>>On 5 February 2018 17:09:04 CET, erdosain9 wrote:
>>>Ok. 
>>>Thanks
>>>
>>>Know the ticket is fine, and is working (people are going throug
>>>internet
>>>and i see in access.log there user names) but... im having this
>>>error in
>>>the log.
>>>
>>>2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating
>>>user.
>>>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>>>Unspecified GSS failure.  Minor code may provide more information.
>>>Cannot
>>>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>>>for
>>>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>>>2018/02/05 12:57:55 kid1| ERROR: Negotiate Authentication validating
>>>user.
>>>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>>>Unspecified GSS failure.  Minor code may provide more information.
>>>Cannot
>>>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>>>for
>>>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>>>(END)
>>>
>>>I change @ for - 
>>>
>>>Thanks.
>>>
>>>
>>>
>>
>>-- 
>>This message was sent from my Android device with K-9 Mail.
>
>-- 
>This message was sent from my Android device with K-9 Mail.


Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread Enrico Heine
Only users that can't use the proxy need to do it.

On 5 February 2018 17:43:58 CET, Enrico Heine wrote:
>This is maybe because the users have a old kerberos ticket and need to
>renew it. So simple solution for them is to log off and logon again to
>their windows PC or they can close the browsers and tools that need to
>authenticate against the proxy afterwards they should lock and directly
>unlock their station --> this will force windows to refresh their
>kerberos ticket. After all did it these messages will disappear,
>sometimes it's easier to tell the users to just restart their PC. 
>
>On 5 February 2018 17:09:04 CET, erdosain9 wrote:
>>Ok. 
>>Thanks
>>
>>Know the ticket is fine, and is working (people are going throug
>>internet
>>and i see in access.log there user names) but... im having this
>>error in
>>the log.
>>
>>2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating
>>user.
>>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>>Unspecified GSS failure.  Minor code may provide more information.
>>Cannot
>>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>>for
>>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>>2018/02/05 12:57:55 kid1| ERROR: Negotiate Authentication validating
>>user.
>>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>>Unspecified GSS failure.  Minor code may provide more information.
>>Cannot
>>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>>for
>>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>>(END)
>>
>>I change @ for - 
>>
>>Thanks.
>>
>>
>>
>
>-- 
>This message was sent from my Android device with K-9 Mail.

-- 
This message was sent from my Android device with K-9 Mail.


Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread Enrico Heine
This is maybe because the users have an old Kerberos ticket and need to renew
it. So the simple solution for them is to log off and log on again to their Windows
PC, or they can close the browsers and tools that need to authenticate against
the proxy; afterwards they should lock and directly unlock their station -->
this will force Windows to refresh their Kerberos ticket. After all did it,
these messages will disappear; sometimes it's easier to tell the users to just
restart their PC.

On 5 February 2018 17:09:04 CET, erdosain9 wrote:
>Ok. 
>Thanks
>
>Know the ticket is fine, and is working (people are going throug
>internet
>and i see in access.log there user names) but... im having this
>error in
>the log.
>
>2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating
>user.
>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>Unspecified GSS failure.  Minor code may provide more information.
>Cannot
>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>for
>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>2018/02/05 12:57:55 kid1| ERROR: Negotiate Authentication validating
>user.
>Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>Unspecified GSS failure.  Minor code may provide more information.
>Cannot
>decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key
>for
>HTTP/squid.domain.lan-DOMAIN.LAN; }}
>(END)
>
>I change @ for - 
>
>Thanks.
>
>
>

-- 
This message was sent from my Android device with K-9 Mail.


Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Ok. 
Thanks

Now the ticket is fine, and it is working (people are going through the internet
and I see their user names in access.log) but... I'm having this error in
the log.

2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information. Cannot
decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key for
HTTP/squid.domain.lan-DOMAIN.LAN; }}
2018/02/05 12:57:55 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information. Cannot
decrypt ticket for HTTP/squid.domain.lan-DOMAIN.LAN using keytab key for
HTTP/squid.domain.lan-DOMAIN.LAN; }}
(END)

I replaced @ with -.

Thanks.



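The "Cannot decrypt ticket ... using keytab key" error above, and the mistyped msktutil run discussed further down this thread, both come down to what is actually in the keytab. The shell function below is an added example (not from the thread) that reads a klist -k listing and checks that the HTTP service principal Squid is configured with is present and that no stray HTTP/ principal from an earlier mistake remains; the two listings are constructed to mirror the thread, with invented KVNOs.

```shell
#!/bin/sh
# Two constructed "klist -k" listings (made up to mirror the thread's
# mistake, with invented KVNOs): the first holds the SPN created by the
# mistyped msktutil run, the second the corrected keytab.
KEYTAB_WRONG='Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 squidproxy-k$@DOMAIN.LAN
  18 squidproxy-k$@DOMAIN.LAN
  18 HTTP/squidproxy.domain.lan@DOMAIN.LAN
  18 HTTP/squidproxy.domain.lan@DOMAIN.LAN'

KEYTAB_RIGHT='Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  19 squidproxy-k$@DOMAIN.LAN
  19 HTTP/squid.domain.lan@DOMAIN.LAN
  19 host/squid.domain.lan@DOMAIN.LAN'

# The principal Squid's negotiate helper is configured with (its -s argument).
SPN='HTTP/squid.domain.lan@DOMAIN.LAN'

# Read a "klist -k" listing on stdin and check it against the SPN in $1.
# Prints OK/UNEXPECTED/MISSING lines; exit status is 0 only when the
# expected SPN is present and no other HTTP/ principal is left in the
# keytab (a stray HTTP/ entry means the keytab was built for the wrong
# name at some point and should be regenerated).
check_keytab_spn() {
    awk -v want="$1" '
        # Entry lines look like "  18 HTTP/host@REALM"; headers are skipped.
        NF == 2 && $1 ~ /^[0-9]+$/ {
            kvno = $1; princ = $2
            if (princ == want) {
                if (!found) print "OK", princ, "kvno=" kvno
                found = 1
            } else if (princ ~ /^HTTP\//) {
                if (!(princ in bad)) print "UNEXPECTED", princ, "kvno=" kvno
                bad[princ] = 1; nbad++
            }
        }
        END {
            if (!found) print "MISSING", want
            status = (found && nbad == 0) ? 0 : 1
            exit status
        }'
}

for listing in "$KEYTAB_WRONG" "$KEYTAB_RIGHT"; do
    if printf '%s\n' "$listing" | check_keytab_spn "$SPN"; then
        echo "keytab usable for $SPN"
    else
        echo "regenerate the keytab for $SPN"
    fi
done
```

Run it against the real file with `klist -k /etc/squid/PROXY.keytab | check_keytab_spn 'HTTP/<fqdn>@<REALM>'`; it checks names only, so a KVNO that no longer matches the account in AD still needs the KDC-side comparison.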


Re: [squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread Flashdown
I am answering too fast, but I am writing in my little break, so sorry 
for that :D Forget my last mail regarding "to call it correctly"; that 
was misleading and wrong. Sure, you are talking about the HTTP SPN which 
has the same KVNO. So if you want to get rid of it, delete the computer 
object, as you are updating all the SPNs that the Computer Object 
holds. If you use the Attribute Editor you may be able to modify the attribute 
servicePrincipalName and delete the wrong one and recreate the keytab 
afterwards, without deleting the Computer Object at all.




On 2018-02-05 16:39, Flashdown wrote:

Just to call it correctly, what is wrong is the host principal. After
you have deleted the computer object and waited for the object to
disappear on other DCs as well (if you have replication between DCs)
and rejoined it, it should be as you want it to be. Hope this helps
with your setup.

On 5 February 2018 16:12:29 CET, Flashdown wrote:


Delete the Computer Object in Active Directory to clear these SPNs
up.

On 5 February 2018 15:54:26 CET, erdosain9 wrote:


Hi to all.

The squid was working fine, but I made a mistake and... deleted the
proxy.keytab. I tried to do it again, but made a mistake in the
syntax.

wrong syntax (the real name is not squidproxy.domain.lan, it is
squid.domain.lan):

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.lan -k
/etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn
HTTP/squidproxy.domain.lan --server adw-1.domain.lan --verbose
--enctypes 28

Now I put the syntax right, but the keytab is wrong... why??

correct syntax:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squid.domain.lan -h
squid.domain.lan
-k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn
HTTP/squid.domain.lan --server adw-1.domain.lan --verbose
--enctypes 28

[root@squid squid]# ktutil
ktutil:  read_kt PROXY.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   18 squidproxy-k$@DOMAIN.LAN
   2   18 squidproxy-k$@DOMAIN.LAN
   3   18 squidproxy-k$@DOMAIN.LAN
   4   18 HTTP/squidproxy.domain@domain.lan
   5   18 HTTP/squidproxy.domain@domain.lan
   6   18 HTTP/squidproxy.domain@domain.lan
   7   18 host/squid.domain@domain.lan
   8   18 host/squid.domain@domain.lan
   9   18 host/squid.domain@domain.lan
  10   18 HTTP/squid.domain@domain.lan
  11   18 HTTP/squid.domain@domain.lan
  12   18 HTTP/squid.domain@domain.lan

Why squidproxy.DOMAIN.LAN? What can I do to solve this???

Thanks to all!!



[squid-users] Problem with Kerberos ticket keytab

2018-02-05 Thread erdosain9
Hi to all.

The squid was working fine, but I made a mistake and... deleted the
proxy.keytab. I tried to do it again, but made a mistake in the syntax.

wrong syntax (the real name is not squidproxy.domain.lan, it is
squid.domain.lan):

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.lan -k
/etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn
HTTP/squidproxy.domain.lan --server adw-1.domain.lan --verbose --enctypes 28

Now I put the syntax right, but the keytab is wrong... why??

correct syntax:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squid.domain.lan -h squid.domain.lan
-k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn
HTTP/squid.domain.lan --server adw-1.domain.lan --verbose --enctypes 28


[root@squid squid]# ktutil 
ktutil:  read_kt PROXY.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   18 squidproxy-k$@DOMAIN.LAN
   2   18 squidproxy-k$@DOMAIN.LAN
   3   18 squidproxy-k$@DOMAIN.LAN
   4   18 HTTP/squidproxy.domain@domain.lan
   5   18 HTTP/squidproxy.domain@domain.lan
   6   18 HTTP/squidproxy.domain@domain.lan
   7   18 host/squid.domain@domain.lan
   8   18 host/squid.domain@domain.lan
   9   18 host/squid.domain@domain.lan
  10   18 HTTP/squid.domain@domain.lan
  11   18 HTTP/squid.domain@domain.lan
  12   18 HTTP/squid.domain@domain.lan


Why squidproxy.DOMAIN.LAN? What can I do to solve this???

Thanks to all!!




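An added check, not from the thread, for the situation erdosain9 describes and Flashdown explains: it parses a `ktutil` "l" listing, flags service principals that belong to a host other than the proxy's FQDN (the leftover squidproxy SPNs the computer object still carried; they share the KVNO, so version numbers cannot tell them apart) and tests for the exact principal that a "Cannot decrypt ticket for ... using keytab key" error names. The listing below is a constructed sample modelled on the one in the post, with principals written out in full service/host@REALM form.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ktutil` "l" listing in the thread above;
# principal names are written out in the standard service/host@REALM form.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   18 squidproxy-k$@DOMAIN.LAN
   2   18 squidproxy-k$@DOMAIN.LAN
   3   18 squidproxy-k$@DOMAIN.LAN
   4   18 HTTP/squidproxy.domain.lan@DOMAIN.LAN
   5   18 HTTP/squidproxy.domain.lan@DOMAIN.LAN
   6   18 HTTP/squidproxy.domain.lan@DOMAIN.LAN
   7   18 host/squid.domain.lan@DOMAIN.LAN
   8   18 host/squid.domain.lan@DOMAIN.LAN
   9   18 host/squid.domain.lan@DOMAIN.LAN
  10   18 HTTP/squid.domain.lan@DOMAIN.LAN
  11   18 HTTP/squid.domain.lan@DOMAIN.LAN
  12   18 HTTP/squid.domain.lan@DOMAIN.LAN
"""

# slot, KVNO, principal; the `\s*` before the principal tolerates the missing
# space that mail reflowing sometimes introduces ("18HTTP/...").
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s*(\S+)\s*$")


def parse_ktutil_listing(text):
    """Return [(slot, kvno, principal), ...] from `ktutil` 'l' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def has_principal(entries, principal):
    """Exact match: Kerberos realms are case-sensitive, so HTTP/x@domain.lan
    is not the same key as HTTP/x@DOMAIN.LAN."""
    return any(p == principal for _, _, p in entries)


def audit_keytab(entries, expected_fqdn, realm):
    """Unique (principal, reason) pairs for keys that do not belong in this
    keytab: wrong realm, or a service principal for a host other than the
    proxy's own FQDN."""
    problems = []
    for _slot, _kvno, princ in entries:
        name, _, princ_realm = princ.rpartition("@")
        if princ_realm != realm:
            item = (princ, f"realm {princ_realm} is not {realm}")
        elif "/" in name:
            svc, host = name.split("/", 1)
            if host.lower() != expected_fqdn.lower():
                item = (princ, f"{svc} SPN for unexpected host {host}")
            else:
                continue
        else:
            continue  # the computer account itself (name$@REALM)
        if item not in problems:
            problems.append(item)
    return problems


def kvno_by_principal(entries):
    """All keys written from one computer object carry the same KVNO, which
    is why a stale SPN cannot be told apart from a good one by its version."""
    kv = defaultdict(set)
    for _slot, kvno, princ in entries:
        kv[princ].add(kvno)
    return {p: sorted(v) for p, v in kv.items()}


if __name__ == "__main__":
    entries = parse_ktutil_listing(SAMPLE_LISTING)
    for princ, reason in audit_keytab(entries, "squid.domain.lan", "DOMAIN.LAN"):
        print(f"stale: {princ}: {reason}")
    print("HTTP/squid.domain.lan@DOMAIN.LAN present:",
          has_principal(entries, "HTTP/squid.domain.lan@DOMAIN.LAN"))
```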

Re: [squid-users] Problem loading Facebook profiles

2018-01-12 Thread Antony Stone
On Friday 12 January 2018 at 17:39:09, Roberto Carna wrote:

> Dear, I have a Squid 3.5.27 proxy server with Squidguard in
> transparent mode, for HTTP and HTTPS traffic.

Please show us the Squid configuration file (omitting comments and blank lines) 
- that will show us what you've asked Squid to do.

> Everything is OK, except when I access Facebook and select a profile
> from any user: in this case, the profile load the name, picture, but
> doesn't load the other data at all (pictures, friends, comments,
> etc.).
> 
> I've tried to whitelist some hostname and IP's related to Facebook,
> but it doesn't work.
> 
> Please can you help me in put to work Facebook through Squid in
> transparent mode?

Show us what turns up in your Squid access log and your Squidguard blocking 
log (sorry, I'm not familiar with what this might properly be called, but I 
assume Squidguard has a log file showing which requests it has blocked) when 
such a request gets made.

Please try to:

a) restrict what you show us to only the user / IP making the request (no need 
to include other users' requests going through Squid at the same time)

b) include *everything* relating to that user, even if you think something 
might not be relevant

c) copy and paste the text from the log files, don't send a screenshot (sorry 
if that's obvious, but you might be surprised what some people do)


That will give us some idea of what's working and what isn't.


Regards,


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.


[squid-users] Problem loading Facebook profiles

2018-01-12 Thread Roberto Carna
Dear, I have a Squid 3.5.27 proxy server with Squidguard in
transparent mode, for HTTP and HTTPS traffic.

Everything is OK, except when I access Facebook and select a profile
from any user: in this case, the profile load the name, picture, but
doesn't load the other data at all (pictures, friends, comments,
etc.).

I've tried to whitelist some hostname and IP's related to Facebook,
but it doesn't work.

Please can you help me in put to work Facebook through Squid in
transparent mode?

Special thanks,

Robert


Re: [squid-users] Problem using auth digest

2017-12-06 Thread Amos Jeffries

On 07/12/17 03:59, aismel.valle wrote:

Hi guys,

Well, I implemented digest auth and it works fine only with the browser.
When I configure Internet Download Manager to download files it has
problems: it always shows me the authentication form and doesn't accept the
credentials. I know the data is fine because when I use the same
credentials in the browser it works.

Ideas???




What do you mean by "download manager"? Do you know what it is doing with HTTP?

Amos


[squid-users] Problem using auth digest

2017-12-06 Thread aismel . valle
Hi guys,

Well, I implemented digest auth and it works fine only with the browser.
When I configure Internet Download Manager to download files it has
problems: it always shows me the authentication form and doesn't accept the
credentials. I know the data is fine because when I use the same
credentials in the browser it works.

Ideas???

Thanks for any help

Best regards





Re: [squid-users] Problem with squid and acces to localhost ipv6

2017-11-09 Thread Amos Jeffries

On 10/11/17 02:58, Nicolás Hervé wrote:
Hi, I have a problem with some users who use pgadmin v4. Sometimes a 
"connection to ::1 failed" error appears when they enter 
http://localhost:55501/ and the system returns (111) connection refused. Why can 
this be happening? And how can I solve it?



The details you have provided do not contain any useful clues about the 
'why' question.  You will have to figure that out for yourself.


Check what IP addresses the pgadmin service is listening on. Does it 
actually listen on *all* localhost IP addresses? Or is it perhaps only 
listening on 127.0.0.1 - which despite 'common knowledge' is not the 
only localhost address even in IPv4.


Amos


[squid-users] Problem with squid and acces to localhost ipv6

2017-11-09 Thread Nicolás Hervé
Hi, I have a problem with some users who use pgadmin v4. Sometimes a
"connection to ::1 failed" error appears when they enter
http://localhost:55501/ and the system returns (111) connection refused. Why can
this be happening? And how can I solve it?

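The check Amos asks for, as an added example that is not part of the thread: a throwaway listener is bound to 127.0.0.1 only, standing in for a service started without an IPv6 listener, and every address that "localhost" resolves to is then probed. On a dual-stack host the ::1 probe comes back "refused" (the (111) ECONNREFUSED seen in the post) while 127.0.0.1 is "open". The listener picks a free port rather than the post's 55501.

```python
import errno
import socket


def localhost_addresses(port):
    """Every (family, sockaddr) that 'localhost' resolves to, in resolver order.
    On a dual-stack host this is typically ::1 first and then 127.0.0.1."""
    seen = []
    for fam, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            "localhost", port, type=socket.SOCK_STREAM):
        if (fam, sockaddr) not in seen:
            seen.append((fam, sockaddr))
    return seen


def probe(fam, sockaddr, timeout=1.0):
    """TCP-connect to one address; 'refused' is the (111) ECONNREFUSED case."""
    s = socket.socket(fam, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # e.g. EADDRNOTAVAIL when IPv6 is disabled on the host
        return "error:" + str(errno.errorcode.get(exc.errno, exc.errno))
    finally:
        s.close()


def probe_localhost(port):
    """Map each localhost address (as text) to the probe result for `port`."""
    return {sockaddr[0]: probe(fam, sockaddr)
            for fam, sockaddr in localhost_addresses(port)}


def listen_v4_only():
    """A throwaway service bound to 127.0.0.1 only, standing in for a pgadmin
    that was started without an IPv6 listener. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Start the v4-only listener and probe it over every localhost address."""
    srv, port = listen_v4_only()
    try:
        return probe_localhost(port)
    finally:
        srv.close()


if __name__ == "__main__":
    for addr, status in demo().items():
        print(f"{addr:>12}  {status}")
```

Run the same probe against the real service's port to see which localhost addresses it actually answers on.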

Re: [squid-users] problem squid squidguard with outlook 2016

2017-11-07 Thread Antony Stone
On Tuesday 07 November 2017 at 14:34:36, rmohammed wrote:

> I have a problem with outlook 2016 in my office,
> 
> When i activate squid and squidguard,

Is the behaviour the same if you use Squid without Squidguard?

> outlook stop to receive and send emails,
> 
> can anyone help me plz?

Tell us what you see in the access log when people attempt this.

Also, if there is any error message reported by Outlook 2016, please tell us 
what it says.


Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

   Please reply to the list;
 please *don't* CC me.


[squid-users] problem squid squidguard with outlook 2016

2017-11-07 Thread rmohammed
I have a problem with Outlook 2016 in my office.

When I activate Squid and SquidGuard,

Outlook stops receiving and sending emails.

Can anyone help me, please?

thanks





Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread Eliezer Croitoru
Hey iziz1,

Try to work with what Amos suggested.
Try to first turn on the Via, i.e.:
via on

and see if it still works fine.
If indeed it works fine then try to change the 
forwarded_for delete
into
forwarded_for transparent

and see what works for you.
It's better to leave Via on and not off.
But from what I understand it seems that this site (is it a bank?) is broken and 
their webmaster and security personnel should be aware of your findings for 
their sake.
It can cause their system to act in a very weird way.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Kurczewski, Bartłomiej (WP.PL) [mailto:iz...@poczta.wp.pl] 
Sent: Thursday, July 20, 2017 10:20
To: Eliezer Croitoru <elie...@ngtech.co.il>; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem with login to website by Squid web proxy 
3.5.20 on Centos 7

Hi Eliezer,
First of all I would like to thank you for fast answer.
And my second "thanks" is for your help.
Your solution works, and the problem has been solved.

Regards,
iziz1

On 2017-07-19 at 20:08, Eliezer Croitoru wrote:
> Hey iziz1,
> 
> Can you try to add the following to squid.conf and see if it affects anything:
> forwarded_for delete
> via off
> 
> http://www.squid-cache.org/Doc/config/via/
> http://www.squid-cache.org/Doc/config/forwarded_for/
> 
> And see if it changes anything?
> 
> Let Me Know if something changes,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Kurczewski, Bartłomiej (WP.PL)
> Sent: Tuesday, July 18, 2017 15:56
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Problem with login to website by Squid web proxy 
> 3.5.20 on Centos 7
> 
> Hi,
> I have a problem to login to one website (http://intouch.techdata.com)
> using Squid 3.5.20 on Centos 7 with default Squid configuration, which
> is acting as web proxy (non-transparent) on 3128 port in my network:
> 
> --
> #
> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
> machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443   # https
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210   # wais
> acl Safe_ports port 1025-65535# unregistered ports
> acl Safe_ports port 280   # http-mgmt
> acl Safe_ports port 488   # gss-http
> acl Safe_ports port 591   # filemaker
> acl Safe_ports port 777   # multiling http
> acl CONNECT method CONNECT
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refres

Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-20 Thread WP.PL
Hi Eliezer,
First of all I would like to thank you for fast answer.
And my second "thanks" is for your help.
Your solution works, and the problem has been solved.

Regards,
iziz1

On 2017-07-19 at 20:08, Eliezer Croitoru wrote:
> Hey iziz1,
> 
> Can you try to add the following to squid.conf and see if it affects anything:
> forwarded_for delete
> via off
> 
> http://www.squid-cache.org/Doc/config/via/
> http://www.squid-cache.org/Doc/config/forwarded_for/
> 
> And see if it changes anything?
> 
> Let Me Know if something changes,
> Eliezer
> 
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> 
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Kurczewski, Bartłomiej (WP.PL)
> Sent: Tuesday, July 18, 2017 15:56
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Problem with login to website by Squid web proxy 
> 3.5.20 on Centos 7
> 
> Hi,
> I have a problem to login to one website (http://intouch.techdata.com)
> using Squid 3.5.20 on Centos 7 with default Squid configuration, which
> is acting as web proxy (non-transparent) on 3128 port in my network:
> 
> --
> #
> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
> machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80# http
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443   # https
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210   # wais
> acl Safe_ports port 1025-65535# unregistered ports
> acl Safe_ports port 280   # http-mgmt
> acl Safe_ports port 488   # gss-http
> acl Safe_ports port 591   # filemaker
> acl Safe_ports port 777   # multiling http
> acl CONNECT method CONNECT
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:             1440    20%     10080
> refresh_pattern ^gopher:          1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
> refresh_pattern .                 0       20%     4320
> --
> 
> 
> In a FF browser with my Squid server settings I put the correct password on
> the techdata website, but the webpage redirects me to the same web form and
> doesn't allow me to login. The password is correct, because when I put a
> wrong password I get a JavaScript alert from this website that the password is
> incorrect.
> 
> When I disable using the Squid proxy in FF and use a normal PAT connection via
> my Juniper firewall everything works perfectly on the same machine and I
> can login to the TechData website.
> In Squid access.log I can see only this:
> 
> --

Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-19 Thread Amos Jeffries

On 20/07/17 06:08, Eliezer Croitoru wrote:

Hey iziz1,

Can you try to add the following to squid.conf and see if it affects anything:
forwarded_for delete
via off

http://www.squid-cache.org/Doc/config/via/
http://www.squid-cache.org/Doc/config/forwarded_for/

And see if it changes anything?



Er, try those one at a time.

If the forwarded_for delete works, also try "forwarded_for transparent" 
and use just that if sufficient.


Amos


Re: [squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-19 Thread Eliezer Croitoru
Hey iziz1,

Can you try to add the following to squid.conf and see if it affects anything:
forwarded_for delete
via off

http://www.squid-cache.org/Doc/config/via/
http://www.squid-cache.org/Doc/config/forwarded_for/

And see if it changes anything?

Let Me Know if something changes,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Kurczewski, Bartłomiej (WP.PL)
Sent: Tuesday, July 18, 2017 15:56
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with login to website by Squid web proxy 3.5.20 
on Centos 7

Hi,
I have a problem to login to one website (http://intouch.techdata.com)
using Squid 3.5.20 on Centos 7 with default Squid configuration, which
is acting as web proxy (non-transparent) on 3128 port in my network:

--
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
--


In a FF browser with my Squid server settings I put the correct password on
the techdata website, but the webpage redirects me to the same web form and
doesn't allow me to login. The password is correct, because when I put a
wrong password I get a JavaScript alert from this website that the password is
incorrect.

When I disable using the Squid proxy in FF and use a normal PAT connection via
my Juniper firewall everything works perfectly on the same machine and I
can login to the TechData website.
In Squid access.log I can see only this:

-
1500364995.497    140 10.48.22.33 TCP_MISS/302 735 GET
http://intouch.techdata.com/intouch/Home.aspx? -
HIER_DIRECT/192.230.78.204 text/html
-

I suspect some problems with redirection on the TechData website, but I spent
hours on the Internet to find a solution, unfortunately without success.
Maybe you can help me?

Regards,
iziz1



[squid-users] Problem with login to website by Squid web proxy 3.5.20 on Centos 7

2017-07-18 Thread WP.PL
Hi,
I have a problem to login to one website (http://intouch.techdata.com)
using Squid 3.5.20 on Centos 7 with default Squid configuration, which
is acting as web proxy (non-transparent) on 3128 port in my network:

--
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
--


In a FF browser with my Squid server settings I put the correct password on
the techdata website, but the webpage redirects me to the same web form and
doesn't allow me to login. The password is correct, because when I put a
wrong password I get a JavaScript alert from this website that the password is
incorrect.

When I disable using the Squid proxy in FF and use a normal PAT connection via
my Juniper firewall everything works perfectly on the same machine and I
can login to the TechData website.
In Squid access.log I can see only this:

-
1500364995.497    140 10.48.22.33 TCP_MISS/302 735 GET
http://intouch.techdata.com/intouch/Home.aspx? -
HIER_DIRECT/192.230.78.204 text/html
-

I suspect some problems with redirection on the TechData website, but I spent
hours on the Internet to find a solution, unfortunately without success.
Maybe you can help me?

Regards,
iziz1



Re: [squid-users] Problem with Squid3 Authentication ( after sambaupgrades )

2017-05-23 Thread L . P . H . van Belle
Hi Amos and others. 

It's not a "samba" thing or a squid thing.
Maybe in the end yes, but this is a configuration thing.

For you guys to know, samba AD DC sets up this parameter as default:
 ldap server require strong auth = yes
which obligates the use of TLS.

Next, users don't configure /etc/ldap/ldap.conf when they use TLS.
Squid and samba may need the CA root if you use TLS,
which should go in ldap.conf:
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

Samba sets these days:
ntlm auth = no
lanman auth = no

which disables NTLMv1, and last, users don't know Kerberos and the need for A/PTR
records.

For others, I've posted an example auth setup and smb.conf setup for squid on
Debian Jessie.
Tested as of squid 3.4.8 up to 3.5.24 (with and without SSL bumping).
Google for: Problems with Samba 4.6.3 Authentication
Post date 23 May 2017

When upgrading samba/winbind from 4.2 up to 4.5 or 4.6,
you MUST read the change logs at least for every samba 4.X.0 version,
at least 4.2.0 4.3.0 4.4.0 4.5.0 and 4.6.0.

https://www.samba.org/samba/history/
Look at the smb.conf changes.
Like this one for 4.5:
smb.conf changes


  Parameter Name             Description      Default
  --------------             -----------      -------
  kccsrv:samba_kcc           Changed default  yes
  ntlm auth                  Changed default  no
  only user                  Removed
  password hash gpg key ids  New
  shadow:snapprefix          New
  shadow:delimiter           New              _GMT
  smb2 leases                Changed default  yes
  username                   Removed



Greetz, 

Louis



 

> -Original Message-
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
> Amos Jeffries
> Sent: Monday, 22 May 2017 22:46
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Squid3 Authentication
> 
> On 23/05/17 02:15, Marcio Demetrio Bacci wrote:
> > I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but 
> now my Squid 
> > authentication doesn't work.
> >
> > In samba 4.2.1 is working properly.
> >
> > This is my authentication block:
> >
> >
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
> > DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
> > -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f 
> "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored auth_param basic 
> > credentialsttl 8 hours auth_param basic casesensitive off
> >
> > I'm using Squid 3.4.8
> >
> > Can anybody help me ?
> 
> If the only thing that changed was Samba it's clearly an issue 
> with that end of the system.
> 
> I suggest you compare those LDAP parameters with what the new 
> Samba version needs, and if there is no issue there please 
> contact your vendor or the Samba help channels.
> 
> Amos
> 


Re: [squid-users] Problem with Squid3 Authentication

2017-05-22 Thread Amos Jeffries

On 23/05/17 02:15, Marcio Demetrio Bacci wrote:
I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid 
authentication doesn't work.


In samba 4.2.1 it was working properly.

This is my authentication block:


auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br 
-w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"

auth_param basic children 50
auth_param basic realm Access Monitored
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off

I'm using Squid 3.4.8

Can anybody help me ?


If the only thing that changed was Samba, it's clearly an issue with that 
end of the system.

I suggest you compare those LDAP parameters with what the new Samba 
version needs, and if there is no issue there, please contact your vendor 
or the Samba help channels.


Amos



[squid-users] Problem with Squid3 Authentication

2017-05-22 Thread Marcio Demetrio Bacci
I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid
authentication doesn't work.

In Samba 4.2.1 it was working properly.

This is my authentication block:


auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w
password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Access Monitored
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off

I'm using Squid 3.4.8

Can anybody help me?

Regards,

Márcio Bacci


Re: [squid-users] Problem with basic_ldap_auth

2017-03-30 Thread Max Giesbert
Thank you so much! That did the trick. You made my day :-D

Amos Jeffries wrote on Wed., 29 March 2017 at 03:08:

> On 29/03/2017 2:54 a.m., Max Giesbert wrote:
> > Hi everyone,
> >
> > I am running Squid from the repos on Ubuntu 16.04. I can log in to Squid
> > using basic_ncsa_auth without problems. When I replace the corresponding line
> > to use basic_ldap_auth I am unable to log in. The browser keeps requesting
> > the user credentials over and over again.
> >
> > If I run the command in a shell it works as expected. I type:
> >
> > /usr/lib/squid/basic_ldap_auth -v 3 -b ou="MYOU",dc=DOMAINNAME,dc=TLD -D
> > ldap_squid@MYDOMAIN -w "THEPASSWORD" -f sAMAccountName=%s -h MYHOST
> >
> > Then I type username and password separated by a space and it gives "OK"
> or
> > ERR if wrong credentials are provided.
> >
> > Any hints what could be wrong? How can I debug further what is actually
> > happening behind the scenes?
> >
>
> Why do you have quotes around the MYOU?
> If that includes spaces or special characters, you need quotes around
> the whole "ou=...dc=TLD" parameter for Squid to pass it to the helper as
> a single command-line option.
>
> Amos
>
>
-- 
Dipl. Inf. (FH) Max Giesbert
Managing Director

exactt technology GmbH

Mobile: +49 17 75 07 53 44
Landline: +49 89 38 15 64 42 1
Fax: +49 89 38 15 64 42 5
Web: http://exactt.de

Fäustlestraße 3
80339 München
Germany

Remote support:
https://get.teamviewer.com/y5kz3vc

Registered office: München
Register court: Amtsgericht München, HRB 213444
Managing Directors: Max Giesbert, Roman Weiss


Re: [squid-users] Problem with basic_ldap_auth

2017-03-28 Thread Amos Jeffries
On 29/03/2017 2:54 a.m., Max Giesbert wrote:
> Hi everyone,
> 
> I am running Squid from the repos on Ubuntu 16.04. I can log in to Squid
> using basic_ncsa_auth without problems. When I replace the corresponding line
> to use basic_ldap_auth I am unable to log in. The browser keeps requesting
> the user credentials over and over again.
> 
> If I run the command in a shell it works as expected. I type:
> 
> /usr/lib/squid/basic_ldap_auth -v 3 -b ou="MYOU",dc=DOMAINNAME,dc=TLD -D
> ldap_squid@MYDOMAIN -w "THEPASSWORD" -f sAMAccountName=%s -h MYHOST
> 
> Then I type username and password separated by a space and it gives "OK" or
> ERR if wrong credentials are provided.
> 
> Any hints what could be wrong? How can I debug further what is actually
> happening behind the scenes?
> 

Why do you have quotes around the MYOU?
If that includes spaces or special characters, you need quotes around
the whole "ou=...dc=TLD" parameter for Squid to pass it to the helper as
a single command-line option.

Amos

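A way to reproduce Amos's point and Max's manual helper test offline, as an added example that is not part of this thread or of Squid: it drives a helper over Squid's basic-auth stdin/stdout protocol with an explicit argv list, once with the base DN passed as one argument and once split at the space. The stand-in helper, the base DN "ou=My OU,dc=example,dc=com" and the user table are constructed; that Squid 3.x rfc1738-encodes the two credential fields before writing them is an assumption.

```python
"""Drive a Squid basic-auth helper the way Squid does, to debug a login loop.

Added example for this thread, not Squid's own code. Squid starts the helper
with an argv list (no shell), writes one "username password" line per request
to its stdin and reads "OK" or "ERR" back. Assumptions, labelled: Squid 3.x
rfc1738-encodes both fields before sending them; the stand-in helper below is
constructed for offline use and only emulates basic_ldap_auth's interface.
"""
import os
import subprocess
import sys
import tempfile
import urllib.parse

# Constructed stand-in for /usr/lib/squid/basic_ldap_auth. A real helper would
# bind to LDAP and search under the -b base; this one checks that the base DN
# arrived as ONE argument and answers from a fixed user table instead.
FAKE_HELPER = r'''
import sys
import urllib.parse
EXPECTED_BASE = "ou=My OU,dc=example,dc=com"   # constructed base DN with a space
USERS = {"alice": "s3cret"}                    # constructed directory
args = sys.argv[1:]
base = args[args.index("-b") + 1] if "-b" in args else ""
for line in sys.stdin:
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or base != EXPECTED_BASE:
        print("ERR", flush=True)   # a wrong search base makes every lookup fail
        continue
    user, password = (urllib.parse.unquote(p) for p in parts)
    print("OK" if USERS.get(user) == password else "ERR", flush=True)
'''


def write_fake_helper():
    """Materialise the stand-in helper and return the argv prefix to run it."""
    path = os.path.join(tempfile.mkdtemp(), "fake_ldap_auth.py")
    with open(path, "w") as fh:
        fh.write(FAKE_HELPER)
    return [sys.executable, path]


def check_credentials(helper_argv, username, password):
    """Send one request to the helper exactly as Squid would; True on OK."""
    # Both fields are encoded so a password containing a space still arrives
    # as one token (assumption: rfc1738 encoding, as Squid 3.x does).
    line = "%s %s\n" % (urllib.parse.quote(username, safe=""),
                        urllib.parse.quote(password, safe=""))
    proc = subprocess.run(helper_argv, input=line, capture_output=True,
                          text=True, timeout=10)
    reply = proc.stdout.split("\n", 1)[0] if proc.stdout else ""
    return reply.startswith("OK")


def demo():
    """Compare a correctly quoted base DN with one split at the space."""
    helper = write_fake_helper()
    # With quotes around the whole value in squid.conf the helper gets one arg.
    quoted_whole = helper + ["-b", "ou=My OU,dc=example,dc=com",
                             "-f", "sAMAccountName=%s"]
    # With quotes only around the OU the value is split at the space and the
    # helper sees two arguments: every lookup then fails, so the browser keeps
    # asking for credentials.
    split_at_space = helper + ["-b", 'ou="My', 'OU",dc=example,dc=com',
                               "-f", "sAMAccountName=%s"]
    return {
        "right_password": check_credentials(quoted_whole, "alice", "s3cret"),
        "wrong_password": check_credentials(quoted_whole, "alice", "wrong"),
        "split_base_dn": check_credentials(split_at_space, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-15s -> %s" % (name, "OK" if ok else "ERR"))
```

To test a real installation, replace the stand-in argv with the exact helper path and arguments from squid.conf and watch whether every request comes back ERR.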


[squid-users] Problem with basic_ldap_auth

2017-03-28 Thread Max Giesbert
Hi everyone,

I am running Squid from the repos on Ubuntu 16.04. I can log in to Squid
using basic_ncsa_auth without problems. When I replace the corresponding line
to use basic_ldap_auth I am unable to log in. The browser keeps requesting
the user credentials over and over again.

If I run the command in a shell it works as expected. I type:

/usr/lib/squid/basic_ldap_auth -v 3 -b ou="MYOU",dc=DOMAINNAME,dc=TLD -D
ldap_squid@MYDOMAIN -w "THEPASSWORD" -f sAMAccountName=%s -h MYHOST

Then I type username and password separated by a space and it gives "OK" or
ERR if wrong credentials are provided.

Any hints what could be wrong? How can I debug further what is actually
happening behind the scenes?

Thx for your help.

Max
-- 
Dipl. Inf. (FH) Max Giesbert
Managing Director

exactt technology GmbH

Mobile: +49 17 75 07 53 44
Landline: +49 89 38 15 64 42 1
Fax: +49 89 38 15 64 42 5
Web: http://exactt.de

Fäustlestraße 3
80339 München
Germany

Remote support:
https://get.teamviewer.com/y5kz3vc

Registered office: München
Register court: Amtsgericht München, HRB 213444
Managing Directors: Max Giesbert, Roman Weiss


Re: [squid-users] Problem building Squid4

2017-01-12 Thread matg2s
Hi Rafael,

I actually stumbled on your project (and I've gotta say it's very impressive
and well made/documented) in the past.
I did try adapting it to Squid 4.0 but wasn't able to. The dsc file expects
a "3.5.23" tar.gz, and then there were some problems with the patches and other
errors, so I gave up :-)

I will try it again unless someone succeeded with this and will of course
update.
Thanks!
Matt





Re: [squid-users] Problem building Squid4

2017-01-12 Thread Rafael Akchurin
Hello Matt,

This is how we repackage Debian 8's 3.5.23 into Ubuntu 16. It is pretty easy - 
https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html
I hope you can adapt the build instructions for Squid 4. 

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of matg2s
Sent: Thursday, January 12, 2017 8:59 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem building Squid4

Hi,

OK, I'm not sure why, but it seems that using the following configure fixed
this:
./configure --disable-external-acl-helpers --enable-ssl-crtd --with-openssl 
--datadir=/usr/share/squid --sysconfdir=/etc/squid --libexecdir=/usr/lib/squid 
--mandir=/usr/share/man --with-swapdir=/var/spool/squid 
--with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid 
--without-mit-krb5 --without-heimdal-krb5 --with-default-user=proxy 
'PKG_CONFIG_PATH=/usr/local/lib'

Eliezer - thanks! I'd love to try and build/get a deb package for Squid 4. 
Could you please point me to the deb packages others are building, or to your 
scripts if you happen to have some that do that?

Thanks!
Matt





Re: [squid-users] Problem building Squid4

2017-01-12 Thread matg2s
Hi,

OK, I'm not sure why, but it seems that using the following configure fixed
this:
./configure --disable-external-acl-helpers --enable-ssl-crtd --with-openssl
--datadir=/usr/share/squid --sysconfdir=/etc/squid
--libexecdir=/usr/lib/squid --mandir=/usr/share/man
--with-swapdir=/var/spool/squid --with-logdir=/var/log/squid
--with-pidfile=/var/run/squid.pid --without-mit-krb5 --without-heimdal-krb5
--with-default-user=proxy 'PKG_CONFIG_PATH=/usr/local/lib'

Eliezer - thanks! I'd love to try and build/get a deb package for Squid 4. 
Could you please point me to the deb packages others are building, or to your
scripts if you happen to have some that do that?

Thanks!
Matt





Re: [squid-users] Problem building Squid4

2017-01-10 Thread Eliezer Croitoru
I have compiled squid 4.0.17 on 16.04 fully updated and it's available in 
tar.xz at:
http://ngtech.co.il/repo/bin/ubuntu/1604/beta/

I am still planning to put it inside a deb file but for now there are others 
who do that so I am just building it to make sure it builds and works as 
expected.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of matg2s
Sent: Sunday, January 8, 2017 11:32 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem building Squid4

Hey,

I'm trying to compile Squid 4 (on Ubuntu 14/16) and am getting the following
error:

In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h: In instantiation of ‘void 
RefCount::dereference(const C*) [with C = AnyP::PortCfg]’:
../../src/base/RefCount.h:35:20:   required from ‘RefCount::~RefCount()
[with C = AnyP::PortCfg]’
../../src/servers/Server.h:31:23:   required from here
../../src/base/RefCount.h:96:40: error: invalid use of incomplete type ‘const 
class AnyP::PortCfg’
 if (tempP_ && tempP_->unlock() == 0)
 ^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class 
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: error: possible problem detected in invocation 
of delete operator: [-Werror=delete-incomplete]
 delete tempP_;
 ^
../../src/base/RefCount.h:93:19: error: ‘tempP_’ has incomplete type [-Werror]
 C const (*tempP_) (p_);
   ^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class 
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: note: neither the destructor nor the 
class-specific operator delete will be called, even if they are declared when 
the class is defined
 delete tempP_;
 ^
cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’
[-Werror]

I'm using the following to build:
wget http://www.squid-cache.org/Versions/v4/squid-4.0.17.tar.gz
I used various configurations, from:
./configure --enable-ssl-crtd
to
./configure --sysconfdir=/etc/squid  --mandir=/usr/share/man 
--with-default-user=proxy  --disable-maintainer-mode 
--disable-dependency-tracking  --enable-inline  --enable-async-io=8 
--enable-storeio="ufs,aufs,diskd"  --enable-removal-policies="lru,heap" 
--enable-poll  --enable-delay-pools  --enable-cache-digests --enable-snmp 
--enable-htcp  --enable-select  --enable-carp  --with-large-files 
--enable-underscores  --disable-arch-native  --disable-auth 
--with-krb5-config=no  --disable-external-acl-helpers  --disable-eui
--with-filedescriptors=65536  --enable-epoll  --enable-linux-netfilter 
--enable-ssl-crtd --with-openssl 

and then "make", but I keep getting compilation errors, and the problem seems 
to lie with sslcrtd. 
I used the following versions:
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
g++ (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
But also other gcc versions (4.8, 4.9 and later) and even clang (3.5) but to no 
avail.

Any help would be appreciated!
Thanks,
Matt





Re: [squid-users] Problem building Squid4

2017-01-08 Thread Eliezer Croitoru
If I have time, I will try to build a tar.xz of the latest 4 branch on 
16.04.
The last one I built was 4.0.14.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of matg2s
Sent: Sunday, January 8, 2017 11:32 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem building Squid4

Hey,

I'm trying to compile Squid 4 (on Ubuntu 14/16) and am getting the following
error:

In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h: In instantiation of ‘void 
RefCount::dereference(const C*) [with C = AnyP::PortCfg]’:
../../src/base/RefCount.h:35:20:   required from ‘RefCount::~RefCount()
[with C = AnyP::PortCfg]’
../../src/servers/Server.h:31:23:   required from here
../../src/base/RefCount.h:96:40: error: invalid use of incomplete type ‘const 
class AnyP::PortCfg’
 if (tempP_ && tempP_->unlock() == 0)
 ^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class 
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: error: possible problem detected in invocation 
of delete operator: [-Werror=delete-incomplete]
 delete tempP_;
 ^
../../src/base/RefCount.h:93:19: error: ‘tempP_’ has incomplete type [-Werror]
 C const (*tempP_) (p_);
   ^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class 
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: note: neither the destructor nor the 
class-specific operator delete will be called, even if they are declared when 
the class is defined
 delete tempP_;
 ^
cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’
[-Werror]

I'm using the following to build:
wget http://www.squid-cache.org/Versions/v4/squid-4.0.17.tar.gz
I used various configurations, from:
./configure --enable-ssl-crtd
to
./configure --sysconfdir=/etc/squid  --mandir=/usr/share/man 
--with-default-user=proxy  --disable-maintainer-mode 
--disable-dependency-tracking  --enable-inline  --enable-async-io=8 
--enable-storeio="ufs,aufs,diskd"  --enable-removal-policies="lru,heap" 
--enable-poll  --enable-delay-pools  --enable-cache-digests --enable-snmp 
--enable-htcp  --enable-select  --enable-carp  --with-large-files 
--enable-underscores  --disable-arch-native  --disable-auth 
--with-krb5-config=no  --disable-external-acl-helpers  --disable-eui
--with-filedescriptors=65536  --enable-epoll  --enable-linux-netfilter 
--enable-ssl-crtd --with-openssl 

and then "make", but I keep getting compilation errors, and the problem seems 
to lie with sslcrtd. 
I used the following versions:
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
g++ (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
But also other gcc versions (4.8, 4.9 and later) and even clang (3.5) but to no 
avail.

Any help would be appreciated!
Thanks,
Matt





Re: [squid-users] Problem building Squid4

2017-01-08 Thread Alex Rousskov
On 01/08/2017 02:31 AM, matg2s wrote:

> I'm trying to compile Squid 4 (on Ubuntu 14/16) and am getting the following
> error:

Builds OK here with similar SSL-related ./configure options. Could be an
OpenSSL library version incompatibility or a similar problem. If you are
building with OpenSSL v1.0, then I suggest posting complete build log or
at least your "./configure ..." output. Otherwise, try that version
instead of OpenSSL v1.1.

Alex.


> In file included from ../../src/base/AsyncCall.h:14:0,
>  from ../../src/comm/IoCallback.h:12,
>  from ../../src/comm.h:12,
>  from ../../src/client_side.h:16,
>  from ServerBump.cc:13:
> ../../src/base/RefCount.h: In instantiation of ‘void
> RefCount::dereference(const C*) [with C = AnyP::PortCfg]’:
> ../../src/base/RefCount.h:35:20:   required from ‘RefCount::~RefCount()
> [with C = AnyP::PortCfg]’
> ../../src/servers/Server.h:31:23:   required from here
> ../../src/base/RefCount.h:96:40: error: invalid use of incomplete type
> ‘const class AnyP::PortCfg’
>  if (tempP_ && tempP_->unlock() == 0)
> ^
> In file included from ../../src/MasterXaction.h:12:0,
>  from ../../src/CommCalls.h:16,
>  from ../../src/comm.h:13,
>  from ../../src/client_side.h:16,
>  from ServerBump.cc:13:
> ../../src/anyp/forward.h:17:7: note: forward declaration of ‘class
> AnyP::PortCfg’
>  class PortCfg;
>^
> In file included from ../../src/base/AsyncCall.h:14:0,
>  from ../../src/comm/IoCallback.h:12,
>  from ../../src/comm.h:12,
>  from ../../src/client_side.h:16,
>  from ServerBump.cc:13:
> ../../src/base/RefCount.h:97:13: error: possible problem detected in
> invocation of delete operator: [-Werror=delete-incomplete]
>  delete tempP_;
>  ^
> ../../src/base/RefCount.h:93:19: error: ‘tempP_’ has incomplete type
> [-Werror]
>  C const (*tempP_) (p_);
>^
> In file included from ../../src/MasterXaction.h:12:0,
>  from ../../src/CommCalls.h:16,
>  from ../../src/comm.h:13,
>  from ../../src/client_side.h:16,
>  from ServerBump.cc:13:
> ../../src/anyp/forward.h:17:7: note: forward declaration of ‘class
> AnyP::PortCfg’
>  class PortCfg;
>^
> In file included from ../../src/base/AsyncCall.h:14:0,
>  from ../../src/comm/IoCallback.h:12,
>  from ../../src/comm.h:12,
>  from ../../src/client_side.h:16,
>  from ServerBump.cc:13:
> ../../src/base/RefCount.h:97:13: note: neither the destructor nor the
> class-specific operator delete will be called, even if they are declared
> when the class is defined
>  delete tempP_;
>  ^
> cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’
> [-Werror]
> 
> I'm using the following to build:
> wget http://www.squid-cache.org/Versions/v4/squid-4.0.17.tar.gz
> I used various configurations, from:
> ./configure --enable-ssl-crtd
> to 
> ./configure --sysconfdir=/etc/squid  --mandir=/usr/share/man 
> --with-default-user=proxy  --disable-maintainer-mode 
> --disable-dependency-tracking  --enable-inline  --enable-async-io=8
> --enable-storeio="ufs,aufs,diskd"  --enable-removal-policies="lru,heap" 
> --enable-poll  --enable-delay-pools  --enable-cache-digests --enable-snmp 
> --enable-htcp  --enable-select  --enable-carp  --with-large-files 
> --enable-underscores  --disable-arch-native  --disable-auth
> --with-krb5-config=no  --disable-external-acl-helpers  --disable-eui
> --with-filedescriptors=65536  --enable-epoll  --enable-linux-netfilter
> --enable-ssl-crtd --with-openssl 
> 
> and then "make", but I keep getting compilation errors, and the problem
> seems to lie with sslcrtd. 
> I used the following versions:
> gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
> g++ (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
> But also other gcc versions (4.8, 4.9 and later) and even clang (3.5) but to
> no avail.
> 
> Any help would be appreciated!
> Thanks,
> Matt
> 
> 
> 


[squid-users] Problem building Squid4

2017-01-08 Thread matg2s
Hey,

I'm trying to compile Squid 4 (on Ubuntu 14/16) and am getting the following
error:

In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h: In instantiation of ‘void
RefCount::dereference(const C*) [with C = AnyP::PortCfg]’:
../../src/base/RefCount.h:35:20:   required from ‘RefCount::~RefCount()
[with C = AnyP::PortCfg]’
../../src/servers/Server.h:31:23:   required from here
../../src/base/RefCount.h:96:40: error: invalid use of incomplete type
‘const class AnyP::PortCfg’
 if (tempP_ && tempP_->unlock() == 0)
^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: error: possible problem detected in
invocation of delete operator: [-Werror=delete-incomplete]
 delete tempP_;
 ^
../../src/base/RefCount.h:93:19: error: ‘tempP_’ has incomplete type
[-Werror]
 C const (*tempP_) (p_);
   ^
In file included from ../../src/MasterXaction.h:12:0,
 from ../../src/CommCalls.h:16,
 from ../../src/comm.h:13,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/anyp/forward.h:17:7: note: forward declaration of ‘class
AnyP::PortCfg’
 class PortCfg;
   ^
In file included from ../../src/base/AsyncCall.h:14:0,
 from ../../src/comm/IoCallback.h:12,
 from ../../src/comm.h:12,
 from ../../src/client_side.h:16,
 from ServerBump.cc:13:
../../src/base/RefCount.h:97:13: note: neither the destructor nor the
class-specific operator delete will be called, even if they are declared
when the class is defined
 delete tempP_;
 ^
cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’
[-Werror]

I'm using the following to build:
wget http://www.squid-cache.org/Versions/v4/squid-4.0.17.tar.gz
I used various configurations, from:
./configure --enable-ssl-crtd
to 
./configure --sysconfdir=/etc/squid  --mandir=/usr/share/man 
--with-default-user=proxy  --disable-maintainer-mode 
--disable-dependency-tracking  --enable-inline  --enable-async-io=8
--enable-storeio="ufs,aufs,diskd"  --enable-removal-policies="lru,heap" 
--enable-poll  --enable-delay-pools  --enable-cache-digests --enable-snmp 
--enable-htcp  --enable-select  --enable-carp  --with-large-files 
--enable-underscores  --disable-arch-native  --disable-auth
--with-krb5-config=no  --disable-external-acl-helpers  --disable-eui
--with-filedescriptors=65536  --enable-epoll  --enable-linux-netfilter
--enable-ssl-crtd --with-openssl 

and then "make", but I keep getting compilation errors, and the problem
seems to lie with sslcrtd. 
I used the following versions:
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
g++ (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
But also other gcc versions (4.8, 4.9 and later) and even clang (3.5) but to
no avail.

Any help would be appreciated!
Thanks,
Matt





Re: [squid-users] problem authentication ntlm with squid 3.5.21

2017-01-03 Thread Amos Jeffries

On 2017-01-04 03:14, ama...@tin.it wrote:

> Hello
> I upgraded squid from 3.4.9-20141203-r13193 to 3.5.21-20160908-r14081 and
> I have a problem with NTLM authentication in a transparent configuration:
> Squid doesn't switch to HTTPS and so it doesn't authenticate.


This doesn't compute. Your config below has nothing to do with NTLM or 
HTTPS.




> In my older version the configuration is like this:
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours


Three problems here:

1) Without a "program" line specified, the above does nothing.

2) The above lines are for *Basic* auth, not NTLM.

3) A "transparent" interception proxy cannot perform authentication.




> cache_peer xxx.xxx.xxx.xxx parent 3128 0 no-query no-digest sourcehash name=PRX_ONE
>
> cache_peer yyy.yyy.yyy.yyy parent 3128 0 no-query no-digest sourcehash
> name=PRX_TWO
>
> That works, but after I upgraded, if I use HTTP it doesn't authenticate.


See above.

If the parent(s) are performing NTLM authentication you need the 
login=PASSTHRU option to be specified on the cache_peer lines and to 
remove the auth_param settings.


HTH
Amos



[squid-users] problem authentication ntlm with squid 3.5.21

2017-01-03 Thread ama...@tin.it
Hello
I upgraded squid from 3.4.9-20141203-r13193 to 3.5.21-20160908-r14081 and
I have a problem with NTLM authentication in a transparent configuration:
Squid doesn't switch to HTTPS and so it doesn't authenticate.
In my older version the configuration is like this:


auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

cache_peer xxx.xxx.xxx.xxx parent 3128 0 no-query no-digest sourcehash name=PRX_ONE

cache_peer yyy.yyy.yyy.yyy parent 3128 0 no-query no-digest sourcehash 
name=PRX_TWO

That works, but after I upgraded, if I use HTTP it doesn't authenticate.
Thank you

Best regards,
Mau


Re: [squid-users] Problem with ssl_crtd

2016-12-29 Thread Eduardo Carneiro
I admit that I am sad because it is a bug and has not been solved yet. This
way, I will not be able to use this feature until this bug is solved, because
if I enable ssl-bump on my port, Squid sporadically stops.

Here is the part of my squid.conf that matters for us. I use url rewrite, store
id and some regular expressions to cache dynamic content like YouTube, for
example.

---
url_rewrite_program /usr/local/bin/simplerewrite

acl rewritedoms dstdomain .ubuntu.com .fbcdn.net .akamaihd.net
acl yt url_regex -i googlevideo.*videoplayback
acl globo url_regex -i ^https?:\/\/voddownload[0-9]+\.video\.globo\.com.*
acl ubuntu url_regex -i ^https?:\/\/.*ubuntu.*.iso$
acl getmethod method GET

range_offset_limit none
quick_abort_min -1 KB

store_id_program /usr/local/bin/dynamic-cache -file
/usr/local/etc/dynamic-cache-db.txt
store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp referer=%{Referer}>h"
store_id_children 40 startup=10 idle=5 concurrency=0
store_id_access deny !getmethod
store_id_access allow rewritedoms
store_id_access allow yt
store_id_access allow globo
store_id_access allow ubuntu
store_id_access deny all

refresh_pattern -i squid\.internal 10080 90% 79900 override-lastmod
override-expire ignore-reload ignore-no-store ignore-must-revalidate
ignore-private ignore-auth ignore-no-cache
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms\.*).*$ 
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)\.*).*$ 
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i
\.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav\.*).*$
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)\.*).*$
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims

acl text-plain rep_mime_type text/plain
acl youtube_dom dstdomain .googlevideo.com
store_miss deny text-plain youtube_dom
send_hit deny text-plain youtube_dom

http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/ProxyCert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

strip_query_terms off
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
ssl_bump none localhost
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 128 MB
snmp_port 3401
max_filedescriptors 40960
detect_broken_pconn on
pipeline_prefetch off
half_closed_clients off
shutdown_lifetime 1 second
cache_mgr u...@domain.com
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
balance_on_multiple_ip off

acl PURGE method PURGE
http_access deny PURGE !localhost

cache_mem 2097152 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 2048 KB
maximum_object_size 2 GB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /proxycache 307200 16 256
cache_access_log /var/log/squid/access.log
memory_pools off
log_icp_queries off
buffered_logs on
half_closed_clients off

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
"dc=domain,dc=com" -D u...@domain.com -w password -f
(|(userPrincipalName=%s)(sAMAccountName=%s)) -h dcserver.domain.com
auth_param basic children 10
auth_param basic realm Enter you password
auth_param basic credentialsttl 1 minute
---

If you find something wrong, please let me know.

Thanks.




