Re: [squid-users] Unable to get username in logs for access denied(HTTP 407)
On 19/11/2014 10:36 p.m., santosh wrote:
> Hello Team,
> We have set up a Squid proxy server and the backend authentication is through OpenLDAP. Each user is given a unique id and password. We have been tracking the logs for access denied results, and it has been found that Squid hasn't been logging the username; in its place there is - HIER_NONE/-. Below are sample logs. What could be the reason?

There is no authenticated username for that transaction.

Amos

___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Unable to get username in logs for access denied(HTTP 407)
I have got a fresh set of logs. My username is spai and I'm already authenticated. One of the sites, www.flipkart.com, is blocked and I accessed it for testing purposes, but the user name is still not shown.

1416392601.192 2427 192.168.4.7 TCP_MISS/302 874 GET http://cc.chango.com/c/o? spai HIER_DIRECT/184.30.51.146 text/html
1416392601.243 46 192.168.4.7 TCP_MISS/302 1100 GET http://cm.g.doubleclick.net/pixel? spai HIER_DIRECT/74.125.236.185 text/html
1416392601.808 562 192.168.4.7 TCP_MISS/200 704 GET http://gcm.chango.com/collector/relator? spai HIER_DIRECT/173.192.202.135 image/gif
1416392605.309 209269 192.168.4.12 TCP_MISS/200 5107 CONNECT 0.client-channel.google.com:443 - HIER_DIRECT/74.125.130.189 -
1416392606.919 23334 192.168.4.6 TCP_MISS/200 2074 GET http://www.cricbuzz.com/cbz_pub/fetch? irfan HIER_DIRECT/119.81.109.21 application/octet-stream
1416392607.728 0 192.168.4.7 TCP_DENIED/403 3945 GET http://www.flipkart.com/ - HIER_NONE/- text/html
1416392607.928 24 192.168.4.7 TCP_HIT/200 13092 GET http://www.squid-cache.org/Artwork/SN.png spai HIER_NONE/- image/png
1416392607.945 0 192.168.4.7 TCP_DENIED/403 3839 GET http://www.flipkart.com/favicon.ico - HIER_NONE/- text/html
Re: [squid-users] Centralized Squid - design and implementation
One word of caution: pactester uses the Firefox JavaScript engine, which is more forgiving than MSIE's. So while it is a very useful tool, it may let some errors slip through.

On Nov 18, 2014 9:45 PM, Jason Haar jason_h...@trimble.com wrote:
> On 19/11/14 01:39, Brendan Kearney wrote:
>> i would suggest that if you use a pac/wpad solution, you look into pactester, which is a google summer of code project that executes pac files and provides output indicating what actions would be returned to the browser, given a URL.
>
> couldn't agree more. We have it built into our QA to run before we ever roll out any change to our WPAD php script (a bug in there means everyone loses Internet access - so we have to be careful).
>
> Auto-generating a PAC script per client allows us to change behaviour based on User-Agent, client IP, proxy and destination - and allows us to control what web services should be DIRECT and what should be proxied. There is no other way of achieving those outcomes.
>
> Oh yes, and now that both Chrome and Firefox support proxies over HTTPS, I'm starting to ponder putting up some form of proxy on the Internet for our staff to use (authenticated of course!) - WPAD makes that something we could implement with no client changes - pretty cool :-)
>
> --
> Cheers
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [squid-users] Unable to get username in logs for access denied(HTTP 407)
On 19/11/2014 11:19 p.m., santosh wrote:
> I have got a fresh set of logs. My username is spai and I'm already authenticated. One of the sites, www.flipkart.com, is blocked and I accessed it for testing purposes, but the user name is still not shown.

No login was necessary to deny those requests. So there is no need for Squid to waste time decoding the HTTP headers where the credentials were stored.

If you need the credentials to always be logged then move the blocked sites denial down below the http_access lines which require authentication. Note that this will slow your proxy down as it does all the extra credentials checking work.

Something like so:

  http_access deny !auth
  http_access deny blockedSites
  ...

Amos
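For auditing logs written before such a reordering, the following added example (not code from the thread or from the Squid project) parses native-format access.log lines and lists each TCP_DENIED entry that has no username, together with usernames logged from the same client IP shortly before or after. The input is a subset of the log lines posted in this thread; the function names and the 60-second window are assumptions of this example.

```javascript
// Sample input: a subset of the access.log lines quoted in this thread
// (Squid native log format), embedded so the example runs offline.
const SAMPLE_LOG = `
1416392601.192 2427 192.168.4.7 TCP_MISS/302 874 GET http://cc.chango.com/c/o? spai HIER_DIRECT/184.30.51.146 text/html
1416392605.309 209269 192.168.4.12 TCP_MISS/200 5107 CONNECT 0.client-channel.google.com:443 - HIER_DIRECT/74.125.130.189 -
1416392606.919 23334 192.168.4.6 TCP_MISS/200 2074 GET http://www.cricbuzz.com/cbz_pub/fetch? irfan HIER_DIRECT/119.81.109.21 application/octet-stream
1416392607.728 0 192.168.4.7 TCP_DENIED/403 3945 GET http://www.flipkart.com/ - HIER_NONE/- text/html
1416392607.928 24 192.168.4.7 TCP_HIT/200 13092 GET http://www.squid-cache.org/Artwork/SN.png spai HIER_NONE/- image/png
1416392607.945 0 192.168.4.7 TCP_DENIED/403 3839 GET http://www.flipkart.com/favicon.ico - HIER_NONE/- text/html
`;

// Fields: time elapsed client code/status bytes method URL user hierarchy/peer type
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null; // blank line or not native format
  const [result, status] = f[3].split("/");
  return {
    ts: Number(f[0]), client: f[2], result, status: Number(status),
    method: f[5], url: f[6], user: f[7] === "-" ? null : f[7],
  };
}

// For every TCP_DENIED entry logged without a username, list the usernames
// logged for the same client IP within windowSec seconds of the denial.
// This correlation is a heuristic (an assumption of this example): it is
// unreliable when several users share one address, e.g. NAT or terminal servers.
function unattributedDenials(logText, windowSec = 60) {
  const entries = logText.split("\n").map(parseLine).filter(Boolean);
  return entries
    .filter((e) => e.result === "TCP_DENIED" && e.user === null)
    .map((d) => {
      const users = entries
        .filter((e) => e.user && e.client === d.client &&
                       Math.abs(e.ts - d.ts) <= windowSec)
        .map((e) => e.user);
      return { ts: d.ts, client: d.client, status: d.status, url: d.url,
               candidates: [...new Set(users)].sort() };
    });
}

for (const d of unattributedDenials(SAMPLE_LOG)) {
  console.log(d.client, d.status, d.url, "candidates:", d.candidates.join(",") || "(none)");
}
```

More than one candidate for a denial means the IP-based attribution is ambiguous and should not be treated as evidence of who made the request.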
Re: [squid-users] Centralized Squid - design and implementation
Yes and it seems java is even more sensitive. I had an array member defined on a line that was not terminated with a semicolon and browsers did not throw errors, but java did. Pactester did not catch this. Missing curly braces and I think quotes are caught.

Also of note, you have to set the content type header for a pac file or else you run into weird issues. I found that browsers are forgiving and will execute the script and take its output if the header is not set. Flash does not do this. It might call for the script but does not use it if the Content-Type header is not set to application/x-ns-proxy-autoconfig.

GoToMeeting has also pissed me off. The client parses the script and takes any value found in it, before executing the script and taking the output of the execution. This has the result of finding inappropriate proxies to use, when you are in a corporate environment and have proxies dedicated to client access or other functions that should not be leveraged in all cases. I got their technical team on a call because we have a large citrix install base (both products have the same parent company) and complained to no avail. I had to write a doc on how to correct the client config for anyone needing to use GoTo... products.

On Nov 19, 2014 6:18 AM, Kinkie gkin...@gmail.com wrote:
> One word of caution: pactester uses the Firefox JavaScript engine, which is more forgiving than MSIE's. So while it is a very useful tool, it may let some errors slip through.
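The pre-rollout checks discussed in this thread can be sketched as follows. This is an added example, not part of the thread and not pactester's code: it parses and executes a PAC script against test URLs, lists proxy values that appear in the script text but are never returned for those URLs (the values a client that scans the text rather than executing it could pick up), and checks the Content-Type value. The PAC text, host names, helper stubs and function names are all constructed for illustration.

```javascript
// Constructed PAC for illustration; host names are placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) return "DIRECT";
  if (shExpMatch(host, "*.mgmt.example.net")) return "PROXY mgmt-proxy.example.internal:3128";
  return "PROXY client-proxy.example.internal:3128; DIRECT";
}`;

// Minimal stand-ins for the PAC helper functions the sample uses (not the full set).
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pat) => new RegExp("^" + pat
    .replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str),
};

// Parse the PAC source (throws SyntaxError if malformed) and return FindProxyForURL.
// Only run this on PAC files you author yourself: the script is executed.
function loadPac(source) {
  const names = Object.keys(PAC_HELPERS);
  const factory = new Function(...names, '"use strict";\n' + source +
    "\nreturn typeof FindProxyForURL === 'function' ? FindProxyForURL : null;");
  const fn = factory(...names.map((n) => PAC_HELPERS[n]));
  if (!fn) throw new Error("PAC does not define FindProxyForURL");
  return fn;
}

// Every host:port that follows a proxy keyword anywhere in the text.
function proxiesInText(text) {
  const re = /\b(?:PROXY|SOCKS[45]?|HTTPS?)\s+([A-Za-z0-9.-]+:\d+)/g;
  return [...new Set([...text.matchAll(re)].map((m) => m[1]))].sort();
}

// Execute the PAC for each test URL and report proxies present in the text
// that no test URL returned: either a coverage gap or a dedicated proxy that
// a text-scanning client could wrongly select.
function auditPac(source, urls) {
  const find = loadPac(source);
  const returned = new Set();
  const results = urls.map((url) => {
    const answer = find(url, new URL(url).hostname);
    if (typeof answer !== "string") throw new Error("non-string result for " + url);
    proxiesInText(answer).forEach((p) => returned.add(p));
    return { url, answer };
  });
  return { results, textOnly: proxiesInText(source).filter((p) => !returned.has(p)) };
}

// True only for the media type the thread says stricter clients require.
function contentTypeOk(value) {
  return typeof value === "string" &&
    value.split(";")[0].trim().toLowerCase() === "application/x-ns-proxy-autoconfig";
}

const report = auditPac(SAMPLE_PAC, ["http://intranet/", "http://www.example.com/"]);
console.log(report.results, "in text but never returned:", report.textOnly);
```

Like pactester, this runs the script on a single JavaScript engine (here Node's), so it does not reproduce the stricter parsers mentioned in the thread.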
Re: [squid-users] Centralized Squid - design and implementation
On 19 November 2014 6:41:44 pm IST, brendan kearney bpk...@gmail.com wrote:
> it if the Content-Type header is not set to application/x-ns-proxy-autoconfig.

Ah so that is why most of the java applets don't honour PAC settings and I was blaming poor coding of those applets.

I usually serve PAC file with uhttpd or lighttpd servers running on the gateways and never bothered to set correct content-type headers.

Would be great if you could include that in your document too.

Regards,
Nishant
Re: [squid-users] Centralized Squid - design and implementation
On 20/11/2014 2:11 a.m., brendan kearney wrote:
> Yes and it seems java is even more sensitive. I had an array member defined on a line that was not terminated with a semicolon and browsers did not throw errors, but java did. Pactester did not catch this. Missing curly braces and I think quotes are caught.
>
> Also of note, you have to set the content type header for a pac file or else you run into weird issues. I found that browsers are forgiving and will execute the script and take its output if the header is not set. Flash does not do this. It might call for the script but does not use it if the Content-Type header is not set to application/x-ns-proxy-autoconfig.
>
> GoToMeeting has also pissed me off. The client parses the script and takes any value found in it, before executing the script and taking the output of the execution. This has the result of finding inappropriate proxies to use, when you are in a corporate environment and have proxies dedicated to client access or other functions that should not be leveraged in all cases. I got their technical team on a call because we have a large citrix install base (both products have the same parent company) and complained to no avail. I had to write a doc on how to correct the client config for anyone needing to use GoTo... products.

Ouch. Thank you for that. I've had questions but not had access to systems to find out.

This is stuff that should be published on http://findproxyforurl.com/. If you can find the author of that site (Peter Hayes?) please let them know these.

Amos
[squid-users] Problem with digest authentification and credential backend
Hi,

After some strange authentication issues, I saw that my problem occurs when an admin sets a new password or removes a user. The backend authentication is only checked at logon, at the first popup; if something changes in LDAP the browser is still always connected, unlike basic ident.

Maybe I forgot something like authenticate_ttl?

I already saw this - http://www.squid-cache.org/mail-archive/squid-users/201107/0259.html but without any answer.

Regards
Wm
Re: [squid-users] Centralized Squid - design and implementation
On Wed, 2014-11-19 at 19:06 +0530, Nishant Sharma wrote:
> On 19 November 2014 6:41:44 pm IST, brendan kearney bpk...@gmail.com wrote:
>> it if the Content-Type header is not set to application/x-ns-proxy-autoconfig.
>
> Ah so that is why most of the java applets don't honour PAC settings and I was blaming poor coding of those applets.
>
> I usually serve PAC file with uhttpd or lighttpd servers running on the gateways and never bothered to set correct content-type headers.
>
> Would be great if you could include that in your document too.
>
> Regards,
> Nishant

i didn't mean to get your hopes up about the document i wrote. i wrote it for my employer and its details are specific to our environment. i am sure i could create something if people would want it, but i am not sure which topic to provide documentation for. is it the web server / pac file stuff or the GoToMeeting stuff?