Re: [squid-users] select parent proxy based on ACL

2016-04-05 Thread Pascal Watteel
anyone?

On Tue, 2016-04-05 at 12:08 +, Pascal Watteel wrote:
> Hi peeps,
> 
> I have written a Python-based download accelerator proxy.
> It does exactly the same thing as what aria2c would do, but as a
> proxy.
> 
> I now want to tell squid to only send .zip, .iso, .whatever to this
> proxy
> as a parent proxy.
> But I only find a way to tell squid to do this for domains, with
> peer_domain.
> 
> Is there a way I can tell squid to decide the parent proxy based on
> an ACL, so I can just use a regex to define the files I want to send to this
> parent?
> 
> Regards
> 
> Watteel Pascal
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-05 Thread Nicolaas Hyatt
I know I'm a few minor revisions behind, but I am a little confused as 
to if it is possible to request squid include the configured certificate 
along with the certificate generated. I know that this is somewhat 
confusing to read.


+Root (Self Signed) CA Cert
|
`+ Intermediate Certificate (Used by squid.)
 |
 `- Squid Auto Generated Certificate

I have the Self Signed Root CA Cert installed on all the systems, but 
the Intermediate Certificate is not sent by squid, so the trust chain 
fails. I have been reading threads here and there and saw a post from 
Amos a bit ago (referring to squid v3.3) where there may (or may not) 
have been a configuration option to modify squid's behavior to do as I 
am requesting, but details in the thread do not include the 
configuration directive.


If this is not a valid feature, I understand, and can fully accept that 
answer, I'm not complaining about free software!





Re: [squid-users] External ACL Lookup

2016-04-05 Thread Rafael Akchurin
Well, I would then first run the request with ldp.exe just to be sure the user 
is indeed in the group.
In our ICAP we use a slightly different filter; maybe it can give you some 
ideas :(
Please note I do not know squid equivalents for {{ bla-bla }} macros.

(&(|(userPrincipalName={{USER_NAME}})(sAMAccountName={{USER_NAME_STRIPPED}}))(memberOf:1.2.840.113556.1.4.1941:=CN=Internet Relaxed,CN=Users,DC=diladele,DC=lan))

Sorry, nothing more to offer.

Best regards,
Rafael

From: Craddock, Tommy [mailto:tommy.cradd...@bicgraphic.com]
Sent: Tuesday, April 5, 2016 11:53 PM
To: Rafael Akchurin ; 
squid-users@lists.squid-cache.org
Subject: RE: External ACL Lookup

Rafael,

Thanks for your reply.   Substituting userPrincipalName for sAMAccountName in 
both the command line and squid.conf produces an ERR:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
ERR

cat /etc/squid/squid.conf | grep userPrin
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com

cache.log:

2016/04/05 17:45:24.190| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:57445)
2016/04/05 17:45:24.190| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 17:45:24.190| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 17:45:24.196| externalAclHandleReply: reply="ERR"
2016/04/05 17:45:24.196| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 17:45:24.196| aclMatchExternal: memberof = 0

Tommy E CRADDOCK JR
Systems Admin
BIC Advertising & Promotional Products
14421 Myer Lake Circle
Clearwater, FL  33760
727-507-3080
tommy.cradd...@bicgraphic.com

www.bicgraphic.com


CONFIDENTIALITY NOTICE
This electronic message is confidential and may contain legally privileged information intended only for the use of the individual or company named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by telephone, and return the original message to us at the address above.

From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
Sent: Tuesday, April 05, 2016 5:25 PM
To: Craddock, Tommy; 
squid-users@lists.squid-cache.org
Subject: RE: External ACL Lookup

Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP 
filter.
The squid logs indicate the user is authenticated as 
tcradd...@example.com, which is *not* in 
sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy at http://www.diladele.com.

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] External ACL Lookup

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a 
Windows AD.  I can test from the command line:


/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK


In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not 
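
The helper protocol being debugged in this thread, as an added illustration that is not part of the thread and is not squid_ldap_group itself: Squid starts an external_acl_type helper once, writes one request per line on its stdin (the %LOGIN value followed by the group names listed in the acl file) and expects a single OK or ERR line back. The toy helper below does what Rafael's filter and the -K option imply: it strips the Kerberos realm from the login, matches on either userPrincipalName or sAMAccountName, uses the LDAP_MATCHING_RULE_IN_CHAIN OID for nested groups, and escapes every value per RFC 4515 before it is spliced into the filter. The directory it consults is a constructed in-memory stand-in for the AD search; the user, the group DNs and the "OU=Some Group" base are assumptions for the example.

```python
import sys

# RFC 4515 escaping for values embedded in an LDAP search filter. Without it a
# login such as  foo)(objectClass=*  would rewrite the filter itself.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def strip_realm(login):
    """Mimic squid_ldap_group -K: drop the Kerberos realm, keep the local part."""
    return login.rsplit("@", 1)[0] if "@" in login else login

# LDAP_MATCHING_RULE_IN_CHAIN: AD resolves nested group membership server-side.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def build_filter(login, group_dn):
    """Filter to send to AD: person matched by UPN or sAMAccountName, then by (nested) group."""
    upn, sam = ldap_escape(login), ldap_escape(strip_realm(login))
    return ("(&(objectClass=person)(|(userPrincipalName=%s)(sAMAccountName=%s))"
            "(memberOf:%s:=%s))" % (upn, sam, IN_CHAIN, ldap_escape(group_dn)))

# Constructed stand-in for the directory (assumption for the example).
FAKE_DIRECTORY = {
    "users": [
        {"userPrincipalName": "tcraddock@example.com",
         "sAMAccountName": "tcraddock",
         "memberOf": ["CN=Web Admins,OU=Some Group,DC=example,DC=com"]},
    ],
    # group DN -> groups that group is itself a member of (nesting)
    "group_parents": {
        "CN=Web Admins,OU=Some Group,DC=example,DC=com":
            ["CN=Full.Access,OU=Some Group,DC=example,DC=com"],
    },
}

def group_dn(group_cn, base="OU=Some Group,DC=example,DC=com"):
    return "CN=%s,%s" % (group_cn, base)

def in_chain(directory, start_groups, target_dn):
    """Transitive membership, the way the IN_CHAIN rule resolves nested groups."""
    seen, stack = set(), list(start_groups)
    while stack:
        dn = stack.pop()
        if dn.lower() == target_dn.lower():
            return True
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(directory["group_parents"].get(dn, []))
    return False

def lookup(directory, login, group_cn):
    """Stand-in for the LDAP search that build_filter() describes."""
    sam = strip_realm(login).lower()
    for user in directory["users"]:
        if user["userPrincipalName"].lower() == login.lower() or user["sAMAccountName"].lower() == sam:
            return "OK" if in_chain(directory, user["memberOf"], group_dn(group_cn)) else "ERR"
    return "ERR"

def handle_line(line, directory=FAKE_DIRECTORY):
    """One external_acl request: '<login> <group> [<group>...]' -> 'OK' or 'ERR'.
    Squid passes every group from the acl file; membership of any one is enough."""
    fields = line.strip().split()
    if len(fields) < 2:
        return "ERR"
    login, groups = fields[0], fields[1:]
    return "OK" if any(lookup(directory, login, g) == "OK" for g in groups) else "ERR"

if __name__ == "__main__":
    # Squid keeps the helper running for its lifetime and sends one request per line.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

Wired in with `external_acl_type memberof %LOGIN /usr/local/bin/helper.py` (an assumed path) it answers the same two-field requests seen in the cache.log above. It does not parse the channel-ID prefix that Squid adds when `concurrency=` is set on the external_acl_type line, so leave that option off or extend the line parser.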

Re: [squid-users] External ACL Lookup

2016-04-05 Thread Craddock, Tommy
Rafael,

Thanks for your reply.   Substituting userPrincipalName for sAMAccountName in 
both the command line and squid.conf produces an ERR:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
ERR

cat /etc/squid/squid.conf | grep userPrin
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com

cache.log:

2016/04/05 17:45:24.190| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:57445)
2016/04/05 17:45:24.190| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 17:45:24.190| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 17:45:24.196| externalAclHandleReply: reply="ERR"
2016/04/05 17:45:24.196| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 17:45:24.196| aclMatchExternal: memberof = 0

Tommy E CRADDOCK JR
Systems Admin
BIC Advertising & Promotional Products
14421 Myer Lake Circle
Clearwater, FL  33760
727-507-3080
tommy.cradd...@bicgraphic.com

www.bicgraphic.com



From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
Sent: Tuesday, April 05, 2016 5:25 PM
To: Craddock, Tommy; squid-users@lists.squid-cache.org
Subject: RE: External ACL Lookup

Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP 
filter.
The squid logs indicate the user is authenticated as 
tcradd...@example.com, which is *not* in 
sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy at http://www.diladele.com.

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] External ACL Lookup

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a 
Windows AD.  I can test from the command line:


/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK


In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
GETTING KERB TOKEN.
...
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:56059)
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 

Re: [squid-users] External ACL Lookup

2016-04-05 Thread Rafael Akchurin
Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP 
filter.
The squid logs indicate the user is authenticated as 
tcradd...@example.com, which is *not* in 
sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy at http://www.diladele.com.

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] External ACL Lookup

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a 
Windows AD.  I can test from the command line:


/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK


In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
GETTING KERB TOKEN.
...
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:56059)
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

In the file referenced in the ACLs:

acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
acl FullAccess       external memberof "/etc/squid/full_access.txt"


it has:

cat /etc/squid/full_access.txt
Full.Access

cat /etc/squid/restricted_access.txt
Restricted.Access

I'm not sure why the logs show my user getting ERR as the response to group 
checking, when I run it from the command line I get an OK.


Info about my setup:

[root@clwslprox01p squid]# squid -v
Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--enable-internal-dns' 
'--disable-strict-error-checking' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-arp-acl' '--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
 '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
'--enable-digest-auth-helpers=password,ldap,eDirectory' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
 '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' 
'--enable-esi' '--enable-http-violations' '--with-aio' 
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' 
'--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
-fpie' 

[squid-users] External ACL Lookup

2016-04-05 Thread Craddock, Tommy
Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a 
Windows AD.  I can test from the command line:


/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK


In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
GETTING KERB TOKEN.
...
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:56059)
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

In the file referenced in the ACLs:

acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
acl FullAccess       external memberof "/etc/squid/full_access.txt"


it has:

cat /etc/squid/full_access.txt
Full.Access

cat /etc/squid/restricted_access.txt
Restricted.Access

I'm not sure why the logs show my user getting ERR as the response to group 
checking, when I run it from the command line I get an OK.


Info about my setup:

[root@clwslprox01p squid]# squid -v
Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--enable-internal-dns' 
'--disable-strict-error-checking' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-arp-acl' '--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
 '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
'--enable-digest-auth-helpers=password,ldap,eDirectory' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
 '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' 
'--enable-esi' '--enable-http-violations' '--with-aio' 
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' 
'--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
-fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

[root@clwslprox01p squid]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external 
helpers to do group lookups to a Windows AD.  Windows AD is 2008 and 2012 in my 
env.

Squid.conf:


### cache manager
cache_mgr pc...@example.com

#Define the cache_peer to be used
# cache_peer proxy1.ap.webscanningservice.com parent 3128  default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128  default no-query no-digest
  cache_peer proxy1.us.webscanningservice.com parent 3128  default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128  default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128  default no-query no-digest


### negotiate kerberos and ntlm authentication
auth_param 

Re: [squid-users] how to use squid as a tcp forward proxy?

2016-04-05 Thread Alex Rousskov
On 04/05/2016 01:50 AM, phafer wrote:

> how can I extend squid to process/modify the payload of my private
> application protocol based on TCP?

You probably should not -- Squid is not designed to be a TCP proxy and
there ought to be better/true TCP proxies out there.


> Client->squid->my squid plugin which is used to process/modify payload
> of tcp traffic->Server

If you insist on modifying Squid, you can try to do what Native FTP code
in Squid does today:

1. Accept traffic from FTP clients at ftp_port.
2. Convert FTP traffic into fake HTTP messages.
3. General Squid code, including eCAP/ICAP, handles those HTTP messages.
4. Convert fake HTTP messages back into FTP traffic sent to FTP servers.

Doing so requires lots of complicated development, but should give you
what you want at the end. Standard eCAP/ICAP "plugin" interfaces can
then be used for message adaptation:
http://wiki.squid-cache.org/SquidFaq/ContentAdaptation


Again, most likely, Squid is the wrong solution for your problem.


HTH,

Alex.


Re: [squid-users] filtering http(s) sites, transparently

2016-04-05 Thread Jok Thuau
On Mon, Apr 4, 2016 at 6:23 PM, Amos Jeffries  wrote:

> >>>
> >>> If i remove *all* the http_access lines, then the behavior appears
> >> correct
> >>> (from a "splicing/bumping" standpoint).
> >>>
> >>
> >> Strange. Squid without any http_access lines should be denying traffic
> >> 100%.
> >>
> >>
> > I do not see this behavior. Traffic appears to be allowed, and bumped
> > (though with the wrong certificate, depending on the config, as explained
> > before).
> >
> >
>




> >
> > my apologies for trying to show only the relevant parts. Find below the
> > current config.
> > It appears to be bumping everything rather than splicing any of the
> config
> > (which may be due to the limitations documented on the wiki)
> >
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 443 # https
> > acl SSL_ports port 443
> > acl CONNECT method CONNECT
> > http_port 3129 intercept
> > https_port 8443 intercept ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=64MB \
> > cert=/etc/squid/ssl/proxy.pem \
> > key=/etc/squid/ssl/proxy.key \
> > cafile=/etc/squid/ssl/proxy.pem
> > always_direct allow all
>
> always_direct has not been necessary with SSL-Bump since the 3.1 series. You
> should remove it.
>
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> > acl SniBypass ssl::server_name_regex \.slashdot\.org
> > acl SniBypass ssl::server_name_regex \.fsdn\.com
>

I have moved those "SniBypass" acl into a separate files and replaced this
with an include, as that list will end up growing.


> > acl http_bypass dstdomain .slashdot.org
> > acl http_bypass dstdomain .fsdn.com


and similarly here, replaced by an include...


>
> > acl https_bypass all-of CONNECT SniBypass
>
> This https_bypass ACL definition is a bit weird. It requires a single
> message to match both TLS and HTTP properties simultaneously.


> As you might imagine it is difficult for a TLS message to match HTTP
> properties, and vice versa. So it won't ever match.
>
>
I don't understand. SniBypass is based on ssl::server_name_regex which
shouldn't apply to http at all...
Would that not be coming from the (client|server)Hello?


> Note: SNI is *not* equivalent to Host or URL domain name. They can
> contain very different values. The only thing they have in common is
> that they both are supposed to point at the IP of the server being
> contacted.
>
>
> > acl http_ok all-of http_bypass Safe_ports
> > ssl_bump peek step1
> > ssl_bump splice SniBypass step2
>
> This splice will work if (and only if) the client sends TLS SNI values
> to Squid. It will ignore the server cert details.
>
> For clients which do not send SNI or for all connections where the SNI
> does not match your ACL the bump rule below will do client-first bumping
> (without the server cert).
>
> > ssl_bump bump all
>
> I suggest you try these ssl_bump rules instead:
> [snip]

 OK

> [snip]
> Okay. That sort of matches your policy. Except that you are missing the
> security defaults. Those lines are carefully tuned for the specific
> behaviour to protect against security attacks:
>
>  http_access deny !Safe_ports
>  http_access deny CONNECT !SSL_ports
>
> .. and should be above your custom rules.
>

I added those at the top as requested...


>  cache allow all
>  cache deny all
>
> ... pick one.
>
>
done - the deny one is the one left in there now.

>
> > shutdown_lifetime 3 seconds
>

for clarification, I also moved the two sets of ACLs into separate files,
as those will eventually be maintained externally (SniBypass and
http_bypass).

The config file is now:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
http_port 3129 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=64MB \
cert=/etc/squid/ssl/proxy.pem \
key=/etc/squid/ssl/proxy.key \
cafile=/etc/squid/ssl/proxy.pem
workers 6
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
include "/etc/squid/snibypass.acl"
include "/etc/squid/dstbypass.acl"
acl https_ok all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports
ssl_bump splice SniBypass
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cert_sign_hash sha256
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
http_access allow http_ok
http_access allow https_ok
http_access deny all
cache deny all
shutdown_lifetime 3 seconds
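
What `ssl::server_name_regex` sees at SslBump step 1 is the server_name (SNI) that the client itself wrote into its ClientHello, which is why Amos notes that the splice rule only works for clients that send SNI, and why SNI is not the same thing as the Host header. As an added illustration that is not part of the thread (the ClientHello bytes and the hostnames are constructed test vectors), this Python builds a minimal TLS 1.2 ClientHello with or without a server_name extension, extracts the SNI the way a peeking proxy would, and applies the posted policy: splice when the SNI matches one of the SniBypass patterns, otherwise bump.

```python
import re
import struct

def _sni_extension(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    lst = struct.pack("!H", len(entry)) + entry              # ServerNameList
    return struct.pack("!HH", 0x0000, len(lst)) + lst        # extension_type 0 = server_name

def build_client_hello(sni=None):
    """Minimal TLS 1.2 ClientHello record; the SNI extension is optional, as for real clients."""
    body = b"\x03\x03" + b"\x00" * 32           # client_version + 32-byte random (constructed)
    body += b"\x00"                              # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # one compression method (null)
    exts = _sni_extension(sni) if sni else b""
    body += struct.pack("!H", len(exts)) + exts  # extensions block (may be empty)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version + random
    try:
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                data = body[pos:pos + ext_len]
                list_len = struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    name_type = data[p]
                    name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:
                        return data[p:p + name_len].decode("ascii")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

# The SniBypass patterns from the thread, as ssl::server_name_regex would apply them.
SNI_BYPASS = [re.compile(p) for p in (r"\.slashdot\.org", r"\.fsdn\.com")]

def bump_decision(record):
    """The posted policy: splice when the SNI matches a bypass pattern, otherwise bump.
    A client that sends no SNI can never match the splice rule, so it is bumped."""
    sni = extract_sni(record)
    if sni is not None and any(p.search(sni) for p in SNI_BYPASS):
        return ("splice", sni)
    return ("bump", sni)
```

Because the regexes are unanchored, a client that presents `www.slashdot.org.attacker.example` as SNI also matches `\.slashdot\.org` and is spliced; anchoring the patterns (`\.slashdot\.org$`) closes that, and Squid's `ssl::server_name` with a `.slashdot.org` dstdomain-style suffix is the tighter choice when a regex is not needed. The SNI is client-supplied and unverified at step 1, so the whitelist decides which connections escape inspection on the client's word alone.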

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
 

I believe I might have fixed it.

Will advise soonest.

On 2016-04-05 16:01, Drikus Brits wrote: 

> Extra info : 
> 
> root@mw-sqproxy-test:/home/geosupport# uname -a
> Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 
> 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 
> 
> root@mw-sqproxy-test:/home/geosupport# squid3 -v
> Squid Cache: Version 3.3.8
> Ubuntu
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' 
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
> '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
> '--disable-dependency-tracking' '--disable-silent-rules' 
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' 
> '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' 
> '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' 
> '--enable-icap-client' '--enable-follow-x-forwarded-for' 
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
>  '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
> '--enable-auth-ntlm=fake,smb_lm' 
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
> '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' 
> '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' 
> '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector 
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 
> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector 
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
> root@mw-sqproxy-test:/home/geosupport# 
> 
> Thanks, 
> 
> Drikus 
> 
> On 2016-04-05 15:50, Drikus Brits wrote: 
> 
>> Hi Experts, 
>> 
>> After much struggling it seems I've reached some point of success, but yet 
>> still not. I've checked a multitude of websites for help before coming here, 
>> but didn't get anything valuable yet. My problem is as follows: 
>> 
>> I have 1x Win2008R2 server that works with Kerberos authentication, but none 
>> of the other PCs in the network want to work; the others all come up with 
>> a login challenge. 
>> 
>> My Configs : 
>> 
>> /etc/krb5.conf 
>> 
>> 
>> #cat /etc/krb5.conf
>> [logging]
>> 
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> 
>> [libdefaults]
>> default_realm = DOMAIN.CO.ZA
>> dns_lookup_kdc = yes
>> dns_lookup_realm = yes
>> ticket_lifetime = 24h
>> default_keytab_name = /etc/squid/PROXY.keytab
>> 
>> #; for Windows 2008 with AES
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
>> des-cbc-md5
>> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
>> des-cbc-md5
>> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> 
>> [realms]
>> 
>> DOMAIN.CO.ZA = {
>> kdc = mw-ad.domain.co.za
>> admin_server = mw-ad.domain.co.za
>> default_domain = domain.co.za
>> }
>> 
>> [domain_realm]
>> 
>> .domain.co.za = DOMAIN.CO.ZA
>> domain.co.za = DOMAIN.CO.ZA
>> 
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>>  
>> 
>> my /etc/squid/squid.conf 
>> 
>> 
>> #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm 
>> /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego 
>> --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i 
>> ###WORKING - half/half
>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d 
>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp 
>> --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d 
>> -s GSS_C_NO_NAME
>> #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s 
>> GSS_C_NO_NAME
>> 
>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
>> --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive off
>> 
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
>> auth_param basic realm Web-Proxy
>> auth_param basic credentialsttl 1 minute
>> 
>> acl proxy-auth proxy_auth REQUIRED
>> 
>> http_access allow proxy-auth
>>  
>> 
>> When the Win2008R2 connects I get the following in 
>> /var/log/squid3/cache.log: 
>> 
>>  
>> 
>> 

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
 

Extra info : 

root@mw-sqproxy-test:/home/geosupport# uname -a
Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul
24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 

root@mw-sqproxy-test:/home/geosupport# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'
root@mw-sqproxy-test:/home/geosupport# 

Thanks, 

Drikus 


[squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
 

Hi Experts, 

After much struggling it seems I've reached some point of success but
yet still not. I've checked a multitude of websites for help before
coming here, but didn't get anything valuable yet. My problem is as
follows:

I have 1x win2008R2 server that works with Kerberos authentication, but
none of the other PCs in the network wants to work; the others all come
up with a login challenge.

My Configs : 

/etc/krb5.conf 


 #cat /etc/krb5.conf
 [logging]

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log [1]

 [libdefaults]
 default_realm = DOMAIN.CO.ZA
 dns_lookup_kdc = yes
 dns_lookup_realm = yes
 ticket_lifetime = 24h
 default_keytab_name = /etc/squid/PROXY.keytab

 #; for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 [realms]

 DOMAIN.CO.ZA = {
 kdc = mw-ad.domain.co.za
 admin_server = mw-ad.domain.co.za
 default_domain = domain.co.za
 }

 [domain_realm]

 .domain.co.za = DOMAIN.CO.ZA
 domain.co.za = DOMAIN.CO.ZA

 [login]
 krb4_convert = true
 krb4_get_tickets = false
 

my /etc/squid/squid.conf 

 
 #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i ###WORKING - half/half
 auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
 #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

 auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
 auth_param ntlm children 10
 auth_param ntlm keep_alive off

 auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
 auth_param basic realm Web-Proxy
 auth_param basic credentialsttl 1 minute

 acl proxy-auth proxy_auth REQUIRED

 http_access allow proxy-auth
  

When the Win2008R2 connects I get the following in
/var/log/squid3/cache.log: 

  

 2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSqDVzSeCUH4ntF1lHc=' from squid (length: 2419).
 2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
 2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
 negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBJDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
 negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
 2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= administra...@domain.co.za 

  

But when other PCs connect, including another win2008R2, a win10 or a win7,
I get: 

  

 negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
 negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBvMprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
 negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
 2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. ' 

  

My kinit -V -kt /etc/squid3/PROXY.keytab, which I'm sure is not
supposed to say that :). I've had others that had "Successfully
authenticated to Kerberos V5" as well, but then the working win2008r2
doesn't work, see below. 

  

 # kinit -V -kt /etc/squid3/PROXY.keytab
 Using default cache: /tmp/krb5cc_0
 Using principal: host/mw-sqproxy-test.domain.co...@domain.co.za
 Using keytab: /etc/squid3/PROXY.keytab
 kinit: Preauthentication failed while getting initial credentials 

  

Working with "authenticated with kerberos" but no srv or PC working: 

  

 msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST 
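An added diagnostic for the situation described in this post, not code from the thread or from the Squid project: before blaming the negotiate helper for `gss_accept_sec_context() failed` on some clients, check the service keytab itself. The POSIX shell function below reads `klist -kte` output and reports three things a proxy keytab must get right: the SPN the clients actually request (`HTTP/<proxy name as configured on the client>@REALM`) must have a key; each principal should carry exactly one kvno, since entries from different keytab generations mean one of them no longer matches the KDC (a stale key is one cause of `kinit -kt` reporting `Preauthentication failed`); and DES/RC4 keys are flagged so they are noticed rather than silently kept as fallbacks. The two klist listings, the kvnos and the timestamps are constructed sample data that only borrow the host names and realm from the post.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): check a Squid service
# keytab from `klist -kte` output. Everything below is constructed sample
# data; on a real proxy run e.g.
#   keytab_report "$(klist -kte /etc/squid3/PROXY.keytab)" "HTTP/<proxy-fqdn>@REALM"

# Constructed: a keytab with a stale HTTP/ entry (kvno 3 next to kvno 2)
# and a DES key.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/05/2016 11:50:12 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 04/05/2016 11:50:12 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 04/05/2016 11:50:12 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (des-cbc-md5)
   3 04/05/2016 12:20:41 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)'

# Constructed: the same keytab after a clean regeneration, with both the
# short and the fully qualified HTTP/ SPN present.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/05/2016 12:20:41 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 04/05/2016 12:20:41 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 04/05/2016 12:20:41 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)'

# keytab_report KLIST_OUTPUT SPN
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
keytab_report() {
    klist_out=$1
    want_spn=$2
    status=0

    # Key entries only: kvno, date, time, principal and (with -e) the enctype
    # in parentheses. Header and separator lines do not start with a number.
    entries=$(printf '%s\n' "$klist_out" | awk '$1 ~ /^[0-9]+$/ && NF >= 4')

    # 1. The SPN the client asks for must have a key in the keytab.
    if ! printf '%s\n' "$entries" | awk '{ print $4 }' | grep -qxF "$want_spn"; then
        echo "MISSING: no key for $want_spn"
        status=1
    fi

    # 2. One kvno per principal. Two kvnos mean entries from different
    #    keytab generations; one of them no longer matches the KDC.
    mismatch=$(printf '%s\n' "$entries" |
        awk '{ seen[$4 " " $1] = 1 }
             END {
                 for (k in seen) { split(k, a, " "); n[a[1]]++ }
                 for (p in n) if (n[p] > 1) print p
             }' | sort)
    for p in $mismatch; do
        echo "KVNO-MISMATCH: $p has more than one kvno"
        status=1
    done

    # 3. DES and RC4 keys are reported so they are not kept unnoticed.
    weak=$(printf '%s\n' "$entries" |
        awk '$5 ~ /^\((des-cbc|arcfour)/ { e = $5; sub(/^\(/, "", e); sub(/\)$/, "", e); print $4, e }' | sort)
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | while read -r p e; do
            echo "WEAK: $p has a $e key"
        done
        status=1
    fi

    return $status
}

# Stand-alone run over the constructed samples.
keytab_report "$SAMPLE_KLIST" 'HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA' || echo "keytab needs attention"
keytab_report "$SAMPLE_KLIST_OK" 'HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA' && echo "keytab looks consistent"
```

On the broken sample the function reports a kvno mismatch and a DES key for the fully qualified HTTP/ principal, and asking it for the short `HTTP/mw-sqproxy-test@DOMAIN.CO.ZA` adds a MISSING finding, which is the kind of gap that makes authentication work from one client and fail from others, depending on which proxy name each client was configured with. The principal is taken from the fourth whitespace-separated field, so the check does not depend on the locale's timestamp format as long as it stays two fields wide.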

[squid-users] select parent proxy based on ACL

2016-04-05 Thread Pascal Watteel
Hi peeps,

I have written a Python-based download-accelerator proxy.
It does exactly the same thing as aria2c would do, but as a proxy.

I now want to tell squid to only send .zip, .iso, .whatever to this proxy
as a parent proxy.
But I only find a way to tell squid to do this for domains, with
peer_domain.

Is there a way I can tell squid to decide the parent proxy based on
an ACL, so I can just use a regex to define the files I want to send to this
parent?

Regards

Watteel Pascal
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
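As an added example for the question above, not a reply from the thread and not configuration shipped by the Squid project: Squid selects a parent per request with `cache_peer_access`, which takes ACLs rather than domain names, and `never_direct` keeps the matching requests from bypassing the parent. The listening address 127.0.0.1:3129, the peer name `accel` and the extension list are placeholders; directive names and option keywords are Squid's own.

```conf
# Added example, not from the thread. Assumed: the accelerator proxy listens
# on 127.0.0.1:3129. no-query/no-digest: it speaks neither ICP nor cache
# digests, so Squid must not probe it with them.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest name=accel

# Requests whose URL path ends in one of these extensions (case-insensitive).
# urlpath_regex matches the path only, not the host or the query string.
acl bigdl urlpath_regex -i \.(zip|iso|7z|tar\.gz)$

# The accelerator may be used for bigdl requests and for nothing else
# (first matching cache_peer_access rule wins).
cache_peer_access accel allow bigdl
cache_peer_access accel deny all

# For bigdl requests Squid must not fetch from the origin itself; without this
# it may still go direct, for example when it judges the peer slow or dead.
never_direct allow bigdl
```

Two caveats for anyone deploying this: HTTPS downloads arrive as CONNECT requests with no URL path, so `urlpath_regex` never matches them and they go direct; and because `never_direct` removes the direct fallback, a bigdl request fails outright while the accelerator is down, so the parent needs to be monitored like any other single point of failure.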


[squid-users] squid ftp-proxy

2016-04-05 Thread Axel.Eberhardt
Hello,

Maybe someone can give me a hint :-)

I am trying to enable native FTP proxying.
The documentation I have found is:
http://wiki.squid-cache.org/Features/FtpRelay

But there is no example for this. Also in the mail archives I was not able to 
find a hint.

I have configured the ftp proxy with parameter:
ftp_port 21

Version:

squid -v
Squid Cache: Version 3.5.15
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' 
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'
 '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' 
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' 
'--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 
'--with-included-ltdl' '--disable-arch-native' '--enable-ecap' 
'--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic' 
'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
-grecord-gcc-switches   -m64 -mtune=generic -fPIC' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
--enable-ltdl-convenience


Now my problem.

I am able to connect to squid via an FTP client.
The login is also correct: 
example:  anonym...@ftp.informatik.rwth-aachen.de

But after a command which uses a data channel, the connection fails:
421 Service not available, remote server has closed connection


I tried a tcpdump but I cannot find a failure. 
The only difference between a native FTP session and a connection over squid 
is a missing TCP ACK after the last FTP data packet. 

Kind regards
Axel Eberhardt 



[squid-users] how to use squid as a tcp forward proxy?

2016-04-05 Thread phafer
hi,


How can I extend squid to process/modify the payload of my private application 
protocol, which is based on TCP?
Client -> squid -> my squid plugin, which is used to process/modify the payload of the TCP 
traffic -> Server


BR,
Bin


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-05 Thread FredB
Hi Amos,

I confirm, cleaning the cache (mkfs in my case) does not fix the issue. 

Fred 