Re: [squid-users] Limit Bandwith for youtube....

2016-08-29 Thread Yuri Voinov

I solve the problem of limiting the speed of streaming video a little
differently. I limit the speed of the video on the router in front of the
proxy; the proxy itself serves cached video streams to the local network at
full speed, because I do not limit the speed of the local network. My main
task is to prevent the exhaustion of uplink bandwidth.


30.08.2016 2:13, erdosain9 writes:
> Ok, thanks!
> But something is wrong with my config.
> I have almost no users... (because the proxy is in testing) and I have too
> high a download avg.
>
> Look , this is Torch to the ip of proxy, to see whats going on...
>
> This is my config
>
> #Bandwidth pools
> delay_pools 5
>
> ###SPEED FOR SOCIAL NETWORKS
> delay_class 1 1
> delay_parameters 1 1/10
> delay_access 1 allow redes_sociales limitado
> delay_access 1 allow redes_sociales full
> delay_access 1 allow redes_sociales adminis
>
> #Limit YOUTUBE
> delay_class 2 1
> delay_parameters 2 1/10
> delay_access 2 allow youtube adminis
> delay_access 2 allow youtube full
> delay_access 2 allow youtube limitado
>
> #Bandwidth Administration
> delay_class 3 2
> delay_parameters 3 512000/512000 6/256000
> delay_access 3 allow adminis
>
> #Bandwidth Systems
> delay_class 4 2
> delay_parameters 4 512000/512000 64000/256000
> delay_access 4 allow sistemas
>
> #Bandwidth Logistics
> delay_class 5 2
> delay_parameters 5 256000/256000 3/125000
> delay_access 5 allow limitado
>
>
> If I have delay pools with low bandwidth, how can it be that over a "long period
> of time" Squid has such a high bandwidth??
>
> Thanks!
>
>
>
> --
> View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Limit-Bandwith-for-youtube-tp4679182p4679253.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Limit Bandwith for youtube....

2016-08-29 Thread erdosain9
Ok, thanks!
But something is wrong with my config.
I have almost no users... (because the proxy is in testing) and I have too
high a download avg.

Look, this is Torch to the IP of the proxy, to see what's going on...

This is my config 

#Bandwidth pools
delay_pools 5

###SPEED FOR SOCIAL NETWORKS
delay_class 1 1
delay_parameters 1 1/10
delay_access 1 allow redes_sociales limitado
delay_access 1 allow redes_sociales full
delay_access 1 allow redes_sociales adminis

#Limit YOUTUBE
delay_class 2 1
delay_parameters 2 1/10
delay_access 2 allow youtube adminis
delay_access 2 allow youtube full
delay_access 2 allow youtube limitado

#Bandwidth Administration
delay_class 3 2
delay_parameters 3 512000/512000 6/256000
delay_access 3 allow adminis

#Bandwidth Systems
delay_class 4 2
delay_parameters 4 512000/512000 64000/256000
delay_access 4 allow sistemas

#Bandwidth Logistics
delay_class 5 2
delay_parameters 5 256000/256000 3/125000
delay_access 5 allow limitado


If I have delay pools with low bandwidth, how can it be that over a "long period
of time" Squid has such a high bandwidth??

Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Limit-Bandwith-for-youtube-tp4679182p4679253.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Transparent intercept Squid 3.5.20: where VPNs go to die.

2016-08-29 Thread Alex Rousskov
On 08/29/2016 10:43 AM, Stanford Prescott wrote:

> Is there a way to tell Squid that there may be port 443 connections that
> don't use TLS/SSL so that a useful message could be generated other than
> the "connection failed" message the VPN client gives?

Not quite, but we are slowly getting there:

Recent Squids have on_unsupported_protocol feature that is usually
triggered when Squid receives a request using the wrong protocol,
including receiving non-SSL bytes instead of SSL Hello. You can
configure Squid to respond with an error response in that case (in fact,
that is the default behavior).

In theory, you can also configure Squid to customize that error response
using deny_info, but see
http://lists.squid-cache.org/pipermail/squid-users/2016-August/012124.html
(Ideally, we should support a better way of customizing error responses
than denying them and using deny_info to customize denied responses!)

Even if deny_info works, there is currently no way to customize an error
response so that it becomes a non-HTTP response, but that (together with
ACLs/code to detect common non-HTTP protocols) would be a welcome
feature IMO. Ideally, the admin should be able to tell Squid exactly
what bytes to send to the client (as opaque data, or opaque data with
placeholders) if needed.


HTH,

Alex.



Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread Markus Moeller
Hi Louis,

I know a user and a machine account can be used and they work the same. My
concern is that many companies deploy password policies for users in AD.
You would need to create exceptions for user accounts which have SPNs with
associated keytabs, as a password change will make the keytab invalid.

Markus 



Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-29 Thread Markus Moeller
Hi Marcio,

That looks OK.  TT means the helper requires additional data from the client 
which I did not prepare a test for. In my case I get the AF response.

#  /opt/squid-trunk/sbin/negotiate_kerberos_auth_test opensuse42.suse.home | 
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}'  | 
/opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s 
HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command

  Anyway the basic check looks good. You now just need to run the helper with 
squid.  I will see if I can create a test which deals with the TT response too.

Regards
Markus

"Marcio Demetrio Bacci"  wrote in message 
news:CA+0Tdyr+2jEL7p09yrtJQ516M-2uE-q=Zayd3F5J0A=25zc...@mail.gmail.com...
Hi Markus, thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rob...@cms.ensino.br
Valid starting   Expires  Service principal
28-08-2016 22:40:53  29-08-2016 08:40:53  krbtgt/cms.ensino...@cms.ensino.br
renew until 29-08-2016 22:40:41

But I have the following result for the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br| awk 
'{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | 
/usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br 

Result:
TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command


The HTTP/proxy.cms.ensino.br principal is in the keytab files.

I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos, 
but I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.

My Linux distribution is CentOS 7


Regards,


Márcio






2016-08-28 15:24 GMT-03:00 Markus Moeller :


  HI Marcio,

The helper need a Kerberos token as input.  Please have a look at 
test_negotiate_auth.sh  which is in src/auth/negotiate/kerberos of the trunk 
version. The squid hostname must match the entry in your keytab and you must 
have done kinit to authenticate against a Kerberos server (e.g. AD) as user 
first.

  Regards
  Markus 


  "Marcio Demetrio Bacci"  wrote in message 
news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...
  I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm 
using CentOS 7 and Squid 3.3.8 (yum install squid)


  When I type the below command in a terminal: 
  /usr/lib64/squid/negotiate_kerberos_auth -d -i -s 
HTTP/proxy.cms.ensino...@cms.ensino.br
  john xyz@12345

  I have the following error:
  negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
  negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
  BH invalid request 


  Here are my configuration files:

  /etc/krb5.conf
  [libdefaults]
  default_realm = CMS.ENSINO.BR
  [realms]
  CMS.ENSINO.BR = {
  kdc = dc1.cms.ensino.br:88
  admin_server = dc1.cms.ensino.br
  default_domain = CMS.ENSINO.BR 
  }
  [domain_realm]
  .cms.ensino.br = CMS.ENSINO.BR
  cms.ensino.br = CMS.ENSINO.BR



  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
   
--
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br


  Keytab name: FILE:/etc/squid/PROXY.keytab
  KVNO Principal
   
--
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 
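As an added example, not code from this thread or from Squid, here is a small Python parser for the helper reply lines discussed above (AF/TT/NA/BH followed by a base64 SPNEGO token). It decodes the NegTokenResp header so you can see the negState and the mechanism the helper selected, which is what separates an AF reply from a TT reply; the AF_LINE and TT_LINE constants are the two replies posted in this thread, and the function names are my own.

```python
"""Parse Squid negotiate_kerberos_auth helper replies and decode the SPNEGO
NegTokenResp (RFC 4178) header carried in the AF/TT/NA token field."""
import base64

NEG_STATE = {0: "accept-completed", 1: "accept-incomplete",
             2: "reject", 3: "request-mic"}
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.5.2.5": "IAKERB",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Reply lines copied from the messages posted in this thread.
AF_LINE = "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group="
TT_LINE = ("TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJS"
           "fmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgy"
           "OTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIB"
           "AKECMAA=")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_resp(token_b64):
    """Decode negState / supportedMech from a base64 NegTokenResp."""
    raw = base64.b64decode(token_b64)
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0xA1:                       # [1] = NegTokenResp
        raise ValueError("not a SPNEGO NegTokenResp")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("NegTokenResp body is not a SEQUENCE")
    out = {"neg_state": None, "mech": None, "has_response_token": False}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                   # [0] negState ENUMERATED
            _, enum, _ = _read_tlv(val, 0)
            out["neg_state"] = NEG_STATE.get(enum[0], f"unknown({enum[0]})")
        elif tag == 0xA1:                 # [1] supportedMech OID
            _, oid, _ = _read_tlv(val, 0)
            dotted = _decode_oid(oid)
            out["mech"] = KNOWN_MECHS.get(dotted, dotted)
        elif tag == 0xA2:                 # [2] responseToken OCTET STRING
            out["has_response_token"] = True
    return out


def parse_helper_reply(line):
    """Split one helper reply line: code, token fields and, for AF, the user."""
    parts = line.strip().split(" ", 2)
    info = {"code": parts[0]}
    if parts[0] == "BH":                  # helper failure, no token
        info["message"] = " ".join(parts[1:])
        return info
    if parts[0] in ("AF", "TT", "NA") and len(parts) >= 2:
        info.update(parse_neg_token_resp(parts[1]))
    if parts[0] == "AF" and len(parts) == 3:
        info["user"] = parts[2].split(" ", 1)[0]
    return info


if __name__ == "__main__":
    for line in (AF_LINE, TT_LINE, "BH quit command"):
        print(parse_helper_reply(line))
```

Run on the thread's tokens, the AF reply decodes to negState accept-completed with mechanism Kerberos V5, while the TT reply decodes to accept-incomplete with mechanism 1.3.6.1.5.2.5 (IAKERB) plus a responseToken, i.e. the client is expected to send another token before the helper can answer AF.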

[squid-users] Transparent intercept Squid 3.5.20: where VPNs go to die.

2016-08-29 Thread Stanford Prescott
I have successfully gotten Squid 3.5.20 to filter both HTTP and HTTPS in
transparent intercept mode. With intercept mode, iptables rules redirect
port 80 to squid's http_port 800 and HTTPS port 443 is redirected to
Squid's https_port 801. It all seems to work exactly as it should.

I have recently been trying to integrate a urlfilter using
url_redirect_program with my Squid implementation, and that works very
well, also.

The problem:

One of the useful features of the urlfilter is that it detects proxy
tunnels and blocks them. Not being very proficient in the use of proxy
tunnels and VPNs, I wanted to test it out. I set up a VPN client (CyberGhost
VPN) on my Linux client connected to my firewall with the Squid
implementation and could successfully establish a VPN connection *via port
443* when Squid and the URL Filter were disabled. After disconnecting the
VPN and enabling Squid and the urlfilter, attempting to connect using the
VPN over 443 failed.

Now that actually might be a good thing, because I am trying to block it
anyway. But the block is an error and not in the manner that is expected.
It is blocked, it seems, because the redirection of port 443 to Squid
causes Squid to barf on the VPN: the VPN, while using port 443, is
not a TLS/SSL-encrypted connection and Squid doesn't seem to know what to
do with the connection.

Is there a way to tell Squid that there may be port 443 connections that
don't use TLS/SSL so that a useful message could be generated other than
the "connection failed" message the VPN client gives? There are error
messages in the Squid cache.log about connection attempts failed because of
problems with TLS/SSL and certs.


Re: [squid-users] Limit Bandwith for youtube....

2016-08-29 Thread Yuri Voinov

Regex for fb video:

fbcdn\.net\/v\/(.*\.mp4)\?

Written with help of https://regex101.com.


29.08.2016 21:08, erdosain9 writes:
> ... and one last thing on this theme of limiting video: for
> Facebook, what would be the syntax???
>
>
> (I get this in the log:
>
>
> https://video-yyz1-1.xx.fbcdn.net/v/t42.1790-2/14194700_1292914777409287_1273911953_n.mp4?
> - HIER_DIRECT/31.13.80.9 video/mp4
>
> )
>
> Thanks
>
>
>
>
> --
> View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Limit-Bandwith-for-youtube-tp4679182p4679242.html
> Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] squid user session/connections control

2016-08-29 Thread Amos Jeffries
On 27/08/2016 4:57 a.m., Ahmed Alzaeem wrote:
> hi amos
> sorry i didn't understand you
>
> did you mean that the settings below will limit connections per user to 100
> connections ?
>
> or per ip
>
>
> can you clarify please ??
> 

On 26/08/2016 7:05 a.m., --Ahmad-- wrote:
>
> user will connect to squid and have only 50 max connections .
>
> my config are below :
>
> ##
> acl vvv maxconn 100
>

"maxconn 100" is not "50 max". It is 100 == 100.


On 26/08/2016 7:05 a.m., --Ahmad-- wrote:
>
> i have a question in mind on how i can limit connections for a user
> that is connected using the AUTH_NTLM method
...
>
> my config are below :
>
> ##
...
>
> auth_param basic program ...

"auth_param basic" is not NTLM.


Amos




Re: [squid-users] Limit Bandwith for youtube....

2016-08-29 Thread erdosain9
... and one last thing on this theme of limiting video: for
Facebook, what would be the syntax???


(I get this in the log:


https://video-yyz1-1.xx.fbcdn.net/v/t42.1790-2/14194700_1292914777409287_1273911953_n.mp4?
- HIER_DIRECT/31.13.80.9 video/mp4

)

Thanks




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Limit-Bandwith-for-youtube-tp4679182p4679242.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid with random outgoing ip from pool of 1000 ips

2016-08-29 Thread Alex Rousskov
On 08/29/2016 12:14 AM, --Ahmad-- wrote:

> but can you confirm for me whether the list below is correct ???

Sorry, I do not have the time to validate your math.


> should it be like 1/9987 or .088787  formatting ?

According to squid.conf.documented, both should work. However, I
recommend the latter because I am not sure you can express p/(q^i) using
a proper fraction with numerator and denominator small enough for an
integer (assuming Squid uses integers when parsing those -- I have not
checked).

Alex.



Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-29 Thread Alex Rousskov
On 08/29/2016 07:40 AM, Omid Kosari wrote:
> config:
> http_reply_access deny all
> deny_info TCP_RESET all 
> 
> =
> test type:
> telnet 123.com 80
> sgsdgsdgsdgsdg 
> 
> RESULT: 
> HTTP/1.1 403 Forbidden
> Server: squid
> Mime-Version: 1.0
> Date: Mon, 29 Aug 2016 13:30:47 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 5
> X-Cache: MISS from cache1
> X-Cache-Lookup: NONE from cache1:3128
> Connection: close
> 
> reset

and

> config:
> acl test dst 69.58.188.49
> deny_info TCP_RESET test
> http_reply_access deny test 
> 
> 
> =
> test type:
> telnet 123.com 80
> GET / HTTP/1.1
> host: 123.com
> 
> 
> RESULT:
> HTTP/1.1 403 Forbidden
> Server: squid
> Mime-Version: 1.0
> Date: Sun, 28 Aug 2016 08:45:23 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 5
> X-Cache: MISS from cache1
> X-Cache-Lookup: MISS from cache1:3128
> Connection: keep-alive
> 
> reset


Based on v3.5.19 test results you have posted, your Squid does not honor
deny_info when processing http_reply_access. This problem definitely
affects error messages generated by non-HTTP requests and probably
affects regular responses as well. Most likely, Squid modifications
would be required to fix/improve this. The next steps are outlined at

http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Alex.

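To tell a real TCP reset apart from an HTTP error page when a listener on port 80 (or an intercepted 443, as in the VPN thread) is fed a non-HTTP line, here is an added Python check that is not from this thread or from Squid. It mirrors Omid's telnet test above and ships two constructed local stand-ins so it can be exercised offline: one that answers with the 403-plus-"reset" body quoted in the thread, one that aborts the connection with a RST the way deny_info TCP_RESET is meant to; the function names are my own.

```python
"""Probe a listener with a non-HTTP line and report whether it answered with a
TCP reset (what deny_info TCP_RESET should produce) or with an HTTP error."""
import socket
import struct
import threading

PROBE = b"sgsdgsdgsdgsdg\r\n"   # same garbage line the telnet test in this thread used


def classify_response(host, port, payload=PROBE, timeout=3.0):
    """Return 'tcp-reset', 'http-error:<status>', 'closed', 'timeout' or 'unknown'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(payload)
            data = s.recv(4096)
        except (ConnectionResetError, BrokenPipeError):
            return "tcp-reset"        # peer sent RST instead of a reply
        except socket.timeout:
            return "timeout"
    if not data:
        return "closed"               # orderly FIN, no error page
    if data.startswith(b"HTTP/"):
        status = data.split(b" ", 2)[1].decode("ascii", "replace")
        return f"http-error:{status}"
    return "unknown"


# --- constructed local stand-ins so the check can run without a proxy ---

def fake_squid_403(conn):
    """Mimics the reply quoted in the thread: a 403 whose body is 'reset'."""
    conn.recv(4096)
    conn.sendall(b"HTTP/1.1 403 Forbidden\r\nServer: squid\r\n"
                 b"Content-Length: 5\r\nConnection: close\r\n\r\nreset")


def fake_tcp_reset(conn):
    """What TCP_RESET is meant to do: close with SO_LINGER 0, which emits a RST."""
    conn.recv(4096)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))


def serve_once(handler):
    """Start a one-shot 127.0.0.1 listener that runs handler; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:                    # closing here triggers the handler's effect
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("403 page :", classify_response("127.0.0.1", serve_once(fake_squid_403)))
    print("real RST :", classify_response("127.0.0.1", serve_once(fake_tcp_reset)))
```

Against a live proxy, call classify_response with the proxy's address and port 80 (or the intercepted 443 port); an "http-error:403" result reproduces the behaviour Alex describes, while "tcp-reset" means deny_info TCP_RESET took effect.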


Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-29 Thread Omid Kosari
Alex Rousskov wrote
> On 08/28/2016 03:10 AM, Omid Kosari wrote:
>> Alex Rousskov wrote
>>> I understand that it works for regular requests. Does it also work
>>> (i.e.,
>>> does Squid reset the connection) when handling a non-HTTP request on
>>> port 80?
> 
>> No , when the request is non-HTTP it does not reset the connection .
> 
> Great. Now please go back to the simpler configuration I asked you to
> test some time ago:
> 
>   http_reply_access deny all
>   deny_info TCP_RESET all
> 
> Does that work for non-HTTP request on port 80?

config:
http_reply_access deny all
deny_info TCP_RESET all 

=
test type:
telnet 123.com 80
sgsdgsdgsdgsdg 

RESULT: 
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Mon, 29 Aug 2016 13:30:47 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close

reset

Connection to host lost.
==




Alex Rousskov wrote
> I am confused. Earlier you said "As i mention before the deny_info works
> in other configs" and gave a very similar configuration example with
> dstdomain ACL. Now you are showing that this example does _not_ work
> even with regular requests (you are getting HTTP headers from Squid
> instead of a TCP connection reset). Am I missing something?

Sorry, I meant with adapted_http_access. Maybe my typo.





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-RESET-non-http-requests-on-port-80-tp4679102p4679239.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-29 Thread L . P . H . van Belle
Hello Markus,

No, I'm not using the latest from trunk. ATM I use the 3.5.19 supplied by
Debian testing.

If you want me to test something, I'm happy to do that for you.

Best regards,

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Markus Moeller
Sent: Saturday 27 August 2016 16:38
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem

Hi Louis,

    I lately made a change in how the SSL certificate verification is done. Did
you use the latest version from trunk? Also set the variable TLS_CACERTFILE
in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do
not read any ldap.conf file for this yet.

Markus


"L.P.H. van Belle"  wrote in message 
news:vmime.57beabe1.6a01.3a47ad2737b8d...@ms249-lin-003.rotterdam.bazuin.nl...




Hi,

I've added the needed UPN and set up the _ldaps records in the DNS zones; that's
OK now.

The last part, here I need some help.


support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set certificate file for ldap server to 
/etc/ssl/certs/cert.pem.(Changeable through setting environment variable 
TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP 
server

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set certificate file for ldap server to 
/etc/ssl/certs/cert.pem.(Changeable through setting environment variable 
TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP 
server

 

I tried to set TLS_CACERTFILE in ldap.conf; that didn't work, so I don't know
how to fix this or where to put these variables.

I need a user to connect to the LDAP. I have that one in place.

I just can't find how to put this in this line so I can test this out, but I
can only authenticate if the TLS_CACERTFILE is set correctly.

Any suggestions here?

Greetz,

Louis










Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread L . P . H . van Belle
Hello Markus,

Thank you for the explanation, that helped a lot.

I use the TLS_CACERTFILE in the init script now and that works for me.

( in Debian the /etc/default/squid )

>>The helper tries to "authenticate" squid to AD as a user with the found SPN
>>name, so the UPN must be the same as the SPN.  There is no easy way to query
>>what the UPN for the SPN is.

Ah, this helped identifying some other small things too.

>>msktutil (my preferred tool)

Since I try to use only Debian packages, msktutil is not available for me.

>>Also msktutil (my preferred tool) creates a machine account not a user
>>account in AD.

>>The reason I prefer this is that often user accounts have a global password
>>policy e.g. change every 60 days otherwise it will be locked.

>>machine accounts do not have that limitation. But as I said it is just my
>>preference.

That's not correct in my opinion. A computer account works (almost) the
same as a user account.

Like a computer account = a user account.

some pointers :

https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

https://adsecurity.org/?p=280

I used a separate user since I wanted to have 2 proxies on 1 service account,
but due to the UPN/SPN thing, that's not an option anymore. Not that that's a
problem; I'll change to adding the computer to the Samba domain and adding the
UPN/SPN on the computer account where needed.

Which may even be a better option.

Thanks again for your replies.

Best regards,

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Markus Moeller
Sent: Saturday 27 August 2016 16:52
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2
minorbugsmaybe )

Hi,

   I would say they are bugs. The first "issue" is as you say more about
understanding the difference between UPN and SPN and how the tools use them.
The helper tries to "authenticate" squid to AD as a user with the found SPN
name, so the UPN must be the same as the SPN.  There is no easy way to query
what the UPN for the SPN is.

  Also msktutil (my preferred tool) creates a machine account not a user
account in AD. The reason I prefer this is that often user accounts have a
global password policy e.g. change every 60 days otherwise it will be locked.
Machine accounts do not have that limitation. But as I said it is just my
preference.

   Regarding the certificate check I do not use any ldap.conf settings. I
require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file.
Maybe in the next version I will see how I can determine the right ldap.conf
file and check if the CACERTFILE variable is already set.

Kind regards

Markus


"L.P.H. van Belle"  wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...




Ok reply to myself so other users know this also.

 

if you create a user for the HTTP services and you dont use msktutil but like 
me samba-tool or something else. 

 

Read : 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. 

and the clue was this line for me.  

 

Squid "logs in" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalName set to 
@DOMAIN.COM>

for the associated account. This is usually done by using msktutil. 

 

But this is not done by samba-tool.

 

The samba-tool setup for squid I used was as follows. 

samba-tool user create squid1-service --description="Unprivileged user for 
SQUID1-Proxy Services" --random-password 

samba-tool user setexpiry squid1-service --noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in : 

My UPN was set to usern...@internal.domain.tld ( as it should ). 

My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as it should ).

 

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:

 HTTP/proxy.internal.domain.tld

 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

 

 

Now I changed my UPN from usern...@internal.domain.tld to the (SPN name) 
HTTP/proxyserver.internal.domain.tld@REALM 

Solved my initial problem. 

In my opinion this should be changed to search for the SPN in 
ext_kerberos_ldap_group.

 

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but 
I don't get why I'm getting: 

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable 
through setting environment variable TLS_CACERTFILE)

 

I already have: TLS_CACERT /etc/ssl/certs/ca-certificates.crt 

Which contains the needed certs.

 

Did I find 2 small bugs here?

Or is this a “Debian” related thing? 

 

 

Debug output. 
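The UPN/SPN mismatch described above, as an added check (not code from Squid, from the helper, or from either poster): given the attributes an account ends up with after `samba-tool user create` and `samba-tool spn add`, it verifies that userPrincipalName already equals the HTTP/ SPN qualified with the realm, and otherwise emits the LDIF that would set it. The account data and realm are constructed sample values modelled on the thread.

```python
"""Check a Squid Kerberos service account for the UPN == SPN@REALM condition
that ext_kerberos_ldap_group_acl relies on, and build the LDIF that fixes it.
Added example; the sample account below is constructed, not real directory data."""

# Constructed sample: what samba-tool leaves behind (hypothetical names).
SAMPLE_ACCOUNT = {
    "dn": "CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld",
    "userPrincipalName": ["squid1-service@internal.domain.tld"],
    "servicePrincipalName": [
        "HTTP/proxy.internal.domain.tld",
        "HTTP/proxy.internal.domain.tld@INTERNAL.DOMAIN.TLD",
    ],
}


def http_spns(account):
    """HTTP/ SPNs of the account with any '@REALM' suffix stripped, deduplicated."""
    spns = set()
    for spn in account.get("servicePrincipalName", []):
        if spn.upper().startswith("HTTP/"):
            spns.add(spn.split("@", 1)[0])
    return sorted(spns)


def expected_upn(account, realm):
    """The UPN the helper needs: the single HTTP/ SPN qualified with the realm."""
    spns = http_spns(account)
    if len(spns) != 1:
        raise ValueError("expected exactly one HTTP/ SPN, found %r" % (spns,))
    return "%s@%s" % (spns[0], realm.upper())


def upn_matches_spn(account, realm):
    """True when userPrincipalName is already the SPN form (exact string match,
    since the Kerberos library compares the principal as stored)."""
    upns = account.get("userPrincipalName", [])
    return len(upns) == 1 and upns[0] == expected_upn(account, realm)


def fix_ldif(account, realm):
    """LDIF 'changetype: modify' that replaces the UPN; empty string when correct."""
    if upn_matches_spn(account, realm):
        return ""
    return "\n".join([
        "dn: %s" % account["dn"],
        "changetype: modify",
        "replace: userPrincipalName",
        "userPrincipalName: %s" % expected_upn(account, realm),
        "",
    ])
```

The generated LDIF can be applied on a Samba DC with `ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif`, after which `samba-tool spn list` and an LDAP lookup of userPrincipalName should show the same HTTP/ principal.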


Re: [squid-users] squid with random outgoing ip from pool of 1000 ips

2016-08-29 Thread --Ahmad--
Ok


but can you confirm for me whether the list below is correct ???



should it be like 1/9987 or .088787  formatting ?




acl half10001 random 0.000998001000
acl half10006 random 0.0009930209650350
acl half10011 random 0.0009880657804942
acl half10020 random 0.0009792086759647
acl half10037 random 0.0009626946373158
acl half10043 random 0.0009569328906720
acl half10059 random 0.0009417362622232
acl half10079 random 0.0009230793978373
acl half10082 random 0.0009203129279589
acl half10084 random 0.0009184732224159
acl half10094 random 0.0009093297114627
acl half10098 random 0.0009056978449587
acl half10109 random 0.0008957848329039
acl half10113 random 0.0008922070646991
acl half10114 random 0.0008913148576344
acl half10122 random 0.0008842092457380
acl half10137 random 0.0008710385479118
acl half10154 random 0.0008563487636013
acl half10168 random 0.0008444374977929
acl half10171 random 0.0008419067177676
acl half10173 random 0.0008402237462388
acl half10218 random 0.0008032337005613
acl half10221 random 0.0008008264083574
acl half10222 random 0.0008000255819491
acl half10223 random 0.0007992255563671
acl half10227 random 0.0007960334462989
acl half10247 random 0.0007802631200941
acl half10248 random 0.0007794828569740
.
.
.
.
.

> On Aug 28, 2016, at 12:56 PM, --Ahmad--  wrote:
> 
> just to tell you 
> i updated the acl as below :
> acl half10001 random 0.000998001000
> acl half10006 random 0.0009930209650350
> acl half10011 random 0.0009880657804942
> acl half10020 random 0.0009792086759647
> acl half10037 random 0.0009626946373158
> acl half10043 random 0.0009569328906720
> acl half10059 random 0.0009417362622232
> acl half10079 random 0.0009230793978373
> acl half10082 random 0.0009203129279589
> acl half10084 random 0.0009184732224159
> acl half10094 random 0.0009093297114627
> acl half10098 random 0.0009056978449587
> acl half10109 random 0.0008957848329039
> acl half10113 random 0.0008922070646991
> acl half10114 random 0.0008913148576344
> acl half10122 random 0.0008842092457380
> acl half10137 random 0.0008710385479118
> acl half10154 random 0.0008563487636013
> acl half10168 random 0.0008444374977929
> acl half10171 random 0.0008419067177676
> acl half10173 random 0.0008402237462388
> acl half10218 random 0.0008032337005613
> acl half10221 random 0.0008008264083574
> acl half10222 random 0.0008000255819491
> acl half10223 random 0.0007992255563671
> acl half10227 random 0.0007960334462989
> acl half10247 random 0.0007802631200941
> acl half10248 random 0.0007794828569740
> .
> .
> .
> .
> .
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users