Re: [squid-users] Squid doesn't call helper
Thank you very much With the debug option i found the error An external acl program later in the config returned a number and OK in one line (5:OK or 10:ERR) The acl handler in squid got an exception handling this returned result and all requests got DENIED After correcting the external handler squid works OK AAA Yours Anton Kornexl -Ursprüngliche Nachricht- Von: squid-users Im Auftrag von Amos Jeffries Gesendet: Dienstag, 20. Oktober 2020 13:38 An: squid-users@lists.squid-cache.org Betreff: Re: [squid-users] Squid doesn't call helper On 20/10/20 6:18 pm, Kornexl, Anton wrote: > Squid 4.10 on Ubuntu 20.04 > > > > The configured program is started but not called (or the result not used) > Please check cache.log to find out which of those two very different things is happening. One means the ACL is not being checked or credentials not provided. The other means credentials are invalid. You may need to set this directive: debug_options 11,2 29,5 28,4 > The authentication window does not show up in the browser That means the auth result was not deny. > > All request are denied because acl proxyuser doesn’t match > There is no deny line in your shown config using auth ACLs. > The same config runs on squid 3.5.27 on Ubuntu 18.04 and squid 4.13 on > opensuse 4.13 > > > > How can i debug this problem > Check cache.log with this directive set: debug_options 11,2 29,5 28,4 > Other helpers are also not called/used > > That strongly implies you have an ordering problem in your config file. One early ACL allowing or denying traffic before any helpers get checked. > > http_access allow jufi1 > > http_access allow jufi1-6 > > http_access allow jufi2 > > http_access allow jufi2-6 > Since they are all the same type, and used the same way at the same time You can combine all those ACLs into one name. > > http_access allow proxyusers > Please try the recommended auth config: http_access deny !proxyusers http_access allow localnet Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid doesn't call helper
Squid 4.10 on Ubuntu 20.04 The configured program is started but not called (or the result not used) The authentication window does not show up in the browser All request are denied because acl proxyuser doesn't match The same config runs on squid 3.5.27 on Ubuntu 18.04 and squid 4.13 on opensuse 4.13 How can i debug this problem Other helpers are also not called/used The squid user can execute the configured program /usr/local/bin/mysql_auth and returns an OK sudo -u squid /usr/local/bin/mysql_auth test testing OK --- auth_param basic program /usr/local/bin/mysql_auth auth_param basic children 10 startup=5 idle=1 auth_param basic utf8 on auth_param basic realm "Squid proxy-caching web server" auth_param basic credentialsttl 2 hours acl jufi1 src 1.2.3.4/32 acl jufi1-6 src 2a01:.::2 acl jufi2 src 1.2.3.5/32 acl jufi2-6 src 2a01:.::2 acl proxyusers proxy_auth REQUIRED http_access allow jufi1 http_access allow jufi1-6 http_access allow jufi2 http_access allow jufi2-6 http_access allow proxyusers --- Yours Anton Kornexl ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid access.log
Thank you for this INFO I use ufdbguard with the line url_rewrite_program /usr/sbin/sgwrapper_ufdb I had redirect-https "https://www.jug in the config file for ufdbguard Removing https:// from this definition removed the fake CONNECT https:443 entries Anton Kornexl -Ursprüngliche Nachricht- Von: squid-users Im Auftrag von Amos Jeffries Gesendet: Donnerstag, 16. Januar 2020 20:59 An: squid-users@lists.squid-cache.org Betreff: Re: [squid-users] Squid access.log On 17/01/20 3:08 am, Alex Rousskov wrote: > On 1/16/20 3:06 AM, Kornexl, Anton wrote: >> I see many requests with CONNECT https:443 in my access.log > >> How are these entries triggered? > > These records are logged when your Squid is done with an HTTP CONNECT > tunnel or after Squid intercepts a TLS connection. In very broad terms, > they are a sign that your Squid participates in HTTPS transactions. > Normally, there should be more than "https:443" in those CONNECT records. > This particular "https:443" happens when people use SquidGuard or similarly broken redirector to tell Squid the *URI* (hostname:443) of a CONNECT tunnel is a *URL* (https://hostname:443[path]).. If this is your case, fix the redirector or use this: uri_rewrite_access deny CONNECT Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid access.log
I use squid 4.9 on OpenSuse 15.1 Almost all https-Requests are logged with https:443 1579204357.578 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204358.623 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204358.672 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204358.677 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204358.680 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204359.261 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204360.227 8766 1.2.3.4 TCP_TUNNEL/200 47056 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 - 1579204363.236 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204377.895 16489 1.2.3.4 TCP_TUNNEL/200 3851 CONNECT t.uimserv.net:443 - HIER_DIRECT/195.20.250.183 - 1579204381.210 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204381.960 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - 1579204383.712 8416 1.2.3.4 TCP_TUNNEL/200 8409 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 - 1579204396.847 45930 1.2.3.4 TCP_TUNNEL/200 77063 CONNECT adimg.uimserv.net:443 - HIER_DIRECT/23.210.249.45 - Only some https-Requests get logged with a useful line I don't use SSLBump I have logged the traffic in a haproxy in front of this squid: These requests 2020-01-16T20:59:28+01:00 Jufi haproxy[1796]: 1.2.3.4:20711 [16/Jan/2020:20:59:28.656] squid squidservers/squidserver1 0/0/0/3/3 503 4252 - - 12/12/11/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1" 2020-01-16T20:59:34+01:00 Jufi haproxy[1796]: 1.2.3.4:30065 [16/Jan/2020:20:59:34.226] squid squidservers/squidserver1 0/0/0/1/1 503 4252 - - 13/13/12/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1" 2020-01-16T21:01:14+01:00 Jufi haproxy[1796]: 1.2.3.4:19521 [16/Jan/2020:21:01:14.892] squid squidservers/squidserver1 0/0/0/2/2 503 4252 - - 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1" 2020-01-16T21:01:15+01:00 Jufi haproxy[1796]: 1.2.3.4:31880 [16/Jan/2020:21:01:15.901] squid squidservers/squidserver1 0/0/0/0/0 503 4252 - - 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1" don't show up in access.log (squid) These requests are logged (with time at the start of the line converted to human readable) Thu Jan 16 20:59:28 2020 2 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - Thu Jan 16 20:59:34 2020 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - Thu Jan 16 21:01:14 2020 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - Thu Jan 16 21:01:15 2020 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- - Why are some https-requests logged with the correct hostname and no fake CONNECT https:443 and other requests are logged without correct domain but with fake CONNECT entries On another system i have squid 3.5.27 (Ubuntu 18.04) There are no CONNECT https:443 log lines and all https-requests are logged with CONNECT :443 entries. Anton Kornexl -Ursprüngliche Nachricht- Von: Alex Rousskov Gesendet: Donnerstag, 16. Januar 2020 15:08 An: Kornexl, Anton ; 217.252.117.35 Betreff: Re: [squid-users] Squid access.log On 1/16/20 3:06 AM, Kornexl, Anton wrote:: > I see many requests with CONNECT https:443 in my access.log > How are these entries triggered? These records are logged when your Squid is done with an HTTP CONNECT tunnel or after Squid intercepts a TLS connection. In very broad terms, they are a sign that your Squid participates in HTTPS transactions. Normally, there should be more than "https:443" in those CONNECT records. > They produce errors in some accounting scripts Consider either fixing the scripts or, if losing information about CONNECT tunnels is acceptable to your accounting, filtering CONNECT records out before giving the logs to the scripts. You can also configure Squid to stop logging CONNECT transactions (using access_log ACLs), but I do not recommend hiding the truth that may be critical in a triage. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid access.log
Hello I see many requests with CONNECT https:443 in my access.log How are these entries triggered? They produce errors in some accounting scripts Kind regards Anton Kornexl smime.p7s Description: S/MIME cryptographic signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users