Re: [squid-users] Squid + ICQ contest ;)
Here is two parallel blocks of data: sniffing session from proxy box, and the same time squid access.log entries: root @ cthulhu / # snoop 192.168.100.103|grep icq Using device aggr1 (promiscuous mode) 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040 192.168.100.103 -> api.evip.icq.com HTTP C port=9041 api.evip.icq.com -> 192.168.100.103 HTTP R port=9041 192.168.100.103 -> api.evip.icq.com HTTP C port=9041 192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG api.evip.icq.com -> 192.168.100.103 HTTP R port=9041 api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK api.evip.icq.com -> 192.168.100.103 HTTP encoding="UTF-8"?> api.evip.icq.com -> 192.168.100.103 HTTP R port=9041 192.168.100.103 -> api.evip.icq.com HTTP C port=9041 192.168.100.103 -> api.evip.icq.com HTTP C port=9041 192.168.100.103 -> api.evip.icq.com HTTP C port=9041 api.evip.icq.com -> 192.168.100.103 HTTP R port=9041 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045 192.168.100.103 -> api.evip.icq.com HTTP C port=9053 api.evip.icq.com -> 192.168.100.103 HTTP R port=9053 192.168.100.103 -> api.evip.icq.com HTTP C port=9053 192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG api.evip.icq.com -> 192.168.100.103 HTTP R port=9053 api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK api.evip.icq.com -> 192.168.100.103 HTTP encoding="UTF-8"?> api.evip.icq.com -> 192.168.100.103 HTTP R port=9053 192.168.100.103 -> api.evip.icq.com HTTP C port=9053 192.168.100.103 -> api.evip.icq.com HTTP C port=9053 192.168.100.103 -> api.evip.icq.com HTTP C port=9053 api.evip.icq.com -> 192.168.100.103 HTTP R port=9053 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079 192.168.100.103 -> api.evip.icq.com HTTP C port=9080 api.evip.icq.com -> 192.168.100.103 HTTP R port=9080 192.168.100.103 -> api.evip.icq.com HTTP C port=9080 192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG api.evip.icq.com -> 192.168.100.103 HTTP R port=9080 api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK api.evip.icq.com -> 192.168.100.103 HTTP encoding="UTF-8"?> api.evip.icq.com -> 192.168.100.103 HTTP R port=9080 192.168.100.103 -> api.evip.icq.com HTTP C port=9080 192.168.100.103 -> api.evip.icq.com HTTP C port=9080 192.168.100.103 -> api.evip.icq.com HTTP C port=9080 api.evip.icq.com -> 192.168.100.103 HTTP R port=9080 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081 192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093 bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093 192.168.100.103 ->
Re: [squid-users] Squid + ICQ contest ;)
On 27/10/2015 9:36 a.m., Yuri Voinov wrote: > > The problem is: I can't see most part of ICQ traffic. Because of it uses > non-HTTP/HTTPS/FTP ports. Only with sniffer. Okay, that should not matter much. That part of the traffic there is nothing we can do about in Squid. > > Looks like this: > > 1. Login starts over 5190 port with CONNECT method. And normal squid's > config blocks it - this is non-SSL port. Nod. > 2. If we add this port to SSL_ports acl, connect starts via HTTP over > HTTPS port. Squid's prohibit it too. If we relax config (and make it > less secure!), login phase goes next step. Pause, how does Squid prohibit that _exactly_ ? Maybe somebody else can find a way to do it without loosing security. > 3. And finally Squid got XML-answer via HTTP/HTTPS, which is visible by > squid, and at this moment client got "Login denied, check > login/password". Whenever right or wrong password. Okay. That sounds a bit like it could be from something Squid is adding (or not adding). Actually seeing those request and reply messages here would help a lot. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + ICQ contest ;)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The problem is: I can't see most part of ICQ traffic. Because of it uses non-HTTP/HTTPS/FTP ports. Only with sniffer. Looks like this: 1. Login starts over 5190 port with CONNECT method. And normal squid's config blocks it - this is non-SSL port. 2. If we add this port to SSL_ports acl, connect starts via HTTP over HTTPS port. Squid's prohibit it too. If we relax config (and make it less secure!), login phase goes next step. 3. And finally Squid got XML-answer via HTTP/HTTPS, which is visible by squid, and at this moment client got "Login denied, check login/password". Whenever right or wrong password. Viola, connection denied completely. 27.10.15 0:27, Amos Jeffries пишет: > On 27/10/2015 6:30 a.m., Yuri Voinov wrote: >> >> I think the right question is not "What headers pass through Squid" and >> "Why did they pass through a transparent proxy, if the port that is >> used, not 80 or 443?" >> > > ICQ speaks HTTP on port 80. Not sure about 443, it should at least speak > TLS hopefully with ALPN and/or HTTP inside. > > Even so, whats going through (or at least into) Squid is the detail you > need to provide to get a chance at a solid answer. > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWLo7hAAoJENNXIZxhPexGodsIAKHkuz36C7/V2E4VLWMSdMUy eTjSnG0A58+h3Kl70cR/u0ICkI0aK5wqTP+51S3CPIw7c0l6eWKx1Yb6Qz0sbJjw wy6PJKQx2nNUt9CDX7MMaETwpyWDfkxl7RjbskvmOQbGwf+EgK4HPGO8bn/FZTu3 r4HhN6ARxoIpGqHt8uQbfaV8jHw2Xgl/MonWlEKKn7Nv/JeQcXjfeko4u+3hGl45 v6PkLD8SsMhgmqOI48MnxkvQSfjUGpSbDej0vb/Jy4jYcmZz3qCcUoJflMdIG6nD PlmQFloofXXApm7nf7gAJ0v1j2B/oXexMjW838Ge7LMAQ4xfrwszznlu76rHKJk= =2khV -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid + ICQ contest ;)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi gents. There is a good contest for all squidmans ;) So. We have wey idiotic protocol - OSCAR, and very antique IM client. This is ICQ. So what - it's work via Squid 3.4.x (both transparent and forwarding) using proxy settings by client. But - no way we could get it to connect through Squid 3.5 or 4. Never. Nothing. "Login/password" error. For correct accounts. With right and working passwords. So, end users is in frustration. :) The question is: somebody knows workaround for this stupid, idiotic and antique clients? NB: Yes, Google don't know this too. ;) Google-Fu skills is no matter. ;) WBR, Yuri -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWLkyyAAoJENNXIZxhPexGQZcH/1IVHT2Zks0SxaPcAlm7D50q RYKnN3ksxpTtpEf+lmpNtrz74zy38jnmOlg9ipI9hXv7LCqHy9S2fVHM3CaDEYdA on0a/agXKJoL9uBp60P1XmmmhPElJcLvEtPf/ufYFwsbvj0ZLRtc4CT9NawD7fui Xxz3qemrTw8M4VufUxhW84WyJ85PGssd+ZJ7TiKEH4Q+m1iLKBu0Hgs8/h9fMHKv beGVZH8uXIyE07rsMdiQjdk/n8x0GC+78DjPMzjGofovRVP5VZOvpakZ3ZVROP6t R5L7S9e4FWqqmCWp653Ewbj9fT4AGN0T0chgbYk55NdL5dQkyQJ5fPkDMVscOt0= =BVO7 -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + ICQ contest ;)
On 27/10/2015 4:54 a.m., Yuri Voinov wrote: > > Hi gents. > > There is a good contest for all squidmans ;) > > So. > > We have wey idiotic protocol - OSCAR, and very antique IM client. > > This is ICQ. > > So what - it's work via Squid 3.4.x (both transparent and forwarding) > using proxy settings by client. > > But - no way we could get it to connect through Squid 3.5 or 4. Never. > Nothing. "Login/password" error. For correct accounts. With right and > working passwords. > > So, end users is in frustration. :) > > The question is: somebody knows workaround for this stupid, idiotic and > antique clients? So I think the real question is what HTTP headers are going through Squid? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + ICQ contest ;)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I think the right question is not "What headers pass through Squid" and "Why did they pass through a transparent proxy, if the port that is used, not 80 or 443?" 26.10.15 23:26, Amos Jeffries пишет: > On 27/10/2015 4:54 a.m., Yuri Voinov wrote: >> >> Hi gents. >> >> There is a good contest for all squidmans ;) >> >> So. >> >> We have wey idiotic protocol - OSCAR, and very antique IM client. >> >> This is ICQ. >> >> So what - it's work via Squid 3.4.x (both transparent and forwarding) >> using proxy settings by client. >> >> But - no way we could get it to connect through Squid 3.5 or 4. Never. >> Nothing. "Login/password" error. For correct accounts. With right and >> working passwords. >> >> So, end users is in frustration. :) >> >> The question is: somebody knows workaround for this stupid, idiotic and >> antique clients? > > > So I think the real question is what HTTP headers are going through Squid? > > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWLmMcAAoJENNXIZxhPexGQDkH/Rq0ZSFD1O2ylW/Xr0KFYnhd GP6GRypyKvB4ei6sY9lulPJDdGJb09Z+BDSdYASWanoX5kDa9WhkQ3lDZzqffo/o XH1EZQ6bftvlL8pVJqajMCwp6PNkHZ62W8IwzxNE3yNVVmBmsgLc60V/CqdyP8Tx qLy5FwMISnF9wSjHM3uE/X6ECZPT3VhEudFYuzf1+9SBwXUtK7yD3ytxY5fvy6W5 pDCWhoLfhajFI+A06bEPrdhSDN2+zqLgMhDk6HAuMcDVCBGj8iiNIsP4+yVVxztC dOOLyHK7a5CGFeiia1zmm7nw1VedNY7k4UeRsOE7GNDOfj859cBlBjIpqbBoqK8= =oLYP -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + ICQ contest ;)
On 27/10/2015 6:30 a.m., Yuri Voinov wrote: > > I think the right question is not "What headers pass through Squid" and > "Why did they pass through a transparent proxy, if the port that is > used, not 80 or 443?" > ICQ speaks HTTP on port 80. Not sure about 443, it should at least speak TLS hopefully with ALPN and/or HTTP inside. Even so, whats going through (or at least into) Squid is the detail you need to provide to get a chance at a solid answer. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + ICQ contest ;)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ICQ, like Skype later, uses special technique to bypass proxies/firewalls, and conventionally checks, after it native port 5190, other ports: 80,443,110,25 and other before it can connect to it's load balancer. Moreover, when use 443, it CONNECT over 443, but not use true HTTPS, just HTTP (squid writes it in cache.log). The problem is: ICQ is use not only own protocol-specific port 5190, but ANY other well-known port, and breaks standard usage of this ports. Squid can't pass this behaviour. I see no one squid.conf, which can be clearly pass ICQ. 27.10.15 0:27, Amos Jeffries пишет: > On 27/10/2015 6:30 a.m., Yuri Voinov wrote: >> >> I think the right question is not "What headers pass through Squid" and >> "Why did they pass through a transparent proxy, if the port that is >> used, not 80 or 443?" >> > > ICQ speaks HTTP on port 80. Not sure about 443, it should at least speak > TLS hopefully with ALPN and/or HTTP inside. > > Even so, whats going through (or at least into) Squid is the detail you > need to provide to get a chance at a solid answer. > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWLnGxAAoJENNXIZxhPexGSYwH/3AUXCgAsQZH8atsFnzjVzFz oE/83spzQqA+81I9JmUfoAkjfQHNQeyl14OTGUubxnVcM5bd5DlKfxZVQR9rFMaR 6H1nPV1nmxTOgH2rrVBRA1TeaAx19HcitgND99WrjPJ2bNzUl/gZwvHFcuNflWh7 1cHJBG3G6tRbGpvKi3tWVjWuX2u+7Vbc2ABWuLzVf1scMdCm13D/qohIPfptPhat PPvAyqsrwStLPi86SH0R5N9+yfkAHbHqdcydacDvyrGWG1WrWIN8vCNB7NB3+Kts ao20X4tb8zv9pLo74obFUKfXdCG7p1ERJxYfuk/qejP/LA0iqKziS4kGyEoRE5A= =U0iw -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users