Re: [squid-users] Forward loop detected: what does this mean?
On 20/05/11 03:01, Boniforti Flavio wrote:
> Hello Amos...
>
>>> What does that forward loop mean
>>
>> Your squid is sending requests out which subsequently arrive
>> back to it.
>
> OK.
>
>>> and how could it happen? I've noticed
>>
>> Most likely your NAT rules are broken. Packets leaving Squid
>> MUST NOT be sent back to Squids listening port.
>
> This is my iptables setup:
>
> proxy:/var/log/squid3# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
>    10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:81:83 redir ports 3128
>
> What you see there are some services redirected to my internal servers
> and the rule for intercepting web traffic...

Okay. Looks okay. The use of "eth0" replaces a specific Squid bypass. Squid will be using the Internet link eth1.

>> Or maybe the requests are for a domain which is pointing at
>> your Squid with its IPs.
>>
>>> that the originating IP was from a PC I had in my LAN which was
>>> infected with some sort of mal-/spy-ware...
>>
>> Or some attempted attack which is being short-circuited by
>> setting the attackers domain to point at 0.0.0.0 or
>> 127.0.0.1. In which case "http_access deny to_localhost" with
>> the default definition of to_localhost should block it before looping.
>
> I get tons of these in the access.log:
>
> 1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
> 1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
>
> What could this be meaning? It looks like the PC is trying to connect to
> the proxy port 3128, which is then directed to itself... uh?!

Yes, this is the access.log displayed for all the forwarding attempts which failed. For each "Forward loop detected" there will be one or more of these in access.log to show the request which was forwarded to Squid then abandoned.

The transaction looks something like this:

  client -> squid (access.log "000" / request aborted by server)
         -> squid (access.log "000" / request aborted by server)
         -> squid (cache.log "forward loop" abort)

Congratulations, active use of the CVE-2009-0801 vulnerabilities.

I would be grateful if you could provide any detailed info about the malware seen on the client box and the traffic itself ("tcpdump -s0" traces would be great). If this can be confirmed as the malware and not just a forward-proxy config in the client browser I'm going to have to make an announcement that it's finally gone wild.

The fix is to follow the recommended config of not using port 3128 for intercept or transparent. Use a randomly selected high port instead.

Also, at the Squid box "mangle" table configure this for your newly chosen intercept port:

  iptables -t mangle -A PREROUTING -p tcp --dport $NEW_PORT -j DROP

Make sure *nobody* can get to Squid with that port directly from inside OR outside the network.

If you want to be more selective and only block -i eth0 or -s 172.16.16.1, okay. But DNAT needs to be used then instead of REDIRECT since DNAT allows some explicit control over which IP gets picked by NAT and listened on by Squid. Match that IP to the mangle protected IP or NIC.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
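A log-side check for the pattern Amos describes, added here as an example for this thread (it is not Squid code and not from any of the posts). It walks native-format access.log lines and flags every request that is either addressed to one of the proxy's own listening sockets or was forwarded DIRECT to the proxy's own IP, then counts them per client so the infected host stands out. The listening addresses 172.16.16.1:3128 and 127.0.0.1:3128 are assumptions; the sample log is constructed, with the first two lines mirroring the entries posted above.

```python
"""Find access.log requests that were aimed at the proxy's own listening socket.

Added example for this thread; not Squid code and not from the list posts.
Assumes Squid's native access.log format (10 whitespace-separated fields) and
that the proxy listens on 172.16.16.1:3128 and 127.0.0.1:3128.
"""
from collections import Counter
from urllib.parse import urlsplit

# Listening sockets of this proxy (assumed; match them to your http_port lines).
PROXY_ADDRS = {("172.16.16.1", 3128), ("127.0.0.1", 3128)}

# Constructed sample log. The first two lines mirror the entries posted in the
# thread; the others are made up to show normal traffic beside the loop.
SAMPLE_LOG = """\
1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812230.100    120 172.16.16.20 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1305812231.400   1300 172.16.16.38 TCP_MISS/000 0 CONNECT 172.16.16.1:3128 - DIRECT/172.16.16.1 -
1305812232.000     80 172.16.16.21 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
"""


def parse_native_line(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    hier_code, _, next_hop = fields[8].partition("/")
    return {
        "client": fields[2],
        "status": fields[3],      # e.g. TCP_MISS/000
        "method": fields[5],
        "url": fields[6],
        "hier": hier_code,        # e.g. DIRECT, NONE
        "next_hop": next_hop,     # IP or hostname Squid forwarded to
    }


def request_target(method, url):
    """Return the (host, port) a request is addressed to, or None if unparseable."""
    if method == "CONNECT":           # CONNECT carries host:port, not a URL
        host, sep, port = url.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return host, int(port)
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def classify(entry, proxy_addrs):
    """Return why an entry looks like a self-forward, or None if it is normal."""
    if request_target(entry["method"], entry["url"]) in proxy_addrs:
        return "request addressed to the proxy's own listening socket"
    proxy_ips = {ip for ip, _ in proxy_addrs}
    if entry["hier"] == "DIRECT" and entry["next_hop"] in proxy_ips:
        return "DIRECT next hop is the proxy itself"
    return None


def find_self_forwards(log_text, proxy_addrs=PROXY_ADDRS):
    """Return (client, reason, url) for every entry that points back at the proxy."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_native_line(line)
        if entry is None:
            continue
        reason = classify(entry, proxy_addrs)
        if reason:
            hits.append((entry["client"], reason, entry["url"]))
    return hits


def clients_by_count(log_text, proxy_addrs=PROXY_ADDRS):
    """Count self-forwarded requests per client IP."""
    return Counter(client for client, _, _ in find_self_forwards(log_text, proxy_addrs))


if __name__ == "__main__":
    for client, n in clients_by_count(SAMPLE_LOG).most_common():
        print(f"{client}: {n} self-forwarded request(s)")
```

Run it against a real file with `clients_by_count(open("/var/log/squid3/access.log").read())`; any client that shows up here after the intercept port is moved and the mangle DROP rule is in place is still reaching the proxy's listening socket by some path the NAT rules do not explain.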
Re: [squid-users] using reverse squid to manage XMPP
You'll never silence the voice of the voiceless, squid-users!

2011/05/19 16:47:22 -0400 Carlos Manuel Trepeu Pupo => To Amos Jeffries :

CMTP> Sorry, I already know that squid isn't that I want, but do you know
CMTP> any relay XMPP, I search and I didn't find anything
CMTP>
CMTP> >> I have a rule that tell all the incoming traffic in XMPP ports go to
CMTP> >> my squid at 3128 port, but nothing happens, even in the log of squid
CMTP> >> nothing appears.
CMTP> >>
CMTP> >> I make a proof with my Jabber (Openfire) in/out through Kerio and there
CMTP> >> is no problem, so I'm missing some squid's configuration to do this,
CMTP> >> or Squid it's not the solution to my trouble.

You can manage all the incoming traffic in XMPP ports go to your Jabber the same way you can do to your squid?

73!
Peter
pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
Re: [squid-users] using reverse squid to manage XMPP
Sorry, I already know that squid isn't that I want, but do you know any relay XMPP, I search and I didn't find anything

2011/5/17 Amos Jeffries :
> On Tue, 17 May 2011 11:24:50 -0400, Carlos Manuel Trepeu Pupo wrote:
>>
>> Hello, until now, everything that I question here have been solved, so
>> here I bring this new situation:
>>
>> Debian 6 64 bits, with squid 3.1.12.
>>
>> I have only one real IP with Kerio as firewall and in my private net
>> one reverse squid to publish my internal pages. I use Kerio because I
>> also have email and more services. So my clients wants to publish
>> their jabber to internet and I have the idea that the Squid could
>> route me the XMPP incoming traffic, because the outgoing traffic pass
>> through the firewall with NAT.
>>
>> I have a rule that tell all the incoming traffic in XMPP ports go to
>> my squid at 3128 port, but nothing happens, even in the log of squid
>> nothing appears.
>>
>> I make a proof with my Jabber (Openfire) in/out through Kerio and there
>> is no problem, so I'm missing some squid's configuration to do this,
>> or Squid it's not the solution to my trouble.
>>
>>
>> Can you help me?
>
> No, squid is HTTP proxy. XMPP is a completely different protocol.
>
> Look for an XMPP relay.
>
> Amos
>
RE: [squid-users] Forward loop detected: what does this mean?
Hello Amos...

>> What does that forward loop mean
>
> Your squid is sending requests out which subsequently arrive
> back to it.

OK.

>> and how could it happen? I've noticed
>
> Most likely your NAT rules are broken. Packets leaving Squid
> MUST NOT be sent back to Squids listening port.

This is my iptables setup:

proxy:/var/log/squid3# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
   10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:81:83 redir ports 3128
   31  1542 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21 to:172.16.16.254
 4689  277K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport dports 80,443 to:172.16.16.254
   19  1144 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:172.16.16.254
   14   822 DNAT       47   --  eth1   *       0.0.0.0/0            0.0.0.0/0           to:172.16.16.254
 4170  213K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:172.16.16.254
    8   444 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt: to:172.16.16.37
  227 13204 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport dports 22,873 to:172.16.16.240

Chain INPUT (policy ACCEPT 96511 packets, 7924K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 341K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 291K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
 234K   18M MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

What you see there are some services redirected to my internal servers and the rule for intercepting web traffic...

> Or maybe the requests are for a domain which is pointing at
> your Squid with its IPs.

>> that the originating IP was from a PC I had in my LAN which was
>> infected with some sort of mal-/spy-ware...
>
> Or some attempted attack which is being short-circuited by
> setting the attackers domain to point at 0.0.0.0 or
> 127.0.0.1. In which case "http_access deny to_localhost" with
> the default definition of to_localhost should block it before looping.

I get tons of these in the access.log:

1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -

What could this be meaning? It looks like the PC is trying to connect to the proxy port 3128, which is then directed to itself... uh?!

I'll be further investigating on the client "victim" (172.16.16.38)...

Kind regards,
Flavio Boniforti
PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch
Re: [squid-users] Forward loop detected: what does this mean?
On 20/05/11 00:24, Boniforti Flavio wrote:
> Hello everybody.
>
> I ran out of space on my squid log directory because cache.log grew very
> fast filled by "forward loop detected" messages. I'm using my squid as a
> transparent proxy.
>
> What does that forward loop mean

Your squid is sending requests out which subsequently arrive back to it.

> and how could it happen? I've noticed

Most likely your NAT rules are broken. Packets leaving Squid MUST NOT be sent back to Squids listening port.

Or maybe the requests are for a domain which is pointing at your Squid with its IPs.

> that the originating IP was from a PC I had in my LAN which was infected
> with some sort of mal-/spy-ware...

Or some attempted attack which is being short-circuited by setting the attackers domain to point at 0.0.0.0 or 127.0.0.1. In which case "http_access deny to_localhost" with the default definition of to_localhost should block it before looping.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [squid-users] ACLs help "DENIED, because it matched 'ldapauth'"
On 20/05/11 01:27, David Touzeau wrote:
> Hi all...
>
> I need help...
> I would like to understand why squid refuse the SSL upload command using 'ldapauth'
> here it is the debug events :
>
> 2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
> Host: lennyleonard.wetransfer.com:443
>
> 2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
> Host: lennyleonard.wetransfer.com:443
> Host: lennyleonard.wetransfer.com:443
> Host: lennyleonard.wetransfer.com:443
>
> 2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
> Host: lennyleonard.wetransfer.com:443
> 2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.934| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.934| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
> 2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
> 2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443

There are no Proxy-Authentication with credentials in that request. The denial should be a "regular" auth 407 challenge.

The auth systems use a different debug_options (section 29) so it does not show up in the access control (section 28) debug.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
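To make Amos's point concrete, here is an added example (written for this page; it is neither Squid source nor the poster's configuration) that models what the `proxy_auth REQUIRED` ACL decides for the CONNECT request shown in the debug output. A constructed user table stands in for the squid_ldap_auth helper; the realm string is the one from the posted squid.conf. The first request carries no Proxy-Authorization header, so the only possible outcome is the 407 challenge; the retried request with valid Basic credentials is allowed, and one with wrong credentials is challenged again. The user name and password are hypothetical.

```python
"""Model Squid's 'proxy_auth REQUIRED' decision on a CONNECT request.

Added example for this thread; not Squid source and not the poster's config.
A constructed user table (USERS) stands in for squid_ldap_auth. A request
without a Proxy-Authorization header is 'denied' by the ldapauth ACL only in
the sense that the proxy answers with a 407 challenge to start the exchange.
"""
import base64
import hmac

REALM = "Squid proxy-caching web server"   # realm from the posted squid.conf
USERS = {"alice": "s3cret"}                # constructed; replaces the LDAP bind


def parse_request(raw: bytes):
    """Return (method, target, headers) from the head of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_user(header_value, users):
    """Return the user name if a 'Basic' credential is well-formed and valid, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # not base64 / not text
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    # Constant-time compare of the stored secret; the real helper binds to LDAP instead.
    return user if hmac.compare_digest(users[user].encode(), password.encode()) else None


def proxy_auth_check(raw, users=USERS):
    """Decide as the proxy_auth REQUIRED ACL does: ('allow', who) or ('challenge', 407 response)."""
    method, target, headers = parse_request(raw)
    auth = headers.get("proxy-authorization")
    user = basic_user(auth, users) if auth else None
    if user is None:
        challenge = ("HTTP/1.0 407 Proxy Authentication Required\r\n"
                     f'Proxy-Authenticate: Basic realm="{REALM}"\r\n\r\n')
        return "challenge", challenge
    return "allow", f"{method} {target} as {user}"


def basic_header(user, password):
    """Build the header a browser sends after answering the challenge (base64, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}\r\n"


# The request from the debug output: no credentials yet.
FIRST = (b"CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0\r\n"
         b"Host: lennyleonard.wetransfer.com:443\r\n\r\n")


def with_credentials(raw, user, password):
    """Return the same request with a Proxy-Authorization header added."""
    return raw.replace(b"\r\n\r\n", b"\r\n" + basic_header(user, password).encode() + b"\r\n")


def exchange(users=USERS):
    """Run both sides: the bare request is challenged, the retry with credentials is allowed."""
    verdict1, _ = proxy_auth_check(FIRST, users)
    verdict2, _ = proxy_auth_check(with_credentials(FIRST, "alice", "s3cret"), users)
    return verdict1, verdict2


if __name__ == "__main__":
    print(proxy_auth_check(FIRST)[1])
    print(exchange())
```

Because Basic credentials travel base64-encoded, not encrypted, every client-to-proxy hop that carries this header needs to be a trusted link; the 407 round trip itself is harmless, but the retry is the one to protect.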
[squid-users] ACLs help "DENIED, because it matched 'ldapauth'"
Hi all...

I need help...
I would like to understand why squid refuse the SSL upload command using 'ldapauth'
here it is the debug events :

2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443

2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443

2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.934| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.934| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443

Here it is the squid.conf

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#- LDAP AUTH settings
#Authentification mode, building using squid compiled for 127.0.0.1:389
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=my-domain,dc=com" -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -f "(&(objectClass=userAccount)(uid=%s))" -v 3 -h 127.0.0.1 -p 389
#- GLOBAL
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -b "dc=my-domain,dc=com" -f "(&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v))" -S -v 3 -h 127.0.0.1 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl ldapauth proxy_auth REQUIRED
#- TWEEKS performances
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
#- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0
#- SQUID PARENTS (feature not enabled)
#- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar|cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
acl office_network src 192.168.0.0/24 10.0.0.0/8
acl group_password external ldap_group
#- GROUPS definition
#no groups
#- MAIN RULES...
always_direct allow FTP
# - SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp
#
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods meth
[squid-users] Cache_peer configuration
Hello All,

We have 5 squid servers and each squid server is configured to send requests from certain clients to cache_peer (cache_peer is a filter) and rest of the request passes as direct requests. We have disk caching at all servers and need to share disk caching among the five servers.

How to configure all squid servers with sibling relationship and ensure the clients which are supposed to pass through filter (cache_peer) are not bypassed filter or passed as direct requests? Whether following configuration will achieve it? Please share your views.

proxy1 configuration:
client range: 172.16.1.0/24 and 10.0.0.0/8

cache_peer example.com parent 3128 7 no-query no-digest default name=filter
acl peer src 172.16.1.0/24
cache_peer_access filter allow peer
cache_peer proxy2 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy3 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy4 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy5 sibling 3128 7 no-query proxy-only round-robin

Thanks
Senthil
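No answer to this appears on the page. As an added illustration (not a reply from the list and not tested against the poster's setup), the fragment below shows how the two requirements in the question are usually expressed on proxy1: the filtered range is pinned to the filter parent with never_direct, and kept away from the sibling caches with cache_peer_access, so neither a parent outage nor a sibling HIT lets it around the filter. The peer names and the 172.16.1.0/24 range come from the question; the 192.0.2.x sibling addresses, the ICP port 3130 and the use of ICP at all are assumptions.

```conf
# Added example for proxy1, not from the thread. Peer names and the filtered
# client range are from the question; sibling addresses (192.0.2.x, TEST-NET)
# and ICP on port 3130 are assumptions.
acl peer     src 172.16.1.0/24
acl siblings src 192.0.2.2 192.0.2.3 192.0.2.4 192.0.2.5

# The filter parent is reachable only for the filtered range...
cache_peer example.com parent 3128 7 no-query no-digest default name=filter
cache_peer_access filter allow peer
cache_peer_access filter deny all

# ...and the filtered range may never go DIRECT: if the parent is down the
# request fails instead of silently bypassing the filter.
never_direct allow peer

# Siblings: with neither ICP queries nor digests Squid has no way to learn
# that a sibling holds an object, so give it ICP (assumed on 3130).
icp_port 3130
icp_access allow siblings
icp_access deny all
cache_peer proxy2 sibling 3128 3130 proxy-only
cache_peer proxy3 sibling 3128 3130 proxy-only
cache_peer proxy4 sibling 3128 3130 proxy-only
cache_peer proxy5 sibling 3128 3130 proxy-only

# Keep the filtered range away from sibling caches as well; otherwise an
# object a sibling fetched unfiltered for its own clients is served to them.
cache_peer_access proxy2 deny peer
cache_peer_access proxy3 deny peer
cache_peer_access proxy4 deny peer
cache_peer_access proxy5 deny peer

# Siblings may take HITs from here but must not use this proxy as a parent.
miss_access deny siblings
miss_access allow all
```

The same block, with the local filtered range substituted, goes on each of the other four proxies. Note that round-robin is a parent-selection option and has no effect on sibling lines.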
[squid-users] Forward loop detected: what does this mean?
Hello everybody.

I ran out of space on my squid log directory because cache.log grew very fast filled by "forward loop detected" messages. I'm using my squid as a transparent proxy.

What does that forward loop mean and how could it happen? I've noticed that the originating IP was from a PC I had in my LAN which was infected with some sort of mal-/spy-ware...

Any information will be appreciated, thanks!

Flavio Boniforti
PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch
Re: [squid-users] Traffic Management Addon for Squid
On 19/05/11 22:00, Malvin Rito wrote:
> Hi List,
>
> Is there any Add-on or utility for squid to manage, monitor and prioritize
> traffic? If there is please advise.
>
> Many Thanks.
> Malvin

Not as such.

Squid can be configured to directly mark its outgoing traffic with TOS/DiffServ and/or netfilter MARKs using the directives qos_flows (on type of HIT/MISS/peer data source relationship) or tcp_outgoing_tos (on any given ACL criteria). Any QoS management software should be able to work with the resulting packets as they flow.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
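An added configuration example for the two directives Amos names (written for this page, not from the thread or the Squid documentation). It assumes the Squid 3.1 syntax of qos_flows and the ACL names and networks shown; the TOS values are DiffServ classes AF21 and AF11 shifted into the TOS byte.

```conf
# Added example, not from the thread. Assumes Squid 3.1 syntax for qos_flows
# and the ACL names/networks below (192.0.2.0/24 and the domain are placeholders).
acl staff   src 192.0.2.0/24
acl updates dstdomain .download.example.net

# Per request, on any ACL: staff traffic as AF21 (0x48), bulk updates as AF11 (0x28).
# First matching line wins, so order these from most to least specific.
tcp_outgoing_tos 0x48 staff
tcp_outgoing_tos 0x28 updates

# By data source: local cache HITs, sibling HITs and parent HITs get their own marks,
# so the shaper can tell cached from freshly fetched bytes.
qos_flows local-hit=0x30 sibling-hit=0x31 parent-hit=0x32
```

The shaper on the Squid host then classifies on the TOS byte of packets leaving the Internet interface (for tc's u32 classifier that is a match on ip tos with the value and a mask); Squid itself never delays or drops anything, it only labels the flows.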
[squid-users] Traffic Management Addon for Squid
Hi List, Is there any Add-on or utility for squid to manage, monitor and prioritize traffic? If there is please advise. Many Thanks. Malvin