Re: [squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Amos Jeffries

On 20/05/11 03:01, Boniforti Flavio wrote:

> Hello Amos...
> 
>>> What does that forward loop mean
>> 
>> Your squid is sending requests out which subsequently arrive
>> back to it.
> 
> OK.
> 
>>> and how could it happen? I've noticed
>> 
>> Most likely your NAT rules are broken. Packets leaving Squid
>> MUST NOT be sent back to Squid's listening port.
> 
> This is my iptables setup:
> 
> proxy:/var/log/squid3# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
>    10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:81:83 redir ports 3128
> 
> What you see there are some services redirected to my internal servers
> and the rule for intercepting web traffic...


Okay. Looks okay. The use of "eth0" replaces a specific Squid bypass. 
Squid will be using the Internet link eth1.





>> Or maybe the requests are for a domain which is pointing at
>> your Squid with its IPs.
>> 
>>> that the originating IP was from a PC I had in my LAN which was
>>> infected with some sort of mal-/spy-ware...
>> 
>> Or some attempted attack which is being short-circuited by
>> setting the attacker's domain to point at 0.0.0.0 or
>> 127.0.0.1. In which case "http_access deny to_localhost" with
>> the default definition of to_localhost should block it before looping.
> 
> I get tons of these in the access.log:
> 
> 1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
> 1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
> 
> What could this mean? It looks like the PC is trying to connect to
> the proxy port 3128, which is then directed to itself... uh?!


Yes, this is the access.log displayed for all the forwarding attempts 
which failed. For each "Forward loop detected" there will be one or more 
of these in access.log to show the request which was forwarded to Squid 
then abandoned.


The transaction looks something like this:
  client ->
    squid (access.log "000" / request aborted by server) ->
      squid (access.log "000" / request aborted by server) ->
        squid (cache.log "forward loop" abort)


Congratulations, active use of the CVE-2009-0801 vulnerabilities.
I would be grateful if you could provide any detailed info about the 
malware seen on the client box and the traffic itself ("tcpdump -s0" 
traces would be great). If this can be confirmed as the malware and not 
just a forward-proxy config in the client browser I'm going to have to 
make an announcement that it's finally gone wild.



The fix is to follow the recommended config of not using port 3128 for 
intercept or transparent. Use a randomly selected high port instead.


Also, at the Squid box "mangle" table configure this for your newly 
chosen intercept port:

  iptables -t mangle -A PREROUTING -p tcp --dport $NEW_PORT -j DROP

Make sure *nobody* can get to Squid with that port directly from inside 
OR outside the network.
If you want to be more selective and only block -i eth0 or -s 
172.16.16.1, okay. But DNAT needs to be used then instead of REDIRECT 
since DNAT allows some explicit control over which IP gets picked by NAT 
and listened on by Squid. Match that IP to the mangle protected IP or NIC.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
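To turn Amos's reading of those access.log lines into something you can run over a log, here is an added example in Python (mine, not code from the thread or from the Squid project). It parses Squid's native access.log format and flags entries whose request URL points at one of the proxy's own listening sockets, which is the fingerprint of the loop described above, then counts them per client so the originating host stands out. The proxy address 172.16.16.1:3128 and the two loop lines come from Flavio's mail; the third log line is constructed, and the set of "self" endpoints is an assumption you would fill in from your own http_port settings.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid "native" access.log layout (one request per line):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Assumption: the proxy's own listening sockets, taken from the http_port
# lines of squid.conf. 172.16.16.1:3128 is the address seen in the thread.
SELF_ENDPOINTS = {("172.16.16.1", 3128)}

# Constructed sample input: the two lines Flavio posted plus one healthy line.
SAMPLE_LOG = """\
1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812300.101    120 172.16.16.40 TCP_HIT/200 5123 GET http://www.example.com/index.html - NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None


def request_target(entry):
    """(host, port) the request URL points at; default port taken from the scheme."""
    parts = urlsplit(entry["url"])
    if parts.hostname is None:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname, port)


def is_self_forward(entry, self_endpoints=SELF_ENDPOINTS):
    """True when Squid was asked to fetch from one of its own listen sockets.

    The outbound request to the proxy's own port comes straight back in,
    which is the loop Amos describes; status 000 marks the abandoned hop.
    """
    return request_target(entry) in self_endpoints


def find_forward_loops(log_text, self_endpoints=SELF_ENDPOINTS):
    """All parsed entries that forwarded to the proxy itself."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_self_forward(entry, self_endpoints):
            hits.append(entry)
    return hits


def loop_sources(hits):
    """Count loop entries per client IP, so the originating host can be found."""
    return Counter(e["client"] for e in hits)


def aborted_hops(hits):
    """Subset of loop entries that Squid abandoned (status 000, zero bytes)."""
    return [e for e in hits if e["status"] == "000"]


if __name__ == "__main__":
    loops = find_forward_loops(SAMPLE_LOG)
    print(f"{len(loops)} forward-loop entries, {len(aborted_hops(loops))} abandoned")
    for client, n in loop_sources(loops).most_common():
        print(f"  {client}: {n} loop attempts")
```

Feeding a real access.log through `find_forward_loops` and `loop_sources` gives the client list to check before touching the NAT rules; once the intercept port is moved off 3128 and the mangle DROP is in place, the same script should report zero hits.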


Re: [squid-users] using reverse squid to manage XMPP

2011-05-19 Thread Peter Vereshagin
You'll never silence the voice of the voiceless, squid-users!
2011/05/19 16:47:22 -0400 Carlos Manuel Trepeu Pupo  => 
To Amos Jeffries :
CMTP> Sorry, I already know that squid isn't what I want, but do you know
CMTP> any XMPP relay? I searched and didn't find anything.
CMTP> 
CMTP> >> I have a rule that tells all the incoming traffic on the XMPP ports to go to
CMTP> >> my squid at port 3128, but nothing happens; even in squid's log
CMTP> >> nothing appears.
CMTP> >>
CMTP> >> I made a test with my Jabber (Openfire) in/out through Kerio and there
CMTP> >> is no problem, so either I'm missing some squid configuration to do this,
CMTP> >> or Squid is not the solution to my trouble.

Can you make all the incoming traffic on the XMPP ports go to your Jabber the
same way you do for your squid?

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB  12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org


Re: [squid-users] using reverse squid to manage XMPP

2011-05-19 Thread Carlos Manuel Trepeu Pupo
Sorry, I already know that squid isn't what I want, but do you know
any XMPP relay? I searched and didn't find anything.

2011/5/17 Amos Jeffries :
> On Tue, 17 May 2011 11:24:50 -0400, Carlos Manuel Trepeu Pupo wrote:
>>
>> Hello, until now everything that I have asked here has been solved, so
>> here I bring this new situation:
>>
>> Debian 6 64-bit, with squid 3.1.12.
>>
>> I have only one real IP with Kerio as firewall and in my private net
>> one reverse squid to publish my internal pages. I use Kerio because I
>> also have email and more services. So my clients want to publish
>> their jabber to the internet and I had the idea that the Squid could
>> route the XMPP incoming traffic for me, because the outgoing traffic passes
>> through the firewall with NAT.
>>
>> I have a rule that tells all the incoming traffic on the XMPP ports to go to
>> my squid at port 3128, but nothing happens; even in squid's log
>> nothing appears.
>>
>> I made a test with my Jabber (Openfire) in/out through Kerio and there
>> is no problem, so either I'm missing some squid configuration to do this,
>> or Squid is not the solution to my trouble.
>>
>>
>> Can you help me?
>
> No, squid is an HTTP proxy. XMPP is a completely different protocol.
>
> Look for an XMPP relay.
>
> Amos
>


RE: [squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Boniforti Flavio
Hello Amos...

> > What does that forward loop mean
> 
> Your squid is sending requests out which subsequently arrive 
> back to it.

OK.

> > and how could it happen? I've noticed
> 
> Most likely your NAT rules are broken. Packets leaving Squid 
> MUST NOT be sent back to Squid's listening port.

This is my iptables setup:

proxy:/var/log/squid3# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
   10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:81:83 redir ports 3128
   31  1542 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21 to:172.16.16.254
 4689  277K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport dports 80,443 to:172.16.16.254
   19  1144 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:172.16.16.254
   14   822 DNAT       47   --  eth1   *       0.0.0.0/0            0.0.0.0/0           to:172.16.16.254
 4170  213K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:172.16.16.254
    8   444 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt: to:172.16.16.37
  227 13204 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp multiport dports 22,873 to:172.16.16.240

Chain INPUT (policy ACCEPT 96511 packets, 7924K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 341K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 291K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
 234K   18M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

What you see there are some services redirected to my internal servers
and the rule for intercepting web traffic...

> Or maybe the requests are for a domain which is pointing at 
> your Squid with its IPs.
> 
> > that the originating IP was from a PC I had in my LAN which was 
> > infected with some sort of mal-/spy-ware...
> 
> Or some attempted attack which is being short-circuited by 
> setting the attacker's domain to point at 0.0.0.0 or 
> 127.0.0.1. In which case "http_access deny to_localhost" with 
> the default definition of to_localhost should block it before looping.

I get tons of these in the access.log:

1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -

What could this mean? It looks like the PC is trying to connect to
the proxy port 3128, which is then directed to itself... uh?!
I'll be investigating further on the client "victim" (172.16.16.38)...

Kind regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


Re: [squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Amos Jeffries

On 20/05/11 00:24, Boniforti Flavio wrote:

> Hello everybody.
> 
> I ran out of space on my squid log directory because cache.log grew very
> fast, filled by "forward loop detected" messages.
> 
> I'm using my squid as a transparent proxy.
> 
> What does that forward loop mean


Your squid is sending requests out which subsequently arrive back to it.


> and how could it happen? I've noticed


Most likely your NAT rules are broken. Packets leaving Squid MUST NOT be 
sent back to Squid's listening port.


Or maybe the requests are for a domain which is pointing at your Squid 
with its IPs.



> that the originating IP was from a PC I had in my LAN which was infected
> with some sort of mal-/spy-ware...


Or some attempted attack which is being short-circuited by setting the 
attacker's domain to point at 0.0.0.0 or 127.0.0.1. In which case 
"http_access deny to_localhost" with the default definition of 
to_localhost should block it before looping.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1


Re: [squid-users] ACLs help "DENIED, because it matched 'ldapauth'"

2011-05-19 Thread Amos Jeffries

On 20/05/11 01:27, David Touzeau wrote:

> Hi all...
> I need help...
> I would like to understand why squid refuses the SSL upload command using
> 'ldapauth'
> 
> here are the debug events:
> 
> 2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
> Host: lennyleonard.wetransfer.com:443
> 2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
> Host: lennyleonard.wetransfer.com:443
> Host: lennyleonard.wetransfer.com:443
> Host: lennyleonard.wetransfer.com:443
> 2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
> Host: lennyleonard.wetransfer.com:443
> 2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.934| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
> 2011/05/19 12:39:17.934| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
> 2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
> 2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
> 2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443



There are no Proxy-Authentication with credentials in that request. The 
denial should be a "regular" auth 407 challenge.


The auth systems use a different debug_options (section 29) so it does 
not show up in the access control (section 28) debug.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
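The trace David posted shows the section-28 access-control decision but not the auth exchange, which is Amos's point. As an added example (mine, not code from the thread or from Squid), here is a Python triage helper that reads such a trace together with the squid.conf, finds which ACL closed the decision, checks whether the dumped request buffer carried any Proxy-Authorization header, and reports whether a 407 challenge is the expected outcome rather than a real denial. The trace lines and the `acl ldapauth proxy_auth REQUIRED` line come from David's mail; the second trace, with a Proxy-Authorization header added, is constructed. Assumptions: the helper looks for the HTTP request header Proxy-Authorization (the header a client sends its proxy credentials in), and the message formats it matches are those of the Squid 3.1 section-28 debug output exactly as shown in the mail.

```python
import re

# "acl <name> proxy_auth ..." / "proxy_auth_regex ...": the ACL types that need credentials
AUTH_ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+proxy_auth(?:_regex)?\b")
# "The request CONNECT host:443 is DENIED, because it matched 'ldapauth'"
DECISION_RE = re.compile(
    r"The request (\S+) (\S+) is (ALLOWED|DENIED), because it matched '([^']+)'")
# individual ACL evaluations as logged by debug section 28
CHECK_RE = re.compile(r"\| (aclMatch\w+|aclRegexData::match): checking '([^']+)'")

# squid.conf lines from David's mail, trimmed to the ones that matter here
SQUID_CONF = """\
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
acl ldapauth proxy_auth REQUIRED
acl CONNECT method CONNECT
"""

# The trace David posted, with the extraction line-wraps rejoined
TRACE_NO_CREDS = """\
2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443
"""

# Constructed variant: the same request, but the client did send credentials
TRACE_WITH_CREDS = TRACE_NO_CREDS.replace(
    "Host: lennyleonard.wetransfer.com:443\n",
    "Host: lennyleonard.wetransfer.com:443\nProxy-Authorization: Basic dXNlcjpwYXNz\n", 1)


def auth_acl_names(conf_text):
    """Names of every ACL whose match requires proxy credentials."""
    return {m.group(1) for m in map(AUTH_ACL_RE.match, conf_text.splitlines()) if m}


def triage(trace_text, auth_acls):
    """Summarise one access-control trace and say what response to expect."""
    summary = {"decision": None, "acl": None, "method": None, "target": None,
               "checks": [], "proxy_authorization": False}
    for line in trace_text.splitlines():
        # header lines of the dumped request buffer carry no debug timestamp
        if line.lower().startswith("proxy-authorization:"):
            summary["proxy_authorization"] = True
        m = CHECK_RE.search(line)
        if m:
            summary["checks"].append((m.group(1), m.group(2)))
        m = DECISION_RE.search(line)
        if m:
            summary["method"], summary["target"], summary["decision"], summary["acl"] = m.groups()

    if summary["decision"] == "DENIED" and summary["acl"] in auth_acls:
        if summary["proxy_authorization"]:
            summary["expected"] = ("credentials offered but not accepted; "
                                   "enable debug section 29 to see the auth helper")
        else:
            summary["expected"] = ("407 challenge: no credentials in the request, "
                                   "normal first round-trip of proxy auth")
    elif summary["decision"] == "DENIED":
        summary["expected"] = f"403 Forbidden: denied by non-auth ACL '{summary['acl']}'"
    elif summary["decision"] == "ALLOWED":
        summary["expected"] = "request proceeds"
    else:
        summary["expected"] = "no access-control decision found in trace"
    return summary


if __name__ == "__main__":
    acls = auth_acl_names(SQUID_CONF)
    for label, trace in (("as posted", TRACE_NO_CREDS), ("with credentials", TRACE_WITH_CREDS)):
        s = triage(trace, acls)
        print(f"{label}: {s['decision']} by '{s['acl']}' after "
              f"{len(s['checks'])} ACL checks -> {s['expected']}")
```

Run against the trace as posted, the helper reports the deny came from an auth ACL with no credentials in the request, i.e. the 407 challenge Amos describes; only when a Proxy-Authorization header is present and the request is still denied does the auth helper (debug section 29) need looking at.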


[squid-users] ACLs help "DENIED, because it matched 'ldapauth'"

2011-05-19 Thread David Touzeau
Hi all...
I need help...
I would like to understand why squid refuses the SSL upload command using
'ldapauth'

here are the debug events:

2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.934| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.934| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443



Here it is the squid.conf



acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#- LDAP AUTH settings

#Authentication mode, building using squid compiled for 127.0.0.1:389
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=my-domain,dc=com" -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -f "(&(objectClass=userAccount)(uid=%s))" -v 3 -h 127.0.0.1 -p 389
#- GLOBAL
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -b "dc=my-domain,dc=com" -f "(&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v))" -S -v 3 -h 127.0.0.1 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl ldapauth proxy_auth REQUIRED


#- TWEEKS performances
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#- SQUID PARENTS (feature not enabled)

#- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar|cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
acl office_network src 192.168.0.0/24 10.0.0.0/8
acl group_password external ldap_group

#- GROUPS definition
#no groups

#- MAIN RULES...
always_direct allow FTP
# - SAFE ports
acl Safe_ports port 80   #http
acl Safe_ports port 22   #ssh
acl Safe_ports port 443 563   #https, snews
acl Safe_ports port 1863   #msn
acl Safe_ports port 70   #gopher
acl Safe_ports port 210   #wais
acl Safe_ports port 1025-65535   #unregistered ports
acl Safe_ports port 280   #http-mgmt
acl Safe_ports port 488   #gss-http
acl Safe_ports port 591   #filemaker
acl Safe_ports port 777   #multiling http
acl Safe_ports port 631   #cups
acl Safe_ports port 873   #rsync
acl Safe_ports port 901   #SWAT
acl Safe_ports port 20   #ftp-data
acl Safe_ports port 21   #ftp#
acl SSL_ports port 9000   #Artica
acl SSL_ports port 443   #HTTPS
acl SSL_ports port 563   #https, snews
acl SSL_ports port 6667   #tchat

# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain  irc.freenode.net
acl IRC_methods meth

[squid-users] Cache_peer configuration

2011-05-19 Thread senthil kumar
Hello All,

We have 5 squid servers and each squid server is configured to send
requests from certain clients to a cache_peer (the cache_peer is a filter)
and the rest of the requests pass as direct requests. We have disk
caching at all servers and need to share the disk caches among the five
servers. How do we configure all squid servers with a sibling relationship
and ensure the clients which are supposed to pass through the
filter (cache_peer) do not bypass the filter or get passed as direct
requests?

Will the following configuration achieve it? Please share your views.

proxy1 configuration:

client range: 172.16.1.0/24 and 10.0.0.0/8

cache_peer example.com parent 3128 7 no-query no-digest default name=filter
acl peer src 172.16.1.0/24
cache_peer_access filter allow peer

cache_peer proxy2 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy3 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy4 sibling 3128 7 no-query proxy-only round-robin
cache_peer proxy5 sibling 3128 7 no-query proxy-only round-robin

Thanks
Senthil


[squid-users] Forward loop detected: what does this mean?

2011-05-19 Thread Boniforti Flavio
Hello everybody.

I ran out of space on my squid log directory because cache.log grew very
fast, filled by "forward loop detected" messages.

I'm using my squid as a transparent proxy.

What does that forward loop mean and how could it happen? I've noticed
that the originating IP was from a PC I had in my LAN which was infected
with some sort of mal-/spy-ware...

Any information will be appreciated, thanks!

Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: fla...@piramide.ch 


Re: [squid-users] Traffic Management Addon for Squid

2011-05-19 Thread Amos Jeffries

On 19/05/11 22:00, Malvin Rito wrote:

> Hi List,
> 
> Is there any Add-on or utility for squid to manage, monitor and
> prioritize traffic? If there is please advise.
> 
> Many Thanks.
> 
> Malvin


Not as such.

Squid can be configured to directly mark its outgoing traffic with 
TOS/DiffServ and/or netfilter MARKs using the directives qos_flows (on 
type of HIT/MISS/peer data source relationship) or tcp_outgoing_tos (on 
any given ACL criteria).


Any QoS management software should be able to work with the resulting 
packets as they flow.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1


[squid-users] Traffic Management Addon for Squid

2011-05-19 Thread Malvin Rito

Hi List,

Is there any Add-on or utility for squid to manage, monitor and 
prioritize traffic? If there is please advise.


Many Thanks.

Malvin