RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
Hello,

Coming back after weeks of research: I gave up on squid, tried pound and nginx as reverse proxy, and got the same issue. The point is (gathered from a number of hints and searches in forums):

For pound (from a user in a forum):

-- POUND --
I looked into this when I first started using pound. This is a rather simplified explanation of what I discovered (and could be completely wrong - I don't know enough about RPC or HTTP).

When Outlook sends the first HTTP request it specifies a content-length of 1GB. I think this is so the request stays open and RPC commands get sent via this tunnel. Pound (being the good proxy that it is) sits and waits for the 1GB of data to arrive and does not pass the request to the BE until it does. Pound eventually times out waiting for the promised 1GB of data and gives up.

Here's Microsoft's details of the protocol:
http://technet.microsoft.com/en-us/library/aa995784(EXCHG.65).aspx
http://technet.microsoft.com/en-us/library/aa996706(EXCHG.65).aspx
-- END POUND --

For NGINX (in logs):

--- NGINX ---
2012/02/21 17:19:31 [error] 17072#0: *6 client intended to send too large body: 1073741824 bytes, client: x.x.x.x, server: mail.xx.fr, request: RPC_IN_DATA /rpc/rpcproxy.dll?localmail.fr:6002 HTTP/1.1, host: mail.xx.fr
--- END NGINX ---

IMHO, it's exactly the same issue I had with squid and RPC over HTTPS with NTLM ...

Hope that can help; I'm now completely stuck!

Regards
Clémence

-----Original Message-----
From: Clem [mailto:clemf...@free.fr]
Sent: Thursday 26 January 2012 13:12
To: 'squid-users@squid-cache.org'
Subject: RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

On the second ANORMAL capture I've sent, the certificate is sent. The auth works with basic, so I think the certificate is OK; otherwise it would be rejected, wouldn't it?

-- ANORMAL2 (SQUID) --
2 0.001415 192.168.3.15 192.168.1.10 TCP https 33043 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 SACK_PERM=1
3 0.001457 192.168.1.10 192.168.3.15 TCP 33043 https [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=81334043 TSER=0
4 0.002583 192.168.1.10 192.168.3.15 TLSv1 Client Hello
5 0.003850 192.168.3.15 192.168.1.10 TLSv1 Server Hello, Certificate, Server Hello Done
6 0.003887 192.168.1.10 192.168.3.15 TCP 33043 https [ACK] Seq=96 Ack=933 Win=7712 Len=0 TSV=81334044 TSER=23422065
7 0.007140 192.168.1.10 192.168.3.15 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
8 0.042683 192.168.3.15 192.168.1.10 TLSv1 Change Cipher Spec, Encrypted Handshake Message
9 0.043505 192.168.1.10 192.168.3.15 TLSv1 Application Data
-- ANORMAL2 (SQUID) END --

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday 26 January 2012 12:24
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

On 26/01/2012 11:55 p.m., Clem wrote:
> Amos and Isenberg,
>
> For me, NTLM is not an option: I have to make it work, because all my clients use NTLM in Outlook, especially the external ones. And that worked without squid, and I want it to work with squid at the front end.
>
> I've sniffed the sequence of a working NTLM auth and a non-working (squid) auth (192.168.3.15 is the Exchange server, 192.168.1.134 my IP on direct RPCoHTTPS, and 192.168.1.10 the squid server redirecting from an external IP):

Aha. Some use, yes.

It seems to confirm that the supported SSL encryption types are probably the problem.

The packets you call NORMAL: the client connects, the server accepts that and hands over its certificate.

The packets you call ANORMAL: the client connects, the server indicates an encryption change, the client accepts and sends the request in the new form. The server certificate is apparently not involved.

You can probably drill down into those packets with Change Cipher Spec to see more about what is going on. A search engine is likely to be more help than me for the details you find.

Amos

> -- NORMAL ---
> 2 0.000377 192.168.3.15 192.168.1.134 TCP https 26701 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1
> 3 0.000428 192.168.1.134 192.168.3.15 TCP 26701 https [ACK] Seq=1 Ack=1 Win=64240 Len=0
> 4 0.000992 192.168.1.134 192.168.3.15 TLSv1 Client Hello
> 5 0.002007 192.168.3.15 192.168.1.134 TLSv1 Server Hello, Certificate, Server Hello Done
> 6 0.002642 192.168.1.134 192.168.3.15 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
> 7 0.035230 192.168.3.15 192.168.1.134 TLSv1 Change Cipher Spec, Encrypted Handshake Message
> 8 0.036034 192.168.1.134
Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
Hi Clem,

I have tested OWA RPC HTTPS and ...

Apache = fail. Apache sees this as a security leak. This is a raw explanation :-). The problem is how Apache and Exchange RPC use HTTP 1.1. Microsoft lets bigger packages pass over HTTP 1.1. Check these links:
https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
http://forum.nginx.org/read.php?2,3511
http://httpd.apache.org/security/vulnerabilities_20.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088

Squid as RP = OK. I have the final configuration. If you're interested, tell me and I'll send you the squid.conf.

Nginx = Not tested, but I think it will be the same as Apache ...

Regards,
Wilfried

On Wed, Feb 22, 2012 at 11:19:31AM +0100, Clem wrote:
> [...]
RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
Hi Fried,

I know all these links!! :), but like you I've made squid work like a charm in front of my Exchange for OWA, ActiveSync and RPC too ... in basic auth, not in NTLM auth, and I'm still stuck there. Impossible to find a solution to make a Linux front-end, neither with squid, nginx, Apache or pound! That's it! I think I'll give up.

BTW Thx!

-----Original Message-----
From: Fried Wil [mailto:wilfried.pasca...@gmail.com]
Sent: Wednesday 22 February 2012 11:26
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

[...]
[squid-users] Squid server on Amazon EC2
Dear Squid users,

I want your expert solution for having a squid proxy server configured in the cloud. What I am planning to do is:

---[LAN]-[local_squid_proxy]{internet cloud}-[squid proxy in cloud Amazon EC2]

What I want to set up is to configure my local squid proxy with cache_peer pointing to my squid proxy server in the Amazon EC2 cloud:

cache_peer proxy.amazonec2.com parent 3128 3130 default

so that all my HTTP requests are forwarded from my local squid_proxy to the proxy server in the cloud. Can anyone suggest whether the above setup is workable?

Thank you in advance.

-----Original Message-----
From: Fried Wil [mailto:wilfried.pasca...@gmail.com]
Sent: Wednesday, 22 February 2012 2:56 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

Hi Clem,

Did you test the CAS server as frontal, just to test NTLM authentication without the reverse proxy?

User -- FW -- NAT@CAS Server

and not

User -- FW -- NAT@Reverseproxy -- CAS Server

Just to test whether the NTLM authentication mechanism will be OK.

Thx

On Wed, Feb 22, 2012 at 12:33:09PM +0100, Clem wrote:
> [...]
RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
Yes, my Exchange server is the frontal server at the moment, and that works in NTLM.

-----Original Message-----
From: Fried Wil [mailto:wilfried.pasca...@gmail.com]
Sent: Wednesday 22 February 2012 13:56
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

[...]
[squid-users] logformat server FQDN
Hi

I want to log the server FQDN instead of the server IP. I wrote a new logformat with %A, but in squid 3.1 it writes just the server IP to access_log. I tested it with squid 3.2 and everything works like a charm.

Thanks
Re: [squid-users] Squid server on Amazon EC2
On 2/22/2012 10:23 AM, Ananthnag Bonthala. R. wrote:
> [...]

Hello Bonthala:

Please do not reuse other emails changing the subject; people that use threads will have their email broken. And if you do, the least is to remove the other people's text.

It looks like your setup is correct. You might want to add some ACLs if you have local LAN content to be accessed instead of using the remote proxy.

Regards
Sebastian
[squid-users] WCCP
Currently, my NAT firewall (Fortigate) is both forwarding WAN web requests in reverse proxy and receiving web requests in proxy to the squid server. The communication between the firewall and the squid server is done through http/https.

I am thinking of connecting the squid server with the Fortigate firewall via WCCP. It seems it should greatly improve the speed and administration. Are there any issues with doing this?

Thanks in advance
RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
On 23.02.2012 00:33, Clem wrote:
> [...]

Like all that Apache argument said, that 1GB is an abuse of HTTP. It is both requiring 1GB of data to be transferred over that connection

When you combine it with the other abuse of HTTP which NTLM does, things go bad very quickly. Think about the network handling 3 GB of data transfer to receive a ~2500 byte username+password token. From every single user browsing, perhaps a couple of times a minute. How big are the network pipes?

Like the Apache people said, the client user agent (Outlook) needs to use chunked encoding.

NTLM in particular uses three handshake requests...

request #1, depending on your version of Squid, may or may not hit an efficiency optimization dropping the initial connection when the challenge goes back.
== what does this do to the initial 1GB request from Outlook? Does Outlook fail or recover? MS wrote NTLM assuming the connection would stay available, open, has end-to-end properties and exists on a fast LAN environment.
== this optimization is controlled by the auth_param ntlm keepalive on/off setting.

request #2 and #3 are a stateful token exchange and NTLM *REQUIRES* them to share a connection. If #2 also has 1 GB length, that GB will be waited for before the #3 request is received on the pipeline by Squid.
== how long does that GB take? versus what timeouts?

Amos
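The nginx error line quoted earlier in this thread is the visible symptom of the 1 GB Content-Length that Amos describes, and it is worth telling apart from a genuinely oversized upload before loosening any body-size limit. The following is an added example, not code from the thread, from nginx or from Squid: it parses that error-log layout (accepting the thread's copy, which lost nginx's double quotes around the request and host) and classifies each event; the sample lines other than the thread's own are constructed, with placeholder hostnames and TEST-NET addresses.

```python
"""Triage nginx "client intended to send too large body" errors (added example;
not code from the thread, nginx or Squid).  Outlook Anywhere deliberately
declares a 1 GiB Content-Length on /rpc/rpcproxy.dll, so those events are
separated from genuinely oversized uploads, which the limit should keep
blocking.  Sample lines are constructed; hostnames are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# RPC over HTTP uses one non-standard method per direction.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"
OUTLOOK_ANYWHERE_DECLARED_LEN = 1024 ** 3   # 1073741824, as in the thread's log line

# The thread's copy of the log line lost the double quotes nginx puts around
# the request and host, so both forms are accepted.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'client intended to send too large body: (?P<declared>\d+) bytes, '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "?(?P<method>[A-Z_]+) (?P<target>\S+) HTTP/[\d.]+"?, '
    r'host: "?(?P<host>[^"\s]+)"?$'
)


@dataclass(frozen=True)
class TooLargeBody:
    timestamp: str
    declared_bytes: int
    client: str
    server: str
    method: str
    target: str
    host: str

    @property
    def is_rpc_over_http(self) -> bool:
        path = self.target.split("?", 1)[0].lower()
        return self.method in RPC_METHODS and path == RPC_PROXY_PATH

    @property
    def is_outlook_anywhere_tunnel(self) -> bool:
        # The documented 1 GiB placeholder length on the RPC endpoint.
        return self.is_rpc_over_http and self.declared_bytes == OUTLOOK_ANYWHERE_DECLARED_LEN


def parse_line(line: str) -> Optional[TooLargeBody]:
    """Return the parsed event, or None for any other error-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return TooLargeBody(m["ts"], int(m["declared"]), m["client"], m["server"],
                        m["method"], m["target"], m["host"])


def verdict(ev: TooLargeBody) -> str:
    if ev.is_outlook_anywhere_tunnel:
        return "outlook-anywhere-tunnel"          # expected; exempt only this endpoint
    if ev.is_rpc_over_http:
        return "rpc-over-http-unexpected-length"  # RPC endpoint, but not the 1 GiB placeholder
    return "oversized-upload"                     # the limit did its job


def classify(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per verdict; lines that are not this error land in 'unparsed'."""
    counts = {"outlook-anywhere-tunnel": 0, "rpc-over-http-unexpected-length": 0,
              "oversized-upload": 0, "unparsed": 0}
    for line in lines:
        ev = parse_line(line)
        counts["unparsed" if ev is None else verdict(ev)] += 1
    return counts


# Constructed sample log: the first line is the one quoted in the thread, the
# rest are made up (TEST-NET addresses, placeholder hostnames).
SAMPLE_LOG = [
    "2012/02/21 17:19:31 [error] 17072#0: *6 client intended to send too large body: "
    "1073741824 bytes, client: x.x.x.x, server: mail.xx.fr, request: RPC_IN_DATA "
    "/rpc/rpcproxy.dll?localmail.fr:6002 HTTP/1.1, host: mail.xx.fr",
    '2012/02/21 17:19:32 [error] 17072#0: *7 client intended to send too large body: '
    '1073741824 bytes, client: 198.51.100.7, server: mail.example.test, request: '
    '"RPC_OUT_DATA /rpc/rpcproxy.dll?mbx.example.test:6004 HTTP/1.1", host: "mail.example.test"',
    '2012/02/21 17:20:02 [error] 17072#0: *9 client intended to send too large body: '
    '52428800 bytes, client: 203.0.113.9, server: mail.example.test, request: '
    '"POST /owa/attachment.ashx HTTP/1.1", host: "mail.example.test"',
    '2012/02/21 17:20:15 [error] 17072#0: *12 client intended to send too large body: '
    '2147483648 bytes, client: 203.0.113.21, server: mail.example.test, request: '
    '"RPC_IN_DATA /rpc/rpcproxy.dll?mbx.example.test:6002 HTTP/1.1", host: "mail.example.test"',
    "2012/02/21 17:20:30 [error] 17072#0: *14 upstream timed out (110: Connection timed out) "
    "while reading response header from upstream, client: 203.0.113.9, server: mail.example.test",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        print("unparsed" if ev is None else f"{verdict(ev)}: {ev.method} {ev.target} {ev.declared_bytes}")
    print(classify(SAMPLE_LOG))
```

Only the "oversized-upload" verdicts are the limit working as intended; the tunnel verdicts are the Outlook Anywhere behaviour the thread describes, which argues for a body-size exemption scoped to the rpcproxy.dll location rather than a global one.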
Re: [squid-users] logformat server FQDN
On 23.02.2012 06:54, Mohsen Saeedi wrote:
> [...]

3.1 and older: %A meant server IP, FQDN or peer name, and required log_fqdn ON to log the FQDN.

3.2: log_fqdn is obsolete and %A is always the textual label for the server (FQDN or peer name).

Amos
Re: [squid-users] WCCP
On 23.02.2012 09:53, Roman Gelfand wrote:
> [...]

Others have mentioned using Fortigates with WCCP to Squid in the past. WCCP is IPv4-only, but other than that the only issues are getting the configuration right for your network. If anything you gain.

NAT must not be done outside of the Squid box due to the way it erases the destination IP. WCCP retains the original IPs on the packets. So if the Fortigate is currently doing NAT to redirect the packets at Squid you are likely to require WCCP and/or policy routing to upgrade beyond squid-3.1.

Amos
Re: [squid-users] WEB-server`s ntlm-authenticate doesn't work by squid-3.x
On 22/02/2012 8:32 p.m., Ольховский Г.Ю. wrote:
> Hi!
> WEB-server`s ntlm-authenticate doesn't work by squid-3.*. Why?

Some trees are not green in winter. Why?

Perhaps you were only testing it on the third Monday of the month, when it was down for maintenance.

Seriously though. There is no way anybody can answer that question. Please supply some simple details about what you know. Such as:
exactly what squid version(s) you are talking about (3.* represents nearly 10 years of releases),
what website you are talking about,
what you tried and saw happen,
what you are expecting to happen.

Amos
Re: [squid-users] Can't access IIS website with Integrated Windows Authentication, why?
On 22/02/2012 5:30 p.m., Jiang Wen Dong wrote:
> I have 2 IIS websites with Integrated Windows Authentication. Users access the internet and these 2 websites via squid. Internet access is OK, but they can't access these 2 websites. I have tried v3.1 and v3.2 with the default config, but the problem is still there. It seems squid cuts off the www-auth information. Can anybody help me with this?

Is squid operating in forward or reverse proxy mode?
* forward proxy never touches www-auth headers
* reverse proxy is where the auth is destined to be tested. Squid will attempt to validate them using your configured auth_param. NP: login using NTLM credentials to a backend is not supported. (What often appears to be a relay is actually Squid logging into the backend itself.)

Is the website on the local LAN or out on the Internet?
* NTLM requires end-to-end connectivity. Many Internet links do not provide those guarantees since proxy gateways and NAT were invented.

Do you have persistent connections enabled or disabled?
* NTLM requires them.

Amos
Re: [squid-users] squid user accounting using radius
On 21/02/2012 3:09 a.m., Ebrahim Khalilzadeh wrote:
> Dear Users, Is there an application like squid_radius_auth for accounting squid users via radius? Can I use freeradius for accounting my squid users?

They exist, and yes one of the ones I'm aware of can use freeradius. But I've yet to see one released into the public domain (or even for sale publicly). Sorry I can't say more than that.

Amos
Re: [squid-users] squid user accounting using radius
Hi Ebrahim,

We have a product that does that, but in a different way. We use a hotspot (not mikrotik!) and we send every user to the squid log with an additional program. I'm in Iran, same as you, but our product is commercial and we wrote an advanced log analyzer for logging every user's attempts.

Thanks

Amos Jeffries <squ...@treenet.co.nz> wrote on Thu, 23 Feb 2012 17:36:03 +1300:
> On 21/02/2012 3:09 a.m., Ebrahim Khalilzadeh wrote:
> > Dear Users, Is there an application like squid_radius_auth for accounting squid users via radius? Can I use freeradius for accounting my squid users?
>
> They exist, and yes one of the ones I'm aware of can use freeradius. But I've yet to see one released into the public domain (or even for sale publicly). Sorry I can't say more than that.
>
> Amos
Reply: [squid-users] Can't access IIS website with Integrated Windows Authentication, why?
Website in local LAN. Forward mode, not reverse mode.
auth_param ntlm keep_alive on
NTLM doesn't work, and neither does Kerberos.

Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481 Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 23 February 2012 12:34
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Can't access IIS website with Integrated Windows Authentication, why?

> On 22/02/2012 5:30 p.m., Jiang Wen Dong wrote:
> > I have 2 IIS websites with Integrated Windows Authentication. Users access the internet and these 2 websites by squid. Access to the internet is ok, but they can't access these 2 websites. I have tried v3.1 and v3.2 with default config, but the problem is still there. It seems squid cuts off the www-auth information. Can anybody help me with this?
>
> Is squid operating in forward or reverse proxy mode?
> * forward proxy never touches www-auth headers
> * reverse proxy is where the auth is destined to be tested. Squid will attempt to validate them using your configured auth_param.
> NP: login using NTLM credentials to a backend is not supported. (What often appears to be a relay is actually Squid logging into the backend itself.)
>
> Is the website on the local LAN or out on the Internet?
> * NTLM requires end-to-end connectivity. Many Internet links do not provide those guarantees since proxy gateways and NAT were invented.
>
> Do you have persistent connections enabled or disabled?
> * NTLM requires them.
>
> Amos
Re: [squid-users] Use squid to switch to Tor network
Hi,

The scenario is: [intercept] squid will forward traffic to Privoxy by the cache_peer directive. But I only want to forward some *specific* routes to Privoxy for the unreachable path; the remaining Internet traffic stays as usual. Can it do that?

Thanks.

On 2/15/2012 7:26 PM, Amos Jeffries wrote:
> The key to all of this is that the traffic goes from point A inside your network where the clients can reach to some point B outside from which the domains can be reached. You could do this with any sort of relay or tunnel service. Squid only handles HTTP, so the clients' other traffic will stay broken.
>
> The type of service you are looking for is usually seen with two Squid instances operating with a VPN or TLS tunnel between them, using cache_peer to pass traffic over it (works just as well as a routed packet path too if you add NAT).
>
> SOCKS proxy is a good idea, as would be a VPN-like tunnel with your routing sending packets to some outside server acting as a relay router.
>
> Amos
[squid-users] Websites with # hash in URL
Hello,

how can I define a website with a hash (#) in the URL in squid.conf? It's necessary for twitter.com/#!/myCompany for example. Therefore I must configure in the whitelist the URL with a hash # (ordinarily a hash is a comment).

Example:
acl ExampleURL url_regex .twitter.com/#!/myCompany
http_access allow ExampleURL

My Squid Version under Windows: 2.7/STABLE6

Thank you for the support.
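Two things combine against the acl above, shown here as an added example that is not part of the post and not Squid's own parser. First, an HTTP client never transmits the part of a URL after '#' (the fragment is client-side only), so a proxy never sees "#!/myCompany" at all. Second, as the poster notes, '#' starts a comment in squid.conf, so the pattern is cut down to ".twitter.com/" before it is ever compiled. The helper functions are hypothetical and the inputs are constructed; the model of comment handling is an assumption, but the consequence it demonstrates is the one a reviewer of this whitelist would care about: the rule ends up allowing every twitter.com URL, not just the intended page.

```python
"""Why a url_regex containing '#' cannot select twitter.com/#!/myCompany.
Added example for this thread; not code from the post or from Squid.
The helpers are a simplified model of how a proxy sees the request and
how squid.conf comment stripping affects the acl line."""

import re
from urllib.parse import urlsplit, urlunsplit


def request_target(url: str) -> str:
    """The absolute-form request-target a browser sends to a proxy.
    The fragment (everything from '#') is client-side only and is never
    transmitted (RFC 3986 section 3.5), so it is dropped here."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def strip_config_comment(line: str) -> str:
    """Model of squid.conf comment handling (assumption: '#' starts a
    comment anywhere on the line, as the post describes)."""
    return line.split("#", 1)[0].rstrip()


def acl_matches(acl_line: str, url: str) -> bool:
    """Apply an 'acl NAME url_regex PATTERN' line the way the proxy would:
    the comment-stripped pattern, tested against the transmitted URL."""
    fields = strip_config_comment(acl_line).split()
    if len(fields) < 4 or fields[2] != "url_regex":
        return False
    return re.search(fields[3], request_target(url)) is not None


# Constructed inputs mirroring the post.
ACL_LINE = "acl ExampleURL url_regex .twitter.com/#!/myCompany"
INTENDED = "http://twitter.com/#!/myCompany"
UNINTENDED = "http://twitter.com/#!/someoneElse"

if __name__ == "__main__":
    print("proxy sees:      ", request_target(INTENDED))
    print("effective acl:   ", strip_config_comment(ACL_LINE))
    print("intended allowed:", acl_matches(ACL_LINE, INTENDED))
    print("other allowed:   ", acl_matches(ACL_LINE, UNINTENDED))
```

Because the proxy only ever sees "http://twitter.com/", any whitelist keyed on the fragment is equivalent to whitelisting the whole host; the truncated pattern just makes that explicit in the config.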