[squid-users] Problem with a website...

2014-08-07 Thread brekler88
Hello everyone, I'm having a problem with 1 website. When my PC does not pass by the
squid proxy, it's all fine, I can access the website normally,
http://www.sintegra.fazenda.pr.gov.br/sintegra/, but when I try to access it through
squid it does not load, and does not get denied... I looked into the logs
and couldn't see anything...
The message I get is this:

O seguinte erro foi encontrado ao tentar recuperar a URL:
http://www.sintegra.fazenda.pr.gov.br/sintegra/

Impossível determinar o endereço IP do nome de host
www.sintegra.fazenda.pr.gov.br (impossible to get the IP address of the host
www...)

O servidor DNS retornou: (DNS returned)

Server Failure: The name server was unable to process this query.
Isto significa que o cache não pode resolver o nome de host contido na URL.
Verifique se o endereço está correto.

Seu administrador do cache é root.

Any ideas ? 





Re: [squid-users] unbound and squid not resolving SSL sites

2014-08-07 Thread squid

Current config below:


In my network I have unbound redirecting some sites through the proxy
server and checking authentication. If I redirect www.thisite.com it
works correctly. However, as soon as SSL is used https://www.thissite.com
it doesn't resolve at all. Any ideas what I have to do to enable SSL
redirects in unbound or squid?


Handle port 443 traffic and the encrypted traffic there.
You are only receiving port 80 traffic in this config file.


I am already redirecting 443 traffic but the proxy won't pick it up.
There is an SSL ports directive in the squid.conf so it should accept them?
For example, this line redirects all HTTP traffic but as soon as the
browser wants an SSL connection, it is dropped:

local-data: anywhere.mysite.com. 600 IN A 109.xxx.xx.xxx
local-zone: identity.mysite.com. redirect




external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth


What does this helper do exactly to earn the term authentication?
TCP/IP address alone is insufficient to verify the end-users identity.

This helper checks that an IP address is contained within a database table.
If the IP address exists, then it allows them to use the proxy server.

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
#http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 80 accel vhost allow-direct
hierarchy_stoplist cgi-bin ?
#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320





[squid-users] let squid to request the page using client IP?

2014-08-07 Thread Mark jensen
I have asked this question on the Apache mailing list but they told me to ask it
here:

We know that we can allow some IPs without authentication using Allow from IP:
 
<Directory /var/www/html/template>
  Order allow,deny
  Allow from 192.168.1.5
  Satisfy any
  AuthName "LDAP Authentication"
  AuthType Basic
 
  AuthBasicProvider ldap
  AuthzLDAPauthoritative off
  AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
</Directory>
 
But what if we use a proxy (squid) in front? Then the source IP will be the proxy
IP. How can I make Apache deal with the client IP, not the proxy IP?

Or how to let squid request the page using the client IP?
  

Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Brendan Kearney
On Thu, 2014-08-07 at 22:02 +, Mark jensen wrote:
> I have asked this question on the Apache mailing list but they told me to ask it
> here:
>
> We know that we can allow some IPs without authentication using Allow from
> IP:
>
> <Directory /var/www/html/template>
>   Order allow,deny
>   Allow from 192.168.1.5
>   Satisfy any
>   AuthName "LDAP Authentication"
>   AuthType Basic
>
>   AuthBasicProvider ldap
>   AuthzLDAPauthoritative off
>   AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
> </Directory>
>
> But what if we use a proxy (squid) in front? Then the source IP will be the
> proxy IP. How can I make Apache deal with the client IP, not the proxy IP?
>
> Or how to let squid request the page using the client IP?
 

You will want to look into the X-Forwarded-For header.  Make sure you
are inserting it with squid, and that Apache is parsing the header for
the value and basing the access on it.  The client IP will be in the
first position (0 based, I think), when using comma (,) as a delimiter.



Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Jason Haar
Googling apache x-forwarded-for led me to mod_extract_forwarded

http://www.openinfo.co.uk/apache/

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Brendan Kearney
On Fri, 2014-08-08 at 11:48 +1200, Jason Haar wrote:
> Googling apache x-forwarded-for led me to mod_extract_forwarded
>
> http://www.openinfo.co.uk/apache/
 

From the Apache mod_proxy page:

Reverse Proxy Request Headers

When acting in a reverse-proxy mode (using the ProxyPass directive, for
example), mod_proxy_http adds several request headers in order to pass
information to the origin server. These headers are:

X-Forwarded-For
    The IP address of the client.
X-Forwarded-Host
    The original host requested by the client in the Host HTTP request
    header.
X-Forwarded-Server
    The hostname of the proxy server.

Be careful when using these headers on the origin server, since they
will contain more than one (comma-separated) value if the original
request already contained one of these headers. For example, you can use
%{X-Forwarded-For}i in the log format string of the origin server to log
the original clients IP address, but you may get more than one address
if the request passes through several proxies.

See also the ProxyPreserveHost and ProxyVia directives, which control
other request headers.

looks like all you need is mod_proxy_http.
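
An added example, not part of the original thread or of any project mentioned in it: the mod_proxy caveat quoted above matters when X-Forwarded-For feeds an access decision like `Allow from 192.168.1.5`, because every value to the left of the one appended by your own proxy was supplied by the client. The sketch walks the header from the right and only steps past addresses that belong to trusted proxies. The Squid address 192.168.1.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the Squid box in front of Apache (constructed address).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]
# The address exempted from LDAP auth in the Apache config on this page.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.1.5/32")]


def _member(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer, xff_headers):
    """Return the address to base access control on.

    peer        -- source address of the TCP connection, as a string
    xff_headers -- list of X-Forwarded-For header values (may be empty)
    """
    current = ipaddress.ip_address(peer)
    # Flatten repeated headers and comma-separated values, oldest first.
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]
    # Only believe an entry if the host that added it is a trusted proxy.
    while _member(current, TRUSTED_PROXIES) and hops:
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            # e.g. "unknown" (sent by Squid with forwarded_for off):
            # stop and keep the proxy address, which is not on the allow list.
            break
    return current


def is_allowed(peer, xff_headers):
    return _member(client_ip(peer, xff_headers), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For values)
    samples = [
        ("192.168.1.10", ["192.168.1.5"]),               # real client via Squid
        ("192.168.1.10", ["192.168.1.5, 203.0.113.9"]),  # forged left-most entry
        ("203.0.113.9", ["192.168.1.5"]),                # header sent directly
        ("192.168.1.10", ["unknown"]),
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip(peer, xff), is_allowed(peer, xff))
```
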