Re: [squid-users] squid yum install
On 08/29/2014 09:43 PM, Lawrence Pingree wrote:
> Awesome! Thank you. Will that roll into their prod repositories?

I am not sure about it, Sorry.

Eliezer
[squid-users] I was wondering about htcp and ssl connections.
Hey All,

I am unsure what the result would be and am therefore asking.
In a case where I have a couple of cache_peers and they are htcp enabled, would the main ssl_bump server send an htcp query to the cache_peers about any of the https urls?
(I want it to do that..)

Thanks,
Eliezer
Re: [squid-users] Forward Proxy Mode HTTPS Connect with invalid server certificate
On 08/29/2014 09:55 PM, Eduard Deffner wrote:
> Dear Team!
>
> My problem is about using squid in the forward proxy mode. Squid Version 3.3.8 under openSUSE 13.1 in conjunction with squidguard
> The general function everythings works well. But if any client in our LAN try to connect to a https-Site that have a invalid server certificate (the URL of the cert is other than the URL of the site) the proxy refuse the connection. If the cert is valid everything is OK.

Hey Eduard,

How exactly do you see that the proxy is denying the connection in any way?
What do you see in squid access.log?
Did you try to disable squidguard, which might be the reason for that?
Also, do you use any cache_peer directive in your squid.conf?
Can you share the squid.conf file?

Eliezer
Re: [squid-users] SSL Bump and certificate pinning
On 09/01/2014 01:19 PM, Antony Stone wrote:
> From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
>
> Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level
>
> 0. Pinning disabled
> 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
> 2. Strict. Pinning is always enforced.
> 3. Enforce test mode.
>
> That seems to me to say that if the root of the certificate chain is a user-added cert, pinning will not be enforced, therefore the user isn't affected?

Hey Antony,

It means that if the user will disable the Pinning check it will work.
I assume they will choose option 2 of the 4 but it's different from chrome which does not allow you to disable the pinning at all for google.com.

Eliezer
Re: [squid-users] Forward Proxy Mode HTTPS Connect with invalid server certificate
On 30/08/2014 6:55 a.m., Eduard Deffner wrote:
> Dear Team!
>
> My problem is about using squid in the forward proxy mode. Squid
> Version 3.3.8 under openSUSE 13.1 in conjunction with squidguard
> The general function everythings works well. But if any client in
> our LAN try to connect to a https-Site that have a invalid server
> certificate (the URL of the cert is other than the URL of the site)
> the proxy refuse the connection. If the cert is valid everything is
> OK.

If you are using proper forward proxy mode and CONNECT requests then the proxy has nothing to do with the HTTPS. All the proxy does is open a TCP connection to the server and pump bytes back and forth between client and server machines.

Anything related to the connection TLS is strictly between the client and server software which are communicating over that tunnel.

Amos
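The tunnel behaviour described in the message above, as an added example that is not part of the original thread and is not Squid code: a minimal Python CONNECT relay run on loopback, showing that the proxy reads only the request line and then copies bytes in both directions. The origin server, the port numbers and the payload bytes are constructed stand-ins.

```python
import contextlib
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF; nothing here parses or validates them."""
    with contextlib.suppress(OSError):
        while (data := src.recv(4096)):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side

def handle_connect(client):
    """Serve one CONNECT request; return the only thing the proxy learns (host:port)."""
    head = b""
    while b"\r\n\r\n" not in head and (chunk := client.recv(4096)):
        head += chunk
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or b":" not in parts[1]:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return None
    host, port = parts[1].decode().rsplit(":", 1)
    with socket.create_connection((host, int(port)), timeout=5) as upstream:
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        # From here on the proxy is a byte pipe: handshake, server certificate
        # and alerts pass through without being parsed or validated.
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join(5)
    client.close()
    return parts[1].decode()

# Constructed sample: bytes shaped like the start of a TLS handshake record.
SAMPLE = bytes.fromhex("160301002a") + b"constructed-client-hello"

def demo(payload=SAMPLE):
    """Run origin, proxy and client on loopback; return what each party saw."""
    origin = socket.create_server(("127.0.0.1", 0))
    proxy = socket.create_server(("127.0.0.1", 0))
    seen = {}
    def origin_side():  # stands in for the HTTPS server
        conn, _ = origin.accept()
        got = b""
        while len(got) < len(payload) and (chunk := conn.recv(4096)):
            got += chunk
        seen["origin_got"] = got
        conn.sendall(b"constructed-server-reply")
        conn.close()
    def proxy_side():
        conn, _ = proxy.accept()
        seen["proxy_saw"] = handle_connect(conn)
    workers = [threading.Thread(target=f, daemon=True) for f in (origin_side, proxy_side)]
    for w in workers:
        w.start()
    client = socket.create_connection(proxy.getsockname(), timeout=5)
    client.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.1\r\n\r\n" % origin.getsockname()[1])
    status = b""
    while b"\r\n\r\n" not in status and (chunk := client.recv(4096)):
        status += chunk
    client.sendall(payload)
    reply = b""
    while (chunk := client.recv(4096)):
        reply += chunk
    client.close()
    for w in workers:
        w.join(5)
    origin.close()
    proxy.close()
    seen.update(status=status.split(b"\r\n")[0], client_got=reply)
    return seen

if __name__ == "__main__":
    print(demo())
```

In the result, `proxy_saw` holds only the `host:port` target, while `origin_got` and `client_got` are byte-for-byte what the two endpoints sent each other.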
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On 09/01/2014 12:34 PM, Santosh Bhabal wrote:
> Hello Experts,
>
> I am getting below error while compiling Squid 3.4.7 :

To make sure you have everything to build squid try to run this script:
http://www1.ngtech.co.il/squid/basic_data.sh

It will give many details and also one of them is the installed packages on the OS.
Take a look at the installed packages on the build node of squid here:
http://wiki.squid-cache.org/BuildFarm/CentosInstall

Eliezer
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
Your machine is missing a C++ compiler.

Squid is known to build on g++ and usually clang or Intel CC. Others are a best-effort situation.

Amos
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
Please find the attached autoconf.h

Regards
Santosh

On Mon, Sep 1, 2014 at 6:55 PM, Amos Jeffries wrote:
> On 2/09/2014 1:21 a.m., Santosh Bhabal wrote:
>> Yes :)
>
> Can you mail me the config.log and include/autoconf.h files produced
> by the Squid ./configure please?
>
> Amos

autoconf.rar
Description: application/rar
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On Mon, 2014-09-01 at 18:51 +0530, Santosh Bhabal wrote:
> Yes :)
>
> Regards
> Santosh
>
> On Mon, Sep 1, 2014 at 6:50 PM, Antony Stone wrote:
> > On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:
> >
> >> Yes, './configure --prefix=/usr/local/squid' command successfully
> >> completed. Facing issue with 'make all' command.
> >
> > Have you successfully compiled other software on this machine?
> >
> > Antony
> >
> > --
> > If you were ploughing a field, which would you rather use - two strong oxen or
> > 1024 chickens?
> >
> > - Seymour Cray, pioneer of supercomputing
> >
> > Please reply to the list;
> > please *don't* CC me.

Do a:

file `which squid`

and

ldd `which squid`

and

ls -l --full `which squid`

Just to see what we're looking at here...

James
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On 2/09/2014 1:21 a.m., Santosh Bhabal wrote:
> Yes :)

Can you mail me the config.log and include/autoconf.h files produced by the Squid ./configure please?

Amos
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
Yes :)

Regards
Santosh

On Mon, Sep 1, 2014 at 6:50 PM, Antony Stone wrote:
> On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:
>
>> Yes, './configure --prefix=/usr/local/squid' command successfully
>> completed. Facing issue with 'make all' command.
>
> Have you successfully compiled other software on this machine?
>
> Antony
>
> --
> If you were ploughing a field, which would you rather use - two strong oxen or
> 1024 chickens?
>
> - Seymour Cray, pioneer of supercomputing
>
> Please reply to the list;
> please *don't* CC me.
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:
> Yes, './configure --prefix=/usr/local/squid' command successfully
> completed. Facing issue with 'make all' command.

Have you successfully compiled other software on this machine?

Antony

--
If you were ploughing a field, which would you rather use - two strong oxen or 1024 chickens?

 - Seymour Cray, pioneer of supercomputing

Please reply to the list;
please *don't* CC me.
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
Yes, './configure --prefix=/usr/local/squid' command successfully completed. Facing issue with 'make all' command.

Regards
Santosh

On Mon, Sep 1, 2014 at 6:33 PM, Amos Jeffries wrote:
> On 2/09/2014 12:53 a.m., Santosh Bhabal wrote:
>> CentOS release 6.3 (Final) x86_64
>>
>
> Did you run ./configure before building?
>
> We built Squid on CentOS 6 and 7 without problems before releasing.
>
> Amos
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On 2/09/2014 12:53 a.m., Santosh Bhabal wrote:
> CentOS release 6.3 (Final) x86_64
>

Did you run ./configure before building?

We built Squid on CentOS 6 and 7 without problems before releasing.

Amos
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
CentOS release 6.3 (Final) x86_64

Regards
Santosh

On Mon, Sep 1, 2014 at 6:20 PM, Amos Jeffries wrote:
> On 1/09/2014 9:34 p.m., Santosh Bhabal wrote:
>> Hello Experts,
>>
>> I am getting below error while compiling Squid 3.4.7 :
>>
>> [root@localhost squid-3.4.7]# make all Making all in compat
>> make[1]: Entering directory `/opt/squid-3.4.7/compat'
>> source='assert.cc' object='assert.lo' libtool=yes \ DEPDIR=.deps
>> depmode=none /bin/sh ../cfgaux/depcomp \ /bin/sh ../libtool
>> --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include
>> -I../lib -I../src -I../include -I../libltdl -c -o assert.lo
>> assert.cc libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include
>> -I../lib -I../src -I../include -I../libltdl -c assert.cc -o
>> .libs/assert.o In file included from ../compat/compat.h:51, from
>> ../include/squid.h:66, from assert.cc:32: ../compat/types.h:134:2:
>> error: #error size_t is not 32-bit or 64-bit In file included from
>> ../compat/compat.h:81, from ../include/squid.h:66, from
>> assert.cc:32: ../compat/stdvarargs.h:31:2: error: #error XX **NO
>> VARARGS ** XX In file included from ../compat/compat.h:80, from
>> ../include/squid.h:66, from assert.cc:32:
>> ../compat/compat_shared.h:97: error: field 'ru_stime' has
>> incomplete type ../compat/compat_shared.h:98: error: field
>> 'ru_utime' has incomplete type In file included from
>> ../compat/compat_shared.h:219, from ../compat/compat.h:80, from
>> ../include/squid.h:66, from assert.cc:32: ../compat/strtoll.h:14:
>> error: 'int64_t' does not name a type assert.cc: In function 'void
>> xassert(char*, char*, int)': assert.cc:36: error: 'stderr' was not
>> declared in this scope assert.cc:36: error: 'fprintf' was not
>> declared in this scope assert.cc:37: error: 'abort' was not
>> declared in this scope make[1]: *** [assert.lo] Error 1 make[1]:
>> Leaving directory `/opt/squid-3.4.7/compat' make: ***
>> [all-recursive] Error 1
>
> Interesting errors. What operating system are you building on and are
> you cross-building for any particular other system?
>
> Amos
Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On 1/09/2014 9:34 p.m., Santosh Bhabal wrote:
> Hello Experts,
>
> I am getting below error while compiling Squid 3.4.7 :
>
> [root@localhost squid-3.4.7]# make all Making all in compat
> make[1]: Entering directory `/opt/squid-3.4.7/compat'
> source='assert.cc' object='assert.lo' libtool=yes \ DEPDIR=.deps
> depmode=none /bin/sh ../cfgaux/depcomp \ /bin/sh ../libtool
> --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include
> -I../lib -I../src -I../include -I../libltdl -c -o assert.lo
> assert.cc libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include
> -I../lib -I../src -I../include -I../libltdl -c assert.cc -o
> .libs/assert.o In file included from ../compat/compat.h:51, from
> ../include/squid.h:66, from assert.cc:32: ../compat/types.h:134:2:
> error: #error size_t is not 32-bit or 64-bit In file included from
> ../compat/compat.h:81, from ../include/squid.h:66, from
> assert.cc:32: ../compat/stdvarargs.h:31:2: error: #error XX **NO
> VARARGS ** XX In file included from ../compat/compat.h:80, from
> ../include/squid.h:66, from assert.cc:32:
> ../compat/compat_shared.h:97: error: field 'ru_stime' has
> incomplete type ../compat/compat_shared.h:98: error: field
> 'ru_utime' has incomplete type In file included from
> ../compat/compat_shared.h:219, from ../compat/compat.h:80, from
> ../include/squid.h:66, from assert.cc:32: ../compat/strtoll.h:14:
> error: 'int64_t' does not name a type assert.cc: In function 'void
> xassert(char*, char*, int)': assert.cc:36: error: 'stderr' was not
> declared in this scope assert.cc:36: error: 'fprintf' was not
> declared in this scope assert.cc:37: error: 'abort' was not
> declared in this scope make[1]: *** [assert.lo] Error 1 make[1]:
> Leaving directory `/opt/squid-3.4.7/compat' make: ***
> [all-recursive] Error 1

Interesting errors. What operating system are you building on and are you cross-building for any particular other system?

Amos
Re: [squid-users] SSL Bump and certificate pinning
On Monday 01 September 2014 at 12:07:57 (EU time), Steve Hill wrote:
> Mozilla have announced that Firefox 32 does public key pinning:
> http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html
>
> Obviously this has the potential to render SSL-bump considerably less
> useful. At the moment it seems to be restricted to a small number of
> domains, but that's sure to increase.
>
> Whilst I support the idea of ensuring that traffic isn't surreptitiously
> intercepted, there are legitimate instances where interception is
> necessary *and* the user is fully aware that it is happening (and has
> therefore imported the proxy's CA certificate into their key chain). So
> I'm wondering if there is any kind of workaround to keep SSL-bump
> working with these sites?

From https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.

That seems to me to say that if the root of the certificate chain is a user-added cert, pinning will not be enforced, therefore the user isn't affected?

> 1. It seems to me that imported CA certs should have some kind of flag
> associated with them to indicate that they should be trusted even for
> pinned domains.
> 2. I'm guessing that this is not an issue for devices that *always* go
> through an intercepting proxy, since presumably they would never get to
> see the real cert, so wouldn't pin it? So this is mainly an issue for
> devices that move between networks?

Regards,
Antony.

--
Tinned food was developed for the British Navy in 1813.
The tin opener was not invented until 1858.

Please reply to the list;
please *don't* CC me.
[squid-users] SSL Bump and certificate pinning
Mozilla have announced that Firefox 32 does public key pinning:
http://monica-at-mozilla.blogspot.co.uk/2014/08/firefox-32-supports-public-key-pinning.html

Obviously this has the potential to render SSL-bump considerably less useful. At the moment it seems to be restricted to a small number of domains, but that's sure to increase.

Whilst I support the idea of ensuring that traffic isn't surreptitiously intercepted, there are legitimate instances where interception is necessary *and* the user is fully aware that it is happening (and has therefore imported the proxy's CA certificate into their key chain). So I'm wondering if there is any kind of workaround to keep SSL-bump working with these sites?

1. It seems to me that imported CA certs should have some kind of flag associated with them to indicate that they should be trusted even for pinned domains.
2. I'm guessing that this is not an issue for devices that *always* go through an intercepting proxy, since presumably they would never get to see the real cert, so wouldn't pin it? So this is mainly an issue for devices that move between networks?

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:st...@opendium.com
   Email:            st...@opendium.com
   Phone:            sip:st...@opendium.com

Sales / enquiries contacts:
   Email:            sa...@opendium.com
   Phone:            +44-844-9791439 / sip:sa...@opendium.com

Support contacts:
   Email:            supp...@opendium.com
   Phone:            +44-844-4844916 / sip:supp...@opendium.com
[squid-users] error: #error .... is not 32-bit or 64-bit
Hello Experts,

I am getting below error while compiling Squid 3.4.7 :

[root@localhost squid-3.4.7]# make all
Making all in compat
make[1]: Entering directory `/opt/squid-3.4.7/compat'
source='assert.cc' object='assert.lo' libtool=yes \
DEPDIR=.deps depmode=none /bin/sh ../cfgaux/depcomp \
/bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I../libltdl -c -o assert.lo assert.cc
libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I../libltdl -c assert.cc -o .libs/assert.o
In file included from ../compat/compat.h:51,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../compat/types.h:134:2: error: #error size_t is not 32-bit or 64-bit
In file included from ../compat/compat.h:81,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../compat/stdvarargs.h:31:2: error: #error XX **NO VARARGS ** XX
In file included from ../compat/compat.h:80,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../compat/compat_shared.h:97: error: field 'ru_stime' has incomplete type
../compat/compat_shared.h:98: error: field 'ru_utime' has incomplete type
In file included from ../compat/compat_shared.h:219,
                 from ../compat/compat.h:80,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../compat/strtoll.h:14: error: 'int64_t' does not name a type
assert.cc: In function 'void xassert(char*, char*, int)':
assert.cc:36: error: 'stderr' was not declared in this scope
assert.cc:36: error: 'fprintf' was not declared in this scope
assert.cc:37: error: 'abort' was not declared in this scope
make[1]: *** [assert.lo] Error 1
make[1]: Leaving directory `/opt/squid-3.4.7/compat'
make: *** [all-recursive] Error 1

Please help.

Regards
Santosh
[squid-users] squid 3.3.8 kerberos and ldap auth
Hi all!

Please help me. My problem is: I want to setup squid with two auth methods.
The first method is: kerberos auth.
The second is: BASIC ldap auth as a fallback method for users without a kerberos ticket.

I see that it doesn't work.
When user wants to login without kerberos, browser (IE 8/9/10 ; FF 30/31 ; chrome) asks for a BASIC login and password, after insert a correct login and pass browser ask again for BASIC auth - and again and again.
- In access.log I see only 407 code and nothing any and an error about NTLM auth.

If I disable kerberos auth, I can use BASIC auth without any problem.
Why Windows wants to use NTLM..?

I use samba 4.1.9 as a DC/kerberos server.
Kerberos works fine in Windows client, but not good for linux - it get proxy refuse connection from time to time.

I use squid from ubuntu 14.04 repo:

# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

# cat krb5.conf
[libdefaults]
    default_realm = COMPANY.RU
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

[realms]
    COMPANY.RU = {
        kdc = domainctrl.company.ru
        admin_server = domainctrl.company.ru
        default_domain = COMPANY.RU
    }

[domain_realm]
    domainctrl.company.ru = COMPANY.RU
    .domainctrl.company.ru = COMPANY.RU

# egrep -v '^($|#)' /etc/squid3/squid.conf
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r
auth_param negotiate children 150 startup=20 idle=20
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/basic_pam_auth -n squid -t 300 -o
auth_param basic children 5 startup=5 idle=1
auth_param basic credentialsttl 10800 seconds
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow auth
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

# cat /etc/pam.d/squid
auth sufficient pam_krb5.so alt_auth_map=%s...@company.ru
account required pam_krb5.so

I have played with BASIC ldap auth with the same result.
I have played with krb5.conf without success.

Best regards,
Victor.