Re: [squid-users] host header forgery check in docker environment

2018-06-17 Thread Kedar K
Hi Amos,
Here is the topology:

client (curl from host running docker) --> squid_child (docker, using
ssl-bump with intercept) --> squid_parent (VM with internet connection,
https_port without ssl-bump) --> origin server.

local - 72.19.0.2:443 is the container running the squid child.
remote - remote=172.19.0.1:44522 is the host machine where the containers are
running; I am using curl to do initial tests. Eventually, requests would
come from other containers or external hosts on the docker daemon host.

With HTTP traffic this works fine: the request is forwarded to the
parent and then to the origin server. However, with HTTPS, header forgery kicks
in and TLS is terminated.

- Kedar

On Mon, Jun 18, 2018 at 9:44 AM Amos Jeffries wrote:

> On 18/06/18 02:08, Kedar K wrote:
> > Hello,
> >
> > I am hitting this issue when running squid in a docker with ssl parent
> > cache_peer.
> >
>
> Can you describe that a bit clearer please? An end-client, two proxies
> and origin server makes four HTTP agents involved with this traffic.
>
>  Which of those proxies (and/or server) is inside the container?
>
>  And how are you getting the traffic from the client to the first proxy?
>
>
> > Host header forgery detected on local=11 72.19.0.2:443
> > remote=172.19.0.1:44522
> > FD 15 flags=33 (local IP does not match any domain IP)
> >
> > The host IP of the docker would not resolve to a domain. How to
> > work around this problem?
>
> The agent being client for the proxy reporting this message apparently
> thinks there is an origin server running at "72.19.0.2:443" hosting some
> domain name. They are trying to contact that origin server.
>
>
>
> Amos


-- 

*- Kedar Kekan*
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
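The check behind the alert discussed in this thread, as an added example (not code from Squid, nor from anyone on the thread): for an intercepted connection, the address the client actually connected to (the `local=` side of the alert) must be one of the addresses the requested host name resolves to; otherwise Squid reports "local IP does not match any domain IP". The script parses a cache.log line constructed in the shape of the one quoted above, re-runs that comparison against a constructed resolver table that stands in for DNS, and adds one triage hint of my own rather than Squid's logic: an intercepted destination inside a private range such as a Docker bridge network usually means the client addressed the proxy itself, which is what the reply above suggests is happening here. All function and variable names are assumptions; the sample log line, its timestamp prefix and the resolver table are constructed.

```python
"""Triage helper for Squid's "Host header forgery detected" alerts.

Added example, not code from Squid or from the thread.  It parses the alert
line format quoted in the thread and re-runs the check Squid applies to
intercepted traffic: the destination the client actually connected to
("local=") must be one of the addresses the requested host resolves to.
The resolver is a constructed table, not live DNS, so this runs offline.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Alert line fields as seen in the thread: local, remote, FD, flags, reason.
_ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>\S+) remote=(?P<remote>\S+)"
    r" FD (?P<fd>\d+) flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)"
)


class ForgeryAlert(NamedTuple):
    local_ip: str      # address the client connected to (intercepted destination)
    local_port: int
    remote_ip: str     # client address
    remote_port: int
    fd: int
    flags: int
    reason: str


def split_hostport(text: str) -> Tuple[str, int]:
    """Split 'ip:port', accepting bracketed IPv6 literals like '[fd00::2]:443'."""
    if text.startswith("["):
        host, _, port = text[1:].partition("]:")
    else:
        host, _, port = text.rpartition(":")
    return host, int(port)


def parse_forgery_alert(line: str) -> Optional[ForgeryAlert]:
    """Return the parsed alert, or None if the line is not a forgery alert."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    local_ip, local_port = split_hostport(m.group("local"))
    remote_ip, remote_port = split_hostport(m.group("remote"))
    return ForgeryAlert(local_ip, local_port, remote_ip, remote_port,
                        int(m.group("fd")), int(m.group("flags")), m.group("reason"))


def verify_destination(dst_ip: str, requested_host: str,
                       resolver: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Mirror the intercept check: is dst_ip one of requested_host's addresses?

    `resolver` stands in for DNS (constructed table).  An IP-literal host
    must equal the intercepted destination exactly.
    """
    try:
        literal = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        literal = None
    if literal is not None:
        if str(literal) == dst_ip:
            return True, "ok"
        return False, "local IP does not match the IP literal in the request"
    addresses = resolver.get(requested_host.lower(), [])
    if not addresses:
        return False, "domain does not resolve"
    if dst_ip in addresses:
        return True, "ok"
    return False, "local IP does not match any domain IP"


def triage(alert: ForgeryAlert, requested_host: str,
           resolver: Dict[str, List[str]]) -> str:
    """Re-run the check and add one hint (my heuristic, not Squid's logic):
    an intercepted destination in a private range such as a Docker bridge
    network usually means the client addressed the proxy itself, the way a
    forward proxy is addressed, rather than an origin server."""
    ok, reason = verify_destination(alert.local_ip, requested_host, resolver)
    if ok:
        return "legitimate: destination matches DNS for " + requested_host
    hint = ""
    if ipaddress.ip_address(alert.local_ip).is_private:
        hint = "; destination is a private address, client likely addressed the proxy directly"
    return "forgery check failed (" + reason + ")" + hint


# Constructed log line in the shape quoted in the thread (not a real capture).
SAMPLE_LINE = ("2018/06/17 14:08:01 kid1| SECURITY ALERT: Host header forgery detected on "
               "local=172.19.0.2:443 remote=172.19.0.1:44522 FD 15 flags=33 "
               "(local IP does not match any domain IP)")

# Constructed resolver table standing in for DNS (TEST-NET-3 addresses).
RESOLVER = {"www.example.com": ["203.0.113.10", "203.0.113.11"]}

if __name__ == "__main__":
    alert = parse_forgery_alert(SAMPLE_LINE)
    print(alert)
    print(triage(alert, "www.example.com", RESOLVER))
```

Run as a script to see the parsed fields and the verdict for the constructed line; against a real cache.log you would feed `verify_destination` the addresses returned by the resolver the proxy itself uses (for example `socket.getaddrinfo`) instead of the table, since a split-horizon DNS view different from the proxy's is itself a common cause of this alert.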


Re: [squid-users] Active Directory Integration?

2018-06-17 Thread Amos Jeffries
On 17/06/18 18:36, Periko Support wrote:
> Hi people.
> 
> If we need to integrate squid 3.5+ with a windows domain AD (2008+) and
> authenticate users from the domain.
> 
> Does Linux (squid) need to be part of the domain?

Depends on what authentication types you want to use, and how you want
to use them.

The proxy needs the ability to ask the DC about credentials.  If you use
a prepared helper, decide the auth scheme and look at what the helpers
for that scheme can do.


> Or we can just enable a common LDAP query to the AD server?

What do you mean by "common"?

LDAP requires credentials for the proxy to login to the DC with, in
order to check credentials etc. So it may or may not work off-domain.

Amos


Re: [squid-users] host header forgery check in docker environment

2018-06-17 Thread Amos Jeffries
On 18/06/18 02:08, Kedar K wrote:
> Hello,
> 
> I am hitting this issue when running squid in a docker with ssl parent
> cache_peer.
> 

Can you describe that a bit clearer please? An end-client, two proxies
and origin server makes four HTTP agents involved with this traffic.

 Which of those proxies (and/or server) is inside the container?

 And how are you getting the traffic from the client to the first proxy?


> Host header forgery detected on local=11 72.19.0.2:443
> remote=172.19.0.1:44522 
> FD 15 flags=33 (local IP does not match any domain IP)
> 
> The host IP of the docker would not resolve to a domain. How to
> work around this problem?

The agent being client for the proxy reporting this message apparently
thinks there is an origin server running at "72.19.0.2:443" hosting some
domain name. They are trying to contact that origin server.



Amos


Re: [squid-users] 4.0.25 -- build, ok... probs on 3.x still there, but may not be so important?

2018-06-17 Thread Amos Jeffries
On 17/06/18 22:04, L A Walsh wrote:
> It seems I didn't patch it correctly...weird, didn't see
> any output.
> 
> Tried applying the .25 patch to a copy of the .24 dir and it didn't
> apply correctly, since I d/l the tarball, and now it builds
> fine...so gonna go play with this now...
> 

FYI: if you are applying the inter-version patches instead of building
from a clean copy of the sources in the new release's tarball, then you
are definitely changing the .am etc. files those WARNINGs are talking
about. It is just that you are also changing the Makefile as if automake
were being used to generate it from that file. So the change is not truly
relevant, but libltdl still detects it and warns.

You can usually avoid auto-tools mismatch issues by using the
--with-included-ltdl or --without-included-ltdl build options, depending
on which of them you are using now that produces the warning.


> FWIW, though the 3.x issues -- compiler changed...not sure
> what else would be causing weird issues...
> one of them was deprecation warnings and that could easily
> be the new compiler...

These were fixed in the 3.5 releases since .21 came out; the current release
in that series is 3.5.27.

Amos


[squid-users] host header forgery check in docker environment

2018-06-17 Thread Kedar K
Hello,

I am hitting this issue when running squid in a docker with ssl parent
cache_peer.

Host header forgery detected on local=11 72.19.0.2:443 remote=
172.19.0.1:44522 FD 15 flags=33 (local IP does not match any domain IP)

The host IP of the docker would not resolve to a domain. How to
work around this problem?

*- Kedar*


[squid-users] 4.0.25 -- build, ok... probs on 3.x still there, but may not be so important?

2018-06-17 Thread L A Walsh

It seems I didn't patch it correctly...weird, didn't see
any output.

Tried applying the .25 patch to a copy of the .24 dir and it didn't
apply correctly, since I d/l the tarball, and now it builds
fine...so gonna go play with this now...

FWIW, though the 3.x issues -- compiler changed...not sure
what else would be causing weird issues...
one of them was deprecation warnings and that could easily
be the new compiler...
Anyway...gonna go try to get 4.0.25 running...

sorry for bother.



L A Walsh wrote:


Also, tried recompiling 3.5.21+22 and ran into some issues (which
don't really need solving if I get 4.0.25 up and running, but thought
I'd mention them as they seem to be related to me using a more recent
gcc toolchain (7.1.0)).
Got a few warnings that were escalated into errors:

1 was due to something deprecated (from 3.5.21 build)

In file included from ../../include/util.h:37:0,
 from ntlmauth.cc:20:
../../include/SquidNew.h:21:51: error: dynamic exception specifications 
are deprecated in C++11 [-Werror=deprecated]

 _SQUID_EXTERNNEW_ void *operator new(size_t size) throw (std::bad_alloc)
   ^
../../include/SquidNew.h:29:54: error: dynamic exception specifications 
are deprecated in C++11 [-Werror=deprecated]

 _SQUID_EXTERNNEW_ void *operator new[] (size_t size) throw (std::bad_alloc)


After disabling that fatal warning, I ran into a different warning
in the FtpGateway.cc file:
FtpGateway.cc: In member function ‘const char* Ftp::Gateway::ftpRealm()’:
FtpGateway.cc:1288:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 8188 
[-Werror=format-truncation=]

 Ftp::Gateway::ftpRealm()
 ^~~
FtpGateway.cc:1294:17: note: ‘snprintf’ output between 13 and 8204 bytes 
into a destination of size 8192

 snprintf(realm, 8192, "FTP %s unknown", user);
 ^
FtpGateway.cc:1288:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 8188 
[-Werror=format-truncation=]

 Ftp::Gateway::ftpRealm()
 ^~~
...
~~
FtpGateway.cc: In function ‘void ftpSendUser(Ftp::Gateway*)’:
FtpGateway.cc:1304:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 1019 
[-Werror=format-truncation=]

 ftpSendUser(Ftp::Gateway * ftpState)
 ^~~
cc1plus: all warnings being treated as errors

There were others, of the same sort that I didn't copy here.  I turned off
fatal warnings, as this used to work under an older compiler,
but then some things didn't want to link:

  CXXLD    pinger
debug.o: In function `FileNameHashCached(char const*)':
debug.cc:(.text+0x4e): undefined reference to 
`TextException::FileNameHash(char const*)'

globals.o: In function `FileNameHashCached(char const*)':
globals.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

SquidConfig.o: In function `FileNameHashCached(char const*)':
SquidConfig.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

stub_HelperChildConfig.o: In function `FileNameHashCached(char const*)':
stub_HelperChildConfig.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

collect2: error: ld returned 1 exit status
Makefile:880: recipe for target 'pinger' failed
make[3]: *** [pinger] Error 1


Made me wonder if maybe gcc V7.1.0 wasn't supported or tried?

---

That's when I decided to try 4.0.25...which points back to the
top of this email...

so...missing 'func_quote_for_eval'?  relation to am-1.15?
am-1.16 usable instead?

Thanks,
-linda










Re: [squid-users] Squid test-suite / benchmarks

2018-06-17 Thread Stoica Bogdan Alexandru
Thank you all for your suggestions. Polygraph is a good benchmark, but
unfortunately it has strict terms & conditions when it comes to publishing
results, and we plan to make the measurements part of a research paper.

Thanks again!

From: Coenraad Loubser [mailto:coenr...@wish.org.za]
Sent: Thursday, June 7, 2018 11:26 AM
To: Stoica Bogdan Alexandru 
Cc: squid-users@lists.squid-cache.org; Alex Rousskov 

Subject: Re: [squid-users] Squid test-suite / benchmarks

My first port of call would be apachebench with and without your proxies. A web 
search for "squid apachebench" might yield some leads to people who have done 
this. (I'm sure apachebench is well tested.)
Eg. the third hit on Google: 
https://2bits.com/articles/using-apachebench-benchmarking-logged-users-automated-approach.html

On Thu, Jun 7, 2018 at 7:20 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
On 06/07/2018 04:17 AM, Stoica Bogdan Alexandru wrote:

> We’re a small research team interested in benchmarking Squid for a
> research project.

> Ideally, we would like to have good code coverage while doing so.

> Are there any good benchmarks used for such purpose?

Performance benchmarks usually focus on things other than code coverage.
It is very difficult to write a quality benchmark for a proxy, even
without code coverage as a goal!

On the other hand, a decent proxy benchmark has enough knobs to tickle
most "interesting" code paths in Squid (or any other proxy). Web
Polygraph[1] (mentioned on this thread earlier) is a good example -- you
can trigger cache revalidation, simulate heavy tailed hit distributions
that stress disk caching, exercise the code that handles aborted
transactions, persistent connection races, etc., etc.


> Or, even better, is
> there a more comprehensive test suite apart from the one Squid comes with?

Squid does not come with a comprehensive test suite (yet) and the tests
distributed with Squid are not performance tests (a.k.a. "benchmarks").
If you are looking for functionality rather than performance testing,
then there is Co-Advisor[2]. Squid is tested with Co-Advisor, but those
tests have not been automated (yet).

  [1] http://www.web-polygraph.org/
  [2] http://coad.measurement-factory.com/


HTH,

Alex.
P.S. Disclaimer: The company I work for is responsible for both of the
test tools mentioned above.



--

Coenraad Loubser

Wireless Internet Services & Hardware (Pty) Ltd.
210 Long Street, Cape Town, 8001, ZA

Office: +27 21 481 1824
Skype: Coenraad_Loubser
Email: coenr...@wish.org.za
Cell: +27 73 772 1223

-- Spending Money is like watering a plant.


[squid-users] building 4.0.25

2018-06-17 Thread L A Walsh

I unpacked the tar and ran configure via a script.

Ran make, but am running into this:

  CCLD     libmiscencoding.la
../libtool: line 7979: func_quote_for_eval: command not found
...
../libtool: line 7979: func_quote_for_eval: command not found
  CXXLD    libmisccontainers.la
../libtool: line 7979: func_quote_for_eval: command not found
...
../libtool: line 7979: func_quote_for_eval: command not found
  CXXLD    libmiscutil.la
../libtool: line 7979: func_quote_for_eval: command not found
...
../libtool: line 7979: func_quote_for_eval: command not found
make[2]: Leaving directory '/home/tools/squid/squid-4.0.25/lib'
make[1]: Leaving directory '/home/tools/squid/squid-4.0.25/lib'
Making all in libltdl
make[1]: Entering directory '/home/tools/squid/squid-4.0.25/libltdl'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh 
/home/tools/squid/squid-4.0.25/cfgaux/missing aclocal-1.15 -I m4
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh 
/home/tools/squid/squid-4.0.25/cfgaux/missing autoconf
cd . && /bin/sh /home/tools/squid/squid-4.0.25/cfgaux/missing 
automake-1.15 --foreign
/home/tools/squid/squid-4.0.25/cfgaux/missing: line 81: automake-1.15: 
command not found

WARNING: 'automake-1.15' is missing on your system.
You should only need it if you modified 'Makefile.am' or
'configure.ac' or m4 files included by 'configure.ac'.


Is the libtool failure what is causing it to think automake is missing
(it isn't on my system, and SUSE is shipping automake-1.16, which I haven't
installed yet)?

My question is about the WARNING above -- saying I shouldn't need it unless
I modified various files.  I haven't.  Just ran configure, which I'm
assuming doesn't modify those files?


I didn't want to go off and find am1.15 without finding out why it
thinks I need it (since I haven't changed any source files at this point).
Also wondering if am1.16 would work in place of am1.15 -- I know
sometimes one needs to keep multiple versions of am around.

Also, tried recompiling 3.5.21+22 and ran into some issues (which
don't really need solving if I get 4.0.25 up and running, but thought
I'd mention them as they seem to be related to me using a more recent
gcc toolchain (7.1.0)).
Got a few warnings that were escalated into errors:

1 was due to something deprecated (from 3.5.21 build)

In file included from ../../include/util.h:37:0,
from ntlmauth.cc:20:
../../include/SquidNew.h:21:51: error: dynamic exception specifications 
are deprecated in C++11 [-Werror=deprecated]

_SQUID_EXTERNNEW_ void *operator new(size_t size) throw (std::bad_alloc)
  ^
../../include/SquidNew.h:29:54: error: dynamic exception specifications 
are deprecated in C++11 [-Werror=deprecated]

_SQUID_EXTERNNEW_ void *operator new[] (size_t size) throw (std::bad_alloc)


After disabling that fatal warning, I ran into a different warning
in the FtpGateway.cc file:
FtpGateway.cc: In member function ‘const char* Ftp::Gateway::ftpRealm()’:
FtpGateway.cc:1288:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 8188 
[-Werror=format-truncation=]

Ftp::Gateway::ftpRealm()
^~~
FtpGateway.cc:1294:17: note: ‘snprintf’ output between 13 and 8204 bytes 
into a destination of size 8192

snprintf(realm, 8192, "FTP %s unknown", user);
^
FtpGateway.cc:1288:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 8188 
[-Werror=format-truncation=]

Ftp::Gateway::ftpRealm()
^~~
...
~~
FtpGateway.cc: In function ‘void ftpSendUser(Ftp::Gateway*)’:
FtpGateway.cc:1304:1: error: ‘%s’ directive output may be truncated 
writing up to 8191 bytes into a region of size 1019 
[-Werror=format-truncation=]

ftpSendUser(Ftp::Gateway * ftpState)
^~~
cc1plus: all warnings being treated as errors

There were others, of the same sort that I didn't copy here.  I turned off
fatal warnings, as this used to work under an older compiler,
but then some things didn't want to link:

  CXXLD    pinger
debug.o: In function `FileNameHashCached(char const*)':
debug.cc:(.text+0x4e): undefined reference to 
`TextException::FileNameHash(char const*)'

globals.o: In function `FileNameHashCached(char const*)':
globals.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

SquidConfig.o: In function `FileNameHashCached(char const*)':
SquidConfig.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

stub_HelperChildConfig.o: In function `FileNameHashCached(char const*)':
stub_HelperChildConfig.cc:(.text+0x2c): undefined reference to 
`TextException::FileNameHash(char const*)'

collect2: error: ld returned 1 exit status
Makefile:880: recipe for target 'pinger' failed
make[3]: *** [pinger] Error 1


Made me wonder if maybe gcc V7.1.0 wasn't supported or tried?

---


[squid-users] Active Directory Integration?

2018-06-17 Thread Periko Support
Hi people.

If we need to integrate squid 3.5+ with a windows domain AD (2008+) and
authenticate users from the domain.

Does Linux (squid) need to be part of the domain?
Or we can just enable a common LDAP query to the AD server?

Thanks.