RE: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on

2011-08-02 Thread Ming Fu
Hi Markus,

I added allow_weak_crypto = yes to the krb.conf file. Now everything worked.
Any suggestion on how to allow safer/stronger cryptos?

Thanks
Ming

 -Original Message-
 From: Markus Moeller [mailto:hua...@moeller.plus.com]
 Sent: Saturday, July 30, 2011 7:51 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on

 Hi Ming,

   That looks correct.  I have three suggestions:

  1) Can you reset the AD account password for the squid user and re-extract the keytab?
  2) Use another tool like msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )
  3) Clear the kerberos cache on the client with kerbtray.  It might be that the client cached an old key.

   Additionally if you want to support Win 7 and Win 2008 you must use RC4-HMAC encryption as DES has been declared a weak encryption method and is no longer supported in Win 7 / Win 2008.

 Regards
 Markus


 Ming Fu ming...@watchguard.com wrote in message
 news:09177155B3E82945AD8AF1F744B326458A7E5EA6@es05co...
 Hi Markus,

 My keytab file is generated from the win 2003 DC using ktpass command.

 On Linux where the squid is running:

 klist -ekt /usr/local/squid/etc/squid27.keytab
 Keytab name: WRFILE:/usr/local/squid/etc/squid27.keytab
 KVNO Timestamp         Principal
 ---- ----------------- --------------------------------------------------------------------------
    9 12/31/69 19:00:00 HTTP/squid.sit27.borderware@sit27.borderware.com (DES cbc mode with RSA-MD5)
 [root@squid etc]# ^C
 [root@squid etc]# echo $KRB5_KTNAME
 /usr/local/squid/etc/squid27.keytab


 On windows 2003
 C:\Documents and Settings\Administrator>ktpass -princ HTTP/squid.sit27.borderware@sit27.borderware.com -mapuser squid -crypto DES-CBC-MD5 +DesOnly -pass 

  -ptype KRB5_NT_PRINCIPAL -out squid27.keytab
 Targeting domain controller: 27dc.sit27.borderware.com
 Using legacy password setting method
 Successfully mapped HTTP/squid.sit27.borderware.com to squid.
 Key created.
 Output keytab to squid27.keytab:
 Keytab version: 0x502
 keysize 79 HTTP/squid.sit27.borderware@sit27.borderware.com ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x10bf6eea2531436b)
 Account squid has been set for DES-only encryption.

 C:\Documents and Settings\Administrator>setspn -L squid
 Registered ServicePrincipalNames for CN=Squid,CN=Users,DC=sit27,DC=borderware,DC=com:
 HTTP/squid.sit27.borderware.com


 Best Regards,
 Ming



  -Original Message-
  From: Markus Moeller [mailto:hua...@moeller.plus.com]
  Sent: Thursday, July 28, 2011 3:09 PM
  To: squid-users@squid-cache.org
  Subject: [squid-users] Re: Re: squid 3.1.14 kerberos single sign on
 
  Hi Ming,
 
   This indicates that now your client got the ticket from AD, but it does not match the entry in your keytab. Did you set the environment variable KRB5_KTNAME correctly ?   Can you do a klist -ekt squid.keytab and compare the entries with the wireshark information of the encoded HTTP Negotiate request ?
  
    Does the name, encryption type and key version number (kvno) match ?
 
  Markus
 
  Ming Fu ming...@watchguard.com wrote in message
  news:09177155B3E82945AD8AF1F744B326458A7E58B8@es05co...
  Hi Markus,
 
  I tried the same test on a Windows 2003 domain with XP clients. I was
  able
  to get pass the SGT from DC to the XP. Now my problem is the following
  squid
  error: Any suggestion how to debug further?
 
 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR
 YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGC
 NwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAA
 AACjggOeYYIDmjCCA5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqEk
 MCIbBEhUVFAbGnNxdWlkLnNpdDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgEE
 ooIDNASCAzDb2BHDS95lmejMm5kGJNuwxcAV6OAOcH1hnOdb8sTR1nHSGGlvlbSKSg/G9l+a
 kRgv9t9BNrsECoZYlZBsojRnFCVHSKjRCKYn+K3ExFIT8E5Szu+XuyIQvib9RMNPG5poBHC4
 haBO9gxrkZ+yoPOhIP3lY4o9RltyumIAEPiO+36kqNSnTHu6ycuzImPA7+jlkU8VFyXHiwgr
 HNX7/1N5hpQWuIxl+UkvSJzZb/Tdoro4nM53id0ZrSdxs+Dn1WESc3EgZRwjItGNPHzPKeB0
 3v8IIFZkSCQSGp+GxUeOzxRpMzXN2r3T6PLFLlMHJQeJzFnCOnmJs4stiyW6rY7zF3L868OH
 Yhcx9kUZQzUivnwI+lrfRYMlu87CbAnPZBbPc099b0Amp5gF2YlSOOpx2fLdIN2hs5GJCnzB
 K1Z7sGPiIIi2hWfbhAJMvAE8sLnahlD8ffraI3ZrxKfpVnNIxbJMvkq4pA8/Ka2w2DA1jeEc
 PkOg1oggA6+ygmvHZpQrU9twBTtjfHxi0050gdv/DbEbsHofFFDlLNCkQQYB50aDCOubu3Nf
 qfNGre/EAJyrfmeRfjTNRtcOfauoUlZmVhqJXM0nkuvlDtvCXcUmjvcVwtG6CE13lqAsD081
 xJPaLnPAKmmqGVZUZNykFUeFzarIlu2r3ELJnkyxfQNbeoKLhSH94U
 WGnE6jCT7yjVvpmzQV4n0DbKyFWn/wgEytE/lq28DpK8WmeCZodtOaQ2TU25HDK/egQMaw2c
 GiYmOatTUUGBcE736EPKcpXHxX7Cb7WlcEC0Ijingr50LHBM1spE+ZAvgynkNTUS7Dd8qYdE
 6Zc1lBRvqTaK5OKiaVMNztydy9pqufk9lyQbDGsmNyFLgEgz2TDSxJkaTFQm8KlZLY2nlxQQ
 vx4QyY4DI6vmkeHHjCxP5/vUGFlFyq3t7j8qfBrDyg1mq/95cHLyLfTXSwVZE9ODXnP70Gsa
 mYLk4xmnp5FEO+3Kmdn+gzhUFLQA5bowGtXyyauKUNbiYftsy5VKsj4Sr1iGMJyxRiG1C00g
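
The whole thread turns on what the keytab on the proxy actually contains: klist -ekt shows kvno, principal and encryption type, "Key table entry not found" means the library found no entry matching all three for what it was asked to accept, and allow_weak_crypto only papers over the fact that the one entry present is single-DES. The Python below is an added example, not Squid or MIT Kerberos code: it parses the MIT keytab file format (version 0x0502) directly, lists the entries klist-style (timestamps in UTC, where klist prints local time), flags single-DES keys, and performs the same principal/enctype/kvno lookup an acceptor does. The sample keytab is constructed in build_keytab(); it imitates the thread's entry (kvno 9, etype 3, the lab key the ktpass output printed) next to an assumed AES-256 entry with kvno 10 of the kind a keytab regenerated without +DesOnly would carry.

```python
"""Parse an MIT-format keytab (version 0x0502) and report what `klist -ekt`
shows: kvno, principal and encryption type. Flags single-DES keys, the enctype
this thread ended up enabling with allow_weak_crypto. Added example, not Squid
or MIT code; the sample keytab is constructed below with build_keytab()."""
import struct
import time

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}   # single DES: MIT krb5 >= 1.8 refuses it unless allow_weak_crypto = true


def build_keytab(entries):
    """Serialise (principal, name_type, timestamp, kvno, enctype, key) tuples into
    keytab bytes. Used here only to construct test input."""
    out = bytearray(b"\x05\x02")                       # file format version 0x0502
    for principal, name_type, ts, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))  # v2: realm not counted
        for s in [realm] + comps:                      # realm first, then components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts: principal, name_type, timestamp, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                   # negative size: deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):                     # realm, then ncomp components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                             # 32-bit kvno present: it wins if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": ts, "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def weak_entries(entries):
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


def find_key(entries, principal, enctype, kvno):
    """The lookup an acceptor performs for an incoming AP-REQ: same principal,
    enctype and kvno. None is the 'Key table entry not found' outcome."""
    for e in entries:
        if (e["principal"], e["enctype"], e["kvno"]) == (principal, enctype, kvno):
            return e
    return None


def format_entry(e):
    """One line in the style of `klist -ekt` (UTC timestamp)."""
    stamp = time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(e["timestamp"]))
    etype = ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"])
    return "%4d %s %s (%s)" % (e["kvno"], stamp, e["principal"], etype)


# Constructed sample: the thread's DES-only entry (kvno 9, etype 3, lab key from the
# ktpass output) next to an assumed AES entry a keytab without +DesOnly would hold.
SPN = "HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SPN, 1, 0, 9, 3, bytes.fromhex("10bf6eea2531436b")),
    (SPN, 1, 1312000000, 10, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(format_entry(entry), "<- weak" if entry in weak_entries([entry]) else "")
    print("ticket etype 3 kvno 4 matches:", find_key(parse_keytab(SAMPLE_KEYTAB), SPN, 3, 4) is not None)
```

Point the script at a real file with `parse_keytab(open(path, "rb").read())`; a `find_key()` miss for the name, etype and kvno seen in the client's AP-REQ is the condition behind the error in this thread, and any hit from `weak_entries()` is a key that only works with allow_weak_crypto.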

RE: [squid-users] Re: Re: squid 3.1.14 kerberos single sign on

2011-07-29 Thread Ming Fu
Hi Markus,

My keytab file is generated from the win 2003 DC using ktpass command.

On Linux where the squid is running:

klist -ekt /usr/local/squid/etc/squid27.keytab
Keytab name: WRFILE:/usr/local/squid/etc/squid27.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------------------------
   9 12/31/69 19:00:00 HTTP/squid.sit27.borderware@sit27.borderware.com (DES cbc mode with RSA-MD5)
[root@squid etc]# ^C
[root@squid etc]# echo $KRB5_KTNAME
/usr/local/squid/etc/squid27.keytab


On windows 2003 
C:\Documents and Settings\Administrator>ktpass -princ HTTP/squid.sit27.borderware@sit27.borderware.com -mapuser squid -crypto DES-CBC-MD5 +DesOnly -pass 

 -ptype KRB5_NT_PRINCIPAL -out squid27.keytab
Targeting domain controller: 27dc.sit27.borderware.com
Using legacy password setting method
Successfully mapped HTTP/squid.sit27.borderware.com to squid.
Key created.
Output keytab to squid27.keytab:
Keytab version: 0x502
keysize 79 HTTP/squid.sit27.borderware@sit27.borderware.com ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x10bf6eea2531436b)
Account squid has been set for DES-only encryption.

C:\Documents and Settings\Administrator>setspn -L squid
Registered ServicePrincipalNames for CN=Squid,CN=Users,DC=sit27,DC=borderware,DC=com:
HTTP/squid.sit27.borderware.com


Best Regards,
Ming



 -Original Message-
 From: Markus Moeller [mailto:hua...@moeller.plus.com]
 Sent: Thursday, July 28, 2011 3:09 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Re: Re: squid 3.1.14 kerberos single sign on
 
 Hi Ming,
 
   This indicates that now your client got the ticket from AD, but it does not match the entry in your keytab. Did you set the environment variable KRB5_KTNAME correctly ?   Can you do a klist -ekt squid.keytab and compare the entries with the wireshark information of the encoded HTTP Negotiate request ?
  
   Does the name, encryption type and key version number (kvno) match ?
 
 Markus
 
 Ming Fu ming...@watchguard.com wrote in message
 news:09177155B3E82945AD8AF1F744B326458A7E58B8@es05co...
 Hi Markus,
 
 I tried the same test on a Windows 2003 domain with XP clients. I was
 able
 to get pass the SGT from DC to the XP. Now my problem is the following
 squid
 error: Any suggestion how to debug further?
 
 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR
 YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGC
 NwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAA
 AACjggOeYYIDmjCCA5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqEk
 MCIbBEhUVFAbGnNxdWlkLnNpdDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgEE
 ooIDNASCAzDb2BHDS95lmejMm5kGJNuwxcAV6OAOcH1hnOdb8sTR1nHSGGlvlbSKSg/G9l+a
 kRgv9t9BNrsECoZYlZBsojRnFCVHSKjRCKYn+K3ExFIT8E5Szu+XuyIQvib9RMNPG5poBHC4
 haBO9gxrkZ+yoPOhIP3lY4o9RltyumIAEPiO+36kqNSnTHu6ycuzImPA7+jlkU8VFyXHiwgr
 HNX7/1N5hpQWuIxl+UkvSJzZb/Tdoro4nM53id0ZrSdxs+Dn1WESc3EgZRwjItGNPHzPKeB0
 3v8IIFZkSCQSGp+GxUeOzxRpMzXN2r3T6PLFLlMHJQeJzFnCOnmJs4stiyW6rY7zF3L868OH
 Yhcx9kUZQzUivnwI+lrfRYMlu87CbAnPZBbPc099b0Amp5gF2YlSOOpx2fLdIN2hs5GJCnzB
 K1Z7sGPiIIi2hWfbhAJMvAE8sLnahlD8ffraI3ZrxKfpVnNIxbJMvkq4pA8/Ka2w2DA1jeEc
 PkOg1oggA6+ygmvHZpQrU9twBTtjfHxi0050gdv/DbEbsHofFFDlLNCkQQYB50aDCOubu3Nf
 qfNGre/EAJyrfmeRfjTNRtcOfauoUlZmVhqJXM0nkuvlDtvCXcUmjvcVwtG6CE13lqAsD081
 xJPaLnPAKmmqGVZUZNykFUeFzarIlu2r3ELJnkyxfQNbeoKLhSH94U
 
 WGnE6jCT7yjVvpmzQV4n0DbKyFWn/wgEytE/lq28DpK8WmeCZodtOaQ2TU25HDK/egQMaw2c
 GiYmOatTUUGBcE736EPKcpXHxX7Cb7WlcEC0Ijingr50LHBM1spE+ZAvgynkNTUS7Dd8qYdE
 6Zc1lBRvqTaK5OKiaVMNztydy9pqufk9lyQbDGsmNyFLgEgz2TDSxJkaTFQm8KlZLY2nlxQQ
 vx4QyY4DI6vmkeHHjCxP5/vUGFlFyq3t7j8qfBrDyg1mq/95cHLyLfTXSwVZE9ODXnP70Gsa
 mYLk4xmnp5FEO+3Kmdn+gzhUFLQA5bowGtXyyauKUNbiYftsy5VKsj4Sr1iGMJyxRiG1C00g
 k22RYtuVaMoTnkXZM6Nc2FZ8fMHtnxB8se7QOkgb4wgbugAwIBA6KBswSBsMOpCOW2cOM4FD
 YnUbyhrDFzo5gRJryTHFUGDYvEKJ0gooC+sg0ejhbcIrFvlp51m+BvvuvTqPVdjCj+goPhPz
 6Ogv+7kgAhyKEW4Qr2QzYGD/Fy6fUPEXLGqD7d3ih0/JlbpMtT7fxgZV/FEnRdlMpLd68FTT
 3dffkPjxPOgAlk/rY2KVM6tLyE0zk0SzuIN/ZAgaBoIBrwnnLpsoU7tFTIzVwSGUkv1+Jsds
 Rad56U'
 from squid (length: 1647).
 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode
 'YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAG
 CNwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACA
 AAACjggOeYYIDmjCCA5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqE
 kMCIbBEhUVFAbGnNxdWlkLnNpdDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgE
 EooIDNASCAzDb2BHDS95lmejMm5kGJNuwxcAV6OAOcH1hnOdb8sTR1nHSGGlvlbSKSg/G9l+
 akRgv9t9BNrsECoZYlZBsojRnFCVHSKjRCKYn+K3ExFIT8E5Szu+XuyIQvib9RMNPG5poBHC
 4haBO9gxrkZ+yoPOhIP3lY4o9RltyumIAEPiO+36kqNSnTHu6ycuzImPA7+jlkU8VFyXHiwg
 rHNX7/1N5hpQWuIxl+UkvSJzZb/Tdoro4nM53id0ZrSdxs+Dn1WESc3EgZRwjItGNPHzPKeB
 03v8IIFZkSCQSGp+GxUeOzxRpMzXN2r3T6PLFLlMHJQeJzFnCOnmJs4stiyW6rY7zF3L868O
 HYhcx9kUZQzUivnwI+lrfRYMlu87CbAnPZBbPc099b0Amp5gF2YlSOOpx2fLdIN2hs5GJCnz
 BK1Z7sGPiIIi2hWfbhAJMvAE8sLnahlD8ffraI3ZrxKfpVnNIxbJMvkq4pA8

RE: [squid-users] Re: squid 3.1.14 kerberos single sign on

2011-07-28 Thread Ming Fu
Hi Markus,

I tried the same test on a Windows 2003 domain with XP clients. I was able to 
get pass the SGT from DC to the XP. Now my problem is the following squid 
error: Any suggestion how to debug further?

2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR 
YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACCjggOeYYIDmjCCA5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqEkMCIbBEhUVFAbGnNxdWlkLnNpdDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgEEooIDNASCAzDb2BHDS95lmejMm5kGJNuwxcAV6OAOcH1hnOdb8sTR1nHSGGlvlbSKSg/G9l+akRgv9t9BNrsECoZYlZBsojRnFCVHSKjRCKYn+K3ExFIT8E5Szu+XuyIQvib9RMNPG5poBHC4haBO9gxrkZ+yoPOhIP3lY4o9RltyumIAEPiO+36kqNSnTHu6ycuzImPA7+jlkU8VFyXHiwgrHNX7/1N5hpQWuIxl+UkvSJzZb/Tdoro4nM53id0ZrSdxs+Dn1WESc3EgZRwjItGNPHzPKeB03v8IIFZkSCQSGp+GxUeOzxRpMzXN2r3T6PLFLlMHJQeJzFnCOnmJs4stiyW6rY7zF3L868OHYhcx9kUZQzUivnwI+lrfRYMlu87CbAnPZBbPc099b0Amp5gF2YlSOOpx2fLdIN2hs5GJCnzBK1Z7sGPiIIi2hWfbhAJMvAE8sLnahlD8ffraI3ZrxKfpVnNIxbJMvkq4pA8/Ka2w2DA1jeEcPkOg1oggA6+ygmvHZpQrU9twBTtjfHxi0050gdv/DbEbsHofFFDlLNCkQQYB50aDCOubu3NfqfNGre/EAJyrfmeRfjTNRtcOfauoUlZmVhqJXM0nkuvlDtvCXcUmjvcVwtG6CE13lqAsD081xJPaLnPAKmmqGVZUZNykFUeFzarIlu2r3ELJnkyxfQNbeoKLhSH94UWGnE6jCT7yjVvpmzQV4n0DbKyFWn/wgEytE/lq28DpK8WmeCZodtOaQ2TU25HDK/egQMaw2cGiYmOatTUUGBcE736EPKcpXHxX7Cb7WlcEC0Ijingr50LHBM1spE+ZAvgynkNTUS7Dd8qYdE6Zc1lBRvqTaK5OKiaVMNztydy9pqufk9lyQbDGsmNyFLgEgz2TDSxJkaTFQm8KlZLY2nlxQQvx4QyY4DI6vmkeHHjCxP5/vUGFlFyq3t7j8qfBrDyg1mq/95cHLyLfTXSwVZE9ODXnP70GsamYLk4xmnp5FEO+3Kmdn+gzhUFLQA5bowGtXyyauKUNbiYftsy5VKsj4Sr1iGMJyxRiG1C00gk22RYtuVaMoTnkXZM6Nc2FZ8fMHtnxB8se7QOkgb4wgbugAwIBA6KBswSBsMOpCOW2cOM4FDYnUbyhrDFzo5gRJryTHFUGDYvEKJ0gooC+sg0ejhbcIrFvlp51m+BvvuvTqPVdjCj+goPhPz6Ogv+7kgAhyKEW4Qr2QzYGD/Fy6fUPEXLGqD7d3ih0/JlbpMtT7fxgZV/FEnRdlMpLd68FTT3dffkPjxPOgAlk/rY2KVM6tLyE0zk0SzuIN/ZAgaBoIBrwnnLpsoU7tFTIzVwSGUkv1+JsdsRad56U'
 from squid (length: 1647).
2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode 
'...'
 (decoded length: 1233).
2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed: 
Unspecified GSS failure.  Minor code may provide more information. Key table 
entry not found
2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user 
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS 
failure.  Minor code may provide more information. Key table entry not found'


Thanks
Ming

 -Original Message-
 From: Ming Fu [mailto:ming...@watchguard.com]
 Sent: Wednesday, July 27, 2011 4:21 PM
 To: Markus Moeller; squid-users@squid-cache.org
 Subject: RE: [squid-users] Re: squid 3.1.14 kerberos single sign on
 
 Hi Markus,
 
 From the windows domain controller:
 ===
 Microsoft Windows [Version 6.0.6002]
 Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
 
 C:\Users\Administrator>setspn -L squid
 Registered ServicePrincipalNames for CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
 HTTP/squid.sit26.borderware.com
 
 C:\Users\Administrator>
 =
 
 From the wireshark:
 ==
 The Kerberos response error is
 Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
 Realm: SIT26.BORDERWARE.COM
 Server Name

RE: [squid-users] Re: squid 3.1.14 kerberos single sign on

2011-07-27 Thread Ming Fu
Hi Markus,

From the windows domain controller:
===
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>setspn -L squid
Registered ServicePrincipalNames for CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
HTTP/squid.sit26.borderware.com

C:\Users\Administrator>
=

From the wireshark:
==
The Kerberos response error is 
Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: SIT26.BORDERWARE.COM
Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
   Name-type: service and instance (2)
   Name: HTTP
   Name: squid.sit26.borderware.com
===

I can attach the whole tcpdump if necessary.

Regards,
Ming



 -Original Message-
 From: Markus Moeller [mailto:hua...@moeller.plus.com]
 Sent: Monday, July 25, 2011 4:27 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Re: squid 3.1.14 kerberos single sign on
 
 This looks like the client does not get a Kerberos token, which can have several reasons.
 
   1) Is the proxy name used in the browser the fqdn used in the servicePrincipalName in AD e.g. HTTP/fqdn ?
   2) Is the right encryption type used (Win7 / 2008 do not support DES out of the box)
 
  Can you capture with wireshark the communication between your Win7 client and AD on port 88 ( Kerberos port )  and send me the capture file ?
 
 Regards
 Markus
 
 
 Ming Fu ming...@watchguard.com wrote in message
 news:09177155B3E82945AD8AF1F744B326458A7E1581@es05co...
 Hi,
 
 I am trying to setup squid 3.1.14 on linux with Kerberos SSO against
 windows
 2008 server and win7 client.
 But both firefox 5.0.1 and IE 8 generate same log from squid.
 
 Is this a problem with squid or the browsers?
 
  squid logs 
 2011/07/25 10:54:29| Accepting  HTTP connections at [::]:3128, FD 31.
 2011/07/25 10:54:29| HTCP Disabled.
 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
 2011/07/25 10:54:29| Loaded Icons.
 2011/07/25 10:54:29| Ready to serve requests.
 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR
 TlRMTVNTUAABl4II4gAGAbAdDw==' from squid
 (length: 59).
 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode
 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded
 length:
 40).
 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM
 token
 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating
 user
 via Negotiate. Error returned 'BH received type 1 NTLM token'
 
 
 --- HTTP exchange Firefox to squid -
 GET http://www.google.ca/ HTTP/1.1
 Host: www.google.ca
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
 Firefox/5.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://www.google.ca/
 Cookie:
 PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
 0546:S=CwtXJNRFT1U2j2O8;
 NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
 rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
 
 HTTP/1.0 407 Proxy Authentication Required
 Server: squid/3.1.14
 Mime-Version: 1.0
 Date: Mon, 25 Jul 2011 15:38:05 GMT
 Content-Type: text/html
 Content-Length: 3945
 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
 Vary: Accept-Language
 Content-Language: en-us
 Proxy-Authenticate: Negotiate
 X-Cache: MISS from squid.sit26.borderware.com
 Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
 Connection: keep-alive
 
 GET http://www.google.ca/ HTTP/1.1
 Host: www.google.ca
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
 Firefox/5.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://www.google.ca/
 Cookie:
 PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
 0546:S=CwtXJNRFT1U2j2O8;
 NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
 rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
 Proxy-Authorization: Negotiate
 TlRMTVNTUAABl4II4gAGAbEdDw==
 
 
 Regards,
 Ming
 



[squid-users] squid 3.1.14 kerberos single sign on

2011-07-25 Thread Ming Fu
Hi,

I am trying to setup squid 3.1.14 on linux with Kerberos SSO against windows 
2008 server and win7 client.
But both firefox 5.0.1 and IE 8 generate same log from squid.

Is this a problem with squid or the browsers? 

 squid logs 
2011/07/25 10:54:29| Accepting  HTTP connections at [::]:3128, FD 31.
2011/07/25 10:54:29| HTCP Disabled.
2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/25 10:54:29| Loaded Icons.
2011/07/25 10:54:29| Ready to serve requests.
2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR 
TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 
59).
2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 
'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user 
via Negotiate. Error returned 'BH received type 1 NTLM token'


--- HTTP exchange Firefox to squid -
GET http://www.google.ca/ HTTP/1.1
Host: www.google.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://www.google.ca/
Cookie: 
PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8;
 
NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.14
Mime-Version: 1.0
Date: Mon, 25 Jul 2011 15:38:05 GMT
Content-Type: text/html
Content-Length: 3945
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: Negotiate
X-Cache: MISS from squid.sit26.borderware.com
Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
Connection: keep-alive

GET http://www.google.ca/ HTTP/1.1
Host: www.google.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://www.google.ca/
Cookie: 
PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8;
 
NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
Proxy-Authorization: Negotiate 
TlRMTVNTUAABl4II4gAGAbEdDw==


Regards,
Ming
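
squid_kerb_auth's "received type 1 NTLM token" is what you see when the browser could not obtain a Kerberos service ticket for the proxy and fell back to a bare NTLMSSP NEGOTIATE message instead of a SPNEGO token carrying an AP-REQ; the first eight bytes after base64 decoding ("NTLMSSP\0") tell the two apart. The Python below is an added example, not Squid's helper code: it classifies the blob after `Proxy-Authorization: Negotiate` as raw NTLMSSP, a SPNEGO NegTokenInit (listing the mechanism OIDs offered), or another GSS token. The sample tokens are constructed in the block with a minimal DER encoder; the NTLM flags and version bytes are assumed typical values, not captured traffic.

```python
"""Classify what a browser put after `Proxy-Authorization: Negotiate`, i.e. the
blob squid_kerb_auth receives after the 'YR ' prefix: a raw NTLMSSP message, a
SPNEGO NegTokenInit with the mechanisms it offers, or a non-SPNEGO GSS token.
Added example, not Squid code; sample tokens are constructed below."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def der(tag, content):
    """Tag + DER length + content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])                  # base-128, high bit on all but last
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += chunk
    return der(0x06, bytes(body))


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def tlv(buf, pos=0):
    """Parse one DER TLV at pos; returns (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def classify(token_b64):
    """Describe the token type; for SPNEGO also list the offered mechanisms."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):               # the check that produced the warning above
        return {"kind": "ntlmssp", "message_type": int.from_bytes(raw[8:12], "little")}
    tag, content, _ = tlv(raw)
    if tag != 0x60:                                  # not a GSS InitialContextToken
        return {"kind": "unknown"}
    otag, obody, pos = tlv(content)
    if otag != 0x06:
        return {"kind": "unknown"}
    mech = decode_oid(obody)
    if mech != OID_SPNEGO:
        return {"kind": "gss", "mech": OID_NAMES.get(mech, mech)}
    _, init, _ = tlv(content, pos)                   # [0] NegTokenInit
    _, fields, _ = tlv(init)                         # SEQUENCE of tagged fields
    mechs, p = [], 0
    while p < len(fields):
        ftag, fbody, p = tlv(fields, p)
        if ftag == 0xA0:                             # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = tlv(fbody)
            q = 0
            while q < len(oids):
                _, ob, q = tlv(oids, q)
                mechs.append(OID_NAMES.get(decode_oid(ob), decode_oid(ob)))
    return {"kind": "spnego", "mechs": mechs}


# Constructed samples (assumed values, not captured traffic).
def ntlm_type1():
    """Bare NTLMSSP NEGOTIATE_MESSAGE, the 40-byte shape of the token in the log above."""
    empty_field = (0).to_bytes(4, "little") + (40).to_bytes(4, "little")  # len, maxlen, offset
    version = bytes([6, 1, 0xB0, 0x1D, 0, 0, 0, 0x0F])                      # Windows 6.1 build 7600
    msg = (b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little")
           + empty_field * 2 + version)
    return base64.b64encode(msg).decode()


def spnego_init(mech_token):
    """SPNEGO NegTokenInit offering KRB5, MS-KRB5 and NTLMSSP around mech_token."""
    oids = b"".join(encode_oid(o) for o in OID_NAMES)
    body = der(0xA0, der(0x30, oids)) + der(0xA2, der(0x04, mech_token))
    return base64.b64encode(der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, body)))).decode()


def krb5_token_stub():
    """GSS token for the KRB5 mech carrying only the AP-REQ TOK_ID; enough for classify()."""
    return base64.b64encode(der(0x60, encode_oid("1.2.840.113554.1.2.2") + b"\x01\x00")).decode()


if __name__ == "__main__":
    for t in (ntlm_type1(), spnego_init(b"\x01\x00"), krb5_token_stub()):
        print(t[:24] + "...", classify(t))
```

Feed `classify()` the value after `Negotiate ` from a captured request: an `ntlmssp` result with message_type 1 is the browser telling you it had no ticket (wrong proxy name, missing SPN, or an enctype the client will not use), and a `spnego` result whose mech list starts with KRB5 is the case where the keytab on the proxy becomes the next thing to check.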


RE: [squid-users] SSLBump and intermedia CA Certificate.

2011-07-04 Thread Ming Fu
Hi Amos,

I am trying to get the intermediate certs into the dynamic ssl connection.  
Based on the code, the cert entry of the http_port configuration is actually a cert 
chain file. So the configuration does have enough info for the intermediate cert 
chain to work. What is missing is that when the SSL_CTX is dynamically generated, it 
only adds the resigned server cert without the chain of certs.

My current difficulty is, after I have located the dynamic SSL_CTX context, how can I 
find the resigning cert chain defined in the configure line 
http_port . cert=certfile

Is it stored in some global?

Regards,
Ming

 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Wednesday, June 22, 2011 7:20 PM
 To: squid-users@squid-cache.org
 Subject: RE: [squid-users] SSLBump and intermedia CA Certificate.
 
  On Wed, 22 Jun 2011 21:37:35 +, Ming Fu wrote:
  I am also interested in understanding the issue.
 
  Can squid send the certificate chain as a part of the negotiation?
  Apache is able to do that, so I think the underlying openssl is not
  the problem. This may require a new configure option in the ssl_bump to
  tell squid where the certificate chain file is.
 
  It is indeed possible.
  The certificate generator is new and does not cover every possible
  situation of SSL. Patches welcome.
 
  Amos
 
 
  Ming
 
 
  -Original Message-
  From: Lindsay Hill [mailto:linds...@makonetworks.com]
  Sent: Tuesday, June 07, 2011 11:31 PM
  To: squid-users@squid-cache.org
  Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
 
  On 06/08/2011 02:52 PM, Amos Jeffries wrote:
   On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
   Hi all.
  
   Finally I successfully implemented ssl-bump with dynamic certificate generation feature.
   But, I don't know how to configure squid to use intermediate ca
   certificate.
   I generated Root CA, then using Root CA i signed Intermediate CA
   certificate and now, I want squid to use this Intermediate CA
   Certificate while generating certs for https connections.
   Then I want to import Root CA certificate into Windows PKI to
  solve
   Unknown CA error while surfing https pages.
   How can I do that?
  
   The client must have a full chain of trust from the root all the
  way
   down to the end certificate during the transactions. I think you
  may
   find that signing with an intermediate CA needs to install both
  the
   root and the intermediate public CA on the clients.
  
  
   I'm looking around cafile, capath of ssl-bump options but nothing
   works for me.
  
   http://wiki.squid-cache.org/Features/SslBump
  
   To squid there is only the cert PEM you told it to sign with.
  
   Amos
  
 
  This matches up with what I've seen so far with my testing - I
  thought I
  might be able to get it to provide the full certificate chain to
  users,
  by playing around with the cafile settings, but no joy. Since all my
  browsers already trust my root CA, I thought that creating an
  intermediate CA for use by Squid would be sufficient. But no, I've
  had
  to install the intermediate CA on my browsers too. Feature request I
  guess?
 
- Lindsay



RE: [squid-users] SSLBump and intermedia CA Certificate.

2011-06-22 Thread Ming Fu
I am also interested in understanding the issue.

Can squid send the certificate chain as a part of the negotiation? Apache is 
able to do that, so I think the underlying openssl is not the problem. This 
may require a new configure option in the ssl_bump to tell squid where the 
certificate chain file is. 

Ming


 -Original Message-
 From: Lindsay Hill [mailto:linds...@makonetworks.com]
 Sent: Tuesday, June 07, 2011 11:31 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
 
 On 06/08/2011 02:52 PM, Amos Jeffries wrote:
  On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
  Hi all.
 
  Finally I successfully implemented ssl-bump with dynamic certificate
  generation feature.
  But, I don't know how to configure squid to use intermediate ca
  certificate.
  I generated Root CA, then using Root CA i signed Intermediate CA
  certificate and now, I want squid to use this Intermediate CA
  Certificate while generating certs for https connections.
  Then I want to import Root CA certificate into Windows PKI to solve
  Unknown CA error while surfing https pages.
  How can I do that?
 
  The client must have a full chain of trust from the root all the way
  down to the end certificate during the transactions. I think you may
  find that signing with an intermediate CA needs to install both the
  root and the intermediate public CA on the clients.
 
 
  I'm looking around cafile, capath of ssl-bump options but nothing
  works for me.
 
  http://wiki.squid-cache.org/Features/SslBump
 
  To squid there is only the cert PEM you told it to sign with.
 
  Amos
 
 
 This matches up with what I've seen so far with my testing - I thought I
 might be able to get it to provide the full certificate chain to users,
 by playing around with the cafile settings, but no joy. Since all my
 browsers already trust my root CA, I thought that creating an
 intermediate CA for use by Squid would be sufficient. But no, I've had
 to install the intermediate CA on my browsers too. Feature request I
 guess?
 
   - Lindsay


RE: [squid-users] SslBump and bad cert

2011-05-25 Thread Ming Fu

 It is too late to alter the client certificate. By the time a server 
 connection is opened Squid may have already served replies out of cache 
 to the client.

I am a bit surprised. Can sslbump make some https content cacheable?

 Meanwhile it is worth investigate why you are getting so many failures...

The actual failure is not my problem; however, the potential for failure or 
behavior differences from a non-sslbump setup is becoming a roadblock for sslbump
acceptance. 

Ming


RE: [squid-users] SslBump and bad cert

2011-05-25 Thread Ming Fu

  It is too late to alter the client certificate. By the time a server
  connection is opened Squid may have already served replies out of
 cache
  to the client.
 
  I am a bit surprised. Can sslbump make some https content cacheable?
 
 Why surprised? ssl-bumps' purpose is to remove the SSL layer on
 arriving
 traffic.
 
   The data inside is just HTTP and gets handled same as any other.
 Caching, filtering, alterations. Anything goes once the security layer
 is erased.
 

This does make me worried. For a web developer writing an https-only site, 
he wouldn't bother with cache control headers the way he would when developing an 
http site. The https itself implies private rather than shared. I would expect sslbump
to preserve this privacy in dealing with https traffic.


Ming


[squid-users] SslBump and bad cert

2011-05-24 Thread Ming Fu
Hi,

When using sslbump and encountering a bad server cert, squid can choose to 
deny or allow such an error. Some static ACL can be used to choose the sites for which 
squid would tolerate a bad cert. However, such an acl is like a fixed list in 
the configuration. Every time a user encounters a new problem site, the squid 
admin has to modify the acl. The squid administrator is also required to 
frequently clean up this list. Is there a way I can let the user at the browser 
override a certificate error message and temporarily proceed to a site with a 
bad cert without involving the squid administrator to modify the acl for 
sslproxy_cert_error?

The following is probably no good for security, but it is no worse than without 
sslbump involved.

I was thinking whether it is possible for squid to sign the man-in-the-middle cert 
on the fly with the same flaw as the bad server certificate instead of denying 
it outright. E.g. if the server cert has expired, sign an expired squid cert 
for the browser. At least this will reproduce the same behavior as if 
sslbump is not turned on. The browser will warn about the certificate problem and the 
user can proceed at his own risk. The squid administrator can be kept out of 
the loop in dealing with not so well maintained server certificates.

Regards,
Ming



RE: [squid-users] SslBump and bad cert

2011-05-24 Thread Ming Fu
Hi Alex,

One question about the sslbump implementation: is the client side cert exchange 
done before squid starts the ssl to the server? If so, it might be too late when 
squid learns that the server cert is not good. The client side cert was already 
sent out.

If the client side cert is exchanged after the server side, I am willing to 
experiment with openssl to see if purposefully signing a flawed cert is 
possible.

Ming

-Original Message-
From: Alex Crow [mailto:a...@nanogherkin.com] 
Sent: Tuesday, May 24, 2011 12:25 PM
To: Ming Fu
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SslBump and bad cert

E.g. if the server cert has expired, sign an expired squid cert to the 
browser. At least this will reproduce the same behavior as if the 
sslbump is not turned on. The browser will warn the certificate problem 
and the user can proceed at his own risk. The squid administrator can be 
kept out of the loop in dealing with not so well maintained server 
certificate.
 Regards,
 Ming


Sounds like it could work, but I don't know with openssl if it's even 
possible to generate a cert that has already expired!

Alex


RE: [squid-users] bug 1991/1939 and kqueue

2011-05-12 Thread Ming Fu
My SSL is OpenSSL 0.9.8n.

Looking at the epoll code, the logic seems to be that if a read is pending, squid 
needs something to trigger a read on the socket that is pending. But as there 
might not be incoming data to push kqueue/epoll into a read event for a long 
time, the code instead asks for a write event. The write event is almost surely 
an immediate trigger, as the chance of the write buffer being full is low. However, once 
the write triggers and read pending is on, a read callback is called 
instead of write.

I will put in the epoll logic to kqueue. Will report its effect.

Ming 

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, May 11, 2011 10:22 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] bug 1991/1939 and kqueue

On 12/05/11 07:21, Ming Fu wrote:
 Hi,

 I was looking into the fix for 1939 on Linux epoll. I am wondering if 
 similarly applying the same modification to kqueue will do the same magic for 
 1991.  On Linux epoll that fix seems to enable write monitoring whenever 
 read_pending is present. I don't understand the logic, but if it works for 
 Linux, would it work for FreeBSD as well?

 Regards,
 Ming


Thank you for taking an interest in fixing bugs!

Which version(s) of Squid and OpenSSL are you replicating it with?

The logic goes that if there is a read pending, then SSL might have 
something buffered needing to write. I suspect it may be a higher level 
problem with SSL omitting a write somewhere or a flag we omit to 
disable OpenSSL buffering. But if Henrik failed to find it, could be hard.

Nothing beats experiments for finding things out. Try it and see.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
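
Amos's explanation above is easiest to see with a buffered record layer between the event loop and the socket: once the layer has pulled a whole segment into user space, the kernel socket is no longer readable, so a loop that waits only for EVFILT_READ/EPOLLIN stalls while data sits in the buffer. The Python below is an added example, not Squid code; RecordLayer is a stand-in for OpenSSL's SSL_read()/SSL_pending(), and run_loop() contrasts the stalled loop with the read_pending workaround the epoll fix uses: when data is pending, also ask for a write event, which fires at once because the socket is writable, and service the pending read from that wakeup.

```python
"""Why Squid's comm loop needs the read_pending/write-event trick: a record
layer such as OpenSSL may already hold decrypted bytes in user space, so the
kernel socket stops looking readable while data is still waiting. Added
example, not Squid code; RecordLayer stands in for SSL_read()/SSL_pending()."""
import selectors
import socket


class RecordLayer:
    """Reads the socket in large chunks but hands out only what the caller
    asked for, keeping the remainder where kevent/epoll cannot see it."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def read(self, n):
        if not self.buf:
            self.buf = self.sock.recv(4096)        # may pull in more than n bytes
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def pending(self):                             # SSL_pending() equivalent
        return len(self.buf)


def run_loop(mode, timeout=0.2):
    """Receive three 4-byte records that arrive in one segment.

    mode == "read-only": wait for readability only (the stalled behaviour).
    mode == "write-when-pending": when the layer has buffered data, also ask
    for a write event, which fires immediately because the socket is writable,
    and run the read handler from that wakeup, as the epoll/kqueue fix does.
    Returns the records received before the loop gave up."""
    peer, sock = socket.socketpair()
    peer.sendall(b"AAAABBBBCCCC")                  # constructed input: 3 records, 1 segment
    layer = RecordLayer(sock)
    sel = selectors.DefaultSelector()
    sel.register(sock, selectors.EVENT_READ)
    got = []
    try:
        while len(got) < 3:
            interest = selectors.EVENT_READ
            read_pending = layer.pending() > 0
            if mode == "write-when-pending" and read_pending:
                interest |= selectors.EVENT_WRITE  # the "ask for a write event" trick
            sel.modify(sock, interest)
            events = sel.select(timeout)
            if not events:
                break                              # stalled: kernel buffer empty, data in layer.buf
            _, mask = events[0]
            if mask & selectors.EVENT_READ or read_pending:
                got.append(layer.read(4))          # read handler, even on a write wakeup
    finally:
        sel.close()
        peer.close()
        sock.close()
    return got


if __name__ == "__main__":
    print("read-only:          ", run_loop("read-only"))
    print("write-when-pending: ", run_loop("write-when-pending"))
```

The read-only loop returns after the first record and then waits until the timeout, which is the hang reported against bug 1939/1991; the second mode drains all three. A production loop would drop the write interest again once `pending()` returns 0, otherwise the always-ready write event turns into a busy loop.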


RE: [squid-users] bug 1991/1939 and kqueue

2011-05-12 Thread Ming Fu
Hi,

Here is a patch for bug 1991 on FreeBSD compiled with kqueue. It fixed the 
websites that previously wouldn't load through sslbump on FreeBSD with kqueue 
enabled.


--- /home/fming/work/squid-3.1.12.1-20110506/src/comm_kqueue.cc 2011-05-06 
00:27:39.0 -0400
+++ comm_kqueue.cc  2011-05-12 10:03:49.0 -0400
@@ -198,7 +198,11 @@
 assert(F-flags.open);
 
 if (type  COMM_SELECT_READ) {
+if (F-flags.read_pending)
+kq_update_events(fd, EVFILT_WRITE, handler);
+ 
 kq_update_events(fd, EVFILT_READ, handler);
+
 F-read_handler = handler;
 F-read_data = client_data;
 }
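Review bot: the EVFILT_WRITE filter added on the `F->flags.read_pending` branch is never removed in this hunk; kqueue filters persist until deleted, so unless kq_update_events() registers with EV_ONESHOT (not visible here), a socket that stays writable will return an EVFILT_WRITE event on every kevent() call after the pending read has been serviced. Suggest deleting the write filter in the dispatch path (or arming it one-shot), and adding a one-line comment stating why a pending read turns into a write watch (per the thread: SSL may hold buffered bytes that no further socket data will flag as readable).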
@@ -291,31 +295,24 @@
 continue;/* XXX! */
 }
 
-switch (ke[i].filter) {
-
-case EVFILT_READ:
-
+if (ke[i].filter == EVFILT_READ || F-flags.read_pending) {
 if ((hdl = F-read_handler) != NULL) {
 F-read_handler = NULL;
 F-flags.read_pending = 0;
 hdl(fd, F-read_data);
 }
+}
 
-break;
-
-case EVFILT_WRITE:
-
+if (ke[i].filter == EVFILT_WRITE) {
 if ((hdl = F-write_handler) != NULL) {
 F-write_handler = NULL;
 hdl(fd, F-write_data);
 }
+}
 
-break;
-
-default:
-/* Bad! -- adrian */
+if (ke[i].filter != EVFILT_WRITE  ke[i].filter != EVFILT_READ) {
+/* Bad! -- adrian */
 debugs(5, 1, comm_select: kevent returned   ke[i].filter  
!);
-break;
 }
 }
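Review bot: the first condition `if (ke[i].filter == EVFILT_READ || F->flags.read_pending)` runs the read handler for any filter value when read_pending is set, including the unexpected filters that the final `if` then reports as "Bad!", and for an EVFILT_WRITE event with read_pending set both the read handler and the write handler now fire from one kevent. Suggest `if (ke[i].filter == EVFILT_READ || (ke[i].filter == EVFILT_WRITE && F->flags.read_pending))` so the bad-filter case still reaches the debugs() without dispatching, plus a short comment that a write event is deliberately used to service a pending read, since the switch that previously made the intent obvious is gone.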





[squid-users] squid ssl certificate db for ssl_bump

2011-05-11 Thread Ming Fu
Hi,

A few questions about sslbump:

1. Can ssl_crtd from different squids on the same hardware share the same 
ssl_crtd certificate cache directory? 
2. If the certificate used to sign the dynamic cert is altered, should the 
ssl_db be recreated (old cached cert removed)?
3. With the -c option on the ssl_crtd, it seems to insist on recreating the 
directory for ssl_db. Would it be possible to just clean the content in that 
directory without removing the directory itself?

Regards,
Ming




[squid-users] bug 1991/1939 and kqueue

2011-05-11 Thread Ming Fu
Hi,

I was looking into the fix for 1939 on Linux epoll. I am wondering if similarly 
applying the same modification to kqueue will do the same magic for 1991.  On 
Linux epoll that fix seems to enable write monitoring whenever read_pending is 
present. I don't understand the logic, but if it works for Linux, would it work 
for FreeBSD as well?

Regards,
Ming



RE: [squid-users] Squid 3.2.0.7 beta is available

2011-04-28 Thread Ming Fu
Thanks, fixed my problem, even on FreeBSD.

Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Thursday, April 28, 2011 12:10 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.2.0.7 beta is available

For those testing this release and having new trouble with ssl-bump 
feature please be aware of a patch:
   http://bugs.squid-cache.org/show_bug.cgi?id=3205

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1


[squid-users] 3.2.0.7 compile error on fedora 14.

2011-04-27 Thread Ming Fu
Hi,

I was trying to investigate if the sslBump problem recently reported by Will 
Metcalf is a result of bug 1991, that SSL does not work well with FreeBSD kqueue.

So I tried to test the same setting on Linux. The system is a 
RedHat Fedora 14. GCC version 4.5.1 20100924, and OpenSSL 1.0.0d-fips 8 Feb 
2011

./configure '--disable-loadable-modules' '--disable-esi' '--enable-icap_client' 
'--enable-ssl' '--enable-auth' '--enable-ssl-crtd' --enable-ltdl-convenience

However I was blocked by the compile error:

make[3]: Entering directory `/home/fming/squid-3.2.0.7/src/ssl'
g++ -DHAVE_CONFIG_H  -I../.. -I../../include -I../../lib -I../../src 
-I../../include  -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror 
-pipe -D_REENTRANT -g -O2 -MT ssl_crtd.o -MD -MP -MF .deps/ssl_crtd.Tpo -c -o 
ssl_crtd.o ssl_crtd.cc
In file included from ssl_crtd.cc:9:0:
../../src/ssl/certificate_db.h: In static member function 'static long unsigned 
int Ssl::CertificateDb::index_serial_hash_LHASH_HASH(const void*)':
../../src/ssl/certificate_db.h:113:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:113:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:113:12: error: 'index_serial_hash_hash' was not 
declared in this scope
../../src/ssl/certificate_db.h: In static member function 'static int 
Ssl::CertificateDb::index_serial_cmp_LHASH_COMP(const void*, const void*)':
../../src/ssl/certificate_db.h:114:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:114:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:114:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:114:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:114:12: error: 'index_serial_cmp_cmp' was not 
declared in this scope
../../src/ssl/certificate_db.h: In static member function 'static long unsigned 
int Ssl::CertificateDb::index_name_hash_LHASH_HASH(const void*)':
../../src/ssl/certificate_db.h:115:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:115:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:115:12: error: 'index_name_hash_hash' was not 
declared in this scope
../../src/ssl/certificate_db.h: In static member function 'static int 
Ssl::CertificateDb::index_name_cmp_LHASH_COMP(const void*, const void*)':
../../src/ssl/certificate_db.h:116:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:116:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:116:12: error: duplicate 'const'
../../src/ssl/certificate_db.h:116:12: error: invalid conversion from 'const 
void*' to 'const char***'
../../src/ssl/certificate_db.h:116:12: error: 'index_name_cmp_cmp' was not 
declared in this scope
make[3]: *** [ssl_crtd.o] Error 1

Any help is appreciated,
Ming


RE: [squid-users] Re: SSLBump+DynamicSSL not working in Squid 3.2.0.7?

2011-04-26 Thread Ming Fu
Here is some observation, hope it will be useful to solve the problem.

I use curl as the client application. The squid is 3.2.0.7

curl -x 10.1.19.16:3128 -k https://www.google.com

Tcpdump showed that the CONNECT method is sent to the ICAP server and a reply is 
received.
Tcpdump also showed that the SSL 1.0 negotiation was done between the squid and 
curl. The curl verbose output confirms the SSL establishment as well. However, 
after curl sends the GET to www.google.com through the tunnel, there is no 
action on the squid side. Searching through the squid log of ALL,9, there is no 
indication that the squid ever noticed the GET request to www.google.com.

Ming

-Original Message-
From: Ming Fu [mailto:ming...@watchguard.com] 
Sent: Monday, April 25, 2011 3:34 PM
To: Will Metcalf; squid-users@squid-cache.org
Subject: RE: [squid-users] Re: SSLBump+DynamicSSL not working in Squid 3.2.0.7?

I experience the same problem for 3.2.0.7 on FreeBSD 8.0.

When doing https to a site, the CONNECT request is sent for reqmod, but after 
receiving the reqmod reply, the squid is not proceeding to make the connection 
to the web server.

Here are the logs with debug options 93 and 28 on.  

2011/04/25 15:19:15.303 kid1| ModXact.cc(696) parseHeaders: parse ICAP headers
2011/04/25 15:19:15.303 kid1| ModXact.cc(1026) parseHead: have 405 head bytes 
to parse; state: 0
2011/04/25 15:19:15.303 kid1| ModXact.cc(1041) parseHead: parse success, 
consume 405 bytes, return true
2011/04/25 15:19:15.303 kid1| ModXact.cc(1119) stopParsing: will no longer 
parse [FD 39;rG/RwP(ieof) job269]
2011/04/25 15:19:15.303 kid1| Adaptation::Icap::ModXact still cannot be 
repeated because preparing to echo content [FD 39;G/RwP(ieof)rp job269]
2011/04/25 15:19:15.303 kid1| ModXact.cc(667) disableBypass: not protecting 
group bypass because preparing to echo content
2011/04/25 15:19:15.304 kid1| Xaction.cc(459) setOutcome: ICAP_ECHO
2011/04/25 15:19:15.304 kid1| ModXact.cc(890) prepEchoing: cloning virgin 
message 0x801fd1800
2011/04/25 15:19:15.304 kid1| ModXact.cc(927) prepEchoing: cloned virgin 
message 0x801fd1800 to 0x801fd1f00
2011/04/25 15:19:15.304 kid1| ModXact.cc(946) prepEchoing: no virgin body to 
echo
2011/04/25 15:19:15.304 kid1| ModXact.cc(561) stopSending: Enter stop sending 
2011/04/25 15:19:15.304 kid1| ModXact.cc(564) stopSending: Proceed with stop 
sending 
2011/04/25 15:19:15.304 kid1| ModXact.cc(576) stopSending: will not start 
sending [FD 39;/RwP(ieof)rp job269]
2011/04/25 15:19:15.304 kid1| HttpRequest.cc(428) adaptHistory: made 
0x802b1ba40*1 for 0x801fd1f00
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact still cannot be 
repeated because sent headers [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Answer.cc(23) Forward: forwarding: 0x801fd1f00
2011/04/25 15:19:15.304 kid1| The AsyncCall Initiator::noteAdaptationAnswer 
constructed, this=0x802b949c0 [call49851]
2011/04/25 15:19:15.304 kid1| Initiate.cc(54) will call 
Initiator::noteAdaptationAnswer(0) [call49851]
2011/04/25 15:19:15.304 kid1| ModXact.cc(494) readMore: returning from readMore 
because reader or doneReading()
2011/04/25 15:19:15.304 kid1| Xaction.cc(305) callEnd: 
Adaptation::Icap::ModXact done with I/O [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Xaction.cc(192) closeConnection: pushing pconn 
[FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact still cannot be retried 
 [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::Xaction::noteCommRead(FD 39, 
data=0x801fd1118, size=405, buf=0x802a55000) ends job [/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| ModXact.cc(1189) swanSong: swan sings 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| ModXact.cc(561) stopSending: Enter stop sending 
2011/04/25 15:19:15.304 kid1| Initiate.cc(36) swanSong: swan sings 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Initiate.cc(43) swanSong: swan sang 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact destructed, 
this=0x801fd1118 [icapxjob269]
2011/04/25 15:19:15.304 kid1| HttpRequest.cc(67) ~HttpRequest: destructed, 
this=0x801fd0a00
2011/04/25 15:19:15.304 kid1| AsyncJob destructed, this=0x801fd1728 
type=Adaptation::Icap::ModXact [job269]
2011/04/25 15:19:15.304 kid1| AsyncJob.cc(138) callEnd: 
Adaptation::Icap::Xaction::noteCommRead(FD 39, data=0x801fd1118, size=405, 
buf=0x802a55000) ended 0x801fd1728
2011/04/25 15:19:15.304 kid1| leaving 
Adaptation::Icap::Xaction::noteCommRead(FD 39, data=0x801fd1118, size=405, 
buf=0x802a55000)
2011/04/25 15:19:15.304 kid1| entering Initiator::noteAdaptationAnswer(0)
2011/04/25 15:19:15.304 kid1| AsyncCall.cc(32) make: make call 
Initiator::noteAdaptationAnswer [call49851]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXactLauncher status in: [ 
job268]
2011/04/25 15:19:15.304 kid1| Launcher.cc(56) noteAdaptationAnswer: launches: 1 
answer: 0
2011/04/25 15:19:15.304 kid1| The AsyncCall Initiator

RE: [squid-users] Re: SSLBump+DynamicSSL not working in Squid 3.2.0.7?

2011-04-25 Thread Ming Fu
I experience the same problem for 3.2.0.7 on FreeBSD 8.0.

When doing https to a site, the CONNECT request is sent for reqmod, but after 
receiving the reqmod reply, the squid is not proceeding to make the connection 
to the web server.

Here are the logs with debug options 93 and 28 on.  

2011/04/25 15:19:15.303 kid1| ModXact.cc(696) parseHeaders: parse ICAP headers
2011/04/25 15:19:15.303 kid1| ModXact.cc(1026) parseHead: have 405 head bytes 
to parse; state: 0
2011/04/25 15:19:15.303 kid1| ModXact.cc(1041) parseHead: parse success, 
consume 405 bytes, return true
2011/04/25 15:19:15.303 kid1| ModXact.cc(1119) stopParsing: will no longer 
parse [FD 39;rG/RwP(ieof) job269]
2011/04/25 15:19:15.303 kid1| Adaptation::Icap::ModXact still cannot be 
repeated because preparing to echo content [FD 39;G/RwP(ieof)rp job269]
2011/04/25 15:19:15.303 kid1| ModXact.cc(667) disableBypass: not protecting 
group bypass because preparing to echo content
2011/04/25 15:19:15.304 kid1| Xaction.cc(459) setOutcome: ICAP_ECHO
2011/04/25 15:19:15.304 kid1| ModXact.cc(890) prepEchoing: cloning virgin 
message 0x801fd1800
2011/04/25 15:19:15.304 kid1| ModXact.cc(927) prepEchoing: cloned virgin 
message 0x801fd1800 to 0x801fd1f00
2011/04/25 15:19:15.304 kid1| ModXact.cc(946) prepEchoing: no virgin body to 
echo
2011/04/25 15:19:15.304 kid1| ModXact.cc(561) stopSending: Enter stop sending 
2011/04/25 15:19:15.304 kid1| ModXact.cc(564) stopSending: Proceed with stop 
sending 
2011/04/25 15:19:15.304 kid1| ModXact.cc(576) stopSending: will not start 
sending [FD 39;/RwP(ieof)rp job269]
2011/04/25 15:19:15.304 kid1| HttpRequest.cc(428) adaptHistory: made 
0x802b1ba40*1 for 0x801fd1f00
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact still cannot be 
repeated because sent headers [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Answer.cc(23) Forward: forwarding: 0x801fd1f00
2011/04/25 15:19:15.304 kid1| The AsyncCall Initiator::noteAdaptationAnswer 
constructed, this=0x802b949c0 [call49851]
2011/04/25 15:19:15.304 kid1| Initiate.cc(54) will call 
Initiator::noteAdaptationAnswer(0) [call49851]
2011/04/25 15:19:15.304 kid1| ModXact.cc(494) readMore: returning from readMore 
because reader or doneReading()
2011/04/25 15:19:15.304 kid1| Xaction.cc(305) callEnd: 
Adaptation::Icap::ModXact done with I/O [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Xaction.cc(192) closeConnection: pushing pconn 
[FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact still cannot be retried 
 [FD 39;/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::Xaction::noteCommRead(FD 39, 
data=0x801fd1118, size=405, buf=0x802a55000) ends job [/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| ModXact.cc(1189) swanSong: swan sings 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| ModXact.cc(561) stopSending: Enter stop sending 
2011/04/25 15:19:15.304 kid1| Initiate.cc(36) swanSong: swan sings 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Initiate.cc(43) swanSong: swan sang 
[/RwP(ieof)rpS job269]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXact destructed, 
this=0x801fd1118 [icapxjob269]
2011/04/25 15:19:15.304 kid1| HttpRequest.cc(67) ~HttpRequest: destructed, 
this=0x801fd0a00
2011/04/25 15:19:15.304 kid1| AsyncJob destructed, this=0x801fd1728 
type=Adaptation::Icap::ModXact [job269]
2011/04/25 15:19:15.304 kid1| AsyncJob.cc(138) callEnd: 
Adaptation::Icap::Xaction::noteCommRead(FD 39, data=0x801fd1118, size=405, 
buf=0x802a55000) ended 0x801fd1728
2011/04/25 15:19:15.304 kid1| leaving 
Adaptation::Icap::Xaction::noteCommRead(FD 39, data=0x801fd1118, size=405, 
buf=0x802a55000)
2011/04/25 15:19:15.304 kid1| entering Initiator::noteAdaptationAnswer(0)
2011/04/25 15:19:15.304 kid1| AsyncCall.cc(32) make: make call 
Initiator::noteAdaptationAnswer [call49851]
2011/04/25 15:19:15.304 kid1| Adaptation::Icap::ModXactLauncher status in: [ 
job268]
2011/04/25 15:19:15.304 kid1| Launcher.cc(56) noteAdaptationAnswer: launches: 1 
answer: 0
2011/04/25 15:19:15.304 kid1| The AsyncCall Initiator::noteAdaptationAnswer 
constructed, this=0x802b94c00 [call49854]
2011/04/25 15:19:15.304 kid1| Initiate.cc(54) will call 
Initiator::noteAdaptationAnswer(0) [call49854]
2011/04/25 15:19:15.304 kid1| Initiator::noteAdaptationAnswer(0) ends job [ 
job268]
2011/04/25 15:19:15.304 kid1| ModXact.cc(1875) swanSong: swan sings
2011/04/25 15:19:15.304 kid1| Initiate.cc(36) swanSong: swan sings [ job268]
2011/04/25 15:19:15.304 kid1| Initiate.cc(43) swanSong: swan sang [ job268]
2011/04/25 15:19:15.304 kid1| AsyncJob destructed, this=0x8029978b0 
type=Adaptation::Icap::ModXactLauncher [job268]
2011/04/25 15:19:15.304 kid1| AsyncJob.cc(138) callEnd: 
Initiator::noteAdaptationAnswer(0) ended 0x8029978b0
2011/04/25 15:19:15.304 kid1| leaving Initiator::noteAdaptationAnswer(0)
2011/04/25 15:19:15.304 kid1| entering Initiator::noteAdaptationAnswer(0)
2011/04/25 15:19:15.304 kid1| AsyncCall.cc(32) make: make 

RE: [squid-users] Squid uses all cpu

2011-04-15 Thread Ming Fu
Hi Tibby,

Try turning on some debug options and -k reconfigure the squid, not restarting it. 
Maybe we can find out what the cpu is being used for.

It happened to me a while ago. The squid did not receive any traffic, but used 
100% of one cpu core. The debug showed that the squid was logging the "Engine ... is 
idle" line continuously.  A normally running squid only logs such a line once per 
second. The squid didn't recover from this crazy logging for hours.

Restarting squid fixed the problem.

The clock of the squid box was adjusted before I discovered the high cpu load on 
squid. Maybe that triggered it.


Ming

-Original Message-
From: Tóth Tibor Péter [mailto:tibor.peter.t...@mtv.hu] 
Sent: Thursday, April 14, 2011 11:59 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid uses all cpu

Hi!

What could cause squid to use the CPU at 100%?
Until now, it worked fine, but for some reason since this morning, it always 
runs at 100%. Squid version is 3.19. Memory is 8GB, cpu is quad core intel. It 
shouldn't be a problem to handle all the incoming requests.

Thanks for the help!
Tibby


[squid-users] Engine ... is idle.

2011-03-31 Thread Ming Fu
Hi,

I have one squid 3.1.11 running at 100% cpu load with virtually no traffic. The 
squid is on a box with two parallel forward squids. The other squid runs 
normally. The only difference between the two squids is that they listen on different 
ports and use different cache directories, log and pid files.

Even with the high cpu load, the little traffic passing through both squids was 
processed normally.

I turned on debug on both squids; the one with the higher load logs the following 
lines far more frequently than the other, normally running squid. 

2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.
2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.
2011/03/30 17:08:42.687| Engine 0x7fffed30 is idle.

I have been running this setup for a while. This is the first time we observe 
the problem. Is there any further debug I can do to trace down the problem? I 
am afraid if I restart the squid, the problem will be gone.


Ming
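Both this post and the reply in the "Squid uses all cpu" thread above describe the same symptom: a runaway event loop that logs "Engine ... is idle." many times per second instead of about once per second per engine. The following is an added example (not Squid's code) that detects that symptom from cache.log lines by counting idle lines per second and per engine; the sample lines are constructed, and the function names are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Key: (wall-clock second, engine pointer as printed by Squid).
using IdleKey = std::pair<std::string, std::string>;

// Parse a cache.log line such as
//   "2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle."
// Returns true and fills `key` when the line is an "Engine ... is idle." line.
static bool parseIdleLine(const std::string& line, IdleKey& key) {
    const std::string marker = "| Engine ";
    const std::string tail = " is idle.";
    const size_t m = line.find(marker);
    const size_t t = line.rfind(tail);
    if (m == std::string::npos || t == std::string::npos || t <= m + marker.size())
        return false;
    if (m < 19)                               // need "YYYY/MM/DD HH:MM:SS"
        return false;
    key.first = line.substr(0, 19);           // drop the .mmm fraction
    key.second = line.substr(m + marker.size(), t - (m + marker.size()));
    return true;
}

// Count idle lines per (second, engine).
std::map<IdleKey, int> idleCounts(const std::vector<std::string>& lines) {
    std::map<IdleKey, int> counts;
    IdleKey key;
    for (const auto& line : lines)
        if (parseIdleLine(line, key))
            ++counts[key];
    return counts;
}

// Seconds in which any engine logged "is idle" more than `threshold` times.
// A healthy Squid logs it about once per second per engine, so threshold 1
// flags the busy loop described in the thread.
std::vector<std::string> busyLoopSeconds(const std::vector<std::string>& lines,
                                         int threshold = 1) {
    std::set<std::string> flagged;
    for (const auto& kv : idleCounts(lines))
        if (kv.second > threshold)
            flagged.insert(kv.first.first);
    return std::vector<std::string>(flagged.begin(), flagged.end());
}

// Constructed sample: a normal second, a runaway second, a normal second.
const std::vector<std::string> kSampleLog = {
    "2011/03/30 17:08:41.001| Engine 0x7fffed30 is idle.",
    "2011/03/30 17:08:41.001| Engine 0x7fffed60 is idle.",
    "2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.",
    "2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.",
    "2011/03/30 17:08:42.686| Engine 0x7fffed30 is idle.",
    "2011/03/30 17:08:42.686| Engine 0x7fffed60 is idle.",
    "2011/03/30 17:08:42.687| Engine 0x7fffed30 is idle.",
    "2011/03/30 17:08:42.687| comm.cc(123) unrelated debug line",
    "2011/03/30 17:08:43.002| Engine 0x7fffed30 is idle.",
    "2011/03/30 17:08:43.002| Engine 0x7fffed60 is idle.",
};
```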



RE: [squid-users] sslbump and always_direct

2011-01-28 Thread Ming Fu
Did some tcpdump between the squid and its parent proxy, saw many connections on 
port 443 were sent in the clear. So sslbump + parent proxy is not advisable for now.

Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: January-27-11 11:59 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] sslbump and always_direct

On 28/01/11 01:53, Ming Fu wrote:
 Hi Amos,

 Does this mean if I use sslbump, I can't have parent proxy.


Should work most of the time. Just be aware there is at least one bug. 
We know it bites badly when there is auth involved, other circumstances 
are unknown.


 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: January-26-11 5:53 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] sslbump and always_direct

 On Wed, 26 Jan 2011 20:18:08 +, Ming Fu wrote:
 Hi,


 The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested
 adding always_direct allow all.

 This will prevent me from having a peer proxy when sslbump is
 configured.

 Wonder what is the reason behind the setting.

 With ssl-bump Squid will hit bugs when un-wrapping back to a CONNECT
 request or may send raw unencrypted https://... URLs to the peers.


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


RE: [squid-users] sslbump and always_direct

2011-01-27 Thread Ming Fu
Hi Amos,

Does this mean if I use sslbump, I can't have parent proxy.

Regards,
Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: January-26-11 5:53 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] sslbump and always_direct

On Wed, 26 Jan 2011 20:18:08 +, Ming Fu wrote:
 Hi,
 
 
 The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested
 adding always_direct allow all.
 
 This will prevent me from having a peer proxy when sslbump is
configured.
 
 Wonder what is the reason behind the setting.

With ssl-bump Squid will hit bugs when un-wrapping back to a CONNECT
request or may send raw unencrypted https://... URLs to the peers.

Amos



RE: [squid-users] sslbump and always_direct

2011-01-27 Thread Ming Fu
Hi Amos,

Thanks for the insight. 
Do you remember the bug number? I want to understand the issue especially when 
unencrypted traffic can be sent.

Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: January-27-11 11:59 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] sslbump and always_direct

On 28/01/11 01:53, Ming Fu wrote:
 Hi Amos,

 Does this mean if I use sslbump, I can't have parent proxy.


Should work most of the time. Just be aware there is at least one bug. 
We know it bites badly when there is auth involved, other circumstances 
are unknown.


 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: January-26-11 5:53 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] sslbump and always_direct

 On Wed, 26 Jan 2011 20:18:08 +, Ming Fu wrote:
 Hi,


 The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested
 adding always_direct allow all.

 This will prevent me from having a peer proxy when sslbump is
 configured.

 Wonder what is the reason behind the setting.

 With ssl-bump Squid will hit bugs when un-wrapping back to a CONNECT
 request or may send raw unencrypted https://... URLs to the peers.


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


[squid-users] sslbump and always_direct

2011-01-26 Thread Ming Fu
Hi,


The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested adding 
always_direct allow all.

This will prevent me from having a peer proxy when sslbump is configured.

Wonder what is the reason behind the setting.



Regards,

Ming



RE: [squid-users] ssl-bump pause for 2 minutes for certain sites

2010-12-17 Thread Ming Fu
Hi Amos,

The pause happens when ICAP sends about 90% of the payload. The Content-Length 
header showed the exact size as 106900. I believe by the time squid starts to 
send the RESPMOD payload, all the DNS should already have finished. 

If you look at the tcpdump on port 443, it pauses for 2 minutes and then is RST by 
the web server. There is no additional data coming in after the pause from the 
webserver on port 443. So squid must already have the payload in full, but somehow 
didn't do anything until kicked by the RST from the web server. After squid 
resumed sending the ICAP payload, it actually sent it in several 600 to 1400 sized 
packets. So it does not look like the web server was holding back the 
payload.

Regards,
Ming


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: December-16-10 8:49 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] ssl-bump pause for 2 minutes for certain sites

On 17/12/10 08:45, Ming Fu wrote:
 Hi,

 When using squid 3.1.9 and ssl-bump, access to
 https://www.e-secure-it.com/info.html will cause squid RESPMOD to
 pause for about 2 minutes when sending the body payload to the ICAP
 server. The payload will eventually arrive. Just can't explain what
 happens during the 2 minutes.

 Tcpdump on port 443 shows that there is a pause during the end of the SSL
 transaction with the e-secure. The time of the port 443 pause
 correlates to the pause of the ICAP body upload. But there is no such
 pause when the browser is directly connected to the e-secure site without
 squid in the middle.


You seem to have answered your own question. Sending stuff to that ICAP 
server is very slow.

Other things to consider:
  * Did the packets actually stop completely at that point? or did 
something else happen?
  * look at DNS etc as well. Squid may be waiting on the ICAP server 
name to resolve.
  * take full packet traces (tcpdump -s 0 ...) and see what is 
actually being transferred to/from ICAP. It could be non-HTTP, broken 
syntax, or any kind of secondary encoding inside a HTTPS security channel.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3


[squid-users] ssl-bump pause for 2 minutes for certain sites

2010-12-16 Thread Ming Fu
Hi,

When using squid 3.1.9 and ssl-bump, access to 
https://www.e-secure-it.com/info.html will cause squid RESPMOD to pause for 
about 2 minutes when sending the body payload to the ICAP server. The payload 
will eventually arrive. Just can't explain what happens during the 2 minutes.

Tcpdump on port 443 shows that there is a pause during the end of the SSL 
transaction with the e-secure. The time of the port 443 pause correlates to the 
pause of the ICAP body upload. But there is no such pause when the browser is directly 
connected to the e-secure site without squid in the middle.

Below are the tcpdumps of the traffic, note the pause happens on 13:40:45

Tcpdump snip of port 443, 10.1.19.16 is the squid box

3:38:35.047078 IP 89.184.165.228.https  10.1.19.16.50768: . 
107523:108911(1388) ack 2141 win 64944 nop,nop,timestamp 55051709 124354221
13:38:35.047088 IP 10.1.19.16.50768  89.184.165.228.https: . ack 108911 win 
8154 nop,nop,timestamp 124354317 55051709
13:38:35.047091 IP 89.184.165.228.https  10.1.19.16.50768: . 
108911:110299(1388) ack 2141 win 64944 nop,nop,timestamp 55051709 124354221
13:38:35.047204 IP 10.1.19.16.50768  89.184.165.228.https: . ack 110299 win 
8328 nop,nop,timestamp 124354317 55051709
13:38:35.047236 IP 89.184.165.228.https  10.1.19.16.50768: . 
110299:111687(1388) ack 2141 win 64944 nop,nop,timestamp 55051709 124354222
13:38:35.047392 IP 89.184.165.228.https  10.1.19.16.50768: . 
111687:113075(1388) ack 2141 win 64944 nop,nop,timestamp 55051709 124354222
13:38:35.047401 IP 10.1.19.16.50768  89.184.165.228.https: . ack 113075 win 
8154 nop,nop,timestamp 124354317 55051709
13:38:35.047405 IP 89.184.165.228.https  10.1.19.16.50768: P 
113075:113425(350) ack 2141 win 64944 nop,nop,timestamp 55051709 124354222
13:38:35.148063 IP 10.1.19.16.50768  89.184.165.228.https: . ack 113425 win 
8328 nop,nop,timestamp 124354418 55051709
13:40:45.414223 IP 89.184.165.228.https  10.1.19.16.50768: R 113425:113425(0) 
ack 2141 win 0


Tcpdump snip of ICAP 

13:38:34.954401 IP 10.1.19.16.59226  10.1.19.25.5099: P 102382:102987(605) ack 
1662 win 8326 nop,nop,timestamp 124354224 1375105687
13:38:34.954437 IP 10.1.19.16.59226  10.1.19.25.5099: . 102987:104435(1448) 
ack 1662 win 8326 nop,nop,timestamp 124354224 1375105687
13:38:34.954442 IP 10.1.19.16.59226  10.1.19.25.5099: P 104435:105040(605) ack 
1662 win 8326 nop,nop,timestamp 124354224 1375105687
13:38:34.954487 IP 10.1.19.16.59226  10.1.19.25.5099: . 105040:106488(1448) 
ack 1662 win 8326 nop,nop,timestamp 124354224 1375105687
13:38:34.954491 IP 10.1.19.16.59226  10.1.19.25.5099: P 106488:107085(597) ack 
1662 win 8326 nop,nop,timestamp 124354224 1375105687
13:38:34.954713 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 92117 win 8145 
nop,nop,timestamp 1375105781 124354224
13:38:34.954870 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 92722 win 8250 
nop,nop,timestamp 1375105781 124354224
13:38:34.955027 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 94775 win 8069 
nop,nop,timestamp 1375105781 124354224
13:38:34.955184 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 96828 win 8069 
nop,nop,timestamp 1375105782 124354224
13:38:34.955341 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 98276 win 8145 
nop,nop,timestamp 1375105782 124354224
13:38:34.955498 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 98881 win 8250 
nop,nop,timestamp 1375105782 124354224
13:38:34.955503 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 100934 win 8069 
nop,nop,timestamp 1375105782 124354224
13:38:34.955655 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 102382 win 8145 
nop,nop,timestamp 1375105782 124354224
13:38:34.955812 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 102987 win 8250 
nop,nop,timestamp 1375105782 124354224
13:38:34.955817 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 105040 win 8069 
nop,nop,timestamp 1375105782 124354224
13:38:34.956126 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 107085 win 8070 
nop,nop,timestamp 1375105783 124354224
13:38:35.047538 IP 10.1.19.16.59226  10.1.19.25.5099: . 107085:108533(1448) 
ack 1662 win 8326 nop,nop,timestamp 124354317 1375105783
13:38:35.047543 IP 10.1.19.16.59226  10.1.19.25.5099: P 108533:109138(605) ack 
1662 win 8326 nop,nop,timestamp 124354317 1375105783
13:38:35.048036 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 108533 win 8145 
nop,nop,timestamp 1375105874 124354317
13:38:35.048193 IP 10.1.19.25.5099  10.1.19.16.59226: . ack 109138 win 8250 
nop,nop,timestamp 1375105874 124354317
13:40:45.414333 IP 10.1.19.16.59226  10.1.19.25.5099: . 109138:110586(1448) 
ack 1662 win 8326 nop,nop,timestamp 124484684 1375105874
13:40:45.414339 IP 10.1.19.16.59226  10.1.19.25.5099: P 110586:111191(605) ack 
1662 win 8326 nop,nop,timestamp 124484684 1375105874
13:40:45.414382 IP 10.1.19.16.59226  10.1.19.25.5099: . 111191:112639(1448) 
ack 1662 win 8326 nop,nop,timestamp 124484684 1375105874
13:40:45.414387 IP 10.1.19.16.59226  10.1.19.25.5099: P 112639:113244(605) ack 
1662 win 8326 nop,nop,timestamp 124484684 1375105874
13:40:45.414423 IP 10.1.19.16.59226  

[squid-users] icap respmod and cache_peer

2010-12-14 Thread Ming Fu
Hi,

I have the following cache_peer and icap configuration for squid 3.1.4.

I can get respmod without the cache_peer line, but with cache_peer, only reqmod 
is triggered, no respmod.

cache_peer 10.1.19.24 parent 8080 0  no-query no-digest

icap_enable on
icap_preview_enable on
icap_preview_size 10240
icap_send_client_ip on
icap_client_username_header X-Client-Username
icap_client_username_encode off
icap_send_client_username on
icap_service is_pxyscn_req reqmod_precache 0 icap://127.0.0.1:5099/pxyscn/reqmod
icap_service is_pxyscn_resp respmod_precache 0 icap://127.0.0.1:5099/pxyscn/respmod
adaptation_access is_pxyscn_req allow !localhost
adaptation_access is_pxyscn_resp allow !localhost
adaptation_masterx_shared_names X-SubScribe

Best Regards,
Ming



RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-11-30 Thread Ming Fu

-Original Message-

 2010/11/29 15:27:04 kid3| Set Current Directory to /usr/local/squid/var/cache
 2010/11/29 15:27:04 kid1| Set Current Directory to /usr/local/squid/var/cache
 2010/11/29 15:27:04 kid2| Set Current Directory to /usr/local/squid/var/cache

Note how .../var/cache  is not in your config at all. It is a default 
home location for the core dumps etc.

 FATAL: kid2 registration timed out

... something else is causing the worker process not to make contact 
with the coordinator process.

Any hint on how I can find out the source of the problem?


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3


RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-11-29 Thread Ming Fu
Hi Henrik,

Thanks for pointing out that I need to use the if..else..endif statement; however, 
I can't find the condition macros for the if to test.

For example,

If first worker
Cache_dir here ...
Else
Cache_dir there ...
Endif

How do I say the first worker?

Ming

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
Sent: November-27-10 4:34 AM
To: Ming Fu
Cc: squid-users@squid-cache.org; Squid Developers
Subject: RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' 
(from 1 to 2) is not supported and ignored

fre 2010-11-26 klockan 21:08 + skrev Ming Fu:
 Ktrace showed that the bind failed because it tries to open a unix socket in 
 /usr/local/squid/var/run and it does not have the permission. So it is easy 
 to fix.
 
 After the permission is corrected, I run into other problem, here is the log 
 snip:
 
 2010/11/26 20:55:35 kid2| Starting Squid Cache version 3.2.0.3 for 
 amd64-unknown-freebsd8.1...
 2010/11/26 20:55:35 kid3| Starting Squid Cache version 3.2.0.3 for 
 amd64-unknown-freebsd8.1...
 2010/11/26 20:55:35 kid1| Starting Squid Cache version 3.2.0.3 for 
 amd64-unknown-freebsd8.1...
 2010/11/26 20:55:35 kid3| Set Current Directory to /usr/local/squid/var/cache
 2010/11/26 20:55:35 kid2| Set Current Directory to /usr/local/squid/var/cache
 2010/11/26 20:55:35 kid1| Set Current Directory to /usr/local/squid/var/cache

Each worker needs its own cache location.

http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.1

Regards
Henrik



RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-11-29 Thread Ming Fu
The cache_dir setting in the if..else..endif does not seem to take effect.
squid -z does create the cache subdirectories without issue, but squid seems 
to use the default cache directory as if it didn't see the if statement.

= squid.conf
workers 2
if ${process_number} = 1
cache_dir aufs /usr/local/squid/var/a 500 16 256
else
cache_dir aufs /usr/local/squid/var/b 500 16 256
endif
==

=logs=== 
2010/11/29 15:23:56 kid1| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/29 15:23:56 kid1| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:23:58 kid1| basic/basicScheme.cc(64) done: Basic authentication 
Schema Detached.
2010/11/29 15:23:58 kid3| basic/basicScheme.cc(64) done: Basic authentication 
Schema Detached.
2010/11/29 15:27:04 kid3| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid2| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid1| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/29 15:27:04 kid3| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:27:04 kid1| Set Current Directory to /usr/local/squid/var/cache
2010/11/29 15:27:04 kid2| Set Current Directory to /usr/local/squid/var/cache
FATAL: kid2 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.024 seconds = 0.016 user + 0.008 sys
Maximum Resident Size: 10312 KB
Page faults with physical i/o: 0
FATAL: kid1 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.024 seconds = 0.012 user + 0.012 sys
Maximum Resident Size: 10524 KB
Page faults with physical i/o: 0

Ming


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: November-29-10 9:08 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' 
(from 1 to 2) is not supported and ignored

On 30/11/10 02:41, Ming Fu wrote:
 Hi Henrik,

 Thanks for pointing out that I need to use the if..else..endif statement; 
 however, I can't find the condition macros for the if to test.

 For example,

 If first worker
 Cache_dir here ...
 Else
 Cache_dir there ...
 Endif

 How do I say the first worker?

if ${process_number} = 1
...
else
...
endif


Another method if you want a cache_dir for each is to have a numbered 
subdirectory for each worker:

   cache_dir aufs /var/cache/${process_number} ...

Then squid -z to create as usual. Just remember that this will take up N 
times the configured directory size.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
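A model of the per-worker selection Amos and Henrik describe, as an added example that is not part of the thread and not Squid's own configuration parser. It evaluates the `if ${process_number} = N ... else ... endif` blocks and the `${process_number}` substitution shown above for each worker declared by `workers N`, and reports any cache_dir that two workers would both open, which is the situation in the logs above where every kid sets its directory to /usr/local/squid/var/cache. Only the condition form used in the thread is modelled; other Squid conditionals are assumed out of scope, and the sample configurations are constructed.

```python
"""Added example: model which cache_dir each Squid 3.2 worker would use.

This is not Squid's own configuration parser; it implements only the
``if ${process_number} = N`` / ``else`` / ``endif`` blocks and the
``${process_number}`` substitution shown in the thread (assumption).
"""
import re

# Constructed squid.conf fragments (not from a live system).
CONDITIONAL_CONF = """\
workers 2
if ${process_number} = 1
cache_dir aufs /usr/local/squid/var/a 500 16 256
else
cache_dir aufs /usr/local/squid/var/b 500 16 256
endif
"""

SHARED_CONF = """\
workers 2
cache_dir aufs /usr/local/squid/var/cache 500 16 256
"""

PER_PROCESS_CONF = """\
workers 3
cache_dir aufs /var/cache/${process_number} 500 16 256
"""

_IF_RE = re.compile(r"^if\s+\$\{process_number\}\s*=\s*(\d+)\s*$")
_WORKERS_RE = re.compile(r"^workers\s+(\d+)\s*$", re.MULTILINE)


def effective_config(conf_text, process_number):
    """Return the directive lines that worker ``kid<process_number>`` would apply."""
    active_lines = []
    # One entry per open ``if``: [condition_result, currently_in_else_branch]
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _IF_RE.match(line)
        if match:
            stack.append([int(match.group(1)) == process_number, False])
            continue
        if line == "else":
            if not stack:
                raise ValueError("else without if")
            stack[-1][1] = True
            continue
        if line == "endif":
            if not stack:
                raise ValueError("endif without if")
            stack.pop()
            continue
        # A line is live only if every enclosing block selects its branch:
        # the if-branch when the condition held, the else-branch when it did not.
        if all(cond != in_else for cond, in_else in stack):
            active_lines.append(line.replace("${process_number}", str(process_number)))
    if stack:
        raise ValueError("if without endif")
    return active_lines


def cache_dirs_per_worker(conf_text):
    """Map each worker number to the cache_dir paths it would open."""
    match = _WORKERS_RE.search(conf_text)
    workers = int(match.group(1)) if match else 1
    result = {}
    for n in range(1, workers + 1):
        paths = []
        for line in effective_config(conf_text, n):
            fields = line.split()
            if fields[0] == "cache_dir" and len(fields) >= 3:
                paths.append(fields[2])
        result[n] = paths
    return result


def shared_cache_dirs(conf_text):
    """Return cache_dir paths claimed by more than one worker.

    Two workers maintaining swap.state in the same directory is the
    situation Henrik's reply rules out: each worker needs its own location.
    """
    owners = {}
    for worker, paths in cache_dirs_per_worker(conf_text).items():
        for path in paths:
            owners.setdefault(path, set()).add(worker)
    return sorted(path for path, workers in owners.items() if len(workers) > 1)


if __name__ == "__main__":
    for label, conf in [("conditional", CONDITIONAL_CONF),
                        ("shared", SHARED_CONF),
                        ("per-process", PER_PROCESS_CONF)]:
        print(label, cache_dirs_per_worker(conf), "shared:", shared_cache_dirs(conf))
```

Run it against a real squid.conf before `squid -z` to see the directory set each kid will claim; an empty result from `shared_cache_dirs` is the property to check. Whether a given 3.2 beta honours the conditional at runtime is a separate question (Ming reports 3.2.0.3 did not), so the model describes the documented syntax, not the behaviour of any particular build.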


RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-11-26 Thread Ming Fu
Ktrace showed that the bind failed because it tries to open a unix socket in 
/usr/local/squid/var/run and does not have permission. So it is easy to 
fix.

After the permission is corrected, I ran into another problem; here is the log 
snippet:

2010/11/26 20:55:35 kid2| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/26 20:55:35 kid3| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/26 20:55:35 kid1| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/26 20:55:35 kid3| Set Current Directory to /usr/local/squid/var/cache
2010/11/26 20:55:35 kid2| Set Current Directory to /usr/local/squid/var/cache
2010/11/26 20:55:35 kid1| Set Current Directory to /usr/local/squid/var/cache
FATAL: commonUfsDirCloseTmpSwapLog: rename failed
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.043 seconds = 0.000 user + 0.043 sys
Maximum Resident Size: 10416 KB
Page faults with physical i/o: 0
2010/11/26 20:55:38 kid1| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/26 20:55:38 kid1| Set Current Directory to /usr/local/squid/var/cache
FATAL: kid2 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
CPU Usage: 0.041 seconds = 0.010 user + 0.031 sys
Maximum Resident Size: 10324 KB
Page faults with physical i/o: 0
2010/11/26 20:55:46 kid2| Starting Squid Cache version 3.2.0.3 for 
amd64-unknown-freebsd8.1...
2010/11/26 20:55:47 kid2| Set Current Directory to /usr/local/squid/var/cache
FATAL: kid1 registration timed out
Squid Cache (Version 3.2.0.3): Terminated abnormally.
===

Here is the trace log for the error 
==
35092 initial thread CALL  rename(0x80283f460,0x80283f430)
 35092 initial thread NAMI  /usr/local/squid/var/cache/swap.state.new
 35092 initial thread RET   rename -1 errno 2 No such file or directory
 35092 initial thread CALL  setgroups(0x1,0x89ccac)
 35092 initial thread RET   setgroups -1 errno 1 Operation not permitted
 35092 initial thread CALL  setgid(0)
 35092 initial thread RET   setgid 0
 35092 initial thread CALL  geteuid
 35092 initial thread RET   geteuid 65534/0xfffe
 35092 initial thread CALL  clock_gettime(0xd,0x7fffd980)
 35092 initial thread RET   clock_gettime 0
 35092 initial thread CALL  socket(PF_LOCAL,SOCK_DGRAM,0)
 35092 initial thread RET   socket 12/0xc
 35092 initial thread CALL  fcntl(0xc,F_SETFD,FD_CLOEXEC)
 35092 initial thread RET   fcntl 0
 35092 initial thread CALL  connect(0xc,0x7fffd8f0,0x6a)
 35092 initial thread STRU  struct sockaddr { AF_LOCAL, /var/run/logpriv }
 35092 initial thread NAMI  /var/run/logpriv
 35092 initial thread RET   connect -1 errno 13 Permission denied
 35092 initial thread CALL  connect(0xc,0x7fffd8f0,0x6a)
 35092 initial thread STRU  struct sockaddr { AF_LOCAL, /var/run/log }
 35092 initial thread NAMI  /var/run/log
 35092 initial thread RET   connect 0
 35092 initial thread CALL  sendto(0xc,0x7fffda10,0x48,0,0,0)
 35092 initial thread GIO   fd 12 wrote 72 bytes
   <9>Nov 26 20:55:35 (squid-1): commonUfsDirCloseTmpSwapLog: rename failed
=

What is squid trying to do here?

Also I was wondering if I run 2 workers, should I see two cache directories, 
one for each worker?

Ming

-Original Message-
From: Ming Fu [mailto:ming...@watchguard.com] 
Sent: November-22-10 2:55 PM
To: squid-users@squid-cache.org; Squid Developers
Subject: RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' 
(from 1 to 2) is not supported and ignored

Hi Amos,

Is there any news on this problem? I tested squid 3.2.0.3. The problem is 
still there. I am using FreeBSD 8.1.

Regards,
Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: August-04-10 9:56 AM
To: squid-users@squid-cache.org; Squid Developers
Subject: Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' 
(from 1 to 2) is not supported and ignored

Zeller, Jan (ID) wrote:
 It looks like that message only occurs on a reconfigure. Does -k
 restart
 after the config change work?

 Amos
 
 hmm the change applies once squid is restarted but now I am getting :
 
 010/08/04 08:21:20 kid3| commBind: Cannot bind socket FD 12 to [::]: (13) 
 Permission denied
 .
 .
 
 squid is running as 
 
 cache_effective_user  proxy
 cache_effective_group proxy
 
 squid processes are running but no listening port. Any clue why this happens 
 ? 

Nothing I know about should lead to a kidN using bind on [::] or 0.0.0.0.

Maybe Alex has a clue.

cc'ing to squid-dev where beta release problems really need to be 
discussed. Please follow up there.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6

RE: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' (from 1 to 2) is not supported and ignored

2010-11-22 Thread Ming Fu
Hi Amos,

Is there any news on this problem? I tested squid 3.2.0.3. The problem is 
still there. I am using FreeBSD 8.1.

Regards,
Ming

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: August-04-10 9:56 AM
To: squid-users@squid-cache.org; Squid Developers
Subject: Re: [squid-users] Beta testers wanted for 3.2.0.1 - Changing 'workers' 
(from 1 to 2) is not supported and ignored

Zeller, Jan (ID) wrote:
 It looks like that message only occurs on a reconfigure. Does -k
 restart
 after the config change work?

 Amos
 
 hmm the change applies once squid is restarted but now I am getting :
 
 010/08/04 08:21:20 kid3| commBind: Cannot bind socket FD 12 to [::]: (13) 
 Permission denied
 .
 .
 
 squid is running as 
 
 cache_effective_user  proxy
 cache_effective_group proxy
 
 squid processes are running but no listening port. Any clue why this happens 
 ? 

Nothing I know about should lead to a kidN using bind on [::] or 0.0.0.0.

Maybe Alex has a clue.

cc'ing to squid-dev where beta release problems really need to be 
discussed. Please follow up there.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1



[squid-users] icap 407 from icap-server

2010-08-23 Thread Ming Fu
Hi,

I was using the icap server to do client authentication, and I was wondering
if the following is a valid transaction. Squid did not send anything
back to the browser. Squid version 3.1.4.

Found the previous thread about a similar issue:
http://www.spinics.net/lists/squid/msg49394.html
Is there a bug already submitted? I searched the squid bug list and didn't
find anything that fits the description.


REQMOD icap://127.0.0.1:5099/pxyscn/reqmod ICAP/1.0
Host: 127.0.0.1:5099
Date: Mon, 23 Aug 2010 15:26:40 GMT
Encapsulated: req-hdr=0, null-body=415
Allow: 204
X-Client-IP: 10.1.19.70

GET http://www.freebsd.org/ HTTP/1.1
Host: www.freebsd.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9)
Gecko/20100330 Fedora/3.5.9-1.fc11 Firefox/3.5.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: style=Normal Text
Cache-Control: max-age=0


ICAP/1.0 200 OK
Date: Mon, 23 Aug 2010 15:26:40 UTC
ISTags: XYZ123
Server: XYZ ICAP Server
Connection: close 
Encapsulated: res-hdr=0, res-body=110

HTTP/1.1 407 Proxy Authentication Required
Cache-Control: no-cache
Proxy-Authenticate: Basic realm=XYZ


Thanks in advance,
Ming
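A structural check of the ICAP framing in a capture like the one above, as an added example that is not part of the thread and not Squid's code. It applies the RFC 3507 rules for the Encapsulated header: the list names header entities first and ends with exactly one body entity, each offset counts from the start of the encapsulated section, `null-body` means nothing follows the HTTP headers, and `req-body`/`res-body` must be followed by a chunked body that ends with a last-chunk. The thing worth checking in a capture where the proxy goes silent is whether a response that declares `res-body` actually carried a chunked body, since a peer that expects one will wait. The HTTP 407 below is constructed after the one in the thread (with the realm quoted, which is how the archive's 110-byte offset adds up); chunk trailers are ignored (assumption).

```python
"""Added example: check an ICAP response's Encapsulated header against its payload.

Not part of the thread and not Squid's code. It applies the RFC 3507 rules
for the Encapsulated header: header entities first, exactly one body entity
last, offsets from the start of the encapsulated section, ``null-body`` means
nothing follows, and ``req-body``/``res-body`` must be followed by a chunked
body ending with a last-chunk. Chunk trailers are ignored (assumption).
"""
CRLF = b"\r\n"
HEADER_ENTITIES = ("req-hdr", "res-hdr")
BODY_ENTITIES = ("req-body", "res-body", "null-body", "opt-body")
LAST_CHUNK = b"0\r\n\r\n"

# Constructed HTTP 407 modelled on the one in the thread (realm quoted as the
# ICAP server presumably sent it; the archive stripped the quotes).
HTTP_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b"Cache-Control: no-cache\r\n"
            b"Proxy-Authenticate: Basic realm=\"XYZ\"\r\n"
            b"\r\n")


def icap_200(encapsulated, payload):
    """Build a constructed ICAP/1.0 200 response carrying ``payload``."""
    return (b"ICAP/1.0 200 OK\r\n"
            b"ISTag: \"XYZ123\"\r\n"
            b"Server: XYZ ICAP Server\r\n"
            b"Connection: close\r\n"
            b"Encapsulated: " + encapsulated.encode("ascii") + b"\r\n"
            b"\r\n" + payload)


# Three ways of framing the same header-only 407: two sound, one dangling.
NULL_BODY = icap_200(f"res-hdr=0, null-body={len(HTTP_407)}", HTTP_407)
CHUNKED_EMPTY_BODY = icap_200(f"res-hdr=0, res-body={len(HTTP_407)}", HTTP_407 + LAST_CHUNK)
DANGLING_BODY = icap_200(f"res-hdr=0, res-body={len(HTTP_407)}", HTTP_407)


def parse_encapsulated(value):
    """Parse 'res-hdr=0, res-body=110' into [(entity, offset), ...] in order."""
    entries = []
    for item in value.split(","):
        name, sep, offset = item.strip().partition("=")
        if not sep or name not in HEADER_ENTITIES + BODY_ENTITIES or not offset.isdigit():
            raise ValueError(f"malformed Encapsulated entry {item.strip()!r}")
        entries.append((name, int(offset)))
    return entries


def split_icap(message):
    """Split raw ICAP bytes into (status line, header dict, encapsulated payload)."""
    head, sep, payload = message.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("ICAP header block not terminated")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0].decode("ascii"), headers, payload


def check_response(message):
    """Return a list of framing problems; an empty list means the framing is sound."""
    problems = []
    _status, headers, payload = split_icap(message)
    if "encapsulated" not in headers:
        return ["missing Encapsulated header"]
    entries = parse_encapsulated(headers["encapsulated"])
    body_name, body_off = entries[-1]
    if body_name not in BODY_ENTITIES or any(n in BODY_ENTITIES for n, _ in entries[:-1]):
        return ["Encapsulated must list header entities first and end with one body entity"]
    offsets = [off for _, off in entries]
    if offsets[0] != 0 or offsets != sorted(offsets):
        problems.append(f"offsets must ascend from 0, got {offsets}")
    # Each header entity spans up to the next offset and must end with a blank line.
    for (name, start), (_, end) in zip(entries, entries[1:]):
        if not payload[start:end].endswith(CRLF + CRLF):
            problems.append(f"{name} at {start}..{end} is not a complete header block")
    rest = payload[body_off:]
    if body_name == "null-body":
        if rest:
            problems.append(f"null-body at {body_off} but {len(rest)} trailing bytes follow")
    elif not rest.endswith(LAST_CHUNK):
        problems.append(f"{body_name} at {body_off} declared but no last-chunk follows; "
                        "the peer will keep waiting for body data")
    return problems


if __name__ == "__main__":
    for label, msg in [("null-body", NULL_BODY), ("chunked", CHUNKED_EMPTY_BODY),
                       ("dangling", DANGLING_BODY)]:
        print(label, check_response(msg) or "ok")
```

Feed it the raw bytes of a captured ICAP response (for example from a packet capture of the loopback ICAP port) to see whether the server's framing matches what it declared; a `res-body` with no last-chunk is exactly the kind of response a proxy cannot finish handling.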


[squid-users] sslbump and google cert error

2010-03-12 Thread Ming Fu

I was using squid 3.1.0.16 icap + sslbump

The following log is from command
curl -x 10.1.19.16:3128 -k https://www.google.com;

What are error numbers 20 and 27 for?


2010/03/12 10:47:56.569| ClientHttpRequest::httpStart: NONE for 
'https://www.google.com/'

2010/03/12 10:47:56.569| clientProcessRequest2: StoreEntry is NULL -  MISS
2010/03/12 10:47:56.569| SSL unknown certificate error 20 in 
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| bypassing SSL error 20 in 
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| SSL unknown certificate error 27 in 
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| bypassing SSL error 27 in 
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| SSL Certificate signature OK: 
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| Verifying server domain www.google.com to 
certificate dn /C=US/ST=California/L=Mountain View/O=Google 
Inc/CN=www.google.com
2010/03/12 10:47:56.812| Verifying server domain www.google.com to 
certificate cn www.google.com
2010/03/12 10:47:56.953| Iterator.cc(171) updatePlan: no 
service-proposed plan received


Thanks,
Ming

--
Ming Fu | Senior Developer
WatchGuard Technologies, Inc. | www.watchguard.com

(905)-804-1855 ext 229
fm...@watchguard.com

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Get red. Get secured.
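The numbers in those lines are OpenSSL certificate verification results (the X509_V_ERR_* values): 20 is UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning the CA that signed the chain is not in the trust store Squid was given, and 27 is CERT_UNTRUSTED. The "bypassing" lines mean Squid went on to serve the page through sslbump anyway (in 3.1 the sslproxy_cert_error access list controls that), so the browser, which trusts the proxy's generated certificate, saw a clean TLS connection although the upstream chain did not verify. The following is an added example, not part of the thread and not Squid's code, that reads cache.log lines of this shape and reports which verification errors were waved through for which server certificate; the log excerpt is constructed after the one above with the archive's line wrapping undone, and the code table covers only the values a proxy operator meets most often (assumption: anything else is reported by number).

```python
"""Added example: audit which certificate errors a Squid sslbump log bypassed.

Not part of the thread and not Squid's code. The numeric codes in
``SSL unknown certificate error N`` lines are OpenSSL X509 verification
results (X509_V_ERR_* in openssl/x509_vfy.h); the table is limited to the
codes a proxy operator meets most often (assumption: others show by number).
"""
import re
from collections import defaultdict

X509_V_ERR = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    9: "CERT_NOT_YET_VALID",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    23: "CERT_REVOKED",
    27: "CERT_UNTRUSTED",
}

# Constructed cache.log excerpt modelled on the thread's output, with the
# archive's line wrapping undone so each event is one line; the last line
# adds a constructed, never-bypassed expiry error for contrast.
SAMPLE_LOG = """\
2010/03/12 10:47:56.569| SSL unknown certificate error 20 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| bypassing SSL error 20 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| SSL unknown certificate error 27 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| bypassing SSL error 27 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:47:56.812| SSL Certificate signature OK: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
2010/03/12 10:48:01.004| SSL unknown certificate error 10 in /C=XX/O=Constructed Example/CN=expired.example
"""

_SEEN_RE = re.compile(r"SSL unknown certificate error (\d+) in (.+)$")
_BYPASS_RE = re.compile(r"bypassing SSL error (\d+) in (.+)$")


def error_name(code):
    """Name an OpenSSL verification result; unknown codes keep their number."""
    return X509_V_ERR.get(code, f"UNKNOWN_{code}")


def audit_ssl_errors(log_text):
    """Return {subject DN: {code: bypassed}} built from cache.log lines."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        match = _SEEN_RE.search(line)
        if match:
            seen[match.group(2).strip()].setdefault(int(match.group(1)), False)
            continue
        match = _BYPASS_RE.search(line)
        if match:
            seen[match.group(2).strip()][int(match.group(1))] = True
    return dict(seen)


def bypassed_report(log_text):
    """List (DN, code, name) for every verification error the proxy waved through.

    Each entry is a connection the client saw as valid TLS, because it trusts
    the proxy's generated certificate, although the upstream chain failed.
    """
    return [(dn, code, error_name(code))
            for dn, codes in audit_ssl_errors(log_text).items()
            for code, bypassed in sorted(codes.items()) if bypassed]


def blocked_report(log_text):
    """List (DN, code, name) for errors that were seen and not bypassed."""
    return [(dn, code, error_name(code))
            for dn, codes in audit_ssl_errors(log_text).items()
            for code, bypassed in sorted(codes.items()) if not bypassed]


if __name__ == "__main__":
    for dn, code, name in bypassed_report(SAMPLE_LOG):
        print(f"BYPASSED {code:3d} {name:36s} {dn}")
    for dn, code, name in blocked_report(SAMPLE_LOG):
        print(f"blocked  {code:3d} {name:36s} {dn}")
```

Running this over a day of cache.log at the debug level that produces these lines gives the list of origin certificates the proxy vouched for without a verified chain; for code 20 in particular the fix on the proxy side is to give Squid the CA bundle it is missing rather than to keep bypassing.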



[squid-users] ICAP and ISTag header

2010-01-29 Thread Ming Fu

I am wondering how the ISTag header is used by squid 3.

Will a change of the ISTag cause all cached content to become invalid, or just
the cache of the requested url?

In the code, it seems the ISTag is only parsed on OPTIONS.

Thanks
Ming

--
Ming Fu | Senior Developer
WatchGuard Technologies, Inc. | www.watchguard.com

(905)-804-1855 ext 229
fm...@watchguard.com

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Get red. Get secured.



Re: [squid-users] Forward Cache not working

2010-01-05 Thread Ming Fu
Authenticated requests are not cacheable unless overridden by 
Cache-Control: public in the server response.


Ming
On 01/04/2010 11:12 PM, Mike Makowski wrote:

I have attached a screenshot of WGET header output with the -S option.

I see nothing about private in the headers so I'm assuming this content
should be getting cached.  Yet, each time I run wget and then view the Squid
access log it shows TCP_MISS on every attempt.  I'll try the Ignore Private
parameter in squid just to make sure that isn't the cause.

Very puzzling.

Mike

-Original Message-
From: Chris Robertson [mailto:crobert...@gci.net]
Sent: Monday, January 04, 2010 6:48 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Forward Cache not working

Mike Makowski wrote:

Here is my basic config.  Using defaults for everything else.

acl localnet src 172.16.0.0/12
http_access allow local_net
maximum_object_size 25 MB

Here is a log entry showing one connection from a LAN user through the
proxy.  I am guessing that the TCP_MISS is significant.  Perhaps the
original source is marked as Private as Chris suggested. Don't really know
how to even tell that though.

Add a -S to wget to output the server headers.

wget -S http://www.sortmonster.net/master/Updates/test.xyz -O test.new.gz
--header=Accept-Encoding:gzip --http-user=myuserid --http-passwd=mypassword

Can squid be forced to cache regardless of
source settings?

Yes.  http://www.squid-cache.org/Versions/v3/3.0/cfgman/refresh_pattern.html

Keyword ignore-private.

1262645523.217 305633 172.17.0.152 TCP_MISS/200 11674081 GET
http://www.sortmonster.net/master/Updates/test.xyz - DIRECT/74.205.4.93
application/x-sortmonster 1262645523.464 122

Mike

Chris




Re: [squid-users] Forward Cache not working

2010-01-05 Thread Ming Fu

On 01/05/2010 01:28 PM, Mike Makowski wrote:

I understand that authenticated requests are not cache-able unless over
written by Cache-control: public in server respond.

I am assuming this is true even though the wget header responses above dont
indicate any type of Private or Authenticated session. Is the fact that I am
simply including a username and password in the wget command line enough for
squid to assume this is not a cacheable session?
   
Yes, any request with an Authorization header. wget will add that 
header when you give it a username and password.

Since I experimented with the squid caching options to no avail last night
could you please suggest a config file line with full syntax that I can try?
Is it simply Cache-control: public in server respond?
   
Ask the server to put Cache-Control: public on the response header if 
you have control of it.

Thanks

Mike


-Original Message-
From: Mike Marchywka [mailto:marchy...@hotmail.com]
Sent: Tuesday, January 05, 2010 6:15 AM
To: mi...@btslink.com; crobert...@gci.net; squid-users@squid-cache.org
Subject: RE: [squid-users] Forward Cache not working

From:
To: crobert...@gci.net; squid-users@squid-cache.org
Date: Mon, 4 Jan 2010 22:12:56 -0600
Subject: RE: [squid-users] Forward Cache not working

I have attached a screenshot of WGET header output with the -S option.

LOL, can you just email the text in a plain text email? If I didn't know
better I'd think someone put you up to this- you often are forced to with GUI
output from which concise ASCII information can not be extracted.

I see nothing about private in the headers so I'm assuming this content
should be getting cached. Yet, each time I run wget and then view the Squid
access log it shows TCP_MISS on every attempt. I'll try the Ignore Private
parameter in squid just to make sure that isn't the cause.

You can look at ietf spec and grep it for each header key wget returned
( assuming you have an easy way to extract these from your jpg
image that should be quite quick LOL). Text is interoperable, images
require you buy some wget-to-ietf-GUI tool that converts the ietf spec
into the same font as your wget output and looks for blocks of
pixels that are the same ( sorry to beat this to death but it comes
up a lot and creates a lot of problems in other contexts).

Very puzzling.

Mike

-Original Message-
From: Chris Robertson [mailto:crobert...@gci.net]
Sent: Monday, January 04, 2010 6:48 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Forward Cache not working

Mike Makowski wrote:

Here is my basic config. Using defaults for everything else.

acl localnet src 172.16.0.0/12
http_access allow local_net
maximum_object_size 25 MB

Here is a log entry showing one connection from a LAN user through the
proxy. I am guessing that the TCP_MISS is significant. Perhaps the
original source is marked as Private as Chris suggested. Don't really know
how to even tell that though.

Add a -S to wget to output the server headers.

wget -S http://www.sortmonster.net/master/Updates/test.xyz -O test.new.gz
--header=Accept-Encoding:gzip --http-user=myuserid --http-passwd=mypassword

Can squid be forced to cache regardless of
source settings?

Yes.
http://www.squid-cache.org/Versions/v3/3.0/cfgman/refresh_pattern.html

Keyword ignore-private.

1262645523.217 305633 172.17.0.152 TCP_MISS/200 11674081 GET
http://www.sortmonster.net/master/Updates/test.xyz - DIRECT/74.205.4.93
application/x-sortmonster 1262645523.464 122

Mike

Chris

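The rule Ming gives in both "Forward Cache not working" replies is RFC 2616 section 14.8 (carried into RFC 7234 section 3.2): a shared cache such as Squid must not reuse a response to a request that carried an Authorization header unless the response itself says public, s-maxage or must-revalidate. The reason is a privacy one: without the override, the cache would hand one user's authenticated response to the next user. The following is an added example, not part of the thread and not Squid's code, that implements that decision together with the private and no-store directives and runs it over constructed header sets modelled on the wget command in the thread (wget's --http-user/--http-passwd are what add the Authorization header).

```python
"""Added example: may a shared cache store a response to an authenticated request?

Not part of the thread and not Squid's code. It implements RFC 2616 section
14.8 (RFC 7234 section 3.2): a shared cache must not reuse a response to a
request that carried Authorization unless the response says ``public``,
``s-maxage`` or ``must-revalidate``. ``private`` and ``no-store`` block
storage regardless of authentication. All header values are constructed.
"""


def parse_cache_control(value):
    """Parse 'public, max-age=600' into {'public': None, 'max-age': '600'}."""
    directives = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, arg = item.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for a shared (proxy) cache such as Squid."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc:
        return False, "response is Cache-Control: no-store"
    if "private" in cc:
        return False, "response is Cache-Control: private"
    if "authorization" in req:
        # RFC 2616 14.8: these three response directives override the
        # default of not sharing an authenticated response.
        for directive in ("public", "s-maxage", "must-revalidate"):
            if directive in cc:
                return True, f"authenticated request, but response has Cache-Control: {directive}"
        return False, "request carried Authorization and the response does not override it"
    return True, "no directive forbids a shared cache from storing it"


# Constructed exchanges modelled on the wget command in the thread.
AUTH_REQUEST = {"Authorization": "Basic dXNlcjpwYXNz", "Accept-Encoding": "gzip"}
ANON_REQUEST = {"Accept-Encoding": "gzip"}
PLAIN_RESPONSE = {"Content-Type": "application/x-sortmonster", "Content-Length": "11674081"}
PUBLIC_RESPONSE = dict(PLAIN_RESPONSE, **{"Cache-Control": "public, max-age=3600"})
PRIVATE_RESPONSE = dict(PLAIN_RESPONSE, **{"Cache-Control": "private"})


def demo():
    """Evaluate the combinations a proxy operator is most likely to hit."""
    return {
        "auth+plain": shared_cache_may_store(AUTH_REQUEST, PLAIN_RESPONSE)[0],
        "auth+public": shared_cache_may_store(AUTH_REQUEST, PUBLIC_RESPONSE)[0],
        "auth+private": shared_cache_may_store(AUTH_REQUEST, PRIVATE_RESPONSE)[0],
        "anon+plain": shared_cache_may_store(ANON_REQUEST, PLAIN_RESPONSE)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:13s} cacheable={allowed}")
```

The auth+plain case is the one in the thread: a 200 with no Cache-Control at all, fetched with credentials, is a TCP_MISS every time by design. Squid's refresh_pattern also has an ignore-auth option that treats such responses as if they had said public; it is a per-pattern decision to take only for content that is identical for every authenticated user, for the reason given above.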