On Sun, 20 Feb 2011 11:57:28 -0500, Shawn wrote:
Hi, my name is Shawn Caron. I am having issues with the new squid 3.1.11. I can't get my laptop to download any updates from within squid 3.1.11. I have digest auth installed and working correctly for web browsers only. But when I try to update the laptop through aptitude using a sh script I can't get it to connect to the update servers like debian.org or ubuntu.org for package updates. Also, when I am at school at Davenport University in Lansing, Michigan, their Blackboard system uses the ice java plugin, and when I connect through my remote proxy using the astrada firewall I get a username and password box asking for my user name and password. And if I don't type in the correct information and cancel the prompt, the browser will lock up and I have to restart the browser. Can anyone provide the answers on this? Or do I have to switch to a different auth scheme to make this work with both the browsers and aptitude and apt-get? I can attach my squid.conf file if needed, and also the update script.

My primary goal is to have the most secure connection and block all port 80,443 going out. Also I want to allow only certain MAC addresses to bypass squid for updates only, and not allow any web-based traffic out without it going through the squid proxy first.
AFAIK, the software you have listed in the updaters list does not support
secure authentication. WindowsUpdate at least requires NO authentication
for it to work properly. Apt on Debian-based OS has Basic support, but I
can't find anything on Digest.
Also I want to be able to have VPN access remotely from outside into my home network. For that I use kvpnc and the astrado firewall. I have had issues with the connections using kvpnc and have not been able to get a completed connection to the drop-off point inside the network.
Here is the squid.conf. Currently working on squid3 version 3.1.11.
#Authorization
auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/auth/digest/authlist
auth_param digest nonce_garbage_interval 24 hours
auth_param digest nonce_max_duration 24 hours
auth_param digest nonce_max_count 50
auth_param digest children 5
auth_param digest realm Secured Proxy Server Authenication Required
authenticate_cache_garbage_interval 24 hour
authenticate_ttl 24 hour
#auth_parm basic program /usr/lib/squid3/ncsa_auth /etc/squid3/userpass
# ACL Lists
acl manager proto cache_object
acl localhost src 127.0.0.1/32
New 3.1 definition:
acl localhost src 127.0.0.1 ::1
acl to_localhost dst 127.0.0.0/8
New 3.1 definition:
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl CONNECT method CONNECT
acl safe port 21 80
acl sslports port 22 441 443 465 587 631 995 8001
acl http proto http
acl ftp proto ftp
acl updateports port 21 80
acl updates dstdomain .debian.org .microsoft.com .symantec.com .windowsupdate.com .database.clamav.net .ubuntu.org
acl Authorized-worstations src "/etc/squid3/workstations"
acl Authorized-servers src "/etc/squid3/servers"
acl Authorized-wireless src "/etc/squid3/wireless"
acl Authorized-proxy src "/etc/squid3/proxy"
acl Authorized-pfsense src "/etc/squid3/pfsense"
acl webmin src "/etc/squid3/webmin"
acl purge method purge
acl Authorization-admins proxy_auth REQUIRED
acl Authorization-users proxy_auth REQUIRED
acl internal port 8080 8081 8118 10000 57310 57311 7001
acl bad_url url_regex "/etc/squid3/bad-sites.acl"
#acl localnet 10.2.2.254/24 10.2.2.11/24 10.2.2.10/24 10.2.2.9/24 10.2.2.134/24
# HTTP ACCESS
# Only allow cachemgr access from localhost
http_access allow http updateports updates
http_access allow ftp updateports updates
http_access allow Authorization-admins Authorization-users
So.. if someone is logged in as BOTH an admin and a user
simultaneously? um yeah.
It's a good thing that those names are wrongly describing what those
ACL tests do. Both ACLs only check that valid credentials are given, not
what type they are.
You can remove either Authorization-admins or Authorization-users
completely with no effect on your access situation. It's also probably
best to rename the one you keep as "authenticated" or a similar generic
description to avoid future confusion.
http_access allow safe sslports internal
This is also not working as intended. The port cannot be a member of
three non-overlapping value sets.
http_access allow localhost
http_access allow manager localhost
http_access allow CONNECT webmin Authorized-pfsense updateports updates
The location of this below the auth line is part of the problem.
Windows Update and maybe the others will be bouncing off the
"http_access allow Authorization-admins" test when they try to get
https:// files.
http_access allow Authorized-worstations
http_access allow Authorized-servers
http_access allow Authorized-wireless
http_access allow Authorized-proxy
http_access allow Authorized-pfsense
Hint: given that these are all of the same "src" type, AND that most of
them are not needed for special things, you could collapse a few of these
ACLs down to one name. It is possible to load several files (one for
workstations, one for wireless, etc) into one ACL name as long as the
ACL type is identical.
http_access allow webmin
#http_access localnet
http_access allow Authorization-admins Authorization-users
http_access deny all
http_reply_access allow Authorization-users
http_reply_access allow Authorization-admins
This kind of defeats the main purpose of authentication. By the time
the remote server has been contacted and sent the request data then
produced its reply and sent it back it is FAR too late to safely ask for
user credentials.
NOTE: this is likely also part of your problem with updaters. Since the
http_access you carefully defined before the auth challenge will get
past that request challenge and hit this reply one instead anyway.
Define your http_access with care and doing extra reply-time checks are
usually not needed.
#Allow ICP queries from local networks only
icp_access allow Authorized-worstations Authorized-wireless
Without seeing the content of the Authorized-worstations and
Authorized-wireless lists I suspect this may be another case of the machine
being checked against non-overlapping lists of values. ICP (and HTCP)
are only used between proxy peers. If you see this coming from client
workstations it means somebody is using a local proxy of their own,
usually to evade your controls. It's a good idea to find out why.
icp_access deny all
#Allow HTCP queries from local networks only
htcp_access deny all
There is no "htcp_access allow" anywhere above this. So HTCP is denied
always. The default in squid-3 is not to even have the port opened. So
this can go unless you want to add those settings to enable HTCP
properly.
# Squid normally listens to port 3128
#http_port 127.0.0.1:23654
http_port 10.2.2.3:56754 intercept
http_port 10.2.2.4:23654 intercept
#http_port 10.3.3.1:23654
# MISC SETTINGS
hierarchy_stoplist cgi-bin ?
cache_mem 7 MB
maximum_object_size_in_memory 100 mb
Um, memory space is only 7MB but you want to store 100MB objects there?
Problem coming.
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 1000 16 256
1000 MB of disk space to back that up...
max_open_disk_fds 10
minimum_object_size 1000 mb
? so global override over the buggered memory settings anyway. Nothing
smaller than 1000 MB will be stored by this proxy.
So... with 1000 MB of disk space and nothing smaller than 1000 MB
allowed to be stored...
maximum_object_size 1 GB
? and nothing over 1024 MB will be stored either. That is a very
strangely tuned band of storeable content. Why?
no_cache allow internal
Remove the "no_" part of this line.
#LOG
#ACCESS LOG
access_log /var/log/squid3/access.log
cache_store_log none
#logfile_rotate 0
#emulate_httpd_log on
emulate_httpd_log on
Remove emulate_httpd_log. If you actually need the Apache format use this instead
on the above log line:
access_log /var/log/squid3/access.log common
log_ip_on_direct on
pid_filename /var/run/squid3.pid
strip_query_terms on
# OPTIONS FOR FTP GATEWAYING
ftp_list_width 50
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
unlinkd_program /usr/lib/squid3/unlinkd
Default setting. You can remove unlinkd_program
# OPTIONS FOR URL REWRITING
#url_rewrite_children 2
#url_rewrite_children 2
#url_rewrite_concurrency 0
url_rewrite_host_header on
url_rewrite_bypass off
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#Suggested default:
refresh_pattern ^ftp: 1440 5% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
Add right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320 refresh-ims
Not that refresh_pattern has any effect given the cache size limits
above.
The various patterns doing refresh-ims are not really needed for Debian
anymore. Squid-3 obeys the caching headers the repo provide.
#Default:
# visible_hostname localhost
visible_hostname Secured_Proxy_Server_Authorization_Required
FQDN please. This is used as the base for
#Default:
never_direct allow localhost
#always_direct allow Authorized-pfsense Authorized-wireless
always_direct allow updates
windows_ipaddrchangemonitor on
Windows-only directive. Remove.
redirect_children 1
Rename this obsolete directive to:
url_rewrite_children 1
or, since you change its value again later on, remove it completely.
unique_hostname Secured_Proxy_Server_Authorization_Required
cache_effective_group proxy
#fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
cache_peer localhost parent 8081 0
url_rewrite_program /usr/bin/adzapper.wrapper
url_rewrite_children 2
#ssl_unclean_shutdown on
icp_query_timeout 10
mcast_icp_query_timeout 10
half_closed_clients off
server_persistent_connections off
Why? 3.1 handles these persistent connections nicely now and they are
close to required for HTTP/1.1 support.
<snip>
tcp_outgoing_address 0.0.0.0
This hack is no longer required for 3.1.7+. and very probably why
debian.org (an IPv6-enabled website) is not working for you.
Amos
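As an added example (not part of the thread, and not Squid's own tooling): a small Python linter that mechanically checks a squid.conf for the classes of mistake raised in the reply above, so the same review can be repeated after every edit. It flags http_access lines that AND together port ACLs with no port in common (dead rules), two proxy_auth REQUIRED ACLs on one line (the same test twice), http_reply_access lines that consult credentials after the origin server has already answered, allow rules for unauthenticated clients placed after the first proxy_auth rule, and in-memory or on-disk object limits that can never be satisfied. The sample config is constructed and only modelled on the one in the thread; the "allow after auth" check is a heuristic that ignores evaluation order within a line and does not model Squid's full ACL engine.

```python
"""Static sanity checks for squid.conf access rules and cache sizing (added example)."""

# Constructed sample, modelled on the config in the thread (not a copy of it).
SAMPLE_CONF = """\
acl localhost src 127.0.0.1 ::1
acl CONNECT method CONNECT
acl safe port 21 80
acl sslports port 22 443 465 587
acl internal port 8080 8081 10000
acl updateports port 21 80
acl updates dstdomain .debian.org .ubuntu.com
acl webmin src 10.2.2.0/24
acl auth_admins proxy_auth REQUIRED
acl auth_users proxy_auth REQUIRED
http_access allow updateports updates
http_access allow auth_admins auth_users
http_access allow safe sslports internal
http_access allow localhost
http_access allow CONNECT webmin updateports updates
http_access deny all
http_reply_access allow auth_users
cache_mem 7 MB
maximum_object_size_in_memory 100 mb
cache_dir ufs /var/spool/squid3 1000 16 256
minimum_object_size 1000 mb
maximum_object_size 1 GB
"""

UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(words):
    """'7 MB' -> bytes. Squid accepts the unit in any case; no unit means bytes."""
    unit = words[1].lower() if len(words) > 1 else "bytes"
    return int(words[0]) * UNITS[unit]


def port_values(values):
    """Expand a port ACL value list ('80 1024-65535') into a set of ints."""
    ports = set()
    for v in values:
        lo, _, hi = v.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_conf(text):
    """Split a config into ACL definitions, access rules and plain settings."""
    acls, rules, settings = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            entry = acls.setdefault(words[1], (words[2], []))
            entry[1].extend(words[3:])  # repeated 'acl NAME' lines extend the set
        elif words[0] in ("http_access", "http_reply_access"):
            rules.append((words[0], words[1], words[2:]))
        else:
            settings[words[0]] = words[1:]
    return acls, rules, settings


def lint(text):
    """Return a list of (check_name, message) findings for the config text."""
    acls, rules, settings = parse_conf(text)
    findings = []
    acl_type = lambda term: acls.get(term.lstrip("!"), ("?", []))[0]
    first_auth_rule = None

    for idx, (directive, action, terms) in enumerate(rules):
        rule = f"{directive} {action} {' '.join(terms)}"
        plain = [t for t in terms if not t.startswith("!")]
        auth = [t.lstrip("!") for t in terms if acl_type(t) == "proxy_auth"]

        # Terms on one line are ANDed: disjoint port sets can never all match.
        ports = [port_values(acls[t][1]) for t in plain if acl_type(t) == "port"]
        if len(ports) >= 2 and not set.intersection(*ports):
            findings.append(("disjoint_ports", f"{rule}: port ACLs share no port, rule never matches"))

        # Two identically defined proxy_auth ACLs only test 'has valid credentials' twice.
        defs = {(acls[t][0], tuple(acls[t][1])) for t in auth if t in acls}
        if len(auth) >= 2 and len(defs) == 1:
            findings.append(("redundant_auth", f"{rule}: duplicate proxy_auth test, keep one ACL"))

        if directive == "http_reply_access" and auth:
            findings.append(("reply_time_auth", f"{rule}: credentials checked after the server has replied"))

        # Heuristic: once a proxy_auth rule has been seen, later allow rules without
        # one are reached only by clients that already answered the 407 challenge.
        if directive == "http_access":
            if auth and first_auth_rule is None:
                first_auth_rule = idx
            elif action == "allow" and not auth and first_auth_rule is not None:
                findings.append(("allow_after_auth", f"{rule}: placed after rule {first_auth_rule}, unauthenticated clients are challenged first"))

    if "cache_mem" in settings and "maximum_object_size_in_memory" in settings:
        mem, obj = parse_size(settings["cache_mem"]), parse_size(settings["maximum_object_size_in_memory"])
        if obj > mem:
            findings.append(("memory_size", f"maximum_object_size_in_memory {obj} B exceeds cache_mem {mem} B"))
    if "cache_dir" in settings and "minimum_object_size" in settings:
        disk = int(settings["cache_dir"][2]) * UNITS["mb"]  # cache_dir TYPE PATH SIZE_MB L1 L2
        if parse_size(settings["minimum_object_size"]) >= disk:
            findings.append(("disk_size", "minimum_object_size is not smaller than the cache_dir, nothing can be stored"))
    if "minimum_object_size" in settings and "maximum_object_size" in settings:
        if parse_size(settings["minimum_object_size"]) > parse_size(settings["maximum_object_size"]):
            findings.append(("size_band", "minimum_object_size exceeds maximum_object_size"))
    return findings


if __name__ == "__main__":
    for kind, message in lint(SAMPLE_CONF):
        print(f"{kind}: {message}")
```

Run it against a real file with `lint(open("/etc/squid3/squid.conf").read())`; every finding names the offending line so it can be matched against the interleaved comments in the reply.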