On 3/07/2013 2:36 a.m., Stan2k wrote:
> Hello Everybody
> Here is the infrastructure I want:
> Client => Internet => Squid => RDS Gateway => VM
> Here is my configuration:
> https_port public_name:443 accel cert=/etc/ssl/private/servercert.pem key=/etc/ssl/private/serverkey.pem cafile=/etc/ssl/private/intermediate.pem capath=/etc/ssl/private/ defaultsite=parentserver.domain.qh version=1
> cache_peer parentservername parent 443 0 no-query originserver ssl sslcert=/etc/ssl/private/servercert.crt.pem sslkey=/etc/ssl/private/serverkey.pem sslcapath=/etc/ssl/private/ login=PASSTHRU connection-auth=on ssloptions=ALL name=gateway sslflags=DONT_VERIFY_PEER front-end-https=on no-digest
> acl RDS dstdomain parentservername
> cache_peer_access gateway allow all
> #cache_peer_access gateway deny all
> http_access allow all
Congratulations, you have an open proxy. Expect its IP address to be
firewalled and blocked by various networks around the world in the next
few days if not already.
Please follow the guidelines for reverse proxy configuration:
Namely that cache_peer_access and http_access restrict allowed requests
based on the explicit dstdomain (FQDN) which your peer accepts. If that
is not possible, at least retain the CONNECT security rules and add these
ones, which will permit unlimited relay through the peer but nowhere else
(still not great, but better than "http_access allow all" as the sole
security control):
always_direct deny all
never_direct allow all
miss_access allow all
Regarding "miss_access" if you are not going to configure any deny rules
for it just remove it from your config file entirely. The default is
"allow all".
> As you can see all is open but I have a problem.
> My configuration didn't work, but yesterday I managed to log in 3 times from the office.
> Ten minutes after I could no longer log in to the machine.
> I tried to log on at home last night and this morning and it worked. But now nobody can connect to the gateway.
> You can see the log when I could connect:
> 1372701961.331 79301 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
This is followup from a previous connection (which got PINNED).
> 1372702018.639 8 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.
> 1372702018.735 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.
> 1372702025.441 6780 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
Failed request. Squid relayed it to the peer. The client disconnected
after 6.8 seconds and before the peer response could be relayed out to it.
> 1372702025.441 6686 public_ip_client TCP_MISS_ABORTED/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
Failed request. Squid relayed it to the peer. The peer processed it and
responded 200 OK with some data. The client disconnected after 6.7
seconds and before the peer response could be fully relayed out to it
(only 7319 bytes delivered out of an unknown amount greater than 7319).
> 1372702506.635 8 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.
> 1372702506.728 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.
> 1372702514.727 7963 public_ip_client TCP_MISS_ABORTED/200 103543 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
Failed request. Squid relayed it to the peer. The peer processed it and
responded 200 OK with some data. The client disconnected after 6.7
seconds and before the peer response could be fully relayed out to it
(only 103KB delivered).
> 1372702514.728 8074 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372703139.182 11 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372703139.295 8 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372703146.054 6851 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372703146.054 6709 public_ip_client TCP_MISS_ABORTED/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
> 1372706052.563 123 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372706052.687 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372706151.972 99259 public_ip_client TCP_MISS_ABORTED/200 14007 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
> 1372706151.972 99385 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372709339.193 118 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372709339.329 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372709383.530 44313 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372709383.532 44177 public_ip_client TCP_MISS/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
> 1372710088.478 9 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372710088.584 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372710480.819 392320 public_ip_client TCP_MISS/502 4579 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip text/html
> 1372710480.819 392209 public_ip_client TCP_MISS/200 7231 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
> 1372744890.663 123 public_ip_client TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372744890.772 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372745699.263 808576 public_ip_client TCP_MISS/502 4583 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip text/html
> 1372745699.263 808466 public_ip_client TCP_MISS/200 7371 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip application/rpc
> Even if I could connect, you can see errors 401 and 502.
401 is not an error. It is an auth challenge. This is normal on new
connections when auth is required.
From the use of Pinning I deduce that you are using NTLM or Kerberos
connection-based authentication. NTLM at least requires several
exchanges of requests and 401/407 replies before login is completed - on
the 401 responses above which I have noted "successful request" that is
what appears to be happening.
The large sign of problems is the ABORTED state on the
after-authentication responses, which indicates the client is abandoning
the connection without receiving all the data the peer delivered to Squid.
> The logs now:
> 1372768605.501 7 public_ip_client TCP_MISS/401 959 RDG_OUT_DATA https://public_name/remoteDesktopGateway/ - FIRSTUP_PARENT/private_parentserver_ip text/html
> 1372768605.663 1 public_ip_client TCP_MISS/502 4583 RDG_OUT_DATA https://public_name/remoteDesktopGateway/ - PINNED/private_parentserver_ip text/html
This 502 and the others are all being generated by the peer. As far as
Squid is concerned they are successful responses.
> I'm confused, can you tell me if my setup looks good and if there is an
> explanation?
It looks like it should (and is) working. "Good" is another matter, see
above comments about security.
401 are a result of the authentication method. Very probably normal.
* Since this involves connections over the Internet it would be
worthwhile ensuring that the authentication in use is
Negotiate/Kerberos. NTLM is a *LAN* protocol with far too many problems
and inefficiencies for reliable use outside the LAN.
* Those ABORTED are a worry. It would be worth finding out why the
close is happening.
502 are something going wrong on the peer server.
* Check that server's logs for details (and this is the wrong place to
followup on that).
Amos
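The restricted reverse-proxy layout the reply asks for, written out as an added example (this is not Stan2k's configuration nor anything from the Squid project; it follows the advice above). It assumes public_name.com is the FQDN clients actually request (the host seen in the logged URLs), keeps the quoted certificate paths and peer name as placeholders, and drops the options that are not needed to make the point:

```conf
# Added example of a restricted Squid reverse proxy in front of an RDS Gateway.
# Hostnames, paths and the peer name are placeholders from the quoted config;
# public_name.com is assumed to be the FQDN clients connect to.

# dstdomain is matched against the host in the request URL, so defaultsite
# and the ACL below must name the same FQDN.
https_port 443 accel defaultsite=public_name.com cert=/etc/ssl/private/servercert.pem key=/etc/ssl/private/serverkey.pem cafile=/etc/ssl/private/intermediate.pem

# The RDS Gateway is the only origin. DONT_VERIFY_PEER is carried over from
# the quoted config; pointing sslcafile at the gateway's issuing CA instead
# would let Squid verify the peer certificate on the Squid-to-gateway hop.
cache_peer parentservername parent 443 0 no-query originserver ssl login=PASSTHRU connection-auth=on front-end-https=on no-digest sslflags=DONT_VERIFY_PEER name=gateway

# Only requests for the published FQDN are relayed, and only to this peer.
acl RDS dstdomain public_name.com
acl CONNECT method CONNECT

# Keep the CONNECT rule: a reverse proxy for RDG never needs tunnels.
http_access deny CONNECT
http_access allow RDS
http_access deny all

cache_peer_access gateway allow RDS
cache_peer_access gateway deny all

# Nothing is fetched directly from the Internet: it goes via the peer or is refused.
always_direct deny all
never_direct allow all
```

With the `http_access allow RDS` / `deny all` pair, a request for any other hostname is refused by Squid itself rather than relayed, which is what closes the open-relay hole; `miss_access` is left out because its default is already "allow all".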
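The reading of the access.log entries given in the reply (401 with FIRSTUP_PARENT is a normal auth challenge, the ABORTED result code marks a client that dropped the connection mid-reply, a 502 with a PINNED or parent hierarchy came from the peer rather than from Squid) can be turned into a small triage script. The following is an added example, not code from the thread or from Squid; the log lines in it are constructed, modelled on the quoted ones, with documentation-range addresses standing in for the real client and gateway IPs, and the "squid-error" verdict for hierarchy `NONE` rests on Squid logging its own generated replies with that hierarchy:

```python
"""Triage Squid native-format access.log lines the way the reply reads them.

Added example (not from the list thread). SAMPLE_LOG is constructed, modelled on
the quoted entries; 203.0.113.10 and 10.0.0.5 are placeholder addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Squid's native "squid" logformat:
#   timestamp elapsed_ms client result_code/status bytes method URL ident hierarchy/peer content_type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: two auth challenges, one aborted exchange, one peer 502.
SAMPLE_LOG = """\
1372702018.639      8 203.0.113.10 TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.0.0.5 text/plain
1372702018.735      7 203.0.113.10 TCP_MISS/401 695 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.0.0.5 text/plain
1372702025.441   6780 203.0.113.10 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 -
1372702025.441   6686 203.0.113.10 TCP_MISS_ABORTED/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 application/rpc
1372710480.819 392320 203.0.113.10 TCP_MISS/502 4579 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 text/html
1372710480.819 392209 203.0.113.10 TCP_MISS/200 7231 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 application/rpc
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    size: int
    method: str
    url: str
    hier: str
    peer: str
    ctype: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; None for anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Entry(float(g["ts"]), int(g["elapsed"]), g["client"], g["code"], int(g["status"]),
                 int(g["size"]), g["method"], g["url"], g["hier"], g["peer"], g["ctype"])


def classify(e: Entry) -> str:
    """One-word verdict per entry, following the reading given in the reply."""
    if e.code.endswith("_ABORTED"):
        # The client closed the connection before the peer's reply was fully relayed.
        return "client-aborted"
    if e.status == 401:
        # Auth challenge from the peer: normal for NTLM/Negotiate on a new connection.
        return "auth-challenge"
    if e.status == 502:
        # Squid logs its own generated error pages with hierarchy NONE (assumption stated
        # in the lead-in); any other hierarchy means the peer produced the 502.
        return "peer-error" if e.hier != "NONE" else "squid-error"
    if 200 <= e.status < 300:
        return "ok"
    return "other"


def summarize(lines) -> Tuple[Counter, List[Tuple[str, int, float, int]]]:
    """Count verdicts and list the aborts as (method, status, seconds, bytes delivered)."""
    counts: Counter = Counter()
    aborts: List[Tuple[str, int, float, int]] = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(e)
        counts[verdict] += 1
        if verdict == "client-aborted":
            aborts.append((e.method, e.status, e.elapsed_ms / 1000.0, e.size))
    return counts, aborts


if __name__ == "__main__":
    c, a = summarize(SAMPLE_LOG.splitlines())
    print(dict(c))
    for method, status, secs, size in a:
        print(f"{method}: client dropped after {secs:.1f}s, status {status}, {size} bytes delivered")
```

Run against a real access.log (`summarize(open("/var/log/squid/access.log"))`) the abort list is the thing to watch: an entry such as `RPC_OUT_DATA` with status 200 and a non-zero byte count means the peer answered and the client still hung up, which is exactly the pattern the reply flags as the worry rather than the 401s.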