Dnia Czwartek, 26 Września 2013 16:04 Amos Jeffries <squid3@xxxxxxxxxxxxx> napisał(a) > On 26/09/2013 7:35 a.m., kazio wolny wrote: > > Dnia Środa, 25 Września 2013 16:17 Amos Jeffries <squid3@xxxxxxxxxxxxx> napisał(a) > >> On 26/09/2013 12:58 a.m., kazio wolny wrote: > >>> Hello, > >>> > >>> I get tired of the topic already two days and I have no power, so please help ... > >>> > >>> I did install squid3 (v3.1.19) integrated with AD (according http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy). Allowing only users who belong to the Admin-Internet. Everything is ok for browsers and Kerberos, NTLM, LDAP even. > >>> Only I have a problem with Skype - in access.log I see: > >>> 1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE / - text / html; > >>> 1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE / - text / html; > >>> 1 1380113281.723 3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE / - text / html; > >>> I tried to correct it as http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps. > >> Well... if Skype did support authentication you would still see these > >> log lines as part of the normal authentication challenge process. That > >> goes for all authentication types, NTLM is somewhat special in that it > >> always shows up with two 407 in a row like the *.22 client lines above. > >> > >> This may help you: > >> https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server > >> > >> My experience is that Skype has supported proxies and authentication > >> nicely enough in all releases for the last ~2 years not to need any > >> special consideration in the proxy config. > >> > >> Amost > > Thanks, but why Skype doesn't connect to servers? > > Skype is a P2P software. AFAIK these are not CONNECT to servers > specifically, but are CONNECT to other people running Skype - which just > happens to include the MS servers setup to relay packets. The requests > to servers managing the Skype "phonebook" lookup requests may be one of > these but usually a different HTTP transaction entirely. > > > In skype I have this settings like in your link: use port 80,443; https proxy, address and port (10.22.94.130:8080). I was trying with and without enabling proxy auth.. Always the same... > > When I disable auth on squid, then Skype works great, so I'm thinking, that this is a problem, but I can't solve it.. :-( > > > > Kazio > > Strange. From what I could see of your config there should be no > problem. Are you certain that these 407 are being sent by your proxy and > not by another? are there any successful CONNECT from Skype happening > amidst the 407's (auth schemes normally require one 407 denial to > request credentials then the next has them and gets through). > > Can you try this with a newer version of Squid at all? there are > HTTP/1.1 behaviour differences around keep-alive and authentication on > CONNECT which have been done in 3.2/3.3 series to "fix" HTTP/1.0 > problems sometimes seen in the 3.1 and older releases. Those were about > 2 years ago so my experience with Skype may be a bit warped by my > networks dog-fooding Squid. > > Amos I have this squid on ubuntu 12.04 tls. Never version should I install from PPA (like https://launchpad.net/~pdffs/+archive/squid-stable)? Could you give be better source? I found the cause of the problems. This was the last line: cache_effective_group proxy It is also strange. Apparently, with this entry Squid does not have access to something ... But as I read that squid always starts on the powers of root:root, and then divert it to the given, or nobody:nobody. So the group nobody has a better right?? kazio
