Re: ISSUE accessing content

Thanks Amos, mike



On 25 July 2015 at 03:20, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 25/07/2015 4:59 a.m., Jagannath Naidu wrote:
> 1. It's not a transparent proxy.
>
> 2. My clients get wpad configuration from AD server. So there are two
> questions.
>  2.1: I know that wpad is used to identify proxy server and port (and the rest
> of the bypass rules). When clients resolve wpad.abc.com, is there a way
> that I can overwrite the wpad file on the client, like creating a webserver
> to serve the wpad file and changing the /etc/hosts file to "<myhwebserveripaddress>
> wpad.abc.com"?
> 2.2 Is there any other way to tell clients via the squid server not to come
> to the squid server and to re-initiate the request?

Exactly that if you wish. It's not clear whether WPAD is the problem though.

The fact that you have Squid logs showing access indicates the traffic
is actually getting there okay. The responses do seem to be coming back
from 10.* servers as well.
So what is happening is something is causing those servers not to like
the traffic being requested from them.


>
> On 24 July 2015 at 21:10, Jagannath Naidu <
> jagannath.naidu@xxxxxxxxxxxxxxxxxx> wrote:
>
>>
>>
>> On 24 July 2015 at 21:05, Jagannath Naidu <
>> jagannath.naidu@xxxxxxxxxxxxxxxxxx> wrote:
>>
>>> Dear List,
>>>
>>> I have been working on this for last two weeks, but never got it
>>> resolved.
>>>
>>> We have an application server (SERVER) in our local network and a desktop
>>> application (CLIENT). The application picks up proxy settings from IE. And we
>>> also have a websense proxy server.
>>>
>>> case 1: when there is no proxy set
>>> application works. No logs in squid server access.log
>>>
>>> case 2: when proxy ip address set and checked "bypass local network"
>>> application works. No logs in squid server access.log
>>>
>>> case 3: when proxy ip address is set to websense proxy server. UNCHECKED
>>> "bypass local network"
>>> application works. We don't have access to websense server and hence we
>>> can not check logs

Can you explain "not works" in any better detail?
 application expected vs actual behaviour?
 if you can relate that to particular HTTP messages even better.
The application is "aspect unified ip agent desktop". It is a dialer application (VOIP), used on Windows machines.
Rest of the cases:

When the application is launched, it shows that it has joined domain "HTP". HTP is the default; we can change to another from the drop-down list.

Case 4: does not work.

But in this case, it shows no drop-down list, not even with a single option like "HTP". The application cannot connect to the server anymore, and I can not call or receive calls anymore.



>>>
>>>
>>> case 4: when proxy ip address is set to proxy server ip address.
>>> UNCHECKED "bypass local network"
>>> application does not work :-(. Below are the logs.
>>>
>>>
>>> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>>> - HIER_DIRECT/10.1.4.46 text/html

404. The URL you see above references an object that does not exist on
that server.

Things to look into:
 Is it the right server?
Yes 
 Is it the right URL?
Yes
 Why was it requested?
Don't know. These were the only logs I could get from access.log. The server is "Microsoft IIS HTTP/1.1".
 
 Does the server actually know its "dlwvdialce.htmedia.net" name?
Yes. It is resolvable: 1) ping dlwvdialce works, 2) ping dlwvdialce.htmedia.net works.

Initially "dlwvdialce" was not resolving to any host. That's why I used "append_domain .htmedia.net" in squid.conf (it worked for other applications).
 


>>> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
>>> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html


Authentication. Normal I think.
Yes, NTLM auth. 
 

>>> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>>> 10.1.4.46 text/html

Same as the first 404'd URL.


>> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST
>>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>>> - HIER_NONE/- text/html

503 usually indicates the attempted server failed.

Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work.
Which would also match the lack of server IP in the log.

 1)  ping cs-711-core.htmedia.net  does not work "no such host"
 2) ping  cs-711-core does not work "no such host"
 


>>>
>>> UPDATE: correct logs
>>
>> 1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>> - HIER_DIRECT/10.1.4.46 text/html
>> 1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>> 10.1.4.46 text/html
>> 1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST
>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>> - HIER_NONE/- text/html
>>

Same comments as above.

>>
>>
>>> squid -v
>>> Squid Cache: Version 3.3.8
>>> configure options:  '--build=x86_64-redhat-linux-gnu'
>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
>>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
>>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
>>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
>>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--disable-strict-error-checking'
>>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>>> '--with-logdir=$(localstatedir)/log/squid'
>>> '--with-pidfile=$(localstatedir)/run/squid.pid'
>>> '--disable-dependency-tracking' '--enable-eui'
>>> '--enable-follow-x-forwarded-for' '--enable-auth'
>>> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
>>> '--enable-auth-ntlm=smb_lm,fake'
>>> '--enable-auth-digest=file,LDAP,eDirectory'
>>> '--enable-auth-negotiate=kerberos'
>>> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
>>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
>>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
>>> '--enable-ident-lookups' '--enable-linux-netfilter'
>>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
>>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2'
>>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
>>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
>>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
>>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>>> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
>>> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2
>>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
>>> -m64 -mtune=generic -fpie'
>>> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>>
>>>
>>> squid.conf
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
>>> machines
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8180
>>> acl CONNECT method CONNECT
>>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54
>>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4

For easier reading:
  acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4

(at least I think they are all in one /27, double-check that)

>>> http_access allow wvdial
>>> acl dialer dstdomain .htmedia.net
>>> http_access allow dialer
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET

 "=" is a funny domain name. I suspect you wanted the domain-name part
of the line to be used instead. Remove the "= " bit.

Removed = bit. 
 
>>> append_domain  .mydomain.net
>>> ignore_expect_100 on

The ignore_* directive should not be useful in 3.3. You can remove it now.

>>> dns_v4_first on
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
>>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>>> auth_param ntlm children 1000
>>> auth_param ntlm keep_alive off
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> acl auth proxy_auth REQUIRED
>>> http_access allow all auth

"allow all auth" means the same as "allow auth".

"all" only has meaning on the end (right-hand side) of the line which
would otherwise end in a proxy_auth ACL.
It should either be on the end of that line, or not used at all.


>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 0.0.0.0:8080
>>> coredump_dir /var/spool/squid
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>>
>>>
>>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to
>>> squid 3.3 would help. Please help me resolving this mystery.

Looks to me like the server at 10.1.4.46 does not know what to do with
the URLs requested.

I would start looking at whether the application is actually supposed to
be going there for its requests.

How can I do that?
I can install wireshark on the client and test the result.

Am I missing any information to give?
 
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006
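Added example (not from the thread or from Squid itself): a small reader for Squid's native access.log format that sorts the three kinds of line quoted above into the diagnoses Amos gives (407 auth challenge, 404 with the origin reached, 503 with no upstream connection) and lists the hosts worth checking for DNS/TCP reachability from the proxy. The sample lines are copied from the thread.

```python
"""Read Squid native access.log lines and sort them into the three cases the
thread distinguishes. Added example; the log lines are copied from the thread."""
from urllib.parse import urlsplit

# Three lines copied from the thread's access.log excerpt.
SAMPLE_LOG = """\
1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html
"""

# Field order of Squid's default (native) access log format.
FIELDS = ("ts", "elapsed_ms", "client", "result_status", "size", "method",
          "url", "ident", "hier_peer", "ctype")

def parse_line(line):
    """Split one native-format line into a dict; the two slash-joined fields are split too."""
    f = line.split()
    if len(f) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    e = dict(zip(FIELDS, f))
    e["result"], status = e.pop("result_status").split("/", 1)
    e["hier"], e["peer"] = e.pop("hier_peer").split("/", 1)
    e["status"], e["elapsed_ms"] = int(status), int(e["elapsed_ms"])
    return e

def target_host(e):
    """Hostname the request was for; CONNECT lines carry bare host:port, no scheme."""
    url = e["url"] if "://" in e["url"] else "//" + e["url"]
    return urlsplit(url).hostname

def classify(e):
    """Map result/status/hierarchy onto the diagnoses given in the thread."""
    if e["result"] == "TCP_DENIED" and e["status"] == 407:
        return "auth challenge"            # expected with proxy_auth REQUIRED
    if e["hier"] == "HIER_NONE" and e["peer"] == "-" and e["status"] >= 500:
        return "no upstream connection"    # DNS or TCP failed; no server IP logged
    if e["hier"] == "HIER_DIRECT" and e["status"] == 404:
        return f"origin {e['peer']} reached, object missing"
    return "other"

def summarize(text):
    """(host, diagnosis) per non-empty log line, in file order."""
    return [(target_host(e), classify(e))
            for e in (parse_line(l) for l in text.splitlines() if l.strip())]

def hosts_to_check(text):
    """Hosts that never got an upstream connection: resolve and TCP-test these from the proxy."""
    return sorted({h for h, c in summarize(text) if c == "no upstream connection"})
```

Run it over a larger access.log to see which origin hosts Squid never managed to connect to, which is the same question Amos raises about cs-711-core.htmedia.net:8180.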
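Added example (not from the thread or from Squid itself) for the "double-check that" remark about collapsing the acl wvdial dst list into one /27: it finds the contiguous runs in the address list, the exact CIDRs that cover each run, and how many extra destinations the single covering /27 would also allow through http_access. The address list is copied from the thread's squid.conf.

```python
"""Check the thread's 'acl wvdial dst ...' address list: which addresses form a
contiguous run, what exact CIDRs cover each run, and how many extra addresses the
single /27 suggested in the thread would also admit. Added example, not from the thread."""
import ipaddress

# Addresses copied from the acl wvdial dst line in the thread's squid.conf.
WVDIAL_DST = ["10.1.4.45", "10.1.4.50", "10.1.4.53", "10.1.4.48", "10.1.4.54",
              "10.1.4.46", "10.1.4.51", "10.1.4.47", "10.1.4.55", "10.1.4.49",
              "10.1.4.52", "10.1.2.4"]

def contiguous_runs(addrs):
    """Sort the addresses and split them into runs of consecutive addresses."""
    ips = sorted(ipaddress.ip_address(a) for a in addrs)
    runs, run = [], [ips[0]]
    for ip in ips[1:]:
        if int(ip) == int(run[-1]) + 1:
            run.append(ip)
        else:
            runs.append(run)
            run = [ip]
    runs.append(run)
    return runs

def smallest_covering_network(ips):
    """Smallest single CIDR block that contains every address in ips."""
    net = ipaddress.ip_network(str(ips[0]))
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net

def plan_acl(addrs):
    """For each run: its bounds, the exact CIDR list, the one covering block and
    how many addresses that block admits beyond the originals (ACL over-match)."""
    plan = []
    for run in contiguous_runs(addrs):
        exact = [str(n) for n in ipaddress.summarize_address_range(run[0], run[-1])]
        cover = smallest_covering_network(run)
        plan.append({"range": (str(run[0]), str(run[-1])), "exact": exact,
                     "supernet": str(cover),
                     "extra_in_supernet": cover.num_addresses - len(run)})
    return plan

def acl_lines(name, addrs):
    """Squid 'acl <name> dst' lines using the exact CIDRs, one line per run."""
    return [f"acl {name} dst " + " ".join(p["exact"]) for p in plan_acl(addrs)]
```

For the thread's list the run 10.1.4.45-10.1.4.55 does sit inside one block, 10.1.4.32/27, but that block admits 21 addresses that were not in the original ACL; the exact form 10.1.4.45/32 10.1.4.46/31 10.1.4.48/29 allows only the listed hosts.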
