On 26/03/2016 12:32 p.m., Jens Kallup wrote:
> Hello Folks,
>
> I downloaded the latest squid4.07 sources last night.
> I can compile it without errors.
> I have an optimized squid.conf - it works with squid3.
>
> But now, I get:
>
> ale missing adapted httprequest object
> ale missing url

Those are informational that the Squid internal state is not being set up
quite right for the way external ACL formats work now in Squid-4. It's a
minor bug. Thanks for mentioning it.

> in the cache.log and sites were not blocked!

You have configured Squid to let logged in users do *anything* they
want. See below.

>
> Here is my squid.config, and the helper script:
>
> ---%<----
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
> auth_param basic children 4
> auth_param basic utf8 on
> auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort
> fuer die Internetberechtigung ein!
> auth_param basic credentialsttl 60 minutes
> auth_param basic casesensitive on
>
> external_acl_type MyAclHelper %LOGIN %DST /sap/squid/helper.py

Is this configuration using the helper in a concurrent way? I don't
think so. But the helper requires a concurrent channel-ID.

Use the concurrency=N option to enable concurrency.
<http://www.squid-cache.org/Doc/config/external_acl_type/>

>
> acl ncsa_users proxy_auth REQUIRED
> acl block_list external MyAclHelper REQUIRED

What do you think the keyword "REQUIRED" does?

On proxy_auth ACL it means successful authentication is mandatory. The
ACL will produce a 407 response even on "allowed" actions with
credentials if they are not valid.

On external ACL it is just a text string to be passed to the helper at
the end of its format line. eg. "jens example.com REQUIRED\n"

>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.178.80
>
> acl SSL_ports port 443
> acl Safe_ports port 3128
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow ncsa_users !block_list
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The purpose of the above two access controls is to protect your network
against some very nasty security vulnerabilities. They need to be at the
top of your http_access rules to do anything useful.

> http_access deny all
>
> http_port 192.168.178.80:3128
>
> cache_mgr jkallup@xxxxxx
> cache_mem 8 MB
>
> cache_effective_user squid
> cache_effective_group squid
>
> error_directory /usr/share/squid3/errors/de
> error_default_language de

Using error_directory disables the auto-negotiate feature which
error_default_language is trying to configure.

Pick only one of the directives:
- error_directory to always send errors in German
- error_default_language to send errors in a language the user can
actually read. With German as the default if Squid can't figure that
out.

>
> cache_dir ufs /sap/var/spool/squid 64 16 128
> cache_access_log /sap/squid/log/access.log
> cache_log /sap/squid/log/cache.log
> cache_store_log none
>
> # Leave coredumps in the first cache dir
> coredump_dir /sap/var/spool/squid
>
> pid_filename /sap/squid/squid3.pid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> logformat squid %tl.%03tu %6tr %>a %un %Ss/%03>Hs %<st %rm %ru %Sh/%<A %mt

Please do not re-define the "squid" built-in log format. Either use the
default one of that name, or define your own custom one with a
different name.

> ---%<----
>
>
> ----%<-------
> #!/usr/bin/perl -l
>
> use warnings;
> use IO::Handle;
> use URI::Escape;
> use DBI;
> use 5.010;
>
> $|=1;
>
> while (<>) {
>     ($chid,$ip,$user,$dest) = split;

The input parameters you configured in squid.conf do not match the ones
the helper is trying to parse.
... Which will make $dest not contain what you think it does.
... Which will make this helper always produce "ERR".
... Which will always make the block_list ACL match false.
... Which will make the !block_list always be true.
... Which will make users who are logged in be allowed to do anything
they like at any time through the proxy.

>     $user =~ s/%(..)/pack("H*", $1)/ge;
>     $dest =~ s/%(..)/pack("H*", $1)/ge;
>
>     $dest = uri_unescape($dest);
>     $user = uri_unescape($user);
>
>     if ($dest eq "web.de") {
>         print "OK user=" . $user;

Since all users have to be successfully logged in with HTTP
authentication before this helper is even queried, what use does sending
it back to Squid in the user= keyword have?

>     } else {
>         print "ERR";
>     }
>     if ($ip eq "0") {
>         print $chid . "ERR";
>     }
> }
> --%<---

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
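As an added example (not code from the thread, and not the Squid project's own), here is a helper written for the concurrent protocol Amos describes: with `external_acl_type MyAclHelper concurrency=4 %LOGIN %DST /sap/squid/helper.py` Squid sends `<channel-id> <login> <dst>` per line and expects `<channel-id> OK` (block_list matches) or `<channel-id> ERR` back, so the parsed fields line up with the configured format tokens. The blocklist contents, the subdomain matching (which goes beyond the exact `eq "web.de"` test in the thread) and the `BH` reply for malformed lines are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example helper for:
#   external_acl_type MyAclHelper concurrency=4 %LOGIN %DST /sap/squid/helper.py
# Request line from Squid:  "<channel-id> <login> <dst>\n"
# Reply to Squid:           "<channel-id> OK\n"  -> block_list matches
#                           "<channel-id> ERR\n" -> block_list does not match
#                           "<channel-id> BH\n"  -> helper could not parse the line
import sys
from urllib.parse import unquote

# Constructed blocklist for the example; the thread only ever blocks web.de.
BLOCKED_DOMAINS = {"web.de"}


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True when host is a blocked domain or a subdomain of one (assumed policy)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def handle_line(line, blocked=BLOCKED_DOMAINS):
    """Turn one request line into the reply line Squid expects.

    Field order is exactly the format tokens in squid.conf (%LOGIN, then %DST),
    prefixed by the channel-ID that concurrency=N adds.  Squid URL-encodes the
    values, so each is decoded exactly once (decoding twice, as the Perl helper
    in the thread does, corrupts any value that legitimately contains '%').
    """
    fields = line.strip().split()
    if len(fields) < 3:
        # Cannot trust the field layout; report a broken helper rather than ERR,
        # which would silently turn into "allow" under "allow ncsa_users !block_list".
        chid = fields[0] if fields else "0"
        return f"{chid} BH"
    chid, login, dest = fields[0], unquote(fields[1]), unquote(fields[2])
    # Any extra tokens (e.g. the literal "REQUIRED" from the acl line) are ignored.
    return f"{chid} OK" if is_blocked(dest, blocked) else f"{chid} ERR"


def main():
    # Squid waits for a reply per request line, so flush after every write.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```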