Re: Problems with Linux Worstations

Marcio Demetrio Bacci <marciobacci@xxxxxxxxx> · Mon, 5 Sep 2016 13:25:19 -0300

Hi Amos

Now, my squid.conf is as follow (very simple):

############ START #################
http_port 3128

debug_options 11,2

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

fqdncache_size 1024

### Parametros de atualizacao da memoria cache
refresh_pattern ^ftp:    1440      20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
refresh_pattern .        0    20%    4320

### Localizacao dos logs
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

cache_dir aufs /var/spool/squid3 600 16 256

visible_hostname proxy

### acls
acl localhost src 192.168.200.7/32
acl to_localhost dst 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 10000 
acl Safe_ports port 21 70 80 88 210 280 389 443 488 563 591 777 1025-65535         

acl purge method PURGE
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny purge

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm CMS
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

### Exige autenticacao
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados

### Rede do CMS #####
acl lannet src 192.168.200.0/22 

### Nega acesso de quem nao esta na rede local do CMS
http_access allow lannet 
http_access allow localhost

#negando o acesso para todos que nao estiverem nas regras anteriores
http_access deny all

### Erros em portugues
error_directory /usr/share/squid3/errors/pt-br

#cache_effective_user proxy
coredump_dir /var/spool/squid3

########## END ###########################

I have some doubts:

1) I open my browser to test the authentication. It seems OK, but  when I open new tab in browser the Squid3 ask the user and password again. Is this normal behavior  ?

2) Is necessary to declare LOCALHOST acl as "acl localhost src 192.168.200.7/32" ?

3) Isn't necessary MANAGER acl as "acl manager proto cache_object" ?

4) Is correct order of the ACL in my squid.conf ? How do I improve it?

5) In my access.log, I have saw many "TCP_MISS/200". Does mean only the website is not in cache or is a strange behavior?

Sorry, but I'm still learning about Squid!

Regards,

Márcio

2016-09-05 1:17 GMT-03:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:

> I have used debug_options 11,2 in squid.conf file. After I have following

> results in logs files:

>

> /var/log/squid3/access.log

> 1473026084.048    253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST

> http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -

> 1473026086.275      0 192.168.200.85 TCP_DENIED/407 3792 CONNECT

> tiles.services.mozilla.com:443 - HIER_NONE/- text/html

> 1473026086.778      0 192.168.200.85 TCP_DENIED/407 3995 GET

> http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html

> 1473026088.908      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT

> shavar.services.mozilla.com:443 - HIER_NONE/- text/html

> 1473026091.932      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT

> self-repair.mozilla.org:443 - HIER_NONE/- text/html

> 1473026096.418    180 192.168.200.85 TCP_MISS/200 960 POST

> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8

> application/ocsp-response

> 1473026096.467     85 192.168.200.85 TCP_MISS/200 960 POST

> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8

> application/ocsp-response

> 1473026102.051    525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET

> http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41

> text/html

> 1473026102.091      0 192.168.200.85 TCP_HIT/200 22099 GET

> http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png

> 1473026104.855      0 10.133.85.3 TCP_DENIED/407 3929 GET

> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?

> - HIER_NONE/- text/html

> 1473026146.453     83 192.168.200.85 TCP_MISS/200 960 POST

> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8

> application/ocsp-response

> 1473026147.447     83 192.168.200.85 TCP_MISS/200 960 POST

> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8

> application/ocsp-response

> 1473026148.923      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT

> shavar.services.mozilla.com:443 - HIER_NONE/- text/html

> 1473026157.117  61506 192.168.200.85 TCP_MISS/200 3525 CONNECT

> tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -

> 1473026157.195  61584 192.168.200.85 TCP_MISS/200 4521 CONNECT

> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -

> 1473026160.190  63085 192.168.200.85 TCP_MISS/200 5449 CONNECT

> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -

> 1473026204.518      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT

> safebrowsing.google.com:443 - HIER_NONE/- text/html

> 1473026207.807  62056 192.168.200.85 TCP_MISS/200 3686 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.808  61160 192.168.200.85 TCP_MISS/200 390 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.809  61160 192.168.200.85 TCP_MISS/200 390 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.814  61165 192.168.200.85 TCP_MISS/200 390 CONNECT

> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -

> 1473026207.866  61052 192.168.200.85 TCP_MISS/200 3821 CONNECT

> aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -

> 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT

> normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -

> 1473026264.532      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT

> safebrowsing.google.com:443 - HIER_NONE/- text/html

> 1473026299.647      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT

> iecvlist.microsoft.com:443 - HIER_NONE/- text/html

> 1473026335.221      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT

> ieonline.microsoft.com:443 - HIER_NONE/- text/html

> 1473026592.061   6624 10.133.85.3 TCP_MISS/200 3582 CONNECT

> forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -

Notice how the 407 occur in bunches. 2-3 getting a 407 reject, then many

requests going through with user credentials. Then again some without

any getting a 407.

Those bunches of 407 will be matching some type of credentials timeout

in the browser, or opening of new tabs.

This request below is the only one from 192.168.200.96 so appears to be

the one you provide cache.log trace for...

> 1473026793.073      0 192.168.200.96 TCP_DENIED/407 3780 CONNECT

> safebrowsing.google.com:443 - HIER_NONE/- text/html

>

> /var/log/squid3/cache.log

>

> ----------

> 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP

> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1

> 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP

> Client REQUEST:

> ---------

> CONNECT safebrowsing.google.com:443 HTTP/1.1

> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101

> Firefox/35.0

> Proxy-Connection: keep-alive

> Connection: keep-alive

> Host: safebrowsing.google.com:443

Notice the abence of any Proxy-Authorization header containing credentials.

>

>

> ----------

> 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP

> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1

> 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP

> Client REPLY:

> ---------

> HTTP/1.1 407 Proxy Authentication Required

> Server: squid/3.4.8

> Mime-Version: 1.0

> Date: Sun, 04 Sep 2016 22:06:33 GMT

> Content-Type: text/html

> Content-Length: 3357

> X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*

> Proxy-Authenticate: Basic realm="CMS"

That realm="CMS" does not match the realm value of "AUTENTICACAO" which

your earlier config contained.

Unless you changed your auth_param settings that is a sign that some

other proxy is generating that response message. BUT, your access.log

entry shows no server being contacted.

> X-Cache: MISS from proxy.cms.ensino.br

> X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128

> Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)

> Connection: keep-alive

>

> ----------

>

> Sorry, but I didn't discover the problem!

>

> Anybody have an idea?

If you altered your squid.conf settings as above in the auth details,

did you also remove 192.168.200.7 from the "localhost" ACL ?

Your rule "http_access allow localhost" occurs before anything that

requires authentication. That means these requests coming from

192.168.200.7 to your proxy would not use authentication for the above

CONNECT request. So no reason for your proxy to generate any 407 response.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users