Search squid archive

Re: Upstream Proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Amos, thank you very much for your very helpful response!

The vendor, while not helpful at all as they want our org to use their new application rather than proxy....Has stated they are only looking for email address and not password. But they likely mean they're looking for user.name@xxxxxxxxxxxxxx

Thank you for tls-cafile= correction, as I do have GoGuardian's root certificate in that path and trusted on the Squid-hosted OS.

For Login= I have been trying to pass credentials from Windows to Squid to GoGuardian. From your response, I believe you are stating to have a "machine" user account that will be static for all users passing through Squid. This setup would be fine for us, but we would prefer to have the unique user's "email" passed through so that on GoGuardian's end our reports reflect the correct user.

I currently have Squid working with auth (when not handing off to GG), with Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in the form of the username ("email").

I feel like I have http://www.squid-cache.org/Doc/config/cache_peer/ 's authentication options memorized, however it is possible I am using them (login=) incorrectly.

The vendor refuses to look at logs on their end to troubleshoot, as they do not have access and the engineers who do aren't replying! Lovely...




1658160759.291    166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199"
1658160760.048     73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx HIER_NONE/- - "ws-iid=94" "ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220"
1658160760.165    117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx FIRSTUP_PARENT/52.44.107.1 - "ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1658160760.165      0 10.125.12.19 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=517"


----------
CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1
Host: getpocket.cdn.mozilla.net:443
Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5)
X-Forwarded-For: 10.125.12.19
Proxy-Authorization: Basic [redacted]
Cache-Control: max-age=259200
Connection: close


----------



---------
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Secure Browsing"
Date: Mon, 18 Jul 2022 16:13:28 GMT
Content-Length: 0
Connection: close

----------




Best Regards, 
Johnathan
 
_______________________________________________________ 
  
Johnathan Hasty 
Senior DevOps Engineer 
Uncommon Schools 
C: 989.366.1672 
  
Uncommon Schools | Change History 
Website | Facebook | Twitter | LinkedIn | Apply Now 

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: Friday, July 15, 2022 1:27 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Upstream Proxy

On 16/07/22 04:05, Johnathan Hasty wrote:
>> What HTTP authentication method(s) or scheme(s) does your upstream proxy support or require?
>
> They're very vague and not helpful. It was said they look for email, but in reality it would be user@xxxxxxxxxxxxxxxx rather than user@xxxxxxxxxxx.
>
>
> This is the only information I have for them.
>
> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsupport.goguardian
> .com%2fs%2farticle%2fDeploying-GoGuardian-Gateway-1629767892527&c=E,1,
> kxoL6sN8CmL8UJVV7XAszjC5mA2VYXeLIYssH9544vgm37JbQ44M6EZogCrg-UmQilt1uk
> BdNerDVyJj9CitYUk5aQX0P9NqNDjbcNYV-ImK&typo=1
>
> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fview.highspot.com%
> 2fviewer%2f5f7241dd628ba24915723e85&c=E,1,dxC_Gqqw2wC0pGrZOpS7-THHKfgN
> Utm5i8wjs5Ac9f2Jon2meVKJs0rNytWei3YbxnYP8cNbFntUm7e9E34E2dGHoyKwTvfmiM
> MKCvRjnxg7&typo=1
>

This document is providing some answers, but indeed are a bit obscure.

The authentication is using LDAP service. Which means Squid should have its own account in LDAP registered as a machine account type (not a regular user, so it can avoid constant password update requirements).
Those are the credentials you configure in the cache_peer line to be passed to GG.
  Make sure that you configure the full username string. Whether it be login=user@xxxxxxxxxxxxxxxx:password  or login=user@xxxxxxxxxxx:password or  login=user:password


Also, cache_peer should not need sslcapath= option. Just 'tls' and ensure the Squid machine Trusted CA certs package is kept up to date. If GG has a special Server certificate based on some custom CA, then use the tls-cafile= option to load that custom public root cert.


If you are still having issues, the contents of the PAC file generated for a test user account could have some more hints about what GG is expecting.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://linkprotect.cudasvc.com/url?a=http%3a%2f%2flists.squid-cache.org%2flistinfo%2fsquid-users&c=E,1,p0pIs1RkqwtsIzZ-qgPtXeEFoSfUyjivFLuTCVPZhVMDWCtYW2Nrlh1pGrW3jFWJYwsWZgEMtY8MTMjtg1bA-UDPcCY9hRhweJEdl7NdDScvjx-99Kir&typo=1
CAUTION : This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux