Re: Upstream Proxy

[Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>]

On 7/18/22 12:15, Johnathan Hasty wrote:

> The vendor, while not helpful at all as they want our org to use
> their new application rather than proxy....Has stated they are only
> looking for email address and not password. But they likely mean
> they're looking for user.name@xxxxxxxxxxxxxx

I see two options for going forward:

* Continue guessing what the upstream proxy wants to receive from Squid. 
This may go on forever because you do not know the authentication scheme 
they are using and you do not know the proper credentials for that 
scheme. The number of potential configurations to test is infinite.

* Do what they want -- set things up (without Squid!) so that HTTP 
clients authenticate with the upstream proxy. AFAICT, the vendor will 
help you with that. Then use the _working_ example to reverse engineer 
the right answers instead of guessing them.

Alex.



> Thank you for tls-cafile= correction, as I do have GoGuardian's root certificate in that path and trusted on the Squid-hosted OS.
>
> For Login= I have been trying to pass credentials from Windows to Squid to GoGuardian. From your response, I believe you are stating to have a "machine" user account that will be static for all users passing through Squid. This setup would be fine for us, but we would prefer to have the unique user's "email" passed through so that on GoGuardian's end our reports reflect the correct user.
>
> I currently have Squid working with auth (when not handing off to GG), with Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in the form of the username ("email").
>
> I feel like I have http://www.squid-cache.org/Doc/config/cache_peer/ 's authentication options memorized, however it is possible I am using them (login=) incorrectly.
>
> The vendor refuses to look at logs on their end to troubleshoot, as they do not have access and the engineers who do aren't replying! Lovely...
>
>
>
>
> 1658160759.291    166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199"
> 1658160760.048     73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx HIER_NONE/- - "ws-iid=94" "ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220"
> 1658160760.165    117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx FIRSTUP_PARENT/52.44.107.1 - "ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
> 1658160760.165      0 10.125.12.19 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=517"
>
>
> ----------
> CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1
> Host: getpocket.cdn.mozilla.net:443
> Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5)
> X-Forwarded-For: 10.125.12.19
> Proxy-Authorization: Basic [redacted]
> Cache-Control: max-age=259200
> Connection: close
>
>
> ----------
>
>
>
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Proxy-Authenticate: Basic realm="Secure Browsing"
> Date: Mon, 18 Jul 2022 16:13:28 GMT
> Content-Length: 0
> Connection: close
>
> ----------
>
>
>
>
> Best Regards,
> Johnathan
>   
> _______________________________________________________
>    
> Johnathan Hasty
> Senior DevOps Engineer
> Uncommon Schools
> C: 989.366.1672
>    
> Uncommon Schools | Change History
> Website | Facebook | Twitter | LinkedIn | Apply Now
>
> -----Original Message-----
> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
> Sent: Friday, July 15, 2022 1:27 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  Upstream Proxy
>
> On 16/07/22 04:05, Johnathan Hasty wrote:
> > > What HTTP authentication method(s) or scheme(s) does your upstream proxy support or require?
> >
> > They're very vague and not helpful. It was said they look for email, but in reality it would be user@xxxxxxxxxxxxxxxx rather than user@xxxxxxxxxxx.
> >
> >
> > This is the only information I have for them.
> >
> > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsupport.goguardian
> > .com%2fs%2farticle%2fDeploying-GoGuardian-Gateway-1629767892527&c=E,1,
> > kxoL6sN8CmL8UJVV7XAszjC5mA2VYXeLIYssH9544vgm37JbQ44M6EZogCrg-UmQilt1uk
> > BdNerDVyJj9CitYUk5aQX0P9NqNDjbcNYV-ImK&typo=1
> >
> > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fview.highspot.com%
> > 2fviewer%2f5f7241dd628ba24915723e85&c=E,1,dxC_Gqqw2wC0pGrZOpS7-THHKfgN
> > Utm5i8wjs5Ac9f2Jon2meVKJs0rNytWei3YbxnYP8cNbFntUm7e9E34E2dGHoyKwTvfmiM
> > MKCvRjnxg7&typo=1
>
> This document is providing some answers, but indeed are a bit obscure.
>
> The authentication is using LDAP service. Which means Squid should have its own account in LDAP registered as a machine account type (not a regular user, so it can avoid constant password update requirements).
> Those are the credentials you configure in the cache_peer line to be passed to GG.
>    Make sure that you configure the full username string. Whether it be login=user@xxxxxxxxxxxxxxxx:password  or login=user@xxxxxxxxxxx:password or  login=user:password
>
>
> Also, cache_peer should not need sslcapath= option. Just 'tls' and ensure the Squid machine Trusted CA certs package is kept up to date. If GG has a special Server certificate based on some custom CA, then use the tls-cafile= option to load that custom public root cert.
>
>
> If you are still having issues, the contents of the PAC file generated for a test user account could have some more hints about what GG is expecting.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://linkprotect.cudasvc.com/url?a=http%3a%2f%2flists.squid-cache.org%2flistinfo%2fsquid-users&c=E,1,p0pIs1RkqwtsIzZ-qgPtXeEFoSfUyjivFLuTCVPZhVMDWCtYW2Nrlh1pGrW3jFWJYwsWZgEMtY8MTMjtg1bA-UDPcCY9hRhweJEdl7NdDScvjx-99Kir&typo=1
> CAUTION : This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users