[squid-users] Unable to access websites through Squid

L.P.H. van Belle belle at bazuin.nl
Wed Dec 23 16:54:37 UTC 2015


Hai, 

 

I had troubles also with the squid config files, so I created “squid-conf-split”.

Basically this small piece of code below.

 

 

## code starts here.

#!/bin/sh

DATE_NOW=$(date +%Y-%m-%d)

# Back up an existing conf.d before regenerating it; otherwise create it.
if [ -d /etc/squid/conf.d ]; then
    cp -R /etc/squid/conf.d /etc/squid/conf.d-${DATE_NOW}
else
    mkdir /etc/squid/conf.d
fi

cd /etc/squid/conf.d || exit 1

# Keep a pristine copy of the packaged config; this is the file that gets split.
if [ ! -e /etc/squid/squid.conf.debian ]; then
    if [ -e /etc/squid/squid.conf.dpkg-dist ]; then
        cp /etc/squid/squid.conf.dpkg-dist /etc/squid/squid.conf.debian
    else
        cp /etc/squid/squid.conf /etc/squid/squid.conf.debian
    fi
fi

# Split one line above each section banner, so every piece starts with its title.
csplit -f squid- -n2 /etc/squid/squid.conf.debian '/# -----------------------------------------------------------------------------/-1' '{*}' > /dev/null

# Rename each piece csplit just wrote (squid-NN) after the title on its first line.
for x in squid-[0-9][0-9] ; do
    NAME=$(head -n1 "$x" | tr -s ' ' | tr ' ' '-' | cut -c3-100)
    mv "$x" "$x-00-$NAME.conf"
done

# Replace the main config with a stub that includes the split files.
cat << EOF > /etc/squid/squid.conf
########################################
## Debian Squid splitted based config
## edit the files in /etc/squid/conf.d/
include /etc/squid/conf.d/*.conf
EOF

## code ends here.

 

 

You end up with a layout like this.

All files starting with squid-XX-00 are the default settings of squid.

All squid-XX-01-custom are my changes.

Only 1 file is an exception: squid-03-00-ACCESS-CONTROLS.conf. Since order is a big thing in this file, I make a copy of it

and add my entries there. All others see below.

 

squid-00-00-WELCOME-TO-SQUID-3.5.12.conf                                squid-12-01-custom.conf                                      squid-27-00-SNMP-OPTIONS.conf

squid-01-00-OPTIONS-FOR-SMP.conf                                        squid-13-00-OPTIONS-FOR-EXTERNAL-SUPPORT-PROGRAMS.conf       squid-27-01-custom.conf

squid-02-00-OPTIONS-FOR-AUTHENTICATION.conf                             squid-13-01-custom.conf                                      squid-28-00-ICP-OPTIONS.conf

squid-02-01-auth-negotiate-both.conf                                    squid-14-00-OPTIONS-FOR-URL-REWRITING.conf                   squid-28-01-custom.conf

squid-02-04-auth-ldap-AD.conf                                           squid-15-00-OPTIONS-FOR-STORE-ID.conf                        squid-29-00-MULTICAST-ICP-OPTIONS.conf

squid-02-99-auth-acl.conf                                               squid-16-00-OPTIONS-FOR-TUNING-THE-CACHE.conf                squid-30-00-INTERNAL-ICON-OPTIONS.conf

squid-03-00-ACCESS-CONTROLS.conf                                        squid-16-01-custom.conf                                      squid-31-00-ERROR-PAGE-OPTIONS.conf

squid-04-00-NETWORK-OPTIONS.conf                                        squid-17-00-HTTP-OPTIONS.conf                                squid-31-01-custom.conf

squid-05-00-SSL-OPTIONS.conf                                            squid-17-01-custom.conf                                      squid-32-00-OPTIONS-INFLUENCING-REQUEST-FORWARDING-.conf

squid-06-00-OPTIONS-RELATING-TO-EXTERNAL-SSL_CRTD-.conf                 squid-18-00-TIMEOUTS.conf                                    squid-32-01-custom.conf

squid-07-00-OPTIONS-WHICH-AFFECT-THE-NEIGHBOR-SELECTION-ALGORITHM.conf  squid-18-01-custom.conf                                      squid-33-00-ADVANCED-NETWORKING-OPTIONS.conf

squid-08-00-MEMORY-CACHE-OPTIONS.conf                                   squid-19-00-ADMINISTRATIVE-PARAMETERS.conf                   squid-34-00-ICAP-OPTIONS.conf

squid-08-01-custom.conf                                                 squid-19-01-custom.conf                                      squid-34-01-icap-squidclamav.conf

squid-09-00-DISK-CACHE-OPTIONS.conf                                     squid-20-00-OPTIONS-FOR-THE-CACHE-REGISTRATION-SERVICE.conf  squid-35-00-eCAP-OPTIONS.conf

squid-09-01-custom.conf                                                 squid-21-00-HTTPD-ACCELERATOR-OPTIONS.conf                   squid-36-00-MESSAGE-ADAPTATION-OPTIONS.conf

squid-10-00-LOGFILE-OPTIONS.conf                                        squid-22-00-DELAY-POOL-PARAMETERS.conf                       squid-37-00-DNS-OPTIONS.conf

squid-10-01-custom.conf                                                 squid-23-00-CLIENT-DELAY-POOL-PARAMETERS.conf                squid-37-01-custom.conf

squid-11-00-OPTIONS-FOR-TROUBLESHOOTING.conf                            squid-24-00-WCCPv1-AND-WCCPv2-CONFIGURATION-OPTIONS.conf     squid-38-00-MISCELLANEOUS.conf

squid-11-01-custom.conf                                                 squid-25-00-PERSISTENT-CONNECTION-HANDLING.conf              squid-38-01-custom.conf

squid-12-00-OPTIONS-FOR-FTP-GATEWAYING.conf                             squid-26-00-CACHE-DIGEST-OPTIONS.conf

 

 

If you use Kerberos authentication, you can use a setup like this. I’ve tested both, and both work as of 3.4.8 -> 3.5.12 (I recompiled 3.5 from sid).

## this line needs good working Principal names (SPNs), like HTTP/proxy1.internal.domain.tld, and you need an A and PTR record!

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@MY.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

## or same, check the -s !
#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

auth_param negotiate children 30 startup=5 idle=1
auth_param negotiate keep_alive on

 

 

Take one of the above lines and test with debug on, like:

/usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@MY.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN -D

( -D added in this line )

 

So, do the following: start over with a clean new config.

Enable these:

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

Which allows all local networks, or change them to your IP range.

 

http_port 3128 intercept

 

Add to firewall:

-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 

 

Reload squid and test. 

 

Give it a try, I'm back here in 15 hours..  ;-)

 

Greetz, 

 

Louis

 


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of dolson at ihcrc.org
Sent: Wednesday 23 December 2015 16:26
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Unable to access websites through Squid


 

Greetings,

 

I am working with Squid 3.4.8 on a Debian 8.2 system.   The goal is to record all web activity, not block any sites at this time utilizing squid.  I have followed several different sets of instructions on setting up Squid to utilize Active Directory Authentication to record who goes where.   I have yet to be able to access any websites, even internal sites while passing through the Squid Proxy.   The browser I’m testing on is Mozilla Firefox 42.0 on a Windows 7 Professional system.  I am using Firefox for testing as I can set the proxy without affecting my other browsers on my workstation.

 

I have tried various different forms of the squid.conf file, found from various sources and I have yet to get a successful connection.  Depending on the file configuration I use, I am getting an “access denied” page from the squid server, or a “Problem loading page:  The connection was reset” error.   With the current squid.conf, which brings up the second error, nothing is recorded in the access.log file, and the cache.log file keeps reporting the following error:

 

WARNING:  memberof #Hlpr0 exited

FATAL:  The memberof helpers are crashing too rapidly, need help!

 

I feel like I’m banging my head against the wall at this point.   I have tried slowly building the squid.conf file, adding one authenticator program at a time until I got some sort of different response and I have not been able to get anything to work.

 

I have attached several different squid.conf files that I have used.  The current “Squid.conf” file generates the “Connection was reset” error message, while the squid.conf.bk5 file just gives me an access is denied message.

 

Please help!

 

 

Thank you,

 

Dan Olson

Indian Health Care Resource Center

Network Support Specialist

Main: 918.588.1900 Ext. 2212

Direct: 918.382.1212

www.ihcrc.org
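
The reply above notes that order matters in squid-03-00-ACCESS-CONTROLS.conf. The following is an added example, not part of the original mail or of Squid: it lists the http_access rules of a conf.d layout in the order the files are read and flags rules that land after "http_access deny all". The function names and the sample files are constructed, and it assumes the include glob is read in sorted filename order.

```shell
#!/bin/sh
# Added example: audit http_access ordering across a split conf.d directory.

# Print every http_access rule as "file:line:rule", in the order the files
# are read (assumption: the include glob expands in sorted name order).
effective_http_access() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$(basename "$f")" \
            '$1 == "http_access" { $1 = $1; print f ":" NR ":" $0 }' "$f"
    done
}

# Print the rules that come after the first "http_access deny all".
# Squid stops at the first matching http_access line, so these never apply.
unreachable_rules() {
    effective_http_access "$1" | awk -F: '
        seen { print }
        $3 == "http_access deny all" { seen = 1 }'
}

# Constructed sample: the default access-control file ends with "deny all",
# and a later custom file tries to allow an authenticated ACL.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/squid-03-00-ACCESS-CONTROLS.conf" <<'EOF'
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
    cat > "$d/squid-04-01-custom.conf" <<'EOF'
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
EOF
    echo "$d"
}

sample=$(make_sample)
echo "Effective order:"; effective_http_access "$sample"
echo "Never evaluated:"; unreachable_rules "$sample"
rm -rf "$sample"
```

Run unreachable_rules against /etc/squid/conf.d before reloading Squid; any line it prints belongs in the access-controls file, above the final deny.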

 

 

