[squid-users] ISSUE accssing content

Jagannath Naidu jagannath.naidu at fosteringlinux.com
Sat Jul 25 05:31:09 UTC 2015


Thanks Amos,, mike



On 25 July 2015 at 03:20, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 25/07/2015 4:59 a.m., Jagannath Naidu wrote:
> > 1. Its not  a transparent proxy.
> >
> > 2. My clients get wpad configuration from AD server. So there are two
> > question.
> >  2.1 :I know that wpad is used to identify proxy server and port(and rest
> > other bypass rules).  When clients resolve to wpad.abc.com, is there way
> > that I can overwrite the wpad file off client. Like creating a webserver
> to
> > to serve wpad file and I change /etc/hosts file to
> "<myhwebserveripaddress>
> > wpad.abc.com"
> > 2.2 Is there any other way to tell clients via squid server, to do not
> come
> > to squid server and re initiate the request.
>
> Exactly that if you wish. Its not clear whether WPAD is the problem though.
>
> The fact that you have Squid logs showing access indicates the traffic
> us actually getting there okay. The responses do seem to be coming back
> from 10.* servers as well.
> So what is happening is something is causing those servers not to like
> the traffic being requested from them.
>
>
> >
> > On 24 July 2015 at 21:10, Jagannath Naidu <
> > jagannath.naidu at fosteringlinux.com> wrote:
> >
> >>
> >>
> >> On 24 July 2015 at 21:05, Jagannath Naidu <
> >> jagannath.naidu at fosteringlinux.com> wrote:
> >>
> >>> Dear List,
> >>>
> >>> I have been working on this for last two weeks, but never got it
> >>> resolved.
> >>>
> >>> We have a application server (SERVER) in our local network and a
> desktop
> >>>  application (CLIENT). The application picks proxy settings from IE.
> And we
> >>> also have a wensense proxy server
> >>>
> >>> case 1: when there is no proxy set
> >>> application works. No logs in squid server access.log
> >>>
> >>> case 2: when proxy ip address set and checked "bypass local network"
> >>> application works. No logs in squid server access.log
> >>>
> >>> case 3: when proxy ip address is set to wensense proxy server.
> UNCHECKED
> >>> "bypass local network"
> >>> application works. We dont have access to websense server and hence we
> >>> can not check logs
>
> Can you explain "not works" in any better detail?
>  application expected vs actual behaviour?
>  if you can relate that to particular HTTP messages even better.
>
The application is "aspect unified ip agent desktop". It is a dialer
application (VOIP). Used on windows machine.
Rest cases :

When application is launched, it shows that it has joined domain "HTP". HTP
is default, we can change to other from the drop down list.

Case 4: not works.

But in this case, it shows no drop down list, nor with a single option like
"HTP". Application can connect to server anymore. And I can not call or
receive calls anymore.


>
> >>>
> >>>
> >>> case 4: when proxy ip address is set to proxy server ip address.
> >>> UNCHECKED "bypass local network"
> >>> application does not work :-(. Below are the logs.
> >>>
> >>>
> >>> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET
> >>>
> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
> >>> - HIER_DIRECT/10.1.4.46 text/html
>
> 404. The URL you see above references an object that does not exist on
> that server.
>
> Things to look into:
>  Is it the right server?
>
Yes

>  Is it the right URL?
>
Yes

>  Why was it requested?
>
Don't know. These were the only logs I can get from access.log. The server
is "Microsoft IIS HTTP/1.1"


>  Does the server actually know its "dlwvdialce.htmedia.net" name?
>
Yes. It is resolvable 1) ping dlwvdialce works 2) ping
dlwvdialce.htmedia.net works

initially "dlwvdialce" was not resolving to any host. That's where used
"append_domain .htmedia.net" is squid.conf (worked for other applications).


>
>
> >>> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT
> >>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
> >>> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT
> >>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
>
>
> Authentication. Normal I think.
>
Yes, NTLM auth.


>
> >>> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET
> >>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
> >>> 10.1.4.46 text/html
>
> Same as the first 404'd URL.
>
>
>> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST
> >>>
> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
> >>> - HIER_NONE/- text/html
>
> 503 usually indicates the attempted server failed.
>
> Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work.
> Which would also match the lack of server IP in the log.
>

 1)  ping cs-711-core.htmedia.net  does not work "no such host"
 2) ping  cs-711-core <http://cs-711-core.htmedia.net/> does not work "no
such host"


>
>
> >>>
> >>> UPDATE: correct logs
> >>
> >> 1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET
> >>
> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
> >> - HIER_DIRECT/10.1.4.46 text/html
> >> 1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET
> >> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
> >> 10.1.4.46 text/html
> >> 1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST
> >>
> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
> >> - HIER_NONE/- text/html
> >>
>
> Same comments as above.
>
> >>
> >>
> >>> squid -v
> >>> Squid Cache: Version 3.3.8
> >>> configure options:  '--build=x86_64-redhat-linux-gnu'
> >>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> >>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> >>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> >>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> >>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> >>> '--infodir=/usr/share/info' '--disable-strict-error-checking'
> >>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
> '--localstatedir=/var'
> >>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> >>> '--with-logdir=$(localstatedir)/log/squid'
> >>> '--with-pidfile=$(localstatedir)/run/squid.pid'
> >>> '--disable-dependency-tracking' '--enable-eui'
> >>> '--enable-follow-x-forwarded-for' '--enable-auth'
> >>>
> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
> >>> '--enable-auth-ntlm=smb_lm,fake'
> >>> '--enable-auth-digest=file,LDAP,eDirectory'
> >>> '--enable-auth-negotiate=kerberos'
> >>>
> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
> >>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> >>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> >>> '--enable-ident-lookups' '--enable-linux-netfilter'
> >>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> >>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2'
> >>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
> >>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
> >>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
> >>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
> >>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
> >>> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
> >>> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now'
> 'CXXFLAGS=-O2
> >>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> >>> -fstack-protector-strong --param=ssp-buffer-size=4
> -grecord-gcc-switches
> >>> -m64 -mtune=generic -fpie'
> >>>
> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> >>>
> >>>
> >>> squid.conf
> >>>
> >>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> >>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> >>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> >>> acl localnet src fc00::/7       # RFC 4193 local private network range
> >>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
> plugged)
> >>> machines
> >>> acl SSL_ports port 443
> >>> acl Safe_ports port 80          # http
> >>> acl Safe_ports port 21          # ftp
> >>> acl Safe_ports port 443         # https
> >>> acl Safe_ports port 70          # gopher
> >>> acl Safe_ports port 210         # wais
> >>> acl Safe_ports port 1025-65535  # unregistered ports
> >>> acl Safe_ports port 280         # http-mgmt
> >>> acl Safe_ports port 488         # gss-http
> >>> acl Safe_ports port 591         # filemaker
> >>> acl Safe_ports port 777         # multiling http
> >>> acl Safe_ports port 8180
> >>> acl CONNECT method CONNECT
> >>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54
> >>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
>
> For easier reading:
>   acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4
>
> (at least I think they are all in one /27, double-check that)
>
> >>> http_access allow wvdial
> >>> acl dialer dstdomain .htmedia.net
> >>> http_access allow dialer
> >>> http_access deny !Safe_ports
> >>> http_access deny CONNECT !SSL_ports
> >>> http_access allow localhost manager
> >>> http_access deny manager
> >>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
>
>  "=" is a funny domain name. I suspect you wanted the domain-name part
> of the line to be used instead. Remove the "= " bit.
>
> Removed = bit.


> >>> append_domain  .mydomain.net
> >>> ignore_expect_100 on
>
> The ignore_* directive should not be useful in 3.3. You can remove it now.
>
> >>> dns_v4_first on
> >>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> >>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
> >>> auth_param ntlm children 1000
> >>> auth_param ntlm keep_alive off
> >>> auth_param basic program /usr/bin/ntlm_auth
> >>> --helper-protocol=squid-2.5-basic
> >>> auth_param basic children 100
> >>> auth_param basic realm Squid proxy-caching web server
> >>> auth_param basic credentialsttl 2 hours
> >>> acl auth proxy_auth REQUIRED
> >>> http_access allow all auth
>
> "allow all auth" means the same as "allow auth".
>
> "all" only has meaning on the end (right-hand side) of the line which
> would otherwise end in a proxy_auth ACL.
> It should either be on the end of that line, or not used at all.
>
>
> >>> http_access allow localnet
> >>> http_access allow localhost
> >>> http_access deny all
> >>> http_port 0.0.0.0:8080
> >>> coredump_dir /var/spool/squid
> >>> refresh_pattern ^ftp:           1440    20%     10080
> >>> refresh_pattern ^gopher:        1440    0%      1440
> >>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> >>> refresh_pattern .               0       20%     4320
> >>>
> >>>
> >>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to
> >>> squid 3.3 would help. Please help me resolving this mystery.
>
> Looks to me like the server at 10.1.4.46 does not know what to do with
> the URLs requested.
>
> I would start looking at whether the application is actually supposed to
> be going there for its requests.
>
> How can do that ?
I can install wireshark on client and test the result.

Am I missing any information to give ?


> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150725/128eeb2c/attachment-0001.html>


More information about the squid-users mailing list