[squid-users] Squid 3.5.9 Problems with Teamviewer

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 21 13:26:08 UTC 2016

On 21/04/2016 3:39 a.m., epytir wrote:
> Hey Squid Users,
> Sorry for my bad English, I'm learning it currently.
> I got a little problem with my squid proxy.
> I installed it with ufdbguard and squidclamav and everything works fine.
> The users login with kerberos ntlm or normal username password
> authentication.
> My Problem is when Users start Teamviewer (every Version) some time
> teamviewer doing nothing then the message "no connection please check proxy
> settings" appears. Then I click nothing after 10 more seconds the teamviewer
> is connected without changing anything.
> So Teamviewer needs up to 1 minute to connect through the proxy without I
> need like 5 seconds.
> Teamviewer is not blocked for the users with the problems and it connects
> but needs too much time. I have 1500 User so the normal user don't understand
> that he must wait and don't click on change settings or abort.
> I log squid in database and every connect i see is not blocked:
> | 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip | TCP_MISS | 200 | 15623 | GET | www.teamviewer.com | Username | FIRSTUP_PARENT | NULL | NULL |
> | 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip | TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username | HIER_NONE | NULL | NULL |

You missed out the bit where the column titles were described so we know
what that above means.

> The parent Proxy is not the problem cause our old proxy is tmg from
> microsoft and use the same proxy without teamviewer problems. (we want to
> shutdown tmg cause it's extremely slow and squid is so fast :) )

Maybe it is, maybe it isn't. Not a safe assumption.

It is likely tmg and Squid are talking to it slightly differently which
might make it do different things and hit some bug you never saw before.
The older that parent proxy software is the more likely this is to happen.

> Here are some information:
> Squid 3.5.9
> UFDB 1.31-16
> Server Ubuntu 14.04 LTS

The old Squid version could also be a problem. We have found and fixed
quite a lot of bugs in the last 2 years.

A useful rule of thumb when dealing with squid issues is to first try an
upgrade and see if the issue is resolved already.

If you can wait a few days I suggest trying for an upgrade to Ubuntu
Xenial 16.04 LTS, which should appear any day now and has a much better
Squid in it.

> Squid config snip:
> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth  --ntlm 
> /usr/lib/squid3/fakeauth_auth  --kerberos 
> /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$

The above line got truncated.

> auth_param negotiate children 80
> auth_param negotiate keep_alive on

I recommend using "off" here. It seems to be needed by recent Firefox
and some other tools as well.

> auth_param ntlm program /usr/lib/squid3/fakeauth_auth x.x.x\DC

This "x.x.x\DC" thing is suspicious. If it is actually needed, then I
suspect it should be on the Negotiate/NTLM helper as well as the NTLM one.

> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> #LDAP Authentication
> auth_param basic program  /usr/lib/squid3/basic_ldap_auth -b
> "dc=X,dc=X,dc=X" -D "XXX at X.X.X" -w "XXXXXXXXX" -v 3 -h ldaps://X.X.X
> auth_param basic children 30
> auth_param basic realm Domain-Internet-Proxy
> auth_param basic credentialsttl 30 day  #How often ask for Login credentials
> auth_param basic casesensitive off
> acl ldap-auth proxy_auth REQUIRED # Rule authentication needed
> never_direct allow all
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> #http_access allow CONNECT SSL_ports

The security rule provided is "deny CONNECT !SSL_Ports".

That is *not* the same as "allow CONNECT SSL_Ports".

It uses "deny" explicitly to prevent other rules later in the config
doing unexpected bad things...

> http_access allow localnet
> http_access allow localhost
> #LDAP User are allowed to connect to the Internet
> http_access allow ldap-auth
> http_access allow CONNECT  SSL_ports ldap-auth

... like this rule doing nothing.

  Because ldap-auth, localnet, localhost ACLs already let users do
anything they want. Anything. Oops.

> # And finally deny all other access to this proxy
> http_access deny all
> .
> .
> .
> Normal ntlm doesn't work but we have some old programs that need ntlm so I use
> fake ntlm for them, browsers only use kerberos.
> In squid log I see nothing, no entries for the connection time.

Squid logs transactions when they complete. If the teamviewer is still
using it for some minutes/hours/days you won't see it until it's over.

"Days" is not a joke, some can last that long. GoogleTalk, Facebook
Chat, Skype etc are known for it already. It would not surprise me to
find TeamViewer is similar.
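
Added example, not part of the original message: a small Python model of first-match http_access evaluation, run over the posted rules and over the same rules with the stock "deny CONNECT !SSL_ports" line restored. The Safe_ports and SSL_ports values are assumed to be the stock squid.conf defaults (the post does not show them), and the request dictionaries are constructed samples.

```python
# Added illustration: a minimal model of Squid's http_access evaluation.
# Rules are checked top to bottom; a line matches only if every ACL on it
# matches, and the first matching line decides. Port lists are assumed to be
# the stock squid.conf defaults; they are not shown in the posted snippet.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports":  lambda r: r["port"] in SSL_PORTS,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "localnet":   lambda r: r["from_localnet"],
    "localhost":  lambda r: r.get("from_localhost", False),
    "ldap-auth":  lambda r: r["authenticated"],   # proxy_auth REQUIRED
    "all":        lambda r: True,
}

POSTED = """
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access allow ldap-auth
http_access allow CONNECT SSL_ports ldap-auth
http_access deny all
"""

# Same rules with the stock "deny CONNECT !SSL_ports" line restored.
RESTORED = POSTED.replace(
    "http_access allow localnet",
    "http_access deny CONNECT !SSL_ports\nhttp_access allow localnet", 1)

def evaluate(config, request):
    """Return (action, line_number) of the first http_access line that matches."""
    lines = [l.split() for l in config.strip().splitlines()]
    for n, (_, action, *acls) in enumerate(lines, 1):
        # "!name" matches when the ACL is false, "name" when it is true.
        if all(ACLS[a.lstrip("!")](request) != a.startswith("!") for a in acls):
            return action, n
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if lines[-1][1] == "deny" else "deny"), None

# Constructed sample requests from an unauthenticated localnet client.
tunnel_8080 = {"method": "CONNECT", "port": 8080, "from_localnet": True, "authenticated": False}
tunnel_443 = {"method": "CONNECT", "port": 443, "from_localnet": True, "authenticated": False}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("restored", RESTORED)):
        print(name, evaluate(cfg, tunnel_8080), evaluate(cfg, tunnel_443))
```

In the posted rule set the "allow CONNECT SSL_ports ldap-auth" line can never be the deciding line, because any request that satisfies ldap-auth has already matched "allow ldap-auth" above it.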


