[squid-users] Squid 3.5.9 Problems with Teamviewer

epytir auaauabubu at yahoo.de
Thu Apr 21 14:31:26 UTC 2016


Hey Amos,

thanks for your reply.

The line  /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$
is only missing the two letters ME, sorry for that.

I will build a test server with the newest squid version and config changes.

>I log squid in a database and every connection I see is not blocked:
The column titles are:
        ID | time_since_epoch | date_day | date_time | response_time | squid_request_status |
        http_status_code | reply_size | request_url | user | squid_hier_status
> | 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip | TCP_MISS | 200 | 15623 | GET | www.teamviewer.com | Username | FIRSTUP_PARENT | NULL | NULL |
> | 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip | TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username | HIER_NONE | NULL | NULL |
>

>You missed out the bit where the column titles were described so we know
>what that above means. 


I don't know what the parent proxy is because it is outsourced by our customer
and they don't say what it is...
I think it's Squid or TMG, and yes, if it is TMG or an old version of Squid
maybe this is the problem..

I'm new with Squid so I might make some config mistakes, thanks for correcting
me :)


I will write here when I have new information.

Greetings Epytir



Amos Jeffries wrote
> On 21/04/2016 3:39 a.m., epytir wrote:
>> Hey Squid Users,
>> 
>> Sorry for my bad English, I'm learning it currently.
>> 
>> I got a little problem with my squid proxy.
>> I installed it with ufdbguard and squidclamav and everything works fine.
>> 
>> The users login with Kerberos, NTLM or normal username/password
>> authentication.
>> 
>> My problem is when users start Teamviewer (every version) sometimes
>> Teamviewer does nothing, then the message "no connection please check proxy
>> settings" appears. Then I click nothing and after 10 more seconds Teamviewer
>> is connected without changing anything.
>> So Teamviewer needs up to 1 minute to connect through the proxy; without it I
>> need like 5 seconds.
>> 
>> Teamviewer is not blocked for the users with the problems and it connects
>> but needs too much time. I have 1500 users so the normal user doesn't
>> understand that he must wait and not click on change settings or abort.
>> 
>> I log squid in a database and every connection I see is not blocked:
>> | 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip | TCP_MISS | 200 | 15623 | GET | www.teamviewer.com | Username | FIRSTUP_PARENT | NULL | NULL |
>> | 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip | TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username | HIER_NONE | NULL | NULL |
>> 
> 
> You missed out the bit where the column titles were described so we know
> what that above means.
> 
> 
>> The parent proxy is not the problem because our old proxy is TMG from
>> Microsoft and uses the same proxy without Teamviewer problems. (we want to
>> shut down TMG because it's extremely slow and squid is so fast :) ) 
>> 
> 
> Maybe it is, maybe it isn't. Not a safe assumption.
> 
> It is likely tmg and Squid are talking to it slightly differently which
> might make it do different things and hit some bug you never saw before.
> The older that parent proxy software is the more likely this is to happen.
> 
> 
>> 
>> Here is some information:
>> Squid 3.5.9
>> UFDB 1.31-16
>> Server Ubuntu 14.04 LTS
>> 
> 
> The old Squid version could also be a problem. We have found and fixed
> quite a lot of bugs in the last 2 years.
> 
> A useful rule of thumb when dealing with squid issues is to first try an
> upgrade and see if the issue is resolved already.
> 
> If you can wait a few days I suggest trying for an upgrade to Ubuntu
> Xenial 16.04 LTS, which should appear any day now and has a much better
> Squid in it.
> 
> 
>> Squid config snip:
>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/lib/squid3/fakeauth_auth --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$
> 
> The above line got truncated.
> 
>> auth_param negotiate children 80
>> auth_param negotiate keep_alive on
> 
> I recommend using "off" here. It seems to be needed by recent Firefox
> and some other tools as well.
> 
>> 
>> auth_param ntlm program /usr/lib/squid3/fakeauth_auth x.x.x\DC
> 
> This "x.x.x\DC" thing is suspicious. If it is actually needed, then I
> suspect it should be on the Negotiate/NTLM helper as well as the NTLM one.
> 
> 
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive off
>> 
>> #LDAP Authentication
>> auth_param basic program  /usr/lib/squid3/basic_ldap_auth -b "dc=X,dc=X,dc=X" -D "XXX at .X" -w "XXXXXXXXX" -v 3 -h ldaps://X.X.X
>> auth_param basic children 30
>> auth_param basic realm Domain-Internet-Proxy
>> auth_param basic credentialsttl 30 day  #How often ask for Login credentials
>> auth_param basic casesensitive off
>> 
>> acl ldap-auth proxy_auth REQUIRED # Rule authentication needed
>> never_direct allow all
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>> 
>> # Deny CONNECT to other than secure SSL ports
>> #http_access allow CONNECT SSL_ports
> 
> The security rule provided is "deny CONNECT !SSL_Ports".
> 
> That is *not* the same as "allow CONNECT SSL_Ports".
> 
> It uses "deny" explicitly to prevent other rules later in the config
> doing unexpected bad things...
> 
> 
>> http_access allow localnet
>> http_access allow localhost
>> 
>> #LDAP User are allowed to connect to the Internet
>> http_access allow ldap-auth
>> http_access allow CONNECT  SSL_ports ldap-auth
>> 
> 
> ... like this rule doing nothing.
> 
> Why?
>   Because ldap-auth, localnet, localhost ACLs already let users do
> anything they want. Anything. Oops.
> 
> 
>> 
>> # And finally deny all other access to this proxy
>> http_access deny all
>> .
>> .
>> .
>> 
>> Normal NTLM doesn't work but we have some old programs that need NTLM so I
>> use fake NTLM for them; browsers only use Kerberos.
>> 
>> In the squid log I see nothing, no entries for the connection time.
> 
> Squid logs transactions when they complete. If Teamviewer is still
> using it for some minutes/hours/days you won't see it until it's over.
> 
> "Days" is not a joke, some can last that long. GoogleTalk, Facebook
> Chat, Skype etc are known for it already. It would not surprise me to
> find TeamViewer is similar.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at .squid-cache
> http://lists.squid-cache.org/listinfo/squid-users

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-5-9-Problems-with-Teamviewer-tp4677176p4677203.html
Sent from the Squid - Users mailing list archive at Nabble.com.
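Added example, not from this thread and not Squid's own code: a small Python model of Squid's first-match http_access evaluation, written to make Amos's point about rule order concrete. The ACL definitions (localnet ranges, Safe_ports, SSL_ports) are assumptions modelled on the stock squid.conf defaults, since the poster's config snippet did not include the acl lines; the sample requests are constructed. It compares the order as posted against the same rules with the stock "deny CONNECT !SSL_ports" line restored before any allow.

```python
import ipaddress

# ACL definitions assumed for this example: the names used in the thread with
# value sets modelled on the stock squid.conf defaults (constructed, not copied
# from the poster's config, which did not show the acl lines).
ACLS = {
    "all": ("all", []),
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 21, 443, 70, 210, 280, 488, 591, 777, (1025, 65535)]),
    "CONNECT": ("method", ["CONNECT"]),
    "ldap-auth": ("proxy_auth", ["REQUIRED"]),
}

def acl_matches(name, req):
    """Does the named ACL match this request? req has src, port, method, user."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        for v in values:
            lo, hi = v if isinstance(v, tuple) else (v, v)
            if lo <= req["port"] <= hi:
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "proxy_auth":
        # REQUIRED: any successfully authenticated user matches
        return req.get("user") is not None
    raise ValueError("unknown acl type %r" % kind)

def term_matches(term, req):
    """A '!name' term matches when the ACL does not."""
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), req) != negated

def http_access(rules, req):
    """Squid semantics: terms on one line are ANDed, lines are checked in
    order and the first line whose terms all match decides. If no line
    matches, the opposite of the last line's action applies."""
    last_action = "deny"
    for action, terms in rules:
        last_action = action
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if last_action == "allow" else "allow"

# The http_access order as posted in the thread (comment lines omitted).
POSTED_ORDER = [
    ("deny",  ["!Safe_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["ldap-auth"]),
    ("allow", ["CONNECT", "SSL_ports", "ldap-auth"]),
    ("deny",  ["all"]),
]

# Same rules with the stock "deny CONNECT !SSL_ports" line restored and placed
# before every allow line, so a later allow cannot override it.
HARDENED_ORDER = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["ldap-auth"]),
    ("deny",  ["all"]),
]

# Constructed sample requests from an authenticated LAN client.
HTTPS_TUNNEL = {"src": "192.168.1.10", "port": 443, "method": "CONNECT", "user": "alice"}
PLAIN_TUNNEL = {"src": "192.168.1.10", "port": 80,  "method": "CONNECT", "user": "alice"}
SMTP_TUNNEL  = {"src": "192.168.1.10", "port": 25,  "method": "CONNECT", "user": "alice"}
PLAIN_GET    = {"src": "192.168.1.10", "port": 80,  "method": "GET",     "user": "alice"}

def compare(req):
    """Return (verdict under the posted order, verdict under the hardened order)."""
    return http_access(POSTED_ORDER, req), http_access(HARDENED_ORDER, req)

if __name__ == "__main__":
    for label, req in [("CONNECT :443", HTTPS_TUNNEL), ("CONNECT :80", PLAIN_TUNNEL),
                       ("CONNECT :25", SMTP_TUNNEL), ("GET :80", PLAIN_GET)]:
        posted, hardened = compare(req)
        print("%-13s posted=%-5s hardened=%s" % (label, posted, hardened))
```

Under the posted order a LAN client's CONNECT to port 80 is decided by "allow localnet" before any CONNECT rule is reached, which is exactly the "already let users do anything they want" effect Amos describes; with the deny placed first the same request is refused while CONNECT to 443 and a plain GET still pass. The model covers only the ACL types the thread uses (src, port, method, proxy_auth); real Squid ACLs are richer, so use it to reason about ordering, not as a substitute for testing the live configuration.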