[squid-users] squid4.07 - ale missing adapted httprequest object

Amos Jeffries squid3 at treenet.co.nz
Sat Mar 26 12:19:34 UTC 2016


On 26/03/2016 12:32 p.m., Jens Kallup wrote:
> Hello Folks,
> 
> I downloaded the latest squid4.07 sources last night.
> I can compile it without errors.
> I have an optimized squid.conf - it works with squid3.
> 
> But now, I get:
> 
> ale missing adapted httprequest object
> ale missing url
> 

Those are informational: the Squid internal state is not being set up
quite right for the way external ACL formats work now in Squid-4. It's a
minor bug. Thanks for mentioning it.

> in the cache.log and sites were not blocked!

You have configured Squid to let logged in users do *anything* they
want. See below.


> 
> Here is my squid.config, and the helper script:
> 
> ---%<----
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
> auth_param basic children 4
> auth_param basic utf8 on
> auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort
> fuer die Internetberechtigung ein!
> auth_param basic credentialsttl 60 minutes
> auth_param basic casesensitive on
> 
> external_acl_type MyAclHelper %LOGIN %DST /sap/squid/helper.py

Is this configuration using the helper in a concurrent way?
 I don't think so. But the helper requires a concurrent channel-ID.

Use the concurrency=N option to enable concurrency.
<http://www.squid-cache.org/Doc/config/external_acl_type/>

> 
> acl ncsa_users proxy_auth REQUIRED
> acl block_list external MyAclHelper REQUIRED

What do you think the keyword "REQUIRED" does?

On proxy_auth ACL it means successful authentication is mandatory. The
ACL will produce a 407 response even on "allowed" actions with
credentials if they are not valid.

On external ACL it is just a text string to be passed to the helper at
the end of its format line, e.g. "jens example.com REQUIRED\n".

> 
> acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
> acl localnet src 192.168.178.80
> 
> acl SSL_ports port 443
> acl Safe_ports port 3128
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> 
> http_access allow ncsa_users !block_list
> 
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The purpose of the above two access controls is to protect your network
against some very nasty security vulnerabilities. They need to be at the
top of your http_access rules to do anything useful.


> http_access deny all
> 
> http_port 192.168.178.80:3128
> 
> cache_mgr jkallup at web.de
> cache_mem 8 MB
> 
> cache_effective_user  squid
> cache_effective_group squid
> 
> error_directory  /usr/share/squid3/errors/de
> error_default_language de

Using error_directory disables the auto-negotiate feature which
error_default_language is trying to configure. Pick only one of the
directives:

 - error_directory to always send errors in German

 - error_default_language to send errors in a language the user can
actually read, with German as the default if Squid can't figure that out.

> 
> cache_dir ufs    /sap/var/spool/squid 64 16 128
> cache_access_log /sap/squid/log/access.log
> cache_log        /sap/squid/log/cache.log
> cache_store_log  none
> 
> # Leave coredumps in the first cache dir
> coredump_dir /sap/var/spool/squid
> 
> pid_filename /sap/squid/squid3.pid
> 
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %<st %rm %ru %Sh/%<A %mt

Please do not re-define the "squid" built-in log format. Either use the
default one of that name, or define your own custom one with a different
name.

> ---%<----
> 
> 
> ----%<-------
> #!/usr/bin/perl -l
> 
> use warnings;
> use IO::Handle;
> use URI::Escape;
> use DBI;
> use 5.010;
> 
> $|=1;
> 
> while (<>) {
>     ($chid,$ip,$user,$dest) = split;

The input parameters you configured in squid.conf do not match the ones
the helper is trying to parse.

 ... Which will make $dest not contain what you think it does.
 ... Which will make this helper always produce "ERR".
 ... Which will always make the block_list ACL match false.
 ... Which will make !block_list always be true.
 ... Which will make users who are logged in be allowed to do anything
they like at any time through the proxy.


>      $user =~ s/%(..)/pack("H*", $1)/ge;
>      $dest =~ s/%(..)/pack("H*", $1)/ge;
> 
>     $dest = uri_unescape($dest);
>     $user = uri_unescape($user);
> 
>     if ($dest eq "web.de") {
>         print "OK user=" . $user;

Since all users have to be successfully logged in with HTTP
authentication before this helper is even queried, what use does sending
it back to Squid in the user= keyword have?


>     }  else {
>         print "ERR";
>     }
>     if ($ip eq "0") {
>        print $chid . "ERR";
>     }
> }
> --%<---


Amos
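Added example (not the helper posted in this thread and not Squid project code): an external ACL helper that fixes the two problems Amos points out, the missing concurrency channel-ID and the field list that does not match the squid.conf format. It assumes the constructed configuration `external_acl_type MyAclHelper concurrency=8 %LOGIN %DST /sap/squid/helper.py` together with `acl block_list external MyAclHelper REQUIRED`, so each request line is `<channel-id> <login> <dst> REQUIRED` and each reply must start with the same channel-id. The `BLOCKED_HOSTS` set and the `tag=blocked` value are constructed for the example; everything else follows the documented helper protocol (fields are `%`-encoded by Squid, replies are `OK`, `ERR` or `BH` with optional `key=value` pairs).

```python
#!/usr/bin/env python3
"""Squid external ACL helper (added example, not the thread's original helper).

Assumed squid.conf (constructed for this example):
    external_acl_type MyAclHelper concurrency=8 %LOGIN %DST /sap/squid/helper.py
    acl block_list external MyAclHelper REQUIRED
    http_access allow ncsa_users !block_list

With concurrency=N every request line Squid writes is
    <channel-id> <login> <dst> REQUIRED
and every reply must echo that channel-id so Squid can pair it up.
"""
import sys
from urllib.parse import unquote

# Constructed block list: destination hosts a logged-in user may NOT reach.
BLOCKED_HOSTS = {"web.de", "example.net"}


def parse_request(line):
    """Split one request line into (channel_id, login, dst, extra).

    Squid %-encodes each field (quote=url is the default), so decode them.
    Returns None when the line carries fewer fields than the format defines,
    which is exactly the mismatch that made the posted helper always answer ERR.
    """
    parts = line.rstrip("\r\n").split()
    if len(parts) < 3:
        return None
    channel_id = parts[0]
    login, dst = unquote(parts[1]), unquote(parts[2])
    extra = [unquote(p) for p in parts[3:]]  # e.g. the literal "REQUIRED"
    return channel_id, login, dst, extra


def decide(login, dst):
    """True when the request should MATCH block_list (i.e. be blocked)."""
    return dst.lower() in BLOCKED_HOSTS


def handle_line(line):
    """Build the complete reply for one request line, channel-id included."""
    parsed = parse_request(line)
    if parsed is None:
        # Malformed input: report helper failure (BH) rather than a silent ERR
        # that would let the request through via !block_list.
        channel_id = line.split(None, 1)[0] if line.strip() else ""
        return (channel_id + " BH message=malformed_request").strip()
    channel_id, login, dst, _extra = parsed
    if decide(login, dst):
        # tag= is optional; it makes the reason visible in access.log and to
        # later ACLs. user= is pointless here: Squid already knows the login.
        return f"{channel_id} OK tag=blocked"
    return f"{channel_id} ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer output


if __name__ == "__main__":
    main()
```

Because the reply echoes the channel-id, the helper can be run with any concurrency=N value; without that option Squid sends no channel-id and the first field would be the login instead, which is the same class of mismatch the posted script has with its four-field `split`.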


