[squid-users] Problems with Linux Workstations

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 5 04:17:44 UTC 2016


On 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:
> I have used debug_options 11,2 in the squid.conf file. Afterwards I have the
> following results in the log files:
> 
> /var/log/squid3/access.log
> 1473026084.048    253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST
> http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
> 1473026086.275      0 192.168.200.85 TCP_DENIED/407 3792 CONNECT
> tiles.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026086.778      0 192.168.200.85 TCP_DENIED/407 3995 GET
> http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
> 1473026088.908      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026091.932      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> self-repair.mozilla.org:443 - HIER_NONE/- text/html
> 1473026096.418    180 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026096.467     85 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026102.051    525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET
> http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41
> text/html
> 1473026102.091      0 192.168.200.85 TCP_HIT/200 22099 GET
> http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
> 1473026104.855      0 10.133.85.3 TCP_DENIED/407 3929 GET
> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
> - HIER_NONE/- text/html
> 1473026146.453     83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026147.447     83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026148.923      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026157.117  61506 192.168.200.85 TCP_MISS/200 3525 CONNECT
> tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
> 1473026157.195  61584 192.168.200.85 TCP_MISS/200 4521 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026160.190  63085 192.168.200.85 TCP_MISS/200 5449 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026204.518      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026207.807  62056 192.168.200.85 TCP_MISS/200 3686 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808  61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.809  61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.814  61165 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.866  61052 192.168.200.85 TCP_MISS/200 3821 CONNECT
> aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
> 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT
> normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
> 1473026264.532      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026299.647      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> iecvlist.microsoft.com:443 - HIER_NONE/- text/html
> 1473026335.221      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> ieonline.microsoft.com:443 - HIER_NONE/- text/html
> 1473026592.061   6624 10.133.85.3 TCP_MISS/200 3582 CONNECT
> forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -

Notice how the 407s occur in bunches. 2-3 getting a 407 reject, then many
requests going through with user credentials. Then again some without
any getting a 407.
Those bunches of 407 will be matching some type of credentials timeout
in the browser, or opening of new tabs.


This request below is the only one from 192.168.200.96, so it appears to be
the one you provided the cache.log trace for...


> 1473026793.073      0 192.168.200.96 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 
> /var/log/squid3/cache.log
> 
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP
> Client REQUEST:
> ---------
> CONNECT safebrowsing.google.com:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: safebrowsing.google.com:443

Notice the absence of any Proxy-Authorization header containing credentials.

> 
> 
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP
> Client REPLY:
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.4.8
> Mime-Version: 1.0
> Date: Sun, 04 Sep 2016 22:06:33 GMT
> Content-Type: text/html
> Content-Length: 3357
> X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*
> Proxy-Authenticate: Basic realm="CMS"

That realm="CMS" does not match the realm value of "AUTENTICACAO" which
your earlier config contained.

Unless you changed your auth_param settings that is a sign that some
other proxy is generating that response message. BUT, your access.log
entry shows no server being contacted.



> X-Cache: MISS from proxy.cms.ensino.br
> X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
> Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
> Connection: keep-alive
> 
> ----------
> 
> Sorry, but I didn't discover the problem!
> 
> Anybody have an idea?

If you altered your squid.conf settings as above in the auth details,
did you also remove 192.168.200.7 from the "localhost" ACL?

Your rule "http_access allow localhost" occurs before anything that
requires authentication. That means these requests coming from
192.168.200.7 to your proxy would not use authentication for the above
CONNECT request. So no reason for your proxy to generate any 407 response.


Amos
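
Added example (not part of the original message, and not Squid project code): the two checks made in the reply above, done mechanically. It summarises 407 challenges against authenticated requests per client, and compares the realm in a 407 reply with the realm squid.conf configures. The access.log entries are taken from the quoted log and rejoined onto single lines; the auth_param line and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
ACCESS = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\w+/(?P<status>\d{3})\s+\d+\s+"
                    r"\S+\s+\S+\s+(?P<user>\S+)\s+\S+\s+\S+$")

# Entries from the quoted access.log, rejoined onto single lines.
ACCESS_LOG = """\
1473026086.275      0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026088.908      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026096.418    180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026157.117  61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026299.647      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT iecvlist.microsoft.com:443 - HIER_NONE/- text/html
1473026592.061   6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
1473026793.073      0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
"""
# Reply headers as in the quoted cache.log trace, without the "> " quoting.
REPLY = 'HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: Basic realm="CMS"\n'
CONF = "auth_param basic realm AUTENTICACAO\n"  # constructed line; the post only names the realm

def auth_summary(log_text):
    """Per client IP: number of 407 challenges, authenticated requests, user names seen."""
    stats = defaultdict(lambda: {"challenged": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        m = ACCESS.match(line.strip())
        if not m:
            continue  # skip wrapped or malformed lines rather than guessing
        entry = stats[m["client"]]
        if m["status"] == "407":
            entry["challenged"] += 1
        elif m["user"] != "-":
            entry["authenticated"] += 1
            entry["users"].add(m["user"])
    return dict(stats)

def never_authenticated(log_text):
    """Clients that were challenged but never logged a request carrying a user name."""
    return sorted(ip for ip, s in auth_summary(log_text).items()
                  if s["challenged"] and not s["authenticated"])

def foreign_realms(reply_headers, squid_conf):
    """Realms offered in Proxy-Authenticate that no auth_param realm line configures."""
    offered = set(re.findall(r'(?im)^Proxy-Authenticate:.*?realm="([^"]*)"', reply_headers))
    configured = set(re.findall(r"(?im)^\s*auth_param\s+\w+\s+realm\s+(.+?)\s*$", squid_conf))
    return sorted(offered - configured)

if __name__ == "__main__":
    print(never_authenticated(ACCESS_LOG), foreign_realms(REPLY, CONF))
```

A client listed by never_authenticated() is one whose cache.log trace is worth checking for a missing Proxy-Authorization header; a non-empty foreign_realms() result means the running configuration differs from the file you are reading, or another proxy produced the reply.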


