[squid-users] CentOS6 and squid34 package ...

Amos Jeffries squid3 at treenet.co.nz
Fri May 26 15:49:25 UTC 2017


On 26/05/17 07:51, Mike wrote:
> Walter, what I've found is when compiling to squid 3.5.x and higher, 
> the compile options change. Also remember that many of the options 
> that were available with 3.1.x are deprecated and likely will not 
> work with 3.4.x and higher.
>
> The other issue is that squid is only supposed to be handling HTTP and 
> HTTPS traffic, not FTP. Trying to use it as an FTP proxy will need a 
> different configuration than the standard HTTP/Secure proxy.
>

Well, to be correct Squid talks HTTP to the client software. It has long 
supported mapping FTP server URLs into HTTP.

This second problem seems like the symptoms of 
<http://bugs.squid-cache.org/show_bug.cgi?id=4132> which was fixed years 
ago in the Squid-3.5.5 release. But that was apparently a regression not 
affecting 3.4 or 3.1. Hmm.


Amos


>
> Mike
>
>
> On 5/25/2017 14:07 PM, Walter H. wrote:
>> On 25.05.2017 12:50, Amos Jeffries wrote:
>>> On 25/05/17 20:19, Walter H. wrote:
>>>> Hello
>>>>
>>>> what is the essential difference between the default squid package 
>>>> and this squid34 package,
>>>
>>> Run "squid -v" to find out if there are any build options different. 
>>> Usually it's just two alternative versions from the vendor.
>>>
>> Squid Cache: Version 3.4.14
>> configure options:  '--build=x86_64-redhat-linux-gnu' 
>> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
>> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
>> '--datadir=/usr/share' '--includedir=/usr/include' 
>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
>> '--infodir=/usr/share/info' '--enable-internal-dns' 
>> '--disable-strict-error-checking' '--exec_prefix=/usr' 
>> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
>> '--with-logdir=$(localstatedir)/log/squid' 
>> '--with-pidfile=$(localstatedir)/run/squid.pid' 
>> '--disable-dependency-tracking' '--enable-arp-acl' 
>> '--enable-follow-x-forwarded-for' 
>> '--enable-auth-basic=LDAP,MSNT,NCSA,PAM,SMB,POP3,RADIUS,SASL,getpwnam,NIS,MSNT-multi-domain' 
>> '--enable-auth-ntlm=smb_lm,fake' 
>> '--enable-auth-digest=file,LDAP,eDirectory' 
>> '--enable-auth-negotiate=kerberos' 
>> '--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group' 
>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
>> '--enable-ident-lookups' '--enable-linux-netfilter' 
>> '--enable-referer-log' '--enable-removal-policies=heap,lru' 
>> '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' 
>> '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' 
>> '--enable-http-violations' '--with-aio' '--with-default-user=squid' 
>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl' 
>> '--with-pthreads' '--disable-arch-native' 
>> 'build_alias=x86_64-redhat-linux-gnu' 
>> 'host_alias=x86_64-redhat-linux-gnu' 
>> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
>> --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'CXXFLAGS=-O2 -g 
>> -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
>> --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
>> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>
>> and
>>
>> Squid Cache: Version 3.1.23
>> configure options:  '--build=x86_64-redhat-linux-gnu' 
>> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
>> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
>> '--datadir=/usr/share' '--includedir=/usr/include' 
>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
>> '--infodir=/usr/share/info' '--enable-internal-dns' 
>> '--disable-strict-error-checking' '--exec_prefix=/usr' 
>> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
>> '--with-logdir=$(localstatedir)/log/squid' 
>> '--with-pidfile=$(localstatedir)/run/squid.pid' 
>> '--disable-dependency-tracking' '--enable-arp-acl' 
>> '--enable-follow-x-forwarded-for' 
>> '--enable-auth=basic,digest,ntlm,negotiate' 
>> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' 
>> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
>> '--enable-digest-auth-helpers=password,ldap,eDirectory' 
>> '--enable-negotiate-auth-helpers=squid_kerb_auth' 
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' 
>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
>> '--enable-ident-lookups' '--enable-linux-netfilter' 
>> '--enable-referer-log' '--enable-removal-policies=heap,lru' 
>> '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' 
>> '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' 
>> '--enable-http-violations' '--with-aio' '--with-default-user=squid' 
>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl' 
>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 
>> 'host_alias=x86_64-redhat-linux-gnu' 
>> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
>> --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 
>> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
>> -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23
>>
>>>
>>>> as I have problems using this squid34 package for FTP connections;
>>>> there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
>>>> when I tell the browser to show the image then I get this squid 
>>>> generated message ...
>>>>
>>>> the same config /etc/squid/squid.conf works with the default squid 
>>>> package ...
>>>>
>>>> <message>
>>>> While trying to retrieve the URL: 
>>>> http://proxy.local:3128/squid-internal-static/icons/silk/folder.png 
>>>> <http://zbox-ci323.waldinet.local:3128/squid-internal-static/icons/silk/folder.png> 
>>>>
>>>>
>>>
>>> Notice the port number in that URL...
>>>
>> yes I see the squid port 3128
>>
>> when I do this with the default squid package, there I get the icons, 
>> and when I want to get the URL of such an icon,
>> it shows e.g. 
>> ftp://ftp.adobe.com/squid-internal-static/icons/anthony-dir.gif
>>
>> when I add
>> global_internal_static off
>> to squid.conf at the squid34 package,
>> then there are also no icons shown;
>> when I tell the browser to show the image then I get this squid 
>> generated message ...
>>
>> <message>
>> The following URL could not be retrieved: 
>> ftp://ftp.adobe.com/squid-internal-static/icons/silk/folder.png
>>
>> Squid sent the following FTP command:
>>
>>     CWD squid-internal-static
>>
>> and then received this reply
>>
>>     Failed to change directory.
>>
>> This might be caused by an FTP URL with an absolute path (which does 
>> not comply with RFC 1738).
>> If this is the cause, then the file can be found at 
>> ftp://ftp.adobe.com%2f2f/squid-internal-static/icons/silk/folder.png.
>>
>> Your cache administrator is ...
>>
>> Generated Thu, 25 May 2017 18:57:52 GMT by proxy.local (squid/3.4.14)
>> </message>
>>
>> what is running wrong here?
>> is there a setting I can change without having to allow
>> port 3128 traffic to go through the proxy?
>> (this is not really logical, as the default squid package also doesn't 
>> allow port 3128 traffic to go through ...)

Er, it is using the recommended default config we ship from upstream. 
Some vendors like to install packages that are not usable without manual 
attention. Usually by commenting out the "http_access allow localnet" 
rule though, not marking registered HTTP ports as unsafe for use with HTTP.

Anyhow:

  acl Safe_ports port 3128
  acl port3128 port 3128
  acl squid-internal urlpath_regex ^/squid-internal

Then add this directly before the "deny manager" line:

   http_access deny port3128 !squid-internal


Amos
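
The effect of the three acl lines and the extra http_access rule above, as an added example (not part of the original message and not Squid code). It is a simplified first-match model of http_access; the rule list is a reduced subset of a default-style squid.conf, the Safe_ports sets and the "anything-else" URL are constructed, and it assumes the client is in localnet and that the icon request was being rejected by the Safe_ports check.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def make_acls(safe_ports):
    """Simplified stand-ins for the ACL types used in the reply."""
    def port(url):
        parts = urlsplit(url)
        return parts.port or DEFAULT_PORTS[parts.scheme]
    return {
        "Safe_ports": lambda u: port(u) in safe_ports,      # acl ... port
        "port3128": lambda u: port(u) == 3128,               # acl ... port 3128
        "squid-internal": lambda u: bool(                    # acl ... urlpath_regex
            re.search(r"^/squid-internal", urlsplit(u).path)),
        "localnet": lambda u: True,  # assumption: client is on the local network
        "all": lambda u: True,
    }

def http_access(url, rules, acls):
    """First rule whose ACLs all match (logical AND) decides; '!' negates."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](url) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: every rule list ends with 'all'

# Reduced rule order: port check first, then allow local clients, then deny.
BASE = [("deny", ["!Safe_ports"]), ("allow", ["localnet"]), ("deny", ["all"])]
# The added rule goes ahead of the allow rules, as the reply instructs.
FIXED = BASE[:1] + [("deny", ["port3128", "!squid-internal"])] + BASE[1:]

ICON = "http://proxy.local:3128/squid-internal-static/icons/silk/folder.png"
OTHER = "http://proxy.local:3128/anything-else"  # constructed URL
FTP = "ftp://ftp.adobe.com/"

def decisions(rules, safe_ports):
    """Decisions for the icon URL, another port-3128 URL, and the FTP site."""
    acls = make_acls(safe_ports)
    return [http_access(u, rules, acls) for u in (ICON, OTHER, FTP)]

if __name__ == "__main__":
    print("3128 not in Safe_ports:  ", decisions(BASE, {21, 80, 443}))
    print("3128 added, no deny rule:", decisions(BASE, {21, 80, 443, 3128}))
    print("3128 added + deny rule:  ", decisions(FIXED, {21, 80, 443, 3128}))
```

Adding port 3128 to Safe_ports on its own lets every URL on that port through; the "deny port3128 !squid-internal" rule narrows that to the internal icon paths only.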


