[squid-users] Upstream Proxy

Alex Rousskov rousskov at measurement-factory.com
Fri Jul 15 14:14:00 UTC 2022


On 7/15/22 09:51, Johnathan Hasty wrote:

> I’ve been trying to hand off credentials to our upstream proxy 
> GoGuardian and have been facing many issues.

What HTTP authentication method(s) or scheme(s) does your upstream proxy 
support or require?


> HTTP/1.1 407 Proxy Authentication Required
> Proxy-Authenticate: Basic realm="Secure Browsing"

This is not my area of expertise, but the above error message suggests 
that the proxy wants to do HTTP Basic authentication, but you are 
configuring Squid to use NEGOTIATE, so perhaps you should switch to 
Basic as the next step in your triage, just to get something working 
(cache_peer ... login=user:password)?

Sharing what CONNECT request headers Squid sends to the parent proxy may 
be useful as well, but do not use any secrets in your test traffic if 
you are going to share such details. If you still have that cache.log, 
look for "Tunnel Server REQUEST" associated with conn2126.


HTH,

Alex.


> Has anyone gotten Squid to successfully hand off to GoGuardian as their 
> upstream proxy?
> 
> Advanced ACLs:
> cache_peer gateway.goguardian.com parent 443 0 no-query no-digest no-netdb-exchange connect-timeout=60 default tls login=NEGOTIATE:principal_name sslcapath=/usr/local/share/ca-certificates/
> 
> cache_peer_access gateway.goguardian.com allow all
> 
> never_direct allow all
> 
> Log snippet:
> 2022/06/30 15:22:49.198 kid1| 5,3| IoCallback.cc(112) finish: called for conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1 (0, 0)
> 
> 2022/06/30 15:22:49.198 kid1| 93,3| AsyncCall.cc(96) ScheduleCall: IoCallback.cc(131) will call Http::Tunneler::handleReadyRead(conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1, data=0x55849f4926c8) [call548666]
> 
> 2022/06/30 15:22:49.198 kid1| 93,3| AsyncCallQueue.cc(59) fireNext: entering Http::Tunneler::handleReadyRead(conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1, data=0x55849f4926c8)
> 
> 2022/06/30 15:22:49.198 kid1| 93,3| AsyncCall.cc(41) make: make call Http::Tunneler::handleReadyRead [call548666]
> 
> 2022/06/30 15:22:49.198 kid1| 93,3| AsyncJob.cc(123) callStart: Http::Tunneler status in: [state:w FD 24 job3836]
> 
> 2022/06/30 15:22:49.198 kid1| 83,3| Session.cc(36) tls_read_method: started for session=0x55849f86d970
> 
> 2022/06/30 15:22:49.198 kid1| 5,3| Read.cc(93) ReadNow: conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1, size 65535, retval 172, errno 0
> 
> 2022/06/30 15:22:49.198 kid1| 11,2| HttpTunneler.cc(328) handleResponse: Tunnel Server conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1
> 
> 2022/06/30 15:22:49.198 kid1| 11,2| HttpTunneler.cc(329) handleResponse: Tunnel Server RESPONSE:
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Proxy-Authenticate: Basic realm="Secure Browsing"
> Date: Thu, 30 Jun 2022 15:22:49 GMT
> Content-Length: 0
> Connection: close
> ----------
> 
> 2022/06/30 15:22:49.198 kid1| 83,3| HttpTunneler.cc(350) bailOnResponseError: unsupported CONNECT response status code [state:w FD 24 job3836]
> 
> 2022/06/30 15:22:49.198 kid1| TCP connection to gateway.goguardian.com/443 failed
>      current master transaction: master1228
> 
> 2022/06/30 15:22:49.198 kid1| 15,2| neighbors.cc(1284) peerConnectFailedSilent: TCP connection to gateway.goguardian.com/443 dead
> 
> 2022/06/30 15:22:49.198 kid1| 5,3| comm.cc(597) commUnsetConnTimeout: Remove timeout for conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1
> 
> 2022/06/30 15:22:49.198 kid1| 5,3| comm.cc(571) commSetConnTimeout: conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1 timeout -1
> 
> 2022/06/30 15:22:49.198 kid1| 5,3| comm.cc(877) _comm_close: start closing FD 24 by Connection.cc:108
> 
> 2022/06/30 15:22:49.198 kid1| 5,3| comm.cc(558) commUnsetFdTimeout: Remove timeout for FD 24
> 
> 
> Best Regards,
> 
> Johnathan
> 
> *Johnathan Hasty*
> 
> Senior DevOps Engineer
> 
> Uncommon Schools



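An added example, not part of the original thread: one way to pull the "Tunnel Server REQUEST" entry for a given connection out of cache.log and mask credential values before sharing it, while keeping the authentication scheme visible for comparison with the parent's Proxy-Authenticate challenge. The sample log is constructed, and its REQUEST entry layout is an assumption modelled on the RESPONSE entry quoted above.

```python
import re

# Headers whose values carry credentials. The scheme token is kept because
# it is what the triage needs (Basic vs. Negotiate); the rest is masked.
SECRET_HEADERS = {"proxy-authorization", "authorization"}
DELIM = re.compile(r"^-{5,}\s*$")  # the quoted log uses 9 or 10 dashes


def redact_header(line):
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() not in SECRET_HEADERS:
        return line
    tokens = value.split()
    scheme = tokens[0] + " " if len(tokens) > 1 else ""
    return f"{name}: {scheme}<redacted>"


def tunnel_requests(log_text, conn_id):
    """Return the redacted header block of each REQUEST entry for conn_id."""
    wanted = re.compile(rf"Tunnel Server REQUEST\b.*\b{re.escape(conn_id)}\b")
    blocks, current, armed = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if current is not None:          # inside a header block
            if DELIM.match(line):
                blocks.append(current)
                current = None
            elif line:
                current.append(redact_header(line))
        elif wanted.search(line):        # entry header for our connection
            armed = True
        elif armed and DELIM.match(line):
            current, armed = [], False
        elif line:                       # some other entry: stop waiting
            armed = False
    return blocks


# Constructed sample; the REQUEST entry and its token are not from the thread.
SAMPLE_LOG = """\
2022/06/30 15:22:49.101 kid1| 11,2| HttpTunneler.cc(0) writeRequest: Tunnel Server REQUEST: conn2126 local=10.56.1.3:59674 remote=18.213.126.143:443 FIRSTUP_PARENT FD 24 flags=1:
----------
CONNECT www.example.com:443 HTTP/1.1
Host: www.example.com:443
Proxy-Authorization: Negotiate Q09OU1RSVUNURUQ=
----------
2022/06/30 15:22:49.198 kid1| 11,2| HttpTunneler.cc(329) handleResponse: Tunnel Server RESPONSE:
---------
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Secure Browsing"
----------
"""

if __name__ == "__main__":
    for block in tunnel_requests(SAMPLE_LOG, "conn2126"):
        print("\n".join(block))
```
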