[squid-users] Upstream Proxy

Johnathan Hasty Johnathan.Hasty at uncommonschools.org
Mon Jul 18 16:15:46 UTC 2022 

Hello Amos, thank you very much for your very helpful response!

The vendor, while not helpful at all as they want our org to use their new application rather than proxy....Has stated they are only looking for email address and not password. But they likely mean they're looking for user.name at sub.domain.com

Thank you for tls-cafile= correction, as I do have GoGuardian's root certificate in that path and trusted on the Squid-hosted OS.

For Login= I have been trying to pass credentials from Windows to Squid to GoGuardian. From your response, I believe you are stating to have a "machine" user account that will be static for all users passing through Squid. This setup would be fine for us, but we would prefer to have the unique user's "email" passed through so that on GoGuardian's end our reports reflect the correct user.

I currently have Squid working with auth (when not handing off to GG), with Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in the form of the username ("email").

I feel like I have http://www.squid-cache.org/Doc/config/cache_peer/ 's authentication options memorized, however it is possible I am using them (login=) incorrectly.

The vendor refuses to look at logs on their end to troubleshoot, as they do not have access and the engineers who do aren't replying! Lovely...




1658160759.291    166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199"
1658160760.048     73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 johnathan.hasty at USI.UNCOMMONSCHOOLS.ORG HIER_NONE/- - "ws-iid=94" "ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220"
1658160760.165    117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 johnathan.hasty at USI.UNCOMMONSCHOOLS.ORG FIRSTUP_PARENT/52.44.107.1 - "ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1658160760.165      0 10.125.12.19 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=517"


----------
CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1
Host: getpocket.cdn.mozilla.net:443
Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5)
X-Forwarded-For: 10.125.12.19
Proxy-Authorization: Basic [redacted]
Cache-Control: max-age=259200
Connection: close


----------



---------
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Secure Browsing"
Date: Mon, 18 Jul 2022 16:13:28 GMT
Content-Length: 0
Connection: close

----------




Best Regards, 
Johnathan
 
_______________________________________________________ 
  
Johnathan Hasty 
Senior DevOps Engineer 
Uncommon Schools 
C: 989.366.1672 
  
Uncommon Schools | Change History 
Website | Facebook | Twitter | LinkedIn | Apply Now 

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Friday, July 15, 2022 1:27 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Upstream Proxy

On 16/07/22 04:05, Johnathan Hasty wrote:
>> What HTTP authentication method(s) or scheme(s) does your upstream proxy support or require?
>
> They're very vague and not helpful. It was said they look for email, but in reality it would be user at blah.company.com rather than user at company.com.
>
>
> This is the only information I have for them.
>
> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsupport.goguardian
> .com%2fs%2farticle%2fDeploying-GoGuardian-Gateway-1629767892527&c=E,1,
> kxoL6sN8CmL8UJVV7XAszjC5mA2VYXeLIYssH9544vgm37JbQ44M6EZogCrg-UmQilt1uk
> BdNerDVyJj9CitYUk5aQX0P9NqNDjbcNYV-ImK&typo=1
>
> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fview.highspot.com%
> 2fviewer%2f5f7241dd628ba24915723e85&c=E,1,dxC_Gqqw2wC0pGrZOpS7-THHKfgN
> Utm5i8wjs5Ac9f2Jon2meVKJs0rNytWei3YbxnYP8cNbFntUm7e9E34E2dGHoyKwTvfmiM
> MKCvRjnxg7&typo=1
>

This document is providing some answers, but indeed are a bit obscure.

The authentication is using LDAP service. Which means Squid should have its own account in LDAP registered as a machine account type (not a regular user, so it can avoid constant password update requirements).
Those are the credentials you configure in the cache_peer line to be passed to GG.
  Make sure that you configure the full username string. Whether it be login=user at blah.example.com:password  or login=user at example.com:password or  login=user:password


Also, cache_peer should not need sslcapath= option. Just 'tls' and ensure the Squid machine Trusted CA certs package is kept up to date. If GG has a special Server certificate based on some custom CA, then use the tls-cafile= option to load that custom public root cert.


If you are still having issues, the contents of the PAC file generated for a test user account could have some more hints about what GG is expecting.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://linkprotect.cudasvc.com/url?a=http%3a%2f%2flists.squid-cache.org%2flistinfo%2fsquid-users&c=E,1,p0pIs1RkqwtsIzZ-qgPtXeEFoSfUyjivFLuTCVPZhVMDWCtYW2Nrlh1pGrW3jFWJYwsWZgEMtY8MTMjtg1bA-UDPcCY9hRhweJEdl7NdDScvjx-99Kir&typo=1
CAUTION : This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

More information about the squid-users mailing list