[squid-users] Upstream Proxy

Alex Rousskov rousskov at measurement-factory.com
Mon Jul 18 18:32:03 UTC 2022


On 7/18/22 12:15, Johnathan Hasty wrote:

> The vendor, while not helpful at all as they want our org to use
> their new application rather than proxy... has stated they are only
> looking for email address and not password. But they likely mean
> they're looking for user.name at sub.domain.com

I see two options for going forward:

* Continue guessing what the upstream proxy wants to receive from Squid. 
This may go on forever because you do not know the authentication scheme 
they are using and you do not know the proper credentials for that 
scheme. The number of potential configurations to test is infinite.

* Do what they want -- set things up (without Squid!) so that HTTP 
clients authenticate with the upstream proxy. AFAICT, the vendor will 
help you with that. Then use the _working_ example to reverse engineer 
the right answers instead of guessing them.

Alex.



> Thank you for tls-cafile= correction, as I do have GoGuardian's root certificate in that path and trusted on the Squid-hosted OS.
> 
> For Login= I have been trying to pass credentials from Windows to Squid to GoGuardian. From your response, I believe you are stating to have a "machine" user account that will be static for all users passing through Squid. This setup would be fine for us, but we would prefer to have the unique user's "email" passed through so that on GoGuardian's end our reports reflect the correct user.
> 
> I currently have Squid working with auth (when not handing off to GG), with Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in the form of the username ("email").
> 
> I feel like I have http://www.squid-cache.org/Doc/config/cache_peer/ 's authentication options memorized, however it is possible I am using them (login=) incorrectly.
> 
> The vendor refuses to look at logs on their end to troubleshoot, as they do not have access and the engineers who do aren't replying! Lovely...
> 
> 
> 
> 
> 1658160759.291    166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199"
> 1658160760.048     73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 johnathan.hasty at USI.UNCOMMONSCHOOLS.ORG HIER_NONE/- - "ws-iid=94" "ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220"
> 1658160760.165    117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 johnathan.hasty at USI.UNCOMMONSCHOOLS.ORG FIRSTUP_PARENT/52.44.107.1 - "ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
> 1658160760.165      0 10.125.12.19 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=517"
> 
> 
> ----------
> CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1
> Host: getpocket.cdn.mozilla.net:443
> Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5)
> X-Forwarded-For: 10.125.12.19
> Proxy-Authorization: Basic [redacted]
> Cache-Control: max-age=259200
> Connection: close
> 
> 
> ----------
> 
> 
> 
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Proxy-Authenticate: Basic realm="Secure Browsing"
> Date: Mon, 18 Jul 2022 16:13:28 GMT
> Content-Length: 0
> Connection: close
> 
> ----------
> 
> 
> 
> 
> Best Regards,
> Johnathan
>   
> _______________________________________________________
>    
> Johnathan Hasty
> Senior DevOps Engineer
> Uncommon Schools
> C: 989.366.1672
>    
> 
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
> Sent: Friday, July 15, 2022 1:27 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Upstream Proxy
> 
> On 16/07/22 04:05, Johnathan Hasty wrote:
>>> What HTTP authentication method(s) or scheme(s) does your upstream proxy support or require?
>>
>> They're very vague and not helpful. It was said they look for email, but in reality it would be user at blah.company.com rather than user at company.com.
>>
>>
>> This is the only information I have for them.
>>
>> https://support.goguardian.com/s/article/Deploying-GoGuardian-Gateway-1629767892527
>>
>> https://view.highspot.com/viewer/5f7241dd628ba24915723e85
>>
> 
> This document is providing some answers, but indeed they are a bit obscure.
> 
> The authentication is using an LDAP service. Which means Squid should have its own account in LDAP registered as a machine account type (not a regular user, so it can avoid constant password update requirements).
> Those are the credentials you configure in the cache_peer line to be passed to GG.
>    Make sure that you configure the full username string. Whether it be login=user at blah.example.com:password or login=user at example.com:password or login=user:password
> 
> 
> Also, cache_peer should not need sslcapath= option. Just 'tls' and ensure the Squid machine Trusted CA certs package is kept up to date. If GG has a special Server certificate based on some custom CA, then use the tls-cafile= option to load that custom public root cert.
> 
> 
> If you are still having issues, the contents of the PAC file generated for a test user account could have some more hints about what GG is expecting.
> 
> 
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
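
The access.log excerpt in the thread shows the point Alex is making: the first 407 (TCP_DENIED, HIER_NONE) is Squid's own challenge to the client, while the later 407 (TCP_TUNNEL, FIRSTUP_PARENT) came back from the GoGuardian parent after Squid forwarded the Basic credentials from cache_peer login=. The following Python is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines (plus the quoted key=value annotations the poster's logformat appends) and separates local challenges from upstream rejections, so the login= guessing can at least be checked against the log instead of by eye. The log lines are constructed to mirror the thread's four-line sequence with placeholder addresses and usernames.

```python
"""Classify Squid access.log entries: local 407 challenge vs. upstream-peer 407.
Added example; the sample lines are constructed, not the poster's real log."""
import shlex
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample mirroring the thread's sequence with placeholder values.
# Fields 1-10 are Squid's native log format; the quoted tokens after them are
# site-specific logformat annotations (kept short here).
SAMPLE_LOG = """\
1658160759.291    166 192.0.2.10 TCP_DENIED/407 4233 CONNECT example.com:443 - HIER_NONE/- text/html "ws-policy=-" "squid-gt-st=199"
1658160760.048     73 192.0.2.10 NONE_NONE/200 0 CONNECT example.com:443 user.name@sub.example.com HIER_NONE/- - "ws-policy=default" "squid-gt-st=3220"
1658160760.165    117 192.0.2.10 TCP_TUNNEL/407 0 CONNECT example.com:443 user.name@sub.example.com FIRSTUP_PARENT/203.0.113.1 - "ws-policy=default" "squid-gt-st=0"
1658160760.165      0 192.0.2.10 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-policy=-" "squid-gt-st=517"
"""


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    action: str      # Squid result code, e.g. TCP_DENIED, TCP_TUNNEL
    status: int      # HTTP status Squid returned to the client
    size: int
    method: str
    url: str
    user: str        # '-' when the client presented no credentials
    hierarchy: str   # HIER_NONE, FIRSTUP_PARENT, ...
    peer: str        # peer address, or '-' when handled locally
    mime: str
    notes: dict = field(default_factory=dict)


def parse_line(line: str) -> AccessEntry:
    """Split one access.log line; shlex handles the quoted key=value tokens."""
    f = shlex.split(line)
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    action, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    notes = {}
    for tok in f[10:]:
        key, _, value = tok.partition("=")
        notes[key] = value
    return AccessEntry(float(f[0]), int(f[1]), f[2], action, int(status),
                       int(f[4]), f[5], f[6], f[7], hierarchy, peer, f[9], notes)


def classify(e: AccessEntry) -> str:
    """Where did a 407 come from?  HIER_NONE means Squid itself challenged the
    client; a peer in the hierarchy field means the parent proxy rejected the
    credentials Squid forwarded from cache_peer login=."""
    if e.status == 407:
        return "local-challenge" if e.hierarchy == "HIER_NONE" else "upstream-rejected"
    if e.action == "NONE_NONE" and e.status == 0:
        return "aborted"          # client closed before sending any headers
    if 200 <= e.status < 300:
        return "ok"
    return "other"


def entries(log_text: str) -> list:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def upstream_rejections(log_text: str) -> list:
    """(user, peer, url) for every request a parent proxy answered with 407."""
    return [(e.user, e.peer, e.url) for e in entries(log_text)
            if classify(e) == "upstream-rejected"]


def summarize(log_text: str) -> Counter:
    return Counter(classify(e) for e in entries(log_text))


if __name__ == "__main__":
    for cls, n in summarize(SAMPLE_LOG).items():
        print(f"{cls:18} {n}")
    for user, peer, url in upstream_rejections(SAMPLE_LOG):
        print(f"peer {peer} rejected credentials for {user} on {url}")
```

Run it against a real access.log with `summarize(open("access.log").read())`: a steady stream of "upstream-rejected" entries while the peer sends `Proxy-Authenticate: Basic` means the credential string in login= is what the parent dislikes, not Squid's own authentication, which is the distinction the thread circles around.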
