<tt><font size=2>Hi Amos;</font></tt>
<br><tt><font size=2>To answer your query-</font></tt>
<br><tt><font size=2><br>
* those 'xx' are different numbers, or<br>
<br>
* the line was logged by another Squid process (with different config),
or<br>
<br>
* the config file you think is being used actually is not.<br>
</font></tt>
<br><tt><font size=2><<NILESH>> xx is just used to hide the
ip subnet over mail. Also ip is same it didn't change.</font></tt>
<br>
<br><tt><font size=2>=======================================================</font></tt>
<br><tt><font size=2><br>
I notice that this config tells your Squid to listen on port 8080 and<br>
pass all its traffic through a peer at 10.xx.xx.108 which also listens<br>
on port 8080.<br>
Is that log being produced by that other peer?</font></tt>
<br>
<br><tt><font size=2><<NILESH>> we have proxysetup as EndUser
PC >> Linux Proxy >> Windows Proxy >> Internet gateway.</font></tt>
<br><tt><font size=2>Log which I captured are from Linux proxy server.
<br>
==============================================<br>
Is there anything, any non-# lines at all, in your config besides what<br>
your first post contained? even if you dont think its relevant.<br>
</font></tt>
<br><tt><font size=2><<NILESH>> here is the compete squid.conf
for your reference-</font></tt>
<br>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Recommended minimum configuration:</font>
<br><font size=2 face="Courier New">#### AD SSO Integration #####</font>
<br><font size=2 face="Courier New">#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
-d -s GSS_C_NO_NAME</font>
<br><font size=2 face="Courier New">auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
-s HTTP/proxy02.CUST.IN@CUST.IN</font>
<br><font size=2 face="Courier New">auth_param negotiate children 20</font>
<br><font size=2 face="Courier New">auth_param negotiate keep_alive on</font>
<br>
<br><font size=2 face="Courier New">acl ad_auth proxy_auth REQUIRED</font>
<br>
<br><font size=2 face="Courier New">#### AD Group membership ####</font>
<br>
<br>
<br><font size=2 face="Courier New">external_acl_type AD_Group ttl=300
negative_ttl=0 children=10 %LOGIN /usr/lib64/squid/squid_ldap_group -P
-R -b "DC=CUST,DC=IN" -D svcproxy -W /etc/squid/pswd/pswd -f
"(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=cust,dc=in))"
-h CUST.IN -s sub -v 3</font>
<br>
<br><font size=2 face="Courier New">acl AVWSUS external AD_Group lgOnlineUpdate</font>
<br><font size=2 face="Courier New">acl windowsupdate dstdomain "/etc/squid/sitelist/infra_update_site"</font>
<br>
<br><font size=2 face="Courier New">acl custUSER external AD_Group lgInternetAccess_custUsers</font>
<br><font size=2 face="Courier New">acl custallowedsite dstdomain "/etc/squid/sitelist/cust_allowed_site"</font>
<br>
<br><font size=2 face="Courier New">#acl SHAVLIK external AD_Group lgShavlikUpdate</font>
<br><font size=2 face="Courier New">acl shavlikupdate dstdomain "/etc/squid/sitelist/shavlik_update_site"</font>
<br>
<br>
<br><font size=2 face="Courier New">acl manager proto cache_object</font>
<br><font size=2 face="Courier New">acl localhost src 127.0.0.1/32 ::1</font>
<br><font size=2 face="Courier New">acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
::1</font>
<br>
<br><font size=2 face="Courier New"># Example rule allowing access from
your local networks.</font>
<br><font size=2 face="Courier New"># Adapt to list your (internal) IP
networks from where browsing</font>
<br><font size=2 face="Courier New"># should be allowed</font>
<br><font size=2 face="Courier New">acl AVSRVR src 10.50.2.107
# Cloud SEPM Servr</font>
<br><font size=2 face="Courier New">acl SHAVLIK_SRVR src 10.50.2.112
# Shavlik Server(NTLM Only Access)</font>
<br><font size=2 face="Courier New">acl IWCCP01 src 10.55.15.103
# Application access to Worldpay/bottomline Payment test site.</font>
<br><font size=2 face="Courier New">acl localnet src 10.0.0.0/8
# RFC1918 possible internal network</font>
<br><font size=2 face="Courier New">acl localnet src 172.16.0.0/12
# RFC1918 possible internal network</font>
<br><font size=2 face="Courier New">acl localnet src 192.168.0.0/16
# RFC1918 possible internal network</font>
<br><font size=2 face="Courier New">acl localnet src fc00::/7
# RFC 4193 local private network range</font>
<br><font size=2 face="Courier New">acl localnet src fe80::/10
# RFC 4291 link-local (directly plugged) machines</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">acl SSL_ports port 443</font>
<br><font size=2 face="Courier New">acl Safe_ports port 80
# http</font>
<br><font size=2 face="Courier New">acl Safe_ports port 21
# ftp</font>
<br><font size=2 face="Courier New">acl Safe_ports port 443
# https</font>
<br><font size=2 face="Courier New">acl Safe_ports port 70
# gopher</font>
<br><font size=2 face="Courier New">acl Safe_ports port 210
# wais</font>
<br><font size=2 face="Courier New">acl Safe_ports port 1025-65535
# unregistered ports</font>
<br><font size=2 face="Courier New">acl Safe_ports port 280
# http-mgmt</font>
<br><font size=2 face="Courier New">acl Safe_ports port 488
# gss-http</font>
<br><font size=2 face="Courier New">acl Safe_ports port 591
# filemaker</font>
<br><font size=2 face="Courier New">acl Safe_ports port 777
# multiling http</font>
<br><font size=2 face="Courier New">acl CONNECT method CONNECT</font>
<br>
<br><font size=2 face="Courier New"># Recommended minimum Access Permission
configuration:</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Only allow cachemgr access from localhost</font>
<br><font size=2 face="Courier New">http_access allow manager localhost</font>
<br><font size=2 face="Courier New">http_access deny manager</font>
<br>
<br><font size=2 face="Courier New"># Deny requests to certain unsafe ports</font>
<br><font size=2 face="Courier New">http_access deny !Safe_ports</font>
<br>
<br><font size=2 face="Courier New"># Deny CONNECT to other than secure
SSL ports</font>
<br><font size=2 face="Courier New">http_access deny CONNECT !SSL_ports</font>
<br>
<br><font size=2 face="Courier New"># We strongly recommend the following
be uncommented to protect innocent</font>
<br><font size=2 face="Courier New"># web applications running on the proxy
server who think the only</font>
<br><font size=2 face="Courier New"># one who can access services on "localhost"
is a local user</font>
<br><font size=2 face="Courier New">#http_access deny to_localhost</font>
<br>
<br><font size=2 face="Courier New"># INSERT YOUR OWN RULE(S) HERE TO ALLOW
ACCESS FROM YOUR CLIENTS</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Example rule allowing access from
your local networks.</font>
<br><font size=2 face="Courier New"># Adapt localnet in the ACL section
to list your (internal) IP networks</font>
<br><font size=2 face="Courier New"># from where browsing should be allowed</font>
<br>
<br><font size=2 face="Courier New">#http_access allow test shavlikupdate</font>
<br><font size=2 face="Courier New">http_access allow SHAVLIK_SRVR shavlikupdate</font>
<br><font size=2 face="Courier New">http_access allow AVSRVR windowsupdate</font>
<br><font size=2 face="Courier New">http_access allow AVWSUS windowsupdate</font>
<br><font size=2 face="Courier New">http_access allow IWCCP01</font>
<br><font size=2 face="Courier New">#http_access allow IWCCP01 custallowedsite</font>
<br><font size=2 face="Courier New">http_access allow custUSER custallowedsite</font>
<br><font size=2 face="Courier New">http_access allow ad_auth</font>
<br><font size=2 face="Courier New"># And finally deny all other access
to this proxy</font>
<br><font size=2 face="Courier New">http_access deny all</font>
<br>
<br><font size=2 face="Courier New"># Squid normally listens to port 3128</font>
<br><font size=2 face="Courier New">http_port 8080</font>
<br><font size=2 face="Courier New">never_direct allow all</font>
<br>
<br><font size=2 face="Courier New">cache_peer 10.50.2.108 parent 8080
0 default</font>
<br><font size=2 face="Courier New">dns_nameservers 10.50.2.108</font>
<br>
<br><font size=2 face="Courier New"># We recommend you to use at least
the following line.</font>
<br><font size=2 face="Courier New">#hierarchy_stoplist cgi-bin ?</font>
<br>
<br><font size=2 face="Courier New"># Uncomment and adjust the following
to add a disk cache directory.</font>
<br>
<br><font size=2 face="Courier New">cache_dir ufs /var/spool/squid 10240
16 256</font>
<br>
<br><font size=2 face="Courier New"># Leave coredumps in the first cache
dir</font>
<br><font size=2 face="Courier New">coredump_dir /var/spool/squid</font>
<br>
<br><font size=2 face="Courier New"># Log forwarding to SysLog</font>
<br><font size=2 face="Courier New">#access_log syslog:local1.info ####Sachin
P.####</font>
<br><font size=2 face="Courier New">#access_log syslog:local1.info squid</font>
<br><font size=2 face="Courier New">access_log /var/log/squid/access.log</font>
<br>
<br><font size=2 face="Courier New"># Add any of your own refresh_pattern
entries above these.</font>
<br><font size=2 face="Courier New">refresh_pattern ^ftp:
1440
20% 10080</font>
<br><font size=2 face="Courier New">refresh_pattern ^gopher:
1440 0%
1440</font>
<br><font size=2 face="Courier New">refresh_pattern -i (/cgi-bin/|\?) 0
0% 0</font>
<br><font size=2 face="Courier New">refresh_pattern .
0
20% 4320</font>
<br>
<br><tt><font size=2>=============================================================</font></tt>
<br><tt><font size=2><br>
Date: Thu, 6 Oct 2016 02:23:23 +1300<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Squid - AD kerberos auth and Linux Server<br>
proxy access not working<br>
Message-ID: <cc644993-3880-ece2-1369-942daa9b03c6@treenet.co.nz><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 5/10/2016 7:00 a.m., Nilesh Gavali wrote:<br>
> Hi Amos;<br>
> Ok, we can discussed the issue in Two part 1. For Windows AD
<br>
> Authentication & SSO and 2. Linux server unable to access via
squid proxy.<br>
> <br>
> For First point-<br>
> Requirement to have SSO for accessing internet via squid proxy and
based <br>
> on user's AD group membership allow access to specific sites only.
I <br>
> believe current configuration of squid is working as expected.<br>
> <br>
> For Second point -<br>
> Point I would like to highlight here is, the Linux server IWCCP01
is not <br>
> part of domain at all. Hence the below error as squid configured for
<br>
> AD_auth. So how can we allow Linux server or non domain machine to
access <br>
> specific sites?<br>
> <br>
>> Error 407 is "proxy auth required", so the proxy is
expecting <br>
> authentication <br>
>> for some reason.<br>
> ====================================<br>
> > Can you confirm that the hostname vseries-test.bottomline.com
is <br>
> contained in <br>
>> your site file /etc/squid/sitelist/dbs_allowed_site ?<br>
> <br>
> YES, we have entry as .bottomline.com , which work fine when access
via <br>
> windows machine having proxy enabled for that user.<br>
> ==============================<br>
>> Can you temporarily change the line "http_access allow IWCCP01
<br>
> allowedsite" to <br>
>> "http_access allow IWCCP01" and see whether the machine
then gets <br>
> access?<br>
> <br>
> I made the changes as suggested but still it is giving same Error
407.<br>
<br>
Meaning that is the ACL which is broken.<br>
<br>
<br>
> ========================================<br>
> If that works, please list the output of the command:<br>
> grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site<br>
> <br>
> o/p of above command as below -<br>
> <br>
> [root@Proxy02 ~]# grep "bottomline.com" <br>
> /etc/squid/sitelist/dbs_allowed_site<br>
> .bottomline.com<br>
> [root@Proxy02 ~]#<br>
<br>
Okay great. Your allowedsite has a correct entry to match the test request.<br>
<br>
<br>
Since IWCCP01 contains exactly one IP address for the server<br>
<br>
> acl IWCCP01 src 10.xx.15.103<br>
<br>
it means your server is not using that IP address when it contacts Squid.<br>
<br>
BUT that IP is what gots logged as the client/src IP.<br>
<br>
> 1475518342.279 0 10.xx.15.103 TCP_DENIED/407 3589
CONNECT<br>
vseries-test.bottomline.com:443 - NONE/- text/html<br>
<br>
Strange. Unless:<br>
<br>
* those 'xx' are different numbers, or<br>
<br>
* the line was logged by another Squid process (with different config),
or<br>
<br>
* the config file you think is being used actually is not.<br>
<br>
<br>
I notice that this config tells your Squid to listen on port 8080 and<br>
pass all its traffic through a peer at 10.xx.xx.108 which also listens<br>
on port 8080.<br>
Is that log being produced by that other peer?<br>
<br>
Is there anything, any non-# lines at all, in your config besides what<br>
your first post contained? even if you dont think its relevant.<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Thu, 6 Oct 2016 02:45:49 +1300<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: Hardik Dangar <hardikdangar+squid@gmail.com><br>
Cc: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Caching http google deb files<br>
Message-ID: <89f9840b-7ec7-2f0b-a81c-5376c344878e@treenet.co.nz><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 5/10/2016 11:27 p.m., Hardik Dangar wrote:<br>
> Hey Amos,<br>
> <br>
> I have implemented your patch at<br>
> <br>
> and added following to my squid.conf<br>
> archive_mode allow all<br>
> <br>
> and my refresh pattern is,<br>
> refresh_pattern dl-ssl.google.com/.*\.(deb|zip|tar|rpm) 129600 100%
129600<br>
> ignore-reload ignore-no-store override-expire override-lastmod ignor$<br>
> <br>
> but i am still not able to cache it, can you tell from below output
what<br>
> would be the problem ? Do i need to configure anything extra ?<br>
<br>
Sorry. I was a bit tired when I wrote earlier an steered you wrong.<br>
<br>
The archive patch will ony help for things which can be cached in the<br>
first place. Vary:* is not part of that set so this wont help you at all.<br>
<br>
That leaves you with the option of using a multi-level cache hierarchy<br>
where the frontend cache removes the header (causing the backend cache
/<br>
client to try and store it.<br>
<br>
Or removing all of Squids Vary header support. I really dont recommend<br>
either approach.<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Thu, 6 Oct 2016 03:05:59 +1300<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Multiple auth schemes in a single Squid<br>
instance<br>
Message-ID: <8fa245d1-ed36-421c-7bb9-f95975d14d44@treenet.co.nz><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 6/10/2016 12:09 a.m., john jacob wrote:<br>
> Hi All,<br>
> <br>
> We have a requirement to use the same Squid instance for Basic and
NTLM<br>
> authentication to serve various customer groups (may not be on different<br>
> network sections). The customer groups which are using Basic authentication<br>
> (for legacy reasons) should not receive NTLM scheme and the customer
groups<br>
> which use NTLM should not receive Basic scheme.<br>
<br>
You seem to be implying that Basic auth is somehow worse than NTLM. In<br>
fact NTLM is the least secure of the two by a thin line. Both are almost<br>
equally bad to use anytime in the past decade.<br>
<br>
You should really be considering both those to be nasty legacy and<br>
moving on to Negotiate/Kerberos as much as possible.<br>
<br>
<br>
> I couldn't find a way to<br>
> implement this using the existing Squid 4.x config options. So I am<br>
> thinking of introducing a new config parameter called "endpoints"
like<br>
> below.<br>
> <br>
> auth_param basic endpoints ipofBasic portofBasic # Default is "endpoints<br>
> all"<br>
> <br>
> auth_param ntlm endpoints ipofNTLM portofNTLM # Default is "endpoints
all"<br>
> <br>
> acl ipofBasic localip 192.168.4.2<br>
> acl portofBasic localport 3129 3139<br>
> <br>
> acl ipofNTLM ipofNTLM 192.168.4.2<br>
> acl portofNTLMlocalport 3149 3159<br>
> <br>
> <br>
> The idea is ,if Squid recieves a request on an endpoint on which only
basic<br>
> authentication is needed (ie 192.168.4.2:3129 and192.168.4.2:3139),
NTLM<br>
> will not be presented to the client/browser. Vice versa for NTLM.
If no<br>
> endpoints is configured , then the existing behavior will be applied.<br>
> <br>
> Do you think this is reasonable and is there are any obvious problems
with<br>
> this?. If you find this useful, I am happy to contribute back when
I finish<br>
> implementing this module (I haven't yet started developing).<br>
<br>
<br>
The HTTP framework is negotiated thusly:<br>
the proxy offers what it supports,<br>
the client tries the most secure credential type it has access to,<br>
the proxy says whether that is acceptible or to try again.<br>
.. repeat as necessary until either a success or no more credentials<br>
are known - in which case ask the user with popup(s).<br>
<br>
When that framework is used properly the clients with NTLM will try that<br>
and the ones without will try Basic.<br>
<br>
<br>
Squid-3.5 and later have the "auth_param ... key_extras ..."
option that<br>
can take extra parameters for the auth helper to use when it decides if<br>
the credentials are valid.<br>
<br>
<br>
I suggest you try making your self a script that takes the client IP as<br>
one of those extra parameters; returning ERR if the IP is not allowed to<br>
use the type of auth or relays the lookup on to your real auth helper if<br>
it is allowed.<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Wed, 5 Oct 2016 08:19:52 -0600<br>
From: Alex Rousskov <rousskov@measurement-factory.com><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Bug: Missing MemObject::storeId<br>
Message-ID:<br>
<010b9e54-d853-6165-e00f-0266a3f71677@measurement-factory.com><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 10/05/2016 06:28 AM, amaury@tin.it wrote:<br>
<br>
> I'm using squid-3.5.21-20160908-r14081 and for the first time I <br>
> have configuration squid-smp (4workers and cache_dir rock).<br>
<br>
> 2016/10/05 14:12:55 kid4| Bug: Missing MemObject::storeId value<br>
<br>
<br>
> Is it a misconfiguration ?<br>
<br>
It is a known bug: </font></tt><a href="http://bugs.squid-cache.org/show_bug.cgi?id=4527"><tt><font size=2>http://bugs.squid-cache.org/show_bug.cgi?id=4527</font></tt></a><tt><font size=2><br>
<br>
I recommend updating that bug report with your configuration details,<br>
such as the fact that you are not using ICP (AFAICT). The bug also has<br>
some suggestions for triaging this problem further.<br>
<br>
The existence of that bug does not imply that your configuration is<br>
correct, but this bug is not a [known] sign of a misconfiguration.<br>
<br>
Alex.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Wed, 5 Oct 2016 20:03:47 +0530<br>
From: Hardik Dangar <hardikdangar+squid@gmail.com><br>
To: Amos Jeffries <squid3@treenet.co.nz><br>
Cc: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Caching http google deb files<br>
Message-ID:<br>
<CA+sSnVYCy5E00jKK5cPZm3q+eBX8Fx=Mjs_iu4Xs0oebxcte9Q@mail.gmail.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hey Amos,<br>
<br>
oh, i actually built archive mode squid by getting help at here,<br>
</font></tt><a href="http://bugs.squid-cache.org/show_bug.cgi?id=4604"><tt><font size=2>http://bugs.squid-cache.org/show_bug.cgi?id=4604</font></tt></a><tt><font size=2><br>
<br>
I was thinking if we have option vary_mode just like archive mode to set
it<br>
for particular domain like,<br>
<br>
acl dlsslgoogle srcdomain dl-ssl.google.com<br>
vary_mode allow dlsslgoogle<br>
Above could work one of the following way,<br>
<br>
1) We replace Vary header for srcdomain to some suitable option so request<br>
can be cached<br>
2) This will remove vary header totally for the above domain.<br>
3) above will use matching squid refresh pattern for srcdomain and only<br>
cache requests for<br>
particular type of file given in refresh_pattern<br>
<br>
What do you think would be easiar ? and how do i work on squid source to
do<br>
above? any hint is appreciated.<br>
<br>
<br>
One more thing can you tell me if we are already violating http via options<br>
like nocache, ignore-no-store ignore-private ignore-reload, why can't we
do<br>
the same for Vary header ?<br>
<br>
It seems servers that are notorious have Vary * header as well as at times<br>
(github) no Last modified header and these are the biggest bandwidth eaters.<br>
<br>
<br>
<br>
Thanks.<br>
Hardik<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <</font></tt><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20161005/df333a18/attachment.html"><tt><font size=2>http://lists.squid-cache.org/pipermail/squid-users/attachments/20161005/df333a18/attachment.html</font></tt></a><tt><font size=2>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
</font></tt><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><font size=2>http://lists.squid-cache.org/listinfo/squid-users</font></tt></a><tt><font size=2><br>
<br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 26, Issue 22<br>
*******************************************<br>
</font></tt><p>=====-----=====-----=====<br>
Notice: The information contained in this e-mail<br>
message and/or attachments to it may contain <br>
confidential or privileged information. If you are <br>
not the intended recipient, any dissemination, use, <br>
review, distribution, printing or copying of the <br>
information contained in this e-mail message <br>
and/or attachments to it are strictly prohibited. If <br>
you have received this communication in error, <br>
please notify us by reply e-mail or telephone and <br>
immediately and permanently delete the message <br>
and any attachments. Thank you</p>
<p></p>