[squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 9 04:40:32 UTC 2014



On 9/10/2014 4:19 a.m., Mirza Dedic wrote:
> Thanks Amos, It seems I spoke too fast, the proxy prompt is back,
> so disabling SG didn't do the trick.


Replying with a config file audit separately so it does not get lost
in the technical details of running on Windows. All of these are
general points relevant to 2.7 regardless of who is running it or where.


> # Port on which Squid will listen on
> http_port 8080
> 
> # Authentication
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Visalia Proxy Server 10072014
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 10 seconds
> 
> # Squid Defaults
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> 
> # Class C Internal Subnet - Defaults
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> 
> # ACLs
> # for destination machine
> acl lan_dst dst 172.16.0.0/16
> # for source machine
> acl lan_src src 172.16.0.0/16
> # for destination domain
> acl lan_domain dstdomain .oppy.com
> 
> # SSL Ports
> acl SSL_ports port 443 8180 8443 563 1494 2598 8531
> 
> # Standard Ports
> acl Safe_ports port 80              # http
> acl Safe_ports port 81              # http for Pacific Brokerage
> acl Safe_ports port 21              # ftp
> acl Safe_ports port 443 563         # http
> acl Safe_ports port 70              # gopher
> acl Safe_ports port 210             # wais
> acl Safe_ports port 280             # http-mgmt
> acl Safe_ports port 488             # gss-http
> acl Safe_ports port 591             # filemaker
> acl Safe_ports port 777             # multiling http
> acl Safe_ports port 8080 8081 8082 8088 8180
> acl Safe_ports port 3128            # Squid http server
> acl Safe_ports port 1494 2598       # ICA - Citrix
> acl Safe_ports port 7000 8000       # Oracle
> acl Safe_ports port 9000            # Oracle
> acl Safe_ports port 8530            # WSUS
> acl Safe_ports port 55905           # WSUS
> acl Safe_ports port 1025-65535      # unregistered ports
> 
> external_acl_type AD_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
> acl AuthorizedUsers proxy_auth REQUIRED
> 
> # ACL - Microsoft
> acl msdomains dstdomain .windowsupdate.com
> acl msdomains dstdomain .microsoft.com
> acl msdomains dstdomain ...
> acl msdomains dstdomain .microsoftonline.com
> acl msdomains dstdomain ...
> 
> # ACL - SSL Providers
> acl registars dstdomain ...
> 
> # LYNC
> acl lync2013 dst ...
> 
> # OFFICE 365 PORTAL AND IDENTITY
> acl 365portal dst ...
> 
> # OFFICE ONLINE
> acl office365 dst ...
> 
> acl dropbox dstdomain .dropbox.com
> acl icloud dstdomain .icloud.com
> 
> # Squid Cache
> acl PURGE method PURGE
> 
> http_access deny manager !localhost
> http_access allow PURGE localhost
> http_access deny PURGE
> 
> # The method ACL type allows you to restrict access based on the request HTTP method,
> # i.e. GET (used for downloading), POST (used for uploading) and CONNECT (used for SSL data transfers)
> # It is very important that you stop CONNECT type requests to non-SSL ports. The CONNECT method
> # allows data transfer in any direction at any time, regardless of the transport protocol used.
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
> 
> # Deny access to all ports except the ones defined
> http_access deny !Safe_ports
> # This blocks attempts to request http://localhost on the proxy server via the proxy.
> http_access deny localhost
> # Deny caching for everyone so that there is not caching at all
> cache deny all
> 
<snip default security checks>


> http_access allow msdomains

 ... the transaction "POST
http://sqm.microsoft.com/sqm/wm/sqmserver.dll" is permitted here.
Authentication is neither required nor used.

 ... the transaction "CONNECT login.microsoftonline.com:443" is
permitted here. Everything inside that tunnel is then strictly between
the client software and login.microsoftonline.com server.
Authentication is neither required nor used to setup the tunnel itself.


> http_access allow lync2013
> http_access allow 365portal
> http_access allow office365
> http_access allow registars
> http_access allow dropbox
> http_access allow icloud
> http_access allow lan_domain
> 
> http_access allow CONNECT msdomains
> http_access allow CONNECT lync2013
> http_access allow CONNECT 365portal
> http_access allow CONNECT office365
> http_access allow CONNECT registars
> http_access allow CONNECT dropbox
> http_access allow CONNECT icloud
> http_access allow CONNECT lan_domain

All transactions which might match these CONNECT+something ACL checks
are already permitted by the "allow something" set directly above.

The CONNECT part of the ACL check is unnecessary.

> 
> # Deny access to proxy to everyone except Authorized Users group in AD
> http_access deny !AuthorizedUsers
> 

> # Disable caching
> always_direct allow msdomains all
> always_direct allow registars all
> always_direct allow lync2013 all
> always_direct allow 365portal all
> always_direct allow office365 all
> 
> # Allow direct connection if the destination machine is on LAN
> always_direct allow lan_dst

always_direct prevents configured cache_peer being used to fetch the
traffic. That is all.

You do not have any cache_peer, so these always_direct lines are not
useful and just slow the proxy down.

FWIW: 'DIRECT' in HTTP means using DNS records to locate an
appropriate server. Instead of peer configuration or WPAD algorithms.


> # Caching
> cache_mgr ittechs at oppy.com
> refresh_pattern ^ftp:               1440    20%     10080
> refresh_pattern ^gopher:            1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?)   0       0%      0
> refresh_pattern .                   0       20%     4320
> 
> # Dont cache these pages
> acl DYNAMIC_CONTENT urlpath_regex cgi-bin \.cgi \.pl \.php3 \.asp \.php
> no_cache deny DYNAMIC_CONTENT

Squid-2.7 and later are just fine caching dynamic content provided you
use correct refresh_patterns.

Also, you have two earlier config settings which make this useless.
First is the "cache deny all" above, which makes this useless. Second
is the refresh_pattern on (/cgi-bin/|\?), which discards dynamic
content strictly according to protocol requirements.

I suggest you erase the above DYNAMIC_CONTENT bits.

Cheers
Amos
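The two points in the reply above (the "allow msdomains" line already admitting the POST and the CONNECT tunnel without any authentication, and the "allow CONNECT something" lines being unreachable) both follow from Squid's first-match evaluation of http_access. The script below is an added example, not Squid code and not from either poster: it replays a subset of the quoted http_access lines, in the posted order, through a small simulator of that evaluation. The ACL members are constructed placeholders (the real dstdomain/dst lists are elided as "..." in the quoted config, and the Lync/365 ACLs are left out for that reason); the request hosts are the two transactions Amos cites plus one unrelated site. The shadowed-line check generalises the CONNECT remark: any allow line whose terms are a superset of an earlier allow line's terms can never be the first match.

```python
"""Added example (not Squid's code, not from the post): simulate Squid's
http_access first-match evaluation over the quoted rule order.

The real dstdomain/dst lists are elided ("...") in the quoted config, so the
ACL members below are constructed placeholders; only the rule order matters.
"""
from dataclasses import dataclass
from typing import Optional


class NeedCredentials(Exception):
    """A proxy_auth ACL was reached without credentials: Squid answers 407
    (the 'proxy prompt') before any later line is considered."""


# Constructed ACL table: name -> (type, members). proxy_auth has no members.
ACLS = {
    "msdomains": ("dstdomain", {".windowsupdate.com", ".microsoft.com",
                                ".microsoftonline.com"}),
    "lan_domain": ("dstdomain", {".oppy.com"}),
    "dropbox": ("dstdomain", {".dropbox.com"}),
    "SSL_ports": ("port", {443, 8180, 8443, 563, 1494, 2598, 8531}),
    "Safe_ports": ("port", {80, 81, 21, 443, 563, 70, 210, 280, 488, 591, 777,
                            8080, 8081, 8082, 8088, 8180, 3128, 1494, 2598,
                            7000, 8000, 9000, 8530, 55905}
                   | set(range(1025, 65536))),
    "CONNECT": ("method", {"CONNECT"}),
    "AuthorizedUsers": ("proxy_auth", None),
}

# The quoted http_access lines whose ACLs are defined above, in posted order.
POSTED_ORDER = """
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow msdomains
http_access allow lan_domain
http_access allow dropbox
http_access allow CONNECT msdomains
http_access allow CONNECT lan_domain
http_access allow CONNECT dropbox
http_access deny !AuthorizedUsers
"""


@dataclass(frozen=True)
class Request:
    method: str
    host: str
    port: int
    user: Optional[str] = None  # None: no Proxy-Authorization header sent


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    terms: tuple  # ACL names; a leading "!" negates the term


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append(Rule(parts[1], tuple(parts[2:])))
    return rules


def domain_match(pattern, host):
    # dstdomain: a leading dot matches the domain itself and all subdomains.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(name, req):
    kind, members = ACLS[name]
    if kind == "dstdomain":
        return any(domain_match(p, req.host) for p in members)
    if kind == "port":
        return req.port in members
    if kind == "method":
        return req.method in members
    if kind == "proxy_auth":
        if req.user is None:
            raise NeedCredentials(name)
        return True  # REQUIRED: any authenticated user matches
    raise ValueError("unknown ACL type for %s" % name)


def term_match(term, req):
    return not acl_match(term[1:], req) if term.startswith("!") else acl_match(term, req)


def evaluate(rules, req):
    """Return (outcome, line_index); outcome is 'allow', 'deny' or '407'.
    Terms on one line are ANDed left to right; the first line whose terms all
    match decides. With no match, Squid applies the opposite of the last
    line's action."""
    for i, rule in enumerate(rules):
        try:
            if all(term_match(t, req) for t in rule.terms):
                return (rule.action, i)
        except NeedCredentials:
            return ("407", i)
    last = rules[-1].action if rules else "deny"
    return ("deny" if last == "allow" else "allow", None)


def shadowed_rules(rules):
    """Indexes of lines that can never be the first match: an earlier line
    with the same action whose terms are a subset of theirs fires first for
    every request they could match."""
    return [i for i, r in enumerate(rules)
            if any(e.action == r.action and set(e.terms) <= set(r.terms)
                   for e in rules[:i])]


RULES = parse_rules(POSTED_ORDER)

if __name__ == "__main__":
    for req in (Request("CONNECT", "login.microsoftonline.com", 443),
                Request("POST", "sqm.microsoft.com", 80),
                Request("GET", "www.example.com", 80),
                Request("GET", "www.example.com", 80, user="alice")):
        outcome, idx = evaluate(RULES, req)
        hit = "no line matched" if idx is None else " ".join(RULES[idx].terms)
        print("%-7s %-26s %-5s <- %s" % (req.method, req.host, outcome, hit))
    print("unreachable http_access lines:", shadowed_rules(RULES))
```

Running it shows the CONNECT to login.microsoftonline.com:443 and the POST to sqm.microsoft.com both decided by the "allow msdomains" line (index 2) with no credentials ever requested, an unrelated GET reaching "deny !AuthorizedUsers" and producing the 407 challenge, and lines 5 to 7 (the "allow CONNECT ..." set) reported as unreachable. The same subset test can be run against a full squid.conf export to find other dead lines before touching the auth order.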

