[squid-users] Unable to access websites through Squid
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 23 16:54:37 UTC 2015
Hai,
I also had trouble with the squid config files, so I created “squid-conf-split”.
Basically this small piece of code below.
## code starts here.
#!/bin/sh
DATE_NOW=$(date +%Y-%m-%d)
# Back up an existing conf.d, otherwise create it.
if [ -d /etc/squid/conf.d ]; then
    cp -R /etc/squid/conf.d /etc/squid/conf.d-${DATE_NOW}
else
    mkdir /etc/squid/conf.d
fi
cd /etc/squid/conf.d || exit 1
# Keep a pristine copy of the packaged config to split from.
if [ ! -e /etc/squid/squid.conf.debian ]; then
    if [ -e /etc/squid/squid.conf.dpkg-dist ]; then
        cp /etc/squid/squid.conf.dpkg-dist /etc/squid/squid.conf.debian
    else
        cp /etc/squid/squid.conf /etc/squid/squid.conf.debian
    fi
fi
# Split one line above each "# ----" rule, i.e. at each section title.
csplit -f squid- -n2 /etc/squid/squid.conf.debian '/# -----------------------------------------------------------------------------/-1' '{*}' > /dev/null
# Rename each fresh csplit piece (squid-NN) to squid-NN-00-<SECTION-TITLE>.conf
for x in squid-[0-9][0-9]; do
    NAME=$(head -n1 "$x" | tr -s ' ' | tr ' ' '-' | cut -c3-100)
    mv "$x" "$x-00-$NAME.conf"
done
# Replace squid.conf with a stub that only includes the split files.
cat << EOF > /etc/squid/squid.conf
########################################
## Debian Squid split based config
## edit the files in /etc/squid/conf.d/
include /etc/squid/conf.d/*.conf
EOF
## code ends here.
You end up with a layout like this.
All files starting with squid-XX-00 are the default settings of squid.
All squid-XX-01-custom are my changes.
Only 1 file is an exception: squid-03-00-ACCESS-CONTROLS.conf. Since order is a big thing in this file, I make a copy of it
and add my entries there. For all others, see below.
squid-00-00-WELCOME-TO-SQUID-3.5.12.conf
squid-01-00-OPTIONS-FOR-SMP.conf
squid-02-00-OPTIONS-FOR-AUTHENTICATION.conf
squid-02-01-auth-negotiate-both.conf
squid-02-04-auth-ldap-AD.conf
squid-02-99-auth-acl.conf
squid-03-00-ACCESS-CONTROLS.conf
squid-04-00-NETWORK-OPTIONS.conf
squid-05-00-SSL-OPTIONS.conf
squid-06-00-OPTIONS-RELATING-TO-EXTERNAL-SSL_CRTD-.conf
squid-07-00-OPTIONS-WHICH-AFFECT-THE-NEIGHBOR-SELECTION-ALGORITHM.conf
squid-08-00-MEMORY-CACHE-OPTIONS.conf
squid-08-01-custom.conf
squid-09-00-DISK-CACHE-OPTIONS.conf
squid-09-01-custom.conf
squid-10-00-LOGFILE-OPTIONS.conf
squid-10-01-custom.conf
squid-11-00-OPTIONS-FOR-TROUBLESHOOTING.conf
squid-11-01-custom.conf
squid-12-00-OPTIONS-FOR-FTP-GATEWAYING.conf
squid-12-01-custom.conf
squid-13-00-OPTIONS-FOR-EXTERNAL-SUPPORT-PROGRAMS.conf
squid-13-01-custom.conf
squid-14-00-OPTIONS-FOR-URL-REWRITING.conf
squid-15-00-OPTIONS-FOR-STORE-ID.conf
squid-16-00-OPTIONS-FOR-TUNING-THE-CACHE.conf
squid-16-01-custom.conf
squid-17-00-HTTP-OPTIONS.conf
squid-17-01-custom.conf
squid-18-00-TIMEOUTS.conf
squid-18-01-custom.conf
squid-19-00-ADMINISTRATIVE-PARAMETERS.conf
squid-19-01-custom.conf
squid-20-00-OPTIONS-FOR-THE-CACHE-REGISTRATION-SERVICE.conf
squid-21-00-HTTPD-ACCELERATOR-OPTIONS.conf
squid-22-00-DELAY-POOL-PARAMETERS.conf
squid-23-00-CLIENT-DELAY-POOL-PARAMETERS.conf
squid-24-00-WCCPv1-AND-WCCPv2-CONFIGURATION-OPTIONS.conf
squid-25-00-PERSISTENT-CONNECTION-HANDLING.conf
squid-26-00-CACHE-DIGEST-OPTIONS.conf
squid-27-00-SNMP-OPTIONS.conf
squid-27-01-custom.conf
squid-28-00-ICP-OPTIONS.conf
squid-28-01-custom.conf
squid-29-00-MULTICAST-ICP-OPTIONS.conf
squid-30-00-INTERNAL-ICON-OPTIONS.conf
squid-31-00-ERROR-PAGE-OPTIONS.conf
squid-31-01-custom.conf
squid-32-00-OPTIONS-INFLUENCING-REQUEST-FORWARDING-.conf
squid-32-01-custom.conf
squid-33-00-ADVANCED-NETWORKING-OPTIONS.conf
squid-34-00-ICAP-OPTIONS.conf
squid-34-01-icap-squidclamav.conf
squid-35-00-eCAP-OPTIONS.conf
squid-36-00-MESSAGE-ADAPTATION-OPTIONS.conf
squid-37-00-DNS-OPTIONS.conf
squid-37-01-custom.conf
squid-38-00-MISCELLANEOUS.conf
squid-38-01-custom.conf
If you use Kerberos authentication, you can use a setup like this. I’ve tested both, and both work as of 3.4.8 -> 3.5.12 (I recompiled 3.5 from sid).
## This line needs good working principal names (SPNs), like HTTP/proxy1.internal.domain.tld, and you need an A and PTR record!
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@MY.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
## or same, check the -s !
#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
auth_param negotiate children 30 startup=5 idle=1
auth_param negotiate keep_alive on
Take one of the above lines and test with debug on, like:
/usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@MY.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN -D
( -D added in this line )
So, do the following, start over with a clean new config.
Enable these:
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
Which allows all local networks, or change them to your IP range.
http_port 3128 intercept
Add to firewall:
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Reload squid and test.
Give it a try, I'm back here in 15 hours.. ;-)
Greetz,
Louis
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of dolson at ihcrc.org
Sent: Wednesday, 23 December 2015 16:26
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Unable to access websites through Squid
Greetings,
I am working with Squid 3.4.8 on a Debian 8.2 system. The goal is to record all web activity, not block any sites at this time utilizing squid. I have followed several different sets of instructions on setting up Squid to utilize Active Directory Authentication to record who goes where. I have yet to be able to access any websites, even internal sites while passing through the Squid Proxy. The browser I’m testing on is Mozilla Firefox 42.0 on a Windows 7 Professional system. I am using Firefox for testing as I can set the proxy without affecting my other browsers on my workstation.
I have tried various different forms of the squid.conf file, found from various sources and I have yet to get a successful connection. Depending on the file configuration I use, I am getting an “access denied” page from the squid server, or a “Problem loading page: The connection was reset” error. With the current squid.conf, which brings up the second error, nothing is recorded in the access.log file, and the cache.log file keeps reporting the following error:
WARNING: memberof #Hlpr0 exited
FATAL: The memberof helpers are crashing too rapidly, need help!
I feel like I’m banging my head against the wall at this point. I have tried slowly building the squid.conf file, adding one authenticator program at a time until I got some sort of different response and I have not been able to get anything to work.
I have attached several different squid.conf files that I have used. The current “Squid.conf” file generates the “Connection was reset” error message, while the squid.conf.bk5 file just gives me an access is denied message.
Please help!
Thank you,
Dan Olson
Indian Health Care Resource Center
Network Support Specialist
Main: 918.588.1900 Ext. 2212
Direct: 918.382.1212
www.ihcrc.org
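
The reply notes that order matters in squid-03-00-ACCESS-CONTROLS.conf, because http_access rules are matched first-hit. The script below is an added example, not part of either mail: it lists the active http_access rules of a split conf.d in load order and flags any rule that follows a catch-all `allow all` / `deny all`. The function names and the sample files are constructed for illustration, and it assumes Squid reads the included files in the same sorted order as the shell glob.

```shell
#!/bin/sh
# Added example (not from the thread). Lists active http_access rules in the
# order the conf.d/*.conf glob yields them and flags rules that follow a
# terminal "http_access allow|deny all".
# Assumption: Squid reads included files in the same sorted order as the shell.

# Print "file:line: rule" for every active http_access line, in load order.
effective_http_access() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            { sub(/[ \t]*#.*/, "") }    # strip comments
            $1 == "http_access" { $1 = $1; printf "%s:%d: %s\n", name, FNR, $0 }
        ' "$f"
    done
}

# Print the rules that come after the first catch-all and are never reached.
unreachable_rules() {
    effective_http_access "$1" | awk '
        stop != "" { printf "%s   <- unreachable, follows %s\n", $0, stop; next }
        NF == 4 && $3 ~ /^(allow|deny)$/ && $4 == "all" { stop = $1; sub(/:$/, "", stop) }
    '
}

# Constructed sample using the naming scheme from the post.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/squid-03-00-ACCESS-CONTROLS.conf" <<'EOF'
acl localnet src 192.168.0.0/16   # constructed sample
http_access allow localhost
http_access deny all
EOF
    cat > "$d/squid-03-01-custom.conf" <<'EOF'
http_access allow localnet
EOF
    echo "$d"
}

# Check the directory given as $1, or the constructed sample if none is given.
unreachable_rules "${1:-$(make_sample)}"
```

On the constructed sample the allow rule in squid-03-01-custom.conf is reported, because it loads after the `deny all` that closes the default access-control file.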