[squid-users] ISSUE accssing content

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 24 21:50:08 UTC 2015


On 25/07/2015 4:59 a.m., Jagannath Naidu wrote:
> 1. It's not a transparent proxy.
> 
> 2. My clients get wpad configuration from AD server. So there are two
> question.
>  2.1 : I know that wpad is used to identify proxy server and port (and rest
> other bypass rules).  When clients resolve to wpad.abc.com, is there a way
> that I can overwrite the wpad file off client? Like creating a webserver
> to serve the wpad file and I change /etc/hosts file to "<myhwebserveripaddress>
> wpad.abc.com"
>  2.2 Is there any other way to tell clients via squid server not to come
> to the squid server and re-initiate the request?

Exactly that if you wish. It's not clear whether WPAD is the problem though.

The fact that you have Squid logs showing access indicates the traffic
is actually getting there okay. The responses do seem to be coming back
from 10.* servers as well.
So what is happening is something is causing those servers not to like
the traffic being requested from them.


> 
> On 24 July 2015 at 21:10, Jagannath Naidu <
> jagannath.naidu at fosteringlinux.com> wrote:
> 
>>
>>
>> On 24 July 2015 at 21:05, Jagannath Naidu <
>> jagannath.naidu at fosteringlinux.com> wrote:
>>
>>> Dear List,
>>>
>>> I have been working on this for last two weeks, but never got it
>>> resolved.
>>>
>>> We have an application server (SERVER) in our local network and a desktop
>>> application (CLIENT). The application picks proxy settings from IE. And we
>>> also have a websense proxy server
>>>
>>> case 1: when there is no proxy set
>>> application works. No logs in squid server access.log
>>>
>>> case 2: when proxy ip address set and checked "bypass local network"
>>> application works. No logs in squid server access.log
>>>
>>> case 3: when proxy ip address is set to websense proxy server. UNCHECKED
>>> "bypass local network"
>>> application works. We don't have access to websense server and hence we
>>> can not check logs

Can you explain "not works" in any better detail?
 application expected vs actual behaviour?
 if you can relate that to particular HTTP messages even better.


>>>
>>>
>>> case 4: when proxy ip address is set to proxy server ip address.
>>> UNCHECKED "bypass local network"
>>> application does not work :-(. Below are the logs.
>>>
>>>
>>> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>>> - HIER_DIRECT/10.1.4.46 text/html

404. The URL you see above references an object that does not exist on
that server.

Things to look into:
 Is it the right server?
 Is it the right URL?
 Why was it requested?
 Does the server actually know its "dlwvdialce.htmedia.net" name?


>>> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
>>> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html


Authentication. Normal I think.

>>> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>>> 10.1.4.46 text/html

Same as the first 404'd URL.

>>> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST
>>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>>> - HIER_NONE/- text/html

503 usually indicates the attempted server failed.

Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work.
Which would also match the lack of server IP in the log.


>>>
>>> UPDATE: correct logs
>>
>> 1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>> - HIER_DIRECT/10.1.4.46 text/html
>> 1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>> 10.1.4.46 text/html
>> 1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST
>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>> - HIER_NONE/- text/html
>>

Same comments as above.

>>
>>
>>> squid -v
>>> Squid Cache: Version 3.3.8
>>> configure options:  '--build=x86_64-redhat-linux-gnu'
>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
>>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
>>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
>>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
>>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--disable-strict-error-checking'
>>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>>> '--with-logdir=$(localstatedir)/log/squid'
>>> '--with-pidfile=$(localstatedir)/run/squid.pid'
>>> '--disable-dependency-tracking' '--enable-eui'
>>> '--enable-follow-x-forwarded-for' '--enable-auth'
>>> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
>>> '--enable-auth-ntlm=smb_lm,fake'
>>> '--enable-auth-digest=file,LDAP,eDirectory'
>>> '--enable-auth-negotiate=kerberos'
>>> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
>>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
>>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
>>> '--enable-ident-lookups' '--enable-linux-netfilter'
>>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
>>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2'
>>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
>>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
>>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
>>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>>> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
>>> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2
>>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
>>> -m64 -mtune=generic -fpie'
>>> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>>
>>>
>>> squid.conf
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
>>> machines
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8180
>>> acl CONNECT method CONNECT
>>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54
>>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4

For easier reading:
  acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4

(at least I think they are all in one /27, double-check that)

>>> http_access allow wvdial
>>> acl dialer dstdomain .htmedia.net
>>> http_access allow dialer
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET

"=" is a funny domain name. I suspect you wanted the domain-name part
of the line to be used instead. Remove the "= " bit.

>>> append_domain  .mydomain.net
>>> ignore_expect_100 on

The ignore_* directive should not be useful in 3.3. You can remove it now.

>>> dns_v4_first on
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
>>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>>> auth_param ntlm children 1000
>>> auth_param ntlm keep_alive off
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> acl auth proxy_auth REQUIRED
>>> http_access allow all auth

"allow all auth" means the same as "allow auth".

"all" only has meaning on the end (right-hand side) of the line which
would otherwise end in a proxy_auth ACL.
It should either be on the end of that line, or not used at all.


>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 0.0.0.0:8080
>>> coredump_dir /var/spool/squid
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>>
>>>
>>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to
>>> squid 3.3 would help. Please help me resolving this mystery.

Looks to me like the server at 10.1.4.46 does not know what to do with
the URLs requested.

I would start looking at whether the application is actually supposed to
be going there for its requests.

Amos
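The triage Amos walks through above (404s with a known peer IP, a 503 with no server IP, 407s that are just auth) can be scripted. This is an added example, not code from the thread or from the Squid project: it parses Squid native access.log lines (sample lines constructed from the ones quoted in the thread) and also checks the /27 assumption behind the suggested `acl wvdial dst 10.1.4.45-10.1.4.55/27` rewrite.

```python
import ipaddress

# Constructed sample: the access.log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html
"""

def parse_line(line):
    """Parse one Squid native access.log line (10 whitespace-separated fields)."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")   # e.g. TCP_MISS/404
    hier, _, peer = f[8].partition("/")     # e.g. HIER_DIRECT/10.1.4.46 or HIER_NONE/-
    return {"ts": float(f[0]), "ms": int(f[1]), "client": f[2], "code": code,
            "status": int(status), "bytes": int(f[4]), "method": f[5],
            "url": f[6], "user": f[7], "hier": hier, "peer": peer, "type": f[9]}

def triage(log_text):
    """Return (status, method, url, peer) for entries worth chasing with the
    origin server: 404 (server reached, object missing) and 503 (server not
    reached; peer is '-' when no TCP connection was made). 407 is left out
    because it is the normal proxy-auth challenge."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["status"] in (404, 503):
            out.append((e["status"], e["method"], e["url"], e["peer"]))
    return out

def same_block(addrs, prefixlen):
    """True if every address in addrs lies in one IPv4 /prefixlen network,
    i.e. the list can be collapsed to a single range/prefix ACL entry."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    return len(nets) == 1

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    wvdial = [f"10.1.4.{i}" for i in range(45, 56)]
    print("wvdial hosts all in one /27:", same_block(wvdial, 27))
```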
