[squid-users] Squid 3.5.9 Problems with Teamviewer
epytir
auaauabubu at yahoo.de
Thu Apr 21 14:31:26 UTC 2016
Hey Amos,
thanks for your reply.
The line /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$
is only missing the 2 letters ME, sorry for that.
I will build a test server with the newest squid version and config changes.
>I log squid in database and every connect i see is not blocked:
The column titles are:
ID time_since_epoch date_day date_time response_time squid_request_status
> | 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip
> | TCP_MISS
http_status_code reply_size request_url user squid_hier_status
> | 200 | 15623 | GET | www.teamviewer.com | Username|
> FIRSTUP_PARENT |
> NULL | NULL |
> | 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip |
> TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username|
> HIER_NONE | NULL | NULL |
>
>You missed out the bit where the column titles were described so we know
>what that above means.
I don't know what the parent proxy is because it is outsourced by our customer
and they don't say what it is...
I think it's squid or tmg, and yes, if it is tmg or an old version of squid
maybe this is the problem..
I'm new with squid so I might make some config mistakes, thanks for correcting
me :)
I will write here when I have new information.
Greetings Epytir
Amos Jeffries wrote
> On 21/04/2016 3:39 a.m., epytir wrote:
>> Hey Squid Users,
>>
>> Sorry for my bad English, I'm learning it currently.
>>
>> I got a little problem with my squid proxy.
>> I installed it with ufdbguard and squidclamav and everything works fine.
>>
>> The users login with kerberos ntlm or normal username password
>> authentication.
>>
>> My Problem is when Users start Teamviewer (every Version) some time
>> teamviewer doing nothing then the message "no connection please check
>> proxy settings" appears. Then I click nothing, after 10 more seconds the
>> teamviewer is connected without changing anything.
>> So Teamviewer needs up to 1 minute to connect through the proxy without i
>> need like 5 seconds.
>>
>> Teamviewer is not blocked for the users with the problems and it connects
>> but needs too much time. I have 1500 User so the normal user don't
>> understand that he must wait and don't click on change settings or abort.
>>
>> I log squid in database and every connect i see is not blocked:
>> | 23731740 | 1461164861.040 | 2016-04-20 | 17:07:41 | 48 | ip | TCP_MISS | 200 | 15623 | GET | www.teamviewer.com | Username| FIRSTUP_PARENT | NULL | NULL |
>> | 23733412 | 1461165077.533 | 2016-04-20 | 17:11:18 | 11 | ip | TCP_MEM_HIT | 200 | 15631 | GET | www.teamviewer.com | Username| HIER_NONE | NULL | NULL |
>>
>
> You missed out the bit where the column titles were described so we know
> what that above means.
>
>
>> The parent Proxy is not the problem because our old proxy is tmg from
>> microsoft and use the same proxy without teamviewer problems. (we want to
>> shutdown tmg because it's extremely slow and squid is so fast :) )
>>
>
> Maybe it is, maybe it isn't. Not a safe assumption.
>
> It is likely tmg and Squid are talking to it slightly differently which
> might make it do different things and hit some bug you never saw before.
> The older that parent proxy software is the more likely this is to happen.
>
>
>>
>> Here are some information:
>> Squid 3.5.9
>> UFDB 1.31-16
>> Server Ubuntu 14.04 LTS
>>
>
> The old Squid version could also be a problem. We have found and fixed
> quite a lot of bugs in the last 2 years.
>
> A useful rule of thumb when dealing with squid issues is to first try an
> upgrade and see if the issue is resolved already.
>
> If you can wait a few days I suggest trying for an upgrade to Ubuntu
> Xenial 16.04 LTS, which should appear any day now and has a much better
> Squid in it.
>
>
>> Squid config snip:
>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/lib/squid3/fakeauth_auth --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$
>
> The above line got truncated.
>
>> auth_param negotiate children 80
>> auth_param negotiate keep_alive on
>
> I recommend using "off" here. It seems to be needed by recent Firefox
> and some other tools as well.
>
>>
>> auth_param ntlm program /usr/lib/squid3/fakeauth_auth x.x.x\DC
>
> This "x.x.x\DC" thing is suspicious. If it is actually needed, then I
> suspect it should be on the Negotiate/NTLM helper as well as the NTLM one.
>
>
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive off
>>
>> #LDAP Authentication
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=X,dc=X,dc=X" -D "XXX at .X" -w "XXXXXXXXX" -v 3 -h ldaps://X.X.X
>> auth_param basic children 30
>> auth_param basic realm Domain-Internet-Proxy
>> auth_param basic credentialsttl 30 day #How often ask for Login credentials
>> auth_param basic casesensitive off
>>
>> acl ldap-auth proxy_auth REQUIRED # Rule authentication needed
>> never_direct allow all
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> #http_access allow CONNECT SSL_ports
>
> The security rule provided is "deny CONNECT !SSL_Ports".
>
> That is *not* the same as "allow CONNECT SSL_Ports".
>
> It uses "deny" explicitly to prevent other rules later in the config
> doing unexpected bad things...
>
>
>> http_access allow localnet
>> http_access allow localhost
>>
>> #LDAP User are allowed to connect to the Internet
>> http_access allow ldap-auth
>> http_access allow CONNECT SSL_ports ldap-auth
>>
>
> ... like this rule doing nothing.
>
> Why?
> Because ldap-auth, localnet, localhost ACLs already let users do
> anything they want. Anything. Oops.
>
>
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>> .
>> .
>> .
>>
>> Normal ntlm don't work but we have some old programs that need ntlm so I
>> use fake ntlm for them, browsers only use kerberos.
>>
>> In squid log I see nothing, no entries for the connection time.
>
> Squid logs transactions when they complete. If the teamviewer is still
> using it for some minutes/hours/days you won't see it until it's over.
>
> "Days" is not a joke, some can last that long. GoogleTalk, Facebook
> Chat, Skype etc are known for it already. It would not surprise me to
> find TeamViewer is similar.
>
> Amos
>
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-5-9-Problems-with-Teamviewer-tp4677176p4677203.html
Sent from the Squid - Users mailing list archive at Nabble.com.
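
The http_access ordering issue raised in the quoted reply ("deny CONNECT !SSL_ports" is not the same as "allow CONNECT SSL_ports"), worked through as an added example that is not part of the original thread. It is a simplified first-match model, not Squid code; the ACL definitions, request fields and function names are assumptions made for illustration.

```python
from itertools import product

# Constructed model: ACL definitions are assumptions, not the poster's real values.
def is_safe_port(port):
    return port in {21, 70, 80, 210, 280, 443, 488, 591, 777} or 1025 <= port <= 65535

ACLS = {
    "Safe_ports": lambda r: is_safe_port(r["port"]),
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "localnet": lambda r: r["localnet"],
    "localhost": lambda r: r["localhost"],
    "ldap-auth": lambda r: r["auth"],
    "all": lambda r: True,
}

# http_access lines as posted in the thread (the CONNECT rule is commented out).
POSTED = """
http_access deny !Safe_ports
#http_access allow CONNECT SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ldap-auth
http_access allow CONNECT SSL_ports ldap-auth
http_access deny all
"""
# Same list with the deny rule from the reply put back in place of the commented line.
FIXED = POSTED.replace("#http_access allow CONNECT SSL_ports",
                       "http_access deny CONNECT !SSL_ports")

def parse(conf):
    """Return [(action, [acl, ...])] for each active http_access line."""
    lines = (l.split("#", 1)[0].split() for l in conf.splitlines())
    return [(w[1], w[2:]) for w in lines if len(w) >= 3 and w[0] == "http_access"]

def evaluate(rules, req):
    """First rule whose ACLs all match wins; returns (action, rule number)."""
    for n, (action, names) in enumerate(rules, 1):
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in names):
            return action, n
    return "deny", None  # not reached here: both lists end in "deny all"

def never_hit(rules, requests):
    """Rule numbers that no request in the sample set ever reaches."""
    hit = {evaluate(rules, r)[1] for r in requests}
    return [n for n in range(1, len(rules) + 1) if n not in hit]

# Constructed sample requests covering every combination of the modelled fields.
GRID = [dict(method=m, port=p, localnet=ln, localhost=lh, auth=a)
        for m, p, ln, lh, a in product(("GET", "CONNECT"), (25, 80, 443),
                                       (False, True), (False, True), (False, True))]
```

In this model a CONNECT to port 80 from localnet is allowed by rule 2 of the posted list and denied by rule 2 of the corrected one, and `never_hit` reports the trailing `allow CONNECT SSL_ports ldap-auth` line as unreachable in both.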