[squid-users] Problems with Linux Worstations
Marcio Demetrio Bacci
marciobacci at gmail.com
Sun Sep 4 22:41:59 UTC 2016
I have used debug_options 11,2 in squid.conf file. After I have following
results in logs files:
/var/log/squid3/access.log
1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST
http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT
tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET
http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
self-repair.mozilla.org:443 - HIER_NONE/- text/html
1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST
http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
application/ocsp-response
1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST
http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
application/ocsp-response
1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET
http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41
text/html
1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET
http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- HIER_NONE/- text/html
1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST
http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
application/ocsp-response
1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST
http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
application/ocsp-response
1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT
tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT
self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT
self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT
incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT
aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT
normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
iecvlist.microsoft.com:443 - HIER_NONE/- text/html
1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
ieonline.microsoft.com:443 - HIER_NONE/- text/html
1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT
forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT
safebrowsing.google.com:443 - HIER_NONE/- text/html
/var/log/squid3/cache.log
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP
Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP
Client REQUEST:
---------
CONNECT safebrowsing.google.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101
Firefox/35.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: safebrowsing.google.com:443
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP
Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Sun, 04 Sep 2016 22:06:33 GMT
Content-Type: text/html
Content-Length: 3357
X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*
Proxy-Authenticate: Basic realm="CMS"
X-Cache: MISS from proxy.cms.ensino.br
X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
Connection: keep-alive
----------
Sorry, but I didn't discover the problem!
Anybody have an idea?
Regards,
Márcio
2016-09-02 11:10 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz>:
> On 2/09/2016 3:21 p.m., Marcio Demetrio Bacci wrote:
> > In my Windows workstations the authentication works correctly, however in
> > Ubuntu 14.04 the user and password are asked twice.
> >
> > I am using the basic_ncsa_auth with Squid 3.4.8
> >
> > Is there any setting that I do in Squid?
> >
> > Bellow is my squid.conf
> >
> ...
> >
> > auth_param basic program /usr/lib/squid3/basic_ncsa_auth
> /etc/squid3/passwd
> > auth_param basic children 5
> > auth_param basic realm AUTENTICACAO
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> ...
> >
> > ### Regras iniciais do Squid
> > http_access allow localhost
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
>
> Please re-order the above security rules to be:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny purge
>
> >
> > ### Exige autenticacao
> > acl autenticados proxy_auth REQUIRED
> > http_access allow autenticados
> >
> > ### Bloqueia extensoes de arquivos
> > acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-
> proibidas"
> >
> > ### Liberar alguns sites
> > acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
> >
> > ### Bloqueia sites por URL
> > acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
> >
> > #bloqueios basicos
> > http_access allow sites_liberados
> > http_access deny extensoes_bloqueadas
> > http_access deny sites_bloqueados
> >
> > ### LAN #####
> > acl rede_lan src 192.168.200.0/22
> >
> > ### Nega acesso de quem nao esta na rede local do CMB
> > http_access allow rede_lan
> >
> > #negando o acesso para todos que nao estiverem nas regras anteriores
> > http_access deny all
> >
> ...
>
>
> With your config Squid will only challenge the browser to send some if
> they are completely missing. It will not deny access when invalid
> credentials are sent.
>
> That means the browser probably does not have access to any Basic auth
> credentials it can send.
>
> The two popups are probably from two TCP connections being made with no
> credentials (maybe the result of the "Happy Eyeballs" algorithm doing
> its thing). You can check for that with "debug_options 11,2" and seeing
> what HTTP messages are happening with what IP:port details.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160904/39fdd078/attachment-0001.html>
More information about the squid-users
mailing list