[squid-users] Problems with Linux Workstations
Amos Jeffries
squid3 at treenet.co.nz
Mon Sep 5 04:17:44 UTC 2016
On 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:
> I have used debug_options 11,2 in squid.conf file. After I have following
> results in logs files:
>
> /var/log/squid3/access.log
> 1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST
> http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
> 1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT
> tiles.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET
> http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
> 1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> self-repair.mozilla.org:443 - HIER_NONE/- text/html
> 1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET
> http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41
> text/html
> 1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET
> http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
> 1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET
> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
> - HIER_NONE/- text/html
> 1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT
> tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
> 1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT
> aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
> 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT
> normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
> 1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> iecvlist.microsoft.com:443 - HIER_NONE/- text/html
> 1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> ieonline.microsoft.com:443 - HIER_NONE/- text/html
> 1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT
> forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -

Notice how the 407 occur in bunches. 2-3 getting a 407 reject, then many
requests going through with user credentials. Then again some without
any getting a 407.

Those bunches of 407 will be matching some type of credentials timeout
in the browser, or opening of new tabs.

This request below is the only one from 192.168.200.96 so appears to be
the one you provide cache.log trace for...

> 1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
>
> /var/log/squid3/cache.log
>
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP
> Client REQUEST:
> ---------
> CONNECT safebrowsing.google.com:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: safebrowsing.google.com:443

Notice the absence of any Proxy-Authorization header containing credentials.

>
>
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP
> Client REPLY:
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.4.8
> Mime-Version: 1.0
> Date: Sun, 04 Sep 2016 22:06:33 GMT
> Content-Type: text/html
> Content-Length: 3357
> X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*
> Proxy-Authenticate: Basic realm="CMS"

That realm="CMS" does not match the realm value of "AUTENTICACAO" which
your earlier config contained.

Unless you changed your auth_param settings that is a sign that some
other proxy is generating that response message. BUT, your access.log
entry shows no server being contacted.

> X-Cache: MISS from proxy.cms.ensino.br
> X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
> Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
> Connection: keep-alive
>
> ----------
>
> Sorry, but I didn't discover the problem!
>
> Anybody have an idea?

If you altered your squid.conf settings as above in the auth details,
did you also remove 192.168.200.7 from the "localhost" ACL?

Your rule "http_access allow localhost" occurs before anything that
requires authentication. That means these requests coming from
192.168.200.7 to your proxy would not use authentication for the above
CONNECT request. So no reason for your proxy to generate any 407 response.

Amos
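
An added example, not part of the original message: the 407 pattern described above can be checked mechanically by pairing each challenge with the first later request from the same client for the same URL that carried a username. The sample lines are taken from the quoted access.log and unwrapped to one entry per line; the function names are illustrative.

```python
# Constructed sample: entries from the access.log quoted above, unwrapped to
# one line each (Squid native log format).
SAMPLE_LOG = """\
1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
"""

def parse(log_text):
    """Yield one dict per complete native-format access.log line."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # wrapped or truncated entry
        ts, elapsed_ms = float(f[0]), int(f[1])
        yield {
            # Squid logs when the transaction ends, so the request began earlier.
            "start": ts - elapsed_ms / 1000.0,
            "end": ts,
            "status": f[3].partition("/")[2],
            "key": (f[2], f[5], f[6]),  # client, method, URL
            "user": f[7],
        }

def match_challenges(log_text):
    """Pair each 407 with the first later authenticated request for the same key."""
    recs = list(parse(log_text))
    report = []
    for c in (r for r in recs if r["status"] == "407"):
        retries = [r for r in recs if r["key"] == c["key"]
                   and r["user"] != "-" and r["start"] >= c["end"]]
        first = min(retries, key=lambda r: r["start"], default=None)
        report.append({
            "client": c["key"][0], "url": c["key"][2],
            "user": first["user"] if first else None,
            "delay_s": round(first["start"] - c["end"], 3) if first else None,
        })
    return report

def silent_clients(log_text):
    """Clients that were challenged but never sent a request with credentials."""
    recs = list(parse(log_text))
    authed = {r["key"][0] for r in recs if r["user"] != "-"}
    return sorted({r["key"][0] for r in recs if r["status"] == "407"} - authed)
```

A 407 that is followed by an authenticated retry is the normal challenge-response cycle; a client that appears only in `silent_clients` never answered the challenge and is the one to trace in cache.log.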