[squid-users] Problems with Linux Worstations

Yuri Voinov yvoinov at gmail.com
Mon Sep 5 17:14:14 UTC 2016


05.09.2016 22:25, Marcio Demetrio Bacci wrote:
> Hi Amos
>
> Now, my squid.conf is as follow (very simple):
>
> ############ START #################
> http_port 3128
>
> debug_options 11,2
>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
>
> maximum_object_size 512 MB
> minimum_object_size 0 KB
>
> maximum_object_size_in_memory 4096 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> fqdncache_size 1024
>
> ### Parametros de atualizacao da memoria cache
> refresh_pattern ^ftp:    1440      20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
> refresh_pattern .        0    20%    4320
>
> ### Localizacao dos logs
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
> cache_dir aufs /var/spool/squid3 600 16 256
>
> visible_hostname proxy
>
> ### acls
> acl localhost src 192.168.200.7/32
> acl to_localhost dst 192.168.200.7/32
> acl SSL_ports port 22 443 563 7071 10000
> acl Safe_ports port 21 70 80 88 210 280 389 443 488 563 591 777 1025-65535
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny purge
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm CMS
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> ### Exige autenticacao
> acl autenticados proxy_auth REQUIRED
> http_access deny !autenticados
>
> ### Rede do CMS #####
> acl lannet src 192.168.200.0/22
>
> ### Nega acesso de quem nao esta na rede local do CMS
> http_access allow lannet
> http_access allow localhost
>
> #negando o acesso para todos que nao estiverem nas regras anteriores
> http_access deny all
>
> ### Erros em portugues
> error_directory /usr/share/squid3/errors/pt-br
>
> #cache_effective_user proxy
> coredump_dir /var/spool/squid3
>
> ########## END ###########################
>
> I have some doubts:
>
> 1) I open my browser to test the authentication. It seems OK, but
> when I open a new tab in the browser Squid3 asks for the user and password
> again. Is this normal behavior?
>
> 2) Is it necessary to declare the LOCALHOST acl as "acl localhost src
> 192.168.200.7/32"?
#Default:
# ACLs all, manager, localhost, and to_localhost are predefined.

PS. localhost is always 127.0.0.1. You specified localnet, not localhost.

>
> 3) Isn't the MANAGER acl necessary, as "acl manager proto cache_object"?
No.
>
> 4) Is the order of the ACLs in my squid.conf correct? How do I improve it?
Read squid.conf.documented carefully.
>
> 5) In my access.log, I have seen many "TCP_MISS/200". Does it mean only
> that the website is not in the cache, or is it strange behavior?
The website is not in the cache.
>
>
> Sorry, but I'm still learning about Squid!
Welcome. Do not forget to do RTFM first.

A good habit is to first try to find the answers yourself. Especially
the obvious questions.
>
>
> Regards,
>
> Márcio
>
>
>
>
> 2016-09-05 1:17 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz>:
>
>     On 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:
>     > I have used debug_options 11,2 in the squid.conf file. After that I have
>     > the following results in the log files:
>     >
>     > /var/log/squid3/access.log
>     > 1473026084.048    253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
>     > 1473026086.275      0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
>     > 1473026086.778      0 192.168.200.85 TCP_DENIED/407 3995 GET http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
>     > 1473026088.908      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
>     > 1473026091.932      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- text/html
>     > 1473026096.418    180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
>     > 1473026096.467     85 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
>     > 1473026102.051    525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41 text/html
>     > 1473026102.091      0 192.168.200.85 TCP_HIT/200 22099 GET http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
>     > 1473026104.855      0 10.133.85.3 TCP_DENIED/407 3929 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
>     > 1473026146.453     83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
>     > 1473026147.447     83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
>     > 1473026148.923      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
>     > 1473026157.117  61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
>     > 1473026157.195  61584 192.168.200.85 TCP_MISS/200 4521 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
>     > 1473026160.190  63085 192.168.200.85 TCP_MISS/200 5449 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
>     > 1473026204.518      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
>     > 1473026207.807  62056 192.168.200.85 TCP_MISS/200 3686 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.808  61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.808  61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.809  61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.814  61165 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
>     > 1473026207.866  61052 192.168.200.85 TCP_MISS/200 3821 CONNECT aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
>     > 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
>     > 1473026264.532      0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
>     > 1473026299.647      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT iecvlist.microsoft.com:443 - HIER_NONE/- text/html
>     > 1473026335.221      0 10.133.85.3 TCP_DENIED/407 3813 CONNECT ieonline.microsoft.com:443 - HIER_NONE/- text/html
>     > 1473026592.061   6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
>
>     Notice how the 407s occur in bunches: 2-3 requests getting a 407 reject,
>     then many requests going through with user credentials. Then again some
>     without any getting a 407.
>     Those bunches of 407s will be matching some type of credentials timeout
>     in the browser, or the opening of new tabs.
>
>
>     This request below is the only one from 192.168.200.96, so it appears
>     to be the one you provided the cache.log trace for...
>
>
>     > 1473026793.073      0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
>     >
>     > /var/log/squid3/cache.log
>     >
>     > ----------
>     > 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
>     > 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:
>     > ---------
>     > CONNECT safebrowsing.google.com:443 HTTP/1.1
>     > User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
>     > Proxy-Connection: keep-alive
>     > Connection: keep-alive
>     > Host: safebrowsing.google.com:443
>
>     Notice the absence of any Proxy-Authorization header containing
>     credentials.
>
>     >
>     >
>     > ----------
>     > 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
>     > 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY:
>     > ---------
>     > HTTP/1.1 407 Proxy Authentication Required
>     > Server: squid/3.4.8
>     > Mime-Version: 1.0
>     > Date: Sun, 04 Sep 2016 22:06:33 GMT
>     > Content-Type: text/html
>     > Content-Length: 3357
>     > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
>     > Proxy-Authenticate: Basic realm="CMS"
>
>     That realm="CMS" does not match the realm value of "AUTENTICACAO"
>     which your earlier config contained.
>
>     Unless you changed your auth_param settings that is a sign that some
>     other proxy is generating that response message. BUT, your access.log
>     entry shows no server being contacted.
>
>
>
>     > X-Cache: MISS from proxy.cms.ensino.br
>     > X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
>     > Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
>     > Connection: keep-alive
>     >
>     > ----------
>     >
>     > Sorry, but I didn't discover the problem!
>     >
>     > Anybody have an idea?
>
>     If you altered your squid.conf settings as above in the auth details,
>     did you also remove 192.168.200.7 from the "localhost" ACL ?
>
>     Your rule "http_access allow localhost" occurs before anything that
>     requires authentication. That means these requests coming from
>     192.168.200.7 to your proxy would not use authentication for the above
>     CONNECT request. So there is no reason for your proxy to generate any
>     407 response.
>
>
>     Amos
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
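As an added example (not from the thread or from the Squid project), a small Python parser for Squid's native access.log format that groups each client's entries into the 407 "bunches" Amos describes above: runs of TCP_DENIED/407 carrying no user, followed by requests that carry credentials. The sample lines are constructed, modelled on the quoted log.

```python
import re
from collections import defaultdict

# Squid native access.log fields: time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$")
# Constructed sample, shaped like the lines quoted in the thread (two clients, one user name).
SAMPLE_LOG = """\
1473026086.275      0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026086.778      0 192.168.200.85 TCP_DENIED/407 3995 GET http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
1473026096.418    180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026102.091      0 192.168.200.85 TCP_HIT/200 22099 GET http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
1473026104.855      0 10.133.85.3 TCP_DENIED/407 3929 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1473026148.923      0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026157.117  61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026592.061   6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
"""

def parse(log_text):
    """One dict per well-formed line; lines that do not match the format are skipped, not guessed."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"], d["status"] = float(d["ts"]), int(d["status"])
            rows.append(d)
    return rows

def auth_bunches(rows):
    """Per client: [(consecutive 407 rejects, credentialed requests that followed), ...].
    A 407 carries user '-' (no Proxy-Authorization header); the browser then retries with credentials."""
    by_client = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)
    result = {}
    for client, entries in by_client.items():
        runs, denied, authed = [], 0, 0
        for r in entries:
            if r["status"] == 407:
                if authed:  # a new bunch starts: close the previous one
                    runs.append((denied, authed))
                    denied = authed = 0
                denied += 1
            elif r["user"] != "-":  # request that carried accepted credentials
                authed += 1
        runs.append((denied, authed))  # other lines (e.g. aborted, no user) do not affect the pattern
        result[client] = runs
    return result
```

A client whose list shows long 407 runs with few or no credentialed requests in between is one whose browser never retries with credentials, which is the case the quoted cache.log trace shows for 192.168.200.96.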
