[squid-users] Problems with Linux Worstations
Yuri Voinov
yvoinov at gmail.com
Mon Sep 5 17:14:14 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
05.09.2016 22:25, Marcio Demetrio Bacci пишет:
> Hi Amos
>
> Now, my squid.conf is as follow (very simple):
>
> ############ START #################
> http_port 3128
>
> debug_options 11,2
>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
>
> maximum_object_size 512 MB
> minimum_object_size 0 KB
>
> maximum_object_size_in_memory 4096 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> fqdncache_size 1024
>
> ### Parametros de atualizacao da memoria cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### Localizacao dos logs
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
> cache_dir aufs /var/spool/squid3 600 16 256
>
> visible_hostname proxy
>
> ### acls
> acl localhost src 192.168.200.7/32 <http://192.168.200.7/32>
> acl to_localhost dst 192.168.200.7/32 <http://192.168.200.7/32>
> acl SSL_ports port 22 443 563 7071 10000
> acl Safe_ports port 21 70 80 88 210 280 389 443 488 563 591 777
1025-65535
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny purge
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth
/etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm CMS
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> ### Exige autenticacao
> acl autenticados proxy_auth REQUIRED
> http_access deny !autenticados
>
> ### Rede do CMS #####
> acl lannet src 192.168.200.0/22 <http://192.168.200.0/22>
>
> ### Nega acesso de quem nao esta na rede local do CMS
> http_access allow lannet
> http_access allow localhost
>
> #negando o acesso para todos que nao estiverem nas regras anteriores
> http_access deny all
>
> ### Erros em portugues
> error_directory /usr/share/squid3/errors/pt-br
>
> #cache_effective_user proxy
> coredump_dir /var/spool/squid3
>
> ########## END ###########################
>
> I have some doubts:
>
> 1) I open my browser to test the authentication. It seems OK, but
when I open new tab in browser the Squid3 ask the user and password
again. Is this normal behavior ?
>
> 2) Is necessary to declare LOCALHOST acl as "acl localhost src
192.168.200.7/32 <http://192.168.200.7/32>" ?
#Default:
# ACLs all, manager, localhost, and to_localhost are predefined.
PS. localhost is always 127.0.0.1. You specified localnet, not localhost.
>
> 3) Isn't necessary MANAGER acl as "acl manager proto cache_object" ?
No.
>
> 4) Is correct order of the ACL in my squid.conf ? How do I improve it?
Read squid.conf.documented carefully.
>
> 5) In my access.log, I have saw many "TCP_MISS/200". Does mean only
the website is not in cache or is a strange behavior?
website is not in cache
>
>
> Sorry, but I'm still learning about Squid!
Welcome. Do not forget to do RTFM first.
A good habit is to first try to find the answers yourself. Especially
the obvious questions.
>
>
> Regards,
>
> Márcio
>
>
>
>
> 2016-09-05 1:17 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz
<mailto:squid3 at treenet.co.nz>>:
>
> On 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:
> > I have used debug_options 11,2 in squid.conf file. After I have
following
> > results in logs files:
> >
> > /var/log/squid3/access.log
> > 1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST
> > http://m.addthis.com/live/red_lojson/100eng.json
<http://m.addthis.com/live/red_lojson/100eng.json>? marcio HIER_NONE/- -
> > 1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT
> > tiles.services.mozilla.com:443
<http://tiles.services.mozilla.com:443> - HIER_NONE/- text/html
> > 1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET
> > http://start.ubuntu.com/14.04/Google/
<http://start.ubuntu.com/14.04/Google/>? - HIER_NONE/- text/html
> > 1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> > shavar.services.mozilla.com:443
<http://shavar.services.mozilla.com:443> - HIER_NONE/- text/html
> > 1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> > self-repair.mozilla.org:443 <http://self-repair.mozilla.org:443>
- HIER_NONE/- text/html
> > 1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST
> > http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
<http://192.16.58.8>
> > application/ocsp-response
> > 1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST
> > http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
<http://192.16.58.8>
> > application/ocsp-response
> > 1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200
2907 GET
> > http://start.ubuntu.com/14.04/Google/
<http://start.ubuntu.com/14.04/Google/>? marcio HIER_DIRECT/91.189.90.41
<http://91.189.90.41>
> > text/html
> > 1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET
> > http://start.ubuntu.com/12.04/sprite.png
<http://start.ubuntu.com/12.04/sprite.png> marcio HIER_NONE/- image/png
> > 1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET
> >
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
<http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>?
> > - HIER_NONE/- text/html
> > 1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST
> > http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
<http://192.16.58.8>
> > application/ocsp-response
> > 1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST
> > http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
<http://192.16.58.8>
> > application/ocsp-response
> > 1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> > shavar.services.mozilla.com:443
<http://shavar.services.mozilla.com:443> - HIER_NONE/- text/html
> > 1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT
> > tiles.services.mozilla.com:443
<http://tiles.services.mozilla.com:443> marcio HIER_DIRECT/52.24.123.95
<http://52.24.123.95> -
> > 1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT
> > self-repair.mozilla.org:443 <http://self-repair.mozilla.org:443>
marcio HIER_DIRECT/54.69.9.44 <http://54.69.9.44> -
> > 1473026160.190 63085 192 <tel:190%20%2063085%20192>.168.200.85
TCP_MISS/200 5449 CONNECT
> > self-repair.mozilla.org:443 <http://self-repair.mozilla.org:443>
marcio HIER_DIRECT/54.69.9.44 <http://54.69.9.44> -
> > 1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> > safebrowsing.google.com:443 <http://safebrowsing.google.com:443>
- HIER_NONE/- text/html
> > 1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT
> > incoming.telemetry.mozilla.org:443
<http://incoming.telemetry.mozilla.org:443> marcio
HIER_DIRECT/52.89.83.186 <http://52.89.83.186> -
> > 1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT
> > aus5.mozilla.org:443 <http://aus5.mozilla.org:443> marcio
HIER_DIRECT/52.34.235.152 <http://52.34.235.152> -
> > 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT
> > normandy.cdn.mozilla.net:443
<http://normandy.cdn.mozilla.net:443> marcio HIER_DIRECT/52.84.177.125
<http://52.84.177.125> -
> > 1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> > safebrowsing.google.com:443 <http://safebrowsing.google.com:443>
- HIER_NONE/- text/html
> > 1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> > iecvlist.microsoft.com:443 <http://iecvlist.microsoft.com:443> -
HIER_NONE/- text/html
> > 1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> > ieonline.microsoft.com:443 <http://ieonline.microsoft.com:443> -
HIER_NONE/- text/html
> > 1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT
> > forum.zentyal.org:443 <http://forum.zentyal.org:443> marcio
HIER_DIRECT/162.13.13.134 <http://162.13.13.134> -
>
> Notice how the 407 occur in bunches. 2-3 getting a 407 reject,
then many
> requests going through with user credentials. Then again some without
> any getting a 407.
> Those bunches of 407 will be matching some type of credentials timeout
> in the browser, or opening of new tabs.
>
>
> This request below is the only one from 192.168.200.96 so appears
to be
> the one you provide cache.log trace for...
>
>
> > 1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT
> > safebrowsing.google.com:443 <http://safebrowsing.google.com:443>
- HIER_NONE/- text/html
> >
> > /var/log/squid3/cache.log
> >
> > ----------
> > 2016/09/04 19:06:33.073 kid1| client_side.cc(2407)
parseHttpRequest: HTTP
> > Client local=192.168.200.7:3128 <http://192.168.200.7:3128>
remote=192.168.200.96:56302 <http://192.168.200.96:56302> FD 12 flags=1
> > 2016/09/04 19:06:33.073 kid1| client_side.cc(2408)
parseHttpRequest: HTTP
> > Client REQUEST:
> > ---------
> > CONNECT safebrowsing.google.com:443
<http://safebrowsing.google.com:443> HTTP/1.1
> > User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0)
Gecko/20100101
> > Firefox/35.0
> > Proxy-Connection: keep-alive
> > Connection: keep-alive
> > Host: safebrowsing.google.com:443
<http://safebrowsing.google.com:443>
>
> Notice the abence of any Proxy-Authorization header containing
credentials.
>
> >
> >
> > ----------
> > 2016/09/04 19:06:33.073 kid1| client_side.cc(1459)
sendStartOfMessage: HTTP
> > Client local=192.168.200.7:3128 <http://192.168.200.7:3128>
remote=192.168.200.96:56302 <http://192.168.200.96:56302> FD 12 flags=1
> > 2016/09/04 19:06:33.073 kid1| client_side.cc(1460)
sendStartOfMessage: HTTP
> > Client REPLY:
> > ---------
> > HTTP/1.1 407 Proxy Authentication Required
> > Server: squid/3.4.8
> > Mime-Version: 1.0
> > Date: Sun, 04 Sep 2016 22:06:33 GMT
> > Content-Type: text/html
> > Content-Length: 3357
> > X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*
> > Proxy-Authenticate: Basic realm="CMS"
>
> That realm="CMS" does not match the realm value of "AUTENTICACAO"
which
> your earlier config contained.
>
> Unless you changed your auth_param settings that is a sign that some
> other proxy is generating that response message. BUT, your access.log
> entry shows no server being contacted.
>
>
>
> > X-Cache: MISS from proxy.cms.ensino.br <http://proxy.cms.ensino.br>
> > X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
<http://proxy.cms.ensino.br:3128>
> > Via: 1.1 proxy.cms.ensino.br <http://proxy.cms.ensino.br>
(squid/3.4.8)
> > Connection: keep-alive
> >
> > ----------
> >
> > Sorry, but I didn't discover the problem!
> >
> > Anybody have an idea?
>
> If you altered your squid.conf settings as above in the auth details,
> did you also remove 192.168.200.7 from the "localhost" ACL ?
>
> Your rule "http_access allow localhost" occurs before anything that
> requires authentication. That means these requests coming from
> 192.168.200.7 to your proxy would not use authentication for the above
> CONNECT request. So no reason for your proxy to generate any 407
response.
>
>
> Amos
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXzaflAAoJENNXIZxhPexG6eUH/jWH/V1FJmKWyDLDt8cTj4+Q
0cBW7KhaBvJnN0QX1t9J/AVaPP5ZY5wlsSFo6ESWd7tYo2h6UDbCLnUHADpI4DPC
nH3f8yBGL9sELL+RnUZjCV+mwwGLJPDbGquxRiJ2VVGijNj1CGrHEGQWMnZESG5D
Sz1e+9zBM62vM+40T/llgMopH7Z0NgsansWDgsFJlC9iuDzXQ3kDJ6lPG7w2HB2c
dL/jssrZg7tjDuMPJi5ZrI963GMxrbmqx8w2kTOvoLKiIYHmK6E1fSGvKtpSzXjz
PtuLqdleFGklny2n9iLBYwtPmjGCr1DBr4L7/k6Yt6GdPWaTfRQJolK5hBYm7/g=
=ObEq
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160905/012fa7cb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160905/012fa7cb/attachment-0001.key>
More information about the squid-users
mailing list