[squid-users] Update from Squid 4 to Squid 5 :
Bertrand Friconneau
bfriconneau at stemarie-aizenay.fr
Wed Nov 9 15:50:05 UTC 2022
Hi Everyone,
I've got Squid 4.10 on Ubuntu 20.10 LTS
I tried to upgrade my server to Ubuntu 22.04 LTS,
but afterwards the users could no longer reach the internet.
Here is the log from /var/log/squid/access.log:
1668004454.050 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.052 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.057 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.063 1 172.22.200.1 TCP_DENIED/407 4454 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.076 10 172.22.200.1 NONE_NONE/500 0 CONNECT
drive.google.com:443 infoe HIER_NONE/- -
And on the client:
ERR_TUNNEL_CONNECTION_FAILED
According to this page :
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
The cause is the challenge-response process of NTLM.
How can I solve it?
Regards
Bertrand Friconneau
-------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of squid :
# squid.conf as posted (Squid 4.10, server being moved to Ubuntu 22.04).
# Authentication is NTLM via Samba's ntlm_auth helper; URL rewriting is
# delegated to squidGuard.
dns_v4_first on
visible_hostname squid
error_directory /usr/share/squid/errors/French
cache_dir ufs /data/squid/spool 5000 16 256
#cache_mem 256 MB
cache_mem 512 MB
# NOTE(review): coredump_dir is set a second time further down
# (/var/spool/squid); presumably the later directive is the one that
# takes effect - confirm which directory is intended.
coredump_dir /data/squid/spool
cache_store_log none
# ntlm_auth is Samba's helper speaking the squid-2.5-ntlmssp helper
# protocol. The mail client wrapped this directive: the next line is
# the tail of this one, not a separate line of configuration.
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 250
# keep_alive off is documented to make Squid forcibly close the client
# connection on the initial 407 that advertises the scheme.
# NOTE(review): the access.log above shows several TCP_DENIED/407 on the
# same CONNECT followed by NONE_NONE/500; worth re-testing with the
# default (keep_alive on) after the upgrade.
auth_param ntlm keep_alive off
# Domain list for the bypass rule below; this directive is also
# mail-wrapped, the quoted path on the next line belongs to it.
acl sitebypass dstdomain
"/var/lib/squidguard/db/exception/bypassite/bypassite.url"
acl tor dst "/etc/squid/tor"
# Source networks that are allowed without proxy authentication (see the
# http_access rules below). 172.22.0.0/16, where the logged client
# 172.22.200.1 sits, is not among them, so that client must authenticate.
acl administrationzone src 172.21.0.0/16
acl informatiquezone src 172.28.0.0/16
acl secuzone src 172.18.0.0/16
acl srvzone src 172.20.0.0/16
# -i already makes the match case-insensitive, so the [Mm][Ss][Ii] and
# [Dd][Ll][Ll] classes are redundant; only URLs ending in .msi or .dll
# are blocked by this acl.
acl url_exe url_regex -i \.[Mm][Ss][Ii]$ \.[Dd][Ll][Ll]$
# proxy_auth REQUIRED: any user accepted by the ntlm helper matches. This
# is the acl behind the 407 challenges seen in the log.
acl ntlm proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access is evaluated first-match, top to bottom.
# NOTE(review): every allow rule (sitebypass, the four source zones and
# the authenticated ntlm users) comes before the "deny !Safe_ports" and
# "deny CONNECT !SSL_ports" rules, so the port restrictions are never
# reached for any client that is allowed at all. The stock squid.conf
# places those two denies before the first allow; consider moving them
# up so they apply to everyone.
http_access allow sitebypass
http_access deny tor
http_access deny url_exe
http_access allow administrationzone
#http_access allow pedagozone
#http_access allow xibozone
http_access allow informatiquezone
http_access allow secuzone
http_access allow srvzone
# Everyone not covered by a zone above must authenticate via NTLM.
http_access allow ntlm
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 8080
# squidGuard as URL rewriter; mail-wrapped again, the config path on the
# next line is the argument of -c.
url_rewrite_program /usr/bin/squidGuard -P -c
/etc/squidguard/squidGuard.conf
url_rewrite_children 75
# Second coredump_dir (see the note near the top of the file).
coredump_dir /var/spool/squid
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
max_filedescriptors 65536
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of samba :
# smb.conf as posted. security = ADS means the host is joined to the
# STEMARIEAIZENAY AD domain; presumably winbind/ntlm_auth use this join to
# validate the proxy users - confirm.
[global]
workgroup = STEMARIEAIZENAY
security = ADS
realm = STEMARIE-AIZENAY.LOCAL
encrypt passwords = yes
winbind separator = +
# Default idmap backend for any domain not configured explicitly below.
idmap config *:backend = tdb
idmap config *:range = 70001-80000
# Domain accounts are mapped deterministically from their RID; this range
# and the default range above do not overlap.
idmap config STEMARIEAIZENAY:backend = rid
idmap config STEMARIEAIZENAY:range = 10000-70000
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Usernames are returned without the DOMAIN+ prefix; the bare "infoe" in
# the access.log above is consistent with this setting.
winbind use default domain = yes
template homedir = /home/homes/%U
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the krb5.conf file :
; krb5.conf as posted. The realm and KDC entries are plain; the enctype
; restrictions in [libdefaults] are the part worth reviewing.
[libdefaults]
default_realm = STEMARIE-AIZENAY.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
#ticket_lifetime = 24h
; NOTE(review): a Squid-specific keytab, presumably for a Negotiate/Kerberos
; helper; the squid.conf above configures only the NTLM helper, so confirm
; this keytab is still used.
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
; NOTE(review): the three active lines restrict Kerberos to RC4 and
; single-DES. Single-DES enctypes have been removed from recent MIT
; Kerberos releases and RC4 is deprecated, so on a newer Ubuntu these
; values may be ignored or rejected - confirm against the krb5 version
; shipped with 22.04 and consider enabling the AES variants commented
; out below instead.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; (the three commented lines below were wrapped by the mail client; each
; bare "des-cbc-md5" line is the tail of the commented line above it)
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
[realms]
; KDC is pinned explicitly (dns_lookup_kdc = no above).
STEMARIE-AIZENAY.LOCAL = {
kdc = srv-ad.stemarie-aizenay.local
admin_server = srv-ad.stemarie-aizenay.local
default_domain = stemarie-aizenay.local
}
[domain_realm]
.stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL
stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL