Re: [squid-users] Yahoo messenger behind squid problem : difficult to login

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Jun 2009 23:36:13 +1200

Gue wrote:
> I ran a view windows pc connected to internet via squid (on centos).
> setting is quite straight forward.
> YM works fine, until yahoo is releasing ver 9
>
> Now it is difficult to logon ( when I use the proxy, with ver 9 )
> Sometimes, i just kicked out in the middle of conv, and YM aske me to re-login.
>
> If i try to use older ver of ym, ver 8, cant logon for good.
> ( ver 9 sometime can logon, but most of the time diffoult)
>
> It all works fine when I bypass the proxy.
>
>
> Any Idea what to pun on setting to solve the problem ?
> what else to put on squid setting, to increase speed and /or security ?
>
> thanks in adv ...
>
>
>
> bellow id the squid proxy setting
>
> http_port 3128
> icp_port 0
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
>
> cache_mem 96 MB
> maximum_object_size 20480 KB
> maximum_object_size_in_memory 24 KB
> cache_replacement_policy heap LFUDA
> cache_dir aufs /var/spool/squid 6144 16 256
>
> redirect_children 10
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> connect_timeout 3 minute
> persistent_request_timeout 3 minute
> pconn_timeout 360 seconds
> ident_timeout 30 seconds
> shutdown_lifetime 90 seconds
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 1080 1863 6891-6900 563 5050 5190 5222 563 6667
>
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny CONNECT !Safe_ports
> http_access deny to_localhost
>
> acl our_networks src 192.168.1.0/24
> acl YIM_ports port 5000-5100
> acl YIM_ports port 936
> acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp .yahoo.co.id .yahoo.com.sg
> acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
> acl YIM_methods method CONNECT
> http_access allow YIM_methods YIM_ports YIM_hosts
> http_access allow YIM_methods YIM_ports YIM_domains
>
>
> acl notallowed src "/etc/squid/usr.notallowed"
> acl av_server src "/etc/squid/symantec.av"
> acl ajen src 192.168.2.10
> acl ph src 192.168.1.21
>
> acl big urlpath_regex -i \.mpg$ \.mpeg$ \.mp3$ \.avi$ \.wmv$ \.rm$
> acl badwords url_regex -i "/etc/squid/badwords"
> acl restrictedsites url_regex "/etc/squid/sites.restricted"
> acl avsites url_regex "/etc/squid/sites.av_server"
> no_cache deny QUERY YIM_ports YIM_domains YIM_hosts YIM_methods

Huh?
That simplifies down to: cache allow all.

Because: QUERY requires pieces of a URL which are not available in
YIM_methods (CONNECT) requests.

"no_cache deny" has been renamed "cache deny"

Therefor the entire rule will never match anything. So squid will drop
down to the default action in absence of other storage rules.

>
> http_access deny big
> http_access deny badwords all
> http_access deny notallowed all
>
> http_access allow ajen !restrictedsites
> http_access allow our_networks !restrictedsites
>
>
> http_access allow localhost
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
>
>
>
>
> and the access log (able to login):
>
> 1245319919.205 1229 192.168.1.21 TCP_MISS/200 188 GET http://httpvcs1.msg.yahoo.com/capacity - DIRECT/216.155.194.34 text/plain
> 1245319921.463 2224 192.168.1.21 TCP_MISS/200 193 GET http://httpvcs1.msg.yahoo.com/capacity - DIRECT/216.155.194.34 text/plain
> 1245319921.682 2431 192.168.1.21 TCP_MISS/200 192 GET http://httpvcs2.msg.yahoo.com/capacity - DIRECT/98.136.112.56 text/plain
> 1245319925.284 3796 192.168.1.21 TCP_MISS/200 2170 CONNECT 216.155.194.223:443 - DIRECT/216.155.194.223 -
> 1245319930.641 5321 192.168.1.21 TCP_MISS/200 2444 CONNECT login.yahoo.com:443 - DIRECT/66.163.169.186 -
> 1245319935.925 5260 192.168.1.21 TCP_MISS/200 3096 CONNECT login.yahoo.com:443 - DIRECT/66.163.169.186 -
> 1245319939.204 3251 192.168.1.21 TCP_MISS/200 11953 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319944.924 759 192.168.1.21 TCP_DENIED/403 1382 POST http://app.sweetim.com/sweetim/dispatcher - NONE/- text/html
> 1245319945.657 6318 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319946.061 6670 192.168.1.21 TCP_MISS/200 648 GET http://msgr.updates.yahoo.com/vitality_proxy/V1/getEvents? - DIRECT/98.137.44.106 application/xml
> 1245319946.292 2127 192.168.1.21 TCP_MISS/200 3779 GET http://insider.msg.yahoo.com/ycontent/? - DIRECT/209.191.120.30 text/xml
> 1245319951.645 12440 192.168.1.21 TCP_MISS/200 5837 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319951.645 7480 192.168.1.21 TCP_MISS/200 2868 GET http://insider.msg.yahoo.com/client_ad.php? - DIRECT/68.142.231.252 text/html
> 1245319951.714 7549 192.168.1.21 TCP_MISS/200 19423 GET http://address.yahoo.com/yab/us? - DIRECT/209.191.93.51 text/xml
> 1245319952.937 6627 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319953.704 7114 192.168.1.21 TCP_MISS/200 648 GET http://msgr.updates.yahoo.com/vitality_proxy/V1/getEvents? - DIRECT/98.137.44.106 application/xml
> 1245319956.195 3508 192.168.1.21 TCP_MISS/200 426 GET http://us.bc.yahoo.com/b? - DIRECT/203.84.204.69 image/gif
> 1245319956.913 12748 192.168.1.21 TCP_MISS/502 1248 POST http://216.155.194.223/ - DIRECT/216.155.194.223 text/html
> 1245319957.083 5438 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319958.913 2589 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.223/ - DIRECT/216.155.194.223 -
> 1245319959.962 14 192.168.1.21 TCP_DENIED/403 1382 POST http://app.sweetim.com/sweetim/dispatcher - NONE/- text/html
>
>
>
> another log , when cant login :
>
> 1245320691.956 994 192.168.1.21 TCP_MISS/200 188 GET http://httpvcs1.msg.yahoo.com/capacity - DIRECT/216.155.194.34 text/plain
> 1245320695.586 3589 192.168.1.21 TCP_MISS/200 193 GET http://httpvcs1.msg.yahoo.com/capacity - DIRECT/216.155.194.34 text/plain
> 1245320698.425 6431 192.168.1.21 TCP_MISS/200 192 GET http://httpvcs2.msg.yahoo.com/capacity - DIRECT/98.136.112.56 text/plain
> 1245320701.363 4811 192.168.1.21 TCP_MISS/200 1740 CONNECT 216.155.194.144:443 - DIRECT/216.155.194.144 -
> 1245320706.303 4906 192.168.1.21 TCP_MISS/200 1351 CONNECT 216.155.194.144:443 - DIRECT/216.155.194.144 -
> 1245320710.235 3917 192.168.1.21 TCP_MISS/200 2173 CONNECT 216.155.194.144:443 - DIRECT/216.155.194.144 -
> 1245320714.197 3921 192.168.1.21 TCP_MISS/200 2516 CONNECT login.yahoo.com:443 - DIRECT/66.163.169.186 -
> 1245320717.582 3352 192.168.1.21 TCP_MISS/200 3152 CONNECT login.yahoo.com:443 - DIRECT/66.163.169.186 -
> 1245320721.785 4200 192.168.1.21 TCP_MISS/200 11699 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320722.468 15 192.168.1.21 TCP_DENIED/403 1382 POST http://app.sweetim.com/sweetim/dispatcher - NONE/- text/html
> 1245320727.972 6054 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320733.350 11527 192.168.1.21 TCP_MISS/200 5182 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320734.245 6273 192.168.1.21 TCP_MISS/200 3779 GET http://insider.msg.yahoo.com/ycontent/? - DIRECT/68.142.231.252 text/xml
> 1245320734.441 12421 192.168.1.21 TCP_MISS/200 648 GET http://msgr.updates.yahoo.com/vitality_proxy/V1/getEvents? - DIRECT/66.196.106.31 application/xml
> 1245320739.315 5901 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320739.315 5901 192.168.1.21 TCP_MISS/200 684 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320739.315 11343 192.168.1.21 TCP_MISS/200 648 GET http://msgr.updates.yahoo.com/vitality_proxy/V1/getEvents? - DIRECT/66.196.106.31 application/xml
> 1245320739.315 11343 192.168.1.21 TCP_MISS/200 672 GET http://address.yahoo.com/yab/us? - DIRECT/209.191.93.51 text/xml
> 1245320739.315 11343 192.168.1.21 TCP_MISS/200 2869 GET http://insider.msg.yahoo.com/client_ad.php? - DIRECT/68.180.219.51 text/html
> 1245320739.315 11343 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320739.440 124 192.168.1.21 TCP_DENIED/403 1382 POST http://app.sweetim.com/sweetim/dispatcher - NONE/- text/html
> 1245320741.805 7264 192.168.1.21 TCP_MISS/200 648 GET http://msgr.updates.yahoo.com/vitality_proxy/V1/getEvents? - DIRECT/66.196.106.31 application/xml
>
> ( logged in, then kicked out )
>
> 1245320742.490 3174 192.168.1.21 TCP_MISS/200 231 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320742.960 3520 192.168.1.21 TCP_MISS/200 684 POST http://216.155.194.144/ - DIRECT/216.155.194.144 -
> 1245320744.007 3914 192.168.1.21 TCP_MISS/200 426 GET http://us.bc.yahoo.com/b? - DIRECT/203.84.204.124 image/gif
> 1245320745.023 3393 192.168.1.21 TCP_MISS/200 188 GET http://httpvcs1.msg.yahoo.com/capacity - DIRECT/216.155.194.34 text/plain
>
>

The only thing that stands out is that you have configured a number of
yahoo domains for IM access. But the 403 login failures are happening on
connections to app.sweetim.com

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Thu Jun 18 2009 - 11:36:23 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 18 2009 - 12:00:04 MDT