[squid-users] RE: Debian squeeze v6.0 and squid 3.1.11 help fixing

Hi my name is Shawn Caron I am havving issues with the new squid
3.1.11. I cant get my laptop to download any updates from with in squid
3.1.11. I have digest auth installed working correctly for web browsers
only. But when i try to update the laptop through aptitude using a sh
script i cant get it to connect to the update servers like, debian.org
or ubuntu.org for package updates. Also when i am at school at
davenport university in lansing michigan their blackboard system uses
ice java plugin and when i cannect through my remote proxy using
astrada firewill i will get a username and password box asking for my
user name and password. And if i dont type in the correct information
and cancel the promt the browser will lock up and i have to restart the
browser. Can any one provide the answers on this. Or do i have to
switch to a different auth scheem to make this work with both the
browsers and aptitude and apt-get. I can attach my squid.conf file if
needed. and also the update script also,

My primary goals is the have the most secure connection and block all
port 80,443 going out. Also i want to allow only certian mac address to
bypass squid for updates only and not allow any web bassed traffic out
with out it going through the quid proxy first.

Also i want to be able to have vpn access remotely from out side- into
my home network. For that i use kvpnc and astrado firewall. I have had
issues with the connections using kvpnc and not been able to get a
completed connection to the drop off point inside the network.

Here is the squid.comf Currently working on squid3 version 3.1.11

#Authorization
auth_param digest program /usr/lib/squid3/digest_pw_auth
-c /etc/squid3/auth/digest/authlist
auth_param digest nonce_garbage_interval 24 hours
auth_param digest nonce_max_duration 24 hours
auth_param digest nonce_max_count 50
auth_param digest children 5
auth_param digest realm Secured Proxy Server Authenication Required
authenticate_cache_garbage_interval 24 hour
authenticate_ttl 24 hour

#auth_parm basic program /usr/lib/squid3/ncsa_auth /etc/squid3/userpass

# ACL Lists
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl safe port 21 80
acl sslports port 22 441 443 465 587 631 995 8001
acl http proto http
acl ftp proto ftp
acl updateports port 21 80
acl updates
dstdomain .debian.org .microsoft.com .symantec.com .windowsupdate.com .database.clamav.net .ubuntu.org
acl Authorized-worstations src "/etc/squid3/workstations"
acl Authorized-servers src "/etc/squid3/servers"
acl Authorized-wireless src "/etc/squid3/wireless"
acl Authorized-proxy src "/etc/squid3/proxy"
acl Authorized-pfsense src "/etc/squid3/pfsense"
acl webmin src "/etc/squid3/webmin"
acl purge method purge
acl Authorization-admins proxy_auth REQUIRED
acl Authorization-users proxy_auth REQUIRED
acl internal port 8080 8081 8118 10000 57310 57311 7001

acl bad_url url_regex "/etc/squid3/bad-sites.acl"
#acl localnet 10.2.2.254/24 10.2.2.11/24 10.2.2.10/24 10.2.2.9/24
10.2.2.134/24

# HTTP ACCESS
# Only allow cachemgr access from localhost
http_access allow http updateports updates
http_access allow ftp updateports updates
http_access allow Authorization-admins Authorization-users

http_access allow safe sslports internal
http_access allow localhost
http_access allow manager localhost
http_access allow CONNECT webmin Authorized-pfsense updateports updates
http_access allow Authorized-worstations
http_access allow Authorized-servers
http_access allow Authorized-wireless
http_access allow Authorized-proxy
http_access allow Authorized-pfsense
http_access allow webmin
#http_access localnet
http_access allow Authorization-admins Authorization-users
http_access deny all

http_reply_access allow Authorization-users
http_reply_access allow Authorization-admins

#Allow ICP queries from local networks only
icp_access allow Authorized-worstations Authorized-wireless
icp_access deny all

#Allow HTCP queries from local networks only
htcp_access deny all

# Squid normally listens to port 3128
#http_port 127.0.0.1:23654
http_port 10.2.2.3:56754 intercept
http_port 10.2.2.4:23654 intercept
#http_port 10.3.3.1:23654

# MISC SETTINGS

hierarchy_stoplist cgi-bin ?
cache_mem 7 MB
maximum_object_size_in_memory 100 mb
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 1000 16 256
max_open_disk_fds 10
minimum_object_size 1000 mb
maximum_object_size 1 GB
no_cache allow internal

#LOG

#ACCESS LOG

access_log /var/log/squid3/access.log
cache_store_log none
#logfile_rotate 0

#emulate_httpd_log on
emulate_httpd_log on

log_ip_on_direct on

pid_filename /var/run/squid3.pid

strip_query_terms on

# OPTIONS FOR FTP GATEWAYING
ftp_list_width 50
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
unlinkd_program /usr/lib/squid3/unlinkd

# OPTIONS FOR URL REWRITING
#url_rewrite_children 2
#url_rewrite_children 2
#url_rewrite_concurrency 0
url_rewrite_host_header on
url_rewrite_bypass off

# OPTIONS FOR TUNING THE CACHE
#
-----------------------------------------------------------------------------
#Suggested default:
refresh_pattern ^ftp: 1440 5% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
refresh_pattern . 0 20% 4320 refresh-ims

hierarchy_stoplist cgi-bin ?

#Default:

#Default:
read_ahead_gap 30 MB

#negative_ttl 5 minute
#positive_dns_ttl 24 hour

range_offset_limit 0 KB

minimum_expiry_time 60 seconds
store_avg_object_size 100 KB

# HTTP OPTIONS
#
-----------------------------------------------------------------------------

#Default:
#request_header_max_size 100 KB

#Default:
#read_timeout 15 minute
#read_timeout 24 hour

#Default:
# request_timeout 5 minutes
#request_timeout 24 hour

# shutdown_lifetime 30 seconds
shutdown_lifetime 0 second

#Default:
cache_effective_user proxy
#
#Default:
httpd_suppress_version_string on

#Default:
# visible_hostname localhost
visible_hostname Secured_Proxy_Server_Authorization_Required

#
#Default:
digest_bits_per_entry 5

#
#Default:
digest_rebuild_period 24 hour

digest_rewrite_period 24 hour

#digest_swapout_chunk_size 4096 bytes

#Default:
digest_rebuild_chunk_percentage 10

#
#Default:
udp_outgoing_address 0.0.0.0

#Default:
# prefer_direct off

# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
# never_direct is the opposite of always_direct. Please read
# the description for always_direct if you have not already.
#
# With 'never_direct' you can use ACL elements to specify
# requests which should NEVER be forwarded directly to origin
# servers. For example, to force the use of a proxy for all
# requests, except those in your local domain use something like:
#
# acl local-servers dstdomain .foo.net
# never_direct deny local-servers
# never_direct allow all
#
# or if Squid is inside a firewall and there are local intranet
# servers inside the firewall use something like:
#
# acl local-intranet dstdomain .foo.net
# acl local-external dstdomain external.foo.net
# always_direct deny local-external
# always_direct allow local-intranet
# never_direct allow all
#
# This option replaces some v1.1 options such as inside_firewall
# and firewall_ip.
#
#Default:
never_direct allow localhost

#always_direct allow Authorized-pfsense Authorized-wireless
always_direct allow updates

#cache_dns_program /usr/lib/squid3/dnsserver
#dns_children 5

#dns_retransmit_interval 5 seconds
#dns_timeout 2 minutes
#dns_nameservers 10.2.2.3

dns_defnames on

hosts_file /etc/hosts

append_domain .CA

ignore_unknown_nameservers on

ipcache_size 10000
ipcache_low 30
ipcache_high 50

memory_pools_limit 1000 KB

retry_on_error on

uri_whitespace strip

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

pipeline_prefetch on

windows_ipaddrchangemonitor on

redirect_children 1
unique_hostname Secured_Proxy_Server_Authorization_Required
cache_effective_group proxy
#fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)

cache_peer localhost parent 8081 0

url_rewrite_program /usr/bin/adzapper.wrapper
url_rewrite_children 2

#ssl_unclean_shutdown on

icp_query_timeout 10
mcast_icp_query_timeout 10
half_closed_clients off

server_persistent_connections off
client_persistent_connections on

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

tcp_outgoing_address 0.0.0.0
client_lifetime 24 hour
announce_period 2 day
#reference_age 24 hour
log_icp_queries off
memory_pools off
authenticate_ip_ttl 48 hour

Here is the user.sh script i use to create users account and passwords
for squid 3.1.11 on debia 6.0

#!/bin/sh
echo -e " Must use >> before output file"
echo ""
 
user=$1
pass=$2
realm=$3
 
if [ -z "$1" -o -z "$2" -o -z "$3" ] ; then
        echo "Usage: $0 user password 'realm'";
        exit 1
fi
 
ha1=$(echo -n "$user:$realm:$pass"|md5sum |cut -f1 -d' ')
echo "$user:$realm:$ha1"

Also here is my iptables.up.rules.squidnewmods

*nat
:PREROUTING ACCEPT [813:49625]
:POSTROUTING ACCEPT [99:5940]
:OUTPUT ACCEPT [272:16321]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m
multiport --dports 80,21,443 -j DNAT --to-destination 10.2.2.3:23654 -A
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport
--dports 80,21,443 -j DNAT --to-destination 10.2.2.3:56754
-A POSTROUTING -o eth0 -j MASQUERADE

Any help will be greatly accepted.

Thanks

Shawn
Received on Sun Feb 20 2011 - 16:57:39 MST