Re: [squid-users] RE: Debian squeeze v6.0 and squid 3.1.11 help fixing

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Feb 2011 11:33:11 +1300

 On Sun, 20 Feb 2011 11:57:28 -0500, Shawn wrote:
> Hi my name is Shawn Caron. I am having issues with the new squid
> 3.1.11. I can't get my laptop to download any updates from within squid
> 3.1.11. I have digest auth installed and working correctly for web browsers
> only. But when I try to update the laptop through aptitude using a sh
> script I can't get it to connect to the update servers like debian.org
> or ubuntu.org for package updates. Also when I am at school at
> Davenport University in Lansing, Michigan their Blackboard system uses
> the ice Java plugin and when I connect through my remote proxy using the
> Astrada firewall I will get a username and password box asking for my
> user name and password. And if I don't type in the correct information
> and cancel the prompt the browser will lock up and I have to restart the
> browser. Can anyone provide the answers on this? Or do I have to
> switch to a different auth scheme to make this work with both the
> browsers and aptitude and apt-get. I can attach my squid.conf file if
> needed, and also the update script.
>
> My primary goal is to have the most secure connection and block all
> port 80,443 going out. Also I want to allow only certain MAC addresses to
> bypass squid for updates only and not allow any web based traffic out
> without it going through the squid proxy first.

 AFAIK, the software you have listed in the updaters list does not support
 secure authentication. WindowsUpdate at least requires NO authentication
 for it to work properly. Apt on debian-based OS has Basic support, but I
 can't find anything on Digest.

>
>
> Also I want to be able to have VPN access remotely from outside into
> my home network. For that I use kvpnc and the Astrado firewall. I have
> had issues with the connections using kvpnc and have not been able to get a
> completed connection to the drop off point inside the network.
>
>
> Here is the squid.conf. Currently working on squid3 version 3.1.11
>
> #Authorization
> auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/auth/digest/authlist
> auth_param digest nonce_garbage_interval 24 hours
> auth_param digest nonce_max_duration 24 hours
> auth_param digest nonce_max_count 50
> auth_param digest children 5
> auth_param digest realm Secured Proxy Server Authenication Required
> authenticate_cache_garbage_interval 24 hour
> authenticate_ttl 24 hour
>
>
> #auth_parm basic program /usr/lib/squid3/ncsa_auth /etc/squid3/userpass
>
>
> # ACL Lists
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32

 New 3.1 definition:
    acl localhost src 127.0.0.1 ::1

> acl to_localhost dst 127.0.0.0/8

 New 3.1 definition:
     acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

> acl CONNECT method CONNECT
> acl safe port 21 80
> acl sslports port 22 441 443 465 587 631 995 8001
> acl http proto http
> acl ftp proto ftp
> acl updateports port 21 80
> acl updates dstdomain .debian.org .microsoft.com .symantec.com .windowsupdate.com .database.clamav.net .ubuntu.org
> acl Authorized-worstations src "/etc/squid3/workstations"
> acl Authorized-servers src "/etc/squid3/servers"
> acl Authorized-wireless src "/etc/squid3/wireless"
> acl Authorized-proxy src "/etc/squid3/proxy"
> acl Authorized-pfsense src "/etc/squid3/pfsense"
> acl webmin src "/etc/squid3/webmin"
> acl purge method purge
> acl Authorization-admins proxy_auth REQUIRED
> acl Authorization-users proxy_auth REQUIRED
> acl internal port 8080 8081 8118 10000 57310 57311 7001
>
> acl bad_url url_regex "/etc/squid3/bad-sites.acl"
> #acl localnet 10.2.2.254/24 10.2.2.11/24 10.2.2.10/24 10.2.2.9/24 10.2.2.134/24
>
> # HTTP ACCESS
> # Only allow cachemgr access from localhost
> http_access allow http updateports updates
> http_access allow ftp updateports updates
> http_access allow Authorization-admins Authorization-users

 So.. if someone is logged in as BOTH an admin and a user
 simultaneously? um yeah.

 It's a good thing that those names are wrongly describing what those
 ACL tests do. Both ACLs only check that valid credentials are given. Not
 what type they are.

 You can remove either Authorization-admins or Authorization-users
 completely with no effect on your access situation. It's also probably
 best to rename the one you keep as "authenticated" or a similar generic
 description to avoid future confusion.

>
> http_access allow safe sslports internal

 This is also not working as intended. The port cannot be a member of
 three non-overlapping value sets.

> http_access allow localhost
> http_access allow manager localhost
> http_access allow CONNECT webmin Authorized-pfsense updateports updates

 The location of this below the auth line is part of the problem.
 Windows Update and maybe the others will be bouncing off the
 "http_access allow Authorization-admins" test when they try to get
 https:// files.

> http_access allow Authorized-worstations
> http_access allow Authorized-servers
> http_access allow Authorized-wireless
> http_access allow Authorized-proxy
> http_access allow Authorized-pfsense

 Hint: given that these are all of the same "src" type, AND that most of
 them are not needed for special things, you could collapse a few of these
 ACLs down to one name. It is possible to load several files (one for
 workstations, one for wireless, etc) into one ACL name as long as the
 ACL type is identical.

> http_access allow webmin
> #http_access localnet
> http_access allow Authorization-admins Authorization-users
> http_access deny all
>
> http_reply_access allow Authorization-users
> http_reply_access allow Authorization-admins

 This kind of defeats the main purpose of authentication. By the time
 the remote server has been contacted and sent the request data then
 produced its reply and sent it back it is FAR too late to safely ask for
 user credentials.

 NOTE: this is likely also part of your problem with updaters. Since the
 http_access you carefully defined before the auth challenge will get
 past that request challenge and hit this reply one instead anyway.

 Define your http_access with care and extra reply-time checks are
 usually not needed.

>
> #Allow ICP queries from local networks only
> icp_access allow Authorized-worstations Authorized-wireless

 Without seeing the content of the Authorized-worstations and
 Authorized-wireless lists I suspect this may be another case of the machine
 being checked against non-overlapping lists of values. ICP (and HTCP)
 are only used between proxy peers. If you see this coming from client
 workstations it means somebody is using a local proxy of their own,
 usually to evade your controls. It's a good idea to find out why.

> icp_access deny all
>
> #Allow HTCP queries from local networks only
> htcp_access deny all

 There is no "htcp_access allow" anywhere above this. So HTCP is denied
 always. The default in squid-3 is not to even have the port opened. So
 this can go unless you want to add those settings to enable HTCP
 properly.

>
>
> # Squid normally listens to port 3128
> #http_port 127.0.0.1:23654
> http_port 10.2.2.3:56754 intercept
> http_port 10.2.2.4:23654 intercept
> #http_port 10.3.3.1:23654
>
>
> # MISC SETTINGS
>
> hierarchy_stoplist cgi-bin ?
> cache_mem 7 MB
> maximum_object_size_in_memory 100 mb

 Um, memory space is only 7MB but you want to store 100MB objects there?
 Problem coming.

> memory_replacement_policy lru
> cache_replacement_policy heap LFUDA
> cache_dir ufs /var/spool/squid3 1000 16 256

 1000 MB of disk space to back that up...

> max_open_disk_fds 10
> minimum_object_size 1000 mb

 ? so global override over the buggered memory settings anyway. Nothing
 smaller than 1000 MB will be stored by this proxy.

 So... with 1000 MB of disk space and nothing smaller than 1000 MB
 allowed to be stored...

> maximum_object_size 1 GB

 ? and nothing over 1024 MB will be stored either. That is a very
 strangely tuned band of storeable content. Why?

> no_cache allow internal

 Remove the "no_" part of this line.

>
> #LOG
>
> #ACCESS LOG
>
> access_log /var/log/squid3/access.log
> cache_store_log none
> #logfile_rotate 0
>
> #emulate_httpd_log on
> emulate_httpd_log on

 Remove emulate. If you actually need the apache format use this instead
 on the above log line:

    access_log /var/log/squid3/access.log common

>
> log_ip_on_direct on
>
> pid_filename /var/run/squid3.pid
>
> strip_query_terms on
>
> # OPTIONS FOR FTP GATEWAYING
> ftp_list_width 50
> ftp_passive on
> ftp_sanitycheck on
> ftp_telnet_protocol on
>
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> unlinkd_program /usr/lib/squid3/unlinkd
>

 Default setting. You can remove unlinkd_program.

>
> # OPTIONS FOR URL REWRITING
> #url_rewrite_children 2
> #url_rewrite_children 2
> #url_rewrite_concurrency 0
> url_rewrite_host_header on
> url_rewrite_bypass off
>
>
> # OPTIONS FOR TUNING THE CACHE
> #
>
> -----------------------------------------------------------------------------
> #Suggested default:
> refresh_pattern ^ftp: 1440 5% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
> refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
> refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
> refresh_pattern Release$ 0 20% 4320 refresh-ims

 Add right here:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320 refresh-ims
>

 Not that refresh_pattern has any effect given the cache size limits
 above.
 The various patterns doing refresh-ims are not really needed for Debian
 anymore. Squid-3 obeys the caching headers the repo provides.

>
> #Default:
> # visible_hostname localhost
> visible_hostname Secured_Proxy_Server_Authorization_Required
>

 FQDN please. This is used as the base for

> #Default:
> never_direct allow localhost
>
> #always_direct allow Authorized-pfsense Authorized-wireless
> always_direct allow updates
>

>
> windows_ipaddrchangemonitor on

 Windows-only directive. Remove.

>
> redirect_children 1

 Rename this obsolete directive to:
   url_rewrite_children 1

 or, since its value is changed again later on, remove it completely.

> unique_hostname Secured_Proxy_Server_Authorization_Required
> cache_effective_group proxy
> #fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
>
> cache_peer localhost parent 8081 0
>
>
>
> url_rewrite_program /usr/bin/adzapper.wrapper
> url_rewrite_children 2
>
>
>
> #ssl_unclean_shutdown on
>
> icp_query_timeout 10
> mcast_icp_query_timeout 10
> half_closed_clients off
>
> server_persistent_connections off

 Why? 3.1 handles persistent connections nicely now and they are
 close to required for HTTP/1.1 support.

 <snip>
>
>
> tcp_outgoing_address 0.0.0.0

 This hack is no longer required for 3.1.7+, and is very probably why
 debian.org (an IPv6-enabled website) is not working for you.

 Amos
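As an added example (not part of this thread or of Squid itself), a small Python model of how Squid evaluates http_access, run over an abridged version of Shawn's rules to make two of the points above concrete: the CONNECT line for the update sites sits below the proxy_auth line, so an unauthenticated updater is challenged before it ever reaches it, and the line "safe sslports internal" can never match. Modelled semantics: ACLs on one line are ANDed left to right, lines are tried top down, the first fully matching line decides, and a proxy_auth ACL reached without credentials produces a 407 challenge. The port and domain values are taken from the quoted squid.conf; the request dictionaries and the single "authenticated" ACL name (standing in for Authorization-admins/-users) are constructed.

```python
# Added example: a model of Squid http_access evaluation for Shawn's config.
# ACL port/domain values are taken from the quoted squid.conf; the requests
# and the simplified ACL name "authenticated" are constructed for illustration.
SAFE = {21, 80}                                          # acl safe / updateports
SSLPORTS = {22, 441, 443, 465, 587, 631, 995, 8001}     # acl sslports
INTERNAL = {8080, 8081, 8118, 10000, 57310, 57311, 7001}  # acl internal
UPDATES = (".debian.org", ".microsoft.com", ".windowsupdate.com", ".ubuntu.org")

ACLS = {
    "http":          lambda r: r["proto"] == "http",
    "CONNECT":       lambda r: r["method"] == "CONNECT",
    "updateports":   lambda r: r["port"] in SAFE,
    "updates":       lambda r: r["host"].endswith(UPDATES),
    "safe":          lambda r: r["port"] in SAFE,
    "sslports":      lambda r: r["port"] in SSLPORTS,
    "internal":      lambda r: r["port"] in INTERNAL,
    "authenticated": lambda r: r["user"] is not None,     # proxy_auth REQUIRED
    "all":           lambda r: True,
}
AUTH_ACLS = {"authenticated"}  # Authorization-admins and -users are this one test

SHAWN = [  # Shawn's http_access lines in their original order, abridged
    ("allow", ["http", "updateports", "updates"]),
    ("allow", ["authenticated"]),                  # admins AND users: same test
    ("allow", ["safe", "sslports", "internal"]),   # three disjoint port sets
    ("allow", ["CONNECT", "updateports", "updates"]),
    ("deny",  ["all"]),
]

def http_access(rules, req):
    """Return (verdict, index of the deciding line); verdict is allow/deny/challenge."""
    for i, (action, names) in enumerate(rules):
        for name in names:
            if name in AUTH_ACLS and req["user"] is None:
                return "challenge", i              # Squid answers 407 at this line
            if not ACLS[name](req):
                break                              # AND failed: try the next line
        else:
            return action, i
    return "deny", None                            # nothing matched

def dead_port_line():
    """Ports that could satisfy 'safe sslports internal' at once (there are none)."""
    return SAFE & SSLPORTS & INTERNAL

# Constructed requests: apt over plain http, an unauthenticated Windows Update
# client opening a CONNECT tunnel for an https:// URL, and a logged-in browser.
APT = {"method": "GET", "proto": "http", "host": "ftp.debian.org", "port": 80, "user": None}
WU = {"method": "CONNECT", "proto": None, "host": "www.windowsupdate.com", "port": 443, "user": None}
BROWSER = dict(WU, host="www.example.net", user="shawn")
```

Running http_access(SHAWN, WU) returns the challenge at line 1, the proxy_auth line, before the CONNECT line at index 3 is ever consulted, while http_access(SHAWN, APT) is allowed at line 0 without credentials, which is why the plain-http apt fetch is decided before any auth challenge.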
Received on Sun Feb 20 2011 - 22:33:15 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 21 2011 - 12:00:02 MST