Re: [squid-users] Windows RDS Gateway with Squid 3.3.5

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Jul 2013 09:31:43 +1200

On 3/07/2013 2:36 a.m., Stan2k wrote:
> Hello Everybody
>
> Here is the infrastructure I want:
>
> Client => Internet => Squid => RDS Gateway => VM
>
> Here is my configuration:
>
> https_port public_name:443 accel cert=/etc/ssl/private/servercert.pem
> key=/etc/ssl/private/serverkey.pem cafile=/etc/ssl/private/intermediate.pem
> capath=/etc/ssl/private/ defaultsite=parentserver.domain.qh version=1
>
>
> cache_peer parentservername parent 443 0 no-query originserver ssl
> sslcert=/etc/ssl/private/servercert.crt.pem
> sslkey=/etc/ssl/private/serverkey.pem sslcapath=/etc/ssl/private/
> login=PASSTHRU connection-auth=on ssloptions=ALL name=gateway
> sslflags=DONT_VERIFY_PEER front-end-https=on no-digest
>
>
> acl RDS dstdomain parentservername
>
> cache_peer_access gateway allow all
> #cache_peer_access gateway deny all
>
> http_access allow all

Congratulations, you have an open proxy. Expect its IP address to be
firewalled and blocked by various networks around the world in the next
few days, if not already.

Please follow the guidelines for reverse proxy configuration:

Namely that cache_peer_access and http_access restrict allowed requests
based on the explicit dstdomain (FQDN) which your peer accepts. If that
is not possible, at least retain the CONNECT security rules and add these
ones, which will permit unlimited relay through the peer but nowhere else
(still not great, but better than "http_access allow all" as the sole
security control):
  always_direct deny all
  never_direct allow all

> miss_access allow all

Regarding "miss_access" if you are not going to configure any deny rules
for it just remove it from your config file entirely. The default is
"allow all".

> As you can see all is open but I have a problem.
> My configuration didn't work, but yesterday I managed to log in 3 times from
> the office.
> Ten minutes later I could no longer log on to the machine.
> I tried to log on at home last night and this morning and it worked. But now
> nobody can connect to the gateway.
>
> You can see the log when I could connect:
>
> 1372701961.331 79301 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -

This is followup from a previous connection (which got PINNED).

> 1372702018.639 8 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain

Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.

> 1372702018.735 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain

Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.

> 1372702025.441 6780 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -

Failed request. Squid relayed it to the peer. The client disconnected
after 6.8 seconds and before the peer response could be relayed out to it.

> 1372702025.441 6686 public_ip_client TCP_MISS_ABORTED/200 7319
> RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? -
> PINNED/private_parentserver_ip application/rpc

Failed request. Squid relayed it to the peer. The peer processed it and
responded 200 OK with some data. The client disconnected after 6.7
seconds and before the peer response could be fully relayed out to it
(only 7319 bytes delivered out of an unknown amount greater than 7319).

> 1372702506.635 8 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain

Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.

> 1372702506.728 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain

Successful request. The peer responded 401 auth-required. Squid
delivered that to the client.

> 1372702514.727 7963 public_ip_client TCP_MISS_ABORTED/200 103543
> RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? -
> PINNED/private_parentserver_ip application/rpc

Failed request. Squid relayed it to the peer. The peer processed it and
responded 200 OK with some data. The client disconnected after 6.7
seconds and before the peer response could be fully relayed out to it
(only 103KB delivered).

> 1372702514.728 8074 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372703139.182 11 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372703139.295 8 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372703146.054 6851 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372703146.054 6709 public_ip_client TCP_MISS_ABORTED/200 7319
> RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? -
> PINNED/private_parentserver_ip application/rpc
> 1372706052.563 123 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372706052.687 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372706151.972 99259 public_ip_client TCP_MISS_ABORTED/200 14007
> RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? -
> PINNED/private_parentserver_ip application/rpc
> 1372706151.972 99385 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372709339.193 118 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372709339.329 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372709383.530 44313 public_ip_client TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip -
> 1372709383.532 44177 public_ip_client TCP_MISS/200 7319 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip
> application/rpc
> 1372710088.478 9 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372710088.584 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372710480.819 392320 public_ip_client TCP_MISS/502 4579 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip
> text/html
> 1372710480.819 392209 public_ip_client TCP_MISS/200 7231 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip
> application/rpc
> 1372744890.663 123 public_ip_client TCP_MISS/401 695 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372744890.772 7 public_ip_client TCP_MISS/401 695 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/private_parentserver_ip text/plain
> 1372745699.263 808576 public_ip_client TCP_MISS/502 4583 RPC_IN_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip
> text/html
> 1372745699.263 808466 public_ip_client TCP_MISS/200 7371 RPC_OUT_DATA
> https://public_name.com/rpc/rpcproxy.dll? - PINNED/private_parentserver_ip
> application/rpc

> Even when I could connect, you can see 401 and 502 errors

401 is not an error. It is an auth challenge. This is normal on new
connections when auth is required.
From the use of Pinning I deduce that you are using NTLM or Kerberos
connection-based authentication. NTLM at least requires several
exchanges of requests and 401/407 replies before login is completed; on
the 401 responses above which I have noted as "successful request", that
is what appears to be happening.

The large sign of problems is the ABORTED state of the
after-authentication responses, which indicates the client is abandoning
the connection without receiving all the data the peer delivered to Squid.

> The logs now:
>
> 1372768605.501 7 public_ip_client TCP_MISS/401 959 RDG_OUT_DATA
> https://public_name/remoteDesktopGateway/ -
> FIRSTUP_PARENT/private_parentserver_ip text/html
> 1372768605.663 1 public_ip_client TCP_MISS/502 4583 RDG_OUT_DATA
> https://public_name/remoteDesktopGateway/ - PINNED/private_parentserver_ip
> text/html

This 502 and the others are all being generated by the peer. As far as
Squid is concerned they are successful responses.

> I'm confused, can you tell me if my setup looks good and if there is an
> explanation?

It looks like it should be (and is) working. "Good" is another matter; see
the above comments about security.

The 401s are a result of the authentication method. Very probably normal.
  * Since this involves connections over the Internet it would be
worthwhile ensuring that the authentication in use is
Negotiate/Kerberos. NTLM is a *LAN* protocol with far too many problems
and inefficiencies for reliable use outside the LAN.
  * Those ABORTED are a worry. It would be worth finding out why the
close is happening.

The 502s are something going wrong on the peer server.
  * Check that server's logs for details (and this is the wrong place to
follow up on that).

Amos
Received on Tue Jul 02 2013 - 21:31:50 MDT
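Added example (not code from this thread, from Stan2k's setup or from Squid itself): a small Python reader for Squid's native access.log format that applies the same reading Amos gives each quoted line, so an operator can pick out the auth challenges, the ABORTED client disconnects and the peer-generated 5xx replies from a whole log rather than by eye. The five sample lines are constructed from the quoted ones; 203.0.113.10 (client) and 10.0.0.5 (peer) are placeholder addresses, and the field layout assumed is Squid's default native format (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type).

```python
"""Read Squid native-format access.log lines the way the reply above does.

Added example, not code from the thread or from Squid. The sample lines are
constructed from the quoted log; 203.0.113.10 (client) and 10.0.0.5 (peer)
are placeholder addresses.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: one of each kind of line that appears in the quoted log.
SAMPLE_LOG = """\
1372702018.639 8 203.0.113.10 TCP_MISS/401 695 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.0.0.5 text/plain
1372702025.441 6780 203.0.113.10 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 -
1372702025.441 6686 203.0.113.10 TCP_MISS_ABORTED/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 application/rpc
1372709383.532 44177 203.0.113.10 TCP_MISS/200 7319 RPC_OUT_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 application/rpc
1372710480.819 392320 203.0.113.10 TCP_MISS/502 4579 RPC_IN_DATA https://public_name.com/rpc/rpcproxy.dll? - PINNED/10.0.0.5 text/html
"""


@dataclass
class Entry:
    """One native-format access.log record (ten whitespace-separated fields)."""
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # Squid result code, e.g. TCP_MISS or TCP_MISS_ABORTED
    status: int        # HTTP status sent to the client; 0 when none was sent
    bytes_sent: int    # bytes delivered to the client, headers included
    method: str
    url: str
    hierarchy: str     # how the reply was obtained, e.g. FIRSTUP_PARENT or PINNED
    peer: str          # peer address, or "-" when Squid answered by itself
    content_type: str


def parse_line(line: str) -> Entry:
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result, status = fields[3].split("/", 1)
    hierarchy, peer = fields[8].split("/", 1)
    return Entry(float(fields[0]), int(fields[1]), fields[2], result, int(status),
                 int(fields[4]), fields[5], fields[6], hierarchy, peer, fields[9])


def parse_log(log_text: str) -> List[Entry]:
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def classify(e: Entry) -> str:
    """Apply the reading given in the reply to a single record."""
    if e.result.endswith("_ABORTED"):
        # The client closed its connection before Squid finished relaying the reply;
        # status 0 means nothing at all reached the client.
        return "client-abort-no-reply" if e.status == 0 else "client-abort-partial-reply"
    if e.status in (401, 407):
        # Not an error: an auth challenge, expected on new connections when
        # connection-oriented auth (NTLM/Negotiate) is in use.
        return "auth-challenge"
    if 500 <= e.status <= 599:
        # A 5xx that arrived through a peer was generated by that peer, not by Squid.
        return "peer-error" if e.peer != "-" else "proxy-error"
    return "ok"


def summarize(log_text: str) -> Dict[str, int]:
    """Count records per classification: the first figure an operator wants."""
    counts: Dict[str, int] = {}
    for e in parse_log(log_text):
        kind = classify(e)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def describe(e: Entry) -> str:
    """One-line reading of a record: what happened, how long it took, how much got out."""
    return (f"{e.method:<12} {e.hierarchy:<14} {e.status:03d} "
            f"{e.elapsed_ms / 1000:7.1f}s {e.bytes_sent:>8}B  {classify(e)}")


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(describe(entry))
    print(summarize(SAMPLE_LOG))
```

Run against a real access.log, a rising count of client-abort entries on the RPC_IN_DATA/RPC_OUT_DATA pair is the pattern the reply flags as the real worry, while a steady trickle of auth-challenge entries on fresh connections is the expected shape of NTLM or Negotiate traffic. A 5xx classified as peer-error is something to chase on the origin server, not in Squid.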
