Amos Jeffries | 25 Aug 05:13 2014

Re: Fwd: New to FreeBSD, Squid experiencing request loops

On 25/08/2014 2:22 p.m., orientalsniper wrote:
> nginx is serving as reverse proxy listening on 10.2.0.4-10.2.0.9 HTTP
> for some games patches.
> 
> pfSense serves as firewall and captive portal, among other services.
> 
> By NAT, I think you mean pfSense is doing it? pfSense is 10.0.0.1,
> 10.1.0.1 and 10.2.0.1.
> I have a NAT rule in pfSense to redirect all LAN2 HTTP traffic to
> 10.2.0.2 (port 3128).
> 

Great, that clarifies a lot.

The problem is that NAT is being done on a separate box from Squid. The
current Squid attempts to be as fully transparent as possible in
intercept/transparent mode. That includes ensuring the domain/IP the
client was contacting is actually the one Squid is using too - that is
mandatory due to CVE-2009-0801 issues.

With NAT on a separate box Squid only knows its own IP as the
destination. So on the outbound things get looped.

What you need to do to fix this is move the NAT rule changing port to
3128 onto the Squid VM. Have pfSense route port 80 traffic with 10.2.0.2
as the gateway router (policy routing) unless it came from 10.2.0.2 in
the first place.

After that your proxy should be usable. But there are some additional
security issues that need resolving as well:
(Continue reading)

orientalsniper | 25 Aug 02:37 2014

Fwd: New to FreeBSD, Squid experiencing request loops

Hello all, I'm having the same problem as this guy:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html

When I try to access a website I get an Access Denied by Squid message
and in the access.log I see I'm getting a forwarding loop error.

But we have a different network setup and he's using Ubuntu. I'm running Squid 3.4

I'm running 2 VMs: 1 for pfSense and the other for FreeBSD (nginx + squid)

I have the following network:
WAN1 + WAN2 in pfSense
10.0.0.1/24 (LAN1 in pfSense)
10.1.0.1/24 (LAN2 in pfSense)
10.2.0.1/24 (LAN3 in pfSense) ----> (connecting to nginx+squid[10.2.0.2] VM)

My squid.conf:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
(Continue reading)

Stakres | 24 Aug 00:26 2014

Heuristic Filter for Squid

Hi Guys,

We just released a new free tool for Squid:  Heuristic Filter for Squid
<https://sourceforge.net/projects/heuristicfilterforsquid/>  

You can specify the MaxScore for the block.
All details are in the  readme.txt
<http://sourceforge.net/projects/heuristicfilterforsquid/files/readme.txt/download>  

*Warning*:
The Heuristic Filter does not replace a traditional WebFilter (UfdbGuard,
SquidGuard, DansGuardian, etc...), the "Heuristic Filter" is a pro-active
tool for your "not-yet-classified" Adult/Porn websites.

Important:
- We provide the API for free; we cannot guarantee it'll work with your
Squid installation, that's why you must test on a separate Squid before
going to production.
- We do not compile statistics based on your requests and we do not share
data with Marketing teams or external companies, we also do not use your
data for our internal needs.
- If you are interested in a local implementation of our API in your
network, just drop us an email at support <at> unveiltech.com

Your feedback is still welcome...

Bye Fred

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Heuristic-Filter-for-Squid-tp4667361.html
(Continue reading)

Nicolás | 23 Aug 15:00 2014

Only checking URLs via Squid for SSL

Hi,

I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP, 
but I'd like to avoid caching HTTPS sites, and just determine whether 
the requested URL is listed as denied on Squid (via 'acl dstdom_regex' 
for instance), otherwise just make squid act as a proxy to the URL's 
content. Is that even possible without using SSL Bump? Otherwise, could 
you recommend the simplest way of achieving this?

Thanks

dxun | 23 Aug 04:34 2014

Filter squid cached files to multiple cache dirs

I am currently setting up a small home network - I've chosen to go with squid
proxy and I am wondering if it is possible to set up a single squid instance
with multiple cache_dirs so that different files (more precisely, files with
different sizes) end up on different cache_dirs?

The reason for this is that I'll be running squid as a VM on a machine with
semi-cannibalized hardware. I have a small SSD (which I'm hoping to use for
caching small, dynamic, very transient files such as web pages, small pics
and such) and a large, slow HDD (which I'd like to use for caching larger,
static content such as Windows updates, YouTube transfers, large pics and
the like).

This is my first foray into squid and it's only a small network so I would
like to avoid introducing complexities such as multiple squid instances or
hierarchical caches. Ideally, there would be a way to specify some simple
set of criteria that would place the given file either in cache dir A or
cache dir B.

I have sifted through SquidFAQ but I found nothing similar mentioned there
so I may have missed something really elemental.

How could this be done? Is there a pattern people use to cater for such
cases? Is it even necessary/advisable?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Filter-squid-cached-files-to-multiple-cache-dirs-tp4667347.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Stakres | 22 Aug 21:08 2014

Nudity Images Filter for Squid

Hi Guys,

We just released a new free tool for Squid:  Nudity Images Filter for Squid
<https://sourceforge.net/projects/nudityimagesfilterforsquid/>  

You can specify the MaxResol and the MaxScore for the block.
All details are in the  readme.txt
<http://sourceforge.net/projects/nudityimagesfilterforsquid/files/readme.txt/download>  

Important:
- We provide the API for free; we cannot guarantee it'll work with your
Squid installation, that's why you must test on a separate Squid before
going to production.
- We do not compile statistics based on your requests and we do not share
data with Marketing teams or external companies, we also do not use your
data for our internal needs.
- If you are interested in a local implementation of our API in your
network, just drop us an email at support <at> unveiltech.com

Your feedback is welcome...

Bye Fred

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Nudity-Images-Filter-for-Squid-tp4667345.html
Sent from the Squid - Users mailing list archive at Nabble.com.

babajaga | 22 Aug 12:48 2014

Anybody using squid on openWRT ?

Just trying to use the offic. package for openWRT, which is based on squid2.7
only.
I have run into some DNS issues. Does anybody use squid on openWRT, and
which squid version?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Anybody-using-squid-on-openWRT-tp4667335.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Melvin Williams | 22 Aug 12:00 2014

negotiate_wrapper returns asterisks

Hello, 

I hope someone can help me. I want to use squid for authentication and send the 
username to dansguardian. Here's the config of the authentication program:

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN 
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -d -s GSS_C_NO_NAME

I always get "negotiate_wrapper: Return 'AF = * username" where username is 
the currently logged in user. Where is this asterisk coming from? I can't map 
"* username" to dansguardian filter-groups. 

Thanks

Scott Finlon | 21 Aug 17:13 2014

Re: squid_kerb_ldap issues

Hi All,

I have squid_kerb_auth working and authenticating via my key tab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
gives a Preauthentication failed error and doesn't even make it in to AD,
full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the key tab file, but it works
appropriately with kerb auth just not kerb ldap. Any ideas?
I am going to try and make a key tab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott

Oleg Motienko | 21 Aug 13:02 2014

problem with squid-users maillist

Hello,

Due to DMARC policy of several domains some mail is blocked (see an
example below).

I suppose the maillist software (ezmlm) needs some tuning: it must
forward email to the list with its own sender address (  <at> squid-cache.org ).

An example:

------------------------------------------------------------------------------------------------------

Return-Path: <>
Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -0000
Date: 9 Aug 2014 15:48:22 -0000
From: MAILER-DAEMON <at> squid-cache.org
To: squid-users-return-123504- <at> squid-cache.org
Subject: failure notice

Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<motienko <at> gmail.com>:
74.125.142.27 failed after I sent the message.
Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is
not accepted due to domain's
550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
(Continue reading)
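As an added example (not code from the thread or from ezmlm), a Python sketch of the From: rewriting the post asks the list software to do: it reads the posting domain's DMARC policy and replaces From: with the list address only when that policy is reject or quarantine. The DMARC records and the addresses alice@yahoo.com, alice@example.org and squid-users@squid-cache.org are constructed assumptions; a real relay would look the record up as a TXT query for _dmarc.<domain>.

```python
from email.utils import formataddr, parseaddr
from typing import Dict, Optional

# Constructed DMARC records standing in for live _dmarc.<domain> TXT lookups.
# The yahoo.com entry mirrors the bounce in the post (p=reject); example.org
# publishes nothing. Values are illustrative, not fetched from DNS.
CONSTRUCTED_POLICIES: Dict[str, Optional[str]] = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "example.org": None,
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record: %r" % txt)
    return tags


def must_rewrite_from(dmarc_txt: Optional[str]) -> bool:
    """A relay that keeps the author's From: but sends from its own envelope
    address fails DMARC alignment; that only gets mail dropped when the
    domain asks receivers to reject or quarantine unaligned messages."""
    if dmarc_txt is None:
        return False
    return parse_dmarc(dmarc_txt).get("p", "none").lower() in ("reject", "quarantine")


def rewrite_from(from_header: str, list_addr: str) -> str:
    """Move the list address into From: and keep the author in the display name."""
    name, addr = parseaddr(from_header)
    list_name = list_addr.split("@", 1)[0]
    return formataddr(("%s via %s" % (name or addr, list_name), list_addr))


def relay_from(from_header: str, list_addr: str,
               policies: Dict[str, Optional[str]] = CONSTRUCTED_POLICIES) -> str:
    """Return the From: header the list should put on the redistributed copy."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if must_rewrite_from(policies.get(domain)):
        return rewrite_from(from_header, list_addr)
    return from_header
```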

Pavel Timofeev | 21 Aug 12:54 2014

Re: kerberos_ldap_group stopped working with subdomains

Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev <timp87 <at> gmail.com>:
> Hi!
> Please, help.
> I've been using squid 3.3.11 on FreeBSD 10 for a year.
> I have AD and kerberos authentication. Squid checks DenyInternet
> group membership through kerberos_ldap_group. My domain example.org
> has subdomains like south.example.org, west.example.org, etc. All
> users use proxy.example.org.
> Everything works fine. Here is config:
>
> auth_param negotiate program
> /usr/local/libexec/squid/negotiate_kerberos_auth -s
> HTTP/proxy.example.org <at> EXAMPLE.ORG
> auth_param negotiate children 100 startup=30 idle=5
> auth_param negotiate keep_alive
>
> external_acl_type no_inet_users ttl=3600 negative_ttl=3600
> children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
> DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass
>
> Now I'm trying to migrate to squid 3.4.6. Same config.
> I've encountered a problem that kerberos_ldap_group stopped working
> with subdomain users like user <at> south.example.org while it still works
> with user <at> example.org.
> In general it started to complain "ERROR: Error during setup of
> Kerberos credential cache" in cache.log.
> When I turn on the debug I'm getting this:
(Continue reading)
