Re: [squid-users] Squid without restrictions and problems with prezi

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 21 May 2014 19:39:32 +1200

On 21/05/2014 7:18 p.m., Trenta sis wrote:
> Hi,
>
> Thanks for your information. We are using ntlm auth, are TCP Denied ok
> in this log? In our log there are many TCP Denied 407 errors and I'm not
> sure if this is correct...

They are part of the authentication process on each new connection. Just
highly annoying and one of the reasons NTLM was formally deprecated and
replaced back in *2006* with Negotiate/Kerberos.

You can mitigate the amount of DENIED/407 happening by enabling
persistent connections to both clients and servers in your proxy and in as
much other software as you can.

>
> About second question, we need to use squid only as reporting tools,
> how can we ensure that squid doesn't apply any restriction and deny
> any connection? We only use squid to generate statistics with sarg.

In the squid.conf section labeled "INSERT YOUR OWN RULE(S) HERE TO ALLOW
ACCESS FROM YOUR CLIENTS" place your auth rule(s) in the form:

 http_access allow auth

Leave the default rules above and below that section as-is. There are
security policies enforced by those default rules which you really do
want the proxy to be protected by even if it's only reporting
traffic stats.

Amos

>
> Thanks
>
> 2014-05-20 18:32 GMT+02:00 Amos Jeffries:
>> On 21/05/2014 1:52 a.m., Trenta sis wrote:
>>> Hello,
>>>
>>> I have Debian Squeeze with squid3:
>>> ii sarg 2.3.1-1~bpo60+1 squid analysis report generator
>>> ii squid-langpack 20100628-1 Localized error pages for Squid
>>> ii squid3 3.1.6-1.2+squeeze2 A full featured Web Proxy cache (HTTP proxy)
>>> ii squid3-common 3.1.6-1.2+squeeze2 A full featured Web Proxy cache (HTTP proxy) - common files
>>>
>>>
>>> And we have some problems with some urls, for example there are users
>>> that have disconnections when they are editing prezi presentations, in
>>> the logs the error is:
>>>
>>> 1400591927.068 164 192.168.10.17 TCP_MISS/200 36175 GET http://cdn-a.prezi.com/bin/modules/imagesearch-bbc2d65a304a2344a4239bda263525a92e1eb21c.swf 32847 DIRECT/23.51.75.49 application/x-shockwave-flash
>>> 1400591927.173 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT s3.amazonaws.com:443 - NONE/- text/html
>>> 1400591927.179 0 192.168.10.17 TCP_DENIED/407 4048 CONNECT s3.amazonaws.com:443 - NONE/- text/html
>>> 1400591927.315 0 192.168.10.17 TCP_DENIED/407 4721 GET http://www.google-analytics.com/__utm.gif? - NONE/- text/html
>>> 1400591927.320 0 192.168.10.17 TCP_DENIED/407 5032 GET http://www.google-analytics.com/__utm.gif? - NONE/- text/html
>>> 1400591927.361 39 192.168.10.17 TCP_MISS/200 525 GET http://www.google-analytics.com/__utm.gif? 32847 DIRECT/173.194.41.9 image/gif
>>> 1400591927.888 23 192.168.10.17 TCP_MISS/200 525 GET http://www.google-analytics.com/__utm.gif? 32847 DIRECT/173.194.41.9 image/gif
>>> 1400591927.891 718 192.168.10.17 TCP_MISS/200 3469 POST http://prezi.com/api/token/imagerecommendation/ 32847 DIRECT/54.235.184.72 application/json
>>> 1400591927.901 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT search.prezi.com:443 - NONE/- text/html
>>> 1400591927.904 1 192.168.10.17 TCP_DENIED/407 4048 CONNECT search.prezi.com:443 - NONE/- text/html
>>> 1400591928.904 1723 192.168.10.17 TCP_MISS/200 34768 CONNECT s3.amazonaws.com:443 32847 DIRECT/176.32.102.82 -
>>> 1400591929.193 21000 192.168.10.17 TCP_MISS/503 5544 POST http://meeting04.prezi.com/ 32847 DIRECT/184.72.217.112 text/html
>>> 1400591929.933 0 192.168.10.17 TCP_DENIED/407 4281 GET http://s3.amazonaws.com/0103.static.prezi.com/media/d/9/d/435b54a01855f57523aff086e8f19dc72b6a2.jpg - NONE/- text/html
>>> 1400591929.934 0 192.168.10.17 TCP_DENIED/407 5528 GET http://0103.static.prezi.com/crossdomain.xml - NONE/- text/html
>>> 1400591929.936 1 192.168.10.17 TCP_DENIED/407 4592 GET http://s3.amazonaws.com/0103.static.prezi.com/media/d/9/d/435b54a01855f57523aff086e8f19dc72b6a2.jpg - NONE/- text/html
>>> 1400591929.937 1 192.168.10.17 TCP_DENIED/407 5839 GET http://0103.static.prezi.com/crossdomain.xml - NONE/- text/html
>>> 1400591930.351 414 192.168.10.17 TCP_MISS/200 828 GET http://0103.static.prezi.com/crossdomain.xml 32847 DIRECT/75.101.163.113 text/xml
>>> 1400591930.552 142 192.168.10.17 TCP_MISS/302 569 GET http://0103.static.prezi.com/thumbnail/330/converted/1/1/a/af15ad4698fd68e3ab40dbfb63f791477916c.jpe 32847 DIRECT/75.101.163.113 text/html
>>> 1400591930.561 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT s3.amazonaws.com:443 - NONE/- text/html
>>> 1400591930.563 0 192.168.10.17 TCP_DENIED/407 4048 CONNECT s3.amazonaws.com:443 - NONE/- text/html
>>>
>>> We are using a samba-ldap domain and users are using an acl to allow only
>>> authenticated users.
>>>
>>> Our proxy is only to generate statistics using sarg, we need that squid
>>> doesn't make any tcp denied or any restriction, we need to allow all
>>> traffic from our internal ip and auth users. How can I do this and
>>> solve these problems with prezi?
>>
>> I don't see any errors in that log.
>>
>> Your Squid is requiring authentication. This requires the client
>> software (prezi) to be capable of authenticating HTTP requests.
>>
>> From the pattern of two 407 followed by a 200 it appears that you are
>> using NTLM authentication. That type of authentication has a 407
>> challenge to announce the available auth type(s), a second 407 challenge
>> to deliver security keys from the server, then a third request to
>> receive final authentication from the client.
>>
>> We have had a number of bugs in CONNECT handling over the years. I
>> suggest you install a later squid3 package; the one from Debian Wheezy
>> (current stable Debian) repository should work on Squeeze.
>>
>> Amos
Received on Wed May 21 2014 - 07:39:39 MDT
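The question in this thread is whether the TCP_DENIED/407 entries are "ok". Amos's answer is that they are the per-connection NTLM challenge sequence (407, 407, then a real answer) rather than access denials. The script below is an added example, not code from the thread or from the Squid project: it parses native-format access.log records like the ones quoted above and separates 407s that were followed by a non-407 answer for the same client, method and URL (handshake challenges) from 407s that were never answered in the log. The sample input is the quoted log re-joined one record per line; the 30-second pairing window, the `parse_native_line`/`classify_407s` names and the "challenges per served request" ratio are my own assumptions, not Squid features.

```python
"""Classify Squid TCP_DENIED/407 entries: NTLM/Negotiate handshake noise
versus challenges that were never answered in the log."""
from collections import defaultdict, namedtuple

# Sample input: the native-format access.log lines quoted in the thread,
# re-joined one record per line (nothing added or changed).
SAMPLE_LOG = """\
1400591927.068 164 192.168.10.17 TCP_MISS/200 36175 GET http://cdn-a.prezi.com/bin/modules/imagesearch-bbc2d65a304a2344a4239bda263525a92e1eb21c.swf 32847 DIRECT/23.51.75.49 application/x-shockwave-flash
1400591927.173 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT s3.amazonaws.com:443 - NONE/- text/html
1400591927.179 0 192.168.10.17 TCP_DENIED/407 4048 CONNECT s3.amazonaws.com:443 - NONE/- text/html
1400591927.315 0 192.168.10.17 TCP_DENIED/407 4721 GET http://www.google-analytics.com/__utm.gif? - NONE/- text/html
1400591927.320 0 192.168.10.17 TCP_DENIED/407 5032 GET http://www.google-analytics.com/__utm.gif? - NONE/- text/html
1400591927.361 39 192.168.10.17 TCP_MISS/200 525 GET http://www.google-analytics.com/__utm.gif? 32847 DIRECT/173.194.41.9 image/gif
1400591927.888 23 192.168.10.17 TCP_MISS/200 525 GET http://www.google-analytics.com/__utm.gif? 32847 DIRECT/173.194.41.9 image/gif
1400591927.891 718 192.168.10.17 TCP_MISS/200 3469 POST http://prezi.com/api/token/imagerecommendation/ 32847 DIRECT/54.235.184.72 application/json
1400591927.901 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT search.prezi.com:443 - NONE/- text/html
1400591927.904 1 192.168.10.17 TCP_DENIED/407 4048 CONNECT search.prezi.com:443 - NONE/- text/html
1400591928.904 1723 192.168.10.17 TCP_MISS/200 34768 CONNECT s3.amazonaws.com:443 32847 DIRECT/176.32.102.82 -
1400591929.193 21000 192.168.10.17 TCP_MISS/503 5544 POST http://meeting04.prezi.com/ 32847 DIRECT/184.72.217.112 text/html
1400591929.933 0 192.168.10.17 TCP_DENIED/407 4281 GET http://s3.amazonaws.com/0103.static.prezi.com/media/d/9/d/435b54a01855f57523aff086e8f19dc72b6a2.jpg - NONE/- text/html
1400591929.934 0 192.168.10.17 TCP_DENIED/407 5528 GET http://0103.static.prezi.com/crossdomain.xml - NONE/- text/html
1400591929.936 1 192.168.10.17 TCP_DENIED/407 4592 GET http://s3.amazonaws.com/0103.static.prezi.com/media/d/9/d/435b54a01855f57523aff086e8f19dc72b6a2.jpg - NONE/- text/html
1400591929.937 1 192.168.10.17 TCP_DENIED/407 5839 GET http://0103.static.prezi.com/crossdomain.xml - NONE/- text/html
1400591930.351 414 192.168.10.17 TCP_MISS/200 828 GET http://0103.static.prezi.com/crossdomain.xml 32847 DIRECT/75.101.163.113 text/xml
1400591930.552 142 192.168.10.17 TCP_MISS/302 569 GET http://0103.static.prezi.com/thumbnail/330/converted/1/1/a/af15ad4698fd68e3ab40dbfb63f791477916c.jpe 32847 DIRECT/75.101.163.113 text/html
1400591930.561 0 192.168.10.17 TCP_DENIED/407 3737 CONNECT s3.amazonaws.com:443 - NONE/- text/html
1400591930.563 0 192.168.10.17 TCP_DENIED/407 4048 CONNECT s3.amazonaws.com:443 - NONE/- text/html
"""

Entry = namedtuple("Entry", "ts elapsed client result status size method url user")


def parse_native_line(line):
    """Parse one Squid native access.log record (Squid 3.1 default format):
    time elapsed client code/status bytes method URL rfc931 hierarchy/peer type.
    For CONNECT the URL field is host:port; it is kept as-is for keying."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a native access.log record: %r" % line)
    result, status = fields[3].split("/", 1)
    return Entry(ts=float(fields[0]), elapsed=int(fields[1]), client=fields[2],
                 result=result, status=int(status), size=int(fields[4]),
                 method=fields[5], url=fields[6], user=fields[7])


def classify_407s(lines, window=30.0):
    """Walk the log in order. A 407 for (client, method, URL) that is followed
    within `window` seconds by a non-407 answer for the same key is a handshake
    challenge (the 407, 407, 200 pattern NTLM produces on every new connection).
    A 407 with no such answer is reported as unresolved. The 30 s window is an
    assumption of this example, not a Squid constant."""
    pending = defaultdict(list)   # key -> 407 entries awaiting an answer
    handshake, unresolved, served = 0, [], 0
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_native_line(raw)
        key = (e.client, e.method, e.url)
        if e.status == 407:
            pending[key].append(e)
            continue
        served += 1
        # This answer closes out challenges issued shortly before it; older
        # ones are treated as abandoned.
        handshake += sum(1 for p in pending[key] if e.ts - p.ts <= window)
        unresolved.extend(p for p in pending[key] if e.ts - p.ts > window)
        pending[key] = []
    # Challenges still pending at end of input were never answered in the log.
    for remaining in pending.values():
        unresolved.extend(remaining)
    total_407 = handshake + len(unresolved)
    return {
        "served": served,
        "handshake_407": handshake,
        "unresolved_407": len(unresolved),
        # Close to 2 means nearly every served request rode a fresh TCP
        # connection and paid a full NTLM handshake, i.e. persistent
        # connections are not in effect.
        "challenges_per_served": round(total_407 / served, 2) if served else None,
        "unresolved_entries": unresolved,
    }


if __name__ == "__main__":
    summary = classify_407s(SAMPLE_LOG.splitlines())
    for k in ("served", "handshake_407", "unresolved_407", "challenges_per_served"):
        print("%-22s %s" % (k, summary[k]))
    for e in summary["unresolved_entries"]:
        print("unanswered 407: %.3f %s %s" % (e.ts, e.method, e.url))
```

On the quoted log this reports 8 served requests, 6 handshake 407s and 6 unresolved 407s. The unresolved pairs at the very end (the last two CONNECT s3.amazonaws.com:443) are most likely just the capture being cut off; the pairs for search.prezi.com:443 and the S3 .jpg in the middle are the ones worth following up in the full log. The 503 from meeting04.prezi.com is an upstream error, not an auth event, and is not touched by any of this. A challenges-per-served ratio near 2 across a longer capture is the quantitative sign that client-side persistent connections are not being used, which is what Amos suggests fixing.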
