CentOS6 and squid34 package ...


CentOS6 and squid34 package ...

Walter H.
Hello

what is the essential difference between the default squid package and this squid34 package,
as I have problems using this squid34 package for FTP connections;
there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
when I tell the browser to show the image then I get this squid generated message ...

the same config /etc/squid/squid.conf works with the default squid package ...

<message>
While trying to retrieve the URL: http://proxy.local:3128/squid-internal-static/icons/silk/folder.png

The following error was encountered:

  • Access Denied.

Access control configuration prevents your request from being allowed at this time.
Please contact your service provider if you feel this is incorrect.

Your cache administrator is ...


Generated Thu, 25 May 2017 06:50:02 GMT by proxy.local (squid/3.4.14)
</message>

has anybody the hint for me, what is wrong ..., here is the /etc/squid/squid.conf

<squid.conf>
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow all

http_port 3128

cache_dir ufs /var/spool/squid 16400 16 256
coredump_dir /var/spool/squid

nonhierarchical_direct off

visible_hostname proxy.local
unique_hostname proxy.local

forwarded_for off
cache_mem 2560 MB

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

as_whois_server whois.ra.net

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
</squid.conf>

the same host has a running apache, where host proxy.local is a password protected web, which has the following

for port 80
<virt. host>
RewriteCond %{HTTP_HOST} ^proxy\.local(:80)?$ [NC]
RewriteRule ^/(.*)$ https://proxy.local/$1 [L,R=301]
</virt. host>

for port 443
<virt. host>
<Location />
        AuthName Firewall/Router
        AuthType Basic
        AuthUserFile /var/www/passwrds
        Require User admin
</Location>
</virt. host>

/var/log/squid/access.log has this ...
<squid log>
client - - [25/May/2017:08:50:02 +0200] "GET http://proxy.local:3128/squid-internal-static/icons/silk/folder.png HTTP/1.1" 403 1655 "ftp://ftp.adobe.com/" "UserAgent" TCP_DENIED:HIER_NONE
</squid log>

the apache doesn't log anything in connection with this ...

has anybody the hint for me, what is causing this?

Thanks,
Walter


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: CentOS6 and squid34 package ...

Amos Jeffries
Administrator
On 25/05/17 20:19, Walter H. wrote:
> Hello
>
> what is the essential difference between the default squid package and
> this squid34 package,

Run "squid -v" to find out if there are any build options different.
Usually it's just two alternative versions from the vendor.


> as I have problems using this squid34 package for FTP connections;
> there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
> when I tell the browser to show the image then I get this squid
> generated message ...
>
> the same config /etc/squid/squid.conf works with the default squid
> package ...
>
> <message>
> While trying to retrieve the URL:
> http://proxy.local:3128/squid-internal-static/icons/silk/folder.png 
> <http://zbox-ci323.waldinet.local:3128/squid-internal-static/icons/silk/folder.png>
>

Notice the port number in that URL...

>
> <squid.conf>
> acl localnet src 192.168.1.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher

You have removed the port range 1025-65535 from Safe_ports. So traffic
with URL port 3128 is no longer permitted.

>
> the apache doesn't log anything in connection with this ...

The request is for one of Squid's internal icon images. Apache has
nothing to do with those or any other squid generated content.


Amos


Re: CentOS6 and squid34 package ...

Walter H.
On 25.05.2017 12:50, Amos Jeffries wrote:
> On 25/05/17 20:19, Walter H. wrote:
>> Hello
>>
>> what is the essential difference between the default squid package and this squid34 package,
>
> Run "squid -v" to find out if there are any build options different. Usually it's just two alternative versions from the vendor.

Squid Cache: Version 3.4.14
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth-basic=LDAP,MSNT,NCSA,PAM,SMB,POP3,RADIUS,SASL,getpwnam,NIS,MSNT-multi-domain' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

and

Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23


>> as I have problems using this squid34 package for FTP connections;
>> there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
>> when I tell the browser to show the image then I get this squid generated message ...
>>
>> the same config /etc/squid/squid.conf works with the default squid package ...
>>
>> <message>
>> While trying to retrieve the URL: http://proxy.local:3128/squid-internal-static/icons/silk/folder.png <http://zbox-ci323.waldinet.local:3128/squid-internal-static/icons/silk/folder.png>
>
> Notice the port number in that URL...

yes I see the squid port 3128

when I do this with the default squid package, there I get the icons, and when I want to get the URL of such an icon,
it shows e.g. ftp://ftp.adobe.com/squid-internal-static/icons/anthony-dir.gif

when I add
global_internal_static off
to squid.conf at the squid34 package,
then there are also no icons shown;
when I tell the browser to show the image then I get this squid generated message ...

<message>
The following URL could not be retrieved: ftp://ftp.adobe.com/squid-internal-static/icons/silk/folder.png

Squid sent the following FTP command:

CWD squid-internal-static
and then received this reply
Failed to change directory.

This might be caused by an FTP URL with an absolute path (which does not comply with RFC 1738).
If this is the cause, then the file can be found at ftp://ftp.adobe.com%2f2f/squid-internal-static/icons/silk/folder.png.

Your cache administrator is ...

Generated Thu, 25 May 2017 18:57:52 GMT by proxy.local (squid/3.4.14)
</message>

what is running wrong here?
is there a setting I can change without having to allow
port 3128 traffic go through the proxy?
(this is not really logical, as the default squid package also doesn't allow port 3128 traffic to go through ...)


>> <squid.conf>
>> acl localnet src 192.168.1.0/24
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>
> You have removed the port range 1025-65535 from Safe_ports. So traffic with URL port 3128 is no longer permitted.

I configured on the clients this
http://proxy.local:3128
as proxy ...

Thanks,
Walter


Re: CentOS6 and squid34 package ...

talikarni
Walter, what I've found is when compiling to squid 3.5.x and higher, the compile options change. Also remember that many of the options that were available with 3.1.x are deprecated and likely will not work with 3.4.x and higher.

The other issue is that squid is only supposed to be handling HTTP and HTTPS traffic, not FTP. Trying to use it as an FTP proxy will need a different configuration than the standard HTTP/Secure proxy.


Mike



Re: CentOS6 and squid34 package ...

Walter H.
On 25.05.2017 21:51, Mike wrote:
> Walter, what I've found is when compiling to squid 3.5.x and higher, the compile options change. Also remember that many of the options that were available with 3.1.x are deprecated and likely will not work with 3.4.x and higher.

the compile options are not really the matter ...

> The other issue is that squid is only supposed to be handling HTTP and HTTPS traffic, not FTP.

this is definitely wrong ...



Re: CentOS6 and squid34 package ...

Amos Jeffries
Administrator
In reply to this post by talikarni
On 26/05/17 07:51, Mike wrote:
> Walter, what I've found is when compiling to squid 3.5.x and higher,
> the compile options change. Also remember that many of the options
> that were available with 3.1.x are deprecated and likely will not
> work with 3.4.x and higher.
>
> The other issue is that squid is only supposed to be handling HTTP and
> HTTPS traffic, not FTP. Trying to use it as an FTP proxy will need a
> different configuration than the standard HTTP/Secure proxy.
>

Well, to be correct Squid talks HTTP to the client software. It has long
supported mapping FTP server URLs into HTTP.

This second problem seems like the symptoms of
<http://bugs.squid-cache.org/show_bug.cgi?id=4132> which was fixed years
ago in the Squid-3.5.5 release. But that was apparently a regression not
affecting 3.4 or 3.1. Hmm.


Amos


>
> Mike
>
>
> On 5/25/2017 14:07 PM, Walter H. wrote:
>> what is running wrong here?
>> is there a setting I can change without having to allow
>> port 3128 traffic go through the proxy?
>> (this is not really logic, as the default squid package also doesn't
>> allow port 3128 traffic go through ...)

Er, it is using the recommended default config we ship from upstream.
Some Vendors like to install packages that are not usable without manual
attention. Usually by commenting out the "http_access allow localnet"
rule though, not marking registered HTTP ports as unsafe for use with HTTP.

Anyhow:

  acl Safe_ports port 3128
  acl port3128 port 3128
  acl squid-internal urlpath_regex ^/squid-internal

Then add this directly before the "deny manager" line:

   http_access deny port3128 !squid-internal


Amos
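
The rule order suggested in the reply above can be checked offline. This is an added example, not part of the original post and not Squid code: a small Python model of first-match http_access evaluation over the ACL lines from the thread. The built-in ACLs (manager, to_localhost) are simplified, and the client address 192.168.1.10 and the host example.com are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}

# ACL and http_access lines from the squid.conf posted in the thread.
ORIGINAL = """\
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""
# Lines suggested in the reply above.
FIX_ACLS = """\
acl Safe_ports port 3128
acl port3128 port 3128
acl squid-internal urlpath_regex ^/squid-internal
"""
FIX_RULE = "http_access deny port3128 !squid-internal\n"
# Variant for comparison: port 3128 re-added to Safe_ports, no extra deny rule.
PORT_ONLY = "acl Safe_ports port 3128\n" + ORIGINAL
# Full change: new ACLs, deny rule placed directly before "deny manager".
FIXED = FIX_ACLS + ORIGINAL.replace(
    "http_access deny manager", FIX_RULE + "http_access deny manager")

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "acl":
            # Repeated "acl NAME" lines add values to the same ACL (OR).
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 2 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(name, acls, req):
    src = ipaddress.ip_address(req["client"])
    # Built-in ACLs, simplified (assumption): real Squid resolves DNS for
    # to_localhost and also matches cache_object:// URLs for manager.
    if name == "all":
        return True
    if name == "localhost":
        return src.is_loopback
    if name == "to_localhost":
        return req["host"] in ("localhost", "127.0.0.1", "::1")
    if name == "manager":
        return req["path"].startswith("/squid-internal-mgr/")
    kind, values = acls[name]
    if kind == "src":
        return any(src in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # a value is "N" or a range "LO-HI"
        spans = [(v.split("-")[0], v.split("-")[-1]) for v in values]
        return any(int(lo) <= req["port"] <= int(hi) for lo, hi in spans)
    if kind == "method":
        return req["method"] in values
    if kind == "urlpath_regex":
        return any(re.search(v, req["path"]) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def decide(conf, client, url, method="GET"):
    """Return (action, deciding rule) for one request, first match wins."""
    acls, rules = parse(conf)
    u = urlsplit(url)
    req = {"client": client, "method": method, "host": u.hostname,
           "port": u.port or DEFAULT_PORTS[u.scheme], "path": u.path}
    for action, names in rules:
        # Every ACL on the line must match (AND); "!" negates a single ACL.
        if all(acl_matches(n.lstrip("!"), acls, req) != n.startswith("!")
               for n in names):
            return action, " ".join(["http_access", action] + names)
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"

if __name__ == "__main__":
    icon = "http://proxy.local:3128/squid-internal-static/icons/silk/folder.png"
    for label, conf in (("original", ORIGINAL), ("port only", PORT_ONLY), ("fixed", FIXED)):
        for url in (icon, "http://example.com:3128/"):
            print(label, url, decide(conf, "192.168.1.10", url))
```

The "port only" variant shows why the extra deny rule matters: with 3128 merely added to Safe_ports, any URL on port 3128 is relayed for localnet clients, not just Squid's own icon URLs.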

Re: CentOS6 and squid34 package ...

Walter H.
On 26.05.2017 17:49, Amos Jeffries wrote:

> On 26/05/17 07:51, Mike wrote:
>> Walter, what I've found is when compiling to squid 3.5.x and higher,
>> the compile options change. Also remember that many of the options
>> that were available with 3.1.x are deprecated and likely will not
>> work with 3.4.x and higher.
>>
>> The other issue is that squid is only supposed to be handling HTTP
>> and HTTPS traffic, not FTP. Trying to use it as an FTP proxy will need
>> a different configuration than the standard HTTP/Secure proxy.
>>
>
> Well, to be correct Squid talks HTTP to the client software. It has
> long supported mapping FTP server URLs into HTTP.
>
> This second problem seems like the symptoms of
> <http://bugs.squid-cache.org/show_bug.cgi?id=4132> which was fixed
> years ago in the Squid-3.5.5 release. But that was apparently a
> regression not affecting 3.4 or 3.1. Hmm.
>
>
Strange, isn't it?

>
>> On 5/25/2017 14:07 PM, Walter H. wrote:
>>> On 25.05.2017 12:50, Amos Jeffries wrote:
>>>
>>>> On 25/05/17 20:19, Walter H. wrote:
>>>>> Hello
>>>>>
>>>>> what is the essential difference between the default squid package
>>>>> and this squid34 package,
>>>>
>>>>> as I have problems using this squid34 package for FTP connections;
>>>>> there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
>>>>> when I tell the browser to show the image then I get this squid
>>>>> generated message ...
>>>>>
>>>>> the same config /etc/squid/squid.conf works with the default squid
>>>>> package ...
>>>>>
>>>>> <message>
>>>>> While trying to retrieve the URL:
>>>>> http://proxy.local:3128/squid-internal-static/icons/silk/folder.png <http://zbox-ci323.waldinet.local:3128/squid-internal-static/icons/silk/folder.png>
>>>>>
>>>>>
>>>>
>>>> Notice the port number in that URL...
>>>>
>>> yes I see the squid port 3128
>>>
>>> when I do this with the default squid package, there I get the
>>> icons, and when I want to get the URL of such an icon,
>>> it shows e.g.
>>> ftp://ftp.adobe.com/squid-internal-static/icons/anthony-dir.gif
>>>
>>> what is running wrong here?
>>> is there a setting I can change without having to allow
>>> port 3128 traffic go through the proxy?
>>> (this is not really logic, as the default squid package also doesn't
>>> allow port 3128 traffic go through ...)
>
> Er, it is using the recommended default config we ship from upstream.
> Some Vendors like to install packages that are not usable without
> manual attention. Usually by commenting out the "http_access allow
> localnet" rule though, not marking registered HTTP ports as unsafe for
> use with HTTP.
>
> Anyhow:
>
>  acl Safe_ports port 3128
>  acl port3128 port 3128
>  acl squid-internal urlpath_regex ^/squid-internal
>
> Then add this directly before the "deny manager" line:
>
>   http_access deny port3128 !squid-internal
Many thanks,
this shows the icons and doesn't allow port 3128 go through ...
exactly as I wanted

Walter

