ISSUE accssing content

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

ISSUE accssing content

Jagannath Naidu
Dear List,

I have been working on this for last two weeks, but never got it resolved. 

We have a application server (SERVER) in our local network and a desktop  application (CLIENT). The application picks proxy settings from IE. And we also have a wensense proxy server 

case 1: when there is no proxy set 
application works. No logs in squid server access.log

case 2: when proxy ip address set and checked "bypass local network"
application works. No logs in squid server access.log 

case 3: when proxy ip address is set to wensense proxy server. UNCHECKED "bypass local network"
application works. We dont have access to websense server and hence we can not check logs 


case 4: when proxy ip address is set to proxy server ip address. UNCHECKED "bypass local network"
application does not work :-(. Below are the logs. 


1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

squid -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


squid.conf 

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8180
acl CONNECT method CONNECT
acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
http_access allow wvdial
acl dialer dstdomain .htmedia.net
http_access allow dialer
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
append_domain  .mydomain.net
ignore_expect_100 on
dns_v4_first on
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
auth_param ntlm children 1000
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow all auth
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


It was the same behavior with squid-3.1.10-19. I thought, upgrading to squid 3.3 would help. Please help me resolving this mystery. 


--
Thanks & Regards

Jagannath Naidu 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Jagannath Naidu


On 24 July 2015 at 21:05, Jagannath Naidu <[hidden email]> wrote:
Dear List,

I have been working on this for last two weeks, but never got it resolved. 

We have a application server (SERVER) in our local network and a desktop  application (CLIENT). The application picks proxy settings from IE. And we also have a wensense proxy server 

case 1: when there is no proxy set 
application works. No logs in squid server access.log

case 2: when proxy ip address set and checked "bypass local network"
application works. No logs in squid server access.log 

case 3: when proxy ip address is set to wensense proxy server. UNCHECKED "bypass local network"
application works. We dont have access to websense server and hence we can not check logs 


case 4: when proxy ip address is set to proxy server ip address. UNCHECKED "bypass local network"
application does not work :-(. Below are the logs. 


1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

UPDATE: correct logs 

1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

 
squid -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


squid.conf 

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8180
acl CONNECT method CONNECT
acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
http_access allow wvdial
acl dialer dstdomain .htmedia.net
http_access allow dialer
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
append_domain  .mydomain.net
ignore_expect_100 on
dns_v4_first on
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
auth_param ntlm children 1000
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow all auth
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


It was the same behavior with squid-3.1.10-19. I thought, upgrading to squid 3.3 would help. Please help me resolving this mystery. 


--
Thanks & Regards

Jagannath Naidu 




--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Jagannath Naidu
1. Its not  a transparent proxy. 

2. My clients get wpad configuration from AD server. So there are two question. 
 2.1 :I know that wpad is used to identify proxy server and port(and rest other bypass rules).  When clients resolve to wpad.abc.com, is there way that I can overwrite the wpad file off client. Like creating a webserver to to serve wpad file and I change /etc/hosts file to "<myhwebserveripaddress> wpad.abc.com"
2.2 Is there any other way to tell clients via squid server, to do not come to squid server and re initiate the request. 

On 24 July 2015 at 21:10, Jagannath Naidu <[hidden email]> wrote:


On 24 July 2015 at 21:05, Jagannath Naidu <[hidden email]> wrote:
Dear List,

I have been working on this for last two weeks, but never got it resolved. 

We have a application server (SERVER) in our local network and a desktop  application (CLIENT). The application picks proxy settings from IE. And we also have a wensense proxy server 

case 1: when there is no proxy set 
application works. No logs in squid server access.log

case 2: when proxy ip address set and checked "bypass local network"
application works. No logs in squid server access.log 

case 3: when proxy ip address is set to wensense proxy server. UNCHECKED "bypass local network"
application works. We dont have access to websense server and hence we can not check logs 


case 4: when proxy ip address is set to proxy server ip address. UNCHECKED "bypass local network"
application does not work :-(. Below are the logs. 


1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

UPDATE: correct logs 

1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

 
squid -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


squid.conf 

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8180
acl CONNECT method CONNECT
acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
http_access allow wvdial
acl dialer dstdomain .htmedia.net
http_access allow dialer
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
append_domain  .mydomain.net
ignore_expect_100 on
dns_v4_first on
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
auth_param ntlm children 1000
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow all auth
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


It was the same behavior with squid-3.1.10-19. I thought, upgrading to squid 3.3 would help. Please help me resolving this mystery. 


--
Thanks & Regards

Jagannath Naidu 




--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006



--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

talikarni
In reply to this post by Jagannath Naidu
I see a few issues.

1. The report from the log shows a 192.168.*.* address, common LAN IP

Then in the squid.conf:
2. You have wvdial destination as 10.1.*.* addresses, which is a completely different internal network.
Typically there will be no internal routing or communication from a 192.168..*.* address to/from a 10.*.*.* address without a custom routing server with 2 network connections, one from each IP set and to act as the DNS intermediary for routing. Otherwise for network/internet connections, the computer/browser sees its own IP as local network, and everything else including 10.*.*.* as an external address out on the internet. I would suggest getting both the browsing computer and the server on the same IP subset, as in 192.168.122.x or 10.1.4.x, otherwise these issues are likely to continue.

3. Next in the squid.conf is http_port which should be port number only, no IP address, especially 0.0.0.0 which can cause conflicts with squid 3.x versions. Best bet is use just port only, as in: "http_port 3128" or in your case "http_port 8080", which is the port (with server IP found in ifconfig) the browser will use to connect through the squid server.
4. The bypass local network means any IP connection attempt to a local network IP will not use the proxy. This goes back to the 2 different IP subsets. One option is to enter a proxy exception as 10.*.*.* (if the websense server is using 10.x.x.x IP address).


Mike


On 7/24/2015 10:35 AM, Jagannath Naidu wrote:
Dear List,

I have been working on this for last two weeks, but never got it resolved. 

We have a application server (SERVER) in our local network and a desktop  application (CLIENT). The application picks proxy settings from IE. And we also have a wensense proxy server 

case 1: when there is no proxy set 
application works. No logs in squid server access.log

case 2: when proxy ip address set and checked "bypass local network"
application works. No logs in squid server access.log 

case 3: when proxy ip address is set to wensense proxy server. UNCHECKED "bypass local network"
application works. We dont have access to websense server and hence we can not check logs 


case 4: when proxy ip address is set to proxy server ip address. UNCHECKED "bypass local network"
application does not work :-(. Below are the logs. 


1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html

squid -v
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


squid.conf 

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8180
acl CONNECT method CONNECT
acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
http_access allow wvdial
acl dialer dstdomain .htmedia.net
http_access allow dialer
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
append_domain  .mydomain.net
ignore_expect_100 on
dns_v4_first on
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
auth_param ntlm children 1000
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow all auth
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


It was the same behavior with squid-3.1.10-19. I thought, upgrading to squid 3.3 would help. Please help me resolving this mystery. 


--
Thanks & Regards

Jagannath Naidu 



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Amos Jeffries
Administrator
On 25/07/2015 6:57 a.m., Mike wrote:

> I see a few issues.
>
> 1. The report from the log shows a 192.168.*.* address, common LAN IP
>
> Then in the squid.conf:
> 2. You have wvdial destination as 10.1.*.* addresses, which is a
> completely different internal network.
> Typically there will be no internal routing or communication from a
> 192.168..*.* address to/from a 10.*.*.* address without a custom routing
> server with 2 network connections, one from each IP set and to act as
> the DNS intermediary for routing. Otherwise for network/internet
> connections, the computer/browser sees its own IP as local network, and
> everything else including 10.*.*.* as an external address out on the
> internet. I would suggest getting both the browsing computer and the
> server on the same IP subset, as in 192.168.122.x or 10.1.4.x, otherwise
> these issues are likely to continue.

WTF? Thats IPv4, no IP-range segmentation in that protocol except 127/8.
As long as a route exists 192.* can talk to 10.* no problems.

Also, he has indicated direct connectivity tests are working fine already.

Also, Squid is an application layer gateway. As long as Squid has access
to both networks it should be fine regardless of any obstructions direct
access might have. In fact its often used to get around that type of
problem, such as IPv4<->IPv6 translation.


>
> 3. Next in the squid.conf is http_port which should be port number only,
> no IP address, especially 0.0.0.0 which can cause conflicts with squid
> 3.x versions. Best bet is use just port only, as in: "http_port 3128" or
> in your case "http_port 8080", which is the port (with server IP found
> in ifconfig) the browser will use to connect through the squid server.

Nope again. The IP address is fine. In the case of 0.0.0.0 it forces
Squid to IPv4-only service on that port. Making way for another service
to run IPv6 in parallel with same ports. Or IPv6 clients to get rejected
at TCP level.

From the logs presented we can see traffic arriving at Squid and being
serviced. Just not with the desired responses.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Amos Jeffries
Administrator
In reply to this post by Jagannath Naidu
On 25/07/2015 4:59 a.m., Jagannath Naidu wrote:

> 1. Its not  a transparent proxy.
>
> 2. My clients get wpad configuration from AD server. So there are two
> question.
>  2.1 :I know that wpad is used to identify proxy server and port(and rest
> other bypass rules).  When clients resolve to wpad.abc.com, is there way
> that I can overwrite the wpad file off client. Like creating a webserver to
> to serve wpad file and I change /etc/hosts file to "<myhwebserveripaddress>
> wpad.abc.com"
> 2.2 Is there any other way to tell clients via squid server, to do not come
> to squid server and re initiate the request.

Exactly that if you wish. Its not clear whether WPAD is the problem though.

The fact that you have Squid logs showing access indicates the traffic
us actually getting there okay. The responses do seem to be coming back
from 10.* servers as well.
So what is happening is something is causing those servers not to like
the traffic being requested from them.


>
> On 24 July 2015 at 21:10, Jagannath Naidu <
> [hidden email]> wrote:
>
>>
>>
>> On 24 July 2015 at 21:05, Jagannath Naidu <
>> [hidden email]> wrote:
>>
>>> Dear List,
>>>
>>> I have been working on this for last two weeks, but never got it
>>> resolved.
>>>
>>> We have a application server (SERVER) in our local network and a desktop
>>>  application (CLIENT). The application picks proxy settings from IE. And we
>>> also have a wensense proxy server
>>>
>>> case 1: when there is no proxy set
>>> application works. No logs in squid server access.log
>>>
>>> case 2: when proxy ip address set and checked "bypass local network"
>>> application works. No logs in squid server access.log
>>>
>>> case 3: when proxy ip address is set to wensense proxy server. UNCHECKED
>>> "bypass local network"
>>> application works. We dont have access to websense server and hence we
>>> can not check logs

Can you explain "not works" in any better detail?
 application expected vs actual behaviour?
 if you can relate that to particular HTTP messages even better.


>>>
>>>
>>> case 4: when proxy ip address is set to proxy server ip address.
>>> UNCHECKED "bypass local network"
>>> application does not work :-(. Below are the logs.
>>>
>>>
>>> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>>> - HIER_DIRECT/10.1.4.46 text/html

404. The URL you see above references an object that does not exist on
that server.

Things to look into:
 Is it the right server?
 Is it the right URL?
 Why was it requested?
 Does the server actually know its "dlwvdialce.htmedia.net" name?


>>> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
>>> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html


Authentication. Normal I think.

>>> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>>> 10.1.4.46 text/html

Same as the first 404'd URL.

>>> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST
>>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>>> - HIER_NONE/- text/html

503 usually indicates the attempted server failed.

Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work.
Which would also match the lack of server IP in the log.


>>>
>>> UPDATE: correct logs
>>
>> 1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>> - HIER_DIRECT/10.1.4.46 text/html
>> 1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>> 10.1.4.46 text/html
>> 1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST
>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>> - HIER_NONE/- text/html
>>

Same comments as above.

>>
>>
>>> squid -v
>>> Squid Cache: Version 3.3.8
>>> configure options:  '--build=x86_64-redhat-linux-gnu'
>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
>>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
>>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
>>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
>>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--disable-strict-error-checking'
>>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>>> '--with-logdir=$(localstatedir)/log/squid'
>>> '--with-pidfile=$(localstatedir)/run/squid.pid'
>>> '--disable-dependency-tracking' '--enable-eui'
>>> '--enable-follow-x-forwarded-for' '--enable-auth'
>>> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
>>> '--enable-auth-ntlm=smb_lm,fake'
>>> '--enable-auth-digest=file,LDAP,eDirectory'
>>> '--enable-auth-negotiate=kerberos'
>>> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
>>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
>>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
>>> '--enable-ident-lookups' '--enable-linux-netfilter'
>>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
>>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2'
>>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
>>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
>>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
>>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>>> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
>>> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2
>>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
>>> -m64 -mtune=generic -fpie'
>>> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>>
>>>
>>> squid.conf
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
>>> machines
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8180
>>> acl CONNECT method CONNECT
>>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54
>>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4

For easier reading:
  acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4

(at least I think they are all in one /27, double-check that)

>>> http_access allow wvdial
>>> acl dialer dstdomain .htmedia.net
>>> http_access allow dialer
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET

 "=" is a funny domain name. I suspect you wanted the domain-name part
of the line to be used instead. Remove the "= " bit.

>>> append_domain  .mydomain.net
>>> ignore_expect_100 on

The ignore_* directive should not be useful in 3.3. You can remove it now.

>>> dns_v4_first on
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
>>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>>> auth_param ntlm children 1000
>>> auth_param ntlm keep_alive off
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> acl auth proxy_auth REQUIRED
>>> http_access allow all auth

"allow all auth" means the same as "allow auth".

"all" only has meaning on the end (right-hand side) of the line which
would otherwise end in a proxy_auth ACL.
It should either be on the end of that line, or not used at all.


>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 0.0.0.0:8080
>>> coredump_dir /var/spool/squid
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>>
>>>
>>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to
>>> squid 3.3 would help. Please help me resolving this mystery.

Looks to me like the server at 10.1.4.46 does not know what to do with
the URLs requested.

I would start looking at whether the application is actually supposed to
be going there for its requests.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Jagannath Naidu
Thanks Amos,, mike 



On 25 July 2015 at 03:20, Amos Jeffries <[hidden email]> wrote:
On 25/07/2015 4:59 a.m., Jagannath Naidu wrote:
> 1. Its not  a transparent proxy.
>
> 2. My clients get wpad configuration from AD server. So there are two
> question.
>  2.1 :I know that wpad is used to identify proxy server and port(and rest
> other bypass rules).  When clients resolve to wpad.abc.com, is there way
> that I can overwrite the wpad file off client. Like creating a webserver to
> to serve wpad file and I change /etc/hosts file to "<myhwebserveripaddress>
> wpad.abc.com"
> 2.2 Is there any other way to tell clients via squid server, to do not come
> to squid server and re initiate the request.

Exactly that if you wish. Its not clear whether WPAD is the problem though.

The fact that you have Squid logs showing access indicates the traffic
us actually getting there okay. The responses do seem to be coming back
from 10.* servers as well.
So what is happening is something is causing those servers not to like
the traffic being requested from them.


>
> On 24 July 2015 at 21:10, Jagannath Naidu <
> [hidden email]> wrote:
>
>>
>>
>> On 24 July 2015 at 21:05, Jagannath Naidu <
>> [hidden email]> wrote:
>>
>>> Dear List,
>>>
>>> I have been working on this for last two weeks, but never got it
>>> resolved.
>>>
>>> We have a application server (SERVER) in our local network and a desktop
>>>  application (CLIENT). The application picks proxy settings from IE. And we
>>> also have a wensense proxy server
>>>
>>> case 1: when there is no proxy set
>>> application works. No logs in squid server access.log
>>>
>>> case 2: when proxy ip address set and checked "bypass local network"
>>> application works. No logs in squid server access.log
>>>
>>> case 3: when proxy ip address is set to wensense proxy server. UNCHECKED
>>> "bypass local network"
>>> application works. We dont have access to websense server and hence we
>>> can not check logs

Can you explain "not works" in any better detail?
 application expected vs actual behaviour?
 if you can relate that to particular HTTP messages even better.
The application is "aspect unified ip agent desktop". It is a dialer application (VOIP). Used on windows machine. 
Rest cases : 

When application is launched, it shows that it has joined domain "HTP". HTP is default, we can change to other from the drop down list. 

Case 4: not works. 

But in this case, it shows no drop down list, nor with a single option like "HTP". Application can connect to server anymore. And I can not call or receive calls anymore.



>>>
>>>
>>> case 4: when proxy ip address is set to proxy server ip address.
>>> UNCHECKED "bypass local network"
>>> application does not work :-(. Below are the logs.
>>>
>>>
>>> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>>> - HIER_DIRECT/10.1.4.46 text/html

404. The URL you see above references an object that does not exist on
that server.

Things to look into:
 Is it the right server?
Yes 
 Is it the right URL?
Yes
 Why was it requested?
Don't know. These were the only logs I can get from access.log. The server is "Microsoft IIS HTTP/1.1"
 
 Does the server actually know its "dlwvdialce.htmedia.net" name?
Yes. It is resolvable 1) ping dlwvdialce works 2) ping dlwvdialce.htmedia.net works 
 
initially "dlwvdialce" was not resolving to any host. That's where used "append_domain .htmedia.net" is squid.conf (worked for other applications). 
 


>>> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html
>>> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT
>>> 0.client-channel.google.com:443 - HIER_NONE/- text/html


Authentication. Normal I think.
Yes, NTLM auth. 
 

>>> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET
>>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>>> 10.1.4.46 text/html

Same as the first 404'd URL.


>> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST
>>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>>> - HIER_NONE/- text/html

503 usually indicates the attempted server failed.

Makes sense if TCP to cs-711-core.htmedia.net port 8180 did not work.
Which would also match the lack of server IP in the log.

 1)  ping cs-711-core.htmedia.net  does not work "no such host"
 2) ping  cs-711-core does not work "no such host"
 


>>>
>>> UPDATE: correct logs
>>
>> 1437752279.774      6 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application
>> - HIER_DIRECT/10.1.4.46 text/html
>> 1437752281.854      5 192.168.122.1 TCP_MISS/404 579 GET
>> http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/
>> 10.1.4.46 text/html
>> 1437752284.265      2 192.168.122.1 TCP_MISS/503 4048 POST
>> http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal
>> - HIER_NONE/- text/html
>>

Same comments as above.

>>
>>
>>> squid -v
>>> Squid Cache: Version 3.3.8
>>> configure options:  '--build=x86_64-redhat-linux-gnu'
>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
>>> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
>>> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
>>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
>>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--disable-strict-error-checking'
>>> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>>> '--with-logdir=$(localstatedir)/log/squid'
>>> '--with-pidfile=$(localstatedir)/run/squid.pid'
>>> '--disable-dependency-tracking' '--enable-eui'
>>> '--enable-follow-x-forwarded-for' '--enable-auth'
>>> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
>>> '--enable-auth-ntlm=smb_lm,fake'
>>> '--enable-auth-digest=file,LDAP,eDirectory'
>>> '--enable-auth-negotiate=kerberos'
>>> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group'
>>> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
>>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
>>> '--enable-ident-lookups' '--enable-linux-netfilter'
>>> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
>>> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2'
>>> '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
>>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>>> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
>>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
>>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>>> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
>>> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2
>>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
>>> -m64 -mtune=generic -fpie'
>>> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>>
>>>
>>> squid.conf
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
>>> machines
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8180
>>> acl CONNECT method CONNECT
>>> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54
>>> 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4

For easier reading:
  acl wvdial dst 10.1.4.45-10.1.4.55/27 10.1.2.4

(at least I think they are all in one /27, double-check that)

>>> http_access allow wvdial
>>> acl dialer dstdomain .htmedia.net
>>> http_access allow dialer
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET

 "=" is a funny domain name. I suspect you wanted the domain-name part
of the line to be used instead. Remove the "= " bit.

Removed = bit. 
 
>>> append_domain  .mydomain.net
>>> ignore_expect_100 on

The ignore_* directive should not be useful in 3.3. You can remove it now.

>>> dns_v4_first on
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
>>> --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>>> auth_param ntlm children 1000
>>> auth_param ntlm keep_alive off
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> acl auth proxy_auth REQUIRED
>>> http_access allow all auth

"allow all auth" means the same as "allow auth".

"all" only has meaning on the end (right-hand side) of the line which
would otherwise end in a proxy_auth ACL.
It should either be on the end of that line, or not used at all.


>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 0.0.0.0:8080
>>> coredump_dir /var/spool/squid
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>>
>>>
>>> It was the same behavior with squid-3.1.10-19. I thought, upgrading to
>>> squid 3.3 would help. Please help me resolving this mystery.

Looks to me like the server at 10.1.4.46 does not know what to do with
the URLs requested.

I would start looking at whether the application is actually supposed to
be going there for its requests.

How can do that ? 
I can install wireshark on client and test the result. 

Am I missing any information to give ? 
 
Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users



--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Jagannath Naidu
In reply to this post by talikarni

Thanks mike. 
But I think Amos is right. 

On 25 July 2015 at 00:27, Mike <[hidden email]> wrote:
I see a few issues.

1. The report from the log shows a 192.168.*.* address, common LAN IP

The ip 192.168.122.1 is the ip address of  virtual interface (acts as a default gateway for Virtual machines). I did NATing using iptables. 

Then in the squid.conf:
2. You have wvdial destination as 10.1.*.* addresses, which is a completely different internal network.
Typically there will be no internal routing or communication from a 192.168..*.* address to/from a 10.*.*.* address without a custom routing server with 2 network connections, one from each IP set and to act as the DNS intermediary for routing. Otherwise for network/internet connections, the computer/browser sees its own IP as local network, and everything else including 10.*.*.* as an external address out on the internet. I would suggest getting both the browsing computer and the server on the same IP subset, as in 192.168.122.x or 10.1.4.x, otherwise these issues are likely to continue.

I have two squid servers. 
1. squid 3.1 on physical server 
2. squid 3.3 on VM hosted by 1

Same logs. No different results. 

So when the client requests 8080 . 3.1 serves. When the client requests 3128 3.3 serves. 
This application behavior is same for both. 
 

3. Next in the squid.conf is http_port which should be port number only, no IP address, especially 0.0.0.0 which can cause conflicts with squid 3.x versions. Best bet is use just port only, as in: "http_port 3128" or in your case "http_port 8080", which is the port (with server IP found in ifconfig) the browser will use to connect through the squid server.

I tried your suggestion. But not worked. Same results :-(
 
4. The bypass local network means any IP connection attempt to a local network IP will not use the proxy. This goes back to the 2 different IP subsets. One option is to enter a proxy exception as 10.*.*.* (if the websense server is using 10.x.x.x IP address).

I was thinking, what would websense have deployed.  

@amos, mike: Can we overwrite wpad of a client using squid server or any means automatically ????? 



Mike
 
Jagannath Naidu 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ISSUE accssing content

Jagannath Naidu
Any one ?? !!!!

On 25 July 2015 at 11:14, Jagannath Naidu <[hidden email]> wrote:

Thanks mike. 
But I think Amos is right. 

On 25 July 2015 at 00:27, Mike <[hidden email]> wrote:
I see a few issues.

1. The report from the log shows a 192.168.*.* address, common LAN IP

The ip 192.168.122.1 is the ip address of  virtual interface (acts as a default gateway for Virtual machines). I did NATing using iptables. 

Then in the squid.conf:
2. You have wvdial destination as 10.1.*.* addresses, which is a completely different internal network.
Typically there will be no internal routing or communication from a 192.168..*.* address to/from a 10.*.*.* address without a custom routing server with 2 network connections, one from each IP set and to act as the DNS intermediary for routing. Otherwise for network/internet connections, the computer/browser sees its own IP as local network, and everything else including 10.*.*.* as an external address out on the internet. I would suggest getting both the browsing computer and the server on the same IP subset, as in 192.168.122.x or 10.1.4.x, otherwise these issues are likely to continue.

I have two squid servers. 
1. squid 3.1 on physical server 
2. squid 3.3 on VM hosted by 1

Same logs. No different results. 

So when the client requests 8080 . 3.1 serves. When the client requests 3128 3.3 serves. 
This application behavior is same for both. 
 

3. Next in the squid.conf is http_port which should be port number only, no IP address, especially 0.0.0.0 which can cause conflicts with squid 3.x versions. Best bet is use just port only, as in: "http_port 3128" or in your case "http_port 8080", which is the port (with server IP found in ifconfig) the browser will use to connect through the squid server.

I tried your suggestion. But not worked. Same results :-(
 
4. The bypass local network means any IP connection attempt to a local network IP will not use the proxy. This goes back to the 2 different IP subsets. One option is to enter a proxy exception as 10.*.*.* (if the websense server is using 10.x.x.x IP address).

I was thinking, what would websense have deployed.  

@amos, mike: Can we overwrite wpad of a client using squid server or any means automatically ????? 



Mike
 
Jagannath Naidu 



--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
+919871324006

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users