webmails are not accessible - SQUID 2.5.STABLE12

webmails are not accessible - SQUID 2.5.STABLE12

shijjawi
Hello all,

I have SQUID 2.5 server implemented on SUSE linux enterprise 10.
No access lists are there, the http traffic has no problems.

I could not access any webmail! I have edited the squid.conf file to build
time based ACL and it worked, but even before I did that, webmails were
not accessible!

Is it a common issue? Please advise.

regards,
Simsam.



Re: webmails are not accessible - SQUID 2.5.STABLE12

Tek Bahadur Limbu
Hi Simsam,

On Wed, 5 Sep 2007 15:12:58 +0400
[hidden email] wrote:

> Hello all,
>
> I have SQUID 2.5 server implemented on SUSE linux enterprise 10.
> No access lists are there, the http traffic has no problems.
>
> I could not access any webmail! I have edited the squid.conf file to build
> time based ACL and it worked, but even before I did that, webmails were
> not accessible!

Which webmails are you indicating? Hotmail, Yahoo, etc? Most of them use HTTPS. What's your ACL for SSL_ports?

Are you running Squid in transparent mode? Also are you filtering traffic with some kind of firewall? Do you have a parent cache or a firewall in front of your squid box?

What error message does your Squid cache give you when you try to access webmails? What does cache.log and access.log say?

Try accessing webmails such as myway.com with and without secure mode and check if you can access its webmail with HTTP and HTTPS.

>
> Is it a common issue? Please advise.

It's not a common issue. I can't imagine what thousands of clients will say if they can't access the webmail service of Hotmail and Yahoo! And there are thousands of other webmail sites.

I would also recommend you to upgrade to the latest version of Squid which is 2.6.STABLE14 currently.

You can find the source package from the link below:

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14.tar.gz

Hope it helps.


Thanking you...


>
> regards,
> Simsam.
>
>
>


--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal
http://wlink.com.np/


Re: webmails are not accessible - SQUID 2.5.STABLE12

shijjawi
Hello Tek,

Thank you for your help, actually I meant private webmails like my
company's one that has the central exchange server in the head office
taking in consideration that my network is not a subnet from their
network, hotmail is running normally, Yahoo, Gmail .... etc.

I am still a beginner in this field but I could tell you that the proxy
itself is acting as a firewall, no specific protocol filtration, and here
is the acl for the SSL port:

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

acl Safe_ports port 443 563     # https, snews
http_access deny !Safe_ports

The machine hosting the squid is directly connected to the router, as I
mentioned before it is the firewall also and no ACL are there!
No it is not running in the transparent mode!

Before deploying the SQUID, this webmail was normally opening.

When trying to access a specific webmail like
http://mailhost.ccc.com.om/mail it is giving the following:

Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
 
What you can try:
Check your Internet connection. Try visiting another website to make sure
you are connected.
Retype the address.
Go back to the previous page
......


Let me upgrade it, then I will give you feedback.

thank you so much.


regards,
Simsam HIJJAWI





Re: webmails are not accessible - SQUID 2.5.STABLE12

Peter Albrecht-2
Hi Simsam,

> I am still beginner in this field but I could tell you that the proxy
> itself is acting as a firewall, no specific protocol filtration  and here
> is the acl for the SSL port:
>
> acl SSL_ports port 443 563
> http_access deny CONNECT !SSL_ports
>
> acl Safe_ports port 443 563     # https, snews
> http_access deny !Safe_ports

Is this your only http_access rule? That would mean you only allow https
connections and no http connections.

> The machine hosting the squid is directly connected to the router, as I
> mentioned before it is the firewall also and no ACL are there!
> No it is not running in the transparent mode!
>
> Before deploying the SQUID, this webmail was normally opening.
>
> When trying to access a specific webmail like
> http://mailhost.ccc.com.om/mail it is giving the following:

If you only allow https as mentioned above, that will always be denied. Do
http connections to other servers work?

> Internet Explorer cannot display the webpage
> Most likely causes:
> You are not connected to the Internet.
> The website is encountering problems.
> There might be a typing error in the address.

This does not look like a Squid message denying access ... Please send all
your ACL and http_access rules from squid.conf so that we can have a look.

Regards,

Peter

--
Peter Albrecht, Novell Training Services
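
Peter's reading of the quoted fragment, as an added example that is not part of the original thread: a small Python model of how Squid walks http_access lines (first matching line wins, terms on a line are AND-ed, and when nothing matches the result is the opposite of the last line). The `acl CONNECT method CONNECT` line is an assumption taken from the stock squid.conf, since the post does not show it, and `decide()` is a hypothetical helper, not a Squid API.

```python
# Constructed input: the ACL lines from the post, plus the stock CONNECT acl.
POSTED = """
acl CONNECT method CONNECT      # assumed: stock definition, not shown in the post
acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports
acl Safe_ports port 443 563     # https, snews
http_access deny !Safe_ports
"""
# Same rules with port 80 added to Safe_ports, as in the stock squid.conf.
WIDENED = POSTED.replace("acl Safe_ports port", "acl Safe_ports port 80")

def parse(conf):
    """Collect port/method ACLs and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and tok[2] in ("port", "method"):
            _, values = acls.setdefault(tok[1], (tok[2], []))
            values.extend(tok[3:])          # values of one acl are OR-ed
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, method, port):
    kind, values = acl
    if kind == "method":
        return method in values
    for v in values:                        # single port or lo-hi range
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(conf, method, port):
    """Return 'allow' or 'deny' for one request, first matching line wins."""
    acls, rules = parse(conf)
    for action, terms in rules:
        # every term must match; a leading "!" negates the acl
        if all(acl_matches(acls[t.lstrip("!")], method, port) != t.startswith("!")
               for t in terms):
            return action
    # no line matched: the default is the opposite of the last line
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("widened", WIDENED)):
        for method, port in (("GET", 80), ("GET", 443), ("CONNECT", 443), ("CONNECT", 25)):
            print(name, method, port, decide(conf, method, port))
```

A request that Squid itself denies is logged as TCP_DENIED in access.log, which separates this case from a failure further upstream.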

Re: webmails are not accessible - SQUID 2.5.STABLE12

shijjawi
Hi Peter,

No, this is only the https rule, I wrote it down to illustrate that the
https ports are open.
All http traffic is open.

Could you please give me the commands needed to install SQUID 2.6
according to Tek's advice.
I got the file from the site, I have some worries as the upgrade might
affect the current setup!



Thank you,
Simsam






Re: webmails are not accessible - SQUID 2.5.STABLE12

Tek Bahadur Limbu
Hi Simsam,

[hidden email] wrote:

> Hi Peter,
>
> No, this is only the https rule, I wrote it done to illustrate that the
> https ports are open.
> All http traffic are opened.
>
> Could you please give me the commands needed to install SQUID 2.6
> according to tek's advise.
> I got the file from the site, I have some worries as the upgrade might
> affect the current setup!

Did you install Squid-2.5 with SUSE's package management tool or did you
install it from source?

Whichever method you had used, you can just keep the old Squid binary
and its configuration files just in case something goes wrong with the
Squid-2.6 installation!

The following installation steps might help:


(1.)  tar zxvf squid-2.6.STABLE14.tar.gz

(2.)  cd squid-2.6.STABLE14/

(3.)  ./configure  --bindir=/usr/local/sbin \
      --sysconfdir=/usr/local/etc/squid \
      --datadir=/usr/local/etc/squid \
      --libexecdir=/usr/local/libexec/squid \
      --localstatedir=/usr/local/squid \
      --enable-removal-policies=heap,lru \
      --enable-storeio=diskd,aufs,coss,ufs,null \
      --enable-snmp \
      --enable-epoll \
      --with-large-files \
      --prefix=/usr/local \
      --disable-ident-lookups \
      --enable-underscores \
      --with-large-files \
      --disable-http-violations \
      --enable-delay-pools \
      --with-maxfd=8192


(4.)  make all

(5.)  make install

(6.)  vi /usr/local/etc/squid/squid.conf

(7.)  /usr/local/sbin/squid -z

(8.)  /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf


Note: Your compilation parameters may differ. Please adjust accordingly
to your demands and needs.

If your SUSE Linux box has installed and updated all the required
development tools, then the installation should be a breeze!

Remember to read the default squid.conf which comes with the new
installation.

Also check this out:

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14-RELEASENOTES.html


Happy Squid proxying with Squid-2.6STABLE14 !!!


Thanking you...



>
>
>
> Thank you,
> Simsam
>
>
>
>
>
> Peter Albrecht <[hidden email]>
> 09/05/2007 05:58 PM
>
> To
> [hidden email]
> cc
>
> Subject
> Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12
>
>
>
>
>
>
> Hi Simsam,
>
>> I am still beginner in this field but I could tell you that the proxy
>> itself is acting as a firewall, no specific protocol filtration  and
> here
>> is the acl for the SSL port:
>>
>> acl SSL_ports port 443 563
>> http_access deny CONNECT !SSL_ports
>>
>> acl Safe_ports port 443 563     # https, snews
>> http_access deny !Safe_ports
>
> Is this your only http_access rule? That would mean you only allow https
> connections and no http connections.
>
>> The machine hosting the squid is directly connected to the router, as I
>> mentioned before it is the firewall also and no ACL are there!
>> No it is not running in the transparent mode!
>>
>> Before deploying the SQUID, this webmail was normally opening.
>>
>> When trying to access a specific webmail like
>> http://mailhost.ccc.com.om/mail it is giving the following:
>
> If you only allow https as mentioned above, that will always be denied. Do
>
> http connections to other servers work?
>
>> Internet Explorer cannot display the webpage
>> Most likely causes:
>> You are not connected to the Internet.
>> The website is encountering problems.
>> There might be a typing error in the address.
>
> This does not look like a Squid message denying access ... Please send all
>
> your ACL and http_access rules from squid.conf so that we can have a look.
>
> Regards,
>
> Peter
>


--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np

Re: webmails are not accessible - SQUID 2.5.STABLE12

Manoj Rajkarnikar
On Thu, 6 Sep 2007, Tek Bahadur Limbu wrote:

> Hi Simsam,
>
> [hidden email] wrote:
>> Hi Peter,
>> No, this is only the https rule, I wrote it done to illustrate that the
>> https ports are open.
>> All http traffic are opened.
>>
>> Could you please give me the commands needed to install SQUID 2.6 according
>> to tek's advise.
>> I got the file from the site, I have some worries as the upgrade might
>> affect the current setup!
>
> Did you install Squid-2.5 with SUSE's package management tool or did you
> install it from source?
>
> Which ever method you had used, you can just keep the Old Squid binary and
> it's configuration files just in case something goes wrong with the Squid-2.6
> installation!
>
> The following installation steps might help:
>
>
> (1.)  tar zxvf squid-2.6.STABLE14.tar.gz
>
> (2.)  cd squid-2.6.STABLE14/
>
> (3.)  ./configure  --bindir=/usr/local/sbin \

I'd rather do it as :

./configure --prefix=/usr/local/squid26

so that it puts all the squid 2.6 related files in single directory. for
easier access of config files and binary and logs, I'd create the symlinks
to my fav path. Just a point to share.

>
> --sysconfdir=/usr/local/etc/squid \
> --datadir=/usr/local/etc/squid \
> --libexecdir=/usr/local/libexec/squid \
> --localstatedir=/usr/local/squid \
> --enable-removal-policies=heap,lru \
> --enable-storeio=diskd,aufs,coss,ufs,null \
> --enable-snmp \
> --enable-epoll \
> --with-large-files \
> --prefix=/usr/local \
> --disable-ident-lookups  \
> --enable-underscores \
> --with-large-files \
> --disable-http-violations \
> --enable-delay-pools \
> --with-maxfd=8192
>
>
> (4.)  make all
>
> (5.)  make install
>
> (6.)  vi /usr/local/etc/squid/squid.conf
>
> (7.)  /usr/local/sbin/squid -z
>
> (8.)  /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
>
>
> Note: Your compilation parameters may differ. Please adjust accordingly to
> your demands and needs.
>
> If your SUSE Linux box has installed and updated all the required development
> tools, then the installation should be a breeze!
>
> Remember to read the default squid.conf which comes with the new
> installation.
>
> Also check this out:
>
> http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE14-RELEASENOTES.html
>
>
> Happy Squid proxying with Squid-2.6STABLE14 !!!
>
>
> Thanking you...
>
>
>
>>
>>
>>
>> Thank you,
>> Simsam
>>
>>
>>
>>
>>
>> Peter Albrecht <[hidden email]> 09/05/2007 05:58 PM
>>
>> To
>> [hidden email]
>> cc
>>
>> Subject
>> Re: [squid-users] webmails are not accessible - SQUID 2.5.STABLE12
>>
>>
>>
>>
>>
>>
>> Hi Simsam,
>>
>>> I am still beginner in this field but I could tell you that the proxy
>>> itself is acting as a firewall, no specific protocol filtration  and
>> here
>>> is the acl for the SSL port:
>>>
>>> acl SSL_ports port 443 563
>>> http_access deny CONNECT !SSL_ports
>>>
>>> acl Safe_ports port 443 563     # https, snews
>>> http_access deny !Safe_ports
>>
>> Is this your only http_access rule? That would mean you only allow https
>> connections and no http connections.
>>
>>> The machine hosting the squid is directly connected to the router, as I
>>> mentioned before it is the firewall also and no ACL are there!
>>> No it is not running in the transparent mode!
>>>
>>> Before deploying the SQUID, this webmail was normally opening.
>>>
>>> When trying to access a specific webmail like
>>> http://mailhost.ccc.com.om/mail it is giving the following:
>>
>> If you only allow https as mentioned above, that will always be denied. Do
>> http connections to other servers work?
>>
>>> Internet Explorer cannot display the webpage
>>> Most likely causes:
>>> You are not connected to the Internet. The website is encountering
>>> problems. There might be a typing error in the address.
>>
>> This does not look like a Squid message denying access ... Please send all
>> your ACL and http_access rules from squid.conf so that we can have a look.
>>
>> Regards,
>>
>> Peter
>>
>
>
>

--

Re: webmails are not accessible - SQUID 2.5.STABLE12

Henrik Nordström
In reply to this post by shijjawi
On ons, 2007-09-05 at 17:19 +0400, [hidden email] wrote:

> Thank you for your help, actually I meant private webmails like my
> company's one that has the central exchange server in the head office
> taking in consideration that my network is not a subnet from their
> network, hotmail is running normally, Yahoo, Gmail .... etc.

Exchange.. then probably NTLM authentication is used on the server.

Try upgrading to Squid-2.6. It has the needed protocol workarounds to be
able to deal with the protocol violations introduced by Microsoft in
their NTLM/Negotiate authentication "schemes" of things...

Regards
Henrik
