4th November 2008, 11:21 AM #1 Squid hates SSL connections?
Hi all.
I finally managed to get squid and dansguardian working together using NTLM. But it seems to hate SSL for some reason. It throws up an error 407 in the squid access log. But squid accesses normal http sites with no problem.
Here is the set up:
Ubuntu Server 8.10
Squid 2.7 Stable 3
Dansguardian 2.9.9.7
Clients -> Dansguardian -> Squid -> Parent proxy (E2BN Cachepilot).
Any ideas?
Cheers peeps
4th November 2008, 11:37 AM #2 Do you mean cachebox... cachepilot isn't E2BN. Might be the fact the cache box isn't the parent.
4th November 2008, 11:41 AM #3 Can your squid box connect out on https port 443 OK?
4th November 2008, 11:55 AM #4 Cachepilot is the filtering software that county set up. The Cachepilot is in the school and that goes out to a parent proxy that county has off our site.
I tried connecting to the county parent with the cache_peer command but it only seems to work with our Cachepilot as a parent.
I forgot to add the outside parent to the diagram:
(Client -> Dans -> Squid -> School Proxy Squid 2.4 and Cachepilot) -> County parent proxy
4th November 2008, 11:59 AM #5 I haven't tested port 443 directly from the squid box. Tried from the web browser on a client compy but with no luck. Even WSUS hates synchronizing through it as it uses ssl methinks. That's the main reason why I made a proxy that uses NTLM. And I hate pop up login boxes.
Is there a command I can use on the squid box to test port 443?
Thanks.
4th November 2008, 12:04 PM #6 Code:
wget https://somewhere/
4th November 2008, 12:13 PM #7 What's your LEA?
Edit:
Ah Norfolk... Suffolk and Cambs are using E2BN Protex. Didn't know anyone was still using Equiinet's Cachepilot. If you still can't figure it out (even with LEA support) contact E2BN directly, Simon Bright normally deals with these sorts of things.
Last edited by matt40k; 4th November 2008 at 12:18 PM.
4th November 2008, 12:59 PM #8 Our LEA is Norfolk County Council.
I tried wget https://help.ubuntu.com from the squid box but it times out.
Bahh.
4th November 2008, 03:15 PM #9 If it's any help, I get this sorta stuff in the access.log.
1225811336.380 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
4th November 2008, 03:16 PM #10 Contact Norfolk LEA\E2BN, it's prob something to stop people using SSL tunnels.
Might be where it's trying to pass on the user\pass, which are failing.
4th November 2008, 03:22 PM #11 Originally Posted by Cragzman:
If it's any help, I get this sorta stuff in the access.log.
1225811336.380 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
You should be going via the upstream proxy for SSL connections, shouldn't you? Because from that log entry it looks like your squid is (failing to) go direct.
4th November 2008, 03:51 PM #12 Squid to Parent:
Code:
cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword
127.0.0.1 = LEA IP/URL with 8080 as port, or change.
Code:
login=(username):(password)
if you require one; if not, remove the login string.
The above is my redirection from Squid to DG.
4th November 2008, 03:57 PM #13 I have tweaked the squid.conf a bit to connect to the parent for ssl. I can get onto https://help.ubuntu.com with no problems in the web browser, but it still says 407 in the log.
But I think aiming ssl at the parent has worked as the parent doesn't show 407 errors in the logs. RESULT!!!
Now to get windows/microsoft update to work. I know there are issues with that and squid. I take it I need acl stuff again.
4th November 2008, 04:14 PM #14 Originally Posted by Cragzman:
I have tweaked the squid.conf a bit to connect to the parent for ssl. I can get onto https://help.ubuntu.com with no problems in the web browser, but it still says 407 in the log.
But I think aiming ssl at the parent has worked as the parent doesn't show 407 errors in the logs. RESULT!!!
Now to get windows/microsoft update to work. I know there are issues with that and squid. I take it I need acl stuff again.
Minefield, here's mine from my conf, feel free to pinch, works perfectly.
Code:
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
quick_abort_min -1 KB
quick_abort_max 512 KB
quick_abort_pct 50
FLV, first instance is FORCED caching of youtube videos, works a charm.
4th November 2008, 04:16 PM #15 If your Squid box is correctly forwarding to parents you should see the following in your access.log files:
TCP_MISS/200 5395 GET http://wwwimages.adobe.com/www.adobe...ash_player.png u.sername FIRST_UP_PARENT/127.0.0.1 image/png
However, with NTLM authentication the following happens in digest of authentication.
TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
then
TCP_MISS/200 1796 CONNECT 207.46.112.193:443 u.sername FIRST_UP_PARENT/127.0.0.1 text/html
Just how NTLM authenticates itself: 2 denied as it tries to fetch without authentication, then realises it does need to authenticate and does so.
Last edited by ahuxham; 4th November 2008 at 04:22 PM.
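An added example (not from the thread or from Squid itself) that parses native-format access.log lines like the ones quoted in posts #9 and #15 and tells the normal NTLM pattern (407, 407, then 200 via a parent) apart from tunnels that never get past 407 or that go direct with NONE/- instead of via the upstream proxy. The log entries inside it are constructed from the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Squid native access.log layout:
#   time elapsed client action/status bytes method url user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
1225811336.380 1 10.103.0.3 TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
1225811336.395 1 10.103.0.3 TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
1225811336.410 120 10.103.0.3 TCP_MISS/200 1796 CONNECT 207.46.112.193:443 u.sername FIRST_UP_PARENT/127.0.0.1 text/html
1225811340.001 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
1225811340.020 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
""".splitlines()

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify_connects(lines):
    """Group CONNECT (SSL tunnel) requests by (client, destination) and say
    whether each one got through the NTLM challenge and out via a parent."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            groups[(rec["client"], rec["url"])].append(rec)
    verdicts = {}
    for key, recs in groups.items():
        statuses = [r["status"] for r in recs]
        done = [r for r in recs if r["status"] == 200]
        if done:
            last = done[-1]
            if last["user"] != "-" and last["hier"] != "NONE":
                verdicts[key] = "handshake_ok"   # 407, 407, then 200 via a parent: normal NTLM
            else:
                verdicts[key] = "ok_but_direct"  # tunnelled, but not through the upstream proxy
        elif all(s == 407 for s in statuses):
            verdicts[key] = "stuck_407"          # only challenges, never authenticated
        else:
            verdicts[key] = "other"
    return verdicts
```

Run it over a real access.log with `classify_connects(open("access.log"))`; destinations that come back as "stuck_407" are the ones the thread is chasing.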