#1 Cragzman

    Squid hates SSL connections?

    Hi all.

    I finally managed to get squid and dansguardian working together using NTLM. But it seems to hate SSL for some reason. It throws up an error 407 in the squid access log. But squid accesses normal http sites with no problem.

    Here is the set up:

    Ubuntu Server 8.10
    Squid 2.7 Stable 3
    Dansguardian 2.9.9.7

    Clients -> Dansguardian -> Squid -> Parent proxy (E2BN Cachepilot).

    Any ideas?

    Cheers peeps

#2 matt40k

    Do you mean cachebox... cachepilot isn't E2BN. Might be the fact the cache box isn't the parent.

#3 RabbieBurns

    Can your squid box connect out on https port 443 ok?

#4 Cragzman

    Cachepilot is the filtering software that county set up. The Cachepilot is in the school and that goes out to a parent proxy that county has off our site.

    I tried connecting to the county parent with the cache_peer command but it only seems to work with our Cachepilot as a parent.

    I forgot to add the outside parent to the diagram:

    (Client -> Dans -> Squid -> School Proxy Squid 2.4 and Cachepilot) -> County parent proxy

#5 Cragzman

    I haven't tested port 443 directly from the squid box. Tried from the web browser on a client compy but with no luck. Even WSUS hates synchronizing through it as it uses ssl methinks. That's the main reason why I made a proxy that uses NTLM. And I hate pop up login boxes.

    Is there a command I can use on the squid box to test port 443?

    Thanks.

#6 Geoff

    Code:
    wget https://somewhere/

#7 matt40k

    What's your LEA?

    Edit:

    Ah Norfolk... Suffolk and Cambs are using E2BN Protex. Didn't know anyone was still using Equiinet's Cachepilot. If you still can't figure it out (even with LEA support) contact E2BN directly, Simon Bright normally deals with these sorts of things.
    Last edited by matt40k; 4th November 2008 at 12:18 PM.

#8 Cragzman

    Our LEA is Norfolk County Council.

    I tried wget https://help.ubuntu.com from the squid box but it times out.

    Bahh.

#9 Cragzman

    If it's any help, I get this sorta stuff in the access.log.

    1225811336.380 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html

#10 matt40k

    Contact Norfolk LEA\E2BN, it's prob something to stop people using SSL tunnels.

    Might be where it's trying to pass on the user\pass, which are failing.

#11 Geoff

    Quote Originally Posted by Cragzman:
    If it's any help, I get this sorta stuff in the access.log.

    1225811336.380 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
    You should be going via the upstream proxy for SSL connections, shouldn't you? Because from that log entry it looks like your squid is (failing to) go direct.

#12 ahuxham

    Squid to Parent:

    Code:
    cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword
    127.0.0.1 = LEA IP/URL with 8080 as port or change.

    Code:
    login=(username):(password)
    if you require one. If not, remove the login string.

    The above is my redirection from Squid to DG

#13 Cragzman

    I have tweaked the squid.conf a bit to connect to the parent for ssl. I can get onto https://help.ubuntu.com with no problems in the web browser, but it still says 407 in the log.

    But I think aiming ssl at the parent has worked as the parent don't show 407 errors in the logs. RESULT!!!

    Now to get windows/microsoft update to work. I know there are issues with that and squid. I take it I need acl stuff again.

#14 ahuxham

    Quote Originally Posted by Cragzman:
    I have tweaked the squid.conf a bit to connect to the parent for ssl. I can get onto https://help.ubuntu.com with no problems in the web browser, but it still says 407 in the log.

    But I think aiming ssl at the parent has worked as the parent don't show 407 errors in the logs. RESULT!!!

    Now to get windows/microsoft update to work. I know there are issues with that and squid. I take it I need acl stuff again.
    Minefield, here's mine from my conf, feel free to pinch, works perfectly.

    Code:
    refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
    refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
    refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
    refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10800 100% 43200 reload-into-ims
    refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

    quick_abort_min -1 KB
    quick_abort_max 512 KB
    quick_abort_pct 50
    FLV, first instance is FORCED caching of youtube videos, works a charm.

#15 ahuxham

    If your Squid box is correctly forwarding to parents you should see the following in your access.log files:

    TCP_MISS/200 5395 GET http://wwwimages.adobe.com/www.adobe...ash_player.png u.sername FIRST_UP_PARENT/127.0.0.1 image/png

    However, with NTLM authentication the following happens, in digest, during authentication:

    TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
    TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html

    then

    TCP_MISS/200 1796 CONNECT 207.46.112.193:443 u.sername FIRST_UP_PARENT/127.0.0.1 text/html

    Just how NTLM authenticates itself: 2 denied as it tries to fetch without authentication, then realises it does need to authenticate and does so.
    Last edited by ahuxham; 4th November 2008 at 04:22 PM.
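To make the log-reading advice in posts #9, #11 and #15 concrete, here is an added example (not from the thread, and not Squid's own tooling) that parses native-format access.log lines and sorts each client's CONNECT attempts into three buckets: the normal NTLM sequence of 407 challenges ending in a 200 through the parent, CONNECTs that never got past 407, and CONNECTs whose hierarchy code is DIRECT, meaning the parent was bypassed. The log lines inside it are constructed, modelled on the entries quoted above.

```python
from collections import defaultdict

# Constructed sample entries in Squid's native access.log layout (timestamps,
# client IPs and destinations are made up, modelled on the thread's examples).
SAMPLE_LOG = """\
1225811336.380 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
1225811336.410 1 10.103.0.3 TCP_DENIED/407 1762 CONNECT login.yahoo.com:443 - NONE/- text/html
1225811337.002 1 10.103.0.4 TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
1225811337.020 1 10.103.0.4 TCP_DENIED/407 1796 CONNECT 207.46.112.193:443 - NONE/- text/html
1225811337.350 2 10.103.0.4 TCP_MISS/200 1796 CONNECT 207.46.112.193:443 u.sername FIRST_UP_PARENT/127.0.0.1 text/html
1225811339.900 3 10.103.0.6 TCP_MISS/200 1796 CONNECT mail.example.invalid:443 u.sername DIRECT/192.0.2.10 text/html
1225811340.100 5 10.103.0.5 TCP_MISS/200 5395 GET http://www.example.invalid/logo.png u.sername FIRST_UP_PARENT/127.0.0.1 image/png
"""


def parse_line(line):
    """Native-format line (time elapsed client code/status bytes method url user peer/host type) -> dict, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    peer, _, _host = f[8].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "user": f[7], "peer": peer}


def classify_connects(log_text):
    """Map (client, destination) -> verdict for every CONNECT in the log.

    ok_via_parent  a 200 through a parent (after NTLM's two 407 challenges)
    auth_failed    only 407s: the client never completed authentication
    went_direct    a 200 with hierarchy DIRECT, i.e. the parent was bypassed
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "CONNECT":
            events[(e["client"], e["url"])].append(e)
    verdicts = {}
    for key, evs in events.items():
        ok = [e for e in evs if e["status"] == 200]
        if not ok:
            verdicts[key] = "auth_failed"
        elif any(e["peer"] == "DIRECT" for e in ok):
            verdicts[key] = "went_direct"
        else:
            verdicts[key] = "ok_via_parent"
    return verdicts
```

Point `classify_connects` at the contents of a real access.log and any `auth_failed` or `went_direct` entries are the ones worth chasing; `ok_via_parent` is the behaviour ahuxham describes.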
