LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-16-2014, 08:26 PM   #1
ganesh24pal@gmail.com
Member
 
Registered: Jun 2010
Location: Mumbai, India
Distribution: CentOS , Fedora, Open Suse
Posts: 193
Blog Entries: 5

Rep: Reputation: 3
TCP_DENIED/407 4606 GET http://appexdb3.stb.s-msn.com/emeaappex/i/C3/6F8BF749429B1D86


Hi,

We have installed CentOS 6.4 + Squid 3.

We have configured Squid with NTLM authentication.

Users accessing the internet via the Squid proxy are working fine, but they are unable to access "https" or 443 sites. The error says "TCP_DENIED/407".

Please find the logs below.

1) squid.conf
Quote:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
dns_nameservers 4.2.2.2 8.8.8.8
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl manager proto cache_object
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow auth
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
2) smb.conf
Quote:
[global]
workgroup = NEAD
netbios name = INPROXY
hosts allow = 10.211.0.0 127.
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/log.%m
max log size = 50
security = ADS
#password server = winmumi002.nead.danet
realm = NEAD.DANET
#winbind separator = \
winbind separator = =
#encrypt password = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
#idmap uid = 10000-20000
#idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = yes

3) krb5.conf
Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = NEAD.DANET
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
NEAD.DANET = {
kdc = winmumi002.nead.danet
admin_server = winmumi002.nead.danet
default_domain = nead.danet
}

[domain_realm]
.nead.danet = NEAD.DANET
nead.danet = NEAD.DANET
5) nsswitch.conf

Quote:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

#passwd: files
shadow: files
#group: files
passwd:compat winbind
group:compat winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

 
Old 08-16-2014, 08:27 PM   #2
ganesh24pal@gmail.com
Original Poster
I am trying to Google, but no luck. I am still trying.

Last edited by ganesh24pal@gmail.com; 08-16-2014 at 08:39 PM.
 
Old 08-17-2014, 09:43 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by ganesh24pal@gmail.com View Post
I am trying to Google, but no luck. I am still trying.
Really? Because putting the error into Google pulls up thousands of hits...many on this very site, which you could find if you tried to look:
http://www.squid-cache.org/mail-arch...1008/0571.html
http://www.linuxquestions.org/questi...g-well-934441/
http://oss.org.cn/man/newsoft/squid/...AQ/FAQ-23.html
http://www.linuxquestions.org/questi...ss-log-469574/
http://squid-web-proxy-cache.1019090...td4662372.html

What you're posting indicates either a failure in NTLM authentication, or the way you have Squid set up to handle HTTPS requests isn't correct. Since you've been using Squid for SEVERAL years now, it should be easy for you to diagnose this.
 
Old 08-17-2014, 08:47 PM   #4
ganesh24pal@gmail.com
Original Poster
Hi Tbone,

The http port is working fine. The problem is with https, or port 443.
 
Old 08-17-2014, 09:28 PM   #5
TB0ne
Quote:
Originally Posted by ganesh24pal@gmail.com View Post
Hi Tbone,
The http port is working fine. The problem is with https, or port 443.
Right...which is what was said initially, and was covered VERY clearly in the links that were looked up for you. Did you read/understand them?

AGAIN, the error(s) you're getting are either because your NTLM setup is wrong, or because your https settings in squid/iptables are wrong. Check them, and correct the errors.
 
Old 08-18-2014, 01:32 AM   #6
ganesh24pal@gmail.com
Original Poster
Hi Tbone,

Thanks for the guidance, I will do my best.

=====================

8343416.274 81888 10.211.2.101 TCP_MISS/200 5390 CONNECT www.google.co.in:443 indiahe-adm DIRECT/173.194.127.127 -
1408343423.212 291 10.211.2.101 TCP_MISS/200 776 GET http://msncricket.com/flash-gadget-list.xml? indiahe-adm DIRECT/119.81.115.196 text/xml
1408343425.188 116318 10.211.2.234 TCP_MISS/200 4151 CONNECT bluestacks-cloud.appspot.com:443 indiahe-adm DIRECT/74.125.23.141 -
1408343427.341 306 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? indiahe-adm DIRECT/50.16.200.46 image/gif
1408343430.471 59875 10.211.2.234 TCP_MISS/503 0 CONNECT www.facebook.com:443 indiahe-adm DIRECT/59.24.3.173 -
1408343442.392 357 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? indiahe-adm DIRECT/50.16.200.46 image/gif
1408343451.896 0 10.211.2.234 TCP_DENIED/407 3781 CONNECT a.config.skype.com:443 - NONE/- text/html

=======================================
 
Old 08-18-2014, 02:23 AM   #7
ganesh24pal@gmail.com
Original Poster
Hi Tbone,

Now I have commented out all the NTLM lines and opened the proxy to the whole network; now the problem is different.

1) Squid
Quote:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl nutricia_network src 10.211.0.0/16

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
dns_nameservers 10.211.1.51
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 30
#auth_param ntlm keep_alive on
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
#acl manager proto cache_object
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#acl auth proxy_auth REQUIRED

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow nutricia_network
#http_access deny !auth
#http_access allow auth
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128
http_port 8080

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
2) Error
Quote:
- DIRECT/46.51.216.25 text/html
1408345818.110 231 10.211.2.234 TCP_REFRESH_UNMODIFIED/200 8867 GET http://platform.twitter.com/widgets/hub.html - DIRECT/199.96.57.6 text/html
1408345824.742 19568 10.211.2.234 TCP_MISS/200 52729 GET http://connect.facebook.net/en_US/all.js - DIRECT/23.2.134.221 application/x-javascript
1408345825.964 7769 10.211.2.234 TCP_MISS/200 946 GET http://ocsp.digicert.com/MFEwTzBNMEs...F9Lv1AOMPzs%3D - DIRECT/117.18.237.29 application/ocsp-response
1408345831.966 26805 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? - DIRECT/54.225.131.223 image/gif
1408345831.967 14083 10.211.2.234 TCP_MISS/200 3629 CONNECT platform.twitter.com:443 - DIRECT/199.96.57.6 -
1408345834.721 21547 10.211.2.234 TCP_MISS/200 1617 GET http://crifeeds.timesofindia.indiati...Calender.json? - DIRECT/184.51.15.117 application/json
1408345835.438 265 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? - DIRECT/54.225.131.223 image/gif
1408345840.046 60709 10.211.2.234 TCP_MISS/503 0 CONNECT www.facebook.com:443 - DIRECT/59.24.3.173 -

1408345843.575 1789 10.211.2.234 TCP_REFRESH_MODIFIED/200 490 GET http://timesofindia.indiatimes.com/b...akingnews.html - DIRECT/205.169.30.217 text/html
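To see why the first squid.conf (post #1) answers a CONNECT with 407 while the post #7 config lets the same request through, here is an added example, not Squid's own code and not part of this thread, that walks the posted http_access lines with Squid's first-match semantics: terms on a line are ANDed left to right, the first fully matching line decides, and a proxy_auth term reached on a request with no credentials makes Squid send the 407 challenge instead of deciding. The names Request, ACLS, RULES_NTLM, RULES_OPEN, term_matches and evaluate are this example's own, and the assumption that any presented username is accepted stands in for the ntlm_auth helper.

```python
"""First-match walk of the http_access rules posted in this thread.

Added example, not Squid's own code. It models only the ACL types the
posted squid.conf uses (src, port, method, proto, proxy_auth). When a
proxy_auth term is reached on a request that carries no credentials, Squid
cannot decide the line and answers 407 so the client can authenticate; that
is what a TCP_DENIED/407 line in access.log records. With credentials this
model treats the user as valid, where real Squid would ask ntlm_auth.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Request:
    src: str                    # client IP
    method: str                 # GET, CONNECT, ...
    port: int                   # destination port
    user: Optional[str] = None  # None: no Proxy-Authorization header sent
    proto: str = "http"         # "cache_object" only for cachemgr requests


# ACL definitions as in the posted squid.conf (post #1, plus nutricia_network from post #7).
ACLS = {
    "manager":          ("proto", {"cache_object"}),
    "localhost":        ("src", ["127.0.0.1/32", "::1"]),
    "localnet":         ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10"]),
    "nutricia_network": ("src", ["10.211.0.0/16"]),
    "SSL_ports":        ("port", {443}),
    "Safe_ports":       ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))),
    "CONNECT":          ("method", {"CONNECT"}),
    "auth":             ("proxy_auth", None),
}

# http_access lines in the order they appear in the posted configs.
RULES_NTLM = [  # post #1: credentials required for everyone except localhost
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["auth"]),
    ("deny",  ["all"]),
]
RULES_OPEN = [  # post #7: NTLM commented out, whole 10.211.0.0/16 allowed
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["nutricia_network"]),
    ("deny",  ["all"]),
]


def term_matches(term: str, req: Request) -> Optional[bool]:
    """True/False for a decided term; None when credentials are needed before it can be decided."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":
        matched = True
    else:
        kind, values = ACLS[name]
        if kind == "src":
            ip = ipaddress.ip_address(req.src)
            matched = any(ip in ipaddress.ip_network(n) for n in values)
        elif kind == "port":
            matched = req.port in values
        elif kind == "method":
            matched = req.method in values
        elif kind == "proto":
            matched = req.proto in values
        else:  # proxy_auth
            if req.user is None:
                return None          # Squid answers 407 here
            matched = True           # assumption: any presented user is accepted
    return matched != negate


def evaluate(rules: List[Tuple[str, List[str]]], req: Request) -> Tuple[str, int]:
    """Return (outcome, index of the deciding http_access line); outcome is allow, deny or challenge-407."""
    for idx, (action, terms) in enumerate(rules):
        line_matches = True
        for term in terms:
            m = term_matches(term, req)
            if m is None:
                return ("challenge-407", idx)
            if not m:
                line_matches = False
                break                # a non-matching term ends this line
        if line_matches:
            return (action, idx)
    # Squid's default when no line matches is the opposite of the last line's action
    # (never reached here, both posted configs end in "deny all").
    return ("allow" if rules[-1][0] == "deny" else "deny", len(rules))


if __name__ == "__main__":
    skype = Request("10.211.2.234", "CONNECT", 443)  # the TCP_DENIED/407 line from post #6
    print("NTLM config, no credentials  :", evaluate(RULES_NTLM, skype))
    print("NTLM config, user presented  :", evaluate(RULES_NTLM, Request("10.211.2.234", "CONNECT", 443, user="indiahe-adm")))
    print("open config, no credentials  :", evaluate(RULES_OPEN, skype))
    print("open config, CONNECT to 8443 :", evaluate(RULES_OPEN, Request("10.211.2.234", "CONNECT", 8443)))
```

The walk shows the ordering that matters for a defender: `deny CONNECT !SSL_ports` still blocks tunnels to any port other than 443 in both configs, and the `localnet` ACL is defined but never referenced by an http_access line, so under the post #7 config a client outside 10.211.0.0/16 falls through to `deny all`.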
 
Old 08-18-2014, 09:09 AM   #8
TB0ne
Quote:
Originally Posted by ganesh24pal@gmail.com View Post
Hi Tbone,
Now I have commented out all the NTLM lines and opened the proxy to the whole network; now the problem is different.
...which says that you had errors in your NTLM configuration that you still haven't fixed. Again, since you've been using Squid for years now, and you said yourself that you were 'trying to Google, but no luck', I don't see how you missed the MANY guides to configuring NTLM, like the ones you were handed after someone else looked them up for you.
Quote:
2) Error
Code:
- DIRECT/46.51.216.25 text/html
1408345818.110 231 10.211.2.234 TCP_REFRESH_UNMODIFIED/200 8867 GET http://platform.twitter.com/widgets/hub.html - DIRECT/199.96.57.6 text/html
1408345824.742 19568 10.211.2.234 TCP_MISS/200 52729 GET http://connect.facebook.net/en_US/all.js - DIRECT/23.2.134.221 application/x-javascript
1408345825.964 7769 10.211.2.234 TCP_MISS/200 946 GET http://ocsp.digicert.com/MFEwTzBNMEs...F9Lv1AOMPzs%3D - DIRECT/117.18.237.29 application/ocsp-response
1408345831.966 26805 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? - DIRECT/54.225.131.223 image/gif
1408345831.967 14083 10.211.2.234 TCP_MISS/200 3629 CONNECT platform.twitter.com:443 - DIRECT/199.96.57.6 -
1408345834.721 21547 10.211.2.234 TCP_MISS/200 1617 GET http://crifeeds.timesofindia.indiati...Calender.json? - DIRECT/184.51.15.117 application/json
1408345835.438 265 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? - DIRECT/54.225.131.223 image/gif
1408345840.046 60709 10.211.2.234 TCP_MISS/503 0 CONNECT www.facebook.com:443 - DIRECT/59.24.3.173 -
1408345843.575 1789 10.211.2.234 TCP_REFRESH_MODIFIED/200 490 GET http://timesofindia.indiatimes.com/b...akingnews.html - DIRECT/205.169.30.217 text/html
Did you look up what the 'problem' was? Again, since you've been using squid for years now, have you ever looked at the documentation?
http://wiki.squid-cache.org/SquidFaq...ogs#access.log

And the better question is, are you having any problems GETTING THOSE WEBSITES???
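The access.log FAQ linked above documents the native log fields. As an added example, not from this thread and not Squid's code, the script below parses the lines posted in this thread and separates the two failure modes under discussion: a 407 is the proxy asking for credentials (with NTLM every new client connection legitimately begins with one, so a 407 only points to a problem when the same client never follows it with an authenticated request), while a TCP_MISS/503 on a CONNECT with roughly a minute of elapsed time is a tunnel that could not be opened to the origin, which is not an authentication problem at all. The names Entry, parse_line, classify and summarize and the labels they produce are this example's own; the truncated lines are kept exactly as posted to show how damaged input is handled.

```python
"""Triage of Squid native access.log lines (added example, not from the thread).

Field order of Squid's native log format:
  time elapsed_ms client result/status bytes method url user hierarchy/peer type
The sample lines are the ones posted in this thread, including the truncated
first line of post #7; the classification labels are this example's own.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLE_LOG = """\
8343416.274 81888 10.211.2.101 TCP_MISS/200 5390 CONNECT www.google.co.in:443 indiahe-adm DIRECT/173.194.127.127 -
1408343423.212 291 10.211.2.101 TCP_MISS/200 776 GET http://msncricket.com/flash-gadget-list.xml? indiahe-adm DIRECT/119.81.115.196 text/xml
1408343425.188 116318 10.211.2.234 TCP_MISS/200 4151 CONNECT bluestacks-cloud.appspot.com:443 indiahe-adm DIRECT/74.125.23.141 -
1408343427.341 306 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? indiahe-adm DIRECT/50.16.200.46 image/gif
1408343430.471 59875 10.211.2.234 TCP_MISS/503 0 CONNECT www.facebook.com:443 indiahe-adm DIRECT/59.24.3.173 -
1408343442.392 357 10.211.2.234 TCP_MISS/200 384 GET http://ping.chartbeat.net/ping? indiahe-adm DIRECT/50.16.200.46 image/gif
1408343451.896 0 10.211.2.234 TCP_DENIED/407 3781 CONNECT a.config.skype.com:443 - NONE/- text/html
- DIRECT/46.51.216.25 text/html
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str      # TCP_MISS, TCP_DENIED, ...
    status: int      # HTTP status Squid returned to the client
    size: int
    method: str
    url: str
    user: str        # "-" when no accepted credentials were on this request
    hier: str        # DIRECT, NONE, ...
    peer: str
    ctype: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; None for anything that is not ten well-typed fields."""
    f = line.split()
    if len(f) != 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                     f[5], f[6], f[7], hier, peer, f[9])
    except ValueError:
        return None


def classify(e: Entry) -> str:
    """Label the outcome a line records (labels are this example's own)."""
    if e.status == 407:
        return "auth-challenge"   # proxy wants credentials; user field shows none were accepted
    if e.method == "CONNECT" and e.status == 503:
        return "connect-failed"   # tunnel to the origin not opened; elapsed_ms shows how long Squid waited
    if e.result == "TCP_DENIED":
        return "denied"           # some other http_access deny
    if 200 <= e.status < 400:
        return "ok"
    return "other"


def summarize(log_text: str) -> Dict[str, object]:
    """Count outcomes overall and, per client, 407s against authenticated successes."""
    outcomes: Counter = Counter()
    per_client: Dict[str, Dict[str, int]] = defaultdict(lambda: {"challenges": 0, "authed_ok": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e is None:
            outcomes["malformed"] += 1
            continue
        label = classify(e)
        outcomes[label] += 1
        if label == "auth-challenge":
            per_client[e.client]["challenges"] += 1
        elif label == "ok" and e.user != "-":
            per_client[e.client]["authed_ok"] += 1
    return {"outcomes": dict(outcomes), "per_client": dict(per_client)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["outcomes"])
    for client, c in sorted(report["per_client"].items()):
        if c["challenges"] and c["authed_ok"]:
            verdict = "challenged, but other requests authenticate fine"
        elif c["challenges"]:
            verdict = "challenged and never authenticated"
        else:
            verdict = "no 407s"
        print(f"{client}: {c} -> {verdict}")
```

On the posted lines the report shows 10.211.2.234 receiving one 407 (a CONNECT with no user) while three of its other requests carry an accepted user, and a separate 503 on the CONNECT to www.facebook.com after about 60 seconds, which fits the ISP problem the original poster later reports rather than an NTLM failure.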
 
Old 09-03-2014, 08:36 AM   #9
ganesh24pal@gmail.com
Original Poster
Hi Tbone,

There were 2 issues.

1) An ISP issue, which we got resolved.
2) Disable IPv6. Make this entry in the /etc/sysctl file.

Quote:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Now internet is working fine.
 
  

