Re: [squid-users] Java not working behind squid

From: Thomas Klein <mailinglist-postfixbuch_at_online.de>
Date: Thu, 18 Mar 2010 23:25:25 +0100

Amos Jeffries wrote:
> On Wed, 17 Mar 2010 23:21:44 +0100, Thomas Klein
> <mailinglist-postfixbuch_at_online.de> wrote:
>
>> Truth Seeker wrote:
>>
>>>>>> http_access deny !AuthorizedUsers
>>>>>
>>>>> ... performs authentication. Which was your problem with Java...
>>>>>
>>>>> order is important!
>>>>>
>>>> So does it mean, I need to put them as the following;
>>>>
>>>> ### For JAVA
>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>> acl testnet src 192.168.7.0/24
>>>> acl testnet src 192.168.8.0/24
>>>> http_access allow testnet Java
>>>>
>>>> http_access deny !AuthorizedUsers
>>>>
>>> Yes when I modified as the above, it's working fine....
>>>
>>> Now another doubt. Will this solve the issues related to all the java
>>> sites?
>>>
>> Hi there,
>>
>> I have actually also the problem that java-applications are in no way
>> able to get a working connect to the internet, but this workaround with
>> the example of http://www.dailyfx.com/ doesn't work for me in any
>> case....
>>
>> My test-user matches the acl "gruppe_vollzugriff" - I'm using
>> 2.7.STABLE3-4.1 on Debian Lenny with squidguard 1.4. I also use NTLM
>> auth against an AD.
>>
>> If I do it in this way:
>>
>> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
>> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
>> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
>> acl gruppe_test external wbinfo_group Proxygruppe-test
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> acl localnet src 172.1.0.0/19
>> ...
>> http_access allow localnet Java
>> http_access allow gruppe_azubis erlaubte_seiten_azubis
>> http_access allow gruppe_standarduser
>> http_access allow gruppe_test
>> http_access allow gruppe_vollzugriff
>> http_access deny all
>>
>> I get in access.log the following:
>> 1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>> 1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>> 1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>> 1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>>
>>
>> If I modify the order of the http_access line in this way:
>>
>> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
>> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
>> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
>> acl gruppe_test external wbinfo_group Proxygruppe-test
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> acl localnet src 172.1.0.0/19
>> ...
>> http_access allow gruppe_azubis erlaubte_seiten_azubis
>> http_access allow gruppe_standarduser
>> http_access allow gruppe_test
>> http_access allow gruppe_vollzugriff
>> http_access allow localnet Java
>> http_access deny all
>>
>> I get the following output in the log:
>> 1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
>> 1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>>
>>
>> As I described, java isn't able to get a working connect to the
>> internet. What's wrong in my case? I would be glad if you have a hint
>> for me....
>>
>
> There is some form of deny line happening outside the set you showed.
> Which blocks the first configuration form working. The Java auth problem
> blocks the second.
>
> Amos
>
>
Thank you for your hint - I'm using squidGuard, and this seems to be the
problem. If I comment out the following line from squid.conf, Java works
fine:
url_rewrite_program /root/squidGuard -c /etc/squid/squidGuard.conf

Ok so far - I'm now a step closer but I'm afraid that's not the
solution, because if I disable the content filter from squidGuard, my
boss will kill me ;)

I checked the squidGuard logfiles, but there is nothing to find about
authentication and so on.... only the database updates are being logged.
Because the AD-Authentication from squidguard did not work, I'm pulling
with "net rpc group members" every 10 minutes all members of the
necessary AD-Groups into a local file for each access group in the
squidguard-Database directory, and squidguard looks into these files for
finding the usernames there.

This works so far for the whole internet access, but Java seems to get
in trouble with this. The case is also strange, that squidguard does not
log any information about authentication or something about the
filtering in its logfiles - don't know if that's ok?!?

Here is the end of my squidGuard.conf, above these lines are only the
allocations for the filter groups:

src standarduser {
        userlist squidGuard-standarduser
}

src azubis {
        userlist squidGuard-azubis
}

src test {
        userlist squidGuard-test
}

acl {

        taa-test {
                pass !blacklist-test
                redirect http://proxy.domain.local/site_blocked.php?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
        }

        standarduser {
                pass whitelist !blacklist !adv !aggressive !alcohol !automobile-bikes !automobile-boats !automobile-cars
                redirect http://proxy.domain.local/site_blocked.php?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
        }

        azubis {
                pass azubis-erlaubte-seiten
                redirect http://proxy.domain.local/site_blocked.htm?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
        }

        vollzugriff {
                pass all
        }

        default {
                pass none
                redirect http://proxy.domain.local/no_access.htm
        }

}

Perhaps you have another good idea to fix this? Thanks in advance for
your assistance....

best regards
Thomas
Received on Thu Mar 18 2010 - 22:26:34 MDT
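
Added example, not part of the original message and not Squid code: a simplified Python model of first-match http_access evaluation, applied to the two rule orders quoted in this thread, showing why an unauthenticated Java request passes in one order and gets TCP_DENIED/407 in the other. Assumptions: the azubis line is left out because erlaubte_seiten_azubis is not shown in the thread, the url_rewrite_program (squidGuard) stage is not modelled, and the sample requests and the user name are constructed.

```python
import ipaddress
import re

# Values taken from the quoted squid.conf; the evaluation logic is a simplified model.
LOCALNET = ipaddress.ip_network("172.1.0.0/19")
JAVA_UA = re.compile(r"Java/1.4|Java/1.5|Java/1.6")   # "browser" ACL: regex on User-Agent
GROUP_ACLS = {"gruppe_standarduser", "gruppe_test", "gruppe_vollzugriff"}

# Each entry is one "http_access allow ..." line; both orders end in "deny all".
ORDER_A = [["localnet", "Java"], ["gruppe_standarduser"],
           ["gruppe_test"], ["gruppe_vollzugriff"]]
ORDER_B = ORDER_A[1:] + ORDER_A[:1]                    # Java line moved to the end


def match(acl, req):
    """Return True/False, or "AUTH" when the ACL needs a login the request lacks."""
    if acl == "localnet":
        return ipaddress.ip_address(req["src"]) in LOCALNET
    if acl == "Java":
        return bool(JAVA_UA.search(req.get("user_agent", "")))
    if acl in GROUP_ACLS:
        if req.get("user") is None:
            return "AUTH"
        return acl in req.get("groups", ())
    raise ValueError("unknown ACL: " + acl)


def http_access(rules, req):
    """Lines are tried top-down; ACLs on a line are ANDed left to right."""
    for acls in rules:
        for acl in acls:
            result = match(acl, req)
            if result == "AUTH":
                return "TCP_DENIED/407"                # proxy auth challenge
            if not result:
                break                                  # line does not match, try next
        else:
            return "ALLOWED"
    return "TCP_DENIED/403"                            # final "http_access deny all"


# Constructed sample requests.
JAVA_REQ = {"src": "172.1.0.128", "user_agent": "Java/1.6.0_18", "user": None}
BROWSER_REQ = {"src": "172.1.0.128", "user_agent": "Mozilla/5.0",
               "user": "testuser", "groups": ["gruppe_vollzugriff"]}

if __name__ == "__main__":
    for name, rules in (("order A", ORDER_A), ("order B", ORDER_B)):
        print(name, http_access(rules, JAVA_REQ), http_access(rules, BROWSER_REQ))
```

In the first order the Java line is decided on source address and the client-supplied User-Agent alone, so the src ACL is the only effective restriction on that rule.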
