Odp: Re: Odp: Re: [squid-users] Skype through SQUID integrated with AD

From: kazio wolny <mp3_klient_at_wp.pl>
Date: Mon, 30 Sep 2013 12:20:02 +0200

On Thursday, 26 September 2013 16:04 Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 26/09/2013 7:35 a.m., kazio wolny wrote:
> > On Wednesday, 25 September 2013 16:17 Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> >> On 26/09/2013 12:58 a.m., kazio wolny wrote:
> >>> Hello,
> >>>
> >>> I have been tired of this topic for two days already and I have no strength left, so please help ...
> >>>
> >>> I installed squid3 (v3.1.19) integrated with AD (according to http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy), allowing only users who belong to the Admin-Internet. Everything is OK for browsers and Kerberos, NTLM, even LDAP.
> >>> Only I have a problem with Skype - in access.log I see:
> >>> 1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE / - text / html;
> >>> 1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE / - text / html;
> >>> 1 1380113281.723 3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE / - text / html;
> >>> I tried to correct it as http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps.
> >> Well... if Skype did support authentication you would still see these
> >> log lines as part of the normal authentication challenge process. That
> >> goes for all authentication types, NTLM is somewhat special in that it
> >> always shows up with two 407 in a row like the *.22 client lines above.
> >>
> >> This may help you:
> >> https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server
> >>
> >> My experience is that Skype has supported proxies and authentication
> >> nicely enough in all releases for the last ~2 years not to need any
> >> special consideration in the proxy config.
> >>
> >> Amos
> > Thanks, but why doesn't Skype connect to servers?
>
> Skype is a P2P software. AFAIK these are not CONNECT to servers
> specifically, but are CONNECT to other people running Skype - which just
> happens to include the MS servers set up to relay packets. The requests
> to servers managing the Skype "phonebook" lookup requests may be one of
> these but usually a different HTTP transaction entirely.
>
> > In Skype I have these settings as in your link: use ports 80, 443; https proxy, address and port (10.22.94.130:8080). I tried with and without enabling proxy auth. Always the same...
> > When I disable auth on Squid, then Skype works great, so I'm thinking that this is the problem, but I can't solve it.. :-(
> >
> > Kazio
>
> Strange. From what I could see of your config there should be no
> problem. Are you certain that these 407 are being sent by your proxy and
> not by another? Are there any successful CONNECT from Skype happening
> amidst the 407's (auth schemes normally require one 407 denial to
> request credentials then the next has them and gets through).
>
> Can you try this with a newer version of Squid at all? There are
> HTTP/1.1 behaviour differences around keep-alive and authentication on
> CONNECT which have been done in 3.2/3.3 series to "fix" HTTP/1.0
> problems sometimes seen in the 3.1 and older releases. Those were about
> 2 years ago so my experience with Skype may be a bit warped by my
> networks dog-fooding Squid.
>
> Amos
I have this Squid on Ubuntu 12.04 LTS. Should I install a newer version from a PPA (like https://launchpad.net/~pdffs/+archive/squid-stable)? Could you give me a better source?

I found the cause of the problems. This was the last line:
cache_effective_group proxy

It is also strange. Apparently, with this entry Squid does not have access to something ... But as I read, Squid always starts with the privileges of root:root, and then switches to the given user and group, or nobody:nobody. So the group nobody has better rights??

kazio
Received on Mon Sep 30 2013 - 10:20:17 MDT
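
The check Amos suggests in the quoted reply (is there any successful CONNECT amid the 407s?), written as an added example that is not part of the original thread or of Squid itself. It assumes Squid's native access.log layout; the function names, the sample lines, the addresses and the user name are constructed for illustration.

```python
import re
from collections import defaultdict

# Squid native access.log layout (assumed):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def connect_auth_summary(lines):
    """Per client IP: 407 challenges, CONNECTs not denied, user names seen."""
    stats = defaultdict(lambda: {"challenged": 0, "passed": 0, "users": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # unparseable line, or not a tunnel request
        entry = stats[m["client"]]
        if m["status"] == "407":
            entry["challenged"] += 1  # proxy asked for credentials
        elif m["code"] != "TCP_DENIED":
            entry["passed"] += 1  # request was not denied by the proxy
            if m["user"] != "-":
                entry["users"].add(m["user"])
    return dict(stats)

def never_authenticated(lines):
    """Clients whose CONNECTs were challenged but never got through."""
    return sorted(
        client for client, e in connect_auth_summary(lines).items()
        if e["challenged"] and not e["passed"]
    )

# Constructed sample: 192.0.2.22 behaves like the Skype client in the thread
# (407s only); 192.0.2.50 completes the challenge and gets a tunnel.
SAMPLE = [
    "1380113279.753      0 192.0.2.22 TCP_DENIED/407 3811 CONNECT 198.51.100.82:443 - NONE/- text/html",
    "1380113279.794      0 192.0.2.22 TCP_DENIED/407 3866 CONNECT 198.51.100.82:443 - NONE/- text/html",
    "1380113280.101      0 192.0.2.50 TCP_DENIED/407 3811 CONNECT 198.51.100.82:443 - NONE/- text/html",
    "1380113280.140      1 192.0.2.50 TCP_DENIED/407 3866 CONNECT 198.51.100.82:443 - NONE/- text/html",
    "1380113285.310   5170 192.0.2.50 TCP_MISS/200 4120 CONNECT 198.51.100.82:443 alice DIRECT/198.51.100.82 -",
]

if __name__ == "__main__":
    for client in never_authenticated(SAMPLE):
        print(client, "only ever received 407 on CONNECT")
```

A client listed by `never_authenticated` never presented credentials the proxy accepted, which is the pattern the log excerpt in the thread shows.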
