Squid 407 error

I’m using Squid 3.0

Example: I want to download software from cnet. After launching CNET Download.com Installer, I get an error:

Internet connection error

We’re unable to connect to the download server. It seems that your internet connection is down or firewalled. Please check your internet and proxy setting then click the "Try Again" button below.

I checked Squid, and got the error:

1319791754.173      1 192.168.1.101 TCP_DENIED/407 2081 GET http://api.cnet.com/rest/v1.0/softwareProductLink? - NONE/- text/html
1319791754.396      1 192.168.1.101 TCP_DENIED/407 2194 GET http://www.w3.org/TR/html4/strict.dtd - NONE/- text/html

I searched for "TCP_DENIED/407" but I could not find a solution.

asked Oct 28, 2011 at 8:55

AAA-Super

The 407 error is coming from squid, telling the calling application that it must provide authentication credentials to continue.

With a browser, this is straightforward: it would pop up asking for the credentials if it didn’t already have them, and the user would type them in.

For non-interactive applications like a downloader, they should have a mechanism for entering the credentials into their configuration.

answered Oct 28, 2011 at 11:21

Paul
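An added example, not part of the original answer: one way to tell a client that never answers the proxy's challenge (like the installer in the question) from a client that gets a 407 and then retries with credentials. It reads Squid's native access.log format; the first two sample lines are the ones quoted in the question, the other two (client 192.168.1.102, user alice) are constructed.

```python
from collections import defaultdict

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
# Lines 1-2 are quoted from the question; lines 3-4 are constructed.
SAMPLE_LOG = """\
1319791754.173      1 192.168.1.101 TCP_DENIED/407 2081 GET http://api.cnet.com/rest/v1.0/softwareProductLink? - NONE/- text/html
1319791754.396      1 192.168.1.101 TCP_DENIED/407 2194 GET http://www.w3.org/TR/html4/strict.dtd - NONE/- text/html
1319791760.010      1 192.168.1.102 TCP_DENIED/407 2081 GET http://example.com/ - NONE/- text/html
1319791760.250    212 192.168.1.102 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Split one native-format line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated line or a different logformat
    code, _, status = parts[3].partition("/")
    return {"client": parts[2], "code": code, "status": status,
            "url": parts[6], "user": parts[7]}


def clients_stuck_on_407(log_text):
    """Return {client: [denied URLs]} for clients that were challenged with
    407 but never logged a request carrying a username."""
    denied = defaultdict(list)
    authenticated = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "407":
            denied[rec["client"]].append(rec["url"])
        elif rec["user"] != "-":
            authenticated.add(rec["client"])
    return {c: urls for c, urls in denied.items() if c not in authenticated}


if __name__ == "__main__":
    for client, urls in clients_stuck_on_407(SAMPLE_LOG).items():
        print(f"{client}: {len(urls)} challenge(s) never answered")
        for url in urls:
            print("   ", url)
```
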

In reply to the comment by zgen, 14.02.12 18:56:16 MSK

cache.log says:

2012/02/15 08:47:52| /var/cache/squid/00/171/0002E286
2012/02/15 08:48:02| WARNING: All ntlmauthenticator processes are busy.
2012/02/15 08:48:02| WARNING: 5 pending requests queued
2012/02/15 08:48:02| Consider increasing the number of ntlmauthenticator processes in your config file.
2012/02/15 08:48:13| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:13| /var/cache/squid/02/4E/00089CB7
2012/02/15 08:48:30| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:30| /var/cache/squid/04/47/00108E97
2012/02/15 08:48:34| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:34| /var/cache/squid/02/E6/0009CC90
2012/02/15 08:48:54| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:54| /var/cache/squid/02/1C5/000B8A5F
2012/02/15 08:48:58| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:58| /var/cache/squid/00/1EA/0003D4E6
2012/02/15 08:48:58| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:58| /var/cache/squid/03/121/000E43BB
2012/02/15 08:48:59| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:48:59| /var/cache/squid/04/167/0012CFE2
2012/02/15 08:49:00| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:00| /var/cache/squid/02/E0/0009C02F
2012/02/15 08:49:02| squidaio_queue_request: WARNING - Queue congestion
2012/02/15 08:49:10| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:10| /var/cache/squid/05/5C/0014B8C6
2012/02/15 08:49:27| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:27| /var/cache/squid/04/184/001309B7
2012/02/15 08:49:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:32| /var/cache/squid/00/1A8/0003502B
2012/02/15 08:49:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:32| /var/cache/squid/03/15A/000EB51C
2012/02/15 08:49:33| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:33| /var/cache/squid/00/5F/0000BEE6
2012/02/15 08:49:33| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:33| /var/cache/squid/01/1EF/0007DF63
2012/02/15 08:49:33| DiskThreadsDiskFile::openDone: (2) No such file or directory
2012/02/15 08:49:33| /var/cache/squid/05/75/0014EAFB

zema

(15.02.12 10:45:53 MSK)

In reply to the comment by VovanE, 14.02.12 18:58:53 MSK

The browser is IE, but Firefox gives the same errors!

zema

(15.02.12 10:47:06 MSK)

In reply to the comment by VovanE, 14.02.12 18:59:26 MSK

Squid Cache: Version 3.0.STABLE19

zema

(15.02.12 10:48:58 MSK)

In reply to the comment by ansky, 15.02.12 04:04:00 MSK

The DNS server is configured on the domain controller.

zema

(15.02.12 10:50:41 MSK)

Re: cache.log says:

All ntlmauthenticator processes are busy.
Consider increasing the number of ntlmauthenticator processes in your config file.

Have you tried that?

VovanE

(15.02.12 11:00:57 MSK)

In reply to the comment by zema, 15.02.12 11:08:35 MSK

In reply to the comment by VovanE, 15.02.12 11:15:52 MSK

And here is the cause:
All ntlmauthenticator processes are busy.

zgen

(15.02.12 13:58:02 MSK)

In reply to the comment by zema, 15.02.12 12:23:40 MSK

In reply to the comment by zgen, 15.02.12 13:58:16 MSK

In reply to the comment by zema, 15.02.12 16:04:51 MSK

1) increase the number of authenticators by an order of magnitude, to
~5-10 per user.

2) enable request caching:
Confusion with winbind

zgen

(15.02.12 18:00:32 MSK)

I made a rule like this. The proxy blocks.

cache.log

2016/12/27 19:14:20.536 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe04f5e000
2016/12/27 19:14:20.536 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe04f5e000
2016/12/27 19:14:20.542 kid1| 28,3| Checklist.cc(70) preCheck: 0x7efc6f55de78 checking slow rules
2016/12/27 19:14:20.542 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/12/27 19:14:20.542 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/12/27 19:14:20.542 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/12/27 19:14:20.542 kid1| 28,5| Acl.cc(138) matches: checking !nt_group
2016/12/27 19:14:20.543 kid1| 28,5| Acl.cc(138) matches: checking nt_group
2016/12/27 19:14:20.543 kid1| 33,2| client_side.cc(737) setAuth: Adding connection-auth to local=1.1.1.3:8080 remote=1.1.1.5:57516 FD 13 flags=1 from new Negotiate handshake request
2016/12/27 19:14:20.543 kid1| 28,3| AclProxyAuth.cc(119) checkForAsync: checking password via authenticator
2016/12/27 19:14:20.543 kid1| 28,4| Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: nt_group = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: !nt_group = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: http_access = -1 async
2016/12/27 19:14:20.602 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access at 0
2016/12/27 19:14:20.603 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/12/27 19:14:20.603 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#1 at 0
2016/12/27 19:14:20.603 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking !nt_group at 0
2016/12/27 19:14:20.603 kid1| 28,5| Acl.cc(138) matches: checking nt_group
2016/12/27 19:14:20.603 kid1| 28,7| UserData.cc(22) match: user is iv@DOMAIN.LOCAL, case_insensitive is 0
2016/12/27 19:14:20.603 kid1| 28,7| UserData.cc(28) match: aclMatchUser: user REQUIRED and auth-info present.
2016/12/27 19:14:20.603 kid1| 28,4| Acl.cc(344) cacheMatchAcl: ACL::cacheMatchAcl: miss for 'nt_group'. Adding result 1
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: nt_group = 1
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: !nt_group = 0
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#1 = 0
2016/12/27 19:14:20.603 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/12/27 19:14:20.603 kid1| 28,5| Acl.cc(138) matches: checking http_access#2
2016/12/27 19:14:20.603 kid1| 28,5| Acl.cc(138) matches: checking all
2016/12/27 19:14:20.603 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 1.1.1.5:57516/[::] ([::]:57516)  vs [::]-[::]/[::]
2016/12/27 19:14:20.603 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '1.1.1.5:57516' found
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = 1
2016/12/27 19:14:20.603 kid1| 28,3| Checklist.cc(63) markFinished: 0x7efc6f55de78 answer DENIED for match
2016/12/27 19:14:20.603 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x7efc6f55de78 answer=DENIED
2016/12/27 19:14:20.603 kid1| 28,5| Gadgets.cc(83) aclIsProxyAuth: aclIsProxyAuth: called for all
2016/12/27 19:14:20.603 kid1| 28,9| Acl.cc(99) FindByName: ACL::FindByName 'all'
2016/12/27 19:14:20.603 kid1| 28,5| Gadgets.cc(88) aclIsProxyAuth: aclIsProxyAuth: returning 0
2016/12/27 19:14:20.603 kid1| 28,8| Gadgets.cc(51) aclGetDenyInfoPage: got called for all
2016/12/27 19:14:20.603 kid1| 28,8| Gadgets.cc(70) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
2016/12/27 19:14:20.604 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe04f5e030
2016/12/27 19:14:20.604 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe04f5e030
2016/12/27 19:14:20.604 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe04f5e030
2016/12/27 19:14:20.604 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe04f5e030
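An added example, not part of the original post: a small reader for a section-28 debug trace like the one above, which reports the result of each `http_access#N` rule as labelled in the trace and the final answer. The `TRACE` lines are copied from the log above; the function and variable names are this example's own.

```python
import re

# Lines copied from the cache.log trace above (debug section 28).
TRACE = """\
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: nt_group = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: !nt_group = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = -1 async
2016/12/27 19:14:20.543 kid1| 28,3| Acl.cc(158) matches: checked: http_access = -1 async
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: nt_group = 1
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: !nt_group = 0
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#1 = 0
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/12/27 19:14:20.603 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2016/12/27 19:14:20.603 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = 1
2016/12/27 19:14:20.603 kid1| 28,3| Checklist.cc(63) markFinished: 0x7efc6f55de78 answer DENIED for match
"""

CHECKED = re.compile(r"checked: (\S+) = (-?\d+)")
ANSWER = re.compile(r"markFinished: \S+ answer (\w+) for match")


def explain_trace(text):
    """Return ([(rule, matched, [(acl, matched), ...]), ...], answer)."""
    rules, acls, answer = [], [], None
    for line in text.splitlines():
        m = CHECKED.search(line)
        if m:
            name, result = m.group(1), int(m.group(2))
            if result < 0:
                acls = []      # -1 async: waiting for the auth helper;
                continue       # the rule is evaluated again afterwards
            if name.startswith("http_access#"):
                rules.append((name, result == 1, acls))
                acls = []
            elif name != "http_access":   # skip the whole-list summary line
                acls.append((name, result == 1))
            continue
        m = ANSWER.search(line)
        if m:
            answer = m.group(1)
    return rules, answer


if __name__ == "__main__":
    rules, answer = explain_trace(TRACE)
    for rule, matched, acls in rules:
        detail = ", ".join(f"{a}={'match' if ok else 'no match'}" for a, ok in acls)
        print(f"{rule}: {'MATCH' if matched else 'skip'} ({detail})")
    print("answer:", answer)
```

For this trace the output shows that the authenticated user matched `nt_group`, so the first rule (which tests `!nt_group`) was skipped, and the request fell through to the second rule, which matched `all` with the answer DENIED.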

Good afternoon. This is the second day I have been fighting a 407 error demanding authorization; I do pass the credentials, but it still finds something missing. I checked in a browser and from the console (curl). Authentication goes through a file generated with htpasswd. Here is the Squid config:

debug_options ALL,3
# Squid normally listens to port 3128
http_port 0.0.0.0:3128 name=3128
acl rdproxy myportname 3128 src 0.0.0.0/0
tcp_outgoing_address 0.0.0.0 rdproxy

#include /etc/squid/conf.d/*
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
auth_param basic children 20
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
# Example rule allowing access from your local networks.
acl localnet src 0.0.0.0
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access deny !auth_users
http_access allow auth_users

# And finally deny all other access to this proxy
http_access deny all

What is it missing? I have combed through both Russian-language and foreign sites, and nobody's problem looks anything like mine.
Thanks

Sergey Kha

Squid 3.3.8 does not allow Internet access: TCP_DENIED/407

Good day,

It does not let the user onto the Internet; it is set up as in the manual.

Squid config

#	WELCOME TO SQUID 3.3.8
#	----------------------------
#	

# Negotiate Kerberos and NTLM authentication
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/ubu.office.local@OFFICE.LOCAL
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off

# Only NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off

# Basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f sAMAccountName=%s -h bdc.office.local
auth_param basic children 20
auth_param basic realm "SQUID Proxy Server Basic authentication!"
auth_param basic credentialsttl 2 hours

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#
# LDAP authorization
external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=Test,DC=office,DC=local))" -h bdc.office.local vip.office.local
#

# TAG: auth_param

acl auth proxy_auth REQUIRED
acl BlockedAccess	external memberof "/etc/squid3/conf_param_groups_blocked.txt"
acl RestrictedAccess	external memberof "/etc/squid3/conf_param_groups_restricted.txt"
acl StandardAccess	external memberof "/etc/squid3/conf_param_groups_standard.txt"
acl FullAccess		external memberof "/etc/squid3/conf_param_groups_full_auth.txt"
acl AnonymousAccess	external memberof "/etc/squid3/conf_param_groups_full_anon.txt"


acl allowedsites        dstdomain "/etc/squid3/conf_param_sites_allowed.txt"
acl blockedsites        dstdomain "/etc/squid3/conf_param_sites_blocked.txt"
acl prioritysites       dstdomain "/etc/squid3/conf_param_sites_priority.txt"
#
#acl LocalWUServers    src       "/etc/squid3/conf_param_computers_wsus.txt"
#acl GlobalWUSites     dstdomain "/etc/squid3/conf_param_sites_wsus.txt"

# none

acl localnet src 192.168.2.0/24	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#---------------------------------------------------------------------------------
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Allow cachemgr access from localhost and localnet
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager

# Allow direct access to Windows Update
#http_access allow GlobalWUSites LocalWUServers

# Allow unrestricted access to prioritysites
http_access allow prioritysites localnet

# Enforce authentication, order of rules is important for authorization levels
http_access deny !auth

# Prevent access to basic auth prompt for BlockedAccess users
http_access deny BlockedAccess all
http_access allow allowedsites localnet
http_access deny RestrictedAccess all
http_access allow AnonymousAccess auth localnet
http_access allow FullAccess auth localnet
http_access deny blockedsites
http_access allow StandardAccess auth localnet

# And finally deny all other access to this proxy
http_access deny all
#

#----------------------------------------------------------------------------------

# Squid normally listens to port 3128
http_port 3128

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
#
cache_mem 2048 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
# ---------------------------------------------------------------------------
#
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 7000 16 256
maximum_object_size 32768 KB
#
# -----------------------------------------------------------------------------
logformat squid %{%Y.%m.%d/%H:%M:%S}tl %>A %>a %ru %un %Sh/%<A %mt

#
# don't log AnonymousAccess
access_log daemon:/var/log/squid3/access.log squid !AnonymousAccess
#access_log /var/log/squid3/access.log squid

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
#
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
#
cache_mgr admin@polispektr.uz
httpd_suppress_version_string on
visible_hostname UBU

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
#
error_directory /usr/share/squid3/errors/ru
error_default_language ru

# DNS OPTIONS
# -----------------------------------------------------------------------------
#
dns_v4_first on

# MISCELLANEOUS
# -----------------------------------------------------------------------------
#
forwarded_for delete
cachemgr_passwd StrOnG_PaZsZw0rD all
#
#

The machine ubu is in the domain; sudo wbinfo -t passes, and wbinfo -u; -g list the domain users and groups
sudo squid3 -k reconfigure runs fine, no config errors found

access.log fills up with
1484044361.775 0 192.168.2.106 TCP_DENIED/407 4176 GET http://ya.ru/ - HIER_NONE/- text/html

Which direction should I dig in?

Re: Squid does not allow Internet access

Sergey Kha » 10 Jan 2017 10:51

if this is set

access_log daemon:/var/log/squid3/access.log squid !AnonymousAccess

then nothing is written to access.log

I use
/usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=proxik)(memberOf:1.2.840.113556.1.4.1941:=cn=Internet-All-Users,OU=test,DC=office,DC=local))" -h bdc.office.local vip.office.local

when I enter the login I get

proxik
ERR
