Hello!
I have another question about the proxy:
So pupils and teachers can get out once they are enabled, regardless of whether it is http or https.
Still, the access.log is being flooded with TCP_DENIED/407 & TCP_MISS/200,
and pages with JavaScript are being blocked.
I don't know where to start with this error...
Thanks in advance for any tip!
Hello,
- TCP_DENIED/407 is the proxy telling the client that it should kindly authenticate. That should, however, happen automatically in the background via Kerberos or, failing that, NTLM, and the end user should not notice anything.
- TCP_MISS/200 is the proxy reporting that the page requested by the client was not in the proxy cache and therefore has to be fetched fresh from the Internet.
So the entries are "normal".
Why pages with JavaScript are blocked, however, I cannot say. At least there is no configuration in Squid that I know of, which we ship, that should cause this. Do you have an example of a blocked page? Then I could cross-check it against a reference system.
Best regards,
Michael Grandjean
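An added example, not part of this thread, that applies the distinction above to a constructed access.log sample: it parses native-format Squid log lines and, per client, separates the expected handshake (one 407 challenge followed by authenticated, served requests) from clients that are re-challenged on every request or never get past the 407 at all, which is what "flooded with TCP_DENIED/407" usually points to. All sample lines, client addresses and user names are constructed.

```python
from collections import defaultdict

# Constructed sample log (not from the forum post or any real system).
SAMPLE_LOG = """\
1496300000.123     12 10.0.1.20 TCP_DENIED/407 3847 GET http://www.example.com/ - HIER_NONE/- text/html
1496300000.456    230 10.0.1.20 TCP_MISS/200 10234 GET http://www.example.com/ student1 HIER_DIRECT/93.184.216.34 text/html
1496300000.789    310 10.0.1.20 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 student1 HIER_DIRECT/93.184.216.34 -
1496300001.001     10 10.0.1.21 TCP_DENIED/407 3847 GET http://www.example.com/app.js - HIER_NONE/- text/html
1496300001.102      9 10.0.1.21 TCP_DENIED/407 3847 GET http://www.example.com/app.js - HIER_NONE/- text/html
1496300001.203     11 10.0.1.21 TCP_DENIED/407 3847 GET http://www.example.com/app.js - HIER_NONE/- text/html
1496300002.001     10 10.0.1.22 TCP_DENIED/407 3847 GET http://www.example.com/ - HIER_NONE/- text/html
1496300002.150    200 10.0.1.22 TCP_MISS/200 8000 GET http://www.example.com/ teacher1 HIER_DIRECT/93.184.216.34 text/html
1496300002.300     10 10.0.1.22 TCP_DENIED/407 3847 GET http://www.example.com/app.js - HIER_NONE/- text/html
"""

# Native Squid access.log layout, whitespace separated, one request per line:
# time elapsed client code/status bytes method url user hierarchy/peer type
def parse_line(line):
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None  # blank or not in native format
    code, status = parts[3].split("/", 1)
    return {"client": parts[2], "code": code, "status": int(status), "method": parts[5],
            "url": parts[6], "user": None if parts[7] == "-" else parts[7]}  # '-' = no user

def summarize(log_text, loop_threshold=3):
    """Per client: 407 challenges, served (2xx/3xx) requests, users seen, verdict."""
    stats = defaultdict(lambda: {"challenges": 0, "served": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["status"] == 407:          # TCP_DENIED/407: proxy asks client to authenticate
            s["challenges"] += 1
        elif 200 <= rec["status"] < 400:  # TCP_MISS/200, TCP_TUNNEL/200, ...: request served
            s["served"] += 1
            if rec["user"]:
                s["users"].add(rec["user"])
    report = {}
    for client, s in stats.items():
        if s["served"] == 0 and s["challenges"] >= loop_threshold:
            verdict = "auth-loop"  # only challenges: client never completes Kerberos/NTLM
        elif s["served"] and s["challenges"] > s["served"]:
            verdict = "noisy"      # served, but re-challenged more often than served
        else:
            verdict = "normal"     # challenge followed by authenticated, served requests
        report[client] = {"challenges": s["challenges"], "served": s["served"],
                          "users": sorted(s["users"]), "verdict": verdict}
    return report
```

Run it over a real access.log by passing the file contents to summarize(); clients reported as "auth-loop" are the ones whose browser or OS is not completing the background Kerberos/NTLM exchange, and "noisy" clients are those being challenged per request rather than per domain.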
Hello,
sorry that it took a while.
Here is the output of ucr search squid:
appcenter/apps/squid/status: installed
appcenter/apps/squid/ucs: 4.2
appcenter/apps/squid/version: 3.4
security/packetfilter/package/univention-squid/tcp/3128/all/en: HTTP proxy
Variables following the scheme 'security/packetfilter/PACKAGE/*' are packet filter rules shipped by UCS packages (see 'security/packetfilter/use_packages'). They should not be modified.
security/packetfilter/package/univention-squid/tcp/3128/all: ACCEPT
Variables following the scheme 'security/packetfilter/PACKAGE/*' are packet filter rules shipped by UCS packages (see 'security/packetfilter/use_packages'). They should not be modified.
squid/acl/.*: <empty>
This variable defines a user-defined rule for proxy access, e.g. via user-agent, port, or destination domain. This is evaluated with precedence over the normal rules.
squid/acl/windowsupdater/allow/dstdomain-i/regex: (.*\.update\.microsoft|download.windowsupdate)\.com
This variable defines a user-defined rule for proxy access, e.g. via user-agent, port, or destination domain. This is evaluated with precedence over the normal rules.
squid/allowfrom: <empty>
As standard, the proxy server can only be accessed from local networks. If, for example, a network interface with the address 192.168.1.10 and the network mask 255.255.255.0 is available on the Squid server, only computers from the network 192.168.1.0/24 can access the proxy server. This variable allows the configuration of additional networks. The CIDR notation must be used; several networks should be separated by spaces. Example: '192.168.2.0/24 192.168.3.0/24'.
squid/append_domain: <empty>
This domain is appended to a DNS name without a dot. The domain has to start with a dot. Example: '.example.com'.
squid/auth/allowed_groups: <empty>
This variable can be used to limit the proxy access to one or several groups. If several groups are specified, they must be separated by semicolons. If this variable is empty or unset, all users can access the proxy.
squid/auth/groups: no
squid/basicauth/children: 50
The maximum amount of authentication processes for LDAP authentication. If the variable is unset, up to five processes are possible.
squid/basicauth: yes
If this option is enabled, an LDAP authentication is required for accessing the proxy.
squid/cache/directory: /var/spool/squid3
Directory where cache swap files will be stored.
squid/cache/format: ufs
The storage system to use. Only "ufs" is currently supported.
squid/cache/l1_size: 16
The number of first-level subdirectories which will be created under the cache directory.
squid/cache/l2_size: 256
The number of second-level subdirectories which will be created under each first-level directory.
squid/cache/size: 512
The amount of disk space (MB) to use in the cache directory.
squid/cache: yes
Squid is a caching proxy, i.e., previously accessed contents can be provided from a cache without being reloaded from the respective web server. If this option is deactivated, this cache is disabled. This can be useful for cascading proxies.
squid/contentscan: <empty>
In the standard setting Dansguardian performs a content scan (e.g. for banned file types). With this option the content scan can be deactivated. If the variable is unset, the content scan is enabled.
squid/debug/level: ALL,1
Verbosity of log messages as a space separated list of pairs like 'SECTION,LEVEL' ('ALL' as section logs all functionality levels, level is a value between 1 and 9). See <http://wiki.squid-cache.org/KnowledgeBase/DebugSections> for more details.
squid/forwardedfor: on
This options allows to finetune how/if the requesting client IP should be forwarded in the HTTP-Header X-Forwarded-For.
squid/httpport: <empty>
If this variable is unset, the web proxy can be accessed via port 3128. This variable allows the configuration of a different port. If Univention Firewall is used, the packet filter configuration must also be adjusted. If Dansguardian is used, it is accessible at the configured port instead of Squid. Squid then occupies the next-higher port.
squid/kerberos/join/timeout: <empty>
Timeout in seconds before the join script fails if the service account could not be created (default 1200).
squid/krb5auth/children: 50
The maximum number of authentication processes for Kerberos authentication. If the variable is unset, up to ten processes are possible.
squid/krb5auth/keepalive: <empty>
As standard, an NTLM authentication is performed for every HTTP query if Kerberos authentication is used. If for example the website <http://www.univention.de/> is opened, the subpages and images are loaded in addition to the actual HTML page. The Kerberos authentication can be cached per domain: If this option is enabled, no further authentication is performed for subsequent HMTL queries in the same domain. If the variable is unset, no authentication credentials are cached.
squid/krb5auth/tool: <empty>
The program used by Squid for Kerberos authentication. If the variable is unset, '/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm' is used. This setting should usually not be modified.
squid/krb5auth: <empty>
If this option is enabled, an Kerberos authentication is required for accessing the proxy.
squid/ntlmauth/cache/timeout: <empty>
Lifetime of entries in NTLM password cache in seconds. Default is 60.
squid/ntlmauth/children: 50
The maximum number of authentication processes for NTLM authentication. If the variable is unset, up to ten processes are possible.
squid/ntlmauth/keepalive: yes
As standard, an NTLM authentication is performed for every HTTP query if NTLM authentication is used. If for example the website <http://www.univention.de/> is opened, the subpages and images are loaded in addition to the actual HTML page. The NTML authentication can be cached per domain: If this option is enabled, no further NTLM authentication is performed for subsequent HMTL queries in the same domain. If the variable is unset, no authentication credentials are cached.
squid/ntlmauth/tool: <empty>
The program used by Squid for NTLM authentication. If the variable is unset, '/usr/lib/squid3/squid_ldap_ntlm_auth' is used. This setting should usually not be modified.
squid/ntlmauth: yes
If this option is enabled, an NTLM authentication is required for accessing the proxy.
squid/parent/directnetworks: <empty>
If a cascading proxy is used (see 'squid/parent/host), proxy requests from computers in the proxy server's local network are answered directly and not forwarded to the parent proxy. If additional networks should be excluded from forwarding to the parent proxy, these can be specified with this variable. When doing so, the CIDR notation must be used (e.g. 192.168.2.0/24); several networks should be separated by blanks.
squid/parent/host: <empty>
If cascading proxies are used, the superordinate proxy server is referred to as the parent proxy. This variable configures the hostname of the parent proxy.
squid/parent/options: <empty>
Options for the connection to a parent proxy (see 'squid/parent/host). An overview of the possible options can be found at <http://www.squid-cache.org/Versions/v3/3.1/cfgman/cache_peer.html> in der Sektion 'PEER SELECTION METHODS'. If the variable is not set, 'default' applies.
squid/parent/port: <empty>
This variable configures the port of the parent proxy (see 'squid/parent/host). If the variable is unset, 3128 is used.
squid/redirect: squidguard
This variable configures the squid option 'url_rewrite_program'. If it is set to the special value 'squidguard', the URL filter SquidGuard will be integrated. The setting is relevant for UCS@school. The configured programm needs to be installed separately.
squid/rewrite/children: 20
The maximum amount of URL rewrite processes. If the variable is unset, up to five processes are used.
squid/transparentproxy: yes
If this option is enabled, Squid runs as a transparent proxy, i.e. all web queries sent from a client are automatically rerouted to and answered by the proxy server. The prerequisite for such a configuration is that the proxy server is configured as the standard gateway for the clients. If enabled, packet filter rules are automatically included which redirect all queries for the ports specified in 'squid/webports' to the proxy server. After setting the variable Univention Firewall needs to be restarted.
squid/virusscan: <empty>
In the standard setting Dansguardian scans files for viruses using ClamAV. With this option the virus scan can be deactivated. If the variable is unset, a virus scan is performed.
squid/webports: <empty>
If this variable is not set, Squid only forwards client requests intended for the ports 80 (HTTP), 443 (HTTPS) or 21 (FTP). This variable allows the configuration of permitted ports; multiple entries must be separated by blanks. Example: '80 443 21 8080'.
So that means I should switch NTLM off and Kerberos on??