Hello Amos, thank you very much for your very helpful response!

The vendor, while not helpful at all (they want our org to use their new 
application rather than the proxy), has stated they are only looking for an email 
address and not a password. But they likely mean they're looking for 
user.n...@sub.domain.com

Thank you for the tls-cafile= correction; I do have GoGuardian's root 
certificate at that path and trusted on the Squid host OS.

For login= I have been trying to pass credentials from Windows to Squid to 
GoGuardian. From your response, I believe you are suggesting a "machine" 
user account that is static for all users passing through Squid. This 
setup would be fine for us, but we would prefer to have each unique user's 
"email" passed through so that on GoGuardian's end our reports reflect the 
correct user.

I currently have Squid working with auth (when not handing off to GG), with 
Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in 
the form of the username ("email").

I feel like I have the authentication options at 
http://www.squid-cache.org/Doc/config/cache_peer/ memorized; however, it is 
possible I am using them (login=) incorrectly.

The vendor refuses to look at logs on their end to troubleshoot, as they do not 
have access and the engineers who do aren't replying! Lovely...




1658160759.291    166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - 
HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" 
"ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" 
"ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" 
"ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199"
1658160760.048     73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 
johnathan.ha...@usi.uncommonschools.org HIER_NONE/- - "ws-iid=94" 
"ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" 
"ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" 
"ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" 
"ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220"
1658160760.165    117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 
johnathan.ha...@usi.uncommonschools.org FIRSTUP_PARENT/52.44.107.1 - 
"ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" 
"ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" 
"ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" 
"ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1658160760.165      0 10.125.12.19 NONE_NONE/000 0 - 
error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" 
"ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" 
"ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" 
"ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" 
"squid-gt-st=517"


----------
CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1
Host: getpocket.cdn.mozilla.net:443
Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5)
X-Forwarded-For: 10.125.12.19
Proxy-Authorization: Basic [redacted]
Cache-Control: max-age=259200
Connection: close


----------



---------
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Secure Browsing"
Date: Mon, 18 Jul 2022 16:13:28 GMT
Content-Length: 0
Connection: close

----------




Best Regards, 
Johnathan
 
_______________________________________________________ 
  
Johnathan Hasty 
Senior DevOps Engineer 
Uncommon Schools 
C: 989.366.1672 
  

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Amos 
Jeffries
Sent: Friday, July 15, 2022 1:27 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Upstream Proxy

On 16/07/22 04:05, Johnathan Hasty wrote:
>> What HTTP authentication method(s) or scheme(s) does your upstream proxy 
>> support or require?
>
> They're very vague and not helpful. It was said they look for email, but in 
> reality it would be u...@blah.company.com rather than u...@company.com.
>
>
> This is the only information I have for them.
>
> https://support.goguardian.com/s/article/Deploying-GoGuardian-Gateway-1629767892527
>
> https://view.highspot.com/viewer/5f7241dd628ba24915723e85
>

This document provides some answers, but it is indeed a bit obscure.

The authentication uses an LDAP service. That means Squid should have its own 
account in LDAP, registered as a machine account type (not a regular user, so it 
can avoid constant password-update requirements).
Those are the credentials you configure in the cache_peer line to be passed to 
GG.
  Make sure that you configure the full username string, whether it be 
login=u...@blah.example.com:password or login=u...@example.com:password or 
login=user:password


Also, cache_peer should not need the sslcapath= option. Just 'tls', and ensure the 
Squid machine's trusted CA certs package is kept up to date. If GG has a special 
server certificate based on some custom CA, then use the tls-cafile= option to 
load that custom public root cert.


If you are still having issues, the contents of the PAC file generated for a 
test user account could have some more hints about what GG is expecting.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
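Two checks a reader can run against the log lines and the header dump shown above, written as an added example for this thread (not code from Squid, GoGuardian or either poster). The first reads Squid's native access.log format and says which hop issued each 407: a 407 with HIER_NONE and no user is Squid's own proxy_auth challenge to the client, while a 407 with FIRSTUP_PARENT/<ip> and a user name is the parent proxy rejecting the credential Squid forwarded. The second decodes a Proxy-Authorization: Basic value so the exact username string the peer receives can be compared with the address form the peer is said to key on. The sample log and header are constructed here with placeholder addresses (RFC 5737 ranges, example.org); the domain to expect is an assumption to be replaced with your own.

```python
"""Diagnose a cache_peer login= hand-off: classify 407s by origin and decode
the Basic credential Squid sends upstream.  Added example, not project code."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the access.log lines in the thread; client,
# parent and user are placeholders (RFC 5737 addresses, example.org domain).
SAMPLE_LOG = """\
1658160759.291    166 192.0.2.10 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "squid-gt-st=199"
1658160760.048     73 192.0.2.10 NONE_NONE/200 0 CONNECT abc.com:443 user@sub.example.org HIER_NONE/- - "squid-gt-st=3220"
1658160760.165    117 192.0.2.10 TCP_TUNNEL/407 0 CONNECT abc.com:443 user@sub.example.org FIRSTUP_PARENT/198.51.100.1 - "squid-gt-st=0"
1658160760.165      0 192.0.2.10 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "squid-gt-st=517"
"""


def parse_native_line(line: str) -> Dict[str, str]:
    """Split one line of Squid's default ('squid' native) log format:
    time elapsed client code/status bytes method url user hier/peer type [extras]."""
    parts = line.split()
    if len(parts) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    code, _, status = parts[3].partition("/")
    hier, _, peer = parts[8].partition("/")
    return {"time": parts[0], "client": parts[2], "code": code, "status": status,
            "method": parts[5], "url": parts[6], "user": parts[7],
            "hier": hier, "peer": peer, "type": parts[9]}


def classify_407(rec: Dict[str, str]) -> Optional[str]:
    """Return who produced a 407, or None if the record is not a 407.
    HIER_NONE means no parent was contacted, so the 407 is Squid's own
    proxy_auth challenge to the client.  A parent hierarchy code
    (FIRSTUP_PARENT/...) means the parent answered 407, i.e. it rejected the
    credential Squid forwarded on behalf of the user named in the record."""
    if rec["status"] != "407":
        return None
    return "squid-challenge" if rec["hier"] == "HIER_NONE" else "peer-rejected"


def audit_log(text: str) -> List[Tuple[str, str, str]]:
    """(verdict, user, peer) for every 407 found in the log text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_native_line(line)
        verdict = classify_407(rec)
        if verdict is not None:
            findings.append((verdict, rec["user"], rec["peer"]))
    return findings


_BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def encode_proxy_basic(user: str, password: str) -> str:
    """Build a Basic credential value, as a login=user:password peer line sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_proxy_basic(header_value: str) -> Tuple[str, str]:
    """Decode a Proxy-Authorization Basic value into (user, password).  The
    user part is the exact string the parent sees and must match its expectation."""
    m = _BASIC_RE.match(header_value)
    if not m:
        raise ValueError("not a Basic credential: %r" % header_value)
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credential has no ':' separator")
    return user, password


def user_is_address_in(user: str, expected_domain: str) -> bool:
    """True if the forwarded username is a full mail-style address in the
    domain the peer keys on (e.g. user@sub.example.org), rather than a bare
    account name or an address in another domain.  The domain compare is
    case-insensitive because DNS is; whether the peer agrees is a question
    for the peer (Kerberos realms are usually upper-case)."""
    local, at, domain = user.rpartition("@")
    return bool(local) and at == "@" and domain.lower() == expected_domain.lower()


if __name__ == "__main__":
    for verdict, user, peer in audit_log(SAMPLE_LOG):
        print("%-15s user=%-22s peer=%s" % (verdict, user, peer))
    # Constructed header: replace with the value from your own header dump.
    captured = encode_proxy_basic("user@sub.example.org", "secret")
    fwd_user, _ = decode_proxy_basic(captured)
    print("forwarded username:", fwd_user,
          "ok" if user_is_address_in(fwd_user, "sub.example.org") else "MISMATCH")
```

Run it on a real access.log slice and on the unredacted Proxy-Authorization value from a header dump like the one above; "peer-rejected" together with a username that fails the address check points at the login= string rather than at TLS or at Squid's own authentication. Note that the username Squid authenticated via Kerberos or NTLM is not necessarily a mail address (a Kerberos principal carries a realm), so the decoded value, not the Squid-side username, is what to compare with what the peer expects.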