Discussion:
[squid-users] TCP_MISS/502 - audio stream - none default http ports
Dörfler, Andreas
2018-09-18 12:07:06 UTC
hello there,

I'm trying to get mp3/audio streams working on a "kinda default" Debian
stretch installation.

After I failed with the default Debian squid configuration, I tried the
working config from the old proxy (Squid Cache: Version 3.1.20),
but no luck either.

Audio streams work when it's a web-based radio on port 80/443, but once
the radio leaves the default ports, it stops working.

Since the new squid is 4 minor releases above the old server, I think
something major changed, but I have no clue; I touch the squid
configuration only once every few years...


###>
Squid Cache: Version 3.5.23
<###

The config below is the one I copied from the old squid server, but as said,
it won't work. Security is handled by the firewall, so "allow all" isn't
an issue.

###>config

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 9418 5001
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_port 8080
access_log /var/log/squid/access.log squid
debug_options ALL,1
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access From deny all
request_header_access Referer deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
forwarded_for delete

<###


###>example stream
https://tunein.com/radio/Americana-Breakdown-s281469/
<###

###squid access.log errors

172.16.x.x TCP_MISS/502 4307 GET http://91.121.164.210:8104/ -
HIER_DIRECT/91.121.164.210 text/html

172.16.x.x TCP_MISS/502 4312 GET http://91.121.164.210:8104/; -
HIER_DIRECT/91.121.164.210 text/html
<###

any ideas?

thanks in advance,
andy
L.P.H. van Belle
2018-09-18 13:02:35 UTC
Hi,

You missed a few points in your config.
And thank you for the music link, something different than the radio here. ;-)

I've installed a Debian stretch server.
This is the Debian default config with 2 modifications.

## Squid 3.5.23
## First enable the acl for YOUR localnet ( here i enable all 5)
: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
: acl localnet src fc00::/7 # RFC 4193 local private network range
: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
## PS: in your config you missed adding the extra SSL_ports to Safe_ports as well.
: acl Safe_ports port 80 # http
: acl Safe_ports port 21 # ftp
: acl Safe_ports port 443 # https
: acl Safe_ports port 70 # gopher
: acl Safe_ports port 210 # wais
: acl Safe_ports port 1025-65535 # unregistered ports
: acl Safe_ports port 280 # http-mgmt
: acl Safe_ports port 488 # gss-http
: acl Safe_ports port 591 # filemaker
: acl Safe_ports port 777 # multiling http

: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: http_access allow localnet
## And here you missed the "allow localnet"
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp: 1440 20% 10080
: refresh_pattern ^gopher: 1440 0% 1440
: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
: refresh_pattern . 0 20% 4320


As an extra test,
I've installed squid 4.2 rebuilt from Debian sid.
This is the exact config used; the script used is below the email.
I made 2 modifications:
Configuration File: /etc/squid/conf.d/debian.conf (depth 1): enabled localnet
Configuration File: /etc/squid/conf.d/headers.conf (depth 1): added your headers.

: acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
: acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
: acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
: acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
: acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
: acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
: acl localnet src fc00::/7 # RFC 4193 local private network range
: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
: acl SSL_ports port 443
: acl Safe_ports port 80 # http
: acl Safe_ports port 21 # ftp
: acl Safe_ports port 443 # https
: acl Safe_ports port 70 # gopher
: acl Safe_ports port 210 # wais
: acl Safe_ports port 1025-65535 # unregistered ports
: acl Safe_ports port 280 # http-mgmt
: acl Safe_ports port 488 # gss-http
: acl Safe_ports port 591 # filemaker
: acl Safe_ports port 777 # multiling http
: acl CONNECT method CONNECT
: http_access deny !Safe_ports
: http_access deny CONNECT !SSL_ports
: http_access allow localhost manager
: http_access deny manager
: include /etc/squid/conf.d/*
Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
: logfile_rotate 0
: http_access allow localnet
Configuration File: /etc/squid/conf.d/headers.conf (depth 1)
: request_header_access From deny all
: request_header_access Referer deny all
: request_header_access Server deny all
: request_header_access WWW-Authenticate deny all
: request_header_access Link deny all
: forwarded_for delete
: http_access allow localhost
: http_access deny all
: http_port 3128
: coredump_dir /var/spool/squid
: refresh_pattern ^ftp: 1440 20% 10080
: refresh_pattern ^gopher: 1440 0% 1440
: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
: refresh_pattern . 0 20% 4320

If you want 4.2 for stretch, you can find it here:
https://downloads.van-belle.nl/squid/squid4.2/
Build logs are all included, or rebuild it yourself from sid/testing.
It's a pretty easy rebuild imo.

Greetz,

Louis
Dörfler, Andreas
2018-09-18 13:31:49 UTC
hey louis,

thanks for your help and time!

Found the problem: since there are firewalls in between, I forgot to check
a specific point, and well, it was one of the firewalls; no wonder it
was driving me nuts.
One of those double facepalm moments once I realized it.
Post by L.P.H. van Belle
And thank you for the music link, something different then the radio here. ;-)
no problem, it was the first random google search result ;-)
Post by L.P.H. van Belle
: acl SSL_ports port 443
## PS: in your config you missed adding the extra SSL_ports to Safe_ports as well.
na, actually there are 3 ports configured :D
Post by L.P.H. van Belle
## And here you missed the "allow localnet"
"http_access allow all" makes localnet obsolete; access restrictions are
handled by a firewall.
Post by L.P.H. van Belle
https://downloads.van-belle.nl/squid/squid4.2/
Buildlogs are all included, or rebuild it yourself from sid/testing.
Its a pretty easy rebuild imo.
I'll check that in the next days from a private server, thanks a bunch :D.

have a nice one,
andy
Amos Jeffries
2018-09-19 02:38:03 UTC
Post by Dörfler, Andreas
hey louis,
thanks for your help and time!
Found the problem: since there are firewalls in between, I forgot to check
a specific point, and well, it was one of the firewalls; no wonder it
was driving me nuts.
One of those double facepalm moments once I realized it.
Post by L.P.H. van Belle
And thank you for the music link, something different than the radio here. ;-)
no problem, it was the first random google search result ;-)
Post by L.P.H. van Belle
: acl SSL_ports port 443
## PS: in your config you missed adding the extra SSL_ports to Safe_ports as well.
na, actually there are 3 ports configured :D
Post by L.P.H. van Belle
## And here you missed the "allow localnet"
"http_access allow all" makes localnet obsolete; access restrictions are
handled by a firewall.
This statement is false, and very bad security practice. Squid handles
HTTP-level access controls. Firewalls handle network-layer access
control. Either way multiple layers of security that work together are
better than one - in case that one is compromised.

... and by using "allow all" you have explicitly compromised the Squid
layer.


* HTTP is a multiplexing pipelined protocol. One TCP connection can
contain traffic from multiple clients mixed up in arbitrary ways the
firewall will never see.

* As far as the firewall can be aware, all traffic leaving Squid is from
*Squid's* IP:ports, not from the clients.


==> So those details mean any low-privilege client who is trusted just
enough to use the proxy gets automatically and *silently* privilege
escalated at the firewall to maximum privilege level *any* proxy user is
allowed by that firewall. This leaves your network wide open to insider
attacks, client hijacking and viral compromised clients.


You cannot trust firewall alone unless you have a *full* HTTP proxy
built into your firewall to handle the HTTP level control. In which case
your squid.conf is missing settings integrating the two proxies.


Like the other default rules this "deny all" serves multiple purposes -
along with the obvious access control to the network it is about denying
"legitimate" clients trying to make Squid do extremely resource
consuming things which are not permitted by your policy. Such as flood
the internal network with Tbps of traffic, or port-scan services they
are not normally allowed access to by the firewall.

Amos
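Both the Debian default that Louis walks through above and Amos's point that the firewall only ever sees Squid's own address can be checked with a small model. This is an added example, not Squid's code and not anything posted in the thread: it re-implements Squid's first-match http_access semantics for src, port and method ACLs only (the manager and to_localhost lines are left out), and the proxy address 172.16.0.10, the clients 10.1.2.3 and 203.0.113.7, and the firewall rule set are constructed for illustration.

```python
"""Squid http_access evaluation modelled in Python, with a toy firewall in
front of the proxy's upstream connections.  Added example, not Squid code.
Addresses (proxy 172.16.0.10, clients 10.1.2.3 and 203.0.113.7) and the
firewall rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src: str      # client address as Squid sees it
    method: str   # "GET" or "CONNECT"
    port: int     # destination port


# acl name -> (type, values); the manager/to_localhost lines are left out
ACLS = {
    "localnet":   ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "localhost":  ("src", ["127.0.0.1/32", "::1/128"]),
    "SSL_ports":  ("port", [(443, 443), (9418, 9418), (5001, 5001)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777)]),
    "CONNECT":    ("method", ["CONNECT"]),
    "all":        ("all", []),
}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(n) for n in values)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    return True  # "all"


def http_access(rules, req):
    """rules: [(action, ["CONNECT", "!SSL_ports"]), ...] in squid.conf order.
    Every term on a line must match (AND, '!' negates); the first matching
    line wins; if nothing matches Squid applies the opposite of the last
    line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's config (ends in "allow all") and the Debian default ("deny all")
ALLOW_ALL = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
             ("allow", ["localhost"]), ("allow", ["all"])]
DENY_ALL = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
            ("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"])]

# Toy firewall between LAN and internet: (src network, port range, verdict),
# first match wins.  It sees TCP endpoints only, never the HTTP client.
PROXY_IP = "172.16.0.10"                                 # constructed
FIREWALL = [(PROXY_IP + "/32", (1, 65535), "accept"),    # proxy may reach anything
            ("10.0.0.0/8", (80, 80), "accept"),          # LAN clients: plain web only
            ("0.0.0.0/0", (1, 65535), "drop")]


def firewall(src, port):
    for net, (lo, hi), verdict in FIREWALL:
        if ip_address(src) in ip_network(net) and lo <= port <= hi:
            return verdict
    return "drop"


def direct(req):
    """Client connects to the destination without the proxy."""
    return "reached" if firewall(req.src, req.port) == "accept" else "dropped-by-firewall"


def via_proxy(rules, req):
    """Squid decides on the HTTP request, then opens the upstream TCP
    connection itself, so the firewall only ever sees PROXY_IP as source."""
    if http_access(rules, req) == "deny":
        return "denied-by-squid"      # Squid logs this as TCP_DENIED/403
    return "reached" if firewall(PROXY_IP, req.port) == "accept" else "dropped-by-firewall"


if __name__ == "__main__":
    cases = [("stream", Request("10.1.2.3", "GET", 8104)),      # LAN host, port-8104 stream
             ("guest", Request("203.0.113.7", "GET", 8104)),    # non-LAN host routed to proxy
             ("tunnel", Request("10.1.2.3", "CONNECT", 8104))]  # CONNECT to a non-SSL port
    for name, req in cases:
        print(f"{name:7} direct={direct(req):20} allow_all={via_proxy(ALLOW_ALL, req):20} "
              f"deny_all={via_proxy(DENY_ALL, req)}")
```

Running it shows three things. A GET to port 8104 from a LAN client is allowed by both rule sets, because 8104 falls inside the Safe_ports range 1025-65535, so the 502 in the original access.log could not have come from an ACL denial (that is logged as TCP_DENIED/403). A client outside localnet that merely has a route to the proxy reaches port 8104 under "allow all" even though the firewall drops its direct attempt, which is the silent escalation Amos describes, while the Debian "deny all" chain stops it at the proxy. And CONNECT to 8104 is refused by both chains because 8104 is not in SSL_ports.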
Dörfler, Andreas
2018-09-19 07:09:30 UTC
Post by Amos Jeffries
This statement is false, and very bad security practice. Squid handles
HTTP-level access controls. Firewalls handle network-layer access
control. Either way multiple layers of security that work together are
better than one - in case that one is compromised.
....
Like the other default rules this "deny all" serves multiple purposes -
along with the obvious access control to the network it is about denying
"legitimate" clients trying to make Squid do extremely resource
consuming things which are not permitted by your policy. Such as flood
the internal network with Tbps of traffic, or port-scan services they
are not normally allowed access to by the firewall.
hey amos,

thanks for your feedback, it's really appreciated.

I re-enabled deny all, even though I still don't see any benefit, because:
without giving away too many internals, in my case allow all is still
ok; only a very few subnets have a route to this system, and the
firewalls are working on a combination of layer 3 and 5-7 and are also
running ssl-inspection to this specific squid.

but you are right, every layer counts.

greetings,
andy
