[squid-users] high load issues
I put a new squid/dansguardian in place duplicating what I had for a couple of other networks. The proxy is configured for everyone going through one of two groups with the ability in the 2nd group to elevate their privileges to bypass the filter by clicking on a link in the denied page. The authentication is done to our AD server using winbind. All of that worked great in testing with fewer than 10 people using it... However, when deployed to 50-100 people, I was getting sporadic page drops when browsing. Sometimes there would be a long pause then a page would be displayed: Unable to connect in firefox. Other times it would immediately drop into that Unable to connect page. By clicking refresh the page would then open up. There seemed to be no rhyme or reason why sometimes it would drop. Even very low browse sites like google would sometimes do this. When this happens, there is absolutely ZERO in the log files that the user even tried to browse a site. The utilization on the server is very low (under 5% for proc) and there's plenty of RAM (~4gb). I examined Squid for performance / proc / memory adjustments but nothing really jumped out at me as a potential issue. Do you think that this may be an issue with Squid or perhaps winbind not able to do the authentication? Thanks.
[squid-users] TPROXY squid and shorewall
Has anyone successfully setup shorewall with squid in tproxy mode? I'm having a hard time finding documentation on the shorewall side to work with Squid... Does anyone have any? Thanks.
[squid-users] Squid / OWA authentication issues - part 2
I've been messing around with getting my squid proxy to allow authentication to OWA (outlook web access) and discovered something very interesting... If I try another site that has OWA running behind an iptables based firewall (shorewall) I get the exact same message. This OWA is accessible with no issues if I do not use Squid. However, if I try accessing OWA through the Squid to an OWA that exists behind a commercial firewall (sonicwall) it works just fine. I'm now thinking that it's an issue with Squid and iptables based firewalls. I played around with packet mangling but that didn't seem to have any effect. Does anyone have an idea on what might be causing this? Thanks!
[squid-users] unrecognized: 'extension_methods'
I'm using Squid v. 3.1.0.17 on Fedora Core 12. In my search to get OWA running I stumbled on the command: extension_methods RPC_IN_DATA RPC_OUT_DATA I opened up my squid.conf and found the tag extension_methods in the config file so I uncommented it and added the RPC_IN_DATA and RPC_OUT_DATA. I then attempted to restart the service and got the error: 2010/06/08 09:55:14| cache_cf.cc(362) parseOneConfigFile: squid.conf:1949 unrecognized: 'extension_methods' Has this been removed and replaced by something else? Weird that it's in the config file and commented out though... I do see that in the docs for 3.1 that extension_methods seems to be missing from the configuration directives. Is there a replacement?
RE: [squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17
I thought it should just work... I tried the connection-auth=on and I still have the same issue... I have http_port 3128 transparent, but now it says http_port 3128 transparent connection-auth=on

I'm really scrambling to figure this out; do you have any additional ideas? Thanks!

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, June 01, 2010 6:29 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17

On Tue, 1 Jun 2010 11:25:35 -0500, Johnson, S sjohn...@edina.k12.mn.us wrote:
More information based on the searches I've done... I'm using transparent mode on the squid proxy (without auth). Well, I've got an AUP page set up for the users to agree to but no LDAP/AD/NTLM auth is being performed on this proxy.

You said you had port 80 and port 443 configured with the proxy. This does match your above statement that it's working transparent. Or did you mean some other meaning of the word transparent than NAT interception?

However, I tried the other squid proxy with ntlm_auth and it works a-ok. I'm really drawing a blank here...

Stretching for a long-shot you could try with an explicit connection-auth=on flag to the http_port line.

Though. Middle-ware proxies really should just work with these. The only special config is needed to reverse-proxy OWA.

Amos

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
[squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17
I'm using Squid and Dansguardian to block and cache sites. Everything works great but accessing OWA or Sharepoint related site with authentication doesn't work. I get a great non-descript error in IE: Internet Explorer cannot display the webpage. If I try using Chrome, the login prompt just keeps on showing up. I've got 80 and 443 configured through squid. Has anyone else run into this issue and know what's going on? Thanks. sj
RE: [squid-users] Accessing OWA or Sharepoint through Squid 3.1.0.17
More information based on the searches I've done... I'm using transparent mode on the squid proxy (without auth). Well, I've got an AUP page set up for the users to agree to but no LDAP/AD/NTLM auth is being performed on this proxy. However, I tried the other squid proxy with ntlm_auth and it works a-ok. I'm really drawing a blank here...
[squid-users] Squid Quicktime RTPS 401 unauthorized error
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott
RE: [squid-users] Squid Quicktime RTPS 401 unauthorized error
I didn't know I could create an ACL for a browser service. Do you by chance have an example I could reference? (sorry about the dup message; forgot to hit reply all...)

-Original Message-
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Thursday, April 22, 2010 10:10 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error

In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott
[squid-users] unable to bypass AUP page with local servers
Hello, I've got a weird issue that I've been finding off and on. I can finally duplicate it regularly now. I'm working with a public network that we've separated from the local network. We have web resources that are on the external side of the squid box. This is what our network looks like:

    public network 65.80.133.x
           |
           |
           |
    public network firewall---(nat)DMZ (192.168.80.x/23)
           |                          (192.168.2.0/24)
           |                          (web servers)
           |
           |
    private network (10.x.x.x)

The squid server here is configured with an AUP page with a click through to continue to the site they originally were trying to get to. Any page outside of our network altogether works great; they get the AUP and click through it. However, if they try to access the local web server which shares the same external subnet as the squid server then I cannot click past the AUP.

To make this a little more complex, I'm attempting to do this through transparent proxy. I've also got DNS configured to provide a WPAD file. If I use the autoproxy config in the browser then it works just fine (which is why it was working for me). Once I turn this off in the browser I once again cannot get to the local web server but other outside sites work just fine. I don't see any hits in the log if I try to browse the local web server which makes me believe that the traffic isn't even hitting the proxy. However, it should since there are no local routes on the workstation that would do otherwise. It's like the proxy server isn't picking up the packets at all...

Oh one more weird thing... if I set myweb in the acl below at the top of the ACL list then I'm able to get to the local servers but the AUP page never shows if their homepage is set to the local web server. I guess I would expect this behavior since I've never denied the session. I've tried moving the myweb acl around the whole list but I don't get any other results...
This is my config:

# TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl myweb dst 64.80.132.1/32
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
external_acl_type session ttl=10 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session
acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
#http_access allow myweb #trying different locations for the session to be set
http_access deny !Safe_ports
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access allow myweb
http_access deny !Safe_ports
http_access deny all
http_port 3128 transparent
[squid-users] Squid is unable to connect to local webservers
I've got a squid proxy running in transparent mode with an AUP on a public wireless network which is separated from our private network. We run a local webserver here and found that users get the AUP and cannot click past it when attempting to get to the local web server. Without using the proxy I can connect just fine to the web server from the squid server so I know they can see each other. Everything else works great. I tried setting up an ACL with localweb (seen in the config below) but that didn't allow it through. Weird thing is that when I try hitting the local web server, I don't see anything in the squid access.log file which makes me believe that squid isn't even seeing the traffic for some reason.

squid config:

# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds
# TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl localweb dst 84.8.132.1/32
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session
acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow localweb
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports
RE: [squid-users] Squid is unable to connect to local webservers
Another piece of information I just discovered... I use a wpad.dat file to assign the proxy to users. It works just fine except for the local servers. However, when I force the connection in the browser to the proxy with 8080 (dansguardian) then I can get to my local web servers.

-Original Message-
From: Johnson, S [mailto:sjohn...@edina.k12.mn.us]
Sent: Thursday, April 08, 2010 9:50 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid is unable to connect to local webservers

I've got a squid proxy running in transparent mode with an AUP on a public wireless network which is separated from our private network. We run a local webserver here and found that users get the AUP and cannot click past it when attempting to get to the local web server. Without using the proxy I can connect just fine to the web server from the squid server so I know they can see each other. Everything else works great. I tried setting up an ACL with localweb (seen in the config below) but that didn't allow it through. Weird thing is that when I try hitting the local web server, I don't see anything in the squid access.log file which makes me believe that squid isn't even seeing the traffic for some reason.

squid config:

# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds
# TAG: acl
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl localweb dst 84.8.132.1/32
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session
acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow localweb
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports
[squid-users] HTTPS passthrough
I'm missing something here... I had another squid/dansguardian proxy that was set up to pass through HTTPS traffic and I was using a URL blacklist to prevent bad site access. Unfortunately, that proxy was lost and I'm building anew. I have my browser set to port 3128 (squid) and when I try to attach to a SSL site there is a very long delay then I see three of the following messages:

02/Apr/2010,12:34:32, 21000,192.168.80.9,TCP_MISS/200,0,CONNECT,www.tcfbank.com:443,-,DIRECT/206.71.19.108,-

So it looks like it's trying to go there. I already know I cannot do content filtering through HTTPS, but all I want is for the traffic to be passed through like I had it before. I'll block the places I don't want using a blacklist. Here's my config:

Shorewall rules:
================
ACCEPT   $FW  net   tcp  www
REDIRECT loc  8080  tcp  www  -
ACCEPT   loc  fw    tcp  www
ACCEPT   loc  fw    tcp  53
ACCEPT   loc  fw    tcp  22
ACCEPT   loc  fw    tcp  443

Squid:
======
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl mylocalserver dst 64.8.132.1/32
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow mylocalserver
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access allow SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !session
http_access deny !Safe_ports
RE: [squid-users] HTTPS passthrough
Ok, I see what you mean. Yes, I tried https://www.openssl.org and it worked a-ok but it's still not showing in my squid log.

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Friday, April 02, 2010 1:29 PM
To: Johnson, S
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] HTTPS passthrough

On Fri 2010-04-02 at 12:59 -0500, Johnson, S wrote:
02/Apr/2010,12:34:32, 21000,192.168.80.9,TCP_MISS/200,0,CONNECT,www.tcfbank.com:443,-,DIRECT/206.71.19.108,-

Can you connect to https sites from the proxy without using Squid? This must work for Squid to work..

Btw, I can not connect to that https://www.tcfbank.com server from here with or without Squid.. connection timeout after 2 minutes.

Another site you can try:

wget -O- https://www.openssl.org/

Regards
Henrik
[squid-users] delay on session acceptance with AUP redirection
I've got one of my squid/dansguardian boxes configured for transparent proxy using an AUP to authorize the connection. What happens is the AUP shows, the user clicks on the accept link (which is just a URL forward to where they were originally going) then it drops them right back into the AUP. A session was never being created for the user (or so I thought). In the logs I can see the 302 denied show which causes the redirection:

01/Apr/2010,14:38:53, 0,192.168.80.245,TCP_DENIED/302,421,GET,http://www.yahoo.com/,-,NONE/-,text/html

This should be easy to troubleshoot, however in working on this issue I discovered that if I click on the Accept AUP policy link 3 or 4 times then it eventually gives me the green light and sets up a session for me. Then browsing from there on out is ok. I thought I had the problem resolved a few times but discovered that it wasn't after a few other people tried it out.

This is my squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl mywebserver dst 34.8.132.1/32 # this is my local web server
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
external_acl_type session ttl=300 children=20 negative_ttl=10 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800
acl session external session
acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow mywebserver
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access deny !session
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
RE: [squid-users] delay on session acceptance with AUP redirection
Thank you!

-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Thursday, April 01, 2010 3:41 PM
To: Johnson, S
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] delay on session acceptance with AUP redirection

On Thu 2010-04-01 at 15:02 -0500, Johnson, S wrote:
external_acl_type session ttl=300 children=20 negative_ttl=10 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

There should only be one child for squid_session. Having more than 1 child will give confusing results as each child keeps its own session database.

Also you want a much lower negative_ttl, or the user needs to wait for 10 seconds before clicking the accept button.

Regards
Henrik
[squid-users] AUP issues; proxy to local network host issues
Ok, I've almost got everything working right but I've run into one last issue. I've got an AUP set for my users to accept before they go out to the internet. This works great for all but one thing. Any time I try to hit one of my local web servers that share the public address range of the squid proxy, the browser session does not get initialized and I cannot get past my AUP page. In addition, the logs for squid do not show any connection attempts so it's like the squid isn't even seeing the connection. If I go to any other web site, the AUP comes up and I can click through it. If I try to go back to any of the local web servers after the session is started I get the AUP page again and I cannot get past it. Has anyone seen this or have an idea on what is going on? Thanks Scott
[squid-users] AUP page squid_session and banner page
Squid 3.1.0.17

Ok, I'm able to get some of this working right... Although it's not quite what I expected for results. My config is below...

First, I think since I have myserver in the acl then the AUP page doesn't display if the user has their home page set to http://www.myserver.com. Secondly, when one computer gets the AUP subsequent computers will not be prompted with the AUP. The first computer to attempt to get to the internet gets the AUP; all the others do not. Of course, resetting squid frees up the cache and then the first user after the restart will be prompted. My assumption in reading is that the %SRC is supposed to key the session identifier for the IP address of the requesting user. I did notice the following in my logs and I wonder if this could be my issue:

30/Mar/2010,14:56:08, 220,127.0.0.1,TCP_MISS/200,3150,GET,http://www.google.com/firefox?,-,DIRECT/208.69.36.231,text/html

Shouldn't my workstation show as the true IP address and not localhost (127.0.0.1)? I am running dansguardian on this server but that should be taking place after my connection. It would make sense that the first workstation authenticating with 127.0.0.1 would authorize in this case... If this is what my problem is, why is localhost showing instead of the real IP address? The dansguardian log does show the correct IP address... Oh wait... I'm connecting to 8080 which is dansguardian which forwards to squid @ 3128... oh my... How am I going to fix this?

The docs for squid_session (http://linuxreviews.org/man/squid_session/) state: http://your.server/bannerpage to display a session startup page and then redirect the user back to the requested URL given in the url query parameter. I can't seem to figure out what to do on the AUP html page. Is there anything additional I need to do or just forward the user on? (I've played around with the negative_ttl a bit; if I set it to say 300, then I cannot progress past the AUP.)
acl to_localbox dst 192.168.80.5/32
acl myserver dst 64.8.132.1/32
external_acl_type session ttl=300 children=20 negative_ttl=10 concurrency=200 %SRC /usr/lib/squid/squid_session -t 3600
acl session external session
acl localnet src 192.168.80.0/23
http_access allow myserver      # this is my webserver that I want to allow unrestricted access to
http_access allow to_localbox   # since I have an AUP html file on this web server; allow access
deny_info http://192.168.80.5/index.html?url=%s session   # sets up the session html page; redirect connection here
http_access deny !Safe_ports    # default config from squid; it is defined, I just didn't cut and paste the ACL for it
http_access deny !session       # if you don't have a session defined then no way; you're stuck
http_access allow session
http_access deny all
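Two of the failure modes in these threads, the "click accept 3 or 4 times" delay that Henrik traced to children=20 and negative_ttl=10 on the session external ACL, and the single shared AUP acceptance seen here once every request reaches squid_session keyed on 127.0.0.1 because dansguardian sits in front of Squid, come out of the same mechanism: Squid's per-%SRC result cache in front of a helper whose session table lives in the helper process. The model below is an added example, not Squid's or squid_session's own code. It assumes the helper's default passive mode (the first lookup for a key answers ERR and starts the session, later lookups inside the session TTL answer OK and refresh it), that Squid spreads lookups round-robin over its helper children (a simplification of the real dispatch; what matters is that each child keeps a private table), and that Squid caches an OK verdict for ttl seconds and an ERR verdict for negative_ttl seconds per expanded %SRC value. The IP addresses in the usage section are constructed.

```python
"""Model of Squid's external_acl_type 'session' lookup (added example, not
Squid's or squid_session's own code).

Assumptions, none of them taken from the thread itself:
  * the helper behaves like squid_session's passive mode: the first lookup
    for a key answers ERR and starts the session; later lookups inside the
    session TTL answer OK and refresh it;
  * Squid hands lookups to its helper children round-robin (a simplification
    of the real dispatch; the point is that each child has its own table);
  * Squid caches an OK verdict for `ttl` seconds and an ERR verdict for
    `negative_ttl` seconds, keyed by the expanded %SRC value.
"""
from collections import deque


class SessionHelperChild:
    """One helper process speaking the concurrent helper protocol:
    'channel-id key' in, 'channel-id OK|ERR' out. The session table is
    private to the process, so two children never agree on who has a session."""

    def __init__(self, session_ttl):
        self.session_ttl = session_ttl
        self.expires = {}  # key (the %SRC value) -> session expiry time

    def handle_line(self, line, now):
        channel, _, key = line.strip().partition(" ")
        if self.expires.get(key, -1.0) > now:
            self.expires[key] = now + self.session_ttl  # active: refresh and allow
            return f"{channel} OK"
        self.expires[key] = now + self.session_ttl      # no session yet: start one, deny once
        return f"{channel} ERR"


class SquidExternalAcl:
    """Squid side: result cache (ttl / negative_ttl) in front of N children."""

    def __init__(self, children, session_ttl, ttl, negative_ttl):
        self.children = deque(SessionHelperChild(session_ttl) for _ in range(children))
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.cache = {}  # %SRC value -> (verdict, cache expiry)
        self.helper_calls = 0

    def lookup(self, src, now):
        """True if 'http_access allow session' would match this client now."""
        verdict, expiry = self.cache.get(src, (None, -1.0))
        if expiry > now:
            return verdict == "OK"  # answered from cache; the helper is never asked
        child = self.children[0]
        self.children.rotate(-1)    # next lookup goes to the next child
        self.helper_calls += 1
        verdict = child.handle_line(f"0 {src}", now).split()[1]
        hold = self.ttl if verdict == "OK" else self.negative_ttl
        self.cache[src] = (verdict, now + hold)
        return verdict == "OK"


def denials_before_allowed(acl, src, interval=1.0, max_requests=60):
    """Number of requests (initial page load plus 'accept' clicks, one every
    `interval` seconds) that land on the AUP before the session ACL allows one.
    1 is the intended behaviour: first page shows the AUP, the accept click goes through."""
    denials = 0
    for n in range(1, max_requests + 1):
        if acl.lookup(src, now=n * interval):
            return denials
        denials += 1
    return None


def second_client_sees_aup(acl, src_a, src_b):
    """Does a second client get the AUP at all once the first has accepted?
    With dansguardian in front of Squid, both arrive with %SRC 127.0.0.1."""
    acl.lookup(src_a, now=1.0)  # first client: denied, session started
    acl.lookup(src_a, now=2.0)  # first client clicks accept: allowed
    return not acl.lookup(src_b, now=3.0)


if __name__ == "__main__":
    # constructed sample clients
    good = SquidExternalAcl(children=1, session_ttl=1800, ttl=300, negative_ttl=0)
    print("children=1, negative_ttl=0 :", denials_before_allowed(good, "192.168.80.9"))
    many = SquidExternalAcl(children=2, session_ttl=1800, ttl=300, negative_ttl=0)
    print("children=2                 :", denials_before_allowed(many, "192.168.80.9"))
    slow = SquidExternalAcl(children=1, session_ttl=1800, ttl=300, negative_ttl=10)
    print("negative_ttl=10            :", denials_before_allowed(slow, "192.168.80.9"))
    shared = SquidExternalAcl(children=1, session_ttl=1800, ttl=300, negative_ttl=0)
    print("everyone seen as 127.0.0.1 :", second_client_sees_aup(shared, "127.0.0.1", "127.0.0.1"))
```

With children=1 and negative_ttl=0 the first page load is denied and the accept click is allowed; with two children the accept click lands on a child that has never seen the key and is denied again; with negative_ttl=10 every click inside ten seconds is answered ERR from Squid's cache without the helper being asked at all. The last case is the one from this post: when dansguardian hands everything to Squid from 127.0.0.1, the first client's acceptance opens the session for everyone. The config already has follow_x_forwarded_for allow localhost and acl_uses_indirect_client on; what is missing is the X-Forwarded-For header from dansguardian (its dansguardian.conf option for that is, if I recall the name correctly, forwardedfor = on) and, for Squid 3.1, a build with follow-x-forwarded-for support, both of which are assumptions here rather than something the thread states.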
RE: [squid-users] Transparent Squid Gtalk Gmail And Other HTTPS
Did you look at SSLbump?
[squid-users] allowing youtube embedded video
I've got a squid proxy with dansguardian working on it. Youtube.com is blocked (blacklisted) however there are other external sites that contain embedded video hosted on youtube that this place wants to access. Does anyone know if I can open this functionality through Squid and/or dansguardian? Thanks Scott
RE: [squid-users] How do I see who's connected to my SQUID server?
Hmm, when I do this command all I get is brief statistics of the filter; no IP addresses show...

Scott

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, January 06, 2009 11:47 PM
To: Rick Chisholm
Cc: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] How do I see who's connected to my SQUID server?

Rick Chisholm wrote:
something basic like netstat -an will give you some info, if you want squid specific info, you can setup cachemgr ...

Or for a quick random dump squidclient. squidclient mgr:client_list reports all the client IPs that connected in the last N hours and some stats about their usage. This is identical to the cachemgr page.

Amos

Johnson, S wrote:
I'm using NTLM_AUTH for my authentication mechanism, but if I run smbstatus I do not see anyone connected (and I know I am). Is there another tool to see who is connected to my server or at least their IP address? (I know I could dig through logs... but I just want a quick snapshot of who is using it at this particular moment). Thanks Scott

--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
RE: [squid-users] NTLM and transparent/interception confusion
That's exactly what I opted for... I configured WPAD which should work with the majority of browsers out there. And we also authenticate against the hardware (another LDAP connection) to even connect to the open wireless.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, January 05, 2009 10:18 PM
To: Johnson, S
Cc: Kinkie; Guido Serassio; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

Johnson, S wrote:
Keep in mind, group policies cannot always be used as in our environment. We are a K-12 education and are mandated by federal law to monitor and protect student access to the internet. We are now allowing students to bring their own notebooks in on a trial basis (to be permanent after this summer when we work out the bugs) to do research on their own computers. We have to monitor their access to the internet and deny bad sites, again mandated by federal law. So their authentication mechanism is AD/LDAP to their user ID set up for them to access network resources on the network. Since their computers are not on our domain (nor do we want them to be), we cannot push group policies down to their computer.

In that case your best bet would be to lock down general port-80 access to them entirely. Using WPAD 'auto-detect' or with students setting browsers set manually. That will go a long way toward blocking risky behavior by malware on mobile devices.

Second best after that would be to setup some helper where they can authenticate against some other system and the helper permits their requests past Squid for a time. This provides almost no protection from malware once the student is browsing a legit session.

Amos

The solution Bluecoat had was very secure, but again their devices are about $50,000usd / device. As an education provider, that money is hard to come by especially when we would need 3 devices for the load. Their authentication mechanism is SOX (Sarbanes-Oxley) tested and compliant. It also works with any computer outbound to the internet. There's no proxy configuration to worry about; it's all done at the proxy. Granted, I used WCCP to configure this on Bluecoat which allowed me a lot of flexibility to add in multiple proxies with ease (and the users would never know the difference).

sj

-Original Message-
From: Kinkie [mailto:gkin...@gmail.com]
Sent: Saturday, January 03, 2009 12:51 PM
To: Guido Serassio
Cc: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio guido.seras...@acmeconsulting.it wrote:
Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:
Could you try to get a network trace of a successfully authenticated http transaction? I would love to see how they do it...

Websense too is using something similar for filtering: They maintain an IP Address/Username table on the policy server. The table can be populated using different ways:
- A logon agent, a little executable running on every client at logon time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions

There isn't any kind of web browser authentication, and this solution cannot work with non Windows clients or machines that are not domain members. Multiuser terminal server environments cannot be supported and the WS policy server should be Windows based and a domain member for full functionality.

Yuck... IIRC Squid's session helper can do that too then. This is NOT authentication and it's absolutely insecure: even windows nowadays supports remote desktops (3 users can share one IP) and SNAT (connection sharing), and it's pretty easy to hijack a user's credentials (simply log on to his workstation as soon as possible after he's logged out). An nmblookup-based external authentication helper could be set up to do one of these, but after all what's the point? If the user has a proper Windows infrastructure, it's much easier to use group policies to configure the browsers..

Thanks for the clarification Guido!
[squid-users] How do I see who's connected to my SQUID server?
I'm using NTLM_AUTH for my authentication mechanism, but if I run smbstatus I do not see anyone connected (and I know I am). Is there another tool to see who is connected to my server or at least their IP address? (I know I could dig through logs... but I just want a quick snapshot of who is using it at this particular moment). Thanks Scott
RE: [squid-users] NTLM and transparent/interception confusion
Keep in mind, group policies cannot always be used, as in our environment. We are a K-12 education provider and are mandated by federal law to monitor and protect student access to the internet. We are now allowing students to bring their own notebooks in on a trial basis (to be permanent after this summer when we work out the bugs) to do research on their own computers. We have to monitor their access to the internet and deny bad sites, again mandated by federal law. So their authentication mechanism is AD/LDAP to their user ID set up for them to access network resources on the network. Since their computers are not on our domain (nor do we want them to be), we cannot push group policies down to their computers.

The solution Bluecoat had was very secure, but again their devices are about $50,000 USD / device. As an education provider, that money is hard to come by, especially when we would need 3 devices for the load. Their authentication mechanism is SOX (Sarbanes-Oxley) tested and compliant. It also works with any computer outbound to the internet. There's no proxy configuration to worry about; it's all done at the proxy. Granted, I used WCCP to configure this on Bluecoat which allowed me a lot of flexibility to add in multiple proxies with ease (and the users would never know the difference).

sj

-----Original Message-----
From: Kinkie [mailto:gkin...@gmail.com]
Sent: Saturday, January 03, 2009 12:51 PM
To: Guido Serassio
Cc: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio guido.seras...@acmeconsulting.it wrote:
> Hi Kinkie,
> At 18.45 02/01/2009, Kinkie wrote:
>> Could you try to get a network trace of a successfully authenticated http transaction? I would love to see how they do it...
> Websense too is using something similar for filtering: they maintain an IP address/username table on the policy server. The table can be populated in different ways:
> - A logon agent, a little executable running on every client at logon time
> - Direct query to the user workstation
> - A DC agent that queries DCs for user sessions
> There isn't any kind of web browser authentication, and this solution cannot work with non-Windows clients or machines that are not domain members. Multiuser terminal server environments cannot be supported, and the WS policy server should be Windows based and a domain member for full functionality.

Yuck... IIRC Squid's session helper can do that too then. This is NOT authentication and it's absolutely insecure: even Windows nowadays supports remote desktops (3 users can share one IP) and SNAT (connection sharing), and it's pretty easy to hijack a user's credentials (simply log on to his workstation as soon as possible after he's logged out). An nmblookup-based external authentication helper could be set up to do one of these, but after all what's the point? If the user has a proper Windows infrastructure, it's much easier to use group policies to configure the browsers..

Thanks for the clarification Guido!

--
    /kinkie
RE: [squid-users] NTLM and transparent/interception confusion
That's too bad... I've set up numerous Bluecoat proxies and they do have this capability. But of course, you're paying about $50k USD / box.

-----Original Message-----
From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
Sent: Thursday, January 01, 2009 4:00 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM and transparent/interception confusion

Hi,

At 20.06 31/12/2008, Johnson, S wrote:
> I've been doing a lot of reading on this... I've got the proxy working in either of these two modes:
> 1) As a browser configuration proxy
> 2) with http_port 3128 transparent, in redirected mode
> I've got NTLM authentication working just fine with #1 above. However, with #2 I never get a password prompt. I don't really care about transparency; I just want to authenticate users that are outbound without having to configure their browser. I asked this question a couple of months back and there are people stating that they are doing the authentication with transparent mode. Some of the references I've found in my searches also seem to corroborate the possibility of this working (but it's not working for me). However, in the documentation it seems that this should not be possible. Am I barking up the wrong tree or is this truly possible?

You cannot. You are mixing two very different and incompatible things:
- Transparent/intercepting proxy
- NTLM transparent (silent) authentication, also known as Windows integrated authentication

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Regards and happy New Year

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
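As an added configuration example (not from this thread, and not Squid project documentation), the following squid.conf fragment shows the practical consequence of Guido's point: an explicit proxy port and an intercepting port can coexist on one Squid, but NTLM can only be required on the explicit one, because an intercepted client believes it is talking to the origin server and will never answer a 407 Proxy-Authentication-Required. Squid 2.7-era syntax is used (the thread's http_port ... transparent form); the port numbers, the 10.0.0.0/8 network and the ntlm_auth path are assumptions.

```conf
# Added example, not part of the thread. Squid 2.7-style syntax;
# ports, client network and helper path are assumptions.

http_port 3128                  # explicit proxy port: browsers are configured to use it
http_port 3129 transparent      # intercepted traffic (port 80 redirected by iptables) lands here

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

acl localnet src 10.0.0.0/8
acl explicit myport 3128
acl intercepted myport 3129
acl authed proxy_auth REQUIRED

# Explicit port: the browser knows it is talking to a proxy, honours the 407
# challenge and completes the NTLM handshake, so authentication can be required.
http_access allow explicit authed
http_access deny explicit

# Intercepted port: the client thinks the proxy is the origin server, so a 407
# is meaningless and Squid must not challenge; only source-IP rules apply here.
http_access allow intercepted localnet
http_access deny all
```

Keeping the proxy_auth ACL off every rule that intercepted traffic can reach is the important part: if an intercepted request ever hits a line containing authed, Squid sends a 407 that the browser cannot handle, which is the "never get a password prompt" symptom described above. Intercepted clients therefore remain identified by IP only, with the weaknesses Kinkie lists in the other branch of this thread.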
[squid-users] Transparent proxy and NTLM auth
I've got the proxy working great with setting the browser configuration. Now I'm trying to get the transparent piece working so I added the http_port 3128 transparent and set the IPTABLES rule to route the packets from 80 to 3128. I can see that this piece is working as it's logging my attempts in the squid/access.log file. In switching between transparent and not-transparent I see that the source IP address switches from 127.0.0.1 (not-transparent) to my local PC IP address in transparent mode. I think because of this I'm getting an access denied. Trouble is... What in squid controls this? Any ideas? Thanks! Scott
[squid-users] NTLM and transparent/interception confusion
I've been doing a lot of reading on this... I've got the proxy working in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode
I've got NTLM authentication working just fine with #1 above. However, with #2 I never get a password prompt. I don't really care about transparency; I just want to authenticate users that are outbound without having to configure their browser. I asked this question a couple of months back and there are people stating that they are doing the authentication with transparent mode. Some of the references I've found in my searches also seem to corroborate the possibility of this working (but it's not working for me). However, in the documentation it seems that this should not be possible. Am I barking up the wrong tree or is this truly possible? Thanks Scott
[squid-users] squid_ldap_auth and passwords in clear text
Since this is going to be a public network, people will have the ability to load wireshark or another sniffer program. I just got the squid_ldap_auth working ok on my segment but when watching the protocol analyzer I see that the auth requests against the AD are coming in as clear text passwords. Is there any way we can encrypt the ldap domain requests? Thanks Scott
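As an added example (not posted in this thread and not Squid project documentation), here is the squid_ldap_auth configuration that produces the clear-text binds seen in the protocol analyzer, beside the same helper configured to use TLS with the -Z option (STARTTLS on port 389; the helper also accepts an ldaps:// URI through -H). The domain name, base DN, bind account and file paths are assumptions.

```conf
# Added example, not from the thread. Domain, base DN, bind account and paths are assumptions.

# Weak: simple bind over plain LDAP on port 389. Both the bind account's password
# and every user's password cross the proxy-to-DC link in the clear, which is
# exactly what a sniffer on that segment records.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=example,dc=edu" -D "cn=squidbind,cn=Users,dc=example,dc=edu" -w "BIND-PASSWORD-PLACEHOLDER" -f "(&(objectClass=person)(sAMAccountName=%s))" -h dc1.example.edu

# Hardened: same helper and filter, but -Z negotiates STARTTLS before the bind,
# and the bind password is read from a root-only file (-W) instead of squid.conf.
# The DC's certificate must be trusted by the proxy's LDAP client library
# (TLS_CACERT in ldap.conf), otherwise the TLS handshake and the bind fail.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -Z -b "dc=example,dc=edu" -D "cn=squidbind,cn=Users,dc=example,dc=edu" -W /etc/squid/ldap_bind.pw -f "(&(objectClass=person)(sAMAccountName=%s))" -h dc1.example.edu

auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all
```

Only one of the two auth_param basic program lines would be active in a real configuration. Note the scope of the fix: -Z protects the proxy-to-DC leg, but squid_ldap_auth is a Basic-scheme helper, so the browser-to-proxy leg still carries the user's password base64-encoded in every request, and on the public segment the thread describes that leg is the one a student's sniffer sees first. Encrypting the LDAP traffic is necessary but not sufficient; the client-facing leg needs a challenge-response scheme (NTLM or Digest) or a TLS-wrapped path to the proxy.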
[squid-users] Squid radius encryption
Ok, I think I got my issue narrowed down to the encryption that is being used to authenticate to my Microsoft IAS radius server. I'm getting an invalid auth type in the error on the server. Does anyone know what type of encryption is used for this connection and/or how to configure squid to talk to the IAS radius server? Thanks
[squid-users] NTLM auth and groupmembership
Ok, I scrapped the radius authentication and went back to NTLM. Is it possible to check for a group membership during/after authentication to allow a user to use SQUID? For instance, I want to be able to take away or grant access to the proxy based on an AD group membership. Thanks Scott
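As an added configuration example (not part of this thread and not Squid project documentation), the following fragment shows the mechanism Squid provides for this: an external_acl_type helper that is handed the authenticated login name (%LOGIN) and a group name, and answers OK or ERR. The wbinfo_group.pl helper shipped with Squid tests membership through winbind, which fits the NTLM/winbind setup described in this thread. The group name "ProxyUsers" and the helper paths are assumptions.

```conf
# Added example, not from the thread. Group name and helper paths are assumptions.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# The helper reads one "<login> <group>" line per lookup on stdin and prints
# OK or ERR. Results are cached by Squid for ttl seconds (negative_ttl for ERR),
# so a group removal takes effect within about a minute, not on the next request.
external_acl_type nt_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authed proxy_auth REQUIRED
acl proxy_allowed external nt_group ProxyUsers

# Authenticate first so %LOGIN is populated, then gate on AD group membership.
# Users outside ProxyUsers get a 403, not another credential prompt.
http_access deny !authed
http_access allow proxy_allowed
http_access deny all
```

Granting and revoking proxy access then becomes an AD group-membership change rather than a squid.conf edit. For a proxy that must not join the domain, the same acl ... external pattern works with the squid_ldap_group helper (ext_ldap_group_acl in Squid 3), which queries the group's member attribute over LDAP and, like squid_ldap_auth, takes -Z to do so over TLS.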
[squid-users] Squid and Radius authentication
I'm trying to get the squid_radius_auth working and have tried to manually connect to my Microsoft radius server. I cannot get an OK response when manually testing the connection. Although, I can see the attempts in my Microsoft radius server log so I know I'm hitting it. I have a feeling it's my configuration in my Microsoft radius server. I've dug around and cannot find any articles on the setup for the radius server side; just the squid side (which again I think is working ok). Does anyone have information on this or suggestions to try? Thanks Scott
[squid-users] Squid and WCCP hardware placement
I'm working on getting this working but I'm unclear on the hardware placement for each of the devices. Is it:

A) Workstation-Cisco-Squid--internet (WCCP) (NAT)

B) Workstation-Cisco (WCCP)
               |
             Squid---internet (NAT)

C) Workstation-Cisco-Internet
               |
          (WCCP) Squid

D) or???

Thanks a bunch.
[squid-users] FW: Transparent proxy (WCCP) and LDAP authentication
I've been digging around while working on this and found a reference from someone 4 years ago that said that transparent proxy does not work with authentication. Is this true? I need to perform the following tasks:
1) Authenticate users against a windows AD
2) Transparent proxy (without the need to set browser settings at each computer). I'm looking at WCCP2 here
3) Log where people have gone for later review
4) Use a URL blacklist to block the majority of bad sites.
Regards, Scott
[squid-users] WCCP and Squid both through Linux
Does anyone know of a good HowTo on running WCCP and Squid together? (Specifically running WCCP on the linux box itself and not a Cisco router.) Thanks Scott
[squid-users] Hardware placement
I've been digging around for an answer on this and am trying to figure out the best layout for attempting a WCCP2/Squid transparent proxy. I've done several installs of Cisco WCCP2 using Bluecoat's proxy, but this would be a much cheaper method. The hardware layout of Bluecoat was like the following (the way I did it before):

USER Workstation
    |
    |
Cisco--Bluecoat(WCCP)-Win2k3 DC
    |
    |
    |
Internet

The HTTP packet was transferred to the Cisco which was then forwarded to Bluecoat for validation. The configurations I seem to be finding on the net for SQUID/WCCP are like the following:

User Workstation
    |
    |
Cisco
    |
    |Win2k3(LDAP)
    |
Bluecoat(WCCP)
    |(nat)
    |
    |
Internet

What I'm trying to accomplish is that only my SQUID server can talk to my AD environment. It's a weird situation in that this is a public network that is still being authenticated to our private side. In other words, our students are going to be bringing in their computers but we don't want them to touch our private network in any form. Can anyone make any recommendations/suggestions? Thanks much. Scott
[squid-users] Recommendations for URL filtering
Anyone have recommendations for a URL filtering list through squid? Regards, Scott