Re: [squid-users] Squid with more than 128 ports?

2020-12-12 Thread Eliezer Croitor
You can use 2 squid servers with VRRP in front of the other proxies.

I would advise you to learn a little about haproxy authentication methods.

There is a possibility that you will be able to do some things you haven’t done 
until now.


Eliezer




Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com  


From: roee klinger  
Sent: Friday, December 11, 2020 1:23 PM
To: Eliezer Croitor ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid with more than 128 ports?


Hey Eliezer,


Thanks, but actually what I want to achieve is not dynamic load balancing, I 
want each user to always go to a predefined proxy.


For a failover solution, I will have an outside program checking for failed 
proxies, and then I will remove them from the list and send the user to a 
different proxy while I handle the failed ones.


Is Haproxy good for that, or is Squid in the way I proposed OK?


Thanks



On Dec 10, 2020, at 23:14, Eliezer Croitor <ngtech1...@gmail.com> wrote:



You should use Haproxy in a Fail-over setup.

Squid is great but it’s possible that Haproxy does this much better these days 
than Squid.

You can leave the authentication on the Squid servers and use the Haproxy as 
TCP Load balancer.

If you need the client's original IP address you can use the PROXY protocol to 
send these details between the haproxy and squid.


Eliezer


From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of roee klinger
Sent: Thursday, December 10, 2020 8:39 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] Squid with more than 128 ports?


Hey Anthony,


Giving this a second thought, I believe I didn't explain myself correctly.


I have 5 Squid servers, each listening on 80 ports. I would like to add another 
Squid server between the clients and these servers to authenticate users before 
sending them to their ports. I already have ACL controls and auth control tools 
which I wrote and are working fine.

My question is regarding how to configure this. I have found this configuration 
online but I am not sure how it will work performance-wise with 500+ proxies 
(could be 1000s in the future):


# Front-end listening ports; name= is what the myportname ACLs match on
http_port 3128 name=port_3128
http_port 3127 name=port_3127
# Prefer parents even for requests Squid would otherwise send direct
nonhierarchical_direct off
acl port_3128_acl myportname port_3128
acl port_3127_acl myportname port_3127
# Never fetch from the origin: every request must leave through a peer
always_direct deny port_3128_acl
always_direct deny port_3127_acl
never_direct allow port_3128_acl
never_direct allow port_3127_acl
# 3128: parent peer usable only by requests that arrived on port 3128
cache_peer proxy1 parent 3128 0 proxy-only default name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
# 3127: same pattern, a different upstream Squid
cache_peer proxy2 parent 3128 0 proxy-only default name=proxy3127
cache_peer_access proxy3127 allow port_3127_acl
cache_peer_access proxy3127 deny all


Combine these 2000+ lines in squid.conf with 2 external ACLs and a custom 
authenticator; can this cause a hit on performance or should it be no problem 
for squid to handle?


On Thu, Dec 10, 2020 at 2:29 PM Antony Stone <antony.st...@squid.open.source.it> wrote:

On Thursday 10 December 2020 at 13:02:19, roee klinger wrote:

> Hello,
> 
> We have a few Squid proxy servers with a total of around 400 ports

What do you mean by that?  What are you using 400 ports for?

> We have decided that we want to add a cloud instance in the middle of the
> connections, that will authenticate users and only then send them to the
> squid instance.

What authentication method / protocol do you want to use?

> Is it a smart idea to use Squid for this use case or just use a different
> proxy software that doesn't have this limitation?

I think the best starting point is to ask what sort of authentication you want 
to perform (ie: what is the authoritative system which holds the information 
about who can authenticate and who cannot), then you can decide on the best 
software to use to do that in front of Squid.


Antony.

-- 
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are 
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this 
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to 
class something as a cake or a biscuit.  McVitie's defended the classification 
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas 
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale 
and McVitie's won the case.

   Please reply to the list;
 please *don't* CC me.
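The per-port routing fragment posted in this thread has to be repeated for every listening port, and a typo that reuses an ACL name would silently merge two routes and send one user's traffic through another user's proxy. The script below is an added example, not code from the thread or from the Squid project: it renders the same http_port / myportname / never_direct / cache_peer pattern from a route table and refuses duplicate or out-of-range ports. The host names and the `render_port_routing` and `route_count` helpers are assumptions. It leaves out the `default` flag the hand-written version carries, because once every peer is restricted to its own port a last-resort parent has nothing to catch, and a request on an unmapped port should fail rather than go somewhere unexpected. On the performance question, note that Squid's peer selection walks the whole cache_peer list for each request, evaluating each peer's cache_peer_access rules, so the cost grows with the number of peers rather than with the number of lines in squid.conf.

```python
"""Generate a per-port peer-routing squid.conf fragment.

Added example for the 'Squid with more than 128 ports?' thread; it is not
code from the thread or from the Squid project. It assumes a route table of
(listen_port, backend_host, backend_port) tuples; host names are placeholders.
"""
from collections import Counter


def render_port_routing(routes):
    """Return squid.conf text that pins each local http_port to one parent.

    For every route the fragment emits a named http_port, a myportname ACL,
    always_direct/never_direct entries so the request may only leave through
    a peer, and a cache_peer whose access list allows just that ACL.
    """
    routes = [(int(p), str(h), int(bp)) for p, h, bp in routes]
    dups = sorted(p for p, n in Counter(p for p, _, _ in routes).items() if n > 1)
    if dups:
        # A duplicate would reuse an ACL name and silently merge two routes.
        raise ValueError(f"duplicate listen ports: {dups}")
    for port, host, bport in routes:
        if not (0 < port < 65536 and 0 < bport < 65536):
            raise ValueError(f"port out of range in route {(port, host, bport)}")
        if not host or any(c.isspace() for c in host):
            raise ValueError(f"bad backend host {host!r}")

    lines = [
        "# Generated: each listening port is pinned to one upstream Squid.",
        "# Put the front-end http_access / auth rules above this fragment.",
        "nonhierarchical_direct off",
    ]
    for port, host, bport in routes:
        acl, peer = f"port_{port}_acl", f"proxy{port}"
        lines += [
            f"# {port} -> {host}:{bport}",
            f"http_port {port} name=port_{port}",
            f"acl {acl} myportname port_{port}",
            f"always_direct deny {acl}",
            f"never_direct allow {acl}",
            f"cache_peer {host} parent {bport} 0 proxy-only name={peer}",
            f"cache_peer_access {peer} allow {acl}",
            f"cache_peer_access {peer} deny all",
        ]
    return "\n".join(lines) + "\n"


def route_count(config_text):
    """Count routes in generated text (one http_port line per route)."""
    return sum(1 for l in config_text.splitlines() if l.startswith("http_port "))


if __name__ == "__main__":
    # Constructed sample: two front ports, each mapped to a different backend.
    sample = [(3128, "proxy1", 3128), (3127, "proxy2", 3128)]
    print(render_port_routing(sample), end="")
```

Feed it the route list from whatever inventory already maps users to proxies, and splice the output into squid.conf after the http_access rules that do the authentication; `squid -k parse` on the result catches anything the generator's checks do not.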

Re: [squid-users] Sqlite3 with Squid

2020-12-12 Thread Eliezer Croitor
Well indeed it's very similar.
I would need to think about it a bit more to grasp it again in my mind.
However in the embedded world ruby/perl/python are not usually available so..



-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Saturday, December 12, 2020 11:56 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Sqlite3 with Squid

On 11/12/20 12:03 pm, Eliezer Croitor wrote:
> Amos or Alex might remember or know how to trigger external_acl helper cache 
> cleanup.
> I don't know what it might affect since there is some context code per 
> request or connection or session.
> 

"squid -k reconfigure" is the best trigger I know of.


> Can someone help me only to grasp this concept?

Like Antony I am not quite understanding what the concept you are trying 
to describe is. It sounds a lot like what tools like Puppet do for 
network wide management.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] authorized by pcname

2020-12-12 Thread Antony Stone
On Saturday 12 December 2020 at 14:03:23, sampe...@tiscali.it wrote:

> What Squid mechanism do you suggest me to identify the “computer name” ?
> What solution/correction can I make to my environment to apply my idea?

A few suggestions:

1. Why not get your DHCP server to allocate IP addresses according to MAC 
address; then your clients will get fixed addresses again and you can use those 
in your ACLs.

2. Alternatively, get your DHCP server to update a local DNS server, and point 
Squid at that so that it can look up the names of the PCs in DNS (without 
needing to know about NetBIOS) and you can use those.

3. Get your users to authenticate to Squid as people, not as computers; then 
you can apply the appropriate rules for who is trying to do stuff instead of 
assuming who is using which computer.

4. Why have you switched from static addressing to DHCP?  If you need DHCP to 
cater for machines which "temporarily visit" your network, how about just 
allocating a subnet range for those and continue to use static addresses for 
the machines you know about?


Regards,


Antony.

-- 
A good conversation is like a miniskirt;
short enough to retain interest,
but long enough to cover the subject.

 - Celeste Headlee


   Please reply to the list;
 please *don't* CC me.
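Suggestion 2 above (let DHCP update a local DNS zone and have Squid look the client's name up) can be done with Squid's built-in srcdomain ACL, which does a plain reverse lookup. The catch a practitioner should want covered is that a PTR record alone is controlled by whoever owns the reverse zone, so a name is only trustworthy if it also resolves back to the querying address. The helper below is an added example for the "authorized by pcname" and "dhcp" threads, not Squid code and not from the threads: it is an external_acl_type helper that answers OK only when the PTR name is forward-confirmed and on an allow-list. It assumes the helper protocol (one request per line, reply "OK" or "ERR", and with concurrency=N a leading channel id that must be echoed back); the host names, the allow-list and the `dns_resolver`, `client_name`, `decide` and `handle_line` helpers are assumptions, and the resolver is injectable so the logic can be exercised without a network.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow clients by forward-confirmed reverse DNS.

Added example for the 'authorized by pcname' and 'dhcp' threads; it is not
Squid code and not from the threads. It assumes the external_acl_type helper
protocol (one request per line, reply 'OK' or 'ERR'; with concurrency=N each
line starts with a channel id that must be echoed back) and a constructed
allow-list. The host names are placeholders.
"""
import socket
import sys

# Constructed allow-list of machine names a DHCP-updated local DNS would hold.
ALLOWED_HOSTS = {"pc-accounting01.corp.example", "pc-hr02.corp.example"}


def dns_resolver(ip):
    """Real lookup: (PTR name, set of addresses that name resolves to)."""
    try:
        name = socket.gethostbyaddr(ip)[0].lower().rstrip(".")
        forward = {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:                      # herror / gaierror are OSError subclasses
        return None, set()
    return name, forward


def client_name(ip, resolver=dns_resolver):
    """Return the client's name only if PTR and forward records agree.

    A PTR record alone is controlled by whoever owns the reverse zone, so a
    name is accepted only when it resolves back to the querying address.
    """
    name, forward = resolver(ip)
    if name is None or ip not in forward:
        return None
    return name


def decide(ip, allowed=ALLOWED_HOSTS, resolver=dns_resolver):
    """Helper verdict for one client address: 'OK' or 'ERR'."""
    name = client_name(ip, resolver)
    return "OK" if name is not None and name in allowed else "ERR"


def handle_line(line, concurrent, allowed=ALLOWED_HOSTS, resolver=dns_resolver):
    """Turn one request line into one reply line (None for a blank line)."""
    fields = line.split()
    if not fields:
        return None
    if concurrent:
        if len(fields) < 2:
            return f"{fields[0]} ERR"    # malformed: fail closed, keep channel id
        return f"{fields[0]} {decide(fields[1], allowed, resolver)}"
    return decide(fields[0], allowed, resolver)


def serve(stream_in, stream_out, concurrent):
    """Main loop: Squid writes requests to stdin and reads replies on stdout."""
    for line in stream_in:
        reply = handle_line(line, concurrent)
        if reply is not None:
            stream_out.write(reply + "\n")
            stream_out.flush()           # Squid waits for each reply line


if __name__ == "__main__":
    # Pass --concurrent when squid.conf sets concurrency=N on the helper.
    serve(sys.stdin, sys.stdout, "--concurrent" in sys.argv[1:])
```

Wired into squid.conf as, for instance, `external_acl_type byhost ttl=300 negative_ttl=60 concurrency=10 %SRC /usr/local/bin/byhost.py --concurrent`, then `acl known_pc external byhost` and `http_access allow known_pc` (path and names assumed). The lookups are synchronous, so the ttl values matter: Squid caches each verdict and only calls the helper again when it expires. This still identifies a machine, not a person; suggestion 3 (authenticating users) is the stronger control where it is available.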


Re: [squid-users] authorized by pcname

2020-12-12 Thread sampe...@tiscali.it
What Squid mechanism do you suggest me to identify the “computer name” ?
What solution/correction can I make to my environment to apply my idea?



> On 12 Dec 2020, at 10:48, Amos Jeffries  wrote:
> 
> On 11/12/20 3:55 am, sampei02 wrote:
>> Can I set acl to authorize specific computer name by http_access directive ?
> 
> Maybe. That depends on whether there is any mechanism for Squid to identify 
> the "computer name".
> 
> 
> 
>> I used usually acl  src  but I’d like to specify Netbios name, so 
>> I Thought  as client IP address is sent to squid It’ll be the same thing 
>> with pc name.
> 
> 
> Your thought is both right and wrong.
> 
> NetBIOS name plays the same role as IP address - both are the "address" of 
> the client machine in their relevant protocols.
> 
> However, Squid does not use or implement NetBIOS protocol to talk to clients. 
> Squid only uses IP based protocols.
> 
> Sometimes NTLM credentials contain the NetBIOS name of a "NetBIOS node" 
> machine.
> 
> Or IDENT protocol can be used to directly query the client about its name. 
> *IF* that protocol is supported and enabled on the client.
> 
> 
> Amos



Re: [squid-users] Sqlite3 with Squid

2020-12-12 Thread Amos Jeffries

On 11/12/20 12:03 pm, Eliezer Croitor wrote:

Amos or Alex might remember or know how to trigger external_acl helper cache 
cleanup.
I don't know what it might affect since there is some context code per request 
or connection or session.



"squid -k reconfigure" is the best trigger I know of.



Can someone help me only to grasp this concept?


Like Antony I am not quite understanding what the concept you are trying 
to describe is. It sounds a lot like what tools like Puppet do for 
network wide management.


Amos


Re: [squid-users] authorized by pcname

2020-12-12 Thread Amos Jeffries

On 11/12/20 3:55 am, sampei02 wrote:

Can I set acl to authorize specific computer name by http_access directive ?


Maybe. That depends on whether there is any mechanism for Squid to 
identify the "computer name".





I used usually acl  src  but I’d like to specify Netbios name, so I 
Thought  as client IP address is sent to squid It’ll be the same thing with pc name.



Your thought is both right and wrong.

NetBIOS name plays the same role as IP address - both are the "address" 
of the client machine in their relevant protocols.


However, Squid does not use or implement NetBIOS protocol to talk to 
clients. Squid only uses IP based protocols.


Sometimes NTLM credentials contain the NetBIOS name of a "NetBIOS node" 
machine.


Or IDENT protocol can be used to directly query the client about its 
name. *IF* that protocol is supported and enabled on the client.



Amos


Re: [squid-users] dhcp

2020-12-12 Thread sampe...@tiscali.it
I’m using Squid to permit or deny clients access to the Internet (http/https 
traffic). 
Squid is in the DMZ and it uses my public DNS to resolve names.
Clients are in a Microsoft domain.
Client browsers are configured to point to the Squid service on port 3128 to 
access the external network (local addresses are bypassed), and inside squid.conf 
I’m referencing clients by IP address because until yesterday I used static 
addresses.
Today I’m going to use a DHCP server too, e.g. for notebooks, so I’ll use dynamic 
addresses too.
So I’d like to manage dynamic addresses to permit/deny Internet access in the 
same way.
I thought to specify "pc name”, instead of IP address, in squid.conf but the 
Squid server is set to use public DNS, so it cannot resolve client names. 
Thanks


> On 11 Dec 2020, at 19:27, Amos Jeffries  wrote:
> 
> On 11/12/20 7:48 pm, sampei02 wrote:
>> Can you suggest way to manage acl for clients which are using DHCP server?
> 
> Firstly, what does DHCP have to do with clients using HTTP ?
> 
> eg, why is it even a consideration for you?
> 
> 
> Secondly, what are you trying to have Squid do?
> 
> To provide help we need information about what your situation is.
> 
> Amos
