Re: [squid-users] Authentication Problem
Hi Amos and Dima, I'm having the exact same problem. After updating Chrome to version (47.0.2526.73 m) I'm no longer able to authenticate. IE and Firefox still seem to work fine. I haven't changed anything in my config file for months.

On Fri, Dec 4, 2015 at 5:22 AM, Dima Ermakov wrote:
> Thank you, Amos.
>
> I checked all that you wrote.
> It didn't help me.
>
> I have this problem only on the Google Chrome browser.
> Before 2015-12-03 all was good.
> I didn't change my configuration for more than one month.
>
> Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote in this
> list that Google Chrome v47 has broken NTLM authentication.
> My clients with problems have Google Chrome v47 (((
>
> Mozilla Firefox clients work well.
>
> Thank you!
>
> This is the message from Noel Kelly:
> "
> Hi
>
> For information, the latest version of Google Chrome (v47.0.2526.73M) has
> broken NTLM authentication:
>
> https://code.google.com/p/chromium/issues/detail?id=544255
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
>
> Cheers
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> "
>
> On 4 December 2015 at 04:55, Amos Jeffries wrote:
>
>> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
>> > Hi!
>> > I have a problem with authentication.
>> >
>> > I use Samba NTLM authentication in my network.
>> >
>> > Some users (not all) have problems with HTTP traffic.
>> >
>> > They see a Basic authentication request.
>>
>> Meaning you *don't* have NTLM authentication on your network.
>>
>> Or you are making the mistake of thinking a popup means Basic
>> authentication.
>>
>> > If they enter the correct domain login and password, they get an auth error.
>> > If these users try to open https sites, all works well; they don't get any
>> > type of error.
>>
>> So,
>> a) they are probably not going through this proxy, or
>> b) the browser is suppressing the proxy-auth popups, or
>> c) the authentication request is not coming from *your* proxy.
>>
>> > So we have errors only with unencrypted connections.
>> >
>> > I have this error on two servers:
>> > debian8, squid3.4 (from repository)
>> > CentOS7, squid3.3.8 (from repository).
>>
>> Two things to try:
>>
>> 1) Adding a line like this before the group access controls in
>> frntend.conf. This will ensure that authentication credentials are valid
>> before doing group lookups:
>> http_access deny !AuthorizedUsers
>>
>> 2) checking up on the Debian winbind issue mentioned in
>> <http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>
>>
>> I'm not sure about this; it is likely to be involved on Debian, but CentOS
>> is not known to have that issue.
>>
>> Oh and:
>> 3) remove the "acl manager" line from squid.conf.
>>
>> 4) change your cachemgr_passwd. Commenting it out does not hide it from
>> view when you post it on this public mailing list.
>>
>> You should remove all the commented out directives as well, some of them
>> may be leading to misunderstanding of what the config is actually doing.
>>
>> Amos
>
> --
> Best regards, Dmitry Ermakov.

--
Samuel Anderson | System Administrator | International Document Services
IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607

--
CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] NTLM authentication problems with HTTP 1.1
Oh okay, that makes sense. Thanks Brendan.

On Wed, Apr 8, 2015 at 1:20 PM, brendan kearney wrote:
> Note the lack of a user-agent string. This is likely an app that cannot
> authenticate.
>
> My standard for auth bypass is source IP, user-agent string and
> destination URL. Generally the source is preferred to be statically
> assigned, otherwise you need to allow the entire DHCP pool or range.
> Because there is no user-agent you can drop the requirement or force it
> with some sort of negated logic (!any).
>
> On Apr 8, 2015 11:21 AM, "Samuel Anderson" wrote:
>
>> Hello all,
>>
>> I'm having a problem where HTTP 1.1 CONNECT requests do not authenticate
>> using NTLM. Browsing the internet works fine in all major browsers; I
>> mostly see this occurring in programs that are installed locally on a user's
>> computer. Using Wireshark I'm able to follow the TCP stream and I can see
>> that the server returns the error (407 Proxy Authentication Required). I am
>> able to work around this problem by explicitly bypassing a domain from
>> requiring authentication, however I really don't want to do that. Any ideas
>> would be appreciated very much.
>>
>> Thanks,
>>
>> Below is the content summary of some of the network packets that I'm
>> working with along with my config file.
>>
>> TCP Stream Content
>>
>> CONNECT batch.internetpostage.com:443 HTTP/1.1
>> Host: batch.internetpostage.com
>> Proxy-Connection: Keep-Alive
>>
>> HTTP/1.1 407 Proxy Authentication Required
>> Server: squid/3.3.8
>> Mime-Version: 1.0
>> Date: Tue, 07 Apr 2015 21:02:24 GMT
>> Content-Type: text/html
>> Content-Length: 3208
>> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
>> Proxy-Authenticate: Negotiate
>> Proxy-Authenticate: NTLM
>> X-Cache: MISS from squid2..local
>> X-Cache-Lookup: NONE from squid2..local:3128
>> Via: 1.1 squid2..local (squid/3.3.8)
>> Connection: close
>>
>> CONFIG File
>>
>> #Kerberos and NTLM authentication
>> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 30
>> auth_param negotiate keep_alive off
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive off
>>
>> # AD group membership lookup
>> external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=,DC=local" -D "CN=SQUID,OU= Service Accounts,DC=,DC=local" -w "" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=,DC=local))" -h dc1..local,dc2..local,dc3..local,dc4..local
>>
>> # auth required
>> acl auth proxy_auth REQUIRED
>> http_access deny !auth all
[squid-users] NTLM authentication problems with HTTP 1.1
Hello all,

I'm having a problem where HTTP 1.1 CONNECT requests do not authenticate using NTLM. Browsing the internet works fine in all major browsers; I mostly see this occurring in programs that are installed locally on a user's computer. Using Wireshark I'm able to follow the TCP stream and I can see that the server returns the error (407 Proxy Authentication Required). I am able to work around this problem by explicitly bypassing a domain from requiring authentication, however I really don't want to do that. Any ideas would be appreciated very much.

Thanks,

Below is the content summary of some of the network packets that I'm working with along with my config file.

TCP Stream Content

CONNECT batch.internetpostage.com:443 HTTP/1.1
Host: batch.internetpostage.com
Proxy-Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.3.8
Mime-Version: 1.0
Date: Tue, 07 Apr 2015 21:02:24 GMT
Content-Type: text/html
Content-Length: 3208
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
X-Cache: MISS from squid2..local
X-Cache-Lookup: NONE from squid2..local:3128
Via: 1.1 squid2..local (squid/3.3.8)
Connection: close

CONFIG File

#Kerberos and NTLM authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=
auth_param ntlm children 30
auth_param ntlm keep_alive off

# AD group membership lookup
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=,DC=local" -D "CN=SQUID,OU= Service Accounts,DC=,DC=local" -w "" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC= ,DC=local))" -h dc1..local,dc2..local,dc3..local,dc4..local

# auth required
acl auth proxy_auth REQUIRED
http_access deny !auth all
Re: [squid-users] Increase number of ext_ldap_group_acl processes
Try this:

external_acl_type internet_domain_group children-startup=15 children-max=15 children-idle=2 %LOGIN

On Wed, Mar 18, 2015 at 10:05 AM, Rich549 wrote:
> Thanks! I've added the children-startup=15 to my config but it seems to be
> ignoring it. An excerpt of my config is:
>
> external_acl_type internet_domain_group children-startup=15 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -P -b (this then goes on to provide details of AD structure etc).
>
> Have I missed something?
Re: [squid-users] Refresh ACL list only
CCESS_DENIED_MOBILE-PHONE MOBILE-PHONE
deny_info ERR_ACCESS_DENIED_NATURISM NATURISM
deny_info ERR_ACCESS_DENIED_NEWS NEWS
deny_info ERR_ACCESS_DENIED_ONLINEAUCTIONS ONLINEAUCTIONS
deny_info ERR_ACCESS_DENIED_ONLINEGAMES ONLINEGAMES
deny_info ERR_ACCESS_DENIED_ONLINEPAYMENT ONLINEPAYMENT
deny_info ERR_ACCESS_DENIED_PERSONALFINANCE PERSONALFINANCE
deny_info ERR_ACCESS_DENIED_PETS PETS
deny_info ERR_ACCESS_DENIED_PHISHING PHISHING
deny_info ERR_ACCESS_DENIED_PORN PORN
deny_info ERR_ACCESS_DENIED_PRESS PRESS
deny_info ERR_ACCESS_DENIED_PROXY PROXY
deny_info ERR_ACCESS_DENIED_RADIO RADIO
deny_info ERR_ACCESS_DENIED_RELIGION RELIGION
deny_info ERR_ACCESS_DENIED_RINGTONES RINGTONES
deny_info ERR_ACCESS_DENIED_SEARCHENGINE SEARCHENGINE
deny_info ERR_ACCESS_DENIED_SECT SECT
deny_info ERR_ACCESS_DENIED_SEXUALITY SEXUALITY
deny_info ERR_ACCESS_DENIED_SEXUALITYEDUCATION SEXUALITYEDUCATION
deny_info ERR_ACCESS_DENIED_SHOPPING SHOPPING
deny_info ERR_ACCESS_DENIED_SOCIAL_NETWORKS SOCIAL_NETWORKS
deny_info ERR_ACCESS_DENIED_SOCIALNETWORKING SOCIALNETWORKING
deny_info ERR_ACCESS_DENIED_SPORTNEWS SPORTNEWS
deny_info ERR_ACCESS_DENIED_SPORTS SPORTS
deny_info ERR_ACCESS_DENIED_SPYWARE SPYWARE
deny_info ERR_ACCESS_DENIED_TOBACCO TOBACCO
deny_info ERR_ACCESS_DENIED_UPDATESITES UPDATESITES
deny_info ERR_ACCESS_DENIED_VACATION VACATION
deny_info ERR_ACCESS_DENIED_VIOLENCE VIOLENCE
deny_info ERR_ACCESS_DENIED_VIRUSINFECTED VIRUSINFECTED
deny_info ERR_ACCESS_DENIED_WAREZ WAREZ
deny_info ERR_ACCESS_DENIED_WEATHER WEATHER
deny_info ERR_ACCESS_DENIED_WEAPONS WEAPONS
deny_info ERR_ACCESS_DENIED_WEBMAIL WEBMAIL
#
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache deny all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

On Tue, Mar 17, 2015 at 1:32 PM, Brendan Kearney wrote:
> On Tue, 2015-03-17 at 16:13 -0300, Marcus Kool wrote:
> > it has a configuration option to respond with
> > 'allow all' during a reconfiguration.
>
> a fail-open policy can be a security gap, and should be considered
> carefully before implementing. the intention of the whitelisted URLs is
> to prevent access to content that is otherwise forbidden. failing open,
> even briefly, undermines that control. what is the default setting
> there?
Re: [squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Hey, I actually just figured it out, literally about 2 minutes ago. I changed the mode from (http) to (tcp) in the HAPROXY.CFG. It looks like it's able to authenticate again. Thanks for the response.

On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney wrote:
> On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote:
> > Hello All,
> >
> > I have 2 squid servers that authenticate correctly when you point your
> > browser to either of them. I'm using a negotiate_wrapper. I set it up
> > following this
> > (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)
> >
> > I would like to set both servers behind a haproxy load balancer,
> > however when you try to utilize the haproxy load balancer, it will not
> > authenticate anymore. It just gives an error asking to authenticate.
> >
> > Any ideas?
> >
> > Thanks in advance.
> >
> > ##HAPROXY.CFG##
> >
> > global
> >     log /dev/log local0
> >     log /dev/log local1 notice
> >     chroot /var/lib/haproxy
> >     user haproxy
> >     group haproxy
> >     daemon
> >
> > defaults
> >     log global
> >     mode http
> >     option httplog
> >     option dontlognull
> >     contimeout 5000
> >     clitimeout 5
> >     srvtimeout 5
> >
> > # reverse proxy-squid
> > listen proxy 10.10.0.254:3128
> >     mode http
> >     cookie SERVERID insert indirect nocache
> >     balance roundrobin
> >     option httpclose
> >     option forwardfor header X-Client
> >     server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
> >     server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5
> >
> > ##SQUID.CONF##
> >
> > #Kerberos and NTLM authentication
> > auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> > auth_param negotiate children 30
> > auth_param negotiate keep_alive off
> >
> > # LDAP authentication
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=,DC=local" -w "" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
> > auth_param basic children 150
> > auth_param basic realm Please enter your Domain credentials to continue
> > auth_param basic credentialsttl 1 hour
> >
> > # AD group membership commands
> > external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=,DC=local" -w "" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=,DC=local))" -h dc1..local,dc2..local,dc3..local,dc4..local
> >
> > acl auth proxy_auth REQUIRED
> >
> > acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES
> >
> > http_access deny !auth all
> > http_access deny !REQGROUPS all
>
> how did you create and distribute the keytab for the proxies? you must
> create one keytab and put the same exact one on each of the proxies.
> the KVNO numbers must match on every proxy. run "klist
> -Kket /path/to/the.keytab" on the proxies to check.
>
> kerberos is heavily dependent on D
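Why switching haproxy from mode http to mode tcp fixed it: NTLM proxy authentication is a multi-message handshake whose state (the challenge Squid issued) is tied to one TCP connection, so a balancer that opens a fresh round-robin backend connection per request (mode http with option httpclose) delivers the final message to a connection that never saw the challenge. The simulation below is an added example, not code from the thread, haproxy or Squid: the NTLM exchange is a stand-in (random challenge, SHA-256 response, not real NTLMv2), and the backend/balancer classes are small models of the behaviour described.

```python
"""Simulate connection-bound NTLM proxy auth through a load balancer.

Constructed example: the NTLM exchange is a stand-in (random challenge,
SHA-256 response) rather than real NTLMv2, and "Squid"/"haproxy" here are
tiny models of the behaviour discussed in the thread, not their code.
"""
import hashlib
import os

# Constructed credential; real NTLM derives the response from the NT hash.
PASSWORD = b"constructed-secret"


def ntlm_response(challenge: bytes) -> bytes:
    """Stand-in for the NTLM Type 3 response: binds the reply to one challenge."""
    return hashlib.sha256(challenge + PASSWORD).digest()


class SquidBackend:
    """A proxy whose NTLM state (the issued challenge) lives on the TCP connection."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pending = {}  # backend connection id -> outstanding challenge

    def handle(self, conn_id: int, msg: dict) -> dict:
        kind = msg["type"]
        if kind == "negotiate":  # NTLM Type 1: issue a challenge on this connection
            challenge = os.urandom(8)
            self.pending[conn_id] = challenge
            return {"status": 407, "challenge": challenge}
        if kind == "authenticate":  # NTLM Type 3: must arrive on the same connection
            challenge = self.pending.pop(conn_id, None)
            if challenge is None:
                return {"status": 407, "reason": "no challenge outstanding on this connection"}
            if msg["response"] == ntlm_response(challenge):
                return {"status": 200}
            return {"status": 407, "reason": "bad response"}
        return {"status": 407, "reason": "authentication required"}


class Balancer:
    """Round-robin balancer in front of the proxies, in haproxy 'http' or 'tcp' mode."""

    def __init__(self, backends: list, mode: str) -> None:
        if mode not in ("http", "tcp"):
            raise ValueError("mode must be 'http' or 'tcp'")
        self.backends = backends
        self.mode = mode
        self.rr = 0
        self.next_conn = 0
        self.pinned = {}  # client connection -> (backend, backend connection id)

    def _pick(self):
        backend = self.backends[self.rr % len(self.backends)]
        self.rr += 1
        self.next_conn += 1
        return backend, self.next_conn

    def forward(self, client_conn: int, msg: dict) -> dict:
        if self.mode == "tcp":
            # The whole client TCP connection is relayed to one backend connection,
            # so every handshake message reaches the same proxy on the same connection.
            if client_conn not in self.pinned:
                self.pinned[client_conn] = self._pick()
            backend, conn_id = self.pinned[client_conn]
        else:
            # 'mode http' + 'option httpclose': each request rides a separate backend
            # connection, spread round robin; the previous request's NTLM state is
            # not on it.
            backend, conn_id = self._pick()
        return backend.handle(conn_id, msg)


def ntlm_login(balancer: Balancer, client_conn: int) -> bool:
    """Client side of the handshake over one client TCP connection."""
    first = balancer.forward(client_conn, {"type": "negotiate"})
    challenge = first.get("challenge")
    if challenge is None:
        return False
    second = balancer.forward(
        client_conn, {"type": "authenticate", "response": ntlm_response(challenge)}
    )
    return second["status"] == 200


def demo(mode: str, backend_count: int = 2) -> bool:
    """True if a client behind a balancer in `mode` completes NTLM auth."""
    backends = [SquidBackend(f"squid{i + 1}") for i in range(backend_count)]
    return ntlm_login(Balancer(backends, mode), client_conn=1)


if __name__ == "__main__":
    for mode in ("http", "tcp"):
        print(f"haproxy mode {mode}: login {'succeeds' if demo(mode) else 'fails'}")
```

With a single backend the http-mode case still fails, which shows that the per-request backend connection (not only the round robin between two proxies) is what breaks the handshake.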
[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Hello All,

I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)

I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate.

Any ideas?

Thanks in advance.

##HAPROXY.CFG##

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    contimeout 5000
    clitimeout 5
    srvtimeout 5

# reverse proxy-squid
listen proxy 10.10.0.254:3128
    mode http
    cookie SERVERID insert indirect nocache
    balance roundrobin
    option httpclose
    option forwardfor header X-Client
    server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
    server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5

##SQUID.CONF##

#Kerberos and NTLM authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off

# LDAP authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=,DC=local" -w "" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
auth_param basic children 150
auth_param basic realm Please enter your Domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=,DC=local" -w "" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=,DC=local))" -h dc1..local,dc2..local,dc3..local,dc4..local

acl auth proxy_auth REQUIRED

acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES

http_access deny !auth all
http_access deny !REQGROUPS all
Re: [squid-users] Refresh ACL list only
Thanks, I'll look into using haproxy.

On Tue, Mar 17, 2015 at 12:31 PM, Brendan Kearney wrote:
> On Wed, 2015-03-18 at 00:08 +0600, Yuri Voinov wrote:
> > Brendan reads my thoughts. :)
> >
> > You can, of course, use two or more squid instances and a Cisco with
> > the WCCP protocol configured in front of it. WCCP can play with several cache
> > instances in a load balancing role. A running squid at this moment sends
> > "here I am" messages to the WCCP-enabled router, which will redirect
> > traffic to the alive cache. At the same time you can reconfigure the second squid
> > instance, and vice versa.
> >
> > 18.03.15 0:00, Brendan Kearney wrote:
> > > On Tue, 2015-03-17 at 11:59 -0600, Samuel Anderson wrote:
> > >> Unfortunately that's not really an option for me. I've already
> > >> built everything just using squid. It works great and does
> > >> everything I need it to do with the exception of refreshing the
> > >> ACL lists. I just need to find a way to refresh those single
> > >> lists without disrupting Internet traffic to the users. If anyone
> > >> knows how to do this I would greatly appreciate it.
> > >>
> > >> On Tue, Mar 17, 2015 at 11:39 AM, Yuri Voinov wrote:
> > > Did you hear about rewriters and filters? I.e., squidGuard, or
> > > Dansguardian? Or, of course,
> > > https://www.urlfilterdb.com/products/ufdbguard.html ? It has a
> > > separate server process which can be restarted VERY quickly
> > > independently of squid.
> > >
> > > 17.03.15 23:35, Samuel Anderson wrote:
> > >> Hello all,
> > >>
> > >> Does anyone know of a way to reload a single ACL list? I have a
> > >> very complicated and large config file that takes around 30 seconds
> > >> to reload when I run the (squid3 -k reconfigure) command. I have
> > >> several ACL lists that need to be updated throughout the day and it
> > >> would be nice if I could only reload those ACL lists and not the
> > >> entire config. It's problematic because while it's reloading, the
> > >> server is effectively down and disrupts Internet access for the
> > >> rest of the users. Below is a small sample of the lists that will
> > >> be updated. If I could add a TTL to the lists so squid would reload
> > >> them periodically without a full reconfigure, that would be ideal.
> > >>
> > >> acl GLOBAL-WHITELIST dstdomain "/etc/squid3/whitelists/GLOBAL-WHITELIST"
> > >> acl UNRESTRICTED-WHITELIST dstdomain "/etc/squid3/whitelists/UNRESTRICTED-WHITELIST"
> > >> acl DEV-WHITELIST dstdomain "/etc/squid3/whitelists/DEV-WHITELIST"
> > >> acl SALES-WHITELIST dstdomain "/etc/squid3/whitelists/SALES-WHITELIST"
> > >>
> > >> Thanks
> > >
> > > do you have the luxury of multiple squid instances behind a load
> > > ba
Re: [squid-users] Refresh ACL list only
Unfortunately that's not really an option for me. I've already built everything just using squid. It works great and does everything I need it to do with the exception of refreshing the ACL lists. I just need to find a way to refresh those single lists without disrupting Internet traffic to the users. If anyone knows how to do this I would greatly appreciate it.

On Tue, Mar 17, 2015 at 11:39 AM, Yuri Voinov wrote:
> Did you hear about rewriters and filters? I.e., squidGuard, or
> Dansguardian? Or, of course,
> https://www.urlfilterdb.com/products/ufdbguard.html ?
> It has a separate server process which can be restarted VERY quickly
> independently of squid.
>
> 17.03.15 23:35, Samuel Anderson wrote:
> > Hello all,
> >
> > Does anyone know of a way to reload a single ACL list? I have a
> > very complicated and large config file that takes around 30 seconds
> > to reload when I run the (squid3 -k reconfigure) command. I have
> > several ACL lists that need to be updated throughout the day and it
> > would be nice if I could only reload those ACL lists and not the
> > entire config. It's problematic because while it's reloading, the
> > server is effectively down and disrupts Internet access for the
> > rest of the users. Below is a small sample of the lists that will
> > be updated. If I could add a TTL to the lists so squid would reload
> > them periodically without a full reconfigure, that would be ideal.
> >
> > acl GLOBAL-WHITELIST dstdomain "/etc/squid3/whitelists/GLOBAL-WHITELIST"
> > acl UNRESTRICTED-WHITELIST dstdomain "/etc/squid3/whitelists/UNRESTRICTED-WHITELIST"
> > acl DEV-WHITELIST dstdomain "/etc/squid3/whitelists/DEV-WHITELIST"
> > acl SALES-WHITELIST dstdomain "/etc/squid3/whitelists/SALES-WHITELIST"
> >
> > Thanks
[squid-users] Refresh ACL list only
Hello all,

Does anyone know of a way to reload a single ACL list? I have a very complicated and large config file that takes around 30 seconds to reload when I run the (squid3 -k reconfigure) command. I have several ACL lists that need to be updated throughout the day and it would be nice if I could only reload those ACL lists and not the entire config. It's problematic because while it's reloading, the server is effectively down and disrupts Internet access for the rest of the users. Below is a small sample of the lists that will be updated. If I could add a TTL to the lists so squid would reload them periodically without a full reconfigure, that would be ideal.

acl GLOBAL-WHITELIST dstdomain "/etc/squid3/whitelists/GLOBAL-WHITELIST"
acl UNRESTRICTED-WHITELIST dstdomain "/etc/squid3/whitelists/UNRESTRICTED-WHITELIST"
acl DEV-WHITELIST dstdomain "/etc/squid3/whitelists/DEV-WHITELIST"
acl SALES-WHITELIST dstdomain "/etc/squid3/whitelists/SALES-WHITELIST"

Thanks
[squid-users] whitelists and active directory help
Hello All,

I'm attempting to create a way to grant users access to different categories using Active Directory. Currently what I have works, but if a website is not listed in any of the whitelists it will allow traffic to that website. If I add a (http_access deny all) at the end, then nothing works. What I would like is for a user to only have access to whitelists that they are a member of. I'll have around 50 categories in the end. This is just a small sample.

Thanks,

acl NEWS external ldap_group NEWS
acl SHOPPING external ldap_group SHOPPING
acl SOCIALNETWORKING external ldap_group SOCIALNETWORKING
acl RELIGION external ldap_group RELIGION
acl SPORTNEWS external ldap_group SPORTNEWS

acl rule1 url_regex -i "/etc/squid3/whitelists/news/domains"
acl rule2 url_regex -i "/etc/squid3/whitelists/shopping/domains"
acl rule3 url_regex -i "/etc/squid3/whitelists/socialnetworking/domains"
acl rule4 url_regex -i "/etc/squid3/whitelists/religion/domains"
acl rule5 url_regex -i "/etc/squid3/whitelists/sportnews/domains"

http_access deny rule1 !NEWS all
http_access deny rule2 !SHOPPING all
http_access deny rule3 !SOCIALNETWORKING all
http_access deny rule4 !RELIGION all
http_access deny rule5 !SPORTNEWS all
http_access allow all
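The two symptoms in the post (unlisted sites slip through, and appending deny all locks everyone out) follow from Squid's first-match evaluation of http_access: the posted lines only ever deny, so the final line decides everything they do not cover. The model below is an added example, not Squid code or code from the thread; it reproduces both symptoms and then shows the default-deny ordering (allow each whitelist to its group, then deny all) that grants users only the categories their groups cover. The whitelist contents and the example.test URLs are constructed.

```python
"""Model Squid's http_access evaluation for the per-group whitelist ruleset.

Constructed example, not Squid code. Semantics modelled: http_access lines
are tested in order; a line matches only if every ACL on it matches (a
leading "!" negates one ACL); the first matching line decides; if no line
matches, Squid applies the opposite of the last line's action.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for the "/etc/squid3/whitelists/<category>/domains"
# url_regex files from the post (whole-URL regexes, as url_regex sees them).
URL_REGEX_ACLS = {
    "rule1": [r"^https?://([^/]*\.)?news\.example\.test(/|$)"],    # NEWS
    "rule2": [r"^https?://([^/]*\.)?shop\.example\.test(/|$)"],    # SHOPPING
    "rule3": [r"^https?://([^/]*\.)?social\.example\.test(/|$)"],  # SOCIALNETWORKING
}


@dataclass(frozen=True)
class Request:
    url: str
    groups: frozenset  # AD groups the ldap_group external ACL would report


def acl_matches(name: str, req: Request) -> bool:
    if name == "all":
        return True
    if name in URL_REGEX_ACLS:  # acl ruleN url_regex -i "...": any pattern matches
        return any(re.search(p, req.url, re.IGNORECASE) for p in URL_REGEX_ACLS[name])
    return name in req.groups  # acl NEWS external ldap_group NEWS, etc.


def http_access(rules, req: Request) -> str:
    """rules: [(action, [acl, ...]), ...] in squid.conf order; returns 'allow' or 'deny'."""
    if not rules:
        return "deny"
    for action, acls in rules:
        # A negated ACL ("!NEWS") matches exactly when the plain ACL does not.
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# As posted: each category is only *denied* to non-members, and the trailing
# "allow all" admits every URL that no whitelist mentions.
AS_POSTED = [
    ("deny", ["rule1", "!NEWS", "all"]),
    ("deny", ["rule2", "!SHOPPING", "all"]),
    ("deny", ["rule3", "!SOCIALNETWORKING", "all"]),
    ("allow", ["all"]),
]

# The post's second attempt: ending in "deny all" instead. No line allows
# anything, so every request is denied ("nothing works").
DENY_ALL_APPENDED = AS_POSTED[:-1] + [("deny", ["all"])]

# Default deny: allow each whitelist only to its group, then deny the rest.
# (A "deny !auth all" line, as in the other threads, would precede these so
# that the group ACLs are only consulted for authenticated users.)
DEFAULT_DENY = [
    ("allow", ["rule1", "NEWS"]),
    ("allow", ["rule2", "SHOPPING"]),
    ("allow", ["rule3", "SOCIALNETWORKING"]),
    ("deny", ["all"]),
]

SAMPLE_URLS = [
    "http://www.news.example.test/",      # in the NEWS whitelist
    "http://shop.example.test/cart",      # in the SHOPPING whitelist
    "http://unlisted.example.test/",      # in no whitelist at all
]


def decisions(rules, groups) -> dict:
    """Decision per sample URL for a user who belongs to `groups`."""
    user = frozenset(groups)
    return {u: http_access(rules, Request(u, user)) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("deny all appended", DENY_ALL_APPENDED),
                         ("default deny", DEFAULT_DENY)):
        print(label, "/ NEWS member:", decisions(rules, {"NEWS"}))
```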