Re: [squid-users] Linux Noob - Squid Config

2024-05-07 Thread Amos Jeffries

On 7/05/24 07:59, Piana, Josh wrote:

Amos,

You raise a good point about Kerberos! I was not aware that Squid supported 
this method. Yes - I think we would preferably use this method, especially 
because this looks like it's much easier to setup and still checks all the 
boxes we need for security purposes.

With that being said, without using NTLM, can we bypass using Samba? We would 
rather not rely on that resource if possible.



I'm not sure how much of Samba needs to be set up to use the NTLM helper. 
It has been a while since I used it.




In regards to your responses to all of the lines of code, I'll be going through 
that separately and will get back to you if I have any more questions with it. 
After installing Squid, moving over and updating the old config, and adjusting 
the parameters you mentioned below, what else is there to do to finish setting 
up this server? I'm not entirely sure if Apache is needed anymore either. This 
would simplify and modernize our processes a great deal if this can be removed 
as well.



There is no sign in the squid.conf as to what Apache was being used for.
So that and any other services the old machine had going will still need 
your attention, but they are not related to Squid.



Cheers
Amos



- Josh

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Monday, May 6, 2024 12:59 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Linux Noob - Squid Config



[ please keep responses on-list to assist any others who encounter the same 
issues in future ]

On 4/05/24 08:51, Piana, Josh wrote:

Hey Amos,

Thank you so much for getting back to me so quickly!

To answer your question about NTLM, I meant to say NTLMv2. We're trying to 
become compliant with newer security standards and this old box is in desperate 
need of some love and updating.




Hmm. My question was more aiming as a yes/no answer.

Squid can certainly still support NTLM. But if possible going to just 
Negotiate/Kerberos auth would be a simpler config.

The /usr/bin/ntlm_auth authenticator you have been using is provided by Samba. 
So you will need to have Samba installed (yum install samba) and configured the 
same as before (or the equivalent for its newer version) before Squid 
authentication is usable.

FYI; Modern Squid start helpers only as-needed. Meaning Squid will startup and 
run fine without a working auth helper ... until the point where a helper 
lookup is needed. So you can test Squid with some trivial requests before 
needing Samba fully working.



--
Current squid.conf file Output:

max_filedesc 4096



I advise changing this to at least:

max_filedescriptors 65536

Why? Modern web pages can cause clients to open up to a hundred connections to 
various servers to display a single web page. Each of those client connections 
consumes 3-4 file descriptors.

You will also need to check the OS limitation to ensure



cache_mgr itadmin@...
cache_effective_user squid
cache_effective_group squid
coredump_dir /opt/squid/var
pid_filename /var/run/squid.pid
shutdown_lifetime 5 seconds
error_directory /usr/local/share/squid/errors/English_CUSTOM



Check what customizations have been done to the files inside that directory.

If it is just the new templates for the deny_info lines later in your config; 
then you can copy those templates to the new machine.
And create symlinks from the

I suggest placing the custom error templates in a directory such as 
/etc/squid/errors/ and a symlink from the 
/usr/local/share/squid/errors/templates/ directory (or wherever the templates 
are put by yum install).
   [ This way upgrades that change the default templates will not erase your 
ones. At worst you should only have to re-create the symlinks manually. ]

(If you need it; to learn how to create symlinks type "man ln".)



logfile_rotate 0
debug_options ALL,1


You can remove the above line. It is a default setting.



buffered_logs on
cache_log /var/log/squid/general
cache_access_log /var/log/squid/access



The above two lines should be more like:

cache_log /var/log/squid/cache.log
access_log daemon:/var/log/squid/access.log



cache_store_log none
log_mime_hdrs off


The above two lines can be removed. They are default settings.



log_fqdn off


Remove this line. It is not supported in modern Squid.



strip_query_terms off
http_port 10.46.11.20:8080
http_port 127.0.0.1:3128
icp_port 0


The above line can be removed. It is a default setting.



forwarded_for off


Change that "off" to:
   * "delete" for complete removal of the header, or
   * "transparent" for Squid to not add the header.



ftp_user anonftpuser@...
ftp_list_width 32
ftp_passive on
connect_timeout 30 seconds
peer_con
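
The config review in the reply above, packaged as an added example that is not part of the thread (not Amos's or Josh's code, and nothing shipped with Squid): a POSIX shell script with three helpers. One flags the old squid.conf directives discussed above and prints the replacement Amos gave; one compares the configured max_filedescriptors with the OS per-process limit (the check Amos started to describe); one keeps custom error templates in a directory of your own and symlinks them into the packaged templates directory so an upgrade cannot overwrite them. Assumptions not stated on the page: the old config path, the template directories and the systemd LimitNOFILE hint are supplied or assumed by the script rather than taken from the thread.

```shell
#!/bin/sh
# Added example for the squid-users thread; not code from Squid, Amos or
# Josh. Three helpers for the migration discussed above: flag old
# squid.conf directives that need changing, compare max_filedescriptors
# with the OS per-process limit, and keep custom error templates outside
# the packaged directory via symlinks.
# Assumptions (not stated on the page): directive replacements are the
# ones Amos gave; paths are passed in as arguments rather than guessed.

# lint_old_squid_conf FILE
# Drops comments and blank lines (as Amos asked for when pasting), then
# prints "<directive><TAB><advice>" for each directive the thread covered.
lint_old_squid_conf() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r name rest; do
        case "$name $rest" in
            "max_filedesc "*)
                printf '%s\treplace with: max_filedescriptors 65536 (was %s)\n' "$name" "$rest" ;;
            "cache_access_log "*)
                printf '%s\treplace with: access_log daemon:/var/log/squid/access.log\n' "$name" ;;
            "cache_log "*)
                printf '%s\tkeep, but as: cache_log /var/log/squid/cache.log\n' "$name" ;;
            "log_fqdn "*)
                printf '%s\tremove: not supported in modern Squid\n' "$name" ;;
            "debug_options ALL,1"|"cache_store_log none"|"log_mime_hdrs off"|"icp_port 0")
                printf '%s\tremove: this is the default\n' "$name" ;;
            "forwarded_for off")
                printf '%s\tchange "off" to "delete" (strip header) or "transparent" (do not add it)\n' "$name" ;;
        esac
    done
}

# check_fd_limit WANT [HAVE]
# WANT is the max_filedescriptors value; HAVE is the OS limit (defaults to
# this shell's "ulimit -n"). Returns 0 if the OS allows at least WANT.
check_fd_limit() {
    want="$1"
    have="${2:-$(ulimit -n)}"
    if [ "$have" = "unlimited" ] || [ "$have" -ge "$want" ]; then
        return 0
    fi
    # Under systemd the per-service limit is set with LimitNOFILE=, e.g.
    # via "systemctl edit squid"; the login shell's ulimit is not enough.
    printf 'OS limit %s is below max_filedescriptors %s; set LimitNOFILE=%s for squid.service\n' \
        "$have" "$want" "$want" >&2
    return 1
}

# link_custom_errors SRC_DIR TEMPLATES_DIR
# For every file in SRC_DIR (e.g. /etc/squid/errors) create a symlink of
# the same name in TEMPLATES_DIR, so package upgrades replace only the
# link, never your template. A pre-existing regular file is left alone
# and reported, so a packaged template is never silently clobbered.
link_custom_errors() {
    src="$1"; dst="$2"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        target="$dst/$(basename "$f")"
        if [ -e "$target" ] && [ ! -L "$target" ]; then
            printf 'skipping %s: a regular file is already there\n' "$target" >&2
            continue
        fi
        rm -f "$target"
        ln -s "$f" "$target"
    done
}

# Stand-alone usage: ./squid-migrate.sh lint /etc/squid/squid.conf.old
case "${1:-}" in
    lint)    lint_old_squid_conf "$2" ;;
    fdcheck) check_fd_limit "$2" ;;
    link)    link_custom_errors "$2" "$3" ;;
esac
```

Run it against the copy of the old config (squid.conf.old) before editing, and once the new squid.conf is written confirm the parse with "squid -k parse" as root. The lint is deliberately narrow: it only reports directives the thread discussed, and leaves every other line for a human to review.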

Re: [squid-users] Linux Noob - Squid Config

2024-05-06 Thread Amos Jeffries
ORTIFY_SOURCE=2 -fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'

--

New Box squid -v Output:

Squid Cache: Version 5.5
Service Name: squid

This binary uses OpenSSL 3.0.7 1 Nov 2022. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' 
'--disable-dependency-tracking' '--enable-eui' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM'
 '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' 
'--enable-auth-negotiate=kerberos' 
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
 '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' 
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' 
'--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' 
'--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' 
'--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' 
'--disable-arch-native' '--disable-security-cert-validators' 
'--disable-strict-error-checking' '--with-swapdir=/var/spool/squid' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 
'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g 
-grecord-gcc-switches -pipe -Wall -Werror=format-security 
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection 
-fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 
-flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection 
-fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
'LT_SYS_LIBRARY_PATH=/usr/lib64:'

--


Re: [squid-users] Linux Noob - Squid Config

2024-05-03 Thread Amos Jeffries

On 4/05/24 07:59, Piana, Josh wrote:

Hey Everyone.

I apologize in advance for any lack of formality normally shared on 
mailing lists such as these, it’s my first time seeking product support 
in this manner.




No need to apologize. Help and questions are most of what we do here :-)


I want to start by saying that I’m new to Linux, been using Windows 
environments my entire life. Such is the reason for me reaching out to 
you all.


I have been tasked with modernizing a Squid box and feel very 
overwhelmed, to say the least.


Current Setup:

- CentOS 5.0

- Squid 2.3

- Apache 2.0.46

- Samba 3.0.9

Desired Setup:

- RHEL 9.2 OS

- Needs to qualify for NTLM authentication



Hmm, does it *have* to be NTLM? That auth protocol was deprecated in 2006.



- Would like to remove legacy apps/services

- Continue to authenticate outgoing communication via AD

My question is, how do I get all of these services/apps to work 
together? Do I just install the newest versions of each and migrate the 
existing config files?


I was hoping for a better understanding of how all of these work 
together and exactly how to configure or edit these as needed. I've 
gotten as far as installing RHEL 9.2 on a fresh VM server and trying as 
best as I can to learn the basics of Linux and just the general 
operation of a Linux-run environment. It feels like trying to ride a 
bike with box wheels.





The installation of a basic Squid service for RHEL is easy.
Just open a terminal and enter this command:

   yum install squid


The next part is going over your old Squid configuration to see how much 
of it remains necessary or can be updated. It would be useful for the 
next steps to copy it to the RHEL machine as /etc/squid/squid.conf.old.


You can likely find it on the CentOS machine at /etc/squid/squid.conf or 
/usr/share/squid/etc/squid.conf depending on how that Squid was built.



If you are able to paste the contents of that file (without the '#' 
comment or empty lines) here, we can assist with getting the new Squid 
doing the same or equivalent actions.



Also please paste the output of "squid -v" run on both the old CentOS 
machine and on the new RHEL.



Cheers
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users