[squid-users] acl aclname user ??? does this exist?

2003-07-11 Thread Greg Cunningham
The squid.conf doco list of acltypes has an acltype of user. There is no
explanation of this acltype. I got a parse error when trying to implement
it. Does it in fact exist?

I want to match an acl against the authenticated user cache. Is it
possible? (I thought maybe that was what the user acltype was) or do I have
to do selective authentication before:
acl password proxy_auth REQUIRED

--
Greg Cunningham BAppComp, RHCE   ph +61 3 6440 7453
Systems Analyst  fx +61 3 6440 6455
Harris  Company Pty. Ltd.   mo0407 056 788
mailto:[EMAIL PROTECTED]

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


[squid-users] Intermittent Cache DNS problem

2003-07-11 Thread Venieris Yiannos
Hi All,

I am using Squid from within Smoothwall. Lately, (2 to 3 times a day) I get the 
following error:

The cache was not able to resolve the hostname presented in the URL

I resolve it by restarting the firewall. Is there a better way?

Thanks in advance

Yiannos


Re: [squid-users] Intermittent Cache DNS problem

2003-07-11 Thread Marc Elsen


Venieris Yiannos wrote:
 
 Hi All,
 
 I am using Squid from within Smoothwall. Lately, (2 to 3 times a day) I get the 
 following error:
 
 The cache was not able to resolve the hostname presented in the URL
 
 I resolve it by restarting the firewall. Is there a better way?

 That depends, you are leaving many parameters unspecified:
 
   - Which version of squid are you using?
   - On which platform/os/version?

   - How is your DNS setup, are you using internal or external DNS?
   - Which are your DNS servers?
   - Are they working reliably?

   - Any DNS errors of squid before or during normal operation in
cache.log?
   - Use DNS stats in squid's cachemgr to observe potential problems
 (DNS request queues)


 M.

 
 Thanks in advance
 
 Yiannos

-- 

 'Love is truth without any future.
 (M.E. 1997)


Re: [squid-users] Intermittent Cache DNS problem

2003-07-11 Thread Marc Elsen

 
  I am using Squid from within Smoothwall. Lately, (2 to 3 times a day) I get the 
  following error:
 
  The cache was not able to resolve the hostname presented in the URL
 
  I resolve it by restarting the firewall. Is there a better way?
 
  That depends, you are leaving many parameters unspecified:
 
- Which version of squid are you using?
 2.4.Stable7
- On which platform/os/version?
 Kernel 2.2.23 installed with Smoothwall 1.0
- How is your DNS setup, are you using internal or external DNS? External DNS 
 from my ISP - very stable, sometimes my link to them is slow

 Ok, you mean you are using the DNS servers from your ISP, but you are
 using squid's internal DNS.

- Which are your DNS servers?
 ns0,ns1.acn.gr
- Are they working reliably?
 See above
- Any DNS errors of squid before or during normal operation in
 cache.log? Nope
 
- Use DNS stats in squid's cachemgr to observe potential problems
  (DNS request queues)
 Could you please elaborate a bit on this?

   cachemgr provides access to various stats presented by the squid
   cache. Install 'cachemgr' in the cgi-bin directory of an Intranet
   webserver you have access to, and access/use it accordingly.
   See squid.conf.default concerning protecting cachemgr's usage and
   access control.


   Overall, upgrading to Squid 2.5 (S3) would be recommended, although
   it is not certain that this will solve this particular problem.

   M.


Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 03.16, Norman Zhang wrote:

 Please excuse my ignorance. Would passwords be passed in clear text
 using basic auth?

Yes.

 Is there an authentication scheme that works
 without clear text.

Neither NTLM nor Digest passes passwords over the wire.

Of the two, Digest is preferred as it is a standard HTTP authentication 
protocol without the design errors of NTLM and also provides a higher 
level of protection for the users' passwords. You probably want to use 
Squid-2.5.STABLE3 or later however, and not all browsers support 
Digest yet (most mainstream browsers do).

Both require special password databases: a local text file in case of 
Digest, an NT Domain in case of NTLM. Squid never gets the user's 
password at all in these methods and thus can not integrate with 
normal password databases requiring the actual password as is done in 
the basic scheme.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]


Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 03.41, Adam Aube wrote:

 Quite frankly, if you can use NTLM auth, do it. That is the one
 feature in IE that I wish other browsers would emulate.

NTLM over HTTP is fundamentally broken in its design and should 
never have seen the light. A classic "do it our way without regard 
to standards" invention by Microsoft.

The exact same thing (automatic single sign-on, without risking the 
user's private password) is fully possible to do with Digest MD5-sess 
authentication, and I wish browser and OS vendors would see the light 
and do so.



Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 05.18, Adam Aube wrote:

 Furthermore, since knowledge of the clear text password is needed
 to verify the digest sent, the password would need to be stored
 either in clear text or reversible encryption - unless I completely
 misunderstand how digest auth works (which is also quite possible).

Digest requires no more knowledge of the password than NTLM does. Both 
require direct or indirect access to the secret of the user. Neither 
requires access to the clear text password, but both require access to 
something which for each protocol is equivalent to the clear text 
password.

 Digest could be improved upon by using a hash of the password
 instead of the password itself. Of course, there's something of a
 chicken- and-egg problem here: proxy and web servers won't support
 it until browsers support it, and browsers won't support it until
 proxy and web servers support it. Additionally, since digest auth
 is an RFC, someone would have to draft another RFC. So even if it
 is a great idea, it can't be implemented quickly (if at all).

There is no problem with the Digest RFC in this respect. All the 
needed parts of the Digest protocol are there to build a reasonably 
secure system with good performance. What is missing is a specification 
of integration with password directories. The RFC does not define 
how such integration is to be done, only what the Digest algorithm 
requires from such integration: a limited one-time hash of the user's 
password (MD5-sess) which can not be decrypted or reused in a replay 
attack.

The NTLM authentication method is on the level of Digest MD5 
authentication (not MD5-sess), either requiring access to the secret 
key of the user or offloading all the processing to the domain 
controller. Digest MD5-sess improves on this by allowing the 
verification to run locally without requiring direct access to the 
user's secret key (only a limited one-time hash of the same), greatly 
increasing the scalability of the design.

If you are worried about storing the passwords in plain text then see 
the digest helper in Squid-HEAD. This helper supports storing 
passwords in a hashed form only usable on that server, using the same 
format as Apache htdigest. However, note that the password file must 
still be kept secure or else it is possible for a hacker who gains 
access to the digest password file to fake digest logins to that 
server even if he does not know the actual clear text password, much 
the same as it is possible for a hacker who has read access to the 
NT SAM database or is otherwise able to reconstruct the NT# to fake 
logins to the NT domain without knowing the actual clear text 
passwords of the users.

Regards
Henrik



Re: [squid-users] acl aclname user ??? does this exist?

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 08.30, Greg Cunningham wrote:
 The squid.conf doco list of acltypes has an acltype of user. 
 There is no explanation of this acltype. I got a parse error when
 trying to implement it. Does it in fact exist?

Documentation error. Where did you find this?

 I want to match an acl against the authenticated user cache.  Is it
 possible?

Yes, by using the proxy_auth acl type.

 acl password proxy_auth REQUIRED

The REQUIRED word there is just a magic user name matching all users. 
The syntax of the acl is actually a list of usernames to match.

Regards
Henrik


Re: [squid-users] ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 03.12, [EMAIL PROTECTED] wrote:

 just the adobe thing is the pain.   that's why i was hoping for an
 acl that says this is adobe, use no auth (as most people won't be
 doing much 'surfing' from adobe web capture).

Then just add a http_access line which allows adobe access before 
where you require authentication.

The tricky part is how to identify adobe... if it is just a limited 
set of servers involved then the dst or dstdomain acl types are most 
suitable. It may also be possible to use the browser acl type, but 
this opens a possibility that users find this out and reconfigure 
their browsers to claim to be the adobe product in question, thereby 
bypassing authentication.

Regards
Henrik

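Putting Henrik's two answers (proxy_auth takes a list of user names with REQUIRED as the magic name matching every authenticated user, and an http_access allow line placed before the line that needs a login exempts matching requests from the challenge) into one squid.conf fragment. This is an added illustration, not configuration from the thread; the helper path, password file, domain and network below are placeholders, and the Squid 2.5 auth_param syntax is assumed.

```conf
# Added example squid.conf fragment (Squid 2.5 syntax); paths and names are placeholders
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd

# proxy_auth takes a list of user names (shown for the syntax, not used below)...
acl admins proxy_auth alice bob
# ...and REQUIRED is the magic name that matches any successfully authenticated user
acl password proxy_auth REQUIRED

acl localnet src 192.168.0.0/16
# destinations the unattended adobe client talks to (placeholder domain)
acl adobe_sites dstdomain .adobe-updates.invalid

# Order matters: this allow is evaluated before any line that needs a login,
# so LAN requests to adobe_sites never trigger an authentication challenge.
# Match on destination rather than on the browser acl: the User-Agent string
# is chosen by the client, so a browser acl can be satisfied by anyone.
http_access allow localnet adobe_sites
http_access allow localnet password
http_access deny all
```

A request that does not match the first allow line reaches the proxy_auth line, and it is that line which makes Squid emit the 407 challenge; anything matched earlier is never asked for credentials.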


Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 04.09, [EMAIL PROTECTED] wrote:

 from a programmers perspective it's probably a pain but from our
 point of view it seems the best.

If you only knew the mess it makes with the HTTP protocol...

NTLM is a proprietary protocol only available on Windows. Others who 
want to implement the protocol must first reverse-engineer the 
protocol (see Samba) or license the technology from Microsoft (not an 
option for Open Source).

The implementation of NTLM over HTTP is violating important design 
aspects of the HTTP protocol. HTTP is a message oriented protocol, 
while NTLM is a connection oriented authentication scheme. Big 
collision there.

Because of the HTTP protocol violations there are restrictions on the 
usefulness of NTLM over HTTP. The perhaps most visible restriction is 
that NTLM over HTTP can not be proxied via HTTP proxies, meaning that 
if you are using a proxy then you can not log in to web servers 
requiring NTLM over HTTP authentication.

Regards
Henrik



[squid-users] automatic batch process authentication

2003-07-11 Thread reymc
Hi,

I have a Windows2000 server that has to automatically authenticate every 30 
minutes to my squid proxy. Squid is authenticating against an LDAP server.

Is there any way to have this authentication done automatically?

Thanks a lot in advance !

Marie

-
This mail sent through Institut Eurecom Webmail: http://webmail.eurecom.fr


Re: [squid-users] automatic batch process authentication

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 11.49, [EMAIL PROTECTED] wrote:
 Hi,
 
 I have a Windows2000 server that has to automatically authenticate every 30 
 minutes to my squid proxy. Squid is authenticating against an LDAP server.
 
 Is there any way to have this authentication done automatically?

Any HTTP client program can be used for the purpose. It is just HTTP.

Why do you need to authenticate every 30 minutes?

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



[squid-users] squid log and ip source

2003-07-11 Thread Nicolas Scheffer
Hi,

We want to put an appliance to accelerate and compress content for HTTP 
traffic.
The appliance is in front of a squid server and we have a problem with 
the log on the squid.
The appliance allows keeping the source IP in the log of the proxy 
server/web server: we inject a new field into the HTTP header (the 
value of this field contains the source IP) and we just need to change 
it for Apache (%h - %{name_of_the_field}i), IIS (there is a dll), NetApp, 
etc...

How to do it for Squid? Is it possible?

Thanks

Regards

Nicolas Scheffer



[squid-users] [OT squidGuard] Expression list in a source group declaration

2003-07-11 Thread rvt
This is kind of offtopic but since there are a lot of squid/squidguard users 
here I thought that I could ask it anyway.

Dear squidguard friends,

I have a small question.

Our departments are separated not by different domains but by computer numbers.
Let me give you an example:

TEKxxx.int.jongert.nl
ITxxx.int.jongert.nl
DOCxxx.int.jongert.nl

where 'xxx' is a number from '000' to '099'

Some of these groups do have different working times and so I must set up 
different source group declarations, right?

Is this possible in my situation???

I wanted to create an expression list for a source group but something like 
this: 'IT...\.int\.jongert\.nl' is not possible.

How can I solve my situation without putting the groups in subdomains?

Ries





Re: [squid-users] automatic batch process authentication

2003-07-11 Thread reymc
Thank you for your quick answer.

There is a W2K server (I do not know what it is doing...) that opens a web 
page every 30 minutes... It has IE, I suppose.

The problem is that I have configured Squid 2.5 to prompt the user for 
authentication. It is fine when it is for normal web browsing and when the 
user can enter his authentication credentials. But we cannot put anybody 
behind the W2K server to answer the authentication prompt. This is why I 
need to find a way for squid to go and look into a file where the W2K 
credentials are.

Have you been faced with this problem?





Quoting Henrik Nordstrom [EMAIL PROTECTED]:

 Fri 2003-07-11 at 11.49, [EMAIL PROTECTED] wrote:
  Hi,
  
  I have a Windows2000 server that has to automatically authenticate every 30
 
  minutes to my squid proxy. Squid is authenticating against an LDAP
 server.
  
  Is there any way to have this authentication done automatically?
 
 Any HTTP client program can be used for the purpose. It is just HTTP.
 
 Why do you need to authenticate every 30 minutes?
 
 Regards
 Henrik
 


RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
 The NTLM over HTTP is fundamentally broken in its design and should
 never have seen the light. A classical do it our way without regards
 to standards invention by Microsoft.

Yes, NTLM is horribly broken - just like almost everything developed by
Microsoft. The only reason I recommend it is because of the single sign
on capability it offers, that both basic and digest do not offer.

 The exact same thing (automatic single sign on, without risking the
 users private password) is fully possible to do with Digest MD5-sess
 authentication, and I wish browser and OS vendors would see the light
 and do so.

You're right - the integration shouldn't be too difficult either. There
would have to be some standard for the realm string (DNS domain name would
be a good pick), and the OS would have to store MD5(username:realm:password)
in its password database.

It's just an issue of getting the vendors to support it - the OS vendors
would have to support it first. AFAIK, even Linux doesn't support it.

What about wrapping basic auth in SSL?

Adam
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001



Re: [squid-users] automatic batch process authentication

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 13.55, [EMAIL PROTECTED] wrote:
 Thank you for your quick answer.
 
 There is a W2K server (I do not know what it is doing...) that opens a web 
 page every 30 minutes... It has IE, I suppose.

Why don't you simply allow this W2K server access without requiring
authentication?

Regards
Henrik




RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
 Well, there's a little project then :}. In point of fact, in 3.0 squid
 can read pre-digested passwords in the supplied helper.

Well, that's good news.

 You completely misunderstand how digest auth works. See RFC 2617 for the
 spec.

Based on the info you provide here, I think I did understand it - I just
didn't know of any implementation that didn't require the cleartext
password.

 What is needed to verify the password is the HHA1 (see the spec), which
 is MD5(user:realm:password) - possibly combined with one time nonces
 from the client and the server (that's md5-sess, which we don't support
 (yet)).

That's the problem - it's not an MD5 of just the password. So either the
HHA1 needs to be precomputed and stored, or the cleartext password must be
known. This currently presents integration issues - vendors would need to
use some sort of standard for the realm, then precompute and store the HHA1.

BTW, if Squid doesn't support the use of nonces, why are there squid.conf
parameters - such as nonce_max_duration and nonce_max_count - to regulate
their use?

 Once you have HHA1, then you can issue challenges and verify responses,
 without knowledge of the password.

Yes, however, how many vendors store the HHA1 in their password databases by
default, and automatically recompute it at password change? The only current
option is to maintain a separate database just for Squid. Both Basic and
NTLM are currently easier to integrate (NTLM provided you use a Samba/Windows
domain).

What about using SSL over the client-proxy connection? You would get the
easy integration of basic auth without its insecurity.

Adam
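To make the HA1 arithmetic in Henrik's earlier reply and in the exchange just above concrete, here is an added Python example (not Squid's digest helper and not code from the thread). It stores only MD5(user:realm:password) in an htdigest-style file and verifies an RFC 2617 Digest response from that value alone. The user, realm, nonce and password in demo() are the RFC 2617 section 3.5 test vector; demo() also shows the two caveats the thread raises: the response is bound to the nonce, and the stored HA1 is password-equivalent for that realm, so the file needs the same protection as a cleartext password file.

```python
"""RFC 2617 Digest (algorithm=MD5) verified from an htdigest-style store.

Added example, not Squid's digest helper and not code from the thread.
The password file content is constructed here; the credentials and nonces
in demo() are the RFC 2617 section 3.5 example values.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    # H(A1) = MD5(user:realm:password): the "HHA1" the thread talks about.
    # It is the only password-derived value a verifier ever needs.
    return md5_hex(f"{user}:{realm}:{password}")


def htdigest_line(user: str, realm: str, password: str) -> str:
    # Same layout as Apache's htdigest file: user:realm:HA1
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def load_htdigest(text: str) -> dict:
    store = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, realm, h = line.split(":", 2)
        store[(user, realm)] = h
    return store


def digest_response(ha1_hex: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    # request-digest = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # Browser side: it has the cleartext password and derives HA1 itself.
    return digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)


def verify(store: dict, user, realm, method, uri, nonce, nc, cnonce, response) -> bool:
    # Proxy side: never sees the password, works from the stored HA1 only.
    stored = store.get((user, realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed password file holding the RFC 2617 example credentials
    user, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    store = load_htdigest(htdigest_line(user, realm, password) + "\n")
    uri = "/dir/index.html"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = browser_response(user, realm, password, "GET", uri, nonce, nc, cnonce)
    good = verify(store, user, realm, "GET", uri, nonce, nc, cnonce, resp)
    # Same response presented against a fresh server nonce must fail (no replay)
    replay = verify(store, user, realm, "GET", uri, "another-nonce", nc, cnonce, resp)
    # The stored HA1 is password-equivalent for this realm: a valid response
    # can be built from the file alone, which is why the file needs the same
    # protection as a cleartext password file (Henrik's caveat above).
    from_file = digest_response(store[(user, realm)], "GET", uri, nonce, nc, cnonce)
    file_only = verify(store, user, realm, "GET", uri, nonce, nc, cnonce, from_file)
    return resp, good, replay, file_only
```

demo() returns the RFC 2617 example response together with the three verification outcomes; the nonce and cnonce are inputs to both sides, so a verifier that issues fresh server nonces and tracks nc values gets replay protection for free, while the HA1 store remains the asset to lock down.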



Re: [squid-users] squid log and ip source

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 13.12, Nicolas Scheffer wrote:

 The appliance allows keeping the source IP in the log of the proxy 
 server/web server: we inject a new field into the HTTP header (the 
 value of this field contains the source IP) and we just need to change 
 it for Apache (%h - %{name_of_the_field}i), IIS (there is a dll), NetApp, 
 etc...
 
 How to do it for Squid? Is it possible?

http://devel.squid-cache.org/customlog/

Regards
Henrik

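Whatever log format the customlog work gives Squid, the value the appliance injects is still just a request header, so the one check a practitioner wants before logging it is that the connection actually came from the appliance. Here is an added Python example (not Squid code and not the customlog patch Henrik links to) of that decision; the header name X-Client-IP, the appliance address and the sample requests are constructed placeholders, since the thread only calls the field 'name_of_the_field'.

```python
"""Which address to log when an appliance injects the client IP in a header.

Added example: not Squid code and not the customlog work linked above.
The header name, the appliance address and the sample values are
constructed placeholders.
"""
import ipaddress

# Constructed: the only peer whose injected header we are willing to believe
TRUSTED_APPLIANCES = {ipaddress.ip_address("10.0.0.2")}
CLIENT_IP_HEADER = "X-Client-IP"   # assumed header name


def effective_client(peer: str, headers: dict) -> str:
    """Return the address that belongs in the 'client' column of the log.

    The injected header is honoured only when the TCP peer is the appliance.
    From any other peer it is ignored: a request header is client controlled,
    so trusting it unconditionally would let any client write an arbitrary
    address into the access log.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_APPLIANCES:
        return str(peer_ip)
    # Header names are case-insensitive; look the field up accordingly
    raw = next((v for k, v in headers.items()
                if k.lower() == CLIENT_IP_HEADER.lower()), "")
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return str(peer_ip)   # missing or malformed value: fall back to the peer


def log_line(ts: float, elapsed_ms: int, peer: str, headers: dict,
             method: str, url: str, code: str, size: int) -> str:
    # Loosely modelled on the column order of Squid's native access.log
    client = effective_client(peer, headers)
    return f"{ts:.3f} {elapsed_ms:6d} {client} {code} {size} {method} {url}"


def demo():
    # Constructed requests: one via the appliance, one direct with a forged header
    via_appliance = {"X-Client-IP": "203.0.113.7", "Host": "www.example.invalid"}
    direct_forged = {"X-Client-IP": "203.0.113.7", "Host": "www.example.invalid"}
    return (log_line(1057924800.0, 12, "10.0.0.2", via_appliance,
                     "GET", "http://www.example.invalid/", "TCP_MISS/200", 512),
            log_line(1057924801.0, 9, "192.0.2.50", direct_forged,
                     "GET", "http://www.example.invalid/", "TCP_MISS/200", 512))
```

The same rule applies in reverse: if the appliance is the only path into the proxy, a request arriving from any other peer with that header set is itself worth alerting on.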



RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Robert Collins
On Fri, 2003-07-11 at 22:26, Adam Aube wrote:


 Yes, NTLM is horribly broken - just like almost everything developed by
 Microsoft. The only reason I recommend it is because of the single sign
 on capability it offers, that both basic and digest do not offer.

SSO is -not- a property of NTLM. It's a property of the OS and the
browser. It's fully possible to do SSO with basic (bad because of
password leak issues) and Digest (quite easy, using MD5-sess).

  The exact same thing (automatic single sign on, without risking the
  users private password) is fully possible to do with Digest MD5-sess
  authentication, and I wish browser and OS vendors would see the light
  and do so.
 
 You're right - the integration shouldn't be too difficult either. There
 would have to be some standard for the realm string (DNS domain name would
 be a good pick), and the OS would have to store MD5(username:realm:password)
 in its password database.

The realm is specific to the proxy configuration - but within an
enterprise it can be set, yes. In fact Kerberos realms might be a good
one to choose, if an organisation already has Kerberos deployed.
As far as what's stored, there are several options, but the key though is
for the browser to be able to request a ticket:
HHA1 = GetTicketForProxy(ProxyNonce, BrowserNonce);

which would return a one-time ticket, unable to be used for attacking
the password.

 It's just an issue of getting the vendors to support it - the OS vendors
 would have to support it first. AFAIK, even Linux doesn't support it.

It's not even an OS issue. It's pretty straightforward: pick a
directory service. Extend it with a call like the above, synchronised
with password changes. Then, add some glue to mozilla to use that call
in preference to prompting the user.

Voila.

If someone hacks up such a solution, open source (and works to get it
accepted by the maintainers of the relevant packages), I will contribute
md5-sess support to squid.

 What about wrapping basic auth in SSL?

This is also possible, squid supports this, but no browsers do. Also, as
the browser would get the password, it /does/ lead to password
compromise risks that the digest approach doesn't.

Rob
-- 
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.




RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
 SSO is -not- a property of NTLM. It's a property of the OS and the
 browser. It's fully possible to do SSO with basic (bad because of
 password leak issues) and Digest (quite easy, using MD5-sess).

As I acknowledged later in the message, it can be done with basic or
digest. However, only NTLM supports it currently, and then only if you're
running Windows desktops with a Samba/Windows domain server.

 The realm is specific to the proxy configuration - but within an
 enterprise it can be set yes. In fact Kerberos realms might be a good
 one to choose, if an organisation already has kerberos deployed.

Kerberos would be a good option, because it's fairly universal - UNIX
variants have supported it for years, and Windows started supporting it
with Win2k. You would then just need browser support.

 It's not even an OS issue. It's pretty straightforward: pick a
 directory service. Extend it with a call like the above, synchronised
 with password changes. Then, add some glue to mozilla to use that call
 in preference to prompting the user.

Yes, it is really a directory service issue. But since most networks will
use the directory service that came with their OS, and the OS (not the
directory service) will likely handle database updates for password changes,
there will still likely be some OS issues.

 What about wrapping basic auth in SSL?

 This is also possible, squid supports this, but no browsers do. Also, as
 the browser would get the password, it /does/ lead to password
 compromise risks that the digest approach doesn't.

With digest the browser prompts the user for the password, so it's currently
no more secure from the browser end than basic.

Adam



RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
I'm going to try to summarize the discussion thus far.

NTLM auth is horribly broken, however:
  1) It's currently the only auth scheme you can get SSO with
  2) It does not send the password in the clear over the wire

Therefore, if you are already running a Windows domain on your 
network, you might as well use NTLM auth with Squid.

However, NTLM is still horribly broken. Therefore, a properly 
functioning auth scheme needs to be implemented by OS, directory 
service, and browser vendors to replace NTLM.

The best candidates for this are:
  1) Kerberos
  2) md5-sess

Kerberos has the added benefit of already being part of both
Unix and Windows (2000 and above) - all that is missing is
browser support.

If OS and browser vendors adopted such a solution, it would readily
be added to Squid.

Henrik and Robert, thank you for a very enlightening discussion, and
I hope my summary here effectively hit the main points. However, I 
(usually) know enough to know when I'm out of my depth, so I'm going 
to exit this thread now, and leave further discussion to the experts.

Adam



RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 14.57, Adam Aube wrote:

 Kerberos would be a good option, because it's fairly universal - UNIX
 variants have supported it for years, and Windows started supporting it
 with Win2k. You would then just need browser support.

And the SPNEGO over HTTP method proposed by Microsoft is flawed in the
same way as the NTLM over HTTP (but at least they document the flaw this
time), and very much disliked by the Kerberos community the last time I
looked for other reasons.

 Yes, it is really a directory service issue. But since most networks will
 use the directory service that came with their OS, and the OS (not the
 directory service) will likely handle database updates for password changes,
 there will still likely be some OS issues.

Indeed. Support in both is needed. Neither is very hard though.


The thing with NTLM over HTTP is that it uses the NTLM framework which
already existed in Windows. It is the OS level NTLM framework which
provides single-sign-on, not the NTLM over HTTP protocol. To make the
same thing for Digest such a framework for single-sign-on needs to be
devised.

A suggestion on how these interfaces could look:


 * The user directory needs to provide an interface where remote
applications can get access to the needed information in a secure manner
to verify user credentials. This interface involves two calls
   a) Give me a server nonce and realm
   b) Give me an MD5-sess HA1 matching the above server nonce
  (login and client nonce specified)
The directory needs to internally store either plaintext passwords or
MD5 HA1 hashes (MD5 HA1 can be used as base for MD5-sess HA1). The
requirements on internal storage of the password in a compatible format
are probably the biggest challenge in directory integration.
There are no special trust requirements on the server application, but the
server application needs to be able to trust the data returned by the
directory. The use of SSL is recommended as transport to guarantee the
authenticity of the directory responses (from the correct directory and
not tampered with).

 * An OS mechanism whereby locally authenticated users can get access to
their own credentials in a secure manner without having to re-enter the
password. For Digest this interface should provide two operations
   a) Give me a client nonce
   b) Give me an MD5-sess HA1 matching the above client nonce
  (realm and server nonce specified by the application,
   login is known by the OS and does not need to be specified)
This interface MUST be restricted and only available to locally
authenticated users to get their own data. This is why it needs to be an
OS level feature as it is only the OS that can be trusted to determine who
the authenticated user is.


The OS level support on the client stations does not really require
directory integration, but the server side support does. On the client
station the approach used by Windows can be used, where the OS remembers
the password used on login in a secure store not directly accessible by
applications and then provides APIs where applications can make use of
this information in a secure manner. It obviously becomes more secure if
directory integration is used, as then the password (or hashed
equivalent) does not need to be stored in memory other than during the
login phase, and it also allows for other means of login as long as a trust
chain can be established, restricting who may gain access to which users'
credentials.


In both the directory interface and the OS interface the split in two
operations protects the returned HA1 by hashing it with a random cookie
generated by a trusted source (directory or OS), making it effectively
worthless to anyone else outside the session. It still needs to be
transmitted securely however to protect the session.


  This is also possible, squid supports this, but no browsers do. Also, as
  the browser would get the password, it /does/ lead to password
  compromise risks that the digest approach doesn't.
 
 With digest the browser prompts the user for the password, so it's currently
 no more secure from the browser end than basic.

This is only because there are currently no OS services for Digest
single-sign-on. As a result the only available option is to query the
user for his password as the stupid OS does not provide the needed
information.

Regards
Henrik


-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 15.08 Robert Collins wrote:

 We support nonces, but not client nonces. md5-sess requires client nonce
 support.

Err.. Squid supports client nonces, it is just not capable of triggering
md5-sess HHA1 calculation, and lacks a helper interface for md5-sess HA1
exchanges.

 NT Provides Digest for IIS, but under some constraints:
 * You MUST have an AD Domain
 * You MUST turn on 'store passwords with reversible encryption' in the
 AD policies.

Rumor is that the IIS must also be a domain controller, but I have not
seen this verified.

 To enlarge on my other message, this is actually less secure in a funny
 way.
 
 lets compare a hypothetical digest SSO, and a hypothetical basic/ssl SSO

Sure, basic over ssl is less secure than Digest, but probably provides a
reasonable level for most uses and is a whole lot easier to integrate
with existing directory services.

 squid creates a nonce, challenges the client.
 the client gets the challenge, creates its own nonce, hands both to the
 directory service over its *already existing* secured link, and receives
 back a one-time HHA1 - specific to the two nonces. the client then sends
 the calculated digest response using the HHA1.
 squid receives the response, with the new client nonce. squid then
 requests a HHA1 to match (user, realm, squid-nonce, client-nonce) from
 its connection to the directory service. squid then is able to validate
 the response.

Correct, except that the nonce creation should be done by the
OS/Directory for secure MD5-sess exchanges as outlined in my previous
message. If not, the system is vulnerable to cryptographic attacks on the
MD5-sess exchange. If the OS/Directory can establish full trust in the
application/server then nonce creation may be left to the
application/server, but I see no valid reason to do this.

Regards
Henrik




[squid-users] Block download specific size

2003-07-11 Thread Soccal Andrea
Hi

How to block downloads of a specific size for the client PC??

Thanks !


Andrea Soccal
IT Sistema Ufficio
[EMAIL PROTECTED]


RE: [squid-users] Block download specific size

2003-07-11 Thread Alvaro Figueroa
I think you could manage it with delay pools.  In other words, you would
not be able to avoid large files from being downloaded, but you will
be able to slow down the downloading, which basically will free up
bandwidth for other users.

Alvaro Figueroa
Network Administrator
Corporación Santo Tomás
(562)376-3483



-----Original Message-----
From: Soccal Andrea [mailto:[EMAIL PROTECTED]] 
Sent: Friday, 11 July 2003 11:09
To: '[EMAIL PROTECTED]'
Subject: [squid-users] Block download specific size


Hi

How to block downloads of a specific size for the client PC??

Thanks !


Andrea Soccal
IT Sistema Ufficio
[EMAIL PROTECTED]




RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 16.41 Henrik Nordstrom wrote:

  * An OS mechanism whereby locally authenticated users can get access to
 their own credentials in a secure manner without having to re-enter the
 password. For Digest this interface should provide two operations
a) Give me a client nonce
b) Give me a MD5-sess HA1 matching the above client nonce
   (realm and server nonce specified by the application,
login is known by the OS and does not need to be specified)

Correction. The user application OS interface only needs one single
operation:

Give me a client nonce and matching MD5-sess HA1 for my account
given
   * realm (from server)
   * server nonce (from server)
   * optionally login name (from user) in case the user has multiple
stored credentials in the same realm.

Regards
Henrik

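The MD5-sess split described in the three messages above (directory holds the MD5 HA1; client and proxy each ask for a nonce-bound MD5-sess HA1; the password and the raw HA1 never leave the trusted side), as an added worked example in Python. This is not code from the thread or from Squid: the Directory class, the single "give me a client nonce and matching MD5-sess HA1" operation, and the client_authenticate/proxy_validate names are this example's own, and the user, realm and password are constructed test data. The hash formulas are the RFC 2617 ones for algorithm=MD5-sess and qop=auth.

```python
"""Digest MD5-sess split: a trusted directory computes nonce-bound HA1-sess
values so neither the browser nor the proxy ever holds a reusable secret.
Added example; Directory and the function names are hypothetical."""
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_md5(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5: H(user:realm:password)."""
    return _md5(f"{user}:{realm}:{password}")


def ha1_md5_sess(ha1: str, nonce: str, cnonce: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5-sess: H(HA1:nonce:cnonce).
    Bound to one nonce pair, so it is worthless outside that exchange."""
    return _md5(f"{ha1}:{nonce}:{cnonce}")


def digest_response(ha1_sess: str, nonce: str, nc: str, cnonce: str,
                    qop: str, method: str, uri: str) -> str:
    """RFC 2617 response for qop=auth: H(HA1:nonce:nc:cnonce:qop:H(A2))."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_sess}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Directory:
    """Hypothetical directory service.  It stores MD5 HA1 per (user, realm)
    and answers the single operation from the correction above: give me a
    client nonce and the MD5-sess HA1 for it.  Password and raw HA1 stay here."""

    def __init__(self) -> None:
        self._ha1: dict[tuple[str, str], str] = {}

    def enroll(self, user: str, realm: str, password: str) -> None:
        # The directory hashes at enrolment; the plaintext is not kept.
        self._ha1[(user, realm)] = ha1_md5(user, realm, password)

    def sess_ha1(self, user: str, realm: str, server_nonce: str, cnonce=None):
        """Trusted side generates the client nonce, unless the proxy passes
        the one it saw in the Authorization header so it can verify it."""
        ha1 = self._ha1.get((user, realm))
        if ha1 is None:
            return None
        if cnonce is None:
            cnonce = secrets.token_hex(16)
        return cnonce, ha1_md5_sess(ha1, server_nonce, cnonce)


def client_authenticate(directory, user, realm, server_nonce, method, uri,
                        nc="00000001"):
    """Client/OS side: fetch (cnonce, HA1-sess) and build the Authorization
    fields.  The password never passes through this function."""
    got = directory.sess_ha1(user, realm, server_nonce)
    if got is None:
        raise ValueError("no credentials stored for this user/realm")
    cnonce, ha1_sess = got
    return {
        "username": user, "realm": realm, "nonce": server_nonce,
        "cnonce": cnonce, "nc": nc, "qop": "auth", "uri": uri,
        "response": digest_response(ha1_sess, server_nonce, nc, cnonce,
                                    "auth", method, uri),
    }


def proxy_validate(directory, method, hdr, issued_nonce) -> bool:
    """Proxy side: reject a nonce the proxy did not issue, then ask the
    directory for the HA1-sess matching (user, realm, nonce, cnonce) and
    recompute the response.  The proxy never sees HA1 or the password."""
    if hdr["nonce"] != issued_nonce:
        return False
    got = directory.sess_ha1(hdr["username"], hdr["realm"],
                             hdr["nonce"], hdr["cnonce"])
    if got is None:
        return False
    _, ha1_sess = got
    expected = digest_response(ha1_sess, hdr["nonce"], hdr["nc"], hdr["cnonce"],
                               hdr["qop"], method, hdr["uri"])
    return secrets.compare_digest(expected, hdr["response"])


if __name__ == "__main__":
    d = Directory()
    d.enroll("alice", "Squid proxy", "s3cret")        # constructed test user
    nonce = secrets.token_hex(16)                      # Proxy-Authenticate nonce
    hdr = client_authenticate(d, "alice", "Squid proxy", nonce,
                              "GET", "http://example.com/")
    print("fresh exchange valid:", proxy_validate(d, "GET", hdr, nonce))
    print("same header, new nonce:", proxy_validate(d, "GET", hdr, secrets.token_hex(16)))
```

The point of the second call is the one made above: a captured HA1-sess or response is tied to the nonce pair, so replaying it against the next challenge fails without the directory being asked anything new.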



Re: [squid-users] Block download specific size

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 17.08 Soccal Andrea wrote:
 Hi
 
 How to block downloads of a specific size for the client PC??

reply_body_max_size

Regards
Henrik




Re: [squid-users] Squid 2.5.STABLE3 and ntlm and authentication popup

2003-07-11 Thread Christopher Weimann
On Wed 07/02/2003-08:09:20AM -0400, [EMAIL PROTECTED] wrote:

 2003/07/01 19:03:15| authenticateValidateUser: Auth_user_request was NULL!

I see a bunch of these if I try to use NTLM and wb_group in conjunction with
cache_peer_access ( Bugzilla #585 ). Are you using cache_peer_access?
I was not getting auth popups and it was with a single user, but it may be
related.

I never came up with a solution.



[squid-users] load balancing

2003-07-11 Thread Bob Arctor
The main drawback of load balancing between peers is that squid never tries 
to determine how much bandwidth is left on other parents, it just queries the first 
one. IMO besides connect-timeout there should be a use-band
option, allowing squid to not use a certain parent if there are connections 
pending to it using x of bandwidth. 
This would introduce true load balancing, as the number of connections isn't a good 
measure.

In addition the parent cache can occasionally return its bandwidth report, and 
databases could hold ping reply times and throughput to sites (servers) as 
'cost'. 





RE: [squid-users] Re: Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
 Actually the reason that I want the popup is because I want selective
 users to be able to access the web. Not just anyone that walks up to
 someone's workstation and is able to browse the net. Also I would
 like to keep track of users' authentication for accounting purposes.

I would recommend you stick with NTLM and find a way to deal with
people using others' stations, because that will cause more problems in
the long run than just Internet abuse.

Failing that, as I had posted before, you can use the winbind basic auth
helper (wb_auth) to get the basic auth popup while keeping the Windows
domain integration. But beware, many users will simply click the handy
Remember my password box, defeating the whole purpose.

 I take it I need to replace acl authusrs proxy_auth REQUIRED
 with acl authusrs userA, userB, ..., userZ? Is there a way to keep
 these users in a different list?

If you only want to allow certain users to access the Internet, take a look
at the wb_group external acl helper. You can configure it to check a certain
Windows group, and only allow access to members of that group.

Adam
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001



[squid-users] aca services

2003-07-11 Thread Seby
Could somebody tell me what this aca service is .. 
My squid .. is listening on port 62/udp which in /etc/services is 
aca Services

 # nmap -sU 127.0.0.1
 Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
 Interesting ports on localhost (127.0.0.1):
 (The 1465 ports scanned but not shown below are in state: closed)
 Port       State   Service
 53/udp     open    domain
 62/udp     open    acas
 514/udp    open    syslog
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
 
--- 
 # fuser 62/udp
 62/udp:   1999
-- 
 
 # ps xau| grep 1999
 squidu    1999  0.5  3.1 53108 48648 ?   S    Jul03  68:10 (squid) -D
 
Thank you,
Seby.


RE: [squid-users] aca services

2003-07-11 Thread Seby
On Fri, 11 Jul 2003 Adam Aube wrote:

  My squid .. is listening on port 62/udp which in 
  /etc/services is aca Services
 
 Check your squid.conf for htcp_port, icp_port, and
 snmp_port. If you're not using peer/parent caches,
 you can set htcp_port and icp_port to 0 to disable.
 
 Note: htcp and snmp support must be compiled in.
icp_port:3130
snmp_port: 3401
htcp_port: it isn't set up, but by default is 4827 and is
not open ..

And i am using peer/parent caches ..
 
 What version of Squid do you have, and where did
 you get it from?
From www.squid-cache.org version 2.5STABLE1


Seby


[squid-users] NCSA Authentication...help

2003-07-11 Thread David Jacobs
I realize this should be a simple thing, but I am new to squid.  I am
using the RPM that comes with redhat 9.  I setup NCSA authentication and
I am getting a login and password prompt from the browser when I hit the
proxy, but it does not authenticate (I did create a passwd file using
htpasswd) I thought it was configured correctly until I saw Too few
Basic Authenticator processes are running when I do tail -f
/var/log/messages while I am trying to log in.  Is this a clear
indication of a problem?


Dave Jacobs






RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
 I google the net for wb_group but can't seem to find a place to
 download this. Is this included with Squid-2.5.STABLE1? I take
 it I need to compile squid again if it is not found in
 /usr/lib/squid/?

You will need to recompile Squid. Check in the helpers/external_acl
folder of the Squid source for a winbind_group folder. I don't
remember if STABLE1 had it; I know STABLE3 does.

When you recompile Squid, you'll need to include

--enable-external-acl-helpers=winbind_group

in your ./configure command to enable the helper.

The readme.txt file in helpers/external_acl/winbind_group gives 
excellent directions for using the helper.

Adam
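Added example, not the wb_group helper itself and not from the thread: a minimal external ACL helper in the style of wb_group, to show what the group check Adam describes actually does on the wire. It speaks the external_acl protocol Squid uses for these helpers (one request per line consisting of the %LOGIN user followed by the arguments from the acl line, answered with OK or ERR on stdout). The group table is constructed sample data standing in for the winbind lookup; the helper path, the NT_group name and the DOMAIN\user handling are assumptions for the illustration.

```python
"""Minimal external ACL helper in the style of wb_group (added example).

Matching squid.conf (assumed; an authentication scheme such as the
winbind NTLM or basic helper must already be configured so that %LOGIN
is populated before this helper is consulted):

  external_acl_type NT_group %LOGIN /usr/local/squid/libexec/group_helper.py
  acl ProxyUsers external NT_group ProxyUsers
  http_access allow ProxyUsers
  http_access deny all

Squid then sends lines such as "alice ProxyUsers" and reads OK or ERR back.
"""
import sys

# Constructed sample standing in for the Windows domain's group membership.
GROUPS = {
    "alice": {"ProxyUsers", "Staff"},
    "bob": {"Staff"},
}


def decide(line: str, groups=GROUPS) -> str:
    """Map one request line ("<login> <group> [<group> ...]") to OK or ERR.

    Every argument after the login is a group name; membership in any one
    of them grants access (the semantics the wb_group readme describes).
    Anything malformed fails closed.
    """
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    user, wanted = parts[0], parts[1:]
    user = user.split("\\", 1)[-1].lower()      # accept DOMAIN\user too (assumed)
    member = groups.get(user, set())
    return "OK" if any(g in member for g in wanted) else "ERR"


def main() -> None:
    # Squid writes one request and waits for exactly one reply line, so the
    # answer must be flushed immediately or every lookup stalls.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run from a shell with `echo "alice ProxyUsers" | python3 group_helper.py` to see the OK/ERR exchange Squid would have with it; the real helper differs only in where the membership answer comes from.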



Re: [squid-users] NCSA Authentication...help

2003-07-11 Thread Schelstraete Bart
David Jacobs wrote:

I realize this should be a simple thing, but I am new to squid.  I am
using the RPM that comes with redhat 9.  I setup NCSA authentication and
I am getting a login and password prompt from the browser when I hit the
proxy, but it does not authenticate (I did create a passwd file using
htpasswd) I thought it was configured correctly until I saw Too few
Basic Authenticator processes are running when I do tail -f
/var/log/messages while I am trying to log in.  Is this a clear
indication of a problem?
Hello David,

Increase this value in your squid.conf file:

authenticate_children

(for example: 5 or 10)

rgrds,
  Bart


RE: [squid-users] NCSA Authentication...help

2003-07-11 Thread Adam Aube
 I am using the RPM that comes with redhat 9.  I setup NCSA 
 authentication and I am getting a login and password prompt 
 from the browser when I hit the proxy, but it does not 
 authenticate (I did create a passwd file using htpasswd) I 
 thought it was configured correctly until I saw Too few
 Basic Authenticator processes are running when I do tail -f
 /var/log/messages while I am trying to log in.  Is this a
 clear indication of a problem?

Make sure the password file you created is readable by the
user squid runs as. If not, fix it and try again.

If that wasn't it, or you're still having problems, post 
the auth_param lines from your squid.conf and the output 
of the following:

ps ax | grep -c ncsa_auth

Make sure squid is running when you run that command - it 
counts the number of running ncsa_auth processes.

Adam



RE: [squid-users] NCSA Authentication...help

2003-07-11 Thread Adam Aube
the passwd file is chmod 777 at this point and owned by the squid
user.   I checked to make sure I had auth_param children 5 and I upped it
to 15.   

Not sure what is causing this. The output of the ps -ax line was 1,
and here is my conf file; it is on an internal lan and I am only using
it to test if something works with an authenticated proxy.

For some reason your ncsa_auth children are dying en masse. Check 
the cache.log for details. Also, try setting the permissions on the 
password file to 644. 

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern .   0   20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Remove one of the auth_param basic children lines from squid.conf 
- you've got 2. Your http_access lines are a little out of order,
but should work.

Unless cache.log reveals something, I don't know what else to check.

Adam
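Added example, not from the thread: a small audit script run over the squid.conf posted above. Squid evaluates http_access top to bottom and stops at the first line whose ACLs all match, so the posted order has two consequences worth seeing in code: `http_access allow foo` (foo being a proxy_auth ACL) on the first line lets every authenticated user past the Safe_ports and SSL_ports denies below it, and the `deny all` immediately after it makes the remaining lines dead. The duplicated `auth_param basic children` line is reported too. POSTED_CONF is a trimmed copy of the posted file (the Safe_ports lines merged into one); FIXED_CONF, the function names and the wording of the findings are this example's own.

```python
"""Audit http_access ordering and duplicated auth_param lines (added example)."""

# Trimmed copy of the configuration posted above.
POSTED_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Same directives reordered: one children line, port checks before the
# authenticated allow, deny all last (this example's suggestion).
FIXED_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl foo proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow foo
http_access deny all
"""


def parse(conf):
    """Collect acl name -> type, the http_access rules in order, and every
    'auth_param basic children' value."""
    acl_type, rules, children = {}, [], []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()        # strip trailing comments
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            acl_type.setdefault(parts[1], parts[2])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
        elif parts[:3] == ["auth_param", "basic", "children"]:
            children.append(" ".join(parts[3:]))
    return acl_type, rules, children


def audit(conf):
    """Return a list of findings; empty when the checks pass."""
    acl_type, rules, children = parse(conf)
    findings = []
    if len(children) > 1:
        findings.append("auth_param basic children set %d times (%s); keep one"
                        % (len(children), ", ".join(children)))
    deny_all_at = auth_allow_at = port_deny_at = None
    for n, (action, terms) in enumerate(rules, 1):
        names = [t.lstrip("!") for t in terms]
        if deny_all_at is None and action == "deny" and terms == ["all"]:
            deny_all_at = n                       # first-match: nothing below runs
        if auth_allow_at is None and action == "allow" and any(
                acl_type.get(x) == "proxy_auth" for x in names):
            auth_allow_at = n                     # first allow of authenticated users
        if port_deny_at is None and action == "deny" and any(
                t.startswith("!") and acl_type.get(x) == "port"
                for t, x in zip(terms, names)):
            port_deny_at = n                      # first Safe_ports/SSL_ports style deny
    if deny_all_at is not None and deny_all_at < len(rules):
        findings.append("http_access rule %d is 'deny all'; the %d rule(s) after "
                        "it never match" % (deny_all_at, len(rules) - deny_all_at))
    if auth_allow_at and port_deny_at and auth_allow_at < port_deny_at:
        findings.append("http_access rule %d allows every authenticated user before "
                        "the port checks at rule %d, so they bypass Safe_ports and "
                        "SSL_ports" % (auth_allow_at, port_deny_at))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", audit(conf) or ["no findings"])
```

The audit says nothing about why the ncsa_auth children die (that is still a cache.log question), but it does show that the posted file, as ordered, would either let any authenticated user CONNECT anywhere or, because of the second line, deny everything that is not authenticated before the manager and localhost rules are reached.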








[squid-users] Re: Re: Re: ntlm won't prompt

2003-07-11 Thread Norman Zhang
 If you only want to allow certain users to access the Internet, take a
 look at the wb_group external acl helper. You can configure it to check
 a certain Windows group, and only allow access to members of that group.

Would squidGuard do the trick?

Regards,
Norman





Re: [squid-users] cache.log

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 19.53, Stephen J. McCracken wrote:

 I guess I'm looking for ideas on what few, a lot and
 occasionally mean as we're getting the storeAufsOpenDone: error
 daily every few hours it seems.  The last couple of days the Queue
 congestion has happened in the middle of these other messages a
 couple of times.

A few is very subjective..  but a couple per hour definitely falls 
into the category a few.

a lot is easier to define. Very many, making it look like the log is 
flooded with such messages.

Regards
Henrik



Re: [squid-users] aca services

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 20.28, Seby wrote:

  Port       State   Service
  53/udp     open    domain
  62/udp     open    acas
  514/udp    open    syslog

none of these ports are used by Squid.

You have to look into what other software you are running on that 
server. lsof is a good tool for finding which application is having 
which port open.

Regards
Henrik



[squid-users] max time

2003-07-11 Thread David Kiner
Hi,

I would like to know if it is possible to assign a maximum time of access
to the proxy for an authenticated user?

Regards,

David



[squid-users] cachemgr delay pool info

2003-07-11 Thread akira
Dear all,

I already installed Squid 2.4.STABLE7 and so far it works well. Btw, if I open
cachemgr.cgi and see the Delay pools level, the result is as follows:

Pool: 2
Class: 2

Aggregate:
Max: 15
Restore: 5000
Current: 148000

Individual:
Max: 1000
Rate: 5000
Current: 129:1000 175:0 180:1000 29:1000

My question is what  Current: 129:1000 175:0 180:1000 29:1000 means ??

Thanks