Re: [squid-users] Authentification via samba 3.0 to an active directory server

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 10.39, Markus Meissner wrote:

 OK, I understand. There is a pipe open at /tmp/.winbindd/pipe. The
 directory is accessible for the squid user (ntlm_auth runs as the squid
 user) and the pipe itself is srwxrwxrwx. So this should work. There
 is another pipe at /var/cache/samba/winbindd_privileged which is
 only accessible by root, but I _think_ that this is OK.

If you are using NTLM then I think the helper needs access to the 
privileged pipe. See the Samba documentation on how to use the 
Samba-3.0 helper.

Regards
Henrik


Re: [squid-users] Reverse proxy problem again

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 10.42, Niti Lohwithee wrote:
 Dear Henrik,

   Could you recommend the redirect script for solving this
 problem?


My question is why use a redirector script at all? I see no reason 
why you would need or want a redirector script in your setup.

Regards
Henrik


[squid-users] Re: Squid + LDAP

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 17.43, Arias, Sebastian Alejandro - (Ext Arg) 
wrote:
 Henrik,

   I'm trying to implement LDAP authentication on Squid. I'm using
 Squid Cache: Version 2.5.STABLE2 and I have some questions about
 it.


   1. How can I know if I must recompile squid with an LDAP
 module? ... I did not compile squid with an option to support
 it, but I think that Squid supports it
   by default.

You most likely don't need to recompile Squid, but you may need to 
install the LDAP helpers if those were not installed when you 
installed your Squid. To see which helpers were installed as part of 
your Squid installation see the libexec directory.

   2. I was trying to test the ldap_auth script at the command prompt
 but I can't get a successful result.

I can not help you with the third-party ldap_auth helper as I have no 
experience from this helper. What I can help you with is the official 
squid_ldap_auth helper shipped with Squid.

   3. And the last one, at the following lines I'm showing you the args

   acl ldap proxy_auth REQUIRED
   acl ldap src 0.0.0.0/0.0.0.0

You can not combine two different acl types in the same acl name.


If you need further help please use the squid-users mailing list.

Regards
Henrik


Re: [squid-users] bootstrap.sh

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 19.42, [EMAIL PROTECTED] wrote:
 Can anyone tell me where I can get the bootstrap.sh script from the
 CVS tree? 

From the CVS tree, any of the access methods (cvs or web).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]


Re: [squid-users] bootstrap.sh

2003-08-16 Thread ssdd sdsds
We had one cache dir on a separate hard disk. It was giving
errors which were recovered via fsck.
Now we want to delete that cache and remake it. But when
deleting the dir it gives an error:
 rm -rf 00
rm: cannot remove `00/0D/0D44': Input/output error
rm: cannot remove `00/0D/0DBD': Input/output error
rm: cannot remove directory `00/0D': Directory not
empty

How can I reuse that hard disk? Any idea (other than
reinstalling Linux ;-)

Regards,
Wajiha

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


[squid-users] Load Balancing

2003-08-16 Thread Yuri N. Fominov
Hi,

I have two instances of squid-2.5-STABLE3 running on the same
dual-processor machine under RH AS 2.1 (2.4.9-e.25). Everything works
great. I would like to optimize the hit ratio and have the following
question:

Is it possible to configure the squid instances with cross-referencing access
to the cache directories, e.g.:

Squid #1
cache_dir aufs /cache1 3 46 256
cache_dir aufs /cache2 3 46 256 read-only

Squid #2
cache_dir aufs /cache1 3 46 256 read-only
cache_dir aufs /cache2 3 46 256

I haven't tried to do it. Any suggestions?

Regards,
 
Yuri N. Fominov


Re: [squid-users] Load Balancing

2003-08-16 Thread Robert Collins
On Sat, 2003-08-16 at 22:59, Yuri N. Fominov wrote:
 Hi,
 
 I have two instances of squid-2.5-STABLE3 running on the same
 dual-processor machine under RH AS 2.1 (2.4.9-e.25). Everything works
 great. I would like to optimize the hit ratio and have the following
 question:
 
 Is it possible to configure the squid instances with cross-referencing access
 to the cache directories, e.g.:

No. Use ICP, or cache digests between the instances.

Rob
-- 
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.


signature.asc
Description: This is a digitally signed message part


[squid-users] delay pools problem

2003-08-16 Thread Jun Tanamal
Sorry for this newbie question, but I really need help.
Any links or directions on what methods to test delay pools and 
transparent proxy? (It *seems* my delay pools are not working yet.)
I am also using Apache on the same machine.
I have already added a redirection rule in the firewall and it accepts ALL 
packets before interception.
My squid.conf is below

Thanks again in advance!

-Jun
---squid.conf---
http_port 3128
icp_port 3130
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /usr/cache 250 16 256
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
logfile_rotate 4
redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl localnet src 10.123.0.0/255.255.255.0 10.124.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB
httpd_accel_port 81
httpd_accel_host virtual
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
anonymize_headers deny User-Agent
fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/2001112
cache_mgr [EMAIL PROTECTED]
cachemgr_passwd secret_password test
cache_effective_user squid
cache_effective_group squid
log_icp_queries off
buffered_logs on
acl magic_words1 url_regex -i 10.123 10.124
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1
delay_class 2 2
delay_parameters 2 500/5000 500/2000 #these are for test values only
delay_access 2 allow magic_words2
--end-




Re: [squid-users] Compression configuration for low bandwidth

2003-08-16 Thread Robert Collins
On Fri, 2003-08-15 at 20:36, jack beany wrote:
 Hi All,
 
 Could someone give me a to-the-point answer on:
 
 a) Does Squid internally support compression of data sent and received, if 
 so, how is it activated/enforced for various mimetypes?

No.

 b) Are there any modules that plugin to squid to enhance speed through low 
 b/w connections(mod_gzip)?

Not of production quality.

 I use the latest Mozilla, and that obviously sends the Accept-Encoding: 
 gzip,deflate header, but everything still goes through in plaintext.

Accept-Encoding is only of use for transcoding caches (squid isn't one),
and for origin servers - which get to decide whether to use compressed
data or not.

TE - Transfer Encoding is appropriate for proxy caches, clients and
servers - but there is also no module for this at the moment.

Cheers,
Rob


Re: [squid-users] Include file for squid.conf

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 14.14, Ilo wrote:

 Has this now become part of the current release yet or, is there
 any other way that I could accomplish this?

What has become part of the Squid-3.0 release is the ability to 
specify that squid.conf is generated (or preprocessed) by an external 
program, allowing you to have squid.conf processed by any 
include/macro processor of choice.

This feature is invoked by specifying a config file starting with | or 
!. In that case Squid will execute the specified config file as a 
command (possibly including arguments) and use the output of the 
command as the active configuration file.

Regards
Henrik

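
The mechanism Henrik describes (a config "file" whose name starts with | or ! is executed, and its standard output becomes the active configuration) leaves the include or macro format entirely up to the generator. The script below is an added example, not part of Squid or of this thread: a small Python generator with its own hypothetical `include NAME` directive (the directive belongs to the script, not to Squid). The script name `gen_squid_conf.py`, the template name and the `squid -f` invocation shown in the docstring are assumptions. It refuses include loops and any fragment path that escapes the template's directory.

```python
#!/usr/bin/env python3
"""Minimal squid.conf preprocessor (added example, not Squid's own code).

Assumed invocation, following Henrik's description of the | prefix:
    squid -f '|/usr/local/squid/bin/gen_squid_conf.py /etc/squid/squid.conf.in'
Every line of the template is copied through except lines of the form
    include NAME
which are replaced by the expanded contents of NAME (hypothetical directive).
"""
import re
import sys
from pathlib import Path

INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)\s*$')


class IncludeError(Exception):
    """Raised on a missing, out-of-tree or cyclic include."""


def expand(text, loader, stack=()):
    """Expand 'include NAME' lines in text and return the result as a string.

    loader(name) returns the fragment text or raises KeyError.
    stack is the chain of fragment names currently being expanded, so a
    loop such as a -> b -> a is reported instead of recursing forever.
    """
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
            continue
        name = m.group(1)
        if name in stack:
            raise IncludeError('include loop: %s' % ' -> '.join(stack + (name,)))
        try:
            fragment = loader(name)
        except KeyError:
            raise IncludeError('line %d: cannot include %r' % (lineno, name))
        # Mark the boundaries so "squid -k parse" errors can be traced back.
        out.append('# begin include %s' % name)
        out.append(expand(fragment, loader, stack + (name,)))
        out.append('# end include %s' % name)
    return '\n'.join(out)


def file_loader(base_dir):
    """Return a loader that only reads fragments below base_dir."""
    base = Path(base_dir).resolve()

    def load(name):
        path = (base / name).resolve()
        # Refuse "../../etc/passwd"-style names that leave the config tree.
        if base not in path.parents:
            raise KeyError(name)
        if not path.is_file():
            raise KeyError(name)
        return path.read_text()
    return load


def main(argv):
    if len(argv) != 2:
        sys.stderr.write('usage: gen_squid_conf.py TEMPLATE\n')
        return 2
    template = Path(argv[1])
    try:
        sys.stdout.write(expand(template.read_text(),
                                file_loader(template.parent)) + '\n')
    except IncludeError as e:
        sys.stderr.write('gen_squid_conf: %s\n' % e)
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Because Squid runs the generator as a command, whatever it prints is trusted as configuration, so the generator should be root-owned, not writable by the cache_effective_user, and should only read fragments from the configuration directory, as `file_loader` enforces. A non-zero exit with an empty output is preferable to a half-expanded file.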


Re: [squid-users] smb_auth x squid

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 20.43, Andre Rebitte wrote:
 Hi, I've three win2000 domains without trust. I want my users from
 all domains to access the internet via only one squid at the first
 domain. I've already tested smb_auth via the prompt and it works.
 But via the browser I can't get connected to the internet; it asks for
 the password again all the time.

When using multiple domains the user must enter his full name 
including the domain name. For unqualified login names only the first 
domain name is queried.

Regards
Henrik



Re: [squid-users] --. winbind auth

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 20.52, Alex Carlos Braga Antão wrote:

 I installed winbindd following some manuals found on the
 internet, and it seems that winbind is working correctly, since I
 can run wbinfo -u, wbinfo -g, wbinfo -t and wbinfo -a
 DOMAIN\user%password; all commands succeeded perfectly.

Which version of winbind?

 and on the winbindd log I get:
 [2003/08/15 15:40:07, 0] nsswitch/winbindd.c:process_loop(730)
 process_loop: Invalid request size from pid 596: 1304 bytes sent,
 should be 1312

This indicates you are using helpers designed for another winbind 
version than what you are running. If you are using winbind from 
Samba-3.X then you should be using the helper shipped with Samba, not 
the Samba-2.2.X helpers shipped with Squid.

 Also, when I run getent passwd and getent group, I get only the
 users/groups from the UNIX files, no DOMAIN\user entries...

This is not a problem for Squid. Squid does not require NSS 
integration like the local account login requires.

Regards
Henrik



Re: [squid-users] -- winbind AUTH - resolved, but a doubt remains

2003-08-16 Thread Henrik Nordstrom
On Friday 15 August 2003 22.46, Alex Carlos Braga Antão wrote:

   Now I can authenticate with Squid's wb_group helper, but I've got a
 little problem here. I was browsing, and I removed my user from the
 group I configured to access the internet, but Squid still permitted
 me to browse. I think there is a delay before winbind refreshes the
 group list. How long is it? Or is it not supposed to work like
 this...

It is fully configurable. See the external_acl_type directive 
documentation for how to tune this aspect.



Re: [squid-users] Blocking Kazaa, msn messenger...

2003-08-16 Thread Henrik Nordstrom
On Saturday 16 August 2003 01.54, Sergio Alonso wrote:
 I think I've read all the information in squid's FAQ and user's
 guide but I would like to know if there is a way to block:

 - Kazaa
 - Yahoo Messenger
 - Aol Messenger
 - msn messenger

Only if these non-HTTP applications are running in such a mode that they 
tunnel their traffic over HTTP, and you have firewalled all other 
access to the Internet.

If they do, a quick analysis of access.log while running the 
applications should tell you how to block the use of the applications 
via Squid.

Regards
Henrik
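
The "quick analysis of access.log" Henrik suggests amounts to grouping requests by client and destination host and looking for the repetitive, machine-like traffic that a tunnelled application produces while the user runs it. The script below is an added example, not from the thread or the Squid project: it parses Squid's native access.log format, ranks (client, host) pairs by request count, and turns the hosts found into `dstdomain` lines. The log lines in `SAMPLE_LOG`, the `.test` hostnames, the content type `application/x-chat-tunnel` and the acl name `blocked_apps` are all constructed placeholders, not fingerprints of any real application.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not from the thread):
# time elapsed client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1061000001.123    120 10.123.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1061000002.456     40 10.123.0.5 TCP_DENIED/403 1080 CONNECT chat.example-messenger.test:1863 - NONE/- text/html
1061000003.789     60 10.123.0.5 TCP_MISS/200 310 POST http://gateway.example-messenger.test/tunnel.cgi?Action=open - DIRECT/192.0.2.20 application/x-chat-tunnel
1061000004.012     60 10.123.0.5 TCP_MISS/200 310 POST http://gateway.example-messenger.test/tunnel.cgi?Action=poll - DIRECT/192.0.2.20 application/x-chat-tunnel
1061000005.345     90 10.123.0.7 TCP_HIT/200 20480 GET http://www.example.com/logo.png - NONE/- image/png
1061000006.678     50 10.123.0.7 TCP_MISS/200 640 GET http://p2p-cache.example-p2p.test/.files?x=1 - DIRECT/192.0.2.30 application/octet-stream
1061000007.901     50 10.123.0.7 TCP_MISS/200 640 GET http://p2p-cache.example-p2p.test/.files?x=2 - DIRECT/192.0.2.30 application/octet-stream
"""


def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    _ts, _elapsed, client, result, size, method, url, _ident, _hier, ctype = fields[:10]
    code, _, status = result.partition('/')
    if method == 'CONNECT':            # CONNECT is logged as host:port, no scheme
        host = url.rsplit(':', 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {'client': client, 'code': code, 'status': status, 'bytes': int(size),
            'method': method, 'host': host, 'url': url, 'ctype': ctype}


def summarize(log_text, min_requests=2):
    """Group requests by (client, host); return rows sorted by request count.

    Pairs with fewer than min_requests hits are dropped so one-off browsing
    does not drown the repeated polling a tunnelled application generates.
    """
    groups = defaultdict(lambda: {'requests': 0, 'bytes': 0,
                                  'methods': Counter(), 'ctypes': Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec['client'], rec['host'])]
        g['requests'] += 1
        g['bytes'] += rec['bytes']
        g['methods'][rec['method']] += 1
        g['ctypes'][rec['ctype']] += 1
    rows = []
    for (client, host), g in groups.items():
        if g['requests'] < min_requests:
            continue
        rows.append({'client': client, 'host': host, 'requests': g['requests'],
                     'bytes': g['bytes'], 'methods': sorted(g['methods']),
                     'ctypes': sorted(g['ctypes'])})
    rows.sort(key=lambda r: (-r['requests'], r['client'], r['host']))
    return rows


def dstdomain_acl(rows, name='blocked_apps'):
    """Turn the hosts found into squid.conf lines (acl name is an assumption)."""
    hosts = sorted({r['host'] for r in rows})
    if not hosts:
        return []
    return ['acl %s dstdomain %s' % (name, ' '.join(hosts)),
            'http_access deny %s' % name]


if __name__ == '__main__':
    rows = summarize(SAMPLE_LOG)
    for r in rows:
        print('%-12s %-35s %4d req %8d bytes %s %s'
              % (r['client'], r['host'], r['requests'], r['bytes'],
                 ','.join(r['methods']), ','.join(r['ctypes'])))
    print('\n'.join(dstdomain_acl(rows)))
```

Run it against a real access.log captured while the application is in use, then review the top rows by hand before pasting the generated lines into squid.conf: the `http_access deny` must come before the `http_access allow localnet`-style rules, since Squid stops at the first matching rule, and the deny only helps if, as Henrik notes, the firewall leaves the proxy as the only way out.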


Re: [squid-users] bootstrap.sh

2003-08-16 Thread Henrik Nordstrom
On Saturday 16 August 2003 14.44, ssdd sdsds wrote:
 We had one cache dir on a separate hard disk. It was giving
 errors which were recovered via fsck.
 Now we want to delete that cache and remake it. But when
 deleting the dir it gives an error:
  rm -rf 00
 rm: cannot remove `00/0D/0D44': Input/output error
 rm: cannot remove `00/0D/0DBD': Input/output error
 rm: cannot remove directory `00/0D': Directory not
 empty


Your drive seems to be broken; alternatively fsck did not fully repair 
the filesystem structure. My bet is on the first.

The suggested action is to run a surface analysis of the hard drive. If no 
media errors are found then newfs the cache partition.

Also check your cables etc.

Regards
Henrik



Re: [squid-users] delay pools problem

2003-08-16 Thread Henrik Nordstrom
On Saturday 16 August 2003 15.40, Jun Tanamal wrote:

 acl magic_words1 url_regex -i 10.123 10.124

What is magic_words1 supposed to match?

 acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm
 .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

The above regex patterns are not correct. They should read \.exe$ \.mp3$ 
etc., or else they will match a whole lot more than you intend.

Regards
Henrik

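
Two of Henrik's corrections in this digest are mechanical enough to check automatically: an acl name may not be reused with a different acl type (the `acl ldap proxy_auth` / `acl ldap src` pair in the Squid + LDAP thread), and a `url_regex` pattern written as `.exe` is an unescaped, unanchored regex that matches any character followed by `exe` anywhere in the URL (the delay pools reply above). The linter below is an added example, not code from Squid or from either poster; `SAMPLE_CONF` is a constructed fragment built from those two threads, and `url_matches` evaluates an acl's patterns the way Squid does (any pattern matching wins, `-i` meaning case-insensitive) so the difference between `.rar` and `\.rar$` can be seen on a URL.

```python
import re

ACL_RE = re.compile(r'^\s*acl\s+(\S+)\s+(\S+)\s*(.*)$')
REGEX_TYPES = {'url_regex', 'urlpath_regex'}
# A pattern written like ".exe" or ".tar.gz": dot unescaped, no end anchor.
BARE_EXT_RE = re.compile(r'^(\.[A-Za-z0-9]+)+$')


def parse_acls(conf_text):
    """Yield (lineno, name, type, args) for every acl line, comments stripped."""
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split('#', 1)[0]
        m = ACL_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2), m.group(3).split()


def anchored(pattern):
    """Rewrite ".exe" as "\\.exe$", the form Henrik recommends."""
    return pattern.replace('.', r'\.') + '$'


def lint(conf_text):
    """Return human-readable findings for the two mistakes discussed above."""
    findings = []
    first_type = {}
    for lineno, name, acltype, args in parse_acls(conf_text):
        # 1. One acl name, one acl type.
        acltype0, lineno0 = first_type.setdefault(name, (acltype, lineno))
        if acltype0 != acltype:
            findings.append('line %d: acl %r is %s here but %s on line %d'
                            % (lineno, name, acltype, acltype0, lineno0))
        # 2. Extension patterns that are neither escaped nor anchored.
        if acltype in REGEX_TYPES:
            for pat in args:
                if pat != '-i' and BARE_EXT_RE.match(pat):
                    findings.append('line %d: acl %r pattern %s is unescaped and '
                                    'unanchored; use %s'
                                    % (lineno, name, pat, anchored(pat)))
    return findings


def url_matches(acl_args, url):
    """Evaluate a url_regex acl like Squid: case-insensitive with -i, any hit wins."""
    flags = re.IGNORECASE if '-i' in acl_args else 0
    return any(re.search(p, url, flags) for p in acl_args if p != '-i')


# Constructed fragment combining the two threads' acl lines.
SAMPLE_CONF = '\n'.join([
    'acl ldap proxy_auth REQUIRED',
    'acl ldap src 0.0.0.0/0.0.0.0',
    'acl magic_words2 url_regex -i .exe .mp3 .rar .mov',
    r'acl downloads url_regex -i \.exe$ \.mp3$ \.rar$ \.mov$',
])

if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF):
        print(finding)
    url = 'http://www.example.com/library/index.html'
    print('.rar matches %s: %s' % (url, url_matches(['-i', '.rar'], url)))
    print(r'\.rar$ matches %s: %s' % (url, url_matches(['-i', r'\.rar$'], url)))
```

The `$` anchor has a caveat worth knowing before relying on it for a delay pool: Squid matches `url_regex` against the whole URL, so `http://host/file.exe?session=1` does not match `\.exe$`; if query strings are expected on downloads, `urlpath_regex` on the path, or a pattern allowing an optional `\?.*`, is the safer choice.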


[squid-users] Squid3: ftp gateway in accelerator mode

2003-08-16 Thread Jim Flowers
I admit I'm confused.  I'm trying to set up an accelerator that will allow 
access to both http and ftp on an origin server via browser around a 
firewall.  My squid.conf has:

squid.conf
--
http_port a.b.c.d:80 vhost defaultsite=accel.domain.com
cache_peer e.f.g.h parent 80 0 no-query originserver name=vhost1.domain.com
http_access allow all (for testing)
acl vhost1_domains dstdomain www.domain1.com www.domain2.com
cache_peer_access vhost1.domain.com allow vhost1_domains
never_direct allow all

DNS
---
accel.domain.com IN A a.b.c.d
www.domain1.com IN CNAME accel.domain.com.
www.domain2.com IN CNAME accel.domain.com
vhost1.domain.com IN A e.f.g.h

When I enter ftp://www.domain1.com in my (ie6) browser a query is sent to 
a.b.c.d on port 21 that is acked (tcpdump) but the browser displays a popup 
ftp Folder Error window saying 'a connection with the server cannot be 
established'.  There is no attempt at a connection with e.f.g.h.

What is the correct way to configure squid to do this?

--
Jim Flowers[EMAIL PROTECTED]


Re: [squid-users] Squid3: ftp gateway in accelerator mode

2003-08-16 Thread Henrik Nordstrom
On Saturday 16 August 2003 17.09, Jim Flowers wrote:
 I admit I'm confused.  I'm trying to set up an accelerator that
 will allow access to both http and ftp on an origin server via
 browser around a firewall.

 When I enter ftp://www.domain1.com in my (ie6) browser a query is
 sent to a.b.c.d on port 21 that is acked (tcpdump) but the browser
 displays a popup ftp Folder Error window saying 'a connection with
 the server cannot be established'.  There is no attempt at a
 connection with e.f.g.h.

Squid is an HTTP proxy, not an FTP proxy.

What is possible is to set up http access to the content of the FTP 
server via a redirector rewriting the accelerated URLs to ftp://, but 
you can not connect to Squid using FTP.

Regards
Henrik



[squid-users] Re: [Squid Users] Re: squid_ldap_group

2003-08-16 Thread Henrik Nordstrom
The two searches below show no resemblance to each other. The 
squid_ldap_group options which match your ldapsearch command are

 squid_ldap_group -b "DC=MyLDAP,DC=Domain" -D "CN=etc etc,CN=Users,DC=MyLDAP,DC=Domain" -w etc -h LDAPSERVER -f "(&(objectClass=User)(sAMAccountName=%u)(memberOf=CN=%g,CN=Users,DC=MyLDAP,DC=Domain))"


Your squid_ldap_group search pattern (-f option) does not look 
correct. There is no reference to what group to look for. Also, using 
the %u/%g codes of the 2.5.STABLE3 helper makes it a lot easier to 
understand what is what.

Note: The Squid configure flags are irrelevant. Only the 
squid_ldap_group command line options matter.

For further help with squid_ldap_group please use the squid-users 
mailing list.


Regards
Henrik

On Saturday 16 August 2003 19.51, you wrote:
 Hi Henrik,


 So Sooorryy to do this to you but I have been sitting on this
 for a whole week chasing my tail with getting the right syntax. I
 am using Squid Cache: Version 2.5.STABLE3
 configure options:  --enable-basic-auth-helper=ldap_auth
 --enable-external-acl-helpers=ldap_group --enable-kill-parent-hack
 --enable-snmp to connect to a Windows2K Active Directory.

 I tried to test the squid_ldap_group module with the following
 result:

 # /usr/local/squid/libexec/squid_ldap_group -b "DC=MyLDAP,DC=Domain" -D "CN=etc etc,CN=Users,DC=MyLDAP,DC=Domain" -w etc -h LDAPSERVER -f "(&(objectClass=group)(CN=%a))" -F "(&(sAMAccountName=%s)(objectClass=User))" -d -v1 etc proxy_access
 Connected OK
 user filter (&(sAMAccountName=etc)(objectClass=User))
 squid_ldap_group WARNING, LDAP search error 'Operations error'
 ERR

 yet when I do
 ldapsearch -b "DC=MyLDAP,DC=Domain" -D "CN=etc etc,CN=Users,DC=MyLDAP,DC=Domain" -w etc -h LDAPSERVER "(&(objectClass=User)(sAMAccountName=etc)(memberOf=CN=proxy_access,CN=Users,DC=MyLDAP,DC=Domain))"
 it returns all the user attributes

 I must be doing something wrong

 Can you please help.

 Kind Regards



[squid-users] NTLM but still got pop-ups /w IE ?

2003-08-16 Thread Arief Kurniawan
Thanks to Henrik, I got the big picture of squid auth. Now I've got this:
- Samba 2.2.8a installed.
- Squid 2.5 Stable 3 running well, configured with:
./configure --sysconfdir=/etc/squid --enable-poll --enable-snmp 
--enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind 
--enable-external-acl-helpers=winbind_group,wbinfo_group 
--enable-ntlm-auth-helpers=winbind

Squid without authentication runs well. But with authentication, the 
pop-up asking for Username & password always shows up, even with IE 6.0.
Is there something else I missed?

Regards,

Arief K

- squid.conf -

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/cache/squid 100 16 256

#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440
refresh_pattern .           0       20%     4320
acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow all AuthorizedUsers
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
visible_hostname h07mis12

http_reply_access allow all
icp_access allow all
coredump_dir /var/cache 



Re: [squid-users] NTLM but still got pop-ups /w IE ?

2003-08-16 Thread Robert Collins
On Sun, 2003-08-17 at 09:39, Arief Kurniawan wrote:
 
 Squid without authentication runs well. But with authentication, the 
 pop-up asking for Username & password always shows up, even with IE 6.0.
 Is there something else I missed?

Try IE 5.5. IE 6 has more bugs than I've fingers to count on.

Rob


Re: [squid-users] NTLM but still got pop-ups /w IE ?

2003-08-16 Thread Arief Kurniawan
Still got the same result; I used my laptop with IE 5.5. Any suggestions?

Regards,

Arief K

At 09:48 AM 8/17/2003 +1000, Robert Collins wrote:
On Sun, 2003-08-17 at 09:39, Arief Kurniawan wrote:

 Squid without authentication runs well. But with authentication, the
 pop-up asking for Username & password always shows up, even with IE 6.0.
 Is there something else I missed?
Try IE 5.5. IE 6 has more bugs than I've fingers to count on.

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.