[squid-users] prevent users from downloading very large files from internet ONLY

2003-09-04 Thread Karmila Sari
Hi,

I would like to prevent users from downloading very
large files from the internet ONLY, but allow unlimited
download size from our local web server. I've
constructed the ACL as below, but it seems it is not
working.

acl weblocal dst 192.168.1.0/255.255.255.0
acl subnetA src 192.168.2.0/255.255.255.0
acl SubnetB src 192.168.3.0/255.255.255.0

reply_body_max_size 1048576 allow subnetA #10MB
reply_body_max_size 1048576 allow subnetB #10MB
reply_body_max_size 0 allow weblocal  #unlimited

Would you please point me to the right direction? Any
help would be great!

regards,
karmila



__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


[squid-users] Memory leak on epoll support in IA64

2003-09-04 Thread MUTHUKUMAR KANDASAMY
Hello Adam and all,

I am Muthukumar, working on epoll development for Squid. I am working on the
IA64 platform. I have tested Squid with epoll at 300 req/sec, but after
that it is consuming more than 1.9 GB out of 2.0 GB. On Adam's advice, I
have changed the swap memory from 1945.634 to 256.000.

[Try shrinking your swap partition in half (to about 1 GB) and see if that
improves your memory situation. You don't have to reboot the
system - just use swapoff to turn off the swap space, use parted to resize
it (check /etc/fstab for the minor partition # first), then use
swapon to turn it back on ]

But Squid is still exiting due to:
Sep  4 11:10:19 pandia squid[1184]: Squid Parent: child process 1186 started
Sep  4 11:15:40 pandia kernel: Out of Memory: Killed process 1186 (squid).
Sep  4 11:15:40 pandia squid[1184]: Squid Parent: child process 1186 exited
due to signal 9

I have tuned these kernel parameters:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
fs.file-max = 16384
net.ipv4.ipfrag_low_thresh = 90
net.ipv4.ipfrag_high_thresh = 100
net.ipv4.ipfrag_time = 45
net.ipv4.tcp_rmem = 200  225 250
net.ipv4.tcp_wmem = 100  125 150
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.core.rmem_max = 150
net.core.rmem_default = 150
net.core.wmem_max = 100
net.core.wmem_default = 100
I have built Squid with these configure options:

'--prefix=/usr/local/squidepoll' '--enable-epoll' '--disable-poll'
'--disable-select' '--disable-kqueue' '--enable-storeio=null,aufs,ufs'
'--with-file-descriptors=16384' '--enable-async-io=16' '--with-pthreads'

I have tried a lot to satisfy more than 300 requests, but I can't make it.
Must any other parameter be tuned for good performance?

So please suggest some information regarding this. Regarding the kernel,
I am using sys_epoll-enabled 2.4.20 on IA64. I have made it with the
sys_epoll patch and the IA64 patch. Using the sys_call in entry.S, I have
used the epoll support on IA64.

I want to know whether this effect comes from the IA64 kernel or from
squid-3.0-pre3. The 300 req test also consumed up to 1.8 GB. So
please tell me some way to improve Squid for epoll support. The kernel
series 2.5 and 2.6 support sys_epoll, but is there any effect of the
kernel on Squid-3.0-pre?

I have enabled epoll on 2.4.20 manually, unlike the default on 2.5 and
2.6. So I think there is no effect of the kernel on Squid-3.0 regarding
the memory leak.
Is there any way to improve squid-3.0-pre3 for epoll support?

Thanks in advance.

Muthukumar


AW: WG: [squid-users] problem installing squid 3.0 PRE3

2003-09-04 Thread Werner . Rost
OK, I repeated the step carefully:

cd  /usr/local/squid-3.0-PRE3
./configure --enable-auth=ntlm,basic \
--enable-external-acl-helpers=winbind_group,wbinfo_group \
--enable-basic-auth-helpers=winbind \
--enable-ntlm-auth-helpers=winbind \
--prefix=/usr/local/squid

and got an error message:

  ...
config.status: include/autoconf.h is unchanged
config.status: executing depfiles commands
configure: configuring in lib/libTrie
configure: running /bin/ksh './configure' --prefix=/usr/local/squid '--enable-auth=ntlm,basic' '--enable-external-acl-helpers=winbind_group,wbinfo_group' '--enable-basic-auth-helpers=winbind' '--enable-ntlm-auth-helpers=winbind' '--prefix=/usr/local/squid' --cache-file=/dev/null --srcdir=.
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking for C++ compiler default output... configure: error: C++ compiler cannot create executables
See `config.log' for more details.
configure: error: /bin/ksh './configure' failed for lib/libTrie


Makefile is created, but make all gives:

No suffix list.
Making all in lib
Making all in libTrie
Make: Don't know how to make all.  Stop.
*** Exit 1
Stop.
*** Exit 1
Stop.


Kind regards
 
Werner Rost
GM-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175
53175 Bonn
 
Tel. +49 228 38 25 - 420
Fax +49 228 38 25 - 398
mailto:[EMAIL PROTECTED]
www.zf.com/boge-elastmetall
 
 


 -Original Message-
 From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 3 September 2003 16:41
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: WG: [squid-users] problem installing squid 3.0 PRE3
 
 
 On Wednesday 03 September 2003 15.47, [EMAIL PROTECTED] wrote:
 
  Robert, Henrik: Should I create an entry in bugzilla?
 
 Please try to answer the questions asked by Robert first [see below].
 
 configure.log shows a trace of all the tests configure performs, and 
 many of these tests are supposed to fail. The configure.log output 
 you provided is all normal as the failed test is the test if you are 
 using GCC, which you are not so the test is supposed to fail on 
 choke me. 
 
 Do you get any errors printed on the screen when you run configure?
 
 
 
   -Original Message-
   From: Robert Collins [mailto:[EMAIL PROTECTED]
   Sent: Saturday, 30 August 2003 09:06
   To: [EMAIL PROTECTED]
   Cc: Squid Users
   Subject: Re: [squid-users] problem installing squid 3.0 PRE3
  
   On Sat, 2003-08-30 at 00:25, [EMAIL PROTECTED] wrote:
The configure command runs without error messages, but does
  
   not create
  
a Makefile. Therefore the command make all gives:
   
 Make: Don't know how to make all.  Stop.
   
What is wrong?
  
   I'm not sure. The output sure indicates that it's creating a 
   Makefile.
  
   Does it create a config.log? config.status?
  
   Cheers,
   Rob
  
  
   --
   GPG key available at: 
   http://members.aardvark.net.au/lifeless/keys.txt.
 
 -- 
 Donations welcome if you consider my Free Squid support 
 helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
 
 If you need commercial Squid support or cost effective Squid 
 or firewall appliances please refer to MARA Systems AB, 
 Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
 


Re: AW: WG: [squid-users] problem installing squid 3.0 PRE3

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 08.28, [EMAIL PROTECTED] wrote:
 configure: configuring in lib/libTrie
 configure: running /bin/ksh './configure' --prefix=/usr/local/squid
 '--enable-auth=ntlm,basic' 
 '--enable-external-acl-helpers=winbind_group,wbinfo_group'
 '--enable-basic-auth-helpers=winbind'
 '--enable-ntlm-auth-helpers=winbind' '--prefix=/usr/local/squid'
 --cache-file=/dev/null --srcdir=.

 checking for g++... no
 checking for c++... no
 checking for gpp... no
 checking for aCC... no
 checking for CC... no
 checking for cxx... no
 checking for cc++... no
 checking for cl... no
 checking for FCC... no
 checking for KCC... no
 checking for RCC... no
 checking for xlC_r... no
 checking for xlC... no
 checking for C++ compiler default output... configure: error: C++
 compiler cannot create executables
 See `config.log' for more details.


This does not look good, assuming you do have a C++ compiler installed 
and in your PATH?

If you have, please open a bug report with the above output and attach 
the content of lib/libTrie/config.log to this report.

Regards
Henrik


[squid-users] SquidNT 2.5 STABLE3 + NTLM = Access Denied.

2003-09-04 Thread Nicko
Hello,

I tried to use NTLM (Basic with NTAUTH and GROUP_CHECK works perfectly) but
with NTLM that doesn't work.

my squid.conf:
auth_param ntlm program c:/progra~1/squid/libexec/ntlm_win32_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

my acl:
external_acl_type NT_local_group %LOGIN
c:/progra~1/squid/libexec/win32_check_group.exe
acl LProxyUsers external NT_local_group LProxyUsers
acl password proxy_auth REQUIRED
http_access allow password LProxyUsers
http_access deny all

my config:
SquidNT is installed on a French Windows 2000 Pro SP4. I created a local
group LProxyUsers with 2 accounts (Administrateur, the local admin, and
Administrator, the admin of my XP client). I tried with two clients: Windows
XP Pro US and the Windows 2000 directly...
I get an error message in IE: the page cannot be displayed ...

In the SquidNT log I found:
1062618185.984  0 192.168.1.2 TCP_DENIED/407 1690 GET
http://www.google.fr/ - NONE/- text/html
1062618186.031 31 192.168.1.2 TCP_DENIED/407 1702 GET
http://www.google.fr/ - NONE/- text/html

If I repeat with basic, it works perfectly...

Any idea?

Thanks

Nicko



Re: [squid-users] Accelerator proxy redirect question.

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 02.35, Thad Irvin wrote:
 I'm trying to set up squid to do proxy redirects for hosts that are
 positioned behind the squid host.  My current configuration is as
 follows.

 Squid Proxy: listens on port 80.
 Accelerator Host 1.1.1.212 Port 8080
 Accelerator Host 1.1.1.211 Port 3000

 The FQDN on the outside of the proxy for the individual hosts:
 http://www.domainname.com  --- Should come in to squid on port
 80, then redirect to host 1.1.1.212:8080.

 http://webmail.domainname.com  --- Should come in to squid on
 port 80, then redirect to host 1.1.1.211:3000.


To do this with Squid-2.5 you require the use of a redirector helper 
which rewrites www.domainname.com and webmail.domainname.com to their 
internal ip:port and the following squid.conf settings

  httpd_accel_host www.domainname.com
  httpd_accel_port 80
  httpd_accel_uses_host_header on

  redirect_program /path/to/your/redirector

  acl accelerated_domains dstdomain www.domainname.com 
webmail.domainname.com
  acl HTTP protocol HTTP
  acl port80 port 80
  http_access allow accelerated_domains HTTP port80
  http_access deny all

However, I would strongly recommend moving the internal servers to 
port 80 on their respective servers. This avoids the need to change 
the URL in the reverse proxy (the redirector helper) and a 
bunch of ugly side effects of having different URLs externally and 
internally. In such a setup just add the accelerated domains to 
/etc/hosts with the addresses of their internal servers and Squid 
will know where to go.

In Squid-3 the setup will be different, using cache_peer and 
cache_peer_access to forward the requests to their corresponding 
servers.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]

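As an added illustration of the redirector helper Henrik describes (this is example code, not from the thread or the Squid project): a minimal `redirect_program` in the classic Squid-2.5 helper protocol. Squid writes one request per line (`URL client_ip/fqdn ident method`) and expects one reply line per request, either the rewritten URL or an empty line meaning "leave it alone". The host-to-backend map uses the addresses and ports from Thad's message; it is also the allow-list, so only those two hostnames are ever rewritten and a request for any other host passes through unchanged.

```python
#!/usr/bin/env python3
"""Example Squid-2.5 style redirector (added example, not the project's code).

Rewrites the two public hostnames from the thread to their internal
servers and leaves every other URL untouched.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Public hostname -> (internal address, port), as given in the thread.
# Only hosts listed here are rewritten: the map doubles as the allow-list.
BACKENDS = {
    "www.domainname.com": ("1.1.1.212", 8080),
    "webmail.domainname.com": ("1.1.1.211", 3000),
}


def rewrite(url):
    """Return the internal URL for a known public host, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    host = parts.hostname            # already lower-cased by urlsplit
    if host is None or host not in BACKENDS:
        return None
    addr, port = BACKENDS[host]
    # Keep path, query and fragment; replace only scheme authority part.
    return urlunsplit((parts.scheme, "%s:%d" % (addr, port),
                       parts.path, parts.query, parts.fragment))


def handle_line(line):
    """One protocol line in, one reply line out ("" = no change)."""
    fields = line.split()
    if not fields:
        return ""
    return rewrite(fields[0]) or ""


def main():
    # Squid sends a line and waits for the reply; flush after each reply or
    # the helper appears to hang.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point `redirect_program` at this script (path and interpreter are whatever your installation uses). Because unknown hosts get an empty reply, a typo in the map fails closed to "no rewrite" rather than sending traffic somewhere unexpected, which is the behaviour you want from anything sitting in the reverse-proxy path.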

Re: [squid-users] access.log redundancies and page cost

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 00.35, Phil Lucs wrote:

 Ok, this is making some sense to me. I'm thinking that we sort
 based on time, then there should be some millisecond - second
 discrepancy between each forwarded cache request and then we can
 follow the path until a HIT or MISS (go to ISP) is encountered. To
 further make things a little safer some access.log checks can be
 made, such as making checks on content, and url requested, or an
 algorithmic check from each node - by keeping a handle to the
 previous node to make sure it requested the same content, url
 requested and for the return path, the same number of bytes.

Complications:

The number of bytes may differ slightly due to header modifications.

The graph may have more than one branch in case there are multiple 
possible paths and an error is encountered while exploring one of the 
paths.




Re: [squid-users] trouble installing patch (can't find right squid version)

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 02.28, Andrew Nelson wrote:

 I'm trying to install the X-Forwarded-For patch described here:
 http://devel.squid-cache.org/follow_xff/

 I want to use the Squid-2.5 version, but can the actual
 squid source that it applies to..  Can anyone provide me with
 a link that this patch will work for?

Tried to apply the Squid-2.5 version of the patch to the current 
Squid-2.5 sources and it seemed to apply fine (no rejects). Have not 
tried to compile with the patch.

What problems do you get when trying to apply the patch?



Re: [squid-users] prevent users from downloading very large files from internet ONLY

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 08.08, Karmila Sari wrote:
 acl weblocal dst 192.168.1.0/255.255.255.0
 acl subnetA src 192.168.2.0/255.255.255.0
 acl SubnetB src 192.168.3.0/255.255.255.0

 reply_body_max_size 1048576 allow subnetA #10MB
 reply_body_max_size 1048576 allow subnetB #10MB
 reply_body_max_size 0 allow weblocal  #unlimited

The first reply_body_max_size Squid finds matching the request is used, 
so for subnetA or subnetB the last rule will never ever be reached.

I think you want to move this rule above the other two.

Regards
Henrik



Re: [squid-users] no proxy browser settings

2003-09-04 Thread Christoph Haas
Hi...

On Thu, Sep 04, 2003 at 11:07:57AM -0700, [EMAIL PROTECTED] wrote:
 I have blocked audio and video sites by having a file
 with all sorts of extensions like (\.rm , \.ram) etc.
 Now the problem is one of my users has her yahoo login as xxx.rm
 and because of this she is unable to login and is stopped by the proxy.

You can try something like this:
acl audiovideo url_regex -i /etc/squid/audiovideo
acl yahoo url_regex -i ^http:\/\/www\.yahoo\.com\/.*xxx\.rom$
http_access deny audiovideo !yahoo

This denies access to the audio/video extensions (being defined in the
/etc/squid/audiovideo file - you are free to put it even in this very
line in the squid.conf if you like) *except* when asking yahoo. The ACL
conditionals are 'and'ed together. The '!' is a negation.

 Now i tried giving yahoo.com in No proxy for settings
 in netscape browser and it is not working (again stopped
 by squid ; tried clearing cache etc..)

I don't recommend playing with the no proxy for field unless really
necessary. If the problem is your proxy configuration then try to fix
that.

 Christoph

-- 
~
~
.signature [Modified] 3 lines --100%--3,41 All


RE: [squid-users] prevent users from downloading very large files from internet ONLY

2003-09-04 Thread Jay Turner
You have defined the ACL name as SubnetB
but you reference it in your reply_body_max rule as subnetB

From memory squid.conf is case-sensitive is it not?

 -Original Message-
 From: Karmila Sari [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 4 September 2003 2:08 PM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] prevent users from downloading very large files
 from internet ONLY
 
 
 Hi,
 
 I would like to prevent users from downloading very
 large files from internet ONLY,but allow unlimited
 download size from our local web server. I've
 construct the ACL as bellow, but it seem it did not
 working.
 
 acl weblocal dst 192.168.1.0/255.255.255.0
 acl subnetA src 192.168.2.0/255.255.255.0
 acl SubnetB src 192.168.3.0/255.255.255.0
 
 reply_body_max_size 1048576 allow subnetA #10MB
 reply_body_max_size 1048576 allow subnetB #10MB
 reply_body_max_size 0 allow weblocal  #unlimited
 
 Would you please point me to the right direction? Any
 help would be great!
 
 regards,
 karmila
 
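Three replies in this digest turn on the same two rules of squid.conf evaluation: the first line of a directive whose ACL terms all match is the one used (Henrik on `reply_body_max_size`; Christoph on `http_access`, where the terms on one line are ANDed and `!` negates one), and ACL names are case-sensitive (Jay). The following is an added example, not code from the thread or from Squid: a small Python evaluator for just that subset (`src`, `dst`, `url_regex` ACLs; `reply_body_max_size` and `http_access` lines). It reports a reference to an ACL that exists only under a different case, and shows that with the original order a client in subnetA still gets the 1048576 limit when fetching from the local web server. The sample configs are constructed from the thread; the yahoo URL in the third one is a hypothetical login path.

```python
import ipaddress
import re

# Constructed: the fragment posted in the thread, and the fixed version
# (weblocal rule moved first as Henrik suggests; ACL name case made
# consistent as Jay points out).
ORIGINAL_CONF = """
acl weblocal dst 192.168.1.0/255.255.255.0
acl subnetA src 192.168.2.0/255.255.255.0
acl SubnetB src 192.168.3.0/255.255.255.0
reply_body_max_size 1048576 allow subnetA #10MB
reply_body_max_size 1048576 allow subnetB #10MB
reply_body_max_size 0 allow weblocal  #unlimited
"""
FIXED_CONF = """
acl weblocal dst 192.168.1.0/255.255.255.0
acl subnetA src 192.168.2.0/255.255.255.0
acl subnetB src 192.168.3.0/255.255.255.0
reply_body_max_size 0 allow weblocal
reply_body_max_size 1048576 allow subnetA
reply_body_max_size 1048576 allow subnetB
"""
# Constructed, in the shape of Christoph's suggestion (patterns inline
# rather than in a file; hypothetical yahoo login path).
FILTER_CONF = r"""
acl everyone src 0.0.0.0/0
acl audiovideo url_regex -i \.rm$ \.ram$
acl yahoo url_regex -i ^http://login\.yahoo\.com/.*xxx\.rm$
http_access deny audiovideo !yahoo
http_access allow everyone
"""


def parse(text):
    """Parse acl, reply_body_max_size and http_access lines, in order.

    Returns (acls, rules, problems). A rule is
    (directive, size_or_None, action, [terms]); a term starting with '!' is negated.
    """
    acls, rules, problems = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        p = line.split()
        if p[0] == "acl":
            name, kind, vals = p[1], p[2], p[3:]
            if kind in ("src", "dst"):
                acls[name] = (kind, [ipaddress.ip_network(v, strict=False) for v in vals])
            elif kind == "url_regex":
                flags = re.I if vals[:1] == ["-i"] else 0
                acls[name] = (kind, [re.compile(v, flags) for v in (vals[1:] if flags else vals)])
            else:
                problems.append("unsupported acl type %r for %s" % (kind, name))
        elif p[0] == "reply_body_max_size":
            rules.append((p[0], int(p[1]), p[2], p[3:]))
        elif p[0] == "http_access":
            rules.append((p[0], None, p[1], p[2:]))
    # ACL names are case-sensitive: flag references that only match a
    # definition when case is ignored (the thread's subnetB vs SubnetB).
    lower = {n.lower(): n for n in acls}
    for directive, _, _, terms in rules:
        for name in (t.lstrip("!") for t in terms):
            if name not in acls:
                hint = " (did you mean %r?)" % lower[name.lower()] if name.lower() in lower else ""
                problems.append("%s references undefined acl %r%s" % (directive, name, hint))
    return acls, rules, problems


def acl_matches(acl, req):
    kind, vals = acl
    if kind in ("src", "dst"):
        return any(ipaddress.ip_address(req[kind]) in net for net in vals)
    return any(rx.search(req["url"]) for rx in vals)


def first_match(rules, acls, req, directive):
    """Squid's rule: the first line of this directive whose terms ALL match
    is used; '!' negates a term; an undefined ACL never matches."""
    for rule in rules:
        if rule[0] != directive:
            continue
        for term in rule[3]:
            negated = term.startswith("!")
            matched = term.lstrip("!") in acls and acl_matches(acls[term.lstrip("!")], req)
            if matched == negated:      # this term fails, try next line
                break
        else:
            return rule
    return None


def reply_size_limit(conf_text, src, dst):
    """Byte limit Squid would apply (0 = unlimited, None = no line matched)."""
    acls, rules, _ = parse(conf_text)
    rule = first_match(rules, acls, {"src": src, "dst": dst, "url": ""}, "reply_body_max_size")
    return None if rule is None else rule[1]


def http_access_action(conf_text, src, url):
    """'allow', 'deny', or None when no http_access line matched."""
    acls, rules, _ = parse(conf_text)
    rule = first_match(rules, acls, {"src": src, "dst": "0.0.0.0", "url": url}, "http_access")
    return None if rule is None else rule[2]


if __name__ == "__main__":
    print(parse(ORIGINAL_CONF)[2])
    print(reply_size_limit(ORIGINAL_CONF, "192.168.2.5", "192.168.1.10"))  # 1048576
    print(reply_size_limit(FIXED_CONF, "192.168.2.5", "192.168.1.10"))     # 0
    print(http_access_action(FILTER_CONF, "192.168.1.2", "http://example.com/song.rm"))  # deny
```

Two things worth noticing when running it: the undefined `subnetB` reference means clients in 192.168.3.0/24 fall through to `weblocal` (or to no rule at all) in the original order, and in the fixed order the local web server rule is reached before the subnet rules, which is exactly Henrik's point. Real Squid also rejects an undefined ACL name at startup, so checking `squid -k parse` before a reload catches the case problem earlier than this script does.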



Re: [squid-users] surf control question

2003-09-04 Thread aqil
On 02-Sep-2003, elPunishar wrote:
 hello everybody,
 
 i have a very general and simple question that i just need answered before i 
 dive into squid.
 
 can i do full surf controlling of the users who are behind the proxy?
 is there an easy way to specify which urls they can visit in which timeframes, 
 which content, and so forth ?
 or is there another good solution for this on linux ? what is the best way to 
 go ?

Time to dive into squid then !

 tnx for your input!
 greetings,
 stu

aqil


Re: [squid-users] customlog patch for squid 3.0?

2003-09-04 Thread Henrik Nordstrom
On Thursday 04 September 2003 10.08, Frank Neumann wrote:
 Or does squid 3 already have the logging capabilities added
 by the patch to squid 2.5?

It has. See the release notes.

Regards
Henrik



Re: [squid-users] no proxy browser settings

2003-09-04 Thread Christoph Haas
On Thu, Sep 04, 2003 at 03:56:57PM -0700, [EMAIL PROTECTED] wrote:
 Thank you for your reply, but I am a little confused. The ACLs I have are
 
 acl list1 url_regex /PROXY/porn
 acl list3 url_regex /PROXY/porn1
 acl dl-filter urlpath_regex -i /PROXY/file_ext.block
 acl yahoo url_regex -i ^http:\/\/\login\.yahoo\.com\/config\/login
 acl MyDenyMIME urlpath_regex -i \.pif \.scr
 
 http_access deny list1 !yahoo
 
 Please check the above and help me with the configuration. This is still
  not working.

Generally it looks right. Enable the ACL debugging (add debug_options
ALL,1 33,2 to your squid.conf) and check the cache.log. It should tell
you which ACL blocks the request if there are more than one http_access
statements. Also try a http_access allow yahoo and see if that works.

 Christoph

P.S.: Please keep the list on Cc. You mailed me directly.



[squid-users] Control Downloads

2003-09-04 Thread Adaíl Oliveira
Hi, is there any way to use per-user quotas in Squid to control the
downloads in a month?

Thanks

A. O.




Re: [squid-users] Control Downloads

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 13.18, Adaíl Oliveira wrote:
 Hi, is there any way to use per-user quotas in Squid to control the
 downloads in a month?

Yes, by using a log processing program which keeps track of the amount of
data downloaded per month, and adds an acl blocking users who have gone
over their quota.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]

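An added example of the log-processing program Henrik describes (example code, not from the thread or Squid): it sums the bytes Squid logged per authenticated user per calendar month from native-format access.log lines and emits the users over a quota as a one-name-per-line file, which an ACL can load from a quoted filename. The log lines are constructed in the native format seen earlier in this digest (`time elapsed client code/status bytes method URL user hierarchy/peer type`); the usernames, the 10 MiB quota and the `/etc/squid/overquota` path are assumptions.

```python
import time
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# The user field is "-" when the request carried no proxy_auth credentials.
SAMPLE_LOG = """\
1062618185.984    0 192.168.1.2 TCP_MISS/200 1690 GET http://www.google.fr/ alice DIRECT/216.239.59.104 text/html
1062618186.031   31 192.168.1.2 TCP_DENIED/407 1702 GET http://www.google.fr/ - NONE/- text/html
1062618200.000  900 192.168.1.3 TCP_MISS/200 52428800 GET http://example.com/big.iso bob DIRECT/192.0.2.10 application/octet-stream
1062618300.000   10 192.168.1.2 TCP_HIT/200 4096 GET http://example.com/ alice NONE/- text/html
"""


def parse_line(line):
    """Return (timestamp, bytes, user) for a native-format line, else None."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return float(f[0]), int(f[4]), f[7]
    except ValueError:
        return None          # malformed line: skip rather than crash


def usage_by_month(lines):
    """Sum logged bytes per (YYYY-MM, user).

    The bytes column is what Squid sent to the client, headers included, so
    totals sit slightly above the body sizes (Henrik's caveat in this digest).
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, size, user = rec
        if user == "-":      # nobody authenticated, nobody to charge
            continue
        month = time.strftime("%Y-%m", time.gmtime(ts))
        totals[(month, user)] += size
    return dict(totals)


def over_quota(totals, month, quota_bytes):
    """Sorted usernames whose total for `month` exceeds the quota."""
    return sorted(u for (m, u), b in totals.items() if m == month and b > quota_bytes)


def acl_file_text(users):
    """One username per line: the form a quoted-filename ACL value loads."""
    return "".join(u + "\n" for u in users)


if __name__ == "__main__":
    totals = usage_by_month(SAMPLE_LOG.splitlines())
    blocked = over_quota(totals, "2003-09", 10 * 1024 * 1024)
    # Write this to /etc/squid/overquota (assumed path) and reference it as
    #   acl overquota proxy_auth "/etc/squid/overquota"
    #   http_access deny overquota
    # placed before the allow line, then `squid -k reconfigure`.
    print(acl_file_text(blocked), end="")
```

Run it from cron once a day over the current month's log; because the ACL file is regenerated from scratch each run, a user drops off the block list automatically when the month rolls over. Keep the `deny overquota` line above the general allow, for the same first-match reason discussed earlier in this digest.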


[squid-users] header_access question

2003-09-04 Thread Jan Van Nieuwenhove
Hi all and thanks for taking time to read my post,

I have a question regarding the header_access option. Does anyone have a
list of all the parameters I can supply the header_access option with?

I am asking this, because:
-) I am using squid in 'paranoid' anonymizer setting
-) I cannot use file attachments in webmail sites like hotmail.com

so, in short, I need the correct parameter-name so I can use something
like this 'header_access parameter allow all' to allow file
attachment-usage in webmail sites.

Thank you,
Best regards,
Jan Van Nieuwenhove



Re: [squid-users] header_access question

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 13.58, Jan Van Nieuwenhove wrote:

 so, in short, I need the correct parameter-name so I can use something
 like this 'header_access parameter allow all' to allow file
 attachment-usage in webmail sites.

Is the problem that you can't attach files to emails, or that you can
not view received files attached to emails?

Regards
Henrik




[squid-users] NAT/Citrix

2003-09-04 Thread Dan Pinkard

What would be the best way to tackle this kind of application? I've got 
two groups of users: group A is behind NAT, and needs to use an 
authentication that isn't by IP. Group B is on a Citrix server and some 
users need different access restrictions. Is it possible to accomplish 
both? Can it be done from a windows/IE client using implicit 
authentication?

Any ideas or directions will be appreciated.

Thanks.



Re: [squid-users] header_access question

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 14.42, Jan Van Nieuwenhove wrote:

 It has nothing to do with email itself but strict html.
 imagine a webmail site (like hotmail.com);
 If I compose and send an email from my hotmail.com account, I have the
 option to upload files which will be used as attachments in the email. Now,
 I do not have this option (to upload files to be used as attachments) ever
 since I enabled 'paranoid' anonymous-mode in squid. Thereby I need the
 'header_access parameter allow all' to allow me to upload files (a
 standard HTML tag, similar to a form, but with POST/GET or something, I am
 not an expert on the subject).


What happens when you try? There should be an error message returned,
what does this error message say?

note: do not use MSIE as MSIE has the odd habit of not showing error
messages to the user, only abstract MS invented error descriptions
Microsoft thinks explain the error better than the real error messages..

Are you sure it is http_access causing the problem and not
request_body_max_size?

Regards
Henrik




Re: [squid-users] squid_ldap_group and Active Directory

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 14.54, fdfhf gjgjj wrote:
 Thank you very much Henrik
 
 - I have read the man page and tested a new command line (I'm trying this
 option first).
 
 I want to test an authentication with a user who belongs to an internetaccess 
 group...


Then you should start with squid_ldap_auth. When you have
squid_ldap_auth running correctly you can move on to squid_ldap_group
for the group membership lookup.

The normal operations of squid_ldap_auth are

0. Optionally bind (login) as a dummy user (by DN) if anonymous searches
are disallowed in the directory (-D+-W arguments)
1. Search for the user in the directory based on the login name (-f
argument)
2. Log in as the user located in step 1 to verify the password

The normal operations of squid_ldap_group are

0. Optionally bind (login) as a dummy user (by DN) if anonymous searches
are disallowed in the directory (-D+-W arguments)
1. Search for the user in the directory (-F argument with the same data
as -f to squid_ldap_auth)
2. Search for the group in the directory and verify that the user is a
member of the group (-f argument).


As you can see squid_ldap_group builds on the same LDAP operations as
squid_ldap_auth, so to get squid_ldap_group running you must first have
squid_ldap_auth running correctly.


It is strongly recommended to play around a little with the ldapsearch
tool to explore the operations of LDAP and how to search for things
(i.e. users or groups) before trying to get
squid_ldap_auth/squid_ldap_group to run, unless one knows exactly the
details of the directory.

LDAP search filters are quite simple in principle but use a different
syntax than most other things in this world, so it takes a couple of
attempts before one understands the filters correctly. The ldapsearch
tool also allows one to try binding to the directory.

The basic syntax of LDAP filters is

  (operation(condition1)(condition2)(...))

and in most cases the operation to use is AND (& in LDAP syntax),

giving the typical filter syntax:

  (&(attribute1=value1)(attribute2=value2)(...))


LDAP as such consists of objects named by their DN and each object has a
list of attributes. Searches can search for attribute/value combinations
(for example where the login attribute is equal to the login name looked
for), and will return the DN of each matching object in the directory
and optionally selected attributes from these objects.

Regards
Henrik



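An added example for the filter syntax Henrik explains and the two-step user/group lookup the helpers perform (example code, not from the thread or from the squid_ldap_auth/squid_ldap_group sources): functions that build the `(&(attr=value)...)` filters, with the login name escaped before it is substituted. The escaping matters because the login name comes from the client: a value such as `*)(objectClass=*` would otherwise change the filter's structure instead of being compared as a literal. Attribute names (`sAMAccountName`, `objectClass=group`, `cn`, `member`) are the usual Active Directory ones and are an assumption here; adjust them to the directory being searched.

```python
def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\xx hex escapes, so the value
    is compared literally and cannot add or close filter items."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def and_filter(*conditions):
    """(&(c1)(c2)...) in the notation used above. Each condition must be a
    complete parenthesised item, so a stray value cannot be passed as one."""
    for c in conditions:
        if not (c.startswith("(") and c.endswith(")")):
            raise ValueError("condition must be parenthesised: %r" % c)
    return "(&" + "".join(conditions) + ")"


def user_search_filter(login, login_attr="sAMAccountName"):
    """Step 1 of squid_ldap_auth: locate the user object by login name.
    login_attr is an assumption (sAMAccountName for Active Directory;
    uid is common in other directories)."""
    return "(%s=%s)" % (login_attr, escape_filter_value(login))


def group_membership_filter(user_dn, group_name):
    """Step 2 of squid_ldap_group: the group object named group_name whose
    member attribute holds the user's DN (attribute names assumed)."""
    return and_filter(
        "(objectClass=group)",
        "(cn=%s)" % escape_filter_value(group_name),
        "(member=%s)" % escape_filter_value(user_dn),
    )


def is_balanced(filt):
    """Cheap sanity check before handing a filter to ldapsearch."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    print(user_search_filter("karmila"))
    print(user_search_filter("*)(objectClass=*"))   # escaped, stays one item
    print(group_membership_filter(
        "CN=Karmila Sari,OU=Users,DC=example,DC=com", "internetaccess"))
```

The printed filters are what you would paste into `ldapsearch` while exploring the directory, as Henrik suggests, before wiring the equivalent `-f` / `-F` templates into the helpers; if the hand-built filter returns the expected DN, the helper configured with the same attribute names will too.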


[squid-users] NTLM auth problems

2003-09-04 Thread Alessandro de Manzano
Hello,

I've been a Squid user for years, but just today I have to configure our
company's main proxy for user authentication / authorization, so I'm a
newbie about NTLM auth, proxy_auth, winbindd and so on ;-)

Client users are on win2k/xp machines in a Windows 2000 mixed-mode
domain (I have a few other Samba servers in the net).

I followed the good instructions of the Squid doc about configuring Samba
(2.2.8a) and winbindd for a Squid (2.5-stable3) box, but I'm
experiencing some weird (to me at least) problems.

Random users got blocked and not only the few my policy should block.

Box is a FreeBSD 4.8-rel machine.

As said, I'm using Samba's winbindd as authenticator and it seems to be
correctly installed and configured since wbinfo -t and wbinfo -a
both work correctly.

Here is my ACL setup in squid.conf:



acl playstos src 192.168.9.0/24
acl playdest dst 192.168.9.0/24

#to allow particular services
acl tomsn dstdomain .msn.com .msn.it .passport.com .msads.net
acl autosrvs dstdomain .ravantivirus.com

#useless currently
acl playauth proxy_auth REQUIRED

# experiment : this to just deny user called Sara
acl lusers proxy_auth sara

# scheduled access for lusers users
acl pauseA time MTWHF 9:30-10:00
acl pauseB time MTWHF 13:30-14:00
acl pauseC time MTWHF 18:00-19:00
acl pauseWE time SA

# per Simone
acl nosimo dstdomain .morula.org
acl sisimo srcdomain morula.playstos.ldr blastula.playstos.ldr
arcadia.playstos.ldr eraser.playstos.ldr

# Here are standard squid.conf ACLs
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

===

and here is http_access setup:

===


#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on localhost is a local user
http_access deny to_localhost

#   HERE are my own settings
http_access allow playdest
http_access allow tomsn
http_access allow autosrvs

#if I comment out the following line all works fine (it of course does
#not authenticate users but everything else works ok)
http_access deny lusers !pauseA !pauseB !pauseC !pauseWE

http_access allow sisimo
http_access deny nosimo

# catch everything else
http_access allow playstos


# And finally deny all other access to this proxy
http_access deny all



Here are the relevant parts of my smb.conf , if interested:



workgroup = PLAYSTOS
security = domain
password server = PITAGORA PLATONE FILESERVER
encrypt passwords = yes
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes



Finally here are my squid.conf's auth_param settings



auth_param ntlm program /usr/local/libexec/wb_ntlmauth
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes




My problem is that I got a bunch of apparently random denies of
actually authorized users!

The above setup should allow access to EVERY user of my Win2K domain
BUT user called sara, and in those pauseX hours allow her too, but
this is not the behaviour I see.

Many other users are blocked with 407 errors, not just sara and not
just in those hours.

Where are my ACLs/http_access lines wrong?
What have I missed?



I really hope someone could help me ! :-)

Every hint is welcome!


Many thanks in advance!




Alessandro de Manzano

Senior Network Manager
Playstos - TIMA S.p.A.
Corso Sempione 63
20149 Milano, Italy

tel.: +39-023314153
fax: +39-02315678
email: [EMAIL 

RE: [squid-users] NTLM auth problems

2003-09-04 Thread Adam Aube
 Random users got blocked and not only the few my policy
 should block.

Go into Cache Manager and take a look at the NTLM Helper statistics -
you may need to increase the number of helpers in your squid.conf. The
requests served by the last 2 - 3 helpers should be few and far
between.

Adam



Re: [squid-users] header_access question

2003-09-04 Thread Jan Van Nieuwenhove
I just found out what the problem is, only I cannot solve it immediately.

The problem is that I don't allow User-Agent headers.
I want to allow User-Agent headers, but only from hotmail.com (or is it
hotmail.msn.com). How can I achieve this?

acl hotmail srcdomain .hotmail.msn.com
header_access User-Agent allow hotmail

this doesn't seem to work :(

Best regards,
Jan


- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Jan Van Nieuwenhove [EMAIL PROTECTED]
Cc: Squid Users [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 3:34 PM
Subject: Re: [squid-users] header_access question


 Thu 2003-09-04 at 14.42 Jan Van Nieuwenhove wrote:

  It has nothing to do with email itself but strict html.
  imagine a webmail site (like hotmail.com);
  If I compose and send an email from my hotmail.com account, I have the
  option to upload files which will be used as attachments in the email. Now,
  I do not have this option (to upload files to be used as attachments) ever
  since I enable 'paranoid' anonymous-mode in squid. Thereby I need the
  'header_access parameter allow all' to allow me to upload files (a
  standard HTML tag, similar to a form, but with POST/GET or something, I am
  not an expert on the subject).


 What happens when you try? There should be an error message returned,
 what does this error message say?

 note: do not use MSIE as MSIE has the odd habit of not showing error
 messages to the user, only abstract MS invented error descriptions
 Microsoft thinks explain the error better than the real error messages..

 Are you sure it is http_access causing the problem and not
 request_body_max_size?

 Regards
 Henrik

 --
 Donations welcome if you consider my Free Squid support helpful.
 https://www.paypal.com/xclick/business=hno%40squid-cache.org

 Please consult the Squid FAQ and other available documentation before
 asking Squid questions, and use the squid-users mailing-list when no
 answer can be found. Private support questions is only answered
 for a fee or as part of a commercial Squid support contract.

 If you need commercial Squid support or cost effective Squid and
 firewall appliances please refer to MARA Systems AB, Sweden
 http://www.marasystems.com/, [EMAIL PROTECTED]






[squid-users] msn messenger

2003-09-04 Thread Mitsue Acosta Murakami
Hi,

Does anybody know how do I block everything except msn messenger?

Thanks,

-- 
Mitsue


RE: [squid-users] NTLM auth problems

2003-09-04 Thread Alessandro de Manzano
On Thu, 4 Sep 2003 10:17:14 -0400, Adam Aube wrote:

 Random users got blocked and not only the few my policy
 should block.

 Go into Cache Manager and take a look at the NTLM Helper statistics -

Ehm, sorry, I don't understand what you are referring to.. :(( Where
should I look?

 you may need to increase the number of helpers in your squid.conf. The
 requests served by the last 2 - 3 helpers should be few and far
 between.

I currently run 10 wb_ntlmauth processes and 5 wb_auth; for about 35
physical users I guess that is enough to start with..


Many thanks for your answer!




Alessandro de Manzano

Senior Network Manager
Playstos - TIMA S.p.A.
Corso Sempione 63
20149 Milano, Italy

tel.: +39-023314153
fax: +39-02315678
email: [EMAIL PROTECTED]

http://www.playstos.com





RE: [squid-users] msn messenger

2003-09-04 Thread Adam Aube
 Does anybody know how do I block everything except msn messenger?

Sure. Search the archives for acls that will match MSN Messenger (try
block MSN Messenger). Set up an acl, then use http_access to deny
everything but that acl.

Adam



Re: [squid-users] msn messenger

2003-09-04 Thread Ilo
Something like this should do it for you; also make sure you do not have any
other ACLs allowing access...

acl MSN req_mime_type -i ^application/x-msn-messenger$
http_access allow MSN
http_access deny all


Thanks,
Ilo.




- Original Message - 
From: Mitsue Acosta Murakami [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 4:19 PM
Subject: [squid-users] msn messenger


 Hi,

 Does anybody know how do I block everything except msn messenger?

 Thanks,

 -- 
 Mitsue



RE: [squid-users] NAT/Citrix

2003-09-04 Thread Adam Aube
 What would be the best way to tackle this kind of
 application? I've got two groups of users: group A
 is behind NAT, and needs to use an authentication
 that isn't by IP. Group B is on a Citrix server and
 some users need different access restrictions. Is it
 possible to accomplish both? Can it be done from a
 windows/IE client using implicit authentication?

By setting up authentication in Squid, you can track and control
access by authenticated usernames and possibly by groups (depending on
the helper you use). Check the FAQ and the archives for authentication
and the proxy_auth and proxy_auth_regex directives.

Adam



RE: [squid-users] NTLM auth problems

2003-09-04 Thread Adam Aube
 Go into Cache Manager and take a look at the NTLM
 Helper statistics -

 ehm sorry I don't understand what are you referring to

Check the Cache Manager section of the Squid FAQ. You'll need some
kind of web server setup (either on the Squid box or another
machine) - Cache Manager is a CGI program that allows access to Squid
info through a web browser.

 I currently run 10 wb_ntlmauth processes and 5 wb_auth,
 for about 35 physical users

There is no hard and fast rule for how many NTLM helpers to use - the
only good way to tell is to use Cache Manager to see how busy the
helpers are. However, increasing the NTLM helpers to 15 might be a
good first step.

Adam



Re: [squid-users] header_access question

2003-09-04 Thread Neil A. Hillard
Jan,

On Thu, 4 Sep 2003, Jan Van Nieuwenhove wrote:

 I just found out what the problem is, only I cannot solve it immediately.
 
 The problem is that I don't allow User-Agent headers.
 I want to allow User-Agent headers, but only from hotmail.com (or is it
 hotmail.msn.com). How can I achieve this?
 
 acl hotmail srcdomain .hotmail.msn.com
 header_access User-Agent allow hotmail
 
 this doesn't seem to work :(
Shouldn't that be:

acl hotmail dstdomain .hotmail.msn.com


???

HTH,


Neil.

 - Original Message -
 From: Henrik Nordstrom [EMAIL PROTECTED]
 To: Jan Van Nieuwenhove [EMAIL PROTECTED]
 Cc: Squid Users [EMAIL PROTECTED]
 Sent: Thursday, September 04, 2003 3:34 PM
 Subject: Re: [squid-users] header_access question
 
 
  Thu 2003-09-04 at 14.42 Jan Van Nieuwenhove wrote:
 
   It has nothing to do with email itself but strict html.
   imagine a webmail site (like hotmail.com);
   If I compose and send an email from my hotmail.com account, I have the
   option to upload files which will be used as attachments in the email. Now,
   I do not have this option (to upload files to be used as attachments) ever
   since I enable 'paranoid' anonymous-mode in squid. Thereby I need the
   'header_access parameter allow all' to allow me to upload files (a
   standard HTML tag, similar to a form, but with POST/GET or something, I am
   not an expert on the subject).
 
 
  What happens when you try? There should be an error message returned,
  what does this error message say?
 
  note: do not use MSIE as MSIE has the odd habit of not showing error
  messages to the user, only abstract MS invented error descriptions
  Microsoft thinks explain the error better than the real error messages..
 
  Are you sure it is http_access causing the problem and not
  request_body_max_size?
 
  Regards
  Henrik
 
  --
  Donations welcome if you consider my Free Squid support helpful.
  https://www.paypal.com/xclick/business=hno%40squid-cache.org
 
  Please consult the Squid FAQ and other available documentation before
  asking Squid questions, and use the squid-users mailing-list when no
  answer can be found. Private support questions is only answered
  for a fee or as part of a commercial Squid support contract.
 
  If you need commercial Squid support or cost effective Squid and
  firewall appliances please refer to MARA Systems AB, Sweden
  http://www.marasystems.com/, [EMAIL PROTECTED]
 
 
 
 

-- 
Neil Hillard[EMAIL PROTECTED]
Westland Helicopters Ltd.   http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.



Re: [squid-users] NAT/Citrix

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 15.06 Dan Pinkard wrote:
 What would be the best way to tackle this kind of application? I've got 
 two groups of users: group A is behind NAT, and needs to use an 
 authentication that isn't by IP. Group B is on a Citrix server and some 
 users need different access restrictions. Is it possible to accomplish 
 both? Can it be done from a windows/IE client using implicit 
 authentication?

Just set up authentication in Squid. You can use both NTLM and Basic
authentication in parallel (normally recommended), no problem there.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users] header_access question

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 16.20 Jan Van Nieuwenhove wrote:
 I just found out what the problem is, only I cannot solve it immediately.
 
 The problem is that I don't allow User-Agent headers.
 I want to allow User-Agent headers, but only from hotmail.com (or is it
 hotmail.msn.com). How can I achieve this?
 
 acl hotmail srcdomain .hotmail.msn.com
 header_access User-Agent allow hotmail


The above should be dstdomain


srcdomain matches the domain name of the client station, not the
requested server.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users]Memory leak problem on epoll i/o squid on IA64

2003-09-04 Thread David Nicklay
Hi,

MUTHUKUMAR KANDASAMY wrote:
Hello all ,
In the compilation of squid, I used cache_mem 1200 MB cache_dir null
The cache line looks fine, I doubt that is causing you problems

fs.file-max = 16384
That should probably be higher, like 32786 or something higher...

net.ipv4.ipfrag_low_thresh = 90
net.ipv4.ipfrag_high_thresh = 100
net.ipv4.ipfrag_time = 45
net.ipv4.tcp_rmem = 200  225 250
net.ipv4.tcp_wmem = 100  125 150
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.core.rmem_max = 150
net.core.rmem_default = 150
net.core.wmem_max = 100
net.core.wmem_default = 100
What the heck?  Why are your settings set to such insane levels?  The 
first number in net.ipv4.tcp_wmem and net.ipv4.tcp_rmem would cause you 
problems.

tcp_wmem - vector of 3 INTEGERs: min, default, max
min: Amount of memory reserved for send buffers for TCP socket.
Each TCP socket has rights to use it due to fact of its birth.
Default: 4K
tcp_rmem - vector of 3 INTEGERs: min, default, max
min: Minimal size of receive buffer used by TCP sockets.
It is guaranteed to each TCP socket, even under moderate memory
pressure.
Default: 8K
Taking a wild stab, and saying 256 file descriptors open, that means 
something on the order of:

256 * (200 + 100) = 768 MB (and that is MINIMUM even under 
moderate memory pressure)

Lower all of your numbers down to a sane level

--
David Nicklay
Location: CNN Center - SE0811A
Office: 404-827-2698 / Cell: 404-545-6218


[Fwd: Re: [squid-users]Memory leak problem on epoll i/o squid on IA64]

2003-09-04 Thread David Nicklay


Re: [squid-users] header_access question

2003-09-04 Thread Jan Van Nieuwenhove
I tried both dstdomain and srcdomain, neither of them seem to work :(


- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Jan Van Nieuwenhove [EMAIL PROTECTED]
Cc: Squid Users [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 5:04 PM
Subject: Re: [squid-users] header_access question


 Thu 2003-09-04 at 16.20 Jan Van Nieuwenhove wrote:
  I just found out what the problem is, only I cannot solve it immediately.
 
  The problem is that I don't allow User-Agent headers.
  I want to allow User-Agent headers, but only from hotmail.com (or is it
  hotmail.msn.com). How can I achieve this?
 
  acl hotmail srcdomain .hotmail.msn.com
  header_access User-Agent allow hotmail


 The above should be dstdomain


 srcdomain matches the domain name of the client station, not the
 requested server.

 Regards
 Henrik

 --
 Donations welcome if you consider my Free Squid support helpful.
 https://www.paypal.com/xclick/business=hno%40squid-cache.org

 Please consult the Squid FAQ and other available documentation before
 asking Squid questions, and use the squid-users mailing-list when no
 answer can be found. Private support questions is only answered
 for a fee or as part of a commercial Squid support contract.

 If you need commercial Squid support or cost effective Squid and
 firewall appliances please refer to MARA Systems AB, Sweden
 http://www.marasystems.com/, [EMAIL PROTECTED]






[squid-users] ncsa authentication

2003-09-04 Thread apoteke
Do you have any documentation about ncsa authentication on squid? Please
help me!!!



Re: [squid-users] ncsa authentication

2003-09-04 Thread Henrik Nordstrom
Thu 2003-09-04 at 19.15 apoteke wrote:
 Do you have any documentation about ncsa authentication on squid? Please
 help me!!!

There is plenty.

See the Squid FAQ and mail archives. 
-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



RE: [squid-users] ACL ?

2003-09-04 Thread Guillermo Ettlin
OK.

With this rule everything works, except MSN Messenger.

In the access.log it says:

1062598861.194  1 172.16.1.1 TCP_DENIED/407 1712 CONNECT loginnet.passport.com:443 - NONE/- text/html

I need to set up two groups, one with full access and the other with
browser access only.



-Original Message-
From: Christoph Haas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2003 17:08
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] ACL ?


On Wed, Sep 03, 2003 at 12:49:32PM -0300, Guillermo Ettlin wrote:
 I put this acl for external ldap group:
 
 acl users proxy_auth REQUIRED
 acl grupo external ldap_group weberos
 http_access allow grupo
 
 But MSN doesn't work?

What does MSN have to do with LDAP authentication? Please elaborate if
you expect competent help. What URL? What error?

 Christoph

-- 

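The access.log line above is the pattern of a client that is challenged with 407 but never answers with credentials, which is how a non-browser program (here MSN Messenger) shows up when proxy authentication is required. The following parser and per-client summary is an added example written for this thread, not part of any post; the log format is Squid's native access.log layout, the sample records other than the one from the post are constructed, and all function names are my own.

```python
import re
from collections import defaultdict

# Squid native access.log layout, one record per line, whitespace separated:
#   time.ms elapsed client action/status bytes method URL user hierarchy/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return a dict for one native-format record, or None if it does not parse."""
    m = SQUID_NATIVE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def auth_summary(lines):
    """Per client: number of 407 challenges received, the hosts they were
    issued for, and whether the client ever completed proxy authentication
    (a record whose user field is something other than '-')."""
    summary = defaultdict(lambda: {"challenges": 0, "authenticated": False,
                                   "challenged_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a native-format record; skip rather than guess
        entry = summary[rec["client"]]
        if rec["status"] == 407:
            entry["challenges"] += 1
            # CONNECT records carry host:port, other methods a full URL
            host = rec["url"].split("://")[-1].split("/")[0]
            entry["challenged_hosts"].add(host)
        elif rec["user"] != "-":
            entry["authenticated"] = True
    return summary

def clients_stuck_on_407(lines):
    """Clients that were challenged but never sent credentials: the signature
    of software that cannot do proxy authentication, not of a wrong password."""
    return sorted(client for client, entry in auth_summary(lines).items()
                  if entry["challenges"] and not entry["authenticated"])

# Constructed sample log. The first record is the line from the post; the
# rest are made up to give one client that does authenticate, for contrast.
SAMPLE_LOG = """\
1062598861.194      1 172.16.1.1 TCP_DENIED/407 1712 CONNECT loginnet.passport.com:443 - NONE/- text/html
1062598861.612      1 172.16.1.1 TCP_DENIED/407 1712 CONNECT loginnet.passport.com:443 - NONE/- text/html
1062598870.003      2 172.16.1.2 TCP_DENIED/407 1712 GET http://www.example.com/ - NONE/- text/html
1062598870.441    312 172.16.1.2 TCP_MISS/200 8413 GET http://www.example.com/ user1 DIRECT/192.0.2.10 text/html
this line is not a squid record
"""

if __name__ == "__main__":
    print(clients_stuck_on_407(SAMPLE_LOG.splitlines()))  # -> ['172.16.1.1']
```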

Re: [squid-users] 105 no buffer space available

2003-09-04 Thread Jacques Beaudoin
Thanks Francisco for taking the time to answer.

I did what you told me but I still had the problem.

It turned out that I had on my internal LAN a laptop PC infected with
MSBLAST that was sending thousands and thousands of requests to my
firewall running iptables-squid.

My iptables-squid firewall had problems responding to all those requests
and my users got the squid (105) no buffer space available error.

Thanks again
PS: I think music from Peru is the most beautiful music in the world.


Francisco Neira wrote:

 Jacques Beaudoin wrote:
  I'm receiving this message from squid (105) no buffer space available
 
  Any idea where to look
 
  Thanks
  Jacques,Montreal
 

 That squid is running on RedHat 7.x, right? If so, I had the same
 problem and the solution was to tweak three kernel parameters:

 echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
 echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
 echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

 Hope this works for you as it did for me.

 Regards




[squid-users] ntlm_auth + ldap_group

2003-09-04 Thread Oswaldo Gomes
Hi,

is it possible to use ntlm_auth just to authenticate users, and ldap_group
to control access by group membership?

I'm trying this configuration:

#ntlm_auth configuration
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth extranet/servername


# ldap_group configuration
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -h servername -b dc=extranet,dc=lab -f (&(cn=%g)(member=%u)) -F sAMAccountName=%s -D cn=ldapread,cn=Users,dc=extranet,dc=lab -w password -d 1

# access control
acl test proxy_auth REQUIRED
acl testldap external ldap_group Administrators
http_access allow testldap
http_access deny all


But I receive the following error in cache.log:

user filter sAMAccountName=extranet\5cadministrator
squid_ldap_group WARNING, User 'sAMAccountName=extranet\5cadministrator' not
found



It looks like ntlm_auth passes extranet\administrator to ldap_group, but
it is changed to extranet\5cadministrator. 
Where did this 5c come from?


Thanks,

 Oswaldo
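Where that `\5c` comes from, as an added example that is not the helper's own code: LDAP filter syntax (RFC 2254, now RFC 4515) requires a backslash inside a filter value to be written as `\5c`, so the helper is escaping the login correctly before substituting it into the `-F` template, and the lookup fails because sAMAccountName holds the bare logon name without any `DOMAIN\` prefix. The function names, the `strip_domain` option and the crafted-login demonstration at the end are mine; the template and login value come from the post.

```python
# Characters that must be hex-escaped inside an LDAP filter assertion value
# (RFC 4515 section 3). Escaping a backslash yields the "\5c" in the log line.
_FILTER_ESCAPES = {
    "\\": r"\5c",   # backslash
    "*": r"\2a",    # wildcard
    "(": r"\28",    # filter grouping
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value):
    """Escape one assertion value for safe inclusion in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def split_domain_login(login):
    """Split an NT-style DOMAIN\\user login into (domain, user).
    Returns ('', login) when there is no domain prefix."""
    domain, sep, user = login.partition("\\")
    return (domain, user) if sep else ("", login)

def build_user_filter(template, login, strip_domain=False):
    """Substitute the login into a squid_ldap_group style -F template (%s).
    With strip_domain=True the DOMAIN\\ prefix is dropped first, so the
    filter matches the plain sAMAccountName stored in the directory."""
    if strip_domain:
        login = split_domain_login(login)[1]
    return template.replace("%s", escape_filter_value(login))

def build_group_filter(template, group, user_dn):
    """Substitute group name (%g) and user DN (%u) into the -f template."""
    return (template.replace("%g", escape_filter_value(group))
                    .replace("%u", escape_filter_value(user_dn)))

if __name__ == "__main__":
    # The login as ntlm_auth hands it to the helper (value taken from the post).
    login = "extranet\\administrator"
    print(build_user_filter("sAMAccountName=%s", login))
    # -> sAMAccountName=extranet\5cadministrator   (the value in the WARNING)
    print(build_user_filter("sAMAccountName=%s", login, strip_domain=True))
    # -> sAMAccountName=administrator
    # The same escaping is what stops a crafted login (constructed here)
    # from rewriting the filter and matching every object in the directory:
    print(build_user_filter("sAMAccountName=%s", "*)(objectClass=*"))
    # -> sAMAccountName=\2a\29\28objectClass=\2a
```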