[squid-users] restrict rogue proxy
Hi all,

Recently, I found some authorized Squid users privately installed other proxy software on their PC. So then, other unauthorized users can access my Squid server via it. I'm really at my wit's end. Can Squid fix this hole?

Li Wei ^-^ HAVE A GOOD DAY ^-^ JFTT
E-mail: [EMAIL PROTECTED]
Re: [squid-users] restrict rogue proxy
On Saturday 13 September 2003 9:21 am, Li Wei wrote:
> hi, all
> Recently, I found some authorized Squid users privately installed other proxy software on their PC. So then, other unauthorized users can access my Squid server via it. I'm really at my wit's end.

This is not really a technical problem; it is a management problem.

If your users are breaking your Acceptable Use Policy like this, then you (or the management who set the policy and decided who was Authorised and who was not) should take disciplinary steps to make it clear to the users that this is not acceptable.

If you have this sort of attitude amongst your users, such that they are (a) installing unauthorised software on their PCs, (b) to enable unauthorised users to access the web, and they are clearly technically capable of working out this solution and implementing it, then you are unlikely to stop them by purely technical means.

This is a job for Management to enforce the Acceptable Use Policy within your organisation and make it clear to people that breaking it is not tolerated.

Trying to beat them technically will simply result in both you and them wasting time which should be spent more productively, and will give the users who break the AUP feelings of (a) technical superiority, and (b) immunity from management discipline, when they can do things like this and get away with it.

Even if you *could* defeat them technically, management should still step in with disciplinary measures because of the loss of productivity caused by people spending time attempting this sort of thing.

Just my 2p.

Antony.

--
Normal people think if it ain't broke, don't fix it. Engineers think if it ain't broke, it doesn't have enough features yet.
[squid-users] Squid cache full --Cant surf
Dear all,

I have a Squid caching server. My server's cache drive gets full in one and a half months, but when it gets full, my LAN users can't surf the internet. When I rebuild the cache, it starts working again. What should I do so that I don't have to rebuild the cache? Any help will be greatly appreciated.

Joel
[squid-users] Local port
Hi,

Can we increase the number of sockets for Squid on Linux? How? Please let me know. I used Slackware 8.1, kernel 2.4.19.

Thanks
Riza
[squid-users] Common Downloads
Dear All,

I have this scenario and I need help from you. I'm running Transparent Proxy + Squid + SquidGuard. Everything runs smoothly. I now want to redirect all common downloads like windowsupdate to a local server which will be automatically updated. The local server will be sitting in my LAN. Please give me a how-to.

Nasib A Salim
Re: [squid-users] Squid cache full --Cant surf
The cache directory itself shouldn't cause this since Squid manages this space itself by deleting least recently used files once the cache gets low on space.

Are you rotating your squid logs? There's the 3 logs to rotate, and unless you do this regularly then it's likely the log files are growing to a size that fills the disk and this is causing the problem.

Either that or you may have set your cache dir size to bigger than the amount of physical space you actually have on your disk? I guess this could cause squid some problems when it thinks it should be able to write files to disk but can't.

Not rotating the error logs could also cause this to happen since the logs would fill up the disk leaving squid with not enough left to use.

hth
Regards, nry

> Dear all, I have squid caching server. My server cache drive gets full in 1 and half month but when it gets full. My lan users can't surf the internet. When I rebuilt the cache then it will start again to work. What should I do so that I don't have to rebuild the cache. Any help will be greatly appreciated. Joel
Re: [squid-users] Route map and strange things happen
Thanks Nuno.

Thx Rgds,
Awie

----- Original Message -----
From: Nuno Ferreira [EMAIL PROTECTED]
To: Awie [EMAIL PROTECTED]; Henrik Nordstrom [EMAIL PROTECTED]; Squid-users [EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 4:32 AM
Subject: RE: [squid-users] Route map and strange things happen

Yeap, exactly that

Nuno Ferreira

-----Original Message-----
From: Awie [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 1:36 AM
To: Henrik Nordstrom; Squid-users; Nuno Ferreira
Subject: Re: [squid-users] Route map and strange things happen

Henrik Nuno,

Many thanks for your kind help. Just want to make sure, as your explanation I assume the mechanism of route-mapped proxy is:

All of HTTP request from client will be redirected to the proxy box. Then the proxy will check into its cache. If no objects are found then it will fetch to Internet. On the fetching progress, proxy box also through router using HTTP request. The access-list will filter the IP and because of it captured the IP of proxy that be denied, it did not redirect the request.

If my assumption above correct, it means the messages

    deny tcp host aaa.aaa.aaa.aaa any eq www (1263621 matches)

as a normal thing. Am I right? Please advise.

Thx Rgds,
Awie

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Awie [EMAIL PROTECTED]; Squid-users [EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 12:04 AM
Subject: Re: [squid-users] Route map and strange things happen

On Friday 12 September 2003 15.51, Awie wrote:
> deny tcp host aaa.aaa.aaa.aaa any eq www (1263621 matches)
> Would you tell me why there are so many denied packets? My Linux box is not be used for browsing at all.

If I understand correctly this Linux box is the proxy you routed the HTTP traffic to, and there should be running a proxy which will connect to the requested web sites, right?

If this is the case then your traffic will look something like the following graph:

    client - router - internet
              |  ^
              v  |
             proxy

The routemap is the downwards arrow, the proxied traffic is the upwards arrow.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
Re: [squid-users] squid / worm weirdness
On Fri, 12 Sep 2003, Brad Groshok wrote:
> Still tailing squid access.log
> It's still showing that IP address making requests to random ip addresses. 10 min later!!!

Probably requests timing out. Squid does not know that you cut the DSL connection and still thinks the client is waiting for responses to the requests it has already sent.

> Sample access.log:
> 1063418773.024 240213 x.x.x.x TCP_MISS/504 1353 GET http://219.30.176.25/ - NONE/- text/html

Note the second field. This tells how long ago the request was sent by the client. In the above line the request was sent 240 seconds (4 minutes) ago.

Regards
Henrik
Re: [squid-users] TCP_Denied
On Fri, 12 Sep 2003, Raymond Norton wrote:
> 1063418371.130 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 - NONE/- -

This is Squid asking your client program (browser etc) to authenticate.

Regards
Henrik
[squid-users] ncsa authentication
Hi,

I want to use ncsa authentication. I have installed squid-2.5.STABLE3 with

    [EMAIL PROTECTED] root]# /usr/local/squid/sbin/squid -v
    Squid Cache: Version 2.5.STABLE3
    configure options: --enable-delay_pools --enable-arp-acl --enable-auth

As mentioned in Squid configuration manager I could not find ./auth_modules/NCSA directory anywhere. Also as advised I could not find by rpm -ql squid-ncsa_auth. I tried configuring squid

    [EMAIL PROTECTED] root]# /usr/local/squid/sbin/squid -v
    Squid Cache: Version 2.5.STABLE3
    configure options: --enable-delay_pools --enable-arp-acl --enable-auth=ncsa_auth

Don't know how to configure squid with ncsa. Also advise me which type of authentication is best.

Thanks
Re: [squid-users] TCP_Denied
On Sat, 13 Sep 2003, Adam Aube wrote:
>> acl Safe_ports port 800 # Squids port (for icons)
> You don't need this line - Squid won't make an HTTP request to the port it is listening on.

But the clients do for icons in FTP listings etc...

Regards
Henrik
Re: [squid-users] restrict rogue proxy
On Sat, 13 Sep 2003, Li Wei wrote:
> Recently, I found some authorized Squid users privately installed other proxy software on their PC. So then, other unauthorized users can access my Squid server via it. I'm really at my wit's end.

The use of authentication is strongly recommended.

> Can Squid fix this hole?

Yes and no.

If you have reasonable level of user identification in place then some simple statistics should indicate if some users are giving other users access with their identity. Then block the users who have given others access.

If you are lucky then these rogue proxies add some kind of identification to the requests forwarded via the proxy. For example if it is a Squid proxy then X-Forwarded-For may indicate who the real user was. If not it is virtually impossible to detect from an individual request if the request was from the real user or proxied from another user and statistics need to be used to identify odd traffic patterns.

Regards
Henrik
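Added example (not part of the thread and not Squid project code): one way to compute the statistics and header checks described in the reply above from an access.log written with log_mime_hdrs enabled. The log lines are constructed, and the bracketed header layout, the thresholds and the function names are assumptions of this sketch.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: native access.log fields followed by [request headers]
# [reply headers], CRLF written as %0d%0a (assumed log_mime_hdrs layout).
SAMPLE_LOG = """\
1063418701.100 120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html [Host: example.com%0d%0aUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418702.200 95 192.168.1.10 TCP_HIT/200 2048 GET http://example.com/a.gif alice NONE/- image/gif [Host: example.com%0d%0aUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418703.300 210 192.168.1.20 TCP_MISS/200 900 GET http://example.org/ bob DIRECT/192.0.2.20 text/html [User-Agent: Mozilla/5.0%0d%0aVia: 1.0 pc20:8080%0d%0aX-Forwarded-For: 192.168.1.77%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418704.400 180 192.168.1.20 TCP_MISS/200 700 GET http://example.net/ bob DIRECT/192.0.2.30 text/html [User-Agent: Mozilla/5.0%0d%0aVia: 1.0 pc20:8080%0d%0aX-Forwarded-For: 192.168.1.78%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418705.500 130 192.168.1.30 TCP_MISS/200 800 GET http://example.com/ carol DIRECT/192.0.2.10 text/html [User-Agent: Mozilla/5.0%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418706.600 140 192.168.1.31 TCP_MISS/200 800 GET http://example.org/ carol DIRECT/192.0.2.20 text/html [User-Agent: Mozilla/5.0%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418707.700 110 192.168.1.40 TCP_MISS/200 600 GET http://example.com/ dave DIRECT/192.0.2.10 text/html [User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418708.800 115 192.168.1.40 TCP_MISS/200 600 GET http://example.org/ dave DIRECT/192.0.2.20 text/html [User-Agent: Opera/7.11%0d%0a] [HTTP/1.0 200 OK%0d%0a]
1063418709.900 118 192.168.1.40 TCP_MISS/200 600 GET http://example.net/ dave DIRECT/192.0.2.30 text/html [User-Agent: Mozilla/5.0 (X11; Linux)%0d%0a] [HTTP/1.0 200 OK%0d%0a]
garbage
"""


def parse_line(line):
    """Return (client_ip, user, request_headers) or None for a malformed line."""
    parts = line.split(None, 10)
    if len(parts) < 10:
        return None
    client, user = parts[2], parts[7]
    headers = {}
    if len(parts) == 11 and parts[10].startswith("["):
        # Keep only the first bracket group: the headers the client sent to Squid.
        raw = parts[10][1:].split("] [", 1)[0].rstrip("]")
        for field in unquote(raw).split("\r\n"):
            name, sep, value = field.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
    return client, user, headers


def find_relay_suspects(log_text, max_ips=1, max_agents=2):
    """Map each login (or client IP when unauthenticated) to the reasons it looks like a relay."""
    ips, agents = defaultdict(set), defaultdict(set)
    forwarded, via = defaultdict(set), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, user, headers = rec
        key = user if user != "-" else client
        ips[key].add(client)
        if "user-agent" in headers:
            agents[key].add(headers["user-agent"])
        if "via" in headers:
            via.add(key)
        for addr in headers.get("x-forwarded-for", "").split(","):
            if addr.strip() and addr.strip() != "unknown":
                forwarded[key].add(addr.strip())
    report = {}
    for key in ips:
        reasons = []
        if forwarded[key]:   # a downstream proxy named the address it forwarded for
            reasons.append("forwarded for: " + ", ".join(sorted(forwarded[key])))
        if key in via:       # a downstream proxy announced itself
            reasons.append("Via header present")
        if len(ips[key]) > max_ips:        # one login used from several machines
            reasons.append("%d source addresses" % len(ips[key]))
        if len(agents[key]) > max_agents:  # more browsers than one person normally uses
            reasons.append("%d user agents" % len(agents[key]))
        if reasons:
            report[key] = reasons
    return report


if __name__ == "__main__":
    for who, why in sorted(find_relay_suspects(SAMPLE_LOG).items()):
        print(who, "->", "; ".join(why))
```

The header checks only catch proxies that identify themselves; the source-address and user-agent counts are the statistical fallback, and the thresholds need tuning against normal traffic for the site.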
Re: [squid-users] Squid cache full --Cant surf
On 13 Sep 2003, Joel wrote:
> My server cache drive gets full in 1 and half month but when it gets full. My lan users can't surf the internet.

Then there are three possibilities:

a) You have configured a too large cache_dir setting for Squid.
b) You are not rotating the log files. You need to call squid -k rotate periodically from cron.
c) You are using an ancient buggy version of Squid where the cache maintenance does not work properly.

> What should I do so that I don't have to rebuild the cache.

Make sure your cache_dir setting is correct and that the log files are periodically rotated by squid -k rotate.

Regards
Henrik
Re: [squid-users] Common Downloads
On Sat, 13 Sep 2003, Nasib Salim wrote:
> I want now to redirect all common downloads like windowsupdate to a local server which will be automatically update. The local Server will be sitting in my LAN.

See the redirectors chapter in the Squid FAQ or the SquidGuard documentation (SquidGuard is a redirector also trying to do access controls..).

Regards
Henrik
[squid-users] Sending email from LAN user problem
Whenever I try to email squid mailing from my LAN host machine I get the following error.

Email FROM : [EMAIL PROTECTED]
Email SUBJECT : failure notice
ERROR message:

Hi. This is the qmail-send program at squid-cache.org. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]: ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

--- Below this line is a copy of the message.

Return-Path: [EMAIL PROTECTED]
Received: (qmail 43879 invoked from network); 5 Sep 2003 16:43:01 -
Received: from web20510.mail.yahoo.com (216.136.226.145) by squid-cache.org with SMTP; 5 Sep 2003 16:43:01 -
Message-ID: [EMAIL PROTECTED]
Received: from [66.119.33.170] by web20510.mail.yahoo.com via HTTP; Fri, 05 Sep 2003 09:43:00 PDT
Date: Fri, 5 Sep 2003 09:43:00 -0700 (PDT)
From: ads squid [EMAIL PROTECTED]
Subject: Re: [squid-users] delay pool problem
To: Henrik Nordstrom [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=0-2108689775-1062780180=:1092

--0-2108689775-1062780180=:1092
Content-Type: text/plain; charset=us-ascii

When I send the same email from the server on which squid is installed it goes without problem. I am not restricting anything in iptables. I think my transparent proxy blocks it.

Thanks
[squid-users] Site access problem
Hi,

I'm trying to connect to site www.lightrio.com.br, and there they put a flash to link:

https://200.170.45.6:7773/pls/sau/sau_pc_segda_via_cta.sau_pr_lst_cta

and when I try to connect using transparent proxy, an error is shown in access.log:

    TCP_DENIED/403 1044 CONNECT 200.170.45.6:7773 - NONE/- -

In browser:

    Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

I turned off all of my acl and the problem persists. Does anyone know how I can solve this problem?

Thanks for any help,
Mauricio.
Re: [squid-users] TCP_Denied
>> 1063418371.130 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 - NONE/- -
> This is Squid asking your client program (browser etc) to authenticate.
> Regards Henrik

That is what it seems, but I have no way of passing authentication to the program. This site uses the link https://map.nwea.org/taa.hta . When I launch the link I get a download box, which I select open in current location. A program launches specific to this site. At this point I have authenticated twice to squid. I can move around the site just fine, but there is a link for uploading records to their file server. It looks like it will work, but then I get the above error, and the following error in the browser:

    Error sending request: HTTP 407 returned, etc...

Is there a way to make an exception for this site in squid? I really need to fix this, ASAP.

Thanks in advance
[squid-users] deny_info kills squid
hello.

from my squid.conf

-
external_acl_type bill_acl ttl=120 concurrency=8 %LOGIN %SRC /etc/billing/new/bill_acl
acl password proxy_auth REQUIRED
acl double_ip max_user_ip -s 1 REQUIRED
acl billing external bill_acl REQUIRED
acl all src 0.0.0.0/0.0.0.0
..
http_access allow all !double_ip password billing
http_access deny all
-

I tried to configure deny_info pages for each of the !double_ip password billing acls with these lines:

deny_info ERR_DOUBLE_IP !double_ip (not sure about this, also tried double_ip, but doesn't work either)
deny_info ERR_BAD_PASSWORD password
deny_info ERR_NO_QUOTA billing

all corresponding files are placed in the errors/ dir

but faced a strange problem - squid dies with SIGSEGV and dumps core file. gdb output is :

---
#0 strcmp (p1=0x88 Address 0x88 out of bounds, p2=0x829c9c2 ERR_DOUBLE_IP) at ../sysdeps/generic/strcmp.c:38
38 ../sysdeps/generic/strcmp.c: No such file or directory.
---

what does it all mean?

thanks for answers.
olegs
Re: [squid-users] Sending email from LAN user problem
> Whenever I try to email squid mailing from my LAN host machine I get the following error.
> [EMAIL PROTECTED]: ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

Try setting your LAN host's mail client to send plain text and not HTML.

Adam
Re: [squid-users] Site access problem
> I'm trying to connect to site www.lightrio.com.br, and there they put a flash to link: https://200.170.45.6:7773/pls/sau/sau_pc_segda_via_cta.sau_pr_lst_cta and when I try to connect using transparent proxy, an error is shown in access.log:
> TCP_DENIED/403 1044 CONNECT 200.170.45.6:7773 - NONE/- -

Post your squid.conf (without blank lines or comments).

Adam
Re: [squid-users] Site access problem
My guess is the port shown in the error message: 7773

Does this not need added to the safe_ports list? I had a similar issue with a friend's site who runs his webserver on a non-standard port...

hth
nry

>> I'm trying to connect to site www.lightrio.com.br, and there they put a flash to link: https://200.170.45.6:7773/pls/sau/sau_pc_segda_via_cta.sau_pr_lst_cta and when I try to connect using transparent proxy, an error is shown in access.log:
>> TCP_DENIED/403 1044 CONNECT 200.170.45.6:7773 - NONE/- -
> Post your squid.conf (without blank lines or comments).
> Adam
Re: [squid-users] Site access problem
> Does this not need added to the safe_ports list? I had a similar issue with a friends site who runs his webserver on a non-standard port...

Half right - since it's using CONNECT, it would also need to be on the SSL_ports list.

I asked for the entire squid.conf so I could see what has already been attempted to make this work - so I could give just the information that's needed.

Adam
Re: [squid-users] TCP_Denied
> That is what it seems, but I have no way of passing authentication to the program.

So you're not using a browser - you're using a brain dead program that doesn't understand proxy authentication. Two things you need to do:

1) Complain vigorously to the site in question - tell them their program doesn't understand proxy authentication and needs to be fixed.
2) Create a dst or dstdomain acl with the IP address/domain of this site, and allow this acl in http_access before you require authentication. This will give you a workaround until they fix their broken program.

Adam
Re: [squid-users] TCP_Denied
On Sat, 13 Sep 2003, Raymond Norton wrote:
> That is what it seems, but I have no way of passing authentication to the program. This site uses the link https://map.nwea.org/taa.hta

Then you may need to make an exception allowing this program access without requiring authentication, or speak to the author of this program to add support for authentication.

> browser Error sending request: HTTP 407 returned, etc... Is there a way to make an exception for this site in squid? I really need to fix this, ASAP.

Probably.

If the program only accesses a specific site then an exception can easily be done allowing access to this site without authentication

    acl special_site dstdomain ...
    http_access allow special_site

before where you require authentication in your http_access rules.

If the program navigates different sites which can not be easily defined then you may need to identify the program as such. Enable log_mime_hdrs and then pay attention to the User-Agent header when using the program. If there is something which uniquely identifies the application then you can use the browser acl type in the same manner as dstdomain is used above to create an exception based on the application.

Regards
Henrik
Re: [squid-users] Sending email from LAN user problem
Trying with plain text mail client.

--- Adam Aube [EMAIL PROTECTED] wrote:
>> Whenever I try to email squid mailing from my LAN host machine I get the following error.
>> [EMAIL PROTECTED]: ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)
> Try setting your LAN host's mail client to send plain text and not HTML.
> Adam
RE: [squid-users] dns and adding www to beginning
This probably isn't a good idea, since www is technically a host name. Not all sites have http://domain.com and http://www.domain.com pointing to the same place. And if you always put www if not present you will break sites that don't use it such as http://support.domain.com

-----Original Message-----
From: John Drouhard [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 11:10 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] dns and adding www to beginning

Is there a way I can make squid try the address I typed in with a www at the beginning if it doesn't work otherwise? Any site that doesn't have a redirector, I have to manually type in www.

Thanks,
John Drouhard

--
Fri Sep 12 23:08:01 CDT 2003 - They told me to install Windows 98 or better, so I installed Linux.
Registered Linux User # 315649
Registered Machine # 201001
Re: [squid-users] dns and adding www to beginning
> Is there a way I can make squid try the address i typed in with a www at the beginning if it doesn't work otherwise? Any site that doesn't have a redirector, I have to manually type in www.

Many browsers will do this - check your browser documentation. That might be a better way than trying to get Squid to do it.

Adam
Re: [squid-users] dns and adding www to beginning
On Sat, 13 Sep 2003 15:03:38 -0400 Adam Aube [EMAIL PROTECTED] wrote:
>> Is there a way I can make squid try the address i typed in with a www at the beginning if it doesn't work otherwise? Any site that doesn't have a redirector, I have to manually type in www.
> Many browsers will do this - check your browser documentation. That might be a better way than trying to get Squid to do it.
> Adam

Well, if I turn Squid off, then Mozilla Firebird (my browser) will do this. It is only when I do have squid that it doesn't try. What I want it to do is to TRY the www AFTER it tries what I actually type and that doesn't work.

John Drouhard

--
Sat Sep 13 15:29:58 CDT 2003 - They told me to install Windows 98 or better, so I installed Linux.
Registered Linux User # 315649
Registered Machine # 201001
Re: [squid-users] Sending email from LAN user problem
On Sat, 13 Sep 2003, ads squid wrote:
> Content-Type 'multipart/alternative' (#5.2.3)

You need to reconfigure your mail program to send plain-text email only. The mail server does not accept HTML email.

Regards
Henrik
Re: [squid-users] Site access problem
On Sat, 13 Sep 2003, Mauricio Portilho Cavalcanti wrote:
> I'm trying to connect to site www.lightrio.com.br, and there they put a flash to link: https://200.170.45.6:7773/pls/sau/sau_pc_segda_via_cta.sau_pr_lst_cta and when I try to connect using transparent proxy, an error is shown in access.log:
> TCP_DENIED/403 1044 CONNECT 200.170.45.6:7773 - NONE/- -

See SSL_ports in squid.conf.

The reason for this restriction is that the CONNECT method is very easy to abuse by hackers for other non-https services such as email, IRC etc.

Regards
Henrik
Re: [squid-users] deny_info kills squid
On Sat, 13 Sep 2003, oleg-s wrote:
> deny_info ERR_DOUBLE_IP !double_ip (not, sure about this, also tried double_ip, but doesn't work either)
> deny_info ERR_BAD_PASSWORD password
> deny_info ERR_NO_QUOTA billing
> all corresponding files are placed in the errors/ dir but faced a strange problem - squid dies with SIGSEGV and dumps core file.

Are you using 2.5.STABLE3 without any patches? If so see http://www.squid-cache.org/Versions/v2/2.5/bugs/

Regards
Henrik
Re: [squid-users] Squid in DMZ Help
Thank you for your reply!

(...)
> 1) Set the ISA server to only provide firewall and NAT service - make sure it does not do any proxying on its own. Make sure you allow access to TCP port 3128 on the Squid box through the ISA server.

I have configured an 'allow all' rule on ISA server and ISA is running on firewall mode

> 2) Configure the browsers on the LAN clients to use the Squid box as a proxy and the ISA server as the default gateway.

The default Gateway on ISA's DMZ interface should be Squid, right? Also, I wanted my LAN clients to be transparent proxied. I thought that being my ISA server transparent proxied by Squid, automatically all LAN clients having ISA as their default gateway would also be transparent proxied by Squid. Can you confirm that?

> 3) Start with the default squid.conf (which is pretty reasonable) and make those changes necessary for your environment. Make sure the Squid box uses the External Firewall as its default gateway, and the External Firewall lets the Squid box make requests to TCP port 80 on servers on the Internet.

That's ok too

> You failed to mention which version of Squid you are using (the output of squid -v will tell you if you don't know).

The Squid version is squid-2.5.STABLE3

Claudius
Re: [squid-users] TCP_Denied
Thank you everyone! I finally got it to work.