RE: [squid-users] time based Instant Message blocking

2003-10-22 Thread Manu C S
Hi Adam,

>I noticed that you specify a proxy_auth acl, but don't show the
>http_access line that utilizes it. You haven't shown us all your acl
>and http_access lines; please post your entire squid.conf (please
>remove any blank lines or comments first).


Thanks for the response.
Here's my entire squid.conf file.
--
shutdown_lifetime 5 seconds
icp_port 0
http_port 192.168.10.254:800
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_effective_user squid
cache_effective_group squid
pid_filename /var/run/squid.pid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
log_mime_hdrs off
forwarded_for off

authenticate_program /usr/lib/squid/ncsa_auth /etc/squid/passwd

acl all src 0.0.0.0/0.0.0.0
acl cmie dstdomain .cmie.com .ibainternational.org
acl chpass url_regex ^http://192.168.10.254:81/cgi-bin/chpasswd.cgi$
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.10.0/255.255.255.0
acl admin-mc src 192.168.10.1
acl staff-mc src 192.168.10.201-192.168.10.220
acl restrict-im dstdom_regex -i "/etc/squid/im"
acl holiday-time time M 00:00-24:00
acl morning-time time STWHFA 07:00-09:00
acl noon-time time STWHFA 11:00-17:00
acl night-time time STWHFA 21:00-24:00
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 800 1025-65535
acl fw-port port 81
acl CONNECT method CONNECT
acl porn dstdom_regex -i "/etc/squid/porn1"
acl blockedsites dstdom_regex -i "/etc/squid/blocked_sites"
acl blockedwords url_regex -i "/etc/squid/blocked_words"
acl student proxy_auth "/etc/squid/students"
acl admin proxy_auth fwadmin

http_access allow restrict-im admin-mc
http_access allow restrict-im staff-mc
http_access allow holiday-time restrict-im localnet
http_access allow morning-time restrict-im localnet
http_access allow noon-time restrict-im localnet
http_access allow night-time restrict-im localnet
http_access deny restrict-im all
http_access allow localhost
http_access allow cmie localnet
http_access allow chpass student
http_access allow admin-mc
http_access allow fw-port admin localnet
http_access deny fw-port
http_access deny blockedsites
http_access deny blockedwords
http_access deny porn
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow staff-mc
http_access allow student localnet
http_access allow localnet
http_access deny all

maximum_object_size 4096 KB
minimum_object_size 0 KB
cache_mem 2000 KB
cache_dir ufs /var/log/cache 50 16 256
request_body_max_size 0 KB
reply_body_max_size 0 KB
--

/etc/squid/students has a list of all the students

/etc/squid/im has the following lines:
msg.*.yahoo.com
messenger.hotmail.com

/etc/squid/porn1 has a list of banned sites

/etc/squid/blocked_words has
\.pif$
\.mp3$
\+mp3$
\.wav$
\.mpeg$


/etc/squid/blocked_sites has
mp3.com
downloadmusic.com
musicindia.com
games.yahoo.com


Regards,
Manu



Re: [squid-users] SQUID and MS Active Directory

2003-10-22 Thread Henrik Nordstrom
On Thu, 23 Oct 2003 [EMAIL PROTECTED] wrote:

> Can I get further inputs on this, how to go about authenticating AD users.
> Which version to use? Etc.

For NTLM authentication the installation is the same as for NT Domains,
using winbind.

If using LDAP (basic auth and groups only) then see the documentation to
the LDAP helpers.

Regards
Henrik



Re: [squid-users] header_replace User-Agent for SSL connections?

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, WEHT.net Webmaster wrote:

> works fine only for http connections, when you go through the squid
> proxy for an https:// url (SSL) the original user agent shows up
> in the logs.
> 
> I imagine there is either a good reason for this or some configuration
> option I'm overlooking.
> 
> Is there a way to set this for SSL?

No. SSL encrypts the traffic, including the request. All Squid knows is
which server and port the browser wants to connect to, the rest is
encrypted.

Regards
Henrik



Re: [squid-users] SQUID and MS Active Directory

2003-10-22 Thread azad_a

Hi
Can I get further inputs on this, how to go about authenticating AD users.
Which version to use? Etc.

Cheers
.../AZad


   
   
Robert Collins <[EMAIL PROTECTED]>
To: Rothermel Wolfgang <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Re: [squid-users] SQUID and MS Active Directory
10/22/2003 04:52 PM

On Wed, 2003-10-22 at 18:24, Rothermel Wolfgang wrote:

> Is it possible to
> - use AD users and AD groups in SQUID ACLs

Yes.

> - authenticate the IE users transparently as the NTLM authenticator does it
> currently.

Yes.

Cheers,
Rob
--
GPG key available at: .

[squid-users] header_replace User-Agent for SSL connections?

2003-10-22 Thread WEHT.net Webmaster

Thanks to all for the replies on my SSL Tunnel question (it would
be nice if there was a way to use PAC to tell the client to use
SSL to connect...)

At any rate, still under 2.5.STABLE4

header_replace User-Agent Nutscrape 1.0

works fine only for http connections, when you go through the squid
proxy for an https:// url (SSL) the original user agent shows up
in the logs.

I imagine there is either a good reason for this or some configuration
option I'm overlooking.

Is there a way to set this for SSL? (Basically anonymizing headers
as follows):


header_access Allow allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all

header_access User-Agent deny all
header_replace User-Agent Nutscrape 1.0

I also notice that fake_user_agent and anonymize_headers seems to
have depreciated out of 2.5 ?

Thanks, mark

-- 
WEHT.net
The Online Compendium of "What Ever Happened To" & "Where Are They Now?"
Subscribe to the newsletter at http://WEHT.net/newsletter.php


Re: [squid-users] https_port WAS: [client->SQUID1(https)->SQUID2(http)->apache]

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Markham, Richard wrote:

> Stopping squid: 2003/10/22 17:09:15| parseConfigFile: line 49 unrecognized:
> 'https_port 443'
> 
> https_port is not recognized when I try to start squid?

You need to specify at least which certificate to use I think.

> squid2.5stable4
> compiled with ./configure --enable-ssl

What does "squid -v" return?

Regards
Henrik



Re: [squid-users] Authentication from PPP

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Yosi Greenfield wrote:

> Is it possible to automatically authenticate users based
> on their ppp login, so that ppp dialup users are automatically
> identified and don't have to log in again?

Not easily by standard means, but if your PPP server (or the
authentication server used by your PPP server) provides means where an 
application can query who the user is who has IP x then this can be 
integrated into Squid via the external_acl directives.

Regards
Henrik



Re: [squid-users] Bypassing Squid LDAP authentication?

2003-10-22 Thread jeff . richards

You just need to set up an acl for that subnet and position the relevant
http_access entry prior to the entry allowing LDAP-authorized requests.

Jeff

--
Jeff Richards
Technical Consultant
Unix Enterprise Services
[EMAIL PROTECTED]
Tel: +61 2 6219 8125



   
 
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
22/10/2003 23:10
Subject: [squid-users] Bypassing Squid LDAP authentication?

Hello,

Squid-newbie here. Was wondering if/how it's possible to bypass
the LDAP authentication for Squid and let every single user with a
specific LAN subnet (ie: 192.168.190.*) to surf the internet without
providing credentials. Right now we're using Netscape Directory services
for LDAP. (but would like to move to Microsoft's AD). Any help would be
great...the more the better since I didn't setup this Squid system and
know nothing about SuSe Linux. Thanks. :)
-
Peter A. Berger Jr.
 Systems Administrator
 ifm efector, Inc.
 610.524.2760
 HP Certified Professional,
 CCNA, Network+, Server+, A+








Important:  This e-mail is intended for the use of the addressee and may contain 
information that is confidential, commercially valuable or subject to legal or 
parliamentary privilege.  If you are not the intended recipient you are notified that 
any review, re-transmission, disclosure, use or dissemination of this communication is 
strictly prohibited by several Commonwealth Acts of Parliament.  If you have received 
this communication in error please notify the sender immediately and delete all copies 
of this transmission together with any attachments.



Re: [squid-users] https_port WAS: [client->SQUID1(https)->SQUID2(http)->apache]

2003-10-22 Thread Duane Wessels



On Wed, 22 Oct 2003, Markham, Richard wrote:

> Stopping squid: 2003/10/22 17:09:15| parseConfigFile: line 49 unrecognized:
> 'https_port 443'
>
> https_port is not recognized when I try to start squid?
>
> squid2.5stable4
> compiled with ./configure --enable-ssl

are you positive that the correct binary is being executed at
startup?  Perhaps you forgot to 'make install' after reconfiguring
Squid with --enable-ssl?

Duane W.


[squid-users] https_port WAS: [client->SQUID1(https)->SQUID2(http)->apache]

2003-10-22 Thread Markham, Richard
Stopping squid: 2003/10/22 17:09:15| parseConfigFile: line 49 unrecognized:
'https_port 443'

https_port is not recognized when I try to start squid?

squid2.5stable4
compiled with ./configure --enable-ssl



NOTE: I fixed the problem below by making SQUID1 accelerate SQUID2 and then
set up cache_peer entry on SQUID2 that points to the internal web server
as a parent.  I'm guessing that's right =).

-Original Message-
From: Markham, Richard [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 4:26 PM
To: '[EMAIL PROTECTED]'
Subject: [squid-users] client->SQUID1(https)->SQUID2(http)->apache


I just installed 2.5.Stable.4 and I'm setting up two squid servers, one on
each side of a firewall.  I want to run
http on the internal squid server (it will talk to the internal web server
and external squid server) and then the external squid server will talk
https with the client.  I know these questions have been asked a million
times even by me when using 2.4 and I apologize.  I think what I need to do
is one of the squid servers will be an accelerator and the other will just
do forwarding.  I need help mostly on the forwarding part.


Re: [squid-users] reverse proxy and https

2003-10-22 Thread Dan DeLong
Henrik:
Thank you for the quick reply.  Unencrypting the key seemed the best
solution so that I could still run squid as a daemon.

Thanks,
Dan
- Original Message -
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Dan DeLong" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 2:34 PM
Subject: Re: [squid-users] reverse proxy and https


> On Wed, 22 Oct 2003, Dan DeLong wrote:
>
> > I am attempting to set up squid as a reverse proxy to handle https
> > requests. ie  client-ssl  -> squid  -> web server.  I've added the following
> > to a default squid.conf
>
> > ACK:problems getting password
> >
> > I'm using a cert and key file that are valid and I do know the key file
> > password but how do I tell squid what that password is ?
>
> You don't.
>
> You either give Squid an unencrypted key file, or start it with the -N
> option to allow entry of the password using the keyboard.
>
> To decrypt a RSA key file you can use the openssl rsa command.
>
> Regards
> Henrik
>
>
>
>




Re: [squid-users] Authentication from PPP

2003-10-22 Thread Duane Wessels



On Wed, 22 Oct 2003, Yosi Greenfield wrote:

> Hi -
>
> Is it possible to automatically authenticate users based
> on their ppp login, so that ppp dialup users are automatically
> identified and don't have to log in again?
>
> Any help will be most appreciated...

In general, I do not think so.  I am not aware of any software
that has been written for Squid to do that.

If *you* have some way of identifying PPP users on your system (for
example, looking for a username/ipaddr pair in a local file or
database), then you can write an external ACL program that will
interface to Squid and do what you want.

Duane W.
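
A sketch of the external ACL program both replies to this question describe, as an added example that is not code from the thread or from the Squid project. It assumes a plain-text session table of "ip username" lines maintained by your PPP or authentication server; the helper path, ACL names, file format and short ttl (dial-up addresses get reassigned) are all assumptions.

```python
#!/usr/bin/env python3
"""Added example: external ACL helper that maps a client IP to a PPP login.

Assumed squid.conf wiring (helper path, file path and ACL names are hypothetical):
    external_acl_type ppp_user ttl=30 %SRC /usr/local/bin/ppp_ident.py /var/run/ppp_sessions
    acl ppp_known external ppp_user
    http_access allow ppp_known
Squid writes one line per lookup (here just %SRC); the helper answers
"OK user=<login>" or "ERR" on one line and must flush after every reply.
"""
import ipaddress
import re
import sys

# The login is echoed into a space-separated reply line, so names containing
# anything outside this set are rejected instead of being passed through.
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Constructed sample of the assumed session table: one "ip username" per line.
SAMPLE_SESSIONS = """\
# active dial-up sessions (constructed)
10.20.0.11 alice
10.20.0.12 bob
10.20.0.13 mallory=admin
10.20.0.14 carol
10.20.0.14 dave
"""


def load_sessions(text):
    """Parse the session table; malformed or ambiguous entries are dropped."""
    sessions, conflicts = {}, set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        user = parts[1]
        if not USER_RE.fullmatch(user):
            continue
        if sessions.get(ip, user) != user:
            conflicts.add(ip)          # same IP listed for two different users
        sessions[ip] = user
    for ip in conflicts:
        del sessions[ip]               # fail closed: nobody is identified
    return sessions


def answer(request_line, sessions):
    """Build the reply for one lookup line received from Squid."""
    fields = request_line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    user = sessions.get(ip)
    return "OK user=" + user if user else "ERR"


def serve(stdin, stdout, session_path):
    """Main loop: re-read the table per lookup so logouts take effect at once."""
    for line in stdin:
        try:
            with open(session_path) as fh:
                sessions = load_sessions(fh.read())
        except OSError:
            sessions = {}              # unreadable table: deny, do not guess
        stdout.write(answer(line, sessions) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, sys.argv[1])
```

The identity is only as fresh as the session table, so the entry for an address has to be removed when the PPP link drops; otherwise the next caller assigned that address inherits the previous user's name in the logs and ACLs.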


Re: [squid-users] Allow_direct and Never_direct

2003-10-22 Thread Duane Wessels



On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> Hi!
>
> I have sent a similar question before, but did not manage to solve the
> problem.
>
> I need to allow certain users of a Windows group to always bypass our
> cache_peer and the other ones to never bypass it.
>
> I am using the following configuration:
>
> always_direct allow windows_group
> always_direct deny all
> never_direct allow all
>
> The users belonging to windows_group are always going direct (good!!), but
> the other ones sometimes go direct and sometimes go through our cache_peer
> ...
>
> What may be going wrong?

There is another way to do this, and it may work better for you.
you can use 'cache_peer_access' like this:

cache_peer_access neighbor.name deny windows_group

Then to make sure most of your users never bypass the
parent, you can use never_direct rules like this:

never_direct deny windows_group
never_direct allow all

Duane W.


[squid-users] Authentication from PPP

2003-10-22 Thread Yosi Greenfield
Hi -

Is it possible to automatically authenticate users based
on their ppp login, so that ppp dialup users are automatically
identified and don't have to log in again?

Any help will be most appreciated...

Thank you,

Yosi Greenfield
Kew Systems, Inc.


[squid-users] client->SQUID1(https)->SQUID2(http)->apache

2003-10-22 Thread Markham, Richard
I just installed 2.5.Stable.4 and I'm setting up two squid servers, one on
each side of a firewall.  I want to run
http on the internal squid server (it will talk to the internal web server
and external squid server) and then the external squid server will talk
https with the client.  I know these questions have been asked a million
times even by me when using 2.4 and I apologize.  I think what I need to do
is one of the squid servers will be an accelerator and the other will just
do forwarding.  I need help mostly on the forwarding part.



[squid-users] Allow_direct and Never_direct

2003-10-22 Thread zottmann
Hi! 

I have sent a similar question before, but did not manage to solve the 
problem. 

I need to allow certain users of a Windows group to always bypass our 
cache_peer and the other ones to never bypass it. 

I am using the following configuration: 

always_direct allow windows_group 
always_direct deny all 
never_direct allow all 

The users belonging to windows_group are always going direct (good!!), but
the other ones sometimes go direct and sometimes go through our cache_peer
...

What may be going wrong? 

Regards, 
Carlos. 

Re: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> yes, it does reply success for challenge/response authentication!

Good.

> Don't I have to build squid with the winbind helpers then?

When using Samba-3 you just need to enable the ntlm scheme when building
Squid. There is no need to enable any ntlm helpers. Also the winbind
helpers shipped with Squid do not work at all with Samba-3 due to
fundamental changes in the Samba internal winbind interface.

When using Samba-3 you SHOULD use the helper provided by Samba for
connecting Squid to winbind. This Samba provided helper supports all
versions of Squid and both basic and ntlm authentication schemes. It is 
installed by default in a Samba-3 installation, so if you have Samba-3 
installed then you already have the required helper installed and just 
need to configure Squid for using it (assuming your Squid binary supports 
the authentication schemes you want to use, basic and/or ntlm).

Regards
Henrik



Re: [squid-users] reverse proxy and https

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Dan DeLong wrote:

> I am attempting to set up squid as a reverse proxy to handle https
> requests. ie  client-ssl  -> squid  -> web server.  I've added the following
> to a default squid.conf

> ACK:problems getting password
> 
> I'm using a cert and key file that are valid and I do know the key file
> password but how do I tell squid what that password is ?

You don't.

You either give Squid an unencrypted key file, or start it with the -N 
option to allow entry of the password using the keyboard.

To decrypt a RSA key file you can use the openssl rsa command.

Regards
Henrik



Re: [squid-users] bypass domains - sites not working with squid

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Wilhelm Farrugia wrote:

> these sites are not blocked by acl I just want to disable transparent proxy for
> them to allow clients to see these pages.
> 
> how can i achieve this ?

The best method is to add an acl to your WCCP router, excluding these 
sites from WCCP redirection. See the Cisco WCCP manuals for details.

Regards
Henrik



RE: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Adam Aube
> yes, it does reply success for challenge/response authentication!
> Don't I have to build squid with the winbind helpers then?

No - you're using Samba 3. As Henrik said, you need to use the helpers
that Samba provides, not Squid. (I agree, Henrik - that must be at
least the 5th time this week this has come up)

All you need to do is compile Squid with support for the relevant auth
types (basic and/or NTLM) - you do not specifically add the winbind
helpers. When you build Samba 3, it provides a winbind helper that
supports both basic and NTLM auth - you use that helper.

Adam



Re: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Thomas . Bauer

Hi Henrik,

yes, it does reply success for challenge/response authentication!
Don't I have to build squid with the winbind helpers then?

thx tommy


   

Henrik Nordstrom <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> Hi everybody!
>
> I wanna run a squid proxy server on Red Hat 9.0 in a Win NT 4 environment. At the
> moment squid is running on NT but it sucks
> and crashes all the time.
> I set squid up on linux and tried the msnt authenticate. It works but I don't want a
> prompt if you start the internet explorer.
> So I tried to set up squid with winbind.
>
> I tried all the configurations and the hints in all threads I found.
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
>
> wbinfo -a mydomain\myuser%mypasswd SUCCESS

Does it also report success for challenge/response authentication? If not
your Samba is not built with support for challenge/response authentication
via winbind and NTLM can not work without this (NTLM is
challenge/response authentication based).

> /usr/local/squid/libexec/wb_auth -d
>
> I don't know where my problem is hidden. I use Samba 3.0.0 and Squid-2.5-STABLE3.

Ah.. again the same question. This must be the 5th time this week.

For Samba-3 you MUST use the ntlm_auth helper included in the Samba
distribution, not the older helpers shipped with Squid. See the Samba
documentation.

This single helper supports both basic and ntlm authentication schemes for
a number of different programs, Squid included.

Regards
Henrik








[squid-users] HELP - squidGuard, Squid amd LDAP authentication/groups

2003-10-22 Thread Mauricio Pegoraro
Hi.

I'm using squidGuard for content filtering and it's great (fast and reliable).

Till now I've been using Squid and squidGuard block/don't block based on IP addresses.
But now, because some "new" policies, I must do the control based on username and
groups of my LDAP server.
Ok. I did it fine with pam_auth, pam_auth and ldap_groups, but I'm having trouble to
integrate all this with squidGuard (all blocking mechanism). And, mostly, my problems
were originated because the way the "new" policies must be implemented. See below:

1. the user enters a URL in his browser;
2. if the URL is authorized, the navigation goes on, no blocking;
3. if the URL is not authorized (porn, gambling, ...), there must be authentication
(via pam_auth + pam_ldap);
4. then after user authenticates, it's verified against LDAP groups to see if he
belongs to NOBLOCK group;
5. if yes (the user belongs to NOBLOCK group), the navigation goes on, no blocking,
but logged;
6. if no (the user doesn't belong to NOBLOCK group), the navigation is denied.

So, I know that it's a bit complex (and the e-mail a bit longer), my question is: how 
can I implement this using squidGuard?

Maybe the developers or some user from the list could have a thought or two on this 
issue.

Thanks in advance.

MaurícioWP.


Maurício Westendorff Pegoraro
Systems Analyst - Security
ADP Brasil
ADP RBS Support

51 3218-6227
[EMAIL PROTECTED]




Re: [squid-users] Proxy Authentication and Java Applets

2003-10-22 Thread Schelstraete Bart
[EMAIL PROTECTED] wrote:

> Hi !!
>
> You should do the following:
>
> acl java_jvm browser Java
>
> then, before your http_access for the authenticated users, use:
>
> http_access allow java_jvm

Ohhh!
Be aware that you're then allowing every Java client to access the proxy
WITHOUT authentication!
There are a lot of java programs which use proxy servers, and with that
acl you'll allow them all.

rgrds,

 Bart
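
The effect Bart warns about, and the subnet-before-LDAP ordering advised in the "Bypassing Squid LDAP authentication?" reply on this page, both follow from http_access being evaluated first-match, top to bottom. The following is an added example, not code from the thread or from Squid: a simplified model of that evaluation in which every ACL name except java_jvm, and all requests, are constructed.

```python
"""Added example: simplified model of Squid's http_access evaluation.

Lines are checked top to bottom, the ACLs on one line are ANDed and tested
left to right, and the first line whose ACLs all match decides. A proxy_auth
ACL that is reached without credentials ends evaluation with a 407 challenge.
"""
import ipaddress
import re


def acl_matches(acl, req):
    """Return True, False, or "challenge" if credentials are needed but absent."""
    kind, value = acl
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value)
    if kind == "browser":      # regex over the client-supplied User-Agent header
        return re.search(value, req.get("user_agent", "")) is not None
    if kind == "dstdomain":
        host = req["host"].lower()
        if value.startswith("."):
            return host == value[1:] or host.endswith(value)
        return host == value
    if kind == "proxy_auth":
        return True if req.get("user") else "challenge"
    raise ValueError("unsupported ACL type: " + kind)


def evaluate(rules, acls, req):
    """Return "allow", "deny" or "challenge" for one request."""
    for action, names in rules:
        result = True
        for name in names:
            result = acl_matches(acls[name], req)
            if result is not True:
                break
        if result == "challenge":
            return "challenge"
        if result is True:
            return action
    return "deny"              # not reached: every rule set ends in "deny all"


ACLS = {
    "all": ("src", "0.0.0.0/0"),
    "java_jvm": ("browser", "Java"),                 # from the post above
    "authed": ("proxy_auth", "REQUIRED"),            # hypothetical name
    "localnet": ("src", "192.168.10.0/24"),          # constructed
    "bypass_net": ("src", "192.168.190.0/24"),       # constructed
    "applet_sites": ("dstdomain", ".applets.example"),  # constructed
}

# The rule order from the post: the browser ACL sits before the auth rule.
JAVA_BEFORE_AUTH = [("allow", ["java_jvm"]), ("allow", ["authed"]), ("deny", ["all"])]
# Narrowed variant: the exemption also needs a LAN source and a listed site.
JAVA_NARROWED = [("allow", ["java_jvm", "localnet", "applet_sites"]),
                 ("allow", ["authed"]), ("deny", ["all"])]
# Subnet exemption placed before, and after, the authenticated rule.
SUBNET_FIRST = [("allow", ["bypass_net"]), ("allow", ["authed"]), ("deny", ["all"])]
AUTH_FIRST = [("allow", ["authed"]), ("allow", ["bypass_net"]), ("deny", ["all"])]

# Constructed requests, none of them carrying proxy credentials.
BROWSER = {"src": "192.168.10.20", "user_agent": "Mozilla/4.0", "host": "www.example.org"}
JAVA_PROGRAM = {"src": "192.168.10.20", "user_agent": "Java/1.4.2", "host": "www.example.org"}
APPLET = {"src": "192.168.10.20", "user_agent": "Java/1.4.2", "host": "games.applets.example"}
SUBNET_CLIENT = {"src": "192.168.190.7", "user_agent": "Mozilla/4.0", "host": "www.example.org"}


def report():
    """Outcome of each scenario, keyed by a short description."""
    return {
        "browser, java rule first": evaluate(JAVA_BEFORE_AUTH, ACLS, BROWSER),
        "java program, java rule first": evaluate(JAVA_BEFORE_AUTH, ACLS, JAVA_PROGRAM),
        "java program, narrowed": evaluate(JAVA_NARROWED, ACLS, JAVA_PROGRAM),
        "applet, narrowed": evaluate(JAVA_NARROWED, ACLS, APPLET),
        "subnet client, subnet first": evaluate(SUBNET_FIRST, ACLS, SUBNET_CLIENT),
        "subnet client, auth first": evaluate(AUTH_FIRST, ACLS, SUBNET_CLIENT),
    }


if __name__ == "__main__":
    for scenario, outcome in report().items():
        print(f"{scenario:32} -> {outcome}")
```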



RE: [squid-users] Control squid VSZ and RSS from growing

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Zand, Nooshin wrote:

> Do you run the test on partial squid code or the whole "squid".

The whole.

> I just simply ran valgrind, by default option and set leak-check=yes,
> It returns no memory leak. However, I do not think so it examined all
> libraries in use.

It does.

> Have you defined suppressions for Redhat 9.0 and squid2.5Stable4?
> In case you do would you please make it available.

There are no suppressions for Squid.

I do not remember if I had to make any suppressions for RH9. I think I just
had to upgrade to the current valgrind version at the time. I am using
valgrind-1.9.6-1 installed from source RPM (or maybe tar RPM build,
don't remember).

Regards
Henrik



RE: [squid-users] Problem configuring winbind for squid

2003-10-22 Thread Adam Aube
In the future, could you please reply to the list? This enables you to
get multiple opinions on your problem, not just mine.

Taiwo Akinosho [EMAIL PROTECTED] sent in private email:

> [EMAIL PROTECTED] bin]# squid -v
> Squid Cache: Version 2.5.STABLE1
> configure options:  --host=i386-redhat-linux
> --build=i386-redhat-linux --target=i386-redhat-linux-gnu
> --program-prefix= --prefix=/usr --exec-prefix=/usr
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
> --datadir=/usr/share --includedir=/usr/include
> --libdir=/usr/lib --libexecdir=/usr/libexec
> --localstatedir=/var --sharedstatedir=/usr/com
> --mandir=/usr/share/man --infodir=/usr/share/info
> --exec_prefix=/usr --bindir=/usr/sbin
> --libexecdir=/usr/lib/squid --localstatedir=/var
> --sysconfdir=/etc/squid --enable-poll --enable-snmp
> --enable-removal-policies=heap,lru
> --enable-storeio=aufs,coss,diskd,ufs --enable-ssl
> --with-openssl=/usr/kerberos --enable-delay-pools
> --enable-linux-netfilter --with-pthreads
> --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
> --enable-ntlm-auth-helpers=SMB,winbind
> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,
> wbinfo_group,winbind_group

> does this omission affect me authenticating squid via the windows
> 2000 domain.

You do include the NTLM winbind helper, but since Samba doesn't have
NTLM support built-in, the NTLM helper is useless. You need the basic
helper (wb_auth), which you didn't include in the ./configure
command - that's why there's no wb_auth program on your system.

You also neglected to configure Squid to use authentication - you need
to use this in ./configure as well:

--enable-auth="basic,ntlm"

> samba still does not seem to be installed. rpm -q samba does
> not find samba. do i still need to do something after running
> make install.

If you didn't install Samba, then you wouldn't have been able to
perform the wbinfo test you mentioned in your original email. Samba is
installed; just not with RPM.

Adam



[squid-users] Valgrind result on squid 2.5Stable4

2003-10-22 Thread Zand, Nooshin
Hi,

Valgrind on squid2.5Stable4 returns the following report.
I used following options  --gen-suppressions=yes -v --leak-check=yes

Henrik, Please advise.
Gradually there is going to be a big difference between "Total space in arena"
And "Total accounted"

Regards,
nooshin 


==21502== 32 bytes in 2 blocks are definitely lost in loss record 2 of 9
==21502==at 0x40029AD6: calloc (vg_replace_malloc.c:284)
==21502==by 0x80C1932: xcalloc (util.c:557)
==21502==by 0x8087161: memPoolAlloc (MemPool.c:254)
==21502==by 0x804B9AD: aclParseIpData (acl.c:393)
==21502==
==21502== LEAK SUMMARY:
==21502==definitely lost: 32 bytes in 2 blocks.
==21502==possibly lost:   0 bytes in 0 blocks.
==21502==still reachable: 22194 bytes in 879 blocks.
==21502== suppressed: 200 bytes in 1 blocks.
==21502== Reachable blocks (those to which a pointer was found) are not
shown.
==21502== To see them, rerun with: --show-reachable=yes
==21502==
--21502-- TT/TC: 0 tc sectors discarded.
--21502--4861 chainings, 0 unchainings.
--21502-- translate: new 6631 (97291 -> 1349146; ratio 138:10)
--21502--discard 213 (2990 -> 38912; ratio 130:10).
--21502--  dispatch: 230 jumps (bb entries), of which 295339 (12%)
were unchained.
--21502--48/51204 major/minor sched events.  7671 tt_fast
misses.
--21502-- reg-alloc: 1196 t-req-spill, 250656+7082 orig+spill uis, 33030
total-reg-r.
--21502--sanity: 49 cheap, 2 expensive checks.
--21502--ccalls: 24725 C calls, 58% saves+restores avoided (84704
bytes)
--21502--33089 args, avg 0.89 setup instrs each (6758 bytes)
--21502--0% clear the stack (74175 bytes)
--21502--8589 retvals, 31% of reg-reg movs avoided (5158
bytes)


[squid-users] reverse proxy and https

2003-10-22 Thread Dan DeLong
I am attempting to set up squid as a reverse proxy to handle https
requests. ie  client-ssl  -> squid  -> web server.  I've added the following
to a default squid.conf
https_port 10.1.1.2:443 cert=cerfile key=keyfile
With this line added I get the following error in cache.log:
2003/10/22 12:45:32| Using private key in keyfile
FATAL: Failed to acquire SSL private key: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password

I'm using a cert and key file that are valid and I do know the key file
password but how do I tell squid what that password is ?

Are there problems in setting squid up to work in this manner ?

Thanks,
Dan




Re: [squid-users] Squid 3 - Page Content

2003-10-22 Thread Martin Ritchie
Robert Collins wrote:
> On Tue, 2003-10-21 at 21:31, Martin Ritchie wrote:
>
> > Sorry if this is a total newbie question but I'm wanting to store the
> > actual page content in a database is there anyone out there that has
> > done anything like this? Do you have any pointers of where I should start.
>
> Well, there are a few approaches. The simplest would be to tail
> store.log, and copy out the objects as they are completed. You can use
> ufsdump in the squid3 sources (cd src && make ufsdump) as a sample
> application for examining a single cached object. Only a little work
> would be needed to list all the metadata, and the byte offset that
> actual data starts - from there you can insert that into your database.
> (Be sure to take a local copy (not hardlink) first, so as to minimise
> the occurrences of the object being recycled before you get to it. You
> can't do that with COSS though. A second approach would be a hacked
> squid with an external call out of some sort - perhaps iCap , although
> the iCap patches are still only for 2.5.

my cvs head ufsdump doesn't want to compile. I'm getting a number of
multiple definition errors based on a number of comm_select methods. I'm
still new to C++ so please go easy on me. I'm not sure that even getting
this working will solve our problem as only cached pages will be in the
cache.

If I'm wanting to go for the second approach of 'patching' squid with an 
external call where would I start.  Is 2.5 and icap the best approach or 
should I be looking to v3?

I guess the html is sent to the client as it arrives but is it ever 
available fully in memory? and is it possible to add db processing when 
the content has been fully retrieved.

tia



--
Martin Ritchie
the Kelvin Institute
50, George Street
+44 (0) 141 548 5719



[squid-users] bypass domains - sites not working with squid

2003-10-22 Thread Wilhelm Farrugia
Hello,

I have set up squid using wccp and it is working fine, except some sites
that I do not want them to pass through the cache server since the pages
cannot be displayed ( if I stop cache these sites can be seen ). Note that
these sites are not blocked by acl I just want to disable transparent proxy for
them to allow clients to see these pages.

how can i achieve this ?

Thanks,

Wil



RE: [squid-users] Control squid VSZ and RSS from growing

2003-10-22 Thread Zand, Nooshin
Henrik,

Do you run the test on partial squid code or the whole "squid".
I just simply ran valgrind, by default option and set leak-check=yes,
It returns no memory leak. However, I do not think so it examined all
libraries in use.
Have you defined suppressions for Redhat 9.0 and squid2.5Stable4?
In case you do would you please make it available.

Regards,
nooshin


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 21, 2003 8:17 PM
To: Zand, Nooshin
Cc: Mike Mitchell; Marc Elsen; [EMAIL PROTECTED]
Subject: RE: [squid-users] Control squid VSZ and RSS from growing


On Tue, 21 Oct 2003, Zand, Nooshin wrote:

> I am just wondering how we can check and ensure there is not any memory
> leak on any library in use and squid.

If you see that total in use grows a lot, while total accounted for is 
mostly steady then it is quite likely a leak, either in Squid or in a 
library.

> I downloaded "valgrind" application to check memory leak; it exited
> prior to Squid memory allocation.

I use valgrind a lot when testing Squid for memory leaks, on many 
different RedHat versions (7.3, 8.0, 9).

Regards
Henrik



Re: [squid-users] Using Squid as a reverse proxy to balance traffic with stickiness

2003-10-22 Thread Flavio Catalani
Sorry, previous email not to the ML.

There is no possibility for the client to change IP in the middle of the 
session or to arrive "via a mesh of cache servers" because they came from a 
private LAN.

The rproxy patch you are writing is what I need? I am not sure about it.
Is it stable enough to use in a production environment?
I downloaded the patch: over which version of squid must I apply it?

Thanx

Original Message
 From: Henrik Nordstrom
 Sent: 17:16, Wednesday 22 October 2003
 To: Flavio Catalani 17:16, Wednesday 22 October 2003
 Subject: Re: [squid-users] Using Squid as a reverse proxy to balance traffic with stickiness

> On Wed, 22 Oct 2003, Flavio Catalani wrote:
> 
> > Hi,
> > 
> > I've read that squid can balance the requests when used as a reverse proxy 
> > using stickiness over srcIP.
> > 
> > On http://devel.squid-cache.org/old_projects.html#rproxy it is described as
> > beta.
> > 
> > I could not find any info on how to configure squid using sticky load 
> > balancing. Can anyone help me?
> 
> This function is not yet in mainline Squid, but can be found in the rproxy 
> patch at the location above..
> 
> 
> > with stickiness on srcIP: every request from the same IP must be satisfied
> > (if not in cache) from the same WebServer.
> 
> Please note that there are perfectly valid situations where a client may 
> change source IP address in the middle of a session. You can not assume 
> the source IP is the clients IP. The client may be connecting to your site 
> via a mesh of cache servers, and different requests during the same 
> session may travel different paths in this cache mesh.
> 
> One simple example is a company having two cache servers in a load 
> balanced manner. Another example is companies having more than two cache 
> servers or peering with other cache servers.
> 
> Regards
> Henrik
> 
> 



RE: [squid-users] Need to set up a one-time redirect, per user, for a client...

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Jordan Young wrote:

> Are there any redirectors that have database support for something similar
> to this already available?

I have not seen many such things published, but there has been a lot of 
talk.

I think there was one such redirector published about 6-12 months ago. Try 
looking around in the archives.

Writing such a redirector is not very hard. It can be as simple as a 3 
line perl script using a directory as database with one file per user.

Regards
Henrik
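
The redirector described in this thread, as an added example that is not code from the list or from Squid: it uses a directory as the database, one file per client address, and redirects a client whose file is missing or older than the 60-minute idle window suggested elsewhere in the thread. `PORTAL_URL` and `STATE_DIR` are assumptions; the `302:` reply prefix is the redirector convention Squid uses to send the client an HTTP redirect.

```python
#!/usr/bin/env python3
"""First-request redirector for Squid 2.5 (wired in with redirect_program).

State is a directory holding one empty file per client address; the file's
mtime records when that client was last seen.
"""
import ipaddress
import os
import sys
import time

# Assumptions for this example, not values from the thread:
PORTAL_URL = "http://portal.example.invalid/"
STATE_DIR = "/var/spool/squid-firstseen"
IDLE_SECONDS = 60 * 60  # the "say 60 minutes" idle window


def client_key(client_field):
    """Turn Squid's 'ip/fqdn' field into a safe file name, or None.

    The value becomes part of a path, so only a literal IP address is
    accepted; '..', separators or any other text is rejected.
    """
    addr = client_field.split("/", 1)[0]
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def decide(line, state_dir=STATE_DIR, now=None):
    """Return the reply for one request line ('' means leave the URL alone).

    Squid 2.5 sends 'URL ip/fqdn ident method' on stdin, one request per line.
    """
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) < 2:
        return ""
    url, key = fields[0], client_key(fields[1])
    if key is None:
        return ""
    path = os.path.join(state_dir, key)
    try:
        last_seen = os.stat(path).st_mtime
    except OSError:
        last_seen = None
    try:
        # Record activity for every request, redirected or not.
        with open(path, "a"):
            pass
        os.utime(path, (now, now))
    except OSError:
        # State cannot be written: fail open, otherwise every request
        # would look like a first visit and be redirected forever.
        return ""
    if url.startswith(PORTAL_URL):
        return ""  # never redirect the portal to itself
    if last_seen is None or now - last_seen > IDLE_SECONDS:
        return "302:" + PORTAL_URL
    return ""


def main():
    os.makedirs(STATE_DIR, exist_ok=True)
    for line in sys.stdin:
        # One reply line per request line, flushed immediately.
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```
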



Re: [squid-users] Bypassing Squid LDAP authentication?

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> Squid-newbie here. Was wondering if/how it's possible to bypass 
> the LDAP authentication for Squid and let every single user with a 
> specific LAN subnet (ie: 192.168.190.*) to surf the internet without 
> providing credentials.

Yes. Just allow him before where you allow authenticated users access.

Regards
Henrik



Re: [squid-users] Using Squid as a reverse proxy to balance traffic with stickiness

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Flavio Catalani wrote:

> Hi,
> 
> I've read that squid can balance the requests when used as a reverse proxy 
> using stickiness over srcIP.
> 
> On http://devel.squid-cache.org/old_projects.html#rproxy it is described as 
> beta.
> 
> I could not find any info on how to configure squid using sticky load 
> balancing. Can anyone help me?

This function is not yet in mainline Squid, but can be found in the rproxy 
patch at the location above..


> with stickiness  on srcIP: every request from the same IP must be satisfied 
> (if not in cache) from the same WebServer.

Please note that there are perfectly valid situations where a client may 
change source IP address in the middle of a session. You can not assume 
the source IP is the clients IP. The client may be connecting to your site 
via a mesh of cache servers, and different requests during the same 
session may travel different paths in this cache mesh.

One simple example is a company having two cache servers in a load 
balanced manner. Another example is companies having more than two cache 
servers or peering with other cache servers.

Regards
Henrik



Re: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> Hi everybody!
> 
> I wanna run a squid proxy server on Red Hat 9.0 in an Win NT 4 environment. At the 
> moment squid is running on NT but it sucks
> and crashes all the time.
> I set squid up on linux and tried the msnt authenticate. It works but I don't want a 
> prompt if you start the internet explorer.
> So I tried to set up squid with winbind.
> 
> I tried all the configurations and the hints in all threads I found.
> 
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
> 
> wbinfo -a mydomain\myuser%mypasswd SUCCESS

Does it also report success for challenge/response authentication? If not 
your Samba is not built with support for challenge/response authentication 
via winbind and NTLM can not work without this (NTLM is 
challenge/response authentication based).

> /usr/local/squid/libexec/wb_auth -d
> 
> I don't know where my problem is hidden. I use Samba 3.0.0 and Squid-2.5-STABLE3.

Ah.. again the same question. This must be the 5th time this week.

For Samba-3 you MUST use the ntlm_auth helper included in the Samba 
distribution, not the older helpers shipped with Squid. See the Samba 
documentation.

This single helper supports both basic and ntlm authentication schemes for 
a number of different programs, Squid included.

Regards
Henrik



Re: [squid-users] Squid Authentication on Domain with groups

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Altrock, Jens wrote:

> I have Squid running at the moment on RedHat 8 with Samba 3, and standard
> authentication with our domain controller is working (so only ppl within the
> network can use the proxy). 
> But I need to authenticate with the dc by checking if the user is in a
> special group (called "internet") to see if he is allowed to use internet.
> anyone got a clue if I can realize this by ACL or any other way?

See the wb_group external_acl helper, delivered with Squid. (documentation 
also included)

Regards
Henrik



Re: [squid-users] Parent & Child in squid.conf

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Frank Chibesakunda wrote:

> I want to setup two machines each with squid, one is connected to the 
> internet, the other one is not, i want to put the one which is not 
> directly connected to the internet as a child and put some machines to 
> browse using it, how do i do it/how do i specify in the squid.conf file.

See the Squid FAQ.

Regards
Henrik



Re: [squid-users] SSL and Authentication in http accelerator mode

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Reuben Pearse wrote:

> Hi all,
> 
> How do I configure Squid to run in http accelerator mode, over SSL,
> using pam authentication? 

With Squid-3, just do it ;-)

With Squid-2.5 it is a little more complex as authentication is normally
disabled in accelerator mode due to a serious conflict with transparent
proxying and you need to have the AUTH_ON_ACCEL define set when you build 
Squid for this to be enabled.

Regards
Henrik



Re: [squid-users] SQUID automatic detection Problems

2003-10-22 Thread Henrik Nordstrom
You have not configured Squid for interception caching. See the Squid FAQ 
for instruction on how to configure Squid for this.

Regards
Henrik

On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote:

> 
> 
> Hi,
> 
> I have a Redhat Linux 9 server setup.  I've configured Shorewall firewall
> as the main firewall and I've also setup Squid so that I can ban particular
> words and sites.  I need to setup the proxy server so that it is
> automatically detected by the client PC.  We're running a mixture of
> Windows 98 to XP Pro PC's
> 
> I've followed the command;
> 
> iptables -t nat -D PREROUTING  -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 
> The PC's on the network automatically detect the proxy server, BUT they get
> the following text displayed;
> 
> ERROR
> The requested URL could not be retrieved
> 
> 
> 
> While trying to retrieve the URL: /
> 
> The following error was encountered:
> 
> Invalid URL
> Some aspect of the requested URL is incorrect. Possible problems:
> 
> Missing or incorrect access protocol (should be `http://'' or similar)
> Missing hostname
> Illegal double-escape in the URL-Path
> Illegal character in hostname; underscores are not allowed
> Your cache administrator is root.
> 
> 
> 
> 
> 
> Generated Wed, 22 Oct 2003 09:10:46 GMT by WELPROXY (squid/2.5.STABLE1)
> 
> 
> I'm trying a whole host of websites (www.sky.com/news, www.ananova.com,
> etc)
> 
> Can anybody offer any advice on how to get round this?
> 
> Cheers
> 
> Steve
> 
> 
> 



Re: [squid-users] Passing identd username to cache_peer?

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Chris Wilcox wrote:

> I'm aware that when using basic_auth I can use 'login=*:password' in the 
> cache_peer definition to make squid pass the basic_auth username to the peer 
> cache.  But when only using identd lookups the identd string is not passed 
> in the same manner.
> 
> Is this possible and if so how?

Not at the moment no. The ident information is simply not available to 
Squid when forwarding the request. The ident is a property of the client 
connection, not the request.

Regards
Henrik



RE: [squid-users] Problem configuring winbind for squid

2003-10-22 Thread Adam Aube
Please don't ask a question by replying to another question; send a
new message to the list instead.

> i am trying to configure winbind on my linux to
> allow ntlm authentication.

> i followed the article i found on squid faq.
> on running wbinfo -a domain\\user%password, 
> i get "plaintext password authentication succeeded"
> and nothing more. i did not get any
> challenge/response authentication.

> i also learnt that i cannot do NTLM without compiling
> samba with --with-winbind etc.

Correct.

> so what can i do with this setup since it can talk to
> windows domain and it did join successfully.

You can use basic auth with the Winbind helpers. This will allow you
to use the usernames and passwords in your Windows domain, but users
will be prompted by their browsers for their login information.

> i also can't find anything on squid helper.
> i had something like 
> # /usr/local/squid/libexec/wb_auth -d in the manual.
> i can't seem to find a file with the name wb_auth on my system.

Then you probably didn't build the helper support into Squid (using
the appropriate --enable options to configure), see configure --help
for a list of options.

What does squid -v give as output?

Adam

Re: [squid-users] SQUID and MS Active Directory

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Rothermel Wolfgang wrote:

> Approximately next year it is planned to migrate the MS NT 4 domain to a
> native W2k AD structure.
> 
> Is it possible to 
> - use AD users and AD groups in SQUID ACLs

Yes.

> - authenticate the IE users transparently as the NTLM authenticator does it
> currently.

Yes and no.

As long as your AD setup supports NT systems you can continue using the
winbind approach for NTLM authentication, just as you do today.

You can also use LDAP for connecting to MS AD. This is a more reliable 
method, but only works for Basic authentication, not NTLM.

You can however combine both, using LDAP for Basic authentication and
groups, and Winbind for NTLM authentication.

Regards
Henrik



Re: [squid-users] Proxy Authentication and Java Applets

2003-10-22 Thread Henrik Nordstrom
On Wed, 22 Oct 2003, Rothermel Wolfgang wrote:

> When a java applet is to be loaded from a website an authentication
> dialogbox appears and the credentials have to be entered explicitly.

This should only happen if you are using a third-party JRE I think..

> When I understand it correctly the reason for this is that squid
> authenticates a socket (ip address and source port).  When the Java Virtual
> Machine is not part of the browser but a different process the browser's
> authentication is not valid for the JVM.

Nope. It simply is from the fact that the JVM runs somewhat detached from 
the internal logics of the browser, initiating its own network 
connections rather than using the HTTP module of the browser (where the 
support for authentication resides in the browser).

> Is there a way to avoid the JVM authentication box ?

Using a JVM which supports integrated NTLM login method, or using the HTTP 
access methods from within JVM which uses the browser HTTP module and not 
direct network connections from JVM. The latter is application dependent, 
and is determined by the programmer when writing the application.

Regards
Henrik





Re: [squid-users] Problem configuring winbind for squid

2003-10-22 Thread Thomas . Bauer

Hi,

the wb_auth is located in /usr/lib/squid or in /usr/local/squid/libexec/ on my system.
but the command you are talking about is not working on my system.
Good luck.
Tommy

"Taiwo Akinosho" <[EMAIL PROTECTED]ank.com.ng>
To: <[EMAIL PROTECTED]>
cc:
Subject: [squid-users] Problem configuring winbind for squid




hello,
i am trying to configure winbind on my linux to
allow ntlm authentication.

i followed the article i found on squid faq.
on running wbinfo -a domain\\user%password,
i get
"plaintext password authentication succeeded" and
nothing more. i did not get any challenge/response
authentication.

i also learnt that i cannot do NTLM without compiling
samba with --with-winbind etc.

so what can i do with this setup since it can talk to
windows domain and it did join successfully.

i also can't find anything on squid helper.
i had something like
# /usr/local/squid/libexec/wb_auth -d in the manual.
i can't seem to find a file with the name wb_auth on my system.
is this connected with the samba compilation process or do i have a problem
with squid?

thanks a lot
Taiwo.



[squid-users] Problem configuring winbind for squid

2003-10-22 Thread Taiwo Akinosho
hello,
i am trying to configure winbind on my linux to
allow ntlm authentication.

i followed the article i found on squid faq.
on running wbinfo -a domain\\user%password, 
i get 
"plaintext password authentication succeeded" and
nothing more. i did not get any challenge/response
authentication.

i also learnt that i cannot do NTLM without compiling
samba with --with-winbind etc.

so what can i do with this setup since it can talk to
windows domain and it did join successfully.

i also can't find anything on squid helper.
i had something like 
# /usr/local/squid/libexec/wb_auth -d in the manual.
i can't seem to find a file with the name wb_auth on my system.
is this connected with the samba compilation process or do i have a problem
with squid?

thanks a lot
Taiwo.

-Original Message-
From: Jordan Young [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 2:51 PM
To: 'Henrik Nordstrom'
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Need to set up a one-time redirect, per user,
for a client...


Are there any redirectors that have database support for something similar
to this already available?

 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 21, 2003 10:27 PM
To: Jordan Young
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Need to set up a one-time redirect, per user, for
a client...

On Tue, 21 Oct 2003, Jordan Young wrote:

> I have a client that needs a hotspot system, and they need it to 
> accept all first URL requests and send them to their web site.  After 
> the first request is made, then they want it to open up for outside 
> sources.  It is not a pay system, but they just want all customers to 
> see their web site.  I know there is some way to do this, whether it 
> be with squid (preferred), or with netfilter.  If anybody could please
> help me, that would be great.

Neither Squid or Netfilter have the technology for doing this builtin.

Adding technology to Squid for doing this is relatively simple. You will
need a redirector helper using a database keeping track of when the user was
last seen, and if the user was not active in the last say 60 minutes then
redirect him to the selected site (and record in the database that the user
is active, as is done for any other request).

Regards
Henrik







Re: [squid-users] Compilation information

2003-10-22 Thread Marc Elsen


Benjamín Vayá wrote:
> 
> Hi there:
> 
> I've installed Squid on Red Hat 9, but I don't remember the options that I've
> used to compile it. Is there any way to know this information?
> 
> Thanks a lot for helping me!!

  %  squid -v

  will list the configure options squid was built with.
  Not the compiler options though.

  M.

-- 

 'Love is truth without any future.
 (M.E. 1997)


RE: [squid-users] Compilation information

2003-10-22 Thread Adam Aube
> I've installed Squid on Red Hat 9, but I don't
> remember the options that I've used to compile it.

They are shown in the output of squid -v (if your Squid version is 2.5
or 3).

Adam



[squid-users] Compilation information

2003-10-22 Thread Benjamín Vayá
Hi there:

I've installed Squid on Red Hat 9, but I don't remember the options that I've
used to compile it. Is there any way to know this information?

Thanks a lot for helping me!!




[squid-users] RE: Whitelist / Blacklist

2003-10-22 Thread "Rodriguez Quintero, Juan Diego, SYNAPSIS Perú"
You may try:


acl SitesAllowed dstdomain "/SitesAllowed"

http_access allow SitesAllowed
http_access deny all

where SitesAllowed contains the sites you want your users to be able to access.

Regards, 

JD

-Original message-
From: Olsson Mattias [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 3:02 AM
To: [EMAIL PROTECTED]
Subject: Whitelist / Blacklist




HI 

I'm trying to make an access and deny list. My blacklist should look like
"deny everything" and my whitelist should consist of only allowed links. The
example below works, but I need to define 0.0.0.0/0.0.0.0 as the blacklist.
How do I do that? Can't find it...


acl whitelist url_regex ^http://www\.siemens\.se/

acl blacklist dstdomain .siemens.se

http_access deny blacklist !whitelist


Thanks !!!


/Mattias


RE: [squid-users] Need to set up a one-time redirect, per user, for a client...

2003-10-22 Thread Jordan Young
Are there any redirectors that have database support for something similar
to this already available?

 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 21, 2003 10:27 PM
To: Jordan Young
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Need to set up a one-time redirect, per user, for
a client...

On Tue, 21 Oct 2003, Jordan Young wrote:

> I have a client that needs a hotspot system, and they need it to 
> accept all first URL requests and send them to their web site.  After 
> the first request is made, then they want it to open up for outside 
> sources.  It is not a pay system, but they just want all customers to 
> see their web site.  I know there is some way to do this, whether it 
> be with squid (preferred), or with netfilter.  If anybody could please
> help me, that would be great.

Neither Squid or Netfilter have the technology for doing this builtin.

Adding technology to Squid for doing this is relatively simple. You will
need a redirector helper using a database keeping track of when the user was
last seen, and if the user was not active in the last say 60 minutes then
redirect him to the selected site (and record in the database that the user
is active, as is done for any other request).

Regards
Henrik





RE: [squid-users] probably a simple question

2003-10-22 Thread Alex Sharaz
Yup I do that as well, but if I'm testing a new web cache out I don't want 
to have to keep changing my auto-proxy config file that is load balanced 
over 2 machines and services the whole university every time I want to 
access a different cache.

Anyway the way to do it in ie6 is to add a wildcarded ip address in the 
exceptions section of your proxy definitions. The "bypass proxy server for 
local connections" option only works for named hosts and not ip addresses.

My exceptions entry has 150.237.*.*;*.hull.ac.uk

which covers everything

alex

--On 22 October 2003 08:43 -0400 Adam Aube <[EMAIL PROTECTED]> 
wrote:

99% of the time I use an auto proxy config script to
select whether to go direct to a site or via my caches

The other 1% of the time I configure an explicit web
cache (for testing purposes) in IE6 and then specify an
exclusion list

the above is all very well, but i also want to access
some of our network boxes using their ip address. Can you
tell ie to go direct to an ip address?

No, but you can use your proxy auto-config script; just return DIRECT
for a given IP address.

Adam



Sent using Mulberry 3.01a


RE: [squid-users] Bypassing Squid LDAP authentication?

2003-10-22 Thread Adam Aube
> Was wondering if/how it's possible to bypass the
> LDAP authentication for Squid and let every single
> user with a specific LAN subnet (ie: 192.168.190.*)
> to surf the internet without providing credentials.

http_access rules are processed in the order they're listed in
squid.conf, and the one that matches first is applied. Insert a
http_access rule allowing that subnet before the http_access rule that
requires authentication.

Adam
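
The ordering rule above, as an added example that is not from the thread or from Squid's source: a simplified model of first-match `http_access` evaluation, limited to `src` and `proxy_auth` ACLs, run against the same three rules in both orders. The ACL names `trusted_lan` and `ldap_users` and both sample configurations are constructed for illustration.

```python
import ipaddress

# Constructed sample: subnet rule listed before the authentication rule.
SUBNET_FIRST = """
acl all src 0.0.0.0/0.0.0.0
acl trusted_lan src 192.168.190.0/255.255.255.0
acl ldap_users proxy_auth REQUIRED
http_access allow trusted_lan
http_access allow ldap_users
http_access deny all
"""

# Constructed sample: same rules, authentication rule listed first.
AUTH_FIRST = """
acl all src 0.0.0.0/0.0.0.0
acl trusted_lan src 192.168.190.0/255.255.255.0
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access allow trusted_lan
http_access deny all
"""


def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def evaluate(conf, client_ip, user=None):
    """Return 'allow', 'deny' or 'challenge' for one request.

    Rules are tried top to bottom; within a rule the ACLs are tested left
    to right and all must match. Reaching a proxy_auth ACL without
    credentials produces an authentication challenge.
    """
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            kind, values = acls[name.lstrip("!")]
            if kind == "src":
                hit = any(ip in ipaddress.ip_network(v, strict=False)
                          for v in values)
            elif kind == "proxy_auth":
                if user is None:
                    return "challenge"
                hit = "REQUIRED" in values or user in values
            else:
                raise ValueError("ACL type not modelled: " + kind)
            if hit == negate:
                matched = False
                break
        if matched:
            return action
    # No rule matched: the default is the opposite of the last rule.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("subnet first", SUBNET_FIRST),
                        ("auth first", AUTH_FIRST)):
        # The source address is the only check applied by the subnet rule.
        print(label, evaluate(conf, "192.168.190.25"),
              evaluate(conf, "192.168.10.25"))
```
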



RE: [squid-users] time based Instant Message blocking

2003-10-22 Thread Adam Aube
> I need to provide time-based access to
> yahoo & msn messengers in my college lab.

> The restriction is only for students.
> Staff & Admins have unrestricted access to IM services.

> My rules are like this:

[rules snipped]

I noticed that you specify a proxy_auth acl, but don't show the
http_access line that utilizes it. You haven't shown us all your acl
and http_access lines; please post your entire squid.conf (please
remove any blank lines or comments first).

Adam



RE: [squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Adam Aube
> So I tried to set up squid with winbind.

> I don't know where my problem is hidden. I use
> Samba 3.0.0 and Squid-2.5-STABLE3.

Are you using the helpers that build with Samba? You have to use the
Samba winbind helpers with Samba 3; the Squid helpers won't work.

Adam




RE: [squid-users] Squid Authentication on Domain with groups

2003-10-22 Thread Adam Aube
> I have Squid running at the moment on RedHat 8 with
> Samba 3, and standard authentication with our domain
> controller is working (so only ppl within the network
> can use the proxy).

> But I need to authenticate with the dc by checking if
> the user is in a special group (called "internet") to
> see if he is allowed to use internet.

Use the winbind_group external acl helper (compiles to wb_group) - it
comes with Squid. I don't know for sure if the Squid helper will work
with Samba 3; see if Samba 3 comes with a winbind_group helper, and
use that if it does.

Adam



RE: [squid-users] Parent & Child in squid.conf

2003-10-22 Thread Adam Aube
> I want to setup two machines each with squid, one is connected to the
> internet, the other one is not, i want to put the one which is not
> directly connected to the internet as a child and put some
> machines to browse using it, how do i do it/how do i specify in the
> squid.conf file.

See the following from the Squid FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.9

Adam



RE: [squid-users] SQUID automatic detection Problems

2003-10-22 Thread Adam Aube
> I need to setup the proxy server so that it is
> automatically detected by the client PC.  We're
> running a mixture of Windows 98 to XP Pro PC's

> I've followed the command;
>
> iptables -t nat -D PREROUTING  -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 3128

> The PC's on the network automatically detect the proxy
> server, BUT they get
> the following text displayed;

I believe this error is generally caused by Squid misconfiguration.
Make sure Squid was compiled with Netfilter support (see
./configure --help for a list of options), and make sure the
http_accel options in Squid are properly set (this can be found in the
FAQ and the archives).

My personal recommendation is to dump transparent proxying. It is a
hack that limits the capabilities of the proxy and can cause problems
even when setup properly. Use a proxy auto-configuration script
instead.

Adam



Re: [squid-users] Proxy Authentication and Java Applets

2003-10-22 Thread zottmann
Hi !! 

You should do the following: 

acl java_jvm browser Java 

then, before your http_access for the authenticated users, use: 

http_access allow java_jvm 

Regards, 
Carlos 
 

Hi, 

I'm currently using SQUID 2.5 STABLE3 offering the NTLM and the basic 
authentications schemes, i.e. users using Internet Explorer - 5.5 and 6 - 
are authenticated transparently. 
When a java applet is to be loaded from a website an authentication 
dialogbox appears and the credentials have to be entered explicitly. 

When I understand it correctly the reason for this is that squid 
authenticates a socket (ip address and source port).  When the Java Virtual 
Machine is not part of the browser but a different process the browser's 
authentication is not valid for the JVM. 

Is there a way to avoid the JVM authentication box ? 



Regards 

Wolfgang 







[squid-users] Bypassing Squid LDAP authentication?

2003-10-22 Thread pete_berger
Hello,

Squid-newbie here. Was wondering if/how it's possible to bypass 
the LDAP authentication for Squid and let every single user with a 
specific LAN subnet (ie: 192.168.190.*) to surf the internet without 
providing credentials. Right now we're using Netscape Directory services 
for LDAP. (but would like to move to Microsoft's AD). Any help would be 
great...the more the better since I didn't setup this Squid system and 
know nothing about SuSe Linux. Thanks. :)
-
Peter A. Berger Jr.
 Systems Administrator
 ifm efector, Inc.
 610.524.2760
 HP Certified Professional, 
 CCNA, Network+, Server+, A+



[squid-users] Using Squid as a reverse proxy to balance traffic with stickiness

2003-10-22 Thread Flavio Catalani
Hi,

I've read that squid can balance the requests when used as a reverse proxy 
using stickiness over srcIP.

On http://devel.squid-cache.org/old_projects.html#rproxy it is described as 
beta.

I could not find any info on how to configure squid using sticky load 
balancing. Can anyone help me?

The solution is something like:


        Squid
        /  \
       /    \
      /      \
    Web      Web
  Server    Server

with stickiness  on srcIP: every request from the same IP must be satisfied 
(if not in cache) from the same WebServer.

Note that the web servers will be more than 2.


Thank you, Flavio


RE: [squid-users] Passing identd username to cache_peer?

2003-10-22 Thread Adam Aube
> I'm aware that when using basic_auth I can use 
> 'login=*:password' in the cache_peer definition
> to make squid pass the basic_auth username to the
> peer cache.  But when only using identd lookups
> the identd string is not passed in the same manner.

> Is this possible and if so how?

This was discussed in the last 24 hours - check the list archives.

Adam


RE: [squid-users] Whitelist / Blacklist

2003-10-22 Thread Adam Aube
> I'm trying to make an access and deny list.

> My blacklist should look like "deny everything" and
> my whitelist should consist of only allowed links.

> The example below works, but i need to define
> 0.0.0.0/0.0.0.0 as the blacklist.

> acl whitelist url_regex ^http://www\.siemens\.se/
> acl blacklist dstdomain .siemens.se
> http_access deny blacklist !whitelist

Since you want to deny anything that's not on your whitelist, just use
something like this:

acl whitelist url_regex ^http://www\.somesite\.com
http_access deny !whitelist

Adam
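
An added check, not part of the original reply: url_regex is a regex search over the request URL, so an allowlist pattern that stops in the middle of the host name also admits longer host names that merely start with it. The sketch models the matching with Python's re module (Squid uses POSIX regexes; these simple patterns behave the same); the probe URLs, the intended/unintended labels (an HTTP-only allowlist) and the "unanchored" pattern are constructed assumptions.

```python
import re

# (request URL as the proxy sees it, should this allowlist admit it?)
# All probes are constructed for illustration.
PROBES = [
    ("http://www.somesite.com/", True),
    ("http://www.somesite.com/news/index.html?id=7", True),
    ("http://www.somesite.com.other.example/", False),   # allowed name is only a prefix
    ("http://www.somesite.community.example/", False),   # same, without a dot boundary
    ("http://other.example/?next=http://www.somesite.com/", False),  # name inside query
    ("www.somesite.com:443", False),  # CONNECT requests carry host:port, no scheme
]

PATTERNS = {
    "unanchored": r"www\.somesite\.com",               # constructed, for contrast
    "reply": r"^http://www\.somesite\.com",            # as in the reply above
    "trailing-slash": r"^http://www\.somesite\.com/",  # shape used in the quoted question
}


def admitted(pattern, url):
    """Model 'http_access deny !whitelist': a request passes only if url_regex
    matches. The match is a search, anchored only where the pattern says so."""
    return re.search(pattern, url) is not None


def audit(pattern):
    """Return the probe URLs whose result differs from the intended policy."""
    return [url for url, intended in PROBES if admitted(pattern, url) != intended]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:15} {pattern}")
        for url in audit(pattern) or ["(no mismatches)"]:
            print("     ", url)
```

None of the three patterns matches the CONNECT form, so with "http_access deny !whitelist" HTTPS to the allowed site is refused as well.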



RE: [squid-users] Problem with URLs

2003-10-22 Thread Adam Aube
> I use squid 2.5 stable 3 with cache and i have some
> problem when i want to obtain a web page as
> www.lactalis.fr.

> When i use IE 5.5 sp2 i have a download pop up page
> with download "/lactalis[1]".

> I remark that i have not the problem with netscape
> 4.75 and IE 5.0 sp2.

I would think, then, that it's a browser problem.

> I suppose it's a problem with cache.

> I purge completely my cache and i don't have any more
> problem.

Try switching the ie_refresh setting (if it's on, turn it off, and
vice versa) - this is a workaround for bugs in various versions of IE.

Adam



RE: [squid-users] [OT] PAC and specific rules for specifics users...

2003-10-22 Thread Adam Aube
> I use PAC (proxy autoconfig) on the clients to fix
> the parameters of the proxy. So, I would like to use
> specific rules for particular users.

That's not possible with a proxy auto-config script, because there is no
form of authentication at this level.

However, if the Virus Wall is Squid's parent, and Squid is able to
access the Internet directly, you might be able to use always_direct
with a proxy_auth acl to make certain users bypass the Virus Wall.

Adam



[squid-users] time based Instant Message blocking

2003-10-22 Thread Manu C S
Hi,

[I'm a newbie, so please bear with me.]

I need to provide time-based access to 
yahoo & msn messengers in my college lab.

The restriction is only for students.
Staff & Admins have unrestricted access to IM services.
For students, chatting is allowed only on
Mondays - full day
all other days: 7AM to 9AM,
12PM to 5 PM
9PM to 12AM

My rules are like this:


acl admin-mc src 192.168.10.1
acl staff-mc src 192.168.10.201-192.168.10.220
acl holiday-time time M 00:00-24:00
acl morning-time time STWHFA 07:00-09:00
acl noon-time time STWHFA 12:00-17:00
acl night-time time STWHFA 21:00-24:00
acl restrict-im dstdom_regex -i "/etc/squid/im"

(where the file /etc/squid/im has the following lines:
msg.*.yahoo.com
messenger.hotmail.com
)
acl student proxy_auth "/etc/squid/students"
(where /etc/squid/students has a list of all the students)

http_access allow restrict-im admin-mc
http_access allow restrict-im staff-mc
http_access allow holiday-time restrict-im localnet
http_access allow morning-time restrict-im localnet
http_access allow noon-time restrict-im localnet
http_access allow night-time restrict-im localnet
http_access deny restrict-im all


On the admin & staff machines, things are working fine.
The problem now is that when I login to a student's machine
as an administrator, I can use the IMs properly.
If I login as a student, I'm unable to use it!

I used ethereal to sniff the traffic in order to 
find out what was happening. I found that
when I used yahoo messenger, absolutely no contact was
made with the gateway on which the proxy server was sitting.
Yahoo messenger immediately gave me a message saying
'Not connected'
In case of msn messenger, it was contacting the proxy,
but I wasn't prompted for proxy authentication. Finally I would
get a timed out message. In ethereal's output I found that
the proxy was actually sending back a HTML error message 
saying 'Cache access denied' because of improper authentication.

To make things more complicated, 2 of the total 95 machines
in the student network are allowing proper access to IMs!

All the machines on our network have Windows XP or 2K.
I'm using yahoo messenger v5.6 and msn messenger v6.0

Can anyone please help?

[If needed, I can email the entire squid.conf file. It's about 
119 lines long.]

Regards,
Manu
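
An added example, not part of the original post: the http_access lines above evaluated the way Squid does it, top to bottom, with every ACL on a line having to match and the first matching line deciding. It shows that these rules key only on source address, time and destination host; the `student` proxy_auth ACL is not referenced by any of them. The `localnet` and `all` definitions come from the full squid.conf posted in the follow-up message; the client address, the IM host names and the inclusive handling of the window ends are assumptions.

```python
import ipaddress
import re
from datetime import datetime

DAY_CODES = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Monday = 0)


def src(spec):
    """src ACL: one address, address/netmask, or a lo-hi range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lambda r: lo <= ipaddress.ip_address(r["ip"]) <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda r: ipaddress.ip_address(r["ip"]) in net


def time_acl(days, span):
    """time ACL: day letters plus an HH:MM-HH:MM window (both ends inclusive here)."""
    start, end = span.split("-")

    def match(r):
        hhmm = r["when"].strftime("%H:%M")
        return DAY_CODES[r["when"].weekday()] in days and start <= hhmm <= end
    return match


def dstdom_regex(patterns):
    """dstdom_regex -i: case-insensitive regex search on the destination host."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda r: any(c.search(r["host"]) for c in compiled)


ACLS = {
    "admin-mc": src("192.168.10.1"),
    "staff-mc": src("192.168.10.201-192.168.10.220"),
    "localnet": src("192.168.10.0/255.255.255.0"),  # from the full squid.conf
    "all": src("0.0.0.0/0.0.0.0"),                  # from the full squid.conf
    "holiday-time": time_acl("M", "00:00-24:00"),
    "morning-time": time_acl("STWHFA", "07:00-09:00"),
    "noon-time": time_acl("STWHFA", "12:00-17:00"),
    "night-time": time_acl("STWHFA", "21:00-24:00"),
    "restrict-im": dstdom_regex(["msg.*.yahoo.com", "messenger.hotmail.com"]),
}

RULES = [
    "http_access allow restrict-im admin-mc",
    "http_access allow restrict-im staff-mc",
    "http_access allow holiday-time restrict-im localnet",
    "http_access allow morning-time restrict-im localnet",
    "http_access allow noon-time restrict-im localnet",
    "http_access allow night-time restrict-im localnet",
    "http_access deny restrict-im all",
]


def decide(ip, host, when):
    """Return (action, rule) for the first rule whose ACLs all match, else (None, None)."""
    request = {"ip": ip, "host": host, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    for rule in RULES:
        _, action, *names = rule.split()
        if all(ACLS[name](request) for name in names):
            return action, rule
    return None, None  # nothing in this excerpt applies; later http_access lines decide


if __name__ == "__main__":
    student_pc, im_host = "192.168.10.50", "cs1.msg.yahoo.com"  # constructed values
    for when in ("2003-10-20 10:30", "2003-10-21 10:30", "2003-10-21 12:30"):
        print(when, decide(student_pc, im_host, when))
```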



RE: [squid-users] probably a simple question

2003-10-22 Thread Adam Aube
> 99% of the time I use an auto proxy config script to
> select whether to go direct to a site or via my caches

> The other 1% of the time I configure an explicit web
> cache (for testing purposes) in IE6 and then specify an
> exclusion list

> the above is all very well, but i also want to access
> some of our network boxes using their ip address. Can you
> tell ie to go direct to an ip address?

No, but you can use your proxy auto-config script; just return DIRECT
for a given IP address.

Adam



[squid-users] Seamless authentication for squid linux in a NT Domain using samba and winbind!

2003-10-22 Thread Thomas . Bauer
Hi everybody!

I wanna run a squid proxy server on Red Hat 9.0 in an Win NT 4 environment. At the 
moment squid is running on NT but it sucks
and crashes all the time.
I set squid up on linux and tried the msnt authenticate. It works but I don't want a 
prompt if you start the internet explorer.
So I tried to set up squid with winbind.

I tried all the configurations and the hints in all threads I found.

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

wbinfo -t responds SUCCESS
wbinfo -g shows me all the NT groups
wbinfo -u shows me all the NT users
wbinfo -a mydomain\myuser%mypasswd SUCCESS


but the following command responds always the same error:

/usr/local/squid/libexec/wb_auth -d
/wb_auth[14615](wb_basic_auth.c:168): basich winbindd auth helper build Oct 21 2003, 
09:47:15 starting up...
mydomainmyuser mypasswd
/wb_auth[14615](wb_basic_auth.c:129): Got 'mydomainmyuser mypasswd' from squid 
(length: 21).
/wb_auth[14615](wb_basic_auth.c:55): winbindd result -1
/wb_auth[14615](wb_basic_auth.c:60): sending 'ERR' to squid
ERR

I don't know where my problem is hidden. I use Samba 3.0.0 and Squid-2.5-STABLE3.

my squid.conf:


auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


I also use free and denied domains which I can access. But if I want to open 
google.com or any other page, the prompt shows
up.
And if I type in my username and password, I can't logon to the Internet.
Some users in our company don't have access to the internet. How can I handle it, that 
the users with internet access can use
the internet without typing in their username and password again?

I hope you can help me out. I am working on this for a few weeks now. But I can't get 
the problem solved.
Thanks a lot for helping me!!




[squid-users] Squid Authentication on Domain with groups

2003-10-22 Thread Altrock, Jens
Hi there!

I have Squid running at the moment on RedHat 8 with Samba 3, and standard
authentication with our domain controller is working (so only ppl within the
network can use the proxy). 
But I need to authenticate with the dc by checking if the user is in a
special group (called "internet") to see if he is allowed to use internet.
anyone got a clue if I can realize this by ACL or any other way?

Jens Altrock
Stadtverwaltung Neustadt an der Weinstraße
Organisation und EDV
Marktplatz 1
67433 Neustadt an der Weinstraße

Tel. +49 6321 855 330
mailto:[EMAIL PROTECTED]
http://www.neustadt-weinstrasse.de




[squid-users] Parent & Child in squid.conf

2003-10-22 Thread Frank Chibesakunda
Hi,

I want to setup two machines each with squid, one is connected to the 
internet, the other one is not, i want to put the one which is not 
directly connected to the internet as a child and put some machines to 
browse using it, how do i do it/how do i specify in the squid.conf file.

rgds,

frank

--
PK



Re: [squid-users] SQUID and MS Active Directory

2003-10-22 Thread Robert Collins
On Wed, 2003-10-22 at 18:24, Rothermel Wolfgang wrote:

> Is it possible to 
> - use AD users and AD groups in SQUID ACLs

Yes.

> - authenticate the IE users transparently as the NTLM authenticator does it
> currently.

Yes.

Cheers,
Rob
-- 
GPG key available at: .




[squid-users] SSL and Authentication in http accelerator mode

2003-10-22 Thread Reuben Pearse
Hi all,

How do I configure Squid to run in http accelerator mode, over SSL,
using pam authentication? 
The backend web server which Squid is sitting in front of, will be
communicating with Squid using normal HTTP, but the client needs to talk
to the Squid server over SSL - so it kinda looks like this.


 -------                ------------             --------------
|Client | <== SSL ===> |Squid server|<--HTTP--->|Backend Server|
 -------                ------------             --------------
                             |
                             |
                             \/
                        PAM database


NOTE: The Linux user accounts will be on the same server that Squid is
running on.

Has anyone got an example config file of how to do this?
I am currently experimenting on RedHat9 using Squid 2.5.

Thanks

Reuben
[EMAIL PROTECTED]



[squid-users] SQUID automatic detection Problems

2003-10-22 Thread Steve . Simpson


Hi,

I have a Redhat Linux 9 server setup.  I've configured Shorewall firewall
as the main firewall and I've also setup Squid so that I can ban particular
words and sites.  I need to setup the proxy server so that it is
automatically detected by the client PC.  We're running a mixture of
Windows 98 to XP Pro PC's

I've followed the command;

iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

The PC's on the network automatically detect the proxy server, BUT they get
the following text displayed;

ERROR
The requested URL could not be retrieved



While trying to retrieve the URL: /

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed
Your cache administrator is root.





Generated Wed, 22 Oct 2003 09:10:46 GMT by WELPROXY (squid/2.5.STABLE1)


I'm trying a whole host of websites (www.sky.com/news, www.ananova.com,
etc)

Can anybody offer any advice on how to get round this?

Cheers

Steve





RE: [squid-users] Problem with URLs

2003-10-22 Thread GUILLEMOT Yann
Yes, when I pass directly I don't have the problem

IE 6.0 made the same thing.

-Original Message-
From: Marc Elsen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 October 2003 10:44
To: GUILLEMOT Yann
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Problem with URLs




GUILLEMOT Yann wrote:
> 
> Hello,
> 
> I use squid 2.5 stable 3 with cache and i have some problem when i want to
> obtain a web page as www.lactalis.fr.
> 
> When i use IE 5.5 sp2 i have a download pop up page  with download
> "/lactalis[1]".
> 
> I remark that i have not the problem with netscape 4.75 and IE 5.0 sp2.
> 
> I don't understand because IE and Netscape receive the same packets TCP.
> (Ethereal)
> 
> I suppose it's a problem with cache.

  Your test seems to indicate browser issue(s) however.

  Verify this, by if possible connecting to problem url's directly
  without squid.

  M.

> 
> I purge completely my cache and i don't have any more problem.
> 
> Also i have the problem when i want to consult PDF File example
> http://www.enterasys.com/products/switching/6C107/6C107.pdf...
> 
> Is it important to purge periodically cache ? (Crontab)
> 
> Sincerely.
> 
> Yann Guillemot
> Lactalis Informatique - service réseau
> tel : 02 43 59 51 50
> fax : 02 43 59 27 61

-- 

 'Love is truth without any future.
 (M.E. 1997)


[squid-users] Passing identd username to cache_peer?

2003-10-22 Thread Chris Wilcox
Hi all,

I'm aware that when using basic_auth I can use 'login=*:password' in the 
cache_peer definition to make squid pass the basic_auth username to the peer 
cache.  But when only using identd lookups the identd string is not passed 
in the same manner.

Is this possible and if so how?

Cheers for any replies,

Chris




Re: [squid-users] Problem with URLs

2003-10-22 Thread Marc Elsen


GUILLEMOT Yann wrote:
> 
> Hello,
> 
> I use squid 2.5 stable 3 with cache and i have some problem when i want to
> obtain a web page as www.lactalis.fr.
> 
> When i use IE 5.5 sp2 i have a download pop up page  with download
> "/lactalis[1]".
> 
> I remark that i have not the problem with netscape 4.75 and IE 5.0 sp2.
> 
> I don't understand because IE and Netscape receive the same packets TCP.
> (Ethereal)
> 
> I suppose it's a problem with cache.

  Your test seems to indicate browser issue(s) however.

  Verify this, by if possible connecting to problem url's directly
  without squid.

  M.

> 
> I purge completely my cache and i don't have any more problem.
> 
> Also i have the problem when i want to consult PDF File example
> http://www.enterasys.com/products/switching/6C107/6C107.pdf...
> 
> Is it important to purge periodically cache ? (Crontab)
> 
> Sincerely.
> 
> Yann Guillemot
> Lactalis Informatique - service réseau
> tel : 02 43 59 51 50
> fax : 02 43 59 27 61

-- 

 'Love is truth without any future.
 (M.E. 1997)


[squid-users] Problem with URLs

2003-10-22 Thread GUILLEMOT Yann
Hello,

I use squid 2.5 stable 3 with cache and i have some problem when i want to
obtain a web page as www.lactalis.fr.

When i use IE 5.5 sp2 i have a download pop up page  with download
"/lactalis[1]". 

I remark that i have not the problem with netscape 4.75 and IE 5.0 sp2.

I don't understand because IE and Netscape receive the same packets TCP.
(Ethereal)

I suppose it's a problem with cache.

I purge completely my cache and i don't have any more problem.

Also i have the problem when i want to consult PDF File example
http://www.enterasys.com/products/switching/6C107/6C107.pdf...

Is it important to purge periodically cache ? (Crontab)

Sincerely.


Yann Guillemot  
Lactalis Informatique - service réseau
tel : 02 43 59 51 50
fax : 02 43 59 27 61



[squid-users] SQUID and MS Active Directory

2003-10-22 Thread Rothermel Wolfgang
Hi,

currently we're using SQUID 2.5 STABLE3 in conjunction with winbind for
authenticating our users when accessing internet sites.
SQUID is offering both NTLM and Basic authentication schemes and forwards
the request to our NT4 PDC.
IE users are authenticated transparently at the moment.

Approximately next year it is planned to migrate the MS NT 4 domain to a
native W2k AD structure.

Is it possible to 
- use AD users and AD groups in SQUID ACLs
- authenticate the IE users transparently as the NTLM authenticator does it
currently.

I'd like to avoid the migration to a MS ISA server.

Regards

Wolfgang



[squid-users] Proxy Authentication and Java Applets

2003-10-22 Thread Rothermel Wolfgang
Hi,

I'm currently using SQUID 2.5 STABLE3 offering the NTLM and the basic
authentications schemes, i.e. users using Internet Explorer - 5.5 and 6 -
are authenticated transparently.
When a java applet is to be loaded from a website an authentication
dialog box appears and the credentials have to be entered explicitly.

When I understand it correctly the reason for this is that squid
authenticates a socket (ip address and source port).  When the Java Virtual
Machine is not part of the browser but a different process the browser's
authentication is not valid for the JVM.

Is there a way to avoid the JVM authentication box ?



Regards

Wolfgang


[squid-users] Whitelist / Blacklist

2003-10-22 Thread Olsson Mattias


HI 

I'm trying to make an access and deny list. My blacklist should look like
"deny everything" and my whitelist should consist of only allowed links. The
example below works, but I need to define 0.0.0.0/0.0.0.0 as the blacklist.
How do I do that? Can't find it...


acl whitelist url_regex ^http://www\.siemens\.se/

acl blacklist dstdomain .siemens.se

http_access deny blacklist !whitelist


Thanks !!!


/Mattias


Re: [squid-users] mod_expire newbie question?

2003-10-22 Thread Henrik Nordstrom

Sorry, I am not an Apache guru.

This kind of question is better asked in the appropriate Apache forum. 
See http://httpd.apache.org/ for details on available Apache forums where 
one can ask fellow Apache administrators for configuration help.

Regards
Henrik


On Wed, 22 Oct 2003, Christian Purnomo wrote:

> Thanks Henrik.
> 
> I've tried using mod_expires but ...
> 
> ExpiresActive On
> ExpiresByType application/x-httpd-cgi A20
> ExpiresDefault A30
> 
> with the above settings, ExpiresDefault gets executed, application/x-httpd-cgi 
> doesn't.  I have been trying in the last 4 hours to figure out the right mime/type 
> what my /cgi-bin/path/to/file.wxh.  Neither text/html works. 
> 
> I have looked at the web for hints about mod_expires / mod_headers, but there 
> weren't many helpful links.
> 
> Could you or anyone share some thoughts on this? 
> 
> Many thanks.
> 
> PS: thanks for your hard work being a very active member in this list.
> 
> 
> Subject: Re: [squid-users] mod_expire newbie question?
> Date: Tue, Oct 21, 2003 at 10:38:19AM +0200
> Quoting Henrik Nordstrom ([EMAIL PROTECTED]):
> 
> : On Tue, 21 Oct 2003, Christian Purnomo wrote:
> : 
> : > I'm trying to figure out a way I can refresh my cache every day, ideally the
> : > caches would be re-freshed as soon as the database is updated (at a specific
> : > time via cron job).  One way of doing this that I can see is to include
> : > 'Expires: GMT' header for something.wxh and the date HAS TO be absolute, as in:
> : >   Expires: Tue Oct 21 2003 17:05:44 GMT
> : 
> : I think mod_header is a closer match for what you want to do. If not try 
> : asking in the appropriate Apache forum.
> : 
> : Regards
> : Henrik
> 



Re: [squid-users] mod_expire newbie question?

2003-10-22 Thread Christian Purnomo
Thanks Henrik.

I've tried using mod_expires but ...

ExpiresActive On
ExpiresByType application/x-httpd-cgi A20
ExpiresDefault A30

with the above settings, ExpiresDefault gets executed, application/x-httpd-cgi 
doesn't.  I have been trying in the last 4 hours to figure out the right mime/type 
what my /cgi-bin/path/to/file.wxh.  Neither text/html works. 

I have looked at the web for hints about mod_expires / mod_headers, but there weren't 
many helpful links.

Could you or anyone share some thoughts on this? 

Many thanks.

PS: thanks for your hard work being a very active member in this list.


Subject: Re: [squid-users] mod_expire newbie question?
Date: Tue, Oct 21, 2003 at 10:38:19AM +0200
Quoting Henrik Nordstrom ([EMAIL PROTECTED]):

: On Tue, 21 Oct 2003, Christian Purnomo wrote:
: 
: > I'm trying to figure out a way I can refresh my cache every day, ideally the
: > caches would be re-freshed as soon as the database is updated (at a specific
: > time via cron job).  One way of doing this that I can see is to include 'Expires:
: > GMT' header for something.wxh and the date HAS TO be absolute, as in:
: > Expires: Tue Oct 21 2003 17:05:44 GMT
: 
: I think mod_header is a closer match for what you want to do. If not try 
: asking in the appropriate Apache forum.
: 
: Regards
: Henrik


[squid-users] [OT] PAC and specific rules for specifics users...

2003-10-22 Thread ch045-2
Hello.
I use a proxy (squid 2.4) in front of my LAN.
Between the squid dedicated server and the LAN, i run an antivirus server. 
      Internet
          |
  Proxy (Squid 2.4)
          |
      VirusWall
          |
         LAN
My users have problems when downloading big files. This problem comes with the 
use of the antivirus server.
I use PAC (proxy autoconfig) on the clients to fix the parameters of the 
proxy.
So, I would like to use specific rules for particular users. I would like this user 
to send requests directly to Squid and not use the Viruswall.
I use rules on my config script for IP, domains, regex and this works fine.
I don't know how to write the rule for a specific user (and I don't know if 
this is possible)...

I have read the docs:
http://squid-docs.sourceforge.net/latest/html/x1187.html#AEN1220
http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Thanks for your help.

Regards,
-- 
E.Bullier