Re: AW: [squid-users] Redirect unauthenticated users to a local web page
Hi

I've installed headsup and found the following:

When using an uploaded custom pac file I'm getting (The page cannot be displayed) whatever URL I put. And when using the pac file built by headsup, it's working but opening two windows - the welcome page and the requested URL.

Why is the custom pac file not working, and why doesn't it open the welcome page in the same window?

Thanks,

--- [EMAIL PROTECTED] wrote:
> "headsup" should do the trick. I tried it some months ago and it worked fine.
>
> ---
>
> Hi all,
>
> A couple of months ago, my boss asked me if it was possible to display an Internet Access Policy when users first launch their browsers without setting the "Home" or "Start" page. His thought was that it should be possible with our current Squid Servers. I searched the mailing list and noticed the question had been asked before but it wasn't possible without some coding. I let him know.
>
> The problem bugged me for ages. I do not know how to program in C so writing the necessary code was not an option for me. Also what about sites that do not use a Proxy Server or a server other than Squid. To cut a long story short I developed an application in TCL that I want to share with the Squid community in an effort to give something back and hopefully to help others.
>
> The application is called "HeadsUp" and it can display an Internet Access Policy or Message of the Day (MOTD) to users. Browsers need to be configured to use a PAC file and a slight change to any existing PAC file is all that is needed. The PAC file directs the browser's first request to the server which is running "HeadsUp". "HeadsUp" downloads a page which brings up a Popup window and causes the browser to reload the page again to load the real page. "HeadsUp" is available from http://www.freewebs.com/headsup It is built on Tclhttpd, a webserver written in pure TCL, and packaged as a Starkit. It runs on Windows, Linux, HP-UX, Tru64 and Solaris.
>
> Easy to install, just copy 2 files to your system and run. No compiling necessary. To uninstall delete the 2 files!
>
> Enjoy!
>
> Kind Regards
>
> Jeff Smith
>
> P.S. Can a link be added to http://www.squid-cache.org/related-software.html
>
> Kind regards
>
> Werner Rost
> GM-FIR - Netzwerk
>
> ZF Boge Elastmetall GmbH
> Friesdorfer Str. 175
> 53175 Bonn
>
> Tel. +49 228 38 25 - 420
> Fax +49 228 38 25 - 398
> mailto:[EMAIL PROTECTED]
> www.zf.com/boge-elastmetall
>
> > -----Original Message-----
> > From: hasan shatty [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, 16 November 2003 10:26
> > To: [EMAIL PROTECTED]
> > Subject: [squid-users] Redirect unauthenticated users to a local web page
> >
> > We need to redirect all users to an intranet web page before they authenticate, then authentication will happen in that page.
> > i.e. instead of getting just a popup window to fill the user name and password, we need to display a welcome page with some info, then popup the login window.
Re: [squid-users] Starting Squid in FreeBSD 5.1
At 12:30 AM 18/11/2003 +, Antony Stone wrote:

What is the best way to start squid in FreeBSD 5.1.

sudo cat /usr/local/etc/rc.d/squid.sh

#!/bin/sh

if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi

case "$1" in
start)
    if [ -x ${PREFIX}/sbin/squid -a -f ${PREFIX}/etc/squid/squid.conf ]; then
        (cd /${PREFIX}/squid/logs; ${PREFIX}/sbin/squid >/dev/null 2>&1 &) ; echo -n ' squid'
    fi
    ;;
stop)
    ${PREFIX}/sbin/squid -k shutdown 2>&1
    # Uncomment this if you'd like the system to (attempt to
    # wait for) squid to shut down cleanly
    #echo "Sleeping for 45 seconds to allow squid to shutdown.."
    #sleep 45
    ;;
*)
    echo "Usage: `basename $0` {start|stop}" >&2
    ;;
esac

exit 0

Regards,
Jason.

--
Jason Oakley +612 82821434
Open and Intel Systems
Systems Administrator http://www.eds.com

Add a dab of lavender to milk
Leave town with an orange and pretend you are laughing at it
Re: [squid-users] Starting Squid in FreeBSD 5.1
On Monday 17 November 2003 10:00 pm, Thron wrote:
> What is the best way to start squid in FreeBSD 5.1.
> Right now I'm using a Cron to start it but I get the following errors after the first person tries to connect.
>
> login: Nov 4 15:50:30 server-name kernel: pid 445 (squid), uid 1001: exited on signal 6
>
> Nov 4 15:50:30 server-name squid[445]: authenticateNTLMHandleReply: called with no result string
>
> How can I resolve this problem? Any help would be greatly appreciated.

I'm not a FreeBSD expert, but I wonder which user is running the cron job? Does the user have sufficient privileges?

Also, just out of curiosity, why are you starting it from cron - why not from a system startup (boot) script? Do you find it needs restarting periodically?

Antony.

--
It's beautiful, man, beautiful. It's enough to make me merely hate BIND rather than loathe it with every fibre of my being.
 - David Cantrell

Please reply to the list; please don't CC me.
Re: [squid-users] Restricting access via ip
On Tuesday 18 November 2003 12:02 am, Newman Emanouel wrote:
> Hello
>
> I am new to this list and would like some help with the following
>
> I would like to limit users accessing the internet between the hours of 11pm 5am but still allow other services like mail to access the net. I have all my servers on a specific range and all my users on another range.
>
> What I would like to do is to stop users from accessing between the hours of 11pm to 5am and then allow normal access
>
> Can anyone please point me to a site which has detailed instructions on how to do this.

If you are using Linux then the built-in firewalling code called netfilter (iptables) can handle time-specific rules for different protocols such as http, smtp and pop3.

See http://www.netfilter.org for more information, and http://iptables-tutorial.frozentux.net/iptables-tutorial.html for one of the best tutorials in existence.

Antony.

--
The trouble with the French is that they don't have a word for 'entrepreneur'.
 - George W Bush, president of the United States of America

Please reply to the list; please don't CC me.
Re: [squid-users] Squid Server multiple Nics
Dear Jim,

It depends on the default gateway you are using for your machine. Check with the route command on Linux-based systems:

[EMAIL PROTECTED] root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.128 U     0      0        0 eth1
192.168.1.128   *               255.255.255.128 U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

That is showing it is using eth1 as default gateway to all other networks. You can add a default route with the following command:

route add default gw 192.168.1.1 eth1

Regards
UW

--- Jim_Brouse/[EMAIL PROTECTED] wrote:
>
> eth0 ip address is 24.0.0.2
> eth1 ip address is 55.0.0.2
>
> We have a squid server with 2 nics, if the DNS server is at 55.0.0.5.
>
> How does the squid server know which nic to gain Internet access from?
>
> Will it gain Internet access from the same nic that the DNS server is listed on? What stops squid from resolving www.domain.com to an IP address and then choosing either of the nics to get internet access from.
>
> I only want squid to gain Internet access on eth1
>
> Jim
[squid-users] Restricting access via ip
Hello

I am new to this list and would like some help with the following

I would like to limit users accessing the internet between the hours of 11pm 5am but still allow other services like mail to access the net. I have all my servers on a specific range and all my users on another range.

What I would like to do is to stop users from accessing between the hours of 11pm to 5am and then allow normal access

Can anyone please point me to a site which has detailed instructions on how to do this.

Regards
Newman
[squid-users] Errors. "is a subdomain of" and FD
Our squid proxy server was SIGHUPped this morning to remove the adzapper redirector. The cache.log file has a huge amount of entries regarding an acl file of sites to block as well as some other errors. The server has been HUPped before without too many problems (certainly not the subdomain error). Has it read the same entries in twice or something? I don't see how a 2LD can be a subdomain of itself..

2003/11/17 20:07:44| WARNING: 'ezgreen.com' is a subdomain of 'ezgreen.com'
2003/11/17 20:07:44| WARNING: because of this 'ezgreen.com' is ignored to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'ezgreen.com' from the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'ezgreen.com' is a subdomain of 'ezgreen.com'
2003/11/17 20:07:44| WARNING: because of this 'ezgreen.com' is ignored to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'ezgreen.com' from the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'facialporn.com' is a subdomain of 'facialporn.com'
2003/11/17 20:07:44| WARNING: because of this 'facialporn.com' is ignored to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'facialporn.com' from the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'facialporn.com' is a subdomain of 'facialporn.com'
2003/11/17 20:07:44| WARNING: because of this 'facialporn.com' is ignored to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'facialporn.com' from the ACL named 'adultSites'
2003/11/17 21:04:13| sslReadServer: FD 42: read failure: (131) Connection reset by peer
2003/11/17 21:49:13| sslReadServer: FD 72: read failure: (131) Connection reset by peer
2003/11/17 21:49:14| sslReadServer: FD 66: read failure: (131) Connection reset by peer
2003/11/17 22:14:39| comm_accept: FD 10: (130) Software caused connection abort
2003/11/17 22:14:39| httpAccept: FD 10: accept failure: (130) Software caused connection abort
2003/11/17 22:22:44| sslReadServer: FD 73: read failure: (131) Connection reset by peer
2003/11/17 22:27:43| sslReadServer: FD 108: read failure: (131) Connection reset by peer
2003/11/17 22:27:43| sslReadServer: FD 118: read failure: (131) Connection reset by peer
2003/11/17 22:31:55| sslReadServer: FD 96: read failure: (131) Connection reset by peer

TIA

Regards,
Jason.

--
Jason Oakley +612 82821434
Open and Intel Systems
Systems Administrator http://www.eds.com

Add a dab of lavender to milk
Leave town with an orange and pretend you are laughing at it
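
The warnings quoted in the message above say that an ACL entry was ignored because another entry in the same list already covers it. The following check is an added example, not part of the original post and not Squid code: it scans a domain-list file for entries listed more than once and for entries covered by a wildcard entry. It assumes one domain per line, `#` comments, and Squid's dstdomain convention that a leading dot (".example.com") also matches every subdomain; the sample list is constructed.

```python
"""Check a Squid dstdomain ACL file for duplicate and overlapping entries.

Added example, not Squid code. Assumptions: one domain per line, '#'
starts a comment, and a leading dot (".example.com") covers example.com
and every subdomain of it, as in Squid's dstdomain ACL type.
"""
from collections import Counter


def parse_entries(text):
    """Return normalised entries: lower-case, comments and blanks removed."""
    entries = []
    for raw in text.splitlines():
        # Drop trailing comments, surrounding whitespace and a trailing root dot.
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.append(line)
    return entries


def find_duplicates(entries):
    """Entries that appear more than once, mapped to how often they appear."""
    counts = Counter(entries)
    return {entry: n for entry, n in counts.items() if n > 1}


def find_covered(entries):
    """Map each entry to the nearest wildcard entry that already matches it."""
    unique = set(entries)
    wildcards = {e for e in unique if e.startswith(".")}
    covered = {}
    for entry in sorted(unique):
        labels = entry.lstrip(".").split(".")
        # An exact entry is also covered by its own wildcard form, so start
        # at index 0 for "example.org" but at index 1 for ".example.org".
        start = 1 if entry.startswith(".") else 0
        for i in range(start, len(labels)):
            parent = "." + ".".join(labels[i:])
            if parent in wildcards and parent != entry:
                covered[entry] = parent
                break
    return covered


def report(text):
    """Return (duplicates, covered) for the contents of an ACL file."""
    entries = parse_entries(text)
    return find_duplicates(entries), find_covered(entries)


# Constructed sample, not the poster's 'adultSites' file.
SAMPLE_ACL = """\
# blocked sites
example.com
ads.example.net
Example.com        # same entry again, different case
.example.org
www.example.org    # covered by .example.org
.cdn.example.org   # covered by .example.org
example.org        # covered by .example.org
"""

if __name__ == "__main__":
    dups, covered = report(SAMPLE_ACL)
    for entry, n in sorted(dups.items()):
        print(f"duplicate: {entry} listed {n} times")
    for entry, parent in sorted(covered.items()):
        print(f"covered:   {entry} is already matched by {parent}")
```

Running it against the real ACL file before a reload shows which lines would trigger the warning, so they can be removed from the list rather than silently ignored at load time.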
[squid-users] Squid Server multiple Nics
eth0 ip address is 24.0.0.2
eth1 ip address is 55.0.0.2

We have a squid server with 2 nics, if the DNS server is at 55.0.0.5.

How does the squid server know which nic to gain Internet access from?

Will it gain Internet access from the same nic that the DNS server is listed on? What stops squid from resolving www.domain.com to an IP address and then choosing either of the nics to get internet access from.

I only want squid to gain Internet access on eth1

Jim
Re: [squid-users] HTTP/1.1
Trigge, Graham wrote:

Guys (and gals),

A colleague of mine is wanting to find out which version of SQUID has HTTP/1.1 compliance (if at all at this point in time). He has searched the web to no avail. Any information would be grateful.

Hello,

As far as I know: None. Squid is HTTP/1.0

rgrds,
Bart

--
Schelstraete Bart
http://www.hansbeke.com
email: bart at schelstraete.org
[squid-users] HTTP/1.1
Guys (and gals),

A colleague of mine is wanting to find out which version of SQUID has HTTP/1.1 compliance (if at all at this point in time). He has searched the web to no avail. Any information would be grateful.

-
Graham Trigge
IT Technical Specialist
Messaging Server Support - Northern Region
(02) 8272 8657
0409 654 434
[EMAIL PROTECTED]

"Birthdays are good for you. The more you have, the longer you live"
[squid-users] Starting Squid in FreeBSD 5.1
What is the best way to start squid in FreeBSD 5.1. Right now I'm using a Cron to start it but I get the following errors after the first person tries to connect.

login: Nov 4 15:50:30 server-name kernel: pid 445 (squid), uid 1001: exited on signal 6

Nov 4 15:50:30 server-name squid[445]: authenticateNTLMHandleReply: called with no result string

How can I resolve this problem? Any help would be greatly appreciated.

Thanks
Thron
Re: [squid-users] Squid logrotate - Howto??
Dear Thomas,

Let's say you want to run the log rotation script at 3:15 AM. Use a crontab entry, by using crontab -e:

15 3 * * * /usr/local/squid/sbin/squid -k rotate

That will do the trick.

Regards
UW

--- [EMAIL PROTECTED] wrote:
> Hey folks,
>
> I have a question again. I want to set up a logrotation for squid on Redhat 9.
> I created a file /etc/logrotate.d/squid with the following content:
>
> /usr/local/squid/var/logs/access.log {
>    daily
>    rotate 14
>    copytruncate
>    compress
>    notifempty
>    missingok
> }
> /usr/local/squid/var/logs/cache.log {
>    daily
>    rotate 14
>    copytruncate
>    compress
>    notifempty
>    missingok
> }
>
> /usr/local/squid/var/logs/store.log {
>    daily
>    rotate 14
>    copytruncate
>    compress
>    notifempty
>    missingok
>    postrotate
>    /usr/local/squid/sbin/squid -k rotate
>    endscript
> }
>
> But the rotation didn't work. I would like the rotation to start daily at midnight.
> What did I do wrong? Or is there anything else to configure that I forgot?
> Thanks in advance!
>
> Regards,
> Tommy
>
> Hansgrohe, Inc.
> Information Service
> 1492 Bluegrass Lakes Parkway
> Alpharetta, GA 30004
> phone (+001) 678 - 762 - 6994
Re: [squid-users] Blocking FTP through squid
On Mon, 17 Nov 2003, Mr. Singh wrote:
> I want to block clients uploading files through squid. How can it be implemented?

Assuming the clients use Squid for FTP access (please remember that Squid is a HTTP proxy) the following will block FTP PUT requests via Squid

acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT

Regards
Henrik
[squid-users] Squid logrotate - Howto??
Hey folks,

I have a question again. I want to set up a logrotation for squid on Redhat 9.
I created a file /etc/logrotate.d/squid with the following content:

/usr/local/squid/var/logs/access.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
}
/usr/local/squid/var/logs/cache.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
}

/usr/local/squid/var/logs/store.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
   postrotate
   /usr/local/squid/sbin/squid -k rotate
   endscript
}

But the rotation didn't work. I would like the rotation to start daily at midnight.
What did I do wrong? Or is there anything else to configure that I forgot?
Thanks in advance!

Regards,
Tommy

Hansgrohe, Inc.
Information Service
1492 Bluegrass Lakes Parkway
Alpharetta, GA 30004
phone (+001) 678 - 762 - 6994
[squid-users] authentication issue
I have a customer that uses a proxy server to authenticate users to an internet based system. In summary, it is installed in a DMZ as a reverse proxy accessing the customer's service. The Service is built up using several VIP addresses over http.

When an Internet user accesses the external URL they are presented with Proxy authentication against the directory server. Once authenticated they then further authenticate to the internal service. This is fine, however when the user accesses say the webmail link they are redirected to webmail1.xxx.net and are presented with a further Proxy authentication. In total there could be up to five proxy authentications if a user accessed all services (webmail, calendar, Instant messaging etc etc) within a session.

What the customer is looking for is a Proxy Server that can support session based authentication, so regardless of what address you are redirected to, you only authenticate once.

Does Squid Support this type of model?

Regards
steve
RE: [squid-users] ACL problems
> I keep getting this error with Squid (i fully admit I'm a novice)
> Access Denied.
> I've setup the ACL to allow client addresses from
> 192.168.0.15-192.168.0.150/255.255.255.0

Have you read the Access Controls FAQ?

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

If, after reading this, you still can't solve the problem, please post your entire squid.conf (without blank lines or comments).

Adam
[squid-users] ACL problems
I keep getting this error with Squid (I fully admit I'm a novice)

The following error was encountered:

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

I've setup the ACL to allow client addresses from 192.168.0.15-192.168.0.150/255.255.255.0

Any ideas?

Thanks in advance!

Ryan
[squid-users] squid +smb_auth + sarg
----- Forwarded by Azad A/IDM/TCSCHENNAI on 11/17/2003 10:50 PM -----

Azad A
11/15/2003 03:37 PM

To: [EMAIL PROTECTED]
cc:
Subject: squid +smb_auth + sarg

Hi

I use squid 2.4 and smb_auth for authenticating with Windows 2000 domain users. I use Sarg to analyse the statistics and reports. This contains only the IP address from where the system is browsed and not the authenticated user details.

I need the IP address with the user id displayed on the web.

Access.log is pasted:

172.20.128.96 TCP_MISS/304 229 GET http://www.gnu.org/graphics/gnu-head-sm.jpg 135528 DIRECT/199.232.41.10 -

where 135528 is the login used. Has anyone done changes to display this in the sarg report?

Rgds
AZad
Re: [squid-users] Transparency
On Monday 17 November 2003 2:50 pm, [EMAIL PROTECTED] wrote:
> Here is the output:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
> pkts bytes target prot opt in out source destination
> 152 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8000
> 152 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 redir ports 21

The first rule will (re)direct any packets coming in on eth1, which were going to some server on TCP port 80, to TCP port 8000 on the netfilter machine (presumably this is the port that Squid is listening on).

The second rule I find a bit dubious - are you really running an ftp proxy on the machine (perhaps frox?), or are you hoping that Squid is going to transparently proxy ftp for you as well as http? (If you are, you will be disappointed - squid isn't an ftp proxy - well, certainly not in transparent mode, anyway).

Aside from that, I trust you have some appropriate FORWARDing rules to allow the rest of the (non-proxied) traffic through your firewall?

If not, then this is where the problem lies, and since (a) it's much more of a netfilter question than a squid question, and (b) we're both on the netfilter list as well, I suggest we transfer the discussion over there if you need any more help with getting non-http traffic through the machine.

--
Ramdisk is not an installation procedure.

Please reply to the list; please don't CC me.
Re: [squid-users] Transparency
Here is the output:

[EMAIL PROTECTED] logs]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
pkts bytes target prot opt in out source destination
152 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8000
152 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 redir ports 21

Chain POSTROUTING (policy ACCEPT 103 packets, 6335 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 92 packets, 5707 bytes)
pkts bytes target prot opt in out source destination

Thanx for your additional info, Antony.

Regards,
Tim Rainier

Antony Stone <[EMAIL PROTECTED]>
11/17/2003 09:09 AM
To: [EMAIL PROTECTED]
cc:
Subject: Re: [squid-users] Transparency

On Monday 17 November 2003 1:53 pm, [EMAIL PROTECTED] wrote:
> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
> REDIRECT tcp -- anywhere anywhere tcp dpt:ftp redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination

If you're going to post netfilter rules, it's better to post either the original rules which went into the table, or else the output of "iptables -t nat -L -n -v". The -n makes everything numeric so we can see what addresses are involved, and the -v shows more detail including the interfaces which the rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box. i.e.: irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really know about this sort of thing.

> First. I understand that squid proxies http traffic, only. Is this correct?

Yes. Squid will handle ftp requests over http, but only if the browser is configured to use the proxy. In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and the other internet stuff should work.
> ie: I shouldn't need to go into my client programs (putty, mIRC, etc) and tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go directly through your firewall to the Internet, nothing to do with a Squid proxy being around the place.

Also, the whole point about transparent mode is that even for http, the client doesn't know there's a proxy - if it did, it wouldn't be transparent :)

Antony.

--
"I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. It is NOT portable, and it probably never will support anything other than AT-harddisks, as that's all I have :-(."
 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991

Please reply to the list; please don't CC me.
[squid-users] Anyone willing to talk about a big squid setup?
Hi.

I'm talking to a company in the UK who want to implement squid as a replacement for a biggish cache server setup, but they'd like to talk to someone who's already using squid on the same sort of scale, just to get some reassurance it can do the job okay.

They're currently dealing with 20-50 million http requests per day at each of three sites.

If anyone doesn't mind talking to someone about using squid in this sort of setup please reply to me off-list so I can put them in contact.

Thanks,

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear.
 - William Gibson, Neuromancer (1984)
Re: [squid-users] Transparency
On Monday 17 November 2003 1:53 pm, [EMAIL PROTECTED] wrote:
> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
> REDIRECT tcp -- anywhere anywhere tcp dpt:ftp redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination

If you're going to post netfilter rules, it's better to post either the original rules which went into the table, or else the output of "iptables -t nat -L -n -v". The -n makes everything numeric so we can see what addresses are involved, and the -v shows more detail including the interfaces which the rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box. i.e.: irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really know about this sort of thing.

> First. I understand that squid proxies http traffic, only. Is this correct?

Yes. Squid will handle ftp requests over http, but only if the browser is configured to use the proxy. In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and the other internet stuff should work.
> ie: I shouldn't need to go into my client programs (putty, mIRC, etc) and tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go directly through your firewall to the Internet, nothing to do with a Squid proxy being around the place.

Also, the whole point about transparent mode is that even for http, the client doesn't know there's a proxy - if it did, it wouldn't be transparent :)

Antony.

--
"I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. It is NOT portable, and it probably never will support anything other than AT-harddisks, as that's all I have :-(."
 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991

Please reply to the list; please don't CC me.
[squid-users] Transparency
I'm running Squid 2.5 STABLE4 in Transparency.
The proxy server is my gateway.

My NAT table looks as follows:

[EMAIL PROTECTED] logs]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
REDIRECT tcp -- anywhere anywhere tcp dpt:ftp redir ports 21

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Web browsing and ftping both work, at the moment.
I cannot get other internet connections to pass through the box. i.e.: irc connections, telnet connections, etc.

I imagine I need to be speaking with a linux person about this, but had a couple of questions about squid and transparency mode.

First. I understand that squid proxies http traffic, only. Is this correct?

So, all I should need are some redirects and forwards on the nat table and the other internet stuff should work.
ie: I shouldn't need to go into my client programs (putty, mIRC, etc) and tell them it's a proxy connection.

Is this correct?

Regards,
Tim Rainier
[squid-users] Blocking FTP through squid
Dear Users

I want to block clients uploading files through squid. How can it be implemented?

thanks in advance

--
singh
Re: [squid-users] Re: Using ICAP patches
Hi Rui !!

I had this error with some URLs. The last one was this:

http://esportes.terra.com.br/tenis/

Thanks again,

Carlos ...

---
Hi Carlos,

Can you please send me the URL of the file that's causing this error? So I can have look at it and see if it's an issue with SAVSE.

Thank you!

Regards,
Rui
RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login
Hi,

Had the same problem with WCCP/FreeBSD. I use route maps now and all is working 100%. It apparently has to do with the IOS version you use. I spoke to the guys at cacheflow as I tested their product and they gave me that answer. There is also a white paper on their site explaining this problem.

I have not changed the IOS yet so can't tell you if it works or not.

Doron

-----Original Message-----
From: Clive Cleland [mailto:[EMAIL PROTECTED]
Sent: 16 November 2003 03:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

Raphael

Try setting MSS = 1400 for TCP connections from your clients (use this number if your normal MSS is 1500/1476). This is done on the squid server, not the client machines, as it is negotiated during TCP connection setup.

Under iptables, it is done using the following command:

-A OUTPUT -d 1.2.3.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I'm sorry I can't help with FreeBSD/ipfw. If you use 'ip route' to setup routing, I believe it can also be done on a per-route basis.

The problem is that some sites use very large cookies. When the HTTP request exceeds the size of one packet, the addition of the GRE header makes the first packet too large, so it is dropped by the WCCP router. By telling clients to limit their packet size, the addition of the GRE overhead still results in legal packets.

The smaller size should make negligible difference in network performance, but perhaps you can tune this to your needs? Also, you might be able to further restrict this to just port 80 traffic?

Hopefully this at least gives you somewhere to look.

Clive

-----Original Message-----
From: Raphael Maseko [mailto:[EMAIL PROTECTED]
Sent: Sunday, 16 November 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

Hi Fellow Listers,

I have been running squid-2.5.STABLE4 with transparent proxying using WCCP V1 on FreeBSD 4.6.2 without any problems. I have now installed the same version on FreeBSD 4.9. Unlike in the previous version where I had to apply patches and hacks to get the gre packets stripped by my BSD box, I used the "pseudo-device gre" option in the kernel and set up the tunnel using the following:

ifconfig gre0 create
ifconfig gre0 My_Squid_IP 10.20.30.1 netmask 255.255.255.255 link1 tunnel My_Squid_IP My_Router_IP up

and the following IPFW rules:

ipfw add 49 allow tcp from My_Squid_IP to any
ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

(The ipfw is set to default to accept)

Here is a sample from the ipfw -a sh command:

00049 29586 2886034 allow tcp from My_Squid_IP to any
00050 29592 2493277 fwd 127.0.0.1,3128 tcp from any to any 80 in recv gre0
65535 101631 65282581 allow ip from any to any

The transparent proxy is working fine except when it comes to logging into sites like yahoo and hotmail and reading webmail. The main page is accessed but stalls and eventually fails on authentication. I suspect that this has something to do with the gre tunnel and the way packets that are not supposed to be cached are being treated.

Has anyone run into this problem and if so how did you deal with it? Please help.

Thanks in advance.

Ralph
[squid-users] SNMP
Hi All,

I have configured squid to enable snmp so I can monitor it. I see it does start:

Accepting SNMP messages on port 3401, FD 20.

But when I try to query the squid machine I get this in the log:

Failed SNMP agent query from :

And I get nothing back!! Can anyone help?

My config is below for snmp:

acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic crc2

thanks

Kind Regards
Doron Shmaryahu
RE: [squid-users] configuration error
On Mon, 17 Nov 2003, Firas Mubarak wrote:

> yes the clients are all configured to use the proxy,
> the squid server is using upstream proxy

Then see the Squid FAQ on using Squid inside a firewall. This will most likely help.

Regards
Henrik
RE: [squid-users] configuration error
dears,

yes the clients are all configured to use the proxy, the squid server is using upstream proxy

p.s. i can provide u with the squid configuration file in case u need to take a look at it.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Sun 11/16/2003 8:43 PM
To: Firas Mubarak
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] configuration error

On Sun, 16 Nov 2003, Firas Mubarak wrote:

> 1- opening any direct connection, such as ( yahoo messenger, msn messenger )
> 2- they can't log to any page that requires authentication, ( such as, web based emails, or any site that requires username and password. )

Are you running Squid as a transparently intercepting proxy, or are the clients configured to use the proxy?

For best operation make sure to have the clients configured to use the proxy.

Regards
Henrik
Re: [squid-users] Adding cache directory
On Sun, 16 Nov 2003, ads squid wrote:

> "With Squid-2, you will not lose your existing cache.
> You can add and delete cache_dir's without affecting
> any of the others. "
>
> Does that mean both new and old will work together.
> Thanks for support.

Yes.

Regards
Henrik
Re: AW: AW: AW: AW: AW: AW: AW: [squid-users] Group Authentication (NT4 Domain)
On Mon, 17 Nov 2003, Altrock, Jens wrote:

> k, forgot that :(
> I set cache_effective_user to squid, as well as cache_effective group to
> squid.
> Same error even permissions are right?

So what does the error look like now? If it still says 'nobody' then cache_effective_user is still not set correctly.

Regards
Henrik
Re: [squid-users] Error in cache.log file
Hello

I feel that the root file system is Full, do u have cache directory over there? Can u move the cache to some partition which has space?

Regards
Babar Kazmi.

On Sunday 16 November 2003 11:33 am, ads squid wrote:

> This is output of df
> *
> Filesystem      Used  Available  Use%  Mounted on
> /dev/hda5     472375       7126   99%  /
> /dev/hda1       9378      86492   10%  /boot
> /dev/hda3      64220    9173968    1%  /home
> none               0     111532    0%  /dev/shm
> /dev/hda2    1236568   24046956    5%  /usr
> /dev/hda6     127876     847684   14%  /var
>
> I have created /cache directory in the partition where
> /root directory resides.
Re: [squid-users] Squid NT vs. Squid Linux
Hello

As far as I see managing Squid on NT is a fuss itself, you can't get the performance out of the NT Machine what you can get outta Linux Box. Just see for yourself, test it with any bench mark tools available and you will considerably feel the difference between NT Based Proxy and Linux Based Proxy. Give Squid and Linux Tag Team some ground to play, a wider bandwidth path, properly tuned cached tweaks and there you go. I did use Squid on Linux on AMD K-62 450 MHz , 512 MB Ram and 7200 RPM $) GB SCSI , It was awesome.

Regards,
Babar Kazmi.

On Friday 14 November 2003 10:33 pm, Cafe Admin wrote:

> I'm currently running 2.5-Stable3 on a dedicated RH9 box, and I know my
> hardware is being underutilized (2.0GHz Xeon , 2x10k RPM SCSI, 640MB,
> 1000Mbps NIC). I'm thinking about converting the machine to Windows File
> Server/PDC/SquidNT.

I can think of several reasons to reconsider:

1) Domain controllers and file servers are very critical systems - run as little additional services and software on them as possible, for both security and performance reasons.

2) Even though your CPU and RAM may be underutilized, the extra load file serving will put on your disks likely will push the throughput near/beyond the available limit, and you'll see a performance hit.

3) Have you considered Samba on Linux instead of Windows Server? Recent benchmarks (linked to from the Samba website) show Samba 3 consistently delivering over twice the throughput of Windows Server 2003 under similar loads (averaging about 2.5 times the throughput).

4) SquidNT probably doesn't deliver the same level of performance as Squid on Linux (or other Unix variants), simply because of underlying OS performance issues.

My suggestion: Don't do it. Move Squid to a smaller box if you're concerned about underutilization, and use the former Squid box to run Samba to provide domain controller and file services.

Adam
AW: [squid-users] Redirect unauthenticated users to a local web page
"headsup" should do the trick. I tried it some months ago and it worked fine.

---

Hi all,

A couple of months ago, my boss asked me if it was possible to display an Internet Access Policy when users first launch their browsers without setting the "Home" or "Start" page. His thought was that it should be possible with our current Squid Servers. I searched the mailing list and noticed the question had been asked before but it wasn't possible without some coding. I let him know.

The problem bugged me for ages. I do not know how to program in C so writing the necessary code was not an option for me. Also what about sites that do not use a Proxy Server or a server other than Squid. To cut a long story short I developed an application in TCL that I want to share with the Squid community in an effort to give something back and hopefully to help others.

The application is called "HeadsUp" and it can display an Internet Access Policy or Message of the Day (MOTD) to users. Browsers need to be configured to use a PAC file and a slight change to any existing PAC file is all that is needed. The PAC file directs the browser's first request to the server which is running "HeadsUp". "HeadsUp" downloads a page which brings up a Popup window and causes the browser to reload the page again to load the real page.

"HeadsUp" is available from http://www.freewebs.com/headsup

It is built on Tclhttpd, a webserver written in pure TCL and packaged as a Starkit. It runs on Windows, Linux, HP-UX, Tru64 and Solaris. Easy to install, just copy 2 files to your system and run. No compiling necessary. To uninstall delete the 2 files!

Enjoy!

Kind Regards
Jeff Smith

P.S. Can a link be added to http://www.squid-cache.org/related-software.html

Kind regards / regards
Werner Rost
GM-FIR - Netzwerk
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175
53175 Bonn
Tel. +49 228 38 25 - 420
Fax +49 228 38 25 - 398
mailto:[EMAIL PROTECTED]
www.zf.com/boge-elastmetall

> -Original Message-
> From: hasan shatty [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 16 November 2003 10:26
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Redirect unauthenticated users to a
> local web page
>
> We need to redirect all users to an intranet web page
> before they authenticate , then authentication will
> happen in that page.
> i.e. instead of getting just popup window to fill the
> user name and password , we need to display a welcome
> page with some info, then popup the login window.