Re: AW: [squid-users] Redirect unauthenticated users to a local web page

2003-11-17 Thread hasan shatty
Hi 

I've installed headsup and found the following:

When using an uploaded custom pac file I'm getting
(The page cannot be displayed) whatever URL I put.

And when using the pac file built by headsup, it's
working but opening two windows - the welcome page and
the requested URL.

Why is the custom pac file not working, and why doesn't
the welcome page open in the same window?

Thanks,
--- [EMAIL PROTECTED] wrote:
> "headsup" should do the trick. I tried it some months
> ago and it worked fine.
>
> ---
>
> Hi all,
>
> A couple of months ago, my boss asked me if it was possible to display an
> Internet Access Policy when users first launch their browsers without
> setting the "Home" or "Start" page. His thought was that it should be
> possible with our current Squid Servers. I searched the mailing list and
> noticed the question had been asked before but it wasn't possible without
> some coding. I let him know.
>
> The problem bugged me for ages. I do not know how to program in C so
> writing the necessary code was not an option for me. Also what about sites
> that do not use a Proxy Server or a server other than Squid. To cut a long
> story short I developed an application in TCL that I want to share with the
> Squid community in an effort to give something back and hopefully to help
> others.
>
> The application is called "HeadsUp" and it can display an Internet Access
> Policy or Message of the Day (MOTD) to users. Browsers need to be
> configured to use a PAC file and a slight change to any existing PAC file
> is all that is needed. The PAC file directs the browser's first request to
> the server which is running "HeadsUp". "HeadsUp" downloads a page which
> brings up a Popup window and causes the browser to reload the page again to
> load the real page. "HeadsUp" is available from
> http://www.freewebs.com/headsup It is built on Tclhttpd, a webserver
> written in pure TCL and packaged as a Starkit. It runs on Windows, Linux,
> HP-UX, Tru64 and Solaris.
>
> Easy to install, just copy 2 files to your system and run. No compiling
> necessary. To uninstall delete the 2 files!
>
> Enjoy!
>
> Kind Regards
>
> Jeff Smith
>
> P.S. Can a link be added to
> http://www.squid-cache.org/related-software.html
>
> Kind regards
>  
> Werner Rost
> GM-FIR - Netzwerk
>  
> ZF Boge Elastmetall GmbH
> Friesdorfer Str. 175
> 53175 Bonn
>  
> Tel. +49 228 38 25 - 420
> Fax +49 228 38 25 - 398
> mailto:[EMAIL PROTECTED]
> www.zf.com/boge-elastmetall
>  
>  
> 
> 
> > -Original Message-
> > From: hasan shatty [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, 16 November 2003 10:26
> > To: [EMAIL PROTECTED]
> > Subject: [squid-users] Redirect unauthenticated users to a
> > local web page
> >
> > We need to redirect all users to an intranet web page
> > before they authenticate, then authentication will
> > happen in that page.
> > i.e. instead of getting just a popup window to fill in the
> > user name and password, we need to display a welcome
> > page with some info, then pop up the login window.
> >


Re: [squid-users] Starting Squid in FreeBSD 5.1

2003-11-17 Thread Jason Oakley
At 12:30 AM 18/11/2003 +, Antony Stone wrote:
What is the best way to start squid in FreeBSD 5.1.


sudo cat /usr/local/etc/rc.d/squid.sh

#!/bin/sh

# Derive the install prefix (e.g. /usr/local) from this script's own path.
if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi

case "$1" in
start)
    # Start only if the binary is executable and a configuration file exists.
    if [ -x ${PREFIX}/sbin/squid -a -f ${PREFIX}/etc/squid/squid.conf ]; then
        (cd /${PREFIX}/squid/logs; ${PREFIX}/sbin/squid >/dev/null 2>&1 &) ; echo -n ' squid'
    fi
    ;;
stop)
    ${PREFIX}/sbin/squid -k shutdown 2>&1
    # Uncomment this if you'd like the system to (attempt to
    # wait for) squid to shut down cleanly
    #echo "Sleeping for 45 seconds to allow squid to shutdown.."
    #sleep 45
    ;;
*)
    echo "Usage: `basename $0` {start|stop}" >&2
    ;;
esac

exit 0



Regards,

Jason.

--
Jason Oakley +612 82821434
  Open and Intel Systems
  Systems Administrator
   http://www.eds.com
 Add a dab of lavender to milk
   Leave town with an orange
and pretend you are laughing at it 




Re: [squid-users] Starting Squid in FreeBSD 5.1

2003-11-17 Thread Antony Stone
On Monday 17 November 2003 10:00 pm, Thron wrote:

> What is the best way to start squid in FreeBSD 5.1.
> Right now I'm using a Cron to start it but I get the
> following errors after the first person tries to
> connect.
>
> login: Nov 4 15L50:30 server-name kernel: pid 445
> (squid), uid 1001: exited on signal 6
>
> Nov 4 15:50:30 server-name squid[445]:
> authenticateNTLMHandleReply: called with no result
> string
>
> How can I resolve this problem? Any help would be
> greatly appreciated.

I'm not a FreeBSD expert, but I wonder which user is running the cron job?

Does the user have sufficient privileges?

Also, just out of curiosity, why are you starting it from cron - why not from 
a system startup (boot) script?   Do you find it needs restarting 
periodically?

Antony.

-- 

It's beautiful, man, beautiful.   It's enough to make me merely hate BIND 
rather than loathe it with every fibre of my being.

 - David Cantrell
 Please reply to the list;
   please don't CC me.


Re: [squid-users] Restricting access via ip

2003-11-17 Thread Antony Stone
On Tuesday 18 November 2003 12:02 am, Newman Emanouel wrote:

> Hello
>
> I am new to this list and would like some help with the following
>
> I would like to limit users accessing the internet between the hours of
> 11pm and 5am but still allow other services like mail to access the net. I have
> all my servers on a specific range and all my users on another range.
>
> What I would like to do is to stop users from accessing between the hours
> of 11pm to 5am and then allow normal access
>
> Can anyone please point me to a site which has detailed instructions on how
> to do this.

If you are using Linux then the built-in firewalling code called netfilter 
(iptables) can handle time-specific rules for different protocols such as 
http, smtp and pop3.   See http://www.netfilter.org for more infomation, and 
http://iptables-tutorial.frozentux.net/iptables-tutorial.html for one of the 
best tutorials in existence.

Antony.

-- 

The trouble with the French is that they don't have a word for 'entrepreneur'.

 - George W Bush, president of the United States of America
 Please reply to the list;
   please don't CC me.


Re: [squid-users] Squid Server multiple Nics

2003-11-17 Thread unixware

Dear Jim

It depends on the default gateway you are using for
your machine; check with the route command on Linux-based
systems

[EMAIL PROTECTED] root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.128 U     0      0        0 eth1
192.168.1.128   *               255.255.255.128 U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

That shows it is using eth1 as the default gateway to
all other networks

You can add a default route with the following command

route add default gw 192.168.1.1 eth1

Regards

UW



--- Jim_Brouse/[EMAIL PROTECTED] wrote:
> 
> eth0 ip address is 24.0.0.2
> eth1 ip address is 55.0.0.2
> 
> 
> We have a squid server with 2 nics, if the DNS
> server is at 55.0.0.5.
> 
> How does the squid server know which nic to gain
> Internet access from?
> 
> Will it gain Internet access from the same nic that
> the DNS server is
> listed on?  What stops squid from resolving
> www.domain.com to an IP address
> and then choosing either of the nics to get internet
> access from.
> 
> I only want squid to gain Internet access on eth1
> 
> 
> Jim
> 




[squid-users] Restricting access via ip

2003-11-17 Thread Newman Emanouel

Hello

I am new to this list and would like some help with the following

I would like to limit users accessing the internet between the hours of 11pm
and 5am but still allow other services like mail to access the net. I have all
my servers on a specific range and all my users on another range.

What I would like to do is to stop users from accessing between the hours of
11pm to 5am and then allow normal access

Can anyone please point me to a site which has detailed instructions on how
to do this.

Regards


Newman



[squid-users] Errors. "is a subdomain of" and FD

2003-11-17 Thread Jason Oakley
Our squid proxy server was SIGHUPped this morning to remove the adzapper 
redirector.

The cache.log file has a huge amount of entries regarding an acl file of 
sites to block as well as some other errors. The server has been HUPped 
before without too many problems (certainly not the subdomain error).  Has 
it read the same entries in twice or something? I don't see how a 2LD can 
be a subdomain of itself..

2003/11/17 20:07:44| WARNING: 'ezgreen.com' is a subdomain of 'ezgreen.com'
2003/11/17 20:07:44| WARNING: because of this 'ezgreen.com' is ignored to 
keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'ezgreen.com' from 
the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'ezgreen.com' is a subdomain of 'ezgreen.com'
2003/11/17 20:07:44| WARNING: because of this 'ezgreen.com' is ignored to 
keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'ezgreen.com' from 
the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'facialporn.com' is a subdomain of 
'facialporn.com'
2003/11/17 20:07:44| WARNING: because of this 'facialporn.com' is ignored 
to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'facialporn.com' 
from the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'facialporn.com' is a subdomain of 
'facialporn.com'
2003/11/17 20:07:44| WARNING: because of this 'facialporn.com' is ignored 
to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'facialporn.com' 
from the ACL named 'adultSites'

2003/11/17 21:04:13| sslReadServer: FD 42: read failure: (131) Connection 
reset by peer
2003/11/17 21:49:13| sslReadServer: FD 72: read failure: (131) Connection 
reset by peer
2003/11/17 21:49:14| sslReadServer: FD 66: read failure: (131) Connection 
reset by peer
2003/11/17 22:14:39| comm_accept: FD 10: (130) Software caused connection abort
2003/11/17 22:14:39| httpAccept: FD 10: accept failure: (130) Software 
caused connection abort
2003/11/17 22:22:44| sslReadServer: FD 73: read failure: (131) Connection 
reset by peer
2003/11/17 22:27:43| sslReadServer: FD 108: read failure: (131) Connection 
reset by peer
2003/11/17 22:27:43| sslReadServer: FD 118: read failure: (131) Connection 
reset by peer
2003/11/17 22:31:55| sslReadServer: FD 96: read failure: (131) Connection 
reset by peer

TIA

Regards,

Jason.

--
Jason Oakley +612 82821434
  Open and Intel Systems
  Systems Administrator
   http://www.eds.com
 Add a dab of lavender to milk
   Leave town with an orange
and pretend you are laughing at it 
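
The cache.log warnings quoted in the message above can be grouped per ACL to show which entries are repeated and which are covered by a parent domain. This is an added example, not part of the original post and not Squid code; the sample log is constructed (example.com and example.net stand in for real entries) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# A cache.log record starts with "YYYY/MM/DD HH:MM:SS|".
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\|")
SUBDOMAIN = re.compile(r"WARNING: '([^']+)' is a subdomain of '([^']+)'")
REMOVE = re.compile(
    r"WARNING: You should probably remove '([^']+)' from the ACL named '([^']+)'"
)

# Constructed sample in the same shape as the excerpt in the post, including
# the line wrapping a mail client adds. Domain names are placeholders.
SAMPLE_LOG = """\
2003/11/17 20:07:44| WARNING: 'example.com' is a subdomain of 'example.com'
2003/11/17 20:07:44| WARNING: because of this 'example.com' is ignored to
keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'example.com' from
the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'example.com' is a subdomain of 'example.com'
2003/11/17 20:07:44| WARNING: because of this 'example.com' is ignored to
keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'example.com' from
the ACL named 'adultSites'
2003/11/17 20:07:44| WARNING: 'ads.example.net' is a subdomain of
'example.net'
2003/11/17 20:07:44| WARNING: because of this 'ads.example.net' is ignored
to keep splay tree searching predictable
2003/11/17 20:07:44| WARNING: You should probably remove 'ads.example.net'
from the ACL named 'adultSites'
2003/11/17 21:04:13| sslReadServer: FD 42: read failure: (131) Connection
reset by peer
"""


def unwrap(text):
    """Rejoin wrapped records: a line without a leading timestamp
    continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Return {acl_name: {entry: {"kind", "covered_by", "warnings"}}}.

    kind is "duplicate" when both names in the warning are identical
    (the same entry was loaded twice) and "subdomain" otherwise.
    """
    report = defaultdict(dict)
    pending = None  # (name, parent) from the most recent subdomain warning
    for record in unwrap(text):
        match = SUBDOMAIN.search(record)
        if match:
            pending = match.groups()
            continue
        match = REMOVE.search(record)
        if not (match and pending):
            continue
        entry, acl = match.groups()
        if entry not in pending:
            continue  # removal hint does not belong to the pending pair
        other = pending[1] if entry == pending[0] else pending[0]
        kind = "duplicate" if pending[0] == pending[1] else "subdomain"
        item = report[acl].setdefault(
            entry, {"kind": kind, "covered_by": other, "warnings": 0}
        )
        item["warnings"] += 1
        pending = None
    return {acl: dict(entries) for acl, entries in report.items()}


def format_report(report):
    """One line per entry, suitable for reviewing the ACL file by hand."""
    lines = []
    for acl, entries in sorted(report.items()):
        for entry, info in sorted(entries.items()):
            lines.append(
                f"{acl}: {entry} ({info['kind']} of {info['covered_by']}, "
                f"{info['warnings']} warning(s))"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize(SAMPLE_LOG))))
```

Entries reported as "duplicate" point at a list that contains the same domain more than once; "subdomain" entries are already matched by the parent domain named in covered_by.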




[squid-users] Squid Server multiple Nics

2003-11-17 Thread Jim_Brouse/PYT

eth0 ip address is 24.0.0.2
eth1 ip address is 55.0.0.2


We have a squid server with 2 nics, if the DNS server is at 55.0.0.5.

How does the squid server know which nic to gain Internet access from?

Will it gain Internet access from the same nic that the DNS server is
listed on?  What stops squid from resolving www.domain.com to an IP address
and then choosing either of the nics to get internet access from.

I only want squid to gain Internet access on eth1


Jim



Re: [squid-users] HTTP/1.1

2003-11-17 Thread Schelstraete Bart
Trigge, Graham wrote:

Guys (and gals),

A colleague of mine is wanting to find out which version of SQUID has
HTTP/1.1 compliance (if at all at this point in time). He has searched
the web to no avail.
Any information would be grateful.

 

Hello,

As far as I know: None.
Squid is HTTP/1.0
rgrds,

  Bart

--
Schelstraete Bart
http://www.hansbeke.com
email: bart at schelstraete.org



[squid-users] HTTP/1.1

2003-11-17 Thread Trigge, Graham
Guys (and gals),

A colleague of mine is wanting to find out which version of SQUID has
HTTP/1.1 compliance (if at all at this point in time). He has searched
the web to no avail.

Any information would be grateful.

-
Graham Trigge
IT Technical Specialist
Messaging Server Support - Northern Region
(02) 8272 8657
0409 654 434
[EMAIL PROTECTED]

"Birthdays are good for you. The more you have, the longer you live"


[squid-users] Starting Squid in FreeBSD 5.1

2003-11-17 Thread Thron
What is the best way to start squid in FreeBSD 5.1.
Right now I'm using a Cron to start it but I get the
following errors after the first person tries to
connect. 

login: Nov 4 15L50:30 server-name kernel: pid 445
(squid), uid 1001: exited on signal 6 

Nov 4 15:50:30 server-name squid[445]:
authenticateNTLMHandleReply: called with no result
string

How can I resolve this problem? Any help would be
greatly appreciated.

Thanks
Thron



Re: [squid-users] Squid logrotate - Howto??

2003-11-17 Thread unixware

Dear Thomas

Let's say you want to run the log rotation script at 3:15 AM

use crontab

any entry by using crontab -e


15 3 * * * /usr/local/squid/sbin/squid -k rotate

that will do the trick


Regards

UW





--- [EMAIL PROTECTED] wrote:
> Hey folks,
> 
> I have a question again. I want to set up a
> logrotation for squid on Redhat 9.
> I created a file /etc/logrotate.d/squid with the
> following content:
> 
> /usr/local/squid/var/logs/access.log {
>daily
>rotate 14
>copytruncate
>compress
>notifempty
>missingok
>}
>/usr/local/squid/var/logs/cache.log {
>daily
>rotate 14
>copytruncate
>compress
>notifempty
>missingok
>}
> 
>/usr/local/squid/var/logs/store.log {
>daily
>rotate 14
>copytruncate
>compress
>notifempty
>missingok
>postrotate
>/usr/local/squid/sbin/squid -k rotate
>endscript
>}
> 
> But the rotation didn't work. I would like the
> rotation to start daily at midnight.
> What did I make wrong? Or is there anything else to
> configure what I forgot?
> Thanks in advance!
> 
> Regards,
> Tommy
> 
> Hansgrohe, Inc.
> Information Service
> 1492 Bluegrass Lakes Parkway
> Alpharetta,  GA  30004
> phone (+001) 678 - 762 - 6994
> 
> 




Re: [squid-users] Blocking FTP through squid

2003-11-17 Thread Henrik Nordstrom
On Mon, 17 Nov 2003, Mr. Singh wrote:

> I want to block clients uploading files through squid. How can it be
> implemented?

Assuming the clients use Squid for FTP access (please remember that Squid 
is a HTTP proxy) the following will block FTP PUT requests via Squid

acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT

Regards
Henrik



[squid-users] Squid logrotate - Howto??

2003-11-17 Thread Thomas . Bauer
Hey folks,

I have a question again. I want to set up a logrotation for squid on Redhat 9.
I created a file /etc/logrotate.d/squid with the following content:

/usr/local/squid/var/logs/access.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
   }
   /usr/local/squid/var/logs/cache.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
   }

   /usr/local/squid/var/logs/store.log {
   daily
   rotate 14
   copytruncate
   compress
   notifempty
   missingok
   postrotate
   /usr/local/squid/sbin/squid -k rotate
   endscript
   }

But the rotation didn't work. I would like the rotation to start daily at midnight.
What did I make wrong? Or is there anything else to configure what I forgot?
Thanks in advance!

Regards,
Tommy

Hansgrohe, Inc.
Information Service
1492 Bluegrass Lakes Parkway
Alpharetta,  GA  30004
phone (+001) 678 - 762 - 6994




[squid-users] authentication issue

2003-11-17 Thread Stephen Roberts
I have a customer that uses a proxy server to authenticate users to an
internet based system. In summary, it is installed in a DMZ as a reverse
proxy accessing the customers service. The Service is built up using
several VIP addresses over http. When an Internet user accesses the
external URL they are presented with Proxy authentication against the
directory server. Once authenticated they then further authenticate to
the internal service. This is fine, however when the user accesses say
the webmail link they are redirected to webmail1.xxx.net and are
presented with a further Proxy authentication. In total there could be
up to five proxy authentications if a user accessed all
services(webmail, calendar, Instant messaging etc etc) within a session.
What the customer is looking for is a Proxy Server that can support
session based authentication, so regardless of what address you are
redirected to, you only authenticate once.
Does Squid Support this type of model?
Regards

steve




RE: [squid-users] ACL problems

2003-11-17 Thread Adam Aube
> I keep getting this error with Squid (I fully admit I'm a novice)

> Access Denied.

> I've setup the ACL to allow client addresses from
> 192.168.0.15-192.168.0.150/255.255.255.0

Have you read the Access Controls FAQ?

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

If, after reading this, you still can't solve the problem, please post
your entire squid.conf (without blank lines or comments).

Adam



[squid-users] ACL problems

2003-11-17 Thread Ryan Nix
I keep getting this error with Squid (I fully admit I'm a novice)

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.
Your cache administrator is root.

I've setup the ACL to allow client addresses from 
192.168.0.15-192.168.0.150/255.255.255.0

Any ideas?

Thanks in advance!

Ryan



[squid-users] squid +smb_auth + sarg

2003-11-17 Thread azad_a

- Forwarded by Azad A/IDM/TCSCHENNAI on 11/17/2003 10:50 PM -

Azad A
11/15/2003 03:37 PM

To:       [EMAIL PROTECTED]
cc:
Subject:  squid +smb_auth + sarg



Hi
 I use squid 2.4 and smb_auth for authenticating with Windows 2000 domain
users. I use Sarg to
analyse the statistics and reports. This contains only the IP address from
where the system is browsed and not the authenticated user details.
I need IP address with the user id displaying on the web. Access.log is
pasted


172.20.128.96 TCP_MISS/304 229 GET
http://www.gnu.org/graphics/gnu-head-sm.jpg   135528   DIRECT/199.232.41.10
-

where 135528 is the login used. Has anyone done changes to display in sarg
report

Rgds
AZad





Re: [squid-users] Transparency

2003-11-17 Thread Antony Stone
On Monday 17 November 2003 2:50 pm, [EMAIL PROTECTED] wrote:

> Here is the output:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
>  pkts bytes target prot opt in out source destination
> 152 REDIRECT   tcp  --  eth1   *   0.0.0.0/0 0.0.0.0/0  tcp
> dpt:80 redir ports 8000
> 152 REDIRECT   tcp  --  eth1   *   0.0.0.0/0 0.0.0.0/0  tcp
> dpt:21 redir ports 21

The first rule will (re)direct any packets coming in on eth1, which were 
going to some server on TCP port 80, to TCP port 8000 on the netfilter 
machine (presumably this is the port that Squid is listening on).

The second rule I find a bit dubious - are you really running an ftp proxy on 
the machine (perhaps frox?), or are you hoping that Squid is going to 
transparently proxy ftp for you as well as http?   (If you are, you will be 
disappointed - squid isn't an ftp proxy - well, certainly not in transparent 
mode, anyway).

Aside from that, I trust you have some appropriate FORWARDing rules to allow 
the rest of the (non-proxied) traffic through your firewall?   If not, then 
this is where the problem lies, and since (a) it's much more of a netfilter 
question than a squid question, and (b) we're both on the netfilter list as 
well, I suggest we transfer the discussion over there if you need any more 
help with getting non-http traffic through the machine.

-- 

Ramdisk is not an installation procedure.

 Please reply to the list;
   please don't CC me.


Re: [squid-users] Transparency

2003-11-17 Thread trainier
Here is the output:

[EMAIL PROTECTED] logs]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
 pkts bytes target prot opt in out source destination
152 REDIRECT   tcp  --  eth1   *   0.0.0.0/0 0.0.0.0/0  tcp 
dpt:80 redir ports 8000
152 REDIRECT   tcp  --  eth1   *   0.0.0.0/0 0.0.0.0/0  tcp 
dpt:21 redir ports 21

Chain POSTROUTING (policy ACCEPT 103 packets, 6335 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 92 packets, 5707 bytes)
 pkts bytes target prot opt in out source destination

Thanx for your additional info, Antony.

Regards,

Tim Rainier





Antony Stone <[EMAIL PROTECTED]>
11/17/2003 09:09 AM

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: [squid-users] Transparency


On Monday 17 November 2003 1:53 pm, [EMAIL PROTECTED] wrote:

> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source   destination
> REDIRECT   tcp  --  anywhere anywhere   tcp dpt:http
> redir ports 8000
> REDIRECT   tcp  --  anywhere anywhere   tcp dpt:ftp
> redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source   destination

If you're going to post netfilter rules, it's better to post either the
original rules which went into the table, or else the output of "iptables -t
nat -L -n -v".   The -n makes everything numeric so we can see what addresses
are involved, and the -v shows more detail including the interfaces which the
rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box.  i.e.:
> irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a
> couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really
know about this sort of thing.

> First.  I understand that squid proxies http traffic, only.  Is this
> correct?

Yes.   Squid will handle ftp requests over http, but only if the browser is
configured to use the proxy.   In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and
> the other internet stuff should work.
> ie:  I shouldn't need to go into my client programs (putty, mIRC, etc) and
> tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go
directly through your firewall to the Internet, nothing to do with a Squid
proxy being around the place.

Also, the whole point about transparent mode is that even for http, the
client doesn't know there's a proxy - if it did, it wouldn't be
transparent :)

Antony.

-- 

"I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

It is NOT portable , and it probably never will support anything other than
AT-harddisks, as that's all I have :-(."

 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
 Please reply to the list;
   please don't CC me.





[squid-users] Anyone willing to talk about a big squid setup?

2003-11-17 Thread Antony Stone
Hi.

I'm talking to a company in the UK who want to implement squid as a 
replacement for a biggish cache server setup, but they'd like to talk to 
someone who's already using squid on the same sort of scale, just to get some 
reassurance it can do the job okay.   They're currently dealing with 20-50 
million http requests per day at each of three sites.
 
If anyone doesn't mind talking to someone about using squid in this sort of 
setup please reply to me off-list so I can put them in contact.
 
Thanks,

Antony.

-- 

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)


Re: [squid-users] Transparency

2003-11-17 Thread Antony Stone
On Monday 17 November 2003 1:53 pm, [EMAIL PROTECTED] wrote:

> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source   destination
> REDIRECT   tcp  --  anywhere anywhere   tcp dpt:http
> redir ports 8000
> REDIRECT   tcp  --  anywhere anywhere   tcp dpt:ftp
> redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source   destination

If you're going to post netfilter rules, it's better to post either the 
original rules which went into the table, or else the output of "iptables -t 
nat -L -n -v".   The -n makes everything numeric so we can see what addresses 
are involved, and the -v shows more detail including the interfaces which the 
rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box.  i.e.:
> irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a
> couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really 
know about this sort of thing.

> First.  I understand that squid proxies http traffic, only.  Is this
> correct?

Yes.   Squid will handle ftp requests over http, but only if the browser is 
configured to use the proxy.   In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and
> the other internet stuff should work.
> ie:  I shouldn't need to go into my client programs (putty, mIRC, etc) and
> tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go 
directly through your firewall to the Internet, nothing to do with a Squid 
proxy being around the place.

Also, the whole point about transparent mode is that even for http, the 
client doesn't know there's a proxy - if it did, it wouldn't be transparent :)

Antony.

-- 

"I'm doing a (free) operating system (just a hobby, won't be big and 
professional like gnu) for 386(486) AT clones.

It is NOT portable , and it probably never will support anything other than 
AT-harddisks, as that's all I have :-(."

 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
 Please reply to the list;
   please don't CC me.


[squid-users] Transparency

2003-11-17 Thread trainier
I'm running Squid 2.5 STABLE4 in Transparency.
The proxy server is my gateway.

My NAT table looks as follows:

[EMAIL PROTECTED] logs]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
REDIRECT   tcp  --  anywhere anywhere   tcp dpt:http 
redir ports 8000
REDIRECT   tcp  --  anywhere anywhere   tcp dpt:ftp 
redir ports 21

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


Web browsing and ftping both work, at the moment. 
I cannot get other internet connections to pass through the box.  i.e.: 
irc connections, telnet connections, etc.

I imagine I need to be speaking with a linux person about this, but had a 
couple of questions about squid and transparency mode.

First.  I understand that squid proxies http traffic, only.  Is this 
correct?

So, all I should need are some redirects and forwards on the nat table and 
the other internet stuff should work. 
ie:  I shouldn't need to go into my client programs (putty, mIRC, etc) and 
tell them it's a proxy connection.

Is this correct?

Regards,

Tim Rainier


[squid-users] Blocking FTP through squid

2003-11-17 Thread Mr. Singh

Dear Users

I want to block clients uploading files through squid. How can it be
implemented?
thanks in advance


-- 
singh



Re: [squid-users] Re: Using ICAP patches

2003-11-17 Thread zottmann
Hi Rui !! 

I had this error with some URLs . The last one was this: 

http://esportes.terra.com.br/tenis/ 

Thanks again, 
Carlos ... 

--- 

Hi Carlos, 

Can you please send me the URL of the file that's causing this error? So I 
can have look at it and see if it's an issue with SAVSE. 

Thank you! 

Regards, 

Rui 




RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

2003-11-17 Thread Doron Shmaryahu
Hi,

Had the same problem with WCCP/FreeBSD. I use route maps now and all is
working 100%. It apparently has to do with the IOS version you use.

I spoke to the guys at cacheflow as I tested their product and they gave
me that answer. There is also a white paper on their site explaining
this problem. I have not changed the IOS yet so can't tell you if it
works or not.

Doron



-Original Message-
From: Clive Cleland [mailto:[EMAIL PROTECTED] 
Sent: 16 November 2003 03:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with
Yahoo/Hotmail login


Raphael

Try setting MSS = 1400 for TCP connections from your clients (use this
number if your normal MSS is 1500/1476).  This is done on the squid
server, not the client machines, as it is negotiated during TCP
connection setup.

Under iptables, it is done using the following command:
-A OUTPUT -d 1.2.3.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I'm sorry I can't help with FreeBSD/ipfw.  If you use 'ip route' to
setup routing, I believe it can also be done on a per-route basis.

The problem is that some sites use very large cookies.  When the HTTP
request exceeds the size of one packet, the addition of the GRE header
makes the first packet too large, so it is dropped by the WCCP router.

By telling clients to limit their packet size, the addition of the GRE
overhead still results in legal packets.  The smaller size should make
negligible difference in network performance, but perhaps you can tune
this to your needs?  Also, you might be able to further restrict this to
just port 80 traffic?

Hopefully this at least gives you somewhere to look.

Clive


-----Original Message-----
From: Raphael Maseko [mailto:[EMAIL PROTECTED]
Sent: Sunday, 16 November 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with
Yahoo/Hotmail login



Hi Fellow Listers,

I have been running squid-2.5.STABLE4 with transparent proxying using
WCCP V1 on FreeBSD 4.6.2 without any problems.

I have now installed the same version on FreeBSD 4.9.

Unlike in the previous version where I had to apply patches and hacks to
get the gre packets stripped by my BSD box, I used the "pseudo-device
gre" option in the kernel and set up the tunnel using the following:

ifconfig gre0 create
ifconfig gre0 My_Squid_IP 10.20.30.1 netmask 255.255.255.255 link1 tunnel My_Squid_IP My_Router_IP up

and the following IPFW rules:

ipfw add 49 allow tcp from My_Squid_IP to any
ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in
(The ipfw is set to default to accept)

Here is a sample from the ipfw -a sh command:

00049  29586  2886034 allow tcp from My_Squid_IP to any
00050  29592  2493277 fwd 127.0.0.1,3128 tcp from any to any 80 in recv gre0
65535 101631 65282581 allow ip from any to any


The transparent proxy is working fine except when it comes to logging
into sites like yahoo and hotmail and reading webmail. The main page is
accessed but stalls and eventually fails on authentication.

I suspect that this has something to do with the gre tunnel and the way
packets that are not supposed to be cached are being treated.

Has anyone run into this problem and if so how did you deal with it?
Please help.

Thanks in advance.

Ralph
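
The packet-size arithmetic behind the MSS advice in this thread, as an added example that is not part of the original messages. It assumes a 1500-byte MTU on the router-to-Squid link, 20-byte IPv4 and TCP headers without options, and a 4-byte GRE header; the request sizes are constructed.

```python
# Added example. All header sizes and the MTU below are assumptions.
IP_HDR = 20      # IPv4 header without options (assumed)
TCP_HDR = 20     # TCP header without options (assumed)
GRE_HDR = 4      # basic GRE header (assumed)
LINK_MTU = 1500  # MTU between the WCCP router and the Squid box (assumed)

# The router prepends an outer IP header and a GRE header to each client packet.
GRE_OVERHEAD = IP_HDR + GRE_HDR


def segment(payload_len, mss):
    """Split a TCP payload of payload_len bytes into segment sizes <= mss."""
    full, rest = divmod(payload_len, mss)
    return [mss] * full + ([rest] if rest else [])


def encapsulated_sizes(payload_len, mss):
    """Size of each client packet once the router has wrapped it in GRE."""
    return [seg + TCP_HDR + IP_HDR + GRE_OVERHEAD
            for seg in segment(payload_len, mss)]


def oversized(payload_len, mss, mtu=LINK_MTU):
    """(index, size) of every encapsulated packet that exceeds the MTU."""
    sizes = encapsulated_sizes(payload_len, mss)
    return [(i, size) for i, size in enumerate(sizes) if size > mtu]


def max_safe_mss(mtu=LINK_MTU):
    """Largest MSS whose full-size segment still fits the MTU after GRE."""
    return mtu - GRE_OVERHEAD - IP_HDR - TCP_HDR


if __name__ == "__main__":
    # Constructed request sizes: a plain page fetch and a login request
    # carrying large cookies.
    requests = (("small GET", 500), ("login with large cookies", 3000))
    for label, size in requests:
        for mss in (1460, 1400):
            bad = oversized(size, mss)
            status = "exceeds MTU: %s" % bad if bad else "fits"
            print("%-26s MSS %4d -> %s" % (label, mss, status))
    print("largest safe MSS:", max_safe_mss())
```

A request that fits in one small packet passes with either MSS, which matches the symptom of the main page loading while the cookie-heavy login stalls.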





[squid-users] SNMP

2003-11-17 Thread Doron Shmaryahu
Hi All,

I have configured squid to enable snmp so I can monitor it. I see it
does start:
Accepting SNMP messages on port 3401, FD 20. 

But when I try to query the squid machine I get this in the log:

Failed SNMP agent query from : 

And I get nothing back !! Can anyone help ? My config is below for snmp:

acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic crc2


thanks


Kind Regards

Doron Shmaryahu




RE: [squid-users] configuration error

2003-11-17 Thread Henrik Nordstrom
On Mon, 17 Nov 2003, Firas Mubarak wrote:

> yes the clients are all configured to use the proxy,
> the squid server is using upstream proxy

Then see the Squid FAQ on using Squid inside a firewall. This will most 
likely help.

Regards
Henrik



RE: [squid-users] configuration error

2003-11-17 Thread Firas Mubarak
dears,

yes the clients are all configured to use the proxy,
the squid server is using upstream proxy

p.s.
i can provide u with the squid configuration file in case u need to take a
look at it.


-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Sun 11/16/2003 8:43 PM 
To: Firas Mubarak 
Cc: [EMAIL PROTECTED] 
Subject: Re: [squid-users] configuration error



On Sun, 16 Nov 2003, Firas Mubarak wrote:

> 1- opening any direct connection, such as ( yahoo messenger, msn messenger )
> 2- they can't log to any page that requires authentication, ( such as, web
> based emails, or any site that requires username and password. )

Are you running Squid as a transparently intercepting proxy, or are the
clients configured to use the proxy?

For best operation make sure to have the clients configured to use the
proxy.

Regards
Henrik





Re: [squid-users] Adding cache directory

2003-11-17 Thread Henrik Nordstrom
On Sun, 16 Nov 2003, ads squid wrote:

> "With Squid-2, you will not lose your existing cache.
> You can add and delete cache_dir's without affecting
> any of the others. "
> 
> Does that mean both new and old will work together?
> Thanks for support.

Yes.

Regards
Henrik



Re: AW: AW: AW: AW: AW: AW: AW: [squid-users] Group Authentication (NT4 Domain)

2003-11-17 Thread Henrik Nordstrom
On Mon, 17 Nov 2003, Altrock, Jens wrote:

> k, forgot that :(
> I set cache_effective_user to squid, as well as cache_effective group to
> squid.
> Same error even permissions are right?


So what does the error look like now? If it still says 'nobody' then 
cache_effective_user is still not set correctly.

Regards
Henrik



Re: [squid-users] Error in cache.log file

2003-11-17 Thread Babar Kazmi
Hello

I feel that the root file system is Full, do u have cache directory over
there ?

Can u move the cache to some partition which has space ?

Regards

Babar Kazmi.

On Sunday 16 November 2003 11:33 am, ads squid wrote:

> This is output of df
> *
> Filesystem        Used Available Use% Mounted on
> /dev/hda5       472375      7126  99% /
> /dev/hda1         9378     86492  10% /boot
> /dev/hda3        64220   9173968   1% /home
> none                 0    111532   0% /dev/shm
> /dev/hda2      1236568  24046956   5% /usr
> /dev/hda6       127876    847684  14% /var
>
> I have created /cache directory in the partition where
> /root directory resides.





Re: [squid-users] Squid NT vs. Squid Linux

2003-11-17 Thread Babar Kazmi
Hello

As far as I see managing Squid on NT is a fuss itself, you can't get
the performance out of the NT Machine what you can get outta Linux Box.

Just see for yourself, test it with any benchmark tools available and you
will considerably feel the difference between NT Based Proxy and Linux Based
Proxy.

Give Squid and Linux Tag Team some ground to play, a wider bandwidth
path, properly tuned cached tweaks and there you go.

I did use Squid on Linux on AMD K-62 450 MHz, 512 MB Ram and 7200 RPM
$) GB SCSI, it was awesome.

Regards,
Babar Kazmi.

On Friday 14 November 2003 10:33 pm, Cafe Admin wrote:
> I'm currently running 2.5-Stable3 on a dedicated RH9 box, and I know my
> hardware is being underutilized (2.0GHz Xeon , 2x10k RPM SCSI, 640MB,
> 1000Mbps NIC). I'm thinking about converting the machine to Windows File
> Server/PDC/SquidNT.

I can think of several reasons to reconsider:

1) Domain controllers and file servers are very critical systems - run as
little additional services and software on them as possible, for both
security and performance reasons.

2) Even though your CPU and RAM may be underutilized, the extra load file
serving will put on your disks likely will push the throughput near/beyond
the available limit, and you'll see a performance hit.

3) Have you considered Samba on Linux instead of Windows Server? Recent
benchmarks (linked to from the Samba website) show Samba 3 consistently
delivering over twice the throughput of Windows Server 2003 under similar
loads (averaging about 2.5 times the throughput).

4) SquidNT probably doesn't deliver the same level of performance as Squid
on Linux (or other Unix variants), simply because of underlying OS
performance issues.

My suggestion: Don't do it. Move Squid to a smaller box if you're concerned
about underutilization, and use the former Squid box to run Samba to provide
domain controller and file services.

Adam




AW: [squid-users] Redirect unauthenticated users to a local web page

2003-11-17 Thread Werner . Rost
"headsup" should do the trick. I tried it some months ago and it worked fine.



---

Hi all,

A couple of months ago, my boss asked me if it was possible to display
an Internet Access Policy when users first launch their browsers without
setting the "Home" or "Start" page. His thought was that it should be
possible with our current Squid Servers. I searched the mailing list and
noticed the question had been asked before but it wasn't possible
without some coding. I let him know.

The problem bugged me for ages. I do not know how to program in C so
writing the necessary code was not an option for me. Also what about
sites that do not use a Proxy Server or a server other than Squid. To
cut a long story short I developed an application in TCL that I want to
share with the Squid community in an effort to give something back and
hopefully to help others.

The application is called "HeadsUp" and it can display an Internet
Access Policy or Message of the Day (MOTD) to users. Browsers need to be
configured to use a PAC file and a slight change to any existing PAC
file is all that is needed. The PAC file directs the browser's first
request to the server which is running "HeadsUp". "HeadsUp" downloads a
page which brings up a Popup window and causes the browser to reload the
page again to load the real page. "HeadsUp" is available from
http://www.freewebs.com/headsup It is built on Tclhttpd, a webserver
written in pure TCL and packaged as a Starkit. It runs on Windows,
Linux, HP-UX, Tru64 and Solaris.

Easy to install, just copy 2 files to your system and run. No compiling
necessary. To uninstall delete the 2 files!

Enjoy!

Kind Regards

Jeff Smith

P.S. Can a link be added to
http://www.squid-cache.org/related-software.html






Kind regards
 
Werner Rost
GM-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175
53175 Bonn
 
Tel. +49 228 38 25 - 420
Fax +49 228 38 25 - 398
mailto:[EMAIL PROTECTED]
www.zf.com/boge-elastmetall
 
 


> -----Original Message-----
> From: hasan shatty [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 16 November 2003 10:26
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Redirect unauthenticated users to a
> local web page
>
>
> We need to redirect all users to an intranet web page
> before they authenticate, then authentication will
> happen in that page.
> i.e. instead of getting just popup window to fill the
> user name and password, we need to display a welcome
> page with some info, then popup the login window.
> 